# Trojan Deleted tcpip.sys and Drivers?!



## Artimus (Apr 27, 2007)

Well, I will try to describe this as best as I can.
About a month ago I installed AVG Antivirus and set its scheduled scans for 6am every day.

On the 02/08/2007 it found A0074593.exe (1.2MB) in C:\System Volume Information\_restore and added it to the virus vault. I think this is where it started, but I cannot be sure. (Some similar files were detected at an earlier date.)

Anyway, on the 04/08/2007 AVG detected system32\dllcache\tcpip.sys and system32\drivers\tcpip.sys as infected with Backdoor.Hupigon.XTA. I've tried to Google it, but found only posts in foreign languages.

I got a warning saying "Your Windows files are different to the originals, do you want to replace them?" or something like that. I assumed it was BitComet interfering with the tcpip files or something, so I ignored it. Nothing happened until I restarted my computer on the 05/08/2007, and AVG detected 2 new files, A0085231.sys and A0085232.sys, in the C:\System Volume Information\_restore folders again.

I didn't know what to do, and the tcpip files were GONE, so my network was not working at all. All I could think of doing was Start > Run > sfc.exe /scannow. I put in the Windows CD and it did the scan, and then I restarted the computer. (It took 3 restarts to get into Windows; it kept crashing at the login screen with a Blue Screen and restarted itself automatically.)

The tcpip files had returned, and I scanned with AVG again, but it didn't pick anything up. I did a bit of reading about worms that infect tcpip and open up your ports for scanning and logging private information. I just want to know if AVG got rid of this thing, what it is, and if I have to do anything else to make sure I'm clean before I start using my private information again.

Let me know if you need any other information.
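The post above names two copies of the driver (system32\drivers\tcpip.sys and system32\dllcache\tcpip.sys) and relies on sfc.exe /scannow to put them back. The following is an added example, not code from the thread or from AVG, that a responder could run after the repair to check that both copies are present, identical, and carry a valid Microsoft signature. It assumes Windows PowerShell 4.0 or later (for Get-FileHash); the function name and the dllcache path (an XP-era cache that is absent on newer Windows) are assumptions taken from the post, not a documented API.

```powershell
# Added example (not from the thread): verify the tcpip.sys copies named in the post.
# Assumes Windows PowerShell 4.0+ (Get-FileHash). Function name is hypothetical.
function Test-TcpipDriverCopies {
    [CmdletBinding()]
    param(
        [string[]]$Paths = @(
            (Join-Path $env:SystemRoot 'system32\drivers\tcpip.sys'),
            (Join-Path $env:SystemRoot 'system32\dllcache\tcpip.sys')   # XP-era cache; missing on newer Windows
        )
    )

    $copies = foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            # A missing driver copy is exactly the symptom described in the thread.
            [pscustomobject]@{ Path = $p; Exists = $false; SHA256 = $null; Signature = 'missing'; Signer = $null }
            continue
        }
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature -LiteralPath $p
        [pscustomobject]@{
            Path      = $p
            Exists    = $true
            SHA256    = $hash
            Signature = $sig.Status          # 'Valid' is what a genuine, intact Microsoft driver should report
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }

    # All present copies should hash identically; a mismatch means one copy was altered or replaced.
    $present    = @($copies | Where-Object Exists)
    $distinct   = @($present | Select-Object -ExpandProperty SHA256 | Sort-Object -Unique)
    $consistent = ($present.Count -gt 0) -and ($distinct.Count -eq 1)

    [pscustomobject]@{
        Copies          = $copies
        AllPresent      = ($present.Count -eq $Paths.Count)
        HashesConsistent = $consistent
        AllSignedValid  = -not ($present | Where-Object { $_.Signature -ne 'Valid' })
    }
}

# Usage: run from an elevated prompt after sfc.exe /scannow has finished.
$report = Test-TcpipDriverCopies
$report.Copies | Format-Table -AutoSize
$report | Select-Object AllPresent, HashesConsistent, AllSignedValid
```

Two caveats when reading the output: on Windows 7 and earlier, Get-AuthenticodeSignature does not consult catalog files, so a catalog-signed system driver can report NotSigned even when it is genuine (sfc.exe /scannow or sigverif.exe is the authoritative check there), and a 'Valid' signature on a driver that still differs in hash from its cached copy is worth investigating rather than ignoring.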


----------



## chauffeur2 (Feb 7, 2006)

Hello Artimus, welcome to TSF!

In view of the information that you have given, I recommend that you go *here*; read and follow the instructions _very carefully_; then, post all the requested logs and information; as instructed, to *here*. _(Click on the coloured links.)_

*Please create a new thread in the HiJackThis Log Help Forum and not back in this one.*

When you are carrying out *The 5 Steps*, if you _cannot_ complete any of them for whatever reason, just mention the fact in your post to the HJT Help Forum; an Analyst will assist you with other workarounds.

Once done, please be patient, as the Security Team Analysts are usually very busy; one of them will answer your request as soon as they can.

Good Luck with it.

Kind Regards,


----------



## Artimus (Apr 27, 2007)

I did the 5 steps. Sorry, but what does HijackThis have to do with my problem?


----------



## chauffeur2 (Feb 7, 2006)

There is the possibility that there might be 'traces' of those 'nasties' remaining on your system.


----------

