Hmunml35dl.exe.conf?


9 replies to this topic

#1 malachi31

malachi31

  • Members
  • 5 posts

Posted 12 December 2007 - 11:34 PM

Hi

I am a new member here. I have worked on computers for many years, and I am not an expert, but certainly well trained in security.

I do all the safety precautions, and yet I think that I have become infected by something, and I really need some help.

The only thing that I have installed in the last week was Wordperfect Office X3 full installation. It has a registration program and auto updater which I found a way to remove. However, since then I have a conf and exe file that appears in my C:\Documents and Settings\Username\Local Settings\Temp folder from out of nowhere. It then spawns a process that takes up about 36mb of memory and slight cpu usage. With 2 gigs, I barely notice it, however, I KNOW every program, service, and process running, and this one I can't identify.

I uninstalled X3 thinking it was that using a special uninstaller which cleared the registry and everything. I did a System Restore 2 days before installation, and yet this keeps reappearing. It is called hmunml35dl.exe.conf and it spawns numerous exe's called 23hmunml35dl.exe or various different numbers at the beginning.

A Google search finds nothing. I can delete the conf and the exe's from the Temp folder and yet they keep reappearing. I have searched the Registry and can't find anything about it. I have run a thorough Avast Pro scan and it detects nothing. I did the same with Spybot, Adaware, AVG Anti-Spyware, and even Spyware Blaster. HijackThis shows the running process if it is running, but nothing else about it. The icon for it is three cubes with the letters MFC, and a search for that suggests it could be a Microsoft Foundation Class Visual C++ program which makes me think it is something still from the X3 as it did install Macros support.

I have even rebooted into Safemode, run all of the above with System Restore off, deleted the conf and all the spawned exe's, and then rebooted back into running mode. Still it reappears.

I have checked my Firewall, and nothing is trying to get through. The hardware firewall is the same and nothing is trying to 'call home' that I can see. No Services have been started without my knowledge? I did see one random Advertisement Pop Up, and I checked that the Messenger Service was not turned on. I have cleared all but eBay, Java, and Flash ActiveX's from my IE. Now around the same time, I did notice that my IE is not saving cookies properly and I constantly have to relogin to sites. I ran CWShredder and it found one instance of Cool Web in the msconfig and deleted it. I keep up to date on all of these and run Adaware and Spybot every few days.

I am completely stumped? :thumbsup: Is this a Visual C++ thing from the X3 that once installed I can never turn off? Is this someone's homemade personal trojan that someone has created and I picked up inadvertently through IE and because of this it isn't in a malware, spyware, trojan, av database? Does anyone please have any experience with this or suggestions? I really need some assistance.

Thank you very much!

TJ


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,606 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 13 December 2007 - 07:44 AM

Welcome to BC malachi31

Please go to jotti's virusscan or virustotal.com.
In the "File to upload & scan" box, browse to the location of the suspicious file and submit [upload] it for scanning/analysis.
Post back with the results of the file analysis.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif
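An added example (my own code, not from the thread or from any tool mentioned in it) for the step quietman7 asks for: before the reappearing Temp files are deleted yet again, record each one's size and SHA-256 so the sample can be looked up on a multi-engine scanner such as VirusTotal or Jotti, and so the numbered .exe copies can be compared with the .conf seed. The file-name pattern is taken from the first post; the folder contents produced by build_sample_dir() are constructed stand-ins, and the function names are mine.

```python
"""Record hashes of the reappearing Temp files before they are deleted (added example)."""
import hashlib
import os
import re
import sys
import tempfile
import time

# Name pattern from the first post: hmunml35dl.exe.conf plus copies such as 23hmunml35dl.exe
# whose numeric prefix varies.
SUSPECT_NAME = re.compile(r"^\d*hmunml35dl\.exe(\.conf)?$", re.IGNORECASE)


def sha256_of(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so a large dropper need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def triage_temp(temp_dir, pattern=SUSPECT_NAME):
    """Return one record (name, size, sha256, mtime) per file in temp_dir matching pattern.

    Hash first, delete later: the hash is what a multi-engine scanner can be searched
    for, and it shows whether a file that 'reappears' is the same sample or a new one."""
    records = []
    for name in sorted(os.listdir(temp_dir)):
        path = os.path.join(temp_dir, name)
        if not os.path.isfile(path) or not pattern.match(name):
            continue
        records.append({
            "name": name,
            "size": os.path.getsize(path),
            "sha256": sha256_of(path),
            "mtime": time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(os.path.getmtime(path))),
        })
    return records


def distinct_samples(records):
    """Collapse records to one per unique hash: the set actually worth submitting."""
    by_hash = {}
    for rec in records:
        by_hash.setdefault(rec["sha256"], rec)
    return list(by_hash.values())


def build_sample_dir():
    """Create a throwaway folder of constructed files mimicking the poster's Temp folder.

    The .exe contents are stand-in bytes, not a real binary; two copies are identical
    so that distinct_samples() has something to collapse."""
    folder = tempfile.mkdtemp(prefix="temp_triage_demo_")
    fake_exe = b"MZ" + b"\x00" * 62 + b"constructed-not-a-real-binary\n"
    files = {
        "hmunml35dl.exe.conf": b"constructed-seed-config\n",
        "23hmunml35dl.exe": fake_exe,
        "7hmunml35dl.exe": fake_exe,
        "unrelated.tmp": b"ordinary temp file\n",
    }
    for name, data in files.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(data)
    return folder


if __name__ == "__main__":
    # Pass a real folder (on XP: %USERPROFILE%\Local Settings\Temp, which is what
    # tempfile.gettempdir() returns there) as the first argument; with no argument the
    # constructed sample folder is scanned instead.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_dir()
    records = triage_temp(target)
    for rec in records:
        print(f"{rec['mtime']}  {rec['size']:>8}  {rec['sha256']}  {rec['name']}")
    print(f"{len(records)} matching file(s), {len(distinct_samples(records))} distinct sample(s)")
```

Running it against the real Temp folder before each cleanup gives a short list of hashes; if the same hash keeps coming back after a reboot, whatever recreates the file is still present, which is exactly the question the thread turns on.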

#3 malachi31

malachi31
  • Topic Starter

  • Members
  • 5 posts

Posted 13 December 2007 - 11:49 AM

Hi

I used jotti's scan, and Dr. Web identified it as Win32.HLLW.Medbod.origin. No other scanner got a hit. When I searched for that on Dr. Web's site, there was no information?

Have I been hit with a brand new one in the wild? :thumbsup:

I will be offline until later this evening, so if I don't reply to your reply for more information or assistance, that's why.

I appreciate the help.

Thanks:)

TJ

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,606 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 13 December 2007 - 12:05 PM

Please click on this link -> Submit Malware Sample.
In the Link to topic where this file was requested: box, copy and paste the link to where your hijackthis log is posted.

In the Browse to the file you want to submit: box, browse to the location of Hmunml35dl, then click Send File.
Once it shows "Your file was successfully submitted", please let me know that you have submitted the file.

The identified infection is a backdoor Trojan. Backdoor Trojans, IRCBots and Infostealers are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge. Read the Danger: Remote Access Trojans.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Although the backdoor Trojan has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the backdoor Trojan has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS - "When should I re-format?".

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful.

Let me know how you wish to proceed.

#5 malachi31

malachi31
  • Topic Starter

  • Members
  • 5 posts

Posted 13 December 2007 - 10:20 PM

Hells bells and buckets of blood :thumbsup:

Well I submitted the file right after checking it at Dr. Web so already on top of that.

I noticed this file a few days ago only just starting and I killed the process every time I saw it appear within moments or minutes. I never leave this machine on over night so it wasn't on the internet unattended the last few days for sure.

I followed some instructions actually found here around lunch time. I got Cureit, Stinger, and Trend Micro System Cleaner. I turned off system restore. I rebooted via F8 in safe mode. I ran all of those programs. That one plus two others - a DOS.Boot. one and a W32.Beagle were found in archives in a program backup folder. They were deleted. I emptied the temp folder shredding it with Window Washer. I deleted the system restore points. By the time I went back to work after lunch and then got home, all was completed. This was several hours ago. I am online again, and no instances of that .exe have reappeared in the temp folder or the task manager. Do you think I got it all?

This is my only home machine, and right now I am not in a place that I can do a complete reformat and wipe due to work. I should add here that I do have a NAT firewall/router plus windows firewall installed and functioning. I had no unusual activity reported on either of these. I also do not have ICQ and no other add-ons seemed to find their way on to my system after reading those linked articles.

I have started calling banks and such to inform them and change online passwords. At work tomorrow I can change other passwords like eBay and Amazon.

I might be able to get a laptop to use over Xmas, and then I could do a reformat and reinstall, but I would also have to get XP again. This was set up through work. All in all this is a horrid situation with horribly difficult circumstances surrounding it.

Whatever further assistance y'all can give I greatly appreciate it.

Thanks!

TJ

Edited by malachi31, 13 December 2007 - 10:27 PM.


#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,606 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 14 December 2007 - 06:28 AM

Win32.HLLW.Medbod was identified by Dr.Web as being related to Backdoor.Sdbot, Backdoor.Win32.IRCBot.kp among others and added to the definitions database so it sounds like you were able to remove the infection.

Your decision as to what action to take should be made by asking yourself the questions presented in the "When should I re-format? link". Reformatting and doing a clean install of the OS is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, any important data files, pictures, etc should be scanned with your anti-virus before backing up. Should you decide that is what you want to do, here are a few helpful links.

"How to reformat and reinstall Windows XP - Method #1"
"How to reformat and reinstall Windows XP - Method #2"

These links include detailed step by step instructions:
"Clean Install Windows XP".
"XP Clean Install Interactive Setup".

In the meantime, turn System Restore back on to enable your computer to "roll-back" to a clean working state should you decide not to reformat or until you do.

#7 malachi31

malachi31
  • Topic Starter

  • Members
  • 5 posts

Posted 14 December 2007 - 08:38 AM

>> Win32.HLLW.Medbod was identified by Dr.Web as being related to Backdoor.Sdbot, Backdoor.Win32.IRCBot.kp among others and added to definitions database so it sounds like you were able to remove the infection.

I am glad to hear that! Hopefully my sending that to Dr. Web will help others. I am rather scrupulously clean with my PC - firewalls, av, spyware detectors run regularly, no p2p, etc., and it just goes to show that anyone can still get a trojan. Now I am trying to figure out how I got it - possibly infected from work.

>> In the meantime, turn System Restore back to enable your computer to "roll-back" to a clean working state should you decide not to reformat or until you do.

Right after I was clean and rebooted after Safe Mode removal, I turned on System Restore and set a new, fresh clean point to return to if necessary. You guys give great advice here. Thanks!

I will have to get in touch with work and get ahold of XP through them in order to do a reinstall, and I will argue with IT to have it done. :thumbsup:

I have checked over the last few hours and nothing has re-entered the temp. I was advised by the IT guys to run from the cmd prompt a netstat -a to check on open ports, and none associated with any unknown processes was found. I am changing the rest of my passwords and account information today from work, and I will look into a reformat and reinstall here shortly.

Again, thank you for the assistance! It was much appreciated:)

TJ
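The check the IT staff suggested in the post above, carried a step further as an added example (my own code, not from the thread): `netstat -a` alone lists sockets, but with the `-o` switch (available from Windows XP onward) each row also carries the owning PID, which can be joined against `tasklist` output to name the process behind every open port. The script flags any socket owned by a process not on a short allow-list, and separately flags a foreign port of 6667, the default IRC port, since Dr.Web tied this sample to the IRCBot family. The netstat and tasklist text below is constructed to mirror the real column layout; the allow-list, function names and PIDs are mine.

```python
"""Join `netstat -ano` with `tasklist` to name the process behind each socket (added example)."""
import subprocess

# Constructed sample of `netstat -ano` output, in the real column layout (not captured
# from the poster's machine). PID 1812 is a made-up instance of the numbered .exe.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1045       203.0.113.7:6667       ESTABLISHED     1812
  TCP    192.168.1.5:1046       0.0.0.0:0              LISTENING       1812
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist` output (same caveat).
SAMPLE_TASKLIST = """\

Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
System                         4 Console                 0        236 K
svchost.exe                  932 Console                 0      4,532 K
23hmunml35dl.exe            1812 Console                 0     36,120 K
"""

# Images the reviewer already recognises; anything else that owns a socket is reported.
KNOWN_IMAGES = {"system", "svchost.exe", "lsass.exe", "services.exe"}
REASON_UNKNOWN = "unknown process"
REASON_IRC = "foreign port 6667 (IRC)"


def parse_netstat(text):
    """Return (proto, local, foreign, state, pid) tuples; UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank and 'Active Connections' lines
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, foreign, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue
        rows.append((proto, local, foreign, state, int(pid)))
    return rows


def parse_tasklist(text):
    """Return {pid: image name}; image names may contain spaces, so split from the right."""
    procs = {}
    for line in text.splitlines():
        parts = line.rsplit(None, 5)  # name | PID | session name | session# | mem | 'K'
        if len(parts) != 6 or not parts[1].isdigit() or not parts[3].isdigit():
            continue  # header, separator and blank lines
        procs[int(parts[1])] = parts[0]
    return procs


def suspicious_connections(netstat_text, tasklist_text, known=KNOWN_IMAGES):
    """Flag sockets owned by images outside `known`, and any peer on the IRC port."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for proto, local, foreign, state, pid in parse_netstat(netstat_text):
        image = procs.get(pid, "<no such pid>")
        reasons = []
        if image.lower() not in known:
            reasons.append(REASON_UNKNOWN)
        if foreign.rsplit(":", 1)[-1] == "6667":
            reasons.append(REASON_IRC)
        if reasons:
            findings.append({"pid": pid, "image": image, "proto": proto, "local": local,
                             "foreign": foreign, "state": state, "reasons": reasons})
    return findings


def live_check():
    """Run the real commands on a Windows host and return the findings."""
    ns = subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=True).stdout
    tl = subprocess.run(["tasklist"], capture_output=True, text=True, check=True).stdout
    return suspicious_connections(ns, tl)


if __name__ == "__main__":
    for f in suspicious_connections(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"PID {f['pid']:>5}  {f['image']:<20} {f['proto']} {f['local']} -> "
              f"{f['foreign']} {f['state']}  [{'; '.join(f['reasons'])}]")
```

On the sample data the two rows owned by PID 1812 are reported and everything owned by System or svchost.exe is not; on a live machine, anything the script names that is not in the allow-list is the process to look up, and an ESTABLISHED session to port 6667 is worth treating as a command channel rather than a false alarm.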

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,606 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 14 December 2007 - 09:14 AM

You're welcome.

To protect yourself against malware and reduce the potential for re-infection, be sure to read:
"Simple and easy ways to keep your computer safe".
"How did I get infected?, With steps so it does not happen again!".
"The Ten Most Dangerous Things Users Do Online".
"The 10 Biggest Security Risks".
"Hardening Windows Security - Part 1" and "Hardening Windows Security - Part 2".

#9 malachi31

malachi31
  • Topic Starter

  • Members
  • 5 posts

Posted 14 December 2007 - 08:33 PM

Awesome links. Thanks. :thumbsup:

#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,606 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 15 December 2007 - 07:11 AM

Safe surfing and have a malware free day. :thumbsup:



