Win32:tratbho [trj],


6 replies to this topic

#1 TheHamburger

Posted 26 January 2008 - 04:54 AM

I have the same problem as the OP.

I have followed boopme's advice but when I open Firefox Avast is still advising me that I am infected with tratHBO.

Here is the log from Super

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/26/2008 at 04:16 PM

Application Version : 3.9.1008

Core Rules Database Version : 3389
Trace Rules Database Version: 1383

Scan type : Complete Scan
Total Scan Time : 00:42:12

Memory items scanned : 164
Memory threats detected : 1
Registry items scanned : 4971
Registry threats detected : 10
File items scanned : 25054
File threats detected : 15

Trojan.Unclassifed/AffiliateBundle
C:\WINDOWS\SYSTEM32\RQRRPQO.DLL
C:\WINDOWS\SYSTEM32\RQRRPQO.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4982BAB-80E9-4838-A2A0-95D30F348161}
HKCR\CLSID\{F4982BAB-80E9-4838-A2A0-95D30F348161}
HKCR\CLSID\{F4982BAB-80E9-4838-A2A0-95D30F348161}\InprocServer32
HKCR\CLSID\{F4982BAB-80E9-4838-A2A0-95D30F348161}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{F4982BAB-80E9-4838-A2A0-95D30F348161}
C:\VUNDOFIX BACKUPS\BYXXYWV.DLL.BAD
C:\VUNDOFIX BACKUPS\IIFDDAX.DLL.BAD
C:\VUNDOFIX BACKUPS\KHFEDDB.DLL.BAD
C:\VUNDOFIX BACKUPS\QOMKKJI.DLL.BAD
C:\VUNDOFIX BACKUPS\RQRQRQP.DLL.BAD
C:\VUNDOFIX BACKUPS\RQRRPQO.DLL.BAD
C:\VUNDOFIX BACKUPS\SSQQNLJ.DLL.BAD
C:\VUNDOFIX BACKUPS\TUVURSS.DLL.BAD
C:\VUNDOFIX BACKUPS\URQNNKJ.DLL.BAD
C:\VUNDOFIX BACKUPS\VTUSPPN.DLL.BAD
C:\VUNDOFIX BACKUPS\YAYWVUR.DLL.BAD

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{80940573-32D3-4221-AA4F-74356EEBAE5F}
HKCR\CLSID\{80940573-32D3-4221-AA4F-74356EEBAE5F}
HKCR\CLSID\{80940573-32D3-4221-AA4F-74356EEBAE5F}\InprocServer32
HKCR\CLSID\{80940573-32D3-4221-AA4F-74356EEBAE5F}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\PMNLM.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{80940573-32D3-4221-AA4F-74356EEBAE5F}

Trojan.Vundo/Variant-Installer
C:\VUNDOFIX BACKUPS\PMNLM.EXE.BAD

Trojan.Downloader-Gen/DDC
C:\VUNDOFIX BACKUPS\VACPNIHP.EXE.BAD


Is there anything else I can do?

Thanks

Edited by boopme, 26 January 2008 - 10:43 AM.
{Split to own topic,~boopme}



#2 quietman7


Posted 26 January 2008 - 10:54 AM

Please follow the instructions for using VundoFix in BC's self-help tutorial: "How To Remove Vundo/Winfixer Infection".

After running VundoFix, a text file named vundofix.txt will have automatically been saved to the root of the system drive, usually at C:\vundofix.txt. Please copy & paste the contents of that text file into your next reply.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 TheHamburger

Posted 28 January 2008 - 03:03 AM

Steps taken:

1. Run VundoFix (no infected files)

2. Run VirtumundoBeGone from safe mode (see log below)

3. Run cleanmgr

4. Uninstall Spybot and Avast

5. Install, update and run Ad-Aware; 2nd scan nothing found (couldn't find "Uncheck Search for negligible risk")

6. Install, update and run Spybot and Avast

After several scans with Spybot (7 or 8) in normal and safe mode, with System Restore off, I didn't have a scan without problems.
Always there would be Win32.Delf.uc and WindowsSecurityCentre.FirewallBypass and occasionally Virtumonde.

7. Download ComboFix.exe + WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

This worked almost identically to the ComboFix guide.

After ComboFix completed (see log below), Avast immediately reported a TratHBO infection. (Avast restarted after ComboFix rebooted the system.)

8. Scan with Spybot.

Virtumonde only.

Rescan:

Delf.uc
FirewallBypass

9. HouseCall (see reports below)

10. Panda (had to stop Avast)

11. Run Stinger

12. Install ZA

13. Check Windows Update

14. Download HijackThis (see report below)

VundoFix V6.7.7

Checking Java version...

Scan started at 3:38:55 PM 1/23/2008

Listing files found while scanning....

C:\WINDOWS\system32\awtuspm.dll
C:\WINDOWS\system32\awtuvsp.dll
C:\WINDOWS\system32\cbxyaax.dll
C:\WINDOWS\system32\cbxyxwt.dll
C:\WINDOWS\system32\ddcywww.dll
C:\WINDOWS\system32\ddcyyvu.dll
C:\WINDOWS\system32\efccbcb.dll
C:\WINDOWS\system32\efcddca.dll
C:\WINDOWS\system32\fccbxxw.dll
C:\WINDOWS\system32\hggdabb.dll
C:\WINDOWS\system32\jkkhhfd.dll
C:\WINDOWS\system32\jkkjkhe.dll
C:\WINDOWS\system32\jkkkijk.dll
C:\WINDOWS\system32\jkkkklm.dll
C:\WINDOWS\system32\khfecda.dll
C:\WINDOWS\system32\khffffc.dll
C:\WINDOWS\system32\ljjhggd.dll
C:\WINDOWS\system32\opnoopp.dll
C:\WINDOWS\system32\rqromkl.dll
C:\WINDOWS\system32\rqrpmji.dll
C:\WINDOWS\system32\rqrppqq.dll
C:\WINDOWS\system32\rqrsqpo.dll
C:\WINDOWS\system32\rqrsrqo.dll
C:\WINDOWS\system32\tuvstro.dll
C:\WINDOWS\system32\urqpqpp.dll
C:\WINDOWS\system32\xxyvtqo.dll
C:\WINDOWS\system32\xxywutq.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awtuspm.dll
C:\WINDOWS\system32\awtuspm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\awtuvsp.dll
C:\WINDOWS\system32\awtuvsp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbxyaax.dll
C:\WINDOWS\system32\cbxyaax.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbxyxwt.dll
C:\WINDOWS\system32\cbxyxwt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddcywww.dll
C:\WINDOWS\system32\ddcywww.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddcyyvu.dll
C:\WINDOWS\system32\ddcyyvu.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\efccbcb.dll
C:\WINDOWS\system32\efccbcb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\efcddca.dll
C:\WINDOWS\system32\efcddca.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fccbxxw.dll
C:\WINDOWS\system32\fccbxxw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hggdabb.dll
C:\WINDOWS\system32\hggdabb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkkhhfd.dll
C:\WINDOWS\system32\jkkhhfd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkkjkhe.dll
C:\WINDOWS\system32\jkkjkhe.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkkkijk.dll
C:\WINDOWS\system32\jkkkijk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkkkklm.dll
C:\WINDOWS\system32\jkkkklm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\khfecda.dll
C:\WINDOWS\system32\khfecda.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\khffffc.dll
C:\WINDOWS\system32\khffffc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ljjhggd.dll
C:\WINDOWS\system32\ljjhggd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\opnoopp.dll
C:\WINDOWS\system32\opnoopp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqromkl.dll
C:\WINDOWS\system32\rqromkl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqrpmji.dll
C:\WINDOWS\system32\rqrpmji.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqrppqq.dll
C:\WINDOWS\system32\rqrppqq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqrsqpo.dll
C:\WINDOWS\system32\rqrsqpo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqrsrqo.dll
C:\WINDOWS\system32\rqrsrqo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tuvstro.dll
C:\WINDOWS\system32\tuvstro.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\urqpqpp.dll
C:\WINDOWS\system32\urqpqpp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xxyvtqo.dll
C:\WINDOWS\system32\xxyvtqo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xxywutq.dll
C:\WINDOWS\system32\xxywutq.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.7.7

Checking Java version...

Scan started at 12:20:52 PM 1/24/2008

Listing files found while scanning....

C:\WINDOWS\system32\byxxywv.dll
C:\WINDOWS\system32\ddcyyvu.dll
C:\WINDOWS\system32\iifddax.dll
C:\WINDOWS\system32\khfeddb.dll
C:\WINDOWS\system32\qomkkji.dll
C:\WINDOWS\system32\rqrqrqp.dll
C:\WINDOWS\system32\ssqqnlj.dll
C:\WINDOWS\system32\tuvurss.dll
C:\WINDOWS\system32\urqnnkj.dll
C:\WINDOWS\system32\vtusppn.dll
C:\WINDOWS\system32\yaywvur.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\byxxywv.dll
C:\WINDOWS\system32\byxxywv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddcyyvu.dll
C:\WINDOWS\system32\ddcyyvu.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\iifddax.dll
C:\WINDOWS\system32\iifddax.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\khfeddb.dll
C:\WINDOWS\system32\khfeddb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qomkkji.dll
C:\WINDOWS\system32\qomkkji.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqrqrqp.dll
C:\WINDOWS\system32\rqrqrqp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqqnlj.dll
C:\WINDOWS\system32\ssqqnlj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tuvurss.dll
C:\WINDOWS\system32\tuvurss.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\urqnnkj.dll
C:\WINDOWS\system32\urqnnkj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtusppn.dll
C:\WINDOWS\system32\vtusppn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yaywvur.dll
C:\WINDOWS\system32\yaywvur.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddcyyvu.dll
C:\WINDOWS\system32\ddcyyvu.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.7.7

Checking Java version...

Scan started at 3:57:45 PM 1/24/2008

Listing files found while scanning....

C:\WINDOWS\system32\ddcyyvu.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddcyyvu.dll
C:\WINDOWS\system32\ddcyyvu.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.7.7

Checking Java version...

Scan started at 10:33:26 AM 1/25/2008

Listing files found while scanning....

C:\WINDOWS\system32\ddcyyvu.dll
C:\WINDOWS\system32\eigtdyjq.dll
C:\windows\system32\eigtdyjq.dllbox
C:\WINDOWS\system32\hveicclu.dll
C:\WINDOWS\system32\mlnmp.ini
C:\WINDOWS\system32\mlnmp.ini2
C:\WINDOWS\system32\pmnlm.dll
C:\WINDOWS\system32\pmnlm.exe
C:\WINDOWS\system32\rqrrpqo.dll
C:\WINDOWS\system32\ulccievh.ini
C:\WINDOWS\system32\uwtvbkok.dll
C:\WINDOWS\system32\vacpnihp.exe
C:\WINDOWS\system32\xemtvwhe.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddcyyvu.dll
C:\WINDOWS\system32\ddcyyvu.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\eigtdyjq.dll
C:\WINDOWS\system32\eigtdyjq.dll Has been deleted!

Attempting to delete C:\windows\system32\eigtdyjq.dllbox
C:\windows\system32\eigtdyjq.dllbox Has been deleted!

Attempting to delete C:\WINDOWS\system32\hveicclu.dll
C:\WINDOWS\system32\hveicclu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mlnmp.ini
C:\WINDOWS\system32\mlnmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\mlnmp.ini2
C:\WINDOWS\system32\mlnmp.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnlm.dll
C:\WINDOWS\system32\pmnlm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnlm.exe
C:\WINDOWS\system32\pmnlm.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqrrpqo.dll
C:\WINDOWS\system32\rqrrpqo.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ulccievh.ini
C:\WINDOWS\system32\ulccievh.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\uwtvbkok.dll
C:\WINDOWS\system32\uwtvbkok.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vacpnihp.exe
C:\WINDOWS\system32\vacpnihp.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\xemtvwhe.dll
C:\WINDOWS\system32\xemtvwhe.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddcyyvu.dll
C:\WINDOWS\system32\ddcyyvu.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\rqrrpqo.dll
C:\WINDOWS\system32\rqrrpqo.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.7.7

Checking Java version...

Scan started at 10:59:20 AM 1/25/2008

Listing files found while scanning....

C:\WINDOWS\system32\ddcyyvu.dll
C:\WINDOWS\system32\rqrrpqo.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddcyyvu.dll
C:\WINDOWS\system32\ddcyyvu.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\rqrrpqo.dll
C:\WINDOWS\system32\rqrrpqo.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddcyyvu.dll
C:\WINDOWS\system32\ddcyyvu.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\rqrrpqo.dll
C:\WINDOWS\system32\rqrrpqo.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.7.7

Checking Java version...

Scan started at 2:20:02 PM 1/26/2008

Listing files found while scanning....

C:\WINDOWS\system32\ddcyyvu.dll
C:\WINDOWS\system32\rqrrpqo.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddcyyvu.dll
C:\WINDOWS\system32\ddcyyvu.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\rqrrpqo.dll
C:\WINDOWS\system32\rqrrpqo.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddcyyvu.dll
C:\WINDOWS\system32\ddcyyvu.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\rqrrpqo.dll
C:\WINDOWS\system32\rqrrpqo.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.7.7

Checking Java version...

Scan started at 1:00:56 PM 1/27/2008

Listing files found while scanning....

No infected files were found.


[01/27/2008, 13:18:01] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\RT\Desktop\VirtumundoBeGone.exe" )
[01/27/2008, 13:18:04] - Detected System Information:
[01/27/2008, 13:18:04] - Windows Version: 5.1.2600, Service Pack 2
[01/27/2008, 13:18:05] - Current Username: RT (Admin)
[01/27/2008, 13:18:05] - Windows is in SAFE mode with Networking.
[01/27/2008, 13:18:05] - Searching for Browser Helper Objects:
[01/27/2008, 13:18:05] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} ()
[01/27/2008, 13:18:05] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/27/2008, 13:18:05] - No filename found. Continuing.
[01/27/2008, 13:18:05] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[01/27/2008, 13:18:05] - BHO 3: {3049C3E9-B461-4BC5-8870-4C09146192CA} (RealPlayer Download and Record Plugin for Internet Explorer)
[01/27/2008, 13:18:05] - BHO 4: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[01/27/2008, 13:18:05] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[01/27/2008, 13:18:05] - BHO 6: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[01/27/2008, 13:18:05] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/27/2008, 13:18:05] - No filename found. Continuing.
[01/27/2008, 13:18:05] - BHO 7: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[01/27/2008, 13:18:05] - BHO 8: {F4982BAB-80E9-4838-A2A0-95D30F348161} ()
[01/27/2008, 13:18:05] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/27/2008, 13:18:05] - Checking for HKLM\...\Winlogon\Notify\ssqonmk
[01/27/2008, 13:18:05] - Found: HKLM\...\Winlogon\Notify\ssqonmk - This is probably Virtumundo.
[01/27/2008, 13:18:05] - Assigning {F4982BAB-80E9-4838-A2A0-95D30F348161} MSEvents Object
[01/27/2008, 13:18:05] - BHO list has been changed! Starting over...
[01/27/2008, 13:18:05] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} ()
[01/27/2008, 13:18:05] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/27/2008, 13:18:06] - No filename found. Continuing.
[01/27/2008, 13:18:06] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[01/27/2008, 13:18:06] - BHO 3: {3049C3E9-B461-4BC5-8870-4C09146192CA} (RealPlayer Download and Record Plugin for Internet Explorer)
[01/27/2008, 13:18:06] - BHO 4: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[01/27/2008, 13:18:06] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[01/27/2008, 13:18:06] - BHO 6: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[01/27/2008, 13:18:06] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/27/2008, 13:18:06] - No filename found. Continuing.
[01/27/2008, 13:18:06] - BHO 7: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[01/27/2008, 13:18:06] - BHO 8: {F4982BAB-80E9-4838-A2A0-95D30F348161} (MSEvents Object)
[01/27/2008, 13:18:06] - ALERT: Found MSEvents Object!
[01/27/2008, 13:18:06] - Finished Searching Browser Helper Objects
[01/27/2008, 13:18:06] - *** Detected MSEvents Object
[01/27/2008, 13:18:06] - Trying to remove MSEvents Object...
[01/27/2008, 13:18:07] - Terminating Process: IEXPLORE.EXE
[01/27/2008, 13:18:07] - Terminating Process: RUNDLL32.EXE
[01/27/2008, 13:18:07] - Disabling Automatic Shell Restart
[01/27/2008, 13:18:07] - Terminating Process: EXPLORER.EXE
[01/27/2008, 13:18:08] - Suspending the NT Session Manager System Service
[01/27/2008, 13:18:08] - Terminating Windows NT Logon/Logoff Manager
[01/27/2008, 13:18:08] - Re-enabling Automatic Shell Restart
[01/27/2008, 13:18:08] - File to disable: C:\WINDOWS\system32\ssqonmk.dll
[01/27/2008, 13:18:08] - Renaming C:\WINDOWS\system32\ssqonmk.dll -> C:\WINDOWS\system32\ssqonmk.dll.vir
[01/27/2008, 13:18:08] - File successfully renamed!
[01/27/2008, 13:18:08] - Removing HKLM\...\Browser Helper Objects\{F4982BAB-80E9-4838-A2A0-95D30F348161}
[01/27/2008, 13:18:08] - Removing HKCR\CLSID\{F4982BAB-80E9-4838-A2A0-95D30F348161}
[01/27/2008, 13:18:08] - Adding Kill Bit for ActiveX for GUID: {F4982BAB-80E9-4838-A2A0-95D30F348161}
[01/27/2008, 13:18:09] - Deleting ATLEvents/MSEvents Registry entries
[01/27/2008, 13:18:09] - Removing HKLM\...\Winlogon\Notify\ssqonmk
[01/27/2008, 13:18:09] - Searching for Browser Helper Objects:
[01/27/2008, 13:18:09] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} ()
[01/27/2008, 13:18:09] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/27/2008, 13:18:09] - No filename found. Continuing.
[01/27/2008, 13:18:09] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[01/27/2008, 13:18:09] - BHO 3: {3049C3E9-B461-4BC5-8870-4C09146192CA} (RealPlayer Download and Record Plugin for Internet Explorer)
[01/27/2008, 13:18:09] - BHO 4: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[01/27/2008, 13:18:09] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[01/27/2008, 13:18:09] - BHO 6: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[01/27/2008, 13:18:09] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/27/2008, 13:18:09] - No filename found. Continuing.
[01/27/2008, 13:18:09] - BHO 7: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[01/27/2008, 13:18:09] - Finished Searching Browser Helper Objects
[01/27/2008, 13:18:09] - Finishing up...
[01/27/2008, 13:18:09] - A restart is needed.
[01/27/2008, 13:18:22] - Attempting to Restart via STOP error (Blue Screen!)


Detected malware

Note: Complete removal of the malware listed below failed! If you require general hints and tips to solve the problem, please click here. Malware specific information is available from the relevant malware section.

WORM_IRCBOT.SN
2 Infections

Transfering more information about this malware...
General information about this type of malware.
There is currently no more information available for this malware...
General information about this type of malware.
To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

Malware Overview

This worm may be dropped by other malw...
Aliasnames: no more aliase names known
Platform: Windows 98, ME, NT, 2000, XP, Server 2003
First occurence: Not specified
General risk rate Very lowLowMediumHigh
General information about this type of malware.

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

WORM_IRCBOT.SN Behavior Diagram

Malware Overview

This worm may be dropped by other malware. It may arrive via network shares. It may be downloaded unknowingly by a user when visiting malicious Web sites.

It drops a copy of itself. This worm creates the following registry entry to enable its automatic execution at every system startup.

It creates an IRC script that automatically sends a message to all users who join the IRC server that it connects to.

It opens random TCP ports to connect to an Internet Relay Chat (IRC) server and joins an IRC channel. Once connected, it acts as a backdoor that allows a remote malicious user to issue commands locally on an affected machine.

Some infections of this malware could not be removed automatically! You can manually select "Remove" and perform another "cleanup" to try and solve this problem.
Alternatively, you may click here to receive detailed instructions on how to remove these infections manually.
Cleanup options Clean all detected Infections automatically
Select an individual action for each detected infection.
Infected operating systemChecking this line will take no action on the infection Checking this column will clean the infectionWarning: Checking this column will delete the infection (e.g. the infected file) from your hard disk.Files infected by this malwareThis will display all the files infected by the above malware.ReasonThis column indicates the reason why cleanup failed.The system denied access to the fileThe current pattern does not support cleanup

PE_TRATS.A-O
1 Infections

Transfering more information about this malware...
General information about this type of malware.
There is currently no more information available for this malware...
General information about this type of malware.
To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

This file infector may be dropped by other malware. ...
Aliasnames: no more aliase names known
Platform: Windows 98, ME, NT, 2000, XP, Server 2003
First occurence: Not specified
General risk rate Very lowLowMediumHigh
General information about this type of malware.

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

PE_TRATS.A-O Behavior Diagram

This file infector may be dropped by other malware. It may also be downloaded unknowingly by a user when visiting malicious Web sites.

It drops another malware detected by Trend Micro as TROJ_TRATS.A.

It targets EXE files for infection. Its infection routine involves sandwiching a target file between its code and TROJ_TRATS.A's code. When an infected file is executed, normal file operation is still performed but, at the same time, the infection cycle is triggered all over again.

Some infections of this malware could not be removed automatically! You can manually select "Remove" and perform another "cleanup" to try and solve this problem.
Alternatively, you may click here to receive detailed instructions on how to remove these infections manually.
Cleanup options Clean all detected Infections automatically
Select an individual action for each detected infection.
Infected operating systemChecking this line will take no action on the infection Checking this column will clean the infectionWarning: Checking this column will delete the infection (e.g. the infected file) from your hard disk.Files infected by this malwareThis will display all the files infected by the above malware.ReasonThis column indicates the reason why cleanup failed.The system denied access to the fileThe current pattern does not support cleanup

POSSIBLE_MLZP-4
1 Infections

Transfering more information about this malware...
General information about this type of malware.
There is currently no more information available for this malware...
General information about this type of malware.
Aliasnames: no more aliase names known
Platform: Not specified
First occurence: Not specified
General risk rate Very lowLowMediumHigh
General information about this type of malware.

Some infections of this malware could not be removed automatically! You can manually select "Remove" and perform another "cleanup" to try and solve this problem.
Alternatively, you may click here to receive detailed instructions on how to remove these infections manually.
Cleanup options Clean all detected Infections automatically
Select an individual action for each detected infection.
Infected operating systemChecking this line will take no action on the infection Checking this column will clean the infectionWarning: Checking this column will delete the infection (e.g. the infected file) from your hard disk.Files infected by this malwareThis will display all the files infected by the above malware.ReasonThis column indicates the reason why cleanup failed.The system denied access to the fileThe current pattern does not support cleanup

POSSIBLE_MLWR-5
2 Infections

Aliasnames: no more aliase names known
Platform: Not specified
First occurence: Not specified

This is the Trend Micro detection for suspicious files that manifest behavior and characteristics similar to known PE_LOOKED variants. It can also be used by other spyware such as TSPY_FRETHOG variants.

To view descriptions of PE_LOOKED and TSPY_FRETHOG variants, refer to the following links:

* PE_LOOKED
* TSPY_FRETHOG

If your Trend Micro product detects a file under this detection name, do not execute the file. Delete it immediately especially if it came from an untrusted or an unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.

To submit files, please refer to the Solution section.

Some infections of this malware could not be removed automatically! You can manually select "Remove" and perform another "cleanup" to try and solve this problem.
Detected signatures
EICAR signature
0 Signatures
Detected grayware/spyware

Note: Complete removal of the grayware listed below failed! If you require general hints and tips to solve the problem, please click here. Grayware specific information is available from the relevant grayware section.

HACKINGTOOLS_HIDEWIN
1 Infections

There is currently no more information available for this grayware/spyware...
Aliasnames: no more aliase names known
Platform: Not specified
First occurence: Not specified

Some infections of this grayware/spyware could not be removed automatically!

HKTL_HIDEWIN.AA
1 Infections

Aliasnames: no more aliase names known
Platform: Windows NT, 2000, XP, Server 2003
First occurence: Not specified

This hacking tool may arrive on a system as dropped file of other grayware, or as a downloaded file from the Internet when users visit malicious Web sites.

It is a command line program that can be used by other grayware to perform their intended routines. It can also be used to hide sniffers, backdoor programs, keyloggers, and other applications that are capable of stealing information from affected users.

Some infections of this grayware/spyware could not be removed automatically!
HTTP cookies
0 Detected
Detected vulnerabilities

Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (934233)

Affected programs and services: 2007 Microsoft Office System
Microsoft Excel 2000
Microsoft Excel 2002
Microsoft Excel 2003
Microsoft Excel 2003 Viewer
Microsoft Office 2000 Service Pack 3
Microsoft Office 2003 Service Pack 2
Microsoft Office 2004 for Mac
Microsoft Office 2007
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats
Microsoft Office XP Service Pack 3
Malware exploiting this vulnerability: unknown
This security advisory addresses several vulnerabilities in Microsoft Excel. These vulnerabilities exist because of the way Microsoft Excel handles specially crafted files that contain malformed records or font values. Once successfully exploited, these vulnerabilities allow an attacker to gain user rights similar to the currently logged on user.

Vulnerability in Microsoft Office Could Allow Remote Code Execution (934873)

Affected programs and services: 2007 Microsoft Office System
Microsoft Office 2000 Service Pack 3
Microsoft Office 2003 Service Pack 2
Microsoft Office 2004 for Mac
Microsoft Office XP Service Pack 3
Malware exploiting this vulnerability: unknown
This update replaces security update MS07-015. A remote code execution vulnerability exists in the way Microsoft Office handles a specially crafted drawing object, which may be included as an attachment to an email message or hosted on a malicious Web site. A remote malicious user could exploit this vulnerability by constructing a specially crafted Office file containing a malformed drawing object that could allow remote code execution.

Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (936542)

Affected programs and services: Microsoft Excel 2000 Service Pack 3 (Microsoft Office 2000 Service Pack 3)
Microsoft Excel 2002 Service Pack 3 (Microsoft Office XP Service Pack 3)
Microsoft Excel 2003 Service Pack 2 (Microsoft Office 2003 Service Pack 2)
Microsoft Excel 2003 Viewer
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats
Microsoft Office Excel 2007 (2007 Microsoft Office System)
Malware exploiting this vulnerability: unknown
This update solves a vulnerability that exists in the way Microsoft Excel handles malformed Excel files. This vulnerability can be expoited by a remote malicious user by sending a malformed file as an email message attachment or as a file hosted on a malicious Web site. Once successfully exploited, the remote user can gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS07-042

Affected programs and services: unknown
Malware exploiting this vulnerability: unknown



---------------------------------------
2nd
----------------------------------------
Detected malware

Note: Complete removal of the malware listed below failed! If you require general hints and tips to solve the problem, please click here. Malware specific information is available from the relevant malware section.

WORM_IRCBOT.SN
1 Infections

Aliasnames: no more aliase names known
Platform: Windows 98, ME, NT, 2000, XP, Server 2003
First occurence: Not specified

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

WORM_IRCBOT.SN Behavior Diagram

Malware Overview

This worm may be dropped by other malware. It may arrive via network shares. It may be downloaded unknowingly by a user when visiting malicious Web sites.

It drops a copy of itself. This worm creates the following registry entry to enable its automatic execution at every system startup.

It creates an IRC script that automatically sends a message to all users who join the IRC server that it connects to.

It opens random TCP ports to connect to an Internet Relay Chat (IRC) server and joins an IRC channel. Once connected, it acts as a backdoor that allows a remote malicious user to issue commands locally on an affected machine.

Some infections of this malware could not be removed automatically! You can manually select "Remove" and perform another "cleanup" to try and solve this problem.

POSSIBLE_MLWR-5
2 Infections

Aliasnames: no more aliase names known
Platform: Not specified
First occurence: Not specified

This is the Trend Micro detection for suspicious files that manifest behavior and characteristics similar to known PE_LOOKED variants. It can also be used by other spyware such as TSPY_FRETHOG variants.

To view descriptions of PE_LOOKED and TSPY_FRETHOG variants, refer to the following links:

* PE_LOOKED
* TSPY_FRETHOG

If your Trend Micro product detects a file under this detection name, do not execute the file. Delete it immediately especially if it came from an untrusted or an unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.

To submit files, please refer to the Solution section.

Some infections of this malware could not be removed automatically! You can manually select "Remove" and perform another "cleanup" to try and solve this problem.
Detected signatures
EICAR signature
0 Signatures
Detected grayware/spyware

Note: Complete removal of the grayware listed below failed! If you require general hints and tips to solve the problem, please click here. Grayware specific information is available from the relevant grayware section.
HTTP cookies
0 Detected
Detected vulnerabilities

Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (934233)

Affected programs and services: 2007 Microsoft Office System
Microsoft Excel 2000
Microsoft Excel 2002
Microsoft Excel 2003
Microsoft Excel 2003 Viewer
Microsoft Office 2000 Service Pack 3
Microsoft Office 2003 Service Pack 2
Microsoft Office 2004 for Mac
Microsoft Office 2007
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats
Microsoft Office XP Service Pack 3
Malware exploiting this vulnerability: unknown
This security advisory addresses several vulnerabilities in Microsoft Excel. These vulnerabilities exist because of the way Microsoft Excel handles specially crafted files that contain malformed records or font values. Once successfully exploited, these vulnerabilities allow an attacker to gain user rights similar to the currently logged on user.

Vulnerability in Microsoft Office Could Allow Remote Code Execution (934873)

Affected programs and services: 2007 Microsoft Office System
Microsoft Office 2000 Service Pack 3
Microsoft Office 2003 Service Pack 2
Microsoft Office 2004 for Mac
Microsoft Office XP Service Pack 3
Malware exploiting this vulnerability: unknown
This update replaces security update MS07-015. A remote code execution vulnerability exists in the way Microsoft Office handles a specially crafted drawing object, which may be included as an attachment to an email message or hosted on a malicious Web site. A remote malicious user could exploit this vulnerability by constructing a specially crafted Office file containing a malformed drawing object that could allow remote code execution.

Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (936542)

Affected programs and services: Microsoft Excel 2000 Service Pack 3 (Microsoft Office 2000 Service Pack 3)
Microsoft Excel 2002 Service Pack 3 (Microsoft Office XP Service Pack 3)
Microsoft Excel 2003 Service Pack 2 (Microsoft Office 2003 Service Pack 2)
Microsoft Excel 2003 Viewer
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats
Microsoft Office Excel 2007 (2007 Microsoft Office System)
Malware exploiting this vulnerability: unknown
This update solves a vulnerability that exists in the way Microsoft Excel handles malformed Excel files. This vulnerability can be expoited by a remote malicious user by sending a malformed file as an email message attachment or as a file hosted on a malicious Web site. Once successfully exploited, the remote user can gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS07-042

Affected programs and services: unknown
Malware exploiting this vulnerability: unknown

Sorry if I have included too many reports.

I am still getting TratHBO warnings from Avast.

Any advice?

Thanks


Mod Edit: Edited to remove HJT log. ~tg

Edited by tg1911, 28 January 2008 - 03:46 AM.


#4 tg1911

    Lord Spam Magnet

  • Members
  • 19,274 posts
  • Gender:Male
  • Location:SW Louisiana

Posted 28 January 2008 - 03:47 AM

TheHamburger,

I have removed your HJT log, as this is not the proper forum in which to post it.
If quietman7 thinks you should post a log for examination, he will recommend it to you, along with instructions on how to properly do it.

#5 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,606 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 28 January 2008 - 09:14 AM

This is a very heavily infected system and vundo is not your only problem.

One or more of the identified infections is a backdoor Trojan. Backdoor Trojans, IRCBots are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge. Read the Danger: Remote Access Trojans.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Although the backdoor Trojan has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the backdoor Trojan has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. Please read "When should I re-format?" and "Reformatting the computer or troubleshooting; which is best?".

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Let me know how you wish to proceed.

#6 TheHamburger

  • Topic Starter
  • Members
  • 3 posts

Posted 28 January 2008 - 10:11 PM

Thanks for that.

I will reformat.

Cheers

#7 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,606 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 28 January 2008 - 10:26 PM

In case you need help with this, please review the following links:
"How to partition and format a hard disk in Windows XP"
"How do I reinstall and reformat Windows XP on my hard drive?"

These links include step by step instructions:
"Reformat & Clean Install Windows".
"Clean Install Windows XP".
"XP Clean Install (Interactive Setup)".

Reformatting a hard disk deletes all data. You should back up all your important documents, data files and photos. You should not back up any .exe files because they may be infected. Save your files to a CD. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive. Don't forget you will have to update your system and apply all Windows security patches.

Also see "How to keep your Windows XP activation after clean install".

If you need additional assistance, you can start a new topic in the Windows XP Home and Professional forum.