Todo ? Virus / *hmunmlcl*.exe ? Trojan Problem

G'Day Folks,


On the Vista Ultimate ASUS Laptop I have come up with a problem that keeps returning.


We have Bitdefender Internet Security 2008 installed and all the latest Vista updates.


After importing eMails from another MS Outlook 2003 .pst file, the BitDefender popup started coming up warning about a TODO trying to connect to the Internet.


Related images and Bitdefender scan - with detected Trojans - which were then deleted [ Generic.Malware.dld!! and Trojan.Spy.Goldun.HP ] - are attached in the Word 97 / 2003 document ZIP files TODO Error or virus01.zip - TODO Error or virus02.zip - and TODO Error or virus03.zip, in sequence of task actions.


Other related information from my search yielded the following - with which SDFix.exe did not work on Vista (the "Y"(es) option never appeared).


The search was for " *hmunmlcl*.exe " (after selecting other combinations of original file names in the popups with no results) and only searching for an abbreviated form " *hmunmlcl*.exe ", which resulted in the following:


trojan that comes back even after deletion


*hmunmlcl*.exe.conf *exhmunmlcl*.exe.conf *mdnk*.exe.conf I tried cleaning with cccleaner, ad-aware, spybot and tested with hijackthis and they don't ...


www.commentcamarche.net/forum/affich-7518665-trojan-qui-revient-meme-apres-suppression


dos agobot.hm


for gaobot ==> http://securityresponse.symantec.com/avcenter/FxGaobot.exe ... ftp://www.renonce.com/pub/renonce/RimouveXPFr.exe ...


www.commentcamarche.net/forum/affich-647874-dos-agobot-hm




Help please!!!!!!! exhmunmlclr.exe!!!!! file Smvss - TWEAKNESS BOARD


NOW) another file called XXexymupcntXX.exe, where the Xs stand for different numbers each time, exactly as for hmunmlcl.exe and ...


forum.tweakness.net/index.php?showtopic=2369


Search for the ads2.start-run.com - result was






[HELP] Virus or something else that wants to connect? - Hardware Upgrade ... TODO: <File description> (21wwhmunmlcl61.exe) is trying to connect to ads2.stat-run.com (209.61.252.21) using remote port 6921. ...


www.hwupgrade.it/forum/showthread.php?t=1796394




As you will see from the images at the end of the document, the Malicious and BitDefender scans gave the system a clean bill of health, yet the popup came back after rebooting (last 3 images in the document).


Anyone have a cleaner for this or know what the problem is ??

Comments

  • Hello pcbugfixer,


    Please upload one or more samples so they can be analyzed. There is not much we can do just by looking at the screenshots.


    About the TODO thing... as you noticed, that is what is written in the file's properties. BitDefender takes the description of the file and shows it. In case the description is not present, it uses the filename.


    Cris.

  • pcbugfixer
    pcbugfixer ✭✭✭
    edited January 2009

    G'Day Chris,


    Thanks for looking at this. Can you be more specific as to what samples you want?


    However, I doubt that I have anything left of the detected and deleted files, i.e. the Generic.Malware.dld!!.6CA535D6 Deleted, the Trojan.Spy.Goldun.HP Deleted and the Win32.Netsky.T@mm Deleted, as they were, per the report of action, "Deleted" and not quarantined, so I am unable to send them in.


    I doubt, however, that they are the problem, as after the safe mode scan with Bitdefender the popups reappeared and continued to generate the offending exe files, e.g. 23wwhmunmlcl23.exe, or 47wwhmunmlc69.exe, etc., each time generating a new one in the Temp folder of the user, just changing the numbers of the file, e.g. 83wwhmunmlc83.exe, 17wwhmunmlc17.exe etc.


    Continuing with my own research, the searches led me to many related issues, one of which was the Avast forum site - http://forum.blabla.com/index.php?topic=37888.0


    I temporarily "permanently disabled" BDIS 2008 and loaded other detectors as per the last post by "Tech" on the <removed> forum site - http://forum.<removed>.com/in...p?topic=37888.0 downloading all the software and then loading each in turn to allow them to scan the Laptop to see if they would discover anything that the others missed.


    The suggestions of the post were:


    Didn't <removed> detect this virus?


    Seems you should have sent it to quarantine... Why is it returning?


    I suggest: (Tech's suggestion)


    1. Disable System Restore and then reenable it again.


    2. Clean your temporary files.


    3. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try <removed>! instead.


    4. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.


    5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or <removed> RootkitBuster.


    6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.


    7. Immunize your system with SpywareBlaster or <removed>.


    8. Check if you have insecure applications with Secunia Software Inspector.


    When I loaded "<removed>!" it found a " comrepl.exe " file in the c:\windows\system32 folder and identified it as " Trojan.DownLoad.3206 ", and after deleting it and rebooting the Laptop, the popups in relation to the TODO, etc. have stopped. At least they have not returned for the last 5 hours while I use some of the other Virus, Malware, etc. detection programs to see what else the others have missed. - good exercise, opens your eyes to see what they discover that others miss.


    While using the <removed>, I also accidentally deleted the " livesrv.exe " from the Program Files\Common Files\BitDefenderD\BitDefender Update Services folder which <removed> had identified as an incurable infection, probably "DLOADER.Trojan" - This I will repair after I have scanned the Laptop with some of the other scanners as previously mentioned.


    The only reference I found for the " Trojan.DownLoad.3206 " was on this site - http://translate.google.com.au/translate?h...ficial%26sa%3DG However, no details for it.


    So far none of the other Virus/ Malware etc scanners are finding anything of significance other than Cookies.


    Anyone reading this, I would suggest that they remember that no "One" Security come Anti-Virus program protects you from "Everything" - there ain't such a program, but it is on my wish list.
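The thread gives two concrete artefacts a defender can key on: the shape of the BitDefender connection alert quoted in the search results ("TODO: <File description> (21wwhmunmlcl61.exe) is trying to connect to ads2.stat-run.com (209.61.252.21) using remote port 6921.") and the renaming scheme of the dropped files (two digits, "ww", the "hmunmlc" stem, two digits, ".exe"). The following is an added example, not code from the thread or from BitDefender: it parses such alert lines from a constructed sample set, flags processes that match the described naming scheme or carry the unfilled "TODO" description, and groups them by destination so the indicators can be submitted together.

```python
import re
from collections import defaultdict

# Shape of the BitDefender firewall alert as quoted in the thread:
# "<desc> (<exe>) is trying to connect to <host> (<ip>) using remote port <port>."
ALERT_RE = re.compile(
    r"^(?P<desc>.*?) \((?P<exe>[^()]+\.exe)\) is trying to connect to "
    r"(?P<host>\S+) \((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) using remote port (?P<port>\d+)"
)

# Renaming scheme described in the thread for the dropped files; the stem appears
# both as "hmunmlc" and "hmunmlcl", so the trailing "l" is optional.
DROPPED_RE = re.compile(r"^\d{2}wwhmunmlcl?\d{2}\.exe$", re.IGNORECASE)


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["port"] = int(fields["port"])
    # "TODO: <File description>" is the placeholder left when the binary's
    # version resource was never filled in; legitimate software rarely ships it.
    fields["generic_desc"] = fields["desc"].startswith("TODO:")
    return fields


def is_dropped_variant(filename):
    """True if the process name follows the NNwwhmunmlc(l)NN.exe renaming scheme."""
    return DROPPED_RE.match(filename) is not None


def summarize(lines):
    """Group alerting processes by (host, ip, port); collect names worth submitting."""
    by_dest = defaultdict(set)
    suspicious = set()
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        by_dest[(alert["host"], alert["ip"], alert["port"])].add(alert["exe"])
        if is_dropped_variant(alert["exe"]) or alert["generic_desc"]:
            suspicious.add(alert["exe"])
    return by_dest, suspicious


# Constructed sample alerts modelled on the one quoted in the thread; the
# firefox line and its 192.0.2.10 address are made-up benign traffic.
SAMPLE_ALERTS = [
    "TODO: <File description> (21wwhmunmlcl61.exe) is trying to connect to ads2.stat-run.com (209.61.252.21) using remote port 6921.",
    "TODO: <File description> (83wwhmunmlc83.exe) is trying to connect to ads2.stat-run.com (209.61.252.21) using remote port 6921.",
    "Mozilla Firefox (firefox.exe) is trying to connect to www.example.com (192.0.2.10) using remote port 80.",
    "this line is not an alert",
]
```

Running `summarize(SAMPLE_ALERTS)` yields one destination shared by the two renamed droppers and a separate, unflagged entry for the browser.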

  • alexcrist
    alexcrist
    edited January 2009

    I was asking for one or more files like "83wwhmunmlc83.exe" (and variants). Also, since you also found comrepl.exe, it would have been useful if you sent it to us.


    As a general rule, we can use any samples of malware that are not already detected by BitDefender. Any undetected sample which is sent to us serves only to improve BitDefender's detection rate, so its users are more protected against threats.


    But since you already removed all of them, there's nothing else we can do about it. If, by any chance, they re-appear (or if you know what the infection source is), please send them to us, so we can add detection for them.


    As for livesrv.exe... Dr<removed> has been detecting it for a very long period of time (I know about it since a year ago, but the detection might be even older). Why they didn't already fix it is beyond my understanding (and I'm talking here about Dr<removed> fixing their false detection, because livesrv.exe is perfectly legit and there's nothing to fix about it).


    Cris.

  • pcbugfixer
    pcbugfixer ✭✭✭
    edited August 2008

    Ok Chris,


    The next time I have a customer's PC with BitDefender on it, I will "Quarantine" the detected files instead of deleting them, so that they can be forwarded (reported / sent in). Bit hard when BD did not detect the comrepl.exe Trojan.


    Obviously a User would want to delete all the discovered infections (Infected files /Viruses / Trojans / etc) and if BitDefender or this Forum would prefer that they are Quarantined, then a Sticky should be created with clear instructions for the User that even a Novice can understand. :D


    Anyway, no re-occurrence so far !


    :ph34r:

  • alexcrist
    alexcrist
    edited August 2008
    The next time I have a customer's PC with BitDefender on it, I will "Quarantine" the detected files instead of deleting them, so that they can be forwarded (reported / sent in). Bit hard when BD did not detect the comrepl.exe Trojan.


    It would be better to be sent through mail or forum. They have a higher priority.


    Still, sending through Quarantine is better than not sending at all.


    Obviously a User would want to delete all the discovered infections (Infected files /Viruses / Trojans / etc) and if BitDefender or this Forum would prefer that they are Quarantined, then a Sticky should be created with clear instructions for the User that even a Novice can understand. :D


    Well, no.


    As I said, there's nothing we can do with already detected samples. Once a sample is detected, it's obvious that it is already found in our database. And a file gets quarantined by BD only if it's already detected.


    We could use undetected samples, so we can add detection. And these samples can be gathered without risks only by users who know what they are doing. We don't recommend, by any means, for someone who doesn't know how to handle malware and the risks involved to "play" with these kinds of files. Obviously, for novices, it's better to get rid of any suspect files before any more harm is done.


    But if someone has enough knowledge to handle infected files, then, by all means, pack the files and send them to us, so we can study them. :)


    Also, instructions for virus submission are already posted here: Virus Submission


    Cris.

  • G'Day Folks, Attn: Chris.


    Here are 2 of the files in question


    comrepl.zip = comrepl.exe, which generates a file called hmunmlcl*.exe (replace * with a double number like 47 - I missed catching that one in the Temp folder)


    and then the popup warning (1st) warns about 31wwhmunmlcl74.zip = 31wwhmunmlcl74.exe which it offers to Quarantine


    Both files uploaded as zip with the advised usual password.


    When you find what caused it, let me know please!


    :ph34r:

  • stOneskull
    edited January 2009

    I have this virus..


    Scary little critter it is.


    Thanks for posting the info about <removed>!


    I will try it now.