Author Topic: Windows Live Messenger!?!?!?

sawadeekap

  • Guest
Windows Live Messenger!?!?!?
« on: August 15, 2007, 07:46:20 PM »
I received a file from my friend through MSN; it's an img file at first... then when you have received and run the program, it (the virus or worm or ??) will automatically send out the file using MSN without you knowing that a file is being sent....
I did download the avast cleaner but no virus was found.. but my other friends on the list always ask why I keep sending them files.. how do I clean this up???
The virus or worm is pretty clever: it will post a question like "its that you on the right" and then below there will be a file waiting to be accepted, with the file name img.(something)

Thanks in advance for the advice!!

Offline Maxx_original

  • Moderator
  • Super Poster
  • Posts: 1479
Re: Windows Live Messenger!?!?!?
« Reply #1 on: August 15, 2007, 07:56:33 PM »
1) download HJT from trendsecure.com, run it and post the log here...
2) we could try to find the malicious processes..
3) send the files responsible for those processes or services to VirusTotal and post the results
4) send the files to virus[at]avast[dot]com
5) we'll add some detection

After the clean-up, please install all the latest updates for MSN; it's a big hole in your system without them... and a note: be careful when opening files received via MSN, ICQ etc... ;)

sawadeekap

  • Guest
Re: Windows Live Messenger!?!?!?
« Reply #2 on: August 15, 2007, 08:12:47 PM »
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:04:17 AM, on 8/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VDOTool\TBPanel.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Razer\Copperhead\razerhid.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\LClock\LClock.exe
C:\Program Files\VisualTooltip\VisualToolTip.exe
C:\Program Files\Styler\Styler.exe
C:\Program Files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\DOCUME~1\Lester\LOCALS~1\Temp\{0F7B42DC-55A3-409C-A533-6F8CC180EDC4}\Blaero Start Orb.exe
C:\WINDOWS\vpcrtf.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Razer\Copperhead\razertra.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Razer\Copperhead\razerofa.exe
C:\DOCUME~1\Lester\LOCALS~1\Temp\{4A8B3CAB-9153-401E-B6BE-72750B3269B0}\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

sawadeekap

  • Guest
Re: Windows Live Messenger!?!?!?
« Reply #3 on: August 15, 2007, 08:13:43 PM »
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsxlive.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Gainward] C:\Program Files\VDOTool\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [Vista Sidebar] C:\Program Files\Vista Sidebar\sidebar.exe
O4 - HKLM\..\Run: [VisualTooltip] C:\Program Files\VisualTooltip\VisualToolTip.exe
O4 - HKLM\..\Run: [Blaero Start Orb] C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe
O4 - HKLM\..\Run: [Styler] C:\Program Files\Styler\Styler.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Funshion] "C:\Program Files\Funshion Online\Funshion\Funshion.exe" /tray
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Microsoft Visual Application] vpcrtf.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EDDA7B3F-CA25-4D98-81AC-8BA0E4AE65F6} (dcCertUtils.clsOperation) - https://www.hasil.org.my/efiling/dcCertUtils.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{23543BB4-6BAF-4E75-9682-954398D3FD65}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 10833 bytes


I have deleted the file so I can't send it to avast..

Offline Maxx_original

  • Moderator
  • Super Poster
  • Posts: 1479
Re: Windows Live Messenger!?!?!?
« Reply #4 on: August 15, 2007, 08:29:05 PM »
Anyway:

1) the item C:\WINDOWS\vpcrtf.exe may be related to the IRCbot virus, according to a short Google search...

2) I don't know why the visual Vista-like tweaks are running from your temp directory.. I mean C:\DOCUME~1\Lester\LOCALS~1\Temp\{4A8B3CAB-9153-401E-B6BE-72750B3269B0}\sidebar.exe and C:\DOCUME~1\Lester\LOCALS~1\Temp\{0F7B42DC-55A3-409C-A533-6F8CC180EDC4}\Blaero Start Orb.exe...

Can you send these files to www.virustotal.com and post the results here?

CharleyO

  • Guest
Re: Windows Live Messenger!?!?!?
« Reply #5 on: August 15, 2007, 08:57:17 PM »
***

Someone correct me if I am wrong, but I think part of your problem may be found in this line ......

Quote
O4 - HKLM\..\Run: [Funshion] "C:\Program Files\Funshion Online\Funshion\Funshion.exe" /tray


I really have no idea what Funshion is nor could I discover that with a Google search ......

http://g.s.scandoo.com/search?hl=en&meta=on&q=Funshion.exe

I found these examples on a Chinese forum from the Google search ......

Deleted : virus Worm.Win32.Fujack.h documents : E : \ Games.exe / FSG
Deleted : virus Worm.Win32.Viking.lj documents : E : \ Program Files \ Funshion Online \ Funshion \ CrashReport.exe.Exe
Deleted : virus Worm.Win32.Fujack.h documents : E : \ powershadow_ch - v2.8.2 \ powershadow_ch_2.8.2.exe/FSG
Deleted : virus Worm.Win32.Viking.lj documents : E : \ Program Files \ Funshion Online \ Funshion \ Funshion.exe.Exe
Deleted : virus Worm.Win32.Fujack.h documents : E : \ Program Files \ Funshion Online \ Funshion \ CrashReport.exe / FSG
Deleted : virus Worm.Win32.Viking.lj documents : E : \ Program Files \ Funshion Online \ Funshion \ Uninstall.exe.Exe
Deleted : virus Worm.Win32.Fujack.h documents : E : \ Program Files \ Funshion Online \ Funshion \ Funshion.exe / FSG
Deleted : virus Worm.Win32.Viking.lj documents : E : \ Program Files \ Funshion Online \ Funshion \ XPSP2Patch \ SysOptimize.exe.Exe
Deleted : virus Worm.Win32.Fujack.h documents : E : \ Program Files \ Funshion Online \ Funshion \ Uninstall.exe / FSG
Deleted : virus Worm.Win32.Viking.lj documents : E : \ Program Files \ Funshion Online \ Funshion \ XPSP2Patch \ XPSP2Patch_cn.exe.Exe
Deleted : virus Worm.Win32.Viking.lj documents : E : \ Program Files \ Funshion Online \ Funshion \ XPSP2Patch \ XPSP2Patch_en.exe.Exe

Whatever Funshion is, it appears that it is easily infected or is the infection itself. BTW, all the Google results were Chinese related.


***


sawadeekap

  • Guest
Re: Windows Live Messenger!?!?!?
« Reply #6 on: August 16, 2007, 05:42:00 AM »
Antivirus Version Last Update Result
AhnLab-V3 2007.8.15.0 2007.08.16 -
AntiVir 7.4.1.62 2007.08.15 -
Authentium 4.93.8 2007.08.16 -
Avast 4.7.1029.0 2007.08.15 -
AVG 7.5.0.476 2007.08.15 -
BitDefender 7.2 2007.08.16 -
CAT-QuickHeal 9.00 2007.08.14 -
ClamAV 0.91 2007.08.16 -
DrWeb 4.33 2007.08.16 -
eSafe 7.0.15.0 2007.08.10 -
eTrust-Vet 31.1.5063 2007.08.15 -
Ewido 4.0 2007.08.15 -
FileAdvisor 1 2007.08.16 -
Fortinet 2.91.0.0 2007.08.16 -
F-Prot 4.3.2.48 2007.08.15 -
F-Secure 6.70.13030.0 2007.08.16 -
Ikarus T3.1.1.12 2007.08.15 -
Kaspersky 4.0.2.24 2007.08.16 -
McAfee 5098 2007.08.15 -
Microsoft 1.2704 2007.08.15 -
NOD32v2 2465 2007.08.16 -
Norman 5.80.02 2007.08.15 -
Panda 9.0.0.4 2007.08.16 -
Prevx1 V2 2007.08.16 -
Rising 19.36.22.00 2007.08.15 -
Sophos 4.20.0 2007.08.12 -
Sunbelt 2.2.907.0 2007.08.16 -
Symantec 10 2007.08.16 -
TheHacker 6.1.8.170 2007.08.15 -
VBA32 3.12.2.2 2007.08.16 -
VirusBuster 4.3.26:9 2007.08.15 -
Webwasher-Gateway 6.0.1 2007.08.16 -
Additional information
File size: 524288 bytes
MD5: aa13e0e0a9f17a2d2e2f54206ce67e13
SHA1: fd131f9ff4a1360f20c78f85f72b4103e7480633
This is the Blaero file.

BTW, Funshion is kind of like BitComet except it is in Chinese, which I also don't know much about.
« Last Edit: August 16, 2007, 05:44:36 AM by sawadeekap »

sawadeekap

  • Guest
Re: Windows Live Messenger!?!?!?
« Reply #7 on: August 16, 2007, 05:46:25 AM »
Antivirus Version Last Update Result
AhnLab-V3 2007.8.15.0 2007.08.16 -
AntiVir 7.4.1.62 2007.08.15 -
Authentium 4.93.8 2007.08.16 -
Avast 4.7.1029.0 2007.08.15 -
AVG 7.5.0.476 2007.08.15 -
BitDefender 7.2 2007.08.16 -
CAT-QuickHeal 9.00 2007.08.14 -
ClamAV 0.91 2007.08.16 -
DrWeb 4.33 2007.08.16 -
eSafe 7.0.15.0 2007.08.10 -
eTrust-Vet 31.1.5063 2007.08.15 -
Ewido 4.0 2007.08.15 -
FileAdvisor 1 2007.08.16 -
Fortinet 2.91.0.0 2007.08.16 -
F-Prot 4.3.2.48 2007.08.15 -
F-Secure 6.70.13030.0 2007.08.16 -
Ikarus T3.1.1.12 2007.08.15 -
Kaspersky 4.0.2.24 2007.08.16 -
McAfee 5098 2007.08.15 -
Microsoft 1.2704 2007.08.15 -
NOD32v2 2465 2007.08.16 -
Norman 5.80.02 2007.08.15 -
Panda 9.0.0.4 2007.08.16 -
Prevx1 V2 2007.08.16 -
Rising 19.36.22.00 2007.08.15 -
Sophos 4.20.0 2007.08.12 -
Sunbelt 2.2.907.0 2007.08.16 -
Symantec 10 2007.08.16 -
TheHacker 6.1.8.170 2007.08.15 -
VBA32 3.12.2.2 2007.08.16 -
VirusBuster 4.3.26:9 2007.08.15 -
Webwasher-Gateway 6.0.1 2007.08.16 -
Additional information
File size: 521216 bytes
MD5: 001503361a8a18bc4e45546f69bac5cf
SHA1: aabba79c9ee3795a6dc74a6c3d94618b7ac07f7d


Sorry, this is the Blaero file ... the one above is the other file, sidebar, I think..

sawadeekap

  • Guest
Re: Windows Live Messenger!?!?!?
« Reply #8 on: August 16, 2007, 05:49:19 AM »
I can't find the C:\WINDOWS\vpcrtf.exe file.. even using Search at startup yields no result..


Offline Maxx_original

  • Moderator
  • Super Poster
  • Posts: 1479
Re: Windows Live Messenger!?!?!?
« Reply #9 on: August 16, 2007, 10:00:40 AM »
OK.. the file may be hidden.. try this: Start -> Run -> cmd

In cmd, type this: attrib -h -s C:\WINDOWS\vpcrtf.exe and look for the file again..

sawadeekap

  • Guest
Re: Windows Live Messenger!?!?!?
« Reply #10 on: August 16, 2007, 06:18:24 PM »
OK, I don't follow this part: after cmd, what do I type in the MS-DOS side??? I am a beginner with computers  :P
Please give more info, ya, sorry ....

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89690
  • No support PMs thanks
Re: Windows Live Messenger!?!?!?
« Reply #11 on: August 16, 2007, 06:41:10 PM »
You type attrib -h -s C:\WINDOWS\vpcrtf.exe.

sawadeekap

  • Guest
Re: Windows Live Messenger!?!?!?
« Reply #12 on: August 16, 2007, 07:00:06 PM »
OK OK, I got the file, so what do I do now????

sawadeekap

  • Guest
Re: Windows Live Messenger!?!?!?
« Reply #13 on: August 16, 2007, 07:09:16 PM »
Antivirus Version Last Update Result
AhnLab-V3 2007.8.15.0 2007.08.16 Win32/IRCBot.worm.86528.N
AntiVir 7.4.1.62 2007.08.16 Worm/IRCBot.86528.3
Authentium 4.93.8 2007.08.16 -
Avast 4.7.1029.0 2007.08.15 -
AVG 7.5.0.476 2007.08.16 BackDoor.Delf.OP
BitDefender 7.2 2007.08.16 Backdoor.Ircbot.ABEX
CAT-QuickHeal 9.00 2007.08.16 -
ClamAV 0.91 2007.08.16 Trojan.Delf-1459
DrWeb 4.33 2007.08.16 Trojan.MulDrop.8316
eSafe 7.0.15.0 2007.08.16 Win32.IRCBot.zi
eTrust-Vet 31.1.5064 2007.08.16 Win32/Rbot.HGU
Ewido 4.0 2007.08.16 Backdoor.IRCBot.zi
FileAdvisor 1 2007.08.16 -
Fortinet 2.91.0.0 2007.08.16 W32/IRCBot.ZI!tr.bdr
F-Prot 4.3.2.48 2007.08.16 -
F-Secure 6.70.13030.0 2007.08.16 Backdoor.Win32.IRCBot.zi
Ikarus T3.1.1.12 2007.08.16 Backdoor.Win32.IRCBot.zi
Kaspersky 4.0.2.24 2007.08.16 Backdoor.Win32.IRCBot.zi
McAfee 5098 2007.08.15 Generic.f
Microsoft 1.2803 2007.08.16 Backdoor:Win32/Agent!9972
NOD32v2 2466 2007.08.16 Win32/IRCBot.YH
Norman 5.80.02 2007.08.16 -
Panda 9.0.0.4 2007.08.16 Bck/IRCBot.BCF
Prevx1 V2 2007.08.16 BACKDOOR.IRCBOT.ABEX
Rising 19.36.32.00 2007.08.16 Worm.MSN.Win32.Msnfoto.a
Sophos 4.20.0 2007.08.12 -
Sunbelt 2.2.907.0 2007.08.16 -
Symantec 10 2007.08.16 W32.Lolurmom
TheHacker 6.1.8.170 2007.08.15 Backdoor/IRCBot.zi
VBA32 3.12.2.2 2007.08.16 Backdoor.Win32.IRCBot.zi
VirusBuster 4.3.26:9 2007.08.16 -
Webwasher-Gateway 6.0.1 2007.08.16 Worm.IRCBot.86528.3
Additional information
File size: 86528 bytes
MD5: 7299c5d5d5761779dfedfbd3808c8ed8
SHA1: 0fd4411e440c07e61090d6cf96b0ebb5dfa75512
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=5D662777009785CF521101907FA981009CCCA80D


I sent the file to VirusTotal; this is what I got back from them....

Offline Maxx_original

  • Moderator
  • Super Poster
  • Posts: 1479
Re: Windows Live Messenger!?!?!?
« Reply #14 on: August 16, 2007, 10:49:36 PM »
OK... the file is really related to the IRCbot virus... pack it into a password-protected zip and send it to virus[at]avast[dot]com... the mail should contain a short description (virus name or the VirusTotal scan results) and of course the password...

When sent, run HJT again and check the items for the file itself and for its startup reference (C:\WINDOWS\vpcrtf.exe and O4 - HKLM\..\Run: [Microsoft Visual Application] vpcrtf.exe) and fix them..