[D.M. Schwartz]

Hello, all.

I'm new to this forum. It looks like the right place for infection issues.

I spent about 3 hours yesterday tracking down a trojan and trying to kill it. It launches a program called "runner1" that calls mrofinu100186.exe or 17PHolmes100186.exe. No matter if they are removed from \windows, they return. runner1 is invisible, except as a registry entry. I corrupted its regedit binary data, hoping that would cripple it. Still don't know if that worked.

Spybot couldn't find or remove any of this.

There are traces of 17PHolmes in the temporary internet files as well as a J-script that might be related. Of course, I killed all of those.

I'm thinking that Limewire brought these things in. True?

UPDATE 5 August 2008:

I followed the procedures in another thread here about 17PHolmes and mrofinu.exe as well as the procedures from the Virtual Dr. website. The anti-spyware and malware removal tools took out many infections, identified mrofinu, but could not remove it. HijackThis shows it's still there. Then, I downloaded Microsoft's Malicious Software Removal Tool 8 July 2008. It cleaned a virut-type virus out but again did not kill mrofinu (17PHolmes).

BTW, editing the hex string argument to mrofinu.exe that is stored in the Registry crippled the process enough that it can't run, but that is a temporary fix, undone at re-boot.

Cheers,

Dave

Edited by D.M. Schwartz, 05 August 2008 - 09:33 AM.

[Advertisements]

Hello Dave and welcome at Geekstogo,

Click here to download HJTInstall.exe

• Save HJTInstall.exe to your desktop.
• Doubleclick on the HJTInstall.exe icon on your desktop.
• By default it will install to C:\Program Files\Trend Micro\HijackThis .
• Click on Install.
• It will create a HijackThis icon on the desktop.
• Once installed, it will launch Hijackthis.
• Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
• Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
• Come back here to this thread and Paste the log in your next reply.
• DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

Thunderbird1988

[Thunderbird1988]

Hello Dave and welcome at Geekstogo,

Click here to download HJTInstall.exe

• Save HJTInstall.exe to your desktop.
• Doubleclick on the HJTInstall.exe icon on your desktop.
• By default it will install to C:\Program Files\Trend Micro\HijackThis .
• Click on Install.
• It will create a HijackThis icon on the desktop.
• Once installed, it will launch Hijackthis.
• Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
• Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
• Come back here to this thread and Paste the log in your next reply.
• DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

Thunderbird1988

[D.M. Schwartz]

Hello, Thunderbird.

I figured out that mrofinu (17PHolmes) was installed by a trojan downloader named VRR1.TMP, which hides in a local settings folder, or nearby. Because it only runs when the Internet is first connected (and then periodically), most spyware/virus killers and HackThis miss the launcher and only see the trojan along with its registry entry, "runner1." So, after all the virus and spyware cleaning in the world, VRR1.TMP remains. Perhaps that name should be in the databases? Or, has the name been morphing too fast?

To find and kill VRR1.TMP, the internet must NOT be connected. SuperAntiSpyware found and quarantined VRR1.TMP, so now the system seems to be clean. RegRun may have helped too, but since I ran the two programs sequentially, one may have helped the other.

I'll let you know if mrofinu (17PHolmes) is truly dead in a day or two.

Cheers,

Dave

[D.M. Schwartz]

Thunderbird,

As you can see from the logs, below. Software tools can remove the trojan, but it re-downloads (mrofinu.zip to temp internet files folder) and installs itself as soon as I allow a network connection. Could be, svchost.dll is infected?

Cheers,

Dave

LOGS:

HijackThis_No_Network Log
"""""""""""""""""""""""""

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:59 PM, on 8/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Skra] C:\Program Files\Skra\Skra.exe
O4 - HKCU\..\Run: [iwfk] C:\PROGRA~1\COMMON~1\iwfk\iwfkm.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Skra] C:\Program Files\Skra\Skra.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [iwfk] C:\PROGRA~1\COMMON~1\iwfk\iwfkm.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Skra] C:\Program Files\Skra\Skra.exe (User 'Default user')
O4 - Global Startup: IEEE 802.11g USB Wireless LAN Utility.lnk = C:\Program Files\IEEE 802.11g USB Wireless LAN\Wireless LAN\WlanUtil.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase5036.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 2818 bytes





HijackThis_Net_COnnected Log
""""""""""""""""""""""""""""

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:35 PM, on 8/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal



Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\17PHolmes1001186.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1001186.exe 61A847B5BBF72813329B39577AFF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Skra] C:\Program Files\Skra\Skra.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [iwfk] C:\PROGRA~1\COMMON~1\iwfk\iwfkm.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Skra] C:\Program Files\Skra\Skra.exe (User 'Default user')
O4 - Global Startup: IEEE 802.11g USB Wireless LAN Utility.lnk = C:\Program Files\IEEE 802.11g USB Wireless LAN\Wireless LAN\WlanUtil.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase5036.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 3216 bytes


"""""""""""""""""""""""""""""""""""""""""""


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/07/2008 at 09:51 PM

Application Version : 4.15.1000

Core Rules Database Version : 3469
Trace Rules Database Version: 1460

Scan type : Complete Scan
Total Scan Time : 00:45:06

Memory items scanned : 151
Memory threats detected : 0
Registry items scanned : 3989
Registry threats detected : 0
File items scanned : 14090
File threats detected : 16

Adware.Tracking Cookie
C:\Documents and Settings\David\Cookies\david@atdmt[2].txt
C:\Documents and Settings\David\Cookies\[email protected][2].txt
C:\Documents and Settings\David\Cookies\david@tacoda[2].txt
C:\Documents and Settings\David\Cookies\[email protected][2].txt
C:\Documents and Settings\David\Cookies\david@adrevolver[2].txt
C:\Documents and Settings\David\Cookies\david@realmedia[1].txt
C:\Documents and Settings\David\Cookies\[email protected][1].txt
C:\Documents and Settings\David\Cookies\david@fastclick[1].txt
C:\Documents and Settings\David\Cookies\david@apmebf[1].txt
C:\Documents and Settings\David\Cookies\david@advertising[1].txt
C:\Documents and Settings\David\Cookies\david@casalemedia[1].txt
C:\Documents and Settings\David\Cookies\david@zedo[2].txt
C:\Documents and Settings\David\Cookies\david@burstnet[2].txt
C:\Documents and Settings\David\Cookies\[email protected][1].txt
C:\Documents and Settings\David\Cookies\david@doubleclick[1].txt
C:\Documents and Settings\David\Cookies\david@tribalfusion[1].txt


""""""""""""""""""""""""""""""""""""""""""


Malwarebytes' Anti-Malware 1.24
Database version: 1026
Windows 5.1.2600 Service Pack 2

10:37:21 PM 8/7/2008
mbam-log-8-7-2008 (22-37-21).txt

Scan type: Full Scan (C:\|)
Objects scanned: 87911
Time elapsed: 38 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\Y736LZT4\17PHolmes[1].cmt (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Noah\Local Settings\Temporary Internet Files\Content.IE5\OA4QFITE\17PHolmes[2].cmt (Trojan.Downloader) -> Quarantined and deleted successfully.

[Thunderbird1988]

Hello D.M. Schwartz,

You don't seem to have a virusscanner installed. Please go to the Free Protection Tools page (link is in my signature) and Download a virusscanner.

Before running a new scan let's clean out the temporary folders.




Download ATF Cleaner to your Desktop.

• Double-click ATF-Cleaner.exe to run the program.
  
• Click Select All found at the bottom of the list.
  
• Click the Empty Selected button.

If you use Firefox browser, do this also:

• Click Firefox at the top and choose Select All from the list.
  
• Click the Empty Selected button.
  
• NOTE : If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

• Click Opera at the top and choose Select All from the list.
  
• Close ALL Internet browsers (very important).
  
• Click the Empty Selected button.
  
• NOTE : If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.




Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.




Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

• Close ALL OTHER PROGRAMS.
  
• Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  
• In the Drivers section click on Non-Microsoft.
  
• Under Additional Scans click the checkboxes in front of the following items to select them:
  
  
  • Reg - BotCheck
    
    File - Additional Folder Scans
    
    
• Do not change any other settings.
  
• Now click the Run Scan button on the toolbar.
  
• Let it run unhindered until it finishes.
  
• When the scan is complete Notepad will open with the report file loaded in it.
  
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  
• Save the file to your desktop or other location where you can find it back.

Use the Add Reply button and attach the file in your next post.

Thunderbird1988

[D.M. Schwartz]

Thunderbird,

I replaced my anti-virus software with Avira (free version). It took two scans in safe mode to find and kill 2 things: Virut.U and mrofinu. They were not related.

Over 20 executable files were infected with Virut.U, so Avira deleted them and I copied in new exes and dlls from one of my known-clean PCs.

As for the trojan, mrofinu (17PHolmes), its seed was hiding here:

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4XEJ8LEZ\wr[1].exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan

All is good, now. Scans clean, etc.

Thanks for your help! Please let other folks infected with these things know about the above.

Best Regards,

Dave

[Thunderbird1988]

Hello Dave,

I would like you to do another scan. Virut is a file infector, and I think it is good to know if no other files got infected.

Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
  
• Now click on Scan Settings
• In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
  Extended (if available otherwise Standard)
  
  • Scan Options:
  Scan Archives
  Scan Mail Bases
• Click OK
• Now under select a target to scan:Select My Computer
• This will program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  
  • Now click on the Save as Text button:
• Save the file to your desktop.
• Copy and paste that information in your next post.

Thunderbird1988

[Thunderbird1988]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.