Win32.Murlo.ff removal



nande
2007-05-30, 20:00
How do I remove Win32.Murlo.ff?

pskelley
2007-05-31, 15:50
Welcome to Safer Networking. If you still need help and are not receiving it elsewhere, it appears you have missed some important instructions our administrator has posted at the top of the forum, especially this: "BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please read and follow all instructions and post all required logs or reports, anything less will slow your process.
Use "Post Reply" to post the information in the instructions and stay in the same topic.

Thanks

nande
2007-05-31, 17:24
StartupList report, 2007-05-31, 16:23:10
StartupList version: 1.52.2
Started from : C:\Program Files\HJT\HiJackThis_v2.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16441)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\kxmixer.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\HJT\HiJackThis_v2.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

kX Mixer = "C:\WINDOWS\system32\kxmixer.exe" --startup
avast! = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

PeerGuardian = "C:\Program Files\PeerGuardian2\pg2.exe"
StartCCC = "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
SpybotSD TeaTimer = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssmyst.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168364236078

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

Spybot removes Murlo but it returns after reboot.

pskelley
2007-05-31, 17:46
Please read the directions again, they are important. You have posted part of a startup list and I require a HJT log.

Download Trend Micro Hijack This™
http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php?page=download
Download it to your Program Files folder.
Double-click the HijackThis_V2.exe to start it.
Click "Do a System Scan and save a logfile"
This will create a HijackThis log.
Copy and paste the contents of the log in your next reply.

nande
2007-05-31, 17:58
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 16:58:40, on 2007-05-31
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\kxmixer.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\HJT\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [kX Mixer] "C:\WINDOWS\system32\kxmixer.exe" --startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [PeerGuardian] "C:\Program Files\PeerGuardian2\pg2.exe"
O4 - HKCU\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168364236078
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA34DA94-4C01-469F-AB50-247344018D33}: NameServer = 195.67.199.39,195.67.199.40,195.67.199.41
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe


Sorry, my bad.
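A first-pass triage of HijackThis log lines like the ones above, as an added example that is not from this thread, from HijackThis, or from any of the participants. The sample log is a constructed subset of the log posted here, and the flagging heuristics (user-writable autorun paths, DNS servers outside an allow-list, services with no recorded publisher, IE policy restrictions, a missing URLSearchHook) are assumptions of the example, not HijackThis rules.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [PeerGuardian] "C:\Program Files\PeerGuardian2\pg2.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA34DA94-4C01-469F-AB50-247344018D33}: NameServer = 195.67.199.39,195.67.199.40
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
"""

HJT_LINE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
# Hypothetical heuristic: autoruns launched from user-writable folders deserve a closer look.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\")

@dataclass
class Entry:
    code: str   # HJT section code, e.g. "O4", "O23"
    body: str   # everything after "CODE - "

def parse_hjt(text):
    """Return the sectioned entries of an HJT log; header and process list are skipped."""
    out = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            out.append(Entry(m.group("code"), m.group("body")))
    return out

def triage(entries, trusted_dns=frozenset()):
    """Flag entries a reviewer should examine first; returns (code, reason, body) tuples."""
    findings = []
    for e in entries:
        if e.code == "R3" and "missing" in e.body:
            findings.append((e.code, "default URLSearchHook absent", e.body))
        elif e.code == "O4" and any(p in e.body.lower() for p in USER_WRITABLE):
            findings.append((e.code, "autorun from user-writable location", e.body))
        elif e.code == "O6":
            findings.append((e.code, "IE policy restrictions set; confirm who set them", e.body))
        elif e.code == "O17":
            m = re.search(r"NameServer = (.+)$", e.body)
            servers = [s.strip() for s in m.group(1).split(",")] if m else []
            unknown = [s for s in servers if s not in trusted_dns]
            if unknown:
                findings.append((e.code, "DNS servers not on trusted list: " + ",".join(unknown), e.body))
        elif e.code == "O23" and "Unknown owner" in e.body:
            findings.append((e.code, "service with no recorded publisher", e.body))
    return findings

if __name__ == "__main__":
    for code, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{code}: {reason}\n    {body}")
```

Pass the ISP's resolvers in `trusted_dns` to silence the O17 finding; everything left is what a human reviewer would still want to look up by hand.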

pskelley
2007-05-31, 18:44
Thanks for the HJT log...and it shows nothing. We will need to investigate more. Here is the Google on this item:
http://www.google.com/search?hl=en&q=Win32.Murlo.ff+&btnG=Google+Search

http://research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Downloader.Win32.Murlo.ff&threatid=133198

Read all of that information; this one is nasty. It will try to download junk; block any attempts and stay offline as much as possible to deny it internet access.

Can you tell me what program gave you the name and was there more information? Like the location (pathway)?

Since I don't see anything in the log, let's take a look for a hidden rootkit like this:

Please download F-Secure BlackLight Beta:
https://europe.f-secure.com/exclude/blacklight/index.shtml

Save it to its own folder in the Desktop
Double-click blbeta.exe to run the program
Click : Scan
A list of all items found is created

The list is in the BlackLight folder on the Desktop, and named fsbl.xxxxxxx.log (xxxxxxx are numbers).

Please provide the log created by BlackLight in your next reply.

(do not remove anything, most if not all of the files will be valid)

Follow the directions in this link to run AVG Anti-Spyware. Delete or quarantine anything it finds and post the scan report for me.
http://forums.security-central.us/showthread.php?t=3165

Recap: Post any information you know about the trojan, the log from BlackLight and the scan results from AVG Anti-Spyware.

Thanks...Phil

nande
2007-05-31, 20:29
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 19:23:44 2007-05-31

+ Scan result:



C:\Documents and Settings\user\Desktop\EvID4226Patch223d-en.zip/EvID4226Patch.exe -> Not-A-Virus.Hacktool.EvID : Cleaned.
:mozilla.243:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\m5flui2v.Bon Echo\cookies.txt -> TrackingCookie.Toplist : Cleaned.
:mozilla.243:E:\moz bon echo backupp\Thursday\cookies.txt -> TrackingCookie.Toplist : Cleaned.
:mozilla.36:E:\moz bon echo backupp\Wednesday\cookies.txt -> TrackingCookie.Toplist : Cleaned.


::Report end

BlackLight log

05/31/07 18:00:43 [Info]: BlackLight Engine 1.0.61 initialized
05/31/07 18:00:43 [Info]: OS: 5.1 build 2600 (Service Pack 2)
05/31/07 18:00:43 [Note]: 7019 4
05/31/07 18:00:43 [Note]: 7005 0
05/31/07 18:00:45 [Note]: 7006 0
05/31/07 18:00:45 [Note]: 7011 1336
05/31/07 18:00:45 [Note]: 7026 0
05/31/07 18:00:45 [Note]: 7026 0
05/31/07 18:00:47 [Note]: FSRAW library version 1.7.1021
05/31/07 18:03:38 [Note]: 2000 1012
05/31/07 18:04:17 [Note]: 7007 0

Spybot found it; running Spybot now to give you info.

nande
2007-05-31, 20:45
Spybot info

Win32.Murlo.ff: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Ip6Fw\Enum



May or may not be related to Murlo:
Removal tool loaded into memory
Gromozon rootkit component not detected - searching for other components
Scanning: C:\WINDOWS
Scanning: C:\Program Files\Common Files
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\system32\kxctrl.exe
Removed!


Trojan.Gromozon Removed!

And virusrescue, a site the Google search found: its IP range is labelled as malware exploits in PG2, and it seems like something tried to make contact.

pskelley
2007-05-31, 22:13
Thanks, this one bothers me a little:
C:\WINDOWS\system32\kxctrl.exe
http://www.google.com/search?hl=en&q=kxctrl.exe&btnG=Google+Search
Creative Labs Sound Card Drivers <<< may be this?

Can you tell me exactly what symptoms you are receiving? Or did you post because of something Spybot found? It could be this is a false positive.
Here is what I would like you to do.

1) Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

2) Now use search to locate that file, make sure it is here:
C:\WINDOWS\system32\kxctrl.exe
It may not be there; allow enough time, it can take a while for search to look for the file.
Start > Search > All Files and Folders > copy/paste the file into the box > search.

3) If it finds that file, then use one or more of these free scanners to scan it and post the information for me:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

4) Gromozon <<< is a very bad rootkit, but before we go any further, I located this information at PCPitStop where Jacee, an administrator friend, ran into this item:
http://forums.pcpitstop.com/index.php?showtopic=134706&st=0&

Please read all of the information in this post: Jacee 3:39pm Wed Feb 14 2007

Thank you for contacting Sunbelt Software. The Trojan.Gromozon detection
is an erroneous, phantom detection -- meaning that the file lpt4.ago is
not really on your system and that you are not at risk from the Gromozon
Trojan.
The item you are finding is: Win32.Murlo.ff: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Ip6Fw\Enum

I am still interested in your symptoms, and the results of the scan of that file if you find it, but in light of this information, contacting Sunbelt Software and asking them about this might be the thing to do.
http://www.sunbelt-software.com/Support/

Thanks

nande
2007-05-31, 23:18
I did this because Spybot detected Murlo and my PC can be a little strange sometimes.
OK, the file kxctrl was gone from the system32 folder and didn't return, but I took the file in the kX program folder and put it in the system32 folder.
eSafe 7.0.15.0 05.31.2007: suspicious Trojan/Worm; the rest of the AV gave clean results.
The Gromozon removal tool gave
Gromozon-Related Malicious Code Detected!
and removed it.

Do you want the file for examination?

So the regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Ip6Fw\Enum
is related to my firewall?

pskelley
2007-05-31, 23:29
so the regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Ip6Fw\Enum is related to my firewall?
I am not really sure; Google is all over the place for Ip6Fw:

http://www.google.com/search?hl=en&q=Ip6Fw&btnG=Google+Search

Perhaps the Spybot experts could give you some information, since it appears that is what is finding it?
http://forums.spybot.info/forumdisplay.php?f=4

Let's do this: System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

nande
2007-05-31, 23:33
I ran VirusTotal on kxctrl in the program folder just to check if some malware modified the file in the system32 folder, and it seems it didn't finish properly last time, as more AVs checked the file. eSafe flagged it like the other one; the rest was clean except for Panda 9.0.0.4 05.31.2007: Suspicious file.

nande
2007-05-31, 23:56
The regkey seems to be related to the Windows IP6 firewall (ip6fw.sys), which is turned off. This site claims ip6fw.sys is malware/bad: http://www.castlecops.com/o23list-2666.html
System Restore is turned off; AVG is turned off.

Should I ask in the false positive forum?

pskelley
2007-06-01, 00:05
You must not have looked at the Google link:
http://www.google.com/search?hl=en&q=Ip6Fw&btnG=Google+Search
That was why I could not be sure. All I can suggest is that you scan the file and, if it looks bad, move it to the recycle bin and let it sit there for a week or so. It is easier to return a valid file from the recycle bin than it is to locate the file and download it from online if it turns out it is valid and needed.

Thanks