TechSpot

Mrofinu922.exe no reformat needed

By Ex0duS_5150
Nov 10, 2007
  1. Wow, I can't post any help to anyone anywhere unless I post a thread? And even then you can't reply unless you're an admin? How is this a forum? More like a dictatorship to me. Can't reply by way of private message unless you post 5 times or more, lol!! BS, I posted 6 times and still can't private message this guy who could use my advice. Too bad for him I guess. Well, I'll post what I know about this thing and hopefully the admins don't pull it, 'cause I'm actually trying to help someone without reformatting. Hopefully the guy sees my post. At any rate, this little nasty, along with a few others, took hold of my login file so I couldn't delete it even in Safe Mode. I used HijackThis, SmitFraudFix, VundoFix, ComboFix, Spybot, Ad-Aware, and Norton Antivirus. Nothing caught it all. 2 or 3 files none of these programs saw. DLLs actually. Here's a list of them.

    C:\WINDOWS\17PHolmes922.exe
    C:\WINDOWS\mrofinu922.exe
    C:\WINDOWS\SmFzb24gUGllcmFudG96emk\mAIWvZb0o355wAI Rx36dyA4.vbs
    C:\WINDOWS\system32\byxxyya.dll
    C:\WINDOWS\system32\dvaywcwd.dll.vir
    C:\WINDOWS\system32\efccaxx.dll
    C:\WINDOWS\system32\nnnlkjg.dll
    C:\WINDOWS\system32\nnnllji.dll.vir
    C:\WINDOWS\UpdReg.EXE
    C:\WINDOWS\system32\ssqrppo.dll
    C:\WINDOWS\system32\ddccy.dll
    C:\WINDOWS\NirCmd.exe
    C:\Program Files\WS_FTP Pro\wsbho2k0.dll


    ssqrppo.dll was reinstalling everything I deleted. This was the file that kept everything going. It was also embedded in the winlogon file that runs your logging in to Windows, and this is in Safe Mode as well!! Safe Mode did nothing for me. In the end I removed the offending .dll with my copy of Winternals. I suppose you could remove the .dlls in DOS as well, I'm thinking.

    BTW, just because HJT is clean doesn't mean their HD is, lol!!!!!
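As an added defensive check, not part of the original post or of any tool named in it: a PowerShell script, assumed to run from an elevated prompt on the affected machine, that reports which of the file names listed above (the ones under C:\WINDOWS and system32) are present on disk, and then lists the Winlogon Notify registry entries, flagging any whose DllName points at one of those files. Notify packages are loaded by winlogon.exe at every logon, Safe Mode included, which matches the behaviour the post describes and is the persistence location Vundo variants used.

```powershell
# Added example (not from the thread): inventory the file names from the post
# and check the Winlogon Notify key for entries that reference them.
# Assumes an elevated PowerShell prompt on the affected machine.

# Suspect file names, constructed from the list in the post above.
$SuspectNames = @(
    '17PHolmes922.exe', 'mrofinu922.exe', 'byxxyya.dll', 'dvaywcwd.dll.vir',
    'efccaxx.dll', 'nnnlkjg.dll', 'nnnllji.dll.vir', 'ssqrppo.dll',
    'ddccy.dll', 'NirCmd.exe', 'UpdReg.EXE'
)

$SearchDirs = @("$env:SystemRoot", "$env:SystemRoot\system32")

# 1. Which of the listed files are present on disk? Record hidden attribute
#    and timestamp so the entries can be compared with each other later.
$present = foreach ($dir in $SearchDirs) {
    foreach ($name in $SuspectNames) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path -Force
            [pscustomobject]@{
                Path     = $path
                Hidden   = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
                Modified = $item.LastWriteTime
            }
        }
    }
}
$present | Format-Table -AutoSize

# 2. Winlogon Notify packages load inside winlogon.exe at every logon, Safe Mode
#    included, so a DLL registered here survives a Safe Mode cleanup attempt.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notifyKey) {
    Get-ChildItem $notifyKey | ForEach-Object {
        $dll  = (Get-ItemProperty $_.PSPath).DllName
        $leaf = [IO.Path]::GetFileName("$dll")
        # -contains is case-insensitive, matching how Windows treats file names.
        $note = if ($SuspectNames -contains $leaf) { 'SUSPECT' } else { '' }
        [pscustomobject]@{ Subkey = $_.PSChildName; DllName = $dll; Note = $note }
    } | Format-Table -AutoSize
}
```

A Notify subkey marked SUSPECT explains why the file cannot be deleted from Safe Mode: winlogon.exe has it loaded. The subkey has to go before the file will, which is why the post fell back to an offline tool.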
     
  2. howard_hopkinso

    Thanks for the info, much appreciated, but I think ComboFix could get rid of those files too, a lot of which are Vundo variants.

    I have no idea why you're complaining, seeing as you only just joined TS.

    Our policy of not allowing members to post urls for their first few posts is designed to stop spammers and in general, works very well.

    I have received plenty of PMs from members with no posts, let alone 5, so I don't know why you can't PM anyone.

    This is the second time I've asked. What thread were you trying to post in?

    Regards Howard :)
     
  3. Ex0duS_5150

    In answer to your questions and replies: virus removal, a thread started by Jason Pierantozzi aka jaacyn. He's downloaded the same hacked exec for Daemon Tools Pro 4.1 I did, and his HJT log is listing the same DLLs and whatnot mine did. After googling mrofinu922.exe yesterday, it didn't come up at all. Today there's one page on Google; your site came up with this person's problem. Since I've gotten rid of it, I wanted to save this poor soul from going through what I did. OK, ComboFix DOES NOT delete these files. If you think I'm wrong, I'll give you or direct you to the DL and you can try it yourself. I can assure you it was 5 posts in when I tried to message this person and was refused. I posted a few more posts and I was able to message him, problem solved. I was just a little confused as to why you close a thread and say the HJT log is clean. HJT does not work with this malware, or virus. I've used everything listed in my last post before a few different times. This is the first time I wasn't able to fix something from Safe Mode. A little background on my experience: I've been building and troubleshooting PCs for over 6 years now. I've never run into something I couldn't fix. I haven't reformatted in 4 years and I've caught a few nasties in my time with this install. I sorta know my way around. Well, I like to think I do anyway.
     
  4. howard_hopkinso

    I closed that thread because the files had been deleted by ComboFix.

    As far as I'm aware, he wasn't having any more problems, otherwise I would have expected him to get back to me.

    Here's a link to the thread.

    http://www.techspot.com/vb/topic90946.html

    Here's a link to his last ComboFix log, which clearly shows the files have been deleted.

    http://www.techspot.com/vb/attachment.php?attachmentid=24663&d=1194060217

    However, I do appreciate your efforts in trying to help.

    Just on the off chance you might know.

    Have you ever come across these files?

    C:\WINDOWS\system32\drivers\sdatjvii.dat
    C:\WINDOWS\system32\drivers\uzaudnku.dat
    C:\WINDOWS\system32\atmf.dll

    I was going to try deleting them via the Recovery Console, but unfortunately the poster doesn't have his Windows CD.

    I have tried numerous ways of deleting them, but all to no avail so far.

    Regards Howard :)
     
  5. Ex0duS_5150

    You know what, I don't see ssqrppo.dll in his log, **** I'm sorry man. That is what ComboFix WILL NOT delete. Or maybe I just need sleep. 14 hrs of sleep in 72 hrs, man. I've got 2 boxes that are severely infected with malware, and clients are getting antsy. lol!! I need sleep!!! Another box I have yet to build. Crap, good thing someone is paying me for this, sheesh!!! I don't think I've run across those particular DLLs, no. I'll look through some of the logs I've saved over the years though. How new is it?
     
  6. howard_hopkinso

    No worries mate.

    I know what lack of sleep can do, believe me lol.

    Regards Howard :)
     
Topic Status:
Not open for further replies.