Mrofinu922.exe no reformat needed

Status
Not open for further replies.
Wow, I can't post any help to anyone anywhere unless I post a thread? And even then you can't reply unless you're an admin? How is this a forum? More like a dictatorship to me. Can't reply by way of private message unless you post 5 times or more, lol!! BS, I posted 6 times and still can't private message this guy who could use my advice. Too bad for him I guess. Well, I'll post what I know about this thing and hopefully the admins don't pull it, because I'm actually trying to help someone without reformatting. Hopefully the guy sees my post. At any rate, this little nasty, along with a few others, took hold of my login file so I couldn't delete it even in safe mode. I used HijackThis, SmitFraudFix, VundoFix, ComboFix, Spybot, Ad-Aware, and Norton AntiVirus. Nothing caught it all. 2 or 3 files none of these programs saw. DLLs actually. Here's a list of them.

C:\WINDOWS\17PHolmes922.exe
C:\WINDOWS\mrofinu922.exe
C:\WINDOWS\SmFzb24gUGllcmFudG96emk\mAIWvZb0o355wAI Rx36dyA4.vbs
C:\WINDOWS\system32\byxxyya.dll
C:\WINDOWS\system32\dvaywcwd.dll.vir
C:\WINDOWS\system32\efccaxx.dll
C:\WINDOWS\system32\nnnlkjg.dll
C:\WINDOWS\system32\nnnllji.dll.vir
C:\WINDOWS\UpdReg.EXE
C:\WINDOWS\system32\ssqrppo.dll
C:\WINDOWS\system32\ddccy.dll
C:\WINDOWS\NirCmd.exe
C:\Program Files\WS_FTP Pro\wsbho2k0.dll


ssqrppo.dll was reinstalling everything I deleted. This was the file that kept everything going. It was also embedded in the winlogon file that runs your logging in to Windows, and this is in safe mode as well!! Safe mode did nothing for me. In the end I removed the offending .dll with my copy of Winternals. I suppose you could remove the .dlls in DOS as well, I'm thinking.

BTW, just because HJT is clean doesn't mean their HD is, lol!!!!!
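A DLL that winlogon.exe loads at logon, Safe Mode included, is typically registered as a subkey under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify, which is why removing the file alone does not help while the registration is still there. The following is an added example, not code from the thread or from any of the tools named in it: it parses a .reg export of that key and flags every DllName that is not on an allowlist of the stock entries. The allowlist, the constructed sample export and the subkey names in it are assumptions made for the example.

```python
"""Added example (not from the thread): flag non-default Winlogon Notify DLLs
in a .reg export of HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify.
winlogon.exe loads every DllName registered there, in Safe Mode as well, so a
DLL that keeps coming back after deletion is worth checking here first.
The allowlist and the sample export below are assumptions for this example.
"""
import re

# Stock Windows XP Notify DLLs (assumption; compare against a known-clean box).
KNOWN_GOOD_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                   "sclgntfy.dll", "wlnotify.dll"}

# Constructed sample export: two stock entries plus two with random-looking
# names in the style of the DLLs listed in the post above.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,\
  00,6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DllName"="wlnotify.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqrppo]
"Asynchronous"=dword:00000001
"DllName"="ssqrppo.dll"
"Startup"="Startup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\byxxyya]
"DllName"="C:\\WINDOWS\\system32\\byxxyya.dll"
'''


def _join_continuations(text):
    """Merge lines that regedit wrapped with a trailing backslash (hex values)."""
    out, buf = [], ""
    for line in text.splitlines():
        if line.endswith("\\"):
            buf += line[:-1].strip()
            continue
        out.append(buf + line.strip())
        buf = ""
    if buf:
        out.append(buf)
    return out


def _decode_value(raw):
    """Decode a .reg value: quoted string, or hex(2)/hex(7) UTF-16LE bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    m = re.match(r'hex\((2|7)\):(.*)', raw)
    if m:
        data = bytes(int(h, 16) for h in m.group(2).split(",") if h.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return raw


def parse_notify_export(text):
    """Map each Notify subkey name to the DLL it registers."""
    entries, key = {}, None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"DllName"=(.*)', line, re.IGNORECASE)
        if m and key and "\\Winlogon\\Notify\\" in key:
            entries[key.rsplit("\\", 1)[1]] = _decode_value(m.group(1))
    return entries


def suspicious_notify_dlls(text, known_good=KNOWN_GOOD_DLLS):
    """Return the subkeys whose DLL basename is not on the allowlist."""
    return {sub: dll for sub, dll in parse_notify_export(text).items()
            if dll.rsplit("\\", 1)[-1].lower() not in known_good}


if __name__ == "__main__":
    for sub, dll in suspicious_notify_dlls(SAMPLE_REG_EXPORT).items():
        print(f"Notify\\{sub} -> {dll}  (not a stock Notify DLL)")
```

Export the key with regedit (or `reg export`) from the infected machine, run the script over the export, and treat every flagged subkey as the thing to remove before, or together with, the file it points at; a hit with a random-looking name is exactly the pattern in the file list above, but confirm the file's origin rather than relying on the name alone.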
 
Thanks for the info, much appreciated, but I think ComboFix could get rid of those files too, many of which are Vundo variants.

I have no idea why you're complaining, seeing as you only just joined TS.

Our policy of not allowing members to post URLs for their first few posts is designed to stop spammers and in general, works very well.

I have received plenty of PMs from members with no posts, let alone 5, so I don't know why you can't PM anyone.

This is the second time I`ve asked. What thread were you trying to post in?

Regards Howard :)
 
In answer to your questions and reply: s virus removal, a thread started by Jason Pierantozzi aka jaacyn. He's downloaded the same hacked exec for Daemon Tools Pro 4.1 I did, and his HJT log is listing the same DLLs and whatnot mine did. After googling mrofinu922.exe yesterday, it didn't come up at all. Today there's one page on Google. Your site came up with this person's problem. Since I've gotten rid of it I wanted to save this poor soul from going through what I did. OK, ComboFix DOES NOT delete these files. If you think I'm wrong, I'll give you or direct you to the download and you can try it yourself. I can assure you it was 5 posts in when I tried to message this person and was refused. I posted a few more posts and I was able to message him, problem solved. I was just a little confused as to why you close a thread and say that the HJT log is clean. HJT does not work with this malware or virus. I've used everything listed in my last post before, a few different times. This is the first time I wasn't able to fix something from safe mode. A little background on my experience: I've been building and troubleshooting PCs for over 6 years now. I've never run into something I couldn't fix. I haven't reformatted in 4 years and I've caught a few nasties in my time with this install. I sorta know my way around. Well, I like to think I do anyway.
 
I closed that thread because the files had been deleted by ComboFix.

As far as I'm aware, he wasn't having any more problems, otherwise I would have expected him to get back to me.

Here's a link to the thread.

https://www.techspot.com/vb/topic90946.html

Here's a link to his last ComboFix log, which clearly shows the files have been deleted.

https://www.techspot.com/vb/attachment.php?attachmentid=24663&d=1194060217

However, I do appreciate you efforts in trying to help.

Just on the off chance you might know.

Have you ever come across these files?

C:\WINDOWS\system32\drivers\sdatjvii.dat
C:\WINDOWS\system32\drivers\uzaudnku.dat
C:\WINDOWS\system32\atmf.dll

I was going to try deleting them via the Recovery Console, but unfortunately the poster doesn't have his Windows CD.

I have tried numerous ways of deleting them, but all to no avail so far.

Regards Howard :)
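Without a Windows CD the Recovery Console is out, but Windows has a built-in way to delete a file that is locked while the system is up: the Session Manager (smss.exe) processes the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager early in the next boot, before winlogon.exe and anything it loads, and a pair with an empty destination means "delete". MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT writes that same value. The following is an added example, not code from the thread: it builds an importable .reg file for the three paths quoted in the post above. The helper names are this example's own; the value format is the standard one.

```python
"""Added example (not from the thread): build a .reg file that schedules
in-use files for deletion at the next boot.

Session Manager (smss.exe) processes the REG_MULTI_SZ value
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations
early in boot, before winlogon.exe and its Notify DLLs are loaded.  The value is
a list of (source, destination) pairs in NT path form (\\??\\C:\\...); an empty
destination means delete.  MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT) writes
the same value; generating a .reg import is a way to use it with no extra tool.
The three paths are the ones quoted above; helper names are this example's own.
"""

SESSION_MANAGER_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE_NAME = "PendingFileRenameOperations"

# The files from the post above.
FILES_TO_DELETE = [
    r"C:\WINDOWS\system32\drivers\sdatjvii.dat",
    r"C:\WINDOWS\system32\drivers\uzaudnku.dat",
    r"C:\WINDOWS\system32\atmf.dll",
]


def pending_delete_entries(paths):
    """Return the REG_MULTI_SZ strings: (\\??\\<path>, "") per file to delete."""
    entries = []
    for p in paths:
        # Only absolute drive paths make sense here; a relative path would be
        # resolved against whatever smss.exe is using at boot.
        if len(p) < 3 or p[1] != ":" or p[2] != "\\":
            raise ValueError(f"expected an absolute drive path: {p!r}")
        entries.append("\\??\\" + p)   # NT object-manager form of C:\...
        entries.append("")             # empty destination == delete
    return entries


def encode_multi_sz(strings):
    """Encode strings as the hex(7) byte list regedit uses for REG_MULTI_SZ:
    each string as UTF-16LE plus NUL, then one extra NUL ending the list."""
    data = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    data += b"\x00\x00"
    return ",".join(f"{b:02x}" for b in data)


def reg_fragment(paths):
    """Complete .reg file text (CRLF line endings, as regedit writes them).
    regedit accepts the hex list on one long line; wrapping is optional."""
    value = encode_multi_sz(pending_delete_entries(paths))
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        f"[{SESSION_MANAGER_KEY}]",
        f'"{VALUE_NAME}"=hex(7):{value}',
    ]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    print(reg_fragment(FILES_TO_DELETE))
```

Two caveats before importing it: the .reg replaces any PendingFileRenameOperations value already present (Windows Update and installers use it too), so query the value first and carry any existing entries over; and after the reboot check that the value is gone and the files with it. If the files are back, whatever loaded them is still registered (a Winlogon Notify entry, a driver, a service) and that registration has to go as well, since this only removes the file, not the loader.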
 
You know what, I don't see ssqrppo.dll in his log, **** I'm sorry man. That is what ComboFix WILL NOT delete. Or maybe I just need sleep. 14 hrs of sleep in 72 hrs, man. I've got 2 boxes that are severely infected with malware, and clients are getting antsy. lol!! I need sleep!!! Another box I have yet to build. Crap, good thing someone is paying me for this, sheesh!!! I don't think I've run across those particular DLLs, no. I'll look through some of the logs I've saved over the years though. How new is it?
 