Mrofinu/17pholmes Infection || Haxdoor/matcash Downloaders

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Important Announcement: The winners of the BC Million Post contest have been announced. You can read who the winners are at this post.

- BleepingComputer Management

BleepingComputer.com > Security > HijackThis Logs and Malware Removal

Forum Guidelines

Read this topic before posting a log.

DO NOT post a ComboFix log unless requested to.

Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Mrofinu/17pholmes Infection || Haxdoor/matcash Downloaders, How to fix/remove?

Options

ChaosKontrol View Member Profile	Aug 17 2008, 08:20 PM Post #1
New Member Group: Members Posts: 2 Joined: 17-August 08 Member No.: 230,823	So recently, I've noticed that my computer slowed down and has been buggier than usual. I did my usual scan of Yahoo! Anti-Spy, but I found things called Haxdoor E (Backdoor) and Matcash (Downloader). And 2 new processes showed up on my Task Manager, 17PHolmes and mrofinu. Also, when I logged on any account, the computer would stop responding and explorer.exe would stop responding also, so you could see the desktop and taskbar, but no icons near the clock on the bottom right would load, and the taskbar was always busy (I hovered and it had that hourglass thing over it). The only thing I could do was Ctrl-Alt-Del, and log off. When I logged back on, everything was fine except Windows Security popped up and said if I wanted to keep blocking or to unblock Windows Explorer. I chose unblock and my computer was fine until I turned off, and thus I had to repeat the same process again. I used to have AVG, but it practically considered everything dangerous, so I tried to use Kaspersky, but it wouldn't allow me to install it because it found AVG in my computer somewhere. So here is my HJT log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 6:27:16 PM, on 8/17/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\WINDOWS\system32\cisvc.exe C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\Program Files\Canon\CAL\CALMAIN.exe C:\WINDOWS\system32\imapi.exe C:\Program Files\Airlink101\AWLH5026\WLService.exe C:\Program Files\Airlink101\AWLH5026\AWLH5026.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Mozilla Firefox 3 Beta 4\firefox.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\AIM6\aim6.exe C:\Program Files\AIM6\aolsoftware.exe C:\Program Files\AIM6\aolsoftware.exe C:\Program Files\CA Yahoo! Anti-Spy\CAYahooAntispy.exe C:\WINDOWS\mrofinu.exe C:\WINDOWS\mrofinu.exe C:\Documents and Settings\Vincent\Desktop\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo! R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1001186.exe 61A847B5BBF72813329B39577AFF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310F3 D1DC7E4638E8323A15806F97BDE4417E6FD967002BA754E2C28323133A9D26033AAC O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} - http://gamedownload.ijjimax.com/gamedownlo...Plugin11USA.cab O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: MIMO XR TM PCI Adapter WLService (MIMO XR TM PCI WLService) - Unknown owner - C:\Program Files\Airlink101\AWLH5026\WLService.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- End of file - 6257 bytes Please help This post has been edited by ChaosKontrol: Aug 17 2008, 09:41 PM

PropagandaPanda View Member Profile	Aug 18 2008, 03:20 PM Post #2
Group: HJT Team Posts: 2,434 Joined: 10-March 08 Member No.: 195,473	Hello. I am PropagandaPanda (Panda or PP for short) and I will be helping you with your log. I will need some time to look over your computer's log(s). I am still in training, so my responses to you must be checked by a coach. You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here. Please take note of a few guidelines for this fix: Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Further more, you should not be taking any advice relating to this computer from any other source throughout the course of this fix. If you do not understand any step(s) provided, please do not hesitate to ask. I would much rather clarify instructions or explain them differently than have something important broken. Even if things appear to be better, it may not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself. Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post. With Regards, The Panda Important Note to Other Users Reading this Topic: The instructions provided in this topic are for the original topic starter only. Even if you have similar problems or log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic. Feel free to link to any relevant topics as needed. -------------------- If I have been helping you and do not reply within 24 hours, please send me a message.

ChaosKontrol View Member Profile	Aug 19 2008, 09:59 AM Post #3
New Member Group: Members Posts: 2 Joined: 17-August 08 Member No.: 230,823	I have subscribed to this topic when I started it so all things are a go! Anyways, I recently installed Kaspersky 2009 on my computer. Soon after, it began finding thousands of files corrupted and scanned all of them. After a couple scans, it seemed to delete the 17PHolmes infection and I didn't have to log off and back on to get my computer working again. But, when I do log on, nothing happens until a window pops up that says WLService has encountered an error and needs to close. After that, everything works fine. The only thing that CA Anti-Spy has found is Haxdoor, which is located at: hkey_local_machine\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\autorizedapplications\list And that's pretty much it. I'll wait for your response.

PropagandaPanda View Member Profile	Aug 23 2008, 08:20 AM Post #4
Group: HJT Team Posts: 2,434 Joined: 10-March 08 Member No.: 195,473	Hello ChaosKontrol. Very sorry for the delay. Backdoor Threat I'm sorry to say that your computer is infected with one or more backdoor trojans. This means that sensitive information could have been stolen. I would advise to change any passwords for any accounts that you have accessed with the infected computer using a clean computer ASAP. If you have used this computer for banking, I would strongly suggest that you report the possible stolen information. Please do not use the computer for any further transactions, or to enter any other information, if at all possible, until it is declared clean. You may want to read this article on how to handle identity theft. You may also want to read this article regarding preventing of identity theft. This computer can still be cleaned, however, I cannot guarantee that it will be 100% safe even after disinfection. Please read When Should I Format, How Should I Reinstall. I will proceed assuming you wish to disinfect. If you want to do a reinstall, reply back saying so. View Point Program Viewpoint Manager and Viewpoint Media Player are considered as foistware instead of malware since it is installed without users approval, but does not have malicious effects. This changed from what we know in 2006 read this article. I suggest you remove the program(s) through Add and Remove Programs. Download and Run OTMoveIT Please download OTMoveIt2 by OldTimerto your desktop. Double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator). Copy the lines in the quotebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy): QUOTE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045} HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\runner1 C:\WINDOWS\mrofinu.exe C:\WINDOWS\mrofinu1001186.exe Return to OTMoveIt2, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste. Click the red button. Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply. Close OTMoveIt2 Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter .log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles* folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post. Update Java to Version 6 Update 7 Your current version of Java is outdated. Malware creators can exploit the lesser security of older versions. Please uninstall your current version through Add/Remove Programs. Remove all instances of Java, J2SE Runtime, Java Runtime, and Java Runtime Environment. Restart your computer after uninstalling. Please then install the latest Java from this page. Follow the prompts and select the appropriate settings for your machine. Click on the "Required File" jdk-6u7-windows-i586-p.exe to download the installer. Double click the installer to run. Delete the installer after use. Install Antivirus An anti-virus is essential in keeping your computer safe while surfing the Internet. I see that you have a couple of antispyware programs, but you still require an antivirus. Please install a free anti-virus program from one of the trusted venders below: Antivir Avast Free AVG Free Bitdefender Free Save Uninstall List with HijackThis Double click the HijackThis icon on your desktop. If you see a while screen, click Main Menu at the middle bottom of the window, otherwise move onto the next step. Click Open the Misc Tools section. Under System tools, select Uninstall Manager.... Near the bottom right, click Save list... and save uninstall_list.txt onto your desktop. Close out of HijackThis. Post back with the uninstall list. Run Scan with Kaspersky Please do a scan with Kaspersky Online Scanner. This scan is for Internet Explorer Only. If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan. Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how. Open the Kaspersky Scanner page. Click on Accept and install any components it needs. The program will install and then begin downloading the latest definition files. After the files have been downloaded on the left side of the page in the Scan section select My Computer This will start the program and scan your system. The scan will take a while, so be patient and let it run. Once the scan is complete, click on View scan report Now, click on the Save Report as button. Save the file to your desktop. Copy and paste that information in your next post. You can refer to this animation by sundavis. This scanner will only scan. It does not remove any malware it finds. --------------- Please post back with: -the OTMoveIt log -the uninstall list generated by HijackThis -the Kaspersky log -a fresh HijackThis log With Regards, The Panda -------------------- If I have been helping you and do not reply within 24 hours, please send me a message.

don77 View Member Profile	Aug 30 2008, 06:39 AM Post #5
Forum Regular Group: HJT Team Posts: 3,212 Joined: 12-July 04 From: Boston Mass Member No.: 1,374	Due to the lack of feedback, this Topic is closed. If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

« Next Oldest · HijackThis Logs and Malware Removal · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version

Time is now: 22nd November 2008 - 01:11 PM

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Malware Removal Guides