Mrofinu.exe


This topic is locked
1 reply to this topic

#1 Siddharth Shitut

Posted 19 August 2008 - 02:10 PM

Hi, I saw mrofinu.exe in my processes yesterday. I googled it and came to these forums. I read some things about ComboFix. I downloaded ComboFix and ran the software. It has generated a log. Now I think the next step is to post the log here... Can anyone tell me what the next step would be?


ComboFix 08-08-18.04 - Sid 2008-08-19 18:50:44.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.570 [GMT 5.5:30]
Running from: D:\Documents and Settings\Sid.HOME-B9BAAFBBF9\Desktop\ComboFix.exe
 * Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Documents and Settings\Anu-Shraddha\UserData
D:\Documents and Settings\Anu-Shraddha\UserData\index.dat
D:\Documents and Settings\Anu-Shraddha\UserData\WH2F01EN\YL[1].xml
D:\Documents and Settings\Sid.HOME-B9BAAFBBF9\Cookies\sid@src[1].txt
D:\Documents and Settings\Sid.HOME-B9BAAFBBF9\UserData
D:\Documents and Settings\Sid.HOME-B9BAAFBBF9\UserData\index.dat
D:\WINDOWS\system32\appmgmt.dll
D:\WINDOWS\system32\drivers\Ibvj55.sys
D:\WINDOWS\system32\drivers\Winbb57.sys
D:\WINDOWS\system32\MYBHO.DLL
D:\WINDOWS\system32\WinCtrl32.dl_
D:\WINDOWS\system32\WinCtrl32.dll

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IBVJ55
-------\Legacy_WINBB57
-------\Service_Ibvj55
-------\Service_Winbb57


(((((((((((((((((((((((((   Files Created from 2008-07-19 to 2008-08-19  )))))))))))))))))))))))))))))))
.

2008-08-19 18:42 . 2008-08-19 18:42	<DIR>	d--------	D:\Program Files\PrevxCSI
2008-08-19 18:42 . 2008-08-19 18:42	17,408	--a------	D:\WINDOWS\system32\drivers\pxark.sys
2008-08-19 18:41 . 2008-08-19 18:42	<DIR>	d--------	D:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-08-19 18:33 . 2008-08-19 18:33	<DIR>	d--------	D:\Program Files\InCode Solutions
2008-08-18 21:53 . 2008-08-18 21:53	29	--a------	D:\WINDOWS\system32\weifsofi.tmp
2008-08-18 21:52 . 2008-08-18 21:52	8,192	--a------	D:\WINDOWS\system32\12.tmp
2008-08-18 21:52 . 2008-08-18 21:52	136	--a------	D:\WINDOWS\system32\10.tmp
2008-08-18 21:52 . 2008-08-18 21:52	0	--a------	D:\WINDOWS\system32\15.tmp
2008-08-18 21:50 . 2008-08-18 21:51	<DIR>	d--------	D:\Documents and Settings\Anu-Shraddha\Application Data\dvdcss
2008-08-13 16:16 . 2008-08-13 16:16	<DIR>	d--------	D:\Documents and Settings\Anu-Shraddha\Application Data\vlc
2008-08-12 23:54 . 2008-08-17 15:04	<DIR>	d--------	D:\My Downloads
2008-08-12 23:48 . 2008-08-12 23:54	<DIR>	d--------	D:\Program Files\BearShare
2008-08-12 22:13 . 2008-08-12 23:01	<DIR>	d--------	D:\Documents and Settings\Sid.HOME-B9BAAFBBF9\Application Data\mjusbsp
2008-08-12 22:13 . 2004-03-12 00:53	59,392	--a------	D:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-08-12 22:13 . 2004-03-12 00:53	59,392	--a--c---	D:\WINDOWS\system32\dllcache\usbaudio.sys
2008-08-12 22:13 . 2001-08-17 14:02	9,600	--a------	D:\WINDOWS\system32\drivers\hidusb.sys
2008-08-12 22:13 . 2001-08-17 14:02	9,600	--a--c---	D:\WINDOWS\system32\dllcache\hidusb.sys
2008-08-12 22:10 . 2004-03-12 00:54	31,616	--a------	D:\WINDOWS\system32\drivers\usbccgp.sys
2008-08-12 22:10 . 2004-03-12 00:54	31,616	--a--c---	D:\WINDOWS\system32\dllcache\usbccgp.sys
2008-08-12 18:15 . 2001-08-17 13:56	7,552	--a------	D:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-08-12 18:15 . 2001-08-17 13:56	7,552	--a--c---	D:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-08-12 18:06 . 2004-03-12 00:53	26,624	--a--c---	D:\WINDOWS\system32\dllcache\usbstor.sys
2008-08-11 23:08 . 2008-08-11 23:08	<DIR>	d--------	D:\Program Files\Warkeys
2008-08-11 22:37 . 2008-08-11 22:37	<DIR>	d--------	D:\WINDOWS\system32\LogFiles
2008-08-11 22:37 . 2008-08-11 22:37	<DIR>	d--------	D:\Program Files\Windows Media Connect 2
2008-08-11 22:36 . 2008-08-11 22:37	<DIR>	d--------	D:\WINDOWS\system32\drivers\umdf
2008-08-11 22:28 . 2008-08-12 18:28	376	--a------	D:\WINDOWS\ODBC.INI
2008-08-11 22:27 . 2008-08-11 22:27	<DIR>	d--------	D:\WINDOWS\SHELLNEW
2008-08-11 22:27 . 2008-08-11 22:27	<DIR>	d--------	D:\Program Files\Microsoft.NET
2008-08-11 22:27 . 2008-08-11 22:27	<DIR>	d--------	D:\Program Files\Microsoft Works
2008-08-11 22:27 . 2008-08-11 22:27	<DIR>	d--------	D:\Program Files\Microsoft ActiveSync
2008-08-11 22:27 . 2008-08-11 22:27	<DIR>	d--------	D:\Program Files\Common Files\L&H
2008-08-11 21:54 . 2008-08-11 21:54	<DIR>	d--------	D:\Program Files\AVG
2008-08-11 21:54 . 2008-08-17 18:03	<DIR>	d--------	D:\Documents and Settings\All Users\Application Data\avg8
2008-08-11 21:38 . 2008-08-11 21:38	<DIR>	d--------	D:\Program Files\VideoLAN
2008-08-11 21:33 . 2008-08-18 22:46	69	--a------	D:\WINDOWS\NeroDigital.ini
2008-08-11 21:31 . 2008-08-11 21:32	<DIR>	d--------	D:\Program Files\Common Files\Ahead
2008-08-11 21:26 . 2008-08-18 23:25	<DIR>	d--------	D:\Program Files\Garena
2008-08-11 21:26 . 2008-08-11 21:26	<DIR>	d--------	D:\Documents and Settings\Sid.HOME-B9BAAFBBF9\Application Data\InstallShield
2008-08-11 08:29 . 2008-08-19 18:52	<DIR>	d--------	D:\Documents and Settings\Anu-Shraddha
2008-08-11 08:25 . 2008-08-11 08:25	<DIR>	d--------	D:\Program Files\Google
2008-08-11 08:25 . 2008-08-11 08:25	<DIR>	d--------	D:\Documents and Settings\All Users\Application Data\NVIDIA
2008-08-11 08:23 . 2008-08-11 08:23	<DIR>	d--------	D:\Documents and Settings\SID~1~HOM\LOCALS~1
2008-08-11 08:23 . 2008-08-11 08:23	<DIR>	d--------	D:\Documents and Settings\SID~1~HOM
2008-08-11 08:09 . 2008-08-11 08:09	<DIR>	d--------	D:\Documents and Settings\Sid.HOME-B9BAAFBBF9\Application Data\vlc
2008-08-11 01:43 . 2008-08-11 01:43	<DIR>	d--------	D:\Program Files\uTorrent
2008-08-11 01:43 . 2008-08-14 00:51	<DIR>	d--------	D:\Documents and Settings\Sid.HOME-B9BAAFBBF9\Application Data\uTorrent
2008-08-11 01:35 . 2008-08-11 01:35	0	--a------	D:\WINDOWS\nsreg.dat
2008-08-11 01:31 . 2008-08-11 08:11	<DIR>	d--------	D:\Program Files\Internet Download Manager
2008-08-11 01:31 . 2008-08-19 18:53	<DIR>	d--------	D:\Documents and Settings\Sid.HOME-B9BAAFBBF9\Application Data\DMCache
2008-08-11 01:31 . 2008-08-11 21:32	67	--a------	D:\WINDOWS\IDMan.INI
2008-08-11 01:29 . 2008-08-11 01:29	<DIR>	d--------	D:\WINDOWS\system32\QuickTime
2008-08-11 01:29 . 2008-08-11 01:29	<DIR>	d--------	D:\Program Files\K-Lite Codec Pack
2008-08-11 01:29 . 2008-08-11 01:29	<DIR>	d--------	D:\Documents and Settings\All Users\Application Data\QuickTime
2008-08-11 01:27 . 2008-08-11 01:27	<DIR>	d--------	D:\WINDOWS\system32\Lang
2008-08-11 01:27 . 2008-08-11 01:27	940,794	--a------	D:\WINDOWS\system32\LoopyMusic.wav
2008-08-11 01:27 . 2008-08-11 01:27	146,650	--a------	D:\WINDOWS\system32\BuzzingBee.wav
2008-08-11 01:25 . 2008-08-11 22:14	<DIR>	d--------	D:\WINDOWS\nview
2008-08-11 01:25 . 2006-10-22 15:06	253,952	--a------	D:\WINDOWS\system32\NVUNINST.EXE
2008-08-11 01:25 . 2006-10-22 12:22	221,184	--a------	D:\WINDOWS\system32\nvudisp.exe
2008-08-11 01:25 . 2008-08-19 18:53	88,566	--a------	D:\WINDOWS\system32\nvapps.xml
2008-08-11 01:25 . 2006-10-22 12:22	17,056	--a------	D:\WINDOWS\system32\nvdisp.nvu
2008-08-11 01:22 . 2008-08-11 01:22	664	--a------	D:\WINDOWS\system32\d3d9caps.dat
2008-08-11 01:22 . 2008-08-11 01:22	552	--a------	D:\WINDOWS\system32\d3d8caps.dat
2008-08-11 01:21 . 2008-08-11 01:21	<DIR>	d--------	D:\Program Files\SystemRequirementsLab
2008-08-11 01:18 . 2008-08-11 01:18	<DIR>	d--------	D:\Program Files\Realtek
2008-08-11 01:18 . 2008-08-11 21:26	<DIR>	d--h-----	D:\Program Files\InstallShield Installation Information
2008-08-11 01:18 . 2008-08-11 01:18	<DIR>	d--------	D:\Program Files\Common Files\InstallShield
2008-08-11 01:09 . 2008-08-19 18:52	<DIR>	d--------	D:\Documents and Settings\Sid.HOME-B9BAAFBBF9
2008-08-11 01:06 . 2008-08-11 01:06	<DIR>	d--------	D:\Documents and Settings\Sid
2008-08-11 01:04 . 2008-08-11 01:04	<DIR>	d---s----	D:\WINDOWS\system32\Microsoft
2008-08-11 01:04 . 2008-08-11 01:04	<DIR>	d--hs----	D:\Documents and Settings\NetworkService
2008-08-11 01:04 . 2008-08-11 01:04	<DIR>	d--hs----	D:\Documents and Settings\LocalService
2008-08-11 01:04 . 2008-08-11 01:04	8,192	--a------	D:\WINDOWS\REGLOCS.OLD
2008-08-11 01:01 . 2001-08-23 17:30	13,463,552	--a--c---	D:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-08-11 01:00 . 2008-08-11 01:00	<DIR>	d--------	D:\WINDOWS\system32\xircom
2008-08-11 01:00 . 2008-08-11 22:22	<DIR>	d--------	D:\Program Files\microsoft frontpage
2008-08-11 01:00 . 2008-08-11 22:36	316,640	--a------	D:\WINDOWS\WMSysPr9.prx
2008-08-11 01:00 . 2008-08-11 22:46	23,392	--a------	D:\WINDOWS\system32\nscompat.tlb
2008-08-11 01:00 . 2008-08-11 22:46	16,832	--a------	D:\WINDOWS\system32\amcompat.tlb
2008-08-11 01:00 . 2008-08-11 01:00	2,577	--a------	D:\WINDOWS\system32\CONFIG.NT
2008-08-11 01:00 . 2008-08-11 01:00	0	--a------	D:\WINDOWS\control.ini

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

------- Sigcheck -------

2004-03-12 05:49  1039360  b2ba1925ce6ff96eeef00327fa4c2337	D:\WINDOWS\explorer.exe
2004-03-12 05:49  1039360  b694899f20429e4b45b5a6873ec2ba70	D:\WINDOWS\system32\dllcache\explorer.exe

2004-03-12 05:48  25088  cb4c08c5be41d7b9a20b4f2ed98cc481	D:\WINDOWS\system32\ctfmon.exe
2004-03-12 05:48  25088  b4eacb643c96033820e0e7292a464d6e	D:\WINDOWS\system32\dllcache\ctfmon.exe

2004-03-12 05:49  67584  4970dc89086e38b621099f0f0d57ea80	D:\WINDOWS\system32\spoolsv.exe
2004-03-12 05:49  67584  670d9d8bd4e5ae799f100273f0a68604	D:\WINDOWS\system32\dllcache\spoolsv.exe

2004-03-12 05:49  155136  fa6f881f6a115e69ab53b9d444991d80	D:\WINDOWS\system32\wuauclt.exe
2004-03-12 05:49  122368  2a8f8347baf3f9c6470bd4daa89b1619	D:\WINDOWS\system32\dllcache\wuauclt.exe

2004-03-12 05:49  35328  0c80eeafd9169f0dd5493240dce41a7f	D:\WINDOWS\system32\userinit.exe
2004-03-12 05:49  35328  a4b36d38cfca4e0138c068694352ac13	D:\WINDOWS\system32\dllcache\userinit.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45080112-43D4-4B43-A8BC-7F1DFBFDCEAF}]
2008-08-19 18:54	3584	--a------	D:\WINDOWS\system32\MYBHO.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="D:\Program Files\Internet Download Manager\IDMan.exe" [2005-07-04 17:35 556544]
"googletalk"="D:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 02:52 3817472]
"cdloader"="D:\Documents and Settings\Sid.HOME-B9BAAFBBF9\Application Data\mjusbsp\cdloader2.exe" [2008-06-13 01:07 50520]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-03-12 05:48 25088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="D:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"NvMediaCenter"="D:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 138240 D:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-15 09:21 16281600 D:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-17 10:04 2958848 D:\WINDOWS\SkyTel.exe]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1634304 D:\WINDOWS\system32\nwiz.exe]

D:\Documents and Settings\Sid.HOME-B9BAAFBBF9\Start Menu\Programs\Startup\
Warkeys Update.lnk - D:\Program Files\Warkeys\update\Warkeys Update.exe [2006-08-04 02:24:12 225411]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"VIDC.VP31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@="Driver Group"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\uTorrent\\uTorrent.exe"=
"D:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"D:\\Program Files\\Garena\\Garena.exe"=
"D:\\Documents and Settings\\Sid.HOME-B9BAAFBBF9\\Application Data\\mjusbsp\\magicJack.exe"=

R0 pxark;pxark;D:\WINDOWS\system32\drivers\pxark.sys [2008-08-19 18:42]
R2 CSIScanner;CSIScanner;D:\Program Files\PrevxCSI\prevxcsi.exe [2008-08-19 18:42]
S2 WZCSVCRDSessMgr;Wireless Zero Configuration WZCSVCRDSessMgr;D:\WINDOWS\system32\A.tmp [2008-08-19 18:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84a81485-6884-11dd-a0a6-806d6172696f}]
\Shell\AutoRun\command - O:\autorun.exe
\Shell\phone\command - O:\autorun.exe

*Newly Created Service* - ALFO62
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - D:\Documents and Settings\Sid.HOME-B9BAAFBBF9\Application Data\Mozilla\Firefox\Profiles\dwx9fc99.default\
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-19 18:53:57
Windows 5.1.2600 Service Pack 2, v.2096 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 


D:\WINDOWS\system32\B.tmp

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Alfo62]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mickey32]
"ImagePath"="\??\D:\WINDOWS\system32\drivers\mickey32.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WZCSVCRDSessMgr]
"ImagePath"="D:\WINDOWS\system32\A.tmp srv"
.
------------------------ Other Running Processes ------------------------
.
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\temp\VRR2.tmp
D:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-08-19 18:55:26 - machine was rebooted
ComboFix-quarantined-files.txt  2008-08-19 13:25:20

Pre-Run: 96,193,650,688 bytes free
Post-Run: 96,504,049,664 bytes free

216


#2 rigel

BC Advisor

Posted 19 August 2008 - 07:48 PM

Hi Siddharth

ComboFix logs should not be posted outside the HijackThis forums, and then only when requested by a HJT Team member. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read ComboFix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again.

Please create a new topic explaining the nature of your problem in the Am I infected? What do I do? forum. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

Thank you for using BleepingComputer as your malware removal source.

This topic is now closed.
The BC Staff
