Can't Remove TR/Dldr.Murlo.NN.3 [trojan] (http://abb.633f94d3.info/abb.gif)

Discussion in 'Malware Help (A Specialist Will Reply)' started by fanisss, Aug 4, 2008.

  1. fanisss

    fanisss Private E-2

    Hello all, unfortunately my first post is due to malware removal. First of all, I assume that I have the same problem as this thread http://forums.majorgeeks.com/showthread.php?t=165030 but I couldn't generalize the given solution for my case.

    I currently have 6 PCs with exactly the same problem and Avira Antivir Premium installed: After removing a bunch of infected files (Murlo.NN.3 as well as Parite.B and Almanche32.B) the PC seems clean. However, from time to time an attempt is made to access a URL (http://abb.633f94d3.info/abb.gif), which means that there is still something installed in the computer that shouldn't be. This file probably tries to download further infected files to the computer, but the antivirus successfully blocks it. In some of the PCs, some other files are also being detected, such as C:\Documents and Settings\25\Local Settings\Temp\wmsetup.dll. Other files that have been initially removed and may give a hint are linkinfo.dll, rundll.exe, businesn.dll, as well as an altered hosts (system32\etc) file.

    If the antivirus remains installed, there seems to be no problem, but because the PCs belong to an Internet Cafe with Deep Freeze running, we would like to remove the antiviruses. The problem began when we unlocked Deep Freeze for maintenance reasons. I assume that the virus was installed through network shared folders. I had previously, by mistake, left all root hard drives shared; I have now disabled the sharing of these drives. Is it still possible that a virus can be transmitted over the network if the PCs have no shared folders/drives?

    I attach the logs of one of the PCs; I guess that if a solution is found for one of them, all of the PCs will be able to be fixed.

    Thanks in advance for your time,
    Fanis
     

    Attached Files:

  2. fanisss

    fanisss Private E-2

    Edit by chaslang: Merged two threads together. Removed dup logs.
     

    Attached Files:

    Last edited by a moderator: Aug 4, 2008
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Are you still having problems?
     
  4. fanisss

    fanisss Private E-2

    Thanks for your reply. Yes I still have the same problems I mentioned in my previous post.

    Sincerely,
    Fanis.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    • Does it only happen with one particular browser?
    • Does it happen in safe boot mode?
    • Disable all browser addons! Does it still happen?
    If still having problems, I suggest you do the below and attach logs requested from each.
    What are all the below recent folders? Games??? Are you sure all of this stuff is clean and trust worthy?
    Code:
    2008-07-30 02:01 <DIR> d-a------ C:\Program Files\Touchstone
    2008-07-30 01:54 <DIR> d-a------ C:\Program Files\SpellForce
    2008-07-30 01:33 <DIR> d-a------ C:\Program Files\Sierra Entertainment
    2008-07-30 01:32 <DIR> d-a------ C:\Program Files\Puzzle Quest
    2008-07-30 01:20 <DIR> d-a------ C:\Program Files\Konami
    2008-07-30 00:36 <DIR> d-a------ C:\Program Files\Funcom
    2008-07-30 00:07 <DIR> d-a------ C:\Program Files\Assassin's Creed
    2008-07-29 23:57 <DIR> d-a------ C:\Program Files\Aspyr
    What are all the below recent folders? Games??? And why are they HIDDEN? Are you sure all of this stuff is clean and trust worthy?
    Code:
    2008-08-04 22:20:41 -------- d--h--w C:\Program Files\Steam
    2008-08-03 02:21:37 -------- d--h--w C:\Program Files\Valve
    2008-08-01 03:58:32 -------- d--h--w C:\Program Files\MOHAA
    2008-08-01 03:49:30 -------- d--h--w C:\Program Files\MAME
    2008-07-29 22:14:07 -------- d--ha-w C:\Program Files\id Software
    2008-07-29 21:19:59 -------- d--ha-w C:\Program Files\Electronic Arts
    2008-07-29 20:43:10 -------- d--h--w C:\Program Files\Codemasters
    2008-07-29 20:43:02 -------- d--h--w C:\Program Files\Microsoft Games
    2008-07-29 20:42:52 -------- d--h--w C:\Program Files\Firefly Studios
    2008-07-29 20:42:42 -------- d--h--w C:\Program Files\Starbreeze Studios
    2008-07-29 20:42:39 -------- d--h--w C:\Program Files\THQ
    2008-07-29 20:42:38 -------- d--h--w C:\Program Files\Monte Cristo
    2008-07-29 20:42:38 -------- d--h--w C:\Program Files\3DO
    2008-07-29 20:42:34 -------- d--h--w C:\Program Files\Atari
    2008-07-29 20:42:33 -------- d--h--w C:\Program Files\Activision
    2008-07-29 20:42:24 -------- d--h--w C:\Program Files\Ubisoft
    2008-07-29 20:42:24 -------- d--h--w C:\Program Files\NumLock
    2008-07-01 02:46:34 -------- d--h--w C:\Program Files\Warcraft III
    2008-06-09 00:15:21 -------- d--h--w C:\Program Files\mIRC
     
  6. fanisss

    fanisss Private E-2

    Sorry, I didn't explain my problem well. An attempt is made to access this URL while there is no activity at all on the PC, no browser running. I am notified by the antivirus only. The problem is that when the antivirus is not running, the URL is accessed and a variety of infected DLLs are downloaded, hooked into the registry, the hosts file is changed, etc.

    In pure safe mode without networking it won't; nor does it in normal mode when the LAN connection is disabled. The trojan downloaded is only activated (as far as I understood) when the PC can reach the Internet.

    Regarding safe mode with networking, I am not really sure yet, as the URL is accessed at random time intervals. In the last 45 minutes that I left a PC in safe mode (where Antivir real-time protection is not enabled) no suspicious activity took place, as far as I can tell.
    Correct me if I am wrong, but I think given the aforementioned details, there is no issue regarding a specific browser. Moreover I believe that there is no add-on installed as both IE and Firefox were cleanly installed without any mods added-on.

    There are recently installed (in the fatal Deep Freeze unlock) games. I am as sure as I can be that they are clean (checked with Antivir & Nod - fully updated).

    The games as well; they are hidden for no specific purpose (but I hid them, not malware).

    NOTE1: On this PC (not on the others), apart from the suspicious URL that is being accessed, 2 files are detected/deleted and later on recreated.
    1. C:\Documents and Settings\25\Local Settings\Temporary Internet files\abb.gif (The file that the suspicious URL offers)
    2. C:\Documents and Settings\25\Local Settings\Temp\wmsetup.dll
    Both are characterized by Avira AntiVir Premium as being infected with TR/Dldr.Murlo.NN.3 [trojan].

    NOTE2: Just a hint (maybe): On the 2 PCs on which I ran MGtools, I found the following entry in runkeys.txt which seems suspicious and I can't identify:
    sa.dat 5 Aug 2008 6 "SA.DAT"
    under "Showing Shared Tasks Folder". Is there a chance that it may be related somehow to the trojan?


    Thanks again for your effort. The scans will take a while so I will post the logs as soon as they are ready in a new reply.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In your first message you mentioned having a Parite.B infection. If you had this infection, then you may still have it and it may have infected many if not all executable files on your PC, and you may be looking at a reinstall. Removal of infections like this can sometimes render a PC unreliable or unbootable. This can happen because the files that are infected may not be cleanable, and this will result in them being deleted. If they are required system files, the PC will no longer boot, or may boot but could have strange behavior.

    You need to install a real true bidirectional firewall too which may help. Please install one of the below ( only install one ):

     
    Last edited: Aug 6, 2008
  8. fanisss

    fanisss Private E-2

    Dear chaslang,

    Unfortunately I was unable to complete either of the 2 online scans you suggested earlier.

    Panda ActiveScan froze 3 times at 37%, after many hours of scanning. IE was still working but no particular file was being checked, nor was I able to cancel it or get the logs so far. BTW, it had detected so far 7 infected files, 2 suspicious and 6 vulnerabilities.

    Trend Micro HouseCall also froze (with Firefox, as with IE, it did not even begin scanning but rather froze in the "Installing & Update" step). It also detected 1 malware so far (before checking the "Windows" directory though), characterizing it as PE_PARITE.A. I was unable to get further information (like which file was the infected one) or resolve the threat.

    Just to mention something about the "Parite" threats: I am almost certain that executables (as well as HTMLs and TXTs) infected by Parite.A/B are due to an infection on the servers around 1 year ago, which was successfully resolved; on the servers at least.

    Another problem is that yesterday, yet 2 more PCs that have been unlocked from Deep Freeze for maintenance (1 week ago, along with the already infected ones) started to show incidents of infection. As I perceive it, the virus was installed to most of the PCs - if not on all - at that day, but it is activated in a "random" way.

    Is it possible to proceed without the logs of the online scanners? Any alternative scanner/solution? Should I try more things such as running HouseCall with quick scan selected, or disabling Avira's AntiVir first?

    I also installed Comodo Personal Firewall and it is currently scanning my system for malwares. Will you need any logs from Comodo? Should I do/check something specific on it or just let it run on background?

    I really appreciate your effort and hope that we will find where the remainders of this malware reside.

    Fanis
     
  9. fanisss

    fanisss Private E-2

    OK, here is Comodo's log from the scan suggested during installation. No suspicious files, just mIRC and Remote Administrator's 2.1 components; which I have installed myself.

    I also found and attached a strange file in %temp% which may be Panda's ActiveScan log file, as far as it had scanned before crashing. I don't know if it is of any help.

    Moreover, I configured Comodo's Defense Security Level at "Paranoid" and left the Firewall level at the default "Safe Mode". I checked the process list; nothing I don't know. I also got some notifications about connecting to the Net Cafe's server; everything seems fine.

    Meanwhile, Antivir warned me again about attempts to access infected files as well as the infamous URL, but Comodo did not show anything! Something strange that I see in my current active connections is the following:

    System TCP OUT is actively communicating with both of our servers at their 139 port from this PC's 1140 & 1267 ports.

    However I think that is from file sharing because as I read and write files to the servers "Bytes In" and "Bytes Out" are increasing.

    Finally, I started HouseCall again with the "Recommended Scan" option, but it's going to take a while (if it doesn't crash again). If any log/screenshot/further information might be useful to you, just ask me.

    Fanis
     

    Attached Files:

  10. fanisss

    fanisss Private E-2

    I managed to run ActiveScan by installing and using IE 7. The log is attached. I didn't try to clean anything at the end of the scan as it required registration and I was not sure what I was supposed to do.

    I am also trying to run HouseCall; if I succeed I'll upload the log soon.

    Regards,
    Fanis
     

    Attached Files:

  11. fanisss

    fanisss Private E-2

    Sorry for all these posts, I just found something new. HouseCall is probably freezing because the "java" process eventually reaches 1GB of memory and thus the PC gets stuck.

    However, I can overcome this by making 3-4 manual scans and set it to check a smaller range of folders each time.

    The interesting thing is that while scanning the Windows folder, it found a PE_PATCHED.DV infection on the file C:\windows\system32\actxprxy.dll.

    I used the online scanner at http://virusscan.jotti.org/ for this file, and only Ikarus Antivirus is detecting it as Trojan-Downloader.Win32.Small.ap; no other antivirus says something. I double-checked it by scanning only these DLLs from the PC infected so far, and all of them are infected. On the contrary, these DLLs from the non-infected PCs are not detected as malware.

    I hope this can tell you something more. For the time being, on another PC (not the one we are working on together) I replaced the infected file with a legitimate one, full scanned it again, and left it like this to see how it will behave.

    Fanis
     
  12. fanisss

    fanisss Private E-2

    Dear Chaslang,

    Finally I didn't manage to run Trend Micro HouseCall. Even if I manually select only a few folders to scan, it always scans the whole hard disk and eventually the system runs out of memory. However, except for the malware it detected previously in actxprxy.dll, it does not detect anything else.

    I also tried something else in order to get more hints about the virus: I ignored some of Avira's Antivir messages regarding the files it detects every once in a while, in order to see what is really happening from Comodo's alerts.

    I attached some screenshots from Comodo's alerts that may tell something more about what the virus does. After ignoring the initial warnings from Antivir, QQ_Update.cab, wmsetup.dll, update[1].gif, and abb[1].gif were created in C:\windows\temp and C:\Documents and Settings\X\Local Settings\Temp (where X is local user, "NetworkService", and "LocalService").

    Apart from these images, it also created a unxxx.bat that automatically removes C:\WINDOWS\TEMP\QQ_Update.cab (the file that is downloaded and does more of the stuff). Moreover, it tried to access cmd.exe and rundll32.exe.

    Finally, in the active connections of Comodo I saw that explorer.exe was connected through TCP to port 80 of 60.191.223.76. I did a tracert for this IP and it seems suspicious, maybe the source from where further trojans were downloaded.

    I really hope that this information will be useful to you.

    Sincerely,
    Fanis
     

    Attached Files:
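The indicators fanisss lists in the post above (files dropped into the temp folders and IE cache, the altered hosts file) are the kind of thing a defender checks on every machine in a lab like this before trusting it again. The script below is an added example, not code from the thread or from any of the tools discussed in it: it matches file paths against the dropped-file names reported above (normalising the IE cache "[1]" suffix so abb[1].gif matches abb.gif) and lists hosts-file entries other than the default localhost mapping. The sample paths and hosts content are constructed for the example; the hostnames in the sample hosts file are placeholders, not anything observed in the thread.

```python
import re

# File names reported in the thread as dropped into C:\WINDOWS\TEMP, the
# per-user Temp folders and the IE cache. Matched case-insensitively.
DROPPED_FILE_NAMES = {
    "wmsetup.dll", "qq_update.cab", "abb.gif", "update.gif", "unxxx.bat",
}

# IE's cache stores a second copy of a download as name[1].ext, name[2].ext, ...
_CACHE_SUFFIX = re.compile(r"\[\d+\](?=\.[^.]+$)")


def normalize_name(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path, with any
    IE cache '[n]' suffix removed, e.g. '...\\abb[1].gif' -> 'abb.gif'."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return _CACHE_SUFFIX.sub("", name)


def find_dropped_files(paths):
    """Return the paths whose file name is one of the reported dropped files."""
    return [p for p in paths if normalize_name(p) in DROPPED_FILE_NAMES]


def suspicious_hosts_entries(hosts_text: str):
    """Return (ip, hostname) pairs from a hosts file, excluding the default
    localhost mapping. Blank lines and '#' comments are ignored. On a stock
    Windows XP install the hosts file contains only '127.0.0.1 localhost',
    so anything returned here was added afterwards and should be explained."""
    flagged = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if ip in ("127.0.0.1", "::1") and name.lower() == "localhost":
                continue
            flagged.append((ip, name.lower()))
    return flagged


def ioc_report(paths, hosts_text):
    """Combine both checks into one dict; a clean machine returns empty lists."""
    return {
        "dropped_files": find_dropped_files(paths),
        "hosts_entries": suspicious_hosts_entries(hosts_text),
    }


# Constructed sample input (not a real directory listing from the thread's PCs).
SAMPLE_PATHS = [
    r"C:\WINDOWS\TEMP\QQ_Update.cab",
    r"C:\Documents and Settings\25\Local Settings\Temp\wmsetup.dll",
    r"C:\Documents and Settings\25\Local Settings\Temporary Internet Files\abb[1].gif",
    r"C:\Documents and Settings\25\Local Settings\Temp\notes.txt",
]

# Constructed sample hosts file; the extra hostnames are placeholders.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       av-update.example.test   # constructed: update server redirected to loopback
0.0.0.0         www.example.test
"""

if __name__ == "__main__":
    report = ioc_report(SAMPLE_PATHS, SAMPLE_HOSTS)
    for path in report["dropped_files"]:
        print("dropped file:", path)
    for ip, host in report["hosts_entries"]:
        print("hosts entry :", ip, host)
```

On a real machine the path list would come from walking C:\WINDOWS\TEMP and each user's Local Settings\Temp and Temporary Internet Files, and the hosts text from C:\WINDOWS\system32\drivers\etc\hosts; the checks themselves do not change. Treat a hit as a reason to rebuild or re-image the machine, not as proof that deleting the file fixed it, since the post above shows the files being recreated.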

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You really should read this: Don't Bump! It Only Hurts You!!! I know you don't mean to be bumping but the end result on you getting an answer is still the same.


    I think the first thing we need to do is uninstall Deep Freeze because it may actually be getting in the way of removal. You will need to keep this uninstalled until we have fixed the problem. Obviously it did not protect you from this anyway, and it may just be making it harder to fix.

    Now run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.


    Now go to Windows Update and install all updates for Windows. For now you can skip Windows XP SP3 if you do not want it; however, you need the other updates. Even Panda and other scans are pointing out all the vulnerability issues that you have, and they must be corrected.


    Is the below startup process something you installed?
    O4 - Global Startup: Icons.lnk = bats\icos.bat


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines (some of them may not exist! Just ignore and continue) but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [BSplayer_WhenUSave_Installer] C:\Program Files\BSplayer_WhenUSave_Installer\BSplayer_WhenUSave_Installer.exe
    O21 - SSODL: DesktopWin - {DA191DE0-AA86-4ED0-4B87-292A3D48BE99} - C:\WINDOWS\AppPatch\DesktopWin.dll

    After clicking Fix, exit HJT.



    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Aug 8, 2008
  14. fanisss

    fanisss Private E-2

    Dear chaslang,

    I followed the whole procedure; the logs are attached. Just one note: I replaced actxprxy.dll with a legitimate one on this PC as well (I was too curious:)). The good thing is that on the 3 PCs where I also replaced this file, things seem ok. They have been running without antivirus for at least 40 hours now and nothing has been downloaded.

    However, there were PCs that showed malware indicators after 3-4 days of their infection, thus, I still have to wait in order to be sure whether they are clean or not.

    If I see anything strange happening on this PC I will tell you.

    Fanis

    PS: The startup process O4 - Global Startup: Icons.lnk = bats\icos.bat is something I installed, completely safe.
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It looks like the CFScript.txt file may not have been created properly since it does not look like ComboFix even attempted any of the deletions. Many of those did not exist but they are often seen with the GamPass infection so I was just covering all the bases.


    If you are not having any more problems then I would not worry about it now. I would just move on with the below final cleanup.

    Also, it does not look like you removed Windows Messenger as requested, because I still see it running.


    If you are not having any other malware problems, it is time to do our final steps:
    1. You can uninstall SUPERAntiSpyware now.
    2. We recommend you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combo-fix folder from combofix.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  16. fanisss

    fanisss Private E-2

    Dear chaslang,

    For the time being everything seems alright. When I removed Windows Messenger through the tool, it asked me for a restart, which I didn't do.

    Thanks for your effort and I hope that I won't see anything strange in the following days.

    Fanis.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely.
     
