Murlo Trojan

Discussion in 'Malware Help (A Specialist Will Reply)' started by Colin17, Apr 13, 2007.

  1. Colin17

    Colin17 Private E-2

    I sincerely hope that you can help me - XoftSpySE tells me that I have a Trojan called Murlo Trojan and it exists in three locations "system\currentcontrolset\services\ip6fw\enum\0", "system\...\...\...\enum\count" and "system\...\...\...\enum\nextinstance".
    XoftSpy will remove the Trojans but they reappear every time that I boot up. I have worked through the Malware Removal Guide but have had very little success. I have carried out the instructions in 0 through to 4. Under 5 - I have run CCleaner, Spybot Search & Destroy and CounterSpy. CounterSpy produced a report which I have attached (I have subsequently deleted the cookies). Under 6A - I have run BitDefender and attach the report; however, I could not get Panda ActiveScan to work - I have tried in Safe Mode and in Normal but keep getting the message "Error on Page". Under 6B - neither GetRunKey.zip nor ShowNew.zip will give the files "runkeys.txt" or "newfiles.txt" after carrying out your instructions. I have attached a HijackThis log. I hope that you will be able to help although I have not had success with some of your requests. Many thanks in anticipation. Colin17.
     


  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your logs show nothing of concern. Can you post a log from XoftSpySE? That way I can see exactly what it is finding.
     
  3. Colin17

    Colin17 Private E-2

    Thank you for your response - I have not been able to get a log from XoftSpy but I have typed the report out below:

    Vendor        | Type           | Threat level | Characteristics | Object
    Murlo Trojan  | Registry Value | Severe Risk  | View Details    | system\currentcontrolset\services\ip6fw\enum\0
    Murlo Trojan  | Registry Value | Severe Risk  | View Details    | system\currentcontrolset\services\ip6fw\enum\count
    Murlo Trojan  | Registry Value | Severe Risk  | View Details    | system\currentcontrolset\services\ip6fw\enum\nextinstance
    doubleclick   | cookie File    | Low Risk     | View Details    | C:\Documents and Settings\Colin\Cookies\colin@doubleclick[1].txt
    mediaplex     | cookie File    | Low Risk     | View Details    | C:\Documents and Settings\Colin\Cookies\colin@mediaplex[1].txt
    tribalfusion  | cookie File    | Low Risk     | View Details    | C:\Documents and Settings\Colin\Cookies\colin@tribalfusion[1].txt

    I hope that this is OK for you - I cannot get the info for each threat on one line. The "View Details" sends you to the Pareto Logic website where it describes the threat.
    Regards
    Colin
     
  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Unfortunately that report doesn't tell me much. ip6fw is a legit service, but it can also be a rootkit.

    The process IPv6 Windows Firewall Driver belongs to the software Microsoft® Windows® Operating System by Microsoft Corporation (www.microsoft.com).

    Description: ip6fw.sys is located in the folder C:\Windows\System32\drivers. The file size on Windows XP is 29056 bytes.

    Download:
    - ISeeYouXP.zip by ShadowPuterDude

    Extract the contents of ISeeYouXP.zip to the root directory of drive C:\. This will create a folder named ISeeYouXP in the root directory of Drive C.

    Using Windows Explorer (right click the Start button and select Explore to open Windows Explorer) navigate to C:\ISeeYouXP and locate ISeeYouXP.bat.

    Double-click the batch file to run the script.

    (Do not attempt to run this program from inside the ZIP file or by using WinZip or a similar tool. It will not work properly.)

    Possible Error Messages
    • If your ISeeYouXP.txt log appears to be empty or semi-empty, or you get an error message similar to the below when running ISeeYouXP.bat, and you are running Windows XP or Windows 2000, follow the steps further down that relate to your OS.
      To fix the above error message, choose the download below which is appropriate for your system
      • For Windows XP Pro: download and run: XPproFix
      • For Windows XP Home: download and run: XPHomeFix
      • For Windows 2000: download and run: W2KFix
      Then run ISeeYouXP.bat again and attach the log.
    • A possible second type of error message may occur as shown in the quote box below! If you get either of these two messages, perform the Resolution steps given in this: Virtual Device Driver Error Message in 16-Bit MS-DOS Subsystem
    After attempting to fix the above errors, run ISeeYouXP.bat and attach the log.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's why the READ ME should be run and why the logs from GetRunKey and ShowNew should be obtained!
    ;)
     
  6. Colin17

    Colin17 Private E-2

    Hi Shadow_Puter_Dude
    I have just run ISeeYouXP.bat and attach the log as requested.
    Colin17
     


  7. Colin17

    Colin17 Private E-2

    Hi Shadow_Puter_Dude
    I have also now managed to run GetRunKey.bat & ShowNew.bat and attach logs.
    Best regards
    Colin17
     


  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Download
    - Pocket Killbox

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Otherwise your logs are clean.
     
  9. Colin17

    Colin17 Private E-2

    Hello Shadow_Puter_Dude
    Thank you for your response - I have carried out the instructions but I did not get the "PendingFileRenameOperations" prompt at the end.
    I have also run XoftSpy and unfortunately the Murlo Trojan is still there.
    I did get a message on bootup and I have typed these out in WordPad as an attachment "Message.rtf" to this post.
    Colin17
     


    Last edited: Apr 16, 2007
  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    There may be a problem with the drivers for your Dell printer. You may need to uninstall the printer drivers and then install the drivers after a reboot.

    Download Registry Search (see the link titled RegSearch Download Link)

    * Extract the files from Regsearch.zip into a folder.
    * Double-click regsearch.exe to start the program.
    * Enter ip6fw in the top area of the form and then click "OK".
    * Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well). Attach this file to your next reply.
     
  11. Colin17

    Colin17 Private E-2

    Thank you for reply - please find post attached
    Colin17
     


  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    These 3 keys do not exist according to the registry search I had you do:
    I'm leaning towards a False Positive.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Actually the "keys" do exist and the first one does show in the log! It is just poor log file information from XoftSpy!
    It's just that XoftSpy's software was written incorrectly and shows the "0" value as a registry subkey instead of showing it as a value. The "count" and "nextinstance" items are also values, not subkeys! Why they did not dump out in the RegSearch, I don't know. Perhaps they are gone.

    However, that all being said, it is still a case of False Positive as I mentioned in another thread here: Murlo Trojan - more
     
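The distinction chaslang draws above (0, Count and NextInstance are values of the Enum key, not subkeys) and the driver facts Shadow_Puter_Dude gave earlier (ip6fw.sys under C:\Windows\System32\drivers) can both be checked directly rather than through a scanner's report. The PowerShell below is an added example, not code from the thread or from any of the tools it mentions; it assumes a Windows host where the named service exists (ip6fw only exists on Windows XP, so on later versions pass another kernel driver's service name via the hypothetical $ServiceName parameter) and that it runs with rights to read HKLM and the driver file.

```powershell
# Added example (not from the thread): list what really lives under a service's
# Enum key and where its driver binary is, so a scanner finding can be checked.
# $ServiceName is an assumed parameter; ip6fw is the XP IPv6 firewall driver.
param(
    [string]$ServiceName = 'ip6fw'
)

$svcPath  = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$enumPath = Join-Path $svcPath 'Enum'

if (-not (Test-Path $svcPath)) {
    Write-Output "Service key $svcPath does not exist."
    return
}

# Locate the registered driver image and report its size and signature status.
$svc = Get-ItemProperty -Path $svcPath
if ($svc.ImagePath) {
    # ImagePath is usually relative to the Windows directory (system32\drivers\...)
    # or prefixed with \SystemRoot\ or \??\; normalise to an absolute path.
    $image = $svc.ImagePath -replace '^\\SystemRoot\\', "$env:SystemRoot\" -replace '^\\\?\?\\', ''
    if (-not [System.IO.Path]::IsPathRooted($image)) {
        $image = Join-Path $env:SystemRoot $image
    }
    if (Test-Path $image) {
        $file = Get-Item -Path $image
        $sig  = Get-AuthenticodeSignature -FilePath $image
        Write-Output ("Driver: {0}  size={1} bytes  signature={2}" -f $image, $file.Length, $sig.Status)
    } else {
        Write-Output "Driver image $image is registered but not found on disk."
    }
}

if (-not (Test-Path $enumPath)) {
    Write-Output "No Enum key under $svcPath (normal for services without PnP device instances)."
    return
}

# Subkeys versus values: the Enum key of a PnP driver normally holds the values
# 0 (device instance path), Count and NextInstance, and no subkeys at all.
$enumKey = Get-Item -Path $enumPath
$subkeys = $enumKey.GetSubKeyNames()
$values  = $enumKey.GetValueNames()

Write-Output ("Subkeys of Enum: {0}" -f $(if ($subkeys) { $subkeys -join ', ' } else { '(none)' }))
foreach ($name in $values) {
    $display = if ($name -eq '') { '(Default)' } else { $name }
    Write-Output ("Value {0,-13} = {1}" -f $display, $enumKey.GetValue($name))
}
```

Run it from an elevated PowerShell prompt as `.\Check-ServiceEnum.ps1 -ServiceName ip6fw` (file name assumed). Output that shows 0, Count and NextInstance under "Value" and "(none)" under "Subkeys" confirms the thread's reading of the XoftSpy report; an ImagePath pointing somewhere other than the expected drivers folder, or an unsigned file, would be the thing worth looking at further.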
  14. Colin17

    Colin17 Private E-2

    Thank you for your time and effort. I am pleased to know that it is nothing serious. I have read through the post by dmb06851 and I will also pursue Pareto.
    If I get a response I will post it on this thread. Once again many thanks.
     
  15. Colin17

    Colin17 Private E-2

    After sending my last reply I shut down my PC since I was going out for a while. I had not contacted Pareto but when I next booted up my PC and ran XoftSpy the "Murlo Trojan" notification had disappeared - why I know not!
    Well once again many thanks for your help. Colin17.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Perhaps they finally updated their software to stop reporting the false positive! Were your definitions/detections or the program itself automatically updated?
     
  17. Colin17

    Colin17 Private E-2

    Yes - XoftSpy is set to automatically update - however I did not see any update take place. Perhaps it was carried out in the background whilst the PC was booting up, as I had now set XoftSpy to launch at start up. Colin17
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Can you check within the program to see what detections version/date is shown? That may help you determine if it was recently updated.
     
  19. Colin17

    Colin17 Private E-2

    Dear Chaslang - The XoftSpy last update was 2007/4/19 DB-235. The version of XoftSpy is XoftSpySE v4.31. Colin17.
     
