Murlo Trojan - more

Discussion in 'Malware Help (A Specialist Will Reply)' started by dmb06851, Apr 16, 2007.

  1. dmb06851

    dmb06851 Specialist

    I tried to add a post to the existing Murlo Trojan thread but the system says I don't have the privilege. (Admin, please comment.)


    I experienced exactly what Colin17 describes; 3 instances of Murlo Trojan reported by XoftSpySE.

    I have run the ISeeYouXP scan and the log is attached.

    Will Shadow_Puter_Dude please look and try to help.

    Thank you.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should not be trying to post in someone else's thread to begin with.

    Are you also being told you have this by XoftSpy?? Did you purchase XoftSpy? If it is reporting the same thing as in the other thread, it may be a false positive.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, renaming, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy - only for Windows XP, 2K, & NT users
      • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy. - only for Windows XP, 2K, & NT users
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. dmb06851

    dmb06851 Specialist

    Yes, only XoftSpySE reports it, and yes, I bought it from Pareto.

    I ran XoftSpy and deleted three instances of the Murlo trojan it found.

    I followed the steps in the Read Me First thread.

    No malware listed in Add/Remove Programs.

    MSConfig set to normal (it wasn't, but is now.)

    Rebooted.

    Ad-Aware SE quarantined items deleted.

    CCleaner run in my account (which has admin rights and I use all the time. The admin account is never used.)

    I had to boot in safe mode using Symantec's (msconfig) method.

    Spybot found nothing.

    I can't connect to the net in safe mode so the following were run in normal mode.

    CounterSpy found nothing.

    Bitdefender found nothing.

    I can't run Panda ActiveScan. The pop-up window disappears as soon as it appears. Panda is aware and trying to help (I have ActiveScan Pro.)


    I ran XoftSpy again and the three instances of the Murlo trojan are reported again.


    The bdscan, runkeys and newfiles files are attached. The HJT one follows.
     

    Attached Files:

  4. dmb06851

    dmb06851 Specialist

    The HJT log.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    These could be false positives from XoftSpy. You show none of the signs that would typically relate to Murlo which just changes a few registry keys (and they are not the ip6fw keys) and creates a temp file. XoftSpy is well known to have false positive issues. Please attach a log that shows exactly what it is finding and where. The ip6fw services registry keys are valid keys! What entries are actually in it could be what XoftSpy is questioning. Since you have paid for this program, you should be also asking them about what they are reporting and why they aren't fixing it if it is really a problem (which I doubt they are). The only people detecting Murlo are people who use XoftSpy and it would be rather silly to assume that no other antispyware program would be detecting it if it truly existed.

    The only problems I notice in your logs are too many realtime type anti-malware applications running. Uninstall CounterSpy that was installed during the READ ME now to at least help get rid of one. I do suggest you keep only one of the below:
    Ad-Aware SE Plus
    AVG Antispyware (only keep if a paid version)
    Pest Patrol

    I also do question what the below new file is on your PC! Do you know:
    Code:
    "C:\WINDOWS\"
    is-rhshd.exe  14 Apr 2007      689664  "is-RHSHD.exe"
     
    Last edited: Apr 19, 2007
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  7. dmb06851

    dmb06851 Specialist

    Ok Chas, thank you.

    I shall attach XoftSpy's log, which was an xml file which I changed to .txt so it would upload.

    I will also ask Pareto and see what they have to say.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also suggest to them that they should produce text logs! Do they really think that most people are going to have XML file readers!


    Those lines at the end are the same thing everyone else with XoftSpy is reporting. I don't see any problem with them and in addition, they don't appear to have anything to do with Murlo!


    Did you know what the file was that I questioned?
     
  9. dmb06851

    dmb06851 Specialist

    Sorry, forgot about that file Chas.

    No, I don't know what it is. I have put the four associated files in a new folder named Holding Pen to isolate them. The four files are is-RHSD.exe, is-RHSD.lst, is-RHSD.msg and IsUninst.exe.

    I have copied and renamed the .lst one to .txt and attached it. It means nothing to me.

    When (if?) Pareto replies I shall post it here.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It does not help me much either. Right click on the EXE file and check out file Properties and the Version tab (if it has one) to try and get more info. Is your system running okay without them?

    Here are some other items that showed up on the 14th of April. Do any of them ring a bell as being related?
    Code:
    "C:\Documents and Settings\David Bridgen\Desktop\"
    jobs.txt      14 Apr 2007         616  "JOBS.txt"

    "C:\Documents and Settings\David Bridgen\My Documents\"
    labour~1.doc  14 Apr 2007       23040  "LABOUR OF LOVE.doc"
    reginput.txt  14 Apr 2007         256  "RegInput.txt"

    "C:\Documents and Settings\David Bridgen\Start Menu\Programs\Startup\"
    sbauto~1.lnk  14 Apr 2007         515  "SBAutoUpdate.lnk"
    speedt~1.lnk  14 Apr 2007         683  "SpeedTouch USB Diagnostics.lnk"

    "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\"
    zonela~1.lnk  14 Apr 2007         555  "Zone Labs Client.lnk"

    "C:\Program Files\"
    MATCO         14 Apr 2007              "MATCO"
    TYPEIN~1.0    14 Apr 2007              "Type International Characters 2.0"
    I see you have Adware Away v3.0.3 installed. Did you purchase this? If not, you should uninstall it since it will not do anything for you unless you buy it. And even if you did buy it, it is a below average application. Consider dumping it anyway. Here is one review I had seen:
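    The newfiles.txt excerpt chaslang works from above has a simple fixed layout (a quoted directory header, then one line per item with short name, date, size and quoted long name), so the same "what appeared on the 14th, and which of it is worth asking about" pass can be scripted. The block below is an added example written for this page, not a MajorGeeks tool and not part of ShowNew.bat: it parses a constructed listing in that layout and flags new executables sitting directly in the Windows directory and new entries in Startup folders. The flagging rules are the example's own assumptions, and as this thread shows, a flag is a prompt to identify the file (the one questioned here was identified from its Version tab as Inno Setup), not a verdict that it is malware.

```python
"""Parse and triage a ShowNew.bat-style newfiles.txt listing.

Added example for this thread, not the forum's own tool. Expected layout,
as quoted in the thread:

    "C:\\Some\\Directory\\"
    short~1.ext   DD Mon YYYY        size  "Long Name.ext"

Directories have an empty size column.
"""
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional

# Constructed sample in the thread's layout (illustrative, not a real log).
SAMPLE_NEWFILES = r'''
"C:\WINDOWS\"
is-rhshd.exe  14 Apr 2007      689664  "is-RHSHD.exe"

"C:\Documents and Settings\Owner\Desktop\"
jobs.txt      14 Apr 2007         616  "JOBS.txt"

"C:\Documents and Settings\Owner\Start Menu\Programs\Startup\"
sbauto~1.lnk  14 Apr 2007         515  "SBAutoUpdate.lnk"

"C:\Program Files\"
MATCO         14 Apr 2007              "MATCO"
update.exe    12 Apr 2007       40960  "update.exe"
'''

HEADER_RE = re.compile(r'^"(?P<dir>[A-Za-z]:\\.*\\)"$')
ENTRY_RE = re.compile(
    r'^(?P<short>\S+)\s+(?P<date>\d{1,2} [A-Za-z]{3} \d{4})'
    r'\s+(?P<size>\d*)\s+"(?P<long>[^"]+)"$')

# Heuristics chosen for this example (assumptions, not MajorGeeks' criteria).
EXEC_EXTS = (".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".bat", ".cmd")
SYSTEM_DIRS = ("c:\\windows\\", "c:\\windows\\system32\\")
STARTUP_MARKER = "\\start menu\\programs\\startup\\"


@dataclass(frozen=True)
class NewItem:
    directory: str        # directory header the line appeared under
    short_name: str       # 8.3 name as ShowNew prints it
    long_name: str        # real name
    created: date
    size: Optional[int]   # None for directories (empty size column)

    @property
    def path(self) -> str:
        return self.directory + self.long_name

    @property
    def is_dir(self) -> bool:
        return self.size is None


def parse_newfiles(text: str) -> List[NewItem]:
    """Turn the listing into NewItem records; stray text (like the 'ays.'
    fragment in the thread's paste) is skipped rather than treated as an entry."""
    items: List[NewItem] = []
    current_dir: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current_dir = m.group("dir")
            continue
        m = ENTRY_RE.match(line)
        if not m or current_dir is None:
            continue
        size = int(m.group("size")) if m.group("size") else None
        created = datetime.strptime(m.group("date"), "%d %b %Y").date()
        items.append(NewItem(current_dir, m.group("short"), m.group("long"), created, size))
    return items


def items_on(items: List[NewItem], day: date) -> List[NewItem]:
    """Everything that appeared on one day, the grouping chaslang does by hand."""
    return [i for i in items if i.created == day]


def triage(item: NewItem) -> List[str]:
    """Reasons an item deserves a second look (empty list = unremarkable).
    A reason means 'identify this', not 'this is malicious'."""
    reasons: List[str] = []
    name = item.long_name.lower()
    d = item.directory.lower()
    if not item.is_dir and name.endswith(EXEC_EXTS) and d in SYSTEM_DIRS:
        reasons.append("new executable directly in a Windows system directory")
    if STARTUP_MARKER in d:
        reasons.append("new autostart entry in a Startup folder")
    return reasons


def triage_report(text: str) -> Dict[str, List[str]]:
    """Map each flagged full path to the reasons it was flagged."""
    report: Dict[str, List[str]] = {}
    for item in parse_newfiles(text):
        reasons = triage(item)
        if reasons:
            report[item.path] = reasons
    return report


if __name__ == "__main__":
    for path, reasons in triage_report(SAMPLE_NEWFILES).items():
        print(path, "->", "; ".join(reasons))
```

    Anything the report lists is a question to answer (Properties, Version tab, which recent install created it), exactly as chaslang does with is-RHSHD.exe above; a file that is not listed is merely not matched by these two rules, not cleared.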
     
  11. dmb06851

    dmb06851 Specialist

    Isn't that msvbvm60.dll entry in the .lst file something to do with Visual Basic/Virtual Machine?


    On right clicking the .exe file I found this:

    File version 51.44.0.0

    Copyright 1997-2006 Jordan Russell. Portion

    Product name Inno Setup


    Those files you list are not related.
    I have uninstalled Adware Away.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Inno Setup is a free software installation package that many programs use. Perhaps one of the items you recently installed used this to install their software.
     
  13. dmb06851

    dmb06851 Specialist

    I finally received a reply from Pareto which I will paste below:


    Hello, David,

    Thank you for your email.

    On behalf of the ParetoLogic Support Team, we wish to apologize for the lengthy delay in responding to your concerns. We are experiencing a higher volume of customer inquiries than usual, and are doing our best to address each customer's questions and issues in a timely fashion. Your patience in this regard is much appreciated.

    The Murlo Trojan has indeed been recognized as being a false positive. The latest update of XoftSpySE (4/19/2007) has addressed this issue, and the Murlo Trojan has accordingly been removed from our spyware definitions database.

    We are sorry for any inconvenience this may have caused.

    Please do not hesitate to contact us again if you require further information.


    Kind regards,


    Stephanie

    Customer Support Team

    Ticket Details
    ===================
    Ticket ID: IMO-414706
    Department: Licensing & Fulfillment
    Status: Reply Sent
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thanks for confirming my assumption that they were indeed false positives!

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
