WinFixer 2005 and mroh.exe

Discussion in 'Malware Help (A Specialist Will Reply)' started by bbbco, Aug 10, 2005.

  1. bbbco

    bbbco Private E-2

    I was assigned a computer loaded down with virii and spyware to clean up, which I seemed to have successfully cleaned up for the most part using TrendMicro and Panda online scanners, updated Ad-Aware, Spybot, MSAS, CWShredder and HiJackThis (I have had plenty of experience using all of these programs before). However, I am still getting automatic downloading of WinFixer 2005 and what I suspect to be a malicious program ( mroh.exe ) running in the background. I also think I might still have some strains of Look2Me still lurking around...

    This is an IBM computer with Windows 2000 Service Pack 4 and most updates installed on it.

    I have used KillBox to try and delete the mroh.exe file, and it will delete it in safe mode, but once I bring it back up in normal mode, it comes right back into the WINNT\system32\ folder. I am also still trying to determine where WinFixer is generating itself from.

    So any help y'all could give would be appreciated.

    Thanks,

    bbbco
     
  2. bbbco

    bbbco Private E-2

    Here ya go...
     


  3. bbbco

    bbbco Private E-2

    Wait... HiJackThis can be installed directly on a folder on the C: drive, correct? According to the sticky post about HiJackThis in this forum:

    C:\Hijack This\HiJackThis.exe is a permanent location with its own folder that makes it safe...it is irrelevant whether it is under Program Files or not.


    I have tried removing WinFixer 2005 before, but on restarting and connecting to the internet (for online scans, etc.) it pops back up and asks to install. Regardless of whether you push OK or Cancel, it still installs automatically in the background, unless you X out of the Internet Explorer browser that comes up quickly first. There is obviously a thread or remnant left behind that "calls home" when it realizes that the program is not installed. I am trying to figure out where this thread is (whether files, or in the registry, etc.) but no leads. I was hoping someone around here might have had experience with this nasty program and might know how to rat it out.

    HiJackThis and KillBox will not kill C:\WINNT\system32\mroh.exe unless I am in Safe Mode, but as soon as I boot normally, mroh.exe is right back in the same place.

    Thanks for your help.

    bbbco
     
  4. bbbco

    bbbco Private E-2

    Ok, so I ran BitDefender, it found a few things, but could not clean most of them.

    Then, as per your instructions, I downloaded ewido and as soon as that had installed and rebooted into normal mode, it found mroh.exe and said that it was a "PurityScan" and it also found wfhtcpip.dll in the system32 folder, calling it Look2Me.

    So I rebooted in safe mode and ran the scan and it found a ton of trash that it cleaned and removed. I will post the log in the next post, because I had to split it up because of the 2MB limit.

    I then rebooted into normal mode, ran CCleaner and that found some stuff in the Issues section. I also ran HiJack This and it looks pretty clean. I have posted the log generated for HiJack This on this post.

    However, once I connected to the internet, WinFixer 2005 came back up wanting to install, but I X'd out of that before it tried to install anything, and after surfing over here to the forums, a random pop-up appeared. So it looks like we are getting somewhere, but something is still left around...hmm...

    Thanks,

    bbbco
     


  5. bbbco

    bbbco Private E-2

    Here's the log for ewido.

    I ended up having to zip the file up instead. Sorry for any inconvenience.


    bbbco
     


  6. bbbco

    bbbco Private E-2

    Ok, I did that. Here are the logs.

    I am going to reboot and let you know if anything comes up. I haven't had anything so far...

    bbbco
     


  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Not trying to butt in but these 2 startup entries are unnecessary!

    O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
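    An added example (not from the thread or from any MajorGeeks tool): a small Python parser for the HijackThis O4 startup lines quoted above, plus a heuristic that flags entries whose executable sits directly in a Windows system directory, which is where mroh.exe kept reappearing in this thread. The mroh.exe Run entry in the sample log is constructed for illustration, not copied from the posted log.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Two shapes of HijackThis O4 line appear in the thread:
#   O4 - HKCU\..\Run: [name] "C:\path\prog.exe" /args     (registry Run key)
#   O4 - Global Startup: Shortcut.lnk = C:\path\prog.exe  (Startup folder)
O4_RUN = re.compile(r"^O4 - (?P<loc>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP = re.compile(r"^O4 - (?P<loc>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
EXE_PREFIX = re.compile(r"(.+?\.(?:exe|com|bat|scr))(?:\s|$)", re.IGNORECASE)

# Heuristic assumption (not a HijackThis rule): a bare executable dropped straight
# into a system directory, like C:\WINNT\system32\mroh.exe, deserves a second look.
SYSTEM_DIRS = ("\\system32", "\\system", "\\winnt", "\\windows")


@dataclass
class StartupEntry:
    location: str   # e.g. HKCU\..\Run or Global Startup
    name: str       # value name or shortcut file name
    command: str    # full command line as logged

    @property
    def exe_path(self) -> str:
        """Executable path with quoting and arguments stripped."""
        cmd = self.command.strip()
        if cmd.startswith('"'):
            return cmd[1:cmd.index('"', 1)]
        m = EXE_PREFIX.match(cmd)          # unquoted paths may contain spaces
        return m.group(1) if m else cmd.split(" ")[0]

    @property
    def in_system_dir(self) -> bool:
        return ntpath.dirname(self.exe_path).lower().endswith(SYSTEM_DIRS)


def parse_o4(line: str) -> Optional[StartupEntry]:
    m = O4_RUN.match(line.strip()) or O4_STARTUP.match(line.strip())
    return StartupEntry(m["loc"], m["name"], m["cmd"]) if m else None


def flag_system_dir_entries(log: str) -> List[str]:
    """Names of O4 entries whose executable sits directly in a system directory."""
    entries = (parse_o4(line) for line in log.splitlines())
    return [e.name for e in entries if e and e.in_system_dir]


# Constructed sample: the two lines bjgarrick quoted plus a made-up Run entry
# for mroh.exe in the folder the thread names (not taken from the real log).
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - HKLM\..\Run: [mroh] C:\WINNT\system32\mroh.exe
"""
```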
     
  8. bbbco

    bbbco Private E-2

    Nope, no pop-ups as far as I can tell...

    Though I did notice after I ran the L2MFix that I now have 2 quick launch bars and 2 task bars...

    I took a screenshot so that you can see (look at the bottom near the Start menu). I have tried fiddling with them, but they both stick around...


    Thanks for all the help!

    bbbco
     


  9. bbbco

    bbbco Private E-2

    Never mind...somehow it spontaneously created them, but I was able to get it back to normal by right-clicking, Toolbars, and then unchecking the multiple Quick Launch selections.

    Welp, thanks for all the help guys, I appreciate it!

    bbbco
     
  10. bbbco

    bbbco Private E-2

    Nope, everything looks fine!

    Thanks a bunch!

    bbbco
     
