mrofinu1001186.exe???

mastaof420

i havent used my computer in a while and i turned it on the other day and it said this program had failed to launch........ i clicked ok
then did a virus scan with avg free 7.5
then i upgraded my avg to 8.0 and restarted the computer
now every time i try to log on i type in my password and it says loading settings
then it instantly logs me right back off
even on my guest account
so i started back up in safe mode and did a virus scan with avg command line scanner and it found like 5000 viruses most in the system restore files
now when i restart my computer in safe mode explorer.exe wont run
so i have a background but no icons or start menu
all i can do is use taskmgr
it makes it impossible to do anything
i tried to manually run explorer.exe and it says bad file name
it will run msconfig and i can uncheck the mrofinu1001186.exe but it just keeps coming back
so i went into the winnt/ file and tried to delete it manually and it says access denied
so i renamed it to a random file name then deleted it
but still every time i restart its back
i pretty much cant run anything but what is accessible through taskmgr
and it wont let me use regedit
i havent been able to update avg and i have no internet access from that computer
its freekin pissin me off
can somebody plz shine some light on this for me?
 
Hello, please download and post a log with HiJackThis.

Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Double click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
  • Click Save to save the log file and then the log will open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
 
i dont know if i can install hijackthis
i have no explorer program so its really hard to do anything
the only way i have of getting stuff is through taskmanager
where is the actual explorer program located
is it under the system32 file?
ive been unable to find it and it wont run from the startup
the only way im able to get into windows is under safe mode
if i load windows the normal way then as soon as i type in my password
it automatically logs me right off
i dont have a chance to do anything
i know its gotta be this mrofinu1001186.exe that is messing everything up
cuz this is one of the only startup programs that still runs
and as soon as it loads the computer logs off
i need to copy explorer.exe back into the system file so i can get back into windows
plz help
 
ok so i manually fixed the explorer problem myself
i copied and pasted explorer.exe and regedit.exe from my laptop
now i was able to get into windows in safe mode
and it no longer auto logs me off when i get on in normal mode
im not on that computer now but when i get home i will post my hijackthis log
i ran the trendmicro housecall scanner all night on my computer it found somewhere in excess of 7000 infected files
when i did the clean up files it deleted most of them but not all
and now when i go into my windows file
explorer is there but regedit and msconfig are both gone
i have not restarted the computer since the scan cuz im afraid its gunna do the same shit all over again
im goin to manually paste regedit and msconfig again but i think the computer is missing more than that cuz the windows file is almost empty except the folders
all the programs are gone except a few maybe like 10
and the 17pholmes..... and mrofinu.... are still there
i cant delete them but i can rename them so i rename it to deactivate it
but this is where im stuck
the computer is in workin order for the moment but i need to be able to manually take out the registry entries for these programs
regedit doesnt let me take them out
 
To the OP: If you don't want to reinstall, then download Combofix. Then boot into safe mode by tapping F8 on the BIOS page.

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.

* Download this file from one of the three below listed places :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
* Then double click combofix.exe & follow the prompts.
* When finished, it shall produce a log for you. Post that log in your next reply

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
 
g25racer - What the Hell??? Resprital has posted a hijackthis code, so we need that before we do anything really! :rolleyes::rolleyes::rolleyes::rolleyes:
 
He didn't post any code! He simply posted instructions. Plus combofix will tell us the same thing plus more than what hijackthis will. And the likeliness that he will get hijackthis running? Very nill
 
ok u guys are underestimating me
im A+ certified so im not ur average computer retard
i got the computer running again
im on it now
i already had hijackthis installed
my log is at the bottom
ill run combo fix next
i manually copied explorer, ms-config, regedit, and taskmgr
because after running the trend micro scan the taskmgr was gone too
along with like everything else
the computer is running ok now
but i still cant delete the virus files
it says access denied file in use
but i canceled the program in taskmgr
and i renamed the source file to disable it
i used regedit and took it out of the startups
but i need a program to manually remove the whole key from the registry not just disable it
ok here is my log
keep in mind this is my log without a restart
after i ran the trend micro and deleted registry entries

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:38:37 PM, on 7/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKCU\..\Policies\Explorer\Run: [{049BE340-08FB-1033-0401-030505040001}] "C:\Program Files\Common Files\{049BE340-08FB-1033-0401-030505040001}\Update.exe" te-110-12-0000213
O4 - HKUS\S-1-5-21-2729244171-3309014658-2146403040-1003\..\Policies\Explorer\Run: [{049BE340-08FB-1033-0401-030505040001}] "C:\Program Files\Common Files\{049BE340-08FB-1033-0401-030505040001}\Update.exe" te-110-12-0000213 (User '?')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150164577284
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://gateway.cf1live.com/eSupport/static/weblaunch/weblaunch.cab
O16 - DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} (CWebLaunchCtl Object) - https://support.gateway.com/eSupport/static/weblaunch/weblaunch2.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - https://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/activedata/SymAData.dll
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINNT\System32\alg.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINNT\system32\cisvc.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINNT\System32\imapi.exe (file missing)
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - C:\WINNT\System32\mnmsrvc.exe (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINNT\System32\msdtc.exe (file missing)
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINNT\System32\msiexec.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Unknown owner - C:\Program Files\Intel\NCS\Sync\NetSvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINNT\system32\nvsvc32.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINNT\system32\sessmgr.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\WINNT\System32\locator.exe (file missing)
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\WINNT\System32\SCardSvr.exe (file missing)
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINNT\system32\spoolsv.exe (file missing)
O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner - C:\WINNT\system32\smlogsvc.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINNT\system32\wdfmgr.exe (file missing)
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINNT\System32\ups.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINNT\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINNT\System32\wbem\wmiapsrv.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\cezer.html
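
A first-pass triage of the HijackThis log above, as an added example that is not part of any post in this thread: it groups the entries a reviewer would look at first (service binaries reported as "(file missing)", the Policies\Explorer\Run autostart, the Active Desktop component). The grouping rules and function names are assumptions made for illustration; the sample lines are copied from the posted log.

```python
import re
from collections import defaultdict

# A few lines copied verbatim from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O4 - HKCU\..\Policies\Explorer\Run: [{049BE340-08FB-1033-0401-030505040001}] "C:\Program Files\Common Files\{049BE340-08FB-1033-0401-030505040001}\Update.exe" te-110-12-0000213
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINNT\System32\msiexec.exe (file missing)
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINNT\system32\spoolsv.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\cezer.html
"""

# HijackThis entry lines look like "O23 - <details>" or "R1 - <details>".
ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")
SYSTEM_DIR = re.compile(r"[A-Za-z]:\\(?:WINNT|WINDOWS)\\system32\\", re.IGNORECASE)

def parse(log_text):
    """Yield (section, body) for every entry line; headers and process paths are skipped."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def triage(log_text):
    """Group entries by the reason they deserve a closer look (illustrative rules)."""
    findings = defaultdict(list)
    for section, body in parse(log_text):
        missing = body.endswith("(file missing)")
        if section == "O23" and missing and SYSTEM_DIR.search(body):
            # A registered Windows service whose system32 binary is gone.
            findings["service binary missing from system32"].append(body)
        elif missing:
            findings["registered file missing"].append(body)
        if section == "O4" and r"\Policies\Explorer\Run" in body:
            findings["autostart via Policies\\Explorer\\Run"].append(body)
        if section == "O24":
            findings["Active Desktop component"].append(body)
    return dict(findings)

if __name__ == "__main__":
    for reason, entries in triage(SAMPLE_LOG).items():
        print(f"{reason}: {len(entries)}")
        for entry in entries:
            print("   ", entry)
```

Run against the full log, the first group is the one that stands out: most of the O23 lines are stock Windows services whose executables under C:\WINNT\System32 are reported missing.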
 
There's more going on here than meets the eye, I suspect a file infector.

Please do a scan with Kaspersky Online Scanner

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
 
He didn't post any code! He simply posted instructions. Plus combofix will tell us the same thing plus more than what hijackthis will. And the likeliness that he will get hijackthis running? Very nill

well code, instructions, same thing.

i know what the combo fix log will do, but best to have a hijackthis log, to see differences.
 
ok so after i did the hijackthis log
i turned on the windows updates
then i shut off the computer and let it do its update thing before shutting off
now when i try to turn the computer on i dont get the regular log on screen
instead of having the normal xp screen with my icon and password slot
and my guest account
now i have a box that kinda looks like windows nt
instead of saying mike and having my icon
it has a space to put in a login name and it says owner
and when i put in my password it does the same thing it did before when explorer.exe was gone it just logs me right off
but now when i go to safe mode it does the same thing
before when i would go to safe mode it would just have an icon that said administrator and i would just click it and it would auto log in even without explorer running i would just get a blank desktop with the safe mode in each corner
now it just auto logs me off like before...........even in safe mode
im about to throw this computer out the freekin window
i think i am goin to do a repair install but i dont want to lose any of the stuff on my harddrive or my installed programs
cuz some of them i cant get back
the messed up thing is that i was almost sure i had gotten rid of the virus
but every time i shut the computer down and restart explorer.exe disappears
 