Archive for March, 2008

MSN worm “myphoto*.zip” msmpserv.exe removal

Posted by egomoo on March 31, 2008
Worm / No Comments


The registry autorun entry:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

 <Microsoft Services><msmpserv.exe>

The running process:

C:\WINDOWS\system32\msmpserv.exe

HijackThis log:

O4 - HKLM\..\Run: [Microsoft Services] msmpserv.exe

======================================================

Removal case:

The worm regenerates every time you reboot because it is registered in an autorun entry, in the same way that “MsnMsgr.Exe” makes MSN run whenever Windows starts up. The key process “msmpserv.exe” is the master component of the MSN worm: if you don’t delete it, it will regenerate the other files.
Case link: http://dasherxxx.blogspot.com/2008/03/msn-myphoto-viruse-disableremoval.html

Removal Instructions:
1. Delete the malware files
The files below are malware files. You can use “unlocker” or “killbox” to delete them.

c:\windows\system32\tphklock.dll
c:\windows\system32\notifyf2.dll
c:\windows\system32\ssqqjkcv.dll
C:\WINDOWS\system32\msmpserv.exe
c:\windows\system32\tuvwqqqn.dll

2. Delete the autorun entries in the registry. You can use “msconfig”
(how to: http://dasherxxx.blogspot.com/2008/03/msn-myphoto-viruse-disableremoval.html)
or SREng, the tool you used to scan and produce the SREng log.
How to: open SREng -> Boot Items -> Registry and find these entries.

[WinlogonNotify: tphotkey]    <tphklock.dll>
[WinlogonNotify: tpfnf2]    <notifyf2.dll>
[WinlogonNotify: ssqQjKCv]    <ssqQjKCv.dll>
[Microsoft Services]    <msmpserv.exe>  

Or you can download the fix .reg file.

The name “Microsoft Services” is chosen to fool people into thinking it is a normal Windows entry; the author of the MSN worm is crafty.


mrofinu1188.exe mrofinu1000106.exe Removal Instructions

Posted by egomoo on March 29, 2008
Trojan / No Comments

Usually there will be something similar to this in the ComboFix log or HijackThis log:

C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\b148.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b128.exe

This malware has most likely downloaded many other adware and spyware programs to the user’s PC without the user’s knowledge.
   
The running process:

C:\WINDOWS\mrofinu1188.exe

The startup item:

HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257
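
As an added example (not part of the original posts), the following Python code scans HijackThis-style Run lines for the autorun entries quoted in both posts above. The function names, the "Microsoft-style label with bare file name" heuristic and the sample log are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# File names the two posts above report as malicious autorun targets.
KNOWN_BAD = {"msmpserv.exe", "mrofinu1188.exe", "mrofinu1000106.exe"}

# "O4 - HKLM\..\Run: [label] command". The "O4 -" prefix is optional because
# the second post quotes the entry without it; an en dash is accepted too.
RUN_RE = re.compile(
    r"^(?:O4\s*[-\u2013]\s*)?(HK[A-Z]+)\\\.\.\\(Run\w*):\s*\[(.*?)\]\s*(.+)$")

def image_of(command):
    """Return the executable part of an autorun command line."""
    command = command.strip()
    if command.startswith('"'):          # "C:\path with spaces\x.exe" /arg
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|com|bat|scr))(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split()[0]

def check_line(line):
    """Return (label, image, [reasons]) for a Run entry, or None if not one."""
    m = RUN_RE.match(line.strip())
    if not m:
        return None
    label, image = m.group(3), image_of(m.group(4))
    path = PureWindowsPath(image)
    reasons = []
    if path.name.lower() in KNOWN_BAD:
        reasons.append("file name listed on this page")
    # Heuristic (assumption): a label that borrows the Microsoft name while the
    # command gives no directory, as with [Microsoft Services] msmpserv.exe.
    if "microsoft" in label.lower() and path.parent == PureWindowsPath("."):
        reasons.append("Microsoft-style label with bare file name")
    return label, image, reasons

def scan(log_text):
    """Return the Run entries that triggered at least one reason."""
    results = (check_line(l) for l in log_text.splitlines())
    return [r for r in results if r and r[2]]

# Constructed sample log: two entries from the page, two benign-looking ones.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [Microsoft Services] msmpserv.exe
HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe <argument>
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE"""

for label, image, reasons in scan(SAMPLE_LOG):
    print(f"[{label}] {image}: {'; '.join(reasons)}")
```

A hit only tells you which entry to inspect; the file behind it still has to be deleted and the registry value removed as described in the removal steps.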

Some links about removing mrofinu1188.exe:

http://forums.techguy.org/malware-removal-hijackthis-logs/652411-solved-winable-popups-limewire-gone.html
http://www.castlecops.com/t206741-malware_and_spyware_Dont_know_how_to_remove_Help.html

If you cannot get rid of it by yourself, you can try going to:

http://www.geekstogo.com/forum/Malware-Removal-HijackThis-Logs-Go-Here-f37.html

It is difficult to remove mrofinu1188.exe because it has downloaded lots of other harmful malware.



How to remove?

Download SREng:
http://www.kztechs.com/sreng/sreng2.zip
Extract it to the Desktop.
Double-click SREng.exe to run it.
Select:
Smart Scan
Then click the [Scan] button.
When it has finished, click the [Save Reports] button.
Save the log to the Desktop and send me an email with the log as an attachment.
mailto:egomoo#gmail.com

I would be glad to help you remove this Trojan.
