Thursday, October 23, 2008

How to remove Win32:Murlo-CH [Trj]: Removal Instructions

Win32:Murlo-CH [Trj] Removal Instructions

1.) Download these files and removal tools for Win32:Murlo-CH [Trj]
Download ComboFix: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Download HostGuard (HostGuard Download Link 2, HostGuard Complete Installer)


* Download the complete offline Win32:Murlo-CH [Trj] removal guide and tools, with CFScript, HostGuard and ATF-Cleaner

* Alternate download link

2.) After downloading, we will first reset the Windows hosts file in order to remove Win32:Murlo-CH [Trj].
Before doing so, unplug your network cable or turn off your wireless connection; make sure you are not
connected to the network.

Some infections add malicious lines to your hosts file. We will reset your hosts file with HostGuard.

* Please download HostGuard.zip to your desktop and unzip the contents.
* Install HostGuard.
* Run HostGuard and click Fix Windows Host; this resets your Windows hosts file.
* Close or hide HostGuard.

If you or Spybot-S&D have added entries to your hosts file, they will need to be re-added.
Alternatively, you can use HostGuard to guard your Windows hosts file, which is the better option.


3.) Run ATF-Cleaner: click Main, check Select All and click Empty Selected. If you have
Mozilla Firefox, click Firefox, check Select All and click Empty Selected; do the same under Opera
if it is installed on your system.


4.) Running CFScript.txt with ComboFix to remove Win32:Murlo-CH [Trj]
# Close any open browsers before starting the Win32:Murlo-CH [Trj] removal process.
# Close or disable all antivirus and anti-malware programs so they do not interfere with ComboFix.
If you downloaded the CFScript, you should now have it on your desktop together with COMBOFIX.EXE.

CFScript.txt
- You can create CFScript.txt manually: open Notepad and copy the text below into it.


KILLALL::
File::
C:\WINDOWS\trz742.tmp
C:\WINDOWS\system32\trz740.tmp
C:\WINDOWS\system32\trz73F.tmp
C:\WINDOWS\system32\trz73E.tmp
C:\WINDOWS\system32\trz73D.tmp
C:\WINDOWS\system32\trz73C.tmp
C:\WINDOWS\system32\HBQQFFO.dll.$DIS
C:\WINDOWS\system32\explore.exe
C:\WINDOWS\system32\HBCT.dll
C:\WINDOWS\system32\HB1000Y.dll
C:\WINDOWS\system32\HBSOUL.dll
C:\WINDOWS\system32\HBFY.dll
C:\WINDOWS\system32\HBQQFFO.dll
C:\WINDOWS\system32\kildh3l.dll
C:\WINDOWS\system32\wllame.dll
C:\WINDOWS\system32\catower.dll
C:\WINDOWS\system32\comboaus.dll
C:\WINDOWS\system32\pewire.dll
C:\WINDOWS\system32\aotoppt.dll
C:\WINDOWS\system32\johandy.dll
C:\WINDOWS\system32\jolndyo.dll
C:\WINDOWS\system32\micsus.dll
C:\WINDOWS\system32\cupops.dll
C:\WINDOWS\system32\System.exe
C:\WINDOWS\system32\HBQQSG.dll
C:\WINDOWS\system32\lensch.dll
C:\WINDOWS\system32\yulhodpf.dll
C:\WINDOWS\system32\eskislk.exe
C:\WINDOWS\system32\eskisl.dll
C:\WINDOWS\Update.dll

Registry::
O21 - SSODL: sysocmgr - {DA1DE019-A6A8-ED40-4B87-248B2A93DE99} - C:\WINDOWS\sysocmgr.dll
O21 - SSODL: yulhodpf.dll - {434FA69C-5F0A-42e1-82B8-10AF2C8E53C6} - C:\WINDOWS\system32\apoebqrg.dll
O21 - SSODL: ehhzzeza.dll - {EB9660D8-E1CD-4ff0-B4A9-00CD907F928A} - C:\WINDOWS\system32\ehhzzeza.dll
O21 - SSODL: ljpzxdum.dll - {71A78CD4-E470-4a18-8457-E0E0283DD507} - C:\WINDOWS\system32\ljpzxdum.dll
O21 - SSODL: ssawfayn.dll - {D3112B69-A745-4805-874E-ABD480EA1299} - C:\WINDOWS\system32\ssawfayn.dll
O21 - SSODL: apoebqrg.dll - {434FA69C-5F0A-42e1-82B8-10AF2C8E53C6} - C:\WINDOWS\system32\apoebqrg.dll
O21 - SSODL: lmpsxxfz.dll - {2CB77746-8ECC-40ca-8217-10CA8BE5EFC8} - C:\WINDOWS\system32\lmpsxxfz.dll
O21 - SSODL: ifyshalr.dll - {F0930A2F-D971-4828-8209-B7DFD266ED44} - C:\WINDOWS\system32\ifyshalr.dll
O21 - SSODL: avicapwm.dll - {6B9FEAD7-4319-4312-AB05-D8C9CD255BFE} - C:\WINDOWS\system32\avicapwm.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"3PMmUpdate"=-
"HBService32"=-
"HBService"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{434FA69C-5F0A-42e1-82B8-10AF2C8E53C6}"=-
"{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}"=-
"{71A78CD4-E470-4a18-8457-E0E0283DD507}"=-
"{D3112B69-A745-4805-874E-ABD480EA1299}"=-
"{2CB77746-8ECC-40ca-8217-10CA8BE5EFC8}"=-
"{F0930A2F-D971-4828-8209-B7DFD266ED44}"=-
"{6B9FEAD7-4319-4312-AB05-D8C9CD255BFE}"=-

* After copying, paste the text into Notepad and save the file as CFScript.txt.

* Now make sure all windows are closed and no browser is open. Also make sure you are unplugged from the network,
and if you are using wireless, make sure you have turned it off.
* Now we will start the Win32:Murlo-CH [Trj] removal process.

* Now drag and drop CFScript.txt onto COMBOFIX.EXE.



Restart your computer after completing these steps.
This will remove Win32:Murlo-CH [Trj].
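As an added example (not part of this guide, and not ComboFix's own tooling), the following Python parses a CFScript like the one above into the files it deletes, its O21 (SSODL) lines and its registry deletions, so that before running it you can check which listed files are actually present and which SSODL CLSIDs the script does not also remove from ShellExecuteHooks. The embedded script is a constructed subset of the entries above; `present_files` takes a set of paths you collect yourself.

```python
import re

# Constructed sample: a subset of the CFScript entries from this guide.
SAMPLE_CFSCRIPT = r"""
KILLALL::
File::
C:\WINDOWS\system32\explore.exe
C:\WINDOWS\system32\HBCT.dll
C:\WINDOWS\Update.dll

Registry::
O21 - SSODL: sysocmgr - {DA1DE019-A6A8-ED40-4B87-248B2A93DE99} - C:\WINDOWS\sysocmgr.dll
O21 - SSODL: avicapwm.dll - {6B9FEAD7-4319-4312-AB05-D8C9CD255BFE} - C:\WINDOWS\system32\avicapwm.dll
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"HBService32"=-
"HBService"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6B9FEAD7-4319-4312-AB05-D8C9CD255BFE}"=-
"""
O21_RE = re.compile(r"O21 - SSODL: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)")

def parse_cfscript(text):
    """Files to delete, HijackThis-style O21 (SSODL) lines, and "name"=- registry deletions."""
    files, o21, reg_deletions = [], [], []
    section, current_key = None, None
    for line in filter(None, map(str.strip, text.splitlines())):   # skip blank lines
        if line.endswith("::"):                  # section header: KILLALL::, File::, Registry::
            section, current_key = line[:-2].upper(), None
        elif section == "FILE":
            files.append(line)
        elif section == "REGISTRY":
            m = O21_RE.match(line)
            if m:
                o21.append({"name": m[1], "clsid": m[2].upper(), "path": m[3]})
            elif line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]          # [HKEY_...] opens a key block
            elif line.endswith("=-") and current_key:
                reg_deletions.append((current_key, line[:-2].strip('"')))
    return {"files": files, "o21": o21, "registry": reg_deletions}

def present_files(parsed, existing_paths):
    """Listed files that exist in existing_paths (a set you collect yourself); NTFS is case-insensitive."""
    have = {p.lower() for p in existing_paths}
    return [f for f in parsed["files"] if f.lower() in have]

def ssodl_without_hook_removal(parsed):
    """SSODL CLSIDs the script does not also delete from ShellExecuteHooks (the guide pairs most)."""
    removed = {v.upper() for k, v in parsed["registry"] if k.endswith("ShellExecuteHooks")}
    return [e["clsid"] for e in parsed["o21"] if e["clsid"] not in removed]
```

Run it against the full script above to get the complete inventory; an entry that is listed but absent is harmless to leave, while a CLSID removed from one key but not the other is worth a second look.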


Guide Copyright by Mark Sheldon Wong
Http://haktech.blogspot.com
Area51.Network
Webcargo.Networks
