georgemcd Posted May 4, 2010

Hi,

A few days ago I got a virus called antimalware doctor on my laptop which was pretty hard to get rid of, and have been having problems ever since. Every few hours or so I get a message saying "services and controller app stopped working and was closed", followed by a message saying windows has encountered a critical error and will restart in 1 minute. There doesn't seem to be a way to stop this and it's extremely annoying when it happens and I'm in the middle of doing something.

There's a trojan that superantispyware detects when I scan the computer with the following location:

c:\windows\system32\drivers\MLURK.sys

which the programme says gets removed but after the required restart it finds it again. I don't think this is related to the above issue but it may be; Google doesn't seem to come up with anything when I search for Mlurk.sys.

Can anyone help?

Cheers
George

Seth Posted May 4, 2010

Welcome to the SAS forum George. Be sure you're using the latest version and definition files in SAS. You can do so by right clicking on the SAS icon near the time, then choose "Check For Updates". Now run a complete scan and see if the Trojan re-appears. If so, please submit a Customer Support Request. The SAS team will then analyze the possible infection and make changes to the definition files if necessary.

https://www.superantispyware.com/csrcreateticket.html

SUPERAntiSpy Posted May 4, 2010

> Hi,
>
> A few days ago I got a virus called antimalware doctor on my laptop which was pretty hard to get rid of, and have been having problems ever since. Every few hours or so I get a message saying "services and controller app stopped working and was closed", followed by a message saying windows has encountered a critical error and will restart in 1 minute. There doesn't seem to be a way to stop this and it's extremely annoying when it happens and I'm in the middle of doing something.
>
> There's a trojan that superantispyware detects when I scan the computer with the following location:
>
> c:\windows\system32\drivers\MLURK.sys
>
> which the programme says gets removed but after the required restart it finds it again. I don't think this is related to the above issue but it may be; Google doesn't seem to come up with anything when I search for Mlurk.sys.
>
> Can anyone help?
>
> Cheers
> George

George - we'll be happy to help you out. Can you post your latest SUPERAntiSpyware Scan Log here so we can see exactly what version of the product and definitions you are using? If you are using the latest definitions we will run a custom diagnostic which will allow us to pinpoint the problem, update our definitions and help you and other users that are infected with the same issue.

georgemcd Posted May 4, 2010

> George - we'll be happy to help you out. Can you post your latest SUPERAntiSpyware Scan Log here so we can see exactly what version of the product and definitions you are using? If you are using the latest definitions we will run a custom diagnostic which will allow us to pinpoint the problem, update our definitions and help you and other users that are infected with the same issue.

Thanks. I seem to be having a problem updating to the latest version, it comes up with the error "There was an error trying to retrieve definitions. Make sure your firewall is not blocking SUPERANTISPYWARE from accessing the internet". I have tried turning off the windows firewall but got the same error. I'm also running Avira anti-virus, would that stop it at all? I'm also having problems updating Avira as it says the same thing, that it can't get a connection, so I suspect it is related to my virus.

Latest log is:

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 05/04/2010 at 12:58 PM

Application Version : 4.34.1000

Core Rules Database Version : 4865
Trace Rules Database Version: 2649

Scan type : Quick Scan
Total Scan Time : 00:31:41

Memory items scanned : 659
Memory threats detected : 0
Registry items scanned : 514
Registry threats detected : 0
File items scanned : 19924
File threats detected : 13

Adware.Casino Games (Golden Palace Casino)
C:\POKER\PADDY POWER POKER\CASINO.EXE
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\PADDY POWER POKER\PADDY POWER POKER.LNK
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\PADDY POWER POKER.LNK
C:\USERS\PUBLIC\DESKTOP\PADDY POWER POKER.LNK

Adware.Tracking Cookie
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@doubleclick[1].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@ads.bcserving[1].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@videoegg.adbureau[1].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@invitemedia[2].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@ad.yieldmanager[2].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@content.yieldmanager[2].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@content.yieldmanager[3].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@advertise[1].txt

Trojan.RootKit/Gen
C:\WINDOWS\SYSTEM32\DRIVERS\MLURK.SYS

Seth Posted May 4, 2010

In regards to the programs not updating, go into Control Panel>Internet Options>Connections>Lan Settings. Nothing should be checked in the Lan Settings Window. If so, uncheck it, then try to update. If that doesn't help, did the computer ever run Norton?

georgemcd Posted May 4, 2010

> In regards to the programs not updating, go into Control Panel>Internet Options>Connections>Lan Settings. Nothing should be checked in the Lan Settings Window. If so, uncheck it, then try to update. If that doesn't help, did the computer ever run Norton?
>
> Also, you're using an old version of SAS. Right click on the SAS icon near the time and choose "Check For Updates".

Thanks Seth, I did that and it let me update both SuperAntiSpyware and Avira. Was that box checked as a result of the trojan? Anyways, seems like a pretty nasty attack because when I ran the spyware scan again after updating it found a few trojans that weren't picked up before:

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 05/04/2010 at 05:04 PM

Application Version : 4.34.1000

Core Rules Database Version : 4888
Trace Rules Database Version: 2700

Scan type : Complete Scan
Total Scan Time : 00:40:26

Memory items scanned : 734
Memory threats detected : 1
Registry items scanned : 7433
Registry threats detected : 1
File items scanned : 23505
File threats detected : 19

Trojan.Agent/Gen-FakeAlert
C:\USERS\GEORGE\APPDATA\LOCAL\TEMP\UDK.EXE
C:\USERS\GEORGE\APPDATA\LOCAL\TEMP\UDK.EXE
[M5T8QL3YW3] C:\USERS\GEORGE\APPDATA\LOCAL\TEMP\UDK.EXE
C:\USERS\GEORGE\APPDATA\LOCAL\TEMP\UDJ.EXE
C:\WINDOWS\UVOZIA.EXE
C:\Windows\Prefetch\UDK.EXE-C69763CA.pf

Adware.Tracking Cookie
C:\Users\George\AppData\Roaming\Microsoft\Windows\Cookies\george@atdmt[2].txt
C:\Users\George\AppData\Roaming\Microsoft\Windows\Cookies\george@uk.findstuff[2].txt
C:\Users\George\AppData\Roaming\Microsoft\Windows\Cookies\george@stat.dealtime[1].txt
C:\Users\George\AppData\Roaming\Microsoft\Windows\Cookies\george@trafficengine[1].txt
C:\Users\George\AppData\Roaming\Microsoft\Windows\Cookies\george@dealtime[1].txt
C:\Users\George\AppData\Roaming\Microsoft\Windows\Cookies\george@mediatraffic[1].txt
C:\Users\George\AppData\Roaming\Microsoft\Windows\Cookies\george@overture[1].txt
C:\Users\George\AppData\Roaming\Microsoft\Windows\Cookies\george@doubleclick[1].txt
C:\Users\George\AppData\Roaming\Microsoft\Windows\Cookies\george@adviva[1].txt

Adware.Casino Games (Golden Palace Casino)
C:\POKER\PADDY POWER POKER\CASINO.EXE
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\PADDY POWER POKER\PADDY POWER POKER.LNK
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\PADDY POWER POKER.LNK
C:\USERS\PUBLIC\DESKTOP\PADDY POWER POKER.LNK

Trojan.Agent/Gen-Banker
C:\USERS\GEORGE\APPDATA\LOCAL\TEMP\WGVYD.EXE

Trojan.RootKit/Gen
C:\WINDOWS\SYSTEM32\DRIVERS\MLURK.SYS

I followed the process to remove them and ran it again on startup and they were all removed successfully apart from the one I originally mentioned (MLURK.SYS).

Seth Posted May 4, 2010

You're welcome George. Yes, the "Proxy" was checked due to the infection. It's designed to prevent the removal of the infection. I noticed that you updated SAS as per my direction... good job. If you run a complete scan and the same infection appears, then please submit a CSR.
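
The check that runs through this thread (does the same detection come back on the next scan, and what did the updated definitions newly find) can be done by comparing two scan logs. The script below is an added example, not part of the original posts and not SUPERAntiSpyware's own tooling; the two logs are constructed, shortened samples in the layout posted above, and the line patterns it relies on are assumptions drawn from that layout.

```python
import re

# Constructed, shortened logs in the layout of the two scan logs posted above.
SCAN_BEFORE = r"""SUPERAntiSpyware Scan Log
Core Rules Database Version : 4865
Scan type : Quick Scan
Adware.Casino Games (Golden Palace Casino)
C:\POKER\PADDY POWER POKER\CASINO.EXE
Adware.Tracking Cookie
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@doubleclick[1].txt
Trojan.RootKit/Gen
C:\WINDOWS\SYSTEM32\DRIVERS\MLURK.SYS
"""
SCAN_AFTER = r"""SUPERAntiSpyware Scan Log
Core Rules Database Version : 4888
Scan type : Complete Scan
Trojan.Agent/Gen-FakeAlert
C:\USERS\GEORGE\APPDATA\LOCAL\TEMP\UDK.EXE
[M5T8QL3YW3] C:\USERS\GEORGE\APPDATA\LOCAL\TEMP\UDK.EXE
Adware.Casino Games (Golden Palace Casino)
C:\POKER\PADDY POWER POKER\CASINO.EXE
Trojan.RootKit/Gen
C:\Windows\System32\drivers\mlurk.sys
"""  # last path has its case varied on purpose to exercise normalization

# Assumption: a detection line is a drive-letter path, optionally preceded by a
# "[...]" tag, and a family heading looks like "Category.Name".
PATH_RE = re.compile(r"^(?:\[[^\]]+\]\s+)?([A-Za-z]:\\.+)$")
FAMILY_RE = re.compile(r"^[A-Za-z]+\.\S")

def parse_detections(log):
    """Map each detected path (lower-cased; Windows paths ignore case) to its family."""
    found, family = {}, None
    for line in (raw.strip() for raw in log.splitlines()):
        match = PATH_RE.match(line)
        if match and family:
            found[match.group(1).lower()] = family
        elif FAMILY_RE.match(line):
            family = line
    return found

def compare(before_log, after_log):
    """Split detections into those seen in both scans, only the later, only the earlier."""
    before, after = parse_detections(before_log), parse_detections(after_log)
    rows = lambda paths, src: sorted((src[p], p) for p in paths)
    return {"persisting": rows(before.keys() & after.keys(), after),
            "new": rows(after.keys() - before.keys(), after),
            "gone": rows(before.keys() - after.keys(), before)}

if __name__ == "__main__":
    for status, items in compare(SCAN_BEFORE, SCAN_AFTER).items():
        for family, path in items:
            print(f"{status:10} {family:45} {path}")
```

A path that stays under "persisting" after a removal and restart is the case the thread sends to support as a CSR.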