Mor.exe has stopped working?

gbu · 06 Mar 2012

The last couple of days ive had a window pop-up that says 'mor.exe has stopped working'
Iv'e noticed this comes up when i visit a site that uses java as the java icon appears in the toolbar at the same time as the window pops up.
The detailed info that is shown is:-
Fault Module Name: mor.exe

Fault Module Version: 0.0.0.0
Fault Module Timestamp: 721c31e7
Exception Code: c0000005
Exception Offset: 0003910b
OS Version: 6.1.7601.2.1.0.256.1
Locale ID: 2057
Additional Information 1: 0a9e
Additional Information 2: 0a9e372d3b4ad19135b953a78882e789
Additional Information 3: 0a9e
Additional Information 4: 0a9e372d3b4ad19135b953a78882e789

Read our privacy statement online:
Windows 7 Privacy Statement - Microsoft Windows

If the online privacy statement is not available, please read our privacy statement offline:
C:\Windows\system32\en-US\erofflps.txt

i click on Close Program and the java icon goes away.

Golden · 06 Mar 2012

Hi,

There appears to be quite a few hits for this file as being associated with a malware infection. Java is often used as a vehicle for malware delivery, so I think its best to scan your system for malware.

Please perform an online scan using this link, and then post the results back here:

http://www.eset.eu/eset-online-scanner

This way we can rule this out.

Regards,
Golden

gbu · 06 Mar 2012

Thanks for the reply, heres what the scan found:-

C:\Users\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\4fd90665-49176361 Java/Exploit.Blacole trojan
C:\Users\James\AppData\Roaming\sdra64.exe Win32/Spy.Zbot.WM trojan
C:\Windows\System32\aigovox.dll a variant of Win32/Urlbot.NAO trojan
C:\Windows\System32\movuxavi.exe a variant of Win32/Urlbot.NAT trojan
C:\Windows\System32\MPK\MpkNetInstall.exe probably a variant of Win32/Agent.EUDBPIN trojan
C:\Windows\SysWOW64\aigovox.dll a variant of Win32/Urlbot.NAO trojan
C:\Windows\SysWOW64\movuxavi.exe a variant of Win32/Urlbot.NAT trojan
C:\Windows\SysWOW64\MPK\MpkNetInstall.exe probably a variant of Win32/Agent.EUDBPIN trojan

My own AV Microsoft Security Essentials picked up these before this scan was run.:-

Exploit:Java/CVE-2011-3544.AV
file:C:\Users\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\5675a445-743090a4->Men.class

Exploit:Java/CVE-2011-3544.AU
file:C:\Users\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\3ba307a2-5361461b->Loo.class

Golden · 06 Mar 2012

Hi,

Yes - thats a good demonstration on the vulnerabilities of Java, especially if its not updated.

Some of these trojans appear to be backdoor trojans, meaning your system could be significanly compromised. I prefer to get a professional malware removalist opinion ion this, so I will ask Jacee and/or Corinne to make a recommendation.

They will either:
1. Guide you through a removal process, or
2. Recommend a format + clean install

If the infection is that severe, only a clean install can guarantee complete removal.

In the meantime, backup all your user data to an external drive, and also more importantly, on a different clean computer change all your passwords on your email, bank accounts etc. etc.

Regards,
Golden

Jacee · 06 Mar 2012

.. doubled possted message, ignore

Jacee · 06 Mar 2012

sdra64.exe Win32/Spy.Zbot.WM trojan
sdra64.exe | ThreatExpert statistics

Warning! Backdoor Trojans

These are the most dangerous, and most widespread, type of Trojan.
Backdoor Trojans provide the author or ‘master’ of the Trojan with remote ‘administration’ of victim machines. Unlike legitimate remote administration utilities, they install, launch and run invisibly, without the consent or knowledge of the user. Once installed, backdoor Trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer and more.
If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately to include those used for email, eBay and forums.
You should consider them to be compromised.

They should be changed by using a different computer and not the infected one, if not an attacker may get the new passwords and transaction information.

Banking and credit card institutions should be notified of the possible security breech.
More info can be found below:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
How to report ID theft, fraud, drive-by installs, hijacking and malware? Security | DSLReports.com, ISP Information

Please ask for more help here: Virus, Spyware & Malware Removal - What the Tech

Golden · 07 Mar 2012

Thanks Jacee.

gbu · 07 Mar 2012

Thanks for the help Jacee and Golden :)

Once installed, backdoor Trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer and more.

After reading this part it got me thinking as to a recent problem i had with my router that kept cutting out, i phoned tech support for BeUnlimited and they guided me through a process to allow them to set up remote access to my pc in order to update the firmware and reset some of my settings.
Could this be something the scan is picking up on?

Golden · 07 Mar 2012

Hi,

I think it is unlikely that this could have caused the problem, but you should consider it possible. Did you turn OFF the remote connection option after they were finished?

I would very strongly urge you to follow Jacee's advice she posted.

Come back and let us know how you get on after visiting the site she recommended.

Regards,
Golden

gbu · 07 Mar 2012

Thanks for the reply and will join that forum and post there shortly.

I just looked and i had the top box checked so it was allowing remote connections, and the bottom one was checked like yours is i have now unticked the top one.