TechSpot

Trojan.virtuomonde

By newbyneedshelp
Nov 19, 2008
  1. Guys,

    attached is my log from Hijack this. I have a Trojan that won't go away. Can someone please review and let me know what to remove.

    Thanks,
     
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Hi newbyneedshelp,

    Welcome to Techspot!

    My name is Blind Dragon and I will be helping you with your Malware problem. During the course of our interactions please be sure to follow all instructions carefully, and ask questions if you are unsure of how to proceed at any point.

    Please have a read here-> Is your system infected? Read this before Cleaning or Formatting

    If you decide to clean your system please follow these Viruses/Spyware/Malware, preliminary removal instructions and post back in this thread with the requested logs. There should be at least 3.

    1)MBAM log
    2)SAS log
    3)Hijackthis log (last step)

    This thread is for the use of newbyneedshelp only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. newbyneedshelp

    newbyneedshelp TS Rookie Topic Starter

    Blind Dragon,

    Thanks for your quick reply. Unfortunately, a complete re-install will be impossible as this is a work system. I will do as you have instructed and get back ASAP.

    Thanks,
     
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Ok, when you have completed the 8 steps attach the logs here and I will review them.
     
  5. newbyneedshelp

    newbyneedshelp TS Rookie Topic Starter

    Blind Dragon,

    As requested....Thanks,
     
  6. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Hello,

    It appears that you skipped the step about updating your Java Runtime!!!

    It also appears you may have had McAfee at one time and tried to remove it, please let me know if this is correct.
    -------------------------------------------------------------------

    * Download VirtumundoBegone, place it on your desktop.

    * Doubleclick VirtumundoBeGone.exe to start the tool.
    * Follow the instructions on the screen.
    * Don't worry if you'll get a Blue screen with an error in it - this is normal.

    After reboot,

    * Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present (some entries won't be present anymore):

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.ca/myway
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway
    O2 - BHO: (no name) - {55d5a256-365c-46ac-975c-3db886df75c4} - C:\WINDOWS\system32\hitemodo.dll (file missing)
    O4 - HKLM\..\Run: [CPMb72cf228] Rundll32.exe "c:\windows\system32\mofanedo.dll",a
    O4 - HKLM\..\Run: [yizuhopovi] Rundll32.exe "C:\WINDOWS\system32\mewunite.dll",s
    O4 - HKUS\S-1-5-19\..\Run: [yizuhopovi] Rundll32.exe "C:\WINDOWS\system32\mewunite.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [yizuhopovi] Rundll32.exe "C:\WINDOWS\system32\mewunite.dll",s (User 'NETWORK SERVICE')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O20 - AppInit_DLLs: C:\WINDOWS\system32\kafujote.dll c:\windows\system32\mofanedo.dll
    O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\mofanedo.dll
    O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\mofanedo.dll


    * Click on Fix Checked when finished and exit HijackThis.
    Make sure your Internet Explorer is closed when you click Fix Checked!


    -------------------------------------------------------------------
    OTMoveit3 by OldTimer
    Please download the OTMoveIt3 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :files
      c:\windows\system32\mofanedo.dll
      C:\WINDOWS\system32\kafujote.dll
      C:\WINDOWS\system32\mewunite.dll
      C:\WINDOWS\system32\hitemodo.dll
      
      :commands
      [EmptyTemp]
    • Return to OTMoveIt3, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    -----------------------------------------------

    Attach here:
    1) VBG.TXT
    2) OTMoveit3 Log
    3) Fresh Hijackthis log
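
    The entries checked above are all persistence points for this infection: Run keys (O4, including the LOCAL SERVICE and NETWORK SERVICE hives), AppInit_DLLs (O20), ShellServiceObjectDelayLoad (O21), SharedTaskScheduler (O22) and a BHO (O2), with one DLL (mofanedo.dll) wired into four of them, which is why every one has to go in the same pass. As an added example that is not part of the original thread and not code from HijackThis or its author, the following Python parses a HijackThis log, groups every DLL under system32 by the autostart sections that reference it, and flags names that look machine-generated and entries whose file is already missing. The sample log is constructed from the lines quoted above plus one benign Avast Run entry whose path is assumed; the random-name heuristic, the small allowlist of known system DLLs and all function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample log: the HijackThis entries quoted in the post above, plus
# one benign Run entry (an Avast tray program; path assumed for the example).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.ca/myway
O2 - BHO: (no name) - {55d5a256-365c-46ac-975c-3db886df75c4} - C:\WINDOWS\system32\hitemodo.dll (file missing)
O4 - HKLM\..\Run: [CPMb72cf228] Rundll32.exe "c:\windows\system32\mofanedo.dll",a
O4 - HKLM\..\Run: [yizuhopovi] Rundll32.exe "C:\WINDOWS\system32\mewunite.dll",s
O4 - HKUS\S-1-5-19\..\Run: [yizuhopovi] Rundll32.exe "C:\WINDOWS\system32\mewunite.dll",s (User 'LOCAL SERVICE')
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\kafujote.dll c:\windows\system32\mofanedo.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\mofanedo.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\mofanedo.dll
"""

# HijackThis section codes for the autostart points this infection uses.
SECTIONS = {
    "O2": "Browser Helper Object, loaded into every Internet Explorer process",
    "O4": "Run key, per machine (HKLM) or per user SID (HKUS)",
    "O20": "AppInit_DLLs, injected into every process that loads user32.dll",
    "O21": "ShellServiceObjectDelayLoad, loaded by explorer.exe at logon",
    "O22": "SharedTaskScheduler, loaded by explorer.exe at logon",
}

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# A DLL path: drive prefix up to the first '.dll'. Spaces are allowed so that
# 'Program Files' paths match; a quote or comma ends the path.
DLL_RE = re.compile(r"[A-Za-z]:\\[^\",]+?\.dll", re.IGNORECASE)
DRIVE_RE = re.compile(r"[A-Za-z]:\\")
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\")
# Vundo-era droppers wrote short all-lowercase pseudo-words into system32.
# This is a triage heuristic (an assumption of this example), not proof.
RANDOM_NAME_RE = re.compile(r"^[a-z]{6,10}\.dll$")
# Legitimate system32 DLLs that would otherwise trip the name test. Extend for
# your build; the real confirmation is the file's Authenticode/catalog signature.
KNOWN_SYSTEM32 = {"browseui.dll", "mshtml.dll", "shdocvw.dll", "urlmon.dll", "wininet.dll"}


def parse_entries(log_text):
    """Yield (section_code, rest_of_line) for each HijackThis entry line."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def dll_paths(text):
    """Return every DLL path mentioned in one entry, lower-cased."""
    paths = []
    for m in DLL_RE.finditer(text):
        p = m.group(0)
        # If the match swallowed an earlier path ('C:\tool.exe -l C:\x.dll'),
        # keep only the part from the last drive prefix onwards.
        p = p[[d.start() for d in DRIVE_RE.finditer(p)][-1]:]
        paths.append(p.lower())
    return paths


def is_random_system32_dll(path):
    """True for a DLL in %SystemRoot%\\system32 whose name looks machine-generated."""
    path = path.lower()
    if not SYSTEM32_RE.match(path):
        return False
    name = path.rsplit("\\", 1)[-1]
    return name not in KNOWN_SYSTEM32 and RANDOM_NAME_RE.match(name) is not None


def triage(log_text):
    """Map each suspect DLL to the autostart sections that reference it.

    Returns (suspects, missing): suspects is {basename: sorted section codes},
    missing is the set of suspect basenames reported as '(file missing)'.
    """
    hits = defaultdict(set)
    missing = set()
    for code, rest in parse_entries(log_text):
        if code not in SECTIONS:
            continue
        for path in dll_paths(rest):
            if is_random_system32_dll(path):
                name = path.rsplit("\\", 1)[-1]
                hits[name].add(code)
                if "(file missing)" in rest:
                    missing.add(name)
    return {n: sorted(c) for n, c in hits.items()}, missing


def report(log_text):
    """Print suspects, most-referenced first, with what each section means."""
    suspects, missing = triage(log_text)
    for name, codes in sorted(suspects.items(), key=lambda kv: (-len(kv[1]), kv[0])):
        state = "orphaned entry" if name in missing else "file present"
        print(f"{name}: {state}; referenced from {', '.join(codes)}")
        for c in codes:
            print(f"    {c}: {SECTIONS[c]}")
    return suspects


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

    On the sample log this lists mofanedo.dll under O4, O20, O21 and O22, mewunite.dll under O4, kafujote.dll under O20, and hitemodo.dll as an orphaned O2 entry; ssv.dll is skipped because it lives under Program Files, not system32. The name test is only a triage aid: before deleting anything, confirm a flagged file is unsigned (or not in a Windows catalog) rather than trusting the heuristic, and expect the O20 and O21/O22 entries to need a reboot to release the DLL, since explorer.exe and every user32-loading process hold it open.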
     
  7. newbyneedshelp

    newbyneedshelp TS Rookie Topic Starter

    As requested

    I think McAfee was removed previously and Avast installed in its place. Just an FYI, the problem I am having is almost no internet access. I can load a few pages, but most take forever, if they load at all. Also, I get a lot of pop-ups.

    Thanks,
     
  8. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Your Java Runtime still appears out of date.

    We will run the McAfee uninstaller to get rid of leftovers.

    Are you getting any redirects when searching/browsing the net?
    ==============================================

    Remove McAfee products
    1. Click Start, Settings, Control Panel.
    2. Double-click Add or Remove Programs.
    3. Select the McAfee SecurityCenter product.
    4. Click Remove and follow the steps provided.
    5. Download the McAfee removal tool from http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe
    6. Click Save and save the file to your desktop
    7. Make sure all McAfee windows are closed.
    8. Double-click MCPR.exe to run the removal tool. (Vista users need right click and run as administrator)
    9. Restart your computer after receiving the message CleanUp Successful.

    ==============================================

    Combofix
    • Download Combofix to your desktop.
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool, so please do NOT do anything without instruction.

    Combofix will automatically save the log file to C:\combofix.txt
     
  9. newbyneedshelp

    newbyneedshelp TS Rookie Topic Starter

    I went to download combofix and Spyware doctor blocked a Trojan. Is this a virus?

    What's going on?
     
  10. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Nope, disable any real-time protection. It is a false positive; many tools we use show up as viruses because they function in a similar manner. I think combofix gets flagged because of the scripting ability. You will see what I am talking about.

    Disable
    Download
    Run
     
  11. newbyneedshelp

    newbyneedshelp TS Rookie Topic Starter

    It's Back

    Blind Dragon,

    I figured out the website that is giving me this. I will not be going there anymore. Here is a current scan. Please take a look and review.

    Thanks,
     
  12. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    And the combofix log?
     
  13. newbyneedshelp

    newbyneedshelp TS Rookie Topic Starter

    Here you go.
     
  14. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    OTMoveit3 by OldTimer
    Please download the OTMoveIt3 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :files
      c:\windows\XBC0C8LU.htm
      c:\windows\89W3OHQH.htm
      c:\windows\KGQD1LFG.htm
      c:\windows\3RQ1A36Y.htm
      
      :commands
      [EmptyTemp]
    • Return to OTMoveIt3, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    ====================================

    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply


    Show me both logs and hopefully we can clean up and secure the machine.
     