Virus file - need help on removal


Rukichu
Hey guys! I'm having a bit of a problem. I have the virus "hafedeku.dll" on my computer. I've found the registry key for it and I've found it on the "Startup programs" list in msconfig. Problem is, every time I try to delete the registry key, it just reappears. I know that this is because the related file is still on my computer, and that it is just re-adding that registry key.
I don't know what file is related to this problem and if someone could please help me out with this, I would greatly appreciate it!

EDIT:

I also wanted to include a few more details:
1. I've already checked my computer for the file "hafedeku.dll" and there is nothing, yet the registry key and startup program is still there.
2. My computer occasionally has random popups from IE, especially on startup. Also, IE sometimes runs in the background and ends up taking up like 90% of my CPU usage. I'm not sure if this is related or if this is yet another virus issue.
3. I've also gotten the "blue screen of death" a couple times, but not often.

I have attached a HJT log here.

If there are any other logs I should post first, someone please let me know.
 

Vundo (Virtumondo) detected - Go to the 8 Steps - Miss nothing - repost as needed.

Hello Rukichu -

This will be my last visit to the board until Monday or Tuesday, but maybe I can help get you started...

Go back to the top of the board and read the stickies by Julio. Follow them - especially the 8 steps - to the letter!

You may love McAfee, but for the purposes of getting clean, we need to have you d/l and install some other packages, and that will mean uninstalling McAfee for now... you will find all needed instructions if you are careful with the 8-steps. And being careful now is what is required. If you decide you wish to go back to McAfee later, that is up to you, but the packages recommended / required in the 8 steps (specifically Avira and Comodo) are among the best, and free, and you may like the way they work even better than you have grown to like McAfee.

You may still run into a problem or two or... as you go, and if you do then repost with your specific difficulties... one of the experienced helpers will help you work through the issues as they are revealed.

I expect you will have difficulties as your reported malware is probably Vundo (Virtumondo).
And it requires some special procedures to get rid of it.

Good luck. Hopefully you will be cleaned up long before I get back!
 
Keep it all in this thread, plus you don't have to uninstall McAfee if you paid good money for it.

8 steps said:
If you're NOT running any antivirus or firewall software, you should install one ASAP. If you already have an Anti-virus program - please be sure to check for updates and run a full scan of your system - Please note anything that it finds in your thread.
 
Okay...I have a little problem...I was able to run CCleaner just fine, but for some reason SuperAntiSpyware and MalwareBytes will not run when I click on them. I'm pretty sure this is because the virus is blocking them from working.
What should I do?
 
This assumes that you have malwarebytes installed,

Malwarebytes not running

Please download and try running this: randmbam.exe

It will try to create random names and shortcuts for Malwarebytes Anti-Malware (MBAM) if you have it installed already.

Once done, try running a scan again
 
Obtained Logs

Okay here are all the logs. Please let me know where to go from here.
The HJT log is in the first post.
 
Delete Domains

Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

Fix entries using HiJackThis
  • Launch HiJackThis
  • Click the Do a system scan only button
  • Put a check next to the entries listed below
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKUS\S-1-5-19\..\Run: [sujihopoye] Rundll32.exe "C:\WINDOWS\system32\hafatipo.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\system32\madudori.dll C:\WINDOWS\system32\timijapu.dll issisq.dll

  • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
  • Click the Fix checked button and close HiJackThis
  • Reboot HijackThis if necessary

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

[screenshots: CF_download_FF.gif, CF_download_rename.gif]

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.

When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.
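As an added example (my own code, not from the thread or from HijackThis), a small Python parser for the O2/O4/O20 entries listed above: it pulls out each persistence location and the DLL(s) it points at, so you can check which of those files actually exist on disk. The flag wording is mine.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the three HijackThis entries the helper asked the
# poster to fix, copied from the thread. Other O2/O4/O20 lines parse the same way.
HJT_ENTRIES = [
    "O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    "O4 - HKUS\\S-1-5-19\\..\\Run: [sujihopoye] Rundll32.exe "
    "\"C:\\WINDOWS\\system32\\hafatipo.dll\",s (User 'LOCAL SERVICE')",
    "O20 - AppInit_DLLs: C:\\WINDOWS\\system32\\madudori.dll "
    "C:\\WINDOWS\\system32\\timijapu.dll issisq.dll",
]

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<file>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<value>[^\]]*)\] (?P<cmd>.*?)"
                   r"(?: \(User '(?P<user>[^']*)'\))?$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
QUOTED_PATH_RE = re.compile(r'"([^"]+)"')

def parse_entry(line: str) -> Optional[Dict]:
    """Turn one O2/O4/O20 line into {section, location, name, files, flags}; None otherwise."""
    if m := O2_RE.match(line):
        orphaned = m["file"] == "(no file)"
        return {"section": "O2", "location": "Browser Helper Object", "name": m["clsid"],
                "files": [] if orphaned else [m["file"]],
                "flags": ["CLSID still registered but its DLL is gone"] if orphaned else []}
    if m := O4_RE.match(line):
        flags = []
        if m["cmd"].lower().startswith("rundll32.exe"):
            flags.append("DLL started through rundll32 rather than a real program")
        if m["key"].startswith("HKUS\\S-1-5-19"):
            flags.append("Run key lives in the LOCAL SERVICE hive, not the logged-on user's")
        return {"section": "O4", "location": m["key"], "name": m["value"],
                "files": QUOTED_PATH_RE.findall(m["cmd"]), "flags": flags}
    if m := O20_RE.match(line):
        files = m["dlls"].split()  # space-separated; these paths contain no spaces
        flags = ["AppInit_DLLs: loaded into every process that maps user32.dll"]
        flags += [f"{f}: bare name, resolved via the DLL search path" for f in files if "\\" not in f]
        return {"section": "O20", "location": "AppInit_DLLs", "name": "", "files": files, "flags": flags}
    return None

def persistence_records(lines: List[str]) -> List[Dict]:
    """Parse every supported line, dropping the ones this parser does not understand."""
    return [r for r in (parse_entry(l) for l in lines) if r]

def files_to_check(lines: List[str]) -> List[str]:
    """Every file the entries point at. The poster saw hafedeku.dll in msconfig while the
    log names hafatipo.dll; listing all referenced paths shows which actually exist on disk."""
    return sorted({f for r in persistence_records(lines) for f in r["files"]}, key=str.lower)

if __name__ == "__main__":
    for rec in persistence_records(HJT_ENTRIES):
        print(rec["section"], rec["location"], rec["name"], rec["files"])
        for flag in rec["flags"]:
            print("   !", flag)
    print("check on disk:", files_to_check(HJT_ENTRIES))
```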
 
Can ComboFix have a dash in the name? I don't think it works that way
I know all other programs do, but ComboFix requires letters only to work, please try it
 
Run CFScript
Open notepad and copy/paste the text in the code box below into it:
NOTE: make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word KillAll:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
KillAll::

File::
c:\windows\system32\nominenu.exe
c:\windows\system32\ukaloboh.tmp
c:\windows\system32\domeroha.dll.tmp
c:\windows\system32\fatopoze.dll.tmp
c:\windows\system32\goyinoro.dll.tmp
c:\windows\system32\gozomose.dll.tmp
c:\windows\system32\hesudipi.dll.tmp
c:\windows\system32\madudori.dll.tmp
c:\windows\system32\mosoraza.dll.tmp
c:\windows\system32\natulevo.dll.tmp
c:\windows\system32\paletigi.dll.tmp
c:\windows\system32\sopakowo.dll.tmp
c:\windows\system32\sufojeni.dll.tmp
c:\windows\system32\sugemeha.dll.tmp
c:\windows\system32\vetaweyo.dll.tmp
c:\windows\system32\wakozawa.dll.tmp
c:\windows\system32\wuyojogi.dll.tmp
c:\windows\system32\zelokore.dll.tmp
c:\windows\system32\zurokawe.dll.tmp

Folder::

Service::
Viewpoint Manager Service
UACd.sys

DirLook::

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ec46b1ad-19d1-11dc-ad3e-806d6172696f}]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e9323aad-f3fe-11db-b907-806d6172696f}]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e63f5ad-087b-11dc-9ac1-806d6172696f}]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6cba5d2d-f4cd-11db-b3ec-806d6172696f}]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10a77790-f28e-11db-b04b-806d6172696f}]

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScriptB-4.gif]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Please download ATF Cleaner by Atribune.


  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

OTListIt2 by OldTimer
  • Download OTListIt2 to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTListIt2.
    • Please copy the contents of these files, one at a time, and post it with your next reply.
 
Install this now,

MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.

OTListIt2 by OldTimer

Run OTList2.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Code:
    :Processes
    explorer.exe
         
    :OTLI
    SRV - (Viewpoint Manager Service [Disabled | Stopped]) --  File not found
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done

Uninstall these,

Java(TM) 6 Update 3

Java(TM) 6 Update 5

Java(TM) 6 Update 7


Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report into your next reply

If you are having trouble with the scan, please see this animated guide.

>>>Animated Guide<<<
 
Yikes, that kaspersky scan was a killer!
Here are the logs. I also included the OTListIt2 log just in case.
 
Good.

All the bad stuff was in the Qoobox, apart from one thing which we will take care of now.

Apart from that you're all good. How are things running?

OTListIt2 by OldTimer

Run OTList2.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Code:
    :Processes
    explorer.exe
         
    :Files
    C:\PeoplePC\Utilities\ppal3ppc.exe
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done

-----------------------------------------------------------------------------------------------------

Uninstall combofix
Uninstall combofix by going to Start -> Run -> type in combofix /u <-Note the space and hit enter

You can also hold your windows key and press R to open the box.



-----------------------------------------------------------------------------------------------------

  • Double-click OTListIt2.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt2 attempting to contact the internet, please allow it to do so.

  • Disable and Enable System Restore. - If you are using Windows XP or Vista then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and re-enable system restore here:

    Windows XP System Restore Guide

    or

    Windows Vista System Restore Guide

Re-enable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.

    This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with anti-virus software. A tutorial on installing & using this product can be found here:

    Instructions for Spybot S & D

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Comodo BOCLEAN <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
  • Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:

    Using Winpatrol to protect your computer from malicious software

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein: So How Did I Get Infected In the First Place
 
kritius!

Welcome back! (Or at least I haven't seen you post in quite a while)

and a follow-up post to Rukichu too from our prior thread :) (and fyi... you're in excellent hands for your malware problem now!)
 
Thanks so much, you are seriously awesome!! I hope after all this, my flash drive problem is resolved as well!

Again, thanks a lot kritius; you are a lifesaver!
 
OK,

What is the D: drive then? Out of curiosity.

Download Flash_Disinfector.exe by sUBs from HERE and save it to your desktop.

  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you run it. Don't delete this folder...it will help protect your drives from future infection.
 
It says it is the DVD drive. When I click on it, it asks me to insert a DVD into the drive.

Will flash disinfector delete all the files on my flash drive or just erase any viruses that might be on there?
 