Trojan.virtuomonde

Status
Not open for further replies.

newbyneedshelp

Posts: 13   +0
Guys,

attached is my log from Hijack this. I have a Trojan that won't go away. Can someone please review and let me know what to remove.

Thanks,
 
Hi newbyneedshelp,

Welcome to Techspot!

My name is Blind Dragon and I will be helping you with your Malware problem. During the course of our interactions please be sure to follow all instructions carefully, and ask questions if you are unsure of how to proceed at any point.

Please have a read here-> Is your system infected? Read this before Cleaning or Formatting

If you decide to clean your system please follow these Viruses/Spyware/Malware, preliminary removal instructions and post back in this thread with the requested logs. There should be at least 3.

1) MBAM log
2) SAS log
3) Hijackthis log (last step)

This thread is for the use of newbyneedshelp only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Blind Dragon,

Thanks for your quick reply. Unfortunately, a complete re-install will be impossible as this is a work system. I will do as you have instructed and get back asap.

Thanks,
 
Hello,

It appears that you skipped the step about updating your Java Runtime!!!

It also appears you may have had McAfee at one time and tried to remove it. Please let me know if this is correct.
-------------------------------------------------------------------

* Download VirtumundoBegone, place it on your desktop.

* Doubleclick VirtumundoBeGone.exe to start the tool.
* Follow the instructions on the screen.
* Don't worry if you'll get a Blue screen with an error in it - this is normal.

After reboot,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present (some entries won't be present anymore):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.ca/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway
O2 - BHO: (no name) - {55d5a256-365c-46ac-975c-3db886df75c4} - C:\WINDOWS\system32\hitemodo.dll (file missing)
O4 - HKLM\..\Run: [CPMb72cf228] Rundll32.exe "c:\windows\system32\mofanedo.dll",a
O4 - HKLM\..\Run: [yizuhopovi] Rundll32.exe "C:\WINDOWS\system32\mewunite.dll",s
O4 - HKUS\S-1-5-19\..\Run: [yizuhopovi] Rundll32.exe "C:\WINDOWS\system32\mewunite.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [yizuhopovi] Rundll32.exe "C:\WINDOWS\system32\mewunite.dll",s (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\kafujote.dll c:\windows\system32\mofanedo.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\mofanedo.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\mofanedo.dll


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!


-------------------------------------------------------------------
OTMoveit3 by OldTimer
Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :files
    c:\windows\system32\mofanedo.dll
    C:\WINDOWS\system32\kafujote.dll
    C:\WINDOWS\system32\mewunite.dll
    C:\WINDOWS\system32\hitemodo.dll
    
    :commands
    [EmptyTemp]
  • Return to OTMoveIt3, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

-----------------------------------------------

Attach here:
1) VBG.TXT
2) OTMoveit3 Log
3) Fresh Hijackthis log
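A defender-side way to read a list like the one above, as an added example written for this edit (it is not a tool from the thread or from HijackThis): it parses HijackThis entry lines, maps each DLL to the persistence sections that reference it, and flags DLLs that Windows loads into other processes (AppInit_DLLs, SSODL, SharedTaskScheduler, BHO) or that are persisted through several mechanisms at once, which is exactly the pattern mofanedo.dll shows in this log. The sample input is a subset of the entries quoted in the post above; the 8-letter-name heuristic is a constructed assumption derived from the file names in this thread, not a general rule.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the HijackThis entries quoted in the
# post above, verbatim, so the parser runs offline.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
O2 - BHO: (no name) - {55d5a256-365c-46ac-975c-3db886df75c4} - C:\WINDOWS\system32\hitemodo.dll (file missing)
O4 - HKLM\..\Run: [CPMb72cf228] Rundll32.exe "c:\windows\system32\mofanedo.dll",a
O4 - HKLM\..\Run: [yizuhopovi] Rundll32.exe "C:\WINDOWS\system32\mewunite.dll",s
O4 - HKUS\S-1-5-19\..\Run: [yizuhopovi] Rundll32.exe "C:\WINDOWS\system32\mewunite.dll",s (User 'LOCAL SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\kafujote.dll c:\windows\system32\mofanedo.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\mofanedo.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\mofanedo.dll
"""

# "O4 - <detail>", "R1 - <detail>", ... : section code, dash, rest of line.
ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")
# A drive-letter path ending in .dll/.exe; non-greedy so paths containing
# spaces (C:\Program Files\...) are still captured whole.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\r\n]*?\.(?:dll|exe)\b", re.IGNORECASE)

# Sections whose DLLs are loaded into other processes without the user
# launching anything: AppInit_DLLs (every process that loads user32.dll),
# SSODL and SharedTaskScheduler (Explorer), BHO (Internet Explorer).
INJECTION_SECTIONS = {"O2", "O20", "O21", "O22"}


def parse_entries(text):
    """Return a list of (section, detail) tuples, one per HijackThis entry."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def dlls_by_section(entries):
    """Map each DLL path (lower-cased) to the set of sections referencing it."""
    refs = defaultdict(set)
    for section, detail in entries:
        for path in PATH_RE.findall(detail):
            path = path.lower()
            if path.endswith(".dll"):
                refs[path].add(section)
    return refs


def looks_random_name(path):
    """Constructed heuristic from this thread's samples only: an 8-letter,
    lower-case, digit-free stem directly under system32 (hitemodo, mofanedo,
    mewunite, kafujote). Legitimate DLLs can match; treat it as a weak signal."""
    return re.search(r"\\system32\\([a-z]{8})\.dll$", path) is not None


def find_suspicious(entries):
    """Return {dll_path: [reasons]} for DLLs worth examining before 'Fix checked'."""
    findings = defaultdict(list)
    for dll, sections in dlls_by_section(entries).items():
        injected = sorted(sections & INJECTION_SECTIONS)
        if injected:
            findings[dll].append("loaded via injection section(s) " + ", ".join(injected))
        if len(sections) >= 2:
            findings[dll].append("persisted through %d different mechanisms" % len(sections))
        if looks_random_name(dll):
            findings[dll].append("random-looking 8-letter name in system32")
    return dict(findings)


if __name__ == "__main__":
    for dll, reasons in sorted(find_suspicious(parse_entries(SAMPLE_LOG)).items()):
        print(dll)
        for reason in reasons:
            print("   -", reason)
```

Run it as-is and the Java console DLL (ssv.dll, section O9 only) stays unflagged, while mofanedo.dll is reported with three reasons because it is wired into the Run key, AppInit_DLLs, SSODL and SharedTaskScheduler at once; that cross-referencing of one file across several persistence points is the strongest signal in the list and is why all four entries have to be fixed together rather than one at a time.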
 
As requested

I think McAfee was removed previously and Avast installed in its place. Just an FYI, the problem I am having is almost no internet access. I can load a few pages, but most take forever, if they load at all. Also, I get a lot of pop-ups.

Thanks,
 
Your Java Runtime still appears out of date.

We will run the McAfee uninstaller to get rid of leftovers.

Are you getting any redirects when searching/browsing the net?
==============================================

Remove McAfee products
1. Click Start, Settings, Control Panel.
2. Double-click Add or Remove Programs.
3. Select the McAfee SecurityCenter product.
4. Click Remove and follow the steps provided.
5. Download the McAfee removal tool from http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe
6. Click Save and save the file to your desktop
7. Make sure all McAfee windows are closed.
8. Double-click MCPR.exe to run the removal tool. (Vista users need right click and run as administrator)
9. Restart your computer after receiving the message CleanUp Successful.

==============================================

Combofix
  • Download Combofix to your desktop.
  • Double click combofix.exe & follow the prompts.
  • A window will open with a warning.
  • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool, so please do NOT do anything without instruction.

Combofix will automatically save the log file to C:\combofix.txt
 
Nope, disable any real-time protection. It is a false positive; many tools we use show up as viruses because they function in a similar manner - I think Combofix gets flagged because of the scripting ability. You will see what I am talking about.

Disable
Download
Run
 
It's Back

Blind Dragon,

I figured out the website that is giving me this. I will not be going anymore. Here is a current scan. Please take a look and review.

Thanks,
 
OTMoveit3 by OldTimer
Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :files
    c:\windows\XBC0C8LU.htm
    c:\windows\89W3OHQH.htm
    c:\windows\KGQD1LFG.htm
    c:\windows\3RQ1A36Y.htm
    
    :commands
    [EmptyTemp]
  • Return to OTMoveIt3, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

====================================

Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report into your next reply


Show me both logs and hopefully we can clean up and secure the machine.
 