
ujomesum.dll (Hiloti.cx trojan)



#1 millerpa

millerpa

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:32 AM

Posted 16 April 2011 - 01:11 PM

This ujomesum startup item runs the command -- rundll32.exe "C:\Windows\ujomesum.dll",Startup -- (as shown in System Configuration Utility). I try to stop it from loading on startup using MSCONFIG but it keeps coming back immediately (before reboot). I believe this showed up during my last virus infection that I removed using Malwarebytes. I searched the registry and the program that is placing this in the startup folder is Qfoniquyi. I delete all keys and folders associated with these two names but they immediately come back. I have also run rkill and Malwarebytes and it turns up nothing. A run of AVG virus scan turns up this DLL as part of a Hiloti.cx trojan but is unable to fix it. I have searched the internet for these two names and have turned up nothing so I am assuming that they are some random names or something new. I am running 32-bit XP Pro SP3. There are no other noticeable symptoms of this file execution, I just happened to run across it during periodic cleanup. Any ideas?


 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:32 PM

Posted 16 April 2011 - 03:59 PM

Are you getting a "Cannot find...", "Could not run...", "Error loading..." or "specific module could not be found" message?
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 millerpa


Posted 17 April 2011 - 03:17 PM

Yes. After AVG tried to clean the infection I got this upon starting windows:
'Error loading C:\WINDOWS\ujomesum.dll
The specified module could not be found.'

#4 boopme


Posted 17 April 2011 - 04:33 PM

It's not unusual to receive such an error after using specialized fix tools.

A "Cannot find...", "Could not run...", "Error loading..." or "specific module could not be found" message is usually related to malware that was set to run at startup but has been deleted. Windows is trying to load this file but cannot locate it since the file was most likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.

Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this.)
Open the folder and double-click on autoruns.exe to launch it.
Please be patient as it scans and populates the entries.
When done scanning, it will say Ready at the bottom.
Scroll through the list and look for a startup entry related to the file(s) in the error message.
Right-click on the entry and choose delete.
Reboot your computer and see if the startup error returns.
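Added example, not part of the post above and not Autoruns code: a Python sketch of the orphaned-entry check described in post #4, which extracts the file each startup command loads (the DLL argument for rundll32 commands such as the one in post #1) and reports entries whose file is missing. It reads only the HKLM and HKCU Run keys, far fewer locations than Autoruns covers; `SAMPLE`, `SAMPLE_FILES` and the ExampleApp entry are constructed so the script also runs off Windows.

```python
import os
import re
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
# For "rundll32[.exe] <dll>,<export>" the DLL is the file that matters.
_RUNDLL = re.compile(r'^\s*"?[^"]*rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^,\s]+))\s*,', re.I)
_QUOTED = re.compile(r'^\s*"([^"]+)"')
_BARE = re.compile(r'^\s*(.+?\.(?:exe|com|bat|cmd))(?:\s|$)', re.I)

def startup_target(command):
    """Return the file a startup command loads (the DLL for rundll32 commands)."""
    m = _RUNDLL.match(command)
    if m:
        return m.group(1) or m.group(2)
    m = _QUOTED.match(command) or _BARE.match(command)
    return m.group(1) if m else ""

def find_orphans(entries, exists):
    """entries: (location, name, command) tuples; exists: callable path -> bool."""
    orphans = []
    for location, name, command in entries:
        target = startup_target(command)
        # Bare file names are resolved through the search path; skip them
        # rather than report a false orphan.
        if "\\" in target and not exists(target):
            orphans.append((location, name, target))
    return orphans

def read_run_keys():
    """Windows only: yield Run-key values from HKLM and HKCU."""
    import winreg
    for hive, label in ((winreg.HKEY_LOCAL_MACHINE, "HKLM"), (winreg.HKEY_CURRENT_USER, "HKCU")):
        try:
            key = winreg.OpenKey(hive, RUN_KEY)
        except OSError:
            continue
        with key:
            for i in range(winreg.QueryInfoKey(key)[1]):
                name, value, _ = winreg.EnumValue(key, i)
                yield label, name, str(value)

# Constructed sample; the first command is the one quoted in post #1.
SAMPLE = [("HKLM", "ujomesum", r'rundll32.exe "C:\Windows\ujomesum.dll",Startup'),
          ("HKLM", "ExampleApp", r'"C:\Program Files\ExampleApp\app.exe" /min'),
          ("HKCU", "ctfmon", "ctfmon.exe")]
SAMPLE_FILES = {r"c:\program files\exampleapp\app.exe"}  # files that "exist"

if __name__ == "__main__":
    live = sys.platform == "win32"
    entries = read_run_keys() if live else SAMPLE
    exists = (lambda p: os.path.exists(os.path.expandvars(p))) if live else (lambda p: p.lower() in SAMPLE_FILES)
    for loc, name, target in find_orphans(entries, exists):
        print(f"{loc} Run value '{name}' points at missing file {target}")
```

The script only reports; deleting the value is left to Autoruns as in the steps above.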

#5 millerpa


Posted 21 April 2011 - 11:18 PM

Yes, that worked. Thank you very much for the help!!!

#6 boopme


Posted 22 April 2011 - 10:39 AM

Before we let you go..
Let's run an online scan.

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista/Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Posted Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

#7 millerpa


Posted 24 April 2011 - 09:01 PM

I think this is the portion of the log file needed. It took so long to run that I had to stop a couple times...

ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=9de43dbb7ff8524e86e8a8cfabed2dbd
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-04-24 06:16:01
# local_time=2011-04-24 02:16:01 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777195 100 0 36025594 36025594 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=181309
# found=3
# cleaned=0
# scan_time=6256
C:\Documents and Settings\Patrick\Application Data\Sun\Java\Deployment\cache\6.0\34\ba13362-6bb2b7f0 Java/TrojanDownloader.Agent.NBB trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Sarah\Local Settings\Temp\aB624.tmp a variant of Win32/Injector.FLK trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Sarah\Local Settings\Temp\jar_cache2243309136687746651.tmp a variant of Java/TrojanDownloader.OpenStream.NBM trojan (unable to clean) 00000000000000000000000000000000 I

#8 boopme


Posted 25 April 2011 - 11:09 AM

Hello, we found some serious infostealers that ESET was NOT able to clean. Injectors are very dangerous malware as they keep injecting malware into the system. I would advise you to change all passwords on here from a clean computer. If you do financials on here I would consider a reformat.

To clean this we will need to move you.
We need a deeper look. Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.