Author Topic: Avast Unable to remove Trojan "sofofuhi.dll" (Trojan.Virtumod.1459?)


fljackson4 (Guest)
I have come across "sofofuhi.dll" in my win32 subdirectory.  Avast can't seem to get rid of it.  VirusTotal reports the following - some kind of Trojan:

Antivirus Version Last Update Result
AhnLab-V3 2008.12.2.2 2008.12.02 -
AntiVir 7.9.0.36 2008.12.02 -
Authentium 5.1.0.4 2008.12.02 -
Avast 4.8.1281.0 2008.12.02 -
AVG 8.0.0.199 2008.12.02 -
BitDefender 7.2 2008.12.02 -
CAT-QuickHeal 10.00 2008.12.02 -
ClamAV 0.94.1 2008.12.02 -
DrWeb 4.44.0.09170 2008.12.02 Trojan.Virtumod.1459
eSafe 7.0.17.0 2008.12.02 Suspicious File
eTrust-Vet 31.6.6239 2008.12.02 -
Ewido 4.0 2008.12.02 -
F-Prot 4.4.4.56 2008.12.01 -
F-Secure 8.0.14332.0 2008.12.02 -
Fortinet 3.117.0.0 2008.12.02 -
GData 19 2008.12.02 -
Ikarus T3.1.1.45.0 2008.12.02 -
K7AntiVirus 7.10.540 2008.12.02 -
Kaspersky 7.0.0.125 2008.12.02 -
McAfee 5451 2008.12.01 -
McAfee+Artemis 5451 2008.12.01 -
Microsoft 1.4104 2008.12.02 -
NOD32 3658 2008.12.02 -
Norman 5.80.02 2008.12.02 -
Panda 9.0.0.4 2008.12.02 -
PCTools 4.4.2.0 2008.12.02 -
Prevx1 V2 2008.12.02 -
Rising 21.06.12.00 2008.12.02 Trojan.Win32.VUNDO.bvp
SecureWeb-Gateway 6.7.6 2008.12.02 Win32.Malware.gen!92 (suspicious)
Sophos 4.36.0 2008.12.02 -
Sunbelt 3.1.1832.2 2008.12.01 -
Symantec 10 2008.12.02 -
TheHacker 6.3.1.2.171 2008.12.02 -
TrendMicro 8.700.0.1004 2008.12.02 -
VBA32 3.12.8.10 2008.12.02 -
ViRobot 2008.12.2.1496 2008.12.02 -
VirusBuster 4.5.11.0 2008.12.01 -
Additional information
File size: 93236 bytes
MD5...: 0e5d0d0319fa80415718bc589d494b0d
SHA1..: 1412aa281591336ced5aa245f2bc5428a5862d3c
SHA256: 09d989a9a6f043aa5db058dd0b7e161ea84aad481c4e11f9949de7252b7930c5
SHA512: 6faf4e1e126a4e0863126d61aa1b382e925d02d99d1be0176d29de2f4cf5dfc1cfd416ce49d132c1b0376f8f6943ba827a52d5ebdbd35da9e7107fc03dc98744
 
ssdeep: 1536:4B/2GtUbh1cMjSIJtURZwG0SaEX/EIlaQNPcjGbnv7IO:O2zUayZx83QNpvMO
 
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10001067
timedatestamp.....: 0x0 (Thu Jan 01 00:00:00 1970)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x51d2 0x5200 7.92 3ec2d1c3c80a1f7de4e4ff2cc5904a64
.rdata 0x7000 0x52d4 0x5400 7.85 f337639ad381495417ede5b268f5db8b
.data 0xd000 0xb7ff 0xb400 7.99 fd1220e078663fa2f7daf6a4e8728906
.rsrc 0x19000 0x489 0x600 2.67 83b220b4281def97f43a351a012a9e2b
.reloc 0x1a000 0x7954 0x800 0.77 848ac8f4412a072219c2896a1630cc56

( 4 imports )
> user32.dll: ToAscii, RegisterClassW, MessageBoxW, MessageBeep, GetMessageW, DispatchMessageW
> KERNEL32.dll: HeapDestroy, SetFilePointer, SetEnvironmentVariableW, GetStdHandle, GetExitCodeProcess, FlushFileBuffers, CloseHandle, ExitProcess
> advapi32.dll: RegOpenKeyExW, RegQueryValueExW, RegCloseKey, RegEnumValueW
> comdlg32.dll: GetOpenFileNameW, GetFileTitleW

( 0 exports )
 
« Last Edit: December 02, 2008, 08:27:38 PM by fljackson4 »
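Added example, not code from the thread or from any of the tools named in it: a stdlib-only Python script that pulls the same triage facts out of a PE on disk that the VirusTotal report above shows (whole-file hashes, compile timestamp, entry point, per-section entropy and MD5) and flags the two that stand out in that report. Entropy is measured in bits per byte and tops out at 8.0, so 7.92/7.85/7.99 for CODE/.rdata/.data means those sections are effectively random: packed or encrypted, which is exactly the situation in which signature engines disagree and only the heuristic ones fire. A TimeDateStamp of 0x0 (1 Jan 1970) is a stripped build time. The file the script builds inline is a constructed stand-in with those two properties, not sofofuhi.dll; point it at a real file by passing the path as the first argument.

```python
"""Offline triage of a suspicious PE (DLL): hashes, timestamp, entry point,
per-section entropy. Standard library only; no network, no VirusTotal."""
import datetime
import hashlib
import math
import struct
import sys

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is uniformly random, ~0 is almost all one value."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> sections."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0]          # e_lfanew
    if blob[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", blob, pe_off + 4)                          # 20-byte COFF header
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", blob, opt_off)[0]         # 0x10B PE32, 0x20B PE32+
    entry_rva = struct.unpack_from("<I", blob, opt_off + 16)[0]
    if magic == 0x10B:
        image_base = struct.unpack_from("<I", blob, opt_off + 28)[0]
    else:
        image_base = struct.unpack_from("<Q", blob, opt_off + 24)[0]
    sections = []
    sec_off = opt_off + opt_size
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", blob, sec_off + i * 40)
        raw = blob[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
            "entropy": round(shannon_entropy(raw), 2),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    return {"machine": machine, "timestamp": timestamp,
            "is_dll": bool(chars & IMAGE_FILE_DLL),
            "entrypoint": image_base + entry_rva, "sections": sections}


def triage(blob: bytes) -> dict:
    """Hashes plus the heuristics a first look at the VT report would raise."""
    pe = parse_pe(blob)
    findings = []
    if pe["timestamp"] == 0:
        findings.append("zero TimeDateStamp (compile time stripped)")
    for s in pe["sections"]:
        if s["rawsize"] >= 512 and s["entropy"] >= 7.0:
            findings.append(f"{s['name']} entropy {s['entropy']} (likely packed/encrypted)")
    return {"size": len(blob),
            "md5": hashlib.md5(blob).hexdigest(),
            "sha1": hashlib.sha1(blob).hexdigest(),
            "sha256": hashlib.sha256(blob).hexdigest(),
            "pe": pe, "findings": findings}


def build_sample_pe() -> bytes:
    """Constructed 32-bit DLL image: one random-looking section, one sparse one,
    zero timestamp, ImageBase 0x10000000 + entry RVA 0x1067. Not the real sample."""
    code, seed = b"", b"constructed-sample"            # deterministic pseudo-random bytes
    while len(code) < 4096:
        seed = hashlib.sha256(seed).digest()
        code += seed
    code = code[:4096]
    reloc = b"\x00\x10\x00\x00\x08\x00\x00\x00" + b"\x00" * 504   # 512 bytes, mostly zero
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x2102)  # I386, 2 sections, ts=0, DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1067)              # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x10000000)          # ImageBase
    sec1 = struct.pack("<8sIIIIIIHHI", b"CODE", len(code), 0x1000, len(code), 512, 0, 0, 0, 0, 0x60000020)
    sec2 = struct.pack("<8sIIIIIIHHI", b".reloc", len(reloc), 0x2000, len(reloc), 512 + len(code), 0, 0, 0, 0, 0x42000040)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec1 + sec2
    return headers + b"\0" * (512 - len(headers)) + code + reloc


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    r = triage(data)
    when = datetime.datetime.fromtimestamp(r["pe"]["timestamp"], datetime.timezone.utc)
    print(f"size {r['size']}  md5 {r['md5']}  sha256 {r['sha256']}")
    print(f"dll={r['pe']['is_dll']} entry=0x{r['pe']['entrypoint']:08x} timestamp={when:%c}")
    for s in r["pe"]["sections"]:
        print(f"  {s['name']:<8} va=0x{s['vaddr']:x} raw={s['rawsize']:#x} entropy={s['entropy']} md5={s['md5']}")
    for f in r["findings"]:
        print("FLAG:", f)
```

Compare the md5/sha256 it prints for the file on disk with the hashes in the VT report before trusting any of the verdicts: if the on-disk copy has changed (Vundo variants rewrite their DLLs), the report above describes a different file. The entropy threshold of 7.0 is a rule of thumb, not a verdict; legitimate compressed resources can hit it too, which is why the script also reports raw size and section name.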

DavidR
Re: Avast Unable to remove Trojan "sofofuhi.dll" (Trojan.Virtumod.1459?)
« Reply #1 on: December 02, 2008, 08:44:29 PM »
Does avast actually detect it ?
If so what do you mean by it can't get rid of it, e.g. what happens, error messages, etc. ?

It isn't unusual for avast not to detect a file on VirusTotal when it does so on your system. VT isn't able to update the VPS in real time as the user is, and this is often the cause. Remember the point of submitting it to VT is to see what the other scanners find.

Though the file name looks like the usual random Vundo file name.
A google search only returns two hits, strange if it were a legit file, which it isn't: http://www.google.co.uk/search?q=sofofuhi.dll.

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).
1. SUPERantispyware On-Demand only in free version.
2. MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File As (depending on your browser), save it to a location where you can find it easily later.

A specialist tool if these don't get it - Vundo Fix Tool - Aliases - WinFixer / Virtumonde / Msevents / Trojan.vundo.
Here are the cleansing instructions for Virtumonde: http://www.bleepingcomputer.com/forums/topic18610.html

Download VundoFix.exe to your desktop.
 