Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Normal system programs crash immediately
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Trojan:vbs/mutuodo.a

There have been reports of a malicious program called Trojan:vbs/mutuodo.a, but so far our researchers have not found any samples that work correctly. Nonetheless, we feel it is important to share the information that is currently available, as it may help some of you avoid the threat in question. Further in the text, we discuss how the malware is spread and what other channels could be used to distribute it. Moreover, if you continue reading, you will learn how Trojan:vbs/mutuodo.a might act after entering the system, how to recognize the Trojan, and what the risk of leaving it unattended is. At the end of the text, there are instructions showing how one could erase the malicious application manually. However, keep in mind that without a fully working sample the instructions might be inaccurate. In other words, we cannot guarantee they will work for everyone, which is why our researchers recommend using a reliable antimalware tool instead.

To begin with, it seems the malware could be associated with an adware application called PriceFountain, as there were reports saying the Trojan might have been dropped by it. Therefore, we suspect the malicious application could be distributed with other adware or similar threats too. This means that, in order to protect the system from it, users should be extra careful when downloading new software. Firstly, it is vital to make sure the chosen program is reliable. Next, users should look for safe sources to download it, for example, the software’s official site or distributor. Needless to say, torrent and other similar file-sharing websites are not safe, since they may distribute pirated software or freeware bundled with malware. Consequently, we strongly recommend staying away from such sites if you do not want to infect your system accidentally. Another thing our researchers would suggest is choosing a reliable antimalware tool. Such software can alert the user about potential threats or even stop them from harming the system and the files located on the computer.

Those who encountered Trojan:vbs/mutuodo.a say it might attempt to create several Registry entries to make the computer run the Trojan automatically. For instance, the threat could try to create values under the HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce key with a couple of different names. Then, the malicious application should try creating executable files in the %APPDATA% and %LOCALAPPDATA% folders. Afterward, it appears the malware might change the user’s settings, for example, replace the login password. Currently, there is no other information on what Trojan:vbs/mutuodo.a could do after infecting the computer, but based on our experience with other similar threats we could list a few possibilities. Like many other Trojans, it might steal the user’s sensitive data and install more malicious software, for example, keyloggers, rootkits, backdoors, ransomware, etc. The malware could be extremely dangerous and cause a lot of problems, which is why our researchers recommend removing it right away.

Just as we explained earlier, we may not have all the information about the Trojan yet, which means we cannot provide proper deletion steps. Thus, keep in mind that the instructions available below might help you find some files belonging to Trojan:vbs/mutuodo.a, but we cannot be sure the malicious application will not create even more data. Unfortunately, to remove it permanently it is crucial to get rid of all data associated with the Trojan, since leaving even a single file behind may allow Trojan:vbs/mutuodo.a to restore itself. Under such circumstances, we advise using a reliable antimalware tool instead, as it could locate all files belonging to the malicious application and even allow you to erase them at the same time. Nevertheless, if you think you are experienced enough to handle the threat manually, you could try the instructions located below this paragraph. Also, users who have other questions about the Trojan or need more assistance while removing it could leave us messages at the end of this page.

Eliminate Trojan:vbs/mutuodo.a

  1. Press Ctrl+Alt+Delete.
  2. Go to the Task Manager.
  3. Find the malware’s process, for example, synhelper.exe.
  4. Mark this process and click End Task.
  5. Exit Task Manager.
  6. Tap Win+E.
  7. Navigate to this location: %APPDATA%\PriceFountain\UpdateProc
  8. Inside of it you should find a malicious .exe file, for example, UpdateTask.exe.
  9. Either right-click the mentioned .exe file or the PriceFountain folder and select Delete.
  10. Go to %LOCALAPPDATA%\{GUID}, for example, %LOCALAPPDATA%\{a4835daf-3520-45d5-9dd9-adc5cbf8a9b2}
  11. Look for another suspicious .exe file, for example, synhelper.exe.
  12. Right-click the mentioned .exe file and select Delete.
  13. Check the %APPDATA% directory.
  14. Look for folders titled PriceFountain, UpdateProc, Mogan, or named similarly; they may contain files titled bkup.dat.
  15. Right-click the mentioned folders and select Delete.
  16. Close File Explorer.
  17. Press Win+R.
  18. Insert Regedit and click OK.
  19. Find these paths:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  20. Look for value names called PriceFountain, Rinapi, or similar; they should point to the locations mentioned in the previous steps.
  21. Right-click these value names and press Delete.
  22. Exit Registry Editor.
  23. Empty Recycle Bin.
  24. Reboot the PC.
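
The checks in the steps above can be run as one read-only PowerShell pass before anything is deleted. This is an added example, not part of the original instructions; it uses only the process, folder, file, and value names listed on this page and matches by name alone, so each hit still has to be verified by hand.

```powershell
# Added example: read-only triage for the artifact names listed on this page.
# Matching is by name only, so every hit is a lead to verify, not proof.
$runOnceKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$valueNames  = 'PriceFountain', 'Rinapi'
$folderNames = 'PriceFountain', 'UpdateProc', 'Mogan'
$fileNames   = 'synhelper.exe', 'UpdateTask.exe', 'bkup.dat'
$guidPattern = '^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$'
$findings    = @()

# 1. Running process named in step 3.
foreach ($p in @(Get-Process -Name 'synhelper' -ErrorAction SilentlyContinue)) {
    $findings += [pscustomobject]@{ Type = 'Process'; Where = "PID $($p.Id)"; Detail = $p.Path }
}

# 2. RunOnce values whose name or data mentions one of the listed names.
foreach ($key in $runOnceKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        if ($valueNames | Where-Object { $name -like "*$_*" -or $data -like "*$_*" }) {
            $findings += [pscustomobject]@{ Type = 'RunOnce'; Where = $key; Detail = "$name = $data" }
        }
    }
}

# 3. Folders with the listed names directly under %APPDATA%.
$roots = @(Get-ChildItem -Path $env:APPDATA -Directory -ErrorAction SilentlyContinue |
           Where-Object { $folderNames -contains $_.Name })
foreach ($r in $roots) {
    $findings += [pscustomobject]@{ Type = 'Folder'; Where = $r.FullName; Detail = 'name matches' }
}

# 4. Listed file names inside those folders and inside {GUID}-named folders
#    under %LOCALAPPDATA%. GUID folders are common for legitimate software,
#    so they are reported only when they contain one of the listed files.
$roots += @(Get-ChildItem -Path $env:LOCALAPPDATA -Directory -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $guidPattern })
foreach ($r in $roots) {
    $files = @(Get-ChildItem -LiteralPath $r.FullName -File -Recurse -ErrorAction SilentlyContinue |
               Where-Object { $fileNames -contains $_.Name })
    foreach ($f in $files) {
        $findings += [pscustomobject]@{ Type = 'File'; Where = $f.DirectoryName; Detail = $f.Name }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'No artifacts with the listed names were found.' }
```

Run it from an elevated prompt as the affected user, so that HKLM is readable and %APPDATA% resolves to that user's profile.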