Please HELP - Think I Deleted Files Incorrectly



femmebotte
2009-01-18, 01:46
I was browsing the internet in Firefox (Windows XP) and clicked on a link to another site but all of a sudden 10-12 new windows came up. I found through the cookies that I had adtrgt or something like that...

I called the help desk at my work (since it's my work laptop) but only the "extended" help is on during the weekends. They recommended AdAware and a co-worker recommended SpyBot. I downloaded SpyBot and ran it on the computer after a restart. It found a lot more stuff than I thought... and it also found two Virtumonde trojans.

This is strange because I have had a virtumonde trojan on my home computer in the past and it was very noticeable. On my work computer I have noticed nothing. Also on my home computer I ran an .exe file which triggered the virus. I have no recollection of doing this on my work computer from any unreliable source.

Anyway, I followed the cleanup suggested... I looked through the items they found and nothing (other than the Virtumonde) looked strange or unexpected.

After the fix completed, SpyBot was asking me to "Allow Changes" or "Deny Changes" when deleting or adding some files from/to the system. I do not know what the files were for, but for deleting (first pop-up) I clicked allow, and for the next couple that were adding files, I clicked deny. I had no idea what these meant and they kept popping up so I just shut down the computer with an End Program to SpyBot.

I restarted the computer and immediately when it got to the desktop I got a couple errors saying the dll was missing from a few of the folders where I deleted stuff. Then some black C prompt windows popped up. I just closed them but the Allow/Deny box came up again and I couldn't get rid of it. I tried to use IE6 and it worked fine (I uninstalled Firefox for the time being - plan to reinstall after this is all over).

I am just wondering... should I do a system restore to whatever time is available before 4am this morning when I saw the pop-ups? I did do the back-up that SpyBot asked me to do before running the scan. I am just afraid to touch it at this point. I plan to ask my DLS service for help on Tuesday when I return to work but wondering if I completely damaged my system and they need to reinstall the operating system or if this can be fixed without any of that? Is there anything I can do in the meantime?

Also, if there are any ideas on that weird Virtumonde appearing in the scan but no symptoms of the virus that would be helpful too..

thanks!

drragostea
2009-01-18, 06:58
Here's the problem, a domino effect. :laugh:
Let me explain. Virtumonde is a trojan, not a virus. And your infection does not need to be an execution of a malicious .exe. It could be merely a drive-by download. But your description about "10-12 new windows" coming up sounds very suspicious. I'm suspecting that they were ads or malicious banners.

And I would suggest you disable TeaTimer (the prompts: Allow or Deny) if you are not familiar with it, because you were probably denying Spybot's attempts to remove the trojan. Usually the symptoms of a successful Virtumonde removal would be a few prompts about startup items and a bad image of some .dll file missing. Then, I would suggest you allow all the changes, because Spybot successfully removed it.

How is your work machine doing at the moment? And I would not suggest a system restore, because that might mean bringing back the trojan.

femmebotte
2009-01-18, 15:20
Hello,

Thanks for the reply! I have not turned my machine back on since I posted here yesterday.

The 10-12 new windows immediately popped up when I clicked on a link from one site to go to what I thought was another page in the same site, but obviously was not. The site did not appear shady at the time, but I guess I should have assumed it was... I was researching Chinese Astrology. I was also on a site that was #2 or 3 from a google search.

Anyhow, I just want to make sure I understand - it is the TeaTimer that is creating those pop-ups asking me to accept/deny? I am not familiar at all with TeaTimer but during the install I included it in the options to allow.

Does this mean the Trojan is not completely gone? It's so strange because I had no other indicators... maybe the ads were part of the Trojan or something.

I did DENY some of the attempts for SpyBot to "Add" files to the computer... I had no idea what was going on and why SpyBot wanted to add files. Should I just disable the TeaTimer, allow all the changes SpyBot wants to make, and try to run the SpyBot again to make sure there is nothing I missed in allowing/denying?

What about those pop-ups I get that the dll is unavailable? They seem like system messages...

I am really afraid to ruin my work's laptop... and remove things from the registry, etc. that I should not. There were definitely registry keys affected by the Trojan...

Just as curiosity, with a system restore - I know deleted files (such as .doc, etc.) can't be retrieved but what about removed applications or registry keys that were removed... what is the point of system restore anyway?

Thanks again!

femmebotte
2009-01-18, 15:24
Another thing - I wrote down the first request SpyBot or TeaTimer, whichever it was, made to me:

Change: Value Deleted (the others said Value Added)
Entry: CPM83b0daff
Old Data: Rundll32.exe "c:\windows\system32\nuyajuk..

And the small window wouldn't let me see the rest of the name, but when I rebooted the windows popping up as system messages told me it could not find the dll file in nuyajuk... whatever the rest of the name was...

drragostea
2009-01-18, 21:20
Another problem here is that Spybot itself is not "adding" files but rather the Virtumonde trojan is. Spybot merely prompts you about what something is doing and what is happening.

Like I said before, I would recommend that you disable TeaTimer, but you could possibly deny something good (like Spybot's attempt to remove the Trojan).

What Virtumonde attempts to do on the infected machine is to download more garbage (malware components) and create randomly generated files and startup entries to ensure that it'll run every time you boot up the machine.
What Spybot is detecting is Virtumonde itself, not a false positive.

And I wouldn't trust "Sponsored Ads" from Google, because a majority of the time it's not what they really say. :cowboy:

Anyhow, I just want to make sure I understand - it is the TeaTimer that is creating those pop-ups asking me to accept/deny?
Yes, that is Spybot-SD's Resident Shield.

Does this mean the Trojan is not completely gone? It's so strange because I had no other indicators... maybe the ads were part of the Trojan or something.
It is possible that it is removed by Spybot. Does Spybot still detect it?

And to your second post, I would suggest you Allow that. This tells us that Spybot was able to remove Virtumonde and its startup files (the trojan tends to start up when your machine boots).

The prompts about a bad image or an unavailable .dll file (usually randomly named) are normal after a reboot. It should not reappear on the next reboot.

Just as curiosity, with a system restore - I know deleted files (such as .doc, etc.) can't be retrieved but what about removed applications or registry keys that were removed... what is the point of system restore anyway?
Not really... your documents remain unchanged. No documents are deleted. And they remain in the same place as they were last time.
And for the removed applications, it could be possible that an uninstalled application would be brought back.

The whole point of the System Restore is to bring your machine to an earlier state. So like if you're infected at one point, you can always take advantage of this feature. So it'll be like in a way you were never infected.

femmebotte
2009-01-18, 21:36
Ok I am starting my computer now...

How do I disable the TeaTimer? I am not sure if SpyBot deleted all the Trojan since I have not run it again...

femmebotte
2009-01-18, 21:43
Ok I got two RUNDLL errors with a red circle and X inside...

I just clicked OK...

I went through the other questions and clicked Allow Changes on the Deletion of the files from the registry... the names were pretty weird so I think they must have been Trojan...

It just finished and I am going to try to run SpyBot again... I also keep getting an error when I start SpyBot - it says:

Spybot SD.exe - Unable to Locate Component
This application has failed to start because framedyn.dll was not found. Re-installing the application may fix this problem.

I click OK and then Spybot opens fine. I am going to try to uninstall and reinstall Spybot and see what happens...

femmebotte
2009-01-18, 21:49
On second thought... when I just tried to remove Spybot it reminded me that I had backed-up the PC... if I ever want to undo changes I will lose those... If you think that dll is not useful for the program to run accurately and successfully, I will keep using this version and install another one after I know this is working properly....

femmebotte
2009-01-18, 22:36
I have not disabled TeaTimer because I do not know how to or where it is.

My scan is about 50% complete and the Spybot found 2 Virtumonde files.

Here are the details:

Virtumonde.prx (4 entries) - Last time there were 8 I think...
all locations are Registry Values
The CPM83b0daff is there again but I thought I allowed the delete.

Virtumonde (1 entry) - Last time there were 2 or 4 I think...

Do you recommend I just allow all the changes when the scan is finished?

Thanks again!

femmebotte
2009-01-18, 23:08
So those two issues were the only ones found. I ran the fix and allowed the changes to delete. I am running a 2nd scan before reboot to make sure they were really gone. I will reboot and then run the scan again to make sure there isn't a start-up option somewhere that Spybot is not finding.

Thanks!

femmebotte
2009-01-19, 00:49
I have scanned twice more and twice removed Virtumonde.prx (3 entries) in the registry keys.

I am restarting now to see if that makes a difference... any ideas?

femmebotte
2009-01-19, 01:49
I am using the IE on the infected computer and getting lots of pop-ups.

I went into the Advanced Mode of SpyBot and found this list:

1/17/2009 3:07:14 PM Allowed (based on user decision) value "CPM83b0daff" (new data: "") deleted in System Startup global entry!
1/17/2009 3:07:35 PM Denied (based on user decision) value "SpybotDeletingA9724" (new data: "command /c del "c:\windows\system32\nuyajuku.dll_old"") added in System Startup global entry!
1/17/2009 3:07:47 PM Denied (based on user decision) value "SpybotDeletingC6770" (new data: "cmd /c del "c:\windows\system32\nuyajuku.dll_old"") added in System Startup global entry!
1/17/2009 3:07:51 PM Denied (based on user decision) value "SpybotDeletingA1703" (new data: "command /c del "C:\WINDOWS\system32\kumeweva.dll_old"") added in System Startup global entry!
1/17/2009 3:10:13 PM Denied (based on user decision) value "SpybotDeletingC9617" (new data: "cmd /c del "C:\WINDOWS\system32\kumeweva.dll_old"") added in System Startup global entry!
1/17/2009 3:10:28 PM Denied (based on user decision) value "SpybotDeletingA6581" (new data: "command /c del "C:\WINDOWS\system32\venaroyu.dll_old"") added in System Startup global entry!
1/17/2009 3:10:37 PM Denied (based on user decision) value "SpybotDeletingC489" (new data: "cmd /c del "C:\WINDOWS\system32\venaroyu.dll_old"") added in System Startup global entry!
1/17/2009 3:10:42 PM Denied (based on user decision) value "SpybotDeletingB6407" (new data: "command /c del "c:\windows\system32\nuyajuku.dll_old"") added in System Startup user entry!
1/17/2009 3:10:44 PM Denied (based on user decision) value "SpybotDeletingD535" (new data: "cmd /c del "c:\windows\system32\nuyajuku.dll_old"") added in System Startup user entry!
1/17/2009 3:10:48 PM Denied (based on user decision) value "SpybotDeletingB3736" (new data: "command /c del "C:\WINDOWS\system32\kumeweva.dll_old"") added in System Startup user entry!
1/18/2009 2:38:34 PM Allowed (based on user decision) value "SpybotDeletingD834" (new data: "") deleted in System Startup user entry!
1/18/2009 2:38:38 PM Allowed (based on user decision) value "SpybotDeletingB2760" (new data: "") deleted in System Startup user entry!
1/18/2009 2:38:42 PM Allowed (based on user decision) value "SpybotDeletingD6911" (new data: "") deleted in System Startup user entry!
1/18/2009 4:05:01 PM Allowed (based on user whitelist) value "CPM83b0daff" (new data: "") deleted in System Startup global entry!
1/18/2009 4:05:10 PM Allowed (based on user decision) value "peyomaluhu" (new data: "") deleted in System Startup global entry!
1/18/2009 4:05:14 PM Allowed (based on user decision) value "peyomaluhu" (new data: "Rundll32.exe "C:\WINDOWS\system32\kumeweva.dll",s") added in System Startup global entry!
1/18/2009 5:23:03 PM Allowed (based on user whitelist) value "peyomaluhu" (new data: "") deleted in System Startup global entry!
1/18/2009 5:23:07 PM Allowed (based on user whitelist) value "peyomaluhu" (new data: "Rundll32.exe "C:\WINDOWS\system32\kumeweva.dll",s") added in System Startup global entry!
1/18/2009 6:15:13 PM Allowed (based on user whitelist) value "peyomaluhu" (new data: "") deleted in System Startup global entry!
1/18/2009 6:15:16 PM Allowed (based on user whitelist) value "peyomaluhu" (new data: "Rundll32.exe "C:\WINDOWS\system32\kumeweva.dll",s") added in System Startup global entry!

The peyomaluhu is what keeps showing up over and over and I keep getting a message when I restart saying the kumeweva.dll could not be found.

I found instructions on another site on how to disable the TeaTimer... but I did not continue and run the .bat file... I just unchecked the TeaTimer in the Advanced Mode...

Help please!
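
The TeaTimer log above is the part of this thread a helper would actually work from: it records a startup (Run) value being deleted and then re-created pointing rundll32 at a DLL in system32, and Spybot's own scheduled-deletion entries ("SpybotDeleting...", a `cmd /c del` of a `.dll_old` file) being denied. The following Python script is an added example, not code from the thread or from Spybot; it parses lines in the format quoted above (an excerpt of the poster's log is embedded as sample input) and flags those two patterns so the persistence loop and the blocked cleanups are visible at a glance. The line-format regex and the function names are my own assumptions about the log layout.

```python
import re
from collections import defaultdict

# Excerpt of the TeaTimer log quoted in the thread, embedded here as sample
# input so the script runs offline (names and paths are the poster's).
SAMPLE_LOG = r"""
1/17/2009 3:07:14 PM Allowed (based on user decision) value "CPM83b0daff" (new data: "") deleted in System Startup global entry!
1/17/2009 3:07:35 PM Denied (based on user decision) value "SpybotDeletingA9724" (new data: "command /c del "c:\windows\system32\nuyajuku.dll_old"") added in System Startup global entry!
1/17/2009 3:10:48 PM Denied (based on user decision) value "SpybotDeletingB3736" (new data: "command /c del "C:\WINDOWS\system32\kumeweva.dll_old"") added in System Startup user entry!
1/18/2009 4:05:10 PM Allowed (based on user decision) value "peyomaluhu" (new data: "") deleted in System Startup global entry!
1/18/2009 4:05:14 PM Allowed (based on user decision) value "peyomaluhu" (new data: "Rundll32.exe "C:\WINDOWS\system32\kumeweva.dll",s") added in System Startup global entry!
1/18/2009 5:23:03 PM Allowed (based on user whitelist) value "peyomaluhu" (new data: "") deleted in System Startup global entry!
1/18/2009 5:23:07 PM Allowed (based on user whitelist) value "peyomaluhu" (new data: "Rundll32.exe "C:\WINDOWS\system32\kumeweva.dll",s") added in System Startup global entry!
"""

# Assumed line layout, derived from the quoted lines (not a documented Spybot format).
LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<decision>Allowed|Denied) \(based on (?P<basis>[^)]+)\) '
    r'value "(?P<name>[^"]+)" \(new data: "(?P<data>.*)"\) '
    r'(?P<action>added|deleted) in System Startup (?P<scope>global|user) entry!$'
)
# A rundll32 invocation carrying a DLL path, quoted or not.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.IGNORECASE)


def parse_teatimer_log(text):
    """Return one dict per recognised log line; unrecognised lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def denied_cleanups(events):
    """Spybot's own next-boot cleanup entries (SpybotDeleting*) that the user denied."""
    return [e for e in events
            if e["name"].startswith("SpybotDeleting") and e["decision"] == "Denied"]


def leftover_files(events):
    """Files a denied cleanup entry would have deleted, so they are probably still on disk."""
    paths = set()
    for e in denied_cleanups(events):
        m = re.search(r'del "([^"]+)"', e["data"])
        if m:
            paths.add(m.group(1).lower())
    return sorted(paths)


def resurrecting_autostarts(events):
    """Startup values that were deleted and later re-added as a rundll32 DLL loader.

    That delete/re-add cycle in the same scope is the persistence loop the
    poster is seeing: the removal succeeds, then the still-running component
    writes the autostart entry back.
    """
    readds = defaultdict(int)
    dlls = defaultdict(set)
    seen_deleted = set()
    for e in events:
        key = (e["scope"], e["name"])
        if e["action"] == "deleted":
            seen_deleted.add(key)
        elif e["action"] == "added" and key in seen_deleted:
            m = RUNDLL_RE.search(e["data"])
            if m:
                readds[e["name"]] += 1
                dlls[e["name"]].add(m.group(1).lower())
    return {name: {"readded": n, "dlls": sorted(dlls[name])} for name, n in readds.items()}


if __name__ == "__main__":
    ev = parse_teatimer_log(SAMPLE_LOG)
    print(f"{len(ev)} TeaTimer events parsed")
    for name, info in resurrecting_autostarts(ev).items():
        print(f"autostart '{name}' re-created {info['readded']}x, loading {info['dlls']}")
    for path in leftover_files(ev):
        print(f"cleanup denied, file likely still present: {path}")
```

On the sample above the script reports `peyomaluhu` re-created twice loading `c:\windows\system32\kumeweva.dll`, and two `.dll_old` files whose scheduled deletion was denied. That is the evidence a helper in the Malware Removal forum would want alongside the HijackThis log: the autostart name, the DLL it loads, and which cleanup steps never ran.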

drragostea
2009-01-19, 09:07
Does the .dll error still occur?
And also, if you should remove Spybot-Search&Destroy, it should (I'm pretty sure) remove the settings too; if not, it'll just leave behind a folder with some configuration files.

To skip the technical stuff in fixing that .dll error, you might as well uninstall Spybot and install a fresh copy from here:
http://www.safer-networking.org/en/mirrors/index.html
-
Doing so, should remove your settings for TeaTimer too (seems to be a bit in a jumble) because the Virtumonde entry seems to persistently reappear.

What you'll have to do is start your own thread in the Malware Removal Forums to remove Virtumonde. A specialist will assist you to remove it (because Virtumonde is going to be persistent).
Follow the directions below and attach the required logs (just HJT will do fine) and install a fresh copy of Spybot-Search&Destroy (this time, I would really suggest you do not install TeaTimer, because you'll have to disable it when your helper assists you to prevent TeaTimer from interfering with the fixes).

Good luck (instructions below).
---
Consider posting in the Malware Removal (http://forums.spybot.info/forumdisplay.php?f=22) forum and having someone take a look at your system.

If you decide to have an experienced malware removal specialist assist you, please follow the procedure in this link to run scans and produce a HijackThis log: "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) ( http://forums.spybot.info/showthread.php?t=288).
After you have completed the required scans and produced the requested logs, start your own thread in the Malware Removal (http://forums.spybot.info/forumdisplay.php?f=22) forum, making sure to post the HijackThis log produced from the above instructions.
___