I’ve been trying to figure out some PC issues for a while now and I’ll push this to the cloud so some future generation doesn’t have to face this.
Symptoms:
– lot of blue-screen errors
– lot of dead processes, many of them off on rundll32.exe
– weird connectivity issues (DNS timeouts, pages not loading)
– then this week, a couple of weird pop-up issues
Now here’s the thing… I run full antivirus, firewall, the whole kit and kaboodle, and I practice safe computing. I haven’t had any kind of issue like this in ten years, easily.
Interestingly, because I don’t use IE much, I didn’t notice what was going on for a long time, because that’s where it fires off all the pop-up windows (etc).
Anyway, the tale continues.
There are many weird entries in my startup:
yodokuge, rundll32.exe c:\windows\system32\yodokuge.dll”,b
yojinafi, rundll32.exe c:\windows\system32\yojinafi.dll”,s
yodokuge, rundll32.exe c:\windows\system32\yodokuge.dll”,b
munemume, rundll32.exe c:\windows\system32\munemume.dll”,a
Information on this is scant. Here’s a McAffe post on the last one. This is intentional, of course: they’re using randomly-generated names to make them harder to detect and, presumably, harder to troubleshoot.
And it’s all over the place. When I run Hijack This!, there’s a ton of this:
O2 - BHO: (no name) - {4c9e468c-2390-4182-91ff-0f82b3d9ee48} - C:\WINDOWS\system32\vupeteho.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL C:\WINDOWS\system32\hewalote.dll c:\windows\system32\femawiko.dll c:\windows\system32\munemume.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\munemume.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\munemume.dll
That thing wants to be run in the worst way.
I believe that this is “Vundo.H” which is… well, check out Google… there’s a lot of people who are just hosed.
First, and I can’t recommend this highly enough, if you have a clean box, use it to do the research and potentially the downloading/CD burning/etc you’ll require. There’s going to be a lot of rebooting ahead of you.
Figuring out what you’ve come down with
– crack open task manager, and look for any strange rundll32.exe processes you see.
– scan the process list for any other unfamiliar process names
– open up msconfig (windows-R, type msconfig) and look through the startup list. You should see a bunch of weird rundll32 items.
– if you’ve got it, run Hijack This! which will produce a sweet log file you can scour.
– scour that log file
Optional
– Fix yourself a cold beverage, because this is going to take a while
Tools
– Hijack This!
– I used Malwarebytes’ Anti-Malware 1.36
Fixing (how I finally got it to work, your mileage will vary)
1. In task manager, try and kill off the weird rundll32 processes. You may have no success as they spawn new ones, but if it works it’ll save you a lot of trouble down the line
2. Run your anti-malware tool of choice. The first time through, you’re probably not going to make much progress, so do the quick scan, it’ll find like ~20 things in memory/startup/whatever. Fix them. It’ll ask you to reboot. Don’t.
3. If you can, run a full anti-virus scan, with updated definitions and everything. Hopefully it’ll turn up a metric ton of files with names like wuwuaua.dll.bak and so on, and be able to nuke them.
4. Reboot in safe mode. Run a set of full scans. Fix everything.
5. Repeat step 4 until nothing comes up. This will take a couple of cycles.
It took me pretty much a whole evening to fix, though obviously you’re not involved the whole time. I watched a baseball game. Each time you go through the cycle, you’re eliminating places the files can live, ways it can load, and closing off places it can go.
And some of the loops… like the extremely thorough virus scan I just did, take a long, long time (35h). But it finally came up clean.
Anyway, so yeah, future generations: be persistent, patient, and you can win. But if you just wipe, reinstall everything, and go on your merry way, well, I wouldn’t blame you.
The primary function of antivirus – of all security software – is to PREVENT infection/intrusion. A resident antivirus is much less effective at disinfecting a system which for whatever reason has become infected. In that case, the infected HD should be removed, then installed as a static, non-bootable second drive in a clean box, whose antivirus will more likely disinfect the infected drive, by experience in one sweep. If that doesn’t work, simply cut your losses and wipe/reinstall.
This strategy – with antimalware as well – eliminates time-consuming, incremental sweeps which in the end might not be entirely successful. A friend brought me her box recently, infected to the max due to negligence with antivirus updates. I stuck her HD into my computer, scanned, disinfected, and replaced – less than an hour’s work for a now disinfected system.
That’s a sweet strategy. If I’d had a second box, that would have been perfect. Thanks!