
Remove Virtumode gutodayo file from loading...


17 replies to this topic

#1 funkyox1

  • Members
  • 11 posts

Posted 01 March 2009 - 05:49 PM

Greetings,
I have just used ComboFix to remove my spyware issues, but still am getting something loading into the registry even after the file has been deleted.

Every time I boot up I get the error that this file is not found.
Gutodayo
I found out this is part of the Virtumonde spyware family.

Even when I delete this registry entry it keeps coming back after I boot up.
O4 - HKLM\..\Run: [CPM8b954291] Rundll32.exe "C:\WINDOWS\System32\gutodayo.dll",a

How can I stop this from loading into the registry every time I boot up?
Spybot keeps finding this and lists it as Virtumode..

Any help would be greatly appreciated.



#2 funkyox1

  • Topic Starter
  • Members
  • 11 posts

Posted 01 March 2009 - 05:59 PM

Greetings,
I just used ComboFix to correct some spyware issues I am having.
Now every time I boot up I get this error.

Norton Password Manager:
---------------------------
Microsoft Visual C++ Runtime Library
---------------------------
Runtime Error!

Program: ...am Files\Norton SystemWorks\Password Manager\AcctMgr.exe

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

I tried both of these fixes from the Norton help site, but am still having this issue.

1) You need to reinstall Microsoft Windows Script. Click the link for Microsoft Windows Script 5.7 for your version of Windows.

2) Reinstall or update DirectX

I have lost my Norton install CD and code and am not sure if I can re-install this properly from Add/Remove Programs without it..

Any help would be greatly appreciated.
Thanks

#3 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,807 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 02 March 2009 - 06:00 PM

Hello funkyox1 and welcome to BC :thumbsup:

I have merged your two topics and I am moving them from the specialized HiJack This forum to the Am I Infected forum as no logs are posted.

PLEASE DO NOT NOW POST LOGS. We do not analyze them in this forum.

Please note that ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

I also direct you to Papakid's excellent remarks on just why this program is not to be used unless under the guidance of a specialist: http://www.bleepingcomputer.com/forums/ind...t&p=1159014

That said, please tell us:

1) What is your operating system: Windows XP, Vista, etc.

2) What issues were you and are you having with your computer? What spyware issues were you having? What symptoms were you experiencing and what symptoms are you experiencing now?

3) What you tried to resolve the issue?

4) What security programs do you have installed?

Orange Blossom :flowers:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 funkyox1

  • Topic Starter
  • Members
  • 11 posts

Posted 03 March 2009 - 08:06 AM

Hi Orange Blossom.
Thanks for replying to me..

First off, I fixed my Norton Password Manager issues by re-running the original Password Manager MSI.

Now I'll answer all your questions.
1) I am using Windows XP SP1
2) and 3) Answered below.
I was getting spyware from the Sharebee and Megaupload sites. (I download a lot of free music from music blogs)
My IE would freeze up, and also many many IE windows would open up at once. I use Firefox mainly and even that browser was getting popups. Also my regular windows explorer was freezing. My pc is always clean, I can tell instantly when I have new spyware. This last instance occured when I was using both IE and Firefox to download music. Both browsers froze when I was sent to Sharebee, right after that I was infected. I cleaned up pretty much everything at this point with the one exception that I posted as an issue.
I first used Spybot which detected the Virtumode gutodayo bug in the registry.
I used Hijack this which also found the same thing here.
O4 - HKLM\..\Run: [CPM8b954291] Rundll32.exe "C:\WINDOWS\System32\gutodayo.dll",a
I checked out msconfig and also found this gutodayo dll running through rundll32.exe...
(It's always the same reg key that is the problem)
HK_local_Machine\SOFTWARE\Microsoft\Windows\Current Version\Run\Rundll32.exe "C:\WINDOWS\System32\gutodayo.dll",a
I used Malwarebytes and Combofix as well.
Malwarebytes found the same gutodayo file, but ComboFix did not..
(ComboFix actually found gutodayo as an orphaned file)

No matter what I used, it would clean the gutodayo bug, but it would come back instantly (unless I was in safe mode or using miniPE).

My problem is that no matter how many times I delete this gutodayo file from the registry using any means, it comes right back instantly.
It lives here:
HK_local_Machine\SOFTWARE\Microsoft\Windows\Current Version\Run\Rundll32.exe "C:\WINDOWS\System32\gutodayo.dll",a

This is very very nasty.
Every time I boot up I get the rundll32 error that the gutodayo file is not found.
I found this gutodayo file hidden in the System32 directory with no date/time stamp; I deleted this file as well as 5 or 6 other associated bad hidden files, also with no date/time stamps.
I located these using the miniPE utility as a boot up tool.

I do believe this gutodayo file is gone, my browsers and pc seem to be working fine now.
What I need to do now is figure out how to get this gutodayo file reg key from loading into the reg everytime it is deleted.
I am thinking some type of odd service or exe file is running, or maybe one of the system or win .ini files has been modified.

I did notice an odd entry in a related reg key.
This looked odd to me.
HK_local_Machine\SOFTWARE\Microsoft\Windows\Current Version\Runonce\regsister -regserver. I think it said..(I forgot exactly what else came after, there might be more to this, I deleted this key as well and it too, came right back)
I could find no info on any type of "regsister" file...

Hopefully you kind folks here can shed some light on this for me.

4) I am using the 2004 Norton SystemWorks suite of products as well as Spybot with TeaTimer running to let me know when new registry entries are made.

Thanks Orange Blossom, I hope to hear from someone..
This has been a great learning experience dealing with this issue, I hope to learn why this gutodayo file still loads into the reg every time its deleted.
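
The symptom described in this post (a Run value that launches rundll32 against a DLL that is no longer on disk, and that reappears after being deleted) can be checked from the command line rather than by eye in msconfig. The PowerShell below is an added example and is not code posted in this thread; it assumes an elevated PowerShell session on the affected machine (PowerShell itself is an assumption here, since the poster's XP SP1 box would not have had it by default, and reg.exe would be the stand-in). It lists Run/RunOnce values under HKLM and HKCU, pulls out the DLL that rundll32 would load, tests whether that file exists, and, when run with -Remove, deletes the orphaned values and re-reads the key five seconds later to tell you whether some running process is putting them back. The set of keys and the five-second wait are my choices, not from the thread.

```powershell
# Added example, not from the thread: audit Run/RunOnce autostart values for
# rundll32 entries whose target DLL is missing from disk. An orphaned value
# of that shape is what produces a "file not found" rundll32 error at boot.
# Read-only unless -Remove is given. Assumes an elevated PowerShell session.
[CmdletBinding()]
param([switch]$Remove)

$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Provider metadata that Get-ItemProperty returns alongside the real values.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Matches  Rundll32.exe "C:\WINDOWS\System32\gutodayo.dll",a
# and      C:\WINDOWS\system32\rundll32.exe C:\path\x.dll,Entry
# Group 1 is the DLL path, with or without surrounding quotes.
$rundllPattern = '(?i)^\s*"?(?:\S*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*(?:,.*)?$'

$findings = foreach ($key in $autostartKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($providerProps -contains $prop.Name) { continue }
        $cmd = [string]$prop.Value
        $m = [regex]::Match($cmd, $rundllPattern)
        if (-not $m.Success) { continue }
        $dll = [Environment]::ExpandEnvironmentVariables($m.Groups[1].Value)
        [pscustomobject]@{
            Key       = $key
            ValueName = $prop.Name
            Command   = $cmd
            TargetDll = $dll
            DllExists = Test-Path -LiteralPath $dll
        }
    }
}

$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in @($findings | Where-Object { -not $_.DllExists })) {
        Remove-ItemProperty -Path $f.Key -Name $f.ValueName
        Start-Sleep -Seconds 5
        # If the value is back within seconds, something still running on the
        # box (a malware watchdog, or a registry "protection" tool that reverts
        # changes) is restoring it. Find and stop that before deleting again.
        $again = (Get-ItemProperty -Path $f.Key -ErrorAction SilentlyContinue).($f.ValueName)
        if ($null -ne $again) {
            Write-Warning "$($f.ValueName) reappeared in $($f.Key) within 5 s: $again"
        } else {
            Write-Output "Removed $($f.ValueName) from $($f.Key)"
        }
    }
}
```

Run it once without -Remove to see the table; an entry with DllExists False is the orphan. The re-read after deletion is the step that was missing from the thread: it separates a value that only returns at the next boot (re-created by something in the startup chain) from one that returns within seconds (re-created by a process that is running right now, which is where a registry guard like TeaTimer shows up).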

#5 DaChew

    Visiting Alien

  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 03 March 2009 - 08:24 AM

:thumbsup: funkyox1

We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  • Open Spybot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click [image] and then on "Advanced Mode"
    [image]
  • You may be presented with a warning dialog. If so, press [image]
  • Click on [image]
  • Click on [image]
  • Uncheck this checkbox:
    [image]
  • Close/Exit Spybot Search and Destroy
Reboot.

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Now make sure MBAM is updated

Please download Malwarebytes Anti-Malware (v1.34) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

I need to see a current complete MBAM log
Chewy

No. Try not. Do... or do not. There is no try.

#6 funkyox1

  • Topic Starter
  • Members
  • 11 posts

Posted 03 March 2009 - 09:49 AM

Thanks for the quick response Chewy,
I'll perform all of these instructions ASAP.
Should I post the MBAM log here or the other post that requests logs?
Thanks, talk to you soon..

#7 DaChew

    Visiting Alien

  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 03 March 2009 - 10:00 AM

Post logs that I ask for specifically, if you post a HJT log or Combofix or similar in this forum then that will close this thread

Logs is a general term; I think Orange Blossom was referring to those special HJT logs that only go in that forum.

Edited by DaChew, 03 March 2009 - 10:02 AM.

Chewy

#8 funkyox1

  • Topic Starter
  • Members
  • 11 posts

Posted 03 March 2009 - 08:43 PM

Hi Chewy,
Well I followed exactly what you recommended.
And it looks like I am 100% clean now with no bugs.
Not sure what did the trick, maybe it was the ATF Cleaner or maybe it was the Malwarebytes latest update running the quick scan.
(I just ran Malwarebytes yesterday with yesterdays update but running the full scan.. It only found the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm8b954291 (Trojan.Vundo.H) key then)

Today it found the culprit that was loading the gutodayo dll into the above reg key.
The culprit appears to be this little guy. C:\WINDOWS\Fonts\franšais.EXE (Worm.Archive)

Crazy stuff...

Thank you for all your help. You guys are the best. Fast response and right on the money.
I can't thank you enough..
Below is the Malwarebytes log you requested..

Do you have any recommendations to prevent me from acquiring more nasty spyware?? (besides stopping my downloading of music, lol)
It sure is a shame that the little pleasure I get from downloading legitimate music from music sharing blogs can be ruined by getting infected with all this nasty spyware...

Thanks again Chewy, May the force be with you!!!

Malwarebytes' Anti-Malware 1.34
Database version: 1815
Windows 5.1.2600 Service Pack 1

3/3/2009 6:41:13 PM
mbam-log-2009-03-03 (18-41-13).txt

Scan type: Quick Scan
Objects scanned: 74145
Time elapsed: 4 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm8b954291 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Fonts\franšais.EXE (Worm.Archive) -> Quarantined and deleted successfully.
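
The log above traces the reinfection to an executable dropped in C:\WINDOWS\Fonts. That directory is a convenient hiding place because Explorer presents it through a font-specific shell view that lists installed fonts rather than arbitrary files, so a stray .EXE there is never seen in the GUI. The PowerShell below is an added example, not code posted in the thread; it assumes it is run on the machine under inspection and that the Fonts directory is %WINDIR%\Fonts. It walks the directory including hidden and system files and reports anything with an executable extension or a PE header, while leaving the .fon bitmap fonts alone: those are 16-bit NE modules and legitimately begin with an MZ stub, so a bare "MZ" check would flag every one of them.

```powershell
# Added example, not from the thread: report files in the Fonts directory
# that are really Win32 executables (PE image) or carry an executable
# extension, whatever their name. Explorer hides non-font files in Fonts,
# which is how a worm dropped as C:\WINDOWS\Fonts\<name>.EXE stays unseen.
# Read-only. Assumes it runs on the host under inspection.
param([string]$FontsDir = (Join-Path $env:WINDIR 'Fonts'))

$execExtensions = '.exe', '.dll', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js'

function Get-ImageType {
    # Returns 'PE' (Win32/64 image), 'NE' (16-bit, e.g. a legitimate .fon),
    # 'MZ' (DOS stub only), 'none' (not an executable) or 'unreadable'.
    param([string]$Path)
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    } catch {
        return 'unreadable'
    }
    try {
        $hdr = New-Object byte[] 64
        if ($fs.Read($hdr, 0, 64) -lt 64) { return 'none' }
        if ($hdr[0] -ne 0x4D -or $hdr[1] -ne 0x5A) { return 'none' }   # no 'MZ' stub
        $lfanew = [BitConverter]::ToUInt32($hdr, 0x3C)                 # e_lfanew: offset of NE/PE header
        if ($lfanew -ge ($fs.Length - 4)) { return 'MZ' }
        $fs.Seek($lfanew, 'Begin') | Out-Null
        $sig = New-Object byte[] 4
        if ($fs.Read($sig, 0, 4) -lt 4) { return 'MZ' }
        if ($sig[0] -eq 0x50 -and $sig[1] -eq 0x45 -and $sig[2] -eq 0 -and $sig[3] -eq 0) { return 'PE' }
        if ($sig[0] -eq 0x4E -and $sig[1] -eq 0x45) { return 'NE' }
        return 'MZ'
    } finally {
        $fs.Dispose()
    }
}

# -Force includes hidden and system files, which Explorer would also hide.
Get-ChildItem -LiteralPath $FontsDir -File -Force | ForEach-Object {
    $type   = Get-ImageType -Path $_.FullName
    $badExt = $execExtensions -contains $_.Extension.ToLower()
    if ($type -eq 'PE' -or $type -eq 'unreadable' -or $badExt) {
        [pscustomobject]@{
            Name      = $_.Name
            Hidden    = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
            LastWrite = $_.LastWriteTime   # a blank or 1601-01-01 stamp is itself a red flag
            Image     = $type
            ExecExt   = $badExt
            Bytes     = $_.Length
        }
    }
} | Format-Table -AutoSize
```

Anything listed with Image PE in a fonts directory deserves a look; a file that is unreadable while everything around it opens fine is worth noting too, since a running executable holds its own file open. The same walk can be pointed at other directories the poster mentioned (System32 with -Force to catch the hidden files) by changing the -FontsDir argument.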

#9 DaChew

    Visiting Alien

  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 03 March 2009 - 09:25 PM

http://www.bleepingcomputer.com/forums/ind...t&p=1160679

Here's some prevention tips, there are many more around this forum

The best tool is sitting on your shoulders, use it.
Chewy

#10 funkyox1

  • Topic Starter
  • Members
  • 11 posts

Posted 03 March 2009 - 10:03 PM

Hey Chewy,
Guess what..
When I activated my Spybot Teatimer, my issue reappeared..
Can you believe that??
Is there a way to clean out the settings within teatimer to start fresh..

I think thats been the issue all along..
It seems to be putting the gutodayo dll back in the registry

HK_local_Machine\SOFTWARE\Microsoft\Windows\Current Version\Run\Rundll32.exe "C:\WINDOWS\System32\gutodayo.dll",a

Damn, the things you find out..
All good learning tho'...

#11 DaChew

    Visiting Alien

  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 03 March 2009 - 10:32 PM

I reloaded 2 or 3 computers I built because of TeaTimer; I was loading Spybot before Norton's and Windows Update.

Long ago and far away

Can you believe that??


Yes, I don't like the feature and I have been using spybot since Moses came down off the mountain
Chewy

#12 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,807 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 03 March 2009 - 11:45 PM

Is there a way to clean out the settings within teatimer to start fresh..


There is a way of resetting it. However, I don't know what that is. I'll find someone that does. In the meantime, I'd suggest deactivating Teatimer.

Orange Blossom :thumbsup:

#13 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,762 posts
  • Gender:Male
  • Location:NJ USA

Posted 03 March 2009 - 11:50 PM

We need to enable Spybot S&D's "TeaTimer"
Now that we're done with the fix, we should reenable TeaTimer.
  • Open Spybot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click on [image]
  • Click on [image]
  • Check this checkbox:
    [image]
  • Close/Exit Spybot Search and Destroy

How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#14 DaChew

    Visiting Alien

  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 03 March 2009 - 11:52 PM

I'll find someone that does


Then download ResetTeaTimer.exe to your desktop. (In case you use Firefox, right-click the link and choose "Save Link As".)
Double-click ResetTeaTimer.exe and let it run.

http://home.hetnet.nl/~stefsmeenk/ResetTeaTimer.exe

Make sure teatimer is turned off first

Now rerun MBAM and other scanners
Chewy

#15 funkyox1

  • Topic Starter
  • Members
  • 11 posts

Posted 04 March 2009 - 07:16 AM

Great, thanks..
I'll try that resetteatimer.exe and let you folks know how it turns out...

Thanks everybody, for your help and assistance...



