Today I discovered a strange behavior on my WinXP box. No websites would appear in Google Chrome. Internet Explorer would spontaneously open to serve ads, and occasionally popups would appear in Firefox too.
I ran a virus scan, and Zone Alarm pinpointed a .dll file in windows/system32 as the culprit. I quarantined it, and thought I was done with the problem.
Not so! It seems that whenever I rebooted the machine, the malicious file would return, only with a different name.
So, I checked all the usual places…
I ran regedit and found a registry entry in HKLMSoftwareMicrosoftWindowsCurrentVersionRun that was using RunDLL32.exe to run a dll called wumomara.dll and another that was identical running nusoyeta.dll.
I’m guessing these are random names generated by whatever trojan started the whole thing in the first place. They’re both 8 characters long with alternating consonants and vowels.
I deleted both, then did a search for wumomara in the registry, and noticed that it had reappeared as quickly as I had deleted it.
I downloaded Mike Lin’s Startup Control Panel, and tried to delete it from there. Still no luck. As soon as I disabled one, an identical entry would appear.
I tried the same things after rebooting in Safe Mode. Still no luck.
I went to c:windowssystem32 and looked for the DLLs. They were hidden. So, I changed settings and permissions on the whole dang folder until I could see them.
Tried to delete them. Permission denied.
Tried to rename them. Permission denied.
Finally had some success when I tried to move them. CTRL-X from the system32 directory and CTRL-V on the desktop.
Then I created new text files called nusoyeta.dll and wumomara.dll in system32 and made them readonly.
Upon rebooting, I got bombarded with errors that wumomara was not a valid file. Not a problem, everything started up.
Then I went back to regedit, and did another search for wumomara.
This time, I found it all over the registry and I started removing entries.
This time, when I deleted the entry from HKLMSoftwareMicrosoftWindowsCurrentVersionRun it stayed gone.
Rebooting one more time showed that the errors were all gone.
Then, since somewhere along the line my firewall got buggy, I reinstalled ZoneAlarm, and ran a full “deep” scan. It found one remaining file… guhapiba.dll.vzr… which it was able to quarantine.
Chrome once again shows websites as it ought. No more unwanted popups are appearing, and my computer seems just a little faster.