#16 · December 13th, 2008 · 01:30 PM
128 threads / 44 songs
2,814 posts
Puerto Rico
The name that keeps coming up is Trojan Vundo....
#17 · December 13th, 2008 · 03:04 PM
341 threads / 59 songs
4,361 posts
Cymru (Wales)
There seems to be loads of info on Vundo in a Google search. It does seem to be a Symantec name for a virus/trojan, not an AVG name. They can have different names for the same trojans.
Anyway, I've just read through this thread http://forums.techguy.org/malware-removal-hijackthis-logs/406823-solved-trojan-vundo-virus.html, all 3 pages of it. I think you could do the same, M; there might be an answer in there for you.
There are a few entries in the HJT log that look dubious:

Bonjour\mDNSResponder.exe
crypserv.exe
New Boundary\PrismXL\PRISMXL.SYS
RTHDCPL.EXE
DNA\btdna.exe
wscntfy.exe

Gateway sidepanel

O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup

O4 - HKUS\S-1-5-19\..\Run: [tudilukomu] Rundll32.exe "C:\WINDOWS\system32\heyovoki.dll",s (User 'LOCAL SERVICE')

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

You should recognise most of these, but RTHDCPL.EXE, ALCMTR.EXE and heyovoki.dll look mega dubious.
I'm no expert, so a search is needed before action is taken...!
If I was you I'd go after these three, have the windows I mentioned above open and try to suss what is activating what. You could turn off all the startup programs in msconfig, reboot, and see which programs have reinstated their startup command. Likelihood is your trojan will write itself into the startup list.
Otherwise look in Prefetch; it will be there as a startup command file.

If you read that thread you'll see he tells him to delete files with odd names, 'fwxtpon.dll', whatever. Your trojan will create files and will have called them random names, so you won't find them online, maybe?!
AVG found a trojan once in a program called 'Bonjourno', so I'm wary of it.
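The by-hand triage in this post (read the O4 and O2 lines, look for a rundll32-loaded DLL in system32 under a service account, and for value and file names that look randomly generated) can be turned into a script. The following is an added example, not code from the thread or from HijackThis. It assumes a HijackThis-style text log; the sample lines are constructed from the entries quoted above, and the "random name" check is a deliberately crude heuristic (lowercase letters only, 6 to 12 long) that matches the generated names seen in this log and will need tuning on other systems.

```python
"""Heuristic triage of HijackThis-style O2 (BHO) and O4 (Run key) lines.

Added example, not part of the original thread. The sample log below is
constructed from the entries quoted in the post; paths carry real backslashes.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample, assembled from the entries quoted in the post above.
SAMPLE_LOG = r"""
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-19\..\Run: [tudilukomu] Rundll32.exe "C:\WINDOWS\system32\heyovoki.dll",s (User 'LOCAL SERVICE')
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<desc>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
# First drive-letter or %VAR%-rooted path ending in a loadable extension.
PATH_RE = re.compile(r'"?(?P<path>(?:[A-Za-z]:|%[A-Za-z]+%)\\[^"]*?\.(?:dll|exe|sys))"?', re.I)
# Assumption: generated names in this log are 6-12 lowercase letters (heyovoki, tudilukomu).
RANDOM_NAME_RE = re.compile(r"[a-z]{6,12}")
# Run entries for SYSTEM / LOCAL SERVICE / NETWORK SERVICE are rare for legitimate software.
SERVICE_SIDS = ("S-1-5-18", "S-1-5-19", "S-1-5-20")


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def first_path(cmd: str) -> str:
    """Return the first file path in a Run command, or its first token if there is none."""
    m = PATH_RE.search(cmd)
    if m:
        return m.group("path")
    tokens = cmd.split()
    return tokens[0] if tokens else cmd


def looks_random(filename: str) -> bool:
    """True if the file's stem (no directory, no extension) matches the generated-name pattern."""
    stem = basename(filename).rsplit(".", 1)[0]
    return RANDOM_NAME_RE.fullmatch(stem) is not None


def triage(log_text: str) -> List[Finding]:
    """Score each O2/O4 line; entries with no reason to look at them are dropped."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons: List[str] = []
        m = O4_RE.match(line)
        if m:
            hive, name, cmd = m.group("hive", "name", "cmd")
            path = first_path(cmd)
            if RANDOM_NAME_RE.fullmatch(name):
                reasons.append(f"value name '{name}' looks machine-generated")
            if looks_random(path):
                reasons.append(f"file name '{basename(path)}' looks machine-generated")
            if cmd.lower().startswith("rundll32") and path.lower().endswith(".dll"):
                reasons.append(f"rundll32 loads {path} at logon")
            sid = next((s for s in SERVICE_SIDS if s in hive), None)
            if sid:
                reasons.append(f"Run entry registered under service account {sid}")
        else:
            m = O2_RE.match(line)
            if m:
                path = m.group("path")
                if looks_random(path):
                    reasons.append(f"BHO file name '{basename(path)}' looks machine-generated")
                if "\\system32\\" in path.lower():
                    reasons.append("BHO loaded from system32 rather than a vendor folder")
        if reasons:
            findings.append(Finding(line, reasons))
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.score}] {f.line}")
        for r in f.reasons:
            print(f"      - {r}")
```

Run against the constructed sample, the heyovoki.dll entry comes out on top with four independent reasons, the BAE.dll BHO gets one weak reason, and the vendor-path entries (Power2Go, BitTorrent DNA, the Realtek and Gateway ones) are not listed at all. The score is only a reading order for a human; it is not a verdict, and every flagged file still needs the search the post asks for.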
#18 · December 13th, 2008 · 11:58 PM
117 threads / 20 songs
1,422 posts
United States of America
Hey, Marino... install Spyware Terminator. If it asks you to install its own virus protection, say no ("Clam" Antivirus or something).

Once SpywareTerminator is installed, you'll have the power to allow or block anything that tries to run.  Any time you see "heyovoki.dll" trying to run, just tell it to block it (and checkmark the box that says "remember this choice").

And like kings said, if you see any of those ".dll" files with seemingly random names, just Google-search it and if you see results about viruses, then block it from running if/when it tries to (using Spyware Terminator), and then use KillBox to delete the very same file.

If it really is a virus/malware/spyware, you'll notice that it tries to launch itself kind of frequently, but Spyware Terminator will allow you to dis-allow that.

Cleaning a computer off of stuff like this can be dang tricky.  If I had your computer in front of me I could be of more help, but being so far away is a severe limitation.
#19 · December 13th, 2008 · 11:59 PM
117 threads / 20 songs
1,422 posts
United States of America
heyovoki.dll definitely is part of the Vundo virus, just to be clear.
#20 · December 14th, 2008 · 03:16 AM
341 threads / 59 songs
4,361 posts
Cymru (Wales)
M, I didn't have time to do any searching for you yesterday, so I just checked out a few of the names I copied from the HJT log: seems that the only really dodgy file is the heyovoki.dll indeed.
On making a Google search I get 2 results: 1) this BandAMP thread and 2) a very, very dodgy (too clean) looking site offering to scan (scam) my PC for Vundo; they list all the possible registry entries, probably because they know what file names it will create.
Yes, if only I had your PC in front of me too; it would be a lot easier.
All you can really do is get on to another PC and follow any instructions to get rid of Vundo on your own.
Keep us updated as to your progress if you can.
#21 · December 14th, 2008 · 06:53 AM
128 threads / 44 songs
2,814 posts
Puerto Rico
Is there software I can buy to get this resolved? It all points to messing with my registry and finding what seems like any random set of names... I saw a few options online, but I'm scared to get anything online now, so I'd rather get it at the PC store. Suggestions...

Did you guys see heyovoki in my log? I can't find it.
Man, thanks for your help guys... I'm freaking out....

I did the Spyware Terminator thing with the realtime protection and web shield; would that work?
#22 · December 14th, 2008 · 09:20 AM
341 threads / 59 songs
4,361 posts
Cymru (Wales)
Marino wrote…
Is there software I can buy to get this resolved? It all points to messing with my registry and finding what seems like any random set of names... I saw a few options online, but I'm scared to get anything online now, so I'd rather get it at the PC store. Suggestions...

Did you guys see heyovoki in my log? I can't find it.
Man, thanks for your help guys... I'm freaking out....

I did the Spyware Terminator thing with the realtime protection and web shield; would that work?

Most of all, M, don't freak out!
I wouldn't know of any 'buy me out of this shit' button, sorry.
I do know the 'work your own way out', lol.
BTW... READ THAT LINK I GAVE YOU IN POST #17... sorry for shouting.
Visit that page through another PC, read the thread, understand it (enough), download all the programs they tell you to and copy them onto a disk or a USB stick, and get them into your infected PC that way if you don't want to go online with the infected PC.
You could go after that heyovoki.dll file in your system and find a way to delete it, in safe mode or with a program.
What you have to try to do is hit the 'set up' of the 'virus', getting it to not activate or protect itself. Then you use the programs recommended on the thread to take out the rest (reg entries etc.).
I wouldn't piss about too much in your reg; there are programs, as I said, to deal with that. You need to find the files it has deposited on your PC.
#23 · December 14th, 2008 · 09:35 AM
128 threads / 44 songs
2,814 posts
Puerto Rico
I can't get to safe mode. I'm getting a screen with a whole bunch of #'s. Any suggestions? I ran Spyware Terminator and the other suggested one and it finds nothing; not getting any more spam either, but I'm sure it's hiding... Now where is it??


Ahh, it's opening.... I'm going to run Spyware Terminator in safe mode...
#24 · December 14th, 2008 · 10:46 AM
341 threads / 59 songs
4,361 posts
Cymru (Wales)
The places I know:
- Start/run/msconfig/startup
- Windows/Prefetch
- Windows/System32
- C/Program Files
- My Computer/(right click)Properties/System Restore

M, do it yourself.....
It might be under an 'odd' program name in Program Files, though that one might have been detected by the programs you're using.
If it's still in there and still popping up after a startup, you still haven't looked in all the right places.

Have you simply opened your 'Task Manager' and looked to see what's running? It is a little easier than HJT.
Any weird file names running?

Oh! As to a screen full of #'s..... take your finger off the button!
#25 · December 14th, 2008 · 12:11 PM
189 threads / 27 songs
2,834 posts
Germany
Maybe someone with lots of experience can look into your computer with TeamViewer to eliminate this virus.
#26 · December 14th, 2008 · 12:22 PM
128 threads / 44 songs
2,814 posts
Puerto Rico
I found this in Windows Prefetch. It's the same name as the BitTorrent DNA one except for the #'s at the end. Did a search on it and it came up as a Vundo virus... So I went to it and deleted it. Still looking for more...
#27 · December 14th, 2008 · 12:46 PM
341 threads / 59 songs
4,361 posts
Cymru (Wales)
Way to go, M.
That's exactly how to do it, piece by piece, so the DNAbtdna.exe entry I copied is not kosher; it doesn't look kosher!
You might find a folder in Program Files that points to / holds DNAbtdna.exe.
On having a second look at your original HJT log, DNAbtdna.exe might be using Program Files as a root folder, look:
C:Program FilesDNAbtdna.exe - it's not in a folder.
#28 · December 14th, 2008 · 12:50 PM
341 threads / 59 songs
4,361 posts
Cymru (Wales)
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
You've still got it running at startup in the original HJT.
#29 · December 14th, 2008 · 12:54 PM
341 threads / 59 songs
4,361 posts
Cymru (Wales)
#30 · December 14th, 2008 · 12:56 PM
341 threads / 59 songs
4,361 posts
Cymru (Wales)
And I think it's created rophvd.dll; make a search for this file on your PC, narrow it down to Windows/system32 to start with.
No point googling; it's a random name.
© 2002-2012 BandAMP. All Rights Reserved.