There seems to be loads of info on Vundo on a Google search. It does seem to be a Symantec name for a virus/trojan, not an AVG name. They can have different names for the same trojans.
Anyway, I've just read through this thread http://forums.techguy.org/malware-removal-hijackthis-logs/406823-solved-trojan-vundo-virus.html all 3 pages of it. I think you could do the same, M; there might be an answer in there for you.
There are a few entries in the HJT log that look dubious:
BonjourmDNSResponder.exe
crypserv.exe
New BoundaryPrismXLPRISMXL.SYS
RTHDCPL.EXE
DNAbtdna.exe
wscntfy.exe
Gateway sidepanel
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKUS\S-1-5-19\..\Run: [tudilukomu] Rundll32.exe "C:\WINDOWS\system32\heyovoki.dll",s (User 'LOCAL SERVICE')
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
You should recognise most of these, but RTHDCPL.EXE, ALCMTR.EXE and heyovoki.dll look mega dubious.
I'm no expert, so a search is needed before action is taken!
If I was you I'd go after these three, have the windows I mentioned above open and try to suss what is activating what. You could turn off all the startup programs in msconfig, reboot, and see which programs have reinstated their startup command. The likelihood is your trojan will write itself into the startup list.
Otherwise look in Prefetch; it will be there as a startup command file.
If you read that thread you'll see he tells him to delete files with odd names, 'fwxtpon.dll' or whatever; your trojan will create files and will have called them random names, so you won't find them online, maybe?!
AVG found a trojan once in a program called 'Bonjourno', so I'm wary of it.
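As an added example (not code from this thread or from HijackThis), here is a small Python triage script that parses the O2/O4/O23 lines quoted above and ranks them by the same signs the post picks out by eye: a Run value that uses rundll32 to load a DLL, a DLL or entry name that is just a run of lowercase letters (heyovoki, tudilukomu, and later in the thread tajelavo), and a Run key sitting under a service-account hive such as S-1-5-19. The sample lines are constructed from the post with the path separators restored; the scoring weights and the "investigate/check/ordinary" labels are this example's own assumptions, and a high score only means "search this name before acting", exactly as the post advises.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the O2/O4/O23 lines quoted in the post above, with the
# backslashes the forum stripped put back.
SAMPLE_HJT_LINES = r"""
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKUS\S-1-5-19\..\Run: [tudilukomu] Rundll32.exe "C:\WINDOWS\system32\heyovoki.dll",s (User 'LOCAL SERVICE')
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
""".strip().splitlines()

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] "
                   r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")
DLL_RE = re.compile(r'([^\\"\s]+)\.dll', re.IGNORECASE)
RUNDLL_RE = re.compile(r"\brundll32(?:\.exe)?\b", re.IGNORECASE)
RANDOM_STEM_RE = re.compile(r"^[a-z]{6,14}$")
SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}  # SYSTEM, LOCAL SERVICE, NETWORK SERVICE


@dataclass
class Entry:
    kind: str          # O2, O4 or O23
    name: str          # value name, BHO name or service name
    target: str        # command line, DLL path or service binary
    hive: str = ""     # registry hive for O4 entries (HKLM, HKCU, HKUS\<sid>)
    user: str = ""     # impersonated user noted by HJT for HKUS entries


@dataclass
class Assessment:
    entry: Entry
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def verdict(self):
        # Assumed thresholds: 3+ points means "go and search this name first".
        if self.score >= 3:
            return "investigate"
        return "check" if self.score else "ordinary"


def parse_line(line):
    """Return an Entry for an O2/O4/O23 HijackThis line, or None for anything else."""
    m = O4_RE.match(line)
    if m:
        return Entry("O4", m["name"], m["cmd"], m["hive"], m["user"] or "")
    m = O2_RE.match(line)
    if m:
        return Entry("O2", m["name"], m["path"])
    m = O23_RE.match(line)
    if m:
        return Entry("O23", m["name"], m["path"])
    return None


def looks_random(stem):
    """Heuristic: a bare run of lowercase letters with no vendor prefix, digits or
    capitals (heyovoki, tajelavo). Legitimate names can match too, so this only
    ranks entries for a search; it never condemns them on its own."""
    return bool(RANDOM_STEM_RE.match(stem))


def assess(entry):
    a = Assessment(entry)
    dll = DLL_RE.search(entry.target)
    if dll and RUNDLL_RE.search(entry.target):
        a.score += 2
        a.reasons.append("rundll32 loads a DLL at logon")
    if dll and looks_random(dll.group(1)):
        a.score += 1
        a.reasons.append(f"DLL name '{dll.group(1)}.dll' looks machine-generated")
    if looks_random(entry.name):
        a.score += 1
        a.reasons.append(f"entry name '{entry.name}' looks machine-generated")
    hive_parts = entry.hive.upper().split("\\")
    if hive_parts[0] == "HKUS" and len(hive_parts) > 1 and hive_parts[1] in SERVICE_SIDS:
        a.score += 1
        a.reasons.append("Run value sits under a built-in service account hive")
    return a


def triage(lines):
    """Parse and score every recognised line, highest score first."""
    results = [assess(e) for e in map(parse_line, lines) if e is not None]
    return sorted(results, key=lambda a: a.score, reverse=True)


if __name__ == "__main__":
    for a in triage(SAMPLE_HJT_LINES):
        print(f"[{a.verdict:11}] {a.entry.kind} {a.entry.name!r}: {a.entry.target}")
        for r in a.reasons:
            print(f"              - {r}")
```

Run against the sample, only the tudilukomu/heyovoki.dll line reaches "investigate" (all four signs fire); the Realtek, Gateway and CyberLink entries score nothing, which matches the thread's later conclusion that heyovoki.dll was the one real problem. Feed it a full HJT log and it simply ignores the line types it does not know.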

hey, Marino.. install Spyware Terminator. If it asks you to install its own virus protection, say no ("Clam" Antivirus or something).
Once Spyware Terminator is installed, you'll have the power to allow or block anything that tries to run. Any time you see "heyovoki.dll" trying to run, just tell it to block it (and checkmark the box that says "remember this choice").
And like kings said, if you see any of those ".dll" files with seemingly random names, just Google-search it, and if you see results about viruses, then block it from running if/when it tries to (using Spyware Terminator), and then use KillBox to delete the very same file.
If it really is a virus/malware/spyware, you'll notice that it tries to launch itself kind of frequently, but Spyware Terminator will allow you to disallow that.
Cleaning a computer of stuff like this can be dang tricky. If I had your computer in front of me I could be of more help, but being so far away is a severe limitation.
heyovoki.dll definitely is part of the Vundo virus, just to be clear.
M, I didn't have time to do any searching for you yesterday, so I just checked out a few of the names I copied from the HJT log: seems that the only real dodgy file is the heyovoki.dll indeed.
On making a Google search I get 2 results: 1) this bandAmp thread and 2) a very, very dodgy (too clean) looking site offering to scan (scam) my PC for Vundo; they list all the possible registry entries, probably because they know what file names it will create.
Yes, if only I had your PC in front of me too, it would be a lot easier.
All you can really do is get on to another PC and follow any instructions to get rid of Vundo on your own.
Keep us updated as to your progress if you can.
Is there a software I can buy to get this resolved? It all points to messing with my registry and finding what seems any random set of names... I saw a few options online, but I'm scared to get anything online now, so I'd rather get it at the PC store. Suggestions...
Did you guys see Heyovoki in my log? I can't find it.
Man, thanks for your help guys.. I'm freaking out....
I did the Spyware Terminator thing with the realtime protection and web shield; would that work?
Marino wrote…
Is there a software I can buy to get this resolved? It all points to messing with my registry and finding what seems any random set of names... I saw a few options online, but I'm scared to get anything online now, so I'd rather get it at the PC store. Suggestions...
Did you guys see Heyovoki in my log? I can't find it.
Man, thanks for your help guys.. I'm freaking out....
I did the Spyware Terminator thing with the realtime protection and web shield; would that work?
Most of all, M, don't freak out!
I wouldn't know of any 'buy me out of this shit button', sorry.
I do know the 'work your own way out' lol
BTW ... READ THAT LINK I GAVE YOU IN POST #17... sorry for shouting.
Visit that page through another PC, read the thread, understand it (enough), download all the programs they tell you to and copy them onto a disk or a USB stick, and get them into your infected PC that way, if you don't want to go online with the infected PC.
You could go after that heyovoki.dll file in your system and find a way to delete it, in safe mode or with a program.
What you have to try to do is hit the 'set up' of the 'virus' and get it to not activate or protect itself. Then you use the programs recommended on the thread to take out the rest (reg entries etc.)
I wouldn't piss about too much in your reg; there are programs, as I said, to deal with that. You need to find the files it has deposited in your PC.
I can't get to safe mode.. I'm getting a screen with a whole bunch of #'s. Any suggestions? ... I ran Spyware Terminator and the other suggested and it finds nothing, not getting any more spam either, but I'm sure it's hiding... Now where is it??
ahh it's opening.... I'm going to run the Spyware Terminator in safe mode...
The places I know :
- Start/run/msconfig/startup
- Windows/Prefetch
- Windows/System32
- C/Program Files
- My Computer/(right click)Properties/System Restore
M, do it yourself.....
It might be under an 'odd' program name in Program Files, though that one might have been detected by the programs you're using.
If it's still in there and still popping up after a startup, you still haven't looked in all the right places.
Have you simply opened your 'Task Manager' and looked to see what's running? It is a little easier than HJT.
Any weird file names running?
O! As to a screen full of #'s..... take your finger off the button!
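The post above lists the places to look by hand, and an earlier one suggests disabling everything in msconfig, rebooting, and seeing what comes back. As an added example (not from this thread or any of the tools it names), the PowerShell script below does that comparison for you: it enumerates the Run/RunOnce values of HKLM, HKCU and every loaded HKEY_USERS hive (which is where the S-1-5-19 LOCAL SERVICE entry for heyovoki.dll lived), plus the two Startup folders, saves them to a JSON snapshot, and on a second run reports every entry that is present now but was not in the earlier snapshot. The snapshot file names and the rundll32-plus-lowercase-DLL heuristic are this example's own assumptions.

```powershell
# Added example, not from the thread: snapshot the autostart locations the post
# above lists and report entries that re-appear after a reboot.
param(
    [string]$Snapshot  = "$env:USERPROFILE\autostart-snapshot.json",  # assumed default path
    [string]$CompareTo = ""                                          # earlier snapshot, optional
)

function Get-AutostartEntries {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Service-account hives (S-1-5-19 is LOCAL SERVICE) are only reachable via HKEY_USERS.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    foreach ($hive in Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue) {
        $runKeys += "HKU:\$($hive.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    }

    $entries = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath/PSParentPath etc. are provider metadata
            $entries += [pscustomobject]@{ Location = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    # Per-user and all-users Startup folders.
    foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($file in Get-ChildItem -Path $folder -File) {
            $entries += [pscustomobject]@{ Location = $folder; Name = $file.Name; Command = $file.FullName }
        }
    }
    return $entries
}

# Same sign the thread spots by eye: rundll32 loading a DLL whose name is a bare
# run of lowercase letters (heyovoki.dll, tajelavo.dll). -cmatch keeps it case-sensitive.
function Test-LooksRandom([string]$Command) {
    return ($Command -match 'rundll32') -and ($Command -cmatch '\\[a-z]{6,14}\.dll')
}

$current = @(Get-AutostartEntries)
$current | ConvertTo-Json | Set-Content -Path $Snapshot
Write-Host "Saved $($current.Count) autostart entries to $Snapshot"

if ($CompareTo -and (Test-Path $CompareTo)) {
    $earlier  = @(Get-Content -Path $CompareTo -Raw | ConvertFrom-Json)
    $seen     = @($earlier | ForEach-Object { "$($_.Location)|$($_.Name)" })
    $returned = $current | Where-Object { $seen -notcontains "$($_.Location)|$($_.Name)" }
    Write-Host "Entries present now but absent from ${CompareTo}:"
    $returned | Format-Table Location, Name, Command -AutoSize
}

Write-Host "Entries matching the rundll32 + lowercase-DLL pattern (search these before acting):"
$current | Where-Object { Test-LooksRandom $_.Command } | Format-Table Location, Name, Command -AutoSize
```

Usage follows the procedure in the thread: disable the startup items in msconfig, run the script once (`.\autostart.ps1 -Snapshot before.json`), reboot, then run it again with `-Snapshot after.json -CompareTo before.json`. Anything in the "present now but absent" table put itself back, which is the behaviour kings describes. Run it from an elevated prompt, otherwise the HKEY_USERS service hives may not be readable.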

Maybe someone with lots of experience can look into your computer with TeamViewer to eliminate this virus.
Way to go M.
That's exactly how to do it, piece by piece, so the DNAbtdna.exe entry I copied is not kosher; it doesn't look kosher!
You might find a folder in Program Files that points to / holds DNAbtdna.exe.
On having a second look at your original HJT log, DNAbtdna.exe might be using Program Files as a root folder, look:
C:Program FilesDNAbtdna.exe - it's not in a folder.
tajelavo.dll

http://www.google.com/search?q=tajelavo.dll&sourceid=navclient-ff&ie=UTF-8&rls=GGGL,GGGL:2006-22,GGGL:en
entry + location: c:\windows\system32\tajelavo.dll