Re: Please help with VUNDO removal
- From: "stand_58" <stand_58@xxxxxxxxxxx>
- Date: Tue, 22 Jan 2008 16:55:59 -0500
Mr. G. Thank you so very much for your reply. I've tried the tool, it's
really good... and ultimately it didn't do the job.
But the article you pointed out is amazingly good. Shedrick really has
teased out all the issues that likely beset my machine, and better than that
he intelligently walked the paths that I found myself blindly stumbling
around in when I spent a day failing to beat this bugger.
If I find anything different from what he found, I'll post it. (My junk is
called ddayv.dll and ddayv.exe, and I also get vyadd.ini readily created.)
Other than that... I have to print out his article and follow his lead.
And again, thanks to you.
"V Green" <vanceg@xxxxxxxxxxx> wrote in message
news:uGaR1HLXIHA.4140@xxxxxxxxxxxxxxxxxxxxxxx
http://vundofix.atribune.org/
Try the tool. For me it got most of it, but I had to manually
remove a bogus .DLL (see the forums on how to
do this: drag 'n' drop a vundofix.vft file onto vundofix
after stopping all processes related to it).
HijackThis is also needed to tell you where the SOB
is hiding in the Registry. If you know what you're doing,
you won't need to send the log to anyone, just interpret
it yourself. You already know what you're looking for.
You might like this forum entry:
http://www.atribune.org/forums/index.php?showtopic=3660
BTW, I got infected through an exploitable version of
the Sun Java Runtime after running one of those applets that
eBay uses to show pictures of an item.
"stand_58" <stand_58@xxxxxxxxxxx> wrote in message
news:Onj8kt7WIHA.748@xxxxxxxxxxxxxxxxxxxxxxx
Not the ordinary question, though.
I have a dual boot system; media center edition is not blessed with this miserable trojan/virus/worm, while my XPSP2 is. I use XP as the default, and of course years of using it means it's set up the way I want it, and I don't want to just trash it or bear the consequence of what a repair install might do to me, especially since I don't have SP2 slipstreamed into my original XP disk.
Anyway, what I have done is to try using some of the VUNDO trojan removal tools. The flavor of Vundo that I have keeps on producing files like ddayv.exe and ddayv.dll in the system32 directory, and running them. Also vyadd.ini files in that directory. It shovels load instructions for the ddayv.exe into the registry in a few places.
I can edit the registry and get rid of all the junk that I find, but of course I'm not finding the root of the problem. I can also boot into the media center and use that to edit the xp windows\system32 directory and get rid of all the files created in there since the virus hit.
I can work in safe mode in XP and the trojan doesn't write all the garbage that it typically writes.
Now here's something interesting.
I'll have gotten rid of all the instances of ddayv.exe, and then I'll boot.
I get a message box that looks as if I've tried to open ddayv.exe and windows\system32 just can't find it, and if I want to search for it (yeah, right) I can do so. The system tray has not yet loaded, the GUI is up, Windows is usable, but ddayv.exe has not yet been created in the system32 directory.
I just click OK on the message box, the boot process continues, and the new garbage gets written into the registry and into the system32 folder.
The help I am looking for from you people is some kind of utility that will let me step through the end of the boot process. I know there's a step by step way of doing a cold boot and a bootlog can be captured (am I only living in the Win 98 world here?... remembering a capability long gone?).
The question is whether there is something available that would let me walk through the later stages of the boot process so I can find out just what it is that first invokes rundll to make the ddayv.dll run... and before that, what makes ddayv.exe create ddayv.dll, and before that what makes ddayv.exe get created from apparently nothing. There's got to be a way to drill down to that nothing.
So this is a long post, I hope I'm not asking the impossible and I'm not looking to post a HijackThis log so somebody can create a batch file for me or recommend a list of steps to take.
Thanks in advance.
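Editor's added example (not code from either poster or from the VundoFix/HijackThis tools): a read-only triage script that does two of the things the thread does by hand, listing autostart registry values and System32 files that reference the suspect names from the post (ddayv, vyadd) and flagging any autostart value that loads a DLL through rundll32, since the post says the DLL is invoked that way. The key list is an assumed practical subset, and the script assumes PowerShell 2.0 or later run from an elevated prompt.

```powershell
# Added example (not from the thread): list autostart registry values and
# System32 files referencing a suspect name, and flag autostart values that
# load a DLL via rundll32. Assumes PowerShell 2.0+ in an elevated prompt;
# the key list is a practical subset, not an exhaustive one.
param([string]$Pattern = 'ddayv|vyadd')   # names taken from the thread
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)
# Winlogon\Notify holds one subkey per notification DLL; include each one.
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notify) {
    $AutostartKeys += Get-ChildItem $notify | ForEach-Object { $_.PSPath }
}

function Find-SuspectAutostart {
    param([string]$Pattern, [string[]]$Keys)
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not data
            $data = "$($p.Value)"
            $reason = $null
            if ($data -match $Pattern) { $reason = 'name match' }
            elseif ($data -match 'rundll32') { $reason = 'rundll32 loader (review)' }
            if ($reason) {
                New-Object PSObject -Property @{
                    Key = $key; Name = $p.Name; Data = $data; Reason = $reason }
            }
        }
    }
}

function Find-SuspectFiles {
    param([string]$Pattern, [string]$Dir = "$env:SystemRoot\System32")
    # CreationTime separates recently dropped files from the rest of System32.
    Get-ChildItem -Path $Dir -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Name -match $Pattern } |
        Select-Object FullName, CreationTime, Length
}

Find-SuspectAutostart -Pattern $Pattern -Keys $AutostartKeys | Format-Table -AutoSize
Find-SuspectFiles -Pattern $Pattern | Format-Table -AutoSize
```

Run it from the clean boot (the media center install or safe mode) as well as the infected one and compare the two listings; entries present only in the infected boot are the ones to investigate.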