Re: Final Report Vundo

Group: microsoft.public.windowsxp.configuration_manage · Group Profile
Author: paul
Date: Feb 8, 2008 03:30

On Jan 27, 6:09 am, "V Green" nowhere.net> wrote:
> Excellent. The variant I had seemed to be more persistent
> than yours and I did not have the advantage of a dual-boot
> setup to delete files so deleting "locked" files via the VundoFix
> app was the most expeditious way to go.
>
> I have bookmarked all this stuff in case I run into it again.
>
> Too bad that the time & energy wasted by the a$$holes who
> write stuff like Vundo can't be redirected into fixing the world
> economy or something...
>
> "stand_58" amexol.net> wrote in message
>
> news:%%23O3VduHYIHA.6044@TK2MSFTNGP05.phx.gbl...
>
>> Mr. Green, you led me to a place from which I could get rid of this bugger.
>
>> The heavy lifting was the work done by Shedrick in the posting you pointed
>> me at in the forum, and the major path to fixing was the files pointed to by
>> the Run key in the registry that got renamed to have a space before the
>> .exe, and then had a bunch of crap added to them. Just looking for those
>> and systematically getting rid of the larger versions of them, renaming each
>> of the diddled * .exe files to *MUSTFIX.exe, and finally getting rid of
>> all the garbage created in windows\system32, took away a lot of the engine
>> from this miserable load of bits.
>
>> Since I have a dual boot capability (media center and xp), there's nothing
>> in the infected partition that is undeletable, though of course editing the
>> registry is more easily done from the XP partition.
>
>> After I used Media Center to do the editing in the XP partition, I booted
>> into XP and was able to take advantage of the load= line being filled up by
>> Vundo with a now deleted file (another thing that Shedrick explained in his
>> posting) and do the same kind of registry cleaning Shedrick did.
>
>> Amazingly, I didn't even need to use the tools or Hijackthis. The Vundo
>> variant that I had wasn't quite as determined in keeping itself going as it
>> first seemed....its creators could have made it even more of a trial to
>> restore a machine to good order.
>
>> So finally, again, thank you Mr. Green (directly) and Shedrick (by proxy)
>
>> "V Green" nowhere.net> wrote in message
>>news:uzk$MOUXIHA.5364@TK2MSFTNGP04.phx.gbl...
>>> OK, great.
>
>>> Basically what I remember doing (was a while ago) was to kill
>>> all bogus processes with Task Manager. Then look for
>>> suspect entries with the same name in the Registry and delete those.
>
>>> Then look for recently created files with nonsense names
>>> in the usual places in \WINDOWS and \Documents and Settings.
>
>>> If they won't delete in regular or Safe Mode, write a script
>>> in Notepad with the pathname of the files that you want to
>>> delete that are locked, example:
>
>>> C:\Windows\system32\khffddc.dll
>
>>> Save this to your desktop as vundofix.vft - type "All Files".
>
>>> Then start VundoFix and drag vundofix.vft onto it. Click
>>> the Remove Vundo button.
>
>>> VundoFix will "unlock" the files and delete them. Screen may go
>>> blank and you might have to reboot.
>
>>> Run HijackThis and look for anything else (you can use HJT
>>> to take the place of the manual Registry search above - it found
>>> all the same entries that took me much longer to find with
>>> Search).
>
>>> Good luck. It is possible to beat this sumbitch.
>
>>> "stand_58" hotmail.com> wrote in message
>>>news:%%23pxXUGUXIHA.4440@TK2MSFTNGP06.phx.gbl...
>>>> Mr. G. Thank you so very much for your reply. I've tried the tool, it's
>>>> really good....and ultimately it didn't do the job.
>
>>>> But the article you pointed out is amazingly good. Shedrick really has
>>>> teased out all the issues that likely beset my machine, and better than that
>>>> he intelligently walked the paths that I found myself blindly stumbling
>>>> around in when I spent a day failing to beat this bugger.
>
>>>> If I find anything different from what he found, I'll post it. (my junk is
>>>> called ddayv.dll and ddayv.exe, and I also get vyadd.ini readily created.
>>>> Other than that.......I have to print out his article and follow his lead.
>
>>>> And again, thanks to you.
>>>> "V Green" nowhere.net> wrote in message
>>>>news:uGaR1HLXIHA.4140@TK2MSFTNGP04.phx.gbl...
>
>>>>> Try the tool. For me it got most of it, but I had to manually
>>>>> remove a bogus .DLL (see the forums on how to
>>>>> do this-drag n' drop a vundofix.vft file onto vundofix
>>>>> after stopping all processes related to it).
>
>>>>> HijackThis is also needed to tell you where the SOB
>>>>> is hiding in the Registry. If you know what you're doing,
>>>>> you won't need to send the log to anyone, just interpret
>>>>> it yourself. You already know what you're looking for.
>
>>>>> You might like this forum entry:
>
>
>>>>> BTW, I got infected through an exploitable version of
>>>>> the Sun Java Runtime after running one of those applets that
>>>>> Ebay uses to show pictures of an item.
>
>>>>> "stand_58" hotmail.com> wrote in message
>>>>>news:Onj8kt7WIHA.748@TK2MSFTNGP04.phx.gbl...
>>>>>> Not the ordinary question, though.
>
>>>>>> I have a dual boot system; media center edition is not blessed with this
>>>>>> miserable trojan/virus/worm, while my XPSP2 is. I use XP as the default,
>>>>>> and of course years of using it means it's set up the way I want it, and I
>>>>>> don't want to just trash it or bear the consequence of what a repair install
>>>>>> might do to me, especially since I don't have SP2 slipstreamed into my
>>>>>> original XP disk.
>
>>>>>> Anyway, what I have done is to try using some of the VUNDO trojan removal
>>>>>> tools. The flavor of Vundo that I have keeps on producing files like
>>>>>> ddayv.exe and ddayv.dll in the system32 directory, and running them. Also
>>>>>> vyadd.ini files in that directory. It shovels load instructions for the
>>>>>> ddayv.exe into the registry in a few places.
>
>>>>>> I can edit the registry and get rid of all the junk that I find, but of
>>>>>> course I'm not finding the root of the problem. I can also boot into the
>>>>>> media center and use that to edit the xp windows\system32 directory and get
>>>>>> rid of all the files created in there since the virus hit.
>
>>>>>> I can work in safe mode in XP and the trojan doesn't write all the garbage
>>>>>> that it typically writes.
>
>>>>>> Now here's something interesting.
>
>>>>>> I'll have gotten rid of all the instances of ddayv.exe, and then I'll boot.
>>>>>> I get a message box that looks as if I've tried to open ddayv.exe and
>>>>>> windows\system32 just can't find it, and if I want to search for it (yeah,
>>>>>> right) I can do so. The system tray has not yet loaded, the GUI is up,
>>>>>> Windows is usable, but ddayv.exe has not yet been created in the system32
>>>>>> directory.
>
>>>>>> I just click OK on the message box, the boot process continues, and the new
>>>>>> garbage gets written into the registry and into the system32 folder.
>
>>>>>> The help I am looking for from you people is some kind of utility that will
>>>>>> let me step through the end of the boot process. I know there's a step by
>>>>>> step way of doing a cold boot and a bootlog can be captured (am I only
>>>>>> living in the Win 98 world here?....remembering a capability long gone?).
>>>>>> The question is whether there is something available that would let me walk
>>>>>> through the later stages of the boot process so I can find out just what it
>>>>>> is that first invokes rundll to make the ddayv.dll run....and before that,
>>>>>> what makes ddayv.exe create ddayv.dll, and before that what makes ddayv.exe
>>>>>> get created from apparently nothing. There's got to be a way to drill down
>>>>>> to that nothing.
>
>>>>>> So this is a long post, I hope I'm not asking the impossible and I'm not
>>>>>> looking to post a hijack this log so somebody can create a batch file for me
>>>>>> or recommend a list of steps to take.
>
>>>>>> Thanks in advance.

1. Download and run Firefox to protect you from future spyware
attacks and pop-ups which are coming in through Internet Explorer
(Trojan downloaders, win32). Then update your Windows through Firefox
http://securitynewsfromthenet.blogspot.com/2007/05/spyware-fighter-essentials.ht...

2. Run VundoFix and ComboFix http://securitynewsfromthenet.blogspot.com/2007/05/vundofix-and-combo-fix.html

3. Run the anti-spyware removal programs Spybot
http://securitynewsfromthenet.blogspot.com/2007/03/spybot-search-and-destroy-spyware...
and SUPERAntiSpyware http://securitynewsfromthenet.blogspot.com/2007/04/superantispyware-home-edition...
to get rid of the nasties

4. Run a free online virus scan to be sure your computer is virus and
spyware free. http://securitynewsfromthenet.blogspot.com/2007/03/online-virus-scan.html
Download and run McAfee Avert Stinger. Stinger is a stand-alone utility
used to detect and remove specific viruses http://vil.nai.com/vil/stinger/stinger.htm

5. Get the clean-up tools to clean up the spyware from your temp
folder (the place they are stored when downloaded by Internet
Explorer) http://securitynewsfromthenet.blogspot.com/2007/03/clean-up-tools-to-prevent-people...

WHAT DO YOU DO IF EVERYTHING FAILS TO REMOVE THE SPYWARE or you are
not sure your computer is spyware and virus free? If everything fails
to get the nasty spyware removed, let the experts take a look at what's
happening on your computer. Visit the HijackThis Logs and Analysis
forum. http://www.bleepingcomputer.com/forums/forum22.html

Wiping your computer clean is NOT the solution.
Asking/paying someone else to fix the problem is NOT the solution.
TAKE A STAND NOW! IT'S YOUR COMPUTER!!
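The posters above find the persistence by hand: the Run keys, the load= line, the rundll32 line that loads the .dll, executables renamed with a space before .exe, and the dangling reference that throws the "cannot find ddayv.exe" box at logon. As an added example (not code from any post in this thread), the Python 3 script below walks the same autostart locations and flags entries on exactly those signals. The list of registry locations, the random-looking-name heuristic and the sample entries are my own assumptions modelled on the thread, not data taken from an infected machine; the live scan uses the standard winreg module and therefore only runs on Windows, while the analysis functions run anywhere against the constructed sample.

```python
"""Triage Windows autostart (ASEP) entries for Vundo-style persistence.

Signals checked: target file missing (the "cannot find ddayv.exe" box),
a space before the extension ("ddayv .exe"), rundll32 loading a DLL,
a random-looking file name, and a non-empty load= value.
Registry locations, heuristics and sample data are assumptions.
"""
import ntpath
import sys

EXEC_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd")
DEFAULT_SYSTEM32 = r"C:\WINDOWS\system32"
# (hive, subkey, value name or None meaning "every value under the key")
ASEPS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", None),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", None),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run", None),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce", None),
    ("HKCU", r"Software\Microsoft\Windows NT\CurrentVersion\Windows", "load"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows", "AppInit_DLLs"),
]
# Frequent English letter pairs; names with almost none of them look random.
COMMON_BIGRAMS = set("""th he in er an re on at en nd ti es or te of ed is it
al ar st to nt ng se ha as ou io le ve co me de hi ri ro ic ne ea ra ce li ch
ll be ma si om ur""".split())


def parse_command(cmd):
    """Split a command into (executable, arguments) the way CreateProcess
    resolves an unquoted path: try longer space-separated prefixes until one
    ends in an executable extension, so 'C:\\x\\foo .exe' stays one path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
        return cmd.strip('"'), ""
    tokens = cmd.split(" ")
    for i in range(1, len(tokens) + 1):
        cand = " ".join(tokens[:i])
        if cand.lower().endswith(EXEC_EXTS):
            return cand, " ".join(tokens[i:]).strip()
    return tokens[0], " ".join(tokens[1:]).strip()


def looks_random(stem):
    """Weak heuristic (assumption): 5+ letters and under 20% common bigrams.
    Supporting evidence only; some legitimate short names will trip it."""
    letters = "".join(c for c in stem.lower() if c.isalpha())
    if len(letters) < 5:
        return False
    pairs = [letters[i:i + 2] for i in range(len(letters) - 1)]
    return sum(p in COMMON_BIGRAMS for p in pairs) / len(pairs) < 0.2


def analyze_entry(value_name, command, exists, system32=DEFAULT_SYSTEM32):
    """Return the reasons an entry deserves a look. `exists` is a callable
    path -> bool, so it can be pointed at a mounted offline partition."""
    reasons = []
    if not command or not command.strip():
        return reasons
    if value_name in ("Userinit", "AppInit_DLLs"):     # comma-separated lists
        for part in command.split(","):
            if part.strip():
                reasons += analyze_entry(None, part, exists, system32)
        return reasons
    if value_name == "load":
        reasons.append("load_value_set")               # normally empty
    exe, args = parse_command(command)
    if ntpath.dirname(exe) == "":                      # bare name, e.g. Explorer.exe
        exe = ntpath.join(system32, exe)
    stem, _ = ntpath.splitext(ntpath.basename(exe))
    if stem.endswith(" "):
        reasons.append("space_before_ext:" + ntpath.basename(exe))
    if not exists(exe):
        reasons.append("missing_target:" + exe)
    if looks_random(stem.strip()):
        reasons.append("random_name:" + ntpath.basename(exe))
    if stem.strip().lower() == "rundll32" and args:    # rundll32 path.dll,entry
        dll = args.split(",")[0].strip().strip('"')
        if ntpath.dirname(dll) == "":
            dll = ntpath.join(system32, dll)
        reasons.append("rundll32_loads_dll:" + dll)
        if not exists(dll):
            reasons.append("missing_target:" + dll)
        if looks_random(ntpath.splitext(ntpath.basename(dll))[0]):
            reasons.append("random_name:" + ntpath.basename(dll))
    return reasons


def scan_live_registry(system32=DEFAULT_SYSTEM32):
    """Windows only: walk ASEPS on the running machine and yield flagged
    (location, value name, command, reasons)."""
    import os
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    for hive, subkey, value in ASEPS:
        try:
            key = winreg.OpenKey(hives[hive], subkey)
        except OSError:
            continue
        entries = []
        with key:
            if value is None:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break
                    entries.append((name, data))
                    i += 1
            else:
                try:
                    entries.append((value, winreg.QueryValueEx(key, value)[0]))
                except OSError:
                    pass
        for name, data in entries:
            if isinstance(data, str):
                reasons = analyze_entry(name, data, os.path.exists, system32)
                if reasons:
                    yield hive + "\\" + subkey, name, data, reasons


# Constructed sample modelled on the thread (assumption, not real hive data).
SAMPLE_ENTRIES = [
    ("ddayv", r"C:\WINDOWS\system32\ddayv.exe"),
    ("load", r"C:\WINDOWS\system32\ddayv .exe"),
    ("khffddc", r"C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\khffddc.dll,a"),
    ("Shell", "Explorer.exe"),
]
SAMPLE_PRESENT = {r"C:\WINDOWS\system32\rundll32.exe",
                  r"C:\WINDOWS\system32\Explorer.exe",
                  r"C:\WINDOWS\system32\khffddc.dll"}


def triage_sample():
    """Analyse SAMPLE_ENTRIES offline; returns {value name: reasons}."""
    return {name: analyze_entry(name, cmd, SAMPLE_PRESENT.__contains__)
            for name, cmd in SAMPLE_ENTRIES}


if __name__ == "__main__":
    if sys.platform == "win32":
        for loc, name, cmd, reasons in scan_live_registry():
            print(loc, name, cmd, "->", ", ".join(reasons))
    else:
        for name, reasons in triage_sample().items():
            print(name, "->", ", ".join(reasons) or "ok")
```

On the dual-boot setup described in the thread, the useful variant is to run the analysis from the clean partition: pass an `exists` callable that rewrites `C:\WINDOWS` to wherever the infected partition is mounted, so a Run or load= value pointing at a file you already deleted shows up as `missing_target` before you reboot into the infected system. Nothing here deletes anything; it only tells you which entries to look at.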