<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/'><id>tag:blogger.com,1999:blog-15754461.post7549690460431282826..comments</id><updated>2009-10-30T11:16:40.549-07:00</updated><title type='text'>Comments on Gibdon Moon: Getting Rid of Vundo and Pop-Ups</title><link 
rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://www.gibdon.com/feeds/7549690460431282826/comments/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/15754461/7549690460431282826/comments/default'/><link rel='alternate' type='text/html' href='http://www.gibdon.com/2007/12/getting-rid-of-vundo-and-pop-ups.html'/><author><name>Neil C. Obremski</name><uri>http://www.blogger.com/profile/06141393537077736482</uri><email>noreply@blogger.com</email><gd:image xmlns:gd='http://schemas.google.com/g/2005' rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_vGt1OWtFHBI/SSxuHkSDoxI/AAAAAAAANDI/L8XBMm8xXiY/S220/10+PastyMickBastard.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>6</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-15754461.post-1841739659198963316</id><published>2009-10-30T11:16:40.549-07:00</published><updated>2009-10-30T11:16:40.549-07:00</updated><title type='text'>One of my co-workers had this on her computer and ...</title><content type='html'>One of my co-workers had this on her computer and none of the programs listed on bleepingcomputer could fix it.  The computer blue screened when trying to get into Safe Mode, I couldn&amp;#39;t get into regedit and I couldn&amp;#39;t delete any of the entries in HijackThis.  
I followed your suggestions and loaded Windows Recovery Console and deleted the bad dll files that way - all fixed now :)  I think I owe you a beer!</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/15754461/7549690460431282826/comments/default/1841739659198963316'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/15754461/7549690460431282826/comments/default/1841739659198963316'/><link rel='alternate' type='text/html' href='http://www.gibdon.com/2007/12/getting-rid-of-vundo-and-pop-ups.html?showComment=1256926600549#c1841739659198963316' title=''/><author><name>Anonymous</name><email>noreply@blogger.com</email><gd:image xmlns:gd='http://schemas.google.com/g/2005' rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img1.blogblog.com/img/blank.gif'/></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://www.gibdon.com/2007/12/getting-rid-of-vundo-and-pop-ups.html' ref='tag:blogger.com,1999:blog-15754461.post-7549690460431282826' source='http://www.blogger.com/feeds/15754461/posts/default/7549690460431282826' type='text/html'/><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='blogger.itemClass' value='pid-722737728'/></entry><entry><id>tag:blogger.com,1999:blog-15754461.post-410323079563353185</id><published>2008-12-13T14:24:00.000-08:00</published><updated>2008-12-13T14:24:00.000-08:00</updated><title type='text'>Neil, your suggestion worked Great!!! Thank you so...</title><content type='html'>Neil, your suggestion worked Great!!! 
Thank you so much!</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/15754461/7549690460431282826/comments/default/410323079563353185'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/15754461/7549690460431282826/comments/default/410323079563353185'/><link rel='alternate' type='text/html' href='http://www.gibdon.com/2007/12/getting-rid-of-vundo-and-pop-ups.html?showComment=1229207040000#c410323079563353185' title=''/><author><name>Anonymous</name><email>noreply@blogger.com</email><gd:image xmlns:gd='http://schemas.google.com/g/2005' rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img1.blogblog.com/img/blank.gif'/></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://www.gibdon.com/2007/12/getting-rid-of-vundo-and-pop-ups.html' ref='tag:blogger.com,1999:blog-15754461.post-7549690460431282826' source='http://www.blogger.com/feeds/15754461/posts/default/7549690460431282826' type='text/html'/><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='blogger.itemClass' value='pid-2079689788'/></entry><entry><id>tag:blogger.com,1999:blog-15754461.post-1845735900125863307</id><published>2008-11-24T20:17:00.000-08:00</published><updated>2008-11-24T20:17:00.000-08:00</updated><title type='text'>Dang I just spent nearly an hour &lt;i&gt;actually&lt;/i&gt; g...</title><content type='html'>Dang I just spent nearly an hour &lt;I&gt;actually&lt;/I&gt; getting rid of frickin' Vundo.  It's insanely simple once you know what to do, but the problem is a lot of sources give you bad information.  Here's the low-down:&lt;BR/&gt;&lt;BR/&gt;1.) View C:\WINDOWS\System32 in Explorer sorted by "Created Date" to find the Vundo DLL's which should be very recent assuming you caught this early enough.  Its DLL names are always an 8 character assortment of upper and lower-case letters.&lt;BR/&gt;&lt;BR/&gt;2.) 
Write down the names of said files.&lt;BR/&gt;&lt;BR/&gt;3.) Boot off your Windows XP CD.  To do this put it in your drive, restart, and pay attention ... your computer should say something like "Press any key to boot from CD-ROM".&lt;BR/&gt;&lt;BR/&gt;4.) After waiting 4-EVA for the CD to "start Windows", select the "Recovery Console" option.  You'll need to type in your Administrator password so I hope you have it handy.&lt;BR/&gt;&lt;BR/&gt;5.) Type "CD \WINDOWS\System32" (without the quotes) and then for each file you wrote down type "DEL blahblah.dll" (where blahblah is the file name).&lt;BR/&gt;&lt;BR/&gt;6.) Type "EXIT" to restart your computer and this time don't boot from the CD.&lt;BR/&gt;&lt;BR/&gt;7.) Once back in Windows, you should be able to clean out the registry entries left behind without them constantly re-appearing.  Basically just run "REGEDIT" and do a search for those file names in the registry, deleting any place they show up.  If you have some sort of utility to check for "Windows Errors" then it will do this for you.&lt;BR/&gt;&lt;BR/&gt;--&lt;BR/&gt;&lt;BR/&gt;The problem I was having is that since Vundo hooks into WinLogon, NONE of the solutions I found worked 100%.  Sure they'd stop the BHO or pop-ups, but that main "kernel" of Vundo was still running.  The delete-on-reboot utilities ran AFTER WinLogon and therefore would not delete it and I couldn't rename the files even in Safe Mode.  Then I realized I was looking at it the wrong way, fighting the criminal from WITHIN their little cave rather than bombing it from outside.  
Good thing I kept those boot CD's around!</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/15754461/7549690460431282826/comments/default/1845735900125863307'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/15754461/7549690460431282826/comments/default/1845735900125863307'/><link rel='alternate' type='text/html' href='http://www.gibdon.com/2007/12/getting-rid-of-vundo-and-pop-ups.html?showComment=1227586620000#c1845735900125863307' title=''/><author><name>Neil C. Obremski</name><uri>http://www.blogger.com/profile/06141393537077736482</uri><email>noreply@blogger.com</email><gd:image xmlns:gd='http://schemas.google.com/g/2005' rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://www.neilstuff.com/avatar'/></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://www.gibdon.com/2007/12/getting-rid-of-vundo-and-pop-ups.html' ref='tag:blogger.com,1999:blog-15754461.post-7549690460431282826' source='http://www.blogger.com/feeds/15754461/posts/default/7549690460431282826' type='text/html'/><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='blogger.itemClass' value='pid-1732840326'/></entry><entry><id>tag:blogger.com,1999:blog-15754461.post-462693970132345895</id><published>2008-11-23T10:32:00.000-08:00</published><updated>2008-11-23T10:32:00.000-08:00</updated><title type='text'>Wouldn't you know it, but nearly a year later and ...</title><content type='html'>Wouldn't you know it, but nearly a year later and I got Vundo on my desktop.  I launched Internet Explorer simply to test a website and I believe some malicious AD code installed it on my system.  
Using my own blog entry (this one) I removed it with HijackThis and in doing so I found that the URL to that in my post is no longer valid (fixing now).&lt;BR/&gt;&lt;BR/&gt;The culprit this time?&lt;BR/&gt;&lt;BR/&gt;&lt;B&gt;O4 - HKLM\..\Run: [acfa1503] rundll32.exe "C:\WINDOWS\system32\wroovkbn.dll",b&lt;/B&gt;&lt;BR/&gt;&lt;BR/&gt;In case it helps, it was launching THIS website:&lt;BR/&gt;&lt;BR/&gt;&lt;B&gt;http://www.premiercardoffers.com/?Mkt=674&amp;amp;SubMkt=1341&amp;amp;PID=1&amp;amp;BID=0&amp;amp;SourceID=YOUR_SOURCEID&amp;amp;jump=ap1&lt;/B&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/15754461/7549690460431282826/comments/default/462693970132345895'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/15754461/7549690460431282826/comments/default/462693970132345895'/><link rel='alternate' type='text/html' href='http://www.gibdon.com/2007/12/getting-rid-of-vundo-and-pop-ups.html?showComment=1227465120000#c462693970132345895' title=''/><author><name>Neil C. 
Obremski</name><uri>http://www.blogger.com/profile/06141393537077736482</uri><email>noreply@blogger.com</email><gd:image xmlns:gd='http://schemas.google.com/g/2005' rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://www.neilstuff.com/avatar'/></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://www.gibdon.com/2007/12/getting-rid-of-vundo-and-pop-ups.html' ref='tag:blogger.com,1999:blog-15754461.post-7549690460431282826' source='http://www.blogger.com/feeds/15754461/posts/default/7549690460431282826' type='text/html'/><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='blogger.itemClass' value='pid-1732840326'/></entry><entry><id>tag:blogger.com,1999:blog-15754461.post-8190929551943550748</id><published>2008-02-04T16:55:00.000-08:00</published><updated>2008-02-04T16:55:00.000-08:00</updated><title type='text'>Yes I too have the same problem as your sister.It ...</title><content type='html'>Yes I too have the same problem as your sister. It started happening after I had downloaded some MP3 files from Limewire. &lt;BR/&gt;The pop-up that appears at the bottom right hand corner is Malware. Just Google Advanced Cleaner and you'll see what I mean. 
Also known as Drive Cleaner as well.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/15754461/7549690460431282826/comments/default/8190929551943550748'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/15754461/7549690460431282826/comments/default/8190929551943550748'/><link rel='alternate' type='text/html' href='http://www.gibdon.com/2007/12/getting-rid-of-vundo-and-pop-ups.html?showComment=1202172900000#c8190929551943550748' title=''/><author><name>austral alien</name><email>noreply@blogger.com</email><gd:image xmlns:gd='http://schemas.google.com/g/2005' rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img1.blogblog.com/img/blank.gif'/></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://www.gibdon.com/2007/12/getting-rid-of-vundo-and-pop-ups.html' ref='tag:blogger.com,1999:blog-15754461.post-7549690460431282826' source='http://www.blogger.com/feeds/15754461/posts/default/7549690460431282826' type='text/html'/><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='blogger.itemClass' value='pid-1944354270'/></entry><entry><id>tag:blogger.com,1999:blog-15754461.post-2462065110614031639</id><published>2008-01-01T15:39:00.000-08:00</published><updated>2008-01-01T15:39:00.000-08:00</updated><title type='text'>Hi, this virus is running rampant this month and i...</title><content type='html'>Hi, this virus is running rampant this month and it is a new strain of vundo that is very potent and corrupts many files. The only program that is currently able to completely remove it is called combofix. You can download it through a site called bleepingcomputer.&lt;BR/&gt;&lt;BR/&gt;After running combofix, if any important system files are quarantined you can reinstall them by taking the log file after combofix is done, renaming it log.txt, and dropping it into the rev icon on your desktop. 
This whole issue and these fixes are discussed on the avast antivirus forums.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/15754461/7549690460431282826/comments/default/2462065110614031639'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/15754461/7549690460431282826/comments/default/2462065110614031639'/><link rel='alternate' type='text/html' href='http://www.gibdon.com/2007/12/getting-rid-of-vundo-and-pop-ups.html?showComment=1199230740000#c2462065110614031639' title=''/><author><name>Anonymous</name><email>noreply@blogger.com</email><gd:image xmlns:gd='http://schemas.google.com/g/2005' rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img1.blogblog.com/img/blank.gif'/></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://www.gibdon.com/2007/12/getting-rid-of-vundo-and-pop-ups.html' ref='tag:blogger.com,1999:blog-15754461.post-7549690460431282826' source='http://www.blogger.com/feeds/15754461/posts/default/7549690460431282826' type='text/html'/><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='blogger.itemClass' value='pid-993705656'/></entry></feed>
