Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Winfixer Popups, Cleaned But Still Having Vtstu Entry


  • This topic is locked This topic is locked
6 replies to this topic

#1 NDAVE

NDAVE

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:39 AM

Posted 02 August 2006 - 09:45 PM

Hi

I had Vundo trojon which i tried to fix using VunduFix but it wasnt able to delete vtstu.dll file nor able to detact it. I found this article which asked me to use VirtumundoBeGone.exe

The logs of that clean up is as follows:


[08/02/2006, 20:37:34] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\NEHAL DAVE\Desktop\VirtumundoBeGone.exe" )
[08/02/2006, 20:37:43] - Detected System Information:
[08/02/2006, 20:37:43] - Windows Version: 5.1.2600, Service Pack 2
[08/02/2006, 20:37:43] - Current Username: NEHAL DAVE (Admin)
[08/02/2006, 20:37:43] - Windows is in SAFE mode with Networking.
[08/02/2006, 20:37:43] - Searching for Browser Helper Objects:
[08/02/2006, 20:37:43] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[08/02/2006, 20:37:43] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[08/02/2006, 20:37:43] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/02/2006, 20:37:43] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[08/02/2006, 20:37:43] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[08/02/2006, 20:37:43] - BHO 3: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[08/02/2006, 20:37:43] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/02/2006, 20:37:43] - BHO 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[08/02/2006, 20:37:43] - BHO 6: {B3E46867-1F50-48FA-A19A-66144809CA80} ()
[08/02/2006, 20:37:43] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/02/2006, 20:37:43] - Checking for HKLM\...\Winlogon\Notify\vtstu
[08/02/2006, 20:37:43] - Found: HKLM\...\Winlogon\Notify\vtstu - This is probably Virtumundo.
[08/02/2006, 20:37:43] - Assigning {B3E46867-1F50-48FA-A19A-66144809CA80} MSEvents Object
[08/02/2006, 20:37:43] - BHO list has been changed! Starting over...
[08/02/2006, 20:37:43] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[08/02/2006, 20:37:43] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[08/02/2006, 20:37:43] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/02/2006, 20:37:43] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[08/02/2006, 20:37:43] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[08/02/2006, 20:37:43] - BHO 3: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[08/02/2006, 20:37:43] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/02/2006, 20:37:43] - BHO 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[08/02/2006, 20:37:43] - BHO 6: {B3E46867-1F50-48FA-A19A-66144809CA80} (MSEvents Object)
[08/02/2006, 20:37:43] - ALERT: Found MSEvents Object!
[08/02/2006, 20:37:43] - Finished Searching Browser Helper Objects
[08/02/2006, 20:37:43] - *** Detected MSEvents Object
[08/02/2006, 20:37:43] - Trying to remove MSEvents Object...
[08/02/2006, 20:37:44] - Terminating Process: IEXPLORE.EXE
[08/02/2006, 20:37:44] - Terminating Process: RUNDLL32.EXE
[08/02/2006, 20:37:44] - Disabling Automatic Shell Restart
[08/02/2006, 20:37:44] - Terminating Process: EXPLORER.EXE
[08/02/2006, 20:37:44] - Suspending the NT Session Manager System Service
[08/02/2006, 20:37:44] - Terminating Windows NT Logon/Logoff Manager

[08/02/2006, 20:42:10] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\NEHAL DAVE\Desktop\VirtumundoBeGone.exe" )
[08/02/2006, 20:42:12] - Detected System Information:
[08/02/2006, 20:42:12] - Windows Version: 5.1.2600, Service Pack 2
[08/02/2006, 20:42:12] - Current Username: NEHAL DAVE (Admin)
[08/02/2006, 20:42:12] - Windows is in SAFE mode with Networking.
[08/02/2006, 20:42:12] - Searching for Browser Helper Objects:
[08/02/2006, 20:42:12] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[08/02/2006, 20:42:12] - BHO 2: {16E9B30C-B1AD-4ACB-B9E1-BA6FBCCA8E7B} ()
[08/02/2006, 20:42:12] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/02/2006, 20:42:12] - Checking for HKLM\...\Winlogon\Notify\vtstu
[08/02/2006, 20:42:12] - Found: HKLM\...\Winlogon\Notify\vtstu - This is probably Virtumundo.
[08/02/2006, 20:42:12] - Assigning {16E9B30C-B1AD-4ACB-B9E1-BA6FBCCA8E7B} MSEvents Object
[08/02/2006, 20:42:12] - BHO list has been changed! Starting over...
[08/02/2006, 20:42:13] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[08/02/2006, 20:42:13] - BHO 2: {16E9B30C-B1AD-4ACB-B9E1-BA6FBCCA8E7B} (MSEvents Object)
[08/02/2006, 20:42:13] - ALERT: Found MSEvents Object!
[08/02/2006, 20:42:13] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[08/02/2006, 20:42:13] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/02/2006, 20:42:13] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[08/02/2006, 20:42:13] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[08/02/2006, 20:42:13] - BHO 4: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[08/02/2006, 20:42:13] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/02/2006, 20:42:13] - BHO 6: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[08/02/2006, 20:42:13] - Finished Searching Browser Helper Objects
[08/02/2006, 20:42:13] - *** Detected MSEvents Object
[08/02/2006, 20:42:13] - Trying to remove MSEvents Object...
[08/02/2006, 20:42:14] - Terminating Process: IEXPLORE.EXE
[08/02/2006, 20:42:15] - Terminating Process: RUNDLL32.EXE
[08/02/2006, 20:42:15] - Disabling Automatic Shell Restart
[08/02/2006, 20:42:15] - Terminating Process: EXPLORER.EXE
[08/02/2006, 20:42:15] - Suspending the NT Session Manager System Service
[08/02/2006, 20:42:15] - Terminating Windows NT Logon/Logoff Manager
[08/02/2006, 20:42:15] - Re-enabling Automatic Shell Restart
[08/02/2006, 20:42:15] - File to disable: C:\WINDOWS\system32\vtstu.dll
[08/02/2006, 20:42:15] - Renaming C:\WINDOWS\system32\vtstu.dll -> C:\WINDOWS\system32\vtstu.dll.vir
[08/02/2006, 20:42:15] - File successfully renamed!
[08/02/2006, 20:42:15] - Removing HKLM\...\Browser Helper Objects\{16E9B30C-B1AD-4ACB-B9E1-BA6FBCCA8E7B}
[08/02/2006, 20:42:15] - Removing HKCR\CLSID\{16E9B30C-B1AD-4ACB-B9E1-BA6FBCCA8E7B}
[08/02/2006, 20:42:15] - Adding Kill Bit for ActiveX for GUID: {16E9B30C-B1AD-4ACB-B9E1-BA6FBCCA8E7B}
[08/02/2006, 20:42:15] - Deleting ATLEvents/MSEvents Registry entries
[08/02/2006, 20:42:15] - Removing HKLM\...\Winlogon\Notify\vtstu
[08/02/2006, 20:42:15] - Searching for Browser Helper Objects:
[08/02/2006, 20:42:15] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[08/02/2006, 20:42:15] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[08/02/2006, 20:42:15] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/02/2006, 20:42:15] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[08/02/2006, 20:42:15] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[08/02/2006, 20:42:15] - BHO 3: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[08/02/2006, 20:42:15] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/02/2006, 20:42:15] - BHO 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[08/02/2006, 20:42:15] - Finished Searching Browser Helper Objects
[08/02/2006, 20:42:16] - Finishing up...
[08/02/2006, 20:42:16] - A restart is needed.
[08/02/2006, 20:42:16] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[08/02/2006, 20:42:28] - Attempting to Restart via STOP error (Blue Screen!)

-------------------------------
The hijackthis.log after this cleanup is as follows

Logfile of HijackThis v1.99.1
Scan saved at 10:26:48 PM, on 8/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Cisco Systems\CiscoTrustAgent\ctalogd.exe
C:\Program Files\Cisco Systems\CiscoTrustAgent\ctad.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\NEHAL DAVE\Desktop\HJT.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {8A8BA302-6336-4A7B-A6E4-F3D8529AEA7F} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\system32\wweb32.dll/lookup.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1146898023093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: vtstu - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Trust Agent (ctad) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\CiscoTrustAgent\ctad.exe
O23 - Service: Cisco Trust Agent Event Logging Service (ctalogd) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\CiscoTrustAgent\ctalogd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

-----------------------
In logs u will see
O2 - BHO: (no name) - {8A8BA302-6336-4A7B-A6E4-F3D8529AEA7F} - (no file)
O20 - Winlogon Notify: vtstu - C:\WINDOWS\

I searched for vtstu* but nothing found on my machine!!!!!!!!!!

I try to clean this entries using hijackthis, but as soon as i delete i start to get warning from SpyBot S&D Resident that entry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vtstu=
is being added. I have blocked this entry & resident keeps blocking it but it is getting retried every 2 secs... This goes in infinite loop & i have to restart. Once i restart, the hijack logs shown above comes back..

It seems that some trojon is still there which is trying to add the entry again. Need your help to clean my machine.

Thanks,
Dave

BC AdBot (Login to Remove)

 


#2 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:08:39 AM

Posted 04 August 2006 - 05:44 AM

Hello and welcome.. :thumbsup:

Sorry for the couple days delay.

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
---

Then.... Please run a scan with HijackThis and check the following objects for removal:

O2 - BHO: (no name) - {8A8BA302-6336-4A7B-A6E4-F3D8529AEA7F} - (no file)
O20 - Winlogon Notify: vtstu - C:\WINDOWS\


Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.

---

Reboot and post a fresh HijackThis log. :flowers:
Hi there, stranger!

#3 NDAVE

NDAVE
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:39 AM

Posted 04 August 2006 - 08:26 AM

Hi Rawe

Below is the log
---------------
Logfile of HijackThis v1.99.1
Scan saved at 9:22:13 AM, on 8/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Cisco Systems\CiscoTrustAgent\ctalogd.exe
C:\Program Files\Cisco Systems\CiscoTrustAgent\ctad.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\NEHAL DAVE\Desktop\HJT.exe
C:\Program Files\Gaim\gaim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\svchost.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\system32\wweb32.dll/lookup.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1146898023093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Trust Agent (ctad) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\CiscoTrustAgent\ctad.exe
O23 - Service: Cisco Trust Agent Event Logging Service (ctalogd) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\CiscoTrustAgent\ctalogd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--------------------------
It seems like TeaTimer was adding the entry back or something after hijackthis cleans up & i reboot the machine. I uninstalled SpyBot. Removed the 2 entries using hijackthis & then reinstalled Spybot & enabled TeaTimer. Now till i understand the machine is clean. Can u plz confirm it... :thumbsup:

Thanks much
Dave

#4 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:08:39 AM

Posted 04 August 2006 - 09:15 AM

Your HijackThis log is looking good. :thumbsup:

Updating Java and Clearing Cache
  • Go to Start > Control Panel double-click on the Software icon > Add/Remove Programs.
  • Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
    It should have next icon next to it: Posted Image
    Select it and click Remove.
    • Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
    • It will say "Java Plug-in" under the icon.
      Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
    • If you are unable to update you can manually update by going here:http://java.sun.com/javase/downloads/index.jsp
  • After the reboot, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 CheckedDownloaded Applets
    Downloaded Applications
    Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.
---

Hows the system running now? :flowers:
Hi there, stranger!

#5 NDAVE

NDAVE
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:39 AM

Posted 05 August 2006 - 07:43 AM

Rawe

My computer is back to normal & is running fast as before.
Thanks for ur help

Cheers,
Dave

#6 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:08:39 AM

Posted 05 August 2006 - 08:03 AM

You're welcome :thumbsup:

Please read here how to clear old restore points and create a new one.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Here's some tips for future to prevent spyware;

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed. (My favourite)
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall <= A firewall is definatley a must have. Two good free versions are Kerio Personal Firewall and ZoneLabs.
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
And also see TonyKlein's good advice;
So how did I get infected in the first place? (My favourite)
Hi there, stranger!

#7 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:08:39 AM

Posted 06 August 2006 - 11:16 AM

Since this issue appears to be resolved, this Topic has been closed. Should you need this Topic reopened, please PM a Staff member with the address of this thread. :thumbsup:
Hi there, stranger!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users