Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

vtd_16.exe [resolved]

Started by OwenJ , Dec 07 2004 05:34 PM

This topic is locked

#1
OwenJ

Posted 07 December 2004 - 05:34 PM

New Member

Member
7 posts

I have some kind of trojan (possibly Haxdoor-K) which I cannot remove. I know the offending files, and have removed them with killbox.

I've removed vtd_16.exe which is the process in task manager and afterwards removed the following files which it has dropped:

cm.dll
draw32.dll
hm.sys
memlow.sys
p2.ini
vdnt32.sys
wd.sys
i.a3d
klogini.dll

I have also removed the following registry entries:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Draw32
HKLM\System\CurrentControlSet\Services\memlow
HKLM\System\CurrentControlSet\Services\vdnt32

Yet after all this, it still reappears (after a couple of login's, it usually takes about a day)
I'll post a HiJack this log after, any advice would be welcomed.

Owen

#2
OwenJ

Posted 07 December 2004 - 05:35 PM

New Member

Topic Starter
Member
7 posts

Logfile of HijackThis v1.98.2
Scan saved at 23:35:02, on 07/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Messenger\msmsgs.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1102109999390
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

#3
admin

Posted 07 December 2004 - 11:24 PM

Founder Geek

Community Leader
24,639 posts

C:\WINDOWS\system32\NOTEPAD.EXE

Did you have notepad open? It's an often infected file.

Please run a free online virus scan here (tick the "Auto Clean" checkbox):
http://housecall.antivirus.com/

And a free trojan scan here:
http://www.moosoft.com/

Reboot your PC.

Let us know the results. <_<

#4
OwenJ

Posted 08 December 2004 - 01:19 PM

New Member

Topic Starter
Member
7 posts

I'm fairly sure I had notepad open at the time. I've tried the same approach again, and am still having the same problem. vtd_16.exe keeps appearing again.
The main problem with this process is that it keeps shutting down my computer (ie. sends it to the blue screen of death), stating vdnt32.sys as the problem.

I've tried various AV, trojan and other removal tools, but to no avail.

Owen

#5
admin

Posted 08 December 2004 - 04:44 PM

Founder Geek

Community Leader
24,639 posts

Download Service Filter from the following link and unzip it. Follow the instructions that will be unzipped in the folder:
http://www.geekstogo...=download&id=41

Post the contents from the POST_THIS.TXT file that is generated.

#6
nino

Posted 14 December 2004 - 11:38 AM

New Member

Member
3 posts

Here is the information gathered by your script. Does it make sense?
Please note I am trunnig a Dutch version of XP. The words waar en onwaar mean true and false.

The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Professional
Version: 5.1.2600
dec 14, 2004 18:35:29

---> Begin Service Listing <---

Unknown Service # 1
Service Name: avast! Mail Scanner
Display Name: avast! Mail Scanner
Start Mode: Manual
Start Name: LocalSystem
Description: Implements mail scanning for the avast! ...
Service Type: Own Process
Path: "c:\program files\alwil software\avast4\ashmaisv.exe" /service
State: Running
Process ID: 3280
Started: Waar
Exit Code: 0
Accept Pause: Onwaar
Accept Stop: Waar

Unknown Service # 2
Service Name: DCSPGSRV
Display Name: DiamondCS Process Guard Service v3.000
Start Mode: Auto
Start Name: LocalSystem
Description: Used in DiamondCS products for various security ...
Service Type: Own Process
Path: "c:\program files\processguard\dcsuserprot.exe"
State: Running
Process ID: 2032
Started: Waar
Exit Code: 0
Accept Pause: Waar
Accept Stop: Waar

Unknown Service #3
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Beheert schaduwkopieën op basis van software, die door de Volume Shadow Copy-service zijn gemaakt. ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{0be6a4cd-63b3-45fe-b01b-9dc3bc3e68e8}
State: Stopped
Process ID: 0
Started: Onwaar
Exit Code: 1077
Accept Pause: Onwaar
Accept Stop: Onwaar

Unknown Service # 4
Service Name: test
Display Name: test
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\ins.exe
State: Stopped
Process ID: 0
Started: Onwaar
Exit Code: 0
Accept Pause: Onwaar
Accept Stop: Onwaar

---> End Service Listing <---

There are 87 Win32 services on this machine.
4 were unrecognized.

Script Execution Time: 8,015625 seconds.

#7
nino

Posted 15 December 2004 - 11:28 AM

New Member

Member
3 posts

Looks like it is GONE!

1st: I downloaded GIANT Anti Spyware from http://www.spynet.co...-Haxdoor.k.aspx.
2nd: I updated the virus definitions.
3th: I removed all the files and registry entries as stated in robertd_34's first post on this subject.
4th: I restarted the systemin safe mode (Giant also crashes when running in normal mode)
5th: I ran GIANT Anti Spyware, and it found and removed the trojans.
6th: I repeated 3th.
7th: I rebooted the system, and al obnoxious processes were no longer there! Only the registry again contained the Draw32 key, which I removed.

#8
coachwife6

Posted 15 December 2004 - 05:03 PM

SuperStar

Retired Staff
11,413 posts

You can post another log and we can check it out. Click the link in my signature for the latest version of Hijack This. It was just updated today. Download it and run it and post a log. :tazz:

#9
nino

Posted 16 December 2004 - 03:40 AM

New Member

Member
3 posts

That's a nice offer, but the virus is gone, so there nothibng more to chaeck out, thanks heavens...

#10
cliqua

Posted 01 January 2005 - 08:41 PM

New Member

Member
2 posts

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Professionnel
Version: 5.1.2600
janv. 2, 2005 03:38:40

===> Begin Service Listing <===

Unknown Service #1
Service Name: MDM
Display Name: Machine Debug Manager
Start Mode: Auto
Start Name: LocalSystem
Description: Manages local and remote debugging for Visual Studio ...
Service Type: Own Process
Path: "c:\program files\fichiers communs\microsoft shared\vs7debug\mdm.exe"
State: Running
Process ID: 1424
Started: Vrai
Exit Code: 0
Accept Pause: Faux
Accept Stop: Vrai

Unknown Service #2
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Gère les copies logicielles de clichés instantanés de volumes créés par le service de cliché ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{ee821034-9718-41d4-9162-bc2bb3d18c4e}
State: Stopped
Process ID: 0
Started: Faux
Exit Code: 1077
Accept Pause: Faux
Accept Stop: Faux

---> End Service Listing <---

There are 79 Win32 services on this machine.
2 were unrecognized.

Script Execution Time: 3,342773 seconds.

--------------

Could someone tell me if 'MS Software Shadow Copy Provider' is a normal process I should get or not ?

Thanks :tazz:

#11
cliqua

Posted 01 January 2005 - 08:50 PM

New Member

Member
2 posts

I keep on having this [bleep] vtd_16.exe process running on my computer even after having done all the tests and instructions up there ...

While using net limiters, here is where vtd_16.exe leads me to : 64.18.139.200

Down there you will find the result of the tracert to this IP.

-----------------------

Détermination de l'itinéraire vers 64.18.139.200 avec un maximum de 30 sauts.

1 <1 ms <1 ms <1 ms cliqua.mshome.net [192.168.0.1]
2 117 ms 57 ms 74 ms ***.my.IP.***
3 60 ms 103 ms 146 ms stmaurice-6k-1-a5.routers.proxad.net [213.228.14
.254]
4 117 ms 76 ms 64 ms th2-6k-2-v810.intf.routers.proxad.net [212.27.50
.29]
5 110 ms 149 ms 49 ms cbv-6k-2-v808.intf.routers.proxad.net [212.27.50
.26]
6 62 ms 101 ms 51 ms sl-gw11-par-11-0.sprintlink.net [217.118.239.145
]
7 53 ms 39 ms 31 ms sl-bb20-par-9-0.sprintlink.net [217.118.224.44]

8 166 ms 101 ms 153 ms sl-bb23-nyc-14-0.sprintlink.net [144.232.20.45]

9 205 ms 248 ms 207 ms sl-bb21-nyc-8-0.sprintlink.net [144.232.7.110]
10 234 ms 220 ms 272 ms sl-bb22-nyc-14-0.sprintlink.net [144.232.7.102]

11 296 ms 218 ms 260 ms sl-bb21-chi-9-0.sprintlink.net [144.232.9.149]
12 145 ms 136 ms 147 ms sl-bb20-chi-14-0.sprintlink.net [144.232.26.1]
13 290 ms 228 ms 217 ms sl-st20-chi-12-0.sprintlink.net [144.232.8.219]

14 226 ms 248 ms 228 ms sl-xocomm-12-0.sprintlink.net [144.223.241.10]
15 249 ms 278 ms 295 ms p5-0-0.RAR2.Chicago-IL.us.xo.net [65.106.6.137]

16 214 ms 297 ms 258 ms p6-0-0.RAR1.NYC-NY.us.xo.net [65.106.0.30]
17 287 ms 268 ms 208 ms p0-0-0.MAR1.NYC-NY.us.xo.net [65.106.3.46]
18 180 ms 187 ms 210 ms ge4-0.CHR1.Secaucus-NJ.us.xo.net [64.1.6.35]
19 189 ms 263 ms 157 ms 209.116.198.126
20 215 ms 175 ms 153 ms 204.8.216.1
21 189 ms 222 ms 222 ms 64.18.139.200

Itinéraire déterminé.

--------------

is there anyone here that could help me killing this spyware please ?