
vtstt.dll and dday.dll - Winfixer [RESOLVED]



#1 Tiney (New Member, 8 posts)
I've had these for a few weeks now and I've tried to get rid of them on my own. I tried to follow the instructions for fixing them from forum threads by people who have had similar problems, but for some reason they haven't worked for me. I also followed all of the required steps listed at the beginning of this forum. I pinpointed the problems to dday.dll and vtstt.dll through HijackThis. I hope you guys can help me, thanks so much!

Logfile of HijackThis v1.99.1
Scan saved at 9:26:35 PM, on 10/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Logitech\CamDrvr\LVCOMS.EXE
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\vtstt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddayy.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\CamDrvr\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures01.ai...AIM.9.5.1.7.cab
O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O20 - Winlogon Notify: ddayy - C:\WINDOWS\system32\ddayy.dll
O20 - Winlogon Notify: vtstt - C:\WINDOWS\SYSTEM32\vtstt.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe


Edited by Tiney, 01 November 2005 - 08:22 AM.


#2 John_L (Visiting Staff, 1,398 posts)
Hello Tiney, and welcome to Geeks To Go.

Sorry, the forum has been busy. Can you please post another HijackThis log for us, and we will see what we can do for you.

#3 Tiney (Topic Starter, New Member, 8 posts)
Thanks for trying to help.

Logfile of HijackThis v1.99.1
Scan saved at 3:43:30 PM, on 11/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Logitech\CamDrvr\LVCOMS.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Semagic\LiveJournalU.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Danny Ho\My Documents\Games\Vampires\DAIM.exe
C:\Program Files\Hijack This\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\vtstt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddayy.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\CamDrvr\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures01.ai...AIM.9.5.1.7.cab
O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O20 - Winlogon Notify: ddayy - C:\WINDOWS\system32\ddayy.dll
O20 - Winlogon Notify: vtstt - C:\WINDOWS\SYSTEM32\vtstt.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

#4 John_L (Visiting Staff, 1,398 posts)
Hello Tiney

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\vtstt.dll
  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\ttstv.*
  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HijackThis, please place a check next to the following items and click FIX CHECKED:
    O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\vtstt.dll
    O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddayy.dll
    O20 - Winlogon Notify: ddayy - C:\WINDOWS\system32\ddayy.dll
    O20 - Winlogon Notify: vtstt - C:\WINDOWS\SYSTEM32\vtstt.dll
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.
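The pattern John_L has the user fix above is mechanical enough to check by script: one DLL registered both as an Internet Explorer Browser Helper Object (an O2 line) and as a Winlogon Notify handler (an O20 line), plus a companion file whose name is the DLL's name spelled backwards (vtstt.dll and ttstv.*). The following is an added example and is not part of the original thread, of HijackThis or of VundoFix. It parses the O2 and O20 lines of a HijackThis log and reports which DLLs deserve a "Fix checked". The log lines are copied from the posts in this thread; the system32 directory listing and the `.ini` extension given to the ttstv companion are constructed assumptions, since the thread only ever shows the wildcard.

```python
"""Triage the O2 (BHO) and O20 (Winlogon Notify) lines of a HijackThis log."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample input: the O2/O20 lines exactly as they appear in the logs
# posted in this thread, before and after KillVundo.bat was run.
BEFORE_FIX = r"""
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\vtstt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddayy.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O20 - Winlogon Notify: ddayy - C:\WINDOWS\system32\ddayy.dll
O20 - Winlogon Notify: vtstt - C:\WINDOWS\SYSTEM32\vtstt.dll
"""
AFTER_FIX = r"""
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\vtstt.dll (file missing)
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddayy.dll
O20 - Winlogon Notify: ddayy - C:\WINDOWS\system32\ddayy.dll
O20 - Winlogon Notify: vtstt - vtstt.dll (file missing)
"""
# Constructed listing of C:\WINDOWS\system32. Assumption: the second VundoFix
# path, ttstv.*, was a .ini file; the thread only ever shows the wildcard.
SYSTEM32_LISTING = ["vtstt.dll", "ttstv.ini", "ddayy.dll", "kernel32.dll", "user32.dll"]

O2_RE = re.compile(r"^O2 - BHO: (?P<label>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
                   r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<label>\S+) - "
                    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")


@dataclass(frozen=True)
class Entry:
    kind: str       # "O2" (Browser Helper Object) or "O20" (Winlogon\Notify subkey)
    label: str      # BHO display name, or the Notify subkey name
    path: str       # path as HijackThis printed it
    missing: bool   # HijackThis flagged "(file missing)"
    raw: str        # original log line, for "Fix checked"


def parse_hjt(text: str) -> list[Entry]:
    entries = []
    for line in text.splitlines():
        line = line.strip()
        for kind, rx in (("O2", O2_RE), ("O20", O20_RE)):
            m = rx.match(line)
            if m:
                entries.append(Entry(kind, m["label"], m["path"], bool(m["missing"]), line))
    return entries


def dll_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def triage(entries: list[Entry], listing: list[str]) -> dict[str, list[str]]:
    """Map each suspicious DLL name to the reasons it should be fixed."""
    by_dll: dict[str, list[Entry]] = defaultdict(list)
    for e in entries:
        by_dll[dll_name(e.path)].append(e)
    on_disk = {f.lower() for f in listing}
    findings = {}
    for dll, es in by_dll.items():
        reasons = []
        if {e.kind for e in es} == {"O2", "O20"}:
            reasons.append("same DLL loaded as an IE BHO and as a Winlogon Notify handler")
        if any(e.kind == "O2" and e.label == "(no name)" for e in es):
            reasons.append("BHO registered without a display name")
        stem = dll.rsplit(".", 1)[0]
        twins = sorted(f for f in on_disk if f != dll and f.rsplit(".", 1)[0] == stem[::-1])
        if twins:
            reasons.append(f"reversed-name companion file(s) in system32: {twins}")
        if any(e.missing for e in es):
            reasons.append("registry entry outlives its DLL (file missing): delete the orphaned key")
        if reasons:
            findings[dll] = reasons
    return findings


def fix_checked(entries: list[Entry], findings: dict[str, list[str]]) -> list[str]:
    """The log lines to tick in HijackThis, in the order the log lists them."""
    return [e.raw for e in entries if dll_name(e.path) in findings]


if __name__ == "__main__":
    for title, text, listing in (("before", BEFORE_FIX, SYSTEM32_LISTING),
                                 ("after", AFTER_FIX, ["ddayy.dll", "kernel32.dll"])):
        found = triage(parse_hjt(text), listing)
        print(f"== {title} KillVundo ==")
        for dll, why in found.items():
            print(dll, "->", "; ".join(why))
```

The O20 entry is the reason the file cannot simply be deleted from a normal session: a Winlogon Notify DLL is loaded into winlogon.exe at logon, which is why the fix is run from Safe Mode and why the VundoFix log later in this thread shows it killing the processes that hold the file. The "(file missing)" case matters too: deleting the DLL does not remove the registry keys that reference it, so the O2 and O20 lines still have to be fixed in HijackThis afterwards.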

#5 Tiney (Topic Starter, New Member, 8 posts)
I just wanted to leave a message that I haven't gotten to using these instructions yet, because I've been so busy with classes (college), but when I do find the time to fix my computer, I'll let you know the results. Thanks so much for helping me!

#6 John_L (Visiting Staff, 1,398 posts)
No problem, Tiney. I will continue to monitor for 7 days; please reply with a hello or something, just to keep this thread alive, or I will mark it as inactive if those 7 days pass.

#7 Tiney (Topic Starter, New Member, 8 posts)
I did everything, although I'm not sure that it got rid of the popups. During Safe Mode, when I went to delete things through HijackThis after using KillVundo.bat, these two entries weren't on the HijackThis list:

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\vtstt.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddayy.dll

I figured I'd let you know.

Here are the logs from ActiveScan, HiJackThis and Vundofix:


Incident Status Location

Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\ddayy.dll
Spyware:spyware/virtumonde No disinfected Windows Registry
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Danny Ho\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jar-22500802-2e77c7d0.zip[counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Danny Ho\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jar-22500802-2e77c7d0.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Danny Ho\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jar-22500802-2e77c7d0.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Danny Ho\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jar-4f78f92a-32722bd4.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Danny Ho\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jar-4f78f92a-32722bd4.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Danny Ho\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jar-4f78f92a-32722bd4.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Danny Ho\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jar-4f78f92a-32722bd4.zip[VerifierBug.class]
Spyware:Spyware/Virtumonde No disinfected C:\Program Files\Hijack This\backups\backup-20051030-211725-227.dll
Adware:Adware/StartPage.AIW No disinfected C:\Program Files\Hijack This\backups\backup-20051030-211725-841.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088793.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088794.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088795.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088796.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088797.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088798.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088799.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088800.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088801.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088802.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088803.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088804.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088805.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088806.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088807.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088808.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088809.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088810.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088811.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088812.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088813.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088814.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088815.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088816.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088817.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088818.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088819.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088820.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088821.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088822.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088823.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088824.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088825.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP458\A0089219.dll
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\SYSTEM32\ddayy.dll






Logfile of HijackThis v1.99.1
Scan saved at 7:11:42 PM, on 11/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Logitech\CamDrvr\LVCOMS.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\vtstt.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddayy.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\CamDrvr\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures01.ai...AIM.9.5.1.7.cab
O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O20 - Winlogon Notify: ddayy - C:\WINDOWS\system32\ddayy.dll
O20 - Winlogon Notify: vtstt - vtstt.dll (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe



VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32\vtstt.dll

The second filepath entered was C:\WINDOWS\system32\ttstv.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 132 'smss.exe'

Error, Cannot find a process with an image name of explorer.exe


Killing PID 208 'winlogon.exe'
Killing PID 208 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\system32\vtstt.dll Deleted sucessfully.
C:\WINDOWS\system32\ttstv.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------
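The ActiveScan results in the post above mix one live component (ddayy.dll in system32, plus its registry entries) with copies that are inert where they sit: HijackThis' own backups of the entries that were fixed, the A00xxxxx.dll copies that System Restore took into restore points RP449 and RP458, and applet classes in the Java cache that the scanner already disinfected. The following is an added example, not part of the thread or of Panda's scanner, that sorts ActiveScan lines by where each hit lives so the live items stand out from the copies. The sample lines are a subset copied from the post; the location categories are the author's own.

```python
"""Sort Panda ActiveScan incidents into live infections and inert copies."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a representative subset of the ActiveScan lines posted
# in this thread (same format, same paths).
SAMPLE = r"""
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\ddayy.dll
Spyware:spyware/virtumonde No disinfected Windows Registry
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Danny Ho\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jar-22500802-2e77c7d0.zip[VerifierBug.class]
Spyware:Spyware/Virtumonde No disinfected C:\Program Files\Hijack This\backups\backup-20051030-211725-227.dll
Adware:Adware/StartPage.AIW No disinfected C:\Program Files\Hijack This\backups\backup-20051030-211725-841.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088793.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088798.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP458\A0089219.dll
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\SYSTEM32\ddayy.dll
"""
LINE_RE = re.compile(r"^(?P<kind>\w+):(?P<name>\S+)\s+(?P<status>No disinfected|Disinfected)\s+(?P<location>.+)$")
RP_RE = re.compile(r"\\RP(\d+)\\", re.IGNORECASE)


@dataclass(frozen=True)
class Incident:
    kind: str          # Spyware / Adware / Virus
    name: str          # detection name, e.g. Spyware/Virtumonde
    disinfected: bool  # True when the scanner reports "Disinfected"
    location: str      # path, archive member, or "Windows Registry"


def parse_activescan(text: str) -> list:
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Incident(m["kind"], m["name"], m["status"] == "Disinfected", m["location"]))
    return out


def classify(location: str) -> str:
    loc = location.lower()
    if loc == "windows registry":
        return "registry"       # persistence keys; live until removed
    if "\\system volume information\\_restore" in loc:
        return "restore_point"  # inert copy; comes back only if that restore point is used
    if "\\hijack this\\backups\\" in loc:
        return "hjt_backup"     # HijackThis' copies of what you fixed; inert, delete when done
    if "\\sun\\java\\deployment\\cache\\" in loc:
        return "java_cache"     # cached applet; the scanner already cleaned it
    if loc.startswith("c:\\windows\\system32\\"):
        return "system32"       # the live component
    return "other"


def summarize(incidents: list) -> dict:
    """Live items still needing removal, restore points holding copies, and every hit by bucket."""
    buckets = defaultdict(set)
    for inc in incidents:
        buckets[classify(inc.location)].add(inc.location.lower())  # dedupe case variants
    live = sorted({inc.location.lower() for inc in incidents
                   if not inc.disinfected and classify(inc.location) in ("system32", "registry")})
    rps = sorted({int(n) for inc in incidents for n in RP_RE.findall(inc.location)})
    return {"live": live, "restore_points": rps,
            "buckets": {k: sorted(v) for k, v in buckets.items()}}


if __name__ == "__main__":
    report = summarize(parse_activescan(SAMPLE))
    print("still live:", report["live"])
    print("restore points holding copies:", report["restore_points"])
    for bucket, items in report["buckets"].items():
        print(f"{bucket}: {len(items)} item(s)")
```

Read against the full log, the live list is the only thing the next round of fixing has to address; the restore-point copies cannot run from where they are and only matter if the machine is rolled back to RP449 or RP458, which is why the usual final step after a clean-up of this kind is to flush old restore points (turn System Restore off and back on) and delete the HijackThis backup folder.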

#8 John_L (Visiting Staff, 1,398 posts)
Hello again

Can you post that log again, and this time turn word wrap off in Notepad? It makes reading these logs a nightmare.

#9 Tiney (Topic Starter, New Member, 8 posts)
Oh, that's why it turned out funny. Sorry about that! Thanks for your patience.


Incident Status Location

Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\ddayy.dll
Spyware:spyware/virtumonde No disinfected Windows Registry
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Danny Ho\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jar-22500802-2e77c7d0.zip[counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Danny Ho\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jar-22500802-2e77c7d0.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Danny Ho\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jar-22500802-2e77c7d0.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Danny Ho\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jar-4f78f92a-32722bd4.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Danny Ho\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jar-4f78f92a-32722bd4.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Danny Ho\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jar-4f78f92a-32722bd4.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Danny Ho\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jar-4f78f92a-32722bd4.zip[VerifierBug.class]
Spyware:Spyware/Virtumonde No disinfected C:\Program Files\Hijack This\backups\backup-20051030-211725-227.dll
Adware:Adware/StartPage.AIW No disinfected C:\Program Files\Hijack This\backups\backup-20051030-211725-841.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088793.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088794.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088795.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088796.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088797.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088798.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088799.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088800.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088801.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088802.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088803.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088804.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088805.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088806.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088807.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088808.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088809.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088810.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088811.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088812.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088813.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088814.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088815.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088816.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088817.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088818.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088819.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088820.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088821.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088822.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088823.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088824.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088825.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP458\A0089219.dll
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\SYSTEM32\ddayy.dll

Logfile of HijackThis v1.99.1
Scan saved at 8:10:47 PM, on 11/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Logitech\CamDrvr\LVCOMS.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\vtstt.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddayy.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\CamDrvr\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures01.ai...AIM.9.5.1.7.cab
O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O20 - Winlogon Notify: ddayy - C:\WINDOWS\system32\ddayy.dll
O20 - Winlogon Notify: vtstt - vtstt.dll (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe


VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32\vtstt.dll

The second filepath entered was C:\WINDOWS\system32\ttstv.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 132 'smss.exe'

Error, Cannot find a process with an image name of explorer.exe


Killing PID 208 'winlogon.exe'
Killing PID 208 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\system32\vtstt.dll Deleted sucessfully.
C:\WINDOWS\system32\ttstv.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

#10 John_L (Visiting Staff)
Thanks for that :tazz:

Hmmm, seems like we had more than one instance of Vundo in here.

Run this tool and let's see what it does for us.

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Also provide another HijackThis log with these results :)

#11 Tiney (Topic Starter)
I ran SpySweeper twice because I thought I lost the log for the first run after it said I had to restart the computer to get rid of some of the spyware. But of course, I didn't really lose the log. I think this time everything's gone, but I'm sure you'll let me know. Thanks! :tazz:

********
9:16 PM: | Start of Session, Wednesday, November 09, 2005 |
9:16 PM: Spy Sweeper started
9:16 PM: Sweep initiated using definitions version 569
9:16 PM: Starting Memory Sweep
9:18 PM: Memory Sweep Complete, Elapsed Time: 00:01:55
9:18 PM: Starting Registry Sweep
9:18 PM: Registry Sweep Complete, Elapsed Time:00:00:15
9:18 PM: Starting Cookie Sweep
9:18 PM: Found Spy Cookie: pointroll cookie
9:18 PM: danny [email protected][1].txt (ID = 3148)
9:18 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
9:18 PM: Starting File Sweep
9:39 PM: File Sweep Complete, Elapsed Time: 00:21:22
9:39 PM: Full Sweep has completed. Elapsed time 00:23:33
9:39 PM: Traces Found: 1
10:13 PM: Removal process initiated
10:13 PM: Quarantining All Traces: pointroll cookie
10:13 PM: Removal process completed. Elapsed time 00:00:00
********
8:31 PM: | Start of Session, Wednesday, November 09, 2005 |
8:31 PM: Spy Sweeper started
8:31 PM: Sweep initiated using definitions version 569
8:31 PM: Starting Memory Sweep
8:32 PM: Found Adware: virtumonde
8:32 PM: Detected running threat: C:\WINDOWS\SYSTEM32\ddayy.dll (ID = 77)
8:33 PM: Memory Sweep Complete, Elapsed Time: 00:02:07
8:33 PM: Starting Registry Sweep
8:33 PM: HKCR\msevents.msevents\ (5 subtraces) (ID = 749130)
8:33 PM: HKCR\msevents.msevents.1\ (3 subtraces) (ID = 749136)
8:33 PM: HKLM\software\classes\msevents.msevents\ (5 subtraces) (ID = 749153)
8:33 PM: HKLM\software\classes\msevents.msevents.1\ (3 subtraces) (ID = 749157)
8:33 PM: HKCR\clsid\{52b1dfc7-aafc-4362-b103-868b0683c697}\ (12 subtraces) (ID = 812324)
8:33 PM: HKLM\software\classes\clsid\{52b1dfc7-aafc-4362-b103-868b0683c697}\ (12 subtraces) (ID = 812338)
8:33 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{52b1dfc7-aafc-4362-b103-868b0683c697}\ (ID = 812351)
8:33 PM: Found Trojan Horse: trojan-downloader-conhook
8:33 PM: HKLM\software\classes\clsid\{00dbdac8-4691-4797-8e6a-7c6ab89bc441}\ (3 subtraces) (ID = 833627)
8:33 PM: HKCR\clsid\{00dbdac8-4691-4797-8e6a-7c6ab89bc441}\ (3 subtraces) (ID = 833628)
8:33 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{00dbdac8-4691-4797-8e6a-7c6ab89bc441}\ (ID = 833629)
8:34 PM: Registry Sweep Complete, Elapsed Time:00:00:16
8:34 PM: Starting Cookie Sweep
8:34 PM: Found Spy Cookie: pointroll cookie
8:34 PM: danny [email protected][2].txt (ID = 3148)
8:34 PM: Found Spy Cookie: bluestreak cookie
8:34 PM: danny ho@bluestreak[2].txt (ID = 2314)
8:34 PM: Found Spy Cookie: maxserving cookie
8:34 PM: danny ho@maxserving[1].txt (ID = 2966)
8:34 PM: Found Spy Cookie: overture cookie
8:34 PM: danny [email protected][1].txt (ID = 3106)
8:34 PM: Found Spy Cookie: realmedia cookie
8:34 PM: danny ho@realmedia[1].txt (ID = 3235)
8:34 PM: Found Spy Cookie: reliablestats cookie
8:34 PM: danny [email protected][2].txt (ID = 3254)
8:34 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
8:34 PM: Starting File Sweep
9:00 PM: File Sweep Complete, Elapsed Time: 00:26:33
9:00 PM: Full Sweep has completed. Elapsed time 00:29:01
9:00 PM: Traces Found: 63
9:11 PM: Removal process initiated
9:11 PM: Quarantining All Traces: virtumonde
9:11 PM: virtumonde is in use. It will be removed on reboot.
9:11 PM: C:\WINDOWS\SYSTEM32\ddayy.dll is in use. It will be removed on reboot.
9:11 PM: Quarantining All Traces: trojan-downloader-conhook
9:12 PM: Quarantining All Traces: bluestreak cookie
9:12 PM: Quarantining All Traces: maxserving cookie
9:12 PM: Quarantining All Traces: overture cookie
9:12 PM: Quarantining All Traces: pointroll cookie
9:12 PM: Quarantining All Traces: realmedia cookie
9:12 PM: Quarantining All Traces: reliablestats cookie
9:12 PM: Preparing to restart your computer. Please wait...
9:12 PM: Removal process completed. Elapsed time 00:00:14
********
8:25 PM: | Start of Session, Wednesday, November 09, 2005 |
8:25 PM: Spy Sweeper started
8:28 PM: Your spyware definitions have been updated.
8:31 PM: | End of Session, Wednesday, November 09, 2005 |

Logfile of HijackThis v1.99.1
Scan saved at 10:17:02 PM, on 11/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Logitech\CamDrvr\LVCOMS.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\CamDrvr\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures01.ai...AIM.9.5.1.7.cab
O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O20 - Winlogon Notify: vtstt - vtstt.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#12 John_L (Visiting Staff)
Hello again :tazz:

That SpySweeper is a great tool and saved us a lot of work.

Fire up HijackThis, press Scan Only and place a check next to this.

O20 - Winlogon Notify: vtstt - vtstt.dll (file missing)

Close all browsers and click Fix on HijackThis.

Reboot and show me a new log please. :)
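
The O2 and O20 lines in these logs are the two hooks Vundo leaves behind: the same random-named DLL is registered as an Internet Explorer Browser Helper Object (O2) and as a Winlogon Notify package (O20). Winlogon Notify DLLs are loaded by winlogon.exe itself, which is why SpySweeper reported ddayy.dll as "in use" and had to defer removal to the reboot, and why a registration whose file has already been deleted still shows up as "(file missing)" until the registry key is fixed. The script below is an added example, not code from this thread, from HijackThis or from VundoFix: it parses a constructed sample of the O2/O20 lines quoted above and flags the Vundo layout. The flagging rules are hypothetical ones written for this example, and the companion-name rule simply reproduces what VundoFix was asked to delete here (vtstt.dll together with ttstv.*).

```python
"""Triage of HijackThis O2 (BHO) and O20 (Winlogon Notify) lines.

Added example, not part of the original thread or of HijackThis itself.
The sample lines below are constructed from the entries quoted in the
thread; the rule set is a hypothetical one written for this example.
"""
import re
from dataclasses import dataclass

# O2 - BHO: <name> - {<CLSID>} - <path>[ (file missing)]
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# O20 - Winlogon Notify: <key name> - <path>[ (file missing)]
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Constructed sample: O2/O20 lines taken from the 8:10 PM and 10:17 PM logs
# in this thread, plus one unrelated O4 line that the parser must ignore.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\\WINDOWS\\system32\\vtstt.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\\WINDOWS\\system32\\ddayy.dll
O4 - HKLM\\..\\Run: [HotKeysCmds] C:\\WINDOWS\\System32\\hkcmd.exe
O20 - Winlogon Notify: ddayy - C:\\WINDOWS\\system32\\ddayy.dll
O20 - Winlogon Notify: vtstt - vtstt.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\\WINDOWS\\SYSTEM32\\WRLogonNTF.dll
"""


@dataclass
class Entry:
    kind: str          # "O2" or "O20"
    name: str          # BHO display name or Winlogon Notify key name
    path: str          # DLL path exactly as HijackThis printed it
    missing: bool      # True when HijackThis appended "(file missing)"
    clsid: str = ""    # BHO CLSID, empty for O20 entries


def dll_basename(path: str) -> str:
    """Lower-cased file name of a Windows path (also copes with a bare name)."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_hjt(text: str) -> list:
    """Pull the O2 and O20 entries out of a HijackThis log; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = O2_RE.match(line)
        if m:
            entries.append(Entry("O2", m["name"], m["path"],
                                 m["missing"] is not None, m["clsid"].upper()))
            continue
        m = O20_RE.match(line)
        if m:
            entries.append(Entry("O20", m["name"], m["path"], m["missing"] is not None))
    return entries


def triage(entries: list) -> dict:
    """Map each suspicious DLL basename to the list of reasons it was flagged.

    Hypothetical rules, derived from the pattern in this thread:
      * a registration whose file is gone is an orphan whose registry key
        still has to be removed (that is what the HijackThis 'Fix' does);
      * a BHO with no name is unusual for legitimate software;
      * one DLL registered both as a BHO and as a Winlogon Notify package is
        the Vundo layout: IE loads it and winlogon.exe loads it, so it is
        'in use' from boot and cannot simply be deleted.
    """
    findings: dict = {}
    bho_by_dll = {dll_basename(e.path): e for e in entries if e.kind == "O2"}

    def flag(dll, reason):
        findings.setdefault(dll, []).append(reason)

    for e in entries:
        dll = dll_basename(e.path)
        if e.missing:
            flag(dll, f"{e.kind} '{e.name}': registry entry points to a missing file")
        if e.kind == "O2" and e.name == "(no name)":
            flag(dll, f"O2 {{{e.clsid}}}: BHO has no name")
        if e.kind == "O20" and dll in bho_by_dll:
            flag(dll, f"O20 '{e.name}': same DLL is BHO {{{bho_by_dll[dll].clsid}}}")
    return findings


def companion_pattern(dll: str) -> str:
    """Reversed-stem companion that VundoFix also removes (vtstt.dll -> ttstv.*)."""
    stem = dll_basename(dll).rsplit(".", 1)[0]
    return stem[::-1] + ".*"


if __name__ == "__main__":
    for dll, reasons in triage(parse_hjt(SAMPLE_LOG)).items():
        print(dll, "-> also look for", companion_pattern(dll))
        for r in reasons:
            print("   ", r)
```

Run against the sample, vtstt.dll is flagged four times (missing file on both hooks, nameless BHO, dual registration) and ddayy.dll once (dual registration), while the Acrobat BHO and Webroot's own WRNotifier are left alone. Paste a real HijackThis log into SAMPLE_LOG to triage it; anything flagged is a candidate for the HijackThis fix described in the post above, with the companion pattern giving a second file name to look for.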

#13 Tiney (Topic Starter)
Here's the latest log. :tazz: Thanks!


Logfile of HijackThis v1.99.1
Scan saved at 11:42:44 PM, on 11/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Logitech\CamDrvr\LVCOMS.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\CamDrvr\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures01.ai...AIM.9.5.1.7.cab
O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#14 John_L (Visiting Staff)
Well, that was it. Your log is now nice and clean, congrats!!!!! :tazz:

Since your issues have been addressed and you are ready to travel the net again, I will just give you a few ideas on how to stay safe out there. Best of all, these programs are all readily available on the net for free :)

To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

More info and download is available at:

Spyware Blaster Spyware Guard

Might I suggest the following free anti-spyware programs for added security; you can download them at the following links. These programs work great for detection:

Ad-aware SE--Adaware Tutorial

Spybot S&D--Spybot Tutorial

Antivirus programs play an important role in keeping your computer safe and worry-free while using the net. *NOTE* Only one antivirus must be allowed to run on your computer, as having two or more running can and will cause conflicts.

AVG Avast

Firewalls are also a must in any good prevention plan:

Zone Alarm Sygate Kerio

There are different browsers available on the net other than Internet Explorer; we believe!! these are better for security purposes:

Firefox Opera

You must stay on top of your updates at all times for the above-mentioned applications.

It is vitally important to stay on top of your critical updates provided by Microsoft.

This can be accessed by going to Windows Updates and following the prompts.

To add to the performance of your computer, I suggest a weekly maintenance routine. Run this tool: CCleaner

Lastly, a second opinion on the antivirus that you have chosen. I suggest running these online virus scans periodically, just to make sure that the AV is doing a proper job of keeping you safe:

Rav Online Scan Housecall Online Scan Panda Activescan

Housecall Java Online Scan <--- For those who use Firefox

And finally, a little reading: How did I get infected in the first place? (by Mr. Tony Klein and dvk01)

Good luck and safe surfing :)

#15 Tiney (Topic Starter)
Thank you so much, you have been so helpful! :tazz: