I did everything, although I'm not sure that it got rid of the popups. During Safe Mode, when I went to delete things through HijackThis after using Killvundo.bat,
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\vtstt.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddayy.dll
These two files weren't on the HijackThis list. I figured I'd let you know.
Here are the logs from ActiveScan, HijackThis and VundoFix:
Incident Status Location
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\ddayy.dll
Spyware:spyware/virtumonde No disinfected Windows Registry
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Danny Ho\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jar-22500802-2e77c7d0.zip[counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Danny Ho\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jar-22500802-2e77c7d0.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Danny Ho\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jar-22500802-2e77c7d0.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Danny Ho\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jar-4f78f92a-32722bd4.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Danny Ho\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jar-4f78f92a-32722bd4.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Danny Ho\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jar-4f78f92a-32722bd4.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Danny Ho\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jar-4f78f92a-32722bd4.zip[VerifierBug.class]
Spyware:Spyware/Virtumonde No disinfected C:\Program Files\Hijack This\backups\backup-20051030-211725-227.dll
Adware:Adware/StartPage.AIW No disinfected C:\Program Files\Hijack This\backups\backup-20051030-211725-841.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088793.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088794.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088795.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088796.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088797.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088798.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088799.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088800.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088801.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088802.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088803.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088804.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088805.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088806.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088807.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088808.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088809.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088810.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088811.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088812.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088813.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088814.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088815.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088816.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088817.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088818.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088819.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088820.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088821.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088822.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088823.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088824.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP449\A0088825.dll
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP458\A0089219.dll
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\SYSTEM32\ddayy.dll
Logfile of HijackThis v1.99.1
Scan saved at 7:11:42 PM, on 11/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Logitech\CamDrvr\LVCOMS.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijack This\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\vtstt.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddayy.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\CamDrvr\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures01.ai...AIM.9.5.1.7.cab
O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O20 - Winlogon Notify: ddayy - C:\WINDOWS\system32\ddayy.dll
O20 - Winlogon Notify: vtstt - vtstt.dll (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------
Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------
killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt
--------------------------------------------------------------------------------------
Filepaths entered
--------------------------------------------------------------------------------------
The filepath entered was C:\WINDOWS\system32\vtstt.dll
The second filepath entered was C:\WINDOWS\system32\ttstv.*
--------------------------------------------------------------------------------------
Log from Process
--------------------------------------------------------------------------------------
Killing PID 132 'smss.exe'
Error, Cannot find a process with an image name of explorer.exe
Killing PID 208 'winlogon.exe'
Killing PID 208 'winlogon.exe'
--------------------------------------------------------------------------------------
C:\WINDOWS\system32\vtstt.dll Deleted sucessfully.
C:\WINDOWS\system32\ttstv.* Deleted sucessfully.
Fixing Registry
--------------------------------------------------------------------------------------