
Trojan Horses



So after a few years of going without any malware I've become infected with several dozen harmful files. Kaspersky cleaned out the lot of them except for one .DLL in system32 called vtsqp.dll. It doesn't detect it. I zipped it and sent it to Kaspersky already. However, it has a hidden attribute that I am unable to change and, to my surprise, I do not see it in Safe Mode or while booted to Knoppix. Unlocker shows that it's tied into winlogon.exe and explorer.exe. I believe it is the main culprit, as each time I reboot new .DLL trojans are found in system32. FileMon doesn't show anything very useful. I tried MoveOnBoot; that didn't work. Sure, I could format my drive or use Acronis, but I want to conquer this thing old-school. Anyone have any ideas?



Automated Vundo fix

Please print these instructions out for use in Safe Mode.

1. Please download VundoFix.exe to your desktop. > http://www.atribune.org/downloads/VundoFix.exe

2. Double-click VundoFix.exe to extract the files

This will create a VundoFix folder on your desktop.

3. Reboot into >>>safe mode<<<

Now you are in safe mode open the VundoFix folder

4. Double-click on KillVundo.bat

The first thing you see will be this :-

VundoFix V2.1 by Atri

By pressing enter you agree that you are using this at your own risk

Please seek assistance at one of the following forums:

http://www.atribune.org/forums

http://www.247fixes.com/forums

http://www.geekstogo.com/forum

http://forums.net-integration.net

5. Press enter again.

Next you will see :-

Type in the file-path as instructed by the forum staff

Then Press Enter, Then F6, Then Enter Again to continue with the fix.

Please type the following file path

C:\WINDOWS\repair\srvdisk.dll (as shown in the O2 & O20 entries in YOUR hijackthis)

Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

6. Next you will see :-

Please type in the second file-path as instructed by the forum staff

Then Press Enter, Then F6, Then Enter Again to continue with the fix.

Please type the following file path (make sure to enter it exactly as below)

C:\WINDOWS\repair\ksidvrs.* This will be the Vundo filename spelt backwards. For example, if the Vundo DLL was badfile.dll you would enter elifdab.*

REMEMBER...(This is the entry as shown in the O2 & O20 entries in YOUR hijackthis ... spelt backwards)

Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

The fix will run then Hijackthis will open.

7. In Hijackthis, please place a check next to the following item(s) and click FIX CHECKED :-

O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\repair\srvdisk.dll

After you have fixed these item(s), close Hijackthis and Press any key to Force a reboot of your computer.

Pressing any key will cause a "Blue Screen of Death". This is normal, do not worry!

Once your machine reboots please continue with the instructions below.

Download and install CleanUp > http://www.stevengould.org/downloads/cleanup/CleanUp40.exe

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).

Set the program up as follows :-

Click "Options..."

Move the arrow down to "Custom CleanUp!"

Put a check next to the following (Make sure nothing else is checked!):

Empty Recycle Bins

Delete Cookies

Delete Prefetch files

Cleanup! All Users

Click OK

Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: http://www.pandasoftware.com/products/activescan.htm

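The two file paths the fix above asks for are derived mechanically from the HijackThis O2/O20 entries: the DLL path itself, and the same directory with the DLL's base name spelt backwards plus a `.*` wildcard. The same reversal explains the file set reported later in this thread (vtsqp.dll alongside pqstv.bak1, pqstv.ini, pqstv.tmp and so on). The following Python helper is an added example, not part of any post here and not VundoFix's own code; the HijackThis log lines and the system32 directory listing it works on are constructed for the demonstration, and the companion-file matching (same reversed stem, any extension) is an assumption based on the names shown in this thread rather than a documented Vundo rule.

```python
from pathlib import PureWindowsPath

# Constructed sample HijackThis lines (not a real log). The O2 BHO entry and the
# O20 Winlogon Notify entry both point at the same hypothetical Vundo DLL; the
# O4 line is benign noise that the parser must ignore.
SAMPLE_HJT_LOG = """\
O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\\WINDOWS\\repair\\srvdisk.dll
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O20 - Winlogon Notify: srvdisk - C:\\WINDOWS\\repair\\srvdisk.dll
"""

# Constructed system32 listing: the six names reported in this thread plus a
# few legitimate files that must not be matched.
SYSTEM32_LISTING = [
    "kernel32.dll", "ntdll.dll", "ctfmon.exe",
    "pqstv.bak1", "pqstv.bak2", "pqstv.ini", "pqstv.ini2", "pqstv.tmp",
    "vtsqp.dll",
]


def vundo_dll_paths(log_text: str) -> list[str]:
    """Return the DLL paths named by O2 (BHO) and O20 (Winlogon Notify) lines.

    Both line types end in ' - <path>', so the path is the text after the
    last ' - ' separator. Duplicates are dropped but order is preserved.
    """
    found: list[str] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not (line.startswith("O2 - ") or line.startswith("O20 - ")):
            continue
        path = line.rsplit(" - ", 1)[-1].strip()
        if path.lower().endswith(".dll") and path not in found:
            found.append(path)
    return found


def reversed_pattern(dll_path: str) -> str:
    """Second VundoFix input: same directory, base name reversed, '.*' wildcard.

    'C:\\WINDOWS\\repair\\srvdisk.dll' -> 'C:\\WINDOWS\\repair\\ksidvrs.*'
    """
    p = PureWindowsPath(dll_path)
    return str(p.parent / (p.stem[::-1] + ".*"))


def companion_files(dll_name: str, listing: list[str]) -> list[str]:
    """Files in a directory listing whose stem is the DLL's stem reversed.

    Assumption (from the names posted in this thread): the helper files share
    the reversed stem and differ only by extension, so match on the stem
    case-insensitively and return the hits sorted.
    """
    target = PureWindowsPath(dll_name).stem[::-1].lower()
    return sorted(f for f in listing if PureWindowsPath(f).stem.lower() == target)


def vundofix_inputs(log_text: str) -> list[tuple[str, str]]:
    """(first path, second path) pairs to type into VundoFix, one per DLL."""
    return [(p, reversed_pattern(p)) for p in vundo_dll_paths(log_text)]


if __name__ == "__main__":
    for first, second in vundofix_inputs(SAMPLE_HJT_LOG):
        print("first path :", first)
        print("second path:", second)
    print("companions of vtsqp.dll:", companion_files("vtsqp.dll", SYSTEM32_LISTING))
```

Run it to see the two strings the fix expects for the srvdisk.dll example, and the five pqstv.* companions for vtsqp.dll. As the fix says, only feed VundoFix a path that actually appears in your own O2/O20 entries; the reversal is a naming convention, not proof that a file is malicious, so a reversed-stem hit in system32 is a reason to inspect the file, not to delete it blindly.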

Ah, I remembered Vundo showed up in spyware scans with Ad-Aware and Spybot. Thanks for the instructions, I'll see if that fixes it. Cheers. :hello:

Edit - I downloaded the VundoFix v6.3.15 from SoftPedia and didn't even have to go into Safe Mode. It detected the following files:

C:\WINDOWS\system32\pqstv.bak1

C:\WINDOWS\system32\pqstv.bak2

C:\WINDOWS\system32\pqstv.ini

C:\WINDOWS\system32\pqstv.ini2

C:\WINDOWS\system32\pqstv.tmp

C:\WINDOWS\system32\vtsqp.dll

Come to think of it I did see those in FileMon. Anyway, it removed them and no malware has been recreated since. Thank you very much TechType. :D

Edited by Jeremy


Vundo and Icesword, never heard of them before, yet 2 powerful and useful tools.

Thanks a lot for the info, guys :)

Though I need help. I can't run Icesword; it says "initialize failed[1]!" Anyone else had this problem or knows how to fix?

I'm running Vista, but I tried running it with XP compatibility too, but no luck.

Edited by Woomera

No other errors. Just a small window says "initialize failed[1]!" and then I close it and nothing happens.

I searched the web and there were others with the same issues, but no result.
