Jeremy Posted March 10, 2007

So after a few years of going without any malware I've become infected with several dozen harmful files. Kaspersky cleaned out the lot of them except for one .DLL in system32 called vtsqp.dll. It doesn't detect it. I zipped it and sent it to Kaspersky already. However, it has a hidden attribute that I am unable to change and, to my surprise, I do not see it in Safe Mode or while booted to Knoppix. Unlocker shows that it's tied into winlogon.exe and explorer.exe. I believe it is the main culprit, as each time I reboot, new .DLL trojans are found in system32. FileMon doesn't show anything very useful. I tried MoveOnBoot; that didn't work. Sure, I could format my drive or use Acronis, but I want to conquer this thing old-school. Anyone have any ideas?
techtype Posted March 10, 2007

Automated Vundo fix
Please print these instructions out for use in Safe Mode.

1. Please download VundoFix.exe to your desktop. > http://www.atribune.org/downloads/VundoFix.exe

2. Double-click VundoFix.exe to extract the files. This will create a VundoFix folder on your desktop.

3. Reboot into >>>safe mode<<< (Click Here for instructions). Now that you are in safe mode, open the VundoFix folder.

4. Double-click on KillVundo.bat. The first thing you see will be this:
VundoFix V2.1 by Atri
By pressing enter you agree that you are using this at your own risk
Please seek assistance at one of the following forums:
http://www.atribune.org/forums
http://www.247fixes.com/forums
http://www.geekstogo.com/forum
http://forums.net-integration.net

5. Press enter again. Next you will see:
Type in the file-path as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.
Please type the following file path:
C:\WINDOWS\repair\srvdisk.dll (as shown in the O2 & O20 entries in YOUR hijackthis)
Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

6. Next you will see:
Please type in the second file-path as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.
Please type the following file path (make sure to enter it exactly as below):
C:\WINDOWS\repair\ksidvrs.*
This will be the vundo filename spelt backward. For example, if the vundo dll was badfile.dll you would enter elifdab.*
REMEMBER... (This is the entry as shown in the O2 & O20 entries in YOUR hijackthis ... spelt backwards)
Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
The fix will run, then Hijackthis will open.

7. In Hijackthis, please place a check next to the following item(s) and click FIX CHECKED:
O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\repair\srvdisk.dll
After you have fixed these item(s), close Hijackthis and press any key to force a reboot of your computer. Pressing any key will cause a "Blue Screen of Death"; this is normal, do not worry!
Once your machine reboots, please continue with the instructions below.

Download and install CleanUp > http://www.stevengould.org/downloads/cleanup/CleanUp40.exe
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (make sure nothing else is checked!):
Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. It may ask you to reboot at the end; click NO.

Then, please run this online virus scan: http://www.pandasoftware.com/products/activescan.htm
Jeremy Posted March 10, 2007 (Author) (edited)

Ah, I remembered Vundo showed up in spyware scans with Ad-Aware and Spybot. Thanks for the instructions, I'll see if that fixes it. Cheers.

Edit - I downloaded VundoFix v6.3.15 from SoftPedia and didn't even have to go into Safe Mode. It detected the following files:
C:\WINDOWS\system32\pqstv.bak1
C:\WINDOWS\system32\pqstv.bak2
C:\WINDOWS\system32\pqstv.ini
C:\WINDOWS\system32\pqstv.ini2
C:\WINDOWS\system32\pqstv.tmp
C:\WINDOWS\system32\vtsqp.dll
Come to think of it, I did see those in FileMon. Anyway, it removed them and no malware has been recreated since. Thank you very much, TechType.

Edited March 10, 2007 by Jeremy
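The two posts above turn on one naming habit: the Vundo DLL (vtsqp.dll) keeps its companion .ini/.bak/.tmp files under the stem spelt backwards (pqstv.*), which is also why VundoFix asks for the reversed name. Added example, not code from the thread or from VundoFix: a small triage script that flags DLLs in a directory listing whose reversed stem has such companions, run here over a constructed listing that mirrors the filenames Jeremy reported.

```python
"""Flag DLLs whose reversed stem names .ini/.bak/.tmp companions (Vundo pattern)."""
import ntpath  # handles C:\... paths correctly even when run on Linux/macOS
import os
import re
from collections import defaultdict

# Constructed listing for the offline demo; it is not a captured directory.
SAMPLE_LISTING = [
    "kernel32.dll", "user32.dll", "ntdll.dll", "drivers",
    "pqstv.bak1", "pqstv.bak2", "pqstv.ini", "pqstv.ini2", "pqstv.tmp",
    "vtsqp.dll",
]

# Companion extensions seen in the thread: .ini, .ini2, .bak1, .bak2, .tmp
COMPANION_EXT = re.compile(r"\.(ini\d*|bak\d*|tmp)$", re.IGNORECASE)


def find_reversed_companions(names):
    """Return {dll_name: [companion names]} for every .dll whose stem,
    reversed, equals the stem of one or more companion files in `names`."""
    by_stem = defaultdict(list)
    for name in names:
        if COMPANION_EXT.search(name):
            stem, _ = ntpath.splitext(name)
            by_stem[stem.lower()].append(name)
    hits = {}
    for name in names:
        if name.lower().endswith(".dll"):
            stem = name[:-4].lower()
            companions = by_stem.get(stem[::-1])
            if companions:
                hits[name] = sorted(companions)
    return hits


def scan_directory(path):
    """Run the same check over a real directory, e.g. C:\\WINDOWS\\system32."""
    return find_reversed_companions(os.listdir(path))


def vundofix_backward_pattern(dll_path):
    """Build the reversed-stem wildcard that the VundoFix prompt asks for:
    C:\\WINDOWS\\repair\\srvdisk.dll -> 'ksidvrs.*'."""
    stem, _ = ntpath.splitext(ntpath.basename(dll_path))
    return stem[::-1] + ".*"


if __name__ == "__main__":
    for dll, companions in find_reversed_companions(SAMPLE_LISTING).items():
        print(dll, "->", ", ".join(companions), "| pattern:", vundofix_backward_pattern(dll))
```

A hit is a lead for investigation, not proof of infection; confirm with the DLL's loaded-module list and a scanner before deleting anything.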
ViX Posted April 30, 2007

Hello. Or, a simpler option: you could have used Icesword to find the vtsqp.dll and used the 'force delete' option.
Woomera Posted May 28, 2007 (edited)

Vundo and Icesword, never heard of them before, yet two powerful and useful tools. Thanks a lot for the info, guys. Though I need help. I can't run Icesword, it says "initialize failed[1]!" Anyone else had this problem or knows how to fix? I'm running Vista, but I tried running it with XP compatibility too, but no luck.

Edited May 28, 2007 by Woomera
Tarun Posted May 28, 2007

What sort of error accompanies the Initialize failed error?
Woomera Posted May 29, 2007

No other errors. Just a small window says "initialize failed[1]!" and then I close it and nothing happens. I searched the web and there were others with the same issues, but no result.
Tarun Posted May 29, 2007

Try a fresh copy, and also see if it works on any other machines you or a friend can access.