Old 12-01-2005, 04:39 PM   #2 (permalink)
Vikesrock8411
Analyst, Security Team
 
 
Join Date: Jun 2005
Posts: 3,065
OS: Windows XP


Hello Uffan104 and welcome to TSF

I would recommend that you Subscribe to this thread so you are notified of any replies via email. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

You have a couple different things going on here. We will attack vundo first, then work on cleaning out the rest.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Downloads (make sure to save these in a permanent location)
VundoFix.exe - Double-click VundoFix.exe to extract the files

Reboot your system in Safe Mode (by repeatedly tapping the F8 key until the menu appears).

Tools
Open the VundoFix folder and double-click on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this
    Quote:
    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....
  • At this point press enter one time.
  • Next you will see:
    Quote:
    Please Type in the filepath as instructed by the forum staff
    and then press enter:
  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\System32\vtstr.dll
  • Press Enter to continue with the fix.
  • Next you will see:
    Quote:
    Please type in the second filepath as instructed by the forum staff then press enter:
  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\System32\rtstv.* <<<The * is part of the filename!
  • Press Enter to continue with the fix.
  • The fix will run, then HijackThis will open. If it does not open automatically, please open it manually.
  • In HijackThis, please place a check next to the following items and click FIX CHECKED:
    • R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
      O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\System32\vtstr.dll
      O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
      O20 - Winlogon Notify: vtstr - C:\WINDOWS\System32\vtstr.dll
  • After you have fixed these items, close HijackThis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.

Please run a new scan with HijackThis and post the log here.
Please make sure to post the header of the log as it provides critical information needed to fix your system. Also please do not post logs in quote or code boxes. Thank You
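The post above asks for a fresh HijackThis log after the fix. As an added example (not part of the original post, and not code from HijackThis or VundoFix), this Python sketch parses HijackThis entry lines, lists DLLs registered under both O2 and O20 the way vtstr.dll is in the post, and reports fix-list entries that reappear in a rescan. Only the four `FIX_LIST` lines come from the post; the other log lines, and all function names, are constructed for illustration.

```python
import re
from collections import defaultdict

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")  # "O2 - <body>"
PATH = re.compile(r" - ([A-Za-z]:\\.+)$")               # trailing "- C:\..." field

# The four entries the post says to fix, copied from the post.
FIX_LIST = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\System32\vtstr.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O20 - Winlogon Notify: vtstr - C:\WINDOWS\System32\vtstr.dll
"""
# Constructed lines (made-up names, paths and CLSID) to give the parser contrast.
EXTRA = r"""
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O20 - Winlogon Notify: example - C:\WINDOWS\System32\example.dll
"""
BEFORE = FIX_LIST + EXTRA
# Constructed rescan in which one fix-list entry survived the cleanup.
AFTER = r"""
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O20 - Winlogon Notify: vtstr - C:\WINDOWS\System32\vtstr.dll
"""

def parse(log):
    """Return (section_code, body) for every HijackThis entry line."""
    return [m.groups() for m in map(ENTRY.match, log.splitlines()) if m]

def dual_registered(log):
    """DLL paths present as both a BHO (O2) and a Winlogon Notify (O20)."""
    seen = defaultdict(set)
    for code, body in parse(log):
        m = PATH.search(body)
        if code in ("O2", "O20") and m:
            seen[m.group(1).lower()].add(code)  # Windows paths are case-insensitive
    return sorted(p for p, codes in seen.items() if codes == {"O2", "O20"})

def still_present(fixed, rescan):
    """Entries that were marked for fixing but show up again in the rescan."""
    current = {(c, b.lower()) for c, b in parse(rescan)}
    return [(c, b) for c, b in parse(fixed) if (c, b.lower()) in current]

if __name__ == "__main__":
    print("O2 + O20 for the same DLL:", dual_registered(BEFORE))
    for code, body in still_present(FIX_LIST, AFTER):
        print("still present after fix:", code, "-", body)
```
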