Windows Tutorials - Herong's Tutorial Notes
Dr. Herong Yang, Version 4.20

Trojan and Adware - Vundo (vtsts.dll) Removal


Windows Tutorials - Herong's Notes © 2006 Dr. Herong Yang


(Continued from previous part...)

Action: I repeated my partial removal process to remove these DLL files:

1. Zipped both suspicious files into a zip file, bho_200611.zip, and tried to delete them:

>del C:\WINDOWS\system32\swcskmxu.dll
   (deleted)

>del C:\WINDOWS\system32\gidijvia.dll
   (not deleted because it is in use)

2. Closed all Internet Explorer windows and File Explorer windows, and ran HiJackThis:

Find and check the gidijvia.dll in the log
Click the "Fix checked" button

3. Ran HijackThis again:

Go to Config >> Misc Tools >> Delete a file on reboot
Select file: C:\WINDOWS\system32\gidijvia.dll
Click Yes to reboot the system

4. Verified the following places:

HijackThis report: clean
C:\WINDOWS\system32 directory: clean
Internet Explorer add-on list: clean

What Is vtsts.dll?

Of course, this time I had to do more than removing these DLL files. I had to try to find the root of this Trojan Vundo.

So I looked at the HiJackThis report carefully again, examining each entry in the report and doing a Google search on each associated program. When I reached the following entry, I got some interesting matches in the Google search results:

O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD}
   - C:\WINDOWS\system32\vtsts.dll

Google Search Result - Part I: When I searched for "vtsts.dll" with Google, I got the following interesting items out of 785 matches:

1. From www.bullguard.com/forum/8/DowloadTrojan-Virus-vtstsdll_14346.html, it's a long forum post with replies dated May 7, 2005. The infected system has 2 related entries in its HiJackThis report:

O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26}
   - C:\WINDOWS\system32\vtsts.dll
O20 - Winlogon Notify: vtsts - C:\WINDOWS\SYSTEM32\vtsts.dll

Based on the replies, the infected system was cleaned by AVG Antivirus from www.grisoft.com, after several failed attempts with different anti-virus tools.

2. From forums.techguy.org/security/415370-solved-help-remove-downloader-trojan.html, it's a long forum post with replies dated Nov. 9, 2005. The infected system has 3 related entries in its HiJackThis report:

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
   - C:\WINDOWS\system32\vtsts.dll
O20 - Winlogon Notify: vtsqr - C:\WINDOWS\system32\vtsqr.dll
O20 - Winlogon Notify: vtsts - C:\WINDOWS\SYSTEM32\vtsts.dll

Based on the replies, the infected system was cleaned by using VundoFix.exe from atribune.org and Killbox from subratam.org, combined with detailed guiding instructions provided by the forum moderator, Flrman1.

(Continued on next part...)
