vtsqr.dll

AJM

Hello
Virus checker does not like C:\WINDOWS\SYSYEM32\VTSQR.DLL; when it deals
with said file, Windows gets a bit upset at startup and requires the file. Does
a virus or other nasty use this file? How can I keep both Windows and the virus
checker happy?

Also, I don't know if this is related, but there is something running in the
background using up resources. Looking at task launcher processes, SYSTEM IDLE
PROCESS and WINLOGON.EXE are battling away for CPU usage: one second one is at
85%, say, and the next the other is. This goes on constantly.

XP home, all windows updates auto installed, P4 2.0 GHz CPU, 1024 Mb RAM,
connected LAN to router for ADSL. Use Avast as virus checker and have MS
antispyware installed.

Thanks
AJM Scotland
 
From: "AJM" <[email protected]>

| Hello
| Virus checker does not like C:\WINDOWS\SYSYEM32\VTSQR.DLL; when it deals
| with said file, Windows gets a bit upset at startup and requires the file. Does
| a virus or other nasty use this file? How can I keep both Windows and the virus
| checker happy?
|
| Also, I don't know if this is related, but there is something running in the
| background using up resources. Looking at task launcher processes, SYSTEM IDLE
| PROCESS and WINLOGON.EXE are battling away for CPU usage: one second one is at
| 85%, say, and the next the other is. This goes on constantly.
|
| XP home, all windows updates auto installed, P4 2.0 GHz CPU, 1024 Mb RAM,
| connected LAN to router for ADSL. Use Avast as virus checker and have MS
| antispyware installed.
|
| Thanks
| AJM Scotland
|

Please submit a sample of "VTSQR.DLL" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

When you get the report, please post back the EXACT results.

As always, I suggest blocking TCP and UDP ports 135 ~ 139 and 445 on *any* SOHO Router.
This will help keep the hackers and Internet worms out of your LAN and keep MS Networking
from leaking out of your LAN into the Internet.
 
David here are the results from virus tool. Guess from this avast was right
enough and thought said file was a trojano-2502.
Very useful service thanks for your advice. I know nothing about vtsqr.dll
and what role it plays in XP or other software but I know when it is not
there XP throws up many run error boxes.
This experience has been very interesting and changed my use and thoughts on
Virus scanners.

I have yet to work out how to block ports on the router etc as you also
recommended.
Thanks
AJM

Server response

--------------------------------------------------------------------------------

Results of a file scan
This is a report processed by VirusTotal on 09/26/2005 at 02:25:59 (CET)
after scanning the file "vtsqr.dll" file.
Antivirus      Version         Update      Result
AntiVir        6.32.0.6        09.25.2005  ADSPY/Virtumonde.O
Avast          4.6.695.0       09.23.2005  Win32:Trojano-2502
AVG            718             09.23.2005  no virus found
Avira          6.32.0.6        09.25.2005  ADSPY/Virtumonde.O
BitDefender    7.2             09.25.2005  no virus found
CAT-QuickHeal  8.00            09.25.2005  AdWare.Virtumonde.o (Not a Virus)
ClamAV         devel-20050917  09.25.2005  Adware.Virtumonde-1
DrWeb          4.32b           09.25.2005  no virus found
eTrust-Iris    7.1.194.0       09.25.2005  no virus found
eTrust-Vet     11.9.1.0        09.23.2005  no virus found
F-Prot         3.16c           09.23.2005  no virus found
Ikarus         0.2.59.0        09.23.2005  AdWare.Virtumonde.O
Kaspersky      4.0.2.24        09.25.2005  Trojan.Win32.Crypt.o
McAfee         4589            09.23.2005  potentially unwanted program Adware-Virtumundo
NOD32v2        1.1232          09.25.2005  Win32/Adware.Virtumonde.O
Norman         5.70.10         09.23.2005  no virus found
Panda          8.02.00         09.25.2005  no virus found
Sophos         3.98.0          09.25.2005  no virus found
Symantec       8.0             09.25.2005  no virus found
TheHacker      5.8.2.114       09.22.2005  Adware/Virtumonde.o
VBA32          3.10.4          09.21.2005  AdWare.Virtumonde.o
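
Added example, not part of the thread or written by any poster: a small Python parser that reads the report rows posted above, counts how many engines flag the file, and groups the differing vendor labels into rough family names. The noise-word list and the alias map are assumptions of this example, not a vendor naming standard.

```python
import re
from collections import Counter

# Rows copied from the VirusTotal report in the post above (engine, version, update, result).
REPORT = """\
AntiVir 6.32.0.6 09.25.2005 ADSPY/Virtumonde.O
Avast 4.6.695.0 09.23.2005 Win32:Trojano-2502
AVG 718 09.23.2005 no virus found
Avira 6.32.0.6 09.25.2005 ADSPY/Virtumonde.O
BitDefender 7.2 09.25.2005 no virus found
CAT-QuickHeal 8.00 09.25.2005 AdWare.Virtumonde.o (Not a Virus)
ClamAV devel-20050917 09.25.2005 Adware.Virtumonde-1
DrWeb 4.32b 09.25.2005 no virus found
eTrust-Iris 7.1.194.0 09.25.2005 no virus found
eTrust-Vet 11.9.1.0 09.23.2005 no virus found
F-Prot 3.16c 09.23.2005 no virus found
Ikarus 0.2.59.0 09.23.2005 AdWare.Virtumonde.O
Kaspersky 4.0.2.24 09.25.2005 Trojan.Win32.Crypt.o
McAfee 4589 09.23.2005 potentially unwanted program Adware-Virtumundo
NOD32v2 1.1232 09.25.2005 Win32/Adware.Virtumonde.O
Norman 5.70.10 09.23.2005 no virus found
Panda 8.02.00 09.25.2005 no virus found
Sophos 3.98.0 09.25.2005 no virus found
Symantec 8.0 09.25.2005 no virus found
TheHacker 5.8.2.114 09.22.2005 Adware/Virtumonde.o
VBA32 3.10.4 09.21.2005 AdWare.Virtumonde.o
"""

ROW = re.compile(r"^(\S+)[ \t]+(\S+)[ \t]+(\d{2}\.\d{2}\.\d{4})[ \t]+(.+?)[ \t]*$", re.M)
# Vendor-label noise words: a hand-picked, heuristic list (assumption of this example).
GENERIC = {"adware", "adspy", "trojan", "win", "not", "virus",
           "potentially", "unwanted", "program"}
ALIASES = {"virtumundo": "virtumonde"}  # McAfee's spelling in this report

def family(result):
    # Keep the first token that is not a platform/category word or a short variant suffix.
    tokens = [t for t in re.findall(r"[a-z]+", result.lower())
              if len(t) > 2 and t not in GENERIC]
    name = tokens[0] if tokens else "unknown"
    return ALIASES.get(name, name)

def summarize(text):
    """Return (engines detecting, engines total, Counter of family names)."""
    rows = ROW.findall(text)  # header and blank lines do not match the date column
    hits = [r for r in rows if r[3].lower() != "no virus found"]
    return len(hits), len(rows), Counter(family(r[3]) for r in hits)

if __name__ == "__main__":
    detected, total, families = summarize(REPORT)
    print(f"{detected}/{total} engines flag the file; families: {dict(families)}")
```

Engine-specific generic labels (Avast's and Kaspersky's here) end up as their own one-off groups, which is the usual sign that those engines matched on a packer or heuristic rather than on the named family.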
 
David
Thanks again, I have worked out how to block ports on my Netgear DG834
router; it is done.
I think I will give another Virus engine a go.
Cheers
AJM


David H. Lipman said:
From: "AJM" <[email protected]>

| David here are the results from virus tool. Guess from this avast was right
| enough and thought said file was a trojano-2502.
| Very useful service thanks for your advice. I know nothing about vtsqr.dll
| and what role it plays in XP or other software but I know when it is not
| there XP throws up many run error boxes.
| This experience has been very interesting and changed my use and thoughts on
| Virus scanners.
|
| I have yet to work out how to block ports on the router etc as you also
| recommended.
| Thanks
| AJM

< snip >

OK - Thanx...

McAfee 4589 09.23.2005 potentially unwanted program Adware-Virtumundo

It is non-viral malware in the class of adware.

Please download, install and update the following software...

Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/

SpyBot Search and Destroy v1.4
http://security.kolla.de/

After the software is updated, I suggest scanning the system in Safe Mode.

The following is to make sure no viral malware is on the PC.


NOTE: Before you scan with the following tool, disable Avast. Avast has a habit of falsely
declaring the Trend Micro Sysclean utility as having the VBS/Redlof. This is a long
standing, known, False Positive declaration and can be avoided if Avast is disabled.

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
(.LNK) file, a PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using; Sophos, Trend and McAfee Anti Virus Command Line Scanners to
remove viruses, Trojans and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

* * * Please report back your results * * *

What make and model Router do you have ?

On many Linksys models you can set the port blocking at;
http://192.168.1.1/Filters.htm

The attached graphic is representative of some Linksys models and how to set the port
blocking.
 