vstr.dll and explorer.exe 100% cpu usage

Discussion in 'Malware Help (A Specialist Will Reply)' started by Pimped, Aug 16, 2006.

  1. Pimped

    Pimped Private E-2

    Hey Guys

    I really hope someone can help me out here please.

    The computer keeps on freezing, and after downloading Process Explorer XP, I found that a thread in explorer.exe called vstr.dll is running!

    I have also started to get that WinAntiVirus Pro popping up.

    Also, I think it's automatically populating my Trusted Sites in Internet Explorer with some weird-looking sites.

    **I just opened a new Internet Explorer window and the bloody pop-up is back, even though I just emptied out the Trusted Zones whilst still in this Internet session, and now my Norton Personal Firewall is saying that "C:\WINDOWS\Downloaded Program Files\UDC6_0001_D18M1108NetInstaller.exe" even though I have looked for it before and it wasn't there.

    I have read the READ ME FIRST and done all the scans.

    Please find attached the logs of all scans. Sorry about zipping bdscan.txt, but it was too big for the forum's attachment limit.

    Also, sorry for writing too much. When I restarted in Safe Mode, explorer.exe kept on dying straight away before I even got to see the desktop; I would open Task Manager and run explorer.exe, but it just kept on dying. But when I restarted in Safe Mode with Networking, it was OK, so I think this virus is relying on the internet connection to stay alive.

    I thank you all in advance and appreciate any time spent in reading this and would really appreciate it if someone could help me.

    THANKSSSSSSS
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please attach the other logs that were requested.

    - GetRunKey
    - ShowNew

    See step 6 of the READ ME.

    Note that you cannot see files in C:\WINDOWS\Downloaded Program Files\ by using Windows Explorer. You have to use either the command prompt or you must use another program to see them (another stupid idea of Microsoft's). ExplorerXP is much better at showing ALL files on your system. It does not allow them to be hidden from your view like Windows Explorer does.
     
  3. Pimped

    Pimped Private E-2

    Hey, sorry about that, I forgot about that completely!

    Thanks for helping us out, mate.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Start by downloading two tools we will need

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of vtstr.dll once and then click the kill button. After you have killed all of the vtstr.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    winexy32.dll

    Next double click on explorer.exe and again click once on each instance of vtstr.dll and kill it. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    winexy32.dll

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q404&bd=pavilion&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q404&bd=pavilion&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q404&bd=pavilion&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q404&bd=pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q404&bd=pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q404&bd=pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q404&bd=pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q404&bd=pavilion&pf=desktop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q404&bd=pavilion&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {B5188738-04BA-4FBB-A920-A699D37F7422} - C:\WINDOWS\system32\vtstr.dll
    O4 - HKCU\..\Run: [Srro] "C:\PROGRA~1\COMMON~1\STEM~1\chkntfs.exe" -vt yax
    O15 - Trusted Zone: http://www.amaena.com
    O15 - Trusted Zone: http://uss2.city.ac.uk
    O15 - Trusted Zone: http://webct0.city.ac.uk
    O15 - Trusted Zone: http://webct1.city.ac.uk
    O15 - Trusted Zone: http://locator.cdn.imageservr.com
    O15 - Trusted Zone: http://locator1.cdn.imagesrvr.com
    O15 - Trusted Zone: http://scanner.sysprotect.com
    O15 - Trusted Zone: http://*.systemdoctor.com
    O15 - Trusted Zone: http://www.winantivirus.com
    O15 - Trusted Zone: http://www.winantiviruspro.com
    O15 - Trusted Zone: http://download.cdn.winsoftware.com
    O20 - Winlogon Notify: vtstr - C:\WINDOWS\system32\vtstr.dll
    O20 - Winlogon Notify: winexy32 - winexy32.dll (file missing)



    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now click Start, Run, and enter cmd and click OK! This will open a command prompt window. In the command prompt window enter the below commands each followed by the Enter key.
    del %windir%\temp\win*.*
    exit


    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    Now back on Killbox's main window, Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

    C:\WINDOWS\system32\auscbcjd.exe
    C:\WINDOWS\system32\lslvsygd.exe
    C:\WINDOWS\system32\ofmajkoi.exe
    C:\WINDOWS\system32\rpptimvj.exe
    C:\WINDOWS\system32\vtstr.dll
    C:\WINDOWS\system32\rtstv.tmp
    C:\WINDOWS\system32\rtstv.ini
    C:\WINDOWS\system32\rtstv.ini2


    If Killbox does not reboot or if you get a Pending Operations type error message just click OK to continue and then just reboot your PC yourself.


    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp\
    C:\Documents and Settings\HP_Owner\Local Settings\Temp\

    Now attach a new HJT log and tell me how the steps went.

    Also attach a new log from ShowNew and a new log from GetRunKey.

    I'm expecting that the HKEY_LOCAL_MACHINE\software\microsoft\mssmgr registry key will come back and that we will need a special step to remove it.

    Make sure you tell me how things are working now!
     
  5. Pimped

    Pimped Private E-2

    Hey chaslang

    thanks for that post

    Okay, before I begin, I deleted something from my registry using one of those programs in the big READ ME thread, which was something like "notify about antivirus" and "notify firewall". So now when I turn the computer on, I get the Windows Security Center alert saying Norton AntiVirus is not switched on, but it goes away because the antivirus and firewall are a little delayed in starting.

    Anyway, the problems I had in doing what you said are outlined below:

    O2 - BHO: (no name) - {B5188738-04BA-4FBB-A920-A699D37F7422} - C:\WINDOWS\system32\vtstr.dll

    This entry existed but with a different set of characters for that key part


    O15 - Trusted Zone: http://uss2.city.ac.uk - wasn't there
    O15 - Trusted Zone: http://webct0.city.ac.uk - wasn't there
    O15 - Trusted Zone: http://webct1.city.ac.uk - wasn't there
    O15 - Trusted Zone: http://locator1.cdn.imagesrvr.com - wasn't there

    Also, there were more O15 entries called "Trusted IP range", but I didn't delete them.

    The del %windir%\temp\win*.* didn't find any files, so it didn't do anything; I double-checked it by manually navigating to the folder using MS-DOS.

    Thanks once again, matey, I really appreciate it.

    Peace

    Asif
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't know what you mean. You have to be more specific. What different characters? What key part?

    Everything in the Trusted Zone should be removed.

    Not a problem! It is a backup step just in case the bad files exist and they do not always exist.

    Please complete the rest of the procedure. You were not supposed to go back online until all steps were finished.
     
  7. Pimped

    Pimped Private E-2

    That key part {b51....-....} was different.

    I'm online on another computer, so it's OK.

    I'll remove the rest of the Trusted Zone. Apart from that, everything else is done; what should I do now?

    Thanks
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Finish doing what I requested in my procedure.
     
  9. Pimped

    Pimped Private E-2

    Woohoo, thanks matey. That mssmgr thing isn't too much cause for concern, is it?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes it is! And you still need to finish what I requested in message # 4.
     
  11. Pimped

    Pimped Private E-2

    Oh my god, I'm so sorry, I thought it uploaded the files. Here's me sitting all confused! Hehe

    Here you go, matey. I still don't know how I'm going to get it to stop showing that the antivirus is turned off. Is it just a simple transfer of the keys or something?
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's not worry about Norton being disabled yet. First you need to get all your malware removed.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now (if anything else is in the Trusted Zone, fix it too):
    O15 - Trusted IP range: http://202.67.220.225
    O15 - Trusted IP range: http://59.148.220.121
    O15 - Trusted IP range: http://62.4.84.53
    O15 - Trusted IP range: http://82.98.235.58
    O15 - Trusted IP range: http://85.12.25.90

    After clicking Fix, exit HJT.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    Now back on Killbox's main window, Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

    C:\WINDOWS\system32\arfjphmj.exe
    C:\WINDOWS\system32\ayrofhfe.exe
    C:\WINDOWS\system32\buxiamxd.exe
    C:\WINDOWS\system32\cknssaww.exe
    C:\WINDOWS\system32\dyuvnicq.exe
    C:\WINDOWS\system32\ewcbxmrf.exe
    C:\WINDOWS\system32\fiulirtf.exe
    C:\WINDOWS\system32\fjrxfufh.exe
    C:\WINDOWS\system32\fqkojwap.exe
    C:\WINDOWS\system32\joeskqet.exe
    C:\WINDOWS\system32\kffnrlql.exe
    C:\WINDOWS\system32\oapaacbm.exe
    C:\WINDOWS\system32\oaxusqep.exe
    C:\WINDOWS\system32\odjnlufy.exe
    C:\WINDOWS\system32\stdjlctc.exe
    C:\WINDOWS\system32\teoxnkxx.exe
    C:\WINDOWS\system32\tmcltvaj.exe
    C:\WINDOWS\system32\trhltetp.exe
    C:\WINDOWS\system32\twfbuheh.exe
    C:\WINDOWS\system32\ubhhjpbx.exe
    C:\WINDOWS\system32\unvogtju.exe
    C:\WINDOWS\system32\vfkjwgjb.exe
    C:\WINDOWS\system32\xogymbrr.exe
    C:\WINDOWS\system32\xpcasspy.exe
    C:\WINDOWS\system32\ydoifkgh.exe
    C:\WINDOWS\system32\ywksfkdb.exe
    C:\WINDOWS\Downloaded Program Files\UDC6_0001_D18M1108NetInstaller.exe

    If Killbox does not reboot or if you get a Pending Operations type error message just click OK to continue and then just reboot your PC yourself.


    Now attach a new HJT log and tell me how the steps went.

    Also attach a new log from ShowNew and a new log from GetRunKey.

    Make sure you tell me how things are working now!
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Ooops! I missed one!

    Have HJT fix the below line too:

    O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/installdrivecleanerstart.cab

    Why did you delete the O16 lines related to Bitdefender and Panda? Now if I request you to run new scans you will have to redownload all their files again. You should only be deleting what we ask you to delete and only running what we ask you to run and nothing else.
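    The removal steps in posts #4, #12 and #13 amount to a manual triage of a HijackThis log: every O15 Trusted Zone / Trusted IP range entry goes, O20 Winlogon Notify and O2 BHO entries that point at an unknown DLL go, and O16 DPF entries are kept only when they belong to an online scanner the helper asked for (BitDefender, Panda). Below is an added example, not part of this thread and not code from HijackThis or MajorGeeks, that applies those rules to a constructed HJT-style log modelled on the lines quoted above. The allowlist of Windows XP default Winlogon Notify DLLs, the allowlist of scanner hosts, and the GUID on the constructed BitDefender line are assumptions made for the illustration; the 8.3 short-path rule for O4 entries is a heuristic, not a verdict.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the HijackThis lines chaslang asked to fix in this
# thread; the BitDefender O16 line and its GUID are made up for the illustration.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {B5188738-04BA-4FBB-A920-A699D37F7422} - C:\WINDOWS\system32\vtstr.dll
O4 - HKCU\..\Run: [Srro] "C:\PROGRA~1\COMMON~1\STEM~1\chkntfs.exe" -vt yax
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O15 - Trusted Zone: http://www.winantiviruspro.com
O15 - Trusted IP range: http://202.67.220.225
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {00000000-0000-0000-0000-000000000001} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: vtstr - C:\WINDOWS\system32\vtstr.dll
O20 - Winlogon Notify: winexy32 - winexy32.dll (file missing)
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

# Assumption: the DLLs registered under Winlogon\Notify on a stock Windows XP install.
XP_DEFAULT_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                          "wlnotify.dll", "sclgntfy.dll"}

# Assumption: hosts of the online scanners the READ ME asks people to run.
TRUSTED_DPF_HOSTS = {"download.bitdefender.com", "acs.pandasoftware.com"}

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<rest>.+)$")
URL_RE = re.compile(r"https?://\S+")


def parse_hjt(text):
    """Split a HijackThis log into (section code, remainder) tuples."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group("code"), m.group("rest")))
    return out


def dll_name(target):
    """Last path component, lower-cased, with a trailing '(file missing)' dropped."""
    return target.strip().split("\\")[-1].split(" ")[0].lower()


def audit_hjt(text):
    """Return (code, entry, reason) findings for the entries an analyst would fix."""
    findings = []
    notify_dlls, bho_dlls = set(), set()
    for code, rest in parse_hjt(text):
        if code == "O15":
            # chaslang's rule in this thread: everything in the Trusted Zone goes.
            findings.append((code, rest, "trusted zone entry: remove unless you added it"))
        elif code == "O20" and rest.startswith("Winlogon Notify:"):
            _, _, target = rest.partition(" - ")
            dll = dll_name(target)
            notify_dlls.add(dll)
            if "(file missing)" in target:
                findings.append((code, rest, "orphaned Winlogon Notify entry"))
            elif dll not in XP_DEFAULT_NOTIFY_DLLS:
                findings.append((code, rest, "non-default Winlogon Notify DLL"))
        elif code == "O2":
            # Layout is "BHO: <name> - {GUID} - <path>"
            name, _, tail = rest.partition("BHO: ")[2].partition(" - ")
            path = tail.partition(" - ")[2]
            bho_dlls.add(dll_name(path))
            if name.strip() == "(no name)":
                findings.append((code, rest, "unnamed BHO"))
        elif code == "O4" and re.search(r"~\d\\", rest):
            # Heuristic only: 8.3 short paths in Run keys are unusual for real software.
            findings.append((code, rest, "Run entry uses an 8.3 short path; review"))
        elif code == "O16":
            m = URL_RE.search(rest)
            host = urlparse(m.group(0)).hostname if m else None
            if host not in TRUSTED_DPF_HOSTS:
                findings.append((code, rest, "ActiveX download from an unknown host"))
    # The same DLL registered as a BHO and as a Winlogon Notify handler (vtstr.dll
    # here) is what keeps it loaded in both explorer.exe and winlogon.exe.
    for dll in sorted(notify_dlls & bho_dlls):
        findings.append(("XREF", dll, "DLL loaded as both BHO and Winlogon Notify handler"))
    return findings


if __name__ == "__main__":
    for code, entry, reason in audit_hjt(SAMPLE_LOG):
        print(f"{code:5} {reason}: {entry}")
```

    Run it on a saved HJT log by reading the file into audit_hjt. The cross-reference at the end is the useful part: a DLL that shows up as both an O2 BHO and an O20 Winlogon Notify handler gets loaded into explorer.exe and winlogon.exe alike, which is why post #4 has you kill its threads in both processes before HJT can fix the entries.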
     
  14. Pimped

    Pimped Private E-2

    Did I delete them? I didn't do anything other than what you said, apart from that vstr.dll with that weird key sequence.

    Sorry, mate, I'll do that now and post the files.
     
  15. Pimped

    Pimped Private E-2

    OK, all done, mate.

    By the way, I downloaded and installed MSN 8.0 before I did the last set of instructions in post #12; I hope that didn't complicate things.

    How in the hell do you know which files are the infected files? However it is, I'm glad you're helping me, mate. It's looking much better already, and it's improved performance also.

    THANKSSSSSS :)
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes you did delete them. In your first message, your HJT log had these lines:
    and now they are gone. The only way they would go away is if you deleted them using HijackThis or my manual registry editing.

    Your log is clean. Is your antivirus program working okay now?

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  17. Pimped

    Pimped Private E-2

    Hmm, that's strange, I didn't touch them at all.

    My antivirus notify key has been deleted by one of those Panda or ActiveScan programs; it highlighted them as a threat.

    I'll have to try and find the keys on here, I guess.

    I'll do the System Restore now.

    If that's everything, thanks a lot for all your help.

    Do I have to keep those programs that I installed? I'll read that link you sent me. Thanksssssss
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't know what you are referring to. Panda did not delete anything. All it found was a few cookies. I don't know what you mean by antivirus notify key.


    Which programs in particular are you referring to? Things like Spybot, Windows Defender, CCleaner? Yes, you should keep them. No, you do not need to keep GetRunKey & ShowNew. They are very small and constantly change anyway. Process Explorer, Pocket Killbox, and HijackThis are good to have around in case they are needed, and they don't use any resources on your PC (other than some very small disk space) until you run them.
     
  19. Pimped

    Pimped Private E-2

    I found it:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center

    AntiVirusDisableNotify
    FirewallDisableNotify

    It set them both to 0; I set them back to 1.

    Oh OK, yeah, I'll keep those programs.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are wasting your time. You should not be touching this. There is nothing wrong with the settings as they are. They merely indicate that you are no longer using the Windows default settings. They were changed when you installed Symantec. Symantec is now your Security Center.
     
  21. Pimped

    Pimped Private E-2

    Actually, this was messed up by Spybot Search & Destroy, just in case anyone else has this problem. I just ran Spybot on a laptop, and it brought it up as a problem.

    Sorry if I sound cocky, mate, but might as well help someone out, innit.

    And you're a star, the computer is running smoothly. I just can't run HP's Application Recovery to reinstall the antivirus and firewall (I wanted to run it to fix that notify key thing), but I know now that that's not the problem.

    Thanks matey :)
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is not messed up by Spybot and everyone really already knows about it. Spybot is just telling you that the Windows system defaults have been changed. It is sort of a warning to make sure you know about it. It is not a problem and it cannot be fixed (there is nothing to fix) while you have another application running as your security center.
     
  23. Pimped

    Pimped Private E-2

    Aha, okay. Thanks for clearing that up.

    Just running some scans on my laptop. Dunno what caused it, but the whole hosts file needed to be reset, you know, the Winsock stuff.

    If it comes back with any problems, what should I post my logs under if I need any help? Like, what should I call the post?
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The hosts file should only be what is shown below in the quote box. This is the Windows default file.
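    The quote box with the Windows default hosts file did not survive in this copy of the thread. On Windows XP the only active line in that file is the loopback mapping `127.0.0.1 localhost`; everything else is comments. The added example below, which is not from this thread and not code from any of the tools used in it, parses a hosts file the way the Winsock/hosts reset tools do before deciding there is something to reset: it reports every active entry that is not the default, separating entries that pin a name to the loopback or unspecified address (the trick used to block antivirus update sites) from entries that redirect a name to some other host. The sample file and the domain names in it are constructed for the illustration.

```python
import ipaddress

# Constructed sample: an XP-style hosts file with two malicious additions.
SAMPLE_HOSTS = """\
# Sample HOSTS file header comment, as shipped with Windows.
#
127.0.0.1       localhost
127.0.0.1       update.example-av.test       # blocks AV updates
203.0.113.7     www.example-bank.test        # redirects to an attacker host
"""

# Windows XP ships with exactly this active mapping (the rest of the file is comments).
XP_DEFAULT_ENTRIES = {("127.0.0.1", "localhost")}


def parse_hosts(text):
    """Return (address, hostname) for every active mapping, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop whole-line and trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                            # malformed line: nothing is mapped
        addr, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue                            # first token is not an address
        for name in names:
            entries.append((addr, name.lower()))
    return entries


def audit_hosts(text):
    """Return (kind, address, hostname) for every entry that is not the XP default."""
    findings = []
    for addr, name in parse_hosts(text):
        if (addr, name) in XP_DEFAULT_ENTRIES:
            continue
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback or ip.is_unspecified:
            kind = "blackholed"   # name resolves to the machine itself: site is blocked
        else:
            kind = "redirected"   # name resolves elsewhere: possible phishing/redirect
        findings.append((kind, addr, name))
    return findings


def default_hosts_text():
    """Content to write back when resetting the file to the XP default."""
    return "127.0.0.1       localhost\n"


if __name__ == "__main__":
    for kind, addr, name in audit_hosts(SAMPLE_HOSTS):
        print(f"{kind:10} {addr:15} {name}")
```

    To check a real machine, read C:\WINDOWS\system32\drivers\etc\hosts into audit_hosts; an empty result means the file already matches the default and there is nothing to reset. Loopback and 0.0.0.0 entries are treated the same because either one makes the name unreachable.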
     
  25. Pimped

    Pimped Private E-2

    Oh cool. So far the scans are going well; only one spyware item found, and Spybot found a few things.

    Cheers, mate.
     
