vsmvhk.dll

Discussion in 'other security issues & news' started by spy1, Mar 7, 2005.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Playing around with a file.
     

    Attached Files:

  2. spy1

    spy1 Registered Member

    Re: Test

    Couple more to go.
     

    Attached Files:

  3. spy1

    spy1 Registered Member

    Re: Test

    Still playing.
     

    Attached Files:

  4. dog

    dog Guest

    Re: Test

    What app are you using to view the ADS Stream, Pete? It looks familiar :doubt:
     
  5. spy1

    spy1 Registered Member

    Re: Test

    Hey, let's check it to death.
     

    Attached Files:

  6. spy1

    spy1 Registered Member

    Re: Test

    Starting to think this thing may actually be alright.
     

    Attached Files:

  7. spy1

    spy1 Registered Member

    Re: Test

    It was TrojanHunter, dog (screenshots from post 1 & 2) - could have used TDS-3, too. (Actually did, in the other screenshot). Pete
     
  8. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Re: Test

    I wonder what this dll is, and what it is for.

    the winlogon dll too...strange.
     
  9. spy1

    spy1 Registered Member

    Re: Test

    I'm sure that's quite possible - if that's the case, I'm in the process of sending it to enough people to find out.

    Hey, can't a guy play with his toys? :D Pete

    (This one's from The Cleaner)
     

    Attached Files:

  10. Infinity

    Infinity Registered Member

    Re: Test

    In fact, like I said, PG should have blocked it...
     
  11. FanJ

    FanJ Guest

    Re: Test

    Hey Pete,

    Is that a CLSID that I see?

    If so, copy it from your TDS-log and search here:
    http://computercops.biz/CLSID.html

    As far as I could tell with those bad eyes of mine, it was:
    {4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
    and that one was not in there.

    Well anyhow, just only a guess ;)

    I hope your PC is clean my friend.
    Take care !!
    Warm regards, Jan.
     
  12. Infinity

    Infinity Registered Member

    Re: Test

    The problem is the key is found in app_init.dll in the registry... that concerns me to begin with; the fact I cannot find a single thing on the whole www concerns me more, and the fact you have a sunotify.dll in your winlogon makes the thing complete.

    maybe I am wrong here, if so, forgive me.

    Inf.
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Re: Test

    Good thinking Jan, but that CLSID is the one for ADS. :)

    Regards,

    Pieter
     
  14. FanJ

    FanJ Guest

    Re: Test

    Whoops :oops: , thanks Pieter !!

    Cheers/groetjes, Jan.
     
  15. Infinity

    Infinity Registered Member

    Re: Test

    If it's spyware and you have ProcessGuard protecting that registry key from changes whatsoever, then I think it would be impossible to clean it...

    The fact that nothing indicates you're infected (except that M$ app) makes me wonder too...
     
  16. spy1

    spy1 Registered Member

    Re: Test

    Well, I removed winlogon from PG's protection list - I'll wait and see what - if anything - makes it do a request.

    I'm sure I could get rid of the vsmvhk.dll if I wanted to, but at this point I'm simply not sure that it's a good idea.

    I'll wait and see what further comes to light. Pete
     
  17. Marja

    Marja Honestly, I'm not a bot!!

    Joined:
    Mar 8, 2004
    Posts:
    4,553
    Location:
    In the Vast Fields of My Mind
    Re: Test

    Well, you got my curiosity going, Spy1. I'll wait with you and Infinity to see what the heck it is!? :D
     
  18. Infinity

    Infinity Registered Member

    Re: Test

    I hope I didn't give you an attack...:(
     
  19. spy1

    spy1 Registered Member

    Re: Test

    <g> No, not at all. I'm just trying to find out what it is for you, Infinity.

    And, hey - if it's the discovery of the century, it's still all good! Pete
     
  20. Infinity

    Infinity Registered Member

    Re: Test

    Thanx Pete!!

    With your arsenal it shouldn't be malware anyway.

    Inf.
     
  21. spy1

    spy1 Registered Member

    Re: Test

    Interesting.
     

    Attached Files:

  22. spy1

    spy1 Registered Member

    Re: Test

    And then it added itself to explorer.exe.
     

    Attached Files:

  23. spy1

    spy1 Registered Member

    Re: Test

    Is anyone reading this using Ryan_Means_GCWN for adding a "Streams" tab to your "Properties" tabs? If so, could you do a "Search" on your computer for the vsmvhk.dll? Not saying the two are connected, just trying to see if they are. Pete
     
  24. Infinity

    Infinity Registered Member

    Re: Test

    Hi Pete, I just installed it and I cannot see a dll in Process Explorer with that name...

    If it is adding the dll into the apinit_dll registry setting it will be blocked by PG and RegDefend.

    It is not that.


    Inf.
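An added triage script, written for this page and not posted by anyone in the thread, that checks the three places the discussion keeps circling back to: the AppInit_DLLs value, the Winlogon Notify key, and the alternate data streams on the file itself (what the "Streams" tab shows). The DLL name is a parameter defaulting to the thread's vsmvhk.dll; the Notify key is assumed to exist only on XP/2003-era systems, so its absence is not an error.

```powershell
# Added example (not from the thread): enumerate the persistence points discussed above
# and locate a named DLL. Run in an elevated PowerShell 3+ session.
param([string]$DllName = 'vsmvhk.dll')   # name taken from the thread title

# 1. AppInit_DLLs: every DLL listed here is loaded into each process that loads user32.dll
$winKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue).AppInit_DLLs
Write-Host "AppInit_DLLs = '$appInit'"

# 2. Winlogon Notify packages (XP/2003-era key; absent on Vista and later, hence SilentlyContinue)
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
Get-ChildItem -Path $notifyKey -ErrorAction SilentlyContinue | ForEach-Object {
    $dll = (Get-ItemProperty -Path $_.PSPath).DLLName
    Write-Host ("Winlogon Notify: {0} -> {1}" -f $_.PSChildName, $dll)
}

# 3. Where on disk does the DLL live, and does it carry a publisher signature?
$hits = Get-ChildItem -Path $env:SystemRoot -Recurse -Filter $DllName -File -ErrorAction SilentlyContinue
foreach ($f in $hits) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    Write-Host ("Found {0}  signature={1}  signer={2}" -f $f.FullName, $sig.Status, $sig.SignerCertificate.Subject)

    # 4. Alternate data streams on the file; ':$DATA' is the ordinary unnamed stream, so skip it
    Get-Item -Path $f.FullName -Stream * | Where-Object Stream -ne ':$DATA' |
        ForEach-Object { Write-Host ("  ADS: {0} ({1} bytes)" -f $_.Stream, $_.Length) }
}
```

An unsigned DLL that appears in AppInit_DLLs or a Notify subkey and carries a named stream is worth submitting to a vendor, as the thread's author did; a signed file from a known publisher with no extra streams is most likely benign.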
     
  25. spy1

    spy1 Registered Member

    Take a look at this and see what you all think. Since I just started using Filemon today, I'm not really sure what I'm seeing there (what it means, that is). Pete

    NM - I can't upload a zip, apparently. Crap.
     