vstart.exe - Dangerous

Antivirus Report of vstart.exe:
vstart.exe - Malware, Dangerous, High Risk

Manual removal instructions:
We suggest that you remove mtlrd.sys from your computer as soon as possible.
mtlrd.sys is the kernel-mode driver installed by the same dropper that writes vstart.exe; it is classified as a Trojan/Backdoor.
Stop the mtlrd service, delete the file mtlrd.sys and remove the mtlrd service entry so that it no longer loads at Windows startup.

File: 0001.exe
-------------------------------------------------------------------------------------
Classification (a result of "-" means that engine did not detect the file):
Antivirus Version Last Update Result
Avast 4.8.1335.0 2009.08.20 JS:ADODB-BM
AVG 8.5.0.406 2009.08.21 Generic_c.AYVN
BitDefender 7.2 2009.08.21 Dropped:Generic.XPL.ADODB.727242F7
Comodo 2039 2009.08.21 TrojWare.Win32.TrojanDropper.VBS.~A
DrWeb 5.0.0.12182 2009.08.21 -
F-Secure 8.0.14470.0 2009.08.20 Trojan-Downloader.JS.gen
Kaspersky 7.0.0.125 2009.08.21 Trojan-Downloader.JS.gen
Microsoft 1.4903 2009.08.20 Trojan:Win32/Meredrop
NOD32 4353 2009.08.20 -
Symantec 1.4.4.12 2009.08.21 Trojan.Dropper

Additional information
File size: 6656 bytes
MD5 : 85eb9b8f35bf328cac83499dd08fcfcd
SHA1 : e0cf71b2b0a4246ee2b811dd484d81f0f1edbbf8
-------------------------------------------------------------------------------------
Installation
When the sample is executed it makes the registry, file and folder changes listed below. The entries that matter for persistence and removal are: the mtlrd service (Type 0x1 = kernel-mode driver, Start 0x2 = automatic start, ImagePath under All Users\Application Data instead of %SystemRoot%\system32\drivers); the Enum\Root\LEGACY_MTLRD instance, which Windows creates when that legacy driver is loaded, so the driver did run during the analysis; the Active Setup Installed Components entry {2bf41072-b2b1-21c1-b5c1-0305f4545525}, whose StubPath runs C:\Program Files\WinRAR\stimon.pif once for every user at that user's next logon (the matching HKCU key shows it has already run for the current user); and the CLSID key {F9BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38}, which holds the loader's configuration (the machine's MAC address, a version, the names of the driver and DLL it installs, and an id "fid" that reappears in the downloaded file name kzdh@loader-lyrics_2265.dll). The MSHist cache keys, the Internet Explorer window and desktop values and the SmartScreen cache are side effects of the sample using Internet Explorer/WinInet and are not persistence indicators.

----------------------------------
Keys deleted:1
----------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012009081120090812

----------------------------------
Keys added:15
----------------------------------
HKLM\SOFTWARE\Classes\CLSID\{F9BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38}
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{2bf41072-b2b1-21c1-b5c1-0305f4545525}
HKLM\SOFTWARE\Microsoft\ESENT\Process\ipconfig
HKLM\SOFTWARE\Microsoft\ESENT\Process\ipconfig\DEBUG
HKLM\SOFTWARE\Microsoft\DownloadManager
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTLRD
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTLRD\0000
HKLM\SYSTEM\CurrentControlSet\Services\Apcdli
HKLM\SYSTEM\CurrentControlSet\Services\mtlrd
HKLM\SYSTEM\CurrentControlSet\Services\mtlrd\Security
HKCU\Software\Microsoft\Active Setup\Installed Components\{2bf41072-b2b1-21c1-b5c1-0305f4545525}
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012009081020090817
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012009082120090822
HKCU\Software\Microsoft\Windows Script Host
HKCU\Software\Microsoft\Windows Script Host\Settings

----------------------------------
Values deleted:5
----------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012009081120090812\CachePath: "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012009081120090812"
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012009081120090812\CachePrefix: ":2009081120090812: "
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012009081120090812\CacheLimit: 0x00002000
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012009081120090812\CacheOptions: 0x0000000B
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012009081120090812\CacheRepair: 0x00000000

----------------------------------
Values added:35
----------------------------------
HKLM\SOFTWARE\Classes\CLSID\{F9BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38}\dlloadtime: "1250837114"
HKLM\SOFTWARE\Classes\CLSID\{F9BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38}\mac: "00-0C-29-82-06-4B"
HKLM\SOFTWARE\Classes\CLSID\{F9BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38}\dln: "0"
HKLM\SOFTWARE\Classes\CLSID\{F9BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38}\fid: "2265"
HKLM\SOFTWARE\Classes\CLSID\{F9BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38}\wversion: "4.5.0"
HKLM\SOFTWARE\Classes\CLSID\{F9BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38}\lver: "4.5.0"
HKLM\SOFTWARE\Classes\CLSID\{F9BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38}\ladd: ""
HKLM\SOFTWARE\Classes\CLSID\{F9BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38}\ldll: "mtlrd.dll"
HKLM\SOFTWARE\Classes\CLSID\{F9BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38}\lsys: "mtlrd"
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{2bf41072-b2b1-21c1-b5c1-0305f4545525}\StubPath: "C:\Program Files\WinRAR\stimon.pif"
HKLM\SOFTWARE\Microsoft\ESENT\Process\ipconfig\DEBUG\Trace Level: ""
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTLRD\0000\Service: "mtlrd"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTLRD\0000\Legacy: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTLRD\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTLRD\0000\Class: "LegacyDriver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTLRD\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTLRD\0000\DeviceDesc: "mtlrd"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTLRD\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\Apcdli\TempPath: "\??\C:\WINDOWS\Temp\kzdh@loader-lyrics_2265.dll"
HKLM\SYSTEM\CurrentControlSet\Services\mtlrd\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\mtlrd\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\mtlrd\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\mtlrd\ErrorControl: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\mtlrd\ImagePath: "\??\C:\Documents and Settings\All Users\Application Data\Microsoft\Media Player\wmp\mtlrd.sys"
HKLM\SYSTEM\CurrentControlSet\Services\mtlrd\DisplayName: "mtlrd"
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012009081020090817\CachePath: "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012009081020090817"
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012009081020090817\CachePrefix: ":2009081020090817: "
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012009081020090817\CacheLimit: 0x00002000
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012009081020090817\CacheOptions: 0x0000000B
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012009081020090817\CacheRepair: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012009082120090822\CachePath: "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012009082120090822"
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012009082120090822\CachePrefix: ":2009082120090822: "
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012009082120090822\CacheLimit: 0x00002000
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012009082120090822\CacheOptions: 0x0000000B
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012009082120090822\CacheRepair: 0x00000000
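
The Security value under Services\mtlrd above is a binary self-relative SECURITY_DESCRIPTOR that the service control manager writes when a service is created; it decides who may stop, reconfigure or delete the driver service. The following Python is an added example, not code from this report or from RegRun/UnHackMe: it decodes that exact byte string (copied from the Values added list) into owner, group, DACL and SACL entries. The structure layouts are the documented Win32 ones and the SID and service-right names are the standard ones; the constants and output format are this example's own.

```python
"""Decode the self-relative SECURITY_DESCRIPTOR stored in the
Services\\mtlrd\\Security\\Security value of the report above.

Added example, not code from the original report or from RegRun/UnHackMe.
Layouts follow the documented Win32 SECURITY_DESCRIPTOR_RELATIVE, ACL,
ACE_HEADER and SID structures; only the ACE types and access rights needed
to read a service DACL are named here.
"""
import struct

# Byte dump copied verbatim from the report's Values added list.
MTLRD_SECURITY_HEX = (
    "01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 "
    "01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 "
    "02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 "
    "12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 "
    "20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 "
    "00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 "
    "01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00"
)

SE_DACL_PRESENT, SE_SACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x0010, 0x8000
ACE_TYPES = {0x0: "ACCESS_ALLOWED", 0x1: "ACCESS_DENIED", 0x2: "SYSTEM_AUDIT"}
SERVICE_ALL_ACCESS = 0x000F01FF
# Service-specific rights (winsvc.h) plus the standard rights they combine with.
SERVICE_RIGHTS = [
    (0x0001, "QUERY_CONFIG"), (0x0002, "CHANGE_CONFIG"), (0x0004, "QUERY_STATUS"),
    (0x0008, "ENUMERATE_DEPENDENTS"), (0x0010, "START"), (0x0020, "STOP"),
    (0x0040, "PAUSE_CONTINUE"), (0x0080, "INTERROGATE"), (0x0100, "USER_DEFINED_CONTROL"),
    (0x00010000, "DELETE"), (0x00020000, "READ_CONTROL"),
    (0x00040000, "WRITE_DAC"), (0x00080000, "WRITE_OWNER"),
]
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "Local System", "S-1-5-32-544": "Administrators",
    "S-1-5-32-547": "Power Users",
}


def parse_sid(buf, off):
    """SID: revision, sub-authority count, 48-bit big-endian authority, DWORD sub-authorities."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)


def parse_acl(buf, off):
    """ACL header (8 bytes) then AceCount ACEs, each: type, flags, size, mask, SID."""
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, flags, size, mask = struct.unpack_from("<BBHI", buf, pos)
        aces.append((ACE_TYPES.get(ace_type, "TYPE_%d" % ace_type), flags, mask,
                     parse_sid(buf, pos + 8)))
        pos += size  # AceSize covers header, mask and SID
    return aces


def parse_security_descriptor(buf):
    """SECURITY_DESCRIPTOR_RELATIVE: revision, sbz, control, then owner/group/SACL/DACL offsets."""
    rev, _sbz1, control, owner, group, sacl, dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision-1 self-relative security descriptor")
    return {
        "control": control,
        "owner": parse_sid(buf, owner) if owner else None,
        "group": parse_sid(buf, group) if group else None,
        "sacl": parse_acl(buf, sacl) if control & SE_SACL_PRESENT and sacl else None,
        "dacl": parse_acl(buf, dacl) if control & SE_DACL_PRESENT and dacl else None,
        # A present-but-NULL DACL (offset 0) means the object is unprotected: everyone has full access.
        "null_dacl": bool(control & SE_DACL_PRESENT) and dacl == 0,
    }


def mask_names(mask):
    """Render a service access mask as right names."""
    if mask == SERVICE_ALL_ACCESS:
        return "SERVICE_ALL_ACCESS"
    return "|".join(name for bit, name in SERVICE_RIGHTS if mask & bit) or hex(mask)


def describe(buf):
    """Human-readable lines: owner/group, then every DACL and SACL entry."""
    sd = parse_security_descriptor(buf)
    lines = ["Owner: %s  Group: %s" % (WELL_KNOWN_SIDS.get(sd["owner"], sd["owner"]),
                                       WELL_KNOWN_SIDS.get(sd["group"], sd["group"]))]
    for acl in ("dacl", "sacl"):
        for ace_type, flags, mask, sid in sd[acl] or []:
            lines.append("%s %-14s flags=0x%02x %-19s %s" % (
                acl.upper(), ace_type, flags, WELL_KNOWN_SIDS.get(sid, sid), mask_names(mask)))
    return lines


if __name__ == "__main__":
    print("\n".join(describe(bytes.fromhex(MTLRD_SECURITY_HEX))))
```

On the report's bytes this prints Local System as owner and group; a DACL giving Administrators SERVICE_ALL_ACCESS, Local System and Power Users every right except CHANGE_CONFIG, DELETE, WRITE_DAC and WRITE_OWNER, and Authenticated Users query rights only; and a single failed-access audit ACE for Everyone. That is exactly the default descriptor the Windows XP service control manager assigns to a newly created service, so the dropper relied on CreateService defaults rather than locking the service down: any administrator can stop and delete it, which is what removing mtlrd from startup comes down to. On a live host, sc.exe sdshow mtlrd prints the same descriptor in SDDL form.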

----------------------------------
Values modified:8
----------------------------------
HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\Position: 2C 00 00 00 A0 00 00 00 00 00 00 00 80 02 00 00 3A 02 00 00 00 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00
HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\Position: 2C 00 00 00 A0 00 00 00 00 00 00 00 80 02 00 00 58 02 00 00 00 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00
HKCU\Software\Microsoft\Internet Explorer\Desktop\Old WorkAreas\OldWorkAreaRects: 00 00 00 00 00 00 00 00 20 03 00 00 3A 02 00 00
HKCU\Software\Microsoft\Internet Explorer\Desktop\Old WorkAreas\OldWorkAreaRects: 00 00 00 00 00 00 00 00 20 03 00 00 58 02 00 00
HKCU\Software\Microsoft\Internet Explorer\Main\Window_Placement: 2C 00 00 00 02 00 00 00 03 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00 20 03 00 00 3A 02 00 00
HKCU\Software\Microsoft\Internet Explorer\Main\Window_Placement: 2C 00 00 00 00 00 00 00 01 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00 20 03 00 00 3A 02 00 00
HKCU\Software\Microsoft\Internet Explorer\Security\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F\UserFile: 01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0 4F C2 97 EB 01 00 00 00 A2 C5 D9 2F 35 B2 BE 40 BC E1 10 8F D5 25 9D F2 00 00 00 00 24 00 00 00 53 00 6D 00 61 00 72 00 74 00 53 00 63 00 72 00 65 00 65 00 6E 00 20 00 43 00 61 00 63 00 68 00 65 00 00 00 03 66 00 00 A8 00 00 00 10 00 00 00 FD 92 C1 3E E5 8C A7 EC 0A 9D 64 AA 9D 37 67 D6 00 00 00 00 04 80 00 00 A0 00 00 00 /.../ FA 52 95 2D 92 27 48 46 7E BF 0E E0 36 11 81 55 01 AF A0 1D 41 93 0E 61 A8 B0 28 DF 16 46 7F C2 2D 58 F8 16 E1 A0 71 F3 E6 36 F0 93 A6 FE B1 AE 91 B6 60 83 5C A2 4D 39 F5 55 23 03 EB 58 14 00 00 00 35 DF 61 75 5F 3C 4F 4A 22 6B F1 43 1F 03 DC 87 E6 FF D9 D8

----------------------------------
Files added:16
----------------------------------
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012009081020090817\index.dat
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012009082120090822\index.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF78B.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF98DE.tmp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\_inimac
C:\Documents and Settings\All Users\Application Data\Microsoft\Media Player\wmp\mtlrd.sys
C:\Program Files\WinRAR\stclient.dll
C:\Program Files\WinRAR\stimon.pif
C:\Program Files\00007.exe
C:\Program Files\Microsoft Office\SYSTEM\sysbar.exe
C:\Program Files\vstart.exe
C:\WINDOWS\system32\mtlrd.dll
C:\WINDOWS\Temp\00004.exe
C:\WINDOWS\Temp\00006.exe
C:\WINDOWS\Temp\00008.exe
C:\WINDOWS\internet.vbs

----------------------------------
Files deleted:1
----------------------------------
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012009081120090812\index.dat

----------------------------------
Files [attributes?] modified:2
----------------------------------
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat

----------------------------------
Folders added:6
----------------------------------
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012009081020090817
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012009082120090822
C:\Documents and Settings\All Users\Application Data\Microsoft\Media Player\wmp
C:\Documents and Settings\All Users\Application Data\Microsoft\Outlook Express
C:\Program Files\Microsoft Office
C:\Program Files\Microsoft Office\SYSTEM

----------------------------------
Folders deleted:1
----------------------------------
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012009081120090812

----------------------------------
Total changes:90
----------------------------------
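
Reading a diff like the one above by hand means picking the few autostart entries out of the browser-cache noise. The following Python is an added example, not code from this report or from RegRun/UnHackMe: it parses the "key\value: data" lines of this report format and applies three heuristic checks a responder would make by eye: an Active Setup StubPath, a service whose Type marks it as a driver but whose ImagePath is outside system32\drivers (plus whether it starts automatically), and an Enum\Root\LEGACY_* instance showing the driver was actually loaded. The excerpt embedded in the block is copied from the Values added list; the rules, their thresholds and the output format are this example's own, and the profile/temp-directory heuristic is an assumption that will need tuning on other reports.

```python
"""Extract autostart artifacts from a RegRun-style sandbox registry diff.

Added example, not code from the original report or from RegRun/UnHackMe.
REPORT_EXCERPT is copied from the 'Values added' list above; the detection
rules (heuristics) and their wording are this example's own.
"""
import re

REPORT_EXCERPT = r"""
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{2bf41072-b2b1-21c1-b5c1-0305f4545525}\StubPath: "C:\Program Files\WinRAR\stimon.pif"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTLRD\0000\Service: "mtlrd"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTLRD\0000\Class: "LegacyDriver"
HKLM\SYSTEM\CurrentControlSet\Services\Apcdli\TempPath: "\??\C:\WINDOWS\Temp\kzdh@loader-lyrics_2265.dll"
HKLM\SYSTEM\CurrentControlSet\Services\mtlrd\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\mtlrd\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\mtlrd\ErrorControl: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\mtlrd\ImagePath: "\??\C:\Documents and Settings\All Users\Application Data\Microsoft\Media Player\wmp\mtlrd.sys"
HKLM\SYSTEM\CurrentControlSet\Services\mtlrd\DisplayName: "mtlrd"
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012009082120090822\CachePrefix: ":2009082120090822: "
"""

# "<key>\<value name>: <data>"; value names contain neither '\' nor ':'.
LINE_RE = re.compile(r"^(HK[A-Z]+\\.+?)\\([^\\:]+): (.*)$")

SERVICE_TYPES = {0x1: "kernel driver", 0x2: "file system driver",
                 0x10: "own-process service", 0x20: "shared-process service"}
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}
DRIVER_DIR = "\\system32\\drivers\\"
# Heuristic (assumption): directories a legitimate service image should not live in.
USER_WRITABLE_DIRS = ("\\temp\\", "\\application data\\", "\\documents and settings\\")


def parse_data(data):
    """Quoted strings become str, 0x... DWORDs become int, anything else stays raw."""
    data = data.strip()
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1]
    if data.startswith("0x"):
        return int(data, 16)
    return data


def parse_values(text):
    """Map each registry key path to a dict of its value names and data."""
    keys = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            key, name, data = m.groups()
            keys.setdefault(key, {})[name] = parse_data(data)
    return keys


def strip_nt_prefix(path):
    """Turn an NT-style '\\??\\C:\\...' ImagePath into a plain Win32 path."""
    return path[4:] if path.startswith("\\??\\") else path


def triage(keys):
    """Return (kind, name, path, reason) tuples for the autostart artifacts found."""
    findings = []
    for key, vals in keys.items():
        low = key.lower()
        name = key.rsplit("\\", 1)[1]
        if "\\active setup\\installed components\\" in low and "StubPath" in vals:
            findings.append(("ActiveSetup", name, vals["StubPath"],
                             "StubPath runs once for every user at that user's next logon"))
        elif "\\currentcontrolset\\services\\" in low and "ImagePath" in vals:
            path = strip_nt_prefix(vals["ImagePath"])
            svc_type, start = vals.get("Type"), vals.get("Start")
            reasons = []
            if svc_type in (0x1, 0x2) and DRIVER_DIR not in path.lower():
                reasons.append("%s loaded from outside system32\\drivers" % SERVICE_TYPES[svc_type])
            elif any(d in path.lower() for d in USER_WRITABLE_DIRS):
                reasons.append("service image under a profile or temp directory")
            if reasons and start in (0, 1, 2):
                reasons.append("%s start" % START_TYPES[start])
            if reasons:
                findings.append(("Service", name, path, "; ".join(reasons)))
        elif "\\enum\\root\\legacy_" in low and "Service" in vals:
            findings.append(("LegacyDriver", vals["Service"], key,
                             "instance key is created when the legacy driver is loaded, so it ran"))
    return findings


if __name__ == "__main__":
    for kind, name, path, reason in triage(parse_values(REPORT_EXCERPT)):
        print("%-12s %-40s %s\n%13s%s" % (kind, name, path, "", reason))
```

The Apcdli key is deliberately not reported: it has only a TempPath value and no ImagePath or Type, so it is configuration left by the loader rather than a service that can start. On a live host the same three checks can be run against the real registry (for example by walking the keys with winreg) instead of a report excerpt.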

-------------------------------------------------------------------------------------
Internet activity:
The sample downloads further executables (00004.exe to 00008.exe) from www.procto.cn and contacts release.51edm.net and update.51edm.net; the count.asp request carries a mac parameter, and the loader stores the machine's MAC address under its CLSID key. The crl.microsoft.com, crl.verisign.com and crl.usertrust.com requests are certificate revocation list downloads that Windows makes while verifying a code signature; they are normal system traffic, not attacker infrastructure.
HTTP GET http://www.procto.cn/xz/00004.exe
HTTP GET http://www.procto.cn/dll/00005.exe
HTTP GET http://www.procto.cn/xz/00006.exe
HTTP GET http://www.procto.cn/xz/00007.exe
HTTP GET http://www.procto.cn/xz/00008.exe
HTTP GET http://release.51edm.net/geturl.php?q=Fa...
HTTP GET http://update.51edm.net/20090806/01.kdg?...
HTTP GET http://www.procto.cn/cpa/count.asp?mac=0...
HTTP GET http://www.procto.cn/favicon.ico
HTTP GET http://release.51edm.net/puturl.php?q=Fa...
HTTP GET http://www.procto.cn/cpa.txt
HTTP GET http://crl.microsoft.com/pki/crl/product...
HTTP GET http://crl.verisign.com/pca3.crl
HTTP GET http://csc3-2004-crl.verisign.com/CSC3-2...
HTTP GET http://crl.microsoft.com/pki/crl/product...
HTTP GET http://crl.microsoft.com/pki/crl/product...
HTTP GET http://crl.usertrust.com/UTN-USERFirst-O...
HTTP GET http://crl.microsoft.com/pki/crl/product...
-------------------------------------------------------------------------------------
Detected by RegRun Reanimator:

Item Name: {2bf41072-b2b1-21c1-b5c1-0305f4545525}
Author: Unknown
Related File: C:\Program Files\WinRAR\stimon.pif
Type: ActiveSetup

After first reboot detected by RegRun Reanimator:

Item Name: mtlrd
Author:
Related File: \??\C:\Documents and Settings\All Users\Application Data\Microsoft\Media Player\wmp\mtlrd.sys
Type: Services detected by Partizan

Removal Results: Success
Number of reboots: 1
-------------------------------------------------------------------------------------

Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)




Dmitry Sokolov:

I created UnHackMe in 2006 to fix the problem that antiviruses did not fix: detecting rootkits.

Since that time I have worked every day to fix the issues that antiviruses cannot.

If your antivirus has not helped you solve the problem, you should try UnHackMe.

We are a small company and you can ask me directly if you have any questions.
