open port for trojans?

  1. #1
    monkey21 (Newbie)

    If anyone can help: I have had the same process on my computer for ages. Its source file is
    C:\WINDOWS\System32\vtd_16.exe

    I have got AVG - that has found two trojans previously but never found or got rid of this process.

    I have got Spybot and have run it as requested. I always get the same spyware.
    Haxdoor-H: Library (File, fixed)
    C:\WINDOWS\system32\klogini.dll
    DSO Exploit: Data source object exploit (Registry change, fixed)
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
    DSO Exploit: Data source object exploit (Registry change, fixed)
    HKEY_USERS\S-1-5-21-2693076698-2552189465-2221179514-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
    DSO Exploit: Data source object exploit (Registry change, fixed)
    HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
    DSO Exploit: Data source object exploit (Registry change, fixed)
    HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
    DSO Exploit: Data source object exploit (Registry change, fixed)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
    I also get the same message every time when fixing problems. The message is
    "SpybotSD.exe - Bad Image"
    "The application or DLL C:\WINDOWS\system32\klogini.dll is not a valid Windows image. Please check this against your installation diskette"
    I have also stopped some of the things in the system startup tool; I have stopped the things that do things with Asian characters?!!

    I have Adaware and have also run this as requested.

    I have Tweaknow RegCleaner that always finds deskpan.dll and fde.dll are not fully safe to delete but they are invalid values.

    I have Security Task Manager which always comes up with the process mentioned at the top of this message, it is given a process ID and it always comes from the same file - vtd_16.exe

    I have TrojanHunter which always reports open ports (16661) with the same PID as the one presently on the task manager above. I really need to know how to close these ports.

    I have Prevx which seems to be quite good at warning me of what is going on.

    I have ZoneAlarm Firewall, this has been brilliant, it has told me when vtd_16 has been trying to listen to me and outgoing to the net. Not really sure what all this means but I've been blocking it anyway.

    I have HijackThis, below is my log after doing all the scans etc. I am going to restart my computer before scanning in HijackThis.

    Please help
    I don't know how to get rid of this thing.

  2. #2
    monkey21 (Newbie)
    Logfile of HijackThis v1.98.2
    Scan saved at 15:27:22, on 20/12/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\PREVX\Prevx Home\PXAgent.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\PREVX\Prevx Home\SAGUI.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Lucie\Desktop\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [PrevxHome] C:\Program Files\PREVX\Prevx Home\SAGUI.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk.disabled
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - (no file)
    O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093259453895
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    Please help!

  3. #3
    owen, D-A-L Team Member (UK)
    Answers to questions:

    1. The Hijack This log is clean, no problems there.
    2. The spyware Spybot is detecting could be due to a bug. Please read the thread about DSO Exploit at the top of this forum. Download and install the update for Spybot.
    3. Boot into Safe Mode and go to the C:\Windows\System32 folder and delete: vtd_16.exe

    Then reboot and perform another Spybot scan and see how things are going.

  4. #4
    monkey21 (Newbie)
    Cannot find vtd_16.exe as a file, it is only a process.
    It is not a hidden file either!
    In Security Task Manager the whole program closes if I try to end process or quarantine.
    I have also found many files that have just arrived in the Spybot system startup.
    Many winlogon keys: their command lines are things like lsd_f3.dll, draw32, crypt32 etc.
    What are these? Google gives the impression that they are all bad!
    Help

  5. #5
    owen, D-A-L Team Member (UK)
    A process is a file. A file can't only be a process, because a process is basically a file and the file has to run from somewhere. Try performing a search for vtd_16.exe in Safe Mode and deleting it.

    Could you post a new Hijack This log please. Don't fix anything or remove them in Spybot or else it just hides them from me and I will think that your system is clean.
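The point owen makes above (a listening process always has an image file on disk) and the TrojanHunter report in the first post (an open port tied to a PID) can be checked in one step. The following PowerShell script is an added example, not code from the thread or from any of the tools it names: it lists every listening TCP port, resolves the owning PID to its executable path, reports whether that file sits under a normal install directory and whether it carries a valid Authenticode signature, and prints a SHA-256 for anything that fails either test. It assumes a modern Windows (8 / Server 2012 or later, where Get-NetTCPConnection exists), unlike the Windows XP machine in the thread, an elevated prompt so every process's path is readable, and a trusted-root list that you adjust to your own build.

```powershell
# Added example, not code from the thread: map every listening TCP port to the
# process that owns it and to the executable that process was started from,
# then report location and Authenticode status for that file.
# Assumptions: Windows 8 / Server 2012 or newer (Get-NetTCPConnection comes
# from the NetTCPIP module); run from an elevated prompt so ExecutablePath is
# readable for every process. The trusted-root list below is a local choice.

# Directories legitimate software on this machine normally runs from.
# Location alone proves nothing (the thread's vtd_16.exe sat in System32),
# which is why the signature status is reported next to it.
$trustedRoots = @(
    "$env:SystemRoot\",
    "$env:ProgramFiles\",
    "${env:ProgramFiles(x86)}\"
) | Where-Object { $_ -ne '\' }   # drop the empty x86 entry on 32-bit Windows

function Get-ListenerReport {
    Get-NetTCPConnection -State Listen |
        Sort-Object LocalPort, LocalAddress -Unique |
        ForEach-Object {
            $conn = $_
            # Win32_Process exposes ExecutablePath even where Get-Process cannot
            # open the process; it is $null for the kernel (PID 4).
            $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $($conn.OwningProcess)"
            $path = $proc.ExecutablePath

            if (-not $path) {
                $location  = 'no image path (kernel or access denied)'
                $signature = 'n/a'
            } else {
                $inTrusted = $false
                foreach ($root in $trustedRoots) {
                    if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                        $inTrusted = $true
                        break
                    }
                }
                $location  = if ($inTrusted) { 'trusted root' } else { 'UNUSUAL LOCATION' }
                # Status is Valid, NotSigned, HashMismatch, NotTrusted, ...
                $signature = (Get-AuthenticodeSignature -FilePath $path).Status
            }

            [pscustomobject]@{
                LocalAddress = $conn.LocalAddress
                LocalPort    = $conn.LocalPort
                PID          = $conn.OwningProcess
                Image        = $proc.Name
                Path         = $path
                Location     = $location
                Signature    = $signature
            }
        }
}

$report = Get-ListenerReport
$report | Format-Table LocalAddress, LocalPort, PID, Image, Location, Signature -AutoSize

# Anything unsigned or outside the trusted roots gets its SHA-256 printed so the
# file can be looked up in vendor databases before anyone deletes it.
$report |
    Where-Object { $_.Path -and ($_.Signature -ne 'Valid' -or $_.Location -ne 'trusted root') } |
    ForEach-Object {
        $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $_.Path).Hash
        '{0} (PID {1}) listens on {2}:{3} -> {4} [{5}]' -f `
            $_.Image, $_.PID, $_.LocalAddress, $_.LocalPort, $_.Path, $hash
    }
```

On the thread's XP machine the same information came from `netstat -ano` (port to PID) and Task Manager or Security Task Manager (PID to image). Resolving the path from the running process rather than searching Explorer is the useful part: a file that Explorer does not show but that a live PID is executing is exactly the situation described in post #4, and the path reported here is the one to inspect from Safe Mode.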

  6. #6
    monkey21 (Newbie)
    Hey thanks a million, I quarantined the process in Security Task Manager in Safe Mode. I think this has done the job.
    For the moment the settings on my computer look and seem safe.

    Thanks for your help

  7. #7
    owen, D-A-L Team Member (UK)
    That's good. Have a read of this information for antispyware and other security measures you can take:

    Preventing it returning

    After your problem has been resolved on the forum, it is an absolute MUST to do the following steps to prevent the problem returning. Click on the link to get access to the software or webpage that I'm referring to.

    1. Visit Windows Update
    Pay a visit to Windows Update and scan for and download ALL Critical Updates and Service Packs. New updates are usually released monthly so check back to Windows Update every month.

    2. Download Antivirus Software-
    If you haven't already got Antivirus software, you should download and install AVG Antivirus. It is freeware and is updated nearly every 2 days (sometimes more frequently if there are a lot of new viruses) and in my opinion, is better than some Antivirus software such as Norton. Antivirus software will prevent viruses infecting your system and it is important that you update it every two days or every week at the most.

    3. Download a Firewall-
    If you haven't already got a firewall, it is Very important that you download one. Firewalls will prevent unauthorised access to your computer and stop data leaking out of your computer. You may think that it won't happen to you, but Hackers don't care who you are, what you do, where you live or what you had for tea last Sunday on your holiday in the Lake District, they want your data. Firewalls will keep these sneaks out and one of the best is Sygate Personal Firewall, which happens to be freeware.

    4. Spyware Scanners-
    It is important that as well as having real-time spyware protection, you have a spyware scanning application. If you have not already been told to download one earlier in this thread, it is a good idea to download Spybot Search And Destroy and Ad-aware. They are both spyware scanners and will search for and remove spyware. It is recommended that you have both, because one will pick up entries that the other misses. It is even a good idea to download these if you have other programs such as ASE, Spysweeper, Pest Patrol, etc., because one spyware scanner will not pick up everything. Please remember to update your spyware scanners weekly/fortnightly.

    5. Prevent Spyware slipping through Internet Explorer-
    Quite a lot of spyware slips through Internet Explorer if your settings are not tight enough. Spyware Blaster will help you prevent spyware slipping through and installing tracking cookies. Simply run it via Start> Programs> Spyware Blaster and click Enable All Protection and it will protect you. It doesn't even have to be open! Remember to update weekly/fortnightly.

    6. Constant Spyware Protection-
    It is important to have constant spyware protection. Spyware Guard works like an antivirus program but detects Spyware instead. It will constantly protect your system. Check for updates monthly.

    All Of these steps are very important and it is HIGHLY recommended that you download all of the programs mentioned for your own safety. Remember to Update everything (including Windows using Windows Update)! It is also a good idea to perform weekly/fortnightly scans with Spybot S&D, Ad-aware and your antivirus software.

    And last of all, please remember, that common sense is your greatest tool. Without it, spyware and other related Malware would rule!
