1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Help Me Please!!!

Discussion in 'Virus & Other Malware Removal' started by moozer, Feb 1, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. moozer

    moozer Thread Starter

    Joined:
    Jul 3, 2005
    Messages:
    665
    I've got something on my system called Antivermins - claims it's a high-end antispyware prog - links to a legit looking site.

    I aint so sure - so I'm here to ask for help. Dunno where it's come from!

    Keeps popping up with a "System Alert" flashing a warning symbol in sys tray

    Somebody please help before it starts getting jiggy with my PC!!!
     
  2. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    * Click here to download HJTsetup.exe.
    Save HJTsetup.exe to your desktop.

    Double click on the HJTsetup.exe icon on your desktop.
    By default it will install to C:\Program Files\Hijack This.
    Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
    Put a check by Create a desktop icon then click Next again.
    Continue to follow the rest of the prompts from there.
    At the final dialogue box click Finish and it will launch Hijack This.
    Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
    Click Save to save the log file and then the log will open in notepad.
    Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    Come back here to this thread and Paste the log in your next reply.
    DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
     
  3. moozer

    moozer Thread Starter

    Joined:
    Jul 3, 2005
    Messages:
    665
    Logfile of HijackThis v1.99.1
    Scan saved at 15:42:01, on 02/02/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\Program Files\Windows Defender\MsMpEng.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\ntl\ntl Netguard\fws.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    D:\Program Files\Common Files\Command Software\dvpapi.exe
    D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    D:\WINDOWS\system32\nvsvc32.exe
    D:\Program Files\CyberLink\Shared files\RichVideo.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
    D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    D:\Program Files\QuickTime\qttask.exe
    D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    D:\Program Files\Winamp\winampa.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
    D:\Program Files\Mozilla Firefox\firefox.exe
    D:\WINDOWS\system32\msiexec.exe
    D:\Program Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - D:\Program Files\ntl\ntl Netguard\pkR.dll
    O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - D:\Program Files\ntl\ntl Netguard\FBHR.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - D:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [BJCFD] D:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "D:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0CFA086E-6336-4D95-B6AA-90F564E99631} (TNSClicker.Clicker) - http://www.shopandscan.com/TNSClicker.CAB
    O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink.com/winxp/CheckDVD.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
    O21 - SSODL: exemplars - {2acf3add-34a1-4f2f-99cf-cc69785d1e90} - D:\WINDOWS\system32\cwgppb.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - D:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - D:\Program Files\ntl\ntl Netguard\fws.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - D:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - D:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
     
  4. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Please download SmitfraudFix (by S!Ri)
    Extract the content (a folder named SmitfraudFix) to your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm
     
  5. moozer

    moozer Thread Starter

    Joined:
    Jul 3, 2005
    Messages:
    665
    SmitFraudFix v2.138

    Scan done at 20:08:54.95, 02/02/2007
    Run from D:\Documents and Settings\Andy.HOME-6D4DFB4A45\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is FAT32
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» D:\


    »»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» D:\Documents and Settings\Andy.HOME-6D4DFB4A45


    »»»»»»»»»»»»»»»»»»»»»»»» D:\Documents and Settings\Andy.HOME-6D4DFB4A45\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu

    D:\DOCUME~1\ALLUSE~1.WIN\STARTM~1\Online Security Guide.url FOUND !
    D:\DOCUME~1\ALLUSE~1.WIN\STARTM~1\Security Troubleshooting.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» D:\DOCUME~1\ANDY~1.HOM\FAVORI~1

    D:\DOCUME~1\ANDY~1.HOM\FAVORI~1\Online Security Test.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Desktop

    D:\DOCUME~1\ALLUSE~1.WIN\DESKTOP\Online Security Guide.url FOUND !
    D:\DOCUME~1\ALLUSE~1.WIN\DESKTOP\Security Troubleshooting.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» D:\Program Files

    D:\Program Files\AntiVermeans\ FOUND !
    D:\Program Files\Video ActiveX Object\ FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{2acf3add-34a1-4f2f-99cf-cc69785d1e90}"="exemplars"

    [HKEY_CLASSES_ROOT\CLSID\{2acf3add-34a1-4f2f-99cf-cc69785d1e90}\InProcServer32]
    @="D:\WINDOWS\system32\cwgppb.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2acf3add-34a1-4f2f-99cf-cc69785d1e90}\InProcServer32]
    @="D:\WINDOWS\system32\cwgppb.dll"



    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  6. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

    Next, please reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Warning: running option #2 on a non infected computer will remove your Desktop background.
     
  7. moozer

    moozer Thread Starter

    Joined:
    Jul 3, 2005
    Messages:
    665
    SmitFraudFix v2.138

    Scan done at 21:09:05.44, 02/02/2007
    Run from D:\Documents and Settings\Andy.HOME-6D4DFB4A45\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is FAT32
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{2acf3add-34a1-4f2f-99cf-cc69785d1e90}"="exemplars"

    [HKEY_CLASSES_ROOT\CLSID\{2acf3add-34a1-4f2f-99cf-cc69785d1e90}\InProcServer32]
    @="D:\WINDOWS\system32\cwgppb.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2acf3add-34a1-4f2f-99cf-cc69785d1e90}\InProcServer32]
    @="D:\WINDOWS\system32\cwgppb.dll"


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri

    D:\WINDOWS\system32\cwgppb.dll -> Hoax.Win32.Renos.gen.i
    D:\WINDOWS\system32\cwgppb.dll -> Deleted


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    D:\DOCUME~1\ALLUSE~1.WIN\STARTM~1\Online Security Guide.url Deleted
    D:\DOCUME~1\ALLUSE~1.WIN\STARTM~1\Security Troubleshooting.url Deleted
    D:\DOCUME~1\ALLUSE~1.WIN\DESKTOP\Online Security Guide.url Deleted
    D:\DOCUME~1\ALLUSE~1.WIN\DESKTOP\Security Troubleshooting.url Deleted
    D:\DOCUME~1\ANDY~1.HOM\FAVORI~1\Online Security Test.url Deleted
    D:\Program Files\AntiVermeans\ Deleted
    D:\Program Files\Video ActiveX Object\ Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  8. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Run ActiveScan online virus scan:
    http://www.pandasoftware.com/products/activescan.htm

    Once you are on the Panda site click the Scan your PC button.
    A new window will open...click the Check Now button.
    Enter your Country.
    Enter your State/Province.
    Enter your e-mail address and click send.
    Select either Home User or Company.
    Click the big Scan Now button.
    If it wants to install an ActiveX component allow it.
    It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    When download is complete, click on My Computer to start the scan.
    When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
    Post the contents of the ActiveScan report.
     
  9. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/540378

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice