Help! Antivermins troubles
Moderator: Thanas
I uninstalled and deleted the "Antivermins" application folder, ran Spybot-S&D and Ad-Aware SE personal, found nothing, yet there is still that annoying little taskbar icon that goes "Click Me! Buy my products!" I'm at a loss. What do I do?
"The surest sign that the world was not created by an omnipotent Being who loves us is that the Earth is not an infinite plane and it does not rain meat."
"Lo, how free the madman is! He can observe beyond mere reality, and cogitates untroubled by the bounds of relevance."
Check your running processes and see if you see a suspicious one or two. Start up in safe mode and delete the offenders however you do that, I forget how. Make sure your startup of windows doesn't initiate anything that will restore deleted spyware. Scan using Ad-Aware for Alternate Data Streams. Try reg-cleaning tools like CCleaner and EasyCleaner cautiously (I can't guarantee you'll not blow up your computer or something but IMX they're very safe). Try HijackThis!
If all that doesn't work, you've exceeded my malware removal capacity too.
-
- Padawan Learner
- Posts: 235
- Joined: 2003-03-07 06:45pm
Download RogueRemover. This should remove AntiVermins.
Once you have run RogueRemover grab yourself the program called HijackThis.
And just do a scan, nothing more. There is a sticky thread on this forum where you can post the result.
OK, ran RogueRemover. Doesn't detect anything, even though the bloody thing is still in my bar. I'll post a hijackthis log in the appropriate thread.
Thanks.
@Shortie:
AntiVermins doesn't have an uninstaller.
I just realised that that annoying buy me tray icon might be something else than AntiVermins, a program called SmitFraud.
Download SmitfraudFix.zip
Save it and extract the program to your desktop but do not run it yet.
Write the next part of the help down before executing the steps detailed.
Reboot your computer in safe mode.
In case you do not know for sure how:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
- Instead of Windows loading as normal, a menu should appear
- Select the first option, to run Windows in Safe Mode.
- When you are at the logon prompt, log in as the user you normally log in as.
Run SmitfraudFix.exe, you should get a basic window with only a few options.
Select the 2nd option, that is Clean (safe mode recommended).
Let the program run. Eventually you will be asked "Do you want to clean the registry ? (y/n)"; press Y and Enter.
Your computer should shut down on its own after completion; when you restart, a notepad showing the log of removed files will be shown.
Next step:
Turn off your anti-virus program.
Run the following online virus scan: Panda online scan. It requires IE 5.0 or higher and you should allow the installing of the ActiveX component needed for the scan.
You will be asked a few questions about where you live, etc.
Once past that the scan will download files (and possibly ask for your permission to install the ActiveX component).
When the download is completed select Local Disks.
Once done save the log and re-enable your own virus scanner.
Note that I looked through your HijackThis log, but seeing that I'm not the official responder as indicated in the thread, I'm not going to clutter up who is helping by butting in there as well. But next time you are looking for a crack or warez, please select a site that is known to be free of drive-by installers.
I already did the SmitFraudFix thing, except it didn't reboot at the end.
OK, did the Panda ActiveScan. Here's the report:
Incident Status Location
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\uninst.exe
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\uninstaller.exe
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\François Luc\Application Data\Mozilla\Firefox\Profiles\tifvcpsc.default\cookies.txt[.com.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\François Luc\Application Data\Mozilla\Firefox\Profiles\tifvcpsc.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\François Luc\Application Data\Mozilla\Firefox\Profiles\tifvcpsc.default\cookies.txt[.adtech.de/]
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\François Luc\Application Data\Mozilla\Firefox\Profiles\tifvcpsc.default\cookies.txt[.anm.co.uk/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\François Luc\Application Data\Mozilla\Firefox\Profiles\tifvcpsc.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\François Luc\Application Data\Mozilla\Firefox\Profiles\tifvcpsc.default\cookies.txt[.cs.sexcounter.com/]
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\François Luc\Application Data\Mozilla\Firefox\Profiles\tifvcpsc.default\cookies.txt[.ct.360i.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\François Luc\Application Data\Mozilla\Firefox\Profiles\tifvcpsc.default\cookies.txt[.go.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\François Luc\Application Data\Mozilla\Firefox\Profiles\tifvcpsc.default\cookies.txt[.microsofteup.112.2o7.net/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\François Luc\Application Data\Mozilla\Firefox\Profiles\tifvcpsc.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\François Luc\Application Data\Mozilla\Firefox\Profiles\tifvcpsc.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\François Luc\Application Data\Mozilla\Firefox\Profiles\tifvcpsc.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Weborama Not disinfected C:\Documents and Settings\François Luc\Application Data\Mozilla\Firefox\Profiles\tifvcpsc.default\cookies.txt[.weborama.fr/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\François Luc\Application Data\Mozilla\Firefox\Profiles\tifvcpsc.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\François Luc\Application Data\Mozilla\Firefox\Profiles\tifvcpsc.default\cookies.txt[adserver.filefront.com/]
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\François Luc\Application Data\Mozilla\Firefox\Profiles\tifvcpsc.default\cookies.txt[landing.domainsponsor.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\François Luc\Application Data\Mozilla\Firefox\Profiles\tifvcpsc.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\François Luc\Application Data\Mozilla\Firefox\Profiles\tifvcpsc.default\cookies.txt[server.iad.liveperson.net/hc/15816569]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\François Luc\Application Data\Mozilla\Firefox\Profiles\tifvcpsc.default\cookies.txt[stat.onestat.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\François Luc\Cookies\françois luc@com[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\François Luc\Cookies\françois luc@drivecleaner[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\François Luc\Cookies\françois luc@stats.drivecleaner[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\François Luc\Cookies\françois luc@xiti[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\François Luc\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\RECYCLER\S-1-5-21-1844237615-448539723-839522115-1004\Dc2\Process.exe
Possible Virus. Not disinfected C:\WINDOWS\system32\hjpprpu.dll
The bad news is that you do have SmitFraud, the last line in the Panda log is one of the dlls it uses.
Seeing it still exists after running SmitfraudFix you need to do a manual removal.
Create a file named RemoveAV.reg on your desktop.
Copy and paste the next code into this file.
Code:
REGEDIT4

; Remove the AntiVermins autostart value
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AntiVermins"=-

; Remove the three SharedTaskScheduler values
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{3c767c6b-602d-4b9b-829d-a3dc5b2d89dd}"=-
"{fe288882-f661-4522-88f3-20cfb7866fa4}"=-
"{4fbbdfd6-2ca9-4bba-93e4-aadf75321bca}"=-

; Delete the CLSID keys registered under the same GUIDs
[-HKEY_CLASSES_ROOT\CLSID\{3c767c6b-602d-4b9b-829d-a3dc5b2d89dd}]
[-HKEY_CLASSES_ROOT\CLSID\{fe288882-f661-4522-88f3-20cfb7866fa4}]
[-HKEY_CLASSES_ROOT\CLSID\{4fbbdfd6-2ca9-4bba-93e4-aadf75321bca}]
Next step:
Ensure you can see hidden files and folders:
- Click on the Tools menu and select Folder Options.
- Click on the View tab.
- Under the Hidden files and folders category select Show hidden files and folders.
- Uncheck Hide protected operating system files.
- Press Apply and then OK.
Look for the following files, you might not have all the files since you have been trying to clean up the mess already:
- hjpprpu.dll
- cvnzie.dll
- kuhmk.dll
- hjpprpu.dll.bad
- cvnzie.dll.bad
- kuhmk.dll.bad
Reboot your computer in safe mode
Once rebooted delete the following list of files and folders (if they still exist seeing that you have tried fixing this mess).
- C:\Program Files\AntiVermins\
- C:\Windows\System32\hjpprpu.dll.bad
- C:\Windows\System32\cvnzie.dll.bad
- C:\Windows\System32\kuhmk.dll.bad
[edit]
If it isn't fixed this problem is out of my league and you might want to look for help with someone who is more of a professional with this kind of problem.
[/edit]
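Added example, not part of the original post: before merging a .reg file taken from a forum, it helps to list exactly what it will change. The Python sketch below parses the RemoveAV.reg text from the post above and reports each operation without touching the registry; the function names audit_reg and is_removal_only are hypothetical, and the parser assumes the plain REGEDIT4 / version 5.00 text format.

```python
import re

# RemoveAV.reg text copied from the post above, embedded so this runs offline.
REMOVE_AV_REG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AntiVermins"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{3c767c6b-602d-4b9b-829d-a3dc5b2d89dd}"=-
"{fe288882-f661-4522-88f3-20cfb7866fa4}"=-
"{4fbbdfd6-2ca9-4bba-93e4-aadf75321bca}"=-
[-HKEY_CLASSES_ROOT\CLSID\{3c767c6b-602d-4b9b-829d-a3dc5b2d89dd}]
[-HKEY_CLASSES_ROOT\CLSID\{fe288882-f661-4522-88f3-20cfb7866fa4}]
[-HKEY_CLASSES_ROOT\CLSID\{4fbbdfd6-2ca9-4bba-93e4-aadf75321bca}]
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.+)$')

def audit_reg(text):
    """Parse .reg text into (action, key, value_name) tuples; hypothetical helper."""
    lines = []
    for raw in text.lstrip("\ufeff").splitlines():
        ln = raw.strip()
        if lines and lines[-1].endswith(",\\"):   # hex data continued on next line
            lines[-1] = lines[-1][:-1] + ln
        elif ln and not ln.startswith(";"):       # skip blank lines and comments
            lines.append(ln)
    if not lines or lines[0] not in HEADERS:
        raise ValueError("not a .reg file: missing header line")
    ops, key = [], None
    for ln in lines[1:]:
        if ln.startswith("[") and ln.endswith("]"):
            key = ln[1:-1]
            if key.startswith("-"):               # [-KEY] deletes the key and its subkeys
                key = key[1:]
                ops.append(("delete-key", key, None))
            continue
        m = VALUE.match(ln)
        if key is None or not m:
            raise ValueError(f"unparseable line: {ln!r}")
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        ops.append(("delete-value" if m.group(2) == "-" else "set-value", key, name))
    return ops

def is_removal_only(ops):
    # True when the file only deletes keys or values and writes nothing new.
    return bool(ops) and all(action.startswith("delete-") for action, _, _ in ops)

if __name__ == "__main__":
    print(*audit_reg(REMOVE_AV_REG), sep="\n")
```

A cleanup file should come back removal-only; any set-value entry is a reason to read that line closely before merging.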
Excellent. Your solution worked, and I am now smitfraud-free. Thank you.