What is AntiVerminsPro?

Yahoo Antispy detects it as AntiVerminsPro (adware) and I have it in my PC. How do I go about removing this adware?

It's a rogue antispyware program that is itself adware/spyware. More info here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

or just google it.

Which anti-spyware program is good? Ad-Aware, AVG or Spyware Doctor?

All… AVG is the best imho.
You can test also SuperAntispyware, SpywareTerminator and a-squared.


This malware is listed in the databases of both Spybot-S&D and Spyware Terminator. Either one should be able to help you with this malware.


I’ve done a scan with Spyware Terminator, here’s the log:

Logfile of Spyware Terminator v2.0.0.193 (db:1.0.915.675)
Scan Time: 9/24/2007 10:29:22 AM length: 1844 s
Platform: Windows XP Service Pack 2 (WINNT 5.1.2600)
User: Admin
Boot Mode: Normal
Scan type: Full_Spyware_Scan
Scanned Objects: 46642 (Critical:1)
Filter: No System items, No Safe items, No Invalid items

Running Processes
AAWTray.exe [Lavasoft AB] : C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
aawservice.exe [Lavasoft AB] : C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

Internet Settings
R - HKLM\Software\Microsoft\Internet Explorer\Main, Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R - HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R - HKLM\Software\Microsoft\Internet Explorer\Search, CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R - HKLM\System\CurrentControlSet\Services\Tcpip\Parameters, Domain =
R - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony, DomainName =

StartUps
04 - HKLM\System\CurrentControlSet\Control\Session Manager, BootExecute : : C:\WINDOWS\system32\LSDELETE.EXE

Shell Extensions
Yahoo! Mail Shell Extension - {5464D816-CF16-4784-B9F3-75C0DB52B499} - [Yahoo! Inc.] : C:\Program Files\Yahoo!\Common\YMMAPI.dll
CISORecorderContextMenu Object - {34F4B935-17DC-4885-8BC9-CCD1ADF42F93} - [Alex Feinman] : C:\Program Files\Alex Feinman\ISO Recorder\ISORecorder.dll

Services
23 - [Lavasoft AB] : C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
23 - [Intel Corporation] : C:\WINDOWS\system32\drivers\ac97intc.sys
23 - [Intel Corporation] : C:\WINDOWS\system32\DRIVERS\e100b325.sys
23 - [3Com Corporation] : C:\WINDOWS\system32\DRIVERS\el90xnd5.sys
23 - [Intel(R) Corporation] : C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
23 - [Intel Corporation] : C:\WINDOWS\system32\DRIVERS\IdeBusDr.sys
23 - [Intel Corporation] : C:\WINDOWS\system32\DRIVERS\IdeChnDr.sys

I just don’t understand what’s wrong in the log but there is a detected “Minibug” (Remaining Items of Unclassified Threat). What does that mean?

Hi again flygirl.

I’m sorry - when I first read your post I didn’t realize you were trying to remove this from your computer. Not that you weren’t clear about it - I just wasn’t focused.

SmitFraudFix should take care of the problem but I am at work at the moment and don’t have my abbreviated SmitFraudFix instructions with me. You can find a tutorial here

http://www.bleepingcomputer.com/forums/topic69886.html#automated

Just skip down to the “Automated Removal instructions …”, print them, and proceed as indicated. After the tool finishes post the SmitFraudFix log and a HijackThis log in your next response.

I ran SmitFraudFix in safe mode and followed instructions and here is a log from SmitFraudFix:

SmitFraudFix v2.229

Scan done at 20:04:42.43, Mon 09/24/2007
Run from C:\Documents and Settings\Admin\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler’s .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip..{2F832083-5D08-4F7B-94F9-6F928316DAB5}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip..{296E7D4A-C34B-4FBE-B73C-3736073BFDBF}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip..{2F832083-5D08-4F7B-94F9-6F928316DAB5}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip..{2F832083-5D08-4F7B-94F9-6F928316DAB5}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
“System”=“”

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler’s .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

How is everything looking now?

It’s looking fine to me. I mean, I don’t see any sign of infection.

Has it been successfully removed already?

I think it’s gone. I even scanned using HJT. Here is a HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:17:07 PM, on 9/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SpywareTerminator] “C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe”
O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188170533037
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188170496544
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\sp_clamsrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe


End of file - 4004 bytes

Looks clean ;D

You might want to consider a firewall, and this is using resources unnecessarily and could be optionally fixed:

O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

But no sign of infection.
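A small parser for the HijackThis log format shown above, added here as an illustration and not code from the thread or from HijackThis: it splits the O-lines into their sections and flags the entries a reviewer looks at first (a BHO with no name, a service with a missing file or unknown owner, and the KernelFaultCheck run key). The sample lines are constructed, modelled on the log in this thread.

```python
import re

# Constructed sample modelled on the HijackThis log posted above (not the original log).
SAMPLE_LOG = """\
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\\PROGRA~1\\Crawler\\Toolbar\\ctbr.dll
O4 - HKLM\\..\\Run: [KernelFaultCheck] %systemroot%\\system32\\dumprep 0 -k
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\\WINDOWS\\Microsoft.NET\\Framework\\v2.0.50727\\aspnet_state.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
End of file - 4004 bytes
"""

# Every HijackThis entry starts with a section tag such as O2, O4 or O23.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")


def parse_hjt(text):
    """Return a list of (section, body) tuples, one per O-line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Return (section, body, reasons) for entries worth a second look; quiet entries are skipped."""
    findings = []
    for section, body in entries:
        reasons = []
        if section == "O2" and "(no name)" in body:
            reasons.append("BHO without a name")
        if section == "O23" and "(file missing)" in body:
            reasons.append("service points at a missing file")
        if section == "O23" and "Unknown owner" in body:
            reasons.append("service has no publisher")
        if section == "O4" and "[KernelFaultCheck]" in body:
            reasons.append("dumprep error-report run key (optional fix)")
        if reasons:
            findings.append((section, body, reasons))
    return findings


if __name__ == "__main__":
    for section, body, reasons in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section}: {'; '.join(reasons)}\n    {body}")
```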

Mauserme, why does this keep coming and reappearing in the computers? Sorry to hijack the thread.

> O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
>
> Mauserme, why does this keep coming and reappearing in the computers? Sorry to hijack the thread.

I was asking myself the same thing. Anyway, I fixed that problem already.

I have to admit to a less than perfect understanding of dumprep, but here goes.

You probably know dumprep is responsible for error reporting. If an error report is generated under a non-privileged user account, however, it does not get reported immediately even if the user clicks OK. Rather, it’s put in an error queue waiting for an administrator to log in. This is done both to prevent the non-privileged user from potentially seeing the data and because only an admin is given rights to send this data. So at this point an HKLM Run key is written to the registry to run dumprep at start up until an admin can deal with it.

Now, if an admin doesn’t log in, or logs in but doesn’t respond to the error notice within a finite time frame, or does respond but there is an error removing the run key, it stays as a startup item indefinitely. I suppose blocking it in the firewall might even cause this condition, but this is a guess.

Hi all:

Years ago I asked a very experienced Malware fighter about this and was advised NOT to have Hijackthis "fix" it.

Yes, as I said above it is an optional fix. Different people will have different opinions about it. For me, letting it run every boot is pointless and removing the run key will not prevent it from running again if and when it's needed.

I feel the same…

Yeah… your explanation seems reasonable for why the key keeps reappearing.