TechSpot

NTVDM Error opens all the time now!!!

By mlww2us
Jan 3, 2007
  1. Hello I had some issues with Brave sentry on christmas eve. I was able to remove that but now my problem is an error message that pops up every couple of seconds. It happens in both my profile and my wifes profile as well.

    The message generated is a 16 bit DOS subsystem.
    Path is provided as C:\documents and settings\profile\localsettings\temp\cmd.exe
    I have tried to delete this file but it continues to come back. This must be a malicous trojan but unable to figure out how to kill it. I have gone into safe mode and ran ad aware, AVG antivirus, and AVG spyware. I installed the spybot product you mentioned in this forum. I have not been able to run spybot as it crashes when ever I try to run it. I have run the AVG and placed the logfile for this and HJK as well. I hope you will be able to assist me in removing this problem. Also I now get a message about the winsock32.exe when shutting down. I have to hit end now to stop it.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Your system is heavily infected with all kinds of nasties.

    If that were my system, I wouldn`t hesitate to reformat and reinstall from scratch. However, you may take a different view.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    Let me know how you wish to proceed.

    Regards Howard :wave: :wave:


    This thread is for the use of mlww2us only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. mlww2us

    mlww2us TS Rookie Topic Starter

    Hi Howard,

    Thanks for the quick reply. I have been thinking about the reformat and may do that later. In regards to my current issue have you dealt with the specific
    error I am having related to the cmd.exe error? Have you resolved this before? I noticed some others users of this forum were also having the exact same message but I did not see if they were able to correct the issue. If you have dealt with this nasty little bugger before I would like to try and resolve it.

    Let me know what you think!

    Thank you sir.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Ok, let`s try the following.

    Run AVG Antispyware, delete all files in AVG Antispyware quarantine and disable the active shield as this may interfere with any fix we try and run. On the top of the main screen click Shield. Click the word active to change it to inactive. Close AVG Antispyware.

    We need to temporarily disable Spybot search & Destroy`s tea time, as it may interfere with any fix we are trying to run.

    Disable Spybot's TeaTimer. This is a two step process.
    First:
    - Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
    - Choose Exit Spybot S&D Resident
    Second:
    - Open Spybot S&D
    - Click Mode, check Advanced Mode
    - Go To Left Panel, Click Tools, then also in left panel, click Resident
    - If your firewall raises a question, say OK
    - Uncheck the box labeled Resident Tea-Timer and OK any prompts.
    - Use File, Exit to terminate Spybot
    - Reboot your machine for the changes to take effect.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Go to add remove programmes in your control panel and uninstall anything to do with(if there).

    Viewpoint
    Viewpoint Toolbar V35
    Viewpoint Manager
    BroadJump
    Client Foundation

    Close control panel.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    winsock32
    ICF

    Close the services window.


    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    ViewMgr.exe
    CFD.exe
    winsock32.exe
    83765.exe
    80421.exe

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    Fix all O1 - Hosts: entries.

    O2 - BHO: Nick Aracde Toolbar - {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - C:\PROGRA~1\NICKAR~1\NICKAR~1.DLL (file missing)

    O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBarBHO.dll

    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll

    O3 - Toolbar: Nick Aracde Toolbar - {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - C:\PROGRA~1\NICKAR~1\NICKAR~1.DLL (file missing)

    O4 - HKLM\..\Run: [winsock32] winsock32

    O4 - HKLM\..\RunServices: [winsock32] winsock32

    O4 - HKCU\..\Run: [winsock32] winsock32

    O4 - HKCU\..\Run: [WinUpdate] "C:\DOCUME~1\Matt\LOCALS~1\Temp\83765.exe "

    O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\Matt\LOCALS~1\Temp\80421.exe

    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML

    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll

    O16 - DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} (Invoke Solutions Participant Control(MR)) - http://online.invokesolutions.com/events/bin/media/5.1.3.1429-3.0.0.7207/MILive. cab

    O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32:svchost.exe (file missing)

    O23 - Service: winsock32 (winsock32.exe) - Unknown owner - C:\WINDOWS\winsock32.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\WINDOWS\winsock32.exe
    C:\Program Files\Viewpoint<Delete the entire folder.
    C:\DOCUME~1\Matt\LOCALS~1\Temp\80421.exe
    C:\DOCUME~1\Matt\LOCALS~1\Temp\83765.exe

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log.

    Regards Howard :)

    This thread is for the use of mlww2us only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. mlww2us

    mlww2us TS Rookie Topic Starter

    I have not been able to get the spybot SD to even run. It not running on the taskbar. I double click and it will briefly open then shut down again. I have not been able to open and run Spybot successfully. Do you feel its safe to run thru the other steps since I have never been able to get spybot to run.
    The only function I was able to do was hit immunize before it shut down. I don't know if TeaTimer is running.
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    In that case, before following the instructions, uninstall SS&D from add remove programmes. You can always reinstall it after we`re done cleaning.

    Regards Howard :)

    This thread is for the use of mlww2us only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  7. mlww2us

    mlww2us TS Rookie Topic Starter

    Howard you are top notch sir!!!

    I have performed the steps you provided and so far I have not had another occurence of the dreaded cmd.exe error. I did notice a ton of startup items came up in the task bar. That was a bit strange as they have not been there
    in months. Here is the latest HJK log you asked for. Let me know if you have any more work for me to do.

    mlww2
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your system is infected with Bravesentry, This is a bogus antispyware programme.

    Go HERE and follow the instructions for Bravesentry removal.

    Post a fresh HJT log when done.

    Regards Howard :)

    This thread is for the use of mlww2us only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  9. mlww2us

    mlww2us TS Rookie Topic Starter

    Ok I have run the smitfraudfix and this seems to have removed the bravesentry crap. The Bravesentry hit my PC on Christmas Eve how about that for a Christmas gift. I have created another HJT log or as I like to think
    of it as HJK "hijack killer". I thought I removed the BraveSentry but all was not
    what it seemed.

    Howard thanks for all the excellent help you have provided!!! This is a great forum keep up the great work!!!

    MLWW2
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is now clean.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of mlww2us only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...