Various Malware, need help in removal Please

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by sidetrack, Nov 6, 2006.

  1. sidetrack

    sidetrack Private E-2

    So it would appear that I am infected with WinantivirusPro 2006, I get the pop ups constantly but I have not installed the program. I also get blank windows popping up to a certain ip address that contains information on what I was currently doing. Such as this "http://85.12.25.85/trafc-2/rfe.php?cmp=vm_mg_ff_nonusa_fail&nid=ec&uid=AB11DEAC21A011DB973F00167647FA98&guid=e0f30edd+1D10514769CC421B8E80F83036AF28EA&lid=forums%3E&url=http%3A%2F%2Fforums.majorgeeks.com%2Fshowthread.php%3Ft%3D38752&affid=862"

    So I went through the steps you guys have posted and I have lots of logs for you read, I really need your help and I hope that I can make it as painless as possible. I already ran VundoFix as well and it deleted a lot of .dll files that I noticed were spyware.

    Oh and for future notice, I am unable to load safe mode. My computer simply loads it and I cannot do anything but move my mouse. I do not know if this is related to spyware or not.

    Attached are the various logs that were requested in the steps.

    Thanks in advance,
    Ryan
     


  2. sidetrack

    sidetrack Private E-2

    Here are some additional files that were requested.
     


  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please download smitRem.exe and save to your desktop.

    Double click on the smitRem.exe file to extract it to its own folder on the desktop (this should be the default selection). Now open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish. The tool will create a log named smitfiles.txt in the root of the drive that you ran the batch file on, e.g. Local Disk C: or the partition where your operating system is installed.

    After completing the above, run another Panda scan. After the completion of the Panda scan attach the three logs.
    1. Panda Log
    2. SmitRem Log
    3. HJT Log
     
  4. sidetrack

    sidetrack Private E-2

    here you go, thanks for the help.
     


  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet
    Please look in Add/Remove Programs for the following and uninstall them if found:

    VSAdd-in

    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
    O2 - BHO: (no name) - {E4F6935E-12D8-4FEB-B14D-0D50E41BAA4B} - E:\WINDOWS\msagent\pm3yss.dll (file missing)

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O15 - Trusted Zone: http://locator.cdn.imageservr.com

    O20 - Winlogon Notify: tuvvsrs - tuvvsrs.dll (file missing)

    Again, make sure ALL browser windows are closed when you click FIX.

    Now, Please boot into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial. Now, navigate to and DELETE the following if they should remain:

    E:\VundoFix Backups Delete this whole folder!

    E:\Program Files\VSAdd-in Delete this whole folder if it exists!

    E:\Documents and Settings\All Users\Application Data\SecTaskMan Delete this whole folder if it exists!

    Next, run CCleaner to clean up cookies and temp files.

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After you complete the above, REBOOT and proceed with the rest of this fix...

    Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:

    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
    After you complete the above reboot once more and then scan with HijackThis and attach the new log.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
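The HijackThis entries bjgarrick asked to have fixed fall into a few recognisable patterns (a BHO or Winlogon Notify hook whose DLL is gone, a site added to the Trusted Zone, an empty R0 value). The following triage script is an added example, not part of the thread or of HijackThis itself; it parses the entries quoted in this post (plus one benign BHO line constructed for contrast) and flags the ones matching those patterns, leaving ordinary entries such as the QuickTime O4 line alone.

```python
import re

# Sample HijackThis entries quoted from this thread, plus one benign BHO
# line constructed here for contrast (the Adobe entry is not from the post).
SAMPLE_HJT_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {E4F6935E-12D8-4FEB-B14D-0D50E41BAA4B} - E:\\WINDOWS\\msagent\\pm3yss.dll (file missing)
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O20 - Winlogon Notify: tuvvsrs - tuvvsrs.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
"""

# Every HJT entry starts with a section code (R0, O2, O20, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")


def triage_hjt(log_text):
    """Return (code, reason, line) tuples for entries worth a closer look.

    The heuristics mirror what the helper flagged in this thread: dead BHO
    and Winlogon Notify references (a DLL that has been removed or is
    hidden), Trusted Zone additions, and empty R0 values. Other entries,
    such as the QuickTime O4 autostart, are not flagged by this script.
    """
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        reason = None
        if code == "O2" and ("(no file)" in body or "(file missing)" in body):
            reason = "BHO points at a missing file"
        elif code == "O20" and "(file missing)" in body:
            reason = "Winlogon Notify DLL is missing (dead hook)"
        elif code == "O15":
            reason = "site added to the Trusted Zone"
        elif code == "R0" and body.rstrip().endswith("="):
            reason = "empty IE registry value"
        if reason:
            findings.append((code, reason, line))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage_hjt(SAMPLE_HJT_LOG):
        print(f"[{code}] {reason}: {line}")
```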
     
  6. sidetrack

    sidetrack Private E-2

    Hey, thanks a lot man. The pop ups are gone and my winpatrol isn't constantly coming up with new dlls being registered. I think you may have done it. Can't thank you enough.

    Here is my new hijack log.

    Just so you know, the steps I was supposed to do in safemode I did in normal because of my problem with safemode mentioned above.

    Hope it's all gone

    Thanks!
    ryan
     


  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log looks good, are you having any current problems?
     
  8. sidetrack

    sidetrack Private E-2

    Nope, everything seems fine.

    thanks man.

    peace!
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert
