Help me remove malware like Windows Antivirus pro 2000

Topic:Help me remove malware like Windows Antivirus pro 2000

Remainpoint:0

Nevakonaza Gender

PostTime:12/14/2008 8:19:00 PM

Top

Level:

Professional point:

Experience:

Thread:

255

Post:

956

Total online time:

Joined date:

4/28/2007 11:29:00 PM

Last Visit:

12/16/2008 11:28:56 PM

Status:

	Try our remote PC help service to fix your PC instantly(Only cost $19.95)
	Register to make Ads free

I recently accidentally downloaded a virus and I have gotten my computer to a working order but I need some help.

I posted a while ago but since then I have noticed a lot of things in other posts.
I have changed hijackthis.exe to PCOH.exe
and I also have a smart fraud fix scan.

So I will repost with my new updated information

Please help I have no clue what to do.

Thanks a tonne!

Logfile of HijackThis v1.99.1
Scan saved at 3:26:44 PM, on 1/10/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Common Files\{74655C02-06A3-1033-0124-030403220001}\Update.exe
C:\Program Files\Ipwindows\ipwins.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\NOTEPAD.EXE
C:\Program Files\Hijackthis\PCOH.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {FC15B7F1-0946-7ECC-12DB-04F2BE5740C8} - C:\WINDOWS\System32\uootif.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\System32\xanqwyyf.dll
O2 - BHO: (no name) - {EC2F6751-47AA-46D3-8D28-24390F0B9492} - C:\WINDOWS\System32\ddccb.dll
O2 - BHO: (no name) - {FC15B7F1-0946-7ECC-12DB-04F2BE5740C8} - C:\WINDOWS\System32\uootif.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [{74655C02-06A3-1033-0124-030403220001}] "C:\Program Files\Common Files\{74655C02-06A3-1033-0124-030403220001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\System32\drvxif.dll,startup
O4 - HKLM\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\xbwmfprf.dll",setvm
O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\System32\nfomon\nfomon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Uste] "C:\DOCUME~1\SCOTTS~1\APPLIC~1\SSTEM3~1\lsass.exe" -vt yazb
O4 - HKCU\..\Run: [Vzf] C:\Documents and Settings\Scott Summers\Application Data\T?sks\??xplore.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1168393388123
O20 - Winlogon Notify: ddccb - C:\WINDOWS\System32\ddccb.dll
O20 - Winlogon Notify: winsih32 - C:\WINDOWS\SYSTEM32\winsih32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U2NvdHQgU3VtbWVycw\command.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

==================================================

SmitFraudFix v2.132

Scan done at 15:24:39.96, Wed 01/10/2007
Run from E:\antivirus\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

C:\

C:\WINDOWS

C:\WINDOWS\system

C:\WINDOWS\Web

C:\WINDOWS\system32

C:\Documents and Settings\Scott Summers

C:\Documents and Settings\Scott Summers\Application Data

Start Menu

C:\DOCUME~1\SCOTTS~1\FAVORI~1

Desktop

C:\Program Files

Corrupted keys

Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="about:Home"
"SubscribedURL"="about:Home"
"FriendlyName"="My Current Home Page"

Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

pe386-msguard-lzx32

Scanning wininet.dll infection

End


ScottH	PostTime:12/15/2008 11:09:30 PM	Point:0 \| # 1
Level: 2 Professional point: 1 Experience: 53 Thread: 308 Post: 995 Total online time: 53M Joined date: 4/28/2007 10:52:00 PM Last Visit: 12/16/2008 11:36:38 PM Status:	Download AVG Anti-Spyware from HERE and save that file to your desktop. When the trial period expires it becomes feature-limited freeware but is still worth keeping as a good on-demand scanner. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double click it to launch the set up program. Once the setup is complete you will need run AVG Anti-Spyware and update the definition files. On the main screen select the icon "Update" then select the "Update now" link. Next select the "Start Update" button. The update will start and a progress bar will show the updates being installed. Once the update has completed, select the "Scanner" icon at the top of the screen, then select the "Settings" tab. Once in the Settings screen click on "Recommended actions" and then select "Quarantine". Under "Reports" Select "Automatically generate report after every scan" Un-Select "Only if threats were found" Close AVG Anti-Spyware. Do Not run a scan just yet, we will run it in safe mode. Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter. IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning as it may interfere with the scanning process: Launch AVG Anti-Spyware by double clicking the icon on your desktop. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan". AVG will now begin the scanning process. Please be patient as this may take a little time. Once the scan is complete, do the following: If you have any infections you will be prompted. Then select "Apply all actions." Next select the "Reports" icon at the top. Select the "Save report as" button in the lower lef- hand of the screen and save it to a text file on your system (make sure to remember where you saved that file. This is important). Close AVG Anti-Spyware and reboot your system back into Normal Mode. Please go HERE to run Panda's ActiveScan Once you are on the Panda site click the Scan your PC button A new window will open...click the Check Now button Enter your Country Enter your State/Province Enter your e-mail address and click send Select either Home User or Company Click the big Scan Now button If it wants to install an ActiveX component allow it It will start downloading the files it requires for the scan (Note: It may take a couple of minutes) When download is complete, click on My Computer to start the scan When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report Come back here and post a new HijackThis log along with the logs from the AVG and Panda scans.


ADE	PostTime:12/16/2008 2:43:18 AM	Point:0 \| # 2
Level: 1 Professional point: 46 Experience: 6 Thread: 265 Post: 966 Total online time: 6M Joined date: 4/29/2007 12:00:00 AM Last Visit: 12/17/2008 12:21:04 AM Status:	OKay that was pretty intense and I had no clue what happened but here are the logs SmitFraudFix v2.132 Scan done at 17:15:06.87, Wed 01/10/2007 Run from E:\antivirus\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in safe mode Before SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll Killing process Generic Renos Fix GenericRenosFix by S!Ri Deleting infected files Deleting Temp Files Winlogon.System !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "System"="" Registry Cleaning Registry Cleaning done. After SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll End ===================================================== VundoFix V6.2.13 Checking Java version... Java version is 1.5.0.8 Scan started at 5:24:56 PM 1/10/2007 Listing files found while scanning.... C:\WINDOWS\System32\ddccb.dll C:\WINDOWS\System32\bccdd.ini C:\WINDOWS\System32\bccdd.bak1 Beginning removal... Attempting to delete C:\WINDOWS\System32\ddccb.dll C:\WINDOWS\System32\ddccb.dll Has been deleted! Attempting to delete C:\WINDOWS\System32\bccdd.ini C:\WINDOWS\System32\bccdd.ini Has been deleted! Attempting to delete C:\WINDOWS\System32\bccdd.bak1 C:\WINDOWS\System32\bccdd.bak1 Has been deleted! Performing Repairs to the registry. Done! ===================================================== Logfile of HijackThis v1.99.1 Scan saved at 5:35:37 PM, on 1/10/2007 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe C:\Program Files\Common Files\{74655C02-06A3-1033-0124-030403220001}\Update.exe C:\Program Files\Ipwindows\ipwins.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\DAEMON Tools\daemon.exe C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Hijackthis\PCOH.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: (no name) - {FC15B7F1-0946-7ECC-12DB-04F2BE5740C8} - C:\WINDOWS\System32\uootif.dll (file missing) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\System32\xanqwyyf.dll O2 - BHO: (no name) - {C5AB1B3A-95AF-4A44-8504-DC73B7E105A6} - C:\WINDOWS\System32\ddccb.dll (file missing) O2 - BHO: (no name) - {FC15B7F1-0946-7ECC-12DB-04F2BE5740C8} - C:\WINDOWS\System32\uootif.dll (file missing) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" O4 - HKLM\..\Run: [{74655C02-06A3-1033-0124-030403220001}] "C:\Program Files\Common Files\{74655C02-06A3-1033-0124-030403220001}\Update.exe" mc-110-12-0000272 O4 - HKLM\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\xbwmfprf.dll",setvm O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\System32\nfomon\nfomon.exe O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKCU\..\Run: [Uste] "C:\DOCUME~1\SCOTTS~1\APPLIC~1\SSTEM3~1\lsass.exe" -vt yazb O4 - HKCU\..\Run: [Vzf] C:\Documents and Settings\Scott Summers\Application Data\T?sks\??xplore.exe O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1168393388123 O20 - Winlogon Notify: winsih32 - C:\WINDOWS\SYSTEM32\winsih32.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U2NvdHQgU3VtbWVycw\command.exe (file missing) O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Meng	PostTime:12/16/2008 10:49:45 PM	Point:0 \| # 3
Level: 1 Professional point: 10 Experience: 14 Thread: 278 Post: 973 Total online time: 14M Joined date: 4/28/2007 11:18:00 PM Last Visit: 12/17/2008 12:41:03 AM Status:	You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site. Next, please reboot your computer in Safe Mode by doing the following : Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; Instead of Windows loading as normal, a menu with options should appear; Select the first option, to run Windows in Safe Mode, then press "Enter". Choose your usual account. Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd Select option #2 - Clean by typing 2 and press "Enter" to delete infected files. You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection. The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter". The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply. The report can also be found at the root of the system drive, usually at C:\rapport.txt Warning: running option #2 on a non infected computer will remove your Desktop background. Download and run VundoFix: http://www.atribune.org/ccount/click.php?id=4 Double-click VundoFix.exe to run it. Put a check next to Run VundoFix as a task. You will receive a message saying vundofix will close and re-open in a minute or less. Click OK. When VundoFix re-opens, click the Scan for Vundo button. Once it's done scanning, click the Remove Vundo button. You will receive a prompt asking if you want to remove the files, click YES. Once you click yes, your desktop will go blank as it starts removing Vundo. When completed, it will prompt that it will shutdown your computer, click OK. Turn your computer back on. Please post the contents of C:\vundofix.txt and a new HijackThis log.

Sorry, you are not login, click here to login