80000032.@ and 00000004.@ Warnings - Help please?

Hi,

I keep getting the following Avast alert popping up every few minutes.

<<
Trojan Horse Blocked
Object: C:\Windows\Installer\{a68d6323-ad72-3f90-b575-5cd05d5bbb09}\U\80000032.@
Infection: Win32:Downloader-PKU[Trj]
Action: Moved to Chest
Process: C:\Windows\system32\services.exe

They’ve obviously been moved to the Avast virus chest, but the pop-ups keep happening.

I have run a full system scan and a boot-time scan, which cleared a few other bits and pieces, but Avast seems unable to clear this one.

Can anyone help, please?

Thanks in advance,
Andrew

Follow this guide and attach the logs
http://forum.avast.com/index.php?topic=53253.0

Hi,

Results log from mbam below.
Pop-ups still appearing
Is it OK to go on to the OTL stage now?

Many thanks,
Andrew

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.09.07

Windows Vista Service Pack 1 x86 NTFS
Internet Explorer 8.0.6001.18943
sharon :: SHARON-LAPTOP [administrator]

Protection: Enabled

09/08/2012 14:14:20
mbam-log-2012-08-09 (14-14-20).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 201699
Time elapsed: 8 minute(s), 25 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 4
HKCR\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239} (PUP.MyWebSearch) → No action taken.
HKCU\SOFTWARE\XML (Trojan.FakeAlert) → Quarantined and deleted successfully.
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Handle (Malware.Trace) → Quarantined and deleted successfully.

Registry Values Detected: 2
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) → Data: C:\Users\sharon\AppData\Local\{a68d6323-ad72-3f90-b575-5cd05d5bbb09}\n. → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|{F3F0ECD4-7BA0-F8A6-0E03-701656D9049E} (Trojan.Agent) → Data: C:\Users\sharon\AppData\Roaming\Apple Computer\WebKit\smss.exe → Quarantined and deleted successfully.

Registry Data Items Detected: 1
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command| (Hijack.StartMenuInternet) → Bad: (“C:\Users\sharon\AppData\Local\av.exe” /START “C:\Program Files\Internet Explorer\iexplore.exe”) Good: (iexplore.exe) → Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 8
C:\Windows\Installer\{a68d6323-ad72-3f90-b575-5cd05d5bbb09}\n (Trojan.Agent.BVXGen) → Quarantined and deleted successfully.
C:\Windows\Installer\{a68d6323-ad72-3f90-b575-5cd05d5bbb09}\U\00000004.@ (Rootkit.Zaccess) → Quarantined and deleted successfully.
C:\Windows\Installer\{a68d6323-ad72-3f90-b575-5cd05d5bbb09}\U\00000008.@ (Trojan.Dropper.BCMiner) → Quarantined and deleted successfully.
C:\Windows\Installer\{a68d6323-ad72-3f90-b575-5cd05d5bbb09}\U\000000cb.@ (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{a68d6323-ad72-3f90-b575-5cd05d5bbb09}\U\80000000.@ (Rootkit.0Access) → Quarantined and deleted successfully.
C:\captura.bmp (Malware.Traces) → Quarantined and deleted successfully.
C:\codigo1.bmp (Malware.Traces) → Quarantined and deleted successfully.
C:\error.bmp (Malware.Traces) → Quarantined and deleted successfully.

(end)

I should add that I also have Spybot-S&D resident running, and that seems unable to catch it too :(
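The log above is the textbook ZeroAccess/Sirefef footprint: a GUID-named directory under C:\Windows\Installer and a twin under the user's AppData\Local, each holding an "n" loader and a "U" folder of *.@ payloads; a per-user COM hijack (the HKCU CLSID InprocServer32 value redirected to that "n" file); a Run value starting a fake smss.exe from AppData\Roaming; and a StartMenuInternet hijack that wraps Internet Explorer in av.exe. The Avast alert names services.exe as the process writing 80000032.@, which is why moving the file to the Chest changes nothing: the resident component simply writes it again. The PowerShell below is added here as a worked example, not something posted in the thread, and sweeps a host for those same indicators. It assumes PowerShell 2.0 or later in an elevated session; the regular expressions and the hives checked are generalised from the single instance in the log. An empty result is not proof of a clean machine, because a live rootkit can hide its files from normal enumeration, so hits are evidence while a clean sweep still needs a boot-time or MBR-level scan to back it up.

```powershell
# Added example (not from the thread): sweep a Windows host for the ZeroAccess/Sirefef
# indicators that the Avast alert and the Malwarebytes log on this page show.
# Assumptions: PowerShell 2.0 or later, elevated. The exact paths and the CLSID in the
# log are one instance; the checks below are generalised from them.
# Caveat: a live rootkit can hide files from normal enumeration, so treat hits as
# evidence and an empty result as inconclusive; confirm with a boot-time or MBR scan.

$findings = @()

# 1. GUID-named directories holding an 'n' loader and/or a 'U' folder of *.@ payloads.
#    C:\Windows\Installer legitimately contains {GUID} folders (MSI icon caches), so the
#    U\*.@ / n contents are the discriminator, not the GUID name alone.
$roots = @("$env:windir\Installer")
foreach ($userDir in @(Get-ChildItem -LiteralPath "$env:SystemDrive\Users" -ErrorAction SilentlyContinue)) {
    if ($userDir.PSIsContainer) { $roots += Join-Path $userDir.FullName 'AppData\Local' }
}
foreach ($root in $roots) {
    foreach ($dir in @(Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue)) {
        if (-not $dir.PSIsContainer) { continue }
        if ($dir.Name -notmatch '^\{[0-9a-fA-F-]{36}\}$') { continue }
        $u = Join-Path $dir.FullName 'U'
        $n = Join-Path $dir.FullName 'n'
        $payloads  = @(Get-ChildItem -LiteralPath $u -Filter '*.@' -Force -ErrorAction SilentlyContinue)
        $hasLoader = Test-Path -LiteralPath $n -PathType Leaf
        if ($payloads.Count -gt 0 -or $hasLoader) {
            $findings += "GUID dir $($dir.FullName): $($payloads.Count) *.@ file(s) in U, loader 'n' present: $hasLoader"
        }
    }
}

# 2. Per-user COM hijack: any HKCU CLSID whose InprocServer32 default value points into a
#    profile or the Installer cache (the log shows {42aedc87-...} redirected to ...\n).
#    HKCU\Software\Classes wins over HKCR for the current user, so this survives AV cleanup
#    of HKLM and is easy to miss.
foreach ($key in @(Get-ChildItem -Path 'HKCU:\Software\Classes\CLSID' -ErrorAction SilentlyContinue)) {
    $inproc = $key.PSPath + '\InprocServer32'
    if (-not (Test-Path -LiteralPath $inproc)) { continue }
    $server = [string](Get-ItemProperty -LiteralPath $inproc).'(default)'
    if ($server -match '\\Users\\|\\AppData\\|\\ProgramData\\|\\Installer\\') {
        $findings += "HKCU COM hijack: $($key.PSChildName) InprocServer32 = $server"
    }
}

# 3. Browser launch hijack: the StartMenuInternet open command should be the browser
#    itself, not a wrapper living in a user profile (the log shows av.exe /START iexplore).
foreach ($client in @(Get-ChildItem -Path 'HKLM:\Software\Clients\StartMenuInternet' -ErrorAction SilentlyContinue)) {
    $cmdKey = $client.PSPath + '\shell\open\command'
    if (-not (Test-Path -LiteralPath $cmdKey)) { continue }
    $cmd = [string](Get-ItemProperty -LiteralPath $cmdKey).'(default)'
    if ($cmd -match '\\Users\\|\\AppData\\') {
        $findings += "StartMenuInternet hijack: $($client.PSChildName) open command = $cmd"
    }
}

# 4. Run entries launched from a user profile, or anything claiming to be smss.exe
#    (the real one lives in System32 and is never started from a Run key).
foreach ($hive in @('HKCU', 'HKLM')) {
    $runKey = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path $runKey)) { continue }
    $values = Get-ItemProperty -Path $runKey
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # provider metadata, not Run values
        $cmd = [string]$prop.Value
        if ($cmd -match '\\AppData\\|\\Users\\' -or $cmd -match 'smss\.exe') {
            $findings += "Run entry ($hive) $($prop.Name) = $cmd"
        }
    }
}

# Report
if ($findings.Count -eq 0) {
    Write-Output 'No ZeroAccess indicators found (inconclusive while a rootkit may be resident).'
} else {
    foreach ($f in $findings) { Write-Output "[!] $f" }
}
```

Run it before and after the cleanup: on the infected machine it should list the Installer and AppData\Local GUID directories, the HKCU CLSID hijack and the av.exe browser wrapper; after the OTL fix and ComboFix pass it should come back empty, and any line that survives points at something the tools did not reach.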

Hi Again,

The OTL scan is complete and the logs are attached.

Thanks.
Andrew

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
IE - HKU\S-1-5-21-2636109023-1060695178-1331362222-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&AF=100490&babsrc=SP_ss&mntrId=0c639f9000000000000000225f1f202a
FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
FF - prefs.js..browser.search.defaultenginename: "Search the web (Babylon)"

:Files
ipconfig /flushdns /c
[2011/12/05 16:16:19 | 000,002,310 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml
C:\Windows\Installer\{a68d6323-ad72-3f90-b575-5cd05d5bbb09}
C:\Users\sharon\AppData\Local\{a68d6323-ad72-3f90-b575-5cd05d5bbb09}

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, and reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

FINALLY

Run Farbar Service Scanner

https://dl.dropbox.com/u/73555776/FSS.GIF

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

Great thanks.
Have run the aswMBR scan and the Win32:Sirefef-PL [Rtk] has finally shown up.
Log attached.
I will proceed with the “OTL Run Fix” and “ComboFix” and “FarBar” as instructed.

Thanks,
Andrew

Hi again,

ComboFix completed and log attached.
Only 1 more to go - FarBar

Laters
Andrew

FarBar scan completed and log attached.
Will reboot and fire up the Avast shields again.

Andrew

Hi,

Well, I have gone through everything you had me do and I am delighted to say “no more virus”!! No more pop-ups for over an hour.

Thank you so much - very much appreciated.

It’s a shame Avast support themselves couldn’t see their way clear to giving this level of service rather than “go ask someone else”. OK, moan over :)

Your advice and support has been absolutely first class and I’m very grateful.

Kind regards,
Andrew

He is not completely done yet... so check back later.

OK, thanks - but still a massive improvement on what it was ;)

OK, let's get Windows Update working now.

Right-click the link below and select “Save Target As…”, then save it to your desktop:
https://dl.dropbox.com/u/73555776/bits_vista.reg
Right click the reg file and select merge
Accept the warnings and reboot

Then let me know what problems remain
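Sirefef/ZeroAccess is known to break Windows Update by sabotaging the configuration of the BITS, Windows Update and Security Center services, which is what a repair .reg such as the one linked above puts back. Added here as an example, and not something from the thread, is a PowerShell check that reports whether those three service keys are present, hosted by svchost.exe with the expected service DLL, not disabled, and startable. It assumes PowerShell 2.0 or later in an elevated session; the expected DLL names are the stock Vista values and are an assumption to verify against a known-good machine of the same build, and since the contents of bits_vista.reg are not shown on the page nothing here reproduces them. The only change it makes is to try to start a service that is stopped.

```powershell
# Added example (not from the thread): check the services ZeroAccess/Sirefef is known to
# sabotage, before and after merging a repair .reg such as bits_vista.reg. The only change
# it makes is to try to start a service that is stopped.
# Assumptions: PowerShell 2.0 or later, elevated. Expected ServiceDll names are the stock
# Vista values and are an assumption; compare with a known-good machine of the same build.

$expected = @{
    'BITS'     = 'qmgr.dll'     # Background Intelligent Transfer Service
    'wuauserv' = 'wuaueng.dll'  # Windows Update
    'wscsvc'   = 'wscsvc.dll'   # Security Center
}
$problems = @()

foreach ($name in $expected.Keys) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (-not (Test-Path $key)) {
        $problems += "$name : registry key missing, the Service Control Manager cannot see it at all"
        continue
    }
    $cfg    = Get-ItemProperty -Path $key
    $params = Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue
    $dll    = ''
    if ($params -and $params.ServiceDll) { $dll = [string]$params.ServiceDll }

    # All three are svchost-hosted; a different ImagePath or a ServiceDll outside System32
    # is the kind of tampering the .reg repair has to undo.
    if ([string]$cfg.ImagePath -notmatch '\\svchost\.exe') {
        $problems += "$name : ImagePath is '$($cfg.ImagePath)', expected an svchost.exe host"
    }
    $wantDll = '\\System32\\' + [regex]::Escape($expected[$name]) + '$'
    if ($dll -notmatch $wantDll) {
        $problems += "$name : ServiceDll is '$dll', expected %SystemRoot%\System32\$($expected[$name])"
    }
    if ($cfg.Start -eq 4) {
        $problems += "$name : Start=4 (disabled)"
    }

    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        $problems += "$name : Get-Service cannot find it"
    } elseif ($svc.Status -ne 'Running') {
        try {
            Start-Service -Name $name -ErrorAction Stop
            Write-Output "$name : was $($svc.Status), started OK"
        } catch {
            $problems += "$name : failed to start - $($_.Exception.Message)"
        }
    }
}

if ($problems.Count -eq 0) {
    Write-Output 'BITS, wuauserv and wscsvc look intact; re-run Windows Update.'
} else {
    foreach ($p in $problems) { Write-Output "[!] $p" }
}
```

A missing key is the case the .reg merge fixes; a key that exists but carries a foreign ImagePath or ServiceDll means something other than the stock service would be loaded into svchost.exe, which is worth a fresh rootkit scan rather than a reboot.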