I just did a boot-time scan and found 2 corrupted zip archives:

• File C:\users\Sabrina\AppData\LocalLow\Google\GoogleEarth\webdata\f_000056|>ru.kml Error 42125 {zip archive is corrupted}
• FileC:\users\Sabrina\AppData\LocalLow\Google\GoogleEarth\webdata\f_00009c}>sk.kml Error 42125 {zip archive is corrupted}

After moving the first file to the chest and deleting the second one, this is what I got:

• FilieC:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5M3UOJKE\banner[1].htm is infected by HTML: Iframe-inf
  -FilieC:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OFZBVTV2|93a872037e7e78b8f3f3f1180f7ed52c[1].htm is infected by HTML: Applet-inf [Trj]

What am I supposed to do now to remove these viruses from my computer completely. In all honesty, I have read other threads and I’m not great on grasping concepts about how to remove viruses. I have read many posts and all the information is completely overwhelming. Any help would be apprecited.

Hi brinojos,

Why run a boot scan? Did Avast! alert and say a boot scan was needed to be run?

As for the corrupted zip archives, these will not be seen unless a boot scan is called for and run. Normal scans will not report these files as they do not look for them. A boot scan will go much deeper into your system than a normal or quick scan will.

A corrupt zip archive is just that. It means Avast! cannot open the file to look inside. Archive files are just that, inert and inactive until you open them. As such, they cannot harm your system as long as you leave them alone.

The other files detected are in your Internet Explorer temporary folder, and can be deleted safely using a program such as CCleaner. Word of caution with CCleaner. Use only the default settings, do not try to get fancy with it, else you could have more problems in the future.

Quarantine or delete? Deleting leaves you no options. Quarantine will, at the very least, allow you to recover that file in the chest should you find you need it later, and it is proved to be a false positive. Always quarantine, then you will be keeping your options open. Delete removes that file permanently, thus no option remains.

They are just temp files that avast detected…

Clearing Temp Files.

Download CCleaner from here: http://www.piriform.com/ccleaner/download/standard

Install it on you PC…go to the options tab…click on the advanced…uncheck only delete temp file less than 24 hours [see screenshot]…Back to the cleaner tab…click run cleaner and allow it to complete then close the program…run this program once a week rugularly

Thank you for the help. I ran a boot-time scan because Avast asked me to. Now, are these viruses causing my computer to constantly freeze, which I have to shut down by pressing down on the power button? Also, how do I keep Avast from showing pop-ups about every few seconds?

Sorry, that was not clear.

You did right to run a boot scan on request.

Please read this and follow instructions here: http://forum.avast.com/index.php?topic=53253.0

Run the first three programs listed, and attach the logs in your next reply.

Click “Attachments and other options” and attach the four logs in your next reply.

Also, how do I keep Avast from showing pop-ups about every few seconds?

follow the guide mchain gave you

So, I’v been running the Malware program, but my computer keeps freezing UGH!! I only got as far as telling it to restart my computer because it found 2 Trojan viruses, but it froze on me again.

Ok, so I was finally able to complete the process, this is what the Log says:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.09.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Sabrina :: SABRINA-PC [administrator]

8/9/2012 2:12:48 PM
mbam-log-2012-08-09 (14-12-48).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 191934
Time elapsed: 3 minute(s), 26 second(s)

Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) → 2836 → Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) → Delete on reboot.

(end)

Monitoring

Hello,
I will be working on your Malware issues.

Step1
Re-run OTL.exe.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

:files
C:\Windows\Installer\{914b59a4-9ad4-94a9-208d-7b00e6bd9f57}
C:\Windows\System32\config\systemprofile\AppData\Local\{914b59a4-9ad4-94a9-208d-7b00e6bd9f57}
ipconfig /flushdns /c

:commands
[CREATERESTOREPOINT]
[emptytemp]

[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.

Step2

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this Instruction.

How to disable avast:

[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.

[*]Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note:Do not mouse-click Combofix’s window while it is running.

When the tool is finished, it will produce a log report for you. (typical location: C:[b]ComboFix.txt[/b] )
Attach log reports ( ComboFix.txt) back to topic.

Step3

Check USB storage devices / removable drives

Download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

[*] Double click MCShield-Setup to install the application.
[*] Wait a few seconds to MCShield finish initial scan.
Recommendation to under General and Scanner tab you click on Defaults button to choose recommended options.
[*] Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.

When all scanning is done, you need to attach a logreport that has made MCShield.

Start → All Programs → MCShield → Logs

Attach here → AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

Here’s the Log after re-running OTL

Whatdo you mean by making sure it’s saved on my Desktop? When I dowload anything, it’s automatically placed in my Download folder. Can I just move it to the Desktop folder?

Ok, so far I have done as you asked. When running ComboFix I got the following warnings, what do I do?

Yes, of course

To read the instructions that I have linked where is explained how to use Combofix.
To follow my instructions and turn off antivirus, and run Combofix.
note: If you turn off antivirus as described and Combofix still reports active antivirus, click on Yes, ignore warnings and allow Combofix to finish in the scan.

For Step 3, is that for any and all flash drives I own?

Here’s the Log I got after running ComboFix.

1. Open notepad and copy/paste the text present inside the code box below:

KillAll::

Reboot::

File::
c:\windows\svchost.exe

ClearJavaCache::

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refering to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:[b]ComboFix.txt[/b] )

2.

Re-run Malwarebytes,select “Perform Quick Scan”, then click Scan.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]Please save the log to a location you will remember ( desktop for example ).
[]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[]Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

3.
Attach here AllScans.txt from MCShield.

Report from ComboFix, Malware, and MCShield

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.09.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Sabrina :: SABRINA-PC [administrator]

8/9/2012 9:19:00 PM
mbam-log-2012-08-09 (21-19-00).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 194660
Time elapsed: 3 minute(s), 31 second(s)

Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) → 4768 → Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) → Delete on reboot.

(end)

MCShield AllScans.txt <<<

MCShield v 2.1.4.13 / DB: 2012.8.6.1 <<<

8/9/2012 10:28:16 PM > Drive C: - scan started (OS ~195 GB, NTFS HDD )…

=> The drive is clean.

8/9/2012 10:28:16 PM > Drive D: - scan started (Data ~245 GB, NTFS HDD )…

=> The drive is clean.

MCShield v 2.1.4.13 / DB: 2012.8.6.1 <<<

8/9/2012 10:31:55 PM > Drive G: - scan started (no label ~7595 MB, FAT32 flash drive )…

=> The drive is clean.

MCShield v 2.1.4.13 / DB: 2012.8.6.1 <<<

8/9/2012 10:31:55 PM > Drive H: - scan started (XTRA PDN ~1887 MB, FAT32 flash drive )…

=> The drive is clean.

MCShield v 2.1.4.13 / DB: 2012.8.6.1 <<<

8/9/2012 10:32:28 PM > Drive G: - scan started (no label ~7595 MB, FAT32 flash drive )…

=> The drive is clean.

MCShield v 2.1.4.13 / DB: 2012.8.6.1 <<<

8/9/2012 10:32:29 PM > Drive H: - scan started (XTRA PDN ~1887 MB, FAT32 flash drive )…

=> The drive is clean.

MCShield v 2.1.4.13 / DB: 2012.8.6.1 <<<

8/9/2012 10:32:53 PM > Drive F: - scan started (BLACKBERRY2 ~7574 MB, FAT32 flash drive )…

=> The drive is clean.

MCShield v 2.1.4.13 / DB: 2012.8.6.1 <<<

8/9/2012 10:33:52 PM > Drive F: - scan started (no label ~1699 MB, FAT flash drive )…

=> The drive is clean.

MCShield v 2.1.4.13 / DB: 2012.8.6.1 <<<

8/9/2012 10:34:54 PM > Drive C: - scan started (OS ~195 GB, NTFS HDD )…

=> The drive is clean.

8/9/2012 10:34:54 PM > Drive D: - scan started (Data ~245 GB, NTFS HDD )…

=> The drive is clean.

MCShield v 2.1.4.13 / DB: 2012.8.6.1 <<<

8/9/2012 10:35:09 PM > Drive F: - scan started (no label ~1699 MB, FAT flash drive )…

=> The drive is clean.

MCShield v 2.1.4.13 / DB: 2012.8.6.1 <<<

8/9/2012 10:35:42 PM > Drive F: - scan started (BLACKBERRY2 ~7574 MB, FAT32 flash drive )…

=> The drive is clean.

[list]
Multiple Antivirus Programs

You are running more than 1 Antivirus program!

AV: avast! Antivirus Enabled/Updated {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: Trend Micro Titanium Internet Security Disabled/Updated {68F968AC-2AA0-091D-848C-803E83E35902}

Running - more than one - antivirus program is not recommended because:
[*]They can conflict with each other.
[*]Report the other antivirus software as malicious.
[*]Antivirus programs use an enormous amount of computer’s resources… actively scanning your computer.
[*]Can cause your computer to become unstable…run slowly and even, in rare cases, BSOD crash…etc
I strongly suggest you uninstall one of them. Which one, is your decision.

We have one stubborn malware file…

[*] Please download BlitzBlank by emsisoft and save it to your desktop.

[*] Open Blitzblank.exe by double click on it.

[*] Click OK at the warning (and take note of it, this is a VERY powerful tool!).

[*] Click the Script tab and copy/paste the following text there:

 
DeleteFile:
c:\windows\svchost.exe

[*] Click Execute Now. Your computer will need to reboot in order to replace the files.
[*] When done, post me the report created by Blitzblank. you can find it at the root of the drive C:\

Re-run Combofix and attach here fresh Combofix.txt

Wow, I didn’t know I was running 2 antivirus programs. I only recall installing Avast.

Sorry, I forgot about you

Logs looks good. How is your computer running now?