Avast Pop Up alerts 8000064.@ 80000032.@ 00000004.@ 80000000.@ 000000cb.@

I am getting Avast alerts every 5 to 10 minutes displaying "Malware and Trojan virus blocked".

The names of the viruses are 8000064.@ 80000032.@ 00000004.@ 80000000.@ 000000cb.@

Please help!

Hi,

Please run an OTL scan (and OTL only) following these instructions and attach the logs here.
http://forum.avast.com/index.php?topic=53253.0

When I click to download adwcleaner.exe a Windows message pops up saying "adwcleaner.exe contained a virus and was deleted" and it won't let me download it. In fact, for the other links provided, for Malwarebytes' Anti-Malware and OTL, the same message pops up, not allowing me to download the programs because a virus was detected.

What do I do??

I need to see only OTL logs with the custom scan script. Ignore that warning, or try to download and run OTL from a different browser, or try to disable your AV.
What exactly is telling you that all those tools are malware? They are all legitimate malware removal tools.

An Internet Explorer message. Google Chrome worked. Here is OTL.

  1. Please download ComboFix from here and save it to your Desktop.
    If you are unsure how ComboFix works please read this guide carefully.
    Note: ComboFix must be downloaded to your Desktop.

  2. Temporarily disable your AntiVirus program.
    If you are unsure how to do this please read this or this instruction.

Instructions how to disable avast:

[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open avast! User Interface.
[*]In the window that opens, in the top right corner, click Settings.
[*]In the new window that opens, choose the option Troubleshooting, uncheck Enable avast! self-defense, and click OK.
[*]Again, right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn this option back on after the cleaning.


  3. Run ComboFix. Click on I Agree!

ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer to download and install it.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.
If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion", just restart the computer once more.


  4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
    Attach the log report (ComboFix.txt) back to the topic.

here is the combofix log

Hi,
You have attached the same log three times. :slight_smile:

Create CFScript for Combofix:

Open notepad and copy/paste the text present inside the code box below:

Folder::
c:\program files (x86)\Google\Desktop\Install
c:\users\Hunter\AppData\Local\Google\Desktop\Install
c:\program files (x86)\Ask.com
c:\program files (x86)\uTorrentBar

DirLook::
c:\program files (x86)\MyITLab

FileLook::
c:\windows\SysWow64\setup16.exe
c:\windows\SysWow64\instnm.exe
c:\windows\SysWow64\user.exe

ClearJavaCache:: 

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"=-
[-HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"=-
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ApnUpdater"=-

DDS::
Trusted Zone: myitlab.com
Trusted Zone: pearsoncmg.com
Trusted Zone: pearsoned.com
Trusted Zone: researchnavigator.com

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows. Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)
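The Registry:: block of a CFScript uses .reg-file syntax: `[-KEY]` removes a whole key, `[KEY]` selects a key, and `"Name"=-` removes one value under the key selected on the preceding line. The script below is an added example, not code from this thread or from the ComboFix author: it parses that block (the sample is a shortened copy of the one posted above) into an explicit action list and the equivalent reg.exe commands, so what the script will change can be reviewed before it is handed to ComboFix. Key paths are passed through unchanged; the `~` in the Browser Helper Objects paths above is log shorthand and would need expanding to a real key path before that particular command could be run.

```python
"""Show what the Registry:: section of a ComboFix CFScript will do.

Added example, not from the thread or the ComboFix author.  The section uses
.reg-file syntax: "[-KEY]" deletes a key, "[KEY]" selects a key, and
'"Name"=-' deletes one value under the selected key.
"""
import re

# Shortened copy of the Registry:: block posted in the thread above
# (with neighbouring sections kept, to show that they are skipped).
SAMPLE_CFSCRIPT = r"""
Folder::
c:\program files (x86)\Ask.com

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"=-
[-HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"=-
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ApnUpdater"=-

DDS::
Trusted Zone: myitlab.com
"""

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
         "HKEY_CLASSES_ROOT": "HKCR", "HKEY_USERS": "HKU",
         "HKEY_CURRENT_CONFIG": "HKCC"}
SECTION_RE = re.compile(r"^(\w+)::\s*$")
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^"(.*)"=(.*)$')


def section_lines(script, name):
    """Non-blank lines belonging to the `name::` section (empty if absent)."""
    out, current = [], None
    for raw in script.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current == name and line:
            out.append(line)
    return out


def parse_registry(script):
    """Translate Registry:: lines into (action, key, value_name) tuples.

    Data of a '"Name"=data' assignment is deliberately not returned: a value
    being *set* by a cleanup script deserves a manual look, not automation.
    Anything unrecognised comes back as ("unparsed", line, None).
    """
    actions, key = [], None
    for line in section_lines(script, "Registry"):
        km = KEY_RE.match(line)
        if km:
            if km.group(1) == "-":
                actions.append(("delete_key", km.group(2), None))
            else:
                key = km.group(2)          # selects the key for value lines
            continue
        vm = VALUE_RE.match(line)
        if vm and key is not None:
            kind = "delete_value" if vm.group(2) == "-" else "set_value"
            actions.append((kind, key, vm.group(1)))
            continue
        actions.append(("unparsed", line, None))
    return actions


def short_hive(key):
    """HKEY_LOCAL_MACHINE\\... -> HKLM\\... as reg.exe expects."""
    hive, _, rest = key.partition("\\")
    return HIVES.get(hive.upper(), hive) + "\\" + rest


def reg_commands(actions):
    """Equivalent reg.exe commands, duplicates dropped, first-seen order kept.

    Keys are passed through unchanged; the `~` in the Browser Helper Objects
    path is log shorthand and would need expanding before that command could
    actually be run.
    """
    cmds = {}
    for kind, key, value in actions:
        if kind == "delete_key":
            cmds[f'reg delete "{short_hive(key)}" /f'] = None
        elif kind == "delete_value":
            cmds[f'reg delete "{short_hive(key)}" /v "{value}" /f'] = None
    return list(cmds)


if __name__ == "__main__":
    acts = parse_registry(SAMPLE_CFSCRIPT)
    for act in acts:
        print(act)
    print()
    for cmd in reg_commands(acts):
        print(cmd)
```

Running it on the sample shows one thing worth noticing in the posted script: the clsid key for {bf7380fa-...} is listed for deletion twice, which is harmless for ComboFix but is collapsed to a single command here.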

Here you go

Looks good. Re-check with FRST and FSS.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

----- next -----

Please download Farbar Service Scanner and run it on the computer with the issue.
[*]Make sure the following options are checked:

[*]Internet Services
[*]Windows Firewall
[*]System Restore
[*]Security Center/Action Center
[*]Windows Update
[*]Windows Defender

[*]Press “Scan”.
[*]It will create a log (FSS.txt) in the same directory the tool is run.
[*]Please copy and paste the log to your reply.

The pop ups stopped!

Although some of my files have copies whose titles have "~$" as the first letters. What is that?

We will come to that. I'm waiting for the FRST and FSS logs.

Addition.txt created by FRST?

Ok, here is the thing. You had the latest variant of the ZeroAccess rootkit, which uses RLO chars (right-to-left). Only powerful tools such as ComboFix and FRST may fully deal with these infections.
To make the ZA story even sweeter, ZA received one more update two days ago and now inflicts even more damage on the system.

From Control Panel > Add or Remove Programs, uninstall:

AOL Messaging Toolbar (HKCU)
AOL Messaging Toolbar (x32)
Ask Toolbar (x32 Version: 1.13.2.0)
DefaultTab Chrome (x32 Version: 1.1.25)
uTorrentBar Toolbar (x32 Version: 6.8.2.0)

----- next -----

  1. Open notepad and copy/paste the text present inside the code box below.
    To do this highlight the contents of the box and right click on it. Paste this into the open notepad.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

START
HKLM-x32\...\Runonce: [Del167710840] - cmd.exe /Q /D /c del "C:\Users\Hunter\AppData\Local\Temp\0.del" [x]
HKCU\...\Runonce: [Del167710824] - cmd.exe /Q /D /c del "C:\Users\Hunter\AppData\Local\Temp\0.del" [x]
HKLM-x32\...\Run: [vProt] - C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe [2285232 2013-09-06] ()
C:\Program Files (x86)\AVG SafeGuard toolbar
C:\Program Files (x86)\Common Files\AVG Secure Search
C:\Users\Hunter\AppData\Local\AVG SafeGuard toolbar
URLSearchHook: (No Name) - {03402f96-3dc7-4285-bc50-9e81fefafe43} -  No File
SearchScopes: HKLM - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-results.com/sr?src=ieb&gct=ds&appid=484&systemid=406&apn_dtid=BND406&apn_ptnrs=AG6&o=APN10645&apn_uid=2813022415904912&q={searchTerms}
SearchScopes: HKLM-x32 - {443789B7-F39C-4b5c-9287-DA72D38F4FE6} URL = http://slirsredirect.search.aol.com/redirector/sredir?sredir=843&query={searchTerms}&invocationType=tb50-ie-aim-chromesbox-en-us&tb_uuid=20111226185512130&tb_oid=26-12-2011&tb_mrud=19-06-2012
SearchScopes: HKLM-x32 - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-results.com/sr?src=ieb&gct=ds&appid=484&systemid=406&apn_dtid=BND406&apn_ptnrs=AG6&o=APN10645&apn_uid=2813022415904912&q={searchTerms}
SearchScopes: HKCU - {443789B7-F39C-4b5c-9287-DA72D38F4FE6} URL = http://slirsredirect.search.aol.com/redirector/sredir?sredir=843&query={searchTerms}&invocationType=tb50-ie-aim-chromesbox-en-us&tb_uuid=20111226185512130&tb_oid=26-12-2011&tb_mrud=19-06-2012
SearchScopes: HKCU - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-results.com/sr?src=ieb&gct=ds&appid=484&systemid=406&apn_dtid=BND406&apn_ptnrs=AG6&o=APN10645&apn_uid=2813022415904912&q={searchTerms}
BHO-x32: DefaultTab Browser Helper - {7F6AFBF1-E065-4627-A2FD-810366367D01} - C:\Users\Hunter\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabBHO.dll No File
Winsock: Catalog5 01 %SystemRoot%\System32\mswsock.dll [232448] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 01 %SystemRoot%\System32\mswsock.dll [326144] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
CHR HKLM-x32\...\Chrome\Extension: [bejbohlohkkgompgecdcbbglkpjfjgdj] - C:\Users\Hunter\AppData\Local\Temp\ccex.crx
C:\Users\Hunter\AppData\Local\Temp\ccex.crx
R2 vToolbarUpdater15.4.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\ToolbarUpdater.exe [1616048 2013-09-06] (AVG Secure Search)
C:\Users\Hunter\AppData\Local\Temp\oi_{E4EF6AC9-A479-4F38-80D7-0AC3418579E6}.exe
C:\Users\Hunter\AppData\Local\Temp\UNINSTALL.EXE
C:\Users\Hunter\AppData\Local\Temp\is357113909\AVG_Safeguard.exe
C:\Users\Hunter\AppData\Local\Temp\is357113909\DefaultTabSetup.exe
C:\Users\Hunter\AppData\Local\Temp\is357113909\nss_handler.exe
C:\Users\Hunter\AppData\Local\Temp\is357113909\OpenItSetup.exe
C:\Users\Hunter\AppData\Local\Temp\is357113909\SymCCIS.dll
C:\Users\Hunter\AppData\Local\Temp\is357113909\uninstaller.exe
C:\Users\Hunter\AppData\Local\Temp\is357113909\wajam_validate.exe
C:\Users\Hunter\AppData\Local\Temp\avg_a04920\avg-secure-search-installer.exe
C:\Users\Hunter\AppData\Local\Temp\avg_a04920\ProgFiles\AVG SafeGuard toolbar\lip.exe
C:\Users\Hunter\AppData\Local\Temp\avg_a04920\ProgFiles\AVG SafeGuard toolbar\PostInstall.exe
C:\Users\Hunter\AppData\Local\Temp\avg_a04920\ProgFiles\AVG SafeGuard toolbar\Uninstall.exe
C:\Users\Hunter\AppData\Local\Temp\avg_a04920\ProgFiles\AVG SafeGuard toolbar\vprot.exe
C:\Users\Hunter\AppData\Local\Temp\avg_a04920\ProgFiles\AVG SafeGuard toolbar\15.4.0.5\AVG SafeGuard toolbar_toolbar.dll
C:\Users\Hunter\AppData\Local\Temp\avg_a04920\ConfigFiles\avguidx.dll
C:\Users\Hunter\AppData\Local\Temp\avg_a04920\ConfigFiles\MachineIdCreator.exe
C:\Users\Hunter\AppData\Local\Temp\avg_a04920\CommonFiles\AVG SafeGuard toolbar\avgdttbx.dll
C:\Users\Hunter\AppData\Local\Temp\avg_a04920\CommonFiles\AVG SafeGuard toolbar\AVGRewardsWorker.dll
C:\Users\Hunter\AppData\Local\Temp\avg_a04920\CommonFiles\AVG SafeGuard toolbar\DriverInstaller.exe
C:\Users\Hunter\AppData\Local\Temp\avg_a04920\CommonFiles\AVG SafeGuard toolbar\DriverInstaller_64.exe
C:\Users\Hunter\AppData\Local\Temp\avg_a04920\CommonFiles\AVG SafeGuard toolbar\helper.dll
C:\Users\Hunter\AppData\Local\Temp\avg_a04920\CommonFiles\AVG SafeGuard toolbar\log4cplusU.dll
C:\Users\Hunter\AppData\Local\Temp\avg_a04920\CommonFiles\AVG SafeGuard toolbar\loggingserver.exe
C:\Users\Hunter\AppData\Local\Temp\avg_a04920\CommonFiles\AVG SafeGuard toolbar\npsitesafety.dll
C:\Users\Hunter\AppData\Local\Temp\avg_a04920\CommonFiles\AVG SafeGuard toolbar\ScriptHelper.exe
C:\Users\Hunter\AppData\Local\Temp\avg_a04920\CommonFiles\AVG SafeGuard toolbar\SiteSafety.dll
C:\Users\Hunter\AppData\Local\Temp\avg_a04920\CommonFiles\AVG SafeGuard toolbar\ToolbarUpdater.exe
C:\Users\Hunter\AppData\Local\Temp\avg_a04920\CommonFiles\AVG SafeGuard toolbar\ViProtocol.dll
C:\Users\Hunter\AppData\Local\Temp\avg_a04224\avg-secure-search-installer.exe
C:\Users\Hunter\AppData\Local\Temp\avg_a04224\ProgFiles\AVG SafeGuard toolbar\lip.exe
C:\Users\Hunter\AppData\Local\Temp\avg_a04224\ProgFiles\AVG SafeGuard toolbar\PostInstall.exe
C:\Users\Hunter\AppData\Local\Temp\avg_a04224\ProgFiles\AVG SafeGuard toolbar\Uninstall.exe
C:\Users\Hunter\AppData\Local\Temp\avg_a04224\ProgFiles\AVG SafeGuard toolbar\vprot.exe
C:\Users\Hunter\AppData\Local\Temp\avg_a04224\ProgFiles\AVG SafeGuard toolbar\14.0.0.12\AVG SafeGuard toolbar_toolbar.dll
C:\Users\Hunter\AppData\Local\Temp\avg_a04224\ConfigFiles\avguidx.dll
C:\Users\Hunter\AppData\Local\Temp\avg_a04224\ConfigFiles\MachineIdCreator.exe
C:\Users\Hunter\AppData\Local\Temp\avg_a04224\CommonFiles\AVG SafeGuard toolbar\avgdttbx.dll
C:\Users\Hunter\AppData\Local\Temp\avg_a04224\CommonFiles\AVG SafeGuard toolbar\AVGRewardsWorker.dll
C:\Users\Hunter\AppData\Local\Temp\avg_a04224\CommonFiles\AVG SafeGuard toolbar\DriverInstaller.exe
C:\Users\Hunter\AppData\Local\Temp\avg_a04224\CommonFiles\AVG SafeGuard toolbar\DriverInstaller_64.exe
C:\Users\Hunter\AppData\Local\Temp\avg_a04224\CommonFiles\AVG SafeGuard toolbar\npsitesafety.dll
C:\Users\Hunter\AppData\Local\Temp\avg_a04224\CommonFiles\AVG SafeGuard toolbar\ScriptHelper.exe
C:\Users\Hunter\AppData\Local\Temp\avg_a04224\CommonFiles\AVG SafeGuard toolbar\SiteSafety.dll
C:\Users\Hunter\AppData\Local\Temp\avg_a04224\CommonFiles\AVG SafeGuard toolbar\ToolbarUpdater.exe
C:\Users\Hunter\AppData\Local\Temp\avg_a04224\CommonFiles\AVG SafeGuard toolbar\ViProtocol.dll
C:\Users\Hunter\AppData\Local\Temp\167961502.Uninstall\uninstaller.exe
Task: {9F8B01D5-0960-4C58-B55E-8A4DE1B7CCF7} - System32\Tasks\Scheduled Update for Ask Toolbar => C:\Program Files (x86)\Ask.com\UpdateTask.exe
CMD: netsh winsock reset
CMD: ipconfig /flushdns
Hosts:
END
  2. Save notepad as fixlist.txt
    NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

  3. Run FRST/FRST64 and press the Fix button just once and wait.
    If the tool needs a restart, please let the system restart normally and let the tool complete its run after the restart.
    The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you that your version is outdated, please download and run the updated version.

----- next -----

Re-run FRST and attach the freshly created FRST.txt log report here.

----- next -----

Please download the Services Repair tool, available here, and save it to your Desktop. Right-click on it and select Run As Administrator, then follow the prompts. It should reboot when it finishes. If not, reboot it yourself.
http://kb.eset.com/library/ESET/KB%20Team%20Only/Malware/ServicesRepair.exe

Please post the created log here.

----- next -----

Re-run FSS and post the freshly created FSS log report here.

We will continue tomorrow. Please refresh your topic tomorrow.
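As an added example (not code from the thread or from the FRST author), the script below runs over FRST log lines the checks a helper does by eye when building a fixlist like the one above: an autorun, service or extension loading from a Temp directory, an entry whose target is gone ("No File"), FRST's own ATTENTION marker (the Winsock lines above), and a file name carrying a Unicode right-to-left override (U+202E), the RLO trick attributed to ZeroAccess above, which makes a stored name like photo[RLO]gpj.exe display as photoexe.jpg. The sample lines are copied from the fixlist above except the last one, which is constructed to show the RLO case; the rendering of the reversed tail is an approximation of what a file manager shows, and the Temp-directory patterns are an assumption about where the entries above were pointing.

```python
"""Mechanical triage of FRST log lines.

Added example, not code from the thread or the FRST author.  Sample lines
are copied from the fixlist above; the last one is constructed to show the
right-to-left override (RLO, U+202E) file-name trick mentioned for ZeroAccess.
"""
import re

SAMPLE_FRST_LINES = [
    r'HKLM-x32\...\Run: [vProt] - C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe [2285232 2013-09-06] ()',
    r'HKCU\...\Runonce: [Del167710824] - cmd.exe /Q /D /c del "C:\Users\Hunter\AppData\Local\Temp\0.del" [x]',
    r'BHO-x32: DefaultTab Browser Helper - {7F6AFBF1-E065-4627-A2FD-810366367D01} - C:\Users\Hunter\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabBHO.dll No File',
    r'Winsock: Catalog5 01 %SystemRoot%\System32\mswsock.dll [232448] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"',
    r'CHR HKLM-x32\...\Chrome\Extension: [bejbohlohkkgompgecdcbbglkpjfjgdj] - C:\Users\Hunter\AppData\Local\Temp\ccex.crx',
    r'Task: {9F8B01D5-0960-4C58-B55E-8A4DE1B7CCF7} - System32\Tasks\Scheduled Update for Ask Toolbar => C:\Program Files (x86)\Ask.com\UpdateTask.exe',
    # Constructed, not from the thread: "photo" + RLO + "gpj.exe" displays as photoexe.jpg
    "HKCU\\...\\Run: [Updater] - C:\\Users\\Hunter\\AppData\\Local\\Temp\\photo\u202egpj.exe [12345 2013-09-06] ()",
]

# Unicode bidi controls that make a name display differently from how the
# file system stores it; U+202E (RLO) is the one malware uses.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
# Assumed Temp locations to flag (the entries above all sit under the first).
TEMP_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
# First drive-letter path on the line, cut at FRST's trailing annotations:
# " [size date]", " No File", a closing quote, or end of line.
PATH_RE = re.compile(r'([A-Za-z]:\\.+?)(?=\s+\[\d+[ \]]|\s+No File|"|\s*$)')


def extract_path(line):
    """The first C:\\-style path on a line, or None."""
    m = PATH_RE.search(line)
    return m.group(1) if m else None


def bidi_report(path):
    """(shown_name, real_extension) if the file name carries a bidi control.

    After U+202E every following character is laid out right to left, so a
    file manager shows the tail reversed (approximation of real bidi layout);
    the extension Windows executes is still the last one in the stored name.
    """
    base = path.rsplit("\\", 1)[-1]
    for i, ch in enumerate(base):
        if ch in BIDI_CONTROLS:
            if ch == "\u202e":
                shown = base[:i] + base[i + 1:][::-1]
            else:
                shown = base.replace(ch, "")
            real_ext = base[base.rfind("."):].lower() if "." in base else ""
            return shown, real_ext
    return None


def triage_line(line):
    """Findings for one log line; an empty list means nothing mechanical."""
    findings = []
    path = extract_path(line)
    if "ATTENTION" in line:
        findings.append("FRST ATTENTION marker")
    if " No File" in line:
        findings.append("target missing (No File)")
    if path and TEMP_RE.search(path):
        findings.append("runs from a Temp directory")
    report = bidi_report(path) if path else None
    if report:
        findings.append("bidi override: shown as %r, real extension %s" % report)
    return findings


def triage(lines):
    """Map each flagged line to its findings; clean lines are left out."""
    result = {}
    for line in lines:
        findings = triage_line(line)
        if findings:
            result[line] = findings
    return result


if __name__ == "__main__":
    for line, findings in triage(SAMPLE_FRST_LINES).items():
        print(line[:70] + ("..." if len(line) > 70 else ""))
        for f in findings:
            print("   -", f)
```

Note what the mechanical pass does not catch: the vProt and Ask.com UpdateTask lines come back clean, because a toolbar installed under Program Files is only recognisable as unwanted by name, which is exactly why the helper above still reads the whole log rather than relying on rules like these.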

ok