Help with the Win32:Malware-gen C:\Windows\Installer\...80000000.@ alerts

Hello, my first post here.

My Granddaughter loaded some kind of game related malware that makes Avast alert me every 2 minutes with ‘Threat Detected’ Win32:Malware-gen C:\Windows\Installer\…80000000.@

It looks like the common problem others are posting about recently. I tried to get rid of it with an Avast Boot Time Scan, Advanced System care, Spybot-SD, MbAB, IObit, etc and some files were deleted, but I guess I didn’t get all of it. Some of the garbage that came up and was deleted were:
C:\ProgramData\Microsoft\Windows\DRM\5AED.tmp
Win32:MDE-B(Susp)
Win32:PUP-gen [PUP]
Win64:Sirefef-F [Rtk]
Win32:Trojan-gen

MbAB comes up clean now, but I’ve attached my logs and would really appreciate your help getting rid of this bug.

Thank you,
Paul.

I just noticed that my Windows Update and Hp Update won’t work anymore.

Hp Update says Access Denied.

I ran the Troubleshooting Fix Problems with Windows Update, but it wouldn’t fix the problems.

Thanks in advance for any help!

A malware removal specialist has been informed of your topic.

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
O3 - HKU\S-1-5-21-442203092-2771800596-1516199507-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-442203092-2771800596-1516199507-1000\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.

:Files
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{68605e0d-daa6-1d6d-c742-08482023d0c2}
C:\Windows\System32\config\systemprofile\AppData\Local\{68605e0d-daa6-1d6d-c742-08482023d0c2}
C:\Windows\Installer\{68605e0d-daa6-1d6d-c742-08482023d0c2}
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt /c
ipconfig /release /c
ipconfig /renew /c
sc create BITS binpath= "c:\windows\system32\svchost.exe -k netsvcs" start= delayed-auto /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

• Double click on ComboFix.exe & follow the prompts.
• Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

• When finished, it shall produce a log for you.
• Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

FINALLY

Run Farbar Service Scanner

https://dl.dropbox.com/u/73555776/FSS.GIF

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

OK, finished all that and logs are attached.
I haven’t had any alerts, and the computer seems to be running normal.
Thanks so much for your help! Are there more steps to do?

Please run the MSfixit from here http://support.microsoft.com/kb/971058#appliesto

Then let me know of any remaining problems

Ok, I ran the utility but it couldn’t repair Windows Update. In the ‘Details’ section it read ‘Change Windows Update locations to Windows default settings’. I did try to run Windows Update and I have an important update to install, but it would freeze up on 0% when downloading and then say ‘Download failed’.

Still no alerts on Avast, that’s good :)

The Windows Update program listed error #80246008 when the download failed, which is the BITS service. I tried to start BITS (it’s set to Automatic (delayed start) already) but the error ‘Module cannot be found’ pops up?

I tried to run Hp Updates and it said Access Denied still, however I do see that I have Hp Support Assistant 6.1.12.1 running and up to date, so that should be good for Hp updates, right?

I see the path to BITS is C:\Windows\system32\svchost.exe -k netsvcs

That may be the corrupt malware that was removed?

sc create BITS binpath= "c:\windows\system32\svchost.exe -k netsvcs" start= delayed-auto /c

This is the correct order to start the bits service

Download Windows Repair (all in one) from this site

Install the programme then run

https://dl.dropbox.com/u/73555776/waio%20start.JPG

Go to step 3 and allow it to run SFC

https://dl.dropbox.com/u/73555776/waio%20step3.JPG

On the start repairs tab click start

https://dl.dropbox.com/u/73555776/waiostart%20rep.JPG

Select the following items and tick restart system when finished

https://dl.dropbox.com/u/73555776/waio%20rep%20list.JPG

I downloaded and ran Windows Repair (all in one) and MSfix-it but they both failed to fix the BITS program.

I did some reading about this BITS problem that seems to be common (because of this damn virus malware thing) and I tried the Take Ownership program and a couple other things, but my BITS program is corrupt and will not run. The Installer folder is empty of all files including hidden ones.

I’ll probably end up taking all of our stuff off of the computer and reformatting this thing. >:(

Question: How do I avoid getting this thing again, did my granddaughter voluntarily click on something or did it just get past Avast and other security programs?!!! It looks like a common infection now, is there a name for this thing and what are they doing about it? (very frustrated!)

No, this is a fairly new variant of ZeroAccess… Up until two days ago it was repairable, this is only the third case I have seen, and the first where I have been told the installer folder was empty

This would explain a lot…

I will see if there is a fix for this

Ok, thank you!

If I copy the folder from my other computer and drop it in that one, would it work?

It may do but as of yet a solution is not showing itself… But there are a few people working on it

I can’t find that Install folder on either computer, how do I find it?

Also, how do you open a command prompt on Win7?

Thanks again for your help! Windows Update seems to be the only thing screwed up still.

OK there may be a solution… But it may not work, there again it will not make it worse…

Open an elevated command prompt:

Go Start > All Programs > Accessories
Right click Command Prompt select Run as Administrator
In the Black Box type the following :

sc delete bits

Reboot the computer

Then right click the link below and select save target as… to your desktop

https://dl.dropbox.com/u/73555776/bits.reg

Double click the reg file on your desktop and allow to merge

Reboot and try updates again
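An added read-only check, not one of the helper's tools or the thread's own steps, that a defender can run after the sc delete bits / bits.reg procedure above: it verifies the BITS service registration (the "module cannot be found" error earlier in the thread is what a missing or wrong ServiceDll looks like) and lists any {GUID} folders in the three locations the OTL fix removed that still hold a file named '@' or '*.@', as in the alert path. It assumes default Windows paths and the standard registry value names (ImagePath, Start, DelayedAutostart, Parameters\ServiceDll).

```powershell
# Added example, not from the thread: verify the BITS service registration that the
# 'sc create BITS ...' / bits.reg steps restore, and look for leftover {GUID} folders.
# Read-only; run from an elevated PowerShell prompt on Windows 7 or later.

# Get-ItemProperty expands REG_EXPAND_SZ values, so compare against the expanded form.
$ExpectedImagePath = [Environment]::ExpandEnvironmentVariables('%SystemRoot%\System32\svchost.exe -k netsvcs')
$ExpectedDll       = 'qmgr.dll'   # DLL that hosts the genuine BITS service

function Test-BitsServiceConfig {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\BITS'
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Present = $false; Problems = @('BITS service key missing') }
    }
    $svc   = Get-ItemProperty -Path $key
    $param = Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue
    $problems = @()
    if ($svc.ImagePath -ne $ExpectedImagePath) { $problems += "ImagePath is '$($svc.ImagePath)'" }
    if ($svc.Start -ne 2)                       { $problems += "Start=$($svc.Start), expected 2 (Automatic)" }
    if ($svc.DelayedAutostart -ne 1)            { $problems += 'DelayedAutostart is not 1 (delayed-auto)' }
    if (-not $param -or -not $param.ServiceDll) {
        # This is the state behind the 'module cannot be found' error seen in the thread
        $problems += 'Parameters\ServiceDll missing'
    } else {
        $dll = [Environment]::ExpandEnvironmentVariables($param.ServiceDll)
        if ((Split-Path $dll -Leaf) -ne $ExpectedDll) { $problems += "ServiceDll is '$dll'" }
        elseif (-not (Test-Path -LiteralPath $dll))   { $problems += "ServiceDll file not found: $dll" }
    }
    [pscustomobject]@{ Present = $true; Problems = $problems }
}

function Find-GuidFoldersWithAtFiles {
    # Legitimate {GUID} folders also live under Windows\Installer (cached MSI icons), so only
    # folders containing a file named '@' or '*.@' (compare the alert path ...80000000.@) are listed.
    $roots = @("$env:SystemRoot\Installer",
               "$env:SystemRoot\System32\config\systemprofile\AppData\Local",
               "$env:SystemRoot\SysWOW64\config\systemprofile\AppData\Local")
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$' } |
            ForEach-Object {
                $atFiles = Get-ChildItem -LiteralPath $_.FullName -File -Force -ErrorAction SilentlyContinue |
                           Where-Object { $_.Name -match '(^|\.)@$' }
                if ($atFiles) { [pscustomobject]@{ Folder = $_.FullName; Files = ($atFiles.Name -join ', ') } }
            }
    }
}

Test-BitsServiceConfig | Format-List
Find-GuidFoldersWithAtFiles | Format-Table -AutoSize
```

An empty Problems list and no folders listed is the expected result after a successful repair; anything else is worth posting with the logs rather than deleting by hand.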

It worked! Great job, thank you for your help, time, and patience! :)

You now have Windows Updates again???

If so then that will make a fair few people happy

If you are OK now let me know and I will remove my tools

Yes, everything seems to be working.

One problem is that one of the optional updates was a Windows Security program which conflicted with Avast. I removed the Update Security program, but it still slowed down the boot/start-up time. Should I re-load Avast or is there a remnant registry from the update I can remove?

I think your tools were removed when I clicked ‘Clean Up’ on OTL?

Thanks Again!

Try a repair of Avast and on the general settings > Troubleshooting select Avast to start after Windows services