Malware and trojan horse popups, Win32 and Win64 virus

Hello,
Avast cleaned up lots, but I am still having issues.

I installed Avast and am now getting popups alerting me to specific viruses and malware that are being blocked by Avast every couple of minutes. I have run Malwarebytes three times, isolated the viruses, but upon reboot they instantly start popping up. The latest log from Malwarebytes follows. Thanks for your help!

Win32:Downloader-PKU trojan
Win64:Sirefef-A trojan
Win32:Malware-gen

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.23.11

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.19272
Mom :: MOM-PC [administrator]

7/24/2012 7:15:56 PM
mbam-log-2012-07-24 (19-15-56).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 214342
Time elapsed: 11 minute(s), 1 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 5
C:\Windows\assembly\GAC\Desktop.ini (Trojan.0access) → Quarantined and deleted successfully.
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\00000008.@ (Trojan.Dropper.BCMiner) → Quarantined and deleted successfully.
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\trz17C2.tmp (Trojan.Sirefef) → Quarantined and deleted successfully.
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\trz6BE5.tmp (Rootkit.Zaccess) → Quarantined and deleted successfully.
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\trz9054.tmp (Rootkit.Zaccess) → Quarantined and deleted successfully.

(end)

This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.

I am not tech savvy!

I browsed the link you provided, but I am concerned about going through those processes without knowing what I am doing.

Thanks!

The processes outlined are used for the analysis phase; you don't do anything other than what the instructions say: run the tools and attach the logs so they can be analysed by a specialist.

Take things a step (one process) at a time until you have the first three done. You already have step one done by posting the MBAM log, so essentially you have OTL to run and attach its two logs, and also aswMBR to run and attach its log.

Then they will formulate a fix and give instructions on what to do to apply it and what other steps to do if required; you aren’t on your own.

I have run OTL and generated a log. While running aswMBR.exe I got a blue screen of death and a scary message from Windows, but did get my system back on reboot. I have two additional shadowy documents on my desktop with the name desktop.ini. I am very reluctant to rerun aswMBR.exe. I still have the popups from Avast regarding the viruses. What else should I do?

Thank you!

I finished running aswMBR, despite my fears. I am attaching my logs.

Thanks!

There may be a bit of time zone ping-pong and availability before one of the malware removal specialists can analyse the logs.

You have a Sirefef-PL [Rootkit] infection. I am going to refer you to our certified malware expert, Essexboy. He will also review your logs and give you further instructions; however, he comes on the forum late UK time. He will respond to you in this thread, so remember to check this thread daily.

Please do not make any further changes to your machine now that you have provided the logs.

IMPORTANT: If you are on a home network, disconnect the affected machine from the network. Do not share a USB/flash drive with this affected machine. Do not use this machine unless Essexboy or another malware removal specialist instructs you to as part of the malware removal instructions; use a different machine to check email, sync your phone or other devices.

→ You also have AVG running on your system as well as PC Tools. Having more than one AV can create problems. Please run the uninstaller for AVG: http://singularlabs.com/uninstallers/security-software/ then reboot your machine. This won't get rid of the infection, but it may help your system run a bit better so we can get rid of the infection.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
C:\Windows\assembly\GAC\Desktop.ini
C:\Users\Mom\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla
C:\Program Files\Common Files\AVG Secure Search

SRV - [2011/10/12 06:25:22 | 004,433,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Stopped] -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2011/08/02 06:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Stopped] -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe -- (avgwd)
SRV - [2011/07/26 10:16:02 | 001,025,352 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe -- (AVG Security Toolbar Service)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\SymIM.sys -- (SymIMMP)
DRV - File not found [File_System | Disabled | Stopped] -- system32\DRIVERS\avgrkx86.sys -- (Avgrkx86)
DRV - [2011/10/07 06:23:48 | 000,230,608 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2011/10/04 06:21:16 | 000,016,720 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
DRV - [2011/08/08 06:08:58 | 000,040,016 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\System32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2011/07/11 01:14:38 | 000,295,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2011/07/11 01:14:02 | 000,024,272 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
DRV - [2011/07/11 01:14:00 | 000,023,120 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\AVGIDSEH.sys -- (AVGIDSEH)
DRV - [2011/07/11 01:13:58 | 000,134,736 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
IE - HKCU..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = http://isearch.avg.com/search?cid={2E052D40-474A-46A0-81F7-4A7129FD4A2B}&mid=099c25e6470a47d6995ed1527e01930f-b2f266664df2b32354305ad297c8f9775aaef212&lang=en&ds=AVG&pr=fr&d=2011-10-31 16:01:35&v=9.0.0.18&sap=dsp&q={searchTerms}
FF - HKLM\Software\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin: C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\11.2.0\npsitesafety.dll ()
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\avg@toolbar: C:\ProgramData\AVG Secure Search\11.1.0.12\ [2012/07/21 21:11:22 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\ [2012/07/22 21:07:50 | 000,000,000 | ---D | M]
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll File not found
O2 - BHO: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll ()
O3 - HKLM..\Toolbar: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll ()
O3 - HKCU..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [HF_G_Jul] C:\Program Files\AVG Secure Search\HF_G_Jul.exe ()
O4 - HKLM..\Run: [ROC_roc_dec12] C:\Program Files\AVG Secure Search\ROC_roc_dec12.exe ()
O4 - HKLM..\Run: [vProt] C:\Program Files\AVG Secure Search\vprot.exe ()
O4 - HKCU..\Run: [Adobe] C:\Users\Mom\AppData\Local\Apple\Adobe\dzrylzchm.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\viprotocol {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\11.2.0\ViProtocol.dll ()
[2012/07/03 13:06:53 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG PC Tuneup
[113 C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\*.tmp files → C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\*.tmp → ]
[2012/07/18 17:46:03 | 000,502,726 | ---- | M] () -- C:\Windows\System32\drivers\AVG\iavichjg.avm
[2012/07/18 08:01:36 | 101,650,810 | ---- | M] () -- C:\Windows\System32\drivers\AVG\incavi.avm
[2012/07/03 13:06:55 | 000,000,959 | ---- | M] () -- C:\Users\Mom\Application Data\Microsoft\Internet Explorer\Quick Launch\AVG PC Tuneup.lnk
[2012/07/03 13:06:55 | 000,000,935 | ---- | M] () -- C:\Users\Mom\Desktop\AVG PC Tuneup.lnk
[2012/04/03 20:05:12 | 000,000,000 | ---D | M] -- C:\Users\Mom\AppData\Roaming\AVG
[2012/07/21 21:11:32 | 000,000,000 | ---D | M] -- C:\Users\Mom\AppData\Roaming\AVG2012

:Files
ipconfig /flushdns /c
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
C:\Users\Mom\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
C:\Windows\System32\drivers\AVG
C:\Program Files\Common Files\AVG Secure Search
C:\Program Files\AVG
C:\Program Files\AVG Secure Search
C:\PROGRA~1\COMMON~1\SYMANT~1
C:\ProgramData\AVG Secure Search

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.
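The fix above removes a fixed set of paths and registry entries. As an added example (not code from this thread, from OTL, from Malwarebytes or from any vendor), the following Python script turns the same indicators into regular expressions and applies them to MBAM/OTL-style log lines: the GUID-named directory under Windows\Installer with its U subfolder, its twin under AppData\Local, files named with eight hex digits and an "@" extension, Desktop.ini inside the GAC, a Run entry that loads a DLL from a user profile directory, and driver or service entries whose file is missing. The rule set, the function names triage, summarize and shared_guids, and the sample lines (copied from the logs posted above with the GUID backslashes restored) are this example's own assumptions; a ZeroAccess GUID differs per machine, which is one reason the fix above is marked as valid only for this system.

```python
"""Flag ZeroAccess/Sirefef indicators of the kind seen in this thread in
MBAM/OTL-style log lines.  Added example for this page; not code from the
thread, from OTL, from Malwarebytes or from any AV vendor."""
import re
from collections import Counter

# One GUID in braces, the form ZeroAccess used for its hidden directories.
GUID = r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"

# Rules are assumptions derived from the paths reported above, not a vendor
# signature set.  Each entry is (rule name, regex applied with re.search).
RULES = [
    # Hidden payload directory under the Windows Installer folder, "U" subfolder.
    ("zeroaccess_installer_dir",
     re.compile(r"\\Windows\\Installer\\" + GUID + r"\\U\\", re.I)),
    # Per-user twin of the same GUID directory inside the profile.
    ("zeroaccess_appdata_dir",
     re.compile(r"\\AppData\\Local\\" + GUID + r"(\\|$)", re.I)),
    # Payload files named with eight hex digits and an "@" extension.
    ("zeroaccess_at_file",
     re.compile(r"\\[0-9a-f]{8}\.@$", re.I)),
    # Desktop.ini planted in the .NET GAC directory (flagged by MBAM above).
    ("gac_desktop_ini",
     re.compile(r"\\Windows\\assembly\\GAC\\Desktop\.ini$", re.I)),
    # Run key that loads a DLL straight out of a user profile directory.
    ("run_key_dll_in_profile",
     re.compile(r"^O4 - HK(?:LM|CU)\.\.\\Run: \[[^\]]+\] .*\\AppData\\.*\.dll", re.I)),
    # Registered driver/service whose file no longer exists (leftover AV).
    ("orphaned_driver_entry",
     re.compile(r"^(?:DRV|SRV) - File not found", re.I)),
]


def triage(lines):
    """Return (rule name, line) for every rule that matches a line."""
    hits = []
    for line in lines:
        for name, rx in RULES:
            if rx.search(line):
                hits.append((name, line))
    return hits


def summarize(lines):
    """Count hits per rule name."""
    return dict(Counter(name for name, _ in triage(lines)))


def _guids(rx, lines):
    return {m.group(1).lower() for m in map(rx.search, lines) if m}


def shared_guids(lines):
    """GUID directories present both under Windows\\Installer and AppData\\Local.
    The fix above deletes both locations for the same GUID."""
    inst = re.compile(r"\\Windows\\Installer\\(" + GUID + ")", re.I)
    appd = re.compile(r"\\AppData\\Local\\(" + GUID + ")", re.I)
    return sorted(_guids(inst, lines) & _guids(appd, lines))


# Constructed sample: lines copied from the MBAM and OTL output posted above.
SAMPLE_LINES = [
    r"C:\Windows\assembly\GAC\Desktop.ini",
    r"C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\00000008.@",
    r"C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\trz17C2.tmp",
    r"C:\Users\Mom\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}",
    r"O4 - HKCU..\Run: [Adobe] C:\Users\Mom\AppData\Local\Apple\Adobe\dzrylzchm.dll (Microsoft Corporation)",
    r"O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)",
    r"DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\SymIM.sys -- (SymIMMP)",
    r"C:\Program Files\Common Files\AVG Secure Search",
]

if __name__ == "__main__":
    for name, line in triage(SAMPLE_LINES):
        print(f"{name:26s} {line}")
    print("GUID dirs in both locations:", shared_guids(SAMPLE_LINES))
```

Run it as a script to print the hits, or feed it a real OTL log one line at a time. It only reads text and touches neither files nor the registry, and a clean result on these patterns is not proof of a clean machine, which is why the thread sends the logs to a specialist rather than relying on a scan alone.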

I have tried to run OTL 5 times. Each time, about 15-20 seconds into the scan, the computer freezes and I get a (not responding) message. I have tried closing all operations, pasting the information into Notepad, then pasting into the box in OTL. After restarting the computer to get the icons back, I got this message:

Files\Folders moved on Reboot...
C:\Users\Mom\AppData\Local\Temp\ehmsas.txt moved successfully.

PendingFileRenameOperations files...
File C:\Users\Mom\AppData\Local\Temp\ehmsas.txt not found!

Registry entries deleted on Reboot...

Can you help? Thanks!

OK, continue on to the ComboFix run please and we will look at that later.

The computer shut down while ComboFix was running. No report was created. What should I do now?

Could you reboot the computer to the safe mode menu and see if you have the option "repair my computer"?

I was able to do that. The system restored to an earlier time. My Avast is gone from the desktop, along with ComboFix and OTL.

What next? I really appreciate your assistance!

Could you run a fresh OTL scan please?

I ran OTL twice. Both times I got a pop-up with a Win32 error, code 23, data error (cyclic redundancy check), with system event log rec 850 showing in the bottom tray.

While watching the scans, the AVGIDSEH driver seemed to be a sticking point. I have tried many different ways to uninstall AVG: manually, through Avast links, but it still shows in Programs. It doesn't work and seems to have parts removed.

Attaching the log from OTL.
Thank you!

As you have the system repair option, I would like to take a peek outside of Windows.

Please print these instructions out so that you know what you are doing.

[*]Download Farbar Recovery Scan Tool x64 and save it to a flash drive.
[*]Reboot the computer and select repair my computer
[*]Select command prompt
[*]Insert the USB with FRST
At the command prompt type the following :
[*]notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select "Computer", find your flash drive letter and close Notepad.
[*]In the command window type e:\frst.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.

http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/FRST2.gif

[*]The tool will start to run.
[*]When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

The process you outlined regarding the Farbar Recovery Scan Tool didn't go quite the way you outlined it. The system repair ran on my computer, then I was able to use the Farbar scanner tool. I am attaching the log.

CRC is a disk error.

Could you run the AVG removal tool available here: http://www.avg.com/ww-en/utilities

Then re-run ComboFix please, allowing it to update.

I have run and rerun the AVG remover tool. I have a popup when logging on stating that my AVG PC Tuneup has a problem. I have also tried manual removal, and have visited the AVG site. I can't get AVG off my system! Agh! Never again!!!

I am going to download and run ComboFix. I really appreciate all of your guidance! Thanks!