Malware gen / Trojan help please

Hi, this is my first time posting on this board so bear with me. Every time I use my internet my Google searches get hijacked or I get a popup webpage of an advertisement. I downloaded Avast! and did a full scan both on boot and after boot. Avast found a few infected files, so I moved them to the Chest. Now every few minutes Avast pops up saying a threat was blocked. My question is: are these actual viruses or false positives?

This is the file in question:
C:\Windows\Installer\{a7563e61-fba6-1c35-7029-c8c58af3a710}\U

In the past 2 hours this file has been flagged about 40 times and it says it is:

Win32:Trojan-gen
Win32:Malware-gen
Win32:ZAccess-IJ {Trj}

Any help would be appreciated. Thanks

Read the FAQs; I'm running OTL, will attach logs after.

Now every few minutes Avast pops up saying a threat was blocked
The symptoms indicate a possible Sirefef rootkit.
Read the FAQs; I'm running OTL, will attach logs after.
[b]Attach AdwCleaner / Malwarebytes / OTL / aswMBR logs[/b]

http://forum.avast.com/index.php?topic=53253.0

OTL LOG

Extras

asw:

MWB

ADW:

And yes, you have a Sirefef infection … Essexboy will save you :wink:

Thanks for the info and woo for Essex! =)

If you don't mind me asking, what exactly does a Sirefef do?

Sirefef info
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2FSirefef
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=Win32/Sirefef

Thanks again :slight_smile:

Here we go…

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes, and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
O2 - BHO: (WeCareReminder Class) - {D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} - C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dll (We-Care.com)
[2012/09/09 19:20:26 | 000,000,000 | ---- | M] () -- C:\ProgramData\7Bk038Cv.dat
[2012/09/09 19:20:12 | 000,000,001 | ---- | M] () -- C:\ProgramData\Kj6g85GG.exe_.b
[2012/09/09 19:20:12 | 000,000,001 | ---- | M] () -- C:\ProgramData\Kj6g85GG.exe.b

:Reg
[HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32] 
""="%systemroot%\system32\wbem\wbemess.dll" 
[-HKCU\Software\Classes\clsid\{12d0253a-7c96-815c-11e0-3034bbd97cc0}] 

:Files
C:\Windows\assembly\GAC_32\Desktop.ini 
C:\Windows\assembly\GAC_64\Desktop.ini
C:\ProgramData\WeCareReminder
C:\Windows\Installer\{a7563e61-fba6-1c35-7029-c8c58af3a710}
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt  /c
ipconfig /release /c
ipconfig /renew /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

[*] Download RogueKiller and save it on your desktop.

NOTE: If using IE8 or better, SmartScreen Filter will need to be disabled.

[*]Quit all programs
[*] Start RogueKiller.exe.
[*] Wait until Prescan has finished …
[*] Click on Scan

https://dl.dropbox.com/u/73555776/RKScan.GIF

[*]Wait for the end of the scan.
[*] The report has been created on the desktop.
[*] Click on the Delete button.

https://dl.dropbox.com/u/73555776/RKDelete.GIF

[*]The report has been created on the desktop.

[*]Next click on the ShortcutsFix

https://dl.dropbox.com/u/73555776/RKFixShortcuts.GIF

[*]The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

FINALLY

Download the zip file from the link below
https://dl.dropbox.com/u/73555776/Droka.zip
Extract all the reg files to the desktop
Double-click each in turn and allow it to merge with the registry.
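As an added illustration, not part of this thread and not OTL's or Essexboy's own code: a small Python checker that parses lines in the OTL file-listing format shown in the fix above and flags the general Sirefef/ZeroAccess indicators that fix targets: a GUID-named folder under C:\Windows\Installer (the OP's flagged path), Desktop.ini dropped into the GAC_32/GAC_64 assembly folders, and the WMI event CLSID whose InprocServer32 default the fix restores to wbemess.dll. The ProgramData droppers named in the fix have no general pattern, so they are deliberately not flagged. The sample log lines and registry values are constructed, and the function and indicator names are my own.

```python
"""Flag Sirefef / ZeroAccess indicators in OTL-style log lines.

Added example; the indicator list is derived only from the OTL fix quoted
above, not from OTL itself or from any vendor signature.
"""
import re

# One OTL file-listing line, in the format the fix script above uses:
# [2012/09/09 19:20:26 | 000,000,000 | ---- | M] () -- C:\ProgramData\7Bk038Cv.dat
OTL_FILE_RE = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[MC])\] \((?P<company>[^)]*)\) -- (?P<path>.+?)\s*$"
)

GUID = r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"

# Path patterns generalised from the :Files section of the fix above.
PATH_INDICATORS = {
    "installer_guid_dir": re.compile(r"^C:\\Windows\\Installer\\" + GUID + r"(\\|$)", re.I),
    "gac_desktop_ini": re.compile(r"^C:\\Windows\\assembly\\GAC_(32|64)\\Desktop\.ini$", re.I),
}

# The :Reg section of the fix restores this CLSID's InprocServer32 default to
# wbemess.dll, so any other value for that key is reported as a finding here.
WMI_EVENT_CLSID = "{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}"
EXPECTED_WBEMESS_TAIL = r"\system32\wbem\wbemess.dll"


def parse_otl_file_line(line):
    """Return the fields of one OTL file-listing line, or None if it is not one."""
    m = OTL_FILE_RE.match(line)
    return m.groupdict() if m else None


def path_indicators(path):
    """Names of the path indicators that match, in definition order."""
    return [name for name, rx in PATH_INDICATORS.items() if rx.search(path)]


def inprocserver32_hijacked(clsid, default_value):
    """True when the WMI event CLSID no longer points at wbemess.dll."""
    if clsid.upper() != WMI_EVENT_CLSID:
        return False
    return not default_value.lower().rstrip().endswith(EXPECTED_WBEMESS_TAIL)


def scan_log(lines, inproc_values):
    """Run both checks; inproc_values maps CLSID -> InprocServer32 default value.

    Returns (indicator_name, offending_value) tuples, file findings first.
    """
    findings = []
    for line in lines:
        rec = parse_otl_file_line(line)
        if rec is None:
            continue  # not a file-listing line; other OTL sections are ignored
        for name in path_indicators(rec["path"]):
            findings.append((name, rec["path"]))
    for clsid, value in inproc_values.items():
        if inprocserver32_hijacked(clsid, value):
            findings.append(("wmi_clsid_hijack", value))
    return findings


# Constructed sample lines in OTL's format; the paths come from the fix above,
# the file names under the GUID folder are made up for this example.
SAMPLE_LINES = [
    r"[2012/09/09 19:20:26 | 000,000,000 | ---- | M] () -- C:\ProgramData\7Bk038Cv.dat",
    r"[2012/09/10 08:14:02 | 000,000,054 | -HS- | M] () -- C:\Windows\assembly\GAC_32\Desktop.ini",
    r"[2012/09/10 08:14:02 | 000,000,054 | -HS- | M] () -- C:\Windows\assembly\GAC_64\Desktop.ini",
    r"[2012/09/10 08:13:58 | 000,001,024 | -HS- | C] () -- "
    r"C:\Windows\Installer\{a7563e61-fba6-1c35-7029-c8c58af3a710}\U\sample.dat",
    r"[2012/09/01 12:00:00 | 000,045,056 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\notepad.exe",
    "some other log line that is not a file entry",
]

# Constructed registry states: the value the fix writes back, and a hijacked one.
CLEAN_INPROC = {WMI_EVENT_CLSID: r"%systemroot%\system32\wbem\wbemess.dll"}
HIJACKED_INPROC = {
    WMI_EVENT_CLSID: r"C:\Windows\Installer\{a7563e61-fba6-1c35-7029-c8c58af3a710}\U\sample.dll"
}

if __name__ == "__main__":
    for name, value in scan_log(SAMPLE_LINES, HIJACKED_INPROC):
        print(f"{name:20s} {value}")
```

On a real machine the InprocServer32 value would be read with winreg rather than passed in, and the log would come from an OTL scan; the parsing and the indicator logic stay the same.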

OTL

RK says something about ZeroAccess? It popped up and the RK program started to blink.

RK

All the reg files from the zip went in except for the SharedAccess one; is this OK?

OK, let's check the SharedAccess one. ZeroAccess should now be history.

Run Farbar Service Scanner

https://dl.dropbox.com/u/73555776/FSS.GIF

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

Hey Essex, thanks for the help. I'm at work now but I'll def try it when I get home. Thanks again.

No problem on the time