Hi, I seem to be having the same problem as everyone else. Avast keeps popping up every so often telling me about a malware/trojan horse threat on my computer. I tried disinfecting my laptop using Malwarebytes, SUPERAntiSpyware and Avast. The scan results turn up positive for infected files every time I scan, and I always put them in quarantine, but it still doesn't solve the problem. I attached my latest MBAM log, OTL and aswMBR like it says on the other post. I hope this can be fixed. Please help. Thanks.
Whilst the alerts are a pain, avast is at least preventing it from getting worse.
There may be some delay due to differing time zones and availability of the volunteer malware removal specialists.
I'm on it
Be right back…
OK, your computer is badly infected; there are traces of a lot of malware activity.
Step 1
Download AVZ Antiviral Toolkit from the following link:
http://support.kaspersky.com/downloads/utils/avz4.zip
[*] Extract the archive to a folder.
[*] Run AVZ (double-click on the AVZ icon: http://amf.mycity.rs/pg/images/avz.png );
[*] Click on File > Custom Scripts;
[*] In the new window that opens, copy/paste everything inside the code box below:
begin
ShowMessage('Attention! Before performing the script, AVZ will automatically close all network connections.' + #13#10 + 'After the computer restarts the network connection will be restored automatically');
ExecuteFile('net.exe', 'stop tcpip /y', 0, 15000, true);
if not IsWOW64
then
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
end;
DeleteFile('C:\Windows\assembly\GAC_32\Desktop.ini');
DeleteFile('C:\Windows\assembly\GAC_64\Desktop.ini');
DeleteFile('C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\00000008.@');
DeleteFile('C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L\00000004.@');
DeleteFile('C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\80000064.@');
DeleteFile('C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\@');
DeleteFile('C:\Users\Marz\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\@');
DeleteFile('C:\Users\Marz\AppData\Roaming\ngecar.dll');
DeleteDirectory('C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U');
DeleteDirectory('C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L');
DeleteDirectory('C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}');
DeleteDirectory('C:\Users\Marz\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
[*] Click Run and wait for the script to execute.
Step 2
Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.
Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this Instruction.
How to disable avast:
[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.
[*]Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn on this option after the cleaning.
Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.
When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
Attach the log report (ComboFix.txt) to your reply.
Step 3
Check USB storage devices / removable drives
Download MCShield from one of the following links:
MyCity - Official download link
Softpedija - Mirror download link
[*] Double click MCShield-Setup to install the application.
[*] Wait a few seconds for MCShield to finish its initial scan.
Recommendation: under the General and Scanner tabs, click the Defaults button to choose the recommended options.
[*] Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.
When all scanning is done, attach the log report that MCShield has made.
Start → All Programs → MCShield → Logs
Attach here → AllScans.txt
Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.
Step 4 (last step)
Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
[*] Make sure that all options are checked.
[*] Press "Scan".
[*] It will create a log (FSS.txt) in the same directory the tool is run from.
[*] Please attach the FSS.txt log to your reply.
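Added example, not part of the thread and not one of the tools it names: a small Python check a practitioner can run after the Step 1 reboot to see whether the file-system artifacts the AVZ script deleted have reappeared (if they have, the persistence mechanism is still active and the later steps are still needed). The patterns are taken from the paths in that script; the constructed test tree, its GUIDs and the user name "testuser" are assumptions made here for illustration. Point it at the real drive with `python avzcheck.py C:\`.

```python
"""Added example (not from the thread): after the reboot, verify that the
file-system artifacts the AVZ script above deleted have not come back.

The layout it looks for is derived from the paths in that script; the
constructed test tree, its GUIDs and the user name "testuser" are assumptions
made here for illustration.  Run as:  python avzcheck.py C:\\
"""
import re
import sys
import tempfile
from pathlib import Path

# Any {8-4-4-4-12} hex folder name.  GUID-named folders under
# Windows\Installer are normal (MSI cache); only their contents matter.
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def _listdir(path):
    """Directory entries, or [] if the directory is missing or unreadable."""
    try:
        return list(path.iterdir())
    except OSError:
        return []


def find_artifacts(root):
    """Return sorted paths (relative to root, '/'-separated) matching the
    three patterns the AVZ script targeted:
      * Windows\\assembly\\GAC_32|GAC_64\\Desktop.ini
      * a file literally named '@' inside a GUID folder under
        Windows\\Installer or <user>\\AppData\\Local
      * files ending in '.@' inside that GUID folder's U or L subfolders"""
    root = Path(root)
    hits = []

    for gac in ("GAC_32", "GAC_64"):
        ini = root / "Windows" / "assembly" / gac / "Desktop.ini"
        if ini.is_file():
            hits.append(ini)

    bases = [root / "Windows" / "Installer"]
    bases += [u / "AppData" / "Local" for u in _listdir(root / "Users") if u.is_dir()]

    for base in bases:
        for d in _listdir(base):
            if not (d.is_dir() and GUID_RE.match(d.name)):
                continue
            if (d / "@").is_file():
                hits.append(d / "@")
            for sub in ("U", "L"):
                hits += [f for f in _listdir(d / sub)
                         if f.is_file() and f.name.endswith(".@")]

    return sorted(h.relative_to(root).as_posix() for h in hits)


def build_sample_tree(root=None):
    """Constructed test tree: one benign GUID folder and one set of artifacts."""
    root = Path(root) if root else Path(tempfile.mkdtemp(prefix="avzcheck_"))
    installer = root / "Windows" / "Installer"

    benign = installer / "{deadbeef-0000-4000-8000-000000000001}"   # constructed
    benign.mkdir(parents=True)
    (benign / "icon.ico").write_bytes(b"\x00")          # must NOT be flagged

    guid = "{01234567-89ab-cdef-0123-456789abcdef}"        # constructed
    bad = installer / guid
    (bad / "U").mkdir(parents=True)
    (bad / "L").mkdir()
    (bad / "@").write_bytes(b"\x00")
    (bad / "U" / "00000008.@").write_bytes(b"\x00")
    (bad / "L" / "00000004.@").write_bytes(b"\x00")

    local = root / "Users" / "testuser" / "AppData" / "Local" / guid
    local.mkdir(parents=True)
    (local / "@").write_bytes(b"\x00")

    gac = root / "Windows" / "assembly" / "GAC_32"
    gac.mkdir(parents=True)
    (gac / "Desktop.ini").write_text("[.ShellClassInfo]\n")
    return root


def check_sample_tree():
    """Scan the constructed tree; expected to report exactly five artifacts."""
    return find_artifacts(build_sample_tree())


def check_clean_tree():
    """Scan an empty tree; expected to report nothing."""
    return find_artifacts(tempfile.mkdtemp(prefix="avzclean_"))


if __name__ == "__main__":
    hits = find_artifacts(sys.argv[1]) if len(sys.argv) > 1 else check_sample_tree()
    print("\n".join(hits) if hits else "no artifacts found")
```

A hit means a file the script removed is back, which is the useful signal; an empty result is not a clean bill of health, since the later steps in this thread deal with a driver, a replaced services.exe and registry entries this check does not look at. GUID-named folders under Windows\Installer by themselves are expected and are deliberately not reported.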
I did everything you told me to. Here are the logs. I'm keeping my fingers crossed that the virus hasn't done irreparable damage to my computer. Thanks again.
Malware has damaged a couple of legitimate system files.
You need to read the private message I sent you, do what it says, and then do the following:
-Delete current Combofix and download a fresh one from here:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- ComboFix must be on your Desktop (your old ComboFix is here: c:\users\Marz\Downloads\ComboFix.exe)
- Open Notepad and copy/paste the text present inside the code box below:
File::
c:\windows\SysWow64\drivers\vdm5nzk0.sys
KillAll::
FMove::
C:\services.exe|c:\windows\system32\services.exe
Folder::
c:\users\Marz\AppData\Roaming\xsecva
ClearJavaCache::
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
Save this as CFScript.txt
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows. Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the log in your next reply. (typical location: C:\ComboFix.txt)
Step 2
Download the following files to your Desktop
https://www.dropbox.com/s/9x7yyfwpo6mge7c/bits.reg
https://www.dropbox.com/s/x96lhjv1thr4xle/windefend.reg
Double-click and run the files. On the pop-up prompt click Yes/OK/Manage. Reboot your computer.
- Re-run FSS as before and attach a fresh FSS log report here.
Should I uninstall the old ComboFix, or can I just directly delete it?
No, do not uninstall. Just delete the ComboFix icon and download a fresh one:
We need you to run a new and fresh ComboFix. So, just delete ComboFix and download a fresh version.
OK, thanks!
Here are the new logs. I hope whatever the virus has damaged has been fixed… thanks again
Hi,
We are making good progress 8)
[*] Download AdwCleaner (by Xplode) to your desktop.
[*] Launch it, click on [Search] and wait for the scan.
[*] When the scan ends, Notepad will appear with the report.
[*] Click on [Delete]. Wait for the program to complete its work.
The program will close all active programs. Click OK to confirm that.
On the next two windows that open ( Informations and Restart required ) click OK
[*] The computer will restart and open a notepad ( C:\AdwCleaner[S1].txt ) with the report.
[*] Save the notepad report on the Desktop
[*] Please attach here C:\AdwCleaner[S1].txt
Note: The report will also be stored on C:\AdwCleaner[S1].txt
- Re-run Combofix and attach here fresh Combofix.txt log
Hi, my computer rebooted but now my screen is stuck on the start up screen for a while now and it looks like it’s not loading. I removed my external hard drive while my computer was loading and I’m not sure if that’s why it froze. Can I just restart it again?
I don’t want to decide by myself to reboot it because im scared to do further damage. What should I do? Pls help
It’s still frozen right now
I understand your reluctance to reboot again; unfortunately magna86 is off-line, so there may be some delay due to differing time zones and availability.
OK, thanks. I guess I'm going to have to hang in here while he's still unavailable. I'd rather wait than regret it later.
You’re welcome.
Hi! So, I finally decided to reboot my computer. I just couldn't resist leaving it on overnight with the screen frozen like that. Fortunately, it was a good call because it just continued with AdwCleaner and no further damage was done (I hope). Anyway, after I did that I went ahead and ran ComboFix again like you said. So, here are the new logs.
Personally I too would just have rebooted, but not wanting to butt in, I couldn’t advise that. Hopefully it won’t be long before magna86 can get back to the topic and check the new logs.
@morzzzy
Sorry for the wait, but I could not be back earlier :-[
You have no reason to worry about it; AdwCleaner is a tool that does not affect system core files or important drivers, so…
You should immediately restart your computer as soon as you see something that does not go according to plan.
And since AdwCleaner has deleted a lot of crapware… believe me, it was worth it.
- Re-run AdwCleaner and click on Uninstall
It is necessary to uninstall the ComboFix :
[*] Click Start (or the Vista/7 Start button: http://amf.mycity.rs/pg/images/VistaStartButton.png ) then Run.
On Windows 7 or Vista you may use the Start Search field if Run is not available.
[*] In the text line, type (or copy) the following:
ComboFix /Uninstall
Note that there is a space between " ComboFix " and " /Uninstall " .
[*] then click OK (or press Enter ).
Wait for the uninstall process to complete.
It is necessary to uninstall AVZ Antiviral Toolkit .
[*] Re-run AVZ (double-click on the AVZ icon: http://amf.mycity.rs/pg/images/avz.png );
[*] From the menu choose File > Standard Scripts;
[*] In the window that opens, check script 6 and click Execute Selected Scripts;
[*] Click Yes ;
[*] After the procedure you will receive notification: Script Executed ;
[*] Quit the program and delete the folder where the program is.
How is your computer running now?