Need help removing 80000032.@ virus!

Hello,
Lately I have been getting alerts from avast! every four minutes or so from a virus under these files:

C:\Windows\Installer\{c44e2159-5180-a65b-93a8-beca4ad21656}\U\000000cb.@
C:\Windows\Installer\{c44e2159-5180-a65b-93a8-beca4ad21656}\U\80000032.@

I have tried using multiple programs to remove this virus, but have had no success. I will attach my logs in my next post, any assistance in the matter would be excellent!

-Jared

These are my logs.

MBAM

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.06.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Jared :: PLAYSTATION3 [administrator]

8/6/2012 4:34:53 AM
mbam-log-2012-08-06 (04-34-53).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 201770
Time elapsed: 4 minute(s), 50 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Windows\Installer\{c44e2159-5180-a65b-93a8-beca4ad21656}\U\000000cb.@ (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{c44e2159-5180-a65b-93a8-beca4ad21656}\U\trzD905.tmp (Rootkit.0Access) → Quarantined and deleted successfully.

My OTL log and Extras log will be in the next couple posts.

And my extras log.

Monitoring 8)

Hello jweed24. :wink:

[*] I will be working on your malware issues; this may or may not solve other issues you have with your machine.
[*] The fixes are specific to your problem and should only be used for this issue on this machine.
[*] If you don’t know or understand something, please don’t hesitate to ask.
[*]Please refrain from making any further changes to your computer (Install/Uninstall programs, delete files, edit the registry, etc…)
[*] Please DO NOT run any other tools or scans whilst I am helping you.
[*] It is important that you reply to this thread. Do not start a new topic.
[*] Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
[*] Absence of symptoms does not mean that everything is clear.


[*]Download FRST64 to a USB flash drive.
[*]Plug the USB drive into the infected machine.

Boot your computer into Recovery Environment

[*]Restart the computer and press F8 repeatedly until the Advanced Options Menu appears.
[*]Select Repair your computer.
[*]Select Language and click Next
[*]Enter password (if necessary) and click OK, you should now see the screen below …

http://i1090.photobucket.com/albums/i366/garyr56/W7InstallDisk2.png

[*]Select the Command Prompt option.
[*]A command window will open.

[*]Type notepad then hit Enter.
[*]Notepad will open.
[list]
[*]Click File > Open then select Computer.
[*]Note down the drive letter for your USB Drive.
[*]Close Notepad.[/list]
[*]Back in the command window …

[*]Type e:/frst64.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
[*]FRST will start to run.
[list]
[*]When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]When finished scanning it will make a log FRST.txt on the flash drive.[/list]
[*]Next

[*]Type Explorer.exe;Services.exe into the Search: field in FRST then click the Search File(s) button.
[*]FRST will search your computer for files and when finished it will produce a log Search.txt on the flash drive.
[*]Exit FRST.
[*]Close the command window.
[*]Boot back into normal mode and post me the FRST.txt and Search.txt logs please.

Thanks for the post response!

Here are my logs from FRST:

Open notepad.

[*]Click Start
[*] Type notepad.exe in the search programs and files box and click Enter.
[*] A blank Notepad page should open.
[*] Copy/Paste the contents of the code box below into Notepad.

[code]
Start
HKLM-x32\...\Run: [OQSD Agent] C:\Windows\SysWOW64\28463\OQSD.exe [x]
HKLM-x32\...\Run: [CEOA Agent] C:\Windows\SysWOW64\28463\CEOA.exe [x]
HKLM-x32\...\Run: [FNUR Agent] C:\Windows\SysWOW64\28463\FNUR.exe [x]
2012-07-12 00:52 - 2012-07-12 00:52 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.671BB2742859A032
2012-07-12 00:44 - 2012-07-12 00:44 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.597E5821B20C067D
2012-07-12 00:39 - 2012-07-12 00:39 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.D9A26B1F6F6D68E0
2012-07-12 00:33 - 2012-07-12 00:33 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.04E110C0C82E6ADE
2012-07-12 00:28 - 2012-07-12 00:28 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.D5C5D57C4896DE65
2012-07-12 00:23 - 2012-07-12 00:23 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.1663AA00D47A68E4
2012-07-12 00:44 - 2012-07-12 00:44 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\gmccqllo.sys
2012-07-12 00:33 - 2012-07-12 00:33 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\gstsjdjm.sys
ZeroAccess:
C:\Windows\Installer\{c44e2159-5180-a65b-93a8-beca4ad21656}
C:\Windows\Installer\{c44e2159-5180-a65b-93a8-beca4ad21656}\@
C:\Windows\Installer\{c44e2159-5180-a65b-93a8-beca4ad21656}\L
C:\Windows\Installer\{c44e2159-5180-a65b-93a8-beca4ad21656}\U
C:\Windows\Installer\{c44e2159-5180-a65b-93a8-beca4ad21656}\L\00000004.@
C:\Windows\Installer\{c44e2159-5180-a65b-93a8-beca4ad21656}\L\1afb2d56
C:\Windows\Installer\{c44e2159-5180-a65b-93a8-beca4ad21656}\L\201d3dde
C:\Windows\Installer\{c44e2159-5180-a65b-93a8-beca4ad21656}\U\00000004.@
C:\Windows\Installer\{c44e2159-5180-a65b-93a8-beca4ad21656}\U\00000008.@
C:\Windows\Installer\{c44e2159-5180-a65b-93a8-beca4ad21656}\U\80000000.@
C:\Windows\Installer\{c44e2159-5180-a65b-93a8-beca4ad21656}\U\80000064.@
C:\Windows\Installer\{c44e2159-5180-a65b-93a8-beca4ad21656}\U\trzD878.tmp
C:\Windows\Installer\{c44e2159-5180-a65b-93a8-beca4ad21656}\U\trzF1B4.tmp
ZeroAccess:
C:\Users\Jared\AppData\Local\{c44e2159-5180-a65b-93a8-beca4ad21656}
C:\Users\Jared\AppData\Local\{c44e2159-5180-a65b-93a8-beca4ad21656}\@
C:\Users\Jared\AppData\Local\{c44e2159-5180-a65b-93a8-beca4ad21656}\L
C:\Users\Jared\AppData\Local\{c44e2159-5180-a65b-93a8-beca4ad21656}\U
ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini
ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini
Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe
end
[/code]

[*] Save it to your USB flashdrive as fixlist.txt

Boot into Recovery Environment

Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens …

[*] Press the Fix button once and wait.
[*] FRST will process fixlist.txt
[*] When finished, it will produce a log fixlog.txt on your USB flashdrive.

Exit out of Recovery Environment and post me the log please.


Step 2

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this Instruction.

How to disable avast:

[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.

[*]Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.

When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
Attach the log report (ComboFix.txt) back to the topic.
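The fixlist above is the analyst's hand-written list of ZeroAccess artefacts: the {GUID} store with its @ file and U/L subfolders under Windows\Installer and AppData\Local, the Desktop.ini files planted in the GAC directories, the hashed copies of services.exe, and the Run entries pointing into a numeric SysWOW64 subfolder. The following is an added example of how a defender could flag that same path structure automatically in FRST or MBAM log lines; it is not code from the thread or from FRST. The rule names, the path-extraction logic and the benign negative lines (constructed, including a made-up GUID) are my assumptions; the positive sample lines are copied from the fixlist above. Note what it deliberately does not do: the bare {GUID} folder is not flagged on its own, because Windows Installer legitimately keeps {GUID} caches there, and the random-named drivers and the services.exe replacement are not flagged, because the analyst identified those from context, not from the path alone.

```python
"""Flag ZeroAccess-style artefacts in scanner log lines.

Hypothetical defender tooling (example code, not part of FRST or of the
forum thread). Runs offline on the constructed SAMPLE_LOG below.
"""
import re
from collections import Counter

# Regex fragment for a {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} folder name.
GUID = r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}"

# Each rule: (indicator name, regex matched against one full filesystem path).
# Indicator names are this example's own labels, not FRST terminology.
RULES = [
    # {GUID}\@, {GUID}\U, {GUID}\L, {GUID}\U\xxxxxxxx.@, {GUID}\L\xxxxxxxx,
    # {GUID}\U\trzXXXX.tmp under Windows\Installer or a user's AppData\Local.
    # The bare {GUID} folder is NOT matched: legitimate installer caches use it.
    ("zeroaccess_guid_store", re.compile(
        r"^[a-z]:\\(?:windows\\installer|users\\[^\\]+\\appdata\\local)\\"
        + GUID
        + r"(?:\\@|\\[ul](?:\\(?:[0-9a-f]{8}\.@|[0-9a-f]{8}|trz[0-9a-f]{4}\.tmp))?)$",
        re.I)),
    # Desktop.ini dropped directly in the GAC_32 / GAC_64 assembly folders.
    ("zeroaccess_gac_desktop_ini", re.compile(
        r"^[a-z]:\\windows\\assembly\\gac_(?:32|64)\\desktop\.ini$", re.I)),
    # services.exe.<16 hex digits> copies beside the real services.exe.
    ("services_exe_hashed_copy", re.compile(
        r"^[a-z]:\\windows\\system32\\services\.exe\.[0-9a-f]{16}$", re.I)),
    # Four-letter .exe inside an all-digit subfolder of SysWOW64 / System32.
    ("run_key_numeric_syswow_dir", re.compile(
        r"^[a-z]:\\windows\\(?:syswow64|system32)\\\d+\\[a-z]{4}\.exe$", re.I)),
]


def extract_paths(line):
    """Pull the filesystem path out of one log line, or return [] if none."""
    line = line.strip()
    if not line or line.startswith("Replace:"):
        return []                      # repair directive, not an artefact
    line = re.sub(r"\s\[x\]$", "", line)   # FRST appends [x] when the file is absent
    m = re.search(r"\)\s+([a-z]:\\.+)$", line, re.I)      # "... (Company) C:\path"
    if m:
        return [m.group(1)]
    m = re.search(r"Run:\s*\[[^\]]*\]\s+([a-z]:\\.+)$", line, re.I)  # "Run: [Name] C:\path"
    if m:
        return [m.group(1)]
    if re.match(r"^[a-z]:\\", line, re.I):                # bare path line
        return [line]
    return []


def classify(path):
    """Return the names of every rule the path matches (empty list if clean)."""
    return [name for name, rx in RULES if rx.match(path)]


def scan(lines):
    """Map each flagged path to its matching indicator names; clean paths are omitted."""
    findings = {}
    for line in lines:
        for path in extract_paths(line):
            hits = classify(path)
            if hits:
                findings[path] = hits
    return findings


def summarize(findings):
    """Count how many flagged paths each indicator produced."""
    return Counter(name for hits in findings.values() for name in hits)


# Constructed sample: positives copied from the thread's fixlist, negatives made up
# (the {11111111-...} GUID is a placeholder, the Replace: line is shortened).
SAMPLE_LOG = r"""
HKLM-x32\...\Run: [OQSD Agent] C:\Windows\SysWOW64\28463\OQSD.exe [x]
2012-07-12 00:52 - 2012-07-12 00:52 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.671BB2742859A032
2012-07-12 00:44 - 2012-07-12 00:44 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\gmccqllo.sys
C:\Windows\Installer\{c44e2159-5180-a65b-93a8-beca4ad21656}
C:\Windows\Installer\{c44e2159-5180-a65b-93a8-beca4ad21656}\@
C:\Windows\Installer\{c44e2159-5180-a65b-93a8-beca4ad21656}\U\80000032.@
C:\Windows\Installer\{c44e2159-5180-a65b-93a8-beca4ad21656}\L\1afb2d56
C:\Windows\Installer\{c44e2159-5180-a65b-93a8-beca4ad21656}\U\trzD905.tmp
C:\Users\Jared\AppData\Local\{c44e2159-5180-a65b-93a8-beca4ad21656}\U
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
Replace: C:\Windows\winsxs\example_component_dir\services.exe C:\Windows\System32\services.exe
C:\Windows\System32\services.exe
C:\Windows\Installer\{11111111-2222-3333-4444-555555555555}\misc.exe
C:\Windows\System32\Drivers\tcpip.sys
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for path, hits in found.items():
        print(f"{', '.join(hits):28} {path}")
    print(dict(summarize(found)))
```

Running it flags nine paths: the Run-key executable, the hashed services.exe copy, five entries of the {GUID} store and both GAC Desktop.ini files. The random-named driver, the real services.exe, the placeholder installer cache and tcpip.sys pass through untouched, which is the point of keeping the {GUID} rule tied to the @/U/L structure rather than to the folder name.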

This is the fixlog, I’m getting the Combofix log now.

Here is the Combofix log:

[*] Disable Microsoft Security Essentials.
[*] Open Notepad and copy/paste the text present inside the code box below:

[code]
ClearJavaCache::

RegLock::
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_228_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_228_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
[/code]

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows. Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)

How is your computer behaving now ?

Feels like it is running very well, startup was much faster than usual.

Here is the new log from Combofix:

Nice 8)
Uninstall and some post-cleaning…
Step 1

It is necessary to uninstall the ComboFix :

[*] Click Start (or
http://amf.mycity.rs/pg/images/VistaStartButton.png
) then Run.

On Windows7 or Vista you may use Start Search field if Run is not available.

[*] In the line of text type in (Copy) the following:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

[*] then click OK (or press Enter ).

Wait until the uninstall process is complete.

Step 2

Re-run OTL and hit CleanUp!

Step 3

[*]Download AdwCleaner (by Xplode) to your desktop.
[*]Launch it, click on [Search] and wait for the scan.
[*]When the scan ends, Notepad with the report will appear.

[*] Click on [Delete] and wait for the program to complete its work.
The program will close all active programs. Click OK to confirm that.
On the next two windows that open (Informations and Restart required) click OK

[*] The computer will restart and open a notepad ( C:\AdwCleaner[S1].txt ) with the report.
[*] Save the notepad report on the Desktop
[*] Please attach here C:\AdwCleaner[S1].txt

Note: The report will also be stored on C:\AdwCleaner[S1].txt

Step 4

You need to install some Antivirus software. AV is the basic protection from malware.

Step 5

I recommend that you use MCShield, if you wish.
MyCity - Official download link
Softpedija - Mirror download link
It will prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
And it will not only prevent infection, but will also immediately clean the memory card or external HDD.

Ran an Avast! scan, no infected files found! Computer is running so much better. I attached the AdwCleaner log.

Thank you so much for all your help today, it feels so good to be rid of that malware!

That's it, we're done. 8)