Need help with Win32:Malware-gen

Hello,

On Monday my Avast antivirus started popping up alerts at an alarming rate about malware and trojans being blocked. I proceeded to do a number of boot-scans, quick scans and full system scans and Avast found over 500 infections on my system. Every time I ran a scan I’d try to move the infected files to the virus chest, but every time I’d get an error message saying the virus chest wasn’t available. I’m using a paid version of Avast and never had any problems with viruses or other infections until Monday night.

After lurking here for a little while I downloaded a trial of malwarebytes and have been running scans with that as well. After the first scan with MB I restarted my computer as it told me to but now all I can do is run it in safe mode. Whenever I try to boot windows normally it just gives me a frozen load screen. Would this be caused by my running avast and malwarebytes at the same time?

Also, here are the first few logs I got from malwarebytes.

I’ve run several scans and each comes up with more infections. It always seems to come from some hidden file in C:\Windows\Installer. Any time I try to search \Installer I can never find the file specified, unless I jump to it through malwarebytes. But once I’m there I can’t trace it through \Installer.

It’s always this: C:\Windows\Installer\{f96f4439-751d-91ad-af78-9e38f0b5b963}\U.

I’ve tried to remove each file that’s found in C:\Windows\Installer\{f96f4439-751d-91ad-af78-9e38f0b5b963}\U, but to no avail. They just reappear the next time I start my computer and run a scan.

Assistance would be greatly appreciated. :slight_smile:

Hi there, I know exactly what this is.

Download OTL to your Desktop

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Select All Users
[*]Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
CREATERESTOREPOINT

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*]When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Post both logs

As requested, here they are.

After this let me know what problems remain

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
To disable MBAM
Open the scanner and select the protection tab
Remove the tick from “Start with Windows”
Reboot and then run OTL

http://i1224.photobucket.com/albums/ee362/Essexboy3/mbamstop.jpg

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O3 - HKU\S-1-5-21-1947678083-1013025310-4180369925-1005\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-1947678083-1013025310-4180369925-1005\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
[2012/06/15 14:27:53 | 000,002,048 | ---- | C] () -- C:\Windows\Installer\{f96f4439-751d-91ad-af78-9e38f0b5b963}\U\00000004.@
[2012/06/15 14:27:53 | 000,001,584 | ---- | C] () -- C:\Windows\Installer\{f96f4439-751d-91ad-af78-9e38f0b5b963}\U\000000cb.@
[2012/06/12 06:30:32 | 000,000,773 | ---- | C] () -- C:\Windows\Installer\{f96f4439-751d-91ad-af78-9e38f0b5b963}\L\00000004.@
[2012/01/10 20:50:47 | 000,002,048 | -HS- | C] () -- C:\Windows\Installer\{f96f4439-751d-91ad-af78-9e38f0b5b963}\@
[20 C:\Windows\Installer\{f96f4439-751d-91ad-af78-9e38f0b5b963}\U\*.tmp files -> C:\Windows\Installer\{f96f4439-751d-91ad-af78-9e38f0b5b963}\U\*.tmp -> ]

:Files
ipconfig /flushdns /c
C:\Windows\Installer\{f96f4439-751d-91ad-af78-9e38f0b5b963}

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

THEN

[b]Reset/Renew TCP/IP connection[/b]

[*] Open an elevated command prompt. To do that:
[*] Click the Start Orb
[*] In the Start Search box type cmd.exe. A program named cmd.exe will be listed at the top of the menu list under Programs
[*] Right click on cmd.exe and click Run as Administrator. A black command window will open up.
[*] At the blinking cursor type the following commands, pressing the Enter key after each command typed:
[*] ipconfig /release
[*] Back at the blinking cursor type the following command, and press the Enter key.
[*] ipconfig /renew
[*] Back at the blinking cursor type Exit and press the Enter key. This will close the command window.
[*] Reboot the computer

[b]Reset Winsock on Vista / 7[/b]

[*] Open an elevated command prompt. To do that:
[*] Click the Start Orb
[*] In the Start Search box type cmd.exe. A program named cmd.exe will be listed at the top of the menu list under Programs
[*] Right click on cmd.exe and click Run as Administrator. A black command window will open up.
[*] At the blinking cursor type the following commands, pressing the Enter key after each command typed:
[*] netsh winsock reset catalog
You should see an entry in the command window similar to the image below:

http://2.bp.blogspot.com/_ekxQkyj9-D8/TSxKQgtaSXI/AAAAAAAAALo/zMzH8wBe4YA/s400/1+winsock+catalog.png

[*] Back at the blinking cursor type the following command, and press the Enter key.
[*] netsh int ip reset reset.log hit
You may get a response similar to the one in the image below:

http://2.bp.blogspot.com/_ekxQkyj9-D8/TSxKSfVP5TI/AAAAAAAAALs/74-ImCgokBI/s400/2.jpg

[*] Back at the blinking cursor type Exit and press the Enter key. This will close the command window.
[*] Reboot the computer

FINALLY

Run a fresh OTL quick scan selecting all users
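As an added example, not part of this thread and not code from OTL or its author: a small Python parser for the file-entry lines that OTL writes (the `[date | size | attrs | C] (company) -- path` form seen in the fix above), with a triage pass that flags the pattern described in this thread, a GUID-named folder directly under C:\Windows\Installer holding `U`/`L` subfolders and files named with a trailing `@`, especially when the entry is hidden+system with no publisher. The sample log is built from the four entries posted in the fix plus one constructed benign line; the attribute-letter mapping (H = hidden, S = system) and the folder-naming indicator are my assumptions, so treat hits as items to review, not verdicts.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One OTL file entry: [date time | size | attrs | C/M] (company) -- path
OTL_FILE_RE = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>\S{4}) \| (?P<kind>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)

# Assumption used as an indicator: a {GUID} folder directly under \Windows\Installer
# whose contents are a U or L subfolder or a bare "@" file, as seen in this thread.
INSTALLER_GUID_RE = re.compile(
    r"^[A-Z]:\\Windows\\Installer\\\{[0-9a-f-]{36}\}\\(U|L|@)", re.IGNORECASE
)


@dataclass
class OtlEntry:
    timestamp: str
    size: int        # bytes, with OTL's thousands separators removed
    hidden: bool     # assumption: 'H' in the 4-char attribute field
    system: bool     # assumption: 'S' in the 4-char attribute field
    kind: str        # 'C' = created, 'M' = modified
    company: str     # publisher string OTL shows in parentheses; often empty
    path: str


def parse_otl_line(line: str) -> Optional[OtlEntry]:
    """Parse a single OTL file-entry line; return None for any other line."""
    m = OTL_FILE_RE.search(line.strip())
    if not m:
        return None
    attrs = m.group("attrs")
    return OtlEntry(
        timestamp=m.group("ts"),
        size=int(m.group("size").replace(",", "")),
        hidden="H" in attrs,
        system="S" in attrs,
        kind=m.group("kind"),
        company=m.group("company").strip(),
        path=m.group("path").strip(),
    )


def flag_reasons(entry: OtlEntry) -> List[str]:
    """Return the list of indicators an entry matches (empty list = nothing notable)."""
    reasons: List[str] = []
    if INSTALLER_GUID_RE.match(entry.path):
        reasons.append("guid-folder-under-windows-installer")
    if entry.path.endswith("@"):
        reasons.append("at-sign-filename")
    if entry.hidden and entry.system and not entry.company:
        reasons.append("hidden+system-no-publisher")
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Run every parsable entry through flag_reasons; return (path, reasons) for hits."""
    hits: List[Tuple[str, List[str]]] = []
    for line in log_text.splitlines():
        entry = parse_otl_line(line)
        if entry is None:
            continue
        reasons = flag_reasons(entry)
        if reasons:
            hits.append((entry.path, reasons))
    return hits


# Sample input: the four entries from the fix posted above, plus one constructed
# benign line (example.dll and its size are made up for illustration).
SAMPLE_LOG = r"""
[2012/06/15 14:27:53 | 000,002,048 | ---- | C] () -- C:\Windows\Installer\{f96f4439-751d-91ad-af78-9e38f0b5b963}\U\00000004.@
[2012/06/15 14:27:53 | 000,001,584 | ---- | C] () -- C:\Windows\Installer\{f96f4439-751d-91ad-af78-9e38f0b5b963}\U\000000cb.@
[2012/06/12 06:30:32 | 000,000,773 | ---- | C] () -- C:\Windows\Installer\{f96f4439-751d-91ad-af78-9e38f0b5b963}\L\00000004.@
[2012/01/10 20:50:47 | 000,002,048 | -HS- | C] () -- C:\Windows\Installer\{f96f4439-751d-91ad-af78-9e38f0b5b963}\@
[2012/06/10 09:00:00 | 000,512,000 | ---- | M] (Example Publisher) -- C:\Windows\System32\example.dll
"""

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG):
        print(f"{path}\n    {', '.join(reasons)}")
```

To use it on a real run, read OTL.Txt from disk and pass its contents to `triage()`; lines that are not file entries (the `O2`/`O3`/`FF` sections, headers) are skipped by the parser rather than guessed at.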

I’ve gotten as far as resetting the winsock for Windows 7, but every time I type “netsh winsock reset catalog” I get the following:

The following helper cannot be loaded: WSHELPER.DLL.
The following command was not found: winsock reset catalog.

OK, this is becoming quite regular now: the wshelper dll is missing … Let's search for it.

Run OTL and copy paste the following into the custom scans and fixes box

/md5start
WSHELPER.*
/md5stop

Press quick scan and post the resultant log please
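An added check, not from this thread or from OTL: the error "The following helper cannot be loaded: WSHELPER.DLL" means netsh could not load one of the helper DLLs registered under HKLM\SOFTWARE\Microsoft\NetSh. This PowerShell snippet (my code; it assumes each registry value holds the DLL file name and that the file lives in System32 unless a full path is given) lists every registered helper and reports whether the file is present and carries a valid Authenticode signature, so a missing or tampered helper shows up without trial-and-error netsh runs.

```powershell
# Added example: audit the netsh helper DLL registrations.
# Assumption: values under this key are DLL file names (or full paths).
$netshKey = 'HKLM:\SOFTWARE\Microsoft\NetSh'
$system32 = Join-Path $env:SystemRoot 'System32'

$registered = Get-ItemProperty -Path $netshKey

$results = foreach ($prop in $registered.PSObject.Properties) {
    # Skip the PSPath/PSParentPath/PSChildName/... metadata PowerShell adds
    if ($prop.Name -like 'PS*') { continue }

    $value   = [string]$prop.Value
    $dllPath = if ($value -match '\\') { $value } else { Join-Path $system32 $value }
    $present = Test-Path -LiteralPath $dllPath
    $sigStatus = if ($present) {
        (Get-AuthenticodeSignature -FilePath $dllPath).Status
    } else {
        'Missing'
    }

    [pscustomobject]@{
        Helper    = $prop.Name
        Dll       = $value
        Path      = $dllPath
        Present   = $present
        Signature = $sigStatus
    }
}

$results | Format-Table -AutoSize

# Anything listed here is what needs repairing (for example with sfc /scannow,
# or by restoring the file from install media) before netsh commands that
# depend on that helper will work again.
$results | Where-Object { -not $_.Present -or $_.Signature -ne 'Valid' }
```

Run it from an elevated PowerShell prompt; reading the key does not need admin rights, but keeping the session elevated lets you go straight to the repair step afterwards.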

Even though the command prompt wasn’t working I’m happy to report that avast is no longer freaking out saying there’s infections every 2 minutes and I can run windows normally again. :slight_smile:

I think it’s a good idea to finish the process though, so here’s the newest log.

I have since found that it is difficult to repair that bit of damage so I will let you know once I find a solution

One further element to kill I am afraid but it should not take long to run

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

This may sound like a simple question, but how do you turn off avast?

I looked at the link you gave and followed the directions for avast but combofix says it’s still active. Idk how else you can turn off avast completely.

Right click the Orange blob
Select Shield control
Select disable for one hour

I’d done that earlier but ComboFix said everything was still active and it may inhibit the scan. I just wanted to check with you before I went ahead and did it.

Thank you, by the way. You’ve been a huge help so far!

No problem, Combofix should not find a great deal but it will check out a system file for me

This is the only log type file I could find associated with ComboFix on my system, so I hope it’s what you need.

Also, after I ran ComboFix and my system rebooted I kept getting blue screens, even in safe mode. I shut my computer down for 10 minutes then rebooted and it seems to have stopped. What would cause that?

Combofix failed to run properly

Could you re-run it from safe mode please

It keeps saying that Avast isn’t shut down and that it won’t run right unless I shut it down. I’ve shut down all system shields and to no avail. I also just tried running ComboFix again from safe mode and it caused another blue screen. This time without even starting.

OK, let's try a different tool; the zip file produced at the end will need to be uploaded to a file sharing site for me to collect.

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named).

First we will run a virus scan

Click the cog in the upper right

http://dl.dropbox.com/u/73555776/Kas%20front.JPG

Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan

http://dl.dropbox.com/u/73555776/Kas%20Scan%20area.JPG

Allow AVP to delete all infections found
Once it has finished select report tab (last tab)
Select Detected threats report from the left and press Save button
Save it to your desktop and attach to your next post

Now the Analysis

Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information

http://dl.dropbox.com/u/73555776/kas%20manual.JPG

On completion click the link to locate the zip file to upload and attach to your next post

http://dl.dropbox.com/u/73555776/Kas%20Zip.JPG

Well, I’m running the scan now, and it’s at 17% complete with about 6 hours left to go. But just now Avast displayed 2 threats that were blocked.

Both were Win32:Sirefef-PL [Rtk]

They were in C:\Qoobox\Quarantine\C\Windows\assembly\GAC_64\Desktop.ini.vir

I’ve never seen this Qoobox file before now. It seems like just as I get one problem taken care of another pops up. What gives? Is it from the initial infection?

Also, I still can’t seem to get the virus chest to work in my Avast program… which irks me considering I’ve got a paid subscription. How do I fix this?

Now avast is saying that the files in the OTL folder are infected. I’m beginning to think it’s avast going haywire and not my computer…

Those are quarantined files (Qoobox, OTLMoved)

The chest should start working once AVP has finished

AVP says it didn’t detect anything in the scan. I did the information gathering and have the zip file. What site would you prefer I post the zip to?