Pop-ups of blocked notifications on Avast for several Trojan and Root Kit infections

Avast keeps popping up every few minutes saying a trojan horse has been blocked, and then immediately after that it says Root Kit blocked (Root Kit). I can't figure out what is going on and need some help. Thank you in advance.

Details of the Avast Pop-ups can be found below

Root Kit

Object: C:\Windows\Installer\{1ea3c691-4881-9ec7-bb0b-a0f3e9b2bcef}\U\80000000cb.@
Infection: Win32:Sirefef-AO [Rtk].
Action: Moved to chest
Process: C:\Windows\System32\services.exe

Trojan Horse

Object: C:\Windows\Installer\{1ea3c691-4881-9ec7-bb0b-a0f3e9b2bcef}\U\80000000.@
Infection: Win64:Sirefef-A [Trj].
Action: Moved to chest
Process: C:\Windows\System32\services.exe

Also had to look into this topic (http://forum.avast.com/index.php?topic=53253.0) and managed to install MBAM, ran OTL and aswMBR; the logs are attached. While running OTL the extras file didn’t come up. Hope this is of any help. Thanks in advance.

Screen shots of the pop ups are attached
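As an added example, not part of the original post or of any Avast tool, here is a small Python triage script that applies the pattern visible in the two alerts above: an `@`-named file inside a `{GUID}`-named folder, a Sirefef-family detection name, and file activity attributed to `services.exe`. The sample alert text is constructed from the post (the third, benign-looking alert, its path and its detection name are placeholders), and the function names are the example's own.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input: the two alerts quoted in the post above, plus one
# made-up ordinary alert (placeholder path and detection name) that should
# not be flagged.
SAMPLE_ALERTS = """\
Root Kit
Object: C:\\Windows\\Installer\\{1ea3c691-4881-9ec7-bb0b-a0f3e9b2bcef}\\U\\80000000cb.@
Infection: Win32:Sirefef-AO [Rtk].
Action: Moved to chest
Process: C:\\Windows\\System32\\services.exe

Trojan Horse
Object: C:\\Windows\\Installer\\{1ea3c691-4881-9ec7-bb0b-a0f3e9b2bcef}\\U\\80000000.@
Infection: Win64:Sirefef-A [Trj].
Action: Moved to chest
Process: C:\\Windows\\System32\\services.exe

Trojan Horse
Object: C:\\Users\\Arvind\\Downloads\\example-installer.exe
Infection: Win32:Example-Gen [Trj]
Action: Moved to chest
Process: C:\\Users\\Arvind\\Downloads\\example-installer.exe
"""

# A directory component that is exactly a {GUID}.
GUID_DIR_RE = re.compile(r"\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}", re.I)
FIELDS = ("Object", "Infection", "Action", "Process")


def parse_alerts(text):
    """Split Avast pop-up text into one dict per alert (alerts are blank-line separated)."""
    alerts, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                alerts.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep and key in FIELDS:
            current[key.lower()] = value.strip()
        else:
            # A line that is not a known field is the alert's category heading.
            current.setdefault("category", line)
    if current:
        alerts.append(current)
    return alerts


def guid_folder(path):
    """Return the path up to and including the first {GUID} directory, or None."""
    parts = PureWindowsPath(path).parts
    for i, part in enumerate(parts):
        if GUID_DIR_RE.fullmatch(part):
            return str(PureWindowsPath(*parts[: i + 1]))
    return None


def triage(alert):
    """List the reasons one alert matches the pattern seen in the post."""
    obj = alert.get("object", "")
    folder = guid_folder(obj)
    name = PureWindowsPath(obj).name
    reasons = []
    if folder and (name == "@" or name.endswith(".@")):
        reasons.append("'@' file inside a {GUID}-named folder")
    if "sirefef" in alert.get("infection", "").lower():
        reasons.append("detection name belongs to the Sirefef family")
    if PureWindowsPath(alert.get("process", "")).name.lower() == "services.exe":
        reasons.append("file activity attributed to services.exe")
    return {"object": obj, "guid_folder": folder, "reasons": reasons}


def triage_alerts(text):
    return [triage(a) for a in parse_alerts(text)]


def folders_to_inspect(text):
    """{GUID} folders named in flagged alerts: the folders the later OTL/ComboFix fixes target."""
    return sorted({r["guid_folder"] for r in triage_alerts(text)
                   if r["reasons"] and r["guid_folder"]})


if __name__ == "__main__":
    for r in triage_alerts(SAMPLE_ALERTS):
        print(r["object"], "->", "; ".join(r["reasons"]) or "no match")
    print("Folders to inspect:", folders_to_inspect(SAMPLE_ALERTS))
```

The script only reads alert text; it does not touch the file system, so it can be run on a copied-out pop-up history before deciding which folders a removal script should cover. The `services.exe` check is a weak signal on its own and is only meaningful together with the other two.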

Removers are notified. It may take hours before one arrives, so be patient.

That will be fine with me, thank you for keeping me informed.

Monitoring 8)

Hi,
I will be working on your Malware issues :wink:

Re-run OTL.exe.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.



:OTL
[2012/08/19 18:27:23 | 000,001,712 | ---- | C] () -- C:\Windows\Installer\{1ea3c691-4881-9ec7-bb0b-a0f3e9b2bcef}\U\00000001.@
[2012/06/18 11:13:55 | 000,002,048 | -HS- | C] () -- C:\Windows\Installer\{1ea3c691-4881-9ec7-bb0b-a0f3e9b2bcef}\@
[2012/06/18 11:13:55 | 000,002,048 | -HS- | C] () -- C:\Users\Arvind\AppData\Local\{1ea3c691-4881-9ec7-bb0b-a0f3e9b2bcef}\@

:files
ipconfig /flushdns /c

:commands
[CREATERESTOREPOINT]
[emptytemp]


[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.


Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this Instruction.

How to disable avast:

[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.

[*]Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix’s window while it is running.

When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
Attach log reports ( ComboFix.txt) back to topic.

OTL log report attached

Ran ComboFix, but midway through, the computer restarted, and when I logged into the user account ComboFix was still running. At the end of the process it came back saying that my Avast antivirus and my Avast antispyware were still active, but when I checked this in the taskbar the security software was disabled; the pop-up came up with 2 short beeps.

The attachment would give you a clear picture.

Hi,
Do you have the Combofix.txt log? Look in C:\Combofix.txt.
If you don't, then disable avast (read part "How to disable avast").

Delete the current Combofix, download a fresh one and re-run Combofix.
If you have disabled avast as instructed above, then just ignore the Combofix warning about AV.
Attach here C:\Combofix.txt

Hi Magna86,

No, I don’t have the ComboFix.txt on C:, and I ran ComboFix after disabling Avast. I will do it again and post the results.

Thanks,
Hinder

Hi Magna86,

ComboFix ran successfully and the results are attached; I also enabled Avast.

It looks like it has improved; I’ve noticed that since I ran ComboFix for the first time the pop-ups have stopped appearing.

Thanks,
Hinder

Open notepad and copy/paste the text present inside the code box below:



Folder::
c:\windows\Installer\{1ea3c691-4881-9ec7-bb0b-a0f3e9b2bcef}
c:\users\Arvind\AppData\Roaming\Yvfao
c:\users\Arvind\AppData\Roaming\Ogon

RegLock::
[HKEY_USERS\S-1-5-21-177292663-3467407036-2314786757-1000_Classes\CLSID\{2684a19c-e235-4369-b63c-1c0853283b7e}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:000000dc
"Therad"=dword:00000015
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
   1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
[HKEY_USERS\S-1-5-21-177292663-3467407036-2314786757-1000_Classes\CLSID\{54002561-b107-4feb-8069-4f451f0f74b4}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:00000031
"Therad"=dword:0000002c
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
   38,95,44,62,5a,3c,ac,7b,84,e2,a9,d1,fc,bd,44,a8,a3,fb,a9,9d,e8,15,04,c4,6d,\
.
[HKEY_USERS\S-1-5-21-177292663-3467407036-2314786757-1000_Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"scansk"=hex(0):71,d1,31,34,3e,bf,88,a6,87,dd,a6,b9,72,ac,4a,aa,35,ad,b7,7f,41,
   12,7d,8f,32,34,f4,81,0a,cb,4e,c7,ac,3a,b4,24,52,95,e1,9f,00,00,00,00,00,00,\
.
[HKEY_USERS\S-1-5-21-177292663-3467407036-2314786757-1000_Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"scansk"=hex(0):12,4a,0d,ae,1c,5f,98,dd,5a,ca,db,0c,d3,e5,19,6d,a5,9c,0a,e9,fa,
   d2,0e,e6,10,db,e6,32,c5,c5,99,83,a9,ed,59,03,01,41,8c,fe,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)


Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refer to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )

How is your computer running now?

Sure magna86, I will do that. The computer seems to be running better, apart from the user profile, which seems to be a bit laggy while loading. I will post the outcome of ComboFix again.

All right, there is the file that we wanted.

No more malware.

It is necessary to uninstall ComboFix:

[*] Click Start (or http://amf.mycity.rs/pg/images/VistaStartButton.png ) then Run.

On Windows7 or Vista you may use Start Search field if Run is not available.

[*] In the line of text type in (Copy) the following:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

[*] then click OK (or press Enter ).

Wait for the uninstall process to complete.

Do you still have avast warning about malware?
If not, then feel free to re-run OTL and click on the CleanUp! button.

OK magna86,

I have uninstalled ComboFix as suggested, and in terms of the warnings I haven’t had one since yesterday. I am going to re-run OTL now.

Hi Magna86,

I ran OTL and initiated a cleanup, and at the end of the process the system restarted. There is still no sign of Avast popping up with those warnings which I had previously.

The only other thing that I wanted to let you know about was the user profile, which took almost 30 seconds to load. I’m not sure if that had anything to do with the infection, because prior to the infection the profile used to come up within 10 seconds (this is after restarting the computer twice). But apart from this the node works like a charm, and I want to thank you for the assistance provided and your prompt responses.

Regards
Hinder

Let's check…

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.

[*] Make sure that all options are checked.
[*] Press “Scan”.
[*] It will create a log (FSS.txt) in the same directory the tool is run.
[*] Please attach the FSS.txt log to your reply.

Sorry for the late response. I’m running FSS now and will attach the log shortly.