My computer has been getting numerous alerts over the past few days and I have no idea how to fix this…
There appear to be two types of malware (shown in the title) plaguing my computer.
Could someone point me in the right direction and show me what needs to be done in order to clean this mess?
Thanks!
Hi,
Please download Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.
- Double-click to run it. When the tool opens, click Yes to the disclaimer.
- Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
- Press the Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
- The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
Thanks for the quick answer!
Here are the .txt files.
You have multiple variants of ZeroAccess. I haven’t seen this before. Two different variants are active in the system. We shall deploy removal instantly.
Scan with Combofix:
- Please download ComboFix and save it to your Desktop.
You may read how ComboFix works here.
- Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. It may interfere with ComboFix.
If you are unsure how to do this, please read this or this instruction.
- Run ComboFix. Click on I Agree! and follow the prompts.
Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion”, just restart your computer.
- When finished, it will produce a report for you. Please attach the log report (ComboFix.txt) to the topic.
(typical log location: C:\ComboFix.txt)
-------------------- Next ----------------------
Create fresh FRST Logs:
- Re-run the FRST tool by double-clicking.
- Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
- Press the Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
- The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
-------------------- Next ----------------------
Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:
- Type Services.exe into the Search: field in FRST, then click the Search File(s) button.
- FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run from.
- Please attach it to your reply.
Once again, thanks for your attention!
Here are the results:
Open notepad and copy/paste the text present inside the code box below:
Folder::
c:\program files (x86)\Google\Desktop\Install
c:\users\Simon\AppData\Local\Google\Desktop\Install
C:\Windows\Installer\{40021656-4d6d-26e9-ca6e-3085e6c4f832}
C:\Users\Simon\AppData\Local\{40021656-4d6d-26e9-ca6e-3085e6c4f832}
KillAll::
File::
C:\STFE4.tmp
C:\STF4B1E.tmp
C:\STF483D.tmp
C:\STF65BF.tmp
C:\STFF03D.tmp
C:\STFDB71.tmp
C:\STFFA1C.tmp
C:\STF68C0.tmp
C:\STF493D.tmp
C:\STF17F3.tmp
C:\STF7CF0.tmp
C:\STF3ADE.tmp
C:\STF8713.tmp
C:\STFF8AC.tmp
C:\STF20AA.tmp
C:\STFAF25.tmp
c:\users\ADMINI~1\AppData\Local\Temp\ALSysIO64.sys
C:\ProgramData\dsgsdgdsgdsgw.pad
ClearJavaCache::
DirLook::
c:\users\Simon\.matplotlib
C:\temp
Driver::
ALSysIO
DDS::
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3106777&CUI=UN40145512341332286
Firefox::
FF - ProfilePath - c:\users\Simon\AppData\Roaming\Mozilla\Firefox\Profiles\jbsnoky0.default\
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=109986&tt=050412_30b
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - a8e90212000000000000002522efbb4a
FF - user.js: extensions.BabylonToolbar_i.hardId - a8e90212000000000000002522efbb4a
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15441
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1722:00
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
Save this as CFScript.txt
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows. Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)
----------------------- next ---------------------------
Re-run FRST, just tick the box for Addition.txt and press the Scan button.
Post the freshly created logs here.
----------------------- next ---------------------------
Let’s check whether the damage caused by ZA has been repaired. We shall use another of Farbar’s tools, called FSS.
Please download Farbar Service Scanner and run it on the computer with the issue.
- Make sure the following options are checked:
  - Internet Services
  - Windows Firewall
  - System Restore
  - Security Center/Action Center
  - Windows Update
  - Windows Defender
- Press “Scan”.
- It will create a log (FSS.txt) in the same directory the tool is run from.
- Please copy and paste the log to your reply.
Here it is:
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
START
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT3106777&CUI=UN40145512341332286
URLSearchHook: (No Name) - {0F3DC9E0-C459-4a40-BCF8-747BD9322E10} - No File
URLSearchHook: (No Name) - {50fafaf0-70a9-419d-a109-fa4b4ffd4e37} - No File
SearchScopes: HKLM-x32 - DefaultScope {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3106777
SearchScopes: HKLM-x32 - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3106777
SearchScopes: HKCU - DefaultScope {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3106777
SearchScopes: HKCU - {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://search.babylon.com/?q={searchTerms}&affID=109986&tt=050412_30b&babsrc=SP_ss&mntrId=a8e90212000000000000002522efbb4a
SearchScopes: HKCU - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3106777
Toolbar: HKLM-x32 - WinZipBar Toolbar - {50fafaf0-70a9-419d-a109-fa4b4ffd4e37} - C:\Program Files (x86)\WinZipBar\prxtbWin2.dll (Conduit Ltd.)
C:\Program Files (x86)\WinZipBar
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
Toolbar: HKCU - No Name - {50FAFAF0-70A9-419D-A109-FA4B4FFD4E37} - No File
Winsock: Catalog5 01 %SystemRoot%\System32\mswsock.dll [232448] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 01 %SystemRoot%\System32\mswsock.dll [326144] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\avg-secure-search.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml
C:\Program Files (x86)\mozilla firefox\searchplugins\avg-secure-search.xml
C:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml
FF Extension: uTorrentControl_v1 Community Toolbar - C:\Users\Simon\AppData\Roaming\Mozilla\Firefox\Profiles\jbsnoky0.default\Extensions\{49c795c2-604a-4d18-aeb1-b3eba27e5ea2}
FF Extension: WinZipBar Community Toolbar - C:\Users\Simon\AppData\Roaming\Mozilla\Firefox\Profiles\jbsnoky0.default\Extensions\{50fafaf0-70a9-419d-a109-fa4b4ffd4e37}
C:\Users\Simon\AppData\Roaming\Mozilla\Firefox\Profiles\jbsnoky0.default\Extensions\{49c795c2-604a-4d18-aeb1-b3eba27e5ea2}
C:\Users\Simon\AppData\Roaming\Mozilla\Firefox\Profiles\jbsnoky0.default\Extensions\{50fafaf0-70a9-419d-a109-fa4b4ffd4e37}
CHR Extension: (uTorrentControl_v1) - C:\Users\Simon\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhifchfddcfhikmkjcfcobicabgieepm\2.5.0.1_0
CHR Extension: (Chrome In-App Payments service) - C:\Users\Simon\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.4.10_0
CHR HKLM-x32\...\Chrome\Extension: [jhifchfddcfhikmkjcfcobicabgieepm] - C:\Users\Simon\AppData\Local\CRE\jhifchfddcfhikmkjcfcobicabgieepm.crx
C:\Users\Simon\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhifchfddcfhikmkjcfcobicabgieepm
C:\Users\Simon\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
C:\Users\Simon\AppData\Local\CRE\jhifchfddcfhikmkjcfcobicabgieepm.crx
S3 ALSysIO; \??\C:\Users\ADMINI~1\AppData\Local\Temp\ALSysIO64.sys [x]
C:\Users\ADMINI~1\AppData\Local\Temp\ALSysIO64.sys
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
Folder: C:\Windows\SysWOW64\locale.nls
Folder: C:\Windows\system32\locale.nls
C:\STF*.tmp
2013-09-29 16:52 - 2013-09-29 16:52 - 00004122 _____ C:\STF68C0.tmp
2013-09-29 16:32 - 2013-09-29 16:32 - 00004122 _____ C:\STF493D.tmp
2013-09-29 16:01 - 2013-09-29 16:01 - 00004122 _____ C:\STF17F3.tmp
2013-09-29 15:48 - 2013-09-29 15:48 - 00004122 _____ C:\STF7CF0.tmp
2013-09-29 15:21 - 2013-09-29 15:21 - 00004122 _____ C:\STF3ADE.tmp
2013-09-29 14:54 - 2013-09-29 14:54 - 00004122 _____ C:\STF8713.tmp
2013-09-29 14:28 - 2013-09-29 14:28 - 00004122 _____ C:\STFF8AC.tmp
2013-09-29 14:27 - 2013-09-29 14:27 - 00004122 _____ C:\STF20AA.tmp
2013-09-29 13:03 - 2013-09-29 13:03 - 00004122 _____ C:\STFAF25.tmp
Folder: C:\Program Files (x86)\THQ
C:\ProgramData\dsgsdgdsgdsgw.pad
CMD: netsh winsock reset
CMD: ipconfig /flushdns
Hosts:
END
2. Save notepad as fixlist.txt to your Desktop.
NOTE: It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
----------------------------- Next -----------------------------
Please download AdwCleaner by Xplode and save to your Desktop.
Double click on AdwCleaner.exe to run the tool.
- Click on the Scan button.
- After the scan has finished, click on the Clean button.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
- After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
- Post the logfile. It will also be saved in the C:\AdwCleaner folder.
============================================
How’s your computer running now?
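A small triage script, added here as an example and not part of the thread or of FRST itself: it parses FRST-style file entries like the ones quoted in the fixlist above and groups same-sized files that keep being dropped into one directory, which is the pattern the C:\STF*.tmp files showed (nine 4122-byte files with random names created over one afternoon). The sample log lines are constructed from the entries quoted above plus two harmless files; the cluster heuristic and its threshold are this example's own choices.

```python
import ntpath
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# One entry of the "One Month Created" section of an FRST.txt log:
# <created> - <modified> - <size, 8 digits> <attributes> <path>
FRST_ENTRY = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(\d{8}) (\S+) (.+)$")
# Constructed sample: the nine C:\STF*.tmp entries quoted in the thread plus
# two unrelated files that the heuristic must not flag.
SAMPLE_LOG = r"""
2013-09-29 16:52 - 2013-09-29 16:52 - 00004122 _____ C:\STF68C0.tmp
2013-09-29 16:32 - 2013-09-29 16:32 - 00004122 _____ C:\STF493D.tmp
2013-09-29 16:01 - 2013-09-29 16:01 - 00004122 _____ C:\STF17F3.tmp
2013-09-29 15:48 - 2013-09-29 15:48 - 00004122 _____ C:\STF7CF0.tmp
2013-09-29 15:21 - 2013-09-29 15:21 - 00004122 _____ C:\STF3ADE.tmp
2013-09-29 14:54 - 2013-09-29 14:54 - 00004122 _____ C:\STF8713.tmp
2013-09-29 14:28 - 2013-09-29 14:28 - 00004122 _____ C:\STFF8AC.tmp
2013-09-29 14:27 - 2013-09-29 14:27 - 00004122 _____ C:\STF20AA.tmp
2013-09-29 13:03 - 2013-09-29 13:03 - 00004122 _____ C:\STFAF25.tmp
2013-09-29 17:10 - 2013-09-29 17:10 - 00012345 _____ C:\Users\Simon\notes.txt
2013-09-29 12:00 - 2013-09-29 12:00 - 00004122 _____ C:\Users\Simon\other.tmp
"""

def parse_entries(log_text):
    """Return (created, size, path) for every line matching the FRST layout."""
    entries = []
    for line in log_text.splitlines():
        m = FRST_ENTRY.match(line.strip())
        if m:
            created = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
            entries.append((created, int(m.group(3)), m.group(5)))
    return entries

def find_dropper_clusters(entries, min_count=3):
    """Flag directories that keep receiving same-sized, randomly named files."""
    groups = defaultdict(list)
    for created, size, path in entries:
        groups[(ntpath.dirname(path).lower(), size)].append(created)
    clusters = []
    for (directory, size), times in groups.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        clusters.append({"dir": directory, "size": size, "count": len(times),
                         "median_gap_min": median(gaps)})
    return clusters
```

On the sample it reports a single cluster: nine 4122-byte files in C:\ with a median gap of about 26 minutes between drops, while the two files under the user profile are left alone.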
Hmmm,
I haven’t noticed anything out of the ordinary on my computer ever since starting this procedure so… I suppose that’s a good sign?
Here are the logs:
It is necessary to uninstall ComboFix:
- Click Start (or http://amf.mycity.rs/pg/images/VistaStartButton.png ) then Run.
On Windows 7 or Vista you may use the Start Search field if Run is not available.
- In the text field, type in (or copy) the following:
ComboFix /Uninstall
Note that there is a space between " ComboFix " and " /Uninstall ".
- Then click OK (or press Enter).
Wait until the uninstall process is complete.
----- Next -----
Please download DelFix by “Xplode” to your Desktop.
Run the tool and check the following boxes:
- Remove disinfection tools
- Create registry backup
- Purge System Restore
Now click on the “Run” button. Wait until the programme completes its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt).
Note: The report will also be stored at C:\DelFix.txt
I don’t need DelFix log report.
----- Advice -----
I recommend using MCShield if you will.
You may download MCShield from one of the following links:
MyCity - Official download link
Softpedija - Mirror download link
It will prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
And not only will it prevent infection, it will immediately clean the flash drive, memory card or external HDD.
Be safe
Well, what can I say?
You’ve done a wonderful job and I’m darn pleased with the customer service
You’re the man of the week for me! lol
Thanks
This is not the customer service, this is the user forum.
And the malware removers here are volunteers and not associated with Avast.
Oh shit!
That makes it even better O_o
I was completely sure it was your job
thanks even more O_O