SIREFEF and malware

I see that there are other posts regarding these viruses, but I don’t know very much about computers and don’t know if I should follow the directions given to those posters or not since we have different computers. (?)
Anyway, problems started a week after I installed AVG Free edition. I have since uninstalled it and its components (I think) and installed Avast instead, but every 5 or 10 seconds I am being warned of these 2 main threats: Win32:Sirefef-AHF
Please help me! This is my boyfriend’s computer and I feel awful about ruining it :frowning:

MBAM log:

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.16.10

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Matt :: MATT-PC [administrator]

Protection: Enabled

8/16/2012 1:34:52 PM
mbam-log-2012-08-16 (13-34-52).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 197625
Time elapsed: 3 minute(s), 24 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Windows\Installer\{792f4199-0b73-e2f4-7b46-706eb422a6b8}\U\00000008.@ (Trojan.Dropper.BCMiner) → Quarantined and deleted successfully.
C:\Windows\Installer\{792f4199-0b73-e2f4-7b46-706eb422a6b8}\U\000000cb.@ (Rootkit.0Access) → Quarantined and deleted successfully.

(end)

Monitoring 8)

Hi,
I will be working on your Malware issues :wink:

Multiple Antivirus Programs

You are running more than 1 Antivirus program!

AV: AVAST Software
AV: AVG Technologies

Running more than one antivirus program is not recommended because:
[*]They can conflict with each other.
[*]They can report the other antivirus software as malicious.
[*]Antivirus programs use an enormous amount of the computer's resources when actively scanning your computer.
[*]They can cause your computer to become unstable, run slowly and even, in rare cases, BSOD crash, etc.
I strongly suggest you uninstall one of them. Which one is your decision.

Then download the uninstaller tool for the antivirus that you decide to remove from here:
http://singularlabs.com/uninstallers/security-software/


Removal - Step 1

Download AVZ Antiviral Toolkit from the following link:

http://support.kaspersky.com/downloads/utils/avz4.zip

[*] Extract the archive to a folder.
[*] Run AVZ (double click on the AVZ icon: http://amf.mycity.rs/pg/images/avz.png);

[*] Click on File > Custom Scripts;

[*] In the new window that opens, copy/paste everything inside the code field:



begin
ShowMessage('AVZ will automatically close all network connections' + #13#10 + 'After the computer restarts the network connection will be restored automatically');
ExecuteFile('net.exe', 'stop tcpip /y', 0, 15000, true);
if not IsWOW64
then
  begin
   SearchRootkit(true, true);
   SetAVZGuardStatus(True);
  end;
QuarantineFile('C:\Windows\assembly\GAC_32\Desktop.ini','');
QuarantineFile('C:\Windows\assembly\GAC_64\Desktop.ini','');
QuarantineFile('C:\Windows\Installer\{792f4199-0b73-e2f4-7b46-706eb422a6b8}\U\00000008.@','');
QuarantineFile('C:\Windows\Installer\{792f4199-0b73-e2f4-7b46-706eb422a6b8}\U\80000064.@','');
QuarantineFile('C:\Windows\Installer\{792f4199-0b73-e2f4-7b46-706eb422a6b8}\L\00000004.@','');
QuarantineFile('C:\Windows\Installer\{792f4199-0b73-e2f4-7b46-706eb422a6b8}\@','');
QuarantineFile('C:\Users\Matt\AppData\Local\{792f4199-0b73-e2f4-7b46-706eb422a6b8}\@','');
DeleteFile('C:\Windows\assembly\GAC_32\Desktop.ini');
DeleteFile('C:\Windows\assembly\GAC_64\Desktop.ini');
DeleteFile('C:\Windows\Installer\{792f4199-0b73-e2f4-7b46-706eb422a6b8}\U\00000008.@');
DeleteFile('C:\Windows\Installer\{792f4199-0b73-e2f4-7b46-706eb422a6b8}\U\80000064.@');
DeleteFile('C:\Windows\Installer\{792f4199-0b73-e2f4-7b46-706eb422a6b8}\L\00000004.@');
DeleteFile('C:\Windows\Installer\{792f4199-0b73-e2f4-7b46-706eb422a6b8}\@');
DeleteFile('C:\Users\Matt\AppData\Local\{792f4199-0b73-e2f4-7b46-706eb422a6b8}\@');
DeleteFileMask('C:\Windows\Installer\{792f4199-0b73-e2f4-7b46-706eb422a6b8}', '*', true);
DeleteFileMask('C:\Users\Matt\AppData\Local\{792f4199-0b73-e2f4-7b46-706eb422a6b8}', '*', true);
DeleteFileMask('%Tmp%' , '*.*' , true) ;
DeleteDirectory('C:\Windows\Installer\{792f4199-0b73-e2f4-7b46-706eb422a6b8}');
DeleteDirectory('C:\Users\Matt\AppData\Local\{792f4199-0b73-e2f4-7b46-706eb422a6b8}');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.



[*] Click Run and wait for the script to execute.


Step 2

Re-run OTL, click on Run Scan and attach the fresh OTL.txt log here.
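
A defender-side triage helper, added here as an example and not part of the thread or of AVZ: it walks a drive root and flags only the filesystem layout the script above quarantines (a GUID-named folder under Windows\Installer or a user's AppData\Local holding an '@' file and 'U'/'L' subfolders of '*.@' payloads, plus Desktop.ini dropped into the GAC folders). It builds a constructed sample tree in a temp directory instead of touching a real system; the GUID reused from the MBAM log is the only thread-specific value.

```python
import os
import re
import tempfile
from pathlib import Path

# A folder named like {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}. Windows\Installer legitimately
# holds many such folders, so the name alone is not suspicious; the '@' payloads are.
GUID_DIR = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def find_sirefef_artifacts(root):
    """Return paths (relative to root, backslash-separated) matching the layout the AVZ
    script targets: a GUID-named folder under Windows\\Installer or any user's AppData\\Local
    that holds an '@' file or a 'U'/'L' subfolder of '*.@' files, plus a Desktop.ini
    placed in Windows\\assembly\\GAC_32 or GAC_64 (those folders normally hold none)."""
    root = Path(root)
    hits = []
    parents = [root / "Windows" / "Installer"]
    users = root / "Users"
    if users.is_dir():
        parents += [u / "AppData" / "Local" for u in users.iterdir() if u.is_dir()]
    for parent in parents:
        if not parent.is_dir():
            continue
        for d in parent.iterdir():
            if not (d.is_dir() and GUID_DIR.match(d.name)):
                continue
            if (d / "@").is_file():
                hits.append(d / "@")
            for sub in ("U", "L"):
                if (d / sub).is_dir():
                    hits += [f for f in (d / sub).iterdir()
                             if f.is_file() and f.name.endswith(".@")]
    for gac in ("GAC_32", "GAC_64"):
        ini = root / "Windows" / "assembly" / gac / "Desktop.ini"
        if ini.is_file():
            hits.append(ini)
    return sorted(str(p.relative_to(root)).replace(os.sep, "\\") for p in hits)


def build_sample_tree():
    """Constructed sample tree (not a real system): the infected layout from the thread's
    log beside a benign Installer folder and a normal GAC entry, which must not match."""
    root = Path(tempfile.mkdtemp())
    guid = "{792f4199-0b73-e2f4-7b46-706eb422a6b8}"  # GUID seen in the MBAM log above
    for rel in (f"Windows/Installer/{guid}/U/00000008.@",
                f"Windows/Installer/{guid}/U/80000064.@",
                f"Windows/Installer/{guid}/L/00000004.@",
                f"Windows/Installer/{guid}/@",
                f"Users/Matt/AppData/Local/{guid}/@",
                "Windows/assembly/GAC_32/Desktop.ini",
                "Windows/Installer/{11111111-2222-3333-4444-555555555555}/icon.ico",
                "Windows/assembly/GAC_64/mscorlib/2.0.0.0__b77a5c561934e089/mscorlib.dll"):
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content")
    return root
```

Point find_sirefef_artifacts at a mounted drive root (for example an offline image) to list the same paths before deciding what to quarantine.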

Hi! thanks for helping!
I thought I uninstalled AVG and all of its components?! Uh-oh. Can you see that in the logs I posted? I want to keep Avast so I will try the steps you listed, but I am still confused about having AVG on the comp still…I mean, I removed it BECAUSE I think the virus came from it since this computer had been used for over a year with no antivirus software on it, and one week after AVG is installed is when the craziness begins!

Run the AVG removal tool so that all leftover files are gone:

http://singularlabs.com/uninstallers/security-software/

Ok, so I ran the AVG removal tool again…a couple of times, actually. Still not sure if all traces of it are gone though.
The new Log is attached :slight_smile:

OK, I will remove the AVG remains…

Step 1

[*] Run AVZ (double click on the AVZ icon: http://amf.mycity.rs/pg/images/avz.png);

[*] Click on File > Custom Scripts;

[*] In the new window that opens, copy/paste everything inside the code field:



begin
ExecuteFile('net.exe', 'stop tcpip /y', 0, 15000, true);
if not IsWOW64
then
  begin
   SearchRootkit(true, true);
   SetAVZGuardStatus(True);
  end;
StopService('avgtp');
DeleteService('avgtp');
QuarantineFile('C:\Windows\SysNative\drivers\avgtpx64.sys','');
DeleteFile('C:\Windows\SysNative\drivers\avgtpx64.sys');
QuarantineFile('C:\Program Files (x86)\Yontoo\YontooIEClient.dll','');
DeleteFile('C:\Program Files (x86)\Yontoo\YontooIEClient.dll');
DelBHO('{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}');
DelBHO('{95B7759C-8C7F-4BF1-B163-73684A933233}');
DelBHO('{31332EEF-CB9F-458F-AFEB-D30E9A66B6BA}');
QuarantineFile('C:\Users\Matt\Documents\AVGInstLog.cab','');
DeleteFile('C:\Users\Matt\Documents\AVGInstLog.cab');
DeleteFileMask('C:\Program Files (x86)\AVG', '*', true);
DeleteFileMask('C:\Users\Matt\AppData\Local\AVG Secure Search', '*', true);
DeleteFileMask('C:\Program Files (x86)\Yontoo', '*', true);
DeleteDirectory('C:\Program Files (x86)\AVG');
DeleteDirectory('C:\Users\Matt\AppData\Local\AVG Secure Search');
DeleteDirectory('C:\Program Files (x86)\Yontoo');
DeleteFileMask('%Tmp%' , '*.*' , true) ;
BC_ImportDeletedList;
BC_Activate;
ExecuteSysClean;
RebootWindows(true);
end.




[*] Click Run and wait for the script to execute.


Step 2

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works, please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.

Temporarily disable your antivirus program.
If you are unsure how to do this, please read these instructions.

How to disable avast:

[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.

[*]Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.

When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
Attach the log report (ComboFix.txt) back to the topic.

I followed the steps exactly…now I can’t click on anything (including the internet) to send the log to you. I get a bunch of crazy messages saying they have been removed. I am using a diff computer now. Did Combofix kill my computer?? :frowning:

Everything I try to click on now (even Combofix) says “illegal operation on a registry key that has been marked for deletion”
OMG…please help. Now I’m really freaking out…

Did you try to restart your computer? :slight_smile:
Don't freak out, just reboot your computer and the error will be gone.
Attach here C:\Combofix.txt

magna…maybe you should have in the instructions “reboot twice” after combofix run :wink:

LOL…all is well. Freaking out is good sometimes because the feeling you have when you realize it’s fine afterall is f***ing AMAZING!
Okay, reboot went great but Log is gone. Can I rerun Combofix? I searched entire computer for that log. Should have ctrl-C’d first, huh?
:-[

Admit it, I’ve saved you ;D
I don't want to scare you again with ComboFix (I think we will not need CF anymore), so just do the following.

Re-run OTL. Make sure all other windows are closed and to let it run uninterrupted.

[*] Click on Scan All Users

[*] Paste this into Custom Scans/Fixes box at the bottom



netsvcs
drives
%SYSTEMDRIVE%\*.exe
/md5start
services.*
/md5stop
CREATERESTOREPOINT


[*] Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

[*] When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

[*] Please attach them in this thread.

You totally saved me.
Is there a bowing/subservient emoticon for this? lmao :smiley:
I jumped the gun and ran combo again before I read your reply. Attached is the log…
and soon I will do the other steps (at work now, so my attention is incremental. lol sorry)

Hehe, you are some brave girl… :smiley:
No need for OTL now :slight_smile:

Malware has been removed. Just some quick fixes…

Open notepad and copy/paste the text present inside the code box below:



Folder::
C:\$AVG
c:\program files (x86)\Yontoo
c:\program files (x86)\Common Files\AVG Secure Search

Driver::
vToolbarUpdater12.2.0;

ClearJavaCache:: 

RegLockDel::
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]

RegLock::
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)



Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows. Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)

Final log…I hope! :wink:

Open Notepad

  • Click Start
  • Click Run
  • Type notepad into the box and press Enter
  • Notepad will open
  • Copy and paste everything from the code box into Notepad:


Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]


  • Go to File > Save As
  • Save the file name as Fix.reg
  • Change Save as Type to All Files and save the file to your desktop
  • Close Notepad, and double-click Fix.reg on your Desktop
  • When it asks if you want to merge the info into the registry, hit YES/OK
    Reboot the computer

It is necessary to uninstall AVZ Antiviral Toolkit.

[*] Re-run AVZ (double click on the AVZ icon: http://amf.mycity.rs/pg/images/avz.png);

[*] In the menu choose File > Standard Scripts;

[*] In the window that opens, check item 6 and click Execute Selected Scripts;

[*] Click Yes;

[*] After the procedure you will receive the notification: Script Executed;

[*] Quit the program and delete the folder where the program is.


It is necessary to uninstall ComboFix:

[*] Click Start (or the orb: http://amf.mycity.rs/pg/images/VistaStartButton.png), then Run.

On Windows 7 or Vista you may use the Start Search field if Run is not available.

[*] In the text line, type in (or copy) the following:

ComboFix /Uninstall

Note that there is a space between "ComboFix" and "/Uninstall".

[*] Then click OK (or press Enter).

Wait for the uninstall process to complete.


How is your computer running now?

I could not complete the first step because the pop up box told me “can’t add to registry…” and something about only adding binary files?
:frowning:

OK, no problem, now go to Step 2 and Step 3 (uninstall AVZ and ComboFix).
Then…
Download AppRemover (~6 MB) to the Desktop.
Run the tool.

Click Next, choose the second option (Clean Up a Failed Uninstall), confirm with Continue, go to Next, wait for it to finish, choose what is found and remove it by clicking Next.

// This step (and the first step with fix.reg) is not that important; it just removes the remaining legitimate entries.

Only two things did not happen:

  1. that fix.reg thing. I know you said it’s not important, but of course I tried again a few times anyway (there’s that bravery thing again! lol). Same results. Not gonna happen :frowning:
  2. App remover did not find any traces of anything to uninstall. I also clicked the bottom part which said something like “don’t see anything? try this”. Yeah well I “tried that” and I got nothin’. Hopefully that’s a good sign?

So can I officially erase all of those strange notepad files I made? Is there anything new that I have done or added during this removal process that I should definitely NOT delete?

Anyway…I have had ZERO Avast warnings since earlier today when I ran that combofix. WHOOO HOOOO! Virus free…right?!
Thanks soooooo much! You guys are amazing. I’m on my way out the door now to get “avast! Forum” tattooed on my face. :slight_smile: