Unable to get rid of Win32:Atrap-PF and Win32:Malware-gen

Like others the past few days I have had win32:atraps-pf and win32:malware-gen popping up saying they were moved to the chest and then in a few minutes they are popping up again. I have run a system and boot scan and while both were found and moved to chest I am still having the pop up windows telling me they are being moved to chest.

I am not sure what to do and would appreciate any help you could give me.

Thanks

Follow this guide and attach (not copy and paste) the logs from Malwarebytes / OTL / aswMBR:
http://forum.avast.com/index.php?topic=53253.0

When done, the removal specialists will be notified.

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.07.03.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Javier :: ZIGGY [administrator]

Protection: Enabled

7/3/2012 2:57:41 PM
mbam-log-2012-07-03 (14-57-41).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 225326
Time elapsed: 6 minute(s), 42 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\Users\Javier\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Security Guard 2012 (Rogue.SecurityGuard2012) → Quarantined and deleted successfully.

Files Detected: 4
C:\Windows\Installer{d0d044e9-7abb-0899-018b-0676cf8a906a}\U\00000008.@ (Trojan.Dropper.BCMiner) → Quarantined and deleted successfully.
C:\Users\Javier\AppData\Roaming\ldr.ini (Malware.Trace) → Quarantined and deleted successfully.
C:\Users\Javier\AppData\Roaming\qH5sQJ7dE8R9YwUSecurity Guard 2012.ico (Rogue.SecurityGuard2012) → Quarantined and deleted successfully.
C:\Users\Javier\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Security Guard 2012\Security Guard 2012.lnk (Rogue.SecurityGuard2012) → Quarantined and deleted successfully.

(end)

OK, let's clear this away.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
O4 - HKU\S-1-5-21-2715573629-4157893080-3159168945-1001..\Run: [shefgd] C:\Users\Javier\AppData\Roaming\shefgd.dll (DT Soft Ltd)
[2012/07/02 17:36:27 | 000,140,288 | ---- | C] (DT Soft Ltd) -- C:\Users\Javier\AppData\Roaming\shefgd.dll
[2011/10/04 12:37:16 | 000,000,000 | ---D | M] -- C:\Users\Javier\AppData\Roaming\c0ycA1ivDoFp
[2011/10/13 12:31:32 | 000,000,000 | ---D | M] -- C:\Users\Javier\AppData\Roaming\d9hTXwjUClBzNx1
[2012/04/14 01:41:24 | 000,000,000 | ---D | M] -- C:\Users\Javier\AppData\Roaming\OpenCandy
[2011/10/04 12:37:17 | 000,000,000 | ---D | M] -- C:\Users\Javier\AppData\Roaming\qH5sQJ7dE8R9YwU
[2011/10/04 12:37:03 | 000,000,000 | ---D | M] -- C:\Users\Javier\AppData\Roaming\xhYXwjUVeItPyAu

:Files
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Windows\Installer{d0d044e9-7abb-0899-018b-0676cf8a906a}
C:\Users\Javier\AppData\Local{d0d044e9-7abb-0899-018b-0676cf8a906a}

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.
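A defender-side check for the file and autorun indicators named in the MBAM log and the OTL fix above, as an added example (not a tool from the thread, nor from Malwarebytes or OTL): it classifies an inventory of paths and Run-key values against patterns derived from those entries. The sample inventory is constructed inline; the `Updater` entry and the second Installer GUID are made-up benign look-alikes.

```python
import re
# Patterns built from the paths and Run-key entry in the MBAM log and OTL fix above (constructed
# for this thread, not a general Sirefef/ZeroAccess signature set).
GUID = r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"
USER = r"^[a-z]:\\users\\[^\\]+\\appdata\\"
INDICATORS = [
    # GUID-named store under Windows\Installer holding U\NNNNNNNN.@ files, and its twin under AppData\Local
    ("installer-guid-store", re.compile(r"^[a-z]:\\windows\\installer\\" + GUID + r"\\u\\\d{8}\.@$")),
    ("appdata-guid-store", re.compile(USER + r"local\\" + GUID + r"(\\|$)")),
    # Desktop.ini dropped into the .NET GAC directories
    ("gac-desktop-ini", re.compile(r"^[a-z]:\\windows\\assembly\\gac_(32|64)\\desktop\.ini$")),
    # Loader trace file in the roaming profile
    ("roaming-ldr-ini", re.compile(USER + r"roaming\\ldr\.ini$")),
]
RUN_DLL = re.compile(USER + r"roaming\\[^\\]+\.dll$")  # Run-key target: a DLL directly in AppData\Roaming

def classify_path(path):
    """Return the indicator name a file path matches, or None if it looks benign."""
    p = path.lower()
    for name, rx in INDICATORS:
        if rx.search(p):
            return name
    return None

def classify_run_value(target):
    # Flags an autorun whose target is a bare DLL in the roaming profile, like the shefgd entry
    return "run-key-roaming-dll" if RUN_DLL.search(target.lower()) else None

def triage(paths, run_values):
    """Collect (indicator, item) pairs for every path and Run-key value that matches."""
    hits = [(classify_path(p), p) for p in paths if classify_path(p)]
    hits += [(classify_run_value(t), f"{n} -> {t}") for n, t in run_values.items()
             if classify_run_value(t)]
    return hits

# Constructed sample inventory: the paths from the thread plus a benign look-alike.
SAMPLE_PATHS = [
    r"C:\Windows\Installer\{d0d044e9-7abb-0899-018b-0676cf8a906a}\U\00000008.@",
    r"C:\Users\Javier\AppData\Local\{d0d044e9-7abb-0899-018b-0676cf8a906a}",
    r"C:\Windows\assembly\GAC_32\Desktop.ini",
    r"C:\Windows\assembly\GAC_64\Desktop.ini",
    r"C:\Users\Javier\AppData\Roaming\ldr.ini",
    r"C:\Windows\Installer\{11111111-2222-3333-4444-555555555555}\setup.msi",  # constructed benign MSI cache entry
]
SAMPLE_RUN_VALUES = {
    "shefgd": r"C:\Users\Javier\AppData\Roaming\shefgd.dll",  # entry from the OTL fix
    "Updater": r"C:\Program Files\Example\updater.exe",  # constructed benign entry
}
if __name__ == "__main__":
    for tag, item in triage(SAMPLE_PATHS, SAMPLE_RUN_VALUES):
        print(f"{tag:22} {item}")
```

The GUID folder on its own is not flagged; only the `U\NNNNNNNN.@` layout, its AppData\Local twin, the GAC `Desktop.ini` files and the roaming `ldr.ini` match, so ordinary Windows Installer caches stay quiet.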

Okay - I’ve included the OTL and Combofix log. The virus alert pop ups appear to have gone and my machine seems to be running okay. Hopefully that does it Essexboy. Thanks a million.

Hi jetxabarri,

Frustrating and annoying as it is, it is normal to feel violated when something like a Sirefef rootkit infects your system. That is what you have. This is a serious infection, but one essexboy can handle with your help.

To ensure essexboy completely removes all remnants of it and any other infection, please be patient and work with him until he gives the all clear.

You are right, he has killed it, but it could come back later if parts of it are left behind, so… work with him.

OK, that is good. Could you run a further quick scan with MBAM please, and let me know how the computer is behaving?