Avast pop-ups have started to show MALWARE BLOCKED and TROJAN HORSE BLOCKED on a frequent 5 minute basis. I’ve completed a Malwarebytes scan and it found and ‘fixed’ the virus, and i’ve done a scan with Avast but it can’t remove the virus. I can’t turn on any firewalls or update windows, i have no idea what else to do.

Followed the instructions from http://forum.avast.com/index.php?topic=53253.0 and did another Malwarebytes scan, and now it couldnt find any infected files.

Attached the logs…someone please HELP ME! Cheers.

Can’t see them, try again.

Oops, sorry! I think it worked this time

you are infected with a Siref rootkit. :-[

:-[
Can you help me fix it?? :-\

removal experts are notified, now make coffe and wait.

[*] I will be working on your Malware issues this may or may not solve other issues you have with your machine.
[*] The fixes are specific to your problem and should only be used for this issue on this machine.
[*] If you don’t know or understand something, please don’t hesitate to ask.
[*]Please refrain from making any further changes to your computer (Install/Uninstall programs, delete files, edit the registry, etc…)
[*] Please DO NOT run any other tools or scans whilst I am helping you.
[*] It is important that you reply to this thread. Do not start a new topic.
[*] Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
[*] Absence of symptoms does not mean that everything is clear.

Re-run OTL.exe.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

:files
C:\Program Files (x86)\Norton Safe Web Lite\Engine\2.0.0.16\ccSvcHst.exe
C:\Windows\SysNative\drivers\NSTx64\0200000.010\ccSetx64.sys
C:\Windows\Installer\{4a910770-4dad-f4b0-0b30-253b10029146}
C:\Windows\assembly\Desktop.ini
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
ipconfig /flushdns /c

:service
NSL
ccSet_NST

:OTL
IE - HKU\S-1-5-21-215040487-2971206822-3967916641-1000\..\SearchScopes\{A044764A-7CC4-4540-80FF-4D92880D150F}: "URL" = http://www.mysearchresults.com/search?c=2653&t=01&q={searchTerms}
IE - HKU\S-1-5-21-215040487-2971206822-3967916641-1000\..\SearchScopes\{AB79D3B4-AEDB-428a-B504-BAC00521A1C7}: "URL" = http://search.musicfrost.com/results.php?q={searchTerms}
CHR - homepage: http://www.qvo6.com/?utm_source=b&utm_medium=ild&from=ild&uid=HitachiXHTS545050B9A300_101121PBN475170ZN0TEX&ts=1370493459
O2:[b]64bit:[/b] - BHO: (Easy Photo Print) - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files (x86)\Epson Software\Easy Photo Print\EPTBL.dll (SEIKO EPSON CORPORATION / CyCom Technology Corp.)
O2:[b]64bit:[/b] - BHO: (no name) - AutorunsDisabled - No CLSID value found.
O2 - BHO: (Norton Safe Web Lite BHO) - {F0DA78E9-6B60-42fb-BC26-EF2CFB8C8FF3} - C:\Program Files (x86)\Norton Safe Web Lite\Engine\2.0.0.16\CoIEPlg.dll (Symantec Corporation)
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (Easy Photo Print) - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files (x86)\Epson Software\Easy Photo Print\EPTBL.dll (SEIKO EPSON CORPORATION / CyCom Technology Corp.)
O3 - HKLM\..\Toolbar: (Norton Safe Web Lite) - {30CEEEA2-3742-40e4-85DD-812BF1CBB83D} - C:\Program Files (x86)\Norton Safe Web Lite\Engine\2.0.0.16\CoIEPlg.dll (Symantec Corporation)
O3 - HKU\S-1-5-21-215040487-2971206822-3967916641-1000\..\Toolbar\WebBrowser: (Norton Safe Web Lite) - {30CEEEA2-3742-40E4-85DD-812BF1CBB83D} - C:\Program Files (x86)\Norton Safe Web Lite\Engine\2.0.0.16\CoIEPlg.dll (Symantec Corporation)
O33 - MountPoints2\{1265af08-e718-11e0-b9e6-840cc463d1be}\Shell - "" = AutoRun
O33 - MountPoints2\{1265af08-e718-11e0-b9e6-840cc463d1be}\Shell\AutoRun\command - "" = "F:\WD SmartWare.exe" autoplay=true

:commands
[CREATERESTOREPOINT]
[EMPTYJAVA]
[emptytemp]

[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.

.

============= Next =============

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.

How to disable avast:

[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.

[*]Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note:Do not mouse-click Combofix’s window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.

When the tool is finished, it will produce a log report for you. (typical location: C:[b]ComboFix.txt[/b] )
Attach log reports ( ComboFix.txt) back to topic.

I think it all worked…heres the log reports

Open notepad and copy/paste the text present inside the code box below:

Driver::
ccSet_NST
NSL

File::
c:\windows\system32\drivers\NSTx64\0200000.010\ccSetx64.sys
c:\windows\SYSNATIVE\drivers\NSTx64\0200000.010\ccSetx64.sys
c:\program files (x86)\Norton Safe Web Lite\Engine\2.0.0.16\ccSvcHst.exe

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refering to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:[b]ComboFix.txt[/b] )

Run the Norton Removal Tool.

https://support.norton.com/sp/en/us/home/current/solutions/kb20080828154508EN_EndUserProfile_en_us?product=home&version=1

Tried ComboFix but it came up with the message “the syntax of the command is incorrect”

hello try again changing the name of combofix by what you want ( your second name , the name of your dog…)
some infections know and block combofix with it’s name

Change what?..

CFScript, there is a mistake. Download this script to the desktop.

In any case the infection is gone, trying to remove the remnants of Norton. How’s your computer behaving now?

K i’ll try that now…yeahh good! No more pop ups from avast so i guess that means its all good?

the latest combofix log

OK this is good

It is necessary to uninstall ComboFix :

[*] Click Start (or
http://amf.mycity.rs/pg/images/VistaStartButton.png
) then Run.

On Windows7 or Vista you may use Start Search field if Run is not available.

[*] In the line of text type in (Copy) the following:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

[*] then click OK (or press Enter ).

Wait for the uninstall process is complete.

Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes below;

[] Remove disinfection tools
[] Create registry backup
[*] Purge System Restore

Now click on “Run” button. Wait for the programme completes his work.
All the tools we used should be gone.
Tool will create and open an log report (DelFix.txt)
Note: The report will also be stored on C:\DelFix.txt

I don’t need DelFix log report.

Yipeeeee! Thanks a bill ;D ;D