Win32:Atraps-PF and Win64:Sirefef-A recurring problem

The two noted viruses keep recurring after sending them to the chest. I get a new alert every few minutes. My system is definitely being affected. Can you please help?

follow this guide and attach (not copy and paste) the logs from Malwarebytes / OTL / aswMBR
http://forum.avast.com/index.php?topic=53253.0

when done a malware removal specialist will be notified…

Monitoring… :slight_smile:

Ok…first of all I was not able to access I/E from my icon…some of my icons/programs will not work. So, I had to do this in Safe Mode. I hope that this is alright. I downloaded Malwarebytes successfully and have the MBAM file.

Next problem, after I received the MBAM file it said to reboot in which I did. When it rebooted normally my screen is now completely blank. Then I tried to reboot in Safe Mode again and did have a screen with icons. I went to download the OTL (in safe mode) and it gave me a message to the effect that an .exe file should not normally be downloaded and asked if I wanted to delete or run anyway. I chose to run anyway and nothing downloaded to my system as the instructions stated…“click on icon, make sure other programs not running, etc.”. The only thing that happened was the OTL menu appeared on my screen but was not saved to my system.

Now what?
Thank you very much.

Go ahead and attach the log made by Malwarebytes and then do the following (in safe mode with networking if needed)…

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.

[*]Disable any script blocking protection
[*]Right-click and Run as Administrator dds to run the tool.
[*]When done, two DDS.txt’s will open.
[*]Save both reports to your desktop.

Please include the contents of the following in your next reply:

DDS.txt

Attach.txt

I tried to download DDS but had a similar problem as with the OTL download. It ran but would not save to desktop and therefore was not run as Administrator per your instructions. The resulting files are attached.

Hi,

WARNING: Unfortunately one or more of the infections I have identified are Backdoor Trojans, IRCBots or other Malware capable of stealing very important information. You need to stop using all Internet Banking sites, change passwords to all sites with sensitive information from a clean computer and phone your bank to inform them that you may be a victim of identity theft. More often than not, we advise users that a full reinstallation of their Operating System is the only way to ensure that their computer will ever be 100% clean again.

Unfortunately I have found what is known as the ZeroAccess rootkit on your system. It is an especially nasty infection that can take quite some time to clean as well as may have damaged your system files itself. As a warning, during the cleaning (if you choose to do so) you may lose internet access with this computer and in the end we may need to reinstall the operating system anyway depending on the extent of the infection.

If you would like to format and reinstall your Operating System please let me know and we can assist you with that.

If you would like to continue with the cleaning, please continue with the following instructions and I will be more than happy to help. :slight_smile:

Download Combofix from the link below, and save it to your desktop.
Link

Note: It is important that it is saved directly to your desktop
If you get a message saying “Illegal operation attempted on a registry key that has been marked for deletion”, please restart your computer.


IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here


Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
When finished, it will produce a report for you.
[*]Please post the C:\ComboFix.txt for further review.

First, thank you very much for your help so far! I went to download Combofix and save it to my desktop (in safe mode) but like the others I am getting an error type message that states…

“The publisher of ComboFix(4).exe couldn’t be verified.”

Then, I have option to choose “Run” or “View downloads”.

Sorry, but I just want to be sure that I choose the right thing.

Also, I do not know if this helps but I do have the original Vista disk that came with this system.

Go ahead and run it. :slight_smile:

I ran Combofix but I can’t seem to find where the .txt file was saved. It is kind of like the other files that I tried to save and run…could this be because I am running in Safe Mode? Anyway, it says that it completed it but I can’t find the .txt file.

Any thoughts?

The log is not located at C:\Combofix.txt ?

If not there look for it in C:\Qoobox\ComboFix.txt

It is definitely not at C: root directory. There is a Qoobox directory that was created and it has some folders in it. I looked through the individual folders but I do not see any .txt files at all.

Ok…go ahead and run ComboFix again and hopefully there is a log created. If not we may need to try another route.

I downloaded and reran Combofix. As I was watching the file process it said that “Output Folder” was 32788R22FWJFW and then my computer beeped several times and an error message displayed but disappeared too quickly to be read. This time the attached file appeared on drive C:.

Ok…just tried to attach the file named Combofix but it said that I could not open it to attach it and may need Administrator privileges.

I wanted to let you know that I found the OTL file that I had earlier stated would not download to my desktop. It looks to be on the system but just not accessible from the desktop. Would you like me to try and run it?

Yes go ahead and try to give OTL another run and post the logs. If needed you can do all of this in Safe Mode with Networking.

I ran OTL in Safe Mode and was successful. Files attached.

Hi,

Please download and run ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. Remember: if you are using Windows Vista as your operating system, right-click the executable and Run as Administrator.

If you are running Malwarebytes 1.6 or better, please disable it for the duration of this run.

To disable Malwarebytes

[*]Open the scanner and select the Protection tab
[*]Remove the tick from “Start Protection Module with Windows” as seen below

http://i1224.photobucket.com/albums/ee380/jeffce74/MBAM16orgreater.jpg

Once complete continue with the instructions…

Run OTL.exe

[*]Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL


:Services

:OTL
DRV - File not found [Kernel | Boot | Stopped] -- System32\drivers\ggyrsex.sys -- (anubvg)
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\S-1-5-21-4247701468-2985291210-1972710796-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 50 BD 3C D6 16 59 CD 01  [binary data]
IE - HKU\S-1-5-21-4247701468-2985291210-1972710796-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-4247701468-2985291210-1972710796-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
O15 - HKU\S-1-5-21-4247701468-2985291210-1972710796-1000\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O33 - MountPoints2\{ba2506b4-2989-11dd-a7b3-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{ba2506b4-2989-11dd-a7b3-806e6f6e6963}\Shell\AutoRun\command - "" = E:\autorun.exe
O33 - MountPoints2\{ee8f26c5-2e41-11dd-a1f5-001cc02c62d5}\Shell - "" = AutoRun
O33 - MountPoints2\{ee8f26c5-2e41-11dd-a1f5-001cc02c62d5}\Shell\AutoRun\command - "" = F:\LaunchU3.exe
O33 - MountPoints2\G\Shell - "" = AutoRun
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\LaunchU3.exe
[2012/06/12 10:04:12 | 000,055,296 | ---- | M] () -- C:\Users\Patrick\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

:Files
C:\Windows\Installer\{4cf4b664-1180-9b83-6774-88561b2659d8}\

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot when it is done
[*]Then run a new scan and post a new OTL log (don’t check the boxes beside LOP Check or Purity this time)
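As an added example (not from the thread and not part of OTL or any tool named above), a read-only PowerShell audit for the three kinds of artifacts the fix list above targets: a boot-start kernel driver service whose image file is missing, per-user MountPoints2 AutoRun handlers, and the GUID-named folder under Windows\Installer. The Installer GUID is copied from the OTL lines above; the driver check is generalised to every boot-start driver service rather than the single one in the log. Run it from an elevated PowerShell.

```powershell
# Added example, not part of the original thread. Read-only audit for the artifacts listed in the OTL fix.
# The Installer GUID below is copied from the OTL log in the thread; everything else is generic.
$installerDir = Join-Path $env:SystemRoot 'Installer\{4cf4b664-1180-9b83-6774-88561b2659d8}'
$findings = @()

# Turn the various ImagePath spellings (\??\C:\..., \SystemRoot\..., system32\drivers\...) into a full path.
function Resolve-ImagePath([string]$p) {
    $p = $p.Trim('"') -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# 1. Every kernel-driver service (Type 1) set to start at boot (Start 0) whose image file does not exist.
#    This generalises the single "DRV - File not found [Kernel | Boot | Stopped]" line in the OTL log.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $v = Get-ItemProperty $_.PSPath
    if ($v.Type -eq 1 -and $v.Start -eq 0 -and $v.ImagePath) {
        $path = Resolve-ImagePath $v.ImagePath
        if (-not (Test-Path $path)) {
            $findings += "Boot driver '$($_.PSChildName)' points at missing file $path"
        }
    }
}

# 2. Per-user MountPoints2 entries carrying a Shell\AutoRun\command (the O33 lines in the log).
$mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
if (Test-Path $mp) {
    Get-ChildItem $mp | ForEach-Object {
        $cmdKey = Join-Path $_.PSPath 'Shell\AutoRun\command'
        if (Test-Path $cmdKey) {
            $findings += "MountPoints2 $($_.PSChildName) AutoRun -> $((Get-ItemProperty $cmdKey).'(default)')"
        }
    }
}

# 3. The GUID-named folder under Windows\Installer that the :Files section of the fix deletes.
if (Test-Path $installerDir) {
    $n = @(Get-ChildItem $installerDir -Force -Recurse -ErrorAction SilentlyContinue).Count
    $findings += "$installerDir exists and contains $n item(s)"
}

if ($findings.Count) { $findings } else { 'None of the listed artifacts were found.' }
```

Compare the output against the OTL log rather than acting on it blindly: a missing driver file is expected for any driver OTL already removed, and MountPoints2 AutoRun commands for a U3 flash drive (LaunchU3.exe) are normally left over from the drive's own software.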


Thank you very much for everything that you have done this far! I went through the entire prior process and am attaching the new OTL log. One thing though, the boxes for LOP Check and Purity were not already checked when I went into the OTL program. So, I am assuming that they were not checked in the previous steps. Again, this was all done in Safe Mode.

Hi,

Good job!

Please delete the current version of Combofix.exe from your desktop and download a new version from here to your desktop.

Disable your AntiVirus and AntiSpyware applications.

Right-click and Run as Administrator on the Combofix.exe and follow the prompts on your display. When finished, it will create a C:\Combofix.txt. Please post this log for further review.