Win32:Malware-gen / Win32:Downloader-PKU[Trj]

Hello. Like other users, I get a notification from Avast every 5 minutes that it has blocked Win32:Malware-gen and Win32:Downloader-PKU[Trj] …
I read the "how to post your log" guide and that's what I will do:

MBAM (it’s in Spanish but I think it’s understandable, “Archivos detectados” means “files detected” :stuck_out_tongue: )

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.03.08

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
MartíxD :: MARTÍXD-PC [administrator]

04/08/2012 11:04:28
mbam-log-2012-08-04 (11-04-28).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 205721
Time elapsed: 1 minute(s), 26 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 37
C:\Windows\Installer\{2c9666f2-6ef6-08d5-7fc5-e0edb763dc46}\U\00000008.@ (Trojan.Dropper.BCMiner) → Quarantined and deleted successfully.
C:\Windows\Installer\{2c9666f2-6ef6-08d5-7fc5-e0edb763dc46}\U\trz12F9.tmp (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{2c9666f2-6ef6-08d5-7fc5-e0edb763dc46}\U\trz1644.tmp (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{2c9666f2-6ef6-08d5-7fc5-e0edb763dc46}\U\trz1684.tmp (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{2c9666f2-6ef6-08d5-7fc5-e0edb763dc46}\U\trz190E.tmp (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{2c9666f2-6ef6-08d5-7fc5-e0edb763dc46}\U\trz1E43.tmp (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{2c9666f2-6ef6-08d5-7fc5-e0edb763dc46}\U\trz2654.tmp (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{2c9666f2-6ef6-08d5-7fc5-e0edb763dc46}\U\trz281A.tmp (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{2c9666f2-6ef6-08d5-7fc5-e0edb763dc46}\U\trz350.tmp (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{2c9666f2-6ef6-08d5-7fc5-e0edb763dc46}\U\trz3BFF.tmp (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{2c9666f2-6ef6-08d5-7fc5-e0edb763dc46}\U\trz3D76.tmp (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{2c9666f2-6ef6-08d5-7fc5-e0edb763dc46}\U\trz5DB2.tmp (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{2c9666f2-6ef6-08d5-7fc5-e0edb763dc46}\U\trz5ECD.tmp (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{2c9666f2-6ef6-08d5-7fc5-e0edb763dc46}\U\trz6F68.tmp (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{2c9666f2-6ef6-08d5-7fc5-e0edb763dc46}\U\trz7049.tmp (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{2c9666f2-6ef6-08d5-7fc5-e0edb763dc46}\U\trz75EE.tmp (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{2c9666f2-6ef6-08d5-7fc5-e0edb763dc46}\U\trz7FD6.tmp (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{2c9666f2-6ef6-08d5-7fc5-e0edb763dc46}\U\trz8209.tmp (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{2c9666f2-6ef6-08d5-7fc5-e0edb763dc46}\U\trz8418.tmp (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{2c9666f2-6ef6-08d5-7fc5-e0edb763dc46}\U\trz88FD.tmp (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{2c9666f2-6ef6-08d5-7fc5-e0edb763dc46}\U\trz8DBD.tmp (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{2c9666f2-6ef6-08d5-7fc5-e0edb763dc46}\U\trz9EC0.tmp (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{2c9666f2-6ef6-08d5-7fc5-e0edb763dc46}\U\trzA0E2.tmp (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{2c9666f2-6ef6-08d5-7fc5-e0edb763dc46}\U\trzB2F.tmp (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{2c9666f2-6ef6-08d5-7fc5-e0edb763dc46}\U\trzB60B.tmp (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{2c9666f2-6ef6-08d5-7fc5-e0edb763dc46}\U\trzC4E7.tmp (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{2c9666f2-6ef6-08d5-7fc5-e0edb763dc46}\U\trzC672.tmp (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{2c9666f2-6ef6-08d5-7fc5-e0edb763dc46}\U\trzC7A5.tmp (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{2c9666f2-6ef6-08d5-7fc5-e0edb763dc46}\U\trzCC29.tmp (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{2c9666f2-6ef6-08d5-7fc5-e0edb763dc46}\U\trzD315.tmp (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{2c9666f2-6ef6-08d5-7fc5-e0edb763dc46}\U\trzD366.tmp (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{2c9666f2-6ef6-08d5-7fc5-e0edb763dc46}\U\trzD8A7.tmp (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{2c9666f2-6ef6-08d5-7fc5-e0edb763dc46}\U\trzE24D.tmp (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{2c9666f2-6ef6-08d5-7fc5-e0edb763dc46}\U\trzE397.tmp (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{2c9666f2-6ef6-08d5-7fc5-e0edb763dc46}\U\trzE5D9.tmp (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{2c9666f2-6ef6-08d5-7fc5-e0edb763dc46}\U\trzE898.tmp (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{2c9666f2-6ef6-08d5-7fc5-e0edb763dc46}\U\trzF104.tmp (Rootkit.0Access) → Quarantined and deleted successfully.

(end)

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-04 11:20:43

11:20:43.059 OS Version: Windows x64 6.1.7600
11:20:43.059 Number of processors: 4 586 0x2A07
11:20:43.059 ComputerName: MARTÍXD-PC UserName: MartíxD
11:20:44.288 Initialize success
11:20:44.326 AVAST engine defs: 12080400
11:20:57.465 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-0
11:20:57.465 Disk 0 Vendor: SAMSUNG_ 1AJ1 Size: 476940MB BusType: 3
11:20:57.467 Disk 1 \Device\Harddisk1\DR1 → \Device\Ide\IAAStorageDevice-1
11:20:57.468 Disk 1 Vendor: WDC_WD10 15.0 Size: 953869MB BusType: 3
11:20:57.487 Disk 0 MBR read successfully
11:20:57.489 Disk 0 MBR scan
11:20:57.490 Disk 0 Windows 7 default MBR code
11:20:57.499 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476838 MB offset 206848
11:20:57.518 Disk 0 scanning C:\Windows\system32\drivers
11:21:02.562 Service scanning
11:21:12.141 Modules scanning
11:21:12.145 Disk 0 trace - called modules:
11:21:12.158 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
11:21:12.160 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8009b87060]
11:21:12.163 3 CLASSPNP.SYS[fffff8800160143f] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-0[0xfffffa80083f6050]
11:21:12.776 AVAST engine scan C:\Windows
11:21:14.034 AVAST engine scan C:\Windows\system32
11:21:42.960 File: C:\Windows\system32\services.exe INFECTED Win32:Sirefef-ZT [Trj]
11:21:54.063 File: C:\Windows\assembly\GAC_32\Desktop.ini INFECTED Win32:Sirefef-PL [Rtk]
11:21:54.840 File: C:\Windows\assembly\GAC_64\Desktop.ini INFECTED Win32:Sirefef-PL [Rtk]
11:22:18.663 AVAST engine scan C:\Windows\system32\drivers
11:22:23.910 AVAST engine scan C:\Users\MartíxD
11:30:01.798 AVAST engine scan C:\ProgramData
11:31:44.770 Scan finished successfully
11:37:37.269 Disk 0 MBR has been saved successfully to “C:\Users\MartíxD\Desktop\MBR.dat”
11:37:37.270 The log file has been saved successfully to “C:\Users\MartíxD\Desktop\aswMBR.txt”

Thanks a lot for your help.
PS: Sorry for my English XD
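The two logs above carry the three file-level signs of a ZeroAccess (Sirefef) infection: the GUID-named directory with a "U" subfolder under C:\Windows\Installer, the Desktop.ini files planted in GAC_32 and GAC_64, and a services.exe that the scanner flags as infected. The following is an added example, not code from the original post or from Avast or Malwarebytes: a small Python checker that runs those three indicators over scanner log lines. The sample lines are constructed from the posted MBAM and aswMBR output (a few lines, not the full logs), and the indicator labels are my own.

```python
import re
from collections import Counter

# Indicators drawn from the MBAM and aswMBR logs posted above. The labels are
# assumptions made for this example, not names used by either scanner.
INDICATORS = {
    # C:\Windows\Installer\{GUID}\U\ : ZeroAccess hides its payload here.
    "zeroaccess_installer_dir": re.compile(
        r"\\Windows\\Installer\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\U\\",
        re.I),
    # Desktop.ini dropped into the .NET GAC folders (flagged Win32:Sirefef-PL).
    "zeroaccess_gac_desktop_ini": re.compile(
        r"\\Windows\\assembly\\GAC_(?:32|64)\\Desktop\.ini", re.I),
    # services.exe patched in place (flagged Win32:Sirefef-ZT by aswMBR).
    "patched_services_exe": re.compile(
        r"\\Windows\\system32\\services\.exe\s+INFECTED", re.I),
}


def classify_line(line):
    """Return the name of the first indicator matching this log line, or None."""
    for name, pattern in INDICATORS.items():
        if pattern.search(line):
            return name
    return None


def find_indicators(lines):
    """Return [(indicator, line)] for every line that matches a known indicator."""
    hits = []
    for line in lines:
        name = classify_line(line)
        if name:
            hits.append((name, line.strip()))
    return hits


def summarize(lines):
    """Count hits per indicator; an empty result means no ZeroAccess footprint seen."""
    return Counter(name for name, _ in find_indicators(lines))


# Constructed sample: lines modelled on the posted MBAM and aswMBR logs, plus one
# benign aswMBR line that must not match.
SAMPLE_LOG = r"""
C:\Windows\Installer\{2c9666f2-6ef6-08d5-7fc5-e0edb763dc46}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\Windows\Installer\{2c9666f2-6ef6-08d5-7fc5-e0edb763dc46}\U\trz12F9.tmp (Rootkit.0Access) -> Quarantined and deleted successfully.
11:21:42.960 File: C:\Windows\system32\services.exe INFECTED Win32:Sirefef-ZT [Trj]
11:21:54.063 File: C:\Windows\assembly\GAC_32\Desktop.ini INFECTED Win32:Sirefef-PL [Rtk]
11:21:54.840 File: C:\Windows\assembly\GAC_64\Desktop.ini INFECTED Win32:Sirefef-PL [Rtk]
11:22:18.663 AVAST engine scan C:\Windows\system32\drivers
""".strip().splitlines()

if __name__ == "__main__":
    for name, line in find_indicators(SAMPLE_LOG):
        print(f"{name:28} {line}")
    print(dict(summarize(SAMPLE_LOG)))
```

The GUID pattern is deliberately strict (8-4-4-4-12 hex groups followed by a "U" directory) so that the legitimate MSI cache folders under C:\Windows\Installer, which have no "U" subfolder, do not trigger it.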

Hi

Step1

- Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
- In the window that opens, in the top right corner, click Settings.
- In the new window that opens, choose the option Troubleshooting, uncheck Enable avast! self-defense, and click OK.

- Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
- In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

Step2

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.

When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
Attach the log report (ComboFix.txt) to the topic.

Here it is.

Before scanning, ComboFix warned that Avast was running, but I had disabled the options you mentioned. So I don't know if it could have been affected.

A lot of thanks for helping!

Open Notepad and copy/paste the text inside the code box below:

FCOPY::
c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9\user32.dll|c:\windows\system32\user32.dll
c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_3382083abb6e47d4\user32.dll|c:\windows\SysWOW64\user32.dll

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
  00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
  6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,74,\
  00,73,00,70,00,6b,00,67,00,00,00,70,00,6b,00,75,00,32,00,75,00,00,00,00,00

DDS::
uStart Page = hxxp://search.babylon.com/?affID=112555&tt=280612_8_&babsrc=HP_ss&mntrId=107942cc000000000000002522b0a37d
uSearchAssistant = hxxp://cloud-search.linkury.com/results.htm?cx=partner-pub-7890126930977991:1926905636&cof=FORID:11&q={searchTerms}&sa=Search&siteurl=search.linkury.com

ClearJavaCache:: 

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)
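The Registry:: section of the CFScript writes the Windows 7 default list of LSA Security Packages (kerberos, msv1_0, schannel, wdigest, tspkg, pku2u) back as a REG_MULTI_SZ, because a DLL added to that value is loaded into lsass.exe as a Security Support Provider at every boot. As an added example, not part of the original post and not ComboFix code, the Python below decodes that hex(7) value from the script text (handling regedit's line continuations) and reports any package name that is not on the expected list, which is the same check you would run on the value exported from regedit on the live system. The expected list constant and the "rogue_ssp" name in the constructed tampered sample are assumptions made for the demonstration.

```python
# Default LSA "Security Packages" on Windows 7; this is the list the CFScript
# above restores. Assumed baseline for this example.
EXPECTED_SECURITY_PACKAGES = ["kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u"]

# Sample input: the Registry:: fragment from the CFScript above, verbatim.
CFSCRIPT_REGISTRY = r'''[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
  00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
  6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,74,\
  00,73,00,70,00,6b,00,67,00,00,00,70,00,6b,00,75,00,32,00,75,00,00,00,00,00
'''


def parse_reg_multi_sz(reg_text, value_name):
    """Decode a .reg-style hex(7) value (REG_MULTI_SZ, UTF-16LE) into a list of strings.

    regedit exports long values with a trailing backslash as a line continuation
    and indents the next line; both are folded back together here.
    """
    lines = reg_text.splitlines()
    prefix = f'"{value_name}"=hex(7):'
    for i, line in enumerate(lines):
        if line.startswith(prefix):
            break
    else:
        raise ValueError(f"{value_name} not found as a hex(7) value")
    hexpart = line[len(prefix):].strip()
    while hexpart.endswith("\\"):          # regedit line continuation
        i += 1
        hexpart = hexpart[:-1] + lines[i].strip()
    raw = bytes(int(b, 16) for b in hexpart.split(",") if b)
    # A REG_MULTI_SZ is a run of NUL-terminated strings ended by an extra NUL.
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def to_reg_multi_sz(value_name, names):
    """Encode a list of strings as a single-line .reg hex(7) value (inverse of the parser)."""
    data = "".join(n + "\x00" for n in names) + "\x00"
    hexbytes = ",".join(f"{b:02x}" for b in data.encode("utf-16-le"))
    return f'"{value_name}"=hex(7):{hexbytes}'


def unexpected_packages(packages, expected=EXPECTED_SECURITY_PACKAGES):
    """Return every registered package that is not on the expected baseline."""
    return [p for p in packages if p.lower() not in expected]


if __name__ == "__main__":
    pkgs = parse_reg_multi_sz(CFSCRIPT_REGISTRY, "Security Packages")
    print("packages from CFScript:", pkgs)
    print("unexpected:", unexpected_packages(pkgs))
    # Constructed tampered value: the baseline plus one hypothetical extra SSP.
    tampered = to_reg_multi_sz("Security Packages", EXPECTED_SECURITY_PACKAGES + ["rogue_ssp"])
    print("unexpected in tampered value:",
          unexpected_packages(parse_reg_multi_sz(tampered, "Security Packages")))
```

To check a live machine, export HKLM\SYSTEM\CurrentControlSet\Control\Lsa from regedit and feed the file's text to parse_reg_multi_sz; a name that is a path or an unfamiliar DLL is the thing to investigate before resetting the value.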

Done.
Anyway, after the first run of ComboFix the Avast alerts haven't appeared any more. It seems resolved, but I don't know for sure, so I'm continuing with your instructions. :stuck_out_tongue:

Thanks a lot!

Hmmm good @Annie84

It is necessary to uninstall the ComboFix :

- Click Start (or the Start orb on Vista/Windows 7), then Run.

On Windows 7 or Vista you may use the Start Search field if Run is not available.

- In the text field type (or copy) the following:

ComboFix /Uninstall

Note that there is a space between "ComboFix" and "/Uninstall".

- Then click OK (or press Enter).

Wait for the uninstall process to complete.

Run OTL and hit the Cleanup button.

It is necessary to update the system (SP1).

Mmmm, I can't uninstall it.

A message appears: Windows can't find the file "ComboFix".
I have to do this, right?

http://i.imgur.com/gOTAs.jpg

And

"It is necessary to update the system (SP1)."
Do you mean the Windows version?
"Note that there is a space between "ComboFix" and "/Uninstall"."

Did you do so?

If not, delete the ComboFix icon and the folders
c:\combofix
c:\qoobox

"Do you mean the Windows version?"

Not Windows, just a service pack. Turn on Automatic Update.

Yes, I tried it.

And I can't delete the Qoobox folder; it says that I need Administrator permissions to delete it, but I am an Administrator :o

The Qoobox folder is not a problem; you do not have to delete it. What matters is that the malware is gone 8)

OK, so the nightmare is over!

Thanks a lot for your help, awesome job! :smiley: