avast: 800000cb.@ and 80000000.@ constant pop ups. need help removing them

[cadence]

800000cb.@
Win32:Trojan-gen

80000000.@
Win32:Malware-gen

these 2 viruses are located in C:/windows/installer/{2cdae1c8-30de-f317-04b4-ad2e...

avast pop ups of these viruses every 5 minutes.

[Pondus]

follow this guide and attach (not copy and paste) logs from Mawarebytes / OTL / aswMBR
http://forum.avast.com/index.php?topic=53253.0

[cadence]

I have attached the following requested logs. Thanks for coming to help me. I need to fix this.

[oldman]

Hi cadence, welcome to the forum.

To make cleaning this machine easier

• Please do not uninstall/install any programs unless asked to
  It is more difficult when files/programs are appearing in/disappearing from the logs.
  
• Please do not run any scans other than those requested
  
• Please follow all instructions in the order posted
• All logs/reports, etc.. must be posted in Notepad. Please ensure that word wrap is unchecked. In notepad click format, uncheck word wrap if it is checked.
• Do not attach any logs/reports, etc.. unless specifically requested to do so.
• If you have problems with or do not understand the instructions, Please ask before continuing.
  
• Please stay with this thread until given the All Clear. A absence of symptoms does not mean a clean machine.
  

There are quite a few services missing. We'll worry about them after we get this cleaned up a bit.

Download ComboFix from one of these locations:

Link 1

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.  Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs
  
  
• Right click on ComboFix.exe, click Run as Administrator & follow the prompts.
  

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. If after running combofix you recieve an message "Illegal operation attempted on a registery key that has been marked for deletion" or similar reboot the computer.
4. CF disconnects your machine from the internet.  The connection is automatically restored before CF completes its run.  If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post back with the combofix log.

Thanks

[cadence]

I have attached the combofix txt.

[oldman]

Hi cadence,

 µTorrent
You have µTorrent, a P2P/file sharing program installed on your computer. P2P applications like it are the largest source of malware we see. You'll be doing yourself a favor by removing it.

References for the risk of these programs can be found in these links:
http://www.microsoft.com/windows/ie/commun...protection.mspx

http://www.internetworldstats.com/articles...cles/art053.htm

I would recommend that you uninstall µTorrent, however that choice is up to you. If you choose to remove this program, you can do so via Control Panel >> Uninstall a program option under the Programs category.

If you wish to keep it, please do not use it until your computer is cleaned.


Next

Open a new Notepad session

• Click the Start button, click run
  
• in the run box type notepad
  
• click ok
  
• In the notepad, Click "Format" and be certain that Word Wrap is not checked.
  
  
• Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE
  
  
  

Code: [Select]

File::
C:\Windows\Installer\{2cdae1c8-30de-f317-04b4-ad2e7fa2f39b}\U\00000001.@
C:\Windows\Installer\{2cdae1c8-30de-f317-04b4-ad2e7fa2f39b}\@
C:\Users\Lok\AppData\Local\{2cdae1c8-30de-f317-04b4-ad2e7fa2f39b}\@

Folder::
C:\Windows\Installer\{2cdae1c8-30de-f317-04b4-ad2e7fa2f39b}\U
C:\Windows\Installer\{2cdae1c8-30de-f317-04b4-ad2e7fa2f39b}
C:\Users\Lok\AppData\Local\{2cdae1c8-30de-f317-04b4-ad2e7fa2f39b}

In the notepad

• Click File, Save as..., and set the Save in to your Desktop
  
• In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
  
• Click save
  
  Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.
  
  This will start ComboFix again.Close  all browser/windows first.
  
  **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
  
  
  
  Please post back with
  • add-remove.txt
  • combofix log
  
  
  How's the computer now?
  
  

[/list]

[cadence]

After reading those articles, I decided to remove µTorrent on my computer.
I have attached the combofix log. What is the add-remove.txt? I can't find it or don't know how to locate it.
My computer ran normally with the viruses except for the continuous pop ups from avast and sometimes when i would click links on search pages such as google, it would redirect me to a different site. Was that because of the viruses? Since avast is disabled on my computer right now, should I turn it back on to check if I still get the pop ups?

[bas33]

I have the same problem as ts can i use the same solution?

[essexboy]

I have the same problem as ts can i use the same solution?

No you will need to start your own thread

[cadence]

I decided to enable avast and so far it has been 90 minutes without any avast pop ups of malware/threat. My computer is running good. thanks for helping me. Does this mean that my computer is fixed?  Also, how do i get rid of these programs you advised me to download? sorry to bother.

[cadence]

i ran an avast full scan and it detected two threats:80000000. @.vir and 800000cb.@.vir. i moved those two to the virus chest. i shut down the computer and ran a boot scan which came out clean. I'm confused at the moment. what do i do?

[oldman]

Hi cadence,

Please do not do any scans unless requested. Sometimes programs like antivirus programs detect our tools or parts of them. They can cause corruption in the tools and cause problems. The last 2 avast detections where of files we have quarantined with combofix. All tools and quarantined files will be removed when we are finished cleaning this machine.

There still is a bit to do.

This infection is known to corrupt some of windows services. We'll have a look.
Next

Please download Farbar Service Scanner and save it to your desktop.

• Check all the boxes and click scan
  
• Please copy and paste the log to your reply.

Pleas post back with the OTL log and the FSS log.

[cadence]

oh man, sorry about that. i had no idea. do you want me to rerun otl for the otl log?

[cadence]

Farbar Service Scanner Version: 06-08-2012
Ran by Lok (administrator) on 08-08-2012 at 19:43:00
Running from "C:\Users\Lok\Downloads"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

[oldman]

Hi cadence,

Your java is out of date. Click your start button > Control Panel. Under Programs click Uninstall a program. Uninstall

J2SE Runtime Environment 5.0 Update 22
J2SE Development Kit 5.0 Update 22


Do not uninstall Java(TM) 6 Update 31

Next

Click your start button > Control Panel

• Use the drop down menu beside view by and change it to small icons
  
• locate java (32bit) in the list and click on it
  
• when the java console opens click the update tab
  
• Click update now
  

Decline any extra installs that may be offered.

Next, Double click on OTL.exe

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
• Do Not copy the word CODE
  
• please note the fix starts with the :
  
• to ensure you get it all click the [select]

Code: [Select]

:Services

:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"DisplayName"="@%SystemRoot%\\system32\\qmgr.dll,-1000"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Description"="@%SystemRoot%\\system32\\qmgr.dll,-1001"
"ObjectName"="LocalSystem"
"ErrorControl"=dword:00000001
"Start"=dword:00000002
"DelayedAutoStart"=dword:00000001
"Type"=dword:00000020
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,45,00,76,00,65,00,\
  6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,00,00
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,\
  00,6c,00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
  67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,\
  00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
  00,00,53,00,65,00,54,00,63,00,62,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,\
  00,67,00,65,00,00,00,53,00,65,00,41,00,73,00,73,00,69,00,67,00,6e,00,50,00,\
  72,00,69,00,6d,00,61,00,72,00,79,00,54,00,6f,00,6b,00,65,00,6e,00,50,00,72,\
  00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6e,00,\
  63,00,72,00,65,00,61,00,73,00,65,00,51,00,75,00,6f,00,74,00,61,00,50,00,72,\
  00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,60,ea,00,00,01,00,00,00,c0,d4,01,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  71,00,6d,00,67,00,72,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Performance]
"Library"="bitsperf.dll"
"Open"="PerfMon_Open"
"Collect"="PerfMon_Collect"
"Close"="PerfMon_Close"
"InstallType"=dword:00000001
"PerfIniFile"="bitsctrs.ini"
"First Counter"=dword:00000774
"Last Counter"=dword:00000784
"First Help"=dword:00000775
"Last Help"=dword:00000785
"Object List"="1908"
"1008"=hex(b):bc,81,53,b3,1d,d9,cc,01
"PerfMMFileName"="Global\\MMF_BITS_s"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Security]
"Security"=hex:01,00,14,90,90,00,00,00,a0,00,00,00,14,00,00,00,34,00,00,00,02,\
  00,20,00,01,00,00,00,02,c0,18,00,00,00,0c,00,01,02,00,00,00,00,00,05,20,00,\
  00,00,20,02,00,00,02,00,5c,00,04,00,00,00,00,02,14,00,ff,01,0f,00,01,01,00,\
  00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
  20,00,00,00,20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,04,\
  00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,01,02,\
  00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,\
  00,20,02,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Enum]
"0"="Root\\LEGACY_BITS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

:Commands
[emptytemp]
[createrestorepoint]

Then click the Run Fix button at the top

• Let the program run unhindered
• Please save the resulting log to be posted in your next reply.
• Reboot your computer

Please post the  OTL fix log

Next rerun FSS the same way you did before and post the log.