Author Topic: Trojan horse infections  (Read 17299 times)


whads354

  • Guest
Trojan horse infections
« on: July 25, 2012, 12:03:17 PM »
I'm new on here having just installed the free version of avast after a recommendation. Until recently I was using Microsoft Security Essentials to protect my laptop but this has obviously been breached. I was finding I couldn't move from one web page to another. After installing avast I can now do this but every few minutes things stall and I get a message saying one of three trojan horses has been stopped by avast. They are win32:malware-gen, win64:sirefef-A, win32:downloader-PKU and all affect process windows\system32\services.exe and have an object of windows\installer\...\ followed by a long number. I've seen on Google people like PC Tools Spyware Doctor offering to get rid of them but when I tried the free version it seemed like a way of getting money out of me without giving me any confidence it would be successful. It's driving me barmy, please can someone advise how I can remove these and restore my sanity.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Trojan horse infections
« Reply #1 on: July 25, 2012, 12:05:07 PM »
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

whads354

  • Guest
Re: Trojan horse infections
« Reply #2 on: July 27, 2012, 12:18:13 PM »
Asyn, Thanks for your reply and for offering to help. To add to my earlier email since running the antimalwarebytes scan I now regularly get two messages from Microsoft. The first says Host Process for Windows services has stopped working and was closed. The second follows straight away and says Windows is not working correctly and suggests I carry out updates. I've not done that and won't until I hear back from you.
Steve

« Last Edit: July 27, 2012, 03:56:48 PM by whads354 »

whads354

  • Guest
Re: Trojan horse infections -logs part 2
« Reply #3 on: July 27, 2012, 12:20:29 PM »
OTL
« Last Edit: July 27, 2012, 03:56:13 PM by whads354 »

whads354

  • Guest
Re: Trojan horse infections logs part 3
« Reply #4 on: July 27, 2012, 12:23:27 PM »
[
« Last Edit: July 27, 2012, 03:55:43 PM by whads354 »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
Re: Trojan horse infections
« Reply #5 on: July 27, 2012, 12:25:08 PM »
as asyn said.....attach logs.....not copy and paste

whads354

  • Guest
Re: Trojan horse infections - logs part 4
« Reply #6 on: July 27, 2012, 12:26:58 PM »
DRV
« Last Edit: July 27, 2012, 03:55:01 PM by whads354 »

whads354

  • Guest
Re: Trojan horse infections - files attached
« Reply #7 on: July 27, 2012, 12:35:28 PM »
Sorry, didn't read instructions properly.
Steve

whads354

  • Guest
Re: Trojan horse infections
« Reply #8 on: July 27, 2012, 12:37:08 PM »
One more, the FSS log for the sirefef infection

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Trojan horse infections
« Reply #9 on: July 28, 2012, 12:43:57 AM »
Hello  ;)

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If you don't know or understand something, please don't hesitate to ask.
  • Please refrain from making any further changes to your computer (Install/Uninstall programs, delete files, edit the registry, etc...)
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • It is important that you reply to this thread. Do not start a new topic.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Absence of symptoms does not mean that everything is clear.
*************************


Step 1

Re-run OTL.exe.

  • Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

Code:
:OTL
[2 C:\Windows\Installer\{22f5016a-7768-1103-2177-7e62b23e0fa5}\U\*.tmp files -> C:\Windows\Installer\{22f5016a-7768-1103-2177-7e62b23e0fa5}\U\*.tmp -> ]

:files
C:\Windows\Installer\{22f5016a-7768-1103-2177-7e62b23e0fa5}
C:\Users\Steve\AppData\Local\{22f5016a-7768-1103-2177-7e62b23e0fa5}
ipconfig /flushdns /c

:commands
[CREATERESTOREPOINT]
[emptytemp]
[Reboot]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.
*********************************


Step 2


> Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

> Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this Instruction.

> Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.

ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.

If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.


> When the tool is finished, it will produce a log report for you (typical location: C:\ComboFix.txt).
  Attach the log report (ComboFix.txt) to the topic.
« Last Edit: July 28, 2012, 12:45:28 AM by magna86 »

whads354

  • Guest
Re: Trojan horse infections
« Reply #10 on: July 29, 2012, 01:09:29 PM »
Magna86, thanks for helping me.
Logs attached.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Trojan horse infections
« Reply #11 on: July 29, 2012, 01:41:13 PM »
> Please delete the current ComboFix and download a fresh one.

> Open Notepad and copy/paste the text present inside the code box below:


Code:
Folder::
c:\program files\BabylonToolbar
c:\programdata\Babylon
c:\users\Steve\AppData\Roaming\Babylon

ClearJavaCache::

RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0010\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0011\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0012\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0013\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0014\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000


Save this as CFScript.txt



Close all browser windows.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply (typical location: C:\ComboFix.txt).


*****************************


Additional checks:

Download TDSSKiller and save it to your desktop.

  •   Execute TDSSKiller.exe by double-clicking on it.
  •   Press Start Scan.
  •   If a Suspicious object is detected, the default action will be Skip; click on Continue.
  •   If Malicious objects are found, select Cure.
Once complete, a log will be produced at the root of the drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt


Please attach the contents of that log in your next reply.
« Last Edit: July 29, 2012, 01:42:47 PM by magna86 »

whads354

  • Guest
Re: Trojan horse infections
« Reply #12 on: July 29, 2012, 03:10:27 PM »
Logs attached.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Trojan horse infections
« Reply #13 on: July 29, 2012, 03:16:46 PM »
The ComboFix log is not complete.
Attach it again:
C:\ComboFix.txt

whads354

  • Guest
Re: Trojan horse infections
« Reply #14 on: July 29, 2012, 06:04:48 PM »
That small file was it. After the programme ran the message that the log was being prepared disappeared and the computer froze. I waited for ages before restarting but that was all that was recorded. I've run the programme again, all worked well this time and have attached the log. I hope I haven't messed things up by doing this.