Threat keeps coming back

[Kellen]

Hi all,

I seem to have a tough malware/virus infection that I can't get rid of. I've run multiple anti-virus/anti-malware programs but it keeps coming back every time.

Currently, I'm using Avast which keeps informing me that it has located and blocked a threat. I've tried the boot scan and it said that it removed everything, but once I started up the messages continued. I've also tried Malwarebytes and a boot-check with AVG with no success.

Other symptoms that I've noticed:
-I originally had AdAware, which the virus appears to have completely destroyed. It keeps trying to reinstall itself and everytime I attempt to uninstall it fails.
-I can no longer unzip files with the built in unzip for Windows 7, it just creates an empty folder. This is a problem when I try to download and install anti-virus software
-Slow run times
-Random pop-ups with web links

I'm getting tired of running the same virus checks/cleaning routines and being told it is repaired only to reappear. Unfortunately, I'm somewhat of a novice so I'm unsure how to post my existing logs, but any help is greatly appreciated!

Kellen

[Asyn]

Please attach your logs. (AdwCleaner, MBAM, OTL and aswMBR..!!)
Instructions: http://forum.avast.com/index.php?topic=53253.0

[Pondus]

Also give info of what file avast detect....and malware name
You may attach a screenshot of the avast pop up

[mchain]

Also give info of what file avast detect....and malware name
You may attach a screenshot of the avast pop up

Use the W7 snipping tool to capture the avast! pop-up and temporarily pin (pin icon in the message box) the pop-up by ticking it with your mouse and/or press ALT+PrntScrn buttons together and use/open/paste Paint to save the .jpg image to desktop.

Right-click the avast! icon in system tray and select 'Show last pop-up message' to display the message box you wish to capture.

When done, just tick the pin icon in the message box again to allow the pop-up message to disappear normally.

[jeffce]

Monitoring... 

[Kellen]

Hi all,

I've attached the logs and images as best I could.

The problem may be solved, however, as I ran Microsoft Safety Scanner before installing the log applications and I have yet to receive more "threat" pop-ups from Avast. I am also able to unzip files again. I still cannot uninstall Adaware, but perhaps that is a separate issue.

Again, I appreciate all the help!

Kellen

[Kellen]

One more with the Avast screenshot...

[Pondus]

Your Malwarebytes was not updated when you did the scan..
update and run quick scan....no need to attach New log if nothing is detected

the most important logs are OTL.txt and aswmbr.txt  also attach those

Jeffce will be back later and help you

[mchain]

Please stay with us as avast! noted a siref(ef) rootkit infection.  jeffice can at least verify the rootkit is gone if OTL and aswMBR.exe logs are submitted or work to ensure all remnants of the rootkit are gone for good if not.

[jeffce]

Yes please run OTL and aswMBR as well as the following and then attach all logs please...

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.

• Disable any antivirus programs during the scan (If you have difficulty properly disabling your protective programs, refer to this link here )
  
• Double click dds to run the tool.
  
• When done, two DDS.txt's will open.
  
• Save both reports to your desktop.
  

---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt

Attach.txt
----------

[Kellen]

Whoops, somehow missed those two. Will have the new Malware one up when it completes.

[jeffce]

After looking at the OTL log, you still have a major infections...

**WARNING**Unfortunately one or more of the infections I have identified are Backdoor Trojans, IRCBots or other Malware capable of stealing very important information. You need to stop using all Internet Banking sites, change passwords to all sites with sensitive information from a clean computer and phone your bank to inform them that you may be a victim of identify theft. More often than not, we advise users that a full reinstallation of their Operating System is the only way to ensure that their computer will ever be 100% clean again.

Unfortunately I have found what is known as the ZeroAccess rootkit on your system. It is an especially nasty infection that can take quite some time to clean as well as may have damaged your system files itself. As a warning, during the cleaning (if you choose to do so) you may lose internet access with this computer and in the end we may need to reinstall the operating system anyway depending on the extent of the infection.

If you would like to format and reinstall your Operating System please let me know and we can assist you with that.

If you would like to continue with the cleaning, please continue with the following instructions and I will be more than happy to help. 
----------

Please download and run DDS using the instructions that I provided in Reply 9. 

Next...

ComboFix

Download Combofix from either of the links below, and save it to your desktop. 
Link 1
Link 2

**Note:  It is important that it is saved directly to your desktop**
If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.


--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.

When finished, it will produce a report for you. 

• Please post the C:\ComboFix.txt for further review.

[Kellen]

Attached are the DDS logs.

[jeffce]

Great job!! 

Be sure to follow the instructions provided in Reply 11 as well...I think we are "cross posting". 

[Kellen]

ComboFix doesn't seem to be generating a text file in that location, only a file folder: 32788R22FWJFW

How do I get it to save the text file?

Also attached a couple of new threats that have popped up.