Avast License File not able to load and multiple programs unable to install.

Hi all

This is the second time I have posted on the Avast! Forum about a problem with my PC. I am not sure what has happened this time, but I am almost certain that it is either malware or virus related (or similar). I didn’t even know I had anything wrong with my computer per se until I tried to install my new Avast! License File. When I did so it told me that I couldn’t insert it. I have since had multiple issues with not having access to temp files and my Google Drive not working, as well as programs not allowing me to install them, e.g. HijackThis. I have also had issues doing a print screen and saving it, as Paint will not allow me to save what I paste into it after I have done a print screen. If anyone could help me out that would be awesome.

I only have 5 days remaining on my current avast license and I am hoping to have this sorted before that runs out.

Anything you require I will get for you as quick as I can.

Thanks in advance.
Raz

Hi,

Follow the guide at the link below for running the pre-scan program and the other diagnostic tools.
http://forum.avast.com/index.php?topic=53253.0

Run Malwarebytes, OTL and aswMBR and post their log reports here. I will assist you with the removal process.

Thanks

Attached are the log files for the steps up until McShield. Let me know if I missed any out.

Hi,

Before I proceed with malware removal, as aswMBR didn’t load properly (which might indicate a rootkit), I’ll need to check some core system areas, things that OTL and MBAM can’t see on 64-bit Windows.

Please download GMER, the AntiRootkit tool from the link below and save it to your Desktop:

Gmer download link
Note: file will be random named

Double-click to run GMER.

[*]Wait for the initial scan to finish; if there is any query, click No;
[*]Click the [ Scan ] button and wait until the full scan is complete;
[*]Click [ Save … ] and save the report to the Desktop (named ARK );

[*]Click the >>> button and select the Autostart tab;
[*]Click the [ Scan ] button;
[*]After the quick scan, click the Copy button;
[*]Open Notepad and paste the text. Save the report to the Desktop (named autostart )

Attach here both Gmer logreports. (ARK.txt and autostart.txt)

Hi, when I first ran the GMER file which I downloaded, it came up with the following error.

CreateFile
“C:\USERS\JARROD~1\APPDATA\LOCAL\TEMP\uwrdapow.sys”
Access is denied.

I have also noticed that I have no access to any temporary directory on my entire computer and cannot even open AutoCAD, as it requires temporary folder access.

Attached is the ARK log which you required, but when I open the Autostart tab and click Scan, nothing happens. I have tried it in a multitude of scenarios, from having the file saved on the desktop or in a folder to running it as administrator. Do you have any possible solutions for getting the Autostart scan to run?

Thanks again.

I see …
Well, for a start let’s deploy two mighty tools, MBAR and ComboFix. Together they target a wide range of active malware, and CF also performs some additional cleaning and repairs.

After running these two tools I need to see whether any malware was left behind and not caught. To do so, we’ll use the great FRST tool, as it can see all aspects of Windows.

Please download Malwarebytes AntiRootkit and save it to your desktop.
http://www.malwarebytes.org/products/mbar/

Full instructions how to use MBAR
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-rootkit
Please note: This is a beta version so please be sure to read the disclaimer and note of it.

[*] Unzip/unrar MBAR into a folder on your Desktop; MBAR will then run by itself …

[*] Click Next, then the Update button to download fresh definitions.
[*] When the database has updated, click Next.
[*] In the following window ensure that the “Targets” Drivers, Sectors and System are ticked, then click the “Scan” button.

[*] If any infections are found, ensure “Create Restore Point” is checked, then click the “Cleanup” button to remove the threats.
Or, if you are sure that any entries should not be kept, just untick them. A list of infected files will be shown.

[*] The cleanup procedure will be scheduled.
[*] When it is complete, a pop-up will appear. Click Yes and the system should reboot to complete the cleaning process.

Please attach the two following logs from the mbar folder:

system-log.txt
and
mbar-log-year-month-day (hour-minute-second).txt.

NEXT…

  1. Please download ComboFix by sUBs from here and save it to your Desktop.
    If you are unsure how ComboFix works, please read this guide carefully.
    Note: ComboFix must be downloaded to your Desktop.

  2. Temporarily disable your antivirus program, usually via a right-click on the system tray icon, as it may interfere with ComboFix.
    If you are unsure how to do this, please read this or this instruction.

Instructions how to disable avast:

[*]Right-click the avast! system tray icon (
http://www.mcshield.net/pg/images/avast5.png
) in the lower right corner of the screen and go up to avast! shield controls;
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn this back on after the cleaning by choosing avast! shield controls > Enable all shields.


  3. Run ComboFix. Click on I Agree!

    - ComboFix will display its DISCLAIMER of warranty on software.
    By clicking I Agree, ComboFix will continue.

  • ComboFix will check whether a newer version of ComboFix is available.
    Click Yes if prompted to download it.
    - If the Recovery Console is not installed, ComboFix will offer to download and install it.
    Click Yes to allow ComboFix to install the Recovery Console.
  • ComboFix will scan your computer in stages (50 in total).
    Do not click around with the mouse while ComboFix is running.
    Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion”, just restart your computer.

  4. When the tool is finished, it will produce a log report for you (typical location: C:\ComboFix.txt ).
    Attach the log report (ComboFix.txt) to the topic.

THEN …

Please download Farbar Recovery Scan Tool (
http://www.mcshield.net/personal/magna86/Images/FRST_canned.png
) by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that is the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Under Optional Scan ensure that “Driver MD5” is ticked.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

I’ve done the mbar scan and attached are the two logs that you require. I am just about to do the combo fix stuff now.

Thanks again.

Combofix run and log file attached.

I have noticed that I am not getting all of the pop-ups now saying that temporary files cannot be created so I think this may have done something good to help the problem, but I will finish the FarBar recovery tool as well.

FRST64 run and log files are attached.

Just one final thing. I have tried again to activate my license file for Avast and it still tells me that the file cannot be found. I’m not sure if this is helpful for you or not but I thought I’d let you know either way.

Hi,
About the avast license: try re-installing avast and then activate it again via the license file.
But again, it may be that some active malware is protecting itself from being deleted.

As far as FRST is concerned, something stopped it from loading and reading a specific section, which is suspicious.
Let’s run FRST in the RE environment to see whether there is a rootkit hiding…

Please download Farbar Recovery Scan Tool x64 and save it to a flash drive.

[*]Plug the flashdrive into the infected PC.
[*]Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer.
[*]Follow the prompt to enter the keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply press Enter.

In the next menu, use the arrow keys on the keyboard to highlight Command Prompt and press Enter.

[*] In the command window type notepad and press Enter.
[*] When Notepad opens, click File and select Open.
[*] Select “Computer”, find your flash drive letter and close Notepad.
[*] In the command window type e:\frst64.exe and press Enter.

Note: Replace letter e with the drive letter of your flash drive.

[*]The tool will start to run. When the tool opens click Yes to disclaimer.
[*]Press Scan button.

It will make a log (FRST.txt) on the flash drive. Please attach it to your reply.

Attached is the required log after running Farbar as you said.

OK, we’ll run ComboFix with a CFScript from normal mode.

Open notepad and copy/paste the text present inside the code box below:

ClearJavaCache::

File::
C:\Users\Jarrod & Mini\QTPluginInstaller.exe

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows.

Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply (typical location: C:\ComboFix.txt ).


Have you tried to re-install avast and then insert the license?
How’s your computer running now?

Hi

I ran the Combofix again and got the log file. I attached it from my home PC (but it looks like it didn’t work as I can’t see my last reply in the thread). I am writing this from my Work PC so at the moment I don’t have access to the log file.

Also I uninstalled Avast! as you suggested, but when I tried to re-install it, there is something preventing me from running the .exe. I tried to install using safe mode and it still won’t. Do you think I will need to install using safe mode with command prompt (or is there some other way that I can re-install Avast). I have unplugged the internet from my PC at the moment as it is now unprotected and I don’t really feel like getting more worms/viruses.

What do you suggest I do now?

Hi

I have heard recently that there has been an influx of Ransomware that has been found on computers around here (got an email from my work ICT department warning about excessive ransomware reports) and I was wondering if this could possibly be the problem. Although I assume that it possibly isn’t as I haven’t received any warning or notifications requesting payments for anything.

I don’t really know anything about Malware so I could be dead wrong, but I thought that if it was a possibility that you might like to know about it as it may give you some ideas.

Let me know if you can think of anything that would be beneficial to my PC.

Thanks again for everything and sorry that it’s being such a temperamental piece of Malware haha.

Hi :)

Here is a description of ransom malware, what it looks like and its malicious intent.

The last posted log does not indicate malware, not any more. Naturally, to confirm that I’ll need to see the last ComboFix.txt report.

And I cannot say why you cannot run the installer or the license file itself (have you tried downloading a fresh avast setup?). If it is down to file associations, CF should have corrected that, so …

Attached is the Combo Fix log you required.

Thanks

Hi again.

So I just thought I’d let you know where I am up to at the moment. I have found the reason why I was not able to install any programs. I am not sure if it was malware related or not, but for some reason my Temp folder was getting deleted and could not be re-created in the user profiles. So I changed the Temp folder location to default to C:\Temp and I have successfully installed and activated Avast again. After that I ran Malwarebytes and a few other spyware and malware programs and all came up clean, so I am not sure if it is fixed or not, but for the moment it seems it may be.

Despite the above I am still receiving an error message from Google Docs when I start up my computer regarding temp folder access, but I have a feeling that it is to do with Google Docs itself more so than any malware. Let me know if you feel the same way regarding this or if I should still be concerned.

Thanks for all of your help and I hope that my issues are fixed. Although if you find anything suspicious in the last Combofix log that I posted please let me know ASAP.

Cheers for everything.
Raz
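The "temp folder access" symptom above (GMER's CreateFile failure in %TEMP%, AutoCAD refusing to start, and the Temp folder that vanished from the user profile and could not be re-created) can be checked directly rather than inferred from which installers fail. The script below is an added example, not something posted in the thread or shipped by Avast: it reads the stored TEMP/TMP values for the user and the machine without expanding them, tests whether the effective TEMP folder exists and whether the current user can actually create a file in it (the same operation GMER failed on), shows the folder's ACL, and, with -Repair, first tries to re-create the missing folder and otherwise repoints the per-user variables to a new folder (C:\Temp is assumed, because that is what the poster ended up using).

```powershell
# Added example (not from the thread): diagnose a broken or unwritable TEMP folder
# on Windows. Run from an elevated PowerShell prompt.
[CmdletBinding()]
param(
    [switch]$Repair,                 # re-create or repoint the user's TEMP/TMP
    [string]$NewTemp = 'C:\Temp'     # assumed fallback location (the poster's choice)
)

function Get-RawEnvValue {
    # Read the registry value WITHOUT expanding %USERPROFILE% etc., so a missing
    # or clobbered entry shows up as $null instead of silently falling back.
    param([string]$Hive, [string]$Name)
    $key = Get-Item -Path $Hive -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue($Name, $null, 'DoNotExpandEnvironmentNames')
}

function Test-TempFolder {
    param([string]$Path)
    $r = [ordered]@{ Path = $Path; Exists = $false; Writable = $false; Acl = $null; Error = $null }
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        $r.Error = 'folder does not exist'
        return [pscustomobject]$r
    }
    $r.Exists = $true
    $r.Acl = (Get-Acl -LiteralPath $Path).AccessToString
    $probe = Join-Path $Path ('probe-{0}.tmp' -f [guid]::NewGuid())
    try {
        # CreateFile in the temp directory: exactly what GMER and the installers need.
        [IO.File]::WriteAllText($probe, 'x')
        Remove-Item -LiteralPath $probe -Force
        $r.Writable = $true
    } catch {
        $r.Error = $_.Exception.Message   # e.g. "Access to the path '...' is denied."
    }
    return [pscustomobject]$r
}

$userHive    = 'HKCU:\Environment'
$machineHive = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
"User TEMP (raw)    : $(Get-RawEnvValue $userHive 'TEMP')"
"User TMP  (raw)    : $(Get-RawEnvValue $userHive 'TMP')"
"Machine TEMP (raw) : $(Get-RawEnvValue $machineHive 'TEMP')"
"Effective TEMP     : $env:TEMP"

$check = Test-TempFolder -Path $env:TEMP
$check | Format-List

if ($Repair -and -not $check.Writable) {
    if (-not $check.Exists) {
        # First choice: put the profile's own Temp folder back where it belongs.
        try { New-Item -ItemType Directory -Path $env:TEMP -Force -ErrorAction Stop | Out-Null }
        catch { "Could not re-create $($env:TEMP): $($_.Exception.Message)" }
        $check = Test-TempFolder -Path $env:TEMP
    }
    if (-not $check.Writable) {
        # Fallback: a fresh folder outside the profile, pointed to by the user variables.
        New-Item -ItemType Directory -Path $NewTemp -Force | Out-Null
        [Environment]::SetEnvironmentVariable('TEMP', $NewTemp, 'User')
        [Environment]::SetEnvironmentVariable('TMP',  $NewTemp, 'User')
        "User TEMP/TMP now point to $NewTemp; sign out and back in so running programs pick it up."
        Test-TempFolder -Path $NewTemp | Format-List
    }
}
```

A folder that exists but denies its own owner the right to create files, or that disappears again after being re-created, points at something changing ACLs or deleting it, which is worth looking at before simply moving TEMP elsewhere. Programs that have already cached the old path (the Google Docs error the poster still sees after the change) will keep complaining until they are restarted or re-logged in.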

Hm… instead of pronouncing you clean, I now see some new entries in the logs.

Once again we’ll use FRST for additional checks. Re-run FRST/FRST64 by double-clicking it:

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Under Optional Scan ensure that “Driver MD5” is ticked.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.

THEN…

1. Open Notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box, right-click on it and copy. Paste this into the open Notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running it on another machine may cause damage to the operating system.


File: C:\Windows\system32\drivers\zaevycfn.sys
File: C:\Windows\system32\drivers\zionvcid.sys

2. Save the Notepad file as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you that the version is outdated, please download and run the updated version.

=>> Please attach here the freshly created FRST.txt log and Fixlog.txt
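The fixlist above uses FRST's File: directive to report on two randomly named driver files rather than delete them, which is the right order: look first, act second. The script below is an added example (not from the thread, not an FRST or Avast tool) that performs the same kind of triage from PowerShell for the two paths named in the fixlist, which are treated here as unknown files, not confirmed malware. For each path it reports existence, size, timestamps, MD5 (what FRST's "Driver MD5" option lists) and SHA256, the Authenticode signature status and signer, and any entry under HKLM\SYSTEM\CurrentControlSet\Services whose ImagePath loads the file, including leftover service entries whose file is already gone.

```powershell
# Added example (not from the thread): read-only triage of suspicious driver files.
# Run from an elevated PowerShell prompt on the affected machine. Nothing is deleted.
$drivers = @(                                   # paths taken from the fixlist above
    'C:\Windows\system32\drivers\zaevycfn.sys',
    'C:\Windows\system32\drivers\zionvcid.sys'
)

function Get-DriverTriage {
    param([string]$Path)
    $leaf = Split-Path -Leaf $Path
    $info = [ordered]@{
        Path = $Path; Exists = $false; SizeBytes = $null
        Created = $null; Modified = $null
        MD5 = $null; SHA256 = $null
        Signature = $null; Signer = $null
        Services = @()
    }
    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        $f = Get-Item -LiteralPath $Path -Force
        $info.Exists    = $true
        $info.SizeBytes = $f.Length
        $info.Created   = $f.CreationTime
        $info.Modified  = $f.LastWriteTime
        $info.MD5       = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
        $info.SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        $sig = Get-AuthenticodeSignature -FilePath $Path
        $info.Signature = $sig.Status        # Valid, NotSigned, HashMismatch, ...
        $info.Signer    = $sig.SignerCertificate.Subject
    }
    # Service/driver entries that load this file name. A kernel driver normally has
    # Type 1 and starts via Start 0-3; an entry with no file behind it is a leftover.
    $info.Services = @(
        Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($p.ImagePath -and $p.ImagePath -like "*$leaf*") {
                [pscustomobject]@{
                    Service   = $_.PSChildName
                    ImagePath = $p.ImagePath
                    Start     = $p.Start
                    Type      = $p.Type
                }
            }
        }
    )
    return [pscustomobject]$info
}

$drivers | ForEach-Object { Get-DriverTriage -Path $_ } | Format-List
```

Keep in mind why the helper had FRST run from the recovery environment: an active kernel rootkit can hide its files and service keys from anything running inside the infected Windows, so a clean result from this script on a live system is not proof of absence. The same checks from WinRE need the offline SYSTEM hive loaded with reg load and the file paths adjusted to the offline drive.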

Hi

Thanks for the information. Attached are the two logs which you require. I hope they are helpful for you.

Cheers