This virus has been plaguing me for some time now.
Now, I’ve searched the interwebs (and this site) and I know you have already confirmed that the Avast4 folder in C:\Windows\Temp is used by Avast for decompression, however there’s one issue: I uninstalled Avast, a week ago actually. I recently upgraded to GDATA. The folder, no matter how many times I deleted it, reappeared. I went into safe mode, opened registry editor, and used my common sense to determine which Avast! registry keys were unnecessary. I deleted them. All of them. Back on the full system, it has made an effect. All components of my computer are now working, however the Avast4 folder shows random pop up messages telling me that I, “Have insufficient rights to delete this folder”. I hit OK, and then the folder gets deleted.
If that isn’t enough proof, both Avast! and G-DATA denied registry changes, as well as port attacks, yet were unable to find the source of the problem.
Malwarebytes’ Anti-Malware was clean
Spybot Search and Destroy was clean
Ad-Aware was clean
GData was clean
Avast! was clean
After I uninstalled Avast though, I kept getting these, “Access to registry denied” messages from my AV.
Also, I did a scan with Avast! that lasted 4 hours, and it came up with a few results, most of which were false positives. One interesting thing that did pop up, however, was Win32.WinSpy (Trj). I don’t know if it could have falsely misidentified a file. However, Avast was “conveniently” bugging and the “Send to chest!” button was not working. Now, I don’t know if I’m crazy, but that seems like intentional tampering to me.
“When closing file “C:\Windows\Temp_avast5_\unp197631899.tmp” the virus “Gen:Trojan.Heur.GM.0004808D18 (Engine A)” has been detected. Access denied.”
I attached a HJT log, so anything you guys can provide would be great.