Constant Avast Blocked Popup - "reannewscomm"

Hi,

Some introduction before I get to the problem.

Today I was watching a YouTube video and got a virus notification. I thought nothing of it as Avast blocked it, until I started getting these popups requesting server access to my computer to download a file called “thawbrkr.dll”. Every time I clicked “no” the popup would reappear after about 1-2 minutes. I tried to determine what was causing the popups to appear, to no avail (I’m fairly experienced with dealing with viruses and malware, so I checked the usual places: AppData, ProgramData, Windows, Program Files, and Temp folders, but found nothing at all). I figured that accepting it would give the virus more access, but I was at wits’ end and figured that once it was on the machine I could get rid of it.

So now I have this virus that keeps being blocked by my Avast Antivirus scanner, called “Reannewscomm.com”. Every 10-15 seconds it blocks its attempt, for the past 2-3 hours now that I’ve been trying to get rid of it. I ran a complete scan of Malware Fighter and it did not detect it, and a complete scan of Avast Antivirus, and it didn’t find it. I’ve looked in the usual places again, deleted any temporary files that came onto the computer today (March 8) and any cookies for today, and re-updated both Avast and Malware Fighter, to no avail.

The precise details of the blocked virus are as follows:

Object = http://reannewscomm.com/ads.php?sid=1967
Infection = URL:Mal
Process = C:\Windows\Explorer.exe

I tried to follow several guides on how to remove it manually (as the other option requires buying a tool that I’ve never heard of before and it only scans for free), and none have succeeded. All the usual indications of this virus are not present yet as Avast blocks it from putting those down and activating them. However, something is clearly trying to activate but I don’t know where to find it.

The popups only appear when I’m connected to the internet. When I disconnect from the internet (I use a wired connection) the popups cease to pop up, leading me to believe that the server I allowed access to my computer is trying to create the virus or deploy the virus or something. I dunno. As stated, neither Avast nor my Malware Fighter detects the virus on my machine, and thus I feel that that server is causing the issue. So… does anyone know how to block a server from accessing the computer AFTER you’ve given it permission to have access?

However, something strange did happen recently. After trying to solve the problem for 4 hours, I got frustrated and left the computer alone. When I returned, it sounded like the computer was playing a podcast… though no podcasts were found on my machine, no Internet Explorer windows were open and no media-player-type programs were active. Disconnecting the internet / resetting the router didn’t stop this podcast, but ending Explorer.exe did (though that made the system unstable, forcing me to restart it). The other thing of note is I have limited download capabilities right now (I can download a file if I click Save Target As, but not by any other method (i.e. Run / Save / Save As; these crash Internet Explorer)).

Any help would be appreciated.

Attach your basic diagnostic logs. (MBAM, FRST and aswMBR)
Instructions: https://forum.avast.com/index.php?topic=53253

Logs

EDIT:
(When attempting to post logs initially, internet explorer crashed)

The final log couldn’t be acquired as the program froze my machine entirely forcing a hard restart. It froze while scanning Windows → System32 → DiagCpl.dll

OK, now you have to wait a bit…

Managed to get the log from the final program by changing my IP address manually.

Let me know if this kills it

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKU\S-1-5-21-429370524-3042837960-4195566341-1001\...\Run: [QujiBvaw] => regsvr32.exe "C:\Users\Jason\AppData\Roaming\QolaRzavd\YitUvfo.dll"
C:\Users\Jason\AppData\Roaming\QolaRzavd
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on “Clean”.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S0].txt as well.

Hmm, I’ll try that.

One thing I did notice after leaving my computer disconnected from the internet for a while and coming back to it this morning, the popups have stopped when I connected to the internet.

I had been fiddling with ipconfig before I disconnected (I tried to switch over to IPv6 from IPv4, but that didn’t work; nor did release or renew, but then I tried flush DNS and registerDNS). However, I doubt that means it is gone (probably hibernating or biding its time), so I’ll still do this suggestion and get back to you.

I ran that FRST program again with the fixlist; it asked me to restart, and I did. It partially worked. By partially, I mean it got rid of the reannewscomm popups, but they have now been replaced with two new ones I’ve never seen before, for two different URLs; otherwise the same: URL:Mal and C:/Windows/Explorer. But they only appeared once, after I booted up.

Trying next program.

OK, did that. Reannewscomm appears to be gone, but at restart I had 4 blocked URL:Mal C:/Windows/Explorer, weirdly named sites, each different from the last.

Here is the log. (Didn’t find it in C:/ though, found it in Program Files)

Could I see the FRST fixlog please? Are you still getting alerts?

I spoke too soon. Today Reannewscomm.com came back, and the others aren’t around. So frustrating.

Um… I don’t know if it did produce a log. But I’ll check.

EDIT: Found it!

EDIT 2: Nope, the other 4 just re-appeared. Poop.

EDIT 3: I will mention that the Fix didn’t technically kill the virus. It moved a “copy” of the virus to quarantine, but a fresh copy was rebuilt at C:/Users/Jason/AppData/Roaming/QolaRzavd, or it copied the virus to quarantine and left the original… not quite sure which. Anyway, I left the virus copy in quarantine and deleted the original, but I’m still getting the popups. Note, I was getting them before and after deleting it, so I doubt deleting the original is problematic.

Could I have a fresh FRST log please, and also a screenshot of the popups?

Sure, I’ll rerun FRST64.exe and try to get screenshots of the popups.

Okay, reran, nothing detected, but uploading logs anyway. Also, got 4 screenshots: 1 for Reannews, and 3 for ones I’ve never seen before, and not the earlier 4 I mentioned. Haven’t seen those pop up again recently, so no screenshots for them. But…

In Task Manager, in Processes, I’m noticing several of these pop up, increase in memory and CPU, and then disappear. These tend to correlate precisely with when I get another popup. Also, I have about 4-5 of them active in my Task Manager as well. Processes (if it helps):

COM Surrogate
Console Window Host
CTF Loader
Windows Installer
Client Server Runtime Process

I’ll also mention that since the virus is only active when I’m online, these processes are not active when I’m offline, if it helps, and only become active the moment I plug in my wired connection.

4 attachment maximum, so posting other two here.

I would like you to run this fix from safe mode as the bad boy has re-appeared

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKU\S-1-5-21-429370524-3042837960-4195566341-1001\...\Run: [QujiBvaw] => regsvr32.exe "C:\Users\Jason\AppData\Roaming\QolaRzavd\YitUvfo.dll"
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]
2016-03-08 13:39 - 2016-03-08 15:47 - 00000000 ____D C:\Users\Jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpyHunter
2016-03-08 13:39 - 2016-03-08 13:39 - 00003336 _____ C:\Windows\System32\Tasks\SpyHunter4Startup
2016-03-08 13:38 - 2016-03-08 13:38 - 00022704 _____ C:\Windows\system32\Drivers\EsgScanner.sys
2016-03-08 13:18 - 2016-03-08 13:18 - 00000000 ___HD C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}
Task: {5B66FAC9-6967-42C8-80C9-62DA1432E660} - System32\Tasks\SpyHunter4Startup => C:\Program Files\Enigma Software Group\SpyHunter\Spyhunter4.exe
HKU\S-1-5-21-429370524-3042837960-4195566341-1001\Software\Classes\.exe: exefile => <===== ATTENTION
HKU\S-1-5-21-429370524-3042837960-4195566341-1001\Software\Classes\exefile: <===== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\str => ""="service"
C:\Users\Jason\AppData\Roaming\QolaRzavd
RemoveProxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.
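The two fixlists in this thread were assembled by reading FRST log entries and picking out the ones that point at persistence: a per-user Run key that launches regsvr32.exe against a DLL under AppData\Roaming, an orphaned driver entry (FRST marks a missing file with [X]), a per-user override of the .exe file association (the ATTENTION lines), and non-default SafeBoot entries that survive a Safe Mode boot. The triage script below is an added example, not part of this thread or of FRST; it applies those same selection rules to FRST-style log lines. The sample lines are constructed from the entries quoted in the fixlists above, plus one made-up benign Run entry as a control, and the line formats are assumed from what the page shows.

```python
import re

# Constructed sample: FRST-style log lines modelled on the fixlist entries
# quoted in this thread, plus one made-up benign autorun as a control.
SAMPLE_FRST_LINES = [
    r'HKU\S-1-5-21-429370524-3042837960-4195566341-1001\...\Run: [QujiBvaw] => regsvr32.exe "C:\Users\Jason\AppData\Roaming\QolaRzavd\YitUvfo.dll"',
    r'HKLM\...\Run: [ExampleVendorTray] => C:\Program Files\Example Vendor\tray.exe',  # constructed benign control
    r'S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]',
    r'Task: {5B66FAC9-6967-42C8-80C9-62DA1432E660} - System32\Tasks\SpyHunter4Startup => C:\Program Files\Enigma Software Group\SpyHunter\Spyhunter4.exe',
    r'HKU\S-1-5-21-429370524-3042837960-4195566341-1001\Software\Classes\.exe: exefile => <===== ATTENTION',
    r'HKU\S-1-5-21-429370524-3042837960-4195566341-1001\Software\Classes\exefile: <===== ATTENTION',
    r'HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice => ""="Service"',
]

# Autorun entry: "<hive>\...\Run: [name] => command"
RUN_RE = re.compile(r'^(?P<hive>HK\w+)\\.*\\Run: \[(?P<name>[^\]]+)\] => (?P<cmd>.+)$')
# Script-host / DLL loaders that malware commonly abuses to run a DLL without its own EXE.
LOADER_RE = re.compile(r'\b(regsvr32|rundll32)(\.exe)?\b', re.IGNORECASE)
# Locations a standard user can write to; signed vendor software rarely autoruns from here.
USER_WRITABLE_RE = re.compile(r'\\(AppData|ProgramData|Temp)\\', re.IGNORECASE)
# Service/driver line: "<start-type> <name>; <path>" with FRST's [X] marker for a missing file.
SERVICE_RE = re.compile(r'^[SRU]\d ')
# Per-user override of how .exe files are opened (takes precedence over HKLM for that user).
USER_EXE_ASSOC_RE = re.compile(r'^HKU\\[^\\]+\\Software\\Classes\\(\.exe|exefile)\b')
SAFEBOOT_RE = re.compile(r'\\SafeBoot\\(Minimal|Network)\\')

REASONS = {
    "autorun_dll_from_profile": "autorun loads a DLL from a user-writable folder through regsvr32/rundll32",
    "orphaned_service": "service or driver entry points at a file FRST could not find ([X])",
    "user_exe_assoc_override": "per-user .exe association override; every program launch for this user goes through it",
    "safeboot_entry": "SafeBoot entry: this service is allowed to load in Safe Mode too",
    "frst_attention": "flagged by FRST itself (ATTENTION)",
}


def classify(line):
    """Return a reason code for one FRST log line, or None if nothing stands out."""
    line = line.strip()
    m = RUN_RE.match(line)
    if m and LOADER_RE.search(m["cmd"]) and USER_WRITABLE_RE.search(m["cmd"]):
        return "autorun_dll_from_profile"
    if SERVICE_RE.match(line) and line.endswith(" [X]"):
        return "orphaned_service"
    if USER_EXE_ASSOC_RE.match(line):
        return "user_exe_assoc_override"
    if SAFEBOOT_RE.search(line):
        return "safeboot_entry"
    if "<===== ATTENTION" in line:
        return "frst_attention"
    return None


def triage_frst_lines(lines):
    """Return (line, code, explanation) for every line worth a responder's attention."""
    findings = []
    for line in lines:
        code = classify(line)
        if code:
            findings.append((line.strip(), code, REASONS[code]))
    return findings


if __name__ == "__main__":
    for line, code, why in triage_frst_lines(SAMPLE_FRST_LINES):
        print(f"[{code}] {why}\n    {line}")
```

The Task: line for SpyHunter is deliberately not flagged: it is leftover from a legitimately installed tool and was removed in the fixlist as cleanup, not as malware, which is the distinction a triage pass should preserve. The Run-key rule is the one that explains the user's symptoms: regsvr32.exe loads the DLL inside a trusted host, so the alerts name Explorer.exe or other system processes rather than a separate malicious executable.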

Can’t. Restarted in Safe Mode, and whenever I click to run the program, with or without Run as Administrator, explorer.exe crashes and resets back to the Help / Support screen that initially pops up when restarting in Safe Mode.

EDIT2: I just noticed that the file I tried to use may not have been the original FRST, so I’m going to try the original FRST in safe mode now.

EDIT: After deleting the original virus in Roaming, the virus threw a tantrum for the reannewscomm WITHOUT running FRST, at restart, with Register Server stating that it couldn’t be found.

However, the other viruses have returned in force.

The popups go away before I can grab screenshots, but the files they are trying to use are in C:/Windows/System32/, all by a new virus called “xml.infinity.info.com”:

  • conhost.exe
  • msiexec.exe
  • explorer.exe
  • ctfmon.exe
  • PresentationHost.exe
  • msdtc.exe
  • taskhost.exe
  • notepad.exe (found in windows)

If none of the fixes here will solve the problem, I will be forced to use the last-resort option, which is to contact my ISP and see if they can block the servers from contacting me (as they’d have to send their signals and viruses through my ISP to do it). However, I’m reticent to do this as I’m not sure it will work OR if they could do it.

Nope, wouldn’t work in Safe Mode. So I ran it in normal mode, and it “appears” to have killed the virus.

I had no popup for register server at boot up this time. And haven’t yet had any other Avast popups.

I’ll remain watchful for the rest of the day to ensure it isn’t hiding somewhere, but I believe that finally did it so…

THANK YOU VERY MUCH I REALLY APPRECIATE IT!

Uploading fixlog just in case.

Looks like the main miscreant was hiding in the program data folder

Could I have one final FRST scan to check, please?

Sure, I can do that. Here are the logs.