MALWARE OR VIRUS INFECTION

Good morning all:
Can anyone help me with a Malware/virus infection on an Alienware Laptop? I have AVAST Internet Security 2015 Licensed full version installed. Lately I get multiple pop-ups from AVAST telling me it has blocked a malicious URL. The process file it points to is iexplore.exe. This happens even if Internet Explorer is not opened up. Avast used to give me a popup when I first booted my laptop with the voice saying that my avast virus database has been updated. Not getting that anymore either. I have manually updated AVAST via the Maintenance/tools tab but not sure if the update is valid or it’s updating from a malicious URL or not. So not really trusting AVAST at this point and it may be corrupt. I had updated AVAST and ran a full scan and it found some suspect files, quarantined them as it couldn’t repair them. I also did the Boot scan after this scan as AVAST recommended and it did not find anything during the boot scan. I also have MBAM which I updated and ran; it found a few files corrupt and couldn’t repair those. This morning after boot up, with task manager opened to check resources, cpu usage was intermittent from low % usage and then jumping up to 100% usage. Obviously at 100% usage, the laptop was slow or non-responsive for any commands. I know I’ve got an infection, I know it’s there, I just don’t know what it is or where it is, and it is deep rooted, and it is fighting like hell to stay hidden. Teeing me off, annoying me, and making me wish I could put a contract out on virus developers world-wide.
I apologize in advance for any poor forum etiquette on my part. Although I am a long time licensed user of AVAST on multiple Desktops/laptops in my home, this is my first time posting in a forum looking for help. Past infections I have had I have been able to eradicate/clean on my own; this time I am lost for answers.
Thanks in advance
Ed

How to receive help instructions https://forum.avast.com/index.php?topic=53253.0

Thanks for the reply Pondus. I will update and run MBAM in accordance with the help link instructions, after I get home from work.

For help you need to attach the requested logs

Avast used to give me a popup when I first booted my laptop with the voice saying that my avast virus database has been updated. Not getting that anymore either.
Info posted a million times ..... see here https://forum.avast.com/index.php?topic=163666.0

Thanks for that link Pondus. Now I understand why Avast doesn’t give me the popup with the fem voice saying, “Avast virus database has been updated”!! I loved hearing that voice first thing in the morning with my coffee. I guess she would get old to hear her 516 times within a 24 hour period. MBAM first up this afternoon after work, open it, update it, run the scan, post copy of the scan results log to my thread.

I did the MBAM scan (Log File attached) I tried to download FARBAR and got a security alert that says, “Your current security settings do not allow this file to be downloaded”. So now what do I do?

Is it avast that gives that message? If so, right click the avast tray icon and pause shields.

It doesn’t appear to be an avast type message!! I tried downloading from within the avast safe zone and it appears in the download folder but couldn’t move it to the desktop!! It shows to be in the desktop folder but doesn’t show on the actual desktop itself
Modified: this is not an AVAST pop up message telling me I could not download the farbar file.
I’ve run malwarebytes a couple of times now including once in safe mode; it finds nothing. Tried downloading the farbar file while booted into safe mode and still got a security alert box that says, “Your current security settings do not allow this file to be downloaded.” Have tried downloading other type files including attachments posted in the forum and now all downloads are blocked with that same pop up security alert message.

I am getting the same thing going on I’ve read about in other threads in here. Interval pop ups from AVAST saying it has blocked an infection. Latest one has for infection details:
URL: hxxp://go.wvydeo.com/results…etc and etc
Infection: URL:Mal
Process: C:\Program Files\Internet Explorer\iexplore.exe

There is a lot more to the URL then what I typed but you’ve seen it elsewhere in this forum many times now. No sense to have it all up there. But this pops up from avast with sometimes the same URL and sometimes different ones.

Your computer has been infested with a creepy browser hijacker virus that should be removed from your PC, it came in by visiting that online link. File up the logs and wait for the help of a qualified remover as described here: https://forum.avast.com/index.php?topic=53253.0

polonus

Tried downloading the farbar file while booted into safe mode and still got a security alert box that says, "Your current security settings do not allow this file to be downloaded." Have tried downloading other type files including attachments posted in the forum and now all downloads are blocked with that same pop up security alert message.
Can you download FRST on another computer and move it over with a USB stick.....

Pondus: I will be picking up a couple of cheapo USBs today on the way home from work and will download the programs on another computer and then try to move them onto the laptop’s desktop this afternoon/evening. Last night after my frustrating download attempts were blocked, I disconnected the machine from my LAN/internet and let AVAST run a quick scan offline. It did find a few files that it marked THREAT HIGH and moved them to the AVAST Chest where they currently sit as I did not delete them from the chest. My big question here is: when I run the FRST and aswMBR programs on the infected laptop (if I am successful in getting them onto the desktop from a USB), does the laptop need to be connected to the internet while I am running either of them, or can they both be run with the laptop offline?

I also wish to extend my thanks to all the volunteers in here who devote such massive amounts of time to all of us who find ourselves in these preventable situations. I understand that this is a thin availability time of year for volunteers in here and I appreciate all the assistance for me as well as others.

When I run the FRST and aswMBR programs on the infected laptop (if I am successful in getting them onto the desktop from a USB), does the laptop need to be [b]connected to the internet while I am running either of them[/b] or can they both be run with the laptop offline?
No......

Ok I was able to download and run FRST & saved the log! Downloaded & running aswMBR now!! AswMBR appears to have stopped on one file and is lingering there! Appears nothing is happening. Is this normal? It was scanning the C drive and looks stopped/hung up on one file! But there are no error messages from it nor does it say not responding!

Just drop aswMBR and attach the two logs from FRST

Attached are the two files from the FRST scan. The aswMBR scan was stopped manually by me as it appeared to hang, and I restarted the scan and it stopped on the same file the second time and appears to be hung up. Windows task manager indicates aswMBR is still running. I am running aswMBR for a third time now and it appears to be hung up on the same file as the previous two times. I am letting it sit for a bit as there is NO program not responding message and windows task mgr says it is still running.

Attached is my aswMBR scan results text file. My Frst files were uploaded previous post.

Close! But not (quite) true. His infection is POWELIKS. But I find it curious that there is no Group Policy or IFEO Blacklist set on his system…

Also: (Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe
What’s that? You messing around in the Registry?

Remover Notified.

Hello edmundo1 and welcome to avast!. I will be working on your Malware issues.

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the ‘all clear’ even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper

Let’s start with this mighty ARK scanner. Make sure you run fixdamage.exe after disinfection.


Please download Malwarebytes AntiRootkit (MBAR) and save it to your desktop.
For full instructions on how MBAR works, read this article

> Double-click on the MBAR file (http://www.mcshield.net/personal/magna86/Images/mbar.png) and allow it to run.
• Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.
mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.
• After reading the Introduction, click Next if you agree.

• On the Update Database screen, click on the Update button. Once you see ‘Success: Database was successfully updated’ click on Next
• Under Scan Targets ensure all boxes are ticked. Then click the Scan button.

Notice: with some infections, you may see two message boxes:

  • ‘Could not load protection driver’. Click ‘OK’.
  • ‘Could not load DDA driver’. Click ‘Yes’ to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

>> If malware is not detected, click the Exit button to close the program and post the mbar-log-year-month-day.txt and system-log.txt reports.

>> If infection(s) are found, ensure Create Restore Point is ticked. Then select the Cleanup! button to remove threats.
• The clean-up procedure will be scheduled and a pop-up will be shown.
Select the Yes button and the system should re-boot to complete the cleaning process.

>> Notice: only if a rootkit is detected, ensure you run the fixdamage.exe tool located in the mbar folder, \Plugins\fixdamage.exe

  • Run fixdamage.exe; at the black window, type Y (alias for Yes) to continue. Wait a few seconds for execution …
  • When you see “press any key to exit” the fix is completed; press any key to close the window. Reboot the system.

> The following reports will be created in the mbar folder:

  1. mbar-log-year-month-day (hour-minute-second).txt
  2. system-log.txt

Please post both logs in your next reply.

Okay magna86, I ran ARK and the logs are attached. Looks like it found two Malware items and I did the cleanup and restart as directed by ARK. Do I need to run the fixdamage.exe or not?