Persistent trojan IPH.Trojan.vawtrak

This has popped up a second time. The symptom is AVAST popping up repeated threat warnings every time Internet Explorer is opened about a website at transfer.net

The worrying thing is that Avast doesn’t appear to block or detect the Trojan itself, it only detects its actions, which I presume are attempts to send IE off to a nasty site to download some crap

Even a full system scan and boot scan do not detect any problems using avast

I have to use Malwarebytes to get rid of the damn thing

The second time this happened it just appeared without any warning, so I presume one of the websites I was browsing is infected, most likely the Guardian UK newspaper

Malwarebytes reports an infected file and what looks like a registry key as well. It effectively removes the problem, but why isn’t Avast?

How do I stop this thing?

Malwarebytes scanlog:

[i]Malware Database: v2015.09.02.06
Rootkit Database: v2015.08.16.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Richard

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 344653
Time Elapsed: 3 min, 34 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 1
IPH.Trojan.VawTrak, HKU\S-1-5-21-2012706291-1211643455-3253695099-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|BefhAmgix, regsvr32.exe "C:\ProgramData\BefhAmgix\VoxbOwazn.qnb", Quarantined, [fd21a18abad1b185ffdff0106b95fe02]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
IPH.Trojan.VawTrak, C:\ProgramData\BefhAmgix\VoxbOwazn.qnb, Quarantined, [fd21a18abad1b185ffdff0106b95fe02],

Physical Sectors: 0
(No malicious items detected)

(end)[/i]

Do I need to do more?

Malwarebytes reports an infected file and what looks like a registry key as well. It effectively removes the problem, [b]but why isn't Avast?[/b]
[b]NO[/b] security program has 100% detection or zero false positives.

And bad guys send out new versions every day. Statistics: https://www.av-test.org/en/statistics/malware/

If you want a check:

Follow the instructions here https://forum.avast.com/index.php?topic=53253.0
Attach the Farbar Recovery Scan Tool logs … 2 logs total

See below the box you write in … Attachments and other options

Banking Trojan Vawtrak: Harvesting Passwords Worldwide
http://now.avg.com/banking-trojan-vawtrak-harvesting-passwords-worldwide/
http://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/3141/vawtrak-plagues-users-in-japan

So I suggest changing all passwords after your computer is confirmed clean

By “change all passwords”…err, what ones? Everywhere? There are dozens. I cleared the thing off using Malwarebytes and ran full scans with that and Avast after the first lot and have since used things like Amazon and PayPal (but thankfully no bank site)

Why isn’t Avast catching these things, should I install something like AVG as well?

Naturally I am monitoring things to ensure no unauthorised purchase or payments are happening. My bank will only authorise payments by using a home card reader anyway and I specifically registered PayPal with a limited transaction card

How do I post attachments?

How do I post attachments?
Explained in my first post
Why isn't Avast catching these things, [b]should I install something like AVG as well?[/b]
Explained in my first post … and never install more than one AV

Avast detects several versions of it; I can give examples if needed

Ah.

There may be some hours’ wait before anyone from the removal team is online and checks your logs

Need to dig deeper

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now

Okay. Log attached

Computer was functioning normally after first removal using Malwarebytes, the symptom was a persistent threat warning from Avast when using Internet Explorer

Last bit, let me know of any problems after this

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
2015-08-27 22:25 - 2015-09-02 17:03 - 00000000 ____D C:\ProgramData\BefhAmgix
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that
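The Malwarebytes log earlier in the thread shows the shape of this infection's persistence (a Run value in the user's hive that hands a file in C:\ProgramData with a non-DLL extension to regsvr32.exe), and the fixlist above deletes the leftover folder, clears the proxy settings and resets BITS jobs. The following is an added example, not one of the helper's tools and not part of the original thread: a read-only PowerShell audit of those same three things, so you can see whether a loader entry, a stray proxy or an unknown BITS job is still present after a cleanup. It assumes Windows PowerShell 3.0 or later run from an elevated prompt (so every loaded user hive under HKEY_USERS is readable); the function names and the "user-writable directory" pattern are this example's own choices.

```powershell
# Added example for this thread (not the helper's tool). Read-only: it reports,
# it does not delete. Run elevated so every loaded hive under HKEY_USERS is readable.

function Get-SuspiciousRunEntry {
    # Run/RunOnce values in HKLM and in every loaded user hive whose command
    # hands a file in a user-writable directory to regsvr32 or rundll32.
    $hives = @('HKLM:')
    $hives += Get-ChildItem 'Registry::HKEY_USERS' |
              ForEach-Object { "Registry::$($_.Name)" }

    $loader   = '(?i)\b(regsvr32|rundll32)(\.exe)?\b'
    # Assumption of this example: locations an ordinary user can write to.
    $writable = '(?i)(ProgramData|AppData|Users\\Public|\\Temp\\)'
    $psNoise  = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

    foreach ($hive in $hives) {
        foreach ($sub in 'Run','RunOnce') {
            $key = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\$sub"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $props = Get-ItemProperty -LiteralPath $key
            foreach ($p in $props.PSObject.Properties) {
                if ($psNoise -contains $p.Name) { continue }
                $cmd = [string]$p.Value
                if ($cmd -notmatch $loader -or $cmd -notmatch $writable) { continue }

                # First quoted path, else first unquoted argument with an extension.
                # The thread's entry looks like:  regsvr32.exe "C:\ProgramData\BefhAmgix\VoxbOwazn.qnb"
                $target = $null
                if ($cmd -match '"([^"]+)"')         { $target = $Matches[1] }
                elseif ($cmd -match '\s+(\S+\.\w+)') { $target = $Matches[1] }
                $dir = if ($target) { Split-Path -Path $target -Parent } else { $null }

                [pscustomobject]@{
                    Key          = $key
                    ValueName    = $p.Name
                    Command      = $cmd
                    Target       = $target
                    # regsvr32 normally loads .dll/.ocx; anything else is a tell
                    OddExtension = [bool]($target -and ($target -notmatch '(?i)\.(dll|ocx)$'))
                    # the folder is what a file-only quarantine tends to leave behind
                    FolderExists = [bool]($dir -and (Test-Path -LiteralPath $dir))
                }
            }
        }
    }
}

function Get-UserProxySetting {
    # WinINET proxy values per loaded user hive; "RemoveProxy:" in the fixlist
    # clears these. A ProxyServer or AutoConfigURL you never set needs a look.
    Get-ChildItem 'Registry::HKEY_USERS' | ForEach-Object {
        $key = "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
        if (Test-Path -LiteralPath $key) {
            $s = Get-ItemProperty -LiteralPath $key
            [pscustomobject]@{
                Hive          = $_.PSChildName
                ProxyEnable   = $s.ProxyEnable
                ProxyServer   = $s.ProxyServer
                AutoConfigURL = $s.AutoConfigURL
            }
        }
    }
}

function Get-AllUserBitsJob {
    # Same view that "bitsadmin /reset /allusers" in the fixlist would wipe;
    # a job you do not recognise with a remote URL is a download channel.
    bitsadmin /list /allusers /verbose
}

Get-SuspiciousRunEntry | Format-List
Get-UserProxySetting   | Format-Table -AutoSize
Get-AllUserBitsJob
```

Run it once before and once after a cleanup: a Run value that is gone but whose FolderExists is still true is the "folder left behind" case the helper describes, and it is why the fixlist removes C:\ProgramData\BefhAmgix itself rather than only the .qnb file.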

Okay. Does this mean that my PC was still infected after Malwarebytes “removed” this thing five days ago? I ran maximum scans with Avast etc and all reported clear, and didn’t get any threat warnings (until today, when the popup from Avast reappeared)

I have since used my credit card to pay for a few things (obviously, not today, I’d never do that with Avast throwing up popup threat warnings), do I need to report to the card company, have it revoked as compromised and get them to issue a new one? I used GlobalPay and it required CC details to be entered to make a payment.

I’m REALLY WORRIED!

How on earth did this thing get on my PC? I never install crap or open attachments! Today it just appeared from nowhere

After the first removal with Malwarebytes all seemed to be functioning as normal until today

Unfortunately, like all automated tools, they just remove the offending file but leave the folder behind; this can trigger a re-infection

Alert the credit card company, but as Avast was blocking any data transfer you should be safe

These are mainly downloaded using social engineering, although new ways and means are always being devised

How is the computer behaving now ?

It is fine. But then after I did the first removal with Malwarebytes five days ago it was fine then also!

How do I prevent reinfection now that the PC is clean?

Difficult to say how to protect, as the method of infection is unknown. It appeared at 2015-08-27 22:25, if that helps you to narrow down the vector

Subject to no further problems

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Remove Combofix

Click Start then Run.
On Windows7 or Vista you may use Start Search field if Run is not available.
In the box copy/paste the following command:

ComboFix /Uninstall

Note that there is a space between "ComboFix" and "/Uninstall".

Then click OK (or press Enter ).
Wait for the uninstall process to complete.

Remove tools

Download and run Delfix
Select the options as shown

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes

Update and run weekly to keep your system clean

Unchecky

Click on the link above to be taken to Unchecky.com
click the very large Download button.
click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked; this is a fire-and-forget programme

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe

[b]How on earth did this thing get on my PC?[/b] I never install crap or open attachments! Today it just appeared from nowhere

Drive-by download – in the form of spam email attachments or links to compromised sites
Malware downloader – such as Zemot or Chaintor
Exploit kit – such as Angler

Exploit kit
http://www.trendmicro.com/vinfo/us/security/definition/Exploit-Kit

Angler
http://blog.trendmicro.com/trendlabs-security-intelligence/latest-flash-exploit-in-angler-ek-might-not-really-be-cve-2015-0359/
http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-flash-zero-day-integrated-into-exploit-kits/

Thanks for all the help guys. I already had a firewall and anti-virus and, as I said, I don’t install crap or open attachments, so I’ve no idea.

The only thing I can identify as a possible source is an update to Internet Explorer, but that was via Update and it was marked as signed by Microsoft

Anyway, I let the card company know; nothing untoward seen on the account, and they’ve noted that I let them know, so I won’t be liable for anything nasty anyway

I don't install crap or open attachments so I've no idea
Read the info I posted about exploit kits / Angler