Unending problems

There has been no attempt to circumvent Avast today but I was tricked by that once this week (one day off then returned the following day)

I’m sure that you’re already all over this but I noticed that some of the registry keys shown on the OTL report are associated with Trojan Z.Access

Reports are attached and I hope you have a good weekend.

JanDG
Boise, ID

Hi,
Do you know about this regfile?

C:\Fixit50388.reg

PS: be careful with this regfile not to load its values.

I'm sure that you're already all over this but I noticed that some of the registry keys shown on the OTL report are associated with Trojan Z.Access
ZAccess (aka ZeroAccess or 0access) is a nasty rootkit. The section that you saw in the OTL.txt log is a special check for the 0access rootkit in its quest for loading files and registry values. All your listed entries and lines are legitimate.

Open notepad and copy/paste the text present inside the code box below:



Firefox::
FF - ProfilePath - c:\users\jan\appdata\roaming\mozilla\firefox\profiles\7ae7yqnj.default\
FF - prefs.js: browser.startup.homepage - hxxps://startpage.com/do/mypage.pl?prf=dcb62b2a934916af554ee73a1ceaa4dc



Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows. Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)


Test your machine and tell me how your computer is running now.

Hi Magna,

The Fixit file is a MS attempt to reset hyperlinks damaged by the uninvited installation of Google Chrome. BTW, it didn’t work and resetting had to be done manually.

I have (indirectly) identified ib.adnxs on the machine - the urls of the popups begin with adnxs.com. Made a few feeble attempts to remove it but it wasn’t happening. Blocked the annoyance but didn’t solve the problem by installing adblock plus for FF.

This is the second day that there was no attempt to lower Avast’s shields so I’m excited about that.

ComboFix file attached. BTW, the pev.exe file stopped working about 1/2 way through the scan but I guess that isn't unusual with ComboFix.

Again, thank you for all the time you've spent on this. It is my unqualified opinion that all of the crap that has found its way to my computer was downloaded at the same time from the same site.

JanDG

I ran another scan with Avast and it indicated the following virus

MPPT97:Shell Code-O [Expl]
Path: D\hpapps\APP05660\src\setup\setup\APP\IDSDefs\sigs\DAT

I have no idea whether this is a real virus or not but I moved it to the “chest”

Hi,

Path: D\hpapps\APP05660\src\setup\setup\APP\IDSDefs\sigs\DAT
It's not the system root partition, so the detection is heuristics-related.

Step#1
Re-run OTL.exe.

  • Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

:files
c:\users\jan\appdata\roaming\mozilla\firefox\profiles\7ae7yqnj.default\extensions\plugin@selectionlinks.com
:files
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt /c
ipconfig /release /c
ipconfig /renew /c

:commands
[CREATERESTOREPOINT]
[emptytemp]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered; it will reboot the system when it is done and open Notepad with the log report. Attach that log report here.


Step#2

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select “Run as Administrator”.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.


Step#3

Reset Firefox to default:
Note: before this action, just as a precaution, back up your bookmarks.

I want you to reset Firefox back to defaults; to do this I need you to do the following:

At the top of the Firefox window, click the “Firefox” button,
go over to the “Help” sub-menu
(on Windows XP, click the Help menu at the top of the Firefox window) and select “Troubleshooting Information”.
Click the “Reset Firefox” button in the upper-right corner of the Troubleshooting Information page.
Click “Reset Firefox” in the confirmation window that opens.
Firefox will close and be reset. When it's done, click “Finish” and Firefox will open.



Step#4

Re-run OTL for a fresh scan…

  • Make sure all other windows are closed and let it run uninterrupted.
  • Click on Scan All Users.
  • Paste this into the Custom Scans/Fixes box at the bottom:

c:\windows\system32\tzres.dll /md5

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open Notepad with OTL.txt, and it will be saved in the same location as OTL.
  • Please attach the fresh OTL.txt log in this thread.


Step#5

ESET Online Scanner

Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right-click on their Internet Explorer shortcut and select Run as Administrator.

  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double-click on it to install and a new window will open. Follow the prompts.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Click Start.
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings; ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan.
  • Wait for the scan to finish.
  • When the scan is done, if it shows a screen that says “Threats found!”, then click “List of found threats”, and then click “Export to text file…”.
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
  • Close the ESET online scan, and let me know how things are now.


How is your computer running now? Any pop-ups/warning…?

Logs attached

ESET ran for 3.5 hours and found no viruses

The system appears to be running fine. No further attempts to drop the shields, hard drive running much more quietly and no pop-ups or redirects.

Magna, attempts to drop Avast’s shields began again this morning.

I give up. Whatever this is, we’re not going to get at it.

One question though. Is there anything I can do to minimize the possibility of this happening again. Since it slipped past Avast (and probably every other anti-virus checker out there) would running MalWare Bytes (or any other product you might recommend) with Avast make any difference?

Anyhow, thanks again for everything you’ve done.

Hi,

I see some new malware and legit entries… These entries weren't in the past logs. Somehow, the machine has been re-infected.
You might be running or doing something with the machine and unconsciously re-infecting it.

It's time to upgrade from avast5 to avast7.

There is no more sense in trying to disinfect the system with the old AV engine.


  1. Delete old Combofix ( drag&drop to recycle bin)
    Download new&fresh Combofix from here:
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe

  2. Open notepad and copy/paste the text present inside the code box below:



KillAll::

Driver::
LAJKB
GXR

File::
C:\Users\Jan\AppData\Local\Temp\LAJKB.exe
C:\Users\Jan\AppData\Local\Temp\GXR.exe

ClearJavaCache:: 


Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows. Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)


Re-run OTL. Just click on the Run Scan button and attach the fresh OTL.txt log report here.

…if after the avast upgrade & fix you still have some pop-up, take a screenshot of that error/pop-up so I may see what it is.

Nope, I’m running Avast 7 with the most current updates - 7.0.1474 and 180205-0. The path indicated i.e. \Alwil\Avast5 is a source of confusion to me.

After yesterday’s 3.5 hour virus check, I only visited 2 or 3 sites and then shut down for the day. The sites I visit are fairly benign but yesterday I did do a Java update but from their site, not from a pop-up or reminder. If there is a tool available where I can check the URLs I visited yesterday for malware downloads, I’ll check them out.

Logs attached.

Please go to systemroot and attach Combofix.txt log now for review. ( C:\ComboFix.txt )

Your system should be malware free now, because I do not see active malware in the last OTL log.
Whatever makes that pop-up/warning should not be of malicious origin. But I really want to know what the problem is…

We need to get the answer directly from avast ( your AV ).


Nope, I'm running Avast 7 with the most current updates ...
Hm...

Uninstall avast from control panel > add or remove programs.
reboot your system…
Then download avast uninstall tool from here:
http://singularlabs.com/uninstallers/security-software/
Run the tool to remove all possible AV leftovers …
reboot system

Download fresh avast setup ( you may download fresh avast from here: http://www.filehippo.com/download_avast_antivirus/ )
…and do a nice and clean install.

  • Leave it on & active for ~ two days.
    In the meantime, if you get a warning or pop-up, or warnings or something like before from Avast, take a screenshot!

After ~two days, attach here the following:

  • screenshot of warning:

  • Navigate to the avast report folder and attach here the BehaviorShield.txt and FileSystemShield.txt avast log reports:

C:\ProgramData\AVAST Software\Avast\report\BehaviorShield.txt
… report\FileSystemShield.txt

  • Go to the avast logs folder and attach here the selfdef.txt avast log report:
C:\ProgramData\AVAST Software\Avast\log\selfdef.txt

Before uninstalling Avast, is there someplace I can copy the “unlock key” from or is stored someplace on my machine (hopefully not in the directory that will be uninstalled).

Would love to send a screen print but I don’t know how to do so when everything is disabled while the pop up is counting down.

Log attached

Thanks

License key? …copy it anywhere you want.

Would love to send a screen print but I don't know how to do so when everything is disabled while the pop up is counting down.
Ok. Leave it that way then if you will. If a pop-up or a warning message shows again, it is best to begin by re-installing avast. Better than repair...

But as I said, the last attached logs are clean & malware free. Something else bothers avast. :-\

When the pop-up shows, press PrtSc (aka Print Screen) or Alt + PrtSc on the keyboard a few times. That should be enough.
When you remove the pop-up, go to Paint and paste the desktop image (the pop-up's image).

PS: Check now if you have the avast logs; attach them now, I'll be happy to look at them. If not, then do as I wrote in my previous post, after re-installing avast and after the first warning message (if it shows again):

- Navigate to the avast report folder and attach here the BehaviorShield.txt and FileSystemShield.txt avast log reports:

C:\ProgramData\AVAST Software\Avast\report\BehaviorShield.txt
… report\FileSystemShield.txt

…go to the avast logs folder and attach here the selfdef.txt avast log report:
C:\ProgramData\AVAST Software\Avast\log\selfdef.txt


Also, I want you to install MCShield (just in case) to protect the system from infection through a USB device, portable HDD or the like.

Download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

  • Double-click MCShield-Setup to install the application.
  • Wait a few seconds for MCShield to finish its initial scan.
    It is recommended that under the General and Scanner tabs you click the Defaults button to choose the recommended options.
  • Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.

When all scanning is done, you need to attach the log report that MCShield has made.

Start → All Programs → MCShield → Logs

Attach here → AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

Magna,

Sorry to have been unclear. My question was “where can I find the unlock key” so I can move it out of a directory that might be deleted during uninstallation.

Can't send BehaviorShield.txt as it's 625kb or selfdef.txt as it's 1.31mb. If you'd like me to email them to you please let me know.

Thank you,

Jan

Can't send BehaviorShield.txt as it's 625kb or selfdef.txt as it's 1.31mb

Go to pastebin site:
http://pastebin.com/

Copy/paste the contents of the log to the pastebin site and click Submit.
Copy and paste the URL here so I may see the contents of the text.


About the license file… I'm not sure, I need to ask.
You're supposed to save & back up your original license file somewhere.

But leave it on for now. Don't re-install yet. I see interesting contents in the scan results of the MCShield program.
Since your logs are clean, and the USB flash drives are clean now, let's see how your PC will run now.

If you get pop-ups again, report here (with a screenshot if possible).

Behavior Shield - http://pastebin.com/pe0xH7KZ

SelfDef - http://pastebin.com/E0rsU3gp

Apparently, AVAST will resend me the license on request so we’re ok there

No pop-ups today (and they would have done so by now)

Thanks

Apparently, AVAST will resend me the license on request so we're ok there No pop-ups today (and they would have done so by now)

It seems that the problem is solved. If the pop-up somehow pops up again, reinstall avast. But it should not occur any more.
From the avast logs I do not see malicious stuff, just an attempt to access some legit Windows file which for some reason could not…

It is necessary to uninstall ComboFix!

  • Click Start, then Run.

On Windows 7 or Vista you may use the Start Search field if Run is not available.

  • In the line of text type in (or copy) the following:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

  • Then click OK (or press Enter).

Wait for the uninstall process to complete.


Re-run OTL and click on the CleanUp! button.

You will be asked to reboot the machine to finish the cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTL. Feel free to manually delete any tools it leaves behind.


Re-run AdwCleaner and click on the Uninstall button.

I recommend that you keep Malwarebytes and MCShield.
MCShield will prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
And it will not only prevent infection, but will immediately clean the memory card or external HDD.


Be safe

Magna,

Have followed all your instructions and recommendations.

I can’t thank you enough for the time you spent on this. I don’t know what kind of arrangement you guys have with Avast or whoever, but I hope the effort that you put into this is somehow recognized.

JanDG

Magna,

I'm not reopening the issue because I'm pretty much sick of it and the problem is something other than a virus anyhow.

But, if it’s helpful to you, I’m attaching a screen shot of the pop up. I have waited for the process to be identified and requested more info without success with either.

Let's again run a detailed analysis of the system…

  • Download FRST to a USB flash drive.
  • Plug the USB drive into the infected machine.

Boot your computer into the Recovery Environment

  • Restart the computer and press F8 repeatedly until the Advanced Options Menu appears.
  • Select Repair your computer.
  • Select Language and click Next.
  • Enter password (if necessary) and click OK; you should now see the screen below …

http://i1090.photobucket.com/albums/i366/garyr56/W7InstallDisk2.png

  • Select the Command Prompt option.
  • A command window will open.
      • Type notepad then hit Enter.
      • Notepad will open.
          • Click File > Open then select Computer.
          • Note down the drive letter for your USB drive.
          • Close Notepad.
      • Back in the command window …
  • Type e:\frst.exe and hit Enter (where e: is replaced by the drive letter for your USB drive).
  • FRST will start to run.
      • When the tool opens, click Yes to the disclaimer.
      • Press the Scan button.
      • When finished scanning it will make a log FRST.txt on the flash drive.
      • Exit FRST.
  • Close the command window.
  • Boot back into normal mode and post me the FRST.txt logs please.


Download DDS+ and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds+.exe

Double-click dds to run the tool.

Under Options for dds.txt, check the box for extended search period.
Click on Start.

* When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt

Save both reports to your desktop. Attach DDS.txt and Attach.txt back to the topic.


Download GMER, the AntiRootkit tool, from the link below and save it to your Desktop:

Download GMER

Double-click to run GMER.

  • Wait for the initial scan to finish; if there is any query, click No.
  • Click Scan and wait until the full scan is complete.
  • Click Save … and save the report to the Desktop (called Gmer1).
    // note: the scan for the Gmer1 log may take some time
  • Right-click in the GMER window and select Options > Only non MS files, then click Scan.
  • After a fast scan, click Save … and save the report to the Desktop (called Gmer2).

Attach the Gmer1 and Gmer2 log reports here.