I was using IE to briefly access a site and Avast immediately detected a virus - my screen momentarily went blank and then some type of “locked computer for criminal activity” screen was presented. I didn’t stay on the screen very long and instead unplugged my ethernet cable and did a hard reboot into safe mode. I did an avast scan in safemode but with no results.

After rebooting in normal mode with networking, Avast blocked a file and a system popup with a RunDLL header stated “Operation did not successfully complete because the file contains a virus.”

The most recent avast log transfer has 3501244.dll / Win32:Evo-Gen [Susp] and 4421053.js / VBS:Agent-AIG [Trj] as moved to the virus chest. I’ve since scanned with AVAST and Malware Bytes (quick scans), but they haven’t detected anything.

I haven’t been experiencing any other symptoms but I’m now paranoid that an infection still remains.

OTL log and aswMBR log attached.

Can someone help?

do a full system scan with Malwarebytes and try Hitman pro and Superantispywarethose, Norton Power Eraser, and comodo Cleaning Essentials are other useful tools. Sounds like you got hit by a piece of ransomware. Are you still in safe mode, or are you back on the regular desktop. Listen to what the mods say, they have more experience in this than I do.

This is a goo how-to remove Ransomware completely video.
http://www.youtube.com/watch?v=5Ws2IcM4CMA

I’m back to using the regular desktop. No locking or splash screens yet, but I’m afraid something might still be lurking in the background and so I don’t want to do any online banking or use log in credentials. I’m just not sure if AVAST actually caught/removed it.

I am not an expert, but may I ask what the piece of malware looked like. Did it claim to be part of the FBI. Go on you tube through the link I provide. Comment on his video saying what happened, He may help you further. Make sure you scans with some of the tools I provided.
Here is the persons website.
http://briteccomputers.co.uk/
Note: You were lucky, some of these ransomeware lock you out of safe mode, I am kind of assuming that you have the FBI Money pak since It doesn’t lock you out of safe mode.

It wasn’t any of the screens listed. I shut the computer down very quickly when the screen appeared so I didn’t have a chance to gather all the info, other than something about the computer being locked due to criminal activity, etc,. I was able to enter safemode without any issues.

As posted in the OP, avast picked up and blocked something just prior to the screen appearing, but it still hijacked my comp and showed the screen before I shut down. Booting back up into normal mode gave the RunDLL error (with no program or dll listed), but this hasn’t occurred after restarting. The only viruses found so far were moved to the chest by AVAST.

I tried downloading Hitmanpro from CNET, and it installed DJMIX toolbar which I had to use a windows restore point to get rid of. Unfortunately I don’t have any restore points prior to the criminal activity splash screen.

Link to Hitman pro
http://dl.surfright.nl/HitmanPro_x64.exe

Ask the mods for more help. You might have got hit with a drive by download( If you had not downloaded anything while you were browsing). those alerts might have blocked the Ransom rare from doing much damage leaving it harmless. Activate free license after doing a Default scan.

Also scan with these engines:

1. Superantispyware
   http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE
   2)Hitman pro
2. Norton Power eraser
   http://liveupdate.symantec.com/upgrade/NPE/1033/NPE.exe
3. Comodo Cleaning Essentials
   http://download.comodo.com/cce/download/setups/cce_2.5.242177.201_x64.zip

CCE comes with Killswitch which shows porcesses. Post a screenshot of the running processes so the mods can look at it and see if they can find any suspicious process running.

Hi I would not recommend hitmanpro nor Norton Power Eraser as first choice tools. I have had to recover many systems that they have made unbootable as they cannot handle zero access/TDL4 or TDSS safely

It looks like Avast killed it with the startup scan which is good to see, all I need to do is just clean up the detritus ;D

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
IE - HKU\S-1-5-21-2261125273-2831712280-2205663631-1000\..\SearchScopes\{EA4B13CA-FDBF-E716-8E65-65F1231BD0D7}: "URL" = http://www.startnow.com/s/?q={searchTerms}&src=defsearch&provider=Bing&provider_code=Z065&partner_id=287&product_id=463&affiliate_id=&channel=9007&toolbar_id=200&toolbar_version=2.0&install_country=US&install_date=20110519&user_guid=7D319CD6EEB4477491F1AA5433CD6CA7&machine_id=5e9b8b8ca0072de29981b25e72990719&browser=IE&os=win&os_version=6.1-x64-SP0
O4 - HKU\S-1-5-21-2261125273-2831712280-2205663631-1000..\Run: [DietPower 4.4 Update Setup] C:\Users\Riddley\AppData\Local\{C94721FD-A682-4593-813E-D9018B386EDF}\DietPowerSetup.exe /updatesetup File not found
O4 - HKU\S-1-5-21-2261125273-2831712280-2205663631-1000..\Run: [DietPower 4.4 Update Setup for All Users] C:\ProgramData\{C94721FD-A682-4593-813E-D9018B386EDF}\DietPowerSetup.exe (DietPower )
O33 - MountPoints2\{649e8cda-5f69-11e0-9ec2-806e6f6e6963}\Shell\AutoRun\command - "" = E:\InstAll.exe
[2013/02/15 17:21:12 | 095,023,320 | ---- | M] () -- C:\ProgramData\4421053.pad
[2013/02/15 17:20:59 | 000,000,153 | ---- | M] () -- C:\ProgramData\4421053.reg
[2013/02/15 17:20:59 | 000,000,062 | ---- | M] () -- C:\ProgramData\4421053.bat
@Alternate Data Stream - 1220 bytes -> C:\Users\Riddley\AppData\Local\Temp:y6Gi0s2GQZJY7gYkxCG4Ekwy
@Alternate Data Stream - 1078 bytes -> C:\ProgramData\Microsoft:fVzhF8JHlfJVwYK8HAEwcaPX
@Alternate Data Stream - 1050 bytes -> C:\ProgramData\Microsoft:c1W1POQnwZnOYz0e1Q0wT4

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Hi I would not recommend hitmanpro nor Norton Power Eraser as first choice tools. I have had to recover many systems that they have made unbootable as they cannot handle zero access/TDL4 or TDSS safely

Thanks for the help.

Here are the attached logs.

That looks good now, are there any problems ?

No problems as of yet. It was just strange that the virus locked down my computer with that screen, then vanished after AVAST picked up that file trying to run when rebooting.

If it hadn’t caught those files, I suspect I wouldn’t even be typing this ;D

Yep the ransom virus is totally dependant on one file … Kill that then you have no problems
Obviously Avast killed it on the reboot

If all is well tomorrow let me know and I will tidy up