Your Help Would Be Much Appreciated

I have Avast Internet Security installed on my computer. During the past month, I have been bothered by virus warnings issued by the anti-virus program. Unfortunately, the program has not been able to help me get rid of the virus identified.

What is bewildering is that the virus sometimes disappears but reappears at a later time; sometimes a boot-time scan identifies the virus, but sometimes not. The infected file could not be deleted from my computer in spite of manual attempts to do so.
Could someone help me solve this problem please?

Following is the sequence of events:

On 19th January, after a boot-time scan, there was a warning that a “threat”, namely VBC:Banker-EA [Trj], was identified, and the location was C:\Windows\System32\config\SOFTWARE.LOG2. When I tried to fix the problem using the facility provided by the anti-virus program, the operation stopped halfway. When I tried to delete the “virus” from the identified location on my computer manually, the delete action also failed; a window popped up and told me that the file was in use and the delete action could not be completed because the file was open in another program. It did not, however, say which program.

On 20th January, I did another boot-time scan. This time no virus was identified, but instead there was a warning that some files could not be scanned, and the file name was identified as C:\Windows\Installer\65daf8a.msp|>PATCH-CAB. However, I could not (and still cannot) find such a file on my computer, as there is no file by the name “Installer” under Windows.

Upon the recommendation of Avast technical staff, I downloaded an application called Malwarebytes Anti-Malware and did a scan. No virus was found.

On 26th January, I did another full system scan and many error messages were generated, such as “Error: the process cannot access the file because another process has locked…”, “Error: Archive is password protected (42056)” etc.

On 1st February, I did another boot-time scan. Again a virus, the same as the one found on 19th January, was found, but this time the location had changed to SOFTWARE.LOG1. I tried again to delete this file, but again without success, for the same reason: “the file was in use”.

On 10th February, I did another boot-time scan. This time no virus was identified, but there was a warning that some files could not be scanned. However, this time the error message was “Error: data error (cyclic redundancy check) (23)”, with the same file name C:\Windows\Installer\65daf8a.msp|>PATCH-CAB. Again I could not delete this file manually, for the same reason cited earlier.
On 11th February, I did another full system scan, and again files were reported as not scannable. Surprisingly, the message “Error: the process cannot access the file because another process has locked…” disappeared.

On 13th February, I did another boot-time scan. Same error message as on 10th February, and same file.
On 15th February, I did another boot-time scan, and this time a virus was again identified: VBC:Banker-EA [Trj], and the location was C:\Windows\System32\config\SOFTWARE.LOG2. Compared with 1st February, the location has returned to LOG2 rather than LOG1, though I don’t understand the significance of this change. Again, attempts to delete this file failed because “the file was in use”.

On 16th February, I did yet another boot-time scan, but this time no virus was found. What a surprise!
In the early morning of 17th February, I did a boot-time scan and no virus was identified. But when I did a full system scan later, the virus returned: the same VBC:Banker-EA [Trj] virus and the same location, LOG2. Upon completion of this second scan, the anti-virus program suggested that I immediately do a boot-time scan, but, surprise surprise, no virus was found.

I am now totally lost as to whether or not my computer is infected. How can a boot-time scan and a full system scan produce two different kinds of results? Could someone help?

Attach your basic diagnostic logs. (MBAM, FRST and aswMBR)
Instructions: https://forum.avast.com/index.php?topic=53253

Thank you very much for your response. As requested, I attached herewith the logs requested.

Please take note that after I did the aswMBR scan, the file saved was an MBR.dat file, and when I tried to attach it, it was rejected. So I had to do another scan, and while doing that scan my computer had an error and had to be restarted. Thus I had to do yet another scan. The aswMBR log attached here is the result of the third scan.

I look forward to your advice as what I should do next.

Once again thank you very much for your help.

Stephen

FRST.txt is 0 bytes, that is not correct.
Run Farbar again and attach the new logs to your next post.

As requested, here attached are the required logs.

I don’t know if the following information is relevant or not, but when I tried to do a new Farbar scan, I thought I had better choose the other version (the 32-bit version), since my previous logs were based on the 64-bit version. But when I tried to download the tool, it caused my computer to hang and I had to force-stop my computer, as I could not even shut it down. I tried to download it twice and both times my computer hung. I eventually switched back to the 64-bit version and it worked, but Windows warned me that running the scan would harm my computer.

Anyway, attached please find the two logs. Hope they are ok this time.

Thanks again.

OK, now you have to wait a bit…

Sure, thanks a lot.

I believe that the software.log is a false positive, as it is a Windows-generated text file.

Otherwise the computer looks OK

Excuse me for my ignorance, but what is software.log? Could you please explain it in layman’s terms?

Also, while I was trying to figure out how to get rid of the purported virus before I approached you, I downloaded an app called SpyHunter, which I thought was free but discovered was not. Then the app kept appearing at start-up, and I don’t seem to be able to get rid of it from my computer. When I tried to uninstall it through Control Panel, I got a window from Enigma Software Installer saying “Setup Failed. Setup script function call error.” I repeated the uninstall action in safe mode, with the same result. So how can I get rid of that app?

Thank you for your help.

On 19th January, after a boot-time scan, there was a warning that a “threat”, namely VBC:Banker-EA [Trj], was identified, and the location was C:\Windows\System32\config\SOFTWARE.LOG2. When I tried to fix the problem using the facility provided by the anti-virus program, the operation stopped halfway. When I tried to delete the “virus” from the identified location on my computer manually, the delete action also failed; a window popped up and told me that the file was in use and the delete action could not be completed because the file was open in another program. It did not, however, say which program.

LOGn files (SOFTWARE.LOG1, SOFTWARE.LOG2) are just backups of log files which the system uses to recover from problems in processes such as registry updates. They are only called into use if and when there is a problem, to help rewind changes.

As for SpyHunter, to protect the Avast forum I cannot tell you what I think of them: http://www.bleepingcomputer.com/forums/t/604046/we-need-your-help-bleepingcomputer-is-being-sued-by-the-creators-of-spyhunter/

However, let’s manually remove it and some other orphans.

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
BHO: No Name -> {C9C67E2D-B3D1-49C9-B98C-1A6DB4ECEE10} -> No File
BHO-x32: No Name -> {06433BFE-4946-4E89-823D-CD359C81CD06} -> No File
BHO-x32: No Name -> {481EE3EC-C026-4F9A-BA22-FD07654ADFC0} -> No File
BHO-x32: No Name -> {C9C67E2D-B3D1-49C9-B98C-1A6DB4ECEE10} -> No File
FF Plugin-x32: @pptv.com/plugin -> C:\Program Files (x86)\Internet Explorer\PPLite\plugin\3.5.1.0098\npplugin2.dll [No File]
S2 SpyHunter 4 Service; C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe [1042304 2016-02-15] (Enigma Software Group USA, LLC.)
S3 esgiguard; C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [15920 2016-02-15] (Enigma Software Group USA, LLC.)
S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2016-02-15] ()
2016-02-15 20:18 - 2016-02-15 20:18 - 00003414 _____ C:\WINDOWS\System32\Tasks\SpyHunter4Startup
2016-02-15 20:18 - 2016-02-15 20:18 - 00000000 ____D C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpyHunter
2016-02-15 20:18 - 2016-02-15 20:18 - 00000000 ____D C:\Users\Admin\AppData\Roaming\Enigma Software Group
2016-02-15 20:17 - 2016-02-15 20:17 - 00022704 _____ C:\WINDOWS\system32\Drivers\EsgScanner.sys
2016-02-15 20:17 - 2016-02-15 20:17 - 00000000 ____D C:\Program Files\Enigma Software Group
2016-02-15 20:15 - 2016-02-15 20:16 - 03286400 _____ (Enigma Software Group USA, LLC.) C:\Users\Admin\Downloads\SpyHunter-Installer.exe
Task: {1CEACCFA-E546-41FF-A8EE-1D0D57C9D777} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {1F02B922-038A-47BF-89A4-B41E8F8ECC4B} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {2354ED61-00DE-4034-97CD-B403FCA99DDE} - System32\Tasks\{2E3702F2-3484-463A-AC12-4C8D1E0615B9} => pcalua.exe -a "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A2ABZRI7\wmp11-windowsxp-x64-JA-JP.exe" -d C:\Users\Admin\Desktop
Task: {25A8953A-238E-4B7F-923F-67D650E9C93D} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {5EBB4FE8-8E90-493C-AA02-812285DCAC45} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {6306EC35-58E3-49D1-94C1-A842CFE12A49} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {6A4A0D56-FAF1-48D0-BC41-FA61C8505A7E} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {838C9630-9652-4461-A5FB-072EE1C2D05B} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {8C7E4A80-D059-464C-A6E6-A627EEB8AFA3} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {9BA413DF-8810-40FD-8C87-B676D23CA216} - \ASUSControlDeck -> No File <==== ATTENTION
Task: {9DC1DC26-AE88-4A49-8435-6315C961741B} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {C8C4F1F9-0859-474D-8214-6850779981E3} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {D145D1E3-2A40-45FC-9FD0-88A090BAAAEA} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {EBA4AF3A-9A83-49B5-857E-183AE2B02375} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
C:\Users\Admin\PPJR_patch_72c.exe
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that
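The fixlist above was assembled by hand from the poster's FRST log. As an added example that is not part of this thread and not code from FRST or Avast, the following Python script shows the kind of triage a helper does when reading such a log: it takes FRST-style lines (the sample below is constructed from the line formats quoted in this thread, with two made-up "Example" entries that should be kept) and picks out orphaned entries (FRST's own "No File" and "<==== ATTENTION" markers), services and drivers whose path sits under a named vendor folder, and scheduled tasks that only relaunch an installer through pcalua.exe. The selection rules, function names and the sample lines are this example's assumptions, not FRST behaviour.

```python
"""Triage FRST-style log lines into fixlist candidates.

Added example, not code from the Avast thread or from FRST. The line
formats mirror the FRST entries quoted in the thread; the selection
rules and function names are this example's own assumptions.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Constructed sample log in FRST's line formats. The SpyHunter, BHO, PPLite
# and Task lines copy the shapes quoted in the thread; the two "Example"
# entries are made up so the filter has something it must leave alone.
SAMPLE_FRST_LINES = """\
BHO: No Name -> {C9C67E2D-B3D1-49C9-B98C-1A6DB4ECEE10} -> No File
BHO-x32: Example Helper -> {00000000-0000-0000-0000-000000000001} -> C:\\Program Files (x86)\\Example\\helper.dll [2016-01-01] (Example Vendor)
FF Plugin-x32: @pptv.com/plugin -> C:\\Program Files (x86)\\Internet Explorer\\PPLite\\plugin\\3.5.1.0098\\npplugin2.dll [No File]
S2 SpyHunter 4 Service; C:\\Program Files\\Enigma Software Group\\SpyHunter\\SH4Service.exe [1042304 2016-02-15] (Enigma Software Group USA, LLC.)
S3 esgiguard; C:\\Program Files\\Enigma Software Group\\SpyHunter\\esgiguard.sys [15920 2016-02-15] (Enigma Software Group USA, LLC.)
R2 ExampleAV; C:\\Program Files\\Example AV\\svc.exe [123456 2016-01-14] (Example Vendor)
Task: {1CEACCFA-E546-41FF-A8EE-1D0D57C9D777} - \\Microsoft\\Windows\\Setup\\gwx\\refreshgwxconfig -> No File <==== ATTENTION
Task: {9BA413DF-8810-40FD-8C87-B676D23CA216} - \\ASUSControlDeck -> No File <==== ATTENTION
Task: {2354ED61-00DE-4034-97CD-B403FCA99DDE} - System32\\Tasks\\{2E3702F2-3484-463A-AC12-4C8D1E0615B9} => pcalua.exe -a "C:\\Users\\Admin\\Desktop\\setup.exe" -d C:\\Users\\Admin\\Desktop
"""

# "S2 Name; C:\path\file.exe [size date] (Vendor)" -- service/driver lines.
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);\s*(?P<path>.+?)\s+\[")
# "Task: {GUID} - target [=> action]" -- scheduled-task lines.
TASK_RE = re.compile(
    r"^Task:\s+\{[0-9A-Fa-f-]+\}\s+-\s+(?P<target>.+?)(?:\s+=>\s+(?P<action>.+))?$"
)


def classify(line: str, vendor_dirs: Iterable[str]) -> Optional[str]:
    """Return a reason string if the line belongs in the fixlist, else None."""
    s = line.strip()
    if not s:
        return None
    # Rule 1: FRST itself flags dangling references with "No File" / ATTENTION.
    if s.endswith("-> No File") or "[No File]" in s or "<==== ATTENTION" in s:
        return "orphan"
    # Rule 2: services/drivers whose binary lives under a vendor folder we remove.
    m = SERVICE_RE.match(s)
    if m and any(v.lower() in m.group("path").lower() for v in vendor_dirs):
        return "vendor"
    # Rule 3: tasks whose only job is to relaunch an installer via pcalua.exe.
    m = TASK_RE.match(s)
    if m and m.group("action") and m.group("action").lower().startswith("pcalua.exe"):
        return "pcalua-task"
    return None


def select_fix_entries(
    lines: Iterable[str], vendor_dirs: Iterable[str] = ("Enigma Software Group",)
) -> List[Tuple[str, str]]:
    """Return (reason, original_line) pairs for every line the rules select."""
    vendor_dirs = tuple(vendor_dirs)
    out: List[Tuple[str, str]] = []
    for line in lines:
        reason = classify(line, vendor_dirs)
        if reason:
            out.append((reason, line.strip()))
    return out


def build_fixlist(entries: List[Tuple[str, str]]) -> str:
    """Wrap the selected lines in the restore-point and temp-cleanup directives."""
    body = "\n".join(line for _, line in entries)
    return "CreateRestorePoint:\n" + body + "\nEmptyTemp:"


if __name__ == "__main__":
    found = select_fix_entries(SAMPLE_FRST_LINES.splitlines())
    for why, entry in found:
        print(f"[{why}] {entry}")
    print("---- fixlist.txt ----")
    print(build_fixlist(found))
```

Note what the path rule misses: in the thread's real fixlist the helper also removed EsgScanner.sys, which the installer dropped into C:\Windows\System32\DRIVERS rather than under the vendor folder, so a vendor-path filter alone would have left it behind. That is why the log is still read by hand and why the CAUTION above applies: the resulting fixlist is specific to one machine.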

How do I find out the location of FRST.exe?

It is where you downloaded it to.
e.g. desktop

Running from C:\Users\Admin\Downloads

Thank you.

Herewith is the log.

Please advise if this is the correct one.

Could you confirm that spyhunter has now gone

I believe it is gone. I looked under Control Panel - Programs and Features and could not find SpyHunter anymore. Thank you very much.

I did an Avast full scan afterwards and discovered that there was still a warning that some files could not be scanned, and the location was:

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite-shm

The status of this warning was this note:

Error: The process cannot access the file because another process has locked…

Please advise if I need to do anything further.

Thank you for your help.

Warnings are just that and do not mean the file is infected, just that it is either encrypted or corrupt… Not a problem.

a warning that some files could not be scanned
How do I handle files that avast! can’t scan? >> https://blog.avast.com/2014/02/28/how-do-i-handle-files-that-avast-cant-scan/

Thank you both for the enlightenment. I am much relieved. Thank you also for those who assisted earlier too.

Have a good day or good night, depending on where you are !