Author Topic: Repeating Avast Web Shield blocked a harmful webpage or file  (Read 11231 times)


REDACTED

  • Guest
Re: Repeating Avast Web Shield blocked a harmful webpage or file
« Reply #15 on: April 26, 2015, 07:38:06 PM »
Here you go. No change in the problem.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Repeating Avast Web Shield blocked a harmful webpage or file
« Reply #16 on: April 26, 2015, 08:39:34 PM »
Could you download a fresh copy of FRST please, run the scan again but this time also tick shortcut txt
Please download Farbar Recovery Scan Tool and save it to your Desktop.

Then attach all 3 logs

REDACTED

  • Guest
Re: Repeating Avast Web Shield blocked a harmful webpage or file
« Reply #17 on: April 27, 2015, 06:40:41 AM »
Here are the FRST & Shortcut text files you requested.

REDACTED

  • Guest
Re: Repeating Avast Web Shield blocked a harmful webpage or file
« Reply #18 on: April 27, 2015, 07:43:25 AM »
I'm a little confused as to what file you wanted. Here are two files from FRST in my documents directory and one from the Desktop directory. Is this what you requested?

Offline essexboy

Re: Repeating Avast Web Shield blocked a harmful webpage or file
« Reply #19 on: April 27, 2015, 04:02:37 PM »
I am unable to locate the trigger yet

This programme will produce a zip file, could you upload that to a file sharing site for me to collect

Download AVZ tool from here to your desktop
Unzip all files to a folder on your desktop
Open the folder and double click the AVZ icon
When the tool opens select "File" > "Standards scripts"

Place a tick in:

5. Update signature database

Then press "Execute selected scripts"

Once that has executed, then
select "File" > "Standards scripts"
Place a tick in:

3. Advanced System Analysis with malware removal mode enabled

When finished look in the folder AVZ4 on your desktop
Open the LOG folder
Upload virusinfo_syscure to a file sharing site for me to collect

REDACTED

  • Guest
Re: Repeating Avast Web Shield blocked a harmful webpage or file
« Reply #20 on: April 27, 2015, 05:40:01 PM »
I performed the scans and am ready to provide the log files. However, I am not familiar with file sharing sites and don't understand where you want me to upload them to. Also, do you want the zip, xml & htm versions of the virusinfo_secure files?

REDACTED

  • Guest
Re: Repeating Avast Web Shield blocked a harmful webpage or file
« Reply #21 on: April 27, 2015, 06:22:57 PM »
I think I figured out file sharing. Let me know if this works for you.

https://drive.google.com/file/d/0BwuFuigoTpS2Vk80WE50M2c5SWM/view?usp=sharing


Offline essexboy

Re: Repeating Avast Web Shield blocked a harmful webpage or file
« Reply #23 on: April 27, 2015, 06:51:05 PM »
Could you let me know if this makes a difference


FIX

Open AVZ as before
Click "File" > "Custom scripts"


A dialogue will open
Copy and paste the following script into the marked space then press run


Script for insertion :

Code:
begin
 SetAVZGuardStatus(True);
 SearchRootkit(true, true);
 DelCLSID('{FFB699E0-306A-11d3-8BD1-00104B6F7516}');
 DeleteFile('c:\051e59436ad68e9a9db4e57bce61\wgasetup.exe','32');
 ExecuteSysClean;
 RebootWindows(true);
end.

Ensure that you copy from begin to end

REDACTED

  • Guest
Re: Repeating Avast Web Shield blocked a harmful webpage or file
« Reply #24 on: April 27, 2015, 09:25:09 PM »
It ran and then rebooted but no change on the alarms.

Offline essexboy

Re: Repeating Avast Web Shield blocked a harmful webpage or file
« Reply #25 on: April 28, 2015, 04:14:53 PM »
The only area left to check now is the MBR

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application
  • Then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Get the report by selecting Reports
  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

REDACTED

  • Guest
Re: Repeating Avast Web Shield blocked a harmful webpage or file
« Reply #26 on: April 28, 2015, 05:53:42 PM »
Prior to making the selections after installing the program, the program found a root bug and I clicked on cure. The system rebooted and I then made the selections and ran it again. I have not had any alarms after the initial reboot. Is the report in a file somewhere? I have so far been unable to copy it to send it to you.

REDACTED

  • Guest
Re: Repeating Avast Web Shield blocked a harmful webpage or file
« Reply #27 on: April 28, 2015, 06:14:55 PM »
Here is the report. Still no Alarms :).

Offline essexboy

Re: Repeating Avast Web Shield blocked a harmful webpage or file
« Reply #28 on: April 28, 2015, 06:20:17 PM »
Darn, it has not shown in the log what it detected. Can you remember roughly what it was?

REDACTED

  • Guest
Re: Repeating Avast Web Shield blocked a harmful webpage or file
« Reply #29 on: April 29, 2015, 02:11:24 AM »
I really don’t trust my memory on this but I remember thinking that the message displayed made reference to the same problem I mentioned in my second posting.

“The RootKit Found message window displayed "MBR:\\.PHYSICAL DRIVE0\Boot MBR:Cidox-D [Rtk]". On prior occasions I have seen this message and have tried deleting as the pop up window suggests. I did not do so this time.”

I suspect that while Avast had identified the problem on several prior occasions, it didn’t fix the problem even though it attempted to do so. I think that Kaspersky identified the same problem but that its cure actually worked. I wish I had printed the report prior to running it a second time.

In any event, I haven’t seen any more of those annoying alarms and that is great. Thank you for all your help. Is there anything else I should do?