Constant Avast Blocked Popup - "reannewscomm"

[jason.roberts10000]

Hi,

 Some introduction before I get to the problem.

 Today I was watching a youtube video and got a virus notification. I thought nothing of it as Avast blocked it, until I started getting these popups requesting server access to my computer to download a file called "thawbrkr.dll". Every time I clicked "no" the popup would reappear after about 1-2 minutes. I tried to determine what was causing the popups to appear, to no avail (I'm fairly experienced with dealing with viruses and malware; so I checked the usual places AppData, ProgramData, Windows, Program Files, and Temp folders but found nothing at all). I figured that accepting it would cause the virus more access but I was at wits end and figured that once it was on the machine I could get rid of it.

 So now I have this virus that keeps being blocked by my Avast Antivirus scanner, called "Reannewscomm.com". Every 10-15 seconds it blocks its attempt, for the past 2-3 hours now that I've been trying to get rid of it. I ran a complete scan of Malware Fighter and it did not detect it, and a complete scan of Avast Antivirus, and it didn't find it. I've looked in the usual places again, and deleted any temporary files that came on the computer today (March , any cookies for today, and reupdated both Avast and Malware fighter to no avail.

The precise details of the blocked virus are as follows:

   Object = http://reannewscomm.com/ads.php?sid=1967
   Infection = URL:Mal
   Process = C:\Windows\Explorer.exe

 I tried to follow several guides on how to remove it manually (as the other option requires buying a tool that I've never heard of before and it only scans for free), and none have succeeded. All the usual indications of this virus are not present yet as Avast blocks it from putting those down and activating them. However, something is clearly trying to activate but I don't know where to find it.

 The popups only appear when I'm connected to the internet. When I disconnect from the internet (I use a wired connection) the popups cease to popup, leading me to believe that that server I allowed access to my computer is trying to create the virus or deploy the virus or something. I dunno. As stated, neither Avast nor my Malware Fighter detects the virus on my machine, and thus I feel that that server is causing the issue. So... does anyone know how to block a server from accessing the computer AFTER you've given it permission to have access?

 However, something strange did happen recently. After trying to solve the problem for 4 hours, I got frustrated and left the computer alone. When I returned, it sounded like the computer was playing a podcast... though no podcasts were found on my machine, no internet explorer windows were open and no media player type programs were active. Disconnecting the internet / resetting the router didn't stop this podcast, but ending Explorer.exe did (though that made the system unstable forcing me to restart it). The other thing of note is I have limited download capabilities right now (I can download it if I click Save Target As, but not any other method (ie Run / Save / Save As; these crashes internet explorer))

Any help would be appreciated.

[Asyn]

Attach your basic diagnostic logs. (MBAM, FRST and aswMBR)
Instructions: https://forum.avast.com/index.php?topic=53253

[jason.roberts10000]

Logs

EDIT:
(When attempting to post logs initially, internet explorer crashed)

The final log couldn't be acquired as the program froze my machine entirely forcing a hard restart. It froze while scanning Windows -> System32 -> DiagCpl.dll

[Asyn]

OK, now you've to wait a bit...

[jason.roberts10000]

Managed to get the log from the final program by changing my IP address manually.

[essexboy]

Let me know if this kills it

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 

CreateRestorePoint:
HKU\S-1-5-21-429370524-3042837960-4195566341-1001\...\Run: [QujiBvaw] => regsvr32.exe "C:\Users\Jason\AppData\Roaming\QolaRzavd\YitUvfo.dll"
C:\Users\Jason\AppData\Roaming\QolaRzavd
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.

• Close all open programs and internet browsers.
• Double click on AdwCleaner.exe to run the tool.
  
• Click on Scan.
  
• After the scan is complete click on "Clean"
• Confirm each time with Ok.
  
• Your computer will be rebooted automatically. A text file will open after the restart.
• Please post the content of that logfile with your next answer.
• You can find the logfile at C:\AdwCleaner[S0].txt as well.
  

[jason.roberts10000]

Hmm, I'll try that.

One thing I did notice after leaving my computer disconnected from the internet for a while and coming back to it this morning, the popups have stopped when I connected to the internet.

I had been fiddling with IPConfig before I disconnected (I tried to switch over to IP v 6 from IP v 4, but that didn't work; nor did release or renew, but then I tried flush DNS and registerDNS) However, I doubt that means it is gone (probably hibernating or biding its time), so I'll still do this suggestion and get back to you.

[jason.roberts10000]

I ran that FRST program again with the fixlist, it asked me to restart, I did. It partially worked. By partially, I mean it got rid of reannewscomm popups, but it is now replaced with two new ones I've never seen before for two different URLs; same otherwise URL: Mal and C:/Windows/Explorer. But they only appeared once, after I booted up.

Trying next program.

[jason.roberts10000]

K did that. Reannewscomm appears to be gone, but at restart, had 4 blocked URL:Mal C:/Windows/Explorer, weirdly named sites, each different from the last.

Here is the log. (Didn't find it in C:/ though, found it in Program Files)

[essexboy]

Could I see the FRST fixlog please, are you still getting alerts

[jason.roberts10000]

I spoke too soon. Today Reannewscomm.com came back, and the others aren't around. So frustrating.

Um... I don't know if it did produce a log. But I'll check.

EDIT: Found it!

EDIT 2: Nope, the other 4 just re-appeared. Poop.

EDIT 3: I will mention that the Fix didn't technically kill the virus. It moved a "copy" of the virus to quarantine, but a fresh copy was rebuilt at C:/Users/Jason/AppData/Roaming/QolaRzavd or, it copied the virus to quarantine and left the original... not quite sure which. Anyway, I left the virus copy in quarantine and deleted the original, but I'm still get the popups. Note, I was getting them before and after deleting it so I doubt deleting the original is problematic.

[essexboy]

Could I have a fresh FRST log please also a screenshot of the popups

[jason.roberts10000]

Sure I'll rerun FRST64.exe and try to get screenshots of the popups.

[jason.roberts10000]

Okay Reran, nothing detected, but uploading logs anyway. Also, got 4 screenshots. 1 for Reannews, and 3 for ones I've never seen before, and not the earlier 4 I mentioned. Haven't seen those pop up again recently, so no screenshots for them. But...

In Task Manager, in Processes, I'm noticing several of these pop up increase in memory and CPU and then disappear. These tend to correlate precisely when I get another popup. Also, I have about 4-5 of them active in my Task Manager as well. Processes (if it helps):

COM Surrogate
Console Window Host
CTF Loader
Windows Installer
Client Server Runtime Process

I'll also mention that since the virus is only active when I'm online, these processes are not active when I'm offline if it helps and only become active the moment I plug in my wired connection.

[jason.roberts10000]

4 attachment maximum, so posting other two here.