1 - 15 of 15 Posts

·
Registered
Joined
·
7 Posts
Discussion Starter #1
Hi all,

I am having issues removing a malware/virus from my laptop. I receive the below notification when visiting almost any website. Avast is not able to remove the malware, and I also ran a Malwarebytes scan which was also not able to find or remove the issue. Any help will be appreciated.

 

·
Moderator , Security Team
Joined
·
1,049 Posts
  • If you have a 32 bit system Download FRST to your Desktop.
  • If you have a 64 bit system Download FRST64 to your Desktop.
  • If you don't know whether your system is 32 bit or 64 bit, download both. Only one will run on your machine. That's the one to use.
  • Double click Frst.exe to launch it.
  • FRST will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press the Scan button.
    • When finished scanning 2 logs will open on your Desktop, FRST.txt and Addition.txt
    • Please post them in your next reply.
 

·
Moderator , Security Team
Joined
·
1,049 Posts
Looking them over now. Dependent on how many entries I need to research, this can sometimes take a while.

Back when I've finished.
 

·
Moderator , Security Team
Joined
·
1,049 Posts
As far as I can see, there are no obvious signs of an active infection in the FRST logs you have supplied.

So what I would advise you to do is the following ....

Download the Free (Portable) version of Revo Uninstaller ... Download Revo Uninstaller Freeware - Free and Full Download ... and use it to uninstall the following programs.

Avast Free AntiVirus
AdAware Antivirus


Instructions for how to use Revo Uninstaller (Portable) ....

  • Download free portable version using link above.
  • Right click on RevoUninstaller_Portable.zip and select Extract All to extract the files to a location of your choice.
  • Open the new Folder Created (RevoUninstaller_Portable) and click on RevoUPort.exe to launch Revo Uninstaller
  • Now click on Avast Free AntiVirus to select it, then click on Uninstall
  • Click Continue when prompted
  • Revo will now create a System Restore Point, and then Use Avast's Uninstaller to uninstall it, when finished click on the Scan button, and Revo will scan for any remnants
  • If any are found, click on Select All to select them, then click on Delete to remove them.

Repeat the above for AdAware Antivirus

When finished reboot your computer to complete the removals.

The reason I'm advising this is as follows ....

Recent versions of Avast do not appear to get on well with W10, and I've seen quite a few people with it installed that are having problems of a similar nature to the ones you're experiencing. Windows Defender is a perfectly capable Anti-Malware program, and since it is already integrated into W10, it causes few if any problems.

Do not confuse the W10 version of Windows Defender with earlier versions, which were nowhere near as capable, this version offers as good a protection as any 3rd party program (free or paid for) and is perfectly adequate for most people's use.

AdAware does not add any protection that Windows Defender is not already providing, so there is no point in keeping it. Having more than one AV program installed does not increase your protection, it just gives more opportunity for conflicts, as programs of this type "fight" for the same resources.

The reason I've recommended the use of Revo Uninstaller to remove the two programs, is that AV programs integrate tightly with your OS, and their inbuilt uninstallers often leave a lot of orphans behind which can cause problems, Revo does a much better job of uninstalling and usually leaves you with few if any orphans.

NEXT ...

I would like you to run an online AV scan for me, just to make sure I haven't missed anything ....

Download ESET Online Scanner and save it to your desktop.
  • Right-click on esetonlinescanner_enu.exe and select Run as Administrator.
  • When the tool opens, click Get Started.
  • Read and accept the license agreement.
  • At the Welcome to ESET Online Scanner window, click Get Started.
  • Select whether you would like to send anonymous data to ESET.
  • Note: if you see the "Welcome Back to ESET Online Scanner" screen, click Computer Scan > Full Scan.
  • Click on the Full Scan option.
  • Select Enable ESET to detect and remove potentially unwanted applications, then click Start scan.
  • ESET will now begin scanning your computer. This may take some time.
  • When the scan is finished and if threats have been detected, select Save scan log. Save it to your desktop as eset.txt. Click on Continue.
  • ESET Online Scanner may ask if you'd like to turn on the Periodic Scan feature. Click on Continue.
  • On the next screen, you can leave feedback about the program if you wish. Check the box for Delete application data on closing. If you left feedback, click Submit and continue. If not, Close without feedback.
  • Open the scan log on your desktop (eset.txt) and copy and paste its contents into your next reply.
 

·
Registered
Joined
·
7 Posts
Discussion Starter #6
Thanks Gary. Above is all done and thanks for the info. I will continue to use Revo for uninstalling apps.

The ESET log generated the following:


11/10/2020 15:56:28 PM
Files scanned: 338059
Detected files: 0
Cleaned files: 0
Total scan time: 00:39:16
Scan status: Finished

Let me know if you need anything else.
 

·
Moderator , Security Team
Joined
·
1,049 Posts
Can you run a new scan with FRST and attach the new logs please.

There were a couple of things in your previous logs that needed attention, but it wasn't clear whether Avast was causing them or something else.

Now that Avast has been removed I'd like to see whether they are still there or not, and if they are then we can take care of them.
 

·
Registered
Joined
·
7 Posts
Discussion Starter #8
Attached both FRST.txt and Addition.txt

FYI, I also removed a few other apps that were pre-installed on my laptop just to clean things up (WildTangent and XBox game apps)
 


·
Moderator , Security Team
Joined
·
1,049 Posts
OK, just a few things to deal with, nothing of any real consequence, mostly leftovers and orphans, but we might as well deal with them while we have the opportunity.

  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
  • Press Ctrl+y (Ctrl and y keys at the same time)
  • A blank randomly named .txt Notepad file will open.
  • Copy and paste the following into it (don't include Code: )....
Code:
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
U1 aswbdisk; no ImagePath
S3 mfeavfk01; \Device\mfeavfk01.sys [X]
\Device\mfeavfk01.sys
2020-11-10 15:56 - 2020-11-10 15:56 - 000000268 _____ C:\Users\djeft\Desktop\eset.txt
2020-11-10 15:11 - 2020-11-10 16:20 - 000000000 ____D C:\Users\djeft\AppData\Local\ESET
2020-11-10 15:11 - 2020-11-10 15:11 - 000000785 _____ C:\Users\djeft\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ESET Online Scanner.lnk
2020-11-10 15:11 - 2020-11-10 15:11 - 000000657 _____ C:\Users\djeft\Desktop\ESET Online Scanner.lnk
2020-11-10 15:10 - 2020-11-10 15:10 - 015012440 _____ (ESET spol. s r.o.) C:\Users\djeft\Downloads\esetonlinescanner.exe
SearchScopes: HKLM -> {79189544-6A48-41B7-840C-82CAD9BAE564} URL = hxxp://www.amazon.ca/s/ref=azs_osd_ieaca?ie=UTF-8&tag=hp-ca2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> {79189544-6A48-41B7-840C-82CAD9BAE564} URL = hxxp://www.amazon.ca/s/ref=azs_osd_ieaca?ie=UTF-8&tag=hp-ca2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-2278406881-1469945495-2225885510-1001 -> {79189544-6A48-41B7-840C-82CAD9BAE564} URL = hxxp://www.amazon.ca/s/ref=azs_osd_ieaca?ie=UTF-8&tag=hp-ca2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
EmptyTemp:
Hosts:
cmd: ipconfig /flushdns
  • Press Ctrl+s to save fixlist.txt
NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
  • Now press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
  • Please post me the log
 

·
Registered
Joined
·
7 Posts
Discussion Starter #10
Ok, just so we are clear - I re-saved the randomly named .txt file as fixlist.txt in the same directory.
Here is the generated Fixlog.txt:


Fix result of Farbar Recovery Scan Tool (x64) Version: 11-11-2020
Ran by djeft (11-11-2020 11:24:08) Run:1
Running from C:\Users\djeft\Downloads
Loaded Profiles: djeft
Boot Mode: Normal
==============================================

fixlist content:
*
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
U1 aswbdisk; no ImagePath
S3 mfeavfk01; \Device\mfeavfk01.sys [X]
\Device\mfeavfk01.sys
2020-11-10 15:56 - 2020-11-10 15:56 - 000000268 _____ C:\Users\djeft\Desktop\eset.txt
2020-11-10 15:11 - 2020-11-10 16:20 - 000000000 ____D C:\Users\djeft\AppData\Local\ESET
2020-11-10 15:11 - 2020-11-10 15:11 - 000000785 _____ C:\Users\djeft\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ESET Online Scanner.lnk
2020-11-10 15:11 - 2020-11-10 15:11 - 000000657 _____ C:\Users\djeft\Desktop\ESET Online Scanner.lnk
2020-11-10 15:10 - 2020-11-10 15:10 - 015012440 _____ (ESET spol. s r.o.) C:\Users\djeft\Downloads\esetonlinescanner.exe
SearchScopes: HKLM -> {79189544-6A48-41B7-840C-82CAD9BAE564} URL = hxxp://www.amazon.ca/s/ref=azs_osd_ieaca?ie=UTF-8&tag=hp-ca2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {79189544-6A48-41B7-840C-82CAD9BAE564} URL = hxxp://www.amazon.ca/s/ref=azs_osd_ieaca?ie=UTF-8&tag=hp-ca2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-2278406881-1469945495-2225885510-1001 -> {79189544-6A48-41B7-840C-82CAD9BAE564} URL = hxxp://www.amazon.ca/s/ref=azs_osd_ieaca?ie=UTF-8&tag=hp-ca2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
EmptyTemp:
Hosts:
cmd: ipconfig /flushdns
*

HKLM\SOFTWARE\Policies\Mozilla => removed successfully
HKLM\System\CurrentControlSet\Services\aswbdisk => removed successfully
aswbdisk => service removed successfully
HKLM\System\CurrentControlSet\Services\mfeavfk01 => removed successfully
mfeavfk01 => service removed successfully
\Device\mfeavfk01.sys => Error: No automatic fix found for this entry.
C:\Users\djeft\Desktop\eset.txt => moved successfully
C:\Users\djeft\AppData\Local\ESET => moved successfully
C:\Users\djeft\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ESET Online Scanner.lnk => moved successfully
C:\Users\djeft\Desktop\ESET Online Scanner.lnk => moved successfully
C:\Users\djeft\Downloads\esetonlinescanner.exe => moved successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{79189544-6A48-41B7-840C-82CAD9BAE564} => removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => value restored successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{79189544-6A48-41B7-840C-82CAD9BAE564} => removed successfully
HKU\S-1-5-21-2278406881-1469945495-2225885510-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{79189544-6A48-41B7-840C-82CAD9BAE564} => removed successfully
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 10510336 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 106152412 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 6711265 B
Edge => 1378450 B
Chrome => 0 B
Firefox => 1139346045 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 1293168 B
systemprofile32 => 1293168 B
LocalService => 1584046 B
NetworkService => 2048602 B
djeft => 84260761 B

RecycleBin => 1274410991 B
EmptyTemp: => 2.4 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 11:24:35 ====
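
An added example, not part of the original post and not FRST's own code: a small Python triage of the result lines in a Fixlog like the one above, counting outcomes and listing any entry FRST reported it could not fix. The sample lines are copied from the log in this post; the function names and outcome categories are assumptions made for this illustration.

```python
import re
from collections import Counter

# Result lines copied from the Fixlog.txt posted above.
FIXLOG_EXCERPT = r"""
HKLM\SOFTWARE\Policies\Mozilla => removed successfully
aswbdisk => service removed successfully
\Device\mfeavfk01.sys => Error: No automatic fix found for this entry.
C:\Users\djeft\Desktop\eset.txt => moved successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => value restored successfully
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
Firefox => 1139346045 B
RecycleBin => 1274410991 B
EmptyTemp: => 2.4 GB temporary data Removed.
"""

# A result line has the shape "<target> => <outcome>".
RESULT = re.compile(r"^(?P<target>.+?) => (?P<outcome>.+)$")

def classify(outcome):
    """Map an outcome string to a category (categories are this example's own)."""
    text = outcome.lower()
    if text.startswith("error"):
        return "error"
    if re.fullmatch(r"\d+ b", text):
        return "temp_bytes"          # per-location byte counts under EmptyTemp
    # "removed" must be tested before "moved", which it contains.
    for verb in ("removed", "moved", "restored"):
        if verb in text and "successfully" in text:
            return verb
    return "other"

def summarize(log_text):
    """Return (category counts, unresolved entries, total temp bytes)."""
    counts, unresolved, temp_bytes = Counter(), [], 0
    for line in log_text.splitlines():
        m = RESULT.match(line.strip())
        if not m:
            continue                 # headers, fixlist echo, command output
        kind = classify(m["outcome"])
        counts[kind] += 1
        if kind == "error":
            unresolved.append((m["target"], m["outcome"]))
        elif kind == "temp_bytes":
            temp_bytes += int(m["outcome"].split()[0])
    return counts, unresolved, temp_bytes

if __name__ == "__main__":
    counts, unresolved, temp_bytes = summarize(FIXLOG_EXCERPT)
    print(dict(counts), unresolved, temp_bytes)
```
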
 

·
Moderator , Security Team
Joined
·
1,049 Posts
Looks like everything was processed OK, so how's your computer behaving now please?
 

·
Registered
Joined
·
7 Posts
Discussion Starter #12
Computer is running well. Of course, with Avast removed I am no longer receiving the notifications. Performance seems good and as long as there is no forced connection to whatever "mikkiload" is we should be good! Thanks Gary.
 

·
Moderator , Security Team
Joined
·
1,049 Posts
If you notice, the Avast message says ... We've safely aborted connection on mikkiload.com because it was infected with ..... Other:Malware-gen[trj]

What that means is that Avast blocked you from connecting with the site mikkiload.com because that site is infected, that does not necessarily mean there is an infection on your machine.

It could be that you have landed on a site or sites that had a hidden link to mikkiload.com.

The scans we ran showed no signs of an infection, so what I suggest is that you keep an eye on things for a few days, and if your computer behaves oddly in any way then please post back here.

I'll leave the topic open over the weekend, and if I haven't heard from you by Monday, then I'll close it.

If you wish to uninstall FRST and remove all its files, please do the following ...

  • Rename FRST64.exe to Uninstall.exe
  • Double click on Uninstall.exe to launch it.
    • Your computer will reboot, and on reboot will remove FRST and all its files.
 

·
Registered
Joined
·
7 Posts
Discussion Starter #14
Ok, understood.

Just one last thing to note - the notification from Avast appeared when visiting any and all webpages including common pages like Google or YouTube. So I don't think these popular pages would have any hidden links that could trigger an antivirus. I felt that it must be something in the background that is forcing a connection.

I trust your expertise however. I will monitor the performance over the next few days and advise if any issues arise. Thanks again for your help!
 

·
Moderator , Security Team
Joined
·
1,049 Posts
You're welcome.

There is always the possibility that we've missed something, but it could also have been a mis-identification by Avast as well, and since no other scanner is detecting anything on your computer, I think that's more likely to be the case.

IMO Avast is not the AV it once was, and to be honest the latest renditions of it seem to be a bit unreliable with their detections, and I would not personally recommend it to anyone any longer.
 