Jump to content


  • Posts

  • Joined

  • Last visited


0 Neutral

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

  1. Yes the laptop is working normally. I also hope the other folks that got into the same trouble and posted here originally found the solution as well. This issue consumed a lot of my time but in the end i came out a little wiser and of course learned my lesson. Again, it was a good decision writing to Malwarebytes forum that help me not only solve the problem but also clean my laptop from bloat. You are top 💯 Cheers!
  2. Yes, i will reinstall Firefox and keep you posted. I wasn't using Dropbox and Java in the laptop for some time now so i will not reinstall them.
  3. Exactly, no signs of infection, no unwanted behavior from the laptop, works normally again. I also uninstalled the programs you mentioned. Surely i will reinstall some of them because i use them and will check for updated as you advised. I was starting to get anxious with it because typical scanning did not fixed it but eventually Malwarebytes saved the day!
  4. Hello, I think we are finally getting fixed! Fixlogs attached for the last 2 fixlists. Please note that 2nd fixlog says "The system cannot find the path specified." because we had already made manual removals. Closing notes: As other users mentioned vcwatav are random letters generated that is why you can't find any other results on Google. The malware does point to C:\users\myusername\AppData\Roaming\randomletters though and also fakes Firefox Default Browser Agent scheduled task. Again, do not try repacked programs from dark corners on the internet no matter what their "instructions" say. Use official software only. Malwarebytes gives free specific user and device support? You guys deserve respect 💪 Fixlog 1.txt Fixlog 2.txt
  5. Hello @AdvancedSetup, Yes, sorry for the late replies, i also noticed some replies from @lout and intended to reply. The issue is typically solved and but i intend to follow your latest instructions and mark it as solved in 1 or 2 days and of course thank you one more time. Thank you for your patience!
  6. Hello, Sorry for the late reply. Here are the FRST64 logs that you requested (Search.txt, FRST.txt, Addition.txt). A few notes about them: C:\Users\myusername\Desktop\vcwatav\ folder is created by me and contains files/programs related to this issue so it is safe folder. What it is concerning in the Search.txt is that C:\Users\myusername\AppData\Roaming\vcwatav is recognized as a Microsoft file and digitally signed. I also searched for vcwatav in C disk and found a log called vcwatav.log on C:\Users\myusername\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs and has this information: 1,"fusion","GAC",0 1,"WinRT","NotApp",1 Inside that folder there are also other logs: NGenTask.exe.log Patch Set-up.exe.log RegAsm.exe.log Setup.exe.log Setup2.exe.log And except for the above they contain also info like PublicKeyToken=xxxxxxxxx","C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System\258d42........\System.ni.dll" Is the above suspicious and would you like me to attach them? Additionally, i have some more interesting news: I managed to delete that nasty vcwatav in the Roaming folder with the Windows Powershell program (run as administrator) with the command: Remove-Item vcwatav -Force. Also, i managed to download it before deletion (by using Chrome typing in the url bar C:/Users/myusername/AppData/Roaming/, it was visible there!) and i will send it to you for further investigation. I think it may be an interesting case to you as experts since it managed to trick antivirus/anti-malware programs. It is a 64KB file without extension and looks really suspicious when opened with notepad (it has a lot of Microsoft references). For safety reasons i will send it to @AdvancedSetup in a private message. So now my laptop seems clear in the naked eye but if you have further instructions i will try to follow them. And a closing note to average users that may see this: I paid a tough price ignoring Windows Smart security and experimenting with programs i shouldn't have. Tens of hours searching, stressing laptop with scans therefore decreasing its lifespan, avoiding logins to payment services, seeking for help in forums (with not real name out of shame, viperg lol!). If you are not a security researcher, do not use pirated/unknown programs even for testing. If there is a program you need, just buy it from the official source or don't get involved, just take a break and enjoy life with what you can do, or a difficult path with troubleshooting, even ending with a format awaits (i still have insecurity with this case). Thanks malwarebytes team and @AdvancedSetup for the support, i was impressed with their professional tactics but if you asked me, i would rather not meet them and just have their program installed. FRST.txt Search.txt Addition.txt
  7. I deleted this particular schedule task. The C:\users\myusername\AppData\Roaming\vcwatav remains and cannot be accessed or deleted with the same error "The directory name is invalid." I also attach the Autoruns log again. Is it ok now? I doubled-checked that in the Scan options the 3 latter checkboxes are checked and pressed rescan and save the logs. I noticed Autoruns auto-exited in my first attempt and suspected maybe it's malware's intervention to avoid detection, like with other scans when this pesky vcwatav opens up in a cmd window for some seconds. I remain at your disposal. LAPTOP-autoruns-2.zip
  8. Sorry again for the double post. I found the correct entry in the task scheduler library which has the vcwatav path and i attach the screenshot.
  9. About the Driver i think i tried all the possible solutions (uninstall-scan new hardware changes, automatic update, driver you sent me) but still remains with yellow mark. I think i shouldn't worry about it. On the other hand, Autoruns.exe found the vcwatav entry and relates it with Firefox default browser agent (screenshot attached). I went to Task Scheduler and saw that entry but it has different name and location (screenshot attached). I don't mind uninstalling Firefox if needed. Also, i tried to access C:\users\myusername\AppData\Roaming\vcwatav through Windows Explorer and it says "You are attempting to open a file of type System File (.sys)". Finally i attach the Autoruns.zip you asked. LAPTOP.zip
  10. To add to my previous answer, my laptop is a Dell Inspiron 5558.
  11. Thank you for the help! I removed Java 8 Update 91. As for the Hard Disk Controller, yes indeed there is a yellow mark on Device Manager (screenshot attached). This might have happened since i replaced the HDD with as SSD. I tried to update it manually and with the Dell application but couldn't find any proper update. Windows and Dell app say i've already installed the latest driver. Even in official forums answers i've read that if this doesn't affect performance you can ignore it, so i wouldn't worry about it much. However, i appreciate your concern and of course if you have any suggestions to correct this issue i would happily follow advice (Hardware IDs screenshots attached). Unfortunately, the main issue still exists (vcwatav process still pops-up randomly and access to C:\users\myusername\AppData\Roaming\vcwatav still returns "The directory name is invalid"). I can accept the pop-ups and go on (they are not that many after all) if this vcwatav is related to this SATA driver issue, but maybe this is too comforting to be true? If you think this process is downright suspicious, i can feel the format coming closer to me but of course i'm open to follow further instructions. Kind regards.
  12. Thank you for giving me the opportunity to resolve this. AdwCleaner found some interesting registry entries. Also, on every Windows restart i was also prompted to update. I await for further instructions if needed. MB Logs.txt AdwCleaner[C00].txt FRST.txt Addition.txt
  13. The computer is a Dell laptop that has all the latest updates from the Dell application and runs the latest updated version of Windows 10 Home. The only issue i notice on the laptop is that on device manager the Standard SATA AHCI Controller has a yellow exclamation mark but this does not seem to impact its functionality.
  14. Hello Malwarebytes team, After installing a suspicious program bypassing Smart Security warning (100% my bad), Skeeyah installed and was immediately removed by Windows defender. However, after uninstalling the suspicious program a side effect of this bad action remained: A process found on C:\users\myusername\AppData\Roaming\vcwatav is running randomly on a cmd window and displays data related to RegAsm process. I googled vcwatav and not a single result returns. I also tried to access and delete this folder on cmd and it returns "The directory name is invalid". Also, on windows explorer the folder is invisible. This process pops up randomly and upon security checks. On security checks particularly remains open a lot more seconds (is it trying to evade detection?). The laptop does not seem to underperform or run other unknown processes on task manager. I tried rkill, malwarebytes and windows defender normal and offline scan. Nothing seems to remove this silent but maybe dangerous process that was installed 100% by my mistake. Well everybody deserves a second chance that is why i'm asking for help and a way to remove this. Please see the attached screenshot that displays this vcwatav process that looks like RegAsm, running for a few seconds while malwarebytes permorms a check. Kind regards.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.