Avast keeps giving antivirus signs every couple of minutes

I’ve had this problem for a few days now. Anyway, I keep getting ‘Malicious Malware Blocked’ messages from Avast. Like this one...

“URL: http://server1.u147852369.codisk.com/new
Process: file://C:\ProgramData\w1BSDrcl16\LmtNlP6…
Infection: al”

I’ve run a number of virus scans with Avast and Malware Bytes and it hasn’t picked anything up. I also searched on here and found what could be a few solutions and so scanned my computer with CC Cleaner and TDSS Killer but they didn’t pick anything up either.

Although I used CC Cleaner last night and the problem seemed to stop, this morning the problem was back again.

Currently, I’m scanning with aswMBR which I found posted on here and will post the log when I get it. Still, does anyone have any advice/help for what this may be? It’s starting to annoy me.

Thanks! :slight_smile:

Okay, here are the logs that I got from the scan with aswMBR.

aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
Run date: 2012-01-07 13:46:17

13:46:17.899 OS Version: Windows x64 6.1.7600
13:46:17.899 Number of processors: 2 586 0x603
13:46:17.899 ComputerName: JACK-PC UserName: Jack
13:46:19.303 Initialize success
13:46:19.396 AVAST engine defs: 12010700
13:46:22.158 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\0000005a
13:46:22.173 Disk 0 Vendor: ST950032 D005 Size: 476940MB BusType: 11
13:46:22.236 Disk 0 MBR read successfully
13:46:22.251 Disk 0 MBR scan
13:46:22.251 Disk 0 Windows 7 default MBR code
13:46:22.267 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 100 MB offset 2048
13:46:22.282 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 15000 MB offset 206848
13:46:22.298 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 461838 MB offset 30926848
13:46:22.314 Service scanning
13:46:24.030 Modules scanning
13:46:24.030 Disk 0 trace - called modules:
13:46:24.061 ntoskrnl.exe CLASSPNP.SYS disk.sys amd_xata.sys storport.sys hal.dll amd_sata.sys
13:46:24.061 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa80047f7060]
13:46:24.076 3 CLASSPNP.SYS[fffff8800195943f] → nt!IofCallDriver → [0xfffffa80047844e0]
13:46:24.092 5 amd_xata.sys[fffff880010747a8] → nt!IofCallDriver → \Device\0000005a[0xfffffa8004780190]
13:46:25.418 AVAST engine scan C:\Windows
13:46:28.600 AVAST engine scan C:\Windows\system32
13:48:00.474 AVAST engine scan C:\Windows\system32\drivers
13:48:10.489 AVAST engine scan C:\Users\Jack
13:48:27.028 AVAST engine scan C:\ProgramData
13:50:29.910 Scan finished successfully
13:51:46.719 Disk 0 MBR has been saved successfully to “C:\Users\Public\Pictures\PhotoStage\MBR.dat”
13:51:46.734 The log file has been saved successfully to “C:\Users\Public\Pictures\PhotoStage\virus scan.txt”

Follow the guide here and attach the OTL logs (not copy and paste):
http://forum.avast.com/index.php?topic=53253.0

lower left corner: additional options > attach

Sucuri reports that URL ( -http://server1.u147852369.codisk.com ) as infected and blacklisted.

see attached screen shot

Malware entry: MW:HTA:7 - http://sucuri.net/malware/malware-entry-mwhta7

urlQuery - http://urlquery.net/report.php?id=15040

Didn’t think that websites could host HTA in their website and succeed in running the code.

Thought HTA was for offline use only. :-\

Here are the logs from the OTL Scan, hope I’m doing this right. I’m not very good when it comes to computers.

There should be an Extra.txt also…not that important but if you have it?

Essexboy is notified :wink:

Ah, didn’t know I had to attach the extra text. Here it is.

Thanks for your help by the way. I really appreciate it.

Edit: Also attached a fresh aswMBR scan log.

Okay, I scanned just the AppData file with both avast and MalwareBytes and this time, both picked up viruses/malware.

I deleted them, rescanned again. This time MalwareBytes picked up another called ‘Malware.Packer’ I deleted it and am now just waiting to see whether this has solved the problem. Fingers crossed :slight_smile:

Edit: Rescan and MalwareBytes picked up a Malware.Packer in this folder. c:\Users\jack daily use\AppData\Local\Temp\lodF72A.tmp

Not sure if that is any use to you or not?

Here you go this should kill it

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O4 - HKU\S-1-5-21-1383542091-2160655984-1875061668-1003..\Run: [rK03bwEL] C:\ProgramData\6fWJaLB3Fqx\hW5VQ8o1I.exe ()
[2012/01/06 16:37:31 | 000,000,000 | ---D | C] -- C:\ProgramData\6uRdbo05qqu
[2012/01/06 16:37:28 | 000,000,000 | ---D | C] -- C:\ProgramData\FFgyZQUChVoX

:Files
ipconfig /flushdns /c
C:\ProgramData\6fWJaLB3Fqx

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
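As an added example (not the helper's fix script and not part of OTL), the following Python triage helper parses Avast alert fields and OTL O4 Run-key lines of the shape quoted above, then flags autorun targets that live in the alerting ProgramData folder or in another random-looking one. The sample inputs are constructed (the executable names are invented because the alert in the thread was truncated), and the "random-looking name" heuristic is an assumption, not an OTL or Avast rule.

```python
import re
from pathlib import PureWindowsPath

# Constructed samples modelled on the alert text and OTL O4 line quoted in the thread;
# the executable names are invented because the alert in the thread was truncated.
SAMPLE_ALERT = (
    "URL: http://server1.u147852369.codisk.com/new\n"
    "Process: file://C:\\ProgramData\\w1BSDrcl16\\sample.exe\n"
    "Infection: al"
)
SAMPLE_O4_LINES = [
    r"O4 - HKU\S-1-5-21-1383542091-2160655984-1875061668-1003..\Run: [rK03bwEL] C:\ProgramData\6fWJaLB3Fqx\hW5VQ8o1I.exe ()",
    r"O4 - HKLM..\Run: [Tray] C:\Program Files\Vendor\tray.exe (Vendor Inc)",  # constructed benign entry
]

ALERT_FIELD = re.compile(r"^(URL|Process|Infection):\s*(.+)$", re.M)
O4_LINE = re.compile(r"^O4 - (?P<key>\S+)\\Run: \[(?P<value>[^\]]+)\] (?P<target>.+?) \((?P<company>[^)]*)\)$")

def parse_alert(text: str) -> dict:
    """Split the 'Field: value' lines of an Avast shield alert into a dict."""
    return dict(ALERT_FIELD.findall(text))

def parse_o4(line: str):
    """Parse an OTL O4 (Run key) line into key, value name, target path and company string."""
    m = O4_LINE.match(line)
    return m.groupdict() if m else None

def programdata_folder(path_str: str):
    """Return the folder name if path is <drive>\\ProgramData\\<folder>\\<file>, else None."""
    parts = PureWindowsPath(path_str).parts
    if len(parts) == 4 and parts[1].lower() == "programdata":
        return parts[2]
    return None

def looks_random(name: str, min_transitions: int = 4) -> bool:
    """Heuristic (assumption): generated names flip between lower/upper/digit far more than vendor names."""
    classes = ["d" if c.isdigit() else "u" if c.isupper() else "l" for c in name]
    return sum(a != b for a, b in zip(classes, classes[1:])) >= min_transitions

def suspicious_run_entries(alert_text: str, o4_lines: list) -> list:
    """Run-key targets in the alerting folder or in another random-looking ProgramData folder."""
    proc = parse_alert(alert_text).get("Process", "").removeprefix("file://")
    alert_folder = programdata_folder(proc)
    hits = []
    for line in o4_lines:
        entry = parse_o4(line)
        folder = programdata_folder(entry["target"]) if entry else None
        if folder and (folder == alert_folder or looks_random(folder)):
            hits.append(entry["target"])
    return hits
```

Run `suspicious_run_entries(SAMPLE_ALERT, SAMPLE_O4_LINES)` to get the list of autorun targets worth checking; the heuristic can false-positive on legitimate mixed-case folder names, so treat hits as triage candidates, not verdicts.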

Thanks, I really appreciate it :slight_smile:

I think this is it, I ran OTL and the first log came up without clicking scan? It just opened automatically.

The second attached log is after I manually ran a quick scan.

Are you still getting the alerts?

Nope, that seems to have stopped it. Thanks a lot :slight_smile:

Let it run for a bit and once you are happy let me know and I will remove my tools.

Everything is working fine now. Thanks for your help!

Give it a day or so and then report if OK, just to be sure.