"avast! Web Shield has blocked a harmful webpage or file" [LOGS ATTACHED]

Hi all,
Since two days ago (22/11/2014) Avast has begun displaying this error message: “avast! Web Shield has blocked a harmful webpage or file.”

Upon clicking on the error messages, I was led to an Avast webpage with these details:

URL
hxxp://tsangakha.com/b/opt/288245620E5353051415B64D
Infection
URL:Mal

and
URL
hxxp://bnswhat.su/b/opt/4C61600C102BA7500A6D4218
Infection
URL:Mal

and

URL
hxxp://bnswhat.su/b/opt/1C7EC8079074E2AA8A3207E2
Infection
URL:Mal

The redirected webpage seems to be varying, on the first day it was ‘rumerse.com’.

The affected process is C:\Windows\explorer.exe across all alerts.

These alerts come in bursts of 2 to 4 times every 10 seconds or so.

So far I have scanned using Avast Boot-scan, Spybot S&D, Malwarebytes and AdwCleaner, and have carried out their respective recommended actions. Still, Web Shield continues with these alerts.

I have generated logs according to the To-do stickied thread, attached are the logs from Malwarebytes, FRST and aswMBR. Please pardon the aswMBR log that is kinda clogged up with Log Saves, the scanner kept failing halfway through and that was the only way I could assure I had a log of any kind. Strangely, the scan managed to complete when I kept up with the saves.

EXTRA NOTES: If it helps, there were quite a few suspicious things going on while the aswMBR scan was being done.

  1. Avast Antivirus suddenly caught two Win32:Evo-gen infections. However, when I chose ‘Fix Automatically’, the infected file could not be found. When I navigated to the folder in question, the infected file was not there either. SS of incidents are attached in post below.

  2. Then, explorer.exe stopped working and had to restart itself. SS is also attached in post below.

Any help is appreciated, and many thanks in advance.

Here are the SS of incidents mentioned in OP, posted here because of attachment restrictions.

https://drive.google.com/folderview?id=0B05KVjAH3D6gSzNCSGNDb1J4cVE&usp=sharing

This will stop the alerts

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

HKU\S-1-5-21-4262379184-666637543-835322669-1000\...\Run: [IZBsoft] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\NovaWill\AppData\Local\Uhmzmedia\ggWebDlg.dll
ShellIconOverlayIdentifiers: [1SecureIconsProvider] -> {FC9D8189-520A-4417-AED7-9EAC810C6FBA} => C:\ProgramData\Microsoft\Secure\Icons\SecureIconsProvider.dll ()
ShellIconOverlayIdentifiers: [FunOverlay] -> {A5662DF9-0C2E-4A56-9FE1-BACFF6966D88} => No File
ShellIconOverlayIdentifiers: [SugarSyncBackedUp] -> {0C4A258A-3F3B-4FFF-80A7-9B3BEC139472} => No File
ShellIconOverlayIdentifiers: [SugarSyncPending] -> {62CCD8E3-9C21-41E1-B55E-1E26DFC68511} => No File
ShellIconOverlayIdentifiers: [SugarSyncRoot] -> {A759AFF6-5851-457D-A540-F4ECED148351} => No File
ShellIconOverlayIdentifiers: [SugarSyncShared] -> {1574C9EF-7D58-488F-B358-8B78C1538F51} => No File
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKLM-x32 -> DefaultScope {EEE6C360-6118-11DC-9C72-001320C79847} URL =
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll No File
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll No File
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll No File
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
FF NetworkProxy: "autoconfig_url", "data:text/javascript,function%20FindProxyForURL(url%2C%20host)%20%7Bif%20(url.indexOf('discoverymedia.com')%20!%3D%20-1%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fdsc.discovery.com%2F*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fsongza.com*')%20%7C%7C%20host%20%3D%3D%20's.hulu.com'%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fplay.spotify.com*')%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Fplay.spotify.com*')%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Fwww.spotify.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.spotify.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fgrooveshark.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fretro.grooveshark.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fhtml5.grooveshark.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Flisten.grooveshark.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.grooveshark.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fpiki.fm*')%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Fpiki.fm*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.rdio.com*')%20%7C%7C%20(url.indexOf('proxmate%3Dactive')%20!%3D%20-1%20%26%26%20url.indexOf('amazonaws.com')%20%3D%3D%20-1)%20%7C%7C%20(url.indexOf('proxmate%3Dus')%20!%3D%20-1)%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Fwww.daisuki.net*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.crunchyroll.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.last.fm*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fext.last.fm*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.mtv.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fmedia.mtvnservices.com*')%20%7C%7C%20host%20%3D%3D%20'www.pandora.com'%20%7C%7C%20url.indexOf('vevo.com')%20!%3D%20-1%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.iheart.com*')%20%7C%7C%20url.indexOf('southparkstudios.com')%20!%3D%20-1%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.funimation.com*')%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Fsecure.funimation.com*'))%20%7B%20return%20'PROXY%20ab-us04.personalitycores.com%3A8000%3B%20PROXY%20ab-us03.personalitycores.com%3A8000%3B%20PROXY%20ab-us01.personalitycores.com%3A8000%3B%20PROXY%20ab-us05.personalitycores.com%3A8000%3B%20PROXY%20ab-us10.personalitycores.com%3A8000%3B%20PROXY%20ab-us02.personalitycores.com%3A8000%3B%20PROXY%20ab-us07.personalitycores.com%3A8000%3B%20PROXY%20ab-us09.personalitycores.com%3A8000%3B%20PROXY%20ab-us06.personalitycores.com%3A8000'%3B%7D%20%20else%20%7B%20return%20'DIRECT'%3B%20%7D%7D"
FF NetworkProxy: "type", 2
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll No File
FF Plugin-x32: @funshion.com/npFunshion -> C:\Users\NovaWill\funshion\funshiontools\npFunshion.dll ( )
FF Plugin HKU\S-1-5-21-4262379184-666637543-835322669-1000: ubisoft.com/uplaypc -> C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll No File
2014-11-17 23:53 - 2014-11-22 20:45 - 00000000 ____D () C:\Users\NovaWill\AppData\Local\Oxgics
2014-11-17 23:53 - 2014-11-19 10:32 - 00000000 ____D () C:\Users\NovaWill\AppData\Local\Uhmzmedia
C:\ProgramData\Microsoft\Secure
C:\Users\NovaWill\funshion
C:\Users\NovaWill\AppData\Local\Uhmzmedia
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on “Clean”.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Hi Essexboy,

Thanks for replying! I have attached the FRST Fixlog as per instruction.

However, I cannot download AdwCleaner as Avast has blocked it as a rootkit. Could it be that the initial infection somehow prevents me from downloading it? In any case, I have attached SS of the Avast alerts. When I choose ‘Fix Automatically’, it deletes the AdwCleaner executable from my desktop.

The initial infections are still being reported by Avast, albeit with redirection to different websites.

However, I cannot download AdwCleaner as Avast has blocked it as a rootkit.
happens all the time with these tools .... especially after every update

right click avast tray icon and pause shields … then download and run

OK I’ve done what Pondus recommended so here goes the remaining log… ;D

Have the alerts ceased now ?

Nope, they haven’t.

Could you screenshot the Avast popup please and attach that

The websites it redirects to vary often, so here are 4 examples.

By the way, thanks again for the help, Essexboy.

OK, let's increase the size of the hammer :slight_smile:

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.

I like the sound of that! Hang on…

Here’s the log. Sorry about the Spybot S&D and Windows Defender running in the background though, they were not inside the System Tray and I missed them.

Do you want me to retry Combofix.exe again?

As of now the same Avast alerts are still popping up.

Combofix should have alerted to the fact they were still enabled…

Regardless, it appears as if CF (“The Big Hammer”) has completed successfully. If Essex needs it re-run, he’ll let ya know :slight_smile:

Hmm this looks like it may turn into a hunt

  1. Close any open browsers.

  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  3. Open notepad and copy/paste the text in the quotebox below into it:

Renv:: c:\program files (x86)\Wizet\MapleStorySEA\MapleStory .exe

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

THEN

Could you run a fresh FRST scan please, but this time tick shortcuts.txt as well, and attach the two logs generated.

Alright, here it is. From the time I posted this, the Avast alerts are still coming up.

P.S. I will be going overseas for about a week, thank you all for the help so far. See you soon back on this desktop.

Could you uninstall Spybot please as it is reversing some of my registry changes

Then :

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-4262379184-666637543-835322669-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
FF NetworkProxy: "autoconfig_url", "data:text/javascript,function%20FindProxyForURL(url%2C%20host)%20%7Bif%20(url.indexOf('discoverymedia.com')%20!%3D%20-1%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fdsc.discovery.com%2F*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fsongza.com*')%20%7C%7C%20host%20%3D%3D%20's.hulu.com'%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fplay.spotify.com*')%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Fplay.spotify.com*')%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Fwww.spotify.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.spotify.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fgrooveshark.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fretro.grooveshark.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fhtml5.grooveshark.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Flisten.grooveshark.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.grooveshark.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fpiki.fm*')%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Fpiki.fm*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.rdio.com*')%20%7C%7C%20(url.indexOf('proxmate%3Dactive')%20!%3D%20-1%20%26%26%20url.indexOf('amazonaws.com')%20%3D%3D%20-1)%20%7C%7C%20(url.indexOf('proxmate%3Dus')%20!%3D%20-1)%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Fwww.daisuki.net*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.crunchyroll.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.last.fm*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fext.last.fm*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.mtv.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fmedia.mtvnservices.com*')%20%7C%7C%20host%20%3D%3D%20'www.pandora.com'%20%7C%7C%20url.indexOf('vevo.com')%20!%3D%20-1%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.iheart.com*')%20%7C%7C%20url.indexOf('southparkstudios.com')%20!%3D%20-1%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.funimation.com*')%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Fsecure.funimation.com*'))%20%7B%20return%20'PROXY%20ab-us04.personalitycores.com%3A8000%3B%20PROXY%20ab-us03.personalitycores.com%3A8000%3B%20PROXY%20ab-us01.personalitycores.com%3A8000%3B%20PROXY%20ab-us05.personalitycores.com%3A8000%3B%20PROXY%20ab-us10.personalitycores.com%3A8000%3B%20PROXY%20ab-us02.personalitycores.com%3A8000%3B%20PROXY%20ab-us07.personalitycores.com%3A8000%3B%20PROXY%20ab-us09.personalitycores.com%3A8000%3B%20PROXY%20ab-us06.personalitycores.com%3A8000'%3B%7D%20%20else%20%7B%20return%20'DIRECT'%3B%20%7D%7D"
FF NetworkProxy: "socks_remote_dns", true
FF NetworkProxy: "type", 0
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\??\?? ??.lnk -> C:\Program Files (x86)\Funshion Online\2.8.9.7\Uninstall.exe (No File)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\??\??.lnk -> C:\Program Files (x86)\Funshion Online\2.8.9.7\Funshion.exe (No File)
Shortcut: C:\ProgramData\Application Data\Microsoft\Windows\Start Menu\Programs\??\?? ??.lnk -> C:\Program Files (x86)\Funshion Online\2.8.9.7\Uninstall.exe (No File)
Shortcut: C:\ProgramData\Application Data\Microsoft\Windows\Start Menu\Programs\??\??.lnk -> C:\Program Files (x86)\Funshion Online\2.8.9.7\Funshion.exe (No File)
Shortcut: C:\ProgramData\Application Data\Application Data\Microsoft\Windows\Start Menu\??.lnk -> C:\Program Files (x86)\Funshion Online\2.8.9.7\Funshion.exe (No File)
Shortcut: C:\ProgramData\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\??\?? ??.lnk -> C:\Program Files (x86)\Funshion Online\2.8.9.7\Uninstall.exe (No File)
Shortcut: C:\ProgramData\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\??\??.lnk -> C:\Program Files (x86)\Funshion Online\2.8.9.7\Funshion.exe (No File)
C:\Program Files (x86)\Funshion Online
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that.

Done! Fixlog attached.

Currently the avast alerts are still coming.

Could you attach a screenshot of the Avast popup please

It’s attached. Seems to have been narrowed down though; this was the only alert that came up in the past thirty minutes.