Constant Avast Web Malware warnings

On a particular computer, using Avast Free Antivirus, version 2014.9.0.2011, definitions 141030-1

Symptoms:

  1. Frequent warnings from the web shield saying “Infection blocked” at a URL, followed by an address such as one of these:

hxxp://88.214.194.199/19960834/MjAwMDQ4MA==/?l=eyJhYyI6MjUsInBjIjo2MCwidWlkIjoxMDAyNCwic3ViaWQiOiIyMDAwN

hxxp://xmlka.com/click?app=app20&click=7bec4754-28ea-4a4a-bcf9-a90925f5d6aa&search=2a9bf97e-6f01-42cf-b9d4-137c97e1e159&feed=18407&subid=70329

hxxp://rythenaretwo.eu/j188227172106/gate.php

This can occur even when all web browsers are closed and just working on an Office file or playing a game.

  2. The Explorer.exe process goes berserk. It grows in size, reaching over 4 GB, with heavy processor use. Attempts to “stop process” take a long time or fail entirely. However, if I try to run other programs, explorer will reduce in size.

  3. Messages pop up saying something like Explorer.Exe click to update. This is ignored.

  4. Mysterious folders appear in the User/Appdata/LocalLow folder, typically under Apple or Adobe but could be elsewhere. The folder names are gibberish letters. Inside the folder are a bunch of empty folders and one called “Google”, and inside that is Chrome. Note: Chrome is NOT installed on this computer. Browsers are Firefox and IE.

  5. When shutting down the computer, sometimes the process is slow as it switches from the desktop to the shutting-down screen. Just before that, a bunch of what appear to be web pages or advertisements flash by extremely fast.

  6. Ran an Avast boot scan. Found HTML:RedirBA-inf [TRJ] and quarantined it; however, on reboot the problem still remains with excessive Explorer.exe.

  7. User received a popup to update Windows Media Player and may have clicked on that before all of this started 3-4 weeks ago. Also the user might have installed software from the Internet to watch television programs only available in foreign markets. User has been chastised.

Attach your basic logs. (MBAM, FRST and aswMBR…!!)
Instructions: https://forum.avast.com/index.php?topic=53253.0

Here are the logs. Note all of these were run from safe mode. While in safe mode, I did not notice any unusual explorer.exe behavior.

I was not allowed to post MBR.dat file so I assume you don’t need that.

CAUTION: This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

HKCU Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKCU Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
HKU\S-1-5-21-645520271-2940420500-1820277929-1001\...\MountPoints2: {68ca6db3-d46a-11de-a43b-806e6f6e6963} - D:\autorun.exe -auto
HKU\S-1-5-21-645520271-2940420500-1820277929-1001\...\MountPoints2: {be07c763-f971-11e0-bdff-90e6ba68ebe7} - I:\Bolt.exe
GroupPolicyUsers\S-1-5-21-645520271-2940420500-1820277929-1001\User: Group Policy restriction detected <======= ATTENTION
Toolbar: HKLM - avast! WebRep - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
2014-10-21 10:52 - 2014-10-31 01:38 - 00000000 ___HD () C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
2014-10-22 17:38 - 2009-07-13 22:09 - 00000000 ____D () C:\Windows\System32\Tasks\WPD
Task: {6CBF50C5-9D21-4CA4-A1E1-01BD26E9A06D} - System32\Tasks\{DC9073C9-41C5-4F16-9678-DC60993EB4E4} => D:\setup.exe
C:\Users\Playroom\gotomypc_438.exe
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Download Process Explorer to your desktop from here: http://technet.microsoft.com/en-gb/sysinternals/bb896653.aspx
Open Process Explorer and from the menu bar select View > Lower Pane.
Select Explorer.exe.
A lower window will open.
Then on the menu bar go to File > Save as…
Then select the desktop and click Save.
On the desktop there will then be a text file called explorer; please attach that.
You may need to edit the file name from explorer.exe.txt to explorer.txt to allow it to be attached.
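A host-triage script added here as an example (it is not from this thread, from Avast or from FRST) that checks a Windows machine for the indicators reported in the symptom list and in the fixlist above: explorer.exe memory growth, a Google\Chrome folder tree under AppData\LocalLow on a machine where Chrome is not installed, MountPoints2 AutoRun commands, and scheduled tasks whose action runs from a drive other than the system drive. The 1 GB alert threshold, the Chrome install paths and the English schtasks column names are assumptions.

```powershell
# Added triage script (not from the thread). Thresholds and paths are assumptions.
function Get-ThreadIndicators {
    $findings = @()

    # 1. explorer.exe memory growth (the report cites a process over 4 GB).
    $limit = 1GB   # assumed alert threshold; explorer.exe should never come near this
    foreach ($p in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
        if ($p.WorkingSet64 -gt $limit) {
            $findings += "explorer.exe PID $($p.Id) working set $([math]::Round($p.WorkingSet64 / 1MB)) MB"
        }
    }

    # 2. Google\Chrome folder trees under AppData\LocalLow while Chrome is not installed
    #    (assumed install locations; adjust if Chrome lives elsewhere on the host).
    $chromeInstalled = (Test-Path "$env:ProgramFiles\Google\Chrome") -or
                       (Test-Path "${env:ProgramFiles(x86)}\Google\Chrome")
    $localLow = Join-Path $env:USERPROFILE 'AppData\LocalLow'
    Get-ChildItem -Path $localLow -Recurse -Filter 'Chrome' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Parent.Name -eq 'Google' } |
        ForEach-Object {
            if (-not $chromeInstalled) { $findings += "Unexpected Chrome folder tree: $($_.FullName)" }
        }

    # 3. MountPoints2 AutoRun handlers (the FRST fixlist shows D:\autorun.exe and I:\Bolt.exe).
    $mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    Get-ChildItem -Path $mp -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -eq 'command' -and $_.PSParentPath -like '*\AutoRun' } |
        ForEach-Object {
            $cmd = (Get-ItemProperty -Path $_.PSPath).'(default)'
            if ($cmd) { $findings += "MountPoints2 AutoRun command: $cmd" }
        }

    # 4. Scheduled tasks whose action lives outside the system drive (fixlist shows D:\setup.exe).
    #    Uses schtasks.exe so it also works on Windows 7; column names assume English output.
    schtasks.exe /query /fo csv /v 2>$null | ConvertFrom-Csv | ForEach-Object {
        $action = "$($_.'Task To Run')".Trim('"')
        if ($action -match '^[A-Za-z]:\\' -and $action -notlike "$env:SystemDrive*") {
            $findings += "Task $($_.TaskName) runs $action"
        }
    }

    if ($findings.Count -eq 0) { 'No indicators from the thread found.' } else { $findings }
}

Get-ThreadIndicators
```

Run it from an elevated PowerShell prompt on the affected machine and compare the output against the FRST log; any finding is a lead, not proof, so confirm each one before acting on it.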

Here are the two requested logs.

Note: On boot up this morning computer hung at loading screen with message “Please wait” and black screen. However, another computer on the network could see the folders on the subject computer.

Does the system boot normally now? And are the alerts still present?

Will monitor next 24 hours and see. Thanks.