non-stop Avast alerts blocking hxxps://188.165.198.52

Hello. I need help to resolve what seems to be a virus or malware on my computer.

My problem is similar to the problems described by another poster in this thread: https://forum.avast.com/index.php?topic=158137.0;prev_next=next#new

I am getting this Avast alert constantly, every few seconds:

Avast Web Shield has blocked a harmful webpage or file.
Object: hxxps://188.165.198.52
Infection: URL: Mal
Process C:\Windows\explorer.exe

I also previously received countless similar alerts with the only difference being that the Object was reported as hxxps:\svadxvbtuc8.com.

Recently, the computer had been crashing 1-2 times daily without producing any minidump files even after I configured my system to record minidumps as explained in other forums like bleepingcomputer.com. The blue screen error messages referred to a faulty driver on the kernel stack and identified it as aswsp.sys, which I read elsewhere is an Avast file. A few days ago, I uninstalled and reinstalled Avast in Safe Mode and since then have not had any crashes, but now I get these Avast alerts literally non-stop and the system is very slow, so there is clearly something still wrong.

I have run MalwareBytes Anti-Malware (including the scan for rootkits) several times over the past few days. It initially found several things that it fixed, but when I run it now no problems are found.

I ran Farbar Recovery Scan Tool and have attached the .txt logs here for review.

When I attempted to run aswMBR.exe, the computer crashed and the blue screen error message stated that the aswMBR.sys driver was at fault.

If anyone can help me fix this problem, I would be very grateful! Thank you for your time.

Here is the Malwarebytes’ Anti-Malware log.

I tried again to run aswMBR.exe, this time in Safe Mode. When I previously tried to run it after a normal boot, the computer crashed as soon as I clicked to open the file. When I tried it in Safe Mode, the program launched okay but it froze shortly after I started the scan. The program always hangs at the same point, when the scan is at the file “C:\Windows\system32\drivers\tsusbflt.sys.”

I hope this additional information is somehow useful in diagnosing the problem. Thanks in advance for any help.

Hey, aswMBR does not run on Windows 8 and above, so no need to attach it. The expert will be here to help you later today, so be patient.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

BHO-x32: No Name -> {9D974C8C-6D92-44FB-BEAF-B45A1C0CF17F} -> No File
Toolbar: HKLM-x32 - No Name - {A1BDF46B-9DE6-4090-8791-84F26E00934C} - No File
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
CHR HKCU\...\Chrome\Extension: [bblmmloknbmfjgdjcdmmgpajlebiciec] - C:\Users\Meesh!\AppData\Local\CRE\bblmmloknbmfjgdjcdmmgpajlebiciec.crx []
CHR HKLM-x32\...\Chrome\Extension: [bblmmloknbmfjgdjcdmmgpajlebiciec] - C:\Users\Meesh!\AppData\Local\CRE\bblmmloknbmfjgdjcdmmgpajlebiciec.crx []
2014-10-20 22:28 - 2014-10-27 17:17 - 00000000 ___HD () C:\ProgramData\{CA2FACF7-9029-4A21-892B-E7F60B39FF1A}
CustomCLSID: HKU\S-1-5-21-517968910-2589987697-1092317901-1000_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> No File
Task: C:\Windows\Tasks\EasyShare Registration Task.job => @‰Q¹ äˆC¼œ<U\À¥ÅFa< sÀ €!Þa 2ö!C:\Windows\system32\rundll32.exeZC:\PROGRA~3\Kodak\EasyShareSetup\$REGIS~1\Registration_8.3.30.1.sxt _RegistrationOffer@16aMeesh!0Ûa 2
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Download Process Explorer to your desktop from here: http://technet.microsoft.com/en-gb/sysinternals/bb896653.aspx
Open Process Explorer and from the menu bar select View > Lower Pane
Select explorer.exe
A lower window will open
Then on the menu bar go to File > Save as…
Then select the desktop and click Save
On the desktop will then be a text file called explorer; please attach that
You may need to edit the file name from explorer.exe.txt to explorer.txt to allow it to be attached
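The Process Explorer step above is there to see what has been loaded into explorer.exe, since that is the process Avast names in the alert. The script below is an added example and is not part of the original thread or the helper's instructions: it gathers the same information from PowerShell, lists every module loaded in explorer.exe with its Authenticode signature status, flags anything unsigned, non-Microsoft, or loaded from outside the Windows directory, and appends any current connection to the blocked address so the owning PID is visible. It assumes Windows 7 or later with PowerShell 2.0 or newer, run from a normal (non-elevated) console; the IP address is the one quoted in the Avast alert, and the output file name matches the one the helper asked for.

```powershell
# Added example, not from the original thread. Dumps the modules loaded in
# explorer.exe (what Process Explorer's lower pane shows) with signature checks,
# plus any live connection to the address from the Avast alert.
# Assumes Windows 7+ and PowerShell 2.0+, run without elevation.
$blockedIp = '188.165.198.52'   # address from the Avast Web Shield alert
$outFile   = Join-Path ([Environment]::GetFolderPath('Desktop')) 'explorer.txt'

$report = New-Object System.Collections.ArrayList
foreach ($proc in (Get-Process -Name explorer -ErrorAction Stop)) {
    $modules = @()
    try { $modules = $proc.Modules } catch { $modules = @() }   # 32/64-bit mismatch throws here
    foreach ($m in $modules) {
        $sig = $null
        try { $sig = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction Stop } catch {}
        $status = if ($sig) { $sig.Status.ToString() } else { 'Unknown' }
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $null = $report.Add((New-Object PSObject -Property @{
            PID    = $proc.Id
            Module = $m.ModuleName
            Path   = $m.FileName
            Status = $status
            Signer = $signer
        }))
    }
}

# Anything unsigned, not signed by Microsoft, or living outside %windir% deserves a
# look: an injected DLL driving explorer.exe's web traffic would show up here.
$suspect = $report | Where-Object {
    $_.Status -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' -or $_.Path -notlike "$env:windir\*"
}

$lines  = @('== Modules loaded in explorer.exe ==')
$lines += ($report | Sort-Object Path | Format-Table PID, Status, Module, Path -AutoSize | Out-String -Width 300)
$lines += "== Modules worth checking (unsigned / non-Microsoft / outside $env:windir) =="
$lines += ($suspect | Format-Table PID, Status, Signer, Path -AutoSize | Out-String -Width 300)
$lines += "== Current connections to $blockedIp (last column is the owning PID) =="
# netstat -ano prints the owning PID; match the IP literally rather than as a regex.
$lines += (netstat -ano | Select-String -SimpleMatch $blockedIp | ForEach-Object { $_.Line })
$lines | Set-Content -Path $outFile
Write-Output "Report written to $outFile"
```

The "worth checking" section is the part to read first: a module from a user-writable location such as AppData or ProgramData, or one whose signature status is anything other than Valid, is what to search for by hash before deciding what to remove. An empty connections section does not clear the machine, since the Web Shield block only fires at the moment of the request; run the script while the alerts are actually appearing.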

Hello. Thank you very much for your assistance!

The Fixlog.txt file is attached.

When I run Process Explorer, however, the computer crashes. It runs fine until I select Lower Pane View and highlight explorer.exe, then it immediately crashes. This has happened three times. I can either view the lower pane or select explorer.exe, but the moment that I do both at the same time, it goes to blue screen. The blue screen error message states that there is a faulty driver on the kernel stack and identifies it as ProcExp152.sys. I also ran BlueScreenView.exe and it indicates that the crashes were caused by compositebus.sys and/or ntoskrnl.exe. I don’t really understand what any of this means, though.

Please let me know if you have further suggestions. Thanks again.

In reply to mikaelrask:

Thanks for your comments, but actually my system is Windows 7 Home Premium 64-bit SP1. Guess I should have mentioned that in my original post.

Could you temporarily uninstall DAEMON Tools Lite please, then reboot. Does the alert stop?

Well, I failed to mention earlier that I have not received any Avast alerts today at all, even prior to running the fix that you provided. Two days ago, there were no alerts the whole day, either, and yet the alerts resumed yesterday and continued non-stop all day long. Therefore, I did not interpret the absence of alerts this morning (prior to running your fix) as indicative that the problem had been resolved. I cannot think of anything that I did differently each day to explain why the alerts, which had been plaguing my computer for nearly a week, temporarily stopped on Monday, resumed on Tuesday, and then stopped again today.

I will uninstall DAEMON Tools Lite anyhow and let you know if anything changes. Thanks again for sharing your time and expertise.

Thanks for the update, as this is proving a beast to locate.

Hi. Just thought I should post another update and ask if things look all clear at this point. I have attached fresh logs in case you could take another look and let me know if you advise anything further.

I haven’t had any Avast alerts at all for a few days now, so I am hopeful that the problem is solved! As I mentioned previously, the alerts actually seem to have stopped before I ran your fix. But the system still seemed abnormally slow for a while even though there were no alerts. For the past couple of days, though, things seem back to normal.

Also, I tried running Process Explorer again and this time was able to view the lower screen and save the log for explorer.exe, which I have also attached. I think what triggered the crashes when I ran it previously was that I selected “Run as administrator” to open the program. After successfully using the program when opening it normally, I tested it by trying again with “Run as administrator” and it crashed again, so I think that explains it. I don’t know when it’s necessary to run a program as the administrator and when not to, but I thought I had read somewhere that it may be necessary when running utility programs like this. Anyway, you might want to advise people who report problems that they should not ignorantly choose “Run as administrator” to open Process Explorer.

Lastly, I thought I should let you know that, since running your fix, the system now writes minidumps when it crashes, so that’s another improvement.

Thank you very much for your help! I am so glad to have my computer working normally again.

In that case methinks I will send you on your merry way. Thanks for the info.

Subject to no further problems.

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day: your log now appears clean.

A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Keep Java Updated:

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article.

I would recommend that you completely uninstall Java unless you need it to run an important piece of software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software, and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser.)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto-ransomware.

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean.

It is critical to have both a firewall and anti-virus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe.

My way is now merry again, thanks so much to you!

I just have a couple of questions before I leave you:

  1. After I installed CryptoPrevent and applied the default protection level per your instructions, a pop-up message asked me if, since this is the first time that the program is “applying protection,” do I want to “whitelist all items in known blocked locations?” The message stated that this should be done only if the system is currently free of malware. I selected yes, to whitelist existing items. Was that the right choice? If not, can you please advise me how to change the settings?

  2. Would it be okay to install a fresh copy of DAEMON Tools Lite, or did you find some problem with this program?

Sorry to bother you with more questions after all the help you’ve already provided, but I want to make sure that I keep the system running clean in the future. Thanks again!

The settings are good for CryptoPrevent.

Yes, you can now re-install DAEMON Tools Lite if you wish.

Great, thank you again!