I am getting this Avast alert constantly, every few seconds:
Avast Web Shield has blocked a harmful webpage or file.
Object: hxxps://188.165.198.52
Infection: URL: Mal
Process C:\Windows\explorer.exe
I also previously received countless similar alerts with the only difference being that the Object was reported as hxxps:\svadxvbtuc8.com.
Recently, the computer had been crashing 1-2 times daily without producing any minidump files even after I configured my system to record minidumps as explained in other forums like bleepingcomputer.com. The blue screen error messages referred to a faulty driver on the kernel stack and identified it as aswsp.sys, which I read elsewhere is an Avast file. A few days ago, I uninstalled and reinstalled Avast in Safe Mode and since then have not had any crashes, but now I get these Avast alerts literally non-stop and the system is very slow, so there is clearly something still wrong.
I have run MalwareBytes Anti-Malware (including the scan for rootkits) several times over the past few days. It initially found several things that it fixed, but when I run it now no problems are found.
I ran Farbar Recovery Scan Tool and have attached the .txt logs here for review.
When I attempted to run aswMBR.exe, the computer crashed and the blue screen error message stated that the aswMBR.sys driver was at fault.
If anyone can help me fix this problem, I would be very grateful! Thank you for your time.
I tried again to run aswMBR.exe, this time in Safe Mode. When I previously tried to run it after a normal boot, the computer crashed as soon as I clicked to open the file. When I tried it in Safe Mode, the program launched okay but it froze shortly after I started the scan. The program always hangs at the same point, when the scan is at the file “C:\Windows\system32\drivers\tsusbflt.sys.”
I hope this additional information is somehow useful in diagnosing the problem. Thanks in advance for any help.
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
BHO-x32: No Name -> {9D974C8C-6D92-44FB-BEAF-B45A1C0CF17F} -> No File
Toolbar: HKLM-x32 - No Name - {A1BDF46B-9DE6-4090-8791-84F26E00934C} - No File
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
CHR HKCU\...\Chrome\Extension: [bblmmloknbmfjgdjcdmmgpajlebiciec] - C:\Users\Meesh!\AppData\Local\CRE\bblmmloknbmfjgdjcdmmgpajlebiciec.crx []
CHR HKLM-x32\...\Chrome\Extension: [bblmmloknbmfjgdjcdmmgpajlebiciec] - C:\Users\Meesh!\AppData\Local\CRE\bblmmloknbmfjgdjcdmmgpajlebiciec.crx []
2014-10-20 22:28 - 2014-10-27 17:17 - 00000000 ___HD () C:\ProgramData\{CA2FACF7-9029-4A21-892B-E7F60B39FF1A}
CustomCLSID: HKU\S-1-5-21-517968910-2589987697-1092317901-1000_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> No File
Task: C:\Windows\Tasks\EasyShare Registration Task.job => @‰Q¹
äˆC¼œ<U\À¥ÅFa<
sÀ €!Þa
2ö!C:\Windows\system32\rundll32.exeZC:\PROGRA~3\Kodak\EasyShareSetup\$REGIS~1\Registration_8.3.30.1.sxt _RegistrationOffer@16aMeesh!0Ûa2
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that
THEN
Download to your desktop process explorer from here http://technet.microsoft.com/en-gb/sysinternals/bb896653.aspx
Open process explorer and from the menu bar select View > Lower Pane
Select Explorer.exe
A Lower window will open
Then on the menu bar go to File > Save as…
Then select the desktop and click save
On the desktop will then be a text file called explorer please attach that
You may need to edit the file name from explorer.exe.txt to explorer.txt to allow it to be attached
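The fixlist above is built by picking out log entries that point at nothing (the "No File" BHO and toolbar CLSIDs), a Chrome extension force-installed from a .crx outside Chrome's own profile, a hidden GUID-named folder in ProgramData, and a .job task launching rundll32.exe. The following added example (not part of the thread and not FRST's own code) automates that triage over constructed sample lines with placeholder paths and emits a fixlist in the same shape:

```python
import re

# Constructed sample lines in FRST log style; usernames and paths are placeholders.
SAMPLE_FRST_LINES = [
    "BHO-x32: No Name -> {9D974C8C-6D92-44FB-BEAF-B45A1C0CF17F} -> No File",
    "Toolbar: HKLM-x32 - No Name - {A1BDF46B-9DE6-4090-8791-84F26E00934C} - No File",
    "CHR HKCU\\...\\Chrome\\Extension: [bblmmloknbmfjgdjcdmmgpajlebiciec] - "
    "C:\\Users\\user\\AppData\\Local\\CRE\\bblmmloknbmfjgdjcdmmgpajlebiciec.crx []",
    "CHR HKCU\\...\\Chrome\\Extension: [aapocclcgogkmnckokdopfmhonfmgoek] - "
    "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\"
    "aapocclcgogkmnckokdopfmhonfmgoek [2014-10-01]",
    "2014-10-20 22:28 - 2014-10-27 17:17 - 00000000 ___HD () "
    "C:\\ProgramData\\{CA2FACF7-9029-4A21-892B-E7F60B39FF1A}",
    "Task: C:\\Windows\\Tasks\\EasyShare Registration Task.job => "
    "C:\\Windows\\system32\\rundll32.exe (constructed, target truncated)",
    "BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> "
    "C:\\Program Files\\Java\\jre7\\bin\\ssv.dll [2014-08-01] (Oracle Corporation)",
]

GUID_RE = re.compile(r"\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}", re.I)
CHR_EXT_RE = re.compile(r"^CHR .*Chrome\\Extension: \[(\w+)\] - (.+?) \[")
# "date - date - size ATTRS () path": ATTRS is FRST's 5-char attribute field (H = hidden).
DIR_RE = re.compile(r"^\d{4}-\d\d-\d\d .* - \d{8} ([_A-Z]{5}) \(\) (.+)$")


def triage_frst_line(line: str):
    """Return a reason if the line belongs in a fixlist, else None."""
    if line.rstrip().endswith("No File"):
        return "orphaned registry reference (target file no longer exists)"
    m = CHR_EXT_RE.match(line)
    if m:
        ext_id, path = m.groups()
        if "\\Chrome\\User Data\\" not in path:  # installed via registry from outside the profile
            return f"Chrome extension {ext_id} force-installed from {path}"
        return None
    m = DIR_RE.match(line)
    if m:
        attrs, path = m.groups()
        if "H" in attrs and GUID_RE.search(path) and path.lower().startswith("c:\\programdata"):
            return "hidden GUID-named folder in ProgramData"
        return None
    if line.startswith("Task:") and "rundll32.exe" in line.lower():
        return "scheduled task launching rundll32.exe (review its target)"
    return None


def triage_frst(lines):
    return [(line, reason) for line in lines if (reason := triage_frst_line(line))]


def build_fixlist(lines):
    # Same layout as the helper's fixlist: flagged entries, then EmptyTemp: to clear temp files.
    return "\n".join([line for line, _ in triage_frst(lines)] + ["EmptyTemp:"]) + "\n"
```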
When I run Process Explorer, however, the computer crashes. It runs fine until I select Lower Pane View and highlight explorer.exe, then it immediately crashes. This has happened three times. I can either view the lower pane or select explorer.exe, but the moment that I do both at the same time, it goes to blue screen. The blue screen error message states that there is a faulty driver on the kernel stack and identifies it as ProcExp152.sys. I also ran BlueScreenView.exe and it indicates that the crashes were caused by compositebus.sys and/or ntoskrnl.exe. I don’t really understand what any of this means, though.
Please let me know if you have further suggestions. Thanks again.
Well, I failed to mention earlier that I have not received any Avast alerts today at all, even prior to running the fix that you provided. Two days ago, there were no alerts the whole day, either, and yet the alerts resumed yesterday and continued non-stop all day long. Therefore, I did not interpret the absence of alerts this morning (prior to running your fix) as indicative that the problem had been resolved. I cannot think of anything that I did differently each day to explain why the alerts, which had been plaguing my computer for nearly a week, temporarily stopped on Monday, resumed on Tuesday, and then stopped again today.
I will uninstall DAEMON Tools Lite anyhow and let you know if anything changes. Thanks again for sharing your time and expertise.
Hi. Just thought I should post another update and ask if things look all clear at this point. I have attached fresh logs in case you could take another look and let me know if you advise anything further.
I haven’t had any Avast alerts at all for a few days now, so I am hopeful that the problem is solved! As I mentioned previously, the alerts actually seem to have stopped before I ran your fix. But the system still seemed abnormally slow for a while even though there were no alerts. For the past couple of days, though, things seem back to normal.
Also, I tried running Process Explorer again and this time was able to view the lower screen and save the log for explorer.exe, which I have also attached. I think what triggered the crashes when I ran it previously was that I selected “Run as administrator” to open the program. After successfully using the program when opening it normally, I tested it by trying again with “Run as administrator” and it crashed again, so I think that explains it. I don’t know when it’s necessary to run a program as the administrator and when not to, but I thought I had read somewhere that it may be necessary when running utility programs like this. Anyway, you might want to advise people who report problems that they should not ignorantly choose “Run as administrator” to open Process Explorer.
Lastly, I thought I should let you know that, since running your fix, the system now writes minidumps when it crashes, so that’s another improvement.
Thank you very much for your help! I am so glad to have my computer working normally again.
WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article
I would recommend that you completely uninstall Java unless you need it to run important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
CryptoPrevent: install this programme to lock down and prevent crypto ransomware
I just have a couple of questions before I leave you:
After I installed CryptoPrevent and applied the default protection level per your instructions, a pop-up message asked me if, since this is the first time that the program is “applying protection,” do I want to “whitelist all items in known blocked locations?” The message stated that this should be done only if the system is currently free of malware. I selected yes, to whitelist existing items. Was that the right choice? If not, can you please advise me how to change the settings?
Would it be okay to install a fresh copy of DAEMON Tools Lite or did you find some problem with this program?
Sorry to bother you with more questions after all the help you’ve already provided, but I want to make sure that I keep the system running clean in the future. Thanks again!