Non-stop Avast "Web Shield has blocked a harmful webpage or file" alerts

For the last 2 days, I have been continually receiving the Avast alert “Web Shield has blocked a harmful webpage or file” when browsing in both Firefox and Explorer. It gives me a very long URL starting with “hxxp://38.71.2.31…”. My computer seems to run fine. An Avast full scan shows no viruses or problems. I installed and ran Malwarebytes, which came up with 1 risky file, since deleted. When I examine my “processes” in Task Manager, I see nothing inappropriate. I have deleted most files in my Temp folders. Yet, the alert continues to pop up. What is going on? Is there something on my computer? Or is this an overly sensitive setting in Avast? Perhaps as a result of recent Avast updates? I’ve read by others to just report these as false positives, but I’m hesitant to do this in case I’m wrong. What should I do?

Attach your logs. (MBAM, OTL and aswMBR…!!)
Instructions: http://forum.avast.com/index.php?topic=53253.0

I’m not sure; is this what you mean? This is the log from my Malwarebytes scan:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 6/14/2014
Scan Time: 2:16:55 PM
Logfile: MalwareBytesScanLog Jun 14.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.06.14.06
Rootkit Database: v2014.06.02.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Allen

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 278745
Time Elapsed: 7 min, 44 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

Yes, still we need your other logs as well.

When I try to post the OTL log I get this error:

The following error or errors occurred while posting this message:
The message exceeds the maximum allowed length (20000 characters).

? Pondus – Can’t tell – are you trying to be helpful or just goofing with me?

As Asyn said…Attach the logs…not copy and paste

See what he marked in red.

Okay, I’ve attached the OTL, Malwarebytes and aswMBR logs.

Any feedback would be appreciated.

Thanks,

Allen

Your OTL log is corrupted

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Select both shortcut and additions at the bottom
  • Press Scan button.

https://dl.dropboxusercontent.com/u/73555776/frst.JPG

  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please attach all 3 logs generated.

Hi, here are the 3 Farbar Recovery logs. Just out of curiosity, when you say that my OTL log is corrupted, do you see evidence of a virus or malware, or just that there are missing/damaged files, or something else?

Thanks,

Allen

OTL log is not readable… looks like Chinese gobbledygook

The OTL Log is corrupted, but you can still get data from it.

To parse the OTL log would take about 30 minutes and it is not complete

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Thanks; some questions:

  • Not sure when you say the OTL log looks like Chinese gobbledygook. It seems legible to me, in English. However, I’m not familiar with this stuff, so I don’t know what it’s supposed to look like.
  • Did you look at the Farbar logs I attached a little while ago? Did they provide any more info on what is going on?
  • When I tried to download Combofix, Avast blocked it. Is this normal-- is this why you say to turn off the anti-virus program?

Thanks,

Allen

Yes, temporarily disable Avast whilst ComboFix is being downloaded and run

The attached screenshot shows what the OTL log looked like

Wow – that’s not at all what the text file I saved looks like! Is there another way I can re-save the OTL log in its original form for you? I’ve pasted in the opening part of the file below to show you it’s not messed up.

Also, my problem is that I get Avast error messages that suggest some malware on my computer is trying to contact an unknown URL, which Avast is blocking. If I disable Avast to download and use Combofix, then I leave the door open for this (possible) malware to get through unblocked to its contact URL and cause more serious problems. So, I really do not want to disable Avast. Yet, I cannot download Combofix while Avast is working because Avast blocks it.

Allen

OTL logfile created on: 6/14/2014 3:12:13 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\The Foto Finisher\Downloads
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.11.9600.17126)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

11.43 Gb Total Physical Memory | 8.72 Gb Available Physical Memory | 76.31% Memory free
22.86 Gb Paging File | 19.63 Gb Available in Paging File | 85.87% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 1846.33 Gb Total Space | 834.91 Gb Free Space | 45.22% Space Free | Partition Type: NTFS
Drive D: | 16.59 Gb Total Space | 2.07 Gb Free Space | 12.49% Space Free | Partition Type: NTFS

Computer Name: FOTOFINISHER | User Name: The Foto Finisher | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2014/06/14 15:09:21 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\The Foto Finisher\Downloads\OTL.exe
PRC - [2014/06/10 12:01:02 | 000,275,568 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2014/06/06 09:37:05 | 003,890,208 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\avastui.exe
PRC - [2014/05/19 17:45:22 | 033,322,312 | ---- | M] (Dropbox, Inc.) -- C:\Users\The Foto Finisher\AppData\Roaming\Dropbox\bin\Dropbox.exe
PRC - [2014/05/13 20:32:15 | 001,863,856 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe
PRC - [2014/05/12 07:24:42 | 000,860,472 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
PRC - [2014/05/12 07:24:40 | 001,809,720 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
PRC - [2014/05/12 07:24:34 | 006,970,168 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
PRC - [2014/05/09 09:49:20 | 000,050,344 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2014/05/08 14:59:39 | 000,263,048 | ---- | M] (Google Inc.) -- C:\Program Files (x86)\Google\Update\1.3.24.7\GoogleCrashHandler.exe
PRC - [2014/03/11 23:36:06 | 000,247,968 | ---- | M] (Microsoft Corporation.) -- C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\SeaPort.EXE
PRC - [2013/12/20 23:04:16 | 000,065,432 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2013/09/07 09:14:38 | 000,055,624 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\SyncServer.exe
PRC - [2012/10/18 18:00:00 | 000,200,632 | R--- | M] (WinZip Computing, S.L.) -- C:\Program Files\WinZip\ZipSendService.exe
PRC - [2011/08/16 14:03:24 | 000,020,480 | ---- | M] (Hewlett-Packard) -- C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\HPTouchSmartSyncCalReminderApp.exe
PRC - [2011/08/16 14:03:16 | 000,016,384 | ---- | M] (Hewlett-Packard) -- C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe
PRC - [2011/08/12 09:54:32 | 001,128,952 | ---- | M] (PDF Complete Inc) -- C:\Program Files (x86)\PDF Complete\pdfsvc.exe
PRC - [2010/02/22 04:57:06 | 000,406,992 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe
PRC - [2010/02/04 22:47:34 | 000,093,376 | ---- | M] (OLYMPUS IMAGING CORP.) -- C:\Program Files (x86)\Olympus\ib\olycamdetect.exe
PRC - [2008/11/20 10:47:28 | 000,062,768 | ---- | M] (Hewlett-Packard) -- C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe

Follow Essexboy's instructions to the dot … he does this all day long, so he knows how this stuff works…

Okay, I ran Combofix; I attached the file because when I paste it into this reply my message exceeds the maximum size allowed. I believe that Combofix deleted 1 file and 1 folder in my Temp and/or User/App Data/Local folders.

My computer seems to run fine; I am not aware of any problems that may have occurred due to malware. As mentioned, I was getting many alerts from Avast Webshield saying it blocked a dangerous file or website (with a specific URL), yet I don’t know if there actually is something on my computer, or perhaps these were false alerts? Interestingly, after getting many alerts for 2 days, I have not seen any more since yesterday evening, but I’ve not been online that much.

What do you think? Am I okay, or do I need to do something more?

Also, as mentioned, my version of the OTL text file is not corrupted, so I can get that to you (perhaps as a Word file) if you want to see it.

Thank you,

Allen