Repeated notifications Web Shield has blocked a harmful webpage

I am getting repeated notifications (every 30 seconds or so)…

 Avast Web Shield has blocked a harmful webpage or file.
 Object:      http://reannewscomm.com/ads.php?sid=1921
 Infection:  URL:Mal
 Process:    C:\Windows\explorer.exe

I am guessing I have some kind of virus - does anyone have any suggestions?

Thanks in advance,
cgraham2

I am attaching the Malwarebytes Protection Log and Scan Log

follow instructions here https://forum.avast.com/index.php?topic=53253.0
we need Malwarebytes and Farbar Recovery Scan Tool logs, attach the logs, 3 logs total

see below the box you write in … Attachments and other options

a malware expert will then assist you when online … tomorrow

I have attached 4 logs - I wasn’t sure which Malwarebytes log you needed.

This computer is connected to my network by an ethernet cable.
I disconnected it last night, and the notifications stopped.
When I plugged it back in to post this today, they started again.

I appreciate any help you can provide.
Thanks!

FIRST >>>>

Fix with Farbar Recovery Scan Tool

[b]This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.[/b]

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

- Right-click on the FRST icon and select Run as Administrator to start the tool.
(XP users click run after receipt of Windows Security Warning - Open File).
- Press the Fix button just once and wait.
- If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
- When finished FRST will generate a log on the Desktop, called Fixlog.txt.
Please attach it to your reply.

SECOND >>>>

AdwCleaner by Xplode

Download AdwCleaner from here or from here. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

- [b]Vista/7/8 users:[/b] Right click the [b]AdwCleaner[/b] icon on the desktop, click [b]Run as administrator[/b] and accept the UAC prompt to run AdwCleaner.

You will see the following console:

http://i1351.photobucket.com/albums/p785/dbreeze2/Scanners%20screens/AdwCleaner_v5016_zpsf8ln0fea.png

- Click the [b]Scan[/b] button and wait for the scan to finish.
- After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: [b]Waiting for action. Please uncheck elements you don't want to remove.[/b]
- Click the [b]Clean[/b] button.
- [b]Everything checked[/b] will be deleted.
- When the program has finished cleaning a report appears.
- Once done it will ask to reboot, allow this

http://1.bp.blogspot.com/-vitKqfMQS4o/UEDylIQ7HJI/AAAAAAAABLc/Hx-IwqKoaxg/s1600/adwcleaner_delete_restart.jpg

- On reboot a log will be produced; please attach that in your next reply. This report is also saved to [b]C:\AdwCleaner\AdwCleaner[C0].txt[/b]

Optional:

NOTE: If you see AVG Secure Search being targeted for deletion, Here’s Why and Here. You can always Reinstall it.

THINGS TO REPLY WITH >>>>

  • The Fixlog.txt file (attached).
  • The AdwCleaner[C#].txt log attached.
  • How is your system running now?

Thank you for your help - your instructions were very clear and easy to follow.

Since the notifications stopped when the computer was disconnected from the Internet, my partner felt we should leave it disconnected.
So I downloaded the fixlist.txt and AdwCleaner onto a USB stick, from a different computer, then moved them to the desktop on this computer.

I ran a Fix with FRST, and have attached the Fixlog.txt

I did a Scan and Cleaning with AdwCleaner, and the computer rebooted as expected.
I have attached that log as well.

Unfortunately, as soon as I reconnected the computer to the Internet, the Web Shield notifications started again.
The same one from before:
http://reannewscomm.com/ads.php?sid=1921 pops up about every 30-45 seconds
And less frequently, one for:
http://xml.infinity-info.com/click?i=Y3*De*Qrf74_0

I am now also getting warnings from Malwarebytes that it is blocking malicious websites - with various different websites, for example:

Should I have done all this while the computer was connected to the Internet?
Thanks,
cgraham2

Forgot to say that it is OK to run this disconnected from the internet for now. You are doing fine so far.


FIRST >>>>

Let’s protect your systems with MCShield (if you need to use a USB stick for transferring data / logs, then let’s make sure that only data / logs are transferred!).

Download MCShield to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control center select scanner and tick unhide items on flash drives

https://dl.dropbox.com/u/73555776/mcshield%20unhide.JPG

Plug in the drive and McShield will start a scan
Select logs and then copy/paste it to your next post

SECOND >>>>

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java :
Please download JavaRa to your desktop and unzip it to its own folder

  • Run JavaRa.exe, then click on Remove Java Runtime.
  • Select the Java version you have from the drop down list, and then click on Run Uninstaller
  • Press Yes if it asks to uninstall the product.
  • Allow the uninstaller to remove the installed version.
  • When it's finished, go back to JavaRa, and click Back
  • Click on Update Java Runtime and then select Download and install latest version.
  • Press Next
  • Press Java Manual Download.
  • A browser window will open with the Java download page.
  • Click the Windows offline link to download Java.
  • Run the installer.
  • Close JavaRa

THIRD >>>>

Junkware Removal Tool
Please download JRT from here to your desktop.

Note: Temporarily disable/shut down your protection software now to avoid potential conflicts, how to do so can be read here.

Double click the JRT.exe file to run the application.

The application will open a Command Prompt window and run from there (this is normal for this program, so not to be alarmed).

When it is asked, press any key to allow the program to continue / run.

This will create a log on the desktop; please copy and paste the JRT.txt log text in your next post.

Note: After the log file is created, please enable your protection software / reboot your system and verify your protection software is enabled.

My apologies for the delays in dealing with this, but I’ve been in a big exam the last three days. I will have more time to work on this now.

I downloaded MCShield on my other computer and scanned the USB stick I used for transferring data & logs.

Here is the log (I removed extra line breaks to save space):

MCShield AllScans.txt <<<


MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 3.0.5.28 / DB: 2015.12.6.1 / Windows XP <<<
08/02/2016 12:52:50 AM > Drive C: - scan started (ACER ~142 GB, NTFS HDD )…
=> The drive is clean.
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
v 3.0.5.28 / DB: 2015.12.6.1 / Windows XP <<<
08/02/2016 12:53:32 AM > Drive D: - scan started (no label ~961 MB, FAT flash drive )…
=> The drive is clean.

I downloaded JavaRa and JRT on the other computer and transferred them to this computer with the USB stick.
I ran the Java uninstaller, then connected to the Internet to do the Java Manual Download / Windows offline

I disabled Avast and ran the JRT - here is that log (again, I removed extra line breaks):

Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.2 (01.06.2016)
Operating System: Windows 7 Home Premium x64 
Ran by waap (Administrator) on 08/02/2016 at  1:08:30.61

File System: 17
Successfully deleted: C:\Users\waap\AppData\Local{04CF301B-F050-439F-9DDA-04B9B14D2738} (Empty Folder)
Successfully deleted: C:\Users\waap\AppData\Local{1EBF73C3-42E2-4BBC-9108-B1A1948B04B8} (Empty Folder)
Successfully deleted: C:\Users\waap\AppData\Local{384CB774-FC63-4412-BF62-F2C5E32BD219} (Empty Folder)
Successfully deleted: C:\Users\waap\AppData\Local{3F64E34F-F1F6-435B-887B-3601EDCB4762} (Empty Folder)
Successfully deleted: C:\Users\waap\AppData\Local{4DE90E9A-9DE2-4FEB-B03C-D44E95936428} (Empty Folder)
Successfully deleted: C:\Users\waap\AppData\Local{5BC142B0-B72C-4A86-8C63-FD13F77E9187} (Empty Folder)
Successfully deleted: C:\Users\waap\AppData\Local{62CDA217-601D-41F2-B78B-46D6AEAE41D5} (Empty Folder)
Successfully deleted: C:\Users\waap\AppData\Local{6A786E58-525D-4224-A4A7-BD06ED63BBBC} (Empty Folder)
Successfully deleted: C:\Users\waap\AppData\Local{A4706E52-AF6B-4D06-8650-1A47E133B876} (Empty Folder)
Successfully deleted: C:\Users\waap\AppData\Local{AC37A9F3-B60E-419C-814C-2EE336C4867D} (Empty Folder)
Successfully deleted: C:\Users\waap\AppData\Local{C2D1B131-883A-48D3-9D1A-7D8484166FB0} (Empty Folder)
Successfully deleted: C:\Users\waap\AppData\Local{D1DBAC5A-B90E-4C7D-8A11-58E153DE231F} (Empty Folder)
Successfully deleted: C:\Windows\wininit.ini (File)
Successfully deleted: C:\Users\waap\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\20GVC5JL (Folder)
Successfully deleted: C:\Users\waap\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQ1RCZIR (Folder)
Successfully deleted: C:\Users\waap\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FOOFI3GX (Folder)
Successfully deleted: C:\Users\waap\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SVEQW754 (Folder)
Registry: 0

Scan was completed on 08/02/2016 at  1:12:03.58
End of JRT log

After the log was generated, I enabled Avast and rebooted the system.
When it restarted, the Program Compatibility Assistant said the JRT was missing a Windows component.
I have attached a screen capture of that pop-up window.
When I checked to verify that Avast was enabled, I notice there is a new version available.
Should I update at this point, or hold off for now?

The Web Shield is still popping up with the reannewscomm.com alert, and Malwarebytes is busy blocking the same malicious websites that I noted in the earlier post.
I will disconnect this computer from my network again, right after I submit this post.

Thanks again for your help, and your patience!

Yes, please update Avast to the latest version.

Do not apologize about the delay; real life always comes first in these matters. Good luck on the exams!

I am doing further research on this one and will be back soon with more instructions; let’s see if the latest version of Avast does some more work on this issue.

I updated Avast and ran a Smart Scan.
No viruses, malware or network threats were detected.

The popups started again:
from Avast - for reannewscomm.com,
and from Malwarebytes - the same as before, with a few new ones as well

Most weren’t, but I noticed one of the Malwarebytes warnings indicated the Process was from notebook.exe?
I have attached some screenshot images.

Will unplug from the Internet again after posting :frowning:

Not all AVs detect everything… Let’s see what a different one finds.

This next step may take a while (just to warn you) …

ESET Online does not work with IE 11 (Internet Explorer) at the moment (a few weeks ago anyway) so if you have IE 11, Chrome or Firefox has to be used instead. ESET Online does work with IE 10 and earlier.

You can leave Avast! enabled even though ESET may warn about it. It just makes the scan take longer. The pictures below showing what to click may be blue instead of green on the ESET website now, but the procedure is still the same.

Please read carefully and slowly. Notice all the settings listed below to check before starting the scan. Stop and ask if you have any questions.

Take note of the NO tick in the Remove found threats setting below as it needs to have the tick removed.


Hold down Control key and click on the following link to open ESET OnlineScan in a new window.

Link =>> ESET Online Scanner <<

Click the Run ESET Online Scanner located on the left side of the page (not the free trial).

http://i1351.photobucket.com/albums/p785/dbreeze2/abfacb96-0c99-4b59-b9e9-9298aa0ee3ec_zps865eb5f8.png

For browsers other than Internet Explorer only: (Microsoft Internet Explorer users can skip this step)
Click on the esetsmartinstaller link in the popup window that opens. Save it to your desktop.

http://i1351.photobucket.com/albums/p785/dbreeze2/Getinstallerpopup2_zps65f446a6.png

Double click on the icon on your desktop.

http://i1351.photobucket.com/albums/p785/dbreeze2/desktopfile_zps98a1ee89.png

Check (accept) the Terms of Use.

http://i1351.photobucket.com/albums/p785/dbreeze2/TOU_zps4ecd3406.png

Click the START button.
Accept any security warnings from your browser.

Now in the Computer scan settings window that appears:-
Make sure that the option Enable detection of potentially unwanted applications is selected.
Now click on Advanced Settings and configure the options as follows:

Remove found threats is Not checked
Scan archives is checked
Scan for potentially unsafe applications is checked
Enable Anti-Stealth Technology is checked

Now click on: Start

http://i1351.photobucket.com/albums/p785/dbreeze2/Loadsettings_2014-08-23_zps3f2d0c88.png

ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.

http://i1351.photobucket.com/albums/p785/dbreeze2/Downloadingsignatures_zps36c38587.png

http://i1351.photobucket.com/albums/p785/dbreeze2/Scanningdisplay_zpsec3aac14.png

When the scan is finished, if any threats are found you will see the screen below. Click to view the found threats.

http://i1351.photobucket.com/albums/p785/dbreeze2/Threatsfound_zpsfe95fb4e.png

At the bottom of the listed threats, there is an option to save the results to a text file. Please do this so you can attach the results here for review and removal of the items that are not false positives (these will be scripted out so do not worry).

http://i1351.photobucket.com/albums/p785/dbreeze2/Exporttotextfile_zps16cb487f.png

Once the log text file is saved, return to the Scan Finished screen by clicking “<<Back”, then click on the uninstall button and click Finish.

http://i1351.photobucket.com/albums/p785/dbreeze2/UninstallcheckedandFinish_zps6fb26ad8.png

Attach the saved log file in your next reply please. Thanks.

I tried holding down the Ctrl key and clicking the link for ESET OnlineScan, but I get a “Problem loading page” error (see attached screenshot).
Other webpages are loading fine.

From the URL bar, it appears to be trying to open:
www."http.com//www.eset.com/us/online-scanner/

Your screen shot for ESET doesn’t show that initial www."http.com//, and if I remove that, I can get to:
http://www.eset.com/us/online-scanner/
(see attached screen shot)

Is it okay for me to proceed with the scan from there, or would you like to send a different link?

Thanks

Not sure why the first attachment didn’t go through…

Not sure what happened to the link but http://www.eset.com/us/online-scanner/ is correct. Please use that for the scanner download.

Wow, that DID take a long time!
But 6 threats were detected - so hopefully we are closer :slight_smile:
I have attached the log
C

FIRST >>>>

Fix with Farbar Recovery Scan Tool

[b]This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.[/b]

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

- Right-click on the FRST icon and select Run as Administrator to start the tool.
(XP users click run after receipt of Windows Security Warning - Open File).
- Press the Fix button just once and wait.
- If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
- When finished FRST will generate a log on the Desktop, called Fixlog.txt.
Please attach it to your reply.

SECOND >>>>

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Please uninstall all Java on your machine (some of the malware found was in old Java locations) and then install the latest version.

Upgrading Java :
Please download JavaRa to your desktop and unzip it to its own folder

  • Run JavaRa.exe, then click on Remove Java Runtime.
  • Select the Java version you have from the drop down list, and then click on Run Uninstaller
  • Press Yes if it asks to uninstall the product.
  • Allow the uninstaller to remove the installed version.
  • When it's finished, go back to JavaRa, and click Back
  • Click on Update Java Runtime and then select Download and install latest version.
  • Press Next
  • Press Java Manual Download.
  • A browser window will open with the Java download page.
  • Click the Windows offline link to download Java.
  • Run the installer.
  • Close JavaRa

O
M
G

;D

I have been sitting here, connected to the internet, enjoying the peace and quiet for the last 15 minutes.
This is the first time I have turned my speakers on in a week!
There hasn’t been a single alert from Avast or Malwarebytes.

This is WONDERFUL!

YOU are wonderful!

I have attached the Fixlog

Thank you, thank you, thank you!

Well that is good news!!! ;D ;D ;D

If everything else is fine for you (Avast is running / scanning with no warnings, etc.) then I will remove our tools and get you on your way …

If you did not do so at the end of the ESET scan, please uninstall ESET Online Scanner (via the Control Panel > Programs and Features).

Clean up of Malware Removal Tools
Now that we are through using these tools, let’s clean them off your system so that should you ever need to have malware removed again (we hope not) fresh, updated copies will be downloaded.

  • Download Delfix from here to your desktop and double click it to start the program
  • Ensure Remove disinfection tools is ticked
Also tick:
  • Activate UAC
  • Create registry backup
  • Purge system restore
  • Reset system settings

http://i1351.photobucket.com/albums/p785/dbreeze2/just%20stuff/DelFixSelectall_zps0f04cec4.png

  • Click Run
  • The program will run for a few moments and then notepad will open with a log. Note: Please save this log first before rebooting your system (if asked to); DelFix does not save the log as it is trying to remove all traces of our work on your system. Please attach the log in your next reply.

You can delete any log files left on your desktop as these are no longer needed.

==Some Tools to consider to help keep your system safe ==

Consider a program that will check for out-of-date programs on your system
Some programs don’t have update checks built in or make you run the application to start the check for updates process. An easier way to stay on top of the current versions of your installed programs is to use a version checking program like Heimdal Free from Heimdal Security (you can get the software from here and read more about it on the same page).

Unchecky is a small service that runs in the background to help keep those “extra toolbars” and tag along search engines from automatically installing. By automatically directing you to a custom install with all the options unchecked, only what you manually choose and confirm gets installed.

CryptoPrevent is a free program that prevents CryptoLocker / ransomware from infecting your PC by locking down the OS so the malware can not get a grip on your system. You can read the details about this program here.

Also, consider keeping MalwareBytes Antimalware in your arsenal of safe keeping programs. Use the free version (not the paid or trial version) and you won’t have a problem with your antivirus scanner program. Keep it updated and run a scan with it once a week.

Lastly, if you use Firefox as your main web browser, consider adding the NoScript and AdBlockPlus add-ons to the browser to block scripting hijacks and remove unwanted ads from the pages you view.

You may also find some information and tips at this thread:
How did I get infected in the first place?
and
COMPUTER SECURITY - a short guide to staying safer online


I’ll leave this topic open for a few days so that if you have any questions you can come back here. Surf safe, my friend!!

Avast is running, and there are still no warnings - it’s been several hours now.

I did click on the uninstall button at the end of the ESET scan, but I checked Programs and Features via the Control Panel to be sure, and ESET was not listed.

Thank you for suggesting tools to hopefully prevent this from happening again.
I notice that the link for the Heimdal Free takes me to Bleeping Computer - do you get some kind of referral for it?
I’m curious why I wouldn’t want to download it directly from Heimdal’s website?
If you get something if I go through Bleeping Computer instead - I’m cool with that.

I have attached the Delfix log

No, we don’t get a referral from BleepingComputer but we know that the links there will not be misleading or contain addons in the downloaded install files. It is always best to get the file directly from the vendor but some people will download from anywhere; BleepingComputer.com is safe and secure; I can’t say that about all download sites.