URL:Mal C:\Windows\explorer.exe

For the last few days, Avast has been constantly popping up an alert, sometimes every few seconds:

Avast web shield has blocked a harmful webpage or file.
Object: hxxps://188.165.198.52
Infection: URL:Mal
Process: C:\Windows\explorer.exe

This happens whether there is a browser open or not. (Win 7 Home Premium)

A full scan with Avast comes up clean.

I also tried Malwarebytes, Superantispyware, Tdsskiller, JRT, FRST, Adwclean, Rkill. (All of those are now uninstalled)

The only thing that stops the alerts is to block that IP with the firewall, but that obviously doesn’t get rid of the underlying infection.

I would greatly appreciate your help.

Thanks.

Instructions here: https://forum.avast.com/index.php?topic=53253.0
Attach the requested logs.

OK, I have attached the requested logs.

Also, I noticed a possible fix for a similar problem in a different topic on this forum (quoted below), but I don’t know if it would work for my situation.

Thanks.

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

So, don’t try it!

Remover Notified.

Could you let me know if this makes a difference?

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2014-10-11] (Apple Inc.)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\615\G2AWinLogon_x64.dll [X]
BHO: No Name -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> No File
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Handler: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - No File
2014-10-27 23:16 - 2014-10-27 23:17 - 00000000 ____D () C:\ProgramData\E1864A66-75E3-486a-BD95-D1B7D99A84A7
2014-10-21 18:44 - 2014-10-29 02:15 - 00000000 ___HD () C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\GoToAssist => ""="Service"
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

Thanks for your reply.

Here’s a new development:

When I logged into the computer today, just as I was following your instructions and saving fixlist.txt, a different Avast alert popped up that said:

Avast File System Shield has blocked a threat. No further action is required.

Object C:\ProgramData.…\icmp.dll

Infection: Win64:Malware-gen

Action: Deleted

Process: C:\Windows\System32\notepad.exe

The threat was detected and blocked just before the file was opened.

Since then, the other popup warning has stopped, so I think Avast may have solved the problem.

Do you think that I should still do the fix you recommended, or should I wait to see if the constant popups return?

Could you give me the full path for the deleted dll please?

Could you give me the full path for the deleted dll please?

I would like to know that, too! I quoted the popup alert exactly as written (I’ve attached a screenshot).

Where would I look for it? I found a log file for Web Shield, but not for File System Shield. I’m lucky I was even able to read it and get a screenshot because the popup disappeared so fast and was only available once by clicking “Show last popup message”.

Do you have any suggestions as to where that information might be stored? Why would Avast not include the full path?

Thanks again for your continued assistance.

If you hover over the file name it should expand to a full path. Could you run a boot scan please?

The chain of events with the deleted-dll popup was that, when it first appeared, it closed before I could read it, so I right-clicked on the Avast icon in the notification area and selected “Show last popup message”. At that point, my priority was to get a screenshot, so I did that, assuming that I could bring it up again to see if I could get more details by mousing over or clicking on it. When I had the screenshot safely saved, I went back to the right-click context menu, but “Show last popup message” was greyed out and no longer available.

But, GOOD NEWS - I found a log file that contains the full path of the dll.

It was in C:\ProgramData\AVAST Software\Avast\report\FileSystemShield.txt,
not C:\ProgramData\AVAST Software\Avast\log:

“10/30/2014 2:04:57 PM
C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\icmp.dll [L] Win64:Malware-gen (0)
File was successfully deleted…”

So you were on the right track when you included C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8} in your recommended fix.

I left that directory there for now, just in case you want more info. It currently contains 1 file:

8afc49b02429a (306 KB)

I have attached the log file from the boot-time scan you requested.

So far, no more alerts about hxxps://188.165.198.52

Thanks for your continued assistance.
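For the question of where Avast records the full path of a deleted file, here is an added Python example (not from this thread and not Avast's own tooling) that pulls the timestamp, full path, detection name and action out of FileSystemShield.txt entries laid out like the excerpt quoted above; the three-line-per-record layout is assumed from that single excerpt, and the second sample record is constructed.

```python
import re
from datetime import datetime

# Constructed sample in the layout of the FileSystemShield.txt excerpt quoted in the thread:
# a timestamp line, then "path [flag] detection (count)", then an action line. The second
# record is invented to show a different outcome; the layout itself is an assumption.
SAMPLE_REPORT = """\
10/30/2014 2:04:57 PM
C:\\ProgramData\\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\\icmp.dll [L] Win64:Malware-gen (0)
File was successfully deleted...
10/30/2014 2:10:12 PM
C:\\Users\\Example\\Downloads\\setup.exe [L] Win32:Example-gen (0)
File was moved to chest...
"""

# Detection line: everything before " [X] " is the path, then the detection name and a count.
DETECTION_RE = re.compile(r"^(?P<path>.+?) \[(?P<flag>[A-Z])\] (?P<name>\S+) \((?P<count>\d+)\)$")


def parse_timestamp(line):
    """Parse the '10/30/2014 2:04:57 PM' style timestamp; return None if the line is not one."""
    try:
        return datetime.strptime(line.strip(), "%m/%d/%Y %I:%M:%S %p")
    except ValueError:
        return None


def parse_report(text):
    """Group report lines into records of timestamp, path, detection and action."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        ts = parse_timestamp(line)
        if ts is not None:  # a timestamp starts a new record
            current = {"timestamp": ts, "path": None, "detection": None, "action": None}
            records.append(current)
            continue
        if current is None:  # stray line before the first timestamp
            continue
        m = DETECTION_RE.match(line)
        if m and current["path"] is None:
            current["path"] = m.group("path")
            current["detection"] = m.group("name")
        else:
            current["action"] = line


    return records


def detected_paths(text, name=None):
    """Full paths of all detections, optionally only those with a given detection name."""
    return [r["path"] for r in parse_report(text) if name is None or r["detection"] == name]
```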

OK, let's now delete that folder again.

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

OK, let's now delete that folder again.

I just want to clarify that I did not run your first fix because Avast popped up and deleted the malicious dll before I had a chance to run it. If there is anything else listed in your first fix that needs to be done, please let me know.

Also, for clarification: In your previous reply you requested that I run a boot scan and I assumed that you meant an Avast boot-time scan, so the log that I posted was from that scan. If my assumption was incorrect, please let me know.

I have attached the log from the current FRST fix.

Thanks.

OK, that explains why the folder was still there :slight_smile: I really must learn to read properly.

Any further problems before I tidy up?

Any further problems before I tidy up?

Nope. There haven’t been any popup alerts regarding hxxps://188.165.198.52 since C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\icmp.dll was deleted.

Thanks.

In that case methinks I will send you on your merry way :slight_smile:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article.

I would recommend that you completely uninstall Java unless you need it to run an important piece of software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware.

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean.

It is critical to have both a firewall and antivirus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe :wave:

Done.

Thanks very much for all your help.

My pleasure :slight_smile: