URL:Mal - hxxps//:188.165.198.52

Hi,

Please help. Avast keeps blocking URL:Mal - hxxps//:188.165.198.52 every 10 seconds. I’ve tried everything to get rid of this: Malwarebytes, Avast, Hitman, Combofix, Adwcleaner, Emsisoft, Rkill, etc… Nothing has helped! Please help.

Thank you,

hendrix

Hey, and welcome to the forum. I will go and get you someone to help you.

First things first: please attach the logs from Combofix. Second, Combofix is a tool that should not be run without someone who knows what he/she is doing with Combofix. It can make your computer unbootable.

Oops. Well, here is the Combofix file.

hendrix

Let me know if this makes a difference

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

Winlogon\Notify\ScCertProp: wlnotify.dll [X]
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (No File)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (No File)
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
2014-10-21 12:31 - 2014-10-28 14:32 - 00000000 ___HD () C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
2014-10-20 10:18 - 2014-10-20 10:18 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CopyTrans Control Center
CustomCLSID: HKU\S-1-5-21-3283815662-1904791709-1846364949-1000_Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32 -> C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\msvcp60.dll (Microsoft)
Task: {C27ED4F5-42BF-4917-B455-74A55D032EDC} - \Optimizer Pro Schedule No Task File <==== ATTENTION
c:\programdata\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
c:\windows\ACF5FE1B377240688B872D2A6EFD0A05.TMP
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated; please post that

THEN

Download to your desktop process explorer from here http://technet.microsoft.com/en-gb/sysinternals/bb896653.aspx
Open process explorer and from the menu bar select View > Lower Pane
Select Explorer.exe
A Lower window will open
Then on the menu bar go to File > Save as…
Then select the desktop and click save
On the desktop will then be a text file called explorer; please attach that
You may need to edit the file name from explorer.exe.txt to explorer.txt to allow it to be attached

Thank you for the response. Attached are both logs. I’m still seeing the Avast web shield popup every 10 seconds.

Here’s the process log again. Not sure I did it right the first time.

Not quite right for process explorer
Could you run it again, but ensure that you have explorer.exe highlighted and save the file as soon as you get an alert?

Attached is the new explorer log. I opened lower pane, selected explorer and then did save as for log.

I also attached a screen shot.

Thank you,

hendrix

Do you have Daemon tools on your system, and do you run torrents?

Don’t know what daemon is and never have run torrents.

Can you do a system restore on the computer to at least one week ago?

I tried; there isn’t a restore point.

Could I have a fresh FRST scan, please?

See attached.

Thank you,

hendrix

Did you install Panther?

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

2014-10-28 17:37 - 2014-10-28 17:37 - 00000000 _____ () C:\autoexec.bat
2014-10-28 17:36 - 2014-10-28 18:03 - 00000000 ____D () C:\Windows\ACF5FE1B377240688B872D2A6EFD0A05.TMP
2014-10-21 12:31 - 2014-10-28 20:10 - 00000000 ___HD () C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
Winlogon\Notify\ScCertProp: wlnotify.dll [X]
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated; please post that

See attached.

Thank you,

Don’t remember installing pathfinder ever…

Here are the two new shield blocks that are popping up. See attached.

OK, let’s take it out

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

2014-10-28 19:44 - 2011-02-10 15:48 - 00000000 ____D () C:\Windows\Panther
2014-10-21 12:31 - 2014-10-30 11:34 - 00000000 ___HD () C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
2014-10-28 17:36 - 2014-10-28 18:03 - 00000000 ____D () C:\Windows\ACF5FE1B377240688B872D2A6EFD0A05.TMP
S3 cleanhlp; \??\C:\Program Files (x86)\Emsisoft Anti-Malware\cleanhlp64.sys [X]
Winlogon\Notify\ScCertProp: wlnotify.dll [X]
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated; please post that

See attached. Also attached another Avast popup.

Thank you,
hendrix