Avast WEBforum

Other => Viruses and worms => Topic started by: REDACTED on October 24, 2014, 07:41:31 PM

Title: URL:Mal - Explorer.exe
Post by: REDACTED on October 24, 2014, 07:41:31 PM
My computer has been running slower for days. I installed avast and the scan found nothing, but I've received constant pop-ups from the avast! Web Shield:
Object: https://svadxvbtuc8c.com (yesterday it was a different URL)
Infection: URL:Mal
Process: C:\Windows\explorer.exe (always the same)

I've run the other recommended scanners listed on the main forum topic. Logs attached.

Any help is greatly appreciated!
Title: Re: URL:Mal - Explorer.exe
Post by: REDACTED on October 24, 2014, 09:12:47 PM
Ditto. Avast we need your help!!
Title: Re: URL:Mal - Explorer.exe
Post by: REDACTED on October 24, 2014, 09:19:37 PM
Ditto here. Driving me crazy!
Title: Re: URL:Mal - Explorer.exe
Post by: REDACTED on October 24, 2014, 09:19:52 PM
This is the message:

Object: svadxvbtuc8c.com
Infection: URL:MAL
Process: C:\WINDOWS\explorer.exe

Clicking on MORE DETAILS takes you to an "apparent" AVAST website.
Title: Re: URL:Mal - Explorer.exe
Post by: essexboy on October 24, 2014, 09:26:44 PM
You appear to be running three antivirus programmes, two will need to go 

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1  (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here  (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3.  If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
Title: Re: URL:Mal - Explorer.exe
Post by: REDACTED on October 24, 2014, 09:37:59 PM
I am getting the same thing as well. It changes almost daily and I have been unable to remove.
Title: Re: URL:Mal - Explorer.exe
Post by: REDACTED on October 24, 2014, 10:44:34 PM
Essexboy,

I ran Combofix as instructed. Log attached. The issue persists: I continue to receive pop-ups like the one previously described.

One hiccup: I physically disconnected my computer from the internet before disabling avast! (as I'm concerned about whatever information the virus is trying to transmit), I then ran ComboFix, but it obviously wasn't able to update to the latest version. Per your instructions, I did not re-run ComboFix. Should I update it and re-run?

Many thanks.
Title: Re: URL:Mal - Explorer.exe
Post by: essexboy on October 24, 2014, 10:54:21 PM
Could you re-attach the FRST log please as I would like to take another look at it

Also are any other computers that use your router experiencing this ?
Title: Re: URL:Mal - Explorer.exe
Post by: REDACTED on October 24, 2014, 10:57:43 PM
Attached.

Regarding other computers: not that I am aware of.
Title: Re: URL:Mal - Explorer.exe
Post by: essexboy on October 24, 2014, 11:01:27 PM
OK as of now I am unable to locate the trigger, do you have a system restore point prior to the alerts starting ?

If so could you restore to that and if the alerts do not re-appear run a fresh FRST scan so that I can run a comparison
Title: Re: URL:Mal - Explorer.exe
Post by: REDACTED on October 24, 2014, 11:04:49 PM
No, I don't have an early enough restore point.

Forgive my naivety, but is there no way to install a corrected version of explorer.exe?
Title: Re: URL:Mal - Explorer.exe
Post by: essexboy on October 24, 2014, 11:14:29 PM
It's not explorer, it is just that the file is using explorer to access that site. Have you ever used Process Explorer by Sysinternals?
Title: Re: URL:Mal - Explorer.exe
Post by: REDACTED on October 24, 2014, 11:16:25 PM
I don't think so? Should I?
Title: Re: URL:Mal - Explorer.exe
Post by: essexboy on October 24, 2014, 11:21:54 PM
OK if you feel happy could you do the following :

Download to your desktop process explorer from here http://technet.microsoft.com/en-gb/sysinternals/bb896653.aspx
Run the programme and expand (by pressing the +) explorer.exe
When the alert appears note down what process is using explorer at that time
In my screenshot I just have Caledos running under explorer

 
Title: Re: URL:Mal - Explorer.exe
Post by: REDACTED on October 24, 2014, 11:27:35 PM
Screenshot below.
Title: Re: URL:Mal - Explorer.exe
Post by: REDACTED on October 24, 2014, 11:30:27 PM
Also, none of the files changed when the avast! pop-up occurred.
Title: Re: URL:Mal - Explorer.exe
Post by: essexboy on October 24, 2014, 11:34:09 PM
So there was no additional entry when the alert occurred, were you using your printer at that time ?
Title: Re: URL:Mal - Explorer.exe
Post by: REDACTED on October 24, 2014, 11:44:36 PM
Correct - no additional entry.

Yes, I was using the printer.

Attached is another screenshot.

One observation: I've noticed that the pop-ups tend to occur more often when Internet Explorer is open, *BUT* they will also occur when Internet Explorer is not open, or even before Internet Explorer has been launched upon a new startup.

Second observation: Whenever I open up Windows Explorer, it lags for a second, and then I get the pop-up.
Title: Re: URL:Mal - Explorer.exe
Post by: REDACTED on October 24, 2014, 11:53:19 PM
Another screenshot attached--it popped up even when Process Explorer was the only thing running under explorer.exe.
Title: Re: URL:Mal - Explorer.exe
Post by: REDACTED on October 25, 2014, 03:52:23 AM
I'm using windows 7 and the avast popup is driving me absolutely insane. I have noticed that in my process list I have 2 explorer.exe running at the same time, one of them shows up at proper place and can access file location....The other doesn't go to file location and also cannot be ended.

I have absolutely no clue on what this bug is but I'm about to try comodo or even blasted Norton to get this thing GONE
Title: Re: URL:Mal - Explorer.exe
Post by: REDACTED on October 25, 2014, 04:18:57 AM
Got it here too - a few warnings about xmlka.com yesterday and now constant pop ups of svadxvbtuc8c.com. MalwareBytes Anti-Malware scan came up clean, Avast! quick scan was clean, now running a deep scan of Avast!

OS is Windows 7 Home Premium.
Title: Re: URL:Mal - Explorer.exe
Post by: essexboy on October 25, 2014, 12:58:58 PM
Blake7 could you reboot the computer to safe mode with networking and let me know if the alerts cease when you use a browser
Title: Re: URL:Mal - Explorer.exe
Post by: REDACTED on October 25, 2014, 03:51:50 PM
I have been having this exact same issue for the past 24 hours. For me the alert happens constantly, maybe every 10-15 seconds. It started Friday morning and I tried 3 different restore points going back the past week and am unable to get rid of it. I am currently in the process of backing up some files to wipe my system today. Since the question of printer use was asked previously I do not have a printer connected.
Title: Re: URL:Mal - Explorer.exe
Post by: REDACTED on October 25, 2014, 05:10:54 PM
Same thing here. Started a couple of days ago. Malwarebytes found a few innocuous things the first time, nothing after that. Ran quick scans, deep scan and 2 boot scans. Still popping up every minute.
Help us Avast!
Title: Re: URL:Mal - Explorer.exe
Post by: REDACTED on October 25, 2014, 05:35:39 PM
I'm having the same problem, every 30 seconds, even without launching IE, svadxvbtuc8c.com appears in my avast popup. I have two machines running win7, this one is on win7pro. The win7home machine I use for gaming is unaffected; both are wire connected to the router.

It's been going on for at least 24 hours. I'm rather shocked that avast doesn't log the file that is sending the url request.

I don't have a restore point so i'm currently backing up essential files to onedrive and prepping for a wipe and reinstallation of win7.

I'd love to hear if someone comes up with a solution to this issue.

malwarebytes and windows defender aren't finding the culprit though both did turn up some possible viruses/spyware which i promptly removed.

Interesting side note, i primarily use opera for browsing. the only things i use IE for are direct links to netflix amazon prime and pbskids. odd that the infection would occur at IE in my opinion.

i've done boot scans through avast as well as deep scans.

I'm afraid to drop my anti-virus to install combofix because if avast is blocking this connection, i'm pretty sure it'll succeed if i take avast down.

Title: Re: URL:Mal - Explorer.exe
Post by: essexboy on October 25, 2014, 06:09:35 PM
Could everybody start their own topic please.  At this stage I have not found the trigger however, restoring to a time before the alerts occur will cure it
Title: Re: URL:Mal - Explorer.exe
Post by: REDACTED on October 26, 2014, 02:17:52 PM
The URL svadxvbtuc8c.com was registered on 10/23/14, fwiw. I'd start with a restore to 10/22. However, it sounds like this may be one of several URLs which are being called by the same unknown process. I'm also getting calls to xmlka.com, which was registered in April of this year.
Title: Re: URL:Mal - Explorer.exe
Post by: REDACTED on October 27, 2014, 04:53:11 PM
Essexboy--Sorry for the long delay. I tried launching in safe mode, but avast was disabled and, though the program would launch, I couldn't get it to turn the shield on. The button literally wouldn't "push."

I see a lot of other folks have been posting about the same bug. Have you figured out the trigger?

Thanks.
Title: Re: URL:Mal - Explorer.exe
Post by: essexboy on October 27, 2014, 04:58:45 PM
I believe so, could I have a fresh FRST log please 
Title: Re: URL:Mal - Explorer.exe
Post by: REDACTED on October 27, 2014, 05:07:15 PM
Log attached.
Title: Re: URL:Mal - Explorer.exe
Post by: REDACTED on October 27, 2014, 05:18:50 PM
I haven't had any pop-ups this morning. Avast shield appears to be on. All I've done since our last exchange was run Safe Mode once. Could that have cured it?
Title: Re: URL:Mal - Explorer.exe
Post by: REDACTED on October 27, 2014, 07:04:28 PM
Never mind, the pop-ups are back. Now trying to go to xmlka.com, which was one of the domains last week as well.
Title: Re: URL:Mal - Explorer.exe
Post by: essexboy on October 27, 2014, 07:22:48 PM
Yes, the other site has been taken down

Download to your desktop process explorer from here http://technet.microsoft.com/en-gb/sysinternals/bb896653.aspx
Open process explorer and from the menu bar select View > Lower Pane
Select Explorer.exe
A Lower window will open
Then on the menu bar go to File > Save as..
Then select the desktop and click save
On the desktop will then be a text file called explorer please attach that
You may need to edit the file name from explorer.exe.txt  to explorer.txt  to allow it to be attached
Title: Re: URL:Mal - Explorer.exe
Post by: REDACTED on October 27, 2014, 09:53:01 PM
Explorer.txt attached.
Title: Re: URL:Mal - Explorer.exe
Post by: essexboy on October 27, 2014, 10:01:14 PM
Could you do that again please and ensure that explorer.exe is highlighted
Title: Re: URL:Mal - Explorer.exe
Post by: REDACTED on October 27, 2014, 10:36:26 PM
Here you are--sorry about that.
Title: Re: URL:Mal - Explorer.exe
Post by: essexboy on October 27, 2014, 11:12:00 PM
Nothing showing there, could I have a fresh FRST scan please
Title: Re: URL:Mal - Explorer.exe
Post by: REDACTED on October 27, 2014, 11:15:08 PM
Attached.

I've only had the pop-up once or twice today. Last week it was like every minute or two.

I haven't been doing anything else to actively get rid of it. My avast did update to the latest version, but nothing came up in a quick scan.
Title: Re: URL:Mal - Explorer.exe
Post by: REDACTED on October 28, 2014, 01:56:56 AM
I am now getting a new url in addition to xmlka. See attached.
Title: Re: URL:Mal - Explorer.exe
Post by: REDACTED on October 28, 2014, 02:06:03 AM
I've started getting lots of pop ups again. Mostly for xmlka. Attached are new logs, in case they show anything different.
Title: Re: URL:Mal - Explorer.exe
Post by: REDACTED on October 28, 2014, 05:36:35 PM
Tons of pop-ups again this morning. Any thoughts?
Title: Re: URL:Mal - Explorer.exe
Post by: essexboy on October 28, 2014, 07:15:20 PM
I hate these new ones as it takes a while to locate the trigger

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
2014-10-16 13:21 - 2014-10-27 08:49 - 00000000 ___HD () C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
C:\Users\brebling\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/) by Xplode onto your desktop.
Title: Re: URL:Mal - Explorer.exe
Post by: REDACTED on October 28, 2014, 08:42:53 PM
Logs attached. No avast pop-ups so far!
Title: Re: URL:Mal - Explorer.exe
Post by: essexboy on October 28, 2014, 09:43:46 PM
Fingers crossed can you monitor it for a day or so please
Title: Re: URL:Mal - Explorer.exe
Post by: REDACTED on October 30, 2014, 05:14:31 PM
I think I'm cured. (Admittedly, I haven't waited the full 21 day quarantine period . . . )

Thanks for all the help EssexBoy!
Title: Re: URL:Mal - Explorer.exe
Post by: essexboy on October 30, 2014, 05:20:38 PM
A bit of a roller coaster that one :)


Subject to no further problems   :)

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems 

Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself so... The following will implement some cleanup procedures as well as reset System Restore points:

Click  Start  then Run.
On Windows7 or Vista  you may use  Start Search  field if  Run  is not available.
In the box copy/paste the following command:

ComboFix  /Uninstall

Note that there is a space between "  ComboFix  " and "  /Uninstall  " .

Then click  OK  (or press  Enter ).
Wait for the uninstall process to complete.

Download and run Delfix (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/9-delfix)



: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article (http://www.forbes.com/sites/eliseackerman/2013/01/11/us-department-of-homeland-security-calls-on-computer-users-to-disable-java/)

I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser (http://www.geekstogo.com/2600/how-to-disable-java-in-your-web-browser/) and How to unplug Java from the browser (http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/))

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent (http://www.foolishit.com/vb6-projects/cryptoprevent/) install this programme to lock down and prevent crypto ransomware


Malwarebytes (http://www.malwarebytes.org/mbam-download.php).

Update and run weekly to keep your system clean


It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices (http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/)

Keep safe  :wave: