Avast web sheild non stop blocking from process svchost.exe

[ted2u]

This is similar to post by Mriddl02 on April 30, 2014, 01:45:11 PM. Same problem different web pages. Example:  http://dereban16.net/task/35/  My OS is XP, SP3 on a Dell 9100. Browsers are IE8, Chrome, and Firefox. Was using Symantec AV. Installed Avast free about one month ago and problem started about 5 days ago. Deleted all cookies and temp internet. Then ran full scan using latest Avast and Malwarebytes, no problems found. Did system restore back one week, did not correct problem. What kind of infection is this and why didn't Avast stop it from getting into my computer? How do I correct this problem? Thanks for your help.

[Asyn]

Attach your logs. (MBAM, OTL and aswMBR..!!)
Instructions: http://forum.avast.com/index.php?topic=53253.0

[Pondus]

Was using Symantec AV.

did you run symantec/norton removal tool before installing avast      http://www.avast.com/en-eu/faq.php?article=AVKB11#artTitle

[Michael (alan1998)]

Asyn, I believe from the info he has provided he most likely has blackbeard. Do not run MBAM/Malwarebytes. It may leave your computer unbootable. Just attach OTL

[ted2u]

Asyn, thank you for the quick reply. The log files you requested are attached. My Malwarebytes is free version, let me know if I need premium version. Also, OTM only produced one log file, no extras log. I also attached a screen shot of the type of web shield popup I keep getting. 

Re Michael: I ran Malwarebytes before I saw your message. No problem encountered.

Re Pondus: I did not use the Symantec removal tool, but Avast was working fine for about three weeks, so I do not think Symantec is related to my problem.

Thanks you for your assistance. 

[Michael (alan1998)]

Avast! File were overwritten.. According to OTL logs.

You also have Limewire, please remove it. (There from 2005, so going on a decade now that it's be installed)

[2014/04/27 20:22:52 | 000,054,832 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswrdr.sys.1400181962281
[2014/04/27 20:22:52 | 000,054,832 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswrdr.sys
[2014/04/27 20:22:53 | 000,777,488 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswsnx.sys
[2014/04/27 20:22:53 | 000,776,976 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswsnx.sys.1400181962281

[ted2u]

Michael, I will delete Limewire. Re the Avast overwrites, I did try to install Avast before I deleted Symantec. I tried to keep Symantec because it had a firewall, but the Avast install did not work. I then deleted Symantec and re-installed Avast. Maybe that caused the overwrites.

[Michael (alan1998)]

Sorry,

I will fetch a remover for yu. THank you

[magna86]

Hi



Please download Farbar Recovery Scan Tool () by Farbar and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

• Double-click to run it. When the tool opens click Yes to disclaimer.
  
• Press Scan button.
  
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  
• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

.



Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:

• Type rpcss.dll into the Search: field in FRST then click the Search File(s) button.
  
• FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run.
  
• Please attach it to your reply.

[ted2u]

Hello Magna86, The Farbar Recovery Scan Tool encountered a problem and terminated. I rebooted the system with same result. I re-downloaded the program with same result. I have attached a screen shot of the error message. Thank you for your assistance.
   

[Pondus]

try run it from safe mode.....

[REDACTED]

For the last 2 days, I have been continually receiving the Avast alert "Web Shield has blocked a harmful webpage or file" when browsing in both Firefox and Explorer. It gives me a very long URL starting with "hxxp://38.71.2.31...." My computer seems to run fine. An Avast full scan shows no viruses or problems. I installed and ran Malwarebytes, which came up with 1 risky file, since deleted. When I examine my "processes" in Task Manager" I see nothing inappropriate. I have deleted most files in my Temp folders. Yet, the alert continues to pop up. What is going on? Is there something on my computer? Or is this an overly sensitive setting in Avast? Perhaps as a result of recent Avast updates? I've read by others to just report these as false positives, but I'm hesitant to do this in case I'm wrong. What should I do?

[Asyn]

What should I do?

Start a new topic and attach your logs there.

[REDACTED]

Hello

I was working my problem with the forum when the forum went down. I waited a few days but the forum did not come back up so I ran Kaspersky TDSS Scanner and it found a root virus in sys32 file rpcss.dll. It quarantined the virus and tried to correct the file. The Avast warning pop-ups stopped but then I started getting an svchost application error. The svhost error was corrected by replacing rpcss.dll with a known good file. My system seems to be back to normal. Do you think I need to do anything else? Thanks.   

[magna86]

Hi,

Yes, TDSSKiller has received a few improvements in adressing this malware. This should be good now.


But if you still need help or additional checks, could you post the fresh FRST logs as instructed above. Know that FRST has resive the major updates in the meanwhile so make shure you download & use the latest version. FRST shall attempt to update itself but you can download fresh version if you wll. You can delete the old version.