Author Topic: Constant pop-ups; HTML:RedirME-inf[Trj] svchost.exe  (Read 11061 times)

REDACTED

  • Guest
Constant pop-ups; HTML:RedirME-inf[Trj] svchost.exe
« on: September 28, 2015, 03:40:27 AM »
Hello guys,
I use Avast free, and I've been getting these pop-ups for over a month now, they pop up whenever I start my Windows 7 and then spontaneously.

Infection: HTML:RedirME-inf[Trj]
Process: C:\Windows\System32\svchost.exe

objects are
hxxp://crl.microsoft.com/pki/crl/products/micCodSigPCA

hxxp://crl.microsoft.com/pki/crl/products/microsofttimestamppca.crl

hxxp://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl

hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl

I scanned my PC with Avast, Malwarebytes and Microsoft Security Essentials, and no malware was found. Am I infected? Is it a false positive? Or it has to do with "Microsoft certificate revocation list" (whatever this means!)?

I'd appreciate it if you explain to me what's happening in my machine before we delve deeper into Farbar and other tools  :)

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37549
  • Not a avast user
Re: Constant pop-ups; HTML:RedirME-inf[Trj] svchost.exe
« Reply #1 on: September 28, 2015, 07:31:56 AM »
Quote
Or it has to do with "Microsoft certificate revocation list" (whatever this means!)?
and when do you see this?


Quote
I'd appreciate it if you explain to me what's happening in my machine before we delve deeper into Farbar and other tools
No, we need diagnostic logs first, then maybe we can explain ;)

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76035
    • >>>  Avast Forum - German-language section  <<<
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast essentials (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0

REDACTED

  • Guest
Re: Constant pop-ups; HTML:RedirME-inf[Trj] svchost.exe
« Reply #3 on: September 28, 2015, 04:16:17 PM »
Quote
Or it has to do with "Microsoft certificate revocation list" (whatever this means!)?
and when do you see this?


They usually (not always) appear first thing when Windows starts, even BEFORE I start Chrome (my default browser). Then pop-ups appear in an unpredictably spontaneous manner, sometimes I hear "threat has been detected" while I'm away from my laptop with only 2 or 3 Chrome tabs open (Facebook and Google)! Most of the time the pop-ups are unprompted, they appear without performing any action (visiting a website, downloading a file, etc.)

REDACTED

  • Guest
Re: Constant pop-ups; HTML:RedirME-inf[Trj] svchost.exe
« Reply #4 on: September 28, 2015, 04:26:53 PM »
Quote
Or it has to do with "Microsoft certificate revocation list" (whatever this means!)?
-> http://social.technet.microsoft.com/wiki/contents/articles/2303.understanding-access-to-microsoft-certificate-revocation-list.aspx
Thank you so much, I thought my problem had to do with MS certificate because when I googled "hxxp://crl.microsoft.com/pki/crl/products/....", I found similar topics on different security websites and the term "Microsoft certificate revocation" kept coming up, like this topic on another AV forum https://forums.comodo.com/firewall-help-cis/why-is-explorerexe-trying-to-connect-to-an-external-ip-t81288.0.html

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76035
    • >>>  Avast Forum - German-language section  <<<
Re: Constant pop-ups; HTML:RedirME-inf[Trj] svchost.exe
« Reply #5 on: September 28, 2015, 04:29:15 PM »
You're welcome.

REDACTED

  • Guest
Re: Constant pop-ups; HTML:RedirME-inf[Trj] svchost.exe
« Reply #6 on: September 28, 2015, 06:44:08 PM »
I hope someone will help me solve my problem before tomorrow, I'm waiting for instructions, any suggested tests? Farbar, Adwcleaner, ZOEK....?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37549
  • Not a avast user
Re: Constant pop-ups; HTML:RedirME-inf[Trj] svchost.exe
« Reply #7 on: September 28, 2015, 06:56:31 PM »

REDACTED

  • Guest
Re: Constant pop-ups; HTML:RedirME-inf[Trj] svchost.exe
« Reply #8 on: September 28, 2015, 09:27:03 PM »
 :)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Constant pop-ups; HTML:RedirME-inf[Trj] svchost.exe
« Reply #9 on: September 28, 2015, 09:42:40 PM »
You are running three antivirus programmes:

Quote
AV: Avira Antivirus (Enabled - Up to date) {4D041356-F94D-285F-8768-AAE50FA36859}
AV: Microsoft Security Essentials (Enabled - Up to date) {B7ECF8CD-0188-6703-DBA4-AA65C6ACFB0A}
AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Microsoft Security Essentials (Enabled - Up to date) {0C8D1929-27B2-688D-E114-9117BD2BB1B7}
AS: Avira Antivirus (Enabled - Up to date) {F665F2B2-DF77-27D1-BDD8-9197742422E4}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: avast! Antivirus (Enabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}


More is not better..  Two must go

Could you screenshot the Avast popup and attach that?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
FF user.js: detected! => C:\Users\PC\AppData\Roaming\Mozilla\Firefox\Profiles\e61rdlro.default\user.js [2014-06-26]
FF HKU\S-1-5-21-2584316828-3291426782-3374062165-1000\...\Firefox\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\PC\AppData\Roaming\IDM\idmmzcc5 => not found
FF HKU\S-1-5-21-2584316828-3291426782-3374062165-1000\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\PC\AppData\Roaming\IDM\idmmzcc5 => not found
2015-09-23 04:13 - 2014-06-26 02:10 - 00000000 __SHD C:\Users\PC\AppData\Local\EmieUserList
2015-09-23 04:13 - 2014-06-26 02:10 - 00000000 __SHD C:\Users\PC\AppData\Local\EmieSiteList
2015-02-05 06:24 - 2015-02-05 06:24 - 6103040 _____ () C:\Program Files (x86)\GUT1533.tmp
Task: {96C968DA-9B44-4469-8C61-81BD8A9922EB} - \GoforFilesUpdate -> No File <==== ATTENTION
Task: {9E0D4609-00B8-4743-948A-7B4D2B82F672} - \YourFile DownloaderUpdate -> No File <==== ATTENTION
C:\Program Files (x86)\YourFileDownloader
C:\Program Files (x86)\GoforFiles
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S0].txt as well.

REDACTED

  • Guest
Re: Constant pop-ups; HTML:RedirME-inf[Trj] svchost.exe
« Reply #10 on: September 28, 2015, 11:25:45 PM »
Thank you so much @essexboy, the screenshot wouldn't show the object's title (it shows only part of it), and when I try "more details", I get "The online content is unavailable", my internet speed is just fine, I've always got this message no matter how fast my internet is. I went through Chrome browsing history (I searched for each of these pop-ups when they showed up), and wrote them down to the letter, I hope this helps

hxxp://crl.microsoft.com/pki/crl/products/MicWinHarComPCA_2008-01-08.crl

hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl

hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl

hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl

hxxp://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl


The infection is always the same HTML:RedirME-inf[Trj]
And the process is always the same C:\Windows\System32\svchost.exe

Would this work? (Thank you for your patience)

REDACTED

  • Guest
Re: Constant pop-ups; HTML:RedirME-inf[Trj] svchost.exe
« Reply #11 on: September 29, 2015, 04:41:38 AM »
I guess I scanned (but not cleaned) my device with Adwcleaner before, because I see three logs at Adwcleaner, I'll attach the three of them, and the fixlog.


Adware has deleted Babylon because it's labelled a "PUP", can I re-install it now, is it really that harmful?

REDACTED

  • Guest
Re: Constant pop-ups; HTML:RedirME-inf[Trj] svchost.exe
« Reply #12 on: September 29, 2015, 05:43:56 AM »
I thought everything was fine till I got another pop-up while reading an article on Wikipedia  :(

Object: hxxp://crl.microsoft.com/pki/crl/products/MicWinHarComPCA_2010-11-01.crl

Infection: HTML:RedirME-inf[Trj]

Process: C:\Windows\System32\svchost.exe

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Constant pop-ups; HTML:RedirME-inf[Trj] svchost.exe
« Reply #13 on: September 29, 2015, 04:16:06 PM »
Could you download and run this update from MS  http://www.microsoft.com/downloads/details.aspx?FamilyId=d3f212e9-2c49-4cd6-bd2f-51cf8a712ba6

Let me know if it cures the problem

REDACTED

  • Guest
Re: Constant pop-ups; HTML:RedirME-inf[Trj] svchost.exe
« Reply #14 on: September 29, 2015, 04:52:33 PM »
It said "the update is not applicable to your computer"