Author Topic: Repeated notifications Web Shield has blocked a harmful webpage  (Read 7446 times)

REDACTED

  • Guest
Repeated notifications Web Shield has blocked a harmful webpage
« on: February 05, 2016, 02:03:33 AM »
I am getting repeated notifications (every 30 seconds or so)...

     Avast Web Shield has blocked a harmful webpage or file.
     Object:      http://reannewscomm.com/ads.php?sid=1921
     Infection:  URL:Mal
     Process:    C:\Windows\explorer.exe

I am guessing I have some kind of virus - does anyone have any suggestions?

Thanks in advance,
cgraham2



REDACTED

  • Guest
Re: Repeated notifications Web Shield has blocked a harmful webpage
« Reply #1 on: February 05, 2016, 02:13:38 AM »
I am attaching the Malwarebytes Protection Log and Scan Log

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: Repeated notifications Web Shield has blocked a harmful webpage
« Reply #2 on: February 05, 2016, 02:28:33 AM »
Follow the instructions here: https://forum.avast.com/index.php?topic=53253.0
We need Malwarebytes and Farbar Recovery Scan Tool logs. Attach the logs, 3 logs total.

See below the box you write in ... Attachments and other options

A malware expert will then assist you when online ... tomorrow


REDACTED

  • Guest
Re: Repeated notifications Web Shield has blocked a harmful webpage
« Reply #3 on: February 06, 2016, 01:08:14 AM »
I have attached 4 logs - I wasn't sure which Malwarebytes log you needed.

This computer is connected to my network by an ethernet cable.
I disconnected it last night, and the notifications stopped.
When I plugged it back in to post this today, they started again.

I appreciate any help you can provide.
Thanks!

Offline dbrisendine

  • Malware Fighter
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1258
Re: Repeated notifications Web Shield has blocked a harmful webpage
« Reply #4 on: February 06, 2016, 03:02:05 AM »

FIRST >>>>

Fix with Farbar Recovery Scan Tool
This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.
Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.
Please attach it to your reply.


SECOND >>>>

AdwCleaner by Xplode

Download AdwCleaner from here or from here. Save the file to the desktop.


NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

  • Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
    You will see the following console:

  • Click the Scan button and wait for the scan to finish.
  • After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Waiting for action. Please uncheck elements you don't want to remove.
  • Click the Clean button.
  • Everything checked will be deleted.
  • When the program has finished cleaning a report appears.
  • Once done it will ask to reboot; allow this.

  • On reboot a log will be produced; please attach that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C0].txt

    Optional:

    NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.

THINGS TO REPLY WITH >>>>
  • The Fixlog.txt file (attached).
  • The AdwCleaner[C#].txt log attached.
  • How is your system running now?
Win7 x32 Ult. SP1, Brain 2.0 / Win10 x64, Brain2.5
My help is always free but if you would like to help encourage me or show your thanks -----> DONATE

REDACTED

  • Guest
Re: Repeated notifications Web Shield has blocked a harmful webpage
« Reply #5 on: February 07, 2016, 04:17:26 AM »
Thank you for your help - your instructions were very clear and easy to follow.

Since the notifications stopped when the computer was disconnected from the Internet, my partner felt we should leave it disconnected.
So I downloaded the fixlist.txt and AdwCleaner onto a USB stick, from a different computer, then moved them to the desktop on this computer.

I ran a Fix with FRST, and have attached the Fixlog.txt

I did a Scan and Cleaning with AdwCleaner, and the computer rebooted as expected.
I have attached that log as well.

Unfortunately, as soon as I reconnected the computer to the Internet, the Web Shield notifications started again.
The same one from before:
http://reannewscomm.com/ads.php?sid=1921    pops up about every 30-45 seconds
And less frequently, one for:
http://xml.infinity-info.com/click?i=Y3*De*Qrf74_0

I am now also getting warnings from Malwarebytes that it is blocking malicious websites - with various different websites, for example:
 - monetizemytraffic.com
 - 120883.adsdomain.org
 - xml3.danarimedia.com
 - filter3.danarimedia.com
 - adcash.com
 - tradeadexchange.com

Should I have done all this while the computer was connected to the Internet?
Thanks,
cgraham2

Offline dbrisendine

  • Malware Fighter
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1258
Re: Repeated notifications Web Shield has blocked a harmful webpage
« Reply #6 on: February 07, 2016, 04:53:52 AM »
Forgot to say that it is OK to run this disconnected from the internet for now.  You are doing fine so far.


FIRST >>>>

Let's protect your systems with MCShield (if you need to use a USB stick for transferring data / logs, then let's make sure that only data / logs are transferred!).


Download MCShield to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control center select scanner and tick unhide items on flash drives

Plug in the drive and MCShield will start a scan
Select logs and then copy/paste it to your next post

SECOND >>>>

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java :
Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, then click on Remove Java Runtime.
  • Select the Java version you have from the drop down list, and then click on Run Uninstaller
  • Press Yes if it asks to uninstall the product.
  • Allow the uninstaller to remove the installed version.
  • When it's finished, go back to JavaRa, and click Back
  • Click on Update Java Runtime and then select Download and install latest version.
  • Press Next
  • Press Java Manual Download.
  • A browser window will open with the Java download page.
  • Click the Windows offline link to download Java.
  • Run the installer.
  • Close JavaRa
THIRD >>>>

Junkware Removal Tool
Please download JRT from here to your desktop.

Note: Temporarily disable/shut down your protection software now to avoid potential conflicts, how to do so can be read here.

Double click the JRT.exe file to run the application.

The application will open a Command Prompt window and run from there (this is normal for this program, so do not be alarmed).

When it is asked, press any key to allow the program to continue / run.

This will create a log on the desktop; please copy and paste the JRT.txt log text in your next post.

Note: After the log file is created, please enable your protection software / reboot your system and verify your protection software is enabled.
« Last Edit: February 07, 2016, 04:55:59 AM by dbrisendine »

REDACTED

  • Guest
Re: Repeated notifications Web Shield has blocked a harmful webpage
« Reply #7 on: February 08, 2016, 08:58:49 AM »
My apologies for the delays in dealing with this, but I've been in a big exam the last three days.  I will have more time to work on this now.

I downloaded MCShield on my other computer and scanned the USB stick I used for transferring data & logs.

Here is the log (I removed extra line breaks to save space):

>>> MCShield AllScans.txt <<<
-----------------------------
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
>>> v 3.0.5.28 / DB: 2015.12.6.1 / Windows XP <<<
08/02/2016 12:52:50 AM > Drive C: - scan started (ACER ~142 GB, NTFS HDD )...
=> The drive is clean.
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
>>> v 3.0.5.28 / DB: 2015.12.6.1 / Windows XP <<<
08/02/2016 12:53:32 AM > Drive D: - scan started (no label ~961 MB, FAT flash drive )...
=> The drive is clean.


I downloaded JavaRa and JRT on the other computer and transferred them to this computer with the USB stick.
I ran the Java uninstaller, then connected to the Internet to do the Java Manual Download / Windows offline.

I disabled Avast and ran the JRT - here is that log (again, I removed extra line breaks):

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.2 (01.06.2016)
Operating System: Windows 7 Home Premium x64
Ran by waap (Administrator) on 08/02/2016 at  1:08:30.61
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
File System: 17
Successfully deleted: C:\Users\waap\AppData\Local\{04CF301B-F050-439F-9DDA-04B9B14D2738} (Empty Folder)
Successfully deleted: C:\Users\waap\AppData\Local\{1EBF73C3-42E2-4BBC-9108-B1A1948B04B8} (Empty Folder)
Successfully deleted: C:\Users\waap\AppData\Local\{384CB774-FC63-4412-BF62-F2C5E32BD219} (Empty Folder)
Successfully deleted: C:\Users\waap\AppData\Local\{3F64E34F-F1F6-435B-887B-3601EDCB4762} (Empty Folder)
Successfully deleted: C:\Users\waap\AppData\Local\{4DE90E9A-9DE2-4FEB-B03C-D44E95936428} (Empty Folder)
Successfully deleted: C:\Users\waap\AppData\Local\{5BC142B0-B72C-4A86-8C63-FD13F77E9187} (Empty Folder)
Successfully deleted: C:\Users\waap\AppData\Local\{62CDA217-601D-41F2-B78B-46D6AEAE41D5} (Empty Folder)
Successfully deleted: C:\Users\waap\AppData\Local\{6A786E58-525D-4224-A4A7-BD06ED63BBBC} (Empty Folder)
Successfully deleted: C:\Users\waap\AppData\Local\{A4706E52-AF6B-4D06-8650-1A47E133B876} (Empty Folder)
Successfully deleted: C:\Users\waap\AppData\Local\{AC37A9F3-B60E-419C-814C-2EE336C4867D} (Empty Folder)
Successfully deleted: C:\Users\waap\AppData\Local\{C2D1B131-883A-48D3-9D1A-7D8484166FB0} (Empty Folder)
Successfully deleted: C:\Users\waap\AppData\Local\{D1DBAC5A-B90E-4C7D-8A11-58E153DE231F} (Empty Folder)
Successfully deleted: C:\Windows\wininit.ini (File)
Successfully deleted: C:\Users\waap\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\20GVC5JL (Folder)
Successfully deleted: C:\Users\waap\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQ1RCZIR (Folder)
Successfully deleted: C:\Users\waap\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FOOFI3GX (Folder)
Successfully deleted: C:\Users\waap\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SVEQW754 (Folder)
Registry: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 08/02/2016 at  1:12:03.58
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


After the log was generated, I enabled Avast and rebooted the system.
When it restarted, the Program Compatibility Assistant said the JRT was missing a Windows component.
I have attached a screen capture of that pop-up window.
When I checked to verify that Avast was enabled, I noticed there is a new version available.
Should I update at this point, or hold off for now?

The Web Shield is still popping up with the reannewscomm.com alert, and Malwarebytes is busy blocking the same malicious websites that I noted in the earlier post. 
I will disconnect this computer from my network again, right after I submit this post.

Thanks again for your help, and your patience!

Offline dbrisendine

  • Malware Fighter
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1258
Re: Repeated notifications Web Shield has blocked a harmful webpage
« Reply #8 on: February 08, 2016, 08:31:20 PM »
Yes, please update Avast to the latest version.

Do not apologize about the delay; real life always comes first in these matters.  Good luck on the exams!

I am doing further research on this one and will be back soon with more instructions; let's see if the latest version of Avast does some more work on this issue.

« Last Edit: February 08, 2016, 08:38:26 PM by dbrisendine »

REDACTED

  • Guest
Re: Repeated notifications Web Shield has blocked a harmful webpage
« Reply #9 on: February 09, 2016, 01:01:07 AM »
I updated Avast and ran a Smart Scan.
No viruses, malware or network threats were detected.

The popups started again:
  from Avast - for reannewscomm.com,
  and from Malwarebytes - the same as before, with a few new ones as well

Most weren't, but I noticed one of the Malwarebytes warnings indicated the Process was from notebook.exe?
I have attached some screenshot images.

Will unplug from the Internet again after posting  :(

Offline dbrisendine

  • Malware Fighter
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1258
Re: Repeated notifications Web Shield has blocked a harmful webpage
« Reply #10 on: February 09, 2016, 07:07:56 AM »
Not all AVs detect everything...  Let's see what a different one finds.


This next step may take a while (just to warn you) .....

ESET Online does not work with IE 11 (Internet Explorer) at the moment (a few weeks ago anyway) so if you have IE 11, Chrome or Firefox has to be used instead.  ESET Online does work with IE 10 and earlier.

You can leave Avast! enabled even though ESET may warn about it; it just makes the scan take longer. The pictures below showing what to click may be blue instead of green on the ESET website now, but the procedure is still the same.

Please read carefully and slowly. Notice all the settings listed below to check before starting the scan. Stop and ask if you have any questions.

Take note of the NO tick in the Remove found threats setting below, as it needs to have the tick removed.

-------------------------------------------------------------------------------------------------------------------

Hold down Control key and click on the following link to open ESET OnlineScan in a new window.

Link =>> ESET Online Scanner  <<

Click the Run ESET Online Scanner located on the left side of the page (not the free trial).



For browsers other than Internet Explorer only: (Microsoft Internet Explorer users can skip this step)
Click on the esetsmartinstaller link in the popup window that opens. Save it to your desktop.



Double click on the icon on your desktop.



Check (accept) the Terms of Use.



Click the START button.
Accept any security warnings from your browser.

Now in the Computer scan settings window that appears:-
Make sure that the option Enable detection of potentially unwanted applications is selected.
Now click on Advanced Settings and configure the options as follows:

Remove found threats is Not checked
Scan archives is checked
Scan for potentially unsafe applications is checked
Enable Anti-Stealth Technology is checked


Now click on: Start




ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.






When the scan is finished, if any threats are found you will see the screen below.  Click to view the found threats.



At the bottom of the listed threats, there is an option to save the results to a text file.  Please do this so you can attach the results here for review and removal of the items that are not false positives (these will be scripted out so do not worry).



Once the log text file is saved, return to the Scan Finished screen by clicking "<<Back", then click on the uninstall button and click Finish.



Attach the saved log file in your next reply please.  Thanks.

REDACTED

  • Guest
Re: Repeated notifications Web Shield has blocked a harmful webpage
« Reply #11 on: February 12, 2016, 03:07:11 AM »
I tried holding down the Ctrl key and clicking the link for ESET OnlineScan, but I get a "Problem loading page" error (see attached screenshot).
Other webpages are loading fine.

From the URL bar, it appears to be trying to open:
www."http.com//www.eset.com/us/online-scanner/

Your screen shot for ESET doesn't show that initial www."http.com//, and if I remove that, I can get to:
http://www.eset.com/us/online-scanner/
(see attached screen shot)

Is it okay for me to proceed with the scan from there, or would you like to send a different link?

Thanks

REDACTED

  • Guest
Re: Repeated notifications Web Shield has blocked a harmful webpage
« Reply #12 on: February 12, 2016, 03:08:24 AM »
Not sure why the first attachment didn't go through...

Offline dbrisendine

  • Malware Fighter
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1258
Re: Repeated notifications Web Shield has blocked a harmful webpage
« Reply #13 on: February 12, 2016, 06:43:54 AM »
Not sure what happened to the link but http://www.eset.com/us/online-scanner/ is correct.  Please use that for the scanner download.

REDACTED

  • Guest
Re: Repeated notifications Web Shield has blocked a harmful webpage
« Reply #14 on: February 13, 2016, 06:06:20 AM »
Wow, that DID take a long time!
But 6 threats were detected - so hopefully we are closer  :)
I have attached the log
C