Author Topic: Threat? clients2.googleusercontent.com w/JS:ShellCode-S[Expl]

REDACTED

  • Guest
Threat? clients2.googleusercontent.com w/JS:ShellCode-S[Expl]
« on: November 06, 2017, 08:26:50 PM »
Been getting this Avast popup (see screenshot) for about a week now whenever I'm online. Usually appears within seconds of opening Chrome. I can be surfing anywhere, any site, NO particular place & it appears on average every 20 minutes or so. I've done this so far: made sure Windows 10 all updated (it was), originally had AVG Free installed when this started happening & updated it, then today UNinstalled AVG and installed Avast - problem still happens... ha! The warning JUST popped up right now AGAIN...anyway...I've run virus scans - finds nothing. Nothing gets put in Quarantine either from this popup. MalwareBytes finds nothing. Driving me bonkers... Help!
Attached is the threat popup AND diagnostics I just ran using Farbar Recovery Scan tool as per moderator on a different section of the Avast forum...
« Last Edit: November 06, 2017, 08:31:52 PM by GinaMB »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37533
  • Not a avast user
Re: Threat? clients2.googleusercontent.com w/JS:ShellCode-S[Expl]
« Reply #1 on: November 06, 2017, 08:29:28 PM »
From the screenshot it seems you may have a Chrome extension that tries to connect to that URL, which contains the exploit Avast is blocking.

Malware experts are notified, it may take some hours before anyone is online

« Last Edit: November 06, 2017, 08:36:29 PM by Pondus »

REDACTED

  • Guest
Re: Threat? clients2.googleusercontent.com w/JS:ShellCode-S[Expl]
« Reply #2 on: November 06, 2017, 08:32:49 PM »
Thanks... no rush, as it seems this is unlikely anything major (I hope).

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37533
  • Not a avast user

REDACTED

  • Guest
Re: Threat? clients2.googleusercontent.com w/JS:ShellCode-S[Expl]
« Reply #4 on: November 06, 2017, 08:43:05 PM »
Yep, already cleared cache & cookies... also use CCleaner (updated version) and run the Windows Disk Cleanup tool. :)

Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 820
Re: Threat? clients2.googleusercontent.com w/JS:ShellCode-S[Expl]
« Reply #5 on: November 06, 2017, 09:41:27 PM »
  • Open Notepad (click Start button -> type notepad.exe -> press Enter)
  • Copy text from code block below and paste it into Notepad
Code:
CHR HKU\S-1-5-21-3719281007-1545348927-2765418579-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - hxxps://clients2.google.com/service/update2/crx
  • Go to File -> Save As
  • Make sure that UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open again FRST and click on button Fix
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.

Then, follow the instructions below to open the Chrome extension manager:
https://support.google.com/chrome_webstore/answer/2664769?hl=en
and remove the following extensions:

hxxps://keep.google.com/u/0/
hxxps://news.google.com/nwshp?hl=en&tab=wn&ei
KDSPY
« Last Edit: November 06, 2017, 09:43:29 PM by Sass Drake »

REDACTED

  • Guest
Re: Threat? clients2.googleusercontent.com w/JS:ShellCode-S[Expl]
« Reply #6 on: November 06, 2017, 09:58:06 PM »
OK... just followed your instructions except I paused before removing the 3 extensions you mentioned... as you said to post the fixlog.txt before I continued. It's attached...

REDACTED

  • Guest
Re: Threat? clients2.googleusercontent.com w/JS:ShellCode-S[Expl]
« Reply #7 on: November 06, 2017, 10:37:56 PM »
Well, the Avast threat popup was STILL popping up every 20 minutes or so... and so I decided, instead of waiting to hear back from you as to whether I should go ahead and remove those extensions you suggested (you said to post the Fixlog.txt FIRST and basically wait to hear back from you before moving forward.....), that just about a minute ago I went ahead and did the second part of your suggestion before I got your last post... to remove Keep and remove News from extensions/apps. That's now done. But I only disabled KDSPY instead of removing it as you suggested (I'm an author and use that frequently on Amazon). So, we'll see in the next half hour or so if it pops up again...

REDACTED

  • Guest
Re: Threat? clients2.googleusercontent.com w/JS:ShellCode-S[Expl]
« Reply #8 on: November 07, 2017, 12:21:59 AM »
Nope, this did NOT fix it. I was off the net for about an hour (meal time!) and just got back on the computer. About 3 seconds after opening Chrome, the same Avast pop-up appeared. And I DID remove the Keep and the News as you said. And the KDspy is not enabled. Soooo... not sure what to do now  :-\

Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 820
Re: Threat? clients2.googleusercontent.com w/JS:ShellCode-S[Expl]
« Reply #9 on: November 07, 2017, 04:46:42 PM »
Try now to disable extensions one by one until you reach the point where Avast doesn't show messages. When you find it, tell us which one it was so we can report it to Google or Avast (if it is a false positive).

Also, please attach following file to your post.

C:\ProgramData\AVAST Software\Avast\report\WebShield.txt

REDACTED

  • Guest
Re: Threat? clients2.googleusercontent.com w/JS:ShellCode-S[Expl]
« Reply #10 on: November 07, 2017, 07:14:58 PM »
I will give it a try... Also, the only extensions I have ENabled at chrome://extensions are: Avast Online Security, Google Docs and Google Offline Docs. That's it. There are several other extensions listed (which all seem to be ones that are OK) that are NOT enabled right now.

At chrome://apps, I show Asana, Google Calendar, Google Web Store, Google Docs, Google Drive.

You requested the attached:

Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 820
Re: Threat? clients2.googleusercontent.com w/JS:ShellCode-S[Expl]
« Reply #11 on: November 07, 2017, 07:36:30 PM »
Now this is really strange. Do you have or had extension named Blasty? I don't see it in FRST logs.
« Last Edit: November 07, 2017, 07:40:57 PM by Sass Drake »
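Reply #9 asks to narrow the alert down to one extension by disabling them one at a time, and Reply #11 raises an extension (Blasty) that no longer appears in the extension manager. One way to get a complete inventory, as an added example that is not code from the thread, from Avast or from FRST, is to read every manifest.json under the profile's Extensions folder on disk; the sample tree it builds is constructed for illustration only.

```python
# Added example, not code from the forum thread or from Avast/FRST: list Chrome extensions
# straight from a profile's Extensions folder, so one hidden from chrome://extensions is still seen.
import json, re, tempfile
from pathlib import Path

ID_RE = re.compile(r"[a-p]{32}")          # Chrome extension ids: 32 chars from a-p
MSG_RE = re.compile(r"^__MSG_(\w+)__$")   # placeholder for a localized manifest string

def resolve_msg(value, ext_dir, manifest):
    """Expand __MSG_key__ via _locales/<default_locale>/messages.json, else return value."""
    m = MSG_RE.match(value or "")
    if not m:
        return value
    path = ext_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
    try:
        return json.loads(path.read_text("utf-8"))[m.group(1)]["message"]
    except (OSError, KeyError, TypeError, ValueError):
        return value

def list_extensions(root):
    """One record per <id>/<version>/manifest.json under root, enabled or not."""
    found = []
    for id_dir in sorted(Path(root).iterdir()):
        if not (id_dir.is_dir() and ID_RE.fullmatch(id_dir.name)):
            continue                       # skip anything that is not an extension id
        for mp in sorted(id_dir.glob("*/manifest.json")):
            manifest = json.loads(mp.read_text("utf-8-sig"))
            perms = manifest.get("permissions", []) + manifest.get("host_permissions", [])
            found.append({
                "id": id_dir.name,
                "version": manifest.get("version", mp.parent.name),
                "name": resolve_msg(manifest.get("name"), mp.parent, manifest),
                "update_url": manifest.get("update_url", ""),
                # host patterns show which sites the extension may read or modify
                "hosts": [p for p in perms if isinstance(p, str) and ("://" in p or p == "<all_urls>")],
            })
    return found

def build_sample_profile():
    """Write a constructed (fake) extension tree to a temp dir and return its Extensions path."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    ext = root / "abcdefghijklmnopabcdefghijklmnop" / "1.2.3_0"
    (ext / "_locales" / "en").mkdir(parents=True)
    (ext / "manifest.json").write_text(json.dumps({
        "name": "__MSG_appName__", "version": "1.2.3", "default_locale": "en",
        "update_url": "https://clients2.google.com/service/update2/crx",
        "permissions": ["tabs", "<all_urls>", "https://*.example.test/*"]}), "utf-8")
    (ext / "_locales/en/messages.json").write_text(
        json.dumps({"appName": {"message": "Sample Extension"}}), "utf-8")
    (root / "not-an-extension").mkdir()   # must be ignored by list_extensions
    return root
```

On a real Windows machine, point list_extensions at %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions (or another profile folder) and compare the ids it prints against what chrome://extensions shows.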

REDACTED

  • Guest
Re: Threat? clients2.googleusercontent.com w/JS:ShellCode-S[Expl]
« Reply #12 on: November 07, 2017, 08:16:20 PM »
Yes!! I had Blasty!! But it isn't listed in the extensions or apps anymore. I can't recall if I removed it in the last several months or not... or if it just disappeared. I know I had gotten an email from them in the last week or so saying the Beta period I had participated in during the last year was ending towards the end of this month (I think) and then if I wanted to continue their service I would need to pay (they don't have any credit card info).

So what do you think?

REDACTED

  • Guest
Re: Threat? clients2.googleusercontent.com w/JS:ShellCode-S[Expl]
« Reply #13 on: November 07, 2017, 08:26:58 PM »
Here's the copy of the email from Blasty - received it yesterday...

Hi Gina,

Blasty is now out of Beta.

For this occasion, we launched a new version of the product with new features:
     - Each Blast now triggers a DMCA takedown notice to Google, Bing, Yahoo AND the site hosting the infringement ;
     - Blasty Full Power users can now override the algorithm's rating ;
     - The scanning speed has been significantly improved.
NB: expect continuous improvements.

As a former Beta-tester, you'll be able to enjoy Blasty Basic for free until November 21st 2017.

Please keep sharing your feedback with us, good or bad. We're taking every comment into consideration.

Happy Blasting,

Olivier Zetlers - CEO & cofounder
Blasty, 41E 11th Street New York, NY 10011

Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 820
Re: Threat? clients2.googleusercontent.com w/JS:ShellCode-S[Expl]
« Reply #14 on: November 07, 2017, 08:38:15 PM »
  • Go to Chrome menu and go to Clear browsing data or use keyboard shortcut Ctrl + Shift + Delete.
  • In the drop down menu select From the beginning of time and select only Cached images and files and Hosted app data. See attached screenshot.
  • Please report if problem was solved.