Avast alerts - svchost.exe

Hello!
My Avast AV shows alerts regarding svchost.exe and some others.

What should I do?

these are screens of alerts

Essexboy is notified…may take some hours before he is online

Hi there - nothing is readily apparent in those logs so let’s look deeper

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Here’s Combo’s log.
Some programmes were marked for deletion, after reboot everything is ok. But alerts from Avast still appear.

Hmm intriguing - OK I will now reset your DHCP. But I will create a restore point first just in case I am in error

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands
[emptytemp]
[CREATERESTOREPOINT]

:OTL
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 78.29.2.21 78.29.2.22
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{37BF58C0-805A-406E-AEF0-6C54E6F4B3D7}: NameServer = 78.29.2.21 78.29.2.22
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B53D360E-DEC1-4780-90BA-3CF52403724B}: DhcpNameServer = 78.29.2.21 78.29.2.22

:Files
ipconfig /flushdns /c


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
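
Added example, not part of the thread and not OTL's own code: a Python parser for O17 lines like those in the fix above, which separates statically set NameServer values from DHCP-assigned DhcpNameServer values and lists any resolver outside a set you supply. The function names and the `expected` set (the resolvers your ISP or router is known to hand out) are assumptions for illustration.

```python
import re
from ipaddress import ip_address

# O17 lines copied from the OTL fix in this thread.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 78.29.2.21 78.29.2.22
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{37BF58C0-805A-406E-AEF0-6C54E6F4B3D7}: NameServer = 78.29.2.21 78.29.2.22
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B53D360E-DEC1-4780-90BA-3CF52403724B}: DhcpNameServer = 78.29.2.21 78.29.2.22
"""

# The backslash before the GUID is optional because forum software often eats it.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters"
    r"(?:\\Interfaces\\?(?P<guid>\{[0-9A-Fa-f-]{36}\}))?"
    r": (?P<value>DhcpNameServer|NameServer) = (?P<servers>.+)$"
)

def parse_o17(log_text):
    """Return one dict per O17 DNS entry: scope, source (static/dhcp), servers."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue  # not an O17 name-server line
        servers = []
        for token in re.split(r"[ ,]+", m["servers"].strip()):
            try:
                servers.append(str(ip_address(token)))
            except ValueError:
                servers.append(f"INVALID:{token}")  # keep malformed values visible
        entries.append({
            "scope": m["guid"] or "global",
            # NameServer is set by hand or by software; DhcpNameServer comes from the lease.
            "source": "static" if m["value"] == "NameServer" else "dhcp",
            "servers": servers,
        })
    return entries

def review(entries, expected):
    """Return (scope, source, server) for every resolver not in `expected` (assumed known-good)."""
    return [(e["scope"], e["source"], s)
            for e in entries for s in e["servers"] if s not in expected]
```

Static entries deserve the closer look, since a DHCP value only reflects what the router or ISP handed out.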

new OTL logs

Could you run the MS Fixit here please http://support.microsoft.com/kb/299357

Once done then reboot and let me know if the alerts still occur

Alerts disappeared. I did not run MS Fixit. Should I?

What were these alerts? Some malware? Or maybe a bug in Avast?

I feel it was an aversion on Avast’s part to the Russian IP

If the alerts have ceased then there is no need for the Fixit.

I would like you to run for a day or so though to ensure that it has gone

Ran MS Fixit, rebooted, alerts appear again…

If this is an aversion on Avast’s part to the Russian IP - I’ve used Avast for several years and there were no problems like this. These alerts showed up a month ago

The reason I say that is because one of the alerts is for avast setup (i.e. the updater)

78.29.2.21 is what Avast is getting uppity about and it relates to Intersvyaz in Moscow

Which appears clean according to Wepawet http://wepawet.iseclab.org/view.php?hash=e43f7936d79e603afdacbf9c7b02ca3d&t=1329747808&type=js

So this may well be a false positive

From the chest could you upload the detection as a potential false positive

I think the blocked IP is clean - Intersvyaz is my provider.
I didn’t understand what I should upload and where?

And do I have to worry about these alerts, or should I not pay attention to them as a false positive?

No problem I will upload it for analysis

Confirmed as a false positive and will be fixed on next VPS update