Avast blocking URL svchost.exe

Dear experts,

I first got the pop-up alert 2 weeks ago, and it has been going on quite regularly since.
I have been following your guide and attached the related files to this post.
One detail: even though it is mostly related to svchost.exe, I have seen other names, but very rarely.

Thank you for your help.

Best regards,
Ronan

2 additional screen captures to share the detail of the pop-up.
Hope this helps.

Were you updating Windows at the time?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
BHO-x32: FlashGetBHO -> {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} -> C:\Users\Ronan\AppData\Roaming\FlashGetBHO\FlashGetBHO.dll No File
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll No File
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll No File
2015-02-14 17:08 - 2014-08-14 15:56 - 00000000 ____D () C:\Users\Ronan\AppData\Roaming\Search Protection
2013-03-02 15:31 - 2013-03-02 15:31 - 0000020 _____ () C:\Users\Ronan\AppData\Roaming\004D5649544E41696E66
2012-11-10 21:59 - 2014-12-13 17:13 - 0000256 _____ () C:\Users\Ronan\AppData\Roaming\0408EDB97439FC
2014-05-04 17:23 - 2014-05-04 17:23 - 0000040 _____ () C:\ProgramData\DT0001.dat
CustomCLSID: HKU\S-1-5-21-3777026070-661087563-4202175341-1002_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Ronan\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-3777026070-661087563-4202175341-1002_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\Ronan\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-3777026070-661087563-4202175341-1002_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Ronan\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-3777026070-661087563-4202175341-1002_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Ronan\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-3777026070-661087563-4202175341-1002_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\Ronan\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll No File
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.
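An added helper for reviewing a fixlist like the one above before Fix is pressed; it is not part of this thread or of FRST itself, and it only assumes the line formats visible in the thread (directive lines, "No File" registrations, and date-stamped scan-log entries):

```python
import re

# Constructed sample in the FRST fixlist format used in this thread (a subset of its lines)
SAMPLE_FIXLIST = r"""
CreateRestorePoint:
BHO-x32: FlashGetBHO -> {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} -> C:\Users\Ronan\AppData\Roaming\FlashGetBHO\FlashGetBHO.dll No File
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll No File
2015-02-14 17:08 - 2014-08-14 15:56 - 00000000 ____D () C:\Users\Ronan\AppData\Roaming\Search Protection
2014-05-04 17:23 - 2014-05-04 17:23 - 0000040 _____ () C:\ProgramData\DT0001.dat
EmptyTemp:
CMD: bitsadmin /reset /allusers
"""

DIRECTIVE_RE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")   # "Directive: payload"
# date-stamped scan-log entries: "created - modified - size attrs () path"
FILE_ENTRY_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - \d+ (\S+) \(.*?\) (.+)$")


def parse_fixlist(text):
    """Return one (kind, directive, target) tuple per non-empty fixlist line."""
    entries = []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        m = FILE_ENTRY_RE.match(line)
        if m:  # bare file/folder entry: FRST will delete this path ("D" attribute = folder)
            attrs, path = m.groups()
            entries.append(("dir" if "D" in attrs else "file", "", path))
            continue
        m = DIRECTIVE_RE.match(line)
        directive, payload = m.groups() if m else ("", line)
        if directive == "CMD":                   # command line FRST will execute
            entries.append(("command", directive, payload))
        elif directive and not payload:          # e.g. CreateRestorePoint:, EmptyTemp:
            entries.append(("action", directive, ""))
        elif payload.endswith(" No File"):       # registration whose target file is gone
            target = payload[:-len(" No File")].rsplit(" -> ", 1)[-1].rsplit(" - ", 1)[-1]
            entries.append(("orphan", directive, target))
        else:
            entries.append(("other", directive, payload))
    return entries


def summarize(entries):
    """Group what the fixlist will do so it can be reviewed before Fix is pressed."""
    groups = {"actions": [], "commands": [], "orphans": [], "deletions": [], "other": []}
    keymap = {"action": "actions", "command": "commands", "orphan": "orphans",
              "file": "deletions", "dir": "deletions"}
    for kind, directive, target in entries:
        groups[keymap.get(kind, "other")].append(directive if kind == "action" else target)
    return groups
```

Running `summarize(parse_fixlist(SAMPLE_FIXLIST))` separates the paths that will be deleted and the commands that will run from the harmless housekeeping directives, which is the split a reviewer wants to see before pressing Fix.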

Thank you, I followed your instructions. Please find the fixlog file attached.

To answer your question, I don't know if Windows was updating or not, since I set it to automatic and in the background.

Best regards,
Ronan

Quick update: after sending the logfile to you, the alert pop-up is still present.

Thanks & regards,
Ronan

That IP resolves to Harbin

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT!!! Save ComboFix.exe to your Desktop.

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.
  3. If, after the reboot, you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

I followed the instructions and had an unfortunate chain of events:

  • ComboFix ran (in Chinese), and on 3 registry keys which looked like system ones, it did not have permission to make changes.
  • ComboFix restarted my system, and I was prompted that the report had been created (I think I attached the right file, hopefully).
  • The last warning message was showing a problem related to ERUN (sorry, no details).
  • From this point onward, I could open no file at all. Music, video, Chrome: nothing. So I was left with no choice: system restore.
  • The restore could not go 100%, and right now I can open files and access the internet (thank God), but I was prompted several times that commands sent to the file/software were facing problems.
  • When I restored, the Avast pop-up warning was still there.

You had me scared for a minute, guys.
EDIT: Okay, so now that I can open the browser, I have seen the "marked for deletion" line in red (stupid me). I will undo the system restore and restart it to see if the item marked for deletion can open. Will let you know of progress. The log should be the same anyway.

Best regards,
Hed.

So, I could not undo the restore. Hence I simply reran ComboFix. Attached, please find the log.

Some additional info on the ComboFix process:

The following error message appeared :
" Exception EAccessViolation in module ERUNT.3XE at 00003A38.
Access violation at address 00403A38 in module ‘ERUNT.3XE’. Read of address 0076005D"

It appeared at 3 stages:

  1. When the CBFix blue screen was at the 3rd step (very beginning).
  2. When the CBFix blue screen was completed (right before the restart).
  3. When the CBFix blue screen notified that the report was created.

This time, the CBFix log opened itself. (It did not on the first run.)
This time, I could interact normally with software and files. (No "marked for deletion" warnings.)
AVAST did not restart automatically; I had to manually look for it and restart it.
I am using a VPN to access foreign websites (FB, YouTube, Google), but this operation somehow messed with my connection settings and now the VPN is not working anymore, so I uninstalled it.

And... the pop-up alert from AVAST is still popping.

Hed.

New pop-up warning from Avast: AvastEmUpdate.exe

Was this the problem after ComboFix ran:

  1. If, after the reboot, you get errors about programmes being marked for deletion, then reboot; that will cure it.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

Did as instructed; attached is the log file.

Thanks,
Hed.

Are the alerts still appearing?

This morning I restarted the computer, and in 40 minutes I have not seen the svchost.exe pop-up alert yet. So far, it is gone.
However, the 2nd type, the AvastEmUpdate pop-up error, was displayed once.

I will edit this message if svchost.exe comes back.
EDIT: the svchost.exe pop-up has come back.

Hed.

This programme will generate a zip file for me to analyse; could you upload it to a file-sharing site for me to collect (e.g. Mediafire)?

Download AVZ tool from here to your desktop
Unzip all files to a folder on your desktop
Open the folder and double click the AVZ icon
https://dl.dropboxusercontent.com/u/73555776/avz.JPG

When the tool opens, select "File" > "Standard scripts"

https://dl.dropboxusercontent.com/u/73555776/avz1.jpg

Place a tick in:

5. Update signature database

Then press "Execute selected scripts"

https://dl.dropboxusercontent.com/u/73555776/avz2.JPG

Once that has executed, then
select "File" > "Standard scripts"
Place a tick in:

3. Advanced System Analysis with malware removal mode enabled

There will be several warnings; OK them all, and the system will reboot on completion of the analysis.

After the reboot, look in the folder AVZ4 on your desktop.
Open the LOG folder.
Upload KL_syscure.zip to a file-sharing site for collection.

https://dl.dropboxusercontent.com/u/73555776/vz3.JPG

I followed your instructions, but it did not go as planned:

  1. "there will be several warnings": I got none.
  2. "the system will reboot upon completion of the analysis": it did not.
  3. No file was created in the LOG folder. Hence I pressed the "save log" icon and it created a .txt file (which I attach to this post).

Thanks,
Hed.

Was there no zip file in the AVZ folder?

You can check this file, but I am not sure.


http://www.filedropper.com/virusinfosyscure

Could you temporarily disable the Astrill VPN, please?

FIX

Open AVZ as before.
Click "File" > "Custom scripts"

https://dl.dropboxusercontent.com/u/73555776/avzfix1.png

A dialogue will open.
Copy and paste the following script into the marked space, then press Run.

https://dl.dropboxusercontent.com/u/73555776/avzfix2.JPG

Script for insertion:

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
DeleteFile('C:\Users\Ronan\AppData\Roaming\duowan\YYExplorer\YYExplorerUpliveTrigger.exe','32');
DeleteFile('C:\Windows\Tasks\YYEUpdate{C194A6FD-0158-4D03-9A8D-AED52E0588CB}.job','64');
DeleteFile('C:\Windows\system32\Tasks\YYEUpdate{C194A6FD-0158-4D03-9A8D-AED52E0588CB}','64');
DeleteFile('C:\Users\Ronan\Downloads\YYSetup-6.32.0.3-zh-CN.exe','32');
DeleteFile('C:\Windows\system32\Tasks\{202A373B-6B5D-4314-8BDA-D6D28EA4C4B5}','64');
ClearHostsFile;
ExecuteSysClean;
RebootWindows(true);
end.

Ensure that you copy from "begin" to "end."

Done, it rebooted properly. No log file was created.

Hed.

Are you still receiving the alerts?