Hey there,

I’ve recently been having issues with Avast constantly detecting svchost.exe as URL:MAL. Some places I’ve checked said this is a false positive, but I just want to be sure, so I came here.

I’ve already used Avast scan itself and Malwarebytes Anti-Malware Premium to try to fix this issue, but the message still seems to be coming up every now and then consistently. I had a few infections quarantined by MBAM; here’s the log. However, do note that Avast still seems to be detecting the svchost.exe as malware:

Thanks in advance for any help.

Attach your basic logs. (MBAM, FRST and aswMBR…!!)
Instructions: https://forum.avast.com/index.php?topic=53253.0

Hello Asyn,

I’ve attached all the logs in the OP. I’ve attached two MBAM, one for the scan before creating this thread (“MBAM”) and one after (“MBAM2”), just for any additional information that might be useful.

Update MBAM, then run the scan again, then attach it to your post. It appears that you did a custom scan.

After you post your new MBAM scan, one of the malware removal specialists will take a look at your logs sometime in the day or evening, depending on where they live in the world. Please be patient. In the meantime, don’t sync your phone with your PC if you do and take it off the iCloud for now until we know things are OK. Do you have any questions?

MBAM added, all attachments are in this post.

@SafeSurf - Gotcha, thanks for your help!

You’re welcome. So now we wait for a malware specialist to assist. Thank you for your logs. :slight_smile:

Alright, thank you for your assistance also. ;D

Hi,

First you need to uninstall from Control Panel / Programs and Features the following bad PUP/AdWare:

FindBesteDeeal
UpdateChecker

Next …

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Start
File: C:\Users\Zahbia\Downloads\7693vA3\7693vA3\AFUDE238.exe
CMD: bitsadmin /reset /allusers
Hosts:
HKLM-x32\...\Run: [mobilegeni daemon] => C:\Program Files (x86)\Mobogenie\DaemonProcess.exe
HKU\S-1-5-21-1477093328-2730021769-2087165081-1000\...\MountPoints2: {6be6ebb2-74cd-11e3-869d-806e6f6e6963} - D:\Autorun.exe
HKU\S-1-5-21-1477093328-2730021769-2087165081-1000\...\MountPoints2: {e8235206-7961-11e3-b957-00e04c0781fb} - E:\setup.exe
AppInit_DLLs-x32: c:\progra~2\sw-boo~1\assist~1.dll => "c:\progra~2\sw-boo~1\assist~1.dll" File Not Found
AppInit_DLLs-x32: c:\progra~2\gssupp~1\assist~1.dll => "c:\progra~2\gssupp~1\assist~1.dll" File Not Found
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
BHO: No Name -> {2357991F-F213-A49A-7EA1-DD7330E1F477} -> No File
BHO: TrustedShopper -> {BBE09607-D9BF-4B2E-88C2-C8D5DF7A7D37} -> C:\Program Files (x86)\SqueakyChocolate\TrustedShopper\adxloader64.dll ()
BHO: No Name -> {D72BEA76-EF2F-1956-4B38-0B007BB0BE50} -> No File
BHO-x32: No Name -> {2357991F-F213-A49A-7EA1-DD7330E1F477} -> No File
BHO-x32: TrustedShopper -> {BBE09607-D9BF-4B2E-88C2-C8D5DF7A7D37} -> C:\Program Files (x86)\SqueakyChocolate\TrustedShopper\adxloader.dll ()
BHO-x32: No Name -> {D72BEA76-EF2F-1956-4B38-0B007BB0BE50} -> No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
Task: {2577D185-5AC9-4617-8934-AE7E14DCE248} - System32\Tasks\SomotoUpdateCheckerAutoStart => C:\Users\Zahbia\AppData\Local\FilesFrog Update Checker\update_checker.exe <==== ATTENTION
S2 hshld; C:\Program Files (x86)\Hotspot Shield\bin\cmw_srv.exe [X]
Reboot:
C:\Users\Zahbia\AppData\Local\Temp
2014-07-17 05:40 - 2014-05-22 16:14 - 00000000 ____D () C:\ProgramData\ROboSeaver
2014-07-17 05:40 - 2014-04-21 14:33 - 00000000 ____D () C:\ProgramData\FindBesteDeeal
2014-07-17 05:40 - 2014-04-16 13:12 - 00000000 ____D () C:\ProgramData\saaVeu nett
2014-07-17 05:40 - 2014-04-15 16:39 - 00000000 ____D () C:\ProgramData\savae net
2014-07-17 05:40 - 2014-03-21 17:40 - 00000000 ____D () C:\ProgramData\JoniCouPaon
2014-07-17 05:40 - 2014-03-10 17:50 - 00000000 ____D () C:\ProgramData\DiscountEXtennsI
C:\Users\Zahbia\AppData\Local\FilesFrog Update Checker
C:\Program Files (x86)\Mobogenie
c:\progra~2\sw-boo~1
c:\progra~2\gssupp~1
C:\Program Files (x86)\SqueakyChocolate
C:\Users\Zahbia\jagex_cl_runescape_LIVE.dat
C:\Users\Zahbia\jagex_cl_runescape_LIVE1.dat
C:\Users\Zahbia\random.dat
C:\Program Files (x86)\Hotspot Shield
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about an outdated version, please download and run the updated version.


Then …

Please download zoek by smeenk from here or here and save it to your Desktop.
Unpack the archive…

* Close any open browsers.
* Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.

* Double click on zoek.exe to run the tool.
Please wait until the tool starts…

* Copy the text present inside the code box below and paste it into the large window in the zoek tool:

QuickScan;
Uninstall-List;
AutoClean;

* Click on the Run Script button.
Please wait until a log report opens (this can be after a reboot).

* Save the notepad file to your Desktop and attach zoek-results.log here.
Note: It will also create a log in the C:\ directory named “zoek-results.log”.
Fixlog and zoek results attached.

Good. Now run this zoek script and post me the freshly created zoek log after reboot:

C:\Users\Zahbia\Downloads\7693vA3\7693vA3;vs
CHRDefaults;
AutoClean;

Then tell me, do the avast! warnings still occur?

Zoek results attached. So far so good - No warnings yet.

Cool. Monitor that, will you.

The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:
* Remove disinfection tools
* Create registry backup
* Purge System Restore

Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

You’re awesome. Have also completed the DelFix scan.

Seems all good now. Thanks! :smiley: