Avast Web Shield blocked harmful webpage with process svchost.exe

Hi Virus Admins,

I have Avast AV installed and recently it’s started warning that c:\windows\system32\svchost.exe is trying to access harmful webpages (see attached AvastWarning.png). I’ve run the diags recommended in:
https://forum.avast.com/index.php?topic=53253.0
And attached them (I hit the 4 attachment limit so I’ll have to attach ‘Addition.txt’ to a second post in a mo).

I’d be grateful for your help fixing this.

Thank you,

Nicholas

Final diagnostics file attached.

Let me know if this stops it

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKU\S-1-5-19\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
HKU\S-1-5-20\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
HKU\S-1-5-18\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://vosteran.com/results.php?f=4&q={searchTerms}&a=vst_ggfc_15_01_ch&cd=2XzuyEtN2Y1L1QzuyByE0EyDyEtAtCyB0E0C0B0E0Fzy0DzztN0D0Tzu0StCtDzyzztN1L2XzutAtFyBtFtCtFtAtN1L1CzutCyEtBzytDyD1V1OtN1L1G1B1V1N2Y1L1Qzu2StAtAzy0B0CtCyEyEtG0F0F0A0BtG0B0C0EyDtGtAyEtC0AtGtAzzyB0DtB0Czz0A0B0ByBzy2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAtC0DtAtByB0ByCtG0AtCtB0EtGyEtD0A0FtG0AtCyBtDtGyB0E0EyD0C0C0AyDyDtC0FtA2Q&cr=1427459307&ir=
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://vosteran.com/results.php?f=4&q={searchTerms}&a=vst_ggfc_15_01_ch&cd=2XzuyEtN2Y1L1QzuyByE0EyDyEtAtCyB0E0C0B0E0Fzy0DzztN0D0Tzu0StCtDzyzztN1L2XzutAtFyBtFtCtFtAtN1L1CzutCyEtBzytDyD1V1OtN1L1G1B1V1N2Y1L1Qzu2StAtAzy0B0CtCyEyEtG0F0F0A0BtG0B0C0EyDtGtAyEtC0AtGtAzzyB0DtB0Czz0A0B0ByBzy2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAtC0DtAtByB0ByCtG0AtCtB0EtGyEtD0A0FtG0AtCyBtDtGyB0E0EyD0C0C0AyDyDtC0FtA2Q&cr=1427459307&ir=
SearchScopes: HKU\S-1-5-21-3990666223-2133983533-3081085991-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://vosteran.com/results.php?f=4&q={searchTerms}&a=vst_ggfc_15_01_ch&cd=2XzuyEtN2Y1L1QzuyByE0EyDyEtAtCyB0E0C0B0E0Fzy0DzztN0D0Tzu0StCtDzyzztN1L2XzutAtFyBtFtCtFtAtN1L1CzutCyEtBzytDyD1V1OtN1L1G1B1V1N2Y1L1Qzu2StAtAzy0B0CtCyEyEtG0F0F0A0BtG0B0C0EyDtGtAyEtC0AtGtAzzyB0DtB0Czz0A0B0ByBzy2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAtC0DtAtByB0ByCtG0AtCtB0EtGyEtD0A0FtG0AtCyBtDtGyB0E0EyD0C0C0AyDyDtC0FtA2Q&cr=1427459307&ir=
SearchScopes: HKU\S-1-5-21-3990666223-2133983533-3081085991-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://vosteran.com/results.php?f=4&q={searchTerms}&a=vst_ggfc_15_01_ch&cd=2XzuyEtN2Y1L1QzuyByE0EyDyEtAtCyB0E0C0B0E0Fzy0DzztN0D0Tzu0StCtDzyzztN1L2XzutAtFyBtFtCtFtAtN1L1CzutCyEtBzytDyD1V1OtN1L1G1B1V1N2Y1L1Qzu2StAtAzy0B0CtCyEyEtG0F0F0A0BtG0B0C0EyDtGtAyEtC0AtGtAzzyB0DtB0Czz0A0B0ByBzy2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAtC0DtAtByB0ByCtG0AtCtB0EtGyEtD0A0FtG0AtCyBtDtGyB0E0EyD0C0C0AyDyDtC0FtA2Q&cr=1427459307&ir=
FF SelectedSearchEngine: Vosteran
FF Homepage: hxxp://vosteran.com/?f=1&a=vst_ggfc_15_01_ch&cd=2XzuyEtN2Y1L1QzuyByE0EyDyEtAtCyB0E0C0B0E0Fzy0DzztN0D0Tzu0StCtDzyzztN1L2XzutAtFyBtFtCtFtAtN1L1CzutCyEtBzytDyD1V1OtN1L1G1B1V1N2Y1L1Qzu2StAtAzy0B0CtCyEyEtG0F0F0A0BtG0B0C0EyDtGtAyEtC0AtGtAzzyB0DtB0Czz0A0B0ByBzy2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAtC0DtAtByB0ByCtG0AtCtB0EtGyEtD0A0FtG0AtCyBtDtGyB0E0EyD0C0C0AyDyDtC0FtA2Q&cr=1427459307&ir=
CHR StartupUrls: Default -> "hxxp://vosteran.com/?f=7&a=vst_ggfc_15_01_ch&cd=2XzuyEtN2Y1L1QzuyByE0EyDyEtAtCyB0E0C0B0E0Fzy0DzztN0D0Tzu0StCtDzyzztN1L2XzutAtFyBtFtCtFtAtN1L1CzutCyEtBzytDyD1V1OtN1L1G1B1V1N2Y1L1Qzu2StAtAzy0B0CtCyEyEtG0F0F0A0BtG0B0C0EyDtGtAyEtC0AtGtAzzyB0DtB0Czz0A0B0ByBzy2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAtC0DtAtByB0ByCtG0AtCtB0EtGyEtD0A0FtG0AtCyBtDtGyB0E0EyD0C0C0AyDyDtC0FtA2Q&cr=1427459307&ir="
2015-02-15 18:46 - 2015-01-03 20:45 - 00000000 ____D () C:\Users\NPB\AppData\Roaming\DigitalSites
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.

Fantastic, thanks Essexboy, I’ve run the FRST tool. I’ll complete with the adware later today and then post diags here.