Constant malware alerts when connecting to internet from scvhost.exe

Hi

I keep getting alerts from Avast saying that some malware URLs have been blocked, and it happens every time I connect to Wi-Fi of any kind. It gives about 10, 12, 14, 16 or 18 alerts at a time for the URLs:

http://reddie.net/3333/TerminusMaker_142259676513619.dll

http://blackfight.info/3333/TampEditor_142260151188149.dll

http://epictory.com/3333/TampEditor_142260151188149.dll

It seems that each of these files pops up multiple times, in varying proportions to one another, until it reaches the 10/12/14/16/18 alerts from Avast. But it's always an even number of alerts - I don't know what that might mean.

All from the same process:
Process C:\Windows\System32\scvhost.exe

I scanned the System32 folder and no issues were detected, so I don't know what the cause of this is.
I haven't recently installed anything out of the ordinary, and I checked the sensitive folders and Program Files for anything I don't know of; nothing out of the ordinary was present either.

I saw fixes for problems very similar to mine, but I will heed the warning not to try them, since they might be very system-specific. Please respond ASAP. I'm not certain what I need to attach or how to get whatever logs might be required, so if that's necessary I'll need some guidance where that is concerned.

I haven't noticed many connectivity or net speed issues, and my computer performs just as well as it did before, so I suppose this is more of a worrying nuisance than anything else, but I hope someone can please help me fix it, and soon.

Attach your basic diagnostic logs. (MBAM, FRST and aswMBR)
Instructions: https://forum.avast.com/index.php?topic=53253.0

Hello. Thanks for the prompt reply. Immediately after FRST64 finished with the logs, my computer blue-screened and restarted. I also forgot to mention that Chrome has an extension called SSalePiLUS that keeps popping back up even after I delete it, and every time I start Chrome, Avast blocks it. Chrome recommends that I disable it, as it appears to be a developer extension; I do, and I delete the extension. This happens when I open Chrome after starting my computer. Uninstalling and reinstalling Chrome did not prevent the extension from reappearing.

I attached the logs I got from FRST64 and a screenshot of the Chrome-related malware issue. The blue screen happened while the MBAM and aswMBR scans were running, however, so I didn't get the logs from those. I will attempt to get the other logs, but I probably won't be able to post them before tomorrow. If there's any precaution I must take, please let me know.

Just a note: the processes running just before the blue screen were
Skype, MBAM, FRST64, aswMBR, MS PowerPoint 2013, MS Word 2013 and iTunes.

The MBAM scan was in its last stage when it blue-screened; FRST64 had opened the .txt files I attached before it went, and the computer was running at normal speed and functionality the moment it went - it was very sudden.

The most important logs (FRST) are up; now you have to wait a bit…

Let me know if this stops it

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

Avast didn't show any alerts when I restarted and reconnected to the net, but Chrome still has the SSalePiLUS extension and it still triggers the alert on Avast - the URL is different, though.

Chrome is now becoming so easy to corrupt I wonder why people still use it. Let me know if this kills the alert

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
CHR StartupUrls: Default -> "hxxp://websearch.coolsearches.info/?pid=22091&r=2015/03/22&hid=4988052836863109614&lg=EN&cc=JM&unqvl=85"
CHR HKU\S-1-5-21-377930122-2271119068-893584048-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bcfjehbfanfhgoehogmbiebedkidedjb] - C:\Users\User\AppData\Local\CRE\bcfjehbfanfhgoehogmbiebedkidedjb.crx [2015-03-26]
CHR HKU\S-1-5-21-377930122-2271119068-893584048-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bcfjehbfanfhgoehogmbiebedkidedjb] - C:\Users\User\AppData\Local\CRE\bcfjehbfanfhgoehogmbiebedkidedjb.crx [2015-03-26]
CHR HKLM-x32\...\Chrome\Extension: [bcfjehbfanfhgoehogmbiebedkidedjb] - C:\Users\User\AppData\Local\CRE\bcfjehbfanfhgoehogmbiebedkidedjb.crx [2015-03-26]
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.

1. Close all open programs and internet browsers.
2. Double-click on AdwCleaner.exe to run the tool.
3. Click on Scan.
4. After the scan is complete, click on "Clean".
5. Confirm each time with OK.
6. Your computer will be rebooted automatically. A text file will open after the restart.
7. Please post the content of that logfile with your next answer.
8. You can find the logfile at C:\AdwCleaner[S0].txt as well.
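The fix above removes two persistence points the FRST log exposed: a Chrome extension force-installed through the registry Extensions keys (the .crx lives in a user profile folder, not under Program Files) and a process calling itself a Windows service host but not running as the genuine one. The script below is an added triage check, not part of this thread or of FRST, written to verify both on a machine before and after such a fix. The registry locations are Chrome's documented external-extension keys and the BITS check follows from the `bitsadmin /reset` in the fixlist; the loose name match for svchost look-alikes and the Program Files whitelist are this example's own heuristics, not anything the thread states. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original thread): triage for the two
# symptoms discussed above.
#  (1) a process presenting itself as svchost.exe whose image is not the
#      real %SystemRoot%\System32\svchost.exe (typo-squatted names such as
#      "scvhost.exe", or a binary running from a user-writable folder);
#  (2) Chrome extensions force-installed via the registry "Extensions" keys
#      (HKLM, HKLM\WOW6432Node, HKCU) that point at a .crx outside
#      Program Files, as the bcfjehbf... entry in the fixlist did;
#  (3) BITS jobs left behind, since the fix resets BITS for all users.

$realSvchost = Join-Path $env:SystemRoot 'System32\svchost.exe'

function Find-SuspiciousSvchost {
    # Loose pattern (assumption, not from the thread): catches transposed
    # or padded spellings like scvhost.exe, svch0st.exe is NOT matched.
    Get-CimInstance Win32_Process |
        Where-Object { $_.Name -match '^s.?v.?c.?host\.exe$' } |
        ForEach-Object {
            $path = $_.ExecutablePath   # $null for protected processes if not elevated
            $sig  = if ($path) { (Get-AuthenticodeSignature $path).Status } else { 'NoPath' }
            [pscustomobject]@{
                PID        = $_.ProcessId
                Name       = $_.Name
                Path       = $path
                Signature  = $sig
                Suspicious = ($_.Name -ne 'svchost.exe') -or
                             ($path -and $path -ne $realSvchost) -or
                             ($sig -ne 'Valid')
            }
        } | Where-Object Suspicious
}

function Find-RegistryChromeExtensions {
    # Chrome reads external extensions from these keys; each subkey is the
    # 32-character extension id with either a "path"+"version" pair
    # (local .crx) or an "update_url" (hosted manifest).
    $keys = @(
        'HKLM:\SOFTWARE\Google\Chrome\Extensions',
        'HKLM:\SOFTWARE\WOW6432Node\Google\Chrome\Extensions',
        'HKCU:\SOFTWARE\Google\Chrome\Extensions'
    )
    $trusted = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        Get-ChildItem $k | ForEach-Object {
            $p   = Get-ItemProperty $_.PSPath
            $crx = $p.path
            $upd = $p.update_url
            $crxOutsidePF = $crx -and -not ($trusted | Where-Object { $crx -like "$_*" })
            [pscustomobject]@{
                Key         = $_.Name
                ExtensionId = $_.PSChildName
                Crx         = $crx
                UpdateUrl   = $upd
                # Heuristic (assumption): a .crx in a profile folder, or an
                # update_url not served by Google's store, deserves a look.
                Suspicious  = $crxOutsidePF -or
                              ($upd -and $upd -notmatch '^https://clients2\.google\.com/')
            }
        }
    }
}

function Get-AllBitsJobs {
    # -AllUsers needs elevation; shows remote URLs a job was fetching.
    Get-BitsTransfer -AllUsers | Select-Object DisplayName, JobState, OwnerAccount,
        @{ n = 'RemoteNames'; e = { ($_.FileList | ForEach-Object RemoteName) -join '; ' } }
}

'== svchost look-alikes / unsigned / wrong path =='
Find-SuspiciousSvchost | Format-Table -AutoSize
'== registry-installed Chrome extensions =='
Find-RegistryChromeExtensions | Where-Object Suspicious | Format-Table -AutoSize
'== BITS jobs (all users) =='
Get-AllBitsJobs | Format-Table -AutoSize
```

A clean machine prints an empty first table, an empty second table (or only entries whose .crx sits under Program Files with a Google update_url), and no BITS jobs it cannot account for. Running it again after the FRST fix and AdwCleaner confirms the registry keys and the rogue process are actually gone rather than merely silenced.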

I followed the instructions. Here are the logs.

Are you still getting the alerts ?

No, everything has stopped now. Seems to have worked like a charm. :slight_smile:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… the following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix
Select the options as shown

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Keep Java Updated

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run an important piece of software.
In that case I would recommend that you disable Java in your browsers until you need it for that software, and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser.)

If you do need to keep Java, then download JavaRa.
Run the programme and select Remove Java Runtime. Uninstall all versions of Java present.
Once done, run it again and select Update Java Runtime > Download and install Latest version.

https://dl.dropboxusercontent.com/u/73555776/javara.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto-ransomware.

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run it weekly to keep your system clean.

Unchecky

Click on the link above to be taken to Unchecky.com.
Click the very large Download button.
Click Save.
Click Open folder.
Right-click on Unchecky_setup and choose Run as Administrator.
Once open, click the Install button.
Then click on Finish.
Unchecky is now installed and will help you keep unwanted check boxes unchecked; this is a fire-and-forget programme :wink:

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe :wave:

Thank you guys, and keep up the good work :slight_smile:

:slight_smile: