Constant Url:Mal Avast alert (process C:\Windows\System32\svchost.exe) when browsing

Recently I keep getting Avast alerts about Url:Mal when browsing regular sites. I’ve noticed it’s when I’m browsing Imgur and a GIF is loading.

That’s normally when the alert happens.

Also I’m not sure if it’s related, but my webcam has also stopped working.

I’ve looked at some similar posts and they all say to run FRST64 and ZOEK.

Here is the ZOEK report, and the FRST64 file is attached 🙂

Zoek.exe v5.0.0.1 Updated 31-December-2015
Tool run by Thi on 11/05/2016 at 0:58:53.96.
Microsoft Windows 10 Home Single Language 10.0.10586 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Thi\Downloads\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

11/05/2016 00:59:59 Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\PROGRA~2\Lenovo deleted successfully
C:\Program Files\McAfee deleted successfully
C:\PROGRA~3\Comms deleted successfully
C:\Users\Thi\AppData\Local\ActiveSync deleted successfully
C:\Users\Thi\AppData\Local\Lenovo deleted successfully
C:\Users\Thi\AppData\Local\NetworkTiles deleted successfully
C:\Users\Thi\AppData\Local\PACE Anti-Piracy deleted successfully
C:\Users\Thi\AppData\Local\Skype deleted successfully
C:\Users\Thi\AppData\Local\ZDUbywVu deleted successfully
C:\WINDOWS\serviceprofiles\Localservice\AppData\Local\NetworkTiles deleted successfully

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-2493981056-2368578621-3932591581-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{798F58DB-64D6-4E71-AC8A-B77AFD35CD54} deleted successfully

==== Deleting CLSID Registry Values ======================

==== Deleting Services ======================

==== Batch Command(s) Run By Tool======================

==== Deleting Files \ Folders ======================

C:\PROGRA~2\Lenovo not found
C:\Users\Thi\AppData\Local\Lenovo not found
C:\PROGRA~3\Package Cache deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk deleted

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"wrc@avast.com"="C:\Program Files\AVAST Software\Avast\WebRep\FF" [06/05/2016 01:43]
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"sp@avast.com"="C:\Program Files\AVAST Software\Avast\SafePrice\FF" [06/05/2016 01:43]

==== Chromium Look ======================

Google Chrome Version: 46.0.2490.86

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
eedgghdcpmmmilkmfpnklknlenbiolec - No path found
eofcbnmajmjmplflapaojjnihcjkigck - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx[06/05/2016 01:43]
gomekmidlodglbbmalcneegieacbdmki - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx[06/05/2016 01:43]
lifbcibllhkdhoafpjfnlhfpfgnpldfl - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx[29/04/2016 15:53]

Sad Panda - Thi\AppData\Local\Google\Chrome\User Data\Default\Extensions\bohapeiooecafommnlaiccilacgmkaoc
Avast Online Security - Thi\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki

==== Chromium Fix ======================

C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_toolbar.yahoo.com_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_toolbar.yahoo.com_0.localstorage-journal deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.azlyrics.com_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.azlyrics.com_0.localstorage-journal deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_lqmwbyzusd-a.akamaihd.net_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_lqmwbyzusd-a.akamaihd.net_0.localstorage-journal deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_apartmentfinder.vn_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_apartmentfinder.vn_0.localstorage-journal deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_gameslikefinder.com_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_gameslikefinder.com_0.localstorage-journal deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_en.savefrom.net_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_en.savefrom.net_0.localstorage-journal deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_savelocations.wikia.com_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_savelocations.wikia.com_0.localstorage-journal deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.xpgamesaves.com_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.xpgamesaves.com_0.localstorage-journal deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_static.moddb.com_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_static.moddb.com_0.localstorage-journal deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_static.subiz.com_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_static.subiz.com_0.localstorage-journal deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.foodity.com_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.foodity.com_0.localstorage-journal deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.olark.com_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.olark.com_0.localstorage-journal deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_ads1.msads.net_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_ads1.msads.net_0.localstorage-journal deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_d2m2wsoho8qq12.cloudfront.net_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_d2m2wsoho8qq12.cloudfront.net_0.localstorage-journal deleted successfully

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="https://vn.yahoo.com/?fr=yset_ie_syc_oracle&type=orcl_hpset"

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com"

==== All HKLM and HKCU SearchScopes ======================

HKLM\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKLM\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=ASU2JS
HKLM\Wow6432Node\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKLM\Wow6432Node\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=ASU2JS
HKCU\SearchScopes "DefaultScope"="{012E1000-F331-11DB-8314-0800200C9A66}"
HKCU\SearchScopes\{012E1000-F331-11DB-8314-0800200C9A66} - http://www.google.com/search?q={searchTerms}
HKCU\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02

==== Deleting CLSID Registry Keys ======================

==== Deleting CLSID Registry Values ======================

HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\{4ED1F68A-5463-4931-9384-8FFF5ED91D92} deleted successfully
HKEY_LOCAL_MACHINE\software\Wow6432Node\mozilla\Firefox\extensions\{4ED1F68A-5463-4931-9384-8FFF5ED91D92} deleted successfully

==== Empty IE Cache ======================

C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Thi\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Thi\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Thi\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\Thi\AppData\Local\Microsoft\Windows\INetCache\Low\IE emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully

==== Empty FireFox Cache ======================

No FireFox Profiles found

==== Empty Chrome Cache ======================

C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully

==== Empty All Flash Cache ======================

No Flash Cache Found

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== C:\zoek_backup content ======================

C:\zoek_backup (files=65 folders=43 43231682 bytes)

==== Empty Temp Folders ======================

C:\WINDOWS\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\WINDOWS\Temp successfully emptied
C:\Users\Thi\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== EOF on 11/05/2016 at 1:19:16.83 ======================

If you have a screenshot of the Avast popup warning, post that also.

expert should be online soon …

Could you let me know if this stops it

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKLM-x32\...\Run: [mcui_exe] => "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
AppInit_DLLs: C:\PROGRA~2\NVIDIA~1\3DVISI~1\NVSTIN~1.DLL => No File
ShellIconOverlayIdentifiers: [###MegaShellExtPending] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\Users\Thi\AppData\Local\MEGAsync\ShellExtX64.dll No File
ShellIconOverlayIdentifiers: [###MegaShellExtSynced] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\Users\Thi\AppData\Local\MEGAsync\ShellExtX64.dll No File
ShellIconOverlayIdentifiers: [###MegaShellExtSyncing] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\Users\Thi\AppData\Local\MEGAsync\ShellExtX64.dll No File
ShellIconOverlayIdentifiers-x32: [###MegaShellExtPending] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\Users\Thi\AppData\Local\MEGAsync\ShellExtX32.dll No File
ShellIconOverlayIdentifiers-x32: [###MegaShellExtSynced] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\Users\Thi\AppData\Local\MEGAsync\ShellExtX32.dll No File
ShellIconOverlayIdentifiers-x32: [###MegaShellExtSyncing] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\Users\Thi\AppData\Local\MEGAsync\ShellExtX32.dll No File
FF HKLM\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor => not found
FF HKLM-x32\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor => not found
C:\Users\Thi\AppData\Local\ZDUbywVu
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

  1. Close all open programs and internet browsers.
  2. Double click on AdwCleaner.exe to run the tool.
  3. Click on Scan.
  4. After the scan is complete click on “Clean”.
  5. Confirm each time with Ok.
  6. Your computer will be rebooted automatically. A text file will open after the restart.
  7. Please post the content of that logfile with your next answer.
  8. You can find the logfile at C:\AdwCleaner[S0].txt as well.
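The FRST fixlist, Zoek and AdwCleaner steps above all edit the same handful of hijack points (IE start page and SearchScopes, AppInit_DLLs, Chrome's default search provider, registry-registered Chrome extensions). This is an added read-only PowerShell audit of those locations, not essexboy's instructions or any tool's code; it assumes the `$Expected` host allow-list and the `default_search_provider_data.template_url_data` layout of Chrome's Secure Preferences named in its comments.

```powershell
# Added example, not from this thread: a read-only audit of the hijack points that the
# Zoek, FRST and AdwCleaner output above touched. It reports and changes nothing.
# Assumptions: $Expected is your own allow-list of search hosts, and Chrome keeps the
# default provider under default_search_provider_data.template_url_data in Secure Preferences.
$Expected = @('www.google.com', 'www.bing.com')
function Get-UrlHost([string]$Url) {
    try { return ([uri]$Url).Host } catch { return $Url }   # unparsable values are reported verbatim
}

function Get-SearchScopes {
    # IE SearchScopes per hive, as Zoek listed them (the adware had added a Yahoo scope)
    $roots = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes',
             'HKLM:\Software\Microsoft\Internet Explorer\SearchScopes',
             'HKLM:\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        $default = (Get-ItemProperty -Path $root -ErrorAction SilentlyContinue).DefaultScope
        foreach ($scope in Get-ChildItem -Path $root) {
            [pscustomobject]@{ Item = "$root\$($scope.PSChildName)"
                               Url = (Get-ItemProperty -Path $scope.PSPath).URL
                               IsDefault = ($scope.PSChildName -eq $default) }
        }
    }
}

function Get-ChromeDefaultSearch {
    $file = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Secure Preferences'
    if (-not (Test-Path $file)) { return $null }
    return (Get-Content -Raw -Path $file | ConvertFrom-Json).default_search_provider_data.template_url_data.url
}
$findings = @()
$start = (Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue).'Start Page'
if ($start -and $Expected -notcontains (Get-UrlHost $start)) { $findings += "IE Start Page: $start" }
foreach ($s in Get-SearchScopes) {
    if ($s.Url -and $Expected -notcontains (Get-UrlHost $s.Url)) { $findings += "SearchScope $($s.Item) (default=$($s.IsDefault)): $($s.Url)" }
}
$chrome = Get-ChromeDefaultSearch
if ($chrome -and $Expected -notcontains (Get-UrlHost $chrome)) { $findings += "Chrome default search: $chrome" }
# AppInit_DLLs: FRST showed a dangling entry; anything listed here loads into every process that uses user32.dll
foreach ($k in 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows',
               'HKLM:\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows') {
    $dlls = (Get-ItemProperty $k -ErrorAction SilentlyContinue).AppInit_DLLs
    if ($dlls) { $findings += "AppInit_DLLs in ${k}: $dlls" }
}
# Chrome extensions registered through the registry; Zoek showed one with no path at all
foreach ($root in 'HKLM:\Software\Google\Chrome\Extensions', 'HKLM:\Software\Wow6432Node\Google\Chrome\Extensions') {
    foreach ($e in Get-ChildItem $root -ErrorAction SilentlyContinue) { $findings += "Registry extension $($e.PSChildName): $((Get-ItemProperty $e.PSPath).path)" }
}
if ($findings) { $findings | ForEach-Object { "REVIEW: $_" } } else { 'No unexpected entries found.' }
```

Running it before and after a fix shows whether the fix actually removed the entries, rather than relying on the tool's own "deleted successfully" lines.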

AdwCleaner v5.116 - Logfile created 11/05/2016 at 08:46:50

Updated 09/05/2016 by Xplode

Database : 2016-05-09.1 [Server]

Operating system : Windows 10 Home Single Language (X64)

Username : Thi - THI-PC

Running from : C:\Users\Thi\Desktop\AdwCleaner.exe

Option : Clean

Support : http://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

[-] Folder Deleted : C:\Users\Thi\AppData\Local\YSearchUtil

***** [ Files ] *****

***** [ DLLs ] *****

***** [ WMI ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\hdcode
[-] Key Deleted : HKLM\SOFTWARE\SupDp
[-] Key Deleted : HKLM\SOFTWARE\V9
[-] Key Deleted : HKLM\SOFTWARE\winzipersvc
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\delta-homes.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.delta-homes.com

***** [ Web browsers ] *****

[-] [C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Default_Search_Provider] Deleted : hxxp://search.delta-homes.com/webfavicon.ico


:: "Tracing" keys deleted
:: Winsock settings cleared


C:\AdwCleaner\AdwCleaner[C1].txt - [1307 bytes] - [11/05/2016 08:46:50]
C:\AdwCleaner\AdwCleaner[S1].txt - [1322 bytes] - [11/05/2016 08:43:10]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1453 bytes] ##########

Thanks essexboy! Though I’ve just tried Chrome again and the alert still pops up 🙁

Here’s a screenshot.

Do you have Facebook Video Downloader extension installed?

I don’t know, I don’t think so.

Should I uninstall this or make sure I have it installed?

Thank you!

If you have it, uninstall and see if the popup goes away

essexboy will be back online later today

I looked in ‘Programs and Features’ and ‘Extensions’ and did a search, but no ‘Facebook Video Downloader extension’, so I don’t think I have it.

Nope, the much vaunted security of Chrome has failed again… First run Chrome in Incognito mode https://support.google.com/chrome/answer/95464?hl=en-GB
Does that stop the alerts?

If not then :

Re-install Chrome

  1. If you have bookmarks, let’s save them by exporting them - Export Bookmarks
  2. Go into the dashboard. Log in. https://www.google.com/settings/dashboard?hl=en
  3. Scroll down to “Chrome Sync” and click the Stop sync and delete data from Google link
  4. Click Stop sync and delete data from Google button
  5. Now we need to uninstall chrome.
    Note: When asked about user data or settings you must remove this also so please check the box.
  6. Restart the computer and reinstall Chrome. You can download the latest version from here - Google Chrome
  7. Import your bookmarks back into Chrome
  8. Sign back in to your Chrome browser so that your bookmarks sync with your online account.

OK, I’ve done the uninstall and restarted, though when I reinstalled Chrome the bookmarks were still up; there wasn’t an option to remove user data or settings, just browser history.

Did I do it wrong? :S

… and the alert still happens! -.-

Shall I just flag it as a false positive?

Was there anything malicious on my laptop?

Really appreciate the help guys, thank you for taking some time to help me

Do you still get the alerts when you run in incognito mode?

Yep unfortunately, still happens in incognito mode

When you uninstalled Chrome, did you do this:

When asked about user data or settings you must remove this also so please check the box.

There wasn’t a prompt or option, I used the “programs and features” to uninstall and it only prompted to remove browser history.

I tried a manual deletion of anything chrome related using the search function and that has seemed to work because when I reinstalled all the bookmarks and previous data seemed to have gone.

But on visiting ‘www.imgur.com’ the ‘url:mal’ still happens.

Does this occur on any other site?

No, not so far, only the imgur site

Do you have an Imgur add-on of any description?

Nope, only the standard Google ones, Skype and the Avast Online Security.