help with c:\windows\system32\svchost.exe Virus

hello,

avast! keeps informing me that c:\windows\system32\svchost.exe tries to contact malicious websites. I tried to solve the problem myself (which admittedly means looking for others to tell me how to solve this), and this is how far I’ve come:

I found this thread
https://forum.avast.com/index.php?topic=146342.0

and then followed instructions in this information topic
https://forum.avast.com/index.php?topic=53253.0

which told me to eventually post the results of my various scans here – which I am doing right now.

could someone please help me out from here?

awesome, thanks in advance!

Let me know if this stops it

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

thanks a lot for the suggestion.

here’s what happened: I saved the fixlist, ran frst and pressed fix.

chrome crashed and when I re-opened it (to post the fixlog), instead of restoring the previous session, it re-installed adblock and adblock plus (wtf?).

the computer automatically re-started once I closed frst. upon restarting, I got another warning from avast! that “a threat was discovered and c:\windows\system32\svchost.exe tried to contact a malicious website”.

what now?

OK that sounds weird

Could you rerun the fix again with Chrome closed

After the reboot could you run FRST scan again please

okay! I did that!

more or less the same thing happened, just in another order: I rebooted, reopened my browsers, couldn’t connect to the internet for a while, and upon reopening chrome, it re-installed adblock plus again (is that because all temporary files were deleted and for some reason that includes adblock plus? or does it just make no sense at all?)

anyway, I got eight alerts in a row that “a danger was detected” (same as ever), so I’m guessing - I’m still not there yet.

oh, there’s something new:

now the threat avast! is informing me about isn’t only from c:\windows\system32\svchost.exe

but also
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

and
C:\Program Files\AVAST Software\Avast\avastui.exe

…that’s no good, is it?

Is Chrome set to sync on start? If so could you disable/delete the sync data

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

hm, okay. thank you, I did that (see log attached).

however, when restarting chrome upon running the fix, I did re-install adblock (not adblock plus this time - don’t ask me why) and I got another 12 security warnings from avast…

obviously I have no idea what I’m doing here, but if the problem is chrome, wouldn’t it maybe help if I uninstalled it? or is that too naive to even consider?

thanks again. a lot.

Avast! shouldn’t be alerting on itself… Avastui.exe is the Avast! User Interface…

Could you attach a screenshot of the alert please

sure thing!

here is the alert as a jpg. I’m sorry it’s in german… the alert says:

"avast web-security has blocked a malicious website or file.

object:
infection:
process:

further details
report file as false alarm"

ps: sorry, just realized I didn’t do a screenshot but only the alert. it pops up pretty irregularly, I can do a screenshot the next time…

here’s the screenshot. please disregard my friend dani on skype :)

OK that is a different type of malware to what I expected

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
FF NetworkProxy: "type", 0
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}.xpi [2015-01-28]
EmptyTemp:
CMD: del \wpad*.dat /s
CMD: nbtstat -R
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that
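The fix above resets the Firefox proxy type and deletes cached wpad*.dat files, i.e. it targets the places where a system-wide proxy or WPAD redirect would make unrelated processes (svchost.exe, chrome.exe, avastui.exe) all talk to the same blocked host. The following PowerShell audit is an added example, not code from the thread or from FRST; it reads the standard Windows proxy, WPAD, hosts and DNS locations so you can see whether such a redirect is configured before and after a fix. Registry paths are the standard Windows ones; the byte-8 flag layout of DefaultConnectionSettings is the documented Internet Settings format. Run it from an elevated PowerShell prompt on Windows 7 or later.

```powershell
# Added example, not part of the thread: audit the system-wide proxy and name
# resolution settings that can make unrelated processes (svchost.exe, chrome.exe,
# avastui.exe) all reach the same unwanted host. Registry paths are the standard
# Windows locations; run from an elevated PowerShell prompt on Windows 7 or later.

function Get-ProxyHijackAudit {
    $report = [ordered]@{}

    # 1. Per-user WinINET proxy: what IE, Chrome and most desktop apps honour.
    $inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
    $report['WinINET ProxyEnable']   = $p.ProxyEnable
    $report['WinINET ProxyServer']   = $p.ProxyServer
    $report['WinINET AutoConfigURL'] = $p.AutoConfigURL   # a PAC URL here is a classic hijack spot

    # 2. "Automatically detect settings" (WPAD) lives in a binary blob. In
    #    DefaultConnectionSettings byte 8 holds flags: 0x02 manual proxy,
    #    0x04 PAC script, 0x08 WPAD auto-detect.
    $conn = Get-ItemProperty -Path "$inet\Connections" -ErrorAction SilentlyContinue
    if ($conn -and $conn.DefaultConnectionSettings) {
        $flags = $conn.DefaultConnectionSettings[8]
        $report['Manual proxy flag'] = [bool]($flags -band 0x02)
        $report['PAC script flag']   = [bool]($flags -band 0x04)
        $report['WPAD auto-detect']  = [bool]($flags -band 0x08)
    }

    # 3. Machine-wide WinHTTP proxy: used by services such as BITS and Windows
    #    Update, which run inside svchost.exe and never see the per-user setting.
    $report['WinHTTP proxy'] = ((netsh winhttp show proxy) -join ' ').Trim()

    # 4. Policy that forces one proxy on every user of the machine.
    $pol = Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
    $report['Machine-wide proxy policy'] = [bool]($pol -and $pol.ProxySettingsPerUser -eq 0)

    # 5. Cached WPAD scripts. A poisoned wpad.dat keeps steering traffic after the
    #    registry looks clean, which is why clean-up scripts delete wpad*.dat.
    $wpad = Get-ChildItem -Path $env:USERPROFILE, "$env:SystemRoot\System32\config\systemprofile" `
        -Filter 'wpad*.dat' -Recurse -Force -ErrorAction SilentlyContinue
    $report['wpad*.dat files'] = ($wpad | Select-Object -ExpandProperty FullName) -join '; '

    # 6. hosts overrides and the DNS servers actually in use (WMI, so the output
    #    is the same on a German or an English Windows).
    $hosts = Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*[^#\s]' }
    $report['hosts entries'] = $hosts -join '; '
    $dns = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=true' |
        ForEach-Object { "$($_.Description): $($_.DNSServerSearchOrder -join ',')" }
    $report['DNS servers'] = $dns -join '; '

    return $report
}

Get-ProxyHijackAudit | Format-Table -AutoSize -Wrap
```

A clean machine on a home network normally shows ProxyEnable 0, no AutoConfigURL, "Direct access (no proxy server)" from WinHTTP, no wpad*.dat files, only the commented defaults in hosts, and the router or ISP resolvers as DNS servers. A PAC URL, a manual proxy pointing at an unfamiliar address, a surviving wpad.dat or unexpected DNS servers is the kind of finding that explains why a web shield sees many different processes reaching the same host.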

here’s the fixlog.

and the screenshot of the avast! alerts popping up after the computer rebooted and I went online again.

Could I have a fresh FRST scan please

here we go!

Do you recognise this folder : C:\Users\Anna\Orgakram
If not then run the fix below

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
2015-02-12 20:18 - 2015-02-12 20:18 - 00000000 ____D () C:\9937829a2006d58763d2
2015-02-08 20:52 - 2013-11-07 10:10 - 00000000 ____D () C:\Users\Anna\Orgakram
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

C:\Users\Anna\Orgakram is one of my personal folders that contains all my official bureaucratic correspondence.

I could delete it if that meant getting rid of this malware (I have a backup on my external harddrive +/- one or two files).

should I do it? why did you assume it was a good idea to destroy it?

It was just a name that I could only find as a nickname… I always find those suspicious. There is no need to delete that folder

At the moment I am at a loss as to what is causing it. I know that it is a programme trying to update a list of URLs however, it could be any of the programmes on your system that is using it.

What programmes had you installed/updated prior to this occurring
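The alert names svchost.exe, but svchost.exe is only a host: each instance runs several Windows services, and the one making the connection is not visible from the process name alone. The script below is an added example, not code from the thread; it snapshots live outbound TCP connections, maps each to its owning process and, for shared hosts such as svchost.exe, to the services running in that instance, using only netstat and WMI so it works on Windows 7 and later. The default port filter (80 and 443, where a web-shield alert would fire) is an assumption; pass -RemotePorts @() to list everything.

```powershell
# Added example, not part of the thread: attribute live outbound TCP connections to
# the owning process and, for a shared host like svchost.exe, to the services running
# inside that particular instance. Uses only netstat and WMI, so it works on Windows 7
# and later. The default port filter (80/443, where a web-shield alert would fire) is
# an assumption; pass -RemotePorts @() to see everything. Run elevated so that the
# owners of system-service connections are resolved.

function Get-ConnectionOwners {
    param([int[]]$RemotePorts = @(80, 443))

    # PID -> image name, built once.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[[int]$_.Id] = $_.ProcessName }

    # PID -> names of the services hosted in that process.
    $svcByPid = @{}
    Get-WmiObject Win32_Service -Filter "State='Running'" | ForEach-Object {
        $svcPid = [int]$_.ProcessId
        if (-not $svcByPid.ContainsKey($svcPid)) { $svcByPid[$svcPid] = @() }
        $svcByPid[$svcPid] += $_.Name
    }

    # netstat -ano TCP rows: Proto, Local, Foreign, State, PID. IPv6 addresses are
    # bracketed, so the port is whatever follows the last colon.
    netstat -ano | Select-String '^\s*TCP\s' | ForEach-Object {
        $f = ($_.Line -split '\s+') | Where-Object { $_ }
        if ($f.Count -lt 5 -or $f[3] -eq 'LISTENING') { return }
        $remote = $f[2]
        $rport  = [int]($remote -replace '^.*:', '')
        $owner  = [int]$f[4]
        if ($RemotePorts.Count -eq 0 -or $RemotePorts -contains $rport) {
            [pscustomobject]@{
                Remote   = $remote
                State    = $f[3]
                OwnerPid = $owner
                Process  = $procs[$owner]
                Services = ($svcByPid[$owner] -join ',')
            }
        }
    }
}

Get-ConnectionOwners | Sort-Object Process, Remote | Format-Table -AutoSize
```

Run it while the alerts are firing and compare the Remote column with the address in the avast! pop-up; the Services column for that svchost.exe PID narrows "a programme trying to update a list of URLs" down to a specific service, which can then be checked against the installed and recently updated programmes.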

I really thought about it and tried to figure it out, but I actually haven’t installed anything new recently and I only updated boring stuff. like adobe flash player, firefox, the cisco secure mobility client I need to log into my university account… stuff…

I attached a picture of all updated programs from the control panel - maybe that would help.

any other ideas what I could try / do / run? thanks a lot