For the past month, I’ve been randomly getting popups about the websites mentioned in the title attacking my svchost.exe file. Before following the instructions in this thread, I have run scans with Avast and Malwarebytes and they say that my system has no threats.
Logs attached.
Q&A from this thread:
- How was it detected? What was scanning, you yourself or the background scanner?:
The background scanner.
- Did the message come from the avast Network Shield or Webshield or were you alerted via an avast Webreputation alert?:
Avast Web Shield.
- When did the message occur on a download, unzipping, opening a file, mail or mail-attachment, etc.?:
The message occurs randomly, whether I’m playing a game, editing a Word document, or just have the computer running in idle with all windows closed.
- A capture of the message screen as image can be helpful or what the message says and where the suspicious file was detected.:
hxxps://xxx.(imageshack).com/i/eydrFA0Fp
hxxps://xxx.(imageshack).com/i/p3LMtb5qp
- What was the source of the file, where did the file come from? E.g. address, URL, source.:
hxxp://xxx.(reduled).info
hxxp://xxx.(blackfight).info
hxxp://xxx.(reddie).net
hxxp://xxx.(epictory).com
- When was it downloaded or received?:
March 2015. I didn’t log an exact date/time.
- What is the exact file name with extension.:
svchost.exe
- What was the exact wording of the message that the AV program came up with? This is important for later. Right click the avast ball and left-click show last pop-up message!:
“Avast Web Shield has blocked a harmful webpage or file.”
- Now go back and do nothing yet. Scan the particular file once again with your AV product.
A. The message is in the same wording: maybe positive alert
B. If the message is not in the same wording or the scan does not find anything this could be a false positive.
I scanned the folder where the svchost.exe file was located and the AV said that it contained no threats. (hxxps://xxx.(imageshack).com/i/p8l4rgmtp)
- Check with an online scanner or update to Virustotal for a second opinion. VT resides at hxxp://xxx.virustotal.com/index.html
VT says that svchost.exe is not a threat. (hxxps://xxx.(virustotal).com/en/file/121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2/analysis/1429379002/)