Repeating pop ups regarding system 32

Hello,

I am getting pop ups from Avast every couple of minutes; at first there were 6, now it's 14 (it's growing!). The last message I got was:
URL:http://opticguardzip.net/4141/CutterSystem_142669222919983.dll
Infection: URL:Mal
Process: C:\Windows\System32\svchost.exe

I think it is pretty much similar to the problem described in https://forum.avast.com/index.php?topic=171904.0

I already ran ZOEK and really hope someone here can help me.

Here are the ZOEK results:

Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by Franzi on 22.06.2015 at 23:28:54,46.
Microsoft Windows 8.1 6.3.9600 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Franzi\Desktop\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

22.06.2015 23:30:16 Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\PROGRA~2\Elaborate Bytes deleted successfully
C:\PROGRA~2\SlySoft deleted successfully
C:\PROGRA~3{FE8D473A-6F06-4F99-B5F4-BED72B2A038C} deleted successfully
C:\Users\Franzi\AppData\Roaming\Common deleted successfully
C:\Users\Franzi\AppData\Local\Adobe deleted successfully

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-3758619472-4121103705-1067709490-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{F4E39681-15F8-4fda-B8A3-B5C98378F2F3} deleted successfully

==== Deleting CLSID Registry Values ======================

==== Deleting Services ======================

Hello,

Do you have complete Zoek report?

Oh, sorry, here’s the complete report.

Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by Franzi on 22.06.2015 at 23:28:54,46.
Microsoft Windows 8.1 6.3.9600 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Franzi\Desktop\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

22.06.2015 23:30:16 Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\PROGRA~2\Elaborate Bytes deleted successfully
C:\PROGRA~2\SlySoft deleted successfully
C:\PROGRA~3{FE8D473A-6F06-4F99-B5F4-BED72B2A038C} deleted successfully
C:\Users\Franzi\AppData\Roaming\Common deleted successfully
C:\Users\Franzi\AppData\Local\Adobe deleted successfully

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-3758619472-4121103705-1067709490-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{F4E39681-15F8-4fda-B8A3-B5C98378F2F3} deleted successfully

==== Deleting CLSID Registry Values ======================

==== Deleting Services ======================

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SProtection deleted successfully

==== Batch Command(s) Run By Tool======================

==== Deleting Files \ Folders ======================

C:\PROGRA~2\Elaborate Bytes not found
C:\PROGRA~2\SlySoft not found
C:\PROGRA~3{FE8D473A-6F06-4F99-B5F4-BED72B2A038C} not found
C:\PROGRA~2\PHotkey deleted
C:\PROGRA~2\COMMON~1\DVDVideoSoft\bin deleted
C:\Users\Franzi\AppData\Roaming\WB.CFG deleted
C:\PROGRA~3\eBay deleted
C:\PROGRA~3\Package Cache deleted
C:\Users\Franzi\AppData\Local\CrashRpt deleted
C:\Users\Franzi\AppData\Local\Google\Chrome Frame\User Data\IEXPLORE\Default\ext_offermosquito deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk deleted
C:\Users\Franzi\Downloads\FreeYouTubeToMP3Converter_3.12.16.1030.exe deleted
C:\WINDOWS\wininit.ini deleted
C:\windows\SysNative\GroupPolicy\machine deleted
C:\windows\SysNative\GroupPolicy\gpt.ini deleted
C:\WINDOWS\Syswow64\InstallUtil.InstallLog deleted

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
wrc@avast.com”=“C:\Program Files\AVAST Software\Avast\WebRep\FF” [18.06.2015 15:06]

==== Chromium Look ======================

Google Chrome Version: 43.0.2357.124

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
gomekmidlodglbbmalcneegieacbdmki - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx[11.04.2015 16:01]

Blue-Green - Franzi\AppData\Local\Google\Chrome\User Data\Default\Extensions\bdpjglpfmgblocnpfehhkokdgagijpmn
Avast Online Security - Franzi\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki
Chrome Hotword Shared Module - Franzi\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg
MSS+ Extension - C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Google\Chrome\User Data\Default\Extensions\bopakagnckmlgajfccecajhnimjiiedh
BatBrowse - C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccncljhbalbbkkfgopogabimepmfkmff
avast Online Security - C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki
{scripts [background.js]}content_scripts:[{js:[content.js]matches:[<all_urls>]run_at:document_end}]content_security_policy:script-src ‘self’ ‘unsafe-eval’ https://crazyscore-a.akamaihd.net https://crazyscore-a.akamaihd.net https://cdn.crazyscore.net; object-src 'self’description:homepage_url:http://www.crazyscore.neticons:{48:icon.png}key:MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtYFfdjn0uixTj1/1g+hrBumjkLg5w7A3RI3ElsbectAuTy1iBkw6OOe6k/Xzet4QjbdTgyLQLzaiukCNBM133huOMI0nMIZ9klcH7W7rgF/xGYeh1u+cN3R6Pza+6V+6yOiOxocqs8muyPc753JS1cNoX9M8/oB1tfBkQDJ6n81LENj3m9r+c6WXn+GXHImIZe6SCgYsH4Ai+awQjNEhnfMIOMp4EHvW7meqvYgRGyyH17+CKLhfL5m7lqSJw/h/CHCE2nkAl4A81sHE197EEZ6M5Evl34SPKs47hBrMZGAQHAB8sxnzNFi/Y0QVn1s9gAfFyNHqYmZylxJ3Ts1oaQIDAQABmanifest_version:2name:Crazy Scorepermissions:[managementstoragetabswebRequestwebRequestBlocking<all_urls>]update_url:http://cdn.crazyscore.net/updateversion:1.0.5616.26439} - Franzi\AppData\Roaming\Opera Software\Opera Stable\Extensions\gklebndkmkifcnomkippjabjamgcmflo

==== Chromium Fix ======================

C:\Users\Franzi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_immobilien.trovit.de_0.localstorage deleted successfully
C:\Users\Franzi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_immobilien.trovit.de_0.localstorage-journal deleted successfully
C:\Users\Franzi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_static.extcontent00.extcontent.com_0.localstorage deleted successfully
C:\Users\Franzi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_static.extcontent00.extcontent.com_0.localstorage-journal deleted successfully
C:\Users\Franzi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.olark.com_0.localstorage deleted successfully
C:\Users\Franzi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.olark.com_0.localstorage-journal deleted successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccncljhbalbbkkfgopogabimepmfkmff deleted successfully
C:\Users\Franzi\AppData\Roaming\Opera Software\Opera Stable\Extensions\gklebndkmkifcnomkippjabjamgcmflo deleted successfully
C:\Users\Franzi\AppData\Roaming\Opera Software\Opera Stable\Local Storage\chrome-extension_gklebndkmkifcnomkippjabjamgcmflo_0.localstorage deleted successfully
C:\Users\Franzi\AppData\Roaming\Opera Software\Opera Stable\Local Extension Settings\gklebndkmkifcnomkippjabjamgcmflo deleted successfully

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
“Search Page”=“http://www.google.com
“Search Bar”=“http://www.google.com
“Default_Search_URL”=“http://www.google.com
“Use Search Asst”=“yes”
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
“Default_Search_URL”=“http://www.google.com
“Search Page”=“http://www.google.com
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main]
“Default_Search_URL”=“http://www.google.com
“Search Page”=“http://www.google.com
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchUrl]
“Default”=“www.google.com
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\SearchUrl]
“Default”=“www.google.com
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
“Default”=“www.google.com
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
“Tabs”=“res://ieframe.dll/tabswelcome.htm”
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AboutURLs]
“Tabs”=“res://ieframe.dll/tabswelcome.htm”
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search]
“Default_Search_URL”=“http://www.google.com
“SearchAssistant”=“http://www.google.com

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
“Start Page”=“http://go.microsoft.com/fwlink/?LinkId=69157
“Use Search Asst”=“no”
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
“Default_Search_URL”=“http://go.microsoft.com/fwlink/?LinkId=54896
“Search Page”=“http://go.microsoft.com/fwlink/?LinkId=54896
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main]
“Default_Search_URL”=“http://go.microsoft.com/fwlink/?LinkId=54896
“Search Page”=“http://go.microsoft.com/fwlink/?LinkId=54896
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchUrl]
“(Default)”=“http://search.msn.com/results.asp?q=%s
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\SearchUrl]
“(Default)”=“http://search.msn.com/results.asp?q=%s
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
“(Default)”=“http://search.msn.com/results.asp?q=%s
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
“Tabs”=“about:newtab”
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AboutURLs]
“Tabs”=“about:newtab”
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search]
“Default_Search_URL”=“http://go.microsoft.com/fwlink/?LinkId=54896
“SearchAssistant”=“http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
“DefaultScope”=“{0633EE93-D776-472f-A0FF-E1416B8B2E3A}”
{012E1000-F331-11DB-8314-0800200C9A66} Google Url=“http://www.google.com/search?q={searchTerms}
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing Url=“http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
{F74ADE27-7D79-4831-A34F-BFFF0A664B65} Google Url=“http://www.google.com/search?q={searchTerms}&amp;sourceid=ie7&amp;rls=com.microsoft:{language}:{referrer:source}&amp;ie={inputEncoding?}&oe={outputEncoding?}

==== Deleting Registry Keys ======================

HKEY_LOCAL_MACHINE\Software\wow6432node\Policies\Google deleted successfully

==== Empty IE Cache ======================

C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Franzi\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Franzi\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Franzi\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\Franzi\AppData\Local\Microsoft\Windows\INetCache\Low\IE emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully

==== Empty FireFox Cache ======================

No FireFox Profiles found

==== Empty Chrome Cache ======================

C:\Users\Franzi\AppData\Local\Opera Software\Opera Stable\Cache emptied successfully
C:\Users\Franzi\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== C:\zoek_backup content ======================

C:\zoek_backup (files=1466 folders=183 329993549 bytes)

==== Empty Temp Folders ======================

C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\Franzi\AppData\Local\Temp will be emptied at reboot
C:\WINDOWS\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\Temp will be emptied at reboot

How is your PC behaving now?

The problem remains. And for some reason now it seems the PC has a few problems with booting up/ shutting down. Takes a very long time suddenly.

Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

[*]Right-click on the FRST icon and select Run as Administrator to start the tool.
(XP users click run after receipt of Windows Security Warning - Open File).
[*]Make sure that Addition option is checked.
[*]Press Scan button and wait.
[*]The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content into your next reply.

The logs had too many characters, so I uploaded them to mega, hope that's ok too.

FRST:
https://mega.co.nz/#!PFUWWbZD!Q7mskHAJTP4a3C0oXXdXCsQUcIqjEvZ2jw_QpVMg3Og

Addition:
https://mega.co.nz/#!WYchHahK!Hh5rplMZDj13OJUrHc6QBh62dmd5L2BHoq7WtKG6_xY

You have the option to attach them here.

Oh ok, found it

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

[*]Right-click on the FRST icon and select Run as Administrator to start the tool.
(XP users click run after receipt of Windows Security Warning - Open File).
[*]Press the Fix button just once and wait.
[*]If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
[*]When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

Attached the fixlog but it seems unusually short

How is your PC behaving now?

No alarms at the moment, I’ll report back in a few hours.
But since the first scan with ZOEK, rebooting/booting/shutdown take ages and the PC always boots with the message that the operating system did not shut down cleanly. Rebooting results in an error after a few minutes, saying that some problem was detected and information regarding the error is being collected; then the PC actually reboots, resulting in the same message that the shutdown wasn't clean.

Keep me updated.

So the alarms really seem to have stopped, thank you very much for your help!
Any ideas on the Booting/shutdown issues I described? Researched for a while now but found no working fix.

Do you still have shutdown problem?

Yes, still the same problems with shutdown. I fear that I messed something up in the process of trying to repair the other problems.

Trying to shut down the system results in the monitor going black, but the laptop stays powered (LEDs still on etc.) for about 5 minutes; then it actually turns off, but when booting up again it says that it didn't shut down cleanly and starts collecting data.
A reboot takes even longer and also ends in an error saying there was a problem, before finally shutting down and starting again, also claiming that the shutdown wasn't clean.

Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

[*]Right-click on the FRST icon and select Run as Administrator to start the tool.
(XP users click run after receipt of Windows Security Warning - Open File).
[*]Make sure that Addition option is checked.
[*]Press Scan button and wait.
[*]The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content into your next reply.

Here they are

I see some errors. Let's perform a Disk Check.

Use the Windows Error Checking utility (Check Disk), with the options to fix file system errors and scan the disk surface for errors, attempt recovery of data and repair the disk:

[*]Click the “Windows Orb” Start button, then click Computer.
[*]Right-click on the drive that you wish to check > Properties > Tools tab
[*]In the “Error checking” section, click on Check now.
[*]Place a checkmark in both boxes > Start.
[*]If the disk you have chosen is the Windows system disk:
[*]A message will notify you that a restart is necessary and ask "Do you want to check for hard disk errors the next time you start your computer?".
[*]Click Schedule disk check > OK and close all windows.
[*]Re-start the computer. The disk will be checked when the system boots.
[*]This will take some time to run and at times may appear stalled, but just let it run.
[*]When the disk check is complete, the system will re-start automatically and load Windows.

A log of the disk check is recorded only if the scheduled re-start is used, and only for drives on the same HDD as the Operating System.
To open Event Viewer and view the log:

[*]Click the “Windows Orb” Start button → type “eventvwr” without the quotes → press the key.
[*]The Event Viewer window will open.
[*]In the left pane, expand “Windows Logs” and then click on Application.
[*]In the right pane, at the top, click on the column heading Source to sort the list alphabetically.
[*]Look in the Source column for “Wininit”, with an entry corresponding to the date and time of the disk check.
[*]Click on that Wininit entry to select it.
[*]On the top main menu, click Action > Copy > Copy Details as Text.
[*]Paste the contents into your next reply.
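The Event Viewer steps above done from an elevated PowerShell prompt instead, as an added example that is not part of this thread or of any tool it mentions. It assumes the chkdsk summary is written by the event provider Microsoft-Windows-Wininit (shown as Source "Wininit" in Event Viewer) with Event ID 1001; the output file name is my own choice.

```powershell
# Added example: fetch the most recent chkdsk summary that Wininit writes to the
# Application log after a scheduled boot-time disk check, and save it to a text
# file so it can be pasted into a reply. Equivalent of the GUI steps
# Event Viewer > Windows Logs > Application > Source "Wininit" > Copy Details as Text.
# Assumptions: provider name "Microsoft-Windows-Wininit" and Event ID 1001.
# (The two GUI checkboxes correspond to running "chkdsk C: /f /r" elevated, which
#  offers to schedule itself for the next boot when the system volume is in use.)
param(
    [string] $OutFile  = (Join-Path $env:USERPROFILE 'Desktop\chkdsk-result.txt'),
    [int]    $DaysBack = 7
)

$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-Wininit'
    Id           = 1001
    StartTime    = (Get-Date).AddDays(-$DaysBack)
}

# -ErrorAction Stop turns "no events found" into a catchable error instead of a warning.
try {
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop |
              Sort-Object TimeCreated -Descending
} catch {
    Write-Warning "No Wininit disk-check events in the last $DaysBack days. Was the scheduled check actually run at boot?"
    return
}

$latest = $events | Select-Object -First 1

# Header plus the full chkdsk message, like "Copy Details as Text" produces.
$report = @(
    "Source:       $($latest.ProviderName)"
    "Event ID:     $($latest.Id)"
    "Time created: $($latest.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss'))"
    ''
    $latest.Message
) -join [Environment]::NewLine

$report | Set-Content -Path $OutFile -Encoding UTF8
$report                     # echo to the console as well
Write-Host "Saved to $OutFile"
```

Run it after the scheduled check has completed and the machine has rebooted; if it reports no events, the check either did not run or was performed on a drive other than the system disk.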