svchost.exe: can not get rid of it

4 to 5 days ago I was on my drawing program drawing with my normal webpages open (Yahoo email, Google+ drive) (and mangago, my normal page on my tablet, for I rarely have it open on my laptop; I think I got hit from mangago) when my Avast popped up screaming at me of a high level threat detected. Avast did its thing on the startup reboot which took 6 hours. I then got back onto my laptop and THAT IS WHEN THIS svchost thing started.

I now get non stop pop-up blocked warnings from Avast with this: (I included a screen capture)

Object: http://wpad.browserudatecheck.in/wpad.dat
Infection: URL:Mal
Process: C:\Windows\System32\svchost.exe

I have tried everything to get rid of it:
-Avast
-Malwarebytes Anti-Malware
-ESET Poweliks cleaner
-HitmanPro (did get rid of 2 Trojans and 400 cookies)
-RogueKiller
-Emsisoft Emergency Kit
-RKill
-TDSSKiller
-AdwCleaner
-Malwarebytes Anti-Rootkit
-ESET NOD32 ANTIVIRUS 8
but nothing can find it!! It is as if it is not even there, but I still keep getting that warning pop-up so I know it is there.

I am at my wits end with this virus… I just want to get rid of it so I can use my laptop again for I have things I need to do.

Can someone PLEASE HELP ME!!!

Hello katherinejaggers and welcome to avast!. I will be working on your Malware issues.

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the ‘all clear’ even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.


Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

- Double-click to run it. When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
- The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:

- Type browserudatecheck.in;wpad.dat into the Search: field in FRST then click the Search Registry button.
- FRST will search your computer for registry and when finished it will produce a log Search.txt in the same directory the tool is run.
- Please attach it to your reply.

here are the 3

notice to self: unicode dir.

Ok, let’s start …

Step#1

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Start
CreateRestorePoint:
Reg: reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2 /f
Reg: reg delete "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg delete "HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg add "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg add "HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
CMD: bitsadmin /reset /allusers
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /flushdns
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset

CloseProcesses:
HKLM-x32\...\Run: =>
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\.DEFAULT -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Toolbar: HKU\.DEFAULT -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Toolbar: HKU\.DEFAULT -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKU\S-1-5-21-4043493293-2585772767-1967288729-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
FF Extension: No Name - C:\Users\Katherine\AppData\Roaming\Mozilla\Firefox\Profiles\fqws5s3z.default\extensions\crossriderapp12832@crossrider.com [not found]
FF Extension: No Name - C:\Users\Katherine\AppData\Roaming\Mozilla\Firefox\Profiles\fqws5s3z.default\extensions\{5a95a9e0-59dd-4314-bd84-4d18ca83a0e2}.xpi [not found]
FF Extension: No Name - C:\Users\Katherine\AppData\Roaming\Mozilla\Firefox\Profiles\fqws5s3z.default\extensions\c99f2e2c-e43b-45cb-a50f-b10bac2f33c1@a4314fc7-1c01-4fda-8022-f0e9bd0cb09f.com [not found]
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [not found]
CHR HKU\S-1-5-21-4043493293-2585772767-1967288729-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [eeafbffkmccheohnooflcnppngmobeoe] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-4043493293-2585772767-1967288729-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [ellbonkjdmgdghkojcjmomekmjpdffde] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-4043493293-2585772767-1967288729-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fllgpcmelbfhcligbphaaplminjpbiad] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-4043493293-2585772767-1967288729-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [hpjocjloojeicikiokfiekcdpojgfefc] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-4043493293-2585772767-1967288729-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [jmnkgjdfgnjhmnopgmkcpigenfhgajdj] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-4043493293-2585772767-1967288729-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [kfbhfniohjdklgcmbmemnpaimpdaikea] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-4043493293-2585772767-1967288729-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [manaobgbdfpjjjnheogfghmjbikhjnlf] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-4043493293-2585772767-1967288729-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [oaobejgaaiojgggjojlcpbembaoajbmc] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [bghejdcdajlenjngcknlkkoakmmjfanb] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [eeafbffkmccheohnooflcnppngmobeoe] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [ellbonkjdmgdghkojcjmomekmjpdffde] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [fllgpcmelbfhcligbphaaplminjpbiad] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [hpjocjloojeicikiokfiekcdpojgfefc] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [jmnkgjdfgnjhmnopgmkcpigenfhgajdj] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [kfbhfniohjdklgcmbmemnpaimpdaikea] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [manaobgbdfpjjjnheogfghmjbikhjnlf] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [oaobejgaaiojgggjojlcpbembaoajbmc] - https://clients2.google.com/service/update2/crx

AlternateDataStreams: C:\Windows:nlsPreferences

Hosts:
C:\Program Files\PC Optimizer Pro
C:\Program Files (x86)\GUT15C8.tmp
C:\Program Files (x86)\GUT1B9C.tmp
C:\Program Files (x86)\GUT3690.tmp

RemoveDirectory: C:\zoek_backup
RemoveDirectory: C:\malwarebtes anti-rootkit
RemoveDirectory: C:\Users\Katherine\mbar
RemoveDirectory: C:\AdwCleaner

RemoveProxy:
Task: {C4855FB8-1A92-4B62-8448-C5FFC4D4C0A4} - System32\Tasks\PC Optimizer Pro64 startups => C:\Program Files\PC Optimizer Pro\StartApps.exe <==== ATTENTION
Task: C:\Windows\Tasks\PC Optimizer Pro64 startups.job => C:\Program Files\PC Optimizer Pro\StartApps.exe <==== ATTENTION
IE trusted site: HKU\S-1-5-21-4043493293-2585772767-1967288729-1001\...\clonewarsadventures.com -> clonewarsadventures.com
IE trusted site: HKU\S-1-5-21-4043493293-2585772767-1967288729-1001\...\freerealms.com -> freerealms.com
IE trusted site: HKU\S-1-5-21-4043493293-2585772767-1967288729-1001\...\scottsdalecc.edu -> hxxps://myscc.scottsdalecc.edu
IE trusted site: HKU\S-1-5-21-4043493293-2585772767-1967288729-1001\...\soe.com -> soe.com
IE trusted site: HKU\S-1-5-21-4043493293-2585772767-1967288729-1001\...\sony.com -> sony.com

EmptyTemp:
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

Step#2

Download the following file (Tcpip.reg) and save it to your Desktop. Run the file and allow it to merge into the registry and make changes. Again, reboot your PC.
http://download.bleepingcomputer.com/win-services/7/Tcpip.reg

NOTICE: This reg file was written specifically for this OS, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Post me the results and tell me if the alerts still occur.
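As a read-only check a helper can run before and after a fix like the one above, here is an added PowerShell audit (not from this thread, and not part of FRST) that lists the same things the fixlist deletes and resets: per-user PAC/proxy settings, the cached WPAD results under Internet Settings\Wpad, the machine-wide WinHTTP proxy that svchost-hosted services use, and any static wpad entry in the hosts file. It assumes the cached PAC URL is stored in the WpadDetectedUrl value of each per-network subkey; the only page-specific value is the browserudatecheck.in domain from the Avast alert.

```powershell
# Added example, not from this thread or from FRST: read-only audit of the
# proxy / WPAD settings that the fixlist above deletes and resets.
# Run from an elevated PowerShell prompt; hives of logged-off users are not
# loaded under HKEY_USERS and are therefore skipped.
$Suspect  = 'browserudatecheck.in'   # domain from the Avast alert in this thread
$IS       = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$Findings = @()

# 1. Per-user WinINet proxy/PAC settings and cached WPAD results (one subkey
#    per network under ...\Internet Settings\Wpad) for every loaded hive.
foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
    $base = "Registry::$($hive.Name)\$IS"
    $p = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    if ($p.AutoConfigURL) {
        $Findings += [pscustomobject]@{ Hive = $hive.PSChildName; Item = 'AutoConfigURL'; Value = $p.AutoConfigURL }
    }
    if ($p.ProxyEnable -eq 1) {
        $Findings += [pscustomobject]@{ Hive = $hive.PSChildName; Item = 'ProxyServer'; Value = $p.ProxyServer }
    }
    foreach ($net in Get-ChildItem "$base\Wpad" -ErrorAction SilentlyContinue) {
        $w = Get-ItemProperty -Path $net.PSPath
        if ($w.WpadDetectedUrl) {   # assumed value name: PAC URL auto-detection settled on for this network
            $Findings += [pscustomobject]@{ Hive = $hive.PSChildName; Item = "Wpad\$($net.PSChildName)"; Value = $w.WpadDetectedUrl }
        }
    }
}

# 2. Machine-wide WinHTTP proxy, which svchost-hosted services use.
$winhttp = (netsh winhttp show proxy) -join ' '
if ($winhttp -notmatch 'Direct access') {
    $Findings += [pscustomobject]@{ Hive = 'HKLM'; Item = 'WinHTTP proxy'; Value = $winhttp.Trim() }
}

# 3. A static "wpad" entry in the hosts file overrides DNS-based WPAD discovery.
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
foreach ($line in Get-Content $hostsFile -ErrorAction SilentlyContinue) {
    if ($line -match '^\s*[^#\s].*\bwpad\b') {
        $Findings += [pscustomobject]@{ Hive = 'hosts'; Item = $hostsFile; Value = $line.Trim() }
    }
}

# Report: anything pointing at the alerted domain is flagged, the rest is for review.
if (-not $Findings) { 'No PAC URL, proxy or cached WPAD result found.'; return }
foreach ($f in $Findings) {
    $flag = if ($f.Value -match [regex]::Escape($Suspect)) { 'SUSPECT' } else { 'review' }
    '{0,-8} {1,-45} {2,-50} {3}' -f $flag, $f.Hive, $f.Item, $f.Value
}
```

Running it again after the fix and reboot should show no entry flagged SUSPECT; a cached WpadDetectedUrl that reappears points at the network (DNS or DHCP option 252), not the machine.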

DAMN NO GOOD!!!

It is STILL ON MY LAPTOP!!!

It just keeps changing where it is hiding.
It was going crazy with running and the changing of the name when I did the fixlist.
…I don’t think this is good…is it…

@katherinejaggers,

As I wrote clearly, follow my instructions. You didn’t post me the FixLog.txt and you didn’t tell me whether you executed the Tcpip.reg as you must.

Btw, this I don’t understand:

It was going crazy with running and the changing of the name when i did the fixlist.

Changing what names?

Sorry, didn’t see that one part… I attached the fixlog.

I will retry the Tcpip.reg

As for the changing, did you see the images I attached?
Now when I get non stop pop-up blocked warnings from Avast, the Object and Infection stay the same but the “Process:” name keeps changing now… it no longer keeps saying the same old

“Process: C:\Windows\System32\svchost.exe”

but now stuff like C:\Program Files…\iexplore.exe
or
C:\Program Files (x86)…\Skype.exe
and others…

It is really freaking me out… it is like it is jumping round hiding or something…

Redid the tcpip to make sure I didn’t miss it…
Just says…
"The keys and values contained in F:\Downloads\Tcpip.reg have been successfully added to the registry."
Also restarted my laptop.

It is still popping up…

I followed all the steps… Did I do something wrong?

Sorry I am not good when it comes to this kind of stuff…

Hello katherinejaggers,

After these fixes, things should have been fixed. So, we need to hunt this thing again.

Step#1

Run FRST tool again and post me fresh FRST.txt and Addition.txt for re-analysis.

Step#2

Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:

- Type browserudatecheck;wpad into the Search: field in FRST then click the Search Registry button.
- FRST will search your computer for registry and when finished it will produce a log Search.txt in the same directory the tool is run.
- Please attach it to your reply.

Step#3

Download ZHPDiag to your desktop.

Take action to disable your antivirus and antispyware programs, as they may conflict with ZHPDiag.

Info on how to disable your security applications > http://www.bleepingcomputer.com/forums/topic114351.html

Installing ZHPDiag

- Double-click zhpdiag.exe to start the installation.
- Windows Vista, 7 and 8 users right-click the file and select: Run as Administrator.
- Click multiple times “Suivant” in the installation process.
- Click “Installer” when asked and “Terminer” once the installation is complete.

Running ZHPDiag

- Double-click the shortcut ZHPDiag on your desktop.
- The user interface will appear, now select “Configureren”.
- If the tool’s default language isn’t set to English, click in the bottom right corner on the house icon “Sélectionner une langue” and choose “Anglais”.
- Next, click on the magnifying-glass icon in the bottom left, “Diagnostic Options”.
- ZHPDiag is now scanning your computer. Please wait patiently until the scan is finished.

The ZHPDiag.txt logfile

- When finished, a logfile named “ZHPDiag.txt” will appear on your desktop.
- Please post the logfile for further review in your next comment.

Step 1 complete

Step 2 complete

Step 3 complete

This fix should fix things now.

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Start
CreateRestorePoint:
Reg: reg delete "HKEY_USERS\S-1-5-21-4043493293-2585772767-1967288729-1001\Software\Microsoft\Internet Explorer\TypedURLs" /v "url2" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-4043493293-2585772767-1967288729-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg add "HKEY_USERS\S-1-5-21-4043493293-2585772767-1967288729-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E30ED111-BD63-48C2-A6CB-AB3C9FFFB07C}" /f
Reg: reg delete "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{E30ED111-BD63-48C2-A6CB-AB3C9FFFB07C}" /f
Reg: reg delete "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110111281132}" /f
Reg: reg delete "HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110111281132}" /f

CloseProcesses:
HKLM-x32\...\Run: [HF_G_Jul] => "C:\Program Files (x86)\AVG Secure Search\HF_G_Jul.exe"  /DoAction

Hosts:
C:\Program Files (x86)\AVG Secure Search
C:\Program Files (x86)\*.tmp
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

Here is the fixlog.

And? How are things now? All looks good to me now.

Same here thanks SO MUCH for the help!! :heart:

You’re welcome.

Same, you say? Are you telling me you are still getting avast! alerts?

Oops, no, I meant same, it all is good on my end… No more notifications or alerts. Yay!!

Nice. :wink:

Could you please keep monitoring your PC for one more day and report here tomorrow whether everything is still OK?

These are traces of new adware (a broken adware/malware installation, but the traces remain) and we’re still investigating it.

The detections were real and we’ve removed the source of the detections, and this should be it. Tomorrow I’ll remove the tools used here and give you some tips on how to protect yourself in the future.

Will do! ;D

Figures I would get hit with something new… good luck with the investigation. If you need any other info to help you with your investigation, let me know.

And tips would be great!! I really don’t like how I was attacked when doing nothing but having my websites open on Chrome.