4 to 5 days ago I was on my drawing program drawing with my normal webpages open (Yahoo email, Google+ drive) (and mangago my normal page on my tablet for I rarely have it open on my laptop, I think I got hit from mangago) when my Avast popped up screaming at me of a high level threat detected. Avast did its thing on the startup reboot, which took 6 hours. I then got back onto my laptop and THAT IS WHEN THIS svchost thing started.
I now get non stop pop-up blocked warnings from Avast with this: (I included a screen capture)
I have tried everything to get rid of it
-Avast
-Malwarebytes Anti-mal
-ESET Poweliks Cleaner
-HitmanPro (did get rid of 2 Trojans and 400 cookies)
-RogueKiller
-Emsisoft Emergency Kit
-RKill
-TDSSKiller
-AdwCleaner
-Malwarebytes Anti-Rootkit
-ESET NOD32 ANTIVIRUS 8
but nothing can find it!! It is as if it is not even there but I still keep getting that warning pop-up so I know it is there.
I am at my wits end with this virus… I just want to get rid of it so I can use my laptop again for I have things I need to do.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.
- Double-click to run it. When the tool opens, click Yes to the disclaimer.
- Press the Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
- The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:
- Type browserudatecheck.in;wpad.dat into the Search: field in FRST, then click the Search Registry button.
- FRST will search your computer's registry and, when finished, it will produce a log (Search.txt) in the same directory the tool is run.
- Please attach it to your reply.
1. Open Notepad and copy/paste the text present inside the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.
2. Save notepad as fixlist.txt to your Desktop. NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply. Note: If the tool warned you about the outdated version please download and run the updated version.
NOTICE: This reg file was written specifically for this OS, for use on that particular machine. Running this on another machine may cause damage to the operating system.
Post me the results and tell me whether the alerts still occur.
It just keeps changing where it is hiding.
It was going crazy with running and the changing of the name when I did the fixlist.
…I don’t think this is good…is it…
Sorry, didn’t see that one part… I attached the fixlog
I will retry the Tcpip.reg
As for the changing, did you see the images I attached?
Now when I get non stop pop-up blocked warnings from Avast the Object and Infection stays the same but the “Process:” name keeps changing now… it no longer keeps saying the same old
“Process: C:\Windows\System32\svchost.exe”
but now stuff like C:\Program Files.…\iexplore.exe
or
C:\Program Files (x86).…\Skype.exe
and others…
it is really freaking me out… it is like it is jumping round hiding or something…
Redid the tcpip to make sure I didn’t miss it…
Just says…
"The keys and values contained in F:\Downloads\Tcpip.reg have been successfully added to the registry."
Also restarted my laptop.
It is still popping up…
I followed all the steps… Did I do something wrong?
Sorry I am not good when it comes to this kind of stuff…
After these fixes, things should be fixed. So, we need to hunt this thing again.
Step#1
Run FRST tool again and post me fresh FRST.txt and Addition.txt for re-analysis.
Step#2
Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:
- Type browserudatecheck;wpad into the Search: field in FRST, then click the Search Registry button.
- FRST will search your computer's registry and, when finished, it will produce a log (Search.txt) in the same directory the tool is run.
- Please attach it to your reply.
- Double-click zhpdiag.exe to start the installation.
- Windows Vista, 7 and 8 users: right-click the file and select Run as Administrator.
- Click “Suivant” multiple times in the installation process.
- Click “Installer” when asked and “Terminer” once the installation is complete.
1. Open Notepad and copy/paste the text present inside the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.
2. Save notepad as fixlist.txt to your Desktop. NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply. Note: If the tool warned you about the outdated version please download and run the updated version.
Could you please keep monitoring your PC for one more day and report here tomorrow whether everything is still OK?
These are new traces of new adware (a broken adware/malware installation, but traces do remain) and we’re still investigating it.
The detections were real and we removed the source of the detections, and this should be it. Tomorrow I’ll remove the used tools here and give you some tips on how to protect yourself in the future.
Figures I would get hit with something new…good luck with the investigation. If you need any other info to help you with your investigation let me know.
And tips would be great!! I really don’t like how I was attacked when doing nothing but have my websites open on Chrome.