SVCHOST.EXE process with URL:MAL infection

Hi

Since early this morning, I have been getting continual Avast WebShield pop-ups warning of a blocked “harmful webpage or file”.

Seems to be 5 different ones being flagged.

URL:http://anythicago.com/4141/RelayTurbo_142668814314552.dll
Infection: URL:Mal
Process: C:\Windows\System32\svchost.exe

URL:http://simplesitescan.net/4141/LighterInit_142669556111830.dll
Infection: URL:Mal
Process: C:\Windows\System32\svchost.exe

URL:http://alwaysisobar.com/4141/CutterGeneration_142669028208336.dll
Infection: URL:Mal
Process: C:\Windows\System32\svchost.exe

URL:http://bestdriverstar.net/4141/CutterSystem_142669222915982.dll
Infection: URL:Mal
Process: C:\Windows\System32\svchost.exe

URL:http://opticguardzip.net/4141/CutterSystem_142669222919983.dll
Infection: URL:Mal
Process: C:\Windows\System32\svchost.exe

I think it looks similar to the problem being highlighted in this thread - https://forum.avast.com/index.php?topic=171851.0

In addition to this, I have been experiencing an issue for several weeks now where, when I click a link on a known website, it opens a new tab and takes me to a completely unrelated page (usually TotallyPDA…but there was one other I noticed once).

Looks like the error being reported on this thread - https://forum.avast.com/index.php?topic=170944.0

I have run a full Avast scan and boot scan (nothing found)
I have run Malwarebytes and Spybot S&D (nothing found)

Attached are my Malwarebytes scan log from today, the FRST and FRST Addition text files and the aswMBR.exe scan log file.

Let me know if you need anything else.

Thanks
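As an added example (not from the original post or from Avast), here is a Python triage script that parses alert blocks in the layout shown above, groups them by the reporting process and clusters URLs that share one path shape across different hosts; the sample alerts, hosts and process names in it are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in the layout of the Avast WebShield alerts quoted above.
# Hosts are placeholders (.invalid); the /4141/<Name>_<digits>.dll shape mirrors the post.
SAMPLE_ALERTS = """\
URL:http://host-a.invalid/4141/RelayTurbo_142668814314552.dll
Infection: URL:Mal
Process: C:\\Windows\\System32\\svchost.exe

URL:http://host-b.invalid/4141/CutterSystem_142669222915982.dll
Infection: URL:Mal
Process: C:\\Windows\\System32\\svchost.exe

URL:http://cdn.host-c.invalid/update/setup.exe
Infection: URL:Mal
Process: C:\\Users\\Chris\\AppData\\Local\\Temp\\installer.exe
"""

FIELD_RE = re.compile(r"^(URL|Infection|Process):\s*(.+?)\s*$")
# Windows binaries that never fetch DLLs from the web on their own: a hit here means a
# service or DLL loaded inside them is the real downloader (check with tasklist /svc).
SYSTEM_HOSTS = {"svchost.exe", "explorer.exe", "rundll32.exe"}

def parse_alerts(text):
    """One dict per blank-line-separated URL/Infection/Process block."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1).lower()] = m.group(2)
        if {"url", "infection", "process"}.issubset(fields):
            alerts.append(fields)
    return alerts

def campaign_key(url):
    """Reduce a URL to (first path segment, filename shape) so that names differing only in word/digits collapse."""
    parts = [p for p in urlparse(url).path.split("/") if p]
    if not parts:
        return ("", "")
    shape = re.sub(r"\d+", "<digits>", parts[-1])      # CutterSystem_<digits>.dll
    shape = re.sub(r"^[A-Za-z]+_", "<Name>_", shape)   # <Name>_<digits>.dll
    return (parts[0] if len(parts) > 1 else "", shape)

def triage(alerts):
    """Group alerts by reporting process and find path shapes shared across hosts."""
    by_process, hosts_by_key = defaultdict(list), defaultdict(set)
    for a in alerts:
        exe = a["process"].rsplit("\\", 1)[-1].lower()
        by_process[exe].append(a["url"])
        hosts_by_key[campaign_key(a["url"])].add(urlparse(a["url"]).hostname)
    # Several hosts serving the same path shape: one downloader rotating domains.
    campaigns = {k: sorted(h) for k, h in hosts_by_key.items() if len(h) > 1}
    flagged = {p: u for p, u in by_process.items() if p in SYSTEM_HOSTS}
    return {"by_process": dict(by_process), "campaigns": campaigns, "system_process_downloads": flagged}
```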

Hello,

Scan with ZOEK

Please download ZOEK by Smeenk and save it to your desktop (preferred version is the *.exe one)
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

[*]Right-click on the ZOEK icon and select Run as Administrator to start the tool.
[*]Wait patiently until the main console appears; it may take a minute or two.
[*]In the main box please paste in the following script:

createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;b

[*]Make sure that Scan All Users option is checked.
[*]Push Run Script and wait patiently. The scan may take a couple of minutes.
[*]When the scan completes, a zoek-results logfile should open in notepad.
[*]If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)

Post its content into your next reply.

Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by Chris on 04/06/2015 at 15:54:23.58.
Microsoft Windows 7 Ultimate 6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Chris\Downloads\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

04/06/2015 15:55:43 Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\PROGRA~2\360 deleted successfully
C:\Program Files\Google deleted successfully
C:\PROGRA~3\c0d7a402000057e7 deleted successfully
C:\Users\Chris\AppData\Roaming\Opera Software deleted successfully
C:\Users\Chris\AppData\Roaming\Store deleted successfully
C:\Users\Chris\AppData\Roaming\WTools deleted successfully
C:\Users\Chris\AppData\Local\Opera Software deleted successfully
C:\Users\Chris\AppData\Local\VirtualStore deleted successfully

==== Deleting CLSID Registry Keys ======================

==== Deleting CLSID Registry Values ======================

==== Deleting Services ======================

==== Batch Command(s) Run By Tool======================

Can you run Zoek again?

And please make the links in your original post not clickable.
We do not want visitors/users to go to malicious websites.

Hi

Edited links so they shouldn’t be clickable now - sorry.

Looks like the problem has been resolved, but I will run ZOEK again now.

Zoek results attached (can’t paste as exceeds max characters)

We need to run one more Zoek fix.

Fix with ZOEK

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

[*]Right-click on the ZOEK icon and select Run as Administrator to start the tool.
[*]Wait patiently until the main console appears; it may take a minute or two.
[*]In the main box please paste in the following script:

createsrpoint;
autoclean;
chrdefaults;

[*]Make sure that Scan All Users option is checked.
[*]Push Run Script and wait patiently. The scan may take a couple of minutes.
[*]When the scan completes, a zoek-results logfile should open in notepad.
[*]If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)

Post its content into your next reply.

Results attached.

How is your PC behaving now?

Seems fine now…will watch it today and let you know.

Many thanks for the rapid replies and assistance.

Hi everyone. I have the same problem. Would you be so kind as to give me a hand? Thank you very much.

Hello,

Scan with Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Thank you for your kind reply. The two files are attached.

Scan with ZOEK

Please download ZOEK by Smeenk and save it to your desktop (preferred version is the *.exe one)
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

[*]Right-click on the ZOEK icon and select Run as Administrator to start the tool.
[*]Wait patiently until the main console appears; it may take a minute or two.
[*]In the main box please paste in the following script:

createsrpoint;
autoclean;
chrdefaults;
bitsadmin /reset /allusers;b
emptyalltemp;
ipconfig /flushdns;b

[*]Make sure that Scan All Users option is checked.
[*]Push Run Script and wait patiently. The scan may take a couple of minutes.
[*]When the scan completes, a zoek-results logfile should open in notepad.
[*]If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)

Post its content into your next reply.

I have tried to disable Avast for 10 minutes and when I tried to right click on ZOEK to run it as administrator I got this message: “si è verificato un errore improvviso e Windows deve riavviare il computer…e in corso una raccolta…alla fine della raccolta il computer verrà riavviato automaticamente.” Then the computer restarted/rebooted by itself. What shall I do?

Try to download all of three Zoek versions from this link:

http://download.bleepingcomputer.com/smeenk/

One will work. Make sure that Avast is disabled.

Thank you again. So, here’s the content on Zoek. Do I have to reboot the computer now? Zoek says: “A reboot is needed to complete zoek.exe tasks.”

Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by Nick Berchisan on 08/06/2015 at 13.51.30,61.
Microsoft Windows 8 6.2.9200 x64
Running in: Normal Mode No Internet Access Detected
Launched: C:\Users\Nick Berchisan\Desktop\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

08/06/2015 13.54.57 Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\PROGRA~2\predm deleted successfully
C:\PROGRA~2\COMMON~1\Symantec Shared deleted successfully
C:\Users\Nick Berchisan\AppData\Local\calibre-cache deleted successfully

==== Deleting CLSID Registry Keys ======================

==== Deleting CLSID Registry Values ======================

==== Deleting Services ======================

==== FireFox Fix ======================

ProfilePath: C:\Users\NICKBE~1\AppData\Roaming\Mozilla\Firefox\Profiles\jkhqlbn3.default

user.js not found
---- Lines istart removed from prefs.js ----
user_pref("browser.search.defaultenginename", "istartsurf");
user_pref("browser.search.selectedEngine", "istartsurf");
---- Lines browser.startup.page removed from prefs.js ----
user_pref("browser.startup.page", 1);
---- FireFox user.js and prefs.js backups ----

prefs_062015_14.15_.backup

==== Batch Command(s) Run By Tool======================

==== Deleting Files \ Folders ======================

C:\PROGRA~2\predm not found
C:\Users\Nick Berchisan\AppData\Roaming\calibre deleted
C:\PROGRA~3\{09aa1dbf-c125-fe30-09aa-a1dbfc1276ff} deleted
C:\Users\Nick Berchisan\.android deleted
C:\PROGRA~2\AnyProtectEx deleted
C:\PROGRA~2\SearchProtect deleted
C:\Users\Nick Berchisan\AppData\Roaming\AnyProtectEx deleted
C:\Users\Nick Berchisan\AppData\Roaming\Thinstall deleted
C:\PROGRA~3\Package Cache deleted
C:\Users\Nick Berchisan\AppData\Local\nsy3B63.tmp deleted
C:\Users\Nick Berchisan\AppData\Local\CRE deleted
C:\Users\Nick Berchisan\AppData\Local\tbccint deleted
C:\Users\Nick Berchisan\AppData\Local\SmartWeb deleted
C:\Users\Nick Berchisan\AppData\Local\Thinstall deleted
C:\Users\Nick Berchisan\AppData\Local\NativeMessaging deleted
C:\Users\Nick Berchisan\Downloads\Babylon (OED) Oxford English Dictionary (20-Volume version) 2012.bgl deleted
C:\Users\Nick Berchisan\Downloads\Babylon_English_Italian.BGL deleted
C:\Users\Nick Berchisan\Downloads\Babylon_English_Spanish.BGL deleted
C:\Users\Nick Berchisan\AppData\LocalLow\SmartWeb deleted
C:\Users\Nick Berchisan\AppData\LocalLow\TB deleted
C:\Users\Nick Berchisan\Documents\Optimizer Pro deleted
C:\PROGRA~3\MakeMarkerFile.exe deleted

==== Firefox Start and Search pages ======================

ProfilePath: C:\Users\NICKBE~1\AppData\Roaming\Mozilla\Firefox\Profiles\jkhqlbn3.default
user_pref("browser.search.defaulturl", "https://www.google.com/search/?trackid=sp-006");
user_pref("browser.search.defaultengine", "Google (avast)");
user_pref("keyword.URL", "https://www.google.com/search/?trackid=sp-006");

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"searchffv2@gmail.com"="C:\Users\Nick Berchisan\AppData\Roaming\Mozilla\Firefox\Profiles\jkhqlbn3.default\extensions\searchffv2@gmail.com" [13/05/2015 18.38]
[HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions]
"mozilla_cc@internetdownloadmanager.com"="C:\Users\Nick Berchisan\AppData\Roaming\IDM\idmmzcc5" [19/04/2014 05.38]

==== Firefox Extensions ======================

ProfilePath: C:\Users\NICKBE~1\AppData\Roaming\Mozilla\Firefox\Profiles\jkhqlbn3.default

  • QuickSearch - C:\Users\Nick Berchisan\AppData\Roaming\Mozilla\Firefox\Profiles\jkhqlbn3.default\extensions\searchffv2@gmail.com
  • QuickSearch - %ProfilePath%\extensions\searchffv2@gmail.com

AppDir: C:\Program Files (x86)\Mozilla Firefox

  • Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

==== Firefox Plugins ======================

Profilepath: C:\Users\Nick Berchisan\AppData\Roaming\Mozilla\Firefox\Profiles\jkhqlbn3.default
9E2ACEFA9A03FA35133459B0F8613B40 - C:\windows\SysWoW64\Adobe\Director\np32dsw_1215155.dll - Shockwave for Director / Shockwave for Director
9291708CCD967887AF94BE708B43D64D - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npMeetingJoinPluginOC.dll - Microsoft Office 2013
18CF51689186AEB9D1D149AEB0E92D03 - C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL - Microsoft Office 2013
0E8B2D0D9E3415A91EF259CE1112C579 - C:\windows\SysWoW64\Adobe\Director\np32dsw_1210150.dll - Shockwave for Director / Shockwave for Director

==== Chromium Look ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
gomekmidlodglbbmalcneegieacbdmki - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx[20/03/2015 11.46]
imdmgjpgpplkmnlcccneaiffmgklaeod - C:\Users\Nick Berchisan\AppData\Local\CRE\imdmgjpgpplkmnlcccneaiffmgklaeod.crx
mjdepfkicdcciagbigfcmdhknnoaaegf - [HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\mjdepfkicdcciagbigfcmdhknnoaaegf\path]
mjdepfkicdcciagbigfcmdhknnoaaegf\path - [HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\mjdepfkicdcciagbigfcmdhknnoaaegf\path]
mjdepfkicdcciagbigfcmdhknnoaaegf\Version - No path found

HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions
imdmgjpgpplkmnlcccneaiffmgklaeod - C:\Users\Nick Berchisan\AppData\Local\CRE\imdmgjpgpplkmnlcccneaiffmgklaeod.crx

==== Chromium Fix ======================

C:\Users\Nick Berchisan\AppData\Roaming\Opera Software\Opera Stable\Local Storage\http_www.azlyrics.com_0.localstorage deleted successfully
C:\Users\Nick Berchisan\AppData\Roaming\Opera Software\Opera Stable\Local Storage\http_www.azlyrics.com_0.localstorage-journal deleted successfully
C:\Users\Nick Berchisan\AppData\Roaming\Opera Software\Opera Stable\Local Storage\http_www.intelliwebsearch.com_0.localstorage deleted successfully
C:\Users\Nick Berchisan\AppData\Roaming\Opera Software\Opera Stable\Local Storage\http_www.intelliwebsearch.com_0.localstorage-journal deleted successfully
C:\Users\Nick Berchisan\AppData\Roaming\Opera Software\Opera Stable\Local Storage\http_static.audienceinsights.net_0.localstorage deleted successfully
C:\Users\Nick Berchisan\AppData\Roaming\Opera Software\Opera Stable\Local Storage\http_static.audienceinsights.net_0.localstorage-journal deleted successfully
C:\Users\Nick Berchisan\AppData\Roaming\Opera Software\Opera Stable\Local Storage\https_static.olark.com_0.localstorage deleted successfully
C:\Users\Nick Berchisan\AppData\Roaming\Opera Software\Opera Stable\Local Storage\https_static.olark.com_0.localstorage-journal deleted successfully
C:\Users\Nick Berchisan\AppData\Roaming\Opera Software\Opera Stable\Local Storage\http_www.edufind.com_0.localstorage deleted successfully
C:\Users\Nick Berchisan\AppData\Roaming\Opera Software\Opera Stable\Local Storage\http_www.edufind.com_0.localstorage-journal deleted successfully

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://go.microsoft.com/fwlink/p/?LinkId=255141"
"Search Page"="https://it.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}"
"Use Search Asst"="yes"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchUrl]
"Default"="www.google.com"
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\SearchUrl]
"Default"="www.google.com"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}] not found

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://go.microsoft.com/fwlink/?LinkId=54896"
"Start Page"="http://go.microsoft.com/fwlink/p/?LinkId=255141"
"Use Search Asst"="no"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchUrl]
"(Default)"="http://search.msn.com/results.asp?q=%s"
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\SearchUrl]
"(Default)"="http://search.msn.com/results.asp?q=%s"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{012E1000-F331-11DB-8314-0800200C9A66}"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
{012E1000-F331-11DB-8314-0800200C9A66} Google Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"

==== Reset Google Chrome ======================

C:\Users\Nick Berchisan\AppData\Roaming\Opera Software\Opera Stable\Preferences was reset successfully
C:\Users\Nick Berchisan\AppData\Roaming\Opera Software\Opera Stable\Web Data will be reset at reboot
C:\Users\Nick Berchisan\AppData\Roaming\Opera Software\Opera Stable\Web Data-journal will be reset at reboot

==== Deleting CLSID Registry Keys ======================

==== Deleting CLSID Registry Values ======================

HKEY_LOCAL_MACHINE\software\Wow6432Node\mozilla\Firefox\extensions\firefox@gingersoftware.2.0.0.74.com deleted successfully

==== Deleting Registry Keys ======================

HKEY_LOCAL_MACHINE\Software\wow6432node\Policies\Google deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Google\Chrome\Extensions\imdmgjpgpplkmnlcccneaiffmgklaeod deleted successfully
HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions\imdmgjpgpplkmnlcccneaiffmgklaeod deleted successfully
HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\7365B9B519B34174A993458933955466 deleted successfully

==== Empty IE Cache ======================

C:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Nick Berchisan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Nick Berchisan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully

==== Empty FireFox Cache ======================

No FireFox Cache found

==== Empty Chrome Cache ======================

C:\Users\Nick Berchisan\AppData\Local\Opera Software\Opera Stable\Cache will be emptied at reboot

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== C:\zoek_backup content ======================

C:\zoek_backup (files=186 folders=67 562494010 bytes)

==== Empty Temp Folders ======================

C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\Nick Berchisan\AppData\Local\Temp will be emptied at reboot
C:\windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\windows\Temp will be emptied at reboot

I forgot to say that I use an Internet Stick provided by Wind Italy.

Yes, reboot your PC and let me know how the situation is now.