SVCHOST.EXE process with URL:MAL infection

OK. Rebooted. Even though I had to click on “Show Desktop” after rebooting, now everything seems to work fine. Let’s wait a couple of days to see if the problem (hope not) shows up again. Thank you very much! :)

No need to wait a couple of days. A couple of minutes/hours will be enough.

OK then. I’ll get back to you later on today. Thanks a million. :)
Edit: Until now everything seems to be working just fine. :)

Hey,

I have the same problem as the thread owner. I already ran Zoek and would kindly ask for your help.

Here are my first logs:
Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by user on 14.06.2015 at 12:38:40,11.
Microsoft Windows 8.1 6.3.9600 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\user\Downloads\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

14.06.2015 12:40:20 Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\PROGRA~2\Ashampoo deleted successfully
C:\Program Files\stinger deleted successfully
C:\PROGRA~3\CLSK deleted successfully
C:\PROGRA~3\Riot Games deleted successfully
C:\Users\user\AppData\Local\GGEmpire deleted successfully
C:\Users\user\AppData\Local\Sparta deleted successfully
C:\Users\user\AppData\Local\VirtualStore deleted successfully

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-8586824-2265057808-709542309-1002\Software\Microsoft\Internet Explorer\SearchScopes\{015DB5FA-EAFB-4592-A95B-F44D3EE87FA9} deleted successfully
HKEY_USERS\S-1-5-21-8586824-2265057808-709542309-1002\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} deleted successfully
HKEY_USERS\S-1-5-21-8586824-2265057808-709542309-1002\Software\Microsoft\Internet Explorer\SearchScopes\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} deleted successfully
HKEY_USERS\S-1-5-21-8586824-2265057808-709542309-1002\Software\Microsoft\Internet Explorer\SearchScopes\{8FDCBBB7-E601-4983-8491-E3431DAB6774} deleted successfully
HKEY_USERS\S-1-5-21-8586824-2265057808-709542309-1002\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} deleted successfully

==== Deleting CLSID Registry Values ======================

==== Deleting Services ======================

==== FireFox Fix ======================

ProfilePath: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\u4m3q2a2.default

---- Lines myhome removed from prefs.js ----
user_pref("browser.search.searchengine.iconURL", "http://myhome.vi-view.com/favicon.ico");
user_pref("browser.search.searchengine.url", "http://myhome.vi-view.com/web/?type=ds&ts=1421436880&from=cor&uid=ST1000DM003-1ER162_Z4Y1X3K9XXXXZ4Y1X3K
---- FireFox user.js and prefs.js backups ----

user__1253_.backup
prefs__1253_.backup

==== Batch Command(s) Run By Tool======================

==== Deleting Files \ Folders ======================

C:\PROGRA~2\Ashampoo not found
C:\windows\SysNative\Tasks\Periodic Synchronize Task deleted
C:\PROGRA~3\{faf1bc49-621b-8e49-faf1-1bc49621f125} deleted
C:\PROGRA~2\GreenTree Applications deleted
C:\Users\user\AppData\Roaming\sparta111 deleted
C:\PROGRA~3\simplitec deleted
C:\PROGRA~3\YTD Video Downloader deleted
C:\PROGRA~3\Package Cache deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YTD Video Downloader deleted
C:\windows\SysNative\Tasks\avastBCLRestartS-1-5-21-8586824-2265057808-709542309-1002 deleted
C:\windows\SysNative\drivers\innfd_1_10_0_14.sys deleted
C:\Windows\AppPatch\Custom\{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}.sdb deleted
C:\Windows\SysNative\config\systemprofile\Searches deleted
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\u4m3q2a2.default\jetpack deleted

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"wrc@avast.com"="C:\Program Files\AVAST Software\Avast\WebRep\FF" [27.01.2015 20:32]

==== Firefox Extensions ======================

ProfilePath: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\u4m3q2a2.default

  • Rocket Beans TV Sendeplan für Firefox - %ProfilePath%\extensions\javos-firebeans-rbtvfx@jetpack.xpi
  • Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

AppDir: C:\Program Files (x86)\Mozilla Firefox

  • Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
  • Skype Click to Call - %AppDir%\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}.xpi

==== Firefox Plugins ======================

Profilepath: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\u4m3q2a2.default
F4C5E12008B713FE1B2F2A5990F00A43 - C:\Windows\SysWOW64\Adobe\Director\np32dsw_1218158.dll - Shockwave for Director / Shockwave for Director
2E661988463BCFA1B95D4DAAB9B0B6FA - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_17_0_0_188.dll - Shockwave Flash

==== Chromium Look ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
eofcbnmajmjmplflapaojjnihcjkigck - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx[22.11.2014 18:00]
gomekmidlodglbbmalcneegieacbdmki - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx[22.11.2014 18:00]

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="https://www.google.com/?trackid=sp-006"
"Search Page"="https://www.google.com/search?trackid=sp-006&q={searchTerms}"
"Search Bar"="https://www.google.com/?trackid=sp-006"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Start Page"="https://www.google.com/?trackid=sp-006"
"Search Page"="https://www.google.com/search?trackid=sp-006&q={searchTerms}"
"Search Bar"="https://www.google.com/?trackid=sp-006"
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main]
"Start Page"="https://www.google.com/?trackid=sp-006"
"Search Page"="https://www.google.com/search?trackid=sp-006&q={searchTerms}"
"Search Bar"="https://www.google.com/?trackid=sp-006"

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://go.microsoft.com/fwlink/?LinkId=54896"
"Search Bar"="http://go.microsoft.com/fwlink/?LinkId=54896"
"Start Page"="https://www.google.com/?trackid=sp-006"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://go.microsoft.com/fwlink/?LinkId=54896"
"Search Bar"="http://go.microsoft.com/fwlink/?LinkId=54896"
"Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157"
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main]
"Search Page"="http://go.microsoft.com/fwlink/?LinkId=54896"
"Search Bar"="http://go.microsoft.com/fwlink/?LinkId=54896"
"Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{E9410C70-B6AE-41FF-AB71-32F4B279EA5F}"
{012E1000-F331-11DB-8314-0800200C9A66} Google Url="http://www.google.com/search?q={searchTerms}"
{E9410C70-B6AE-41FF-AB71-32F4B279EA5F} Google Url="https://www.google.com/search?trackid=sp-006&q={searchTerms}"

==== Empty IE Cache ======================

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Low\IE emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully

==== Empty FireFox Cache ======================

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\u4m3q2a2.default\cache2 emptied successfully

==== Empty Chrome Cache ======================

No Chrome User Data found

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== C:\zoek_backup content ======================

C:\zoek_backup (files=102 folders=53 57695648 bytes)

==== Empty Temp Folders ======================

C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\user\AppData\Local\Temp will be emptied at reboot
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp will be emptied at reboot
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\Windows\Temp successfully emptied
C:\Users\user\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== Deleting Files / Folders ======================

"C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp\Low" not deleted

==== EOF on 14.06.2015 at 12:58:38,89 ======================

Your help would be much appreciated!
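The Zoek log above removed hijacked search settings from two places: the Internet Explorer SearchScopes keys (HKCU, HKLM and the Wow6432Node view) and the browser.search.searchengine.* lines in the Firefox prefs.js. The PowerShell below is an added audit script, not part of this thread or of Zoek, that reads those same locations and flags every search URL whose host is not on an allowlist. The $Allowed list, the Get-SearchHijackFindings function name and the treatment of keyword.URL as a search preference are my assumptions; adjust the allowlist to the engines actually in use.

```powershell
# Added example, not part of the thread or of Zoek. Audits the locations the
# Zoek log above touched: IE SearchScopes (HKCU/HKLM/Wow6432Node) and Firefox
# prefs.js search settings. Anything whose host is not on $Allowed is flagged.
# The allowlist is an assumption; extend it with the engines you actually use.
$Allowed = @('www.google.com', 'www.bing.com', 'go.microsoft.com', 'duckduckgo.com')

function Get-UrlHostName {
    param([string]$Url)
    # {searchTerms} is a template placeholder, not valid URI syntax; swap it out before parsing.
    $clean = $Url -replace '\{searchTerms\}', 'x'
    try { return ([System.Uri]$clean).Host.ToLowerInvariant() } catch { return $null }
}

function Get-SearchHijackFindings {
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Internet Explorer search scopes, including the 32-bit view on x64.
    $scopeRoots = @(
        'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes',
        'HKLM:\Software\Microsoft\Internet Explorer\SearchScopes',
        'HKLM:\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes'
    )
    foreach ($root in $scopeRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        $default = (Get-ItemProperty -Path $root -ErrorAction SilentlyContinue).DefaultScope
        foreach ($scope in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $scope.PSPath
            foreach ($valueName in 'URL', 'SuggestionsURL') {
                $url = $props.$valueName
                if (-not $url) { continue }
                $hostName = Get-UrlHostName -Url $url
                $findings.Add([pscustomobject]@{
                    Source     = $root
                    Item       = "$($scope.PSChildName) [$valueName]"
                    IsDefault  = ($scope.PSChildName -eq $default)
                    HostName   = $hostName
                    Url        = $url
                    Suspicious = ((-not $hostName) -or ($Allowed -notcontains $hostName))
                })
            }
        }
    }

    # 2. Firefox: search-related user_pref lines in every profile's prefs.js
    #    (the lines Zoek removed were browser.search.searchengine.* entries).
    $profiles = Join-Path -Path $env:APPDATA -ChildPath 'Mozilla\Firefox\Profiles'
    if (Test-Path -Path $profiles) {
        $prefsFiles = Get-ChildItem -Path $profiles -Recurse -Filter 'prefs.js' -ErrorAction SilentlyContinue
        foreach ($prefs in $prefsFiles) {
            foreach ($line in Get-Content -Path $prefs.FullName) {
                # Matches lines of the form: user_pref("browser.search.searchengine.url", "http://...");
                if ($line -match '^user_pref\("((?:browser\.search|keyword)\.[^"]*)",\s*"([^"]*)"\);') {
                    $url = $Matches[2]
                    if ($url -notmatch '^https?://') { continue }   # skip booleans, names, etc.
                    $hostName = Get-UrlHostName -Url $url
                    $findings.Add([pscustomobject]@{
                        Source     = $prefs.FullName
                        Item       = $Matches[1]
                        IsDefault  = $false
                        HostName   = $hostName
                        Url        = $url
                        Suspicious = ((-not $hostName) -or ($Allowed -notcontains $hostName))
                    })
                }
            }
        }
    }
    return $findings
}

Get-SearchHijackFindings | Where-Object { $_.Suspicious } |
    Format-Table -Property Source, Item, IsDefault, HostName, Url -AutoSize -Wrap
```

Run it as the affected user (HKCU and %APPDATA% are per user); the HKLM keys are readable without elevation. On the log above it would flag the myhome.vi-view.com entries but not the trackid=sp-006 Google URLs, because their host is allowlisted, so also eyeball the full URL of whichever scope is the DefaultScope rather than trusting the host alone. Zoek keeps prefs.js backups (the user__*.backup and prefs__*.backup files in the log) so the original values can be compared after cleanup.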

Start a new topic in V&W and post your logs there: https://forum.avast.com/index.php?action=post;board=4.0

Hi,
I’ve been having a similar problem when logging onto my computer, with Avast popping up with several messages (usually 14) saying that it has blocked a harmful webpage such as simplesmartscan, optiguardzip, alwaysisobar etc., all with the SVCHOST.exe process. I’ve run full Avast scans, Malwarebytes, HitmanPro etc., however the problem seems to persist.
After reading all the previous posts it seems that each solution is computer specific, so would someone be able to help, please? It would be much appreciated.
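A detection reported against SVCHOST.exe only names the host process: svchost.exe runs Windows services loaded as DLLs, and several services usually share one instance, so the alert by itself does not say which service made the connection. The PowerShell below is an added example, not part of this thread, that maps every svchost instance to the services it hosts and to its established outbound TCP connections, which is the check needed before deciding what to remove. The function name Get-SvchostServiceMap and the output layout are my choices; it relies on Get-NetTCPConnection (Windows 8 / Server 2012 and later) and should be run from an elevated PowerShell so the image path of SYSTEM-owned processes can be read.

```powershell
# Added example, not part of the thread. An alert attributed to "svchost.exe" only
# names the host process; this maps each svchost instance to the services running
# inside it and to its established outbound TCP connections, so the service that
# is actually talking to the blocked hosts can be identified. Run from an elevated
# PowerShell on Windows 8 / Server 2012 or later (Get-NetTCPConnection, and reading
# the image path of SYSTEM-owned processes, need that).
function Get-SvchostServiceMap {
    $svchostPaths = @(
        (Join-Path -Path $env:windir -ChildPath 'System32\svchost.exe'),
        (Join-Path -Path $env:windir -ChildPath 'SysWOW64\svchost.exe')
    )

    # PID -> services hosted in that process
    $servicesByPid = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.ProcessId -gt 0 } |
        Group-Object -Property ProcessId -AsHashTable -AsString

    # PID -> established connections to non-loopback peers
    $connsByPid = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$)' } |
        Group-Object -Property OwningProcess -AsHashTable -AsString

    foreach ($proc in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
        $key = [string]$proc.Id
        $services = if ($servicesByPid -and $servicesByPid.ContainsKey($key)) {
            ($servicesByPid[$key] | ForEach-Object { $_.Name }) -join ', '
        } else { '(no service registered for this PID)' }
        $remotes = if ($connsByPid -and $connsByPid.ContainsKey($key)) {
            ($connsByPid[$key] | ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }) -join ', '
        } else { '' }

        [pscustomobject]@{
            PID          = $proc.Id
            Path         = $proc.Path
            # A real svchost lives in System32 (or SysWOW64); anything else, or an
            # instance hosting no service at all, deserves a closer look.
            ExpectedPath = [bool]($proc.Path -and ($svchostPaths -contains $proc.Path))
            Services     = $services
            Remote       = $remotes
        }
    }
}

# Show only instances with outbound connections; drop the filter to see every instance.
Get-SvchostServiceMap | Where-Object { $_.Remote } | Format-Table -AutoSize -Wrap
```

Connections are transient, so run this while the alerts are firing (right after logon, in the case described above); `tasklist /svc` gives the same PID-to-service mapping without PowerShell if that is easier. Once a service name stands out, its binary is in the PathName of `Get-CimInstance Win32_Service -Filter "Name='<name>'"` and, for DLL-hosted services, the ServiceDll value under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters; that file, not svchost.exe itself, is what to examine or submit for analysis.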

Start a new topic in V&W and post your logs there: https://forum.avast.com/index.php?action=post;board=4.0