If my laptop hibernates or if I turn off my laptop’s wifi, upon returning to web connectivity I get a popup with the following infection details:
URL: http://[this field changes]/4141/Systemvisual_[a string of numbers.dll]
Infection: URL:mal
Process: C:\Windows\System32\svchost.exe
I’ve run Malwarebytes, removing two trojans and various PUPs and attached all of the recommended logs.
Hello,
https://sites.google.com/site/cannedfixes/home/hosted-images-tools/51a612a8b27e2-Zoek.png
Scan with ZOEK
Please download ZOEK by Smeenk and save it to your desktop (preferred version is the *.exe one)
Temporary disable your AntiVirus and AntiSpyware protection - instructions here.
[*]Right-click on
https://sites.google.com/site/cannedfixes/home/hosted-images-tools/51a612a8b27e2-Zoek.png
icon and select
https://sites.google.com/site/cannedfixes/home/hosted-images-tools/RunAsAdmin.jpg
Run as Administrator to start the tool.
[]Wait patiently until the main console will appear, it may take a minute or two.
[]In the main box please paste in the following script:
createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;b
[*]Make sure that Scan All Users option is checked.
[*]Push Run Script and wait patiently. The scan may take a couple of minutes.
[*]When the scan completes, a zoek-results logfile should open in notepad.
[*]If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)
Post its content into your next reply.
Hello, TwinHeadedEagle, and thanks!
I ran the Zoek tool as you said. After reboot the problem continues (I know you didn’t say that tool would solve it, for all I know it’s simply a diagnostic). That’s the update. I attempted to paste the Zoek log contents below, but its text exceeds the 20000 character limit. I have attached a notepad file of that log.
How is your PC behaving now?
Hi TwinHeadedEagle! Thanks for the help and the follow through.
PC still has same problem that originally caused me to seek help in this forum.
When I close the lid, the system hibernates. When I open it and regain web connectivity (or if I turn off and then turn on the wireless antenna again) I get an Avast popup message such as:
URL: http://simplesitescan.net/4141/RelayDouble_[string of numbers].dll
Infection: URL:Mal
Process: C:\Windows\System32\svchost.exe
Avast always blocks the connection to the malware site (alwaysisobar.com is another common one, as is optiguardzip.net), but I’d rather not have the infection in the first place. Any other possible moves?
https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/FRST.gif
Scan with Farbar Recovery Scan Tool
Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.
[*]Right-click on
https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/FRST.gif
icon and select
https://sites.google.com/site/cannedfixes/home/hosted-images-tools/RunAsAdmin.jpg
Run as Administrator to start the tool.
(XP users click run after receipt of Windows Security Warning - Open File).
[*]Make sure that Addition option is checked.
[*]Press Scan button and wait.
[*]The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
Please include their content into your next reply.
Your dedication to this is much appreciated.
I’ve rerun Farbar. The log is attached.
https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/FRST.gif
Fix with Farbar Recovery Scan Tool
https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif
[B] This fix was created for this user for use on that particular machine.
https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif
https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif
Running it on another one may cause damage and render the system unstable.
https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif
[/B]
Download attached fixlist.txt file and save it to the Desktop:
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!
[*]Right-click on
https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/FRST.gif
icon and select
https://sites.google.com/site/cannedfixes/home/hosted-images-tools/RunAsAdmin.jpg
Run as Administrator to start the tool.
(XP users click run after receipt of Windows Security Warning - Open File).
[*]Press the Fix button just once and wait.
[*]If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
[*]When finished FRST will generate a log on the Desktop, called Fixlog.txt.
Please attach it to your reply.
Thanks, again, TwinHeadedEagle, you have solved the issue. I no longer get the popups from Avast indicating that my system is attempting to contact sites with harmful content.
Now that the problem is fixed, I doubt you are interested, but I’ve attached the fixlist.txt log you requested, just in case it might be of any use to you in your future crime-fighting endeavors.
Also, I’ve sent you a token of my appreciation through Paypal. I hope others might also.
May your talons occasionally get to grip some nice and squishy treats, rather than those pokey arrows and lightening bolts most double-headed eagles are normally seen with.
Later!
Thank you 
Post-cleanup procedures:
Download DelFix by Xplode and save it to your desktop.
[*]Run the tool by right click on the
http://www.imgdumper.nl/uploads6/51a5ce45267c1/51a5ce45263de-delfix.png
icon and Run as administrator option.
[*]Make sure that these ones are checked:
[]Remove disinfection tools
[]Purge system restore
[*]Reset system settings
[*]Push Run and wait until the tool completes his work.
All tools we used should be gone. Tool will create an report for you (C:[B]DelFix.txt)
The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.