Author Topic: Possible ransomware detected - svchost.exe  (Read 6124 times)

REDACTED

  • Guest
Possible ransomware detected - svchost.exe
« on: January 16, 2018, 12:11:51 AM »
I have been receiving intermittent warnings from Avast Active Protection stating "Possible ransomware detected - A suspicious activity detected within a process is trying to modify your files. Do you want to allow this activity to continue?  svchost.exe"

I have attached a screen grab of the message and a list of some of the files affected.  To date, I have always blocked the attempted activity.

Does anyone know if this is a false positive or if it is real?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37700
Re: Possible ransomware detected - svchost.exe
« Reply #1 on: January 16, 2018, 12:24:42 AM »
Your screenshots do not seem to be from Avast?

Instructions  >> https://forum.avast.com/index.php?topic=194892.0

 

REDACTED

  • Guest
Re: Possible ransomware detected - svchost.exe
« Reply #2 on: January 16, 2018, 12:35:36 AM »
Pondus, thanks for your quick reply.  The link you provided explains how to create Malwarebytes and FRST logs.  Are you asking me to produce those, and if so, will they provide useful information when I have already blocked the suspicious activity or do I need to wait for the next occurrence of the warning message to create the logs?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37700
Re: Possible ransomware detected - svchost.exe
« Reply #3 on: January 16, 2018, 12:48:31 AM »
If you want assistance from a malware expert to check if you are infected and clean your computer, then you need to attach the requested logs.


REDACTED

  • Guest
Re: Possible ransomware detected - svchost.exe
« Reply #4 on: January 16, 2018, 04:01:03 AM »
I have attached the logs as requested.

Please note that the logs were created after I had clicked "Block" in the Avast popup message and then told it to restore the original (temporarily held) files, so the logs may or may not show anything of use.

Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 820
Re: Possible ransomware detected - svchost.exe
« Reply #5 on: January 16, 2018, 05:12:52 PM »
I don't see malware traces here. Can you open your documents and pictures?

REDACTED

  • Guest
Re: Possible ransomware detected - svchost.exe
« Reply #6 on: January 16, 2018, 07:23:57 PM »
Hi, Sass Drake;

Thanks for the update.  Yes, I can open my documents and pictures.  My system appears to be running fine, but I occasionally (about once or twice a week) get the "Possible ransomware detected" message from Avast Active Protection and it's always about svchost.exe.  I always block the activity.  The next time it occurs, I'll create the logs before I block the activity in case that might show something different.

REDACTED

  • Guest
Re: Possible ransomware detected - svchost.exe
« Reply #7 on: January 28, 2018, 07:08:22 AM »
When this message appears, it usually tells me that 12 files are affected.  After I block the attempt to modify, and then recover the files from temporary files, I often get another message telling me that another 15 files are affected.  I have always blocked the attempts to modify.

The problem occurred again today.  I have attached the MBAM and FRST logs which were produced before I blocked the attempts to modify.  Does anyone see any signs of ransomware in these logs?   If not, is it possible these messages are false positives as a result of Windows 10 legitimate updates, and if so, should I allow the changes to be made?

Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 820
Re: Possible ransomware detected - svchost.exe
« Reply #8 on: January 28, 2018, 01:14:52 PM »
I don't see ransomware in FRST logs. As for Acronis messages I conclude they are false positives because ransomware will target your documents and pictures and not Windows log files. For those 12 files in Acronis warning it is safe to allow changes.

Offline jperl13

  • Jr. Member
  • **
  • Posts: 38
Re: Possible ransomware detected - svchost.exe
« Reply #9 on: January 28, 2018, 05:04:44 PM »
Hi.


The new Acronis Ransomware Protection free tool can give false positives.

https://forum.avast.com/index.php?topic=214390.0

https://www.downloadcrew.com/article/35480-acronis_ransomware_protection_free :

Whilst you use your PC, you'll be warned of suspicious behaviour. Sadly though, we noticed it picked up random tools which check your system for updates, but you can choose to "Trust" these applications (or processes) which will prevent false positives.

REDACTED

  • Guest
Re: Possible ransomware detected - svchost.exe
« Reply #10 on: January 28, 2018, 07:52:36 PM »
I would like to thank everyone who has provided feedback on this issue. 

I also want to apologize!  I posted this issue on the Avast forum by mistake, since this message comes from Acronis Active Protection, not from Avast.  (Pondus noticed that immediately, but I got distracted by the link to the methods to produce logs from Malwarebytes and FRST.)  I'll try to be more diligent in future -- I can only blame old age (I'm over 70) for this obvious error.   :-[