Another svchost.exe problem

[REDACTED]

Like a lot of people I too have been getting avast! pop ups telling me that svchost.exe is trying to download files from anythicago, simplesitescan, alwaysisobar, bestdriverstar, and opticguardzip. I have scanned with avast, Malware Bytes, ADWcleaner, and Windows Defender (whatever that was worth). They all came back clean, The requested files are attached. Aswmbr took 3 attempts before finishing the scan without crashing, I don't know if that means anything.
Thank you for your help.

[REDACTED]

Hello,


Scan with ZOEK

Please download ZOEK by Smeenk and save it to your desktop (preferred version is the *.exe one)
Temporary disable your AntiVirus and AntiSpyware protection - instructions here.

• Right-click on icon and select Run as Administrator to start the tool.
  
• Wait patiently until the main console will appear, it may take a minute or two.
• In the main box please paste in the following script:

Code: [Select]

createsrpoint;
autoclean;
emptyalltemp;
bitsadmin /reset /allusers;b
ipconfig /flushdns;b

• Make sure that Scan All Users option is checked.
  
• Push Run Script and wait patiently. The scan may take a couple of minutes.
  
• When the scan completes, a zoek-results logfile should open in notepad.
  
• If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)

Post its content into your next reply.

[REDACTED]

I ran the scan and the results are attached below, however upon reboot after the scan I was presented with the error that I also attached as a photo. If you could take a look at that I would appreciate it.

[REDACTED]

Ok, no problem.


Re-run zoek and run this script:

Code: [Select]

C:\Users\Curtis\AppData\Local\Google\Chrome\User Data\Default\Preferences;f
createsrpoint;
autoclean;
emptyalltemp;


Post its content into your next reply.

[REDACTED]

Here are the results.

[REDACTED]

How is the situation now?

[REDACTED]

I have not received any pop ups yet, but my PC has only been on for about 15 minutes. Ill let you know if anything comes up.

[REDACTED]

Well, I made it through the day and I haven't had any issues. Thank you for your help. Do you have any idea as to where this came from? it seems like a ton of people are suffering from it.

[REDACTED]

Chromium Startpages

C:\Users\Curtis\AppData\Local\Google\Chrome\User Data\Default\Preferences
removed_old_component_pepper_flash_settings":true},"profile":{"avatar_index":0,"content_settings":{"exceptions":{"app_banner":{},"auto_select_certificate":{},"automatic_downloads":{},"cookies":{},"fullscreen":{"[*.]www.netflix.com,*":{"setting":1},"https://[*.]www.youtube.com:443,*":{"setting":1}},"geolocation":{},"images":{},"javascript":{},"media_stream":{},"media_stream_camera":{},"media_stream_mic":{},"metro_switch_to_desktop":{},"midi_sysex":{},"mixed_script":{},"mouselock":{},"notifications":{},"plugins":{"[*.]oldschool94.runescape.com,*":{"setting":1}},"popups":{},"ppapi_broker":{},"protocol_handlers":{},"push_messaging":{},"ssl_cert_decisions":{}},"pattern_pairs":{"[*.]oldschool94.runescape.com,*":{"plugins":1},"[*.]www.netflix.com,*":{"fullscreen":1},"https://[*.]www.youtube.com:443,*":{"fullscreen":1}},"pref_version":1},"created_by_version":"40.0.2214.91","exit_type":"Normal","exited_cleanly":true,"gaia_info_picture_url":"https://lh4.googleusercontent.com/-J4OiwwQRSqU/AAAAAAAAAAI/AAAAAAAAABI/LJrDUQbubx8/s256-c/photo.jpg","gaia_info_update_time":"13077948370477147","icon_version":3,"managed_user_id":"","managed_users":{},"migrated_content_settings_exceptions":true,"migrated_default_content_settings":true,"migrated_default_media_stream_content_settings":true,"name":"First user","per_host_zoom_levels":{}},"protection":{"macs":{}},"reverse_autologin":{"enabled":false},"safebrowsing":{"enabled":false},"savefile":{"default_directory":"C:\\Users\\Curtis\\Downloads","type":1},"search":{"suggest_enabled":false},"selectfile":{"last_directory":"C:\\Users\\Curtis\\Documents"},"session":{"restore_on_startup_migrated":true,"startup_urls_migration_time":"13066537519449223"},"signin":{"signedin_time":"13066537767004644"},"sync":{"acknowledged_types":["Bookmarks","Preferences","Passwords","Autofill Profiles","Autofill","Themes","Typed URLs","Extensions","Search Engines","Sessions","Apps","App settings","Extension settings","History Delete Directives","Dictionary","Favicon Images","Favicon Tracking","Device Info","Priority Preferences","Managed User Settings","Managed Users","Managed User Shared Settings","Articles","App List","WiFi Credentials","Tabs","Encryption keys"],"app_list":true,"app_settings":true,"apps":true,"autofill":true,"autofill_profile":true,"autofill_wallet":true,"bookmarks":true,"dictionary":true,"encryption_bootstrap_token":"AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAxqWjdmZeikmBIvFER6KilQAAAAACAAAAAAAQZgAAAAEAACAAAAAHkh5z2qj1d08haaHXqPP0i57PY5rrNaXJ9+Bw3kTOLQAAAAAOgAAAAAIAACAAAAD8HV8/9h6LH6u5r8C5I0ublS/L+bR5UNOAzSiKq8rieUAAAAAaLvqbXPHUiP8+VzaMydao7llPPTvT8w+cvdxtwllpHUwKc1yRwrNxwRe4gM/F6kcBWOlsECUPAu8F3T19ZLXMQAAAACArIPiuNrtF0AgDSmY+bP5KHwFiUIOqVujKjcflUko27+7R/WI9ajcIo8B1lakQd8iRVsZ1q5i8/ABrLZKxF88=","extension_settings":true,"extensions":true,"favicon_images":true,"favicon_tracking":true,"first_sync_time":"13066537767014644","has_setup_completed":true,"history_delete_directives":true,"keep_everything_synced":true,"keystore_encryption_bootstrap_token":"AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAxqWjdmZeikmBIvFER6KilQAAAAACAAAAAAAQZgAAAAEAACAAAAD5VxbBfVfR38pd4JauOnqwgtzloofFf46JII8fB0B2QwAAAAAOgAAAAAIAACAAAACMKJGzL2osUMRGGIgs3NJdwH0VJ8PEnJqRs97mSUZrGFAAAAAZg7cmRv90+JHbyld67WMweOaYYrdI3lFFVzAVpv/Fjb0P1TX1eqbCEFyD6rPZ9tY1JyELnWcw2vuLM2c9Fgwry9IIlkSWXcXpXw8dtyOlHkAAAABKW+6Fi4e+nf+cXPO8Fg83Q2XXvB9MgTOS9r1EhsapZXhv72aAOEa64n+sAvVajJ3fcJD6Uj+E7ww+OWL2AYVv","last_synced_time":"13077948384908147","managed_user_settings":true,"managed_user_shared_settings":true,"managed_user_whitelists":true,"managed_users":true,"passwords":true,"preferences":true,"priority_preferences":true,"search_engines":true,"session_sync_guid":"session_syncquh0qljhXbE2GrY+IrZ3fQ==","sessions":true,"suppress_start":false,"tabs":true,"themes":true,"typed_urls":true},"sync_promo":{"startup_count":1,"user_skipped":true},"translate_blocked_languages":["en"],"translate_whitelists":{}}
4","session":{"restore_on_startup":"9AC39A5FA66D4647E7D7E9D7A132D943244714250D5F5B28452AE90B98F77F82","startup_urls":"26F7E978AB6B5DBC7C7BF544BA11041131B4E8C8D50655C6F4EF90593B3EBC9D"},"software_reporter":{"prompt_reason":"480F6265A3BC97E4BF8E22AAA3475336D9DE0E609B1A47A5AF67BD081F1F593B","prompt_seed":"DD8930987D1CBDFD30B73047AED08FFDA6400B8A9816D50FB85C11EE6F54658F","prompt_version":"5CD2DFEF61C92B90301773864FA38107153E8722A4725C0F94C1B0FFE2831093"},"sync":{"remaining_rollback_tries":"397A9E5EA7D02E6B4E167787B2B4DB80BE6D5124853BD0E1FB454FDDC25A53BB"}},"super_mac":"1D91F098DB57874BF6593CD28DCD45567CA6D16E472DB07B645340537E45A579"},"session":{"restore_on_startup":4,"startup_urls":["http://www.youtube.com/","https://www.hvcc.edu/students.html","https://freedoge.co.in/"]},"sync":{"remaining_rollback_tries":0}}

The following will implement some post-cleanup procedures:


Download DelFix by Xplode and save it to your desktop.

• Run the tool by right click on the icon and Run as administrator option.
  
• Make sure that these ones are checked:
• Remove disinfection tools
• Purge system restore
• Reset system settings
• Push Run and wait until the tool completes his work.
  
• All tools we used should be gone. Tool will create an report for you (C:\DelFix.txt)
  

The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.

[REDACTED]

Alright, everything seems to be good. Thank you for your help!