help with c:\\windows\system32\svchost.exe Virus


REDACTED

help with c:\\windows\system32\svchost.exe Virus
« on: February 18, 2015, 07:10:53 PM »
hello,

avast! keeps informing me that c:\\windows\system32\svchost.exe tries to contact malicious websites. I tried to solve the problem myself (which admittedly means looking for others to tell me how to solve this), and this is how far I've come:

I found this thread
https://forum.avast.com/index.php?topic=146342.0

and then followed instructions in this information topic
https://forum.avast.com/index.php?topic=53253.0

which told me to eventually post the results of my various scans here -- which I am doing right now.

could someone please help me out from here?

awesome, thanx in advance!

essexboy
Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #1 on: February 18, 2015, 07:44:12 PM »
Let me know if this stops it

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:
Quote
CreateRestorePoint:
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated; please post that.

REDACTED

Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #2 on: February 18, 2015, 08:44:45 PM »
thanks a lot for the suggestion.

here's what happened: I saved the fixlist, ran frst and pressed fix.

chrome crashed and when I re-opened it (to post the fixlog), instead of restoring the previous session, it re-installed adblock and adblock plus (wtf?).

the computer automatically re-started once I closed frst. upon restarting, I got another warning from avast! that "a threat was discovered and c:\\windows\system32\svchost.exe tried to contact a malicious website".

what now?

essexboy
Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #3 on: February 18, 2015, 08:52:37 PM »
OK, that sounds weird.

Could you rerun the fix again with Chrome closed?

After the reboot, could you run the FRST scan again please?

REDACTED

Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #4 on: February 18, 2015, 09:39:32 PM »
okay! I did that!

more or less the same thing happened, just in another order: I rebooted, reopened my browsers, couldn't connect to the internet for a while, and upon reopening chrome, it re-installed adblock plus again (is that cuz all temporary files were deleted and for some reason that includes adblock plus? or does it just make no sense at all?)

anyway, I got eight alerts in a row that "a danger was detected" (same as ever), so I'm guessing - I'm still not there yet.

REDACTED

Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #5 on: February 18, 2015, 09:59:47 PM »
oh, there's something new:

now the threat avast! is informing me about isn't only from c:\\windows\system32\svchost.exe

but also
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

and
C:\Program Files\AVAST Software\Avast\avastui.exe

...that's no good, is it?

essexboy
Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #6 on: February 18, 2015, 11:18:26 PM »
Is Chrome set to sync on start? If so, could you disable/delete the sync data?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:
Quote
CreateRestorePoint:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated; please post that.

REDACTED

Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #7 on: February 19, 2015, 08:53:42 AM »
hm, okay. thank you, I did that (see log attached).

however, when restarting chrome upon running the fix, I did re-install adblock (not adblock plus this time - don't ask me why) and I got another 12 security warnings from avast...

obviously I have no idea what I'm doing here, but if the problem is chrome, wouldn't it maybe help if I uninstalled it? or is that too naive to even consider?

thanks again. a lot.

Michael (alan1998)
Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #8 on: February 19, 2015, 01:28:09 PM »
Avast! shouldn't be alerting on itself... Avastui.exe is the Avast! User Interface...

essexboy
Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #9 on: February 19, 2015, 04:31:38 PM »
Could you attach a screenshot of the alert please?

REDACTED

Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #10 on: February 19, 2015, 06:36:46 PM »
sure thing!

here is the alert as a jpg. I'm sorry it's in German... the alert says:

"avast web-security has blocked a malicious website or file.

object:
infection:
process:

further details
report file as false alarm"

ps: sorry, just realized I didn't do a screenshot but only the alert. it pops up pretty irregularly, I can do a screenshot the next time...

REDACTED

Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #11 on: February 19, 2015, 06:52:45 PM »
here's the screenshot. please disregard my friend dani on skype :-)

essexboy
Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #12 on: February 19, 2015, 08:22:32 PM »
OK, that is a different type of malware from what I expected.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:
Quote
CreateRestorePoint:
FF NetworkProxy: "type", 0
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}.xpi [2015-01-28]
EmptyTemp:
CMD: del \wpad*.dat /s
CMD: nbtstat -R
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated; please post that.
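An added triage helper, not part of this thread and not FRST's own code, that illustrates the reasoning behind the fix above: when svchost.exe, chrome.exe and avastui.exe (reply #5) are all blocked reaching the same destination, the more likely cause is a system-wide redirect (proxy, WPAD or DNS) than one infected binary, which is why this fixlist resets the Firefox proxy setting and deletes wpad*.dat in addition to the earlier network resets. The alert records below are constructed from the three fields the screenshot names (object, infection, process); the host and URLs are placeholders.

```python
"""Group web-shield alerts by process and decide whether they point at one
infected process or at a network-level redirect shared by all of them.

Added example for the thread above; the alerts are constructed, not real."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed alerts in the shape the thread's screenshot describes:
# object (blocked URL), infection (detection name), process (caller).
SAMPLE_ALERTS = [
    {"object": "http://bad.example/ads/track.js", "infection": "URL:Mal",
     "process": r"C:\Windows\System32\svchost.exe"},
    {"object": "http://bad.example/ads/track.js", "infection": "URL:Mal",
     "process": r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"},
    {"object": "http://bad.example/update.php", "infection": "URL:Mal",
     "process": r"C:\Program Files\AVAST Software\Avast\avastui.exe"},
]


def hosts_by_process(alerts):
    """Map each process (case-folded path) to the set of blocked destination hosts."""
    out = defaultdict(set)
    for alert in alerts:
        out[alert["process"].lower()].add(urlsplit(alert["object"]).hostname)
    return dict(out)


def shared_hosts(alerts):
    """Hosts that every alerting process was blocked reaching."""
    by_proc = hosts_by_process(alerts)
    return set.intersection(*by_proc.values()) if by_proc else set()


def classify(alerts):
    """'single-process' when only one process alerts (suspect that binary);
    'network-redirect' when several distinct processes, including ones that
    should not browse the web at all, are steered to the same host (suspect
    proxy/WPAD/DNS settings, which is what the fixlist resets); else 'unclear'."""
    by_proc = hosts_by_process(alerts)
    if len(by_proc) == 1:
        return "single-process"
    return "network-redirect" if shared_hosts(alerts) else "unclear"


if __name__ == "__main__":
    for proc, hosts in hosts_by_process(SAMPLE_ALERTS).items():
        print(f"{proc}: {sorted(hosts)}")
    print("verdict:", classify(SAMPLE_ALERTS))
```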

REDACTED

Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #13 on: February 19, 2015, 11:05:24 PM »
here's the fixlog.

and the screenshot of the avast! alerts popping up after the computer rebooted and I went online again.

essexboy
Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #14 on: February 20, 2015, 03:06:35 PM »
Could I have a fresh FRST scan please?