Author Topic: help with c:\\windows\system32\svchost.exe Virus  (Read 29955 times)

0 Members and 1 Guest are viewing this topic.

REDACTED

  • Guest
help with c:\\windows\system32\svchost.exe Virus
« on: February 18, 2015, 07:10:53 PM »
hello,

avast! keeps informing me that c:\\windows\system32\svchost.exe tries to contact malicious websides. I tried to solve the problem myself (which admittedly means looking for others to tell me how to solve this), and this is how far I've come:

I found this thread
https://forum.avast.com/index.php?topic=146342.0

and then followed instructions in this information topic
https://forum.avast.com/index.php?topic=53253.0

which told me to eventually post the results of my various scans here -- which I am doing right now.

could someone please help me out from here?

awesome, thanx in advance!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #1 on: February 18, 2015, 07:44:12 PM »
Let me know if this stops it

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated please post that

REDACTED

  • Guest
Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #2 on: February 18, 2015, 08:44:45 PM »
thanks a lot for the suggestion.

here's what happened: I saved the fixlist, ran frst and pressed fix.

chrome crashed and when I re-opened it (to post the fixlog), instead of restoring the previous session, it re-installed adblock and adblock plus (wtf?).

the computer automatically re-started once I closed frst. upon restarting, I got another warning from avast! that "a threat was discovered and c:\\windows\system32\svchost.exe tried to contact a malicious webside".

what now?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #3 on: February 18, 2015, 08:52:37 PM »
OK that sounds weird

Could you rerun the fix again with Chrome closed

After the reboot could you run FRST scan again please

REDACTED

  • Guest
Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #4 on: February 18, 2015, 09:39:32 PM »
okay! I did that!

more or less the same thing happened, just in another order: I rebooted, reopened my browsers, couldn't connect to the internet for a while, and upon reopening chrome, it re-installed adblock plus again (is that cuz all temporary files were deleted and for some reason that includes adblock plus? or does it just make no sense at all?)

anyway, I got eight alerts in a row that "a danger was detected" (same as ever), so I'm guessing - I'm still not there yet.

REDACTED

  • Guest
Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #5 on: February 18, 2015, 09:59:47 PM »
oh, there's something new:

now the threat avast! is informing me about isn't only from c:\\windows\system32\svchost.exe

but also
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

and
C:\Program Files\AVAST Software\Avast\avastui.exe

...that's no good, is it?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #6 on: February 18, 2015, 11:18:26 PM »
Is Chrome set to synch on start ?  If so could you disable/delete the synch data

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated please post that

REDACTED

  • Guest
Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #7 on: February 19, 2015, 08:53:42 AM »
hm, okay. thank you, I did that (see log attached).

however, when restarting chrome upon running the fix, I did re-install adblock (not adblock plus this time - don't ask me why) and I got another 12 security warnings from avast...

obviously I have no idea what I'm doing here, but if the problem is chrome, wouldn't it maybe help if I deinstalled it? or is that too naiv to even consider?

thanks again. a lot.

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #8 on: February 19, 2015, 01:28:09 PM »
Avast! shouldn't be alerting on itself... Avastui.exe is the Avast! User Interface...
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #9 on: February 19, 2015, 04:31:38 PM »
Could you attach a screenshot of the alert please

REDACTED

  • Guest
Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #10 on: February 19, 2015, 06:36:46 PM »
sure thing!

here is the alert as a jpg. I'm sorry it's in german... the alert says:

"avast web-security has blocked a malicious webside or file.

object:
infection:
process:

further details
report file as false alarm"

ps: sorry, just realized I didn't do a screenshot but only the alert. it pops up pretty irregularely, I can do a screenshot the next time...
« Last Edit: February 19, 2015, 06:38:43 PM by annabellawe »

REDACTED

  • Guest
Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #11 on: February 19, 2015, 06:52:45 PM »
here's the screenshot. please disregard my friend dani on skype :-)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #12 on: February 19, 2015, 08:22:32 PM »
OK that is a different type of malware to what I expected

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
FF NetworkProxy: "type", 0
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}.xpi [2015-01-28]
EmptyTemp:
CMD: del \wpad*.dat /s
CMD: nbtstat -R
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated please post that

REDACTED

  • Guest
Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #13 on: February 19, 2015, 11:05:24 PM »
here's the fixlog.

and the screenshot of the avast! alerts popping up after the computer rebooted and I went online again.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #14 on: February 20, 2015, 03:06:35 PM »
Could I have a fresh FRST scan please