Author Topic: Constant urlmal-avast-process-cwindowssystem32svchostexe/ alert when browsing  (Read 26955 times)


REDACTED

  • Guest
Recently I keep getting Avast alerts about Url:Mal when browsing regular sites. I've noticed it's when I'm browsing Imgur and a GIF is loading.

That's normally when the alert happens.

Also, I'm not sure if it's related, but my webcam has also stopped working.


REDACTED

  • Guest
I've looked at some similar posts and they all say to run FRST64 and ZOEK.

Here is the ZOEK report, and the FRST64 file is attached :)




Zoek.exe v5.0.0.1 Updated 31-December-2015
Tool run by Thi on 11/05/2016 at  0:58:53.96.
Microsoft Windows 10 Home Single Language 10.0.10586  x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Thi\Downloads\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

11/05/2016 00:59:59 Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\PROGRA~2\Lenovo deleted successfully
C:\Program Files\McAfee deleted successfully
C:\PROGRA~3\Comms deleted successfully
C:\Users\Thi\AppData\Local\ActiveSync deleted successfully
C:\Users\Thi\AppData\Local\Lenovo deleted successfully
C:\Users\Thi\AppData\Local\NetworkTiles deleted successfully
C:\Users\Thi\AppData\Local\PACE Anti-Piracy deleted successfully
C:\Users\Thi\AppData\Local\Skype deleted successfully
C:\Users\Thi\AppData\Local\ZDUbywVu deleted successfully
C:\WINDOWS\serviceprofiles\Localservice\AppData\Local\NetworkTiles deleted successfully

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-2493981056-2368578621-3932591581-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{798F58DB-64D6-4E71-AC8A-B77AFD35CD54} deleted successfully

==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================


==== Batch Command(s) Run By Tool======================


==== Deleting Files \ Folders ======================

C:\PROGRA~2\Lenovo not found
C:\Users\Thi\AppData\Local\Lenovo not found
C:\PROGRA~3\Package Cache deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk deleted

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"wrc@avast.com"="C:\Program Files\AVAST Software\Avast\WebRep\FF" [06/05/2016 01:43]
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"sp@avast.com"="C:\Program Files\AVAST Software\Avast\SafePrice\FF" [06/05/2016 01:43]

==== Chromium Look ======================

Google Chrome Version: 46.0.2490.86

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
eedgghdcpmmmilkmfpnklknlenbiolec - No path found[]
eofcbnmajmjmplflapaojjnihcjkigck - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx[06/05/2016 01:43]
gomekmidlodglbbmalcneegieacbdmki - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx[06/05/2016 01:43]
lifbcibllhkdhoafpjfnlhfpfgnpldfl - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx[29/04/2016 15:53]

Sad Panda - Thi\AppData\Local\Google\Chrome\User Data\Default\Extensions\bohapeiooecafommnlaiccilacgmkaoc
Avast Online Security - Thi\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki

==== Chromium Fix ======================

C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_toolbar.yahoo.com_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_toolbar.yahoo.com_0.localstorage-journal deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.azlyrics.com_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.azlyrics.com_0.localstorage-journal deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_lqmwbyzusd-a.akamaihd.net_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_lqmwbyzusd-a.akamaihd.net_0.localstorage-journal deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_apartmentfinder.vn_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_apartmentfinder.vn_0.localstorage-journal deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_gameslikefinder.com_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_gameslikefinder.com_0.localstorage-journal deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_en.savefrom.net_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_en.savefrom.net_0.localstorage-journal deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_savelocations.wikia.com_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_savelocations.wikia.com_0.localstorage-journal deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.xpgamesaves.com_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.xpgamesaves.com_0.localstorage-journal deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_static.moddb.com_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_static.moddb.com_0.localstorage-journal deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_static.subiz.com_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_static.subiz.com_0.localstorage-journal deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.foodity.com_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.foodity.com_0.localstorage-journal deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.olark.com_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.olark.com_0.localstorage-journal deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_ads1.msads.net_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_ads1.msads.net_0.localstorage-journal deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_d2m2wsoho8qq12.cloudfront.net_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_d2m2wsoho8qq12.cloudfront.net_0.localstorage-journal deleted successfully

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="https://vn.yahoo.com/?fr=yset_ie_syc_oracle&type=orcl_hpset"

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com"

==== All HKLM and HKCU SearchScopes ======================

HKLM\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKLM\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=ASU2JS
HKLM\Wow6432Node\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKLM\Wow6432Node\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=ASU2JS
HKCU\SearchScopes "DefaultScope"="{012E1000-F331-11DB-8314-0800200C9A66}"
HKCU\SearchScopes\{012E1000-F331-11DB-8314-0800200C9A66} - http://www.google.com/search?q={searchTerms}
HKCU\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02

==== Deleting CLSID Registry Keys ======================


==== Deleting CLSID Registry Values ======================

HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\{4ED1F68A-5463-4931-9384-8FFF5ED91D92} deleted successfully
HKEY_LOCAL_MACHINE\software\Wow6432Node\mozilla\Firefox\extensions\{4ED1F68A-5463-4931-9384-8FFF5ED91D92} deleted successfully

==== Empty IE Cache ======================

C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Thi\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Thi\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Thi\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\Thi\AppData\Local\Microsoft\Windows\INetCache\Low\IE emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully

==== Empty FireFox Cache ======================

No FireFox Profiles found

==== Empty Chrome Cache ======================

C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully

==== Empty All Flash Cache ======================

No Flash Cache Found

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== C:\zoek_backup content ======================

C:\zoek_backup (files=65 folders=43 43231682 bytes)

==== Empty Temp Folders ======================

C:\WINDOWS\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\WINDOWS\Temp successfully emptied
C:\Users\Thi\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== EOF on 11/05/2016 at  1:19:16.83 ======================

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37504
  • Not a avast user
If you have a screenshot of the Avast popup warning, post that also.

An expert should be online soon...


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Could you let me know if this stops it.

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
HKLM-x32\...\Run: [mcui_exe] => "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
AppInit_DLLs: C:\PROGRA~2\NVIDIA~1\3DVISI~1\NVSTIN~1.DLL => No File
ShellIconOverlayIdentifiers: [###MegaShellExtPending] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\Users\Thi\AppData\Local\MEGAsync\ShellExtX64.dll No File
ShellIconOverlayIdentifiers: [###MegaShellExtSynced] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\Users\Thi\AppData\Local\MEGAsync\ShellExtX64.dll No File
ShellIconOverlayIdentifiers: [###MegaShellExtSyncing] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\Users\Thi\AppData\Local\MEGAsync\ShellExtX64.dll No File
ShellIconOverlayIdentifiers-x32: [###MegaShellExtPending] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\Users\Thi\AppData\Local\MEGAsync\ShellExtX32.dll No File
ShellIconOverlayIdentifiers-x32: [###MegaShellExtSynced] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\Users\Thi\AppData\Local\MEGAsync\ShellExtX32.dll No File
ShellIconOverlayIdentifiers-x32: [###MegaShellExtSyncing] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\Users\Thi\AppData\Local\MEGAsync\ShellExtX32.dll No File
FF HKLM\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor => not found
FF HKLM-x32\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor => not found
C:\Users\Thi\AppData\Local\ZDUbywVu
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe.

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean".
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S0].txt as well.

REDACTED

  • Guest
# AdwCleaner v5.116 - Logfile created 11/05/2016 at 08:46:50
# Updated 09/05/2016 by Xplode
# Database : 2016-05-09.1 [Server]
# Operating system : Windows 10 Home Single Language  (X64)
# Username : Thi - THI-PC
# Running from : C:\Users\Thi\Desktop\AdwCleaner.exe
# Option : Clean
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****

[-] Folder Deleted : C:\Users\Thi\AppData\Local\YSearchUtil

***** [ Files ] *****


***** [ DLLs ] *****


***** [ WMI ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\hdcode
[-] Key Deleted : HKLM\SOFTWARE\SupDp
[-] Key Deleted : HKLM\SOFTWARE\V9
[-] Key Deleted : HKLM\SOFTWARE\winzipersvc
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\delta-homes.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.delta-homes.com

***** [ Web browsers ] *****

[-] [C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Default_Search_Provider] Deleted : hxxp://search.delta-homes.com/webfavicon.ico

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [1307 bytes] - [11/05/2016 08:46:50]
C:\AdwCleaner\AdwCleaner[S1].txt - [1322 bytes] - [11/05/2016 08:43:10]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1453 bytes] ##########

REDACTED

  • Guest
Thanks essexboy! Though I've just tried Chrome again and the alert still pops up :(

Here's a screenshot.


Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37504
  • Not a avast user
Do you have Facebook Video Downloader extension installed?

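The question above is whether a particular extension is present. The Zoek report's "Chromium Look" section lists extensions only by ID, from the HKLM registry keys and from the profile's Extensions folder, so the following PowerShell script (an added example, not code from the thread or from the tools it mentions) inventories both locations and resolves each ID to the name in its manifest.json, resolving localized "__MSG_...__" names through the extension's _locales folder. It assumes the default Chrome profile path and profile name "Default"; adjust $ProfileDir for other profiles.

```powershell
# Added example: inventory Chrome extensions by ID and name from the two places a
# Zoek "Chromium Look" section enumerates. Assumes the default profile location.
$ProfileDir = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default'

function Get-ExtensionName {
    param([string]$VersionDir)
    $manifestPath = Join-Path $VersionDir 'manifest.json'
    if (-not (Test-Path $manifestPath)) { return '<no manifest>' }
    $manifest = Get-Content -Raw -Path $manifestPath | ConvertFrom-Json
    $name = [string]$manifest.name
    # Localized names look like "__MSG_appName__"; look the key up in
    # _locales\<default_locale>\messages.json (falls back to "en").
    if ($name -match '^__MSG_(.+)__$') {
        $key    = $Matches[1]
        $locale = if ($manifest.default_locale) { $manifest.default_locale } else { 'en' }
        $msgPath = Join-Path $VersionDir "_locales\$locale\messages.json"
        if (Test-Path $msgPath) {
            $msgs  = Get-Content -Raw -Path $msgPath | ConvertFrom-Json
            $entry = $msgs.PSObject.Properties[$key]   # property lookup is case-insensitive
            if ($entry) { $name = [string]$entry.Value.message }
        }
    }
    return $name
}

function Get-ChromeExtensionInventory {
    # 1. Extensions unpacked in the user profile: one folder per ID, one sub-folder per version
    $rows = @(foreach ($ext in Get-ChildItem -Directory (Join-Path $ProfileDir 'Extensions') -ErrorAction SilentlyContinue) {
        $ver = Get-ChildItem -Directory $ext.FullName | Sort-Object LastWriteTime -Descending | Select-Object -First 1
        [pscustomobject]@{
            Source = 'Profile'
            Id     = $ext.Name
            Name   = if ($ver) { Get-ExtensionName $ver.FullName } else { '<empty folder>' }
            Path   = if ($ver) { $ver.FullName } else { $ext.FullName }
        }
    })

    # 2. Extensions registered for external install under HKLM (64- and 32-bit views).
    #    An entry may carry a local .crx "path" or only an "update_url".
    $regPaths = 'HKLM:\SOFTWARE\Google\Chrome\Extensions',
                'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions'
    $rows += @(foreach ($rp in $regPaths) {
        foreach ($k in Get-ChildItem $rp -ErrorAction SilentlyContinue) {
            $p = Get-ItemProperty $k.PSPath
            [pscustomobject]@{
                Source = 'Registry'
                Id     = $k.PSChildName
                Name   = if ($p.path) { '(crx) ' + (Split-Path $p.path -Leaf) } else { '<no path, update_url only>' }
                Path   = if ($p.path) { $p.path } else { [string]$p.update_url }
            }
        }
    })
    return $rows
}

$inventory = Get-ChromeExtensionInventory
$inventory | Sort-Object Source, Name | Format-Table -AutoSize

# Check for a specific extension by (partial) name, as asked in the thread
$inventory | Where-Object { $_.Name -like '*Video Downloader*' }
```

Registry entries report the .crx file name rather than a manifest name, so compare by ID against the profile rows where both appear; an ID that shows up only under HKLM with no local path and no matching profile folder is worth noting, since the Chrome UI will not show anything for it.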

REDACTED

  • Guest
I don't know, I don't think so.

Should I uninstall this or make sure I have it installed?

Thank you!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37504
  • Not a avast user
If you have it, uninstall it and see if the popup goes away.

essexboy will be back online later today


REDACTED

  • Guest
I looked in "Programs and Features" and "Extensions" and did a search, but no "Facebook Video Downloader extension", so I don't think I have it.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Nope, the much vaunted security of Chrome has failed again. First run Chrome in Incognito mode: https://support.google.com/chrome/answer/95464?hl=en-GB
Does that stop the alerts?

If not then :

Re-install Chrome

1. If you have bookmarks, let's save them by exporting them - Export Bookmarks
2. Go into the dashboard. Log in. https://www.google.com/settings/dashboard?hl=en
3. Scroll down to "Chrome Sync" and click the "Stop sync and delete data from Google" link.
4. Click the "Stop sync and delete data from Google" button.
5. Now we need to uninstall Chrome.
Note: When asked about user data or settings you must remove this also, so please check the box.
6. Restart the computer and reinstall Chrome. You can download the latest version from here - Google Chrome
7. Import your bookmarks back into Chrome
8. Sign back in to your Chrome browser so that your bookmarks sync with your online account.

REDACTED

  • Guest
OK, I've done the uninstall and restarted, though when I reinstalled Chrome the bookmarks were still up; there wasn't an option to remove user data or settings, just browser history.

Did I do it wrong? :S

 .... and the alert still happens! -.-

Shall I just flag it as a false positive?

Was there anything malicious on my laptop?

Really appreciate the help guys, thank you for taking some time to help me
« Last Edit: May 11, 2016, 02:59:58 PM by Thi3 »

Offline Lotan

  • Sr. Member
  • ****
  • Posts: 289
Do you still get the alerts when you run in incognito mode?

REDACTED

  • Guest
Yep, unfortunately it still happens in incognito mode.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
When you uninstalled Chrome, did you do this?

When asked about user data or settings you must remove this also so please check the box.