Author Topic: Constant urlmal-avast-process-cwindowssystem32svchostexe/ alert when browsing  (Read 27136 times)


essexboy
Could I have a fresh FRST log please, as a reinstall and reset of the router should have cured this. The only thing I can think of is a programme that you reinstalled after the format, or something in Chrome's sync.

REDACTED

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:05-06-2016 02
Ran by Thi Tran (administrator) on Thi-Laptop (05-06-2016 21:01:53)
Running from C:\Users\Thi Tran\Downloads
Loaded Profiles: Thi Tran (Available Profiles: Thi Tran)
Platform: Windows 8.1 Single Language (Update) (X64) Language: English (United Kingdom)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVAST Software) C:\Program Files\AVAST Software\Avast\afwServ.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [7391632 2016-06-03] (AVAST Software)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2016-06-03] (AVAST Software)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{6EE958FB-6FFC-497A-862C-7C4198CD23A4}: [DhcpNameServer] 192.168.0.1

Internet Explorer:
==================
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2016-06-03] (AVAST Software)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2016-06-03] (AVAST Software)

FireFox:
========
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-06-03] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-06-03] (Google Inc.)
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2016-06-03]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF

Chrome:
=======
CHR DefaultSearchURL: Default -> hxxps://forum.avast.com/index.php?topic=186338.75
CHR Profile: C:\Users\Thi Tran\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Thi Tran\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-06-03]
CHR Extension: (Google Docs) - C:\Users\Thi Tran\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-06-03]
CHR Extension: (Google Drive) - C:\Users\Thi Tran\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-06-03]
CHR Extension: (YouTube) - C:\Users\Thi Tran\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-06-03]
CHR Extension: (Google Sheets) - C:\Users\Thi Tran\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-06-03]
CHR Extension: (Google Docs Offline) - C:\Users\Thi Tran\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-06-05]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Thi Tran\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-06-03]
CHR Extension: (Gmail) - C:\Users\Thi Tran\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-06-03]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [243296 2016-06-03] (AVAST Software)
R2 avast! Firewall; C:\Program Files\AVAST Software\Avast\afwServ.exe [370656 2016-06-03] (AVAST Software)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347880 2014-11-21] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2014-11-21] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [37656 2016-06-03] (AVAST Software)
S1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [37144 2016-06-03] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [107792 2016-06-03] (AVAST Software)
R1 aswNetSec; C:\Windows\system32\drivers\aswNetSec.sys [536312 2016-06-03] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [103064 2016-06-03] (AVAST Software)
S0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [74544 2016-06-03] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1070904 2016-06-03] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [465792 2016-06-03] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [166432 2016-06-03] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [287528 2016-06-03] (AVAST Software)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
S1 nvkflt; C:\Windows\system32\DRIVERS\nvkflt.sys [314816 2016-04-21] (NVIDIA Corporation)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [35856 2014-11-21] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [257880 2014-11-21] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [123224 2014-11-21] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-06-05 21:01 - 2016-06-05 21:02 - 00006663 _____ C:\Users\Thi Tran\Downloads\FRST.txt
2016-06-05 21:01 - 2016-06-05 21:01 - 02384896 _____ (Farbar) C:\Users\Thi Tran\Downloads\FRST64.exe
2016-06-05 21:01 - 2016-06-05 21:01 - 00000000 ____D C:\FRST
2016-06-05 19:18 - 2016-06-05 19:18 - 00000000 _____ C:\Windows\SysWOW64\last.dump
2016-06-03 22:18 - 2016-06-03 21:28 - 00000000 ____D C:\Windows\Panther
2016-06-03 22:06 - 2016-06-03 22:06 - 00000000 ____D C:\Program Files (x86)\Intel
2016-06-03 22:06 - 2016-06-03 22:06 - 00000000 ____D C:\Intel
2016-06-03 22:06 - 2013-10-01 13:02 - 00064000 _____ (Khronos Group) C:\Windows\system32\OpenCL.DLL
2016-06-03 22:06 - 2013-10-01 13:02 - 00060416 _____ (Khronos Group) C:\Windows\SysWOW64\OpenCL.DLL
2016-06-03 22:05 - 2016-06-03 22:05 - 00000000 ____D C:\Windows\LastGood
2016-06-03 22:05 - 2016-06-03 22:05 - 00000000 ____D C:\Program Files\Intel
2016-06-03 22:01 - 2016-06-03 22:01 - 00000000 ____D C:\ProgramData\NVIDIA Corporation
2016-06-03 22:01 - 2016-06-03 22:01 - 00000000 ____D C:\Program Files\NVIDIA Corporation
2016-06-03 22:01 - 2016-06-03 22:01 - 00000000 ____D C:\Program Files (x86)\NVIDIA Corporation
2016-06-03 21:30 - 2016-06-05 19:19 - 00003946 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{F1350FB6-7D0C-4511-8A35-BD7B473DB763}
2016-06-03 21:30 - 2016-06-03 21:30 - 00000000 __SHD C:\Users\Thi Tran\AppData\Local\EmieUserList
2016-06-03 21:30 - 2016-06-03 21:30 - 00000000 __SHD C:\Users\Thi Tran\AppData\Local\EmieSiteList
2016-06-03 21:30 - 2016-06-03 21:30 - 00000000 __SHD C:\Users\Thi Tran\AppData\Local\EmieBrowserModeList
2016-06-03 21:30 - 2016-06-03 15:33 - 00000000 __SHD C:\Users\Thi Tran\AppData\LocalLow\EmieSiteList
2016-06-03 21:29 - 2016-06-03 21:29 - 00000000 ____D C:\Windows\System32\Tasks\WPD
2016-06-03 21:28 - 2016-06-03 21:29 - 00000000 ____D C:\Users\Thi Tran\AppData\Local\Packages
2016-06-03 21:28 - 2016-06-03 21:28 - 00001442 _____ C:\Users\Thi Tran\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-06-03 21:28 - 2016-06-03 21:28 - 00000020 ___SH C:\Users\Thi Tran\ntuser.ini
2016-06-03 21:28 - 2016-06-03 21:28 - 00000000 ____D C:\Users\Thi Tran\AppData\Roaming\Adobe
2016-06-03 21:28 - 2016-06-03 21:28 - 00000000 ____D C:\Users\Thi Tran\AppData\Local\VirtualStore
2016-06-03 21:28 - 2016-06-03 21:28 - 00000000 ____D C:\Users\Thi Tran
2016-06-03 21:28 - 2014-11-21 09:57 - 00000369 _____ C:\Users\Thi Tran\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Pictures.lnk
2016-06-03 21:28 - 2014-11-21 09:57 - 00000369 _____ C:\Users\Thi Tran\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Documents.lnk
2016-06-03 16:06 - 2016-06-03 16:06 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_LocationProvider_01_11_00.Wdf
2016-06-03 15:51 - 2016-06-03 15:51 - 00002287 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-06-03 15:51 - 2016-06-03 15:51 - 00002275 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-06-03 15:49 - 2016-06-03 15:56 - 00003910 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2016-06-03 15:49 - 2016-06-03 15:56 - 00003674 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2016-06-03 15:49 - 2016-06-03 15:56 - 00000938 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-06-03 15:49 - 2016-06-03 15:56 - 00000934 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-06-03 15:49 - 2016-06-03 15:49 - 00987728 _____ (Google Inc.) C:\Users\Thi Tran\Downloads\ChromeSetup.exe
2016-06-03 15:48 - 2016-06-03 15:48 - 00000000 ____D C:\Program Files\Common Files\Atheros
2016-06-03 15:43 - 2016-06-05 19:54 - 00000000 ____D C:\Users\Thi Tran\AppData\Local\Google
2016-06-03 15:43 - 2016-06-03 15:50 - 00000000 ____D C:\Program Files (x86)\Google
2016-06-03 15:43 - 2016-06-03 15:43 - 00003904 _____ C:\Windows\System32\Tasks\SafeZone scheduled Autoupdate 1464943387
2016-06-03 15:43 - 2016-06-03 15:43 - 00001053 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast SafeZone Browser.lnk
2016-06-03 15:42 - 2016-06-03 15:42 - 00037144 _____ (AVAST Software) C:\Windows\system32\Drivers\aswKbd.sys
2016-06-03 15:35 - 2016-06-03 15:35 - 01070904 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2016-06-03 15:35 - 2016-06-03 15:35 - 00536312 _____ (AVAST Software) C:\Windows\system32\Drivers\aswNetSec.sys
2016-06-03 15:35 - 2016-06-03 15:35 - 00465792 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2016-06-03 15:35 - 2016-06-03 15:35 - 00398152 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2016-06-03 15:35 - 2016-06-03 15:35 - 00287528 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys
2016-06-03 15:35 - 2016-06-03 15:35 - 00166432 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2016-06-03 15:35 - 2016-06-03 15:35 - 00107792 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2016-06-03 15:35 - 2016-06-03 15:35 - 00103064 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2016-06-03 15:35 - 2016-06-03 15:35 - 00074544 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
2016-06-03 15:35 - 2016-06-03 15:35 - 00052184 _____ (AVAST Software) C:\Windows\avastSS.scr
2016-06-03 15:35 - 2016-06-03 15:35 - 00037656 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys
2016-06-03 15:35 - 2016-06-03 15:35 - 00003924 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2016-06-03 15:35 - 2016-06-03 15:35 - 00000000 ____D C:\Windows\System32\Tasks\AVAST Software
2016-06-03 15:35 - 2016-06-03 15:35 - 00000000 ____D C:\Users\Thi Tran\AppData\Roaming\AVAST Software
2016-06-03 15:35 - 2016-06-03 15:35 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
2016-06-03 15:35 - 2016-06-03 15:35 - 00000000 ____D C:\Program Files\Common Files\AV
2016-06-03 15:34 - 2016-06-03 22:11 - 00003596 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-128003330-4183474367-756348430-1001
2016-06-03 15:33 - 2016-06-03 15:42 - 00000000 ____D C:\ProgramData\AVAST Software
2016-06-03 15:33 - 2016-06-03 15:42 - 00000000 ____D C:\Program Files\AVAST Software
2016-06-03 15:33 - 2016-06-03 15:33 - 00000000 __SHD C:\Users\Thi Tran\AppData\LocalLow\EmieUserList
2016-06-03 15:33 - 2016-06-03 15:33 - 00000000 __SHD C:\Users\Thi Tran\AppData\LocalLow\EmieBrowserModeList

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-06-03 22:39 - 2013-08-22 22:36 - 00000000 ___HD C:\Program Files\WindowsApps
2016-06-03 22:16 - 2013-08-22 22:36 - 00262144 _____ C:\Windows\system32\config\BCD-Template
2016-06-03 22:06 - 2013-08-22 20:36 - 00000000 ____D C:\Windows\Inf
2016-06-03 21:29 - 2013-08-22 22:36 - 00000000 ____D C:\Windows\rescache
2016-06-03 21:25 - 2013-08-22 21:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-06-03 21:23 - 2013-08-22 20:25 - 00262144 ___SH C:\Windows\system32\config\BBI
2016-06-03 16:13 - 2013-08-22 22:20 - 00000000 ____D C:\Windows\CbsTemp
2016-06-03 15:52 - 2014-11-21 09:49 - 00818732 _____ C:\Windows\system32\PerfStringBackup.INI
2016-06-03 15:40 - 2013-08-22 22:36 - 00000000 ____D C:\Windows\AppReadiness

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-06-03 21:19

==================== End of FRST.txt ============================

REDACTED

Additional scan result of Farbar Recovery Scan Tool (x64) Version:05-06-2016 02
Ran by Thi Tran (2016-06-05 21:03:37)
Running from C:\Users\Thi Tran\Downloads
Windows 8.1 Single Language (Update) (X64) (2016-06-03 14:28:13)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-128003330-4183474367-756348430-500 - Administrator - Disabled)
Guest (S-1-5-21-128003330-4183474367-756348430-501 - Limited - Disabled)
Thi Tran (S-1-5-21-128003330-4183474367-756348430-1001 - Administrator - Enabled) => C:\Users\Thi Tran

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: avast! Antivirus (Disabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: avast! Antivirus (Disabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
FW: avast! Antivirus (Disabled) {2F96FC65-F07D-9D1E-5A6E-3DA5C487EAF0}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Avast Premier (HKLM-x32\...\Avast) (Version: 11.2.2262 - AVAST Software)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 51.0.2704.79 - Google Inc.)
Google Update Helper (x32 Version: 1.3.30.3 - Google Inc.) Hidden
Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3308 - Intel Corporation)
SafeZone Stable 1.48.2066.101 (x32 Version: 1.48.2066.101 - Avast Software) Hidden

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {411E7A85-F28B-489D-9DEF-EED751C83BAF} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-06-03] (Google Inc.)
Task: {AC44D24D-4A7C-423F-8CDF-788969509FD1} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2016-06-03] (AVAST Software)
Task: {C8375E84-A417-49FA-B368-1BC1164BF86A} - System32\Tasks\AVAST Software\Avast settings backup => C:\Program Files\Common Files\AV\avast! Antivirus\backup.exe [2016-06-03] (AVAST Software)
Task: {E17ED678-1395-4171-AEDD-3A1B0E7ED0F4} - System32\Tasks\SafeZone scheduled Autoupdate 1464943387 => C:\Program Files\AVAST Software\SZBrowser\launcher.exe [2016-04-15] (Avast Software)
Task: {E4420DE9-6F3D-41B1-BCD9-B3828A3BCA76} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-06-03] (Google Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2016-06-03 15:35 - 2016-06-03 15:35 - 00123344 _____ () C:\Program Files\AVAST Software\Avast\log.dll
2016-06-03 15:35 - 2016-06-03 15:35 - 00135816 _____ () C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll
2016-06-03 15:35 - 2016-06-03 15:35 - 00309912 _____ () C:\Program Files\AVAST Software\Avast\browser_pass.dll
2016-06-03 15:35 - 2016-06-03 15:35 - 00479680 _____ () C:\Program Files\AVAST Software\Avast\ffl2.dll
2016-06-05 19:17 - 2016-06-05 19:17 - 02923008 _____ () C:\Program Files\AVAST Software\Avast\defs\16060500\algo.dll
2016-06-03 15:35 - 2016-06-03 15:35 - 40539648 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll

==================== Alternate Data Streams (Whitelisted) =========

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 20:25 - 2013-08-22 20:25 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-128003330-4183474367-756348430-1001\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
DNS Servers: 192.168.0.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{67E975FF-B9CE-4CD7-B165-05A96DFBB640}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

==================== Restore Points =========================

ATTENTION: System Restore is disabled

==================== Faulty Device Manager Devices =============

Name: NVIDIA GeForce GT 650M 
Description: NVIDIA GeForce GT 650M 
Class Guid: {4d36e968-e325-11ce-bfc1-08002be10318}
Manufacturer: NVIDIA
Service: nvlddmkm
Problem: : This device cannot work properly until you restart your computer. (Code14)
Resolution: Restart your computer.

Name: Microsoft PS/2 Mouse
Description: Microsoft PS/2 Mouse
Class Guid: {4d36e96f-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.


==================== Event log errors: =========================

Application errors:
==================
Error: (06/03/2016 09:29:40 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x80072EE7
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=71f411ae-7b4b-41bd-b68c-c519c499f950;NotificationInterval=1440;Trigger=UserLogon;SessionId=1

Error: (06/03/2016 09:29:40 PM) (Source: Software Protection Platform Service) (EventID: 1014) (User: )
Description: Acquisition of End User License failed. hr=0x80072EE7
Sku Id=71f411ae-7b4b-41bd-b68c-c519c499f950

Error: (06/03/2016 09:29:40 PM) (Source: Software Protection Platform Service) (EventID: 8200) (User: )
Description: License acquisition failure details.
hr=0x80072EE7


System errors:
=============
Error: (06/05/2016 07:38:20 PM) (Source: DCOM) (EventID: 10010) (User: Thi-Laptop)
Description: {BF6C1E47-86EC-4194-9CE5-13C15DCB2001}

Error: (06/03/2016 09:22:01 PM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: {A47979D2-C419-11D9-A5B4-001185AD2B89}

Error: (06/03/2016 09:20:01 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Network List Service service terminated with the following error:
%%21

Error: (06/03/2016 09:19:53 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The IP Helper service terminated with the following error:
%%1058

Error: (06/03/2016 09:19:04 PM) (Source: volmgr) (EventID: 46) (User: )
Description: Crash dump initialization failed!


==================== Memory info ===========================

Processor: Intel(R) Core(TM) i7-3630QM CPU @ 2.40GHz
Percentage of memory in use: 15%
Total physical RAM: 7629.59 MB
Available physical RAM: 6443.28 MB
Total Virtual: 9485.59 MB
Available Virtual: 8173.43 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:442.72 GB) (Free:422.73 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 931.5 GB) (Disk ID: CDFAD22C)

Partition: GPT.

==================== End of Addition.txt ============================

essexboy
Definitely nothing showing in Chrome.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
2016-06-03 21:30 - 2016-06-03 21:30 - 00000000 __SHD C:\Users\Thi Tran\AppData\Local\EmieUserList
2016-06-03 21:30 - 2016-06-03 21:30 - 00000000 __SHD C:\Users\Thi Tran\AppData\Local\EmieSiteList
2016-06-03 21:30 - 2016-06-03 21:30 - 00000000 __SHD C:\Users\Thi Tran\AppData\Local\EmieBrowserModeList
2016-06-03 21:30 - 2016-06-03 15:33 - 00000000 __SHD C:\Users\Thi Tran\AppData\LocalLow\EmieSiteList
2016-06-03 15:33 - 2016-06-03 15:33 - 00000000 __SHD C:\Users\Thi Tran\AppData\LocalLow\EmieUserList
2016-06-03 15:33 - 2016-06-03 15:33 - 00000000 __SHD C:\Users\Thi Tran\AppData\LocalLow\EmieBrowserModeList
2016-06-03 22:06 - 2013-10-01 13:02 - 00064000 _____ (Khronos Group) C:\Windows\system32\OpenCL.DLL
2016-06-03 22:06 - 2013-10-01 13:02 - 00060416 _____ (Khronos Group) C:\Windows\SysWOW64\OpenCL.DLL
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated; please post that.
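The checks essexboy makes by eye on the two logs above (entries with no company string, the DNS servers, proxy values, the hosts file, the Security Center state, whether System Restore is on) can be scripted. The Python below is an added example written for this page; it is not part of FRST and not code from the thread. It assumes the line layouts visible in the logs above, assumes FRST names proxy entries ProxyEnable/ProxyServer/AutoConfigURL in its Internet section, and treats 824 bytes as the stock hosts file size; the log it runs on is constructed, not the one posted here.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) logs: an added example, not
FRST's or the thread's own code. It parses the line layouts FRST uses in the
sections quoted above and lists what a malware-removal helper checks first."""
import re
from ipaddress import ip_address, ip_network

SECTION_RE = re.compile(r"^={3,}\s*([^=]+?)\s*={3,}$")           # "==== Title ===="
PROCESS_RE = re.compile(r"^\(([^()]*)\)\s+([A-Za-z]:\\.+)$")     # "(Company) C:\path"
SERVICE_RE = re.compile(r"^[RSU]\d\s+([^;]+);\s+.*?\s+\[\d+\s+\d{4}-\d{2}-\d{2}\]"
                        r"\s*(?:\(([^()]*)\))?\s*$")             # "R2 name; path [size date] (Company)"
FILE_RE = re.compile(r"^\S+ \S+ - \S+ \S+ - (\d{8}) \S{5} (?:\(([^()]*)\) )?(.+)$")
NAMESERVER_RE = re.compile(r"\[(?:Dhcp)?NameServer\]\s+(.+)$|^DNS Servers:\s+(.+)$")
SECCENTER_RE = re.compile(r"^(AV|AS|FW): (.+?) \((Disabled|Enabled)")
PROXY_RE = re.compile(r"^(ProxyEnable|ProxyServer|AutoConfigURL)")  # assumed FRST field names
DEFAULT_HOSTS_SIZE = 824  # byte size of the stock Windows hosts file
# Resolvers a home laptop is expected to use; anything else is listed for review.
LOCAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                                      "127.0.0.0/8", "169.254.0.0/16", "fe80::/10", "fc00::/7")]

def split_sections(text):
    """Map each '=== Title ===' header to the non-blank lines under it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections

def section_lines(sections, prefix):
    """Lines of the first section whose title starts with `prefix`."""
    return next((v for k, v in sections.items() if k.startswith(prefix)), [])

def is_local_resolver(addr):
    try:
        ip = ip_address(addr)
    except ValueError:
        return True  # not an IP literal; nothing to classify
    return any(ip in net for net in LOCAL_NETS)

def triage(text):
    """Return (category, detail) findings for an FRST.txt/Addition.txt dump."""
    s, findings = split_sections(text), []
    for line in section_lines(s, "Processes"):
        m = PROCESS_RE.match(line)
        if m and not m.group(1).strip():  # "()" = file carries no company string
            findings.append(("no-company-process", m.group(2)))
    for prefix in ("Services", "Drivers"):
        for line in section_lines(s, prefix):
            m = SERVICE_RE.match(line)
            if m and not (m.group(2) or "").strip():
                findings.append(("no-company-" + prefix.lower(), m.group(1)))
    for line in section_lines(s, "Internet") + section_lines(s, "Other Areas"):
        m = NAMESERVER_RE.search(line)
        for tok in re.split(r"[\s,;-]+", (m.group(1) or m.group(2)) if m else ""):
            if tok and not is_local_resolver(tok) and ("external-dns", tok) not in findings:
                findings.append(("external-dns", tok))
        if PROXY_RE.match(line):  # the values the fix's RemoveProxy: directive clears
            findings.append(("proxy", line))
    for line in section_lines(s, "Hosts content"):
        m = FILE_RE.match(line)
        if m and int(m.group(1)) != DEFAULT_HOSTS_SIZE:
            findings.append(("hosts-modified", f"{m.group(3)} is {int(m.group(1))} bytes"))
    for line in section_lines(s, "Security Center"):
        m = SECCENTER_RE.match(line)
        if m and m.group(3) == "Disabled":
            findings.append(("protection-disabled", f"{m.group(1)} {m.group(2)}"))
    if any("System Restore is disabled" in l for l in section_lines(s, "Restore Points")):
        findings.append(("restore-disabled", "no restore points will be created"))
    return findings

# Constructed sample in FRST's layout (not the log posted in this thread): one process and
# one service without a company string, a static external resolver, a proxy, a grown hosts file.
SAMPLE_LOG = r"""
==================== Processes (Whitelisted) =================
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
() C:\Users\user\AppData\Roaming\svchost.exe
==================== Internet (Whitelisted) ====================
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{6EE958FB-6FFC-497A-862C-7C4198CD23A4}: [NameServer] 203.0.113.5
ProxyServer: [S-1-5-21-0-0-0-1001] => http=127.0.0.1:8080
==================== Services (Whitelisted) ========================
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [243296 2016-06-03] (AVAST Software)
R2 NetUpdSvc; C:\ProgramData\NetUpd\netupd.exe [51200 2016-06-04] ()
==================== Security Center ========================
AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
FW: avast! Antivirus (Disabled) {2F96FC65-F07D-9D1E-5A6E-3DA5C487EAF0}
==================== Hosts content: ===============================
2013-08-22 20:25 - 2016-06-04 11:02 - 00001432 ____A C:\Windows\system32\Drivers\etc\hosts
==================== Restore Points =========================
ATTENTION: System Restore is disabled
"""

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:20} {detail}")
```

Run it as-is to see the findings for the constructed sample, or feed it the concatenated text of a real FRST.txt and Addition.txt. Every item it lists is a lead, not a verdict: FRST prints an empty () for any file whose version resource has no company name, which is why Avast's own log.dll appears that way in the Loaded Modules section above, and a resolver outside the private ranges may simply be the ISP's.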

REDACTED

Fix result of Farbar Recovery Scan Tool (x64) Version:05-06-2016 02
Ran by Thi Tran (2016-06-05 21:54:20) Run:1
Running from C:\Users\Thi Tran\Downloads
Loaded Profiles: Thi Tran (Available Profiles: Thi Tran)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
2016-06-03 21:30 - 2016-06-03 21:30 - 00000000 __SHD C:\Users\Thi Tran\AppData\Local\EmieUserList
2016-06-03 21:30 - 2016-06-03 21:30 - 00000000 __SHD C:\Users\Thi Tran\AppData\Local\EmieSiteList
2016-06-03 21:30 - 2016-06-03 21:30 - 00000000 __SHD C:\Users\Thi Tran\AppData\Local\EmieBrowserModeList
2016-06-03 21:30 - 2016-06-03 15:33 - 00000000 __SHD C:\Users\Thi Tran\AppData\LocalLow\EmieSiteList
2016-06-03 15:33 - 2016-06-03 15:33 - 00000000 __SHD C:\Users\Thi Tran\AppData\LocalLow\EmieUserList
2016-06-03 15:33 - 2016-06-03 15:33 - 00000000 __SHD C:\Users\Thi Tran\AppData\LocalLow\EmieBrowserModeList
2016-06-03 22:06 - 2013-10-01 13:02 - 00064000 _____ (Khronos Group) C:\Windows\system32\OpenCL.DLL
2016-06-03 22:06 - 2013-10-01 13:02 - 00060416 _____ (Khronos Group) C:\Windows\SysWOW64\OpenCL.DLL
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
*****************

Restore point was successfully created.
C:\Users\Thi Tran\AppData\Local\EmieUserList => moved successfully
C:\Users\Thi Tran\AppData\Local\EmieSiteList => moved successfully
C:\Users\Thi Tran\AppData\Local\EmieBrowserModeList => moved successfully
C:\Users\Thi Tran\AppData\LocalLow\EmieSiteList => moved successfully
C:\Users\Thi Tran\AppData\LocalLow\EmieUserList => moved successfully
C:\Users\Thi Tran\AppData\LocalLow\EmieBrowserModeList => moved successfully
C:\Windows\system32\OpenCL.DLL => moved successfully
C:\Windows\SysWOW64\OpenCL.DLL => moved successfully

=========  netsh advfirewall reset =========

Ok.


========= End of CMD: =========


=========  netsh advfirewall set allprofiles state ON =========

Ok.


========= End of CMD: =========


=========  ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


=========  netsh winsock reset catalog =========


Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.


========= End of CMD: =========


=========  netsh int ip reset c:\resetlog.txt =========

Resetting Global, OK!
Resetting Interface, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting , failed.
Access is denied.

Resetting , OK!
Restart the computer to complete this action.


========= End of CMD: =========


=========  ipconfig /release =========


Windows IP Configuration

No operation can be performed on Local Area Connection* 3 while it has its media disconnected.
No operation can be performed on Bluetooth Network Connection while it has its media disconnected.
No operation can be performed on Ethernet while it has its media disconnected.

Wireless LAN adapter Local Area Connection* 3:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Wireless LAN adapter WiFi:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::89d0:1193:386e:f667%4
   Default Gateway . . . . . . . . . :

Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6ab8:10a6:1cb6:3f57:ff93
   Link-local IPv6 Address . . . . . : fe80::10a6:1cb6:3f57:ff93%21
   Default Gateway . . . . . . . . . : ::

========= End of CMD: =========


=========  ipconfig /renew =========


Windows IP Configuration

No operation can be performed on Local Area Connection* 3 while it has its media disconnected.
No operation can be performed on Bluetooth Network Connection while it has its media disconnected.
No operation can be performed on Ethernet while it has its media disconnected.

Wireless LAN adapter Local Area Connection* 3:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Wireless LAN adapter WiFi:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::89d0:1193:386e:f667%4
   IPv4 Address. . . . . . . . . . . : 192.168.0.108
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1

Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter isatap.{6EE958FB-6FFC-497A-862C-7C4198CD23A4}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6abd:2029:3b8a:3f57:ff93
   Link-local IPv6 Address . . . . . : fe80::2029:3b8a:3f57:ff93%21
   Default Gateway . . . . . . . . . : ::

========= End of CMD: =========


=========  netsh int ipv4 reset =========

Resetting Interface, OK!
Resetting , failed.
Access is denied.

Restart the computer to complete this action.


========= End of CMD: =========


=========  netsh int ipv6 reset =========

Resetting Interface, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting , failed.
Access is denied.

Resetting , OK!
Restart the computer to complete this action.


========= End of CMD: =========


========= reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully.



========= End of Reg: =========


========= reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully.



========= End of Reg: =========


========= RemoveProxy: =========

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-128003330-4183474367-756348430-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-128003330-4183474367-756348430-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully


========= End of RemoveProxy: =========


=========  bitsadmin /reset /allusers =========


BITSADMIN version 3.0 [ 7.7.9600 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

0 out of 0 jobs canceled.

========= End of CMD: =========

EmptyTemp: => 390.7 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 21:55:13 ====

REDACTED

Just happened again

Offline essexboy

Totally uninstall Chrome please and ensure all remnants have gone. I believe that Revo Uninstaller would be best for this

http://www.revouninstaller.com/start_freeware_download.html

REDACTED

Done

REDACTED

So I am no longer allowed to use Chrome on this laptop?

Is Chromium OK to use?

If not, any browsers you'd recommend?

Offline essexboy

No, it is not that; it is the fact that when you re-installed Windows it probably left some Chrome folders behind. So when you re-installed Chrome the bad stuff was still there.

Have the alerts ceased?

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
When (re-)installing Windows, did you format the drive/partition?
Is there just one partition on that drive or are there multiple?
Did you check if the problem was there right after installing Windows and all drivers? (meaning before installing any application, e.g. Chrome)

REDACTED

So far nothing yet, I'll keep you guys posted.

I first re-installed using a factory defaults reset. There was no option to format the partitions, but there was an option to do a "clean install", which I chose.

After installing Windows I installed Avast.

I checked the problem ASAP before installing anything else.

I browsed on Microsoft Edge for a bit and that's when the alert popped up.

I then reinstalled again using a USB and this: http://windows.microsoft.com/en-US/windows-8/create-reset-refresh-media

I deleted the partitions and then made new ones and formatted.

Though I think it was a "quick" format and not a thorough one.

There are 2 main partitions and 3 extra ones for system files or something. Though they're like 200 MB, 10 MB, etc. and are not visible.


REDACTED

Just happened again.

This time using Microsoft Internet Explorer and while downloading NVIDIA drivers.

Offline Lotan

  • Sr. Member
  • ****
  • Posts: 289
If you live in Vietnam, I was wondering if it could be your ISP, as that IP address belongs to Vietnam Posts and Telecommunications, which is part of the Vietnamese Government, and it could be routing internet content through their own servers.

If you don't live in Vietnam then ignore my idea.

REDACTED

I do live in Vietnam. I considered this a possibility, but I've lived here for 3 years and this has only started happening recently.