Windows 7: Avast always detects and blocks malware on svchost.exe after startup

20 Jun 2015   #1
braedensantos
Windows 7 Ultimate x64
Avast always detects and blocks malware on svchost.exe after startup

This issue has occurred for the past week or two. Every time my brother starts up his custom-built gaming PC and logs in, Avast opens a notification on the taskbar stating that malware has been detected on svchost.exe.

[Attached image: virus-pic.png]

When clicking on "More details..." on the above message, the following Avast window opens stating that the infection has been blocked.

[Attached image: virus-pic-2.png]

According to the above window, the "C:\Windows\System32\svchost.exe" file is infected with infection URL:Mal with the following URL attached http://alwaysisobar.com/4141/LibrarySystem_142668955912748.dll. Avast blocks this infection though, and there is really no way to remove the infection from svchost.exe.

My brother and I have tried the following anti-malware software to attempt to detect this malware: MalwareBytes AntiMalware, TDSS Killer, and ESET Smart Security. None of these programs detected the malware that Avast detects.

Is there a way to remove the malware that has been infecting svchost.exe, or is this notification bogus? If it is bogus, is there a way to stop Avast from detecting the file as infected by malware?




20 Jun 2015   #2
Jacee
Microsoft MVP
Windows 7 Ultimate 32bit SP1

This is a browser add-on. Follow the instructions here: Alwaysisobar.com - Virus Lists and Removal Steps
20 Jun 2015   #3
braedensantos
Windows 7 Ultimate x64

I don't have that toolbar on that computer. Every time I start the computer and log in, the URL that Avast detects as attached to svchost.exe changes to some other URL for another malicious program. Then again, I have used a lot of anti-malware programs and they won't detect that particular malware that Avast has been detecting. I believe that this is an issue with Avast.

20 Jun 2015   #4
GokAy
Windows 7 Ultimate x64 SP1

Did you try enabling anti-rootkit scanning in MBAM? Settings > Detection and Protection > Detection Options.
20 Jun 2015   #5
cottonball
Windows 7 Home Premium

braedensantos,

It appears you are correct in assuming it is an avast! issue.

Please use the Farbar Recovery Scan Tool.
Download: Farbar Recovery Scan Tool Download
Select the version that applies to your system.
Save it to your Desktop.
Double-click the downloaded file to run it.

When the tool opens, click Yes to the disclaimer.
Press the Scan button.

When done, the tool makes a log, FRST.txt, in the same directory from which the tool is run (Desktop).

Please provide the FRST.txt in your reply.
The first time the tool is run, it also creates another log: Addition.txt

Also post the Addition.txt in your reply.


Next, please post the MBAM results also.
20 Jun 2015   #6
braedensantos
Windows 7 Ultimate x64

Quote: Originally Posted by cottonball
braedensantos,

It appears you are correct in assuming it is an avast! issue.

Please use the Farbar Recovery Scan Tool.
Download: Farbar Recovery Scan Tool Download
Select the version that applies to your system.
Save it to your Desktop.
Double-click the downloaded file to run it.

When the tool opens, click Yes to the disclaimer.
Press the Scan button.

When done, the tool makes a log, FRST.txt, in the same directory from which the tool is run (Desktop).

Please provide the FRST.txt in your reply.
The first time the tool is run, it also creates another log: Addition.txt

Also post the Addition.txt in your reply.


Next, please post the MBAM results also.
Thanks cottonball! Here are the FRST.txt and Addition.txt files that were created when I ran Farbar Recovery Scan Tool. Also, I had to run a scan on MBAM; here is the MBAM Results.txt. Hopefully, you can come up with a solution based on viewing the attached files.


20 Jun 2015   #7
cottonball
Windows 7 Home Premium

Is it possible for you to run FRST in Windows normally, and not in Boot Mode: Safe Mode (with Networking)?

This time, check the Addition.txt option, as it is run the first time the program is run, and then becomes an option after that.
21 Jun 2015   #8
braedensantos
Windows 7 Ultimate x64

Ran the FRST scan in Normal Mode; here are the new FRST.txt and Addition.txt created after the scan. Hopefully, there is a solution based on the information in these two text files.


22 Jun 2015   #9
cottonball
Windows 7 Home Premium

braedensantos,

My apologies for the delay... somewhat busy yesterday.

Please open Notepad (Start > All Programs > Accessories > Notepad)
Copy the entire contents of the code box below to Notepad.
Save it to the Desktop, and name it: fixlist.txt

Code:
start
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-2665363754-771674610-887522616-1001\...\Run: [GalaxyClient] => [X]
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
S3 cpuz136; \??\C:\Windows\TEMP\cpuz136\cpuz136_x64.sys [X]
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 GPUZ; \??\C:\Windows\TEMP\GPUZ.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VBoxNetFlt; system32\DRIVERS\VBoxNetFlt.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S3 vmci; \SystemRoot\system32\DRIVERS\vmci.sys [X]
S3 VMnetAdapter; system32\DRIVERS\vmnetadapter.sys [X]
Task: {35E72899-5DFF-425F-99B7-D75B311B5063} - \8474a30d-7a20-4ad3-9e3c-39f00dec7c84-6 No Task File
Task: {3CC675BB-EA09-497E-B3EF-7C92E3506478} - \8474a30d-7a20-4ad3-9e3c-39f00dec7c84-5 No Task File 
Task: {4037B746-3C75-49C1-AB0D-E8D3441BD13C} - \avabvbxvh No Task File 
Task: {4BF81BE4-3CA2-49AC-B026-F856D324001C} - \YourFile DownloaderUpdate No Task File 
Task: {4E3C1C26-DB0D-4D17-860D-22117FA8C827} - \8474a30d-7a20-4ad3-9e3c-39f00dec7c84-1-7 No Task File 
Task: {6F0CB11C-0BF9-46EA-8B33-FADBC3B62EE1} - \8474a30d-7a20-4ad3-9e3c-39f00dec7c84-3 No Task File 
Task: {77E6BCAD-F92E-407E-B4F1-5925E97A8F6C} - \avastBCLRestart_chrome.exe No Task File 
Task: {7FDD2C61-9CFC-4C3C-919A-93DD3C2A6DA7} - \8474a30d-7a20-4ad3-9e3c-39f00dec7c84-5_user No Task File 
Task: {84A1C935-09AA-4603-A1F4-471D26624742} - \3992efa1-667c-47bc-a70a-6cbcd74f8de2-5_user No Task File 
Task: {9115472E-CEFC-4E7A-AA52-5F2419281BC7} - \8474a30d-7a20-4ad3-9e3c-39f00dec7c84-10_user No Task File 
Task: {932848BF-365C-48AA-8485-1E3E5CB8DE13} - \3992efa1-667c-47bc-a70a-6cbcd74f8de2-1-7 No Task File 
Task: {9B456805-F273-45AD-8C48-628C48F73B43} - \GPUpdateCheck No Task File 
Task: {9E51D80F-6F47-4F81-A468-6C3913B06648} - \8474a30d-7a20-4ad3-9e3c-39f00dec7c84-1-6 No Task File 
Task: {BB77F587-A9B0-49E7-B3C8-825CEFD48F45} - \3992efa1-667c-47bc-a70a-6cbcd74f8de2-5 No Task File 
Task: {C2205787-D6F9-4584-9418-D3BDBD433364} - \3992efa1-667c-47bc-a70a-6cbcd74f8de2-3 No Task File 
Task: {C4B7A44A-9200-4327-B915-CAAB48F7B57B} - \3992efa1-667c-47bc-a70a-6cbcd74f8de2-1-6 No Task File 
Task: {C5BA47A5-31FE-40DF-AC4D-83D07631DCFB} - \3992efa1-667c-47bc-a70a-6cbcd74f8de2-6 No Task File 
Task: {CDD2EB22-FE86-446E-B034-064F2E68FC95} - \8474a30d-7a20-4ad3-9e3c-39f00dec7c84-7 No Task File 
Task: {E143E69F-E170-4643-A2E0-016B84DF3EA9} - \8474a30d-7a20-4ad3-9e3c-39f00dec7c84-11 No Task File 
Task: {E95154A3-2594-4DB9-BDC3-AC85DFA5300F} - \3992efa1-667c-47bc-a70a-6cbcd74f8de2-11 No Task File 
Task: {FA056246-A7C0-4F3A-928C-89DD1D2D594A} - \3992efa1-667c-47bc-a70a-6cbcd74f8de2-7 No Task File 
Task: {FE0B7A01-22A7-4B9A-841B-1EB582FCC25F} - \Crossbrowse No Task File 
C:\Users\Cameron Santos\AppData\Local\Temp\7za.exe
C:\Users\Cameron Santos\AppData\Local\Temp\DaS_21.exe
C:\Users\Cameron Santos\AppData\Local\Temp\hijackthis.exe
C:\Users\Cameron Santos\AppData\Local\Temp\NirCmd.exe
C:\Users\Cameron Santos\AppData\Local\Temp\PEVZ.EXE
C:\Users\Cameron Santos\AppData\Local\Temp\Quarantine.exe
C:\Users\Cameron Santos\AppData\Local\Temp\remove.exe
C:\Users\Cameron Santos\AppData\Local\Temp\sed.exe
C:\Users\Cameron Santos\AppData\Local\Temp\shortcut.exe
C:\Users\Cameron Santos\AppData\Local\Temp\sqlite3.dll
C:\Users\Cameron Santos\AppData\Local\Temp\swreg.exe
C:\Users\Cameron Santos\AppData\Local\Temp\swxcacls.exe
C:\Users\Cameron Santos\AppData\Local\Temp\wget.exe
C:\Users\Cameron Santos\AppData\Local\Temp\zoek-delete.exe
emptytemp:
end
NOTICE: This script is written specifically for this computer!!!
Running this on another computer may cause damage to the Operating System.

If for some reason the tool needs a restart, please let the system restart normally. After that let the tool complete its run.

Now, please run FRST or FRST64, and press the Fix button, just once, and wait.

When done, the tool creates a report on the Desktop called: Fixlog.txt
Please post the Fixlog.txt in your reply.


Next, please use the tool: Zoek

First, temporarily disable your AV program.
Info on how to disable your security applications > How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides

Zoek Download > http://download.bleepingcomputer.com/smeenk/zoek.exe
When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator (Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:

Code:
createsrpoint;
emptyfolderscheck;delete
emptyclsid;
emptyalltemp;
autoclean;
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the system drive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.

Also, please provide an update on whether you are still having the same issue with avast!
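An added example, not from this thread and not part of Avast, FRST or Zoek: a read-only PowerShell triage for the question posed in post #1 (is svchost.exe itself infected, is something it hosts making the request, or is the alert bogus?). It also lists the same class of orphaned persistence entries that the fixlist above removes (tasks and Run entries whose target file is gone). It assumes an English-locale Windows 7 with PowerShell 2.0 or later, run from an elevated prompt; the paths are standard Windows locations, and none of the values come from the poster's logs.

```powershell
# Added example: read-only triage for "Avast blocked URL:Mal from svchost.exe".
# svchost.exe is only a host process, so the useful questions are: is the binary
# itself still the Windows one, which services (and which ServiceDlls) is each
# instance running, and what persistence entries point at files that no longer
# exist (the "[X]" / "No Task File" lines in an FRST fixlist are that category).
# Assumptions: Windows 7 with PowerShell 2.0 or later, English locale (schtasks
# column names), elevated prompt. Standard paths only; nothing here is taken
# from the poster's logs, and nothing is deleted or changed.

function Get-FileSha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    return ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

# Pull the executable path out of a command line such as  "C:\x\y.exe" /arg  or  C:\x\y.exe /arg
function Get-ExecutableFromCommand {
    param([string]$Command)
    if ($Command -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($Command -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

# 1. The host binary. Windows 7 system files are mostly catalog-signed, so
#    Get-AuthenticodeSignature can report NotSigned on a clean file; treat the
#    SHA-256 (compared with a known-good install, or Sysinternals sigcheck with
#    catalog checking) as the stronger evidence.
$svchost = Join-Path $env:SystemRoot 'System32\svchost.exe'
$status  = (Get-AuthenticodeSignature -FilePath $svchost).Status
"svchost.exe  SHA256=$(Get-FileSha256 $svchost)  Authenticode=$status"

# 2. Each svchost.exe instance, the services it hosts, and where their DLLs live.
$svchostPids = @()
foreach ($p in (Get-WmiObject Win32_Process -Filter "Name='svchost.exe'")) {
    $svchostPids += $p.ProcessId
    "--- PID $($p.ProcessId)  $($p.CommandLine)"
    foreach ($s in (Get-WmiObject Win32_Service -Filter "ProcessId=$($p.ProcessId)")) {
        $base = "HKLM:\SYSTEM\CurrentControlSet\Services\$($s.Name)"
        $dll  = (Get-ItemProperty "$base\Parameters" -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { $dll = (Get-ItemProperty $base -ErrorAction SilentlyContinue).ServiceDll }
        $verdict = 'no ServiceDll'
        if ($dll) {
            $dll = [Environment]::ExpandEnvironmentVariables($dll)
            if (-not (Test-Path -LiteralPath $dll)) { $verdict = 'MISSING FILE' }
            elseif ($dll -like "$env:SystemRoot\*") { $verdict = 'under %SystemRoot%' }
            else { $verdict = 'OUTSIDE %SystemRoot% - inspect' }
        }
        "    {0,-22} {1,-60} {2}" -f $s.Name, $dll, $verdict
    }
}

# 3. Live TCP connections owned by those PIDs, to tie a web block to one instance.
netstat -ano | Where-Object { $_ -match '^\s*TCP' } | ForEach-Object {
    $f = -split $_                        # Proto  Local  Foreign  State  PID
    if ($svchostPids -contains [int]$f[4]) { "    $_" }
}

# 4. Scheduled tasks whose target no longer exists. Get-ScheduledTask does not
#    exist on Windows 7, so parse schtasks CSV; the verbose output repeats its
#    header row per task folder, which the Where-Object filter drops.
$tasks = schtasks /query /fo CSV /v | ConvertFrom-Csv | Where-Object { $_.TaskName -ne 'TaskName' }
foreach ($t in $tasks) {
    $cmd = $t.'Task To Run'
    if (-not $cmd -or $cmd -eq 'N/A') { continue }
    $exe = Get-ExecutableFromCommand $cmd
    if ($exe -match '\\' -and -not (Test-Path -LiteralPath $exe)) {
        "ORPHANED TASK   {0}  ->  {1}" -f $t.TaskName, $cmd
    }
}

# 5. Run keys (per-user, machine, and the WOW6432Node view) with missing targets.
$runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run')
foreach ($k in $runKeys) {
    $key = Get-Item -Path $k -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        $cmd = [string]$key.GetValue($name)
        $exe = Get-ExecutableFromCommand $cmd
        if ($exe -match '\\' -and -not (Test-Path -LiteralPath $exe)) {
            "ORPHANED RUN    {0}\{1}  ->  {2}" -f $k, $name, $cmd
        }
    }
}
```

Save it as triage.ps1 and run it with `powershell -ExecutionPolicy Bypass -File triage.ps1`. A ServiceDll outside %SystemRoot%, a missing ServiceDll file, or a svchost PID holding connections to the flagged host is what to examine (and what to hand to whoever is helping with the logs); a matching hash and only Microsoft DLLs under %SystemRoot% point toward a false positive or a browser-side cause rather than an infected host binary.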