False positive or what is going on?

Network Shield on a system I’m working on keeps giving the attached message with varying IP addresses…

svchost.exe scans clean with avast, superantispyware and virustotal.

What is going on here? Are these false positives or what? What is causing the various warnings?

This system just had a fake System Defender malware on it that has since been removed.

What IP addresses has this happened with, and how many? Are you sure it’s the “exact” same URL?
Having just one screen shot isn’t much to go on. If you include the URL, change it to “hxxp”.

This isn’t a false positive; the 66.230.138.163 IP belongs to ISPrime, and a search of the forums will find many such instances of this.

So this will require further analysis:

Note: this says attach the file (too big for copy and paste; use the Additional Options in the Reply window to attach the file).

EDIT: Also see http://forum.avast.com/index.php?topic=83359.0, but don’t use any of those fix scripts, as they are unique to that user’s system.

You may also need to run OTL.

OK, I’ll give that a go as soon as I’m done downloading Vista SP2 and doing a scan with Malwarebytes; it has come up with 3 results already.

And the avast warning does not give me any URLs, just various IP addresses. The last one was 68.169.92.53. These warnings pop up without any browser windows open.

That is a URL; the object in your image is an IP address, which is a URL, and it equated to the address in my image at ISPrime. The latest IP address you gave is also ISPrime.
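Since the alerts name only IP addresses and no browser is open, the next triage step is to find which local process (and, for svchost.exe, which hosted service group) actually owns the connections. The following is an added example, not code from this thread or from Avast: it parses `netstat -ano` and `tasklist /svc` output (constructed samples here; the two IPs are the ones quoted above, IPv4 only) and reports the owning process for every connection to a flagged address.

```python
import re

FLAGGED_IPS = {"66.230.138.163", "68.169.92.53"}  # addresses quoted in the thread

# Constructed sample of `netstat -ano` output (Proto, Local, Foreign, State, PID).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49213     66.230.138.163:80      ESTABLISHED     1044
  TCP    192.168.1.10:49220     93.184.216.34:443      ESTABLISHED     2588
  TCP    192.168.1.10:49231     68.169.92.53:80        SYN_SENT        1044
  UDP    0.0.0.0:3702           *:*                                    1188
"""
# Constructed sample of `tasklist /svc` output (image name, PID, hosted services).
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                   1044 BITS, wuauserv
iexplore.exe                  2588 N/A
svchost.exe                   1188 Dnscache
"""
# UDP rows have no State column, so that field is optional.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
TASKLIST_RE = re.compile(r"^(\S+\.exe)\s+(\d+)\s+(.*)$")


def parse_tasklist(text: str) -> dict:
    """Map PID -> (image name, hosted services) from `tasklist /svc` text."""
    owners = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            owners[int(m.group(2))] = (m.group(1), m.group(3).strip())
    return owners


def find_flagged_connections(netstat_text: str, tasklist_text: str, flagged: set) -> list:
    """One record per netstat connection whose remote IPv4 address is in `flagged`."""
    owners = parse_tasklist(tasklist_text)
    hits = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, _local, remote, state, pid = m.groups()
        ip = remote.rsplit(":", 1)[0]  # drop the port (IPv4 form only)
        if ip in flagged:
            image, services = owners.get(int(pid), ("<unknown>", ""))
            hits.append({"ip": ip, "proto": proto, "state": state or "", "pid": int(pid),
                         "image": image, "services": services})
    return hits
```

A hash-clean svchost.exe that still owns these connections points at the service group it hosts (or a DLL loaded into it), which is why the hosted services column matters more than the image name.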

Here is the result from OTS

and the result from Malwarebytes

It will need someone to analyse your OTS log; it is 23:40 in the UK, so essexboy may not be back on-line until tomorrow.

Looking at your MBAM log shows your OS is missing an SP, SP2 was released ages ago, so when this is resolved you need to update your OS. The same is true of IE8 since you can use IE9 with Vista and that and Vista SP2 (plus later security updates) should mean your system is less vulnerable to attack.

Yeah, this is a client’s computer. I’m updating to SP2 as we speak.

OK, well then, if it takes that long for someone to get a fix back, I’ll either have to come back with a fix or do it remotely.

See here for additional info that may be relevant:

Nov 25th, 2010 Avast URL:Mal and svchost
http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/327512

Good luck.

On completion of this run, can you let me know if the alerts have ceased?

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< HOSTS File > ([2011/08/20 11:44:09 | 000,000,916 | RH-- | M] - 25 lines) -> C:\Windows\System32\drivers\etc\hosts
YN -> Reset Hosts -> 
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab [Java Plug-in 1.6.0_07]
[Files/Folders - Modified Within 30 Days]
NY ->  8o2qb081k087ev6 -> C:\ProgramData\8o2qb081k087ev6
[Files - No Company Name]
NY ->  8o2qb081k087ev6 -> C:\ProgramData\8o2qb081k087ev6
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

Thanks essex. I’ll report back later with the results.

Well, I was still getting the warning after running that OTS fix, but after a few scans with TDSSKiller and Malwarebytes, along with making sure all of the latest security updates were installed for Windows, the alerts are gone and all malware scans are coming up with no results.

The MBR infections are now appearing to be the norm as opposed to rare.

I have added aswMBR to the logs required post.