Help with a threat detection please!

Hi, recently (I don’t remember what I installed or what web page I visited before this started happening) on every Windows start-up (Windows 10) Avast gives me this pop-up: “Threat secured. We’ve safely aborted connection on m.msz.su because it was infected with URL: Blacklist.
Threat name: URL: Blacklist
Severity: low
URL: hxtp://m.msz.su/x.exe
Process: C:\Windows\System32\scvhost.exe”
Any idea what it is and how can I make it stop?

Wow! Nothing? Nobody can tell me anything, huh? Amazing!

That website is indeed malicious: https://www.virustotal.com/gui/url/b501ca83b93f04235e8b880365e6b52288896df1e76ec7f5d383a659c941d12d/detection
Website server has vulnerabilities http://httpd.apache.org/security/vulnerabilities_24.html

Totally reset the web browser and cleanse using AdwCleaner: https://www.malwarebytes.com/adwcleaner/

You could also choose to cleanse under guidance of a qualified remover.
Then wait for one to appear here in this thread.

polonus

Thank you for your answer. I already had to reinstall Windows due to not being able to boot after using AdwCleaner. And now my TV/capture card is not working ;(
All this for a low-level warning pop-up! I swear this Windows 10 is gonna make me a Linux user pretty soon (if only I didn’t game on my PC, due to my consoles becoming obsolete).
Anyway sorry for venting a little, thanks again.

I have this exact problem. Got a feeling it started when I installed some MSI drivers, but I am not sure.
Been troubleshooting for a while now. Quite certain something is wrong with the computer. But no virus programs are detecting anything.

The machine is recently formatted.

ESET Online Scanner found nothing. Avast doesn’t find anything. Malwarebytes finds nothing. Also tried a few rootkit scans. I cannot pinpoint the service trying to connect to this website in Process Explorer.
Zonealarm does not register this access request.

We should not leave that live malicious link unbroken in this thread.
It is now detected by several engines: https://www.virustotal.com/gui/url/b501ca83b93f04235e8b880365e6b52288896df1e76ec7f5d383a659c941d12d/detection

Moreover, dot su (Soviet Union) after domain names is suspicious, and many such domains are used in a malicious way,
so this should in some way alert us when we meet such domains.

Re: on IP: https://www.shodan.io/host/23.106.124.56

On that hosting server: mod_evasive. There is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection tool, and can be easily configured to talk to ipchains, firewalls, routers, and helps to evade DDoS attacks. (mod_evasive2/1.10.1-win)

Missed here: https://www.virustotal.com/gui/ip-address/23.106.124.56/relations

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

The URL is not really the problem, though. It’s finding whatever is trying to connect to it, on every startup. Seems to run once on boot. Nothing special in registry startup keys. And I could not spot any malicious services in MMC. Although I don’t know enough about services to spot something out of place easily.

Hi,

I added Block for whole domain and added some more detections.

Hopefully the whole infection chain would be cleared now.

Regards,
PDI

Did not pop up on the latest restart, at least. :slight_smile:

I still do not find any malware/other detections when scanning the computer, though. Something must be there, trying to connect to this malicious site? Or am I misunderstanding something about how this might work?

Hi,

The detection was caused by a malicious PowerShell script. It’s using BITS transfer, which is why svchost is reported.

You can try https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns to check if there aren’t records for cmd.exe and/or powershell.exe.

Regards,
PDI

As I said the detection went away for a few days, but popped up again now, today.
I followed the instructions and searched for all entries of powershell or cmd.exe.
I found two instances. Which I followed to the images, and one of them came up as a virus detection. I moved this to the chest. Not sure what it does.

Hi,

The PNPR.PS1 file is the one I created the detection for.

Check if there is a record for it in Autoruns and if you find it, remove it manually.

Regards,
PDI

Thanks for all the help. :slight_smile:

In case someone else has this issue, I traced the script in the ps1 file to two other locations. They contained 1.reg and 2.reg, with 0 and 00 as the only input.
All files are now deleted. And will hopefully stay that way. Not sure if I can post a picture of the script, so I left it out. The paths were c:\windows\panther\setup.exe\ (not file, a folder), and c:\windows\servicing.
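As an added example that is not code from this thread, from Avast or from PDI, the following PowerShell triage script follows PDI's advice in the earlier post (check for startup records of cmd.exe and powershell.exe, and remember that the connection shows under svchost.exe because the download ran over BITS) and the file locations reported in this post. It lists BITS jobs for all users, Run/RunOnce values and scheduled tasks that launch powershell.exe or cmd.exe, flags those binaries when they run from outside the usual Windows directories, and looks for the 1.reg, 2.reg and PNPR.PS1 names in the folders named above. The function names, the list of expected directories and the inclusion of C:\Windows\Logs are my own assumptions; it assumes an elevated Windows PowerShell 5.1 session on the affected Windows 10 machine.

```powershell
# Added triage script (not from this thread). Assumption: run elevated in Windows PowerShell 5.1
# on the affected Windows 10 host. Thread-reported names and folders are things to look for,
# not proof of infection; inspect each hit before deleting anything.

Import-Module BitsTransfer
Import-Module ScheduledTasks

# Binaries the thread's responder asked to look for in Autoruns, plus the BITS client tool.
$suspectBinaries = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'bitsadmin.exe')

# Directories where cmd.exe / powershell.exe legitimately live (assumed list). A copy running
# from anywhere else, such as the c:\windows\logs\cmd.exe entry reported later, deserves a look.
$expectedDirs = @('\Windows\System32\', '\Windows\SysWOW64\', '\WindowsPowerShell\', '\PowerShell\')

function Test-SuspectCommand {
    param([string]$CommandLine)
    foreach ($bin in $suspectBinaries) {
        if ($CommandLine -match [regex]::Escape($bin)) { return $true }
    }
    return $false
}

function Test-UnexpectedPath {
    param([string]$ExePath)
    $p = $ExePath.Trim('"')
    if ($p -notmatch '\\') { return $false }      # bare name resolved via PATH: nothing to judge
    foreach ($d in $expectedDirs) {
        if ($p -like "*$d*") { return $false }
    }
    return $true
}

$findings = New-Object System.Collections.Generic.List[object]

# 1. BITS jobs for every user. The download in this thread went over BITS, which is why
#    Avast attributed the connection to svchost.exe (the service host that runs BITS).
foreach ($job in Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue) {
    $urls = ($job.FileList | ForEach-Object { $_.RemoteName }) -join '; '
    $findings.Add([pscustomobject]@{ Source = 'BITS job'; Name = $job.DisplayName
                                     Detail = "$($job.JobState) owner=$($job.OwnerAccount) url=$urls" })
}

# 2. Run / RunOnce keys: machine-wide, the 32-bit view, and the current user.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')  # added by Get-ItemProperty
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($metaProps -contains $prop.Name) { continue }
        $cmd = [string]$prop.Value
        if (Test-SuspectCommand $cmd) {
            $findings.Add([pscustomobject]@{ Source = $key; Name = $prop.Name; Detail = $cmd })
        }
    }
}

# 3. Scheduled tasks whose action launches a suspect binary, with a flag when that binary
#    sits outside the expected directories.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        $exe = [string]$action.Execute
        if (-not $exe) { continue }                  # COM-handler actions have no Execute
        $line = "$exe $([string]$action.Arguments)"
        if (Test-SuspectCommand $line) {
            $note = if (Test-UnexpectedPath $exe) { 'UNEXPECTED PATH: ' } else { '' }
            $findings.Add([pscustomobject]@{ Source = "Task $($task.TaskPath)$($task.TaskName)"
                                             Name = [string]$task.State; Detail = "$note$line" })
        }
    }
}

# 4. Artifact names and folders reported in this thread, plus any copy of a suspect binary there.
$artifactNames = @('1.reg', '2.reg', 'PNPR.PS1')
$artifactDirs  = @('C:\Windows\Panther\setup.exe', 'C:\Windows\servicing', 'C:\Windows\Logs')
foreach ($dir in $artifactDirs) {
    Get-ChildItem -Path $dir -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { ($artifactNames -contains $_.Name) -or ($suspectBinaries -contains $_.Name) } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{ Source = 'File'; Name = $_.FullName
                                             Detail = "$($_.Length) bytes, modified $($_.LastWriteTime)" })
        }
}

$findings | Format-Table -AutoSize -Wrap
```

Autoruns covers far more start locations than the Run keys and task scheduler checked here, so this script is a quick first pass to run before or alongside it; a BITS job that points at a URL the user does not recognise, or a cmd.exe that lives in C:\Windows\Logs rather than System32, is the kind of hit worth inspecting first.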

I’m currently having this exact same problem, just installed a new windows, downloaded avast, 2 hardware monitors to test if everything was alright and some specific drivers/programs for my peripherals.
The blacklist error is now popping up after every reset but the page changed:
Threat: URL:Blacklist
URL: htxp://m.msz.su/1.reg
Process: C:\Windows\System32\svchost.exe
Detected by: Web Shield
Status: Connection aborted

What can I do to fix it? I checked autoruns as suggested and found this:
Registration for device management Registration for device management: Perform device registration activities for device management. (Verified) Microsoft Windows c:\windows\logs\cmd.exe 4/9/1975 3:47 AM

Hi sevienetito13,

Please block that live link like with -http or hxtp:// etc.
The link probably is not “live” anymore, but we do not want the uninformed clicking such live links here.

Always keep at the back of your head that when you see a link ending in dot su, do not click:
su (Soviet Union) domains are known to be suspicious and therefore may come on a deny list by default.

The term blcklist should now preferably be written as deny list, whtelist then becomes allow list.
Even unix kernel code terms no longer will have a term like bl*cklist.
They will adopt this new unbiased terminology.

polonus (volunteer 3rd party cold recon website security-analyst and website error-hunter)

Resilience & Security a mere 20%, see: https://dnsspy.io/scan/msz.su
Recommendations

We detected the following errors or warnings about your DNS configuration. These caused your DNS rating to be lowered. Resolving these will grant a higher DNS Spy rating for your domain.

All IPv4 nameservers are hosted by the same provider (AS13335 - CLOUDFLARENET, US). Consider spreading the nameservers across multiple DNS providers for increased redundancy.
All IPv6 nameservers are hosted by the same provider (AS13335 - CLOUDFLARENET, US). Consider spreading the nameservers across multiple DNS providers for increased redundancy.
No DNSSEC records found. Consider enabling DNSSEC, as it provides a way to validate DNS responses for data integrity.
All the nameservers are being operated from a single domain (cloudflare.com). If that domain gets compromised or goes offline, the DNS will be unavailable. Consider spreading the nameservers across multiple domains.

Hosted in Singapore @LeaseWeb Asia → https://www.shodan.io/host/23.106.124.56 Apache mod_evasive2/1.10.1-win -
mod_evasive is a module for Apache that provides evasive action in the event of an HTTP Distributed Denial of Service (DDoS/DoS) attack or brute force attack 23.106.124.56

pol

Thanks for answering, I changed the live link as you said and will keep in mind the use of deny/allow list. I don’t understand what the info of dnsspy means. Is Avast denylisting the page for some reason? But do we know why my PC is trying to connect to that page from an svchost.exe? Is there something else I should check?

Hi sevienetito13,

I do not know that, because malware or compromise is often rather short-lived.
Seems it has not survived up to now, and the main domain is not malicious.

For you it is important to know that by blocking it at the time, Avast has kept you out of harm’s way,
and you haven’t become infested, at least not by this particular threat.
That is a reassuring thought, isn’t it?

I wish you a pleasant day,

polonus (volunteer 3rd party cold recon website security-analyst and website error-hunter)