ipinfo.io/ip being called on boot.

Greetings Avast Community,

I have noticed during the boot up process that Avast scans the following URL.

http://ipinfo.io/ip

I was wondering if Avast or anything else (such as drivers) could be proactively making this call on boot.

It seems like an application is attempting to get my public IP address by calling the said API.

I have scanned the system with MBAM and haven’t found a single piece of malware. I also checked msconfig for good measure to see if there were any strange/abnormal boot scripts, and finally I checked the services to see if there were any new/strange services.

I’m attaching the image of the URL in question.

https://forum.avast.com/index.php?topic=53253.0

Hi Eddy, MBAM scan is clean as is the Avast one. I’m suspecting it’s more to do with drivers.

Not sure as of yet but wanted to pass the information onto you.

Thanks
Oliver

Hi Eddy, MBAM scan is clean as is the Avast one. I'm suspecting it's more to do with drivers.
That's why the diagnostic logs are the important ones to spot problems...

Is that the Farbar utility? I’ll look into downloading it as soon as possible.

Thanks
Oliver

Yes, Farbar will create two log files.
Attach them both.

Hi Eddy,

Before we start running the diags (sorry, it was a pretty hectic day yesterday), I noticed that one of the analysts is using an uninstall utility. Will this be required after running the new Farbar utility? Previously I recall analysts using OTL and uninstalling it by removing the executable. Does Farbar install more traces on the system side of things?

Many Thanks
Oliver

We have a tool to remove all the used scan utilities.
So, don’t worry.
Just attach the requested logs.

Hi Eddy,

The Farbar utility was sandboxed as it entered my network. (I checked the logs; it seems the file is an unsigned executable.) Cyren (GlobalView) is currently claiming Farbar is a trojan.

Farbar is not malware, Cyren is wrong.

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

I was able to get a net admin to bypass the rule. I have downloaded the application, however it’s not responding. (It’s saying it’s checking for updates.)

I’m attaching the logs; do let me know once you have downloaded them so I can remove them from public view.

Thanks

Nothing untoward showing, although you do appear to have some bad sectors on the HDD.

The IP address is for your router :)

Hey Essexboy,

Good to hear!

The IP address lookup URL? I located the URL after watching the active scans on Avast’s web shield service, the local one is fine but the ipinfo.io/ip lookup is rather strange.

As for the bad sectors:

I have noticed the HDD has been pretty loud during boot (grinding noises). (I did run SeaTools and WD Lifeguard, to no avail and with no error messages.) Does the utility mention which hard drive currently has the bad boot sectors?

I look forward to hearing back from you. Will we be using the uninstaller tool?

Thanks
Oliver

If you click the link you will come out with an IP address.

In my case it was 2.223.249.227.
If I then go to that address by pasting it into IE, my router page opens… Try it.
I think this may be Avast just checking the availability of your router, but I could be wrong.

You can manually delete FRST from the desktop and the folder created on the C drive.

The bad sectors are on the C drive, so a chkdsk /r should clear them.

Roger that,

Does the FRST utility leave behind any registry edits?

I do have delfix 10.8 downloaded on standby if that helps clear up the utilities (Eddy mentioned using a utility).

Many Thanks
Oliver

If you have delfix you can use that, but it will purge your restore points unless you remove the tick from that box.

There are no registry entries for FRST.

Thanks essexboy!

I have selected to remove disinfection tools only. Is that OK, or should I select any of the other options?

Many Thanks
Oliver

Nope, that should be good; any hidden files will still be visible unless you wish to reset that.

Hi Essexboy, many thanks for the prompt response!

I’m happy to remove any hidden files manually; would you happen to know the location of them?

Many Thanks
Oliver