Mal URL...likely false positive?

I received this pop-up today…which is extremely odd. Called the software maker…they say some AVs have been giving false positives since the last update of their software. The software was NOT running at the time of the pop-up. Software did crash last night, however. Scan underway.

Infection Details
URL: http://www.evasionk.be/m1105.htm
Process: C:\Programs\PartyGaming\PartyGaming.exe
Infection: URL:Mal

Detection is legit. The IP has been blacklisted.

See: http://www.urlvoid.com/ip/213.186.33.48/
And: http://urlquery.net/report.php?id=1010532

~!Donovan

It isn’t the software that avast is alerting on but the site that it is connecting to hXXp://www.evasionk.be/m1105.htm

I think that your problem stems from the fact that there are 15 other domains on that IP address and several of them are/have been infected. http://www.urlvoid.com/scan/evasionk.be/, scroll to the bottom of the page to see the other domains.

This is likely to be an IP block rather than a domain block, this shows clean, http://sitecheck.sucuri.net/results/www.evasionk.be/m1105.htm.

####
There is an on-line contact form, http://www.avast.com/contact-form.php?loadStyles for: * Sales inquiries; Technical issues; Website issues; Report false virus alert in file; Report false virus alert on website; Undetected Malware; Press (Media) issues.

  • If you are reporting an FP, then you get another input field open, enter the web URL for the site you wish to submit for Network Shield review, etc. A link to this topic also wouldn’t hurt.
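The distinction drawn above (an IP-level block catching a clean domain that merely shares a host with infected ones, versus a domain-level block on the infected names) is easy to model. The following is an added example, not code from the thread, avast, or any of the sites linked: it uses the IP 213.186.33.48 and the domain evasionk.be from the thread, but the neighbouring domain names and the second IP are constructed placeholders, and the offline `DNS` table stands in for real resolution. It classifies a URL as clean, domain-blocked, or IP-blocked, lists the co-hosted domains that an IP block sweeps in, and flags the case worth sending for a Network Shield review.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed offline stand-in for DNS (domain -> IP). Only evasionk.be and
# 213.186.33.48 come from the thread; the other names and addresses are made up.
DNS = {
    "www.evasionk.be": "213.186.33.48",
    "evasionk.be": "213.186.33.48",
    "neighbour-one.example": "213.186.33.48",
    "neighbour-two.example": "213.186.33.48",
    "unrelated.example": "198.51.100.7",
}

# Two kinds of entry a malicious-sites list can carry (constructed values).
DOMAIN_BLOCKLIST = {"neighbour-one.example"}            # hosts actually found infected
IP_BLOCKLIST = [ipaddress.ip_network("213.186.33.48/32")]  # whole shared host blocked


def hostname(url):
    """Extract the lowercase hostname, accepting defanged hXXp:// URLs as the thread writes them."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    host = urlsplit(url).hostname
    return host.lower() if host else None


def resolve(host):
    """Offline lookup against the constructed DNS table; None if unknown."""
    return DNS.get(host)


def neighbours(ip):
    """All domains in the table that resolve to the given IP (shared hosting)."""
    return sorted(d for d, a in DNS.items() if a == ip)


def classify(url):
    """Return a verdict dict: domain-block, ip-block (with co-hosted domains), or clean."""
    host = hostname(url)
    ip = resolve(host) if host else None
    if host in DOMAIN_BLOCKLIST:
        return {"verdict": "domain-block", "host": host, "ip": ip, "shared_with": []}
    if ip is not None:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in IP_BLOCKLIST):
            others = [d for d in neighbours(ip) if d != host]
            return {"verdict": "ip-block", "host": host, "ip": ip, "shared_with": others}
    return {"verdict": "clean", "host": host, "ip": ip, "shared_with": []}


def review_candidate(url):
    """True when the URL is hit only by an IP block and its own domain is not listed:
    the situation where asking for a domain-level review makes sense."""
    r = classify(url)
    return r["verdict"] == "ip-block" and r["host"] not in DOMAIN_BLOCKLIST


def refine_ip_block(ip):
    """Show what a review might produce: split an IP block into the co-hosted
    domains that stay blocked (already on the domain list) and those released."""
    keep = [d for d in neighbours(ip) if d in DOMAIN_BLOCKLIST]
    release = [d for d in neighbours(ip) if d not in DOMAIN_BLOCKLIST]
    return {"keep_blocked": keep, "release": release}


if __name__ == "__main__":
    for u in ("hXXp://www.evasionk.be/m1105.htm",
              "http://neighbour-one.example/index.htm",
              "http://unrelated.example/"):
        print(u, "->", classify(u), "review:", review_candidate(u))
    print(refine_ip_block("213.186.33.48"))
```

Running it shows the thread's situation: `www.evasionk.be` is not on the domain list, yet it is blocked because its address is, and three other names share that address. The refinement step is the outcome an FP review aims for: only the domains actually found infected remain blocked.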

You will have to excuse me, David, I am a little new at this. I guess what I am wondering is why the software PartyGaming.exe showed up as the process listed. It wasn’t running at the time. A full scan came back clean, so I don’t get the connection between the process and the blocked URL. Party Gaming (Party Poker) is a widely used program. I get warnings like this often enough when using StumbleUpon, but it always lists the browser as the process; in this case I had just popped open a blank tab. Some or all of the timing may be coincidence…

You don’t necessarily have to be using it for it to be active, unfortunately I have never used this program so have zero knowledge of it. All I can say from the avast alert is that that process was responsible for that connection being made.

Thank you for that clarification, David. I have never once had Avast fail me, so I took the threat as real. I still cannot get the process to show positive in a scan, but that stuff is way over my head. I have informed tech support at Party Gaming and advised them of this thread. Party Gaming is probably the world’s largest online Poker and Casino site, so I am sure this will grab their attention.
Perhaps they should be running Avast as well :wink:

You won’t get a positive alert on the process as I said in my first post:

It isn't the software that avast is alerting on but the site that it is connecting to hXXp://www.evasionk.be/m1105.htm

So why it is connecting to that site is the question and one that we avast users can’t answer.

Think this mainly is IP-related: http://urlquery.net/report.php?id=1010853
I think an exclusion for that domain should be requested via a mail to virus AT avast dot com.

polonus

!Donovan and I have both indicated that this is most likely to be an IP Block.

IP related or not it would be nice to understand why that program is making a connection there when the user isn’t using the program.

Since this happened immediately following a software upgrade, it is suspicious, is it not? Not happy it skipped past my firewall like it wasn’t there. All outgoing requests are SUPPOSED to be manually approved. (Not your firewall).

As we have said there is likely to be an IP block which includes that domain, which otherwise may not be detected if visited. The URL:MAL indicates it is on a block list, the avast malicious sites list, we ‘avast users’ don’t know if that is an IP or a Domain name block.

That is why I suggested reporting it for a network shield review, which may remove an IP block and only block infected domain names on that IP address.

As for skipping past your firewall (but you don’t say what it is or I missed it), that isn’t so strange as you have probably already allowed that process internet access, not what it can or can’t access.

This could be the case, as an attacker could impersonate the update server. This has been reported before, in 2008: http://security-objectives.com/advisories/SECOBJADV-2008-03.txt

pol

Hi Polonus,

A very interesting resource, but I do have one question. Do they still continue the site? It looks abandoned.
http://security-objectives.com/advisories/

~!Donovan

Hi !Donovan,

Their main cloud security solution “Block Watch” was acquired by IOActive: http://www.prweb.com/releases/ioactive/blockwatch/prweb9735830.htm
This was the reason for the discontinuation of this site, and there I get a 404: http://www.ioactive.com/404
Rather see: http://info.ioactive.com/bh-2012.html

But read this: http://www.google.com/url?q=http://www.blackhat.com/presentations/bh-usa-09/MDAVIS/BHUSA09-Davis-AMI-SLIDES.pdf&sa=U&ei=934fUbePKIXWygG_s4HwCA&ved=0CDsQFjAJ&usg=AFQjCNGJYwLFbN1ip__v08FDIpz7PZGCmA

pol

Hi Polonus,

Let’s continue discussion via PM.

~!Donovan