malwarebytes:successfully blocked...malicious attempt...162.210.19 source: avast

This has been going on for a few days now, I would like to get it resolved… thanks for all help!!
Avast was giving me notifications like “avast has blocked a harmful webpage” quite frequently. I installed Malwarebytes Anti-Malware and scanned, checked everything, and deleted what it found. However, the problem did not end there. Now, avast no longer notifies me with “avast has blocked a harmful webpage.” Instead, I get Malwarebytes saying something like “Successfully Blocked Access to 162.210.192.21.” When I get this message, it says the source is avastsvc.exe. When I disable avast, it then says my browser (firefox) is the source.

My computer works fine, it boots up normally and such. I have attached the OTL logs… thanks again

Wait for a qualified removal expert to help you here.
In the mean time you could read: https://forums.malwarebytes.org/index.php?showtopic=137397
Mind that that thread there was meant for another individual user and the info cannot be adopted by you, you can seriously do damage to your OS!
You have to wait for a qualified remover to appear here to-morrow to assist you on the basis of the very logs that you provided.

polonus

Okay, thank you. Yes I saw that and was reading over it. Just wondering, do you have any suggestions for the meantime?

I’ve had those issues as well. Except they are pretty scarce

Hi,
@needshelp3
While I’m looking into OTL logs, please attach here aswMBR log as well.
http://forum.avast.com/index.php?topic=53253.0

Hi magna86,
thank you for looking at the OTL logs! I was trying a scan with aswMBR but my computer suddenly blue-screened (hasn’t done that in at least 1.5 years)… now I am not sure if I should try it again? Let me know if I should.

Ok, we shall preform AntiRootkit Scan later.

Please download zoek.zip or zoek.rar by smeenk (
http://www.mcshield.net/personal/magna86/Images/Zoek_icon.png
) from here or here and save it to your Desktop.
Unpack the archive…

[*]Close any open browsers
[*] Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.

[*]Double click on zoek.exe to run the tool .
Please wait while the tool does not start…

[*]Copy the text present inside the code box below and paste it into the large window in the zoek tool:

emptytemp;
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer];r
"EnableShellExecuteHooks"=-;r
filesrcm;
c:\Program Files (x86)\WxDownload\sprotector.dll;i
C:\Windows\*.tmp;f
iedefaults;
aohghmighlieiainnegkcijnfilokake;chr
apdfllckaahabafndbhieahigkjlhalf;chr
blpcfgokakmgnkcojhhkbfbldkacnbeo;chr
caehdcpeofiiigpdhbabniblemipncjj;chr
coobgpohoikkiipiblmjeljniedjpjpf;chr
gomekmidlodglbbmalcneegieacbdmki;chr
lifbcibllhkdhoafpjfnlhfpfgnpldfl;chr
nmmhkkegccagdldgiimedpiccmgmieda;chr
pjkljhegncpnkpknbcohdijeoejaedia;chr
chromelook;
firefoxlook;
{DBC80044-A445-435b-BC74-9C25C1C588A9};c
{E6FB5E20-DE35-11CF-9C87-00AA005127ED};c
startupall;

[*] Click on
http://www.mcshield.net/personal/magna86/Images/Run%20Script%20by%20zoek.png
button.
Please wait until a logreport will open (this can be after reboot)

[*]Save notepad to your Desktop and attach here zoek-results.log
Note: It will also create a log in the C:\ directory named “zoek-results.log

just some info…

Instead, I get Malwarebytes saying something like "Successfully Blocked Access to 162.210.192.21." When I get this message, it says the source is [b]avastsvc.exe.[/b]
all in /outgoing requests goes true avast webshield and MBAM see this as coming from avast ....it is not many posts about this here

also read this
Oh, the Sites You Will Never See. http://blog.malwarebytes.org/development/2013/05/oh-the-sites-you-will-never-see/

@magna86,
I have run the program and attached the log, thanks again for your help

@Pondus,
Hi, thank you for the information. Admittedly I do not know about this topic so this is helpful!

Ok, now run this zoek script:

emptyclsid;
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows];r
"AppInit_DLLs"=-;r
c:\Program Files (x86)\WxDownload;fs
autoclean;

Zoek shall restart your computer and after that post me fresh created zoek log.

We will continue tomorrow and for the time, monitor your computer and AV alerts and tell me how your computer is running now? Any warnings?

Edit:
Advice:
Do not download and/or run various malware removal tool you see on web if you do not know what they can and what they realy do.

Sorry for the delay; I have attached the log. Something new has happened: the malwarebytes notification used to only come up when I had a browser open. However, a few minutes after I closed my browser and started the zoek program, I got a notification that was similar to the previous one but with two differences: the address was 41.203.69.2, and the source was skype.exe. This was new and has not happened since.

Thank you for helping me today and I look forward to speaking with you again tomorrow.

edit: on this particular notification, it also said “incoming,” I can’t say for certain but I think that is also new

Okay I am going to sleep now, here are some updates on my computer performance:
-the notifications are less frequent. I thought they were gone but I left my computer on while I took a shower and came back and there was one like what I described previously; this time, the blocked address was 59.125.229.78, also skype.exe, also incoming.
-no notifications like the original ones (outgoing, 162.210.192.21, browser)
-no blue screen

Some adware or bad browser extensions creates the MBAM’s alerts. Zoek has remove them …

Ok run this zoek script and when tool finish his work, post me fresh created zoek log.

ffdefaults;
chrdefaults;
shortcutfix;

Then …

Please download AdwCleaner by Xplode and save to your Desktop.

Double click on AdwCleaner.exe to run the tool.

[*]Click on the Scan button.
[*]After the scan has finished click on the Clean button.

Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.

[*]After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
[*]Post logfile will also be saved in the C:\AdwCleaner folder.


Any improvements?

Both logs are attached. I will see if any more notifications come up, hopefully none do.

Thanks again

Okey, monitor your computer for mbam alerts and report here tomorow. :wink:

Heading to bed now, no alerts! :slight_smile:

what should my next move be?

You are malware free. Posted logs are now appear cleans and show no signs of active infection.

Good workman always cleans up after himself.
The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes below;
[i]
http://www.mcshield.net/personal/magna86/Images/checkmark.png
Remove disinfection tools

http://www.mcshield.net/personal/magna86/Images/checkmark.png
Create registry backup

http://www.mcshield.net/personal/magna86/Images/checkmark.png
Purge System Restore [/i]
Click Run button and wait a few seconds for the programme completes his work.
At this point all the tools we used here should be gone. Tool will create an report for you (C:[b]DelFix.txt[/b])

The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.


To help AntiVirus to protect your computer and speed it up, I recommend that you download, install and keep the following free programs:

  1. Keep Malwarebytes Anti-Malware, update it regularly or from time to time and run a Quick Scan weekly.
    Malwarebytes will detect and remove all traces of known malware. MBAM isn’t AntiVirus and it can NOT replace it.

  2. Keep MCShield Anti-Malware, the tool will be updated regularly and perform auto-checking for malware to each attached USB memory device.
    MCShield, has been designed as a lightweight scanner that’s smart enough to catch even new worms and work in fully automatic removal mode.

  3. It’s recommended to delete Temporary Files every once in a while. Run the tool and click on the Start button and TFC will begin to clean. Then restart the computer.
    Temp File Cleaner aka TFC by OldTimer
    TFC is small & usefull utility that shall clean up temp files from all userprofiles and system folders.


How to protect yourself?

  1. Adjust avast! to target PUP software:
    Run avast! 2014 by clicking the system tray icon in the lower right corner of the screen.
    Click on Settings, in the new window that opens, click on Active Protection, then under File System Shield click on gear wheel…
    Under Sensitivity part of option check box for Scan for potentialy unwanted programs PUP.

  2. avast! Software Updater. Run avast!, click on Tools > Software Updater.
    For security reasons, make sure you do update your browser(s), Java, Flash Player, and basically every software you use often.

  3. avast! Browser Cleanup. Run avast!, click on Tools > BrowserCleanup.
    Browser Cleanup tool is an integrated tool in avast! AV that allows you the control on browsers unwanted addons.

  4. avast! Malware Scan. Run avast!, click on Scan and preform QuickScan by clicking on Start button.
    Every once in a whilere, it’s recommended to preform virus scan with avast! 2014.

I’ll do my best to keep my computer clean from here on out! Thanks for all your help.