Network Shield: blocked access to malicious site dns://security.frbsystem.us

Hello,

I just got a message from Avast telling me this:

Network Shield: blocked access to malicious site dns://security.frbsystem.us [ C:\WINDOWS\system32\svchost.exe ]

I tried to google this but couldn’t find anything.

Is my computer infected with something? Can I do anything to fix it?

Please, help!

Network Shield: blocked access to
See the BLOCKED part?
That means it didn’t connect to that server.

Nothing to worry about, unless you are the owner of the site ;D

Interesting that this US domain name is registered in Moscow ???

Eddy: thanks for your reply. I read it was blocked, but I’d be rather interested to know what program on my computer was trying to connect to this website, since it wasn’t me… If something on my computer is trying to connect to a malicious website, it may be some kind of worm or trojan, or whatever…

Have a look at:
CurrPorts v1.60 - View Opened TCP/IP ports / connections
http://www.nirsoft.net/utils/cports.html

Your browser was trying to contact the site. In other words the link you clicked on had a bogus URL and was trying to send you to the dns site. Bogus dns sites are common in the porn industry. The idea is to redirect you to porn sites.

-Bob

I have the same problem, but it appears also when I’m not browsing, for example during work in Word - suddenly an avast message appears telling me that avast Network Shield blocked access to one or more malicious sites. This problem has been appearing for two days now; I remember vaguely a normal (non-porn, non-p2p, non everything else that could be suspicious) site I was accessing when I encountered the problem for the first time. If I remember correctly (I’m not sure, closed the site quickly), that site had a link to the porn site that appears now as blocked. Apart from this porn site, avast reports blocking webstat.net, which seems to be dubious too according to google search results.

My problem remains: what kind of software tries repeatedly (4-6 times an hour) to connect to these sites and how can it be removed? I used CurrPorts, but since I have no idea what, for example, “alg.exe” means, it is of no help to me. Can anyone help?

alg.exe is your windows firewall. Your browser does not need to be open for a bogus URL in your browser cache to connect to the internet. It uses svchost.exe which is a windows system file. Simply clear your browser cache and temporary internet files.

-Bob

The alg.exe (Application Layer Gateway Service) isn’t actually your windows firewall, it is running even when the windows firewall is disabled.

http://www.liutilities.com/products/wintaskspro/processlibrary/alg/

The alg.exe executable allows applications (such as IM clients, RTSP, BitTorrent, SIP, and FTP) from a client computer to dynamically utilize passive TCP/UDP ports in communicating with known ports on a server. This allows software to access applications that reside on another computer even if there is a firewall.

@ babel
Worst case scenario, it could be undetected/hidden malware trying to connect to the internet or it could be legit software checking for updates, etc. (less likely), but webstat.net might well feature as some sites actually think it is a legit webstats gathering tool.

What is your firewall?

If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode and report the findings (it should produce a log file).

  1. SUPERantispyware, On-Demand only in free version.
  2. MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.

alg.exe was just an example of all those cryptic names that run in my system :frowning:

I use the windows-firewall (windows xp).

I installed and ran the two recommended programs - MalwareBytes couldn’t find anything, SUPERantispyware listed 20 cookies, but I couldn’t find anything special here. I used quick-scan however (since I started avast yesterday for a complete, detailed scan of all hard drives and the scanning is still under way for the several hundreds of GB of disk-space).

Any idea what else could be done? Isn’t there a possibility to see a log-file that shows the process that wants to connect to the blocked sites?

For a start, firewall (XP provides zero logs):

TCPView will show what connections are open and what is responsible, it can be found here, http://technet.microsoft.com/en-us/sysinternals/default.aspx under Networking Utilities.

It should be capable of blocking unauthorised outbound Internet Connections. Whilst the windows XP firewall is usually good at keeping your ports stealthed (hidden) it provides no outbound protection and you should consider a third party firewall.

Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

  • There are many freeware firewalls such as Comodo (care required now it is a suite not to install the anti-virus element), PCTools Firewall Plus, Jetico, etc. - Zone Alarm free works fine with avast and has a reasonably friendly user interface; however, the free version is becoming bloated with trial ware and is also crippled as far as outbound protection goes. In the Program Control configuration area, the slider only goes as far as Medium protection; if you want more you have to buy the Pro version.

See A Forum discussion on free firewalls http://forum.avast.com/index.php?topic=30808.0
See http://www.matousec.com/projects/firewall-challenge/results.php.

If you didn’t run SAS and MBAM from safe mode, it is possible some malware might be hiding from it; also if there is any malware detected it is more effective at removing it from safe mode and, as you say, you should elect for the full scans.

I guess you are doing the avast! Thorough scan with Archives or the scan should have completed.

Babel: Svchost.exe IS the process trying to connect to the internet. The network shield warning said so. It’s trying because it was ordered to by a URL in the cache or temporary internet file. Cleaning these out solves the problem. Even if you didn’t have Avast, all that would happen is that you would be directed to a porn site or whatever. If it was any other form of malware, one of the other resident scanners would have told you so.

-Bob

I deleted all private data at least two times from all installed browsers (Firefox, Opera, Chrome, IE): cookies, temporary internet files, history etc. After this, I used CCleaner to delete again all these data.

After that, I performed a full scan with SAS and MBAM from safe mode - SAS found only one cookie that was suspicious, I deleted this, even though when opening it in a text-editor, I couldn’t find any of the URLs that are blocked by avast. MBAM didn’t find anything.

Back again to normal mode, I have the same “blocked access to malicious site”-warning as before.

I also tried tcpview, but since there are so many cryptic names, I can’t identify which one is the process that caused the problem (I don’t even know if this process is listed or listed all the time, since the warning message from avast appears once every 10 to 20 minutes). Any idea where to look or what else could be done?

I don’t know what else to say. You do not have a problem to fix. Avast is working as it should and there is no problem with your computer. There is nothing to search for and delete.

-Bob

Still: if I’m not trying to connect to the blocked sites, who or what is trying to access them? I never had these messages before, so something must be wrong - even if it doesn’t harm my computer.

Try reporting the details of the cryptic names in TCPView.

From the Menu bar at the top of the window, File, Save As, give it a meaningful name and place it somewhere you can find it again (e.g. tcpreport.txt) and either attach the file to your next post or copy and paste the contents.

You can strip out any things like computer name or user details (Notepad, Replace function), etc. see image, where I have replaced my comp/user with ?X? but all the other relevant information is there.

Probably the site has been hacked and it has some form of encoded Javascript or iframe redirect that points to a malicious site.

What is the site?

Use hxxp://example.com <== make sure that it is not http

First a big “Thank you!” to everyone for helping me in this issue!

@YoKenny:
The sites that are blocked are the following (as I mentioned, I never visited these sites):
hXXp://xxxporn-tube.com
hXXp://wXw.webstat.net (www instead of wXw)

@DavidR:
here is the report (?X? is replaced by me, as you advised to do):

mDNSResponder.exe:1340 TCP ?X?:5354 ?X?:0 LISTENING
CLI.exe:5552 TCP ?X?:kpop ?X?:0 LISTENING
ashMaiSv.exe:2996 TCP ?X?:12143 ?X?:0 LISTENING
System:4 TCP ?X?:microsoft-ds ?X?:0 LISTENING
svchost.exe:208 TCP ?X?:epmap ?X?:0 LISTENING
DkService.exe:504 TCP ?X?:31038 ?X?:0 LISTENING
CLI.exe:1124 TCP ?X?:1056 ?X?:0 LISTENING
svchost.exe:1016 TCP ?X?:2869 ?X?:0 LISTENING
alg.exe:3976 TCP ?X?:1033 ?X?:0 LISTENING
ibmtcsd.exe:3716 TCP ?X?:6060 ?X?:0 LISTENING
ashMaiSv.exe:2996 TCP ?X?:12110 ?X?:0 LISTENING
ashMaiSv.exe:2996 TCP ?X?:12025 ?X?:0 LISTENING
cvpnd.exe:1284 TCP ?X?:62514 ?X?:0 LISTENING
jqs.exe:2576 TCP ?X?:5152 ?X?:0 LISTENING
ashWebSv.exe:3032 TCP ?X?:12080 ?X?:0 LISTENING
System:4 TCP ?X?:netbios-ssn ?X?:0 LISTENING
ashMaiSv.exe:2996 TCP ?X?:12119 ?X?:0 LISTENING
firefox.exe:2564 TCP ?X?:50001 ?X?:0 LISTENING
ashWebSv.exe:3032 TCP ?X?:12080 ?X?:0 LISTENING
ashWebSv.exe:3032 TCP ?X?:12080 ?X?:0 LISTENING
ashWebSv.exe:3032 TCP ?X?:12080 ?X?:0 LISTENING
ashWebSv.exe:3032 TCP ?X?:12080 ?X?:0 LISTENING
ashWebSv.exe:3032 TCP ?X?:2470 fx-in-f104.google.com:http CLOSE_WAIT
ashWebSv.exe:3032 TCP ?X?:2471 fx-in-f104.google.com:http CLOSE_WAIT
ashWebSv.exe:3032 TCP ?X?:2473 ey-in-f102.google.com:http CLOSE_WAIT
jqs.exe:2576 TCP ?X?:5152 localhost:1482 CLOSE_WAIT
firefox.exe:2564 TCP ?X?:2460 localhost:2459 ESTABLISHED
firefox.exe:2564 TCP ?X?:2459 localhost:2460 ESTABLISHED
firefox.exe:2564 TCP ?X?:2463 localhost:2462 ESTABLISHED
firefox.exe:2564 TCP ?X?:2462 localhost:2463 ESTABLISHED
firefox.exe:2564 TCP ?X?:2466 localhost:12080 ESTABLISHED
firefox.exe:2564 TCP ?X?:2468 localhost:12080 ESTABLISHED
firefox.exe:2564 TCP ?X?:2469 localhost:12080 ESTABLISHED
firefox.exe:2564 TCP ?X?:2472 localhost:12080 ESTABLISHED
ashWebSv.exe:3032 TCP ?X?:2467 212.243.221.238:http ESTABLISHED
jusched.exe:5672 TCP ?X?:1177 212.243.223.170:http CLOSE_WAIT
lsass.exe:1652 UDP ?X?:isakmp :
System:4 UDP ?X?:netbios-ns :
svchost.exe:440 UDP ?X?:1049 :
System:4 UDP ?X?:netbios-dgm :
svchost.exe:440 UDP ?X?:ntp :
cvpnd.exe:1284 UDP ?X?:62514 :
svchost.exe:440 UDP ?X?:ntp :
mDNSResponder.exe:1340 UDP ?X?:5353 :
mDNSResponder.exe:1340 UDP ?X?:1026 :
svchost.exe:440 UDP ?X?:1043 :
explorer.exe:356 UDP ?X?:1047 :
svchost.exe:1016 UDP ?X?:1900 :
lsass.exe:1652 UDP ?X?:4500 :
svchost.exe:440 UDP ?X?:1042 :
svchost.exe:1016 UDP ?X?:1900 :
System:4 UDP ?X?:microsoft-ds :
mDNSResponder.exe:1340 UDPV6 ?X?:1025 :

Maybe you can see something suspicious?
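Reading a saved TCPView report like the one above by eye is tedious, because most lines are LISTENING sockets or loopback pairs. The script below is an added example, not code from this thread or from TCPView: it parses the "File, Save As" text layout quoted above (process:pid proto local remote state, with ?X? as the redacted host name) and lists only the sockets that talk to another machine, grouped by process, so they can be compared against the hosts avast reported blocking. The sample lines are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample in the TCPView "File, Save As" text layout quoted in the
# thread (process:pid proto local remote state); ?X? is the redacted host name.
SAMPLE_REPORT = """\
svchost.exe:208 TCP ?X?:epmap ?X?:0 LISTENING
firefox.exe:2564 TCP ?X?:2466 localhost:12080 ESTABLISHED
ashWebSv.exe:3032 TCP ?X?:2467 212.243.221.238:http ESTABLISHED
jusched.exe:5672 TCP ?X?:1177 212.243.223.170:http CLOSE_WAIT
svchost.exe:440 UDP ?X?:ntp :
mDNSResponder.exe:1340 UDPV6 ?X?:1025 :
"""

# Endpoints that are not a remote peer: the redacted local name, loopback,
# or the bare ":" TCPView prints for unconnected UDP sockets.
LOCAL_HOSTS = {"?X?", "localhost", "127.0.0.1", "0.0.0.0", "::1", ""}

LINE_RE = re.compile(
    r"^(?P<proc>\S+):(?P<pid>\d+)\s+(?P<proto>\S+)\s+"
    r"(?P<local>\S+)\s+(?P<remote>\S*)\s*(?P<state>[A-Z_]*)$"
)

def parse_tcpview(text):
    """Return one dict per report line; lines that do not fit the
    layout (blank lines, headers) are skipped rather than guessed at."""
    return [m.groupdict() for line in text.splitlines()
            if (m := LINE_RE.match(line.strip()))]

def split_endpoint(endpoint):
    """'212.243.221.238:http' -> ('212.243.221.238', 'http'); ':' -> ('', '')."""
    host, _, port = endpoint.rpartition(":")
    return host, port

def external_endpoints_by_process(text):
    """Group sockets with a real remote peer by process:pid. Listening
    sockets and loopback pairs are dropped; a snapshot only shows what is
    open at that moment, so repeat it right after an avast alert."""
    found = defaultdict(list)
    for row in parse_tcpview(text):
        if row["state"] == "LISTENING":
            continue
        host, port = split_endpoint(row["remote"])
        if host in LOCAL_HOSTS:
            continue
        found[f'{row["proc"]}:{row["pid"]}'].append((host, port, row["state"]))
    return dict(found)

if __name__ == "__main__":
    for proc, peers in external_endpoints_by_process(SAMPLE_REPORT).items():
        for host, port, state in peers:
            print(f"{proc:<20} {host}:{port} {state}")
```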

There is nothing wrong. Trust me. Your problem is that you don’t understand how Avast works and you have a very limited understanding of how windows works. I cannot help you there. No one can. Only your personal experience as time goes by can help you.

-Bob

I don’t see anything obvious there either sorry.