I did a full system scan and avast picked up nshield.log as a high threat, the directory being “C:\ProgramData\AVAST Software\Avast\log\nshield.log”. I’m not too sure if this is a high threat; I mean, it’s found under avast’s own directory. What should I do? So far, Avast is saying it’s a high threat, saying it’s a “MSIL:Agent-NK[Trj]”.
Oh, if it’s any help, I’m using avast Free Edition
That is the Network Shield log. I suspect you have had some network shield alerts recently?
The avast scan may be picking up on the URLs in the text file, it shouldn’t be a threat.
What avast scan are you doing (Quick/Full/Custom), and have you changed any of the scan default settings?
I suspect you have had avast scan all files as I wouldn’t expect avast to scan .log (text) files in a default Quick/Full System scan.
Thank you for replying. Yes, I did do a full system scan, and you were right about avast blocking something; I was unzipping a file which I thought had source code to an ActionScript game, but it turns out that it was infected with a trojan. At least that’s what avast told me, so it blocked it. I’ve learnt my lesson >.<
So do I need to worry about this nshield.log? Can I delete it or move it to the chest? Or should I just ignore it?
However, I’ve opened up this log and get the following:
12.02.2012 22:25:20 Network Shield: blocked access to malicious site http://tds.alcuda.com/in.cgi?7&group=xvid_uk [ C:\Users\Tareq\AppData\Local\Google\Chrome\Application\chrome.exe ( 1184 ) ]
13.02.2012 18:37:15 Network Shield: blocked access to malicious site http://artilato.in/hswkkczxwuy8g2/ [ C:\Program Files (x86)\Mozilla Firefox\firefox.exe ( 2060 ) ]
26.02.2012 22:31:00 Network Shield: blocked access to malicious site http://letitbitufilerload.foldere-boxt-upload.ru/?wkey=103984&query=3d%20rikku%20animated%20movie%20rikuest%20download%20torrent [ C:\Users\Tareq\AppData\Local\Google\Chrome\Application\chrome.exe ( 7804 ) ]
22.03.2012 23:57:49 Network Shield: blocked access to malicious site http://www.prettyunicorn.net/?ref2=lb&ref3=lb_global&ref4=10147&ref5=13148&link_type=offer&sa=onwlosulvrlo&&od=11mirks [ C:\Users\Tareq\AppData\Local\Google\Chrome\Application\chrome.exe ( 3960 ) ]
30.03.2012 01:14:08 Network Shield: blocked access to malicious site http://afaklbl322.mynumber.org/wpfooter.php?id=16750 [ C:\Users\Tareq\AppData\Local\Google\Chrome\Application\chrome.exe ( 8560 ) ]
17.04.2012 23:45:27 Network Shield: blocked access to malicious site http://yoursurveypanel.com/d/ishotspot.com [ C:\Users\Tareq\AppData\Local\Google\Chrome\Application\chrome.exe ( 7632 ) ]
18.04.2012 23:42:39 Network Shield: blocked access to malicious site http://hcihw.in/soraolzxw19x5rgmf/ [ C:\Program Files (x86)\Mozilla Firefox\firefox.exe ( 6076 ) ]
20.04.2012 14:32:03 Network Shield: blocked access to malicious site http://positories.in/dzavrzxwthsho/ [ C:\Program Files (x86)\Mozilla Firefox\firefox.exe ( 3152 ) ]
11.05.2012 22:25:41 Network Shield: blocked access to malicious site http://eu.triplemining.com:8344/ [ C:\programs\phoenix.exe ( 1692 ) ]
11.05.2012 22:28:58 Network Shield: blocked access to malicious site http://eu.triplemining.com:8344/ [ C:\programs\phoenix.exe ( 1692 ) ]
11.05.2012 22:33:34 Network Shield: blocked access to malicious site http://eu.triplemining.com:8344/ [ C:\programs\phoenix.exe ( 1692 ) ]
11.05.2012 22:39:07 Network Shield: blocked access to malicious site http://eu.triplemining.com:8344/ [ C:\programs\phoenix.exe ( 1692 ) ]
11.05.2012 22:44:55 Network Shield: blocked access to malicious site http://eu.triplemining.com:8344/ [ C:\programs\phoenix.exe ( 1692 ) ]
11.05.2012 22:48:57 Network Shield: blocked access to malicious site http://eu.triplemining.com:8344/ [ C:\programs\phoenix.exe ( 1692 ) ]
11.05.2012 22:52:29 Network Shield: blocked access to malicious site http://eu.triplemining.com:8344/ [ C:\programs\phoenix.exe ( 1692 ) ]
11.05.2012 22:55:46 Network Shield: blocked access to malicious site http://eu.triplemining.com:8344/ [ C:\programs\phoenix.exe ( 1692 ) ]
11.05.2012 23:01:38 Network Shield: blocked access to malicious site http://eu.triplemining.com:8344/ [ C:\programs\phoenix.exe ( 1692 ) ]
11.05.2012 23:02:08 Network Shield: blocked access to malicious site http://eu.triplemining.com:8344/ [ C:\programs\phoenix.exe ( 1692 ) ]
11.05.2012 23:02:39 Network Shield: blocked access to malicious site http://eu.triplemining.com:8344/ [ C:\programs\phoenix.exe ( 1692 ) ]
11.05.2012 23:02:54 Network Shield: blocked access to malicious site http://eu.triplemining.com:8344/ [ C:\programs\phoenix.exe ( 1692 ) ]
11.05.2012 23:03:09 Network Shield: blocked access to malicious site http://eu.triplemining.com:8344/ [ C:\programs\phoenix.exe ( 1692 ) ]
11.05.2012 23:03:24 Network Shield: blocked access to malicious site http://eu.triplemining.com:8344/ [ C:\programs\phoenix.exe ( 1692 ) ]
11.05.2012 23:04:24 Network Shield: blocked access to malicious site http://eu.triplemining.com:8344/ [ C:\programs\phoenix.exe ( 1692 ) ]
11.05.2012 23:04:55 Network Shield: blocked access to malicious site http://eu.triplemining.com:8344/ [ C:\programs\phoenix.exe ( 1692 ) ]
11.05.2012 23:07:26 Network Shield: blocked access to malicious site http://eu.triplemining.com:8344/ [ C:\programs\phoenix.exe ( 1692 ) ]
12.05.2012 19:10:04 Network Shield: blocked access to malicious site http://eu.triplemining.com:8344/ [ C:\programs\phoenix.exe ( 10900 ) ]
25.05.2012 22:23:31 Network Shield: blocked access to malicious site http://eu.triplemining.com:8344/ [ C:\programs\phoenix.exe ( 2820 ) ]
25.05.2012 22:24:46 Network Shield: blocked access to malicious site http://eu.triplemining.com:8344/ [ C:\programs\phoenix.exe ( 2820 ) ]
25.05.2012 22:25:02 Network Shield: blocked access to malicious site http://eu.triplemining.com:8344/ [ C:\programs\phoenix.exe ( 2820 ) ]
25.05.2012 22:25:32 Network Shield: blocked access to malicious site http://eu.triplemining.com:8344/ [ C:\programs\phoenix.exe ( 2820 ) ]
25.05.2012 22:26:48 Network Shield: blocked access to malicious site http://eu.triplemining.com:8344/ [ C:\programs\phoenix.exe ( 2820 ) ]
07.06.2012 22:57:50 Network Shield: blocked access to malicious site http://lewisentitled.com/cgi-bin/r.cgi?p=10003&i=3831edc0&j=340&m=859dcc6fde0c9fcf74f8730381a3091a&h=www.fookunity.com&u=/forum/archive/index.php/t-5300.html&q=&t=20120607235748 [ C:\Program Files (x86)\Mozilla Firefox\firefox.exe ( 4052 ) ]
11.06.2012 22:42:11 Network Shield: blocked access to malicious site http://eu.triplemining.com:8344/ [ C:\programs\phoenix.exe ( 9188 ) ]
11.06.2012 22:45:27 Network Shield: blocked access to malicious site http://eu.triplemining.com:8344/ [ C:\programs\phoenix.exe ( 9188 ) ]
11.06.2012 22:52:28 Network Shield: blocked access to malicious site http://eu.triplemining.com:8344/ [ C:\programs\phoenix.exe ( 9188 ) ]
11.06.2012 22:56:14 Network Shield: blocked access to malicious site http://eu.triplemining.com:8344/ [ C:\programs\phoenix.exe ( 9188 ) ]
11.06.2012 23:00:14 Network Shield: blocked access to malicious site http://eu.triplemining.com:8344/ [ C:\programs\phoenix.exe ( 9188 ) ]
11.06.2012 23:03:18 Network Shield: blocked access to malicious site http://eu.triplemining.com:8344/ [ C:\programs\phoenix.exe ( 9188 ) ]
11.06.2012 23:07:19 Network Shield: blocked access to malicious site http://eu.triplemining.com:8344/ [ C:\programs\phoenix.exe ( 9188 ) ]
11.06.2012 23:10:35 Network Shield: blocked access to malicious site http://eu.triplemining.com:8344/ [ C:\programs\phoenix.exe ( 9188 ) ]
11.06.2012 23:12:35 Network Shield: blocked access to malicious site http://eu.triplemining.com:8344/ [ C:\programs\phoenix.exe ( 9188 ) ]
27.06.2012 17:54:30 Network Shield: blocked access to malicious site http://rwviii.in/index.php?time=06271519-1278087998&src=81&surl=www.damnlol.com&sport=80&key=6F945CEA&suri=/thumb.php%3fheight=88%26width=120%26cropratio=2.6:1.9%26quality=95%26image=/thumbs/381/t2_bc4b833b82337ed8b1b75b101aa1e0c5.png [ C:\Program Files (x86)\Mozilla Firefox\firefox.exe ( 5520 ) ]
I know that now I’m slightly going off topic, but what is this phoenix.exe?
If you tried to send to the chest or delete, I think that the self-defence module would have something to say, but perhaps not as it is only a log file (so may not be protected). You would also get a file in use issue error as the network shield is running. Even then if the network shield is stopped, it is locked by the avastSvc.exe process, so lots of hoops to jump through (so I wouldn’t do that).
But I’m still unsure why this file was scanned in the first place, as even a Full System scan on default settings (you didn’t say you changed any settings) shouldn’t have scanned a text file, as it doesn’t present an immediate risk (it isn’t executable)?
Yeah, full system scan as it is with avast when I first installed it; no settings were changed. I’m worried: is the file as it is harmful? Should I be worried?
Also, the phoenix.exe doesn’t ring a bell. I do get the odd pop-up here saying that avast has blocked it. Not exactly sure what it is, although something quite odd did happen. When I installed Windows, on boot up everything was fine, then one day, for no apparent reason, command prompt opens and then closes (lasts about a second). Any ideas?
No the file isn’t harmful as it is a text file (not executable) and the urls in there are just those which were blocked by the network shield. So even if something was to try and connect to these urls avast would alert, blocking them again.
Well it is in c:\programs which is a very old style location before the more common C:\Program Files folder was used.
Check first if this file is still present in that location and if there is an entry for this in Add/Remove Programs.
You will find a manual delete hard to do because of the reasons I mentioned before, avast self-defence and file in use. Even with the network shield and self-defence stopped it is locked by avastSvc.exe and unless you have a tool like unlocker to unlock it a manual delete isn’t going to prove fruitful.
Assuming that you were able to delete it, you would also have to restart avast to recreate it I believe.
For all of those reasons plus it really isn’t harmful I would just leave it alone, personally I would question the need for the Full System Scan:
With a resident on-access antivirus like avast, the need for frequent on-demand scans is much depreciated. For the most part the on-demand scan is going to be scanning files that would otherwise be dormant or inert. If they were active files then the on-access file system shield would be scanning them before being created, modified, opened or executed.
I have avast set to do a scheduled weekly Quick scan, set at a time and day that I know the computer will be on. If for some reason my system wasn’t on, no big deal I will catch up on the next scheduled scan.
You could of course exclude that file from being scanned, add C:\ProgramData\AVAST Software\Avast\log\nshield.log to the avastUI > Settings > Exclusions.
Reason for the full scan was because I haven’t done one in a few months, but I guess I understand from your point of view, at least my impression of what you’re saying, is not to worry and rather just focus on quick-scans, right?
Forgive my lack of understanding, your help is very much appreciated ^.^
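
Added example, not part of the original thread: a small Python triage script that groups nshield.log entries by requesting process and blocked host, so that a non-browser executable repeatedly contacting the same blocked host stands out from one-off browser blocks. The line layout and the sample lines are taken from the log excerpt posted above; the browser list and the `min_hits` threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Layout taken from the log lines in the thread. The path may itself contain
# parentheses ("Program Files (x86)"), so the PID is anchored to the line end.
LINE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) Network Shield: "
    r"blocked access to malicious site (?P<url>\S+) "
    r"\[ (?P<exe>.+) \( (?P<pid>\d+) \) \]\s*$"
)
BROWSERS = {"chrome.exe", "firefox.exe"}  # assumption: extend for your hosts

# Subset of the log lines posted in the thread, unchanged.
SAMPLE = r"""
13.02.2012 18:37:15 Network Shield: blocked access to malicious site http://artilato.in/hswkkczxwuy8g2/ [ C:\Program Files (x86)\Mozilla Firefox\firefox.exe ( 2060 ) ]
17.04.2012 23:45:27 Network Shield: blocked access to malicious site http://yoursurveypanel.com/d/ishotspot.com [ C:\Users\Tareq\AppData\Local\Google\Chrome\Application\chrome.exe ( 7632 ) ]
11.05.2012 22:25:41 Network Shield: blocked access to malicious site http://eu.triplemining.com:8344/ [ C:\programs\phoenix.exe ( 1692 ) ]
11.05.2012 22:28:58 Network Shield: blocked access to malicious site http://eu.triplemining.com:8344/ [ C:\programs\phoenix.exe ( 1692 ) ]
12.05.2012 19:10:04 Network Shield: blocked access to malicious site http://eu.triplemining.com:8344/ [ C:\programs\phoenix.exe ( 10900 ) ]
25.05.2012 22:23:31 Network Shield: blocked access to malicious site http://eu.triplemining.com:8344/ [ C:\programs\phoenix.exe ( 2820 ) ]
"""

def summarize(text, min_hits=3):
    """Group blocked requests by (executable, host:port); flag rows worth a closer look."""
    groups = defaultdict(lambda: {"hits": 0, "pids": set(), "times": []})
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        g = groups[(m["exe"], urlsplit(m["url"]).netloc)]
        g["hits"] += 1
        g["pids"].add(int(m["pid"]))
        g["times"].append(datetime.strptime(m["ts"], "%d.%m.%Y %H:%M:%S"))
    report = []
    for (exe, host), g in groups.items():
        name = exe.rsplit("\\", 1)[-1].lower()
        report.append({
            "exe": exe, "host": host, "hits": g["hits"],
            "pids": sorted(g["pids"]),
            "first": min(g["times"]), "last": max(g["times"]),
            # Repeated blocks from a non-browser process deserve investigation.
            "review": name not in BROWSERS and g["hits"] >= min_hits,
        })
    return sorted(report, key=lambda r: -r["hits"])

if __name__ == "__main__":
    for r in summarize(SAMPLE):
        print("REVIEW" if r["review"] else "ok", r["hits"], r["host"], r["exe"], r["pids"])
```

Several distinct PIDs for one flagged executable across different days show that the program is being relaunched, which is a cue to check startup entries and scheduled tasks for it.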