I have recently encountered a problem where I found that an unknown process is being blocked by Avast from accessing a particular IP address. I have scanned my whole PC, but Avast was unable to recognize which process is making connections to the remote site that it is blocking. This happens whenever I start a browsing session using any browser, and the message pops up every 1-2 minutes during the session. Can anyone help me recognize and fix this? I have attached the figure shown by Avast while that connection is blocked.
Please follow the instructions here → http://forum.avast.com/index.php?topic=53253.0
Run Malwarebytes, OTL, and aswMBR and attach the logs.
A malware removal expert will be able to assist you once these logs are attached.
Thanks for the suggestion, but that didn't work out. MalwareBytes did find an infection, but that didn't remove the problem. I also tried aswMBR 2 times, but this program caused my OS to crash both times by displaying a BSOD and then restarting the system. The report generated by MalwareBytes is attached to this reply.
Does anyone have any other suggestion, because this seems to be a severe problem? Now, every time I start Windows with the Internet connection on, this warning message starts to pop up numerous times, even when I am not surfing the internet. It seems that a process is trying to open a connection to a remote site using svchost.exe, which lies in the C:\Windows\System32 folder. But no program is able to detect what's going on. What Avast is doing is just blocking the connection and not detecting the cause of it, and hence the culprit program cannot be tracked. I also ran a boot-time scan, but to no effect.
Can anyone help me out?
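The poster's actual question, which the thread never answers directly, is how to find out which process (and, for a shared svchost.exe, which service and service DLL) owns the outbound connection that Avast is blocking. The PowerShell script below is an added example written for this editing pass; it is not code from the original thread, from Avast, or from any of the tools mentioned. It assumes an elevated prompt on Windows, and it takes the remote address from the Avast pop-up as a parameter; since the thread never quotes that address, 203.0.113.10 (a documentation/TEST-NET-3 address) is a placeholder. It parses `netstat -ano` rather than using `Get-NetTCPConnection` so that it also works on Windows 7 era systems like the one in this thread; the `-NetstatLines` parameter lets you feed it previously captured output instead of a live snapshot.

```powershell
# Added example (not from the original thread): map an outbound connection to a
# remote IP back to the owning process and, for svchost.exe, to the services it
# hosts and their ServiceDll values.
# Assumptions: run as Administrator; $RemoteIp is the address from the Avast
# pop-up (203.0.113.10 is a placeholder, the thread does not quote the real one).
param(
    [string]$RemoteIp = '203.0.113.10',
    [string[]]$NetstatLines      # optional: previously captured 'netstat -ano' output
)

function Get-ConnectionsTo {
    param([string]$Ip, [string[]]$Lines)
    if (-not $Lines) { $Lines = netstat -ano }
    foreach ($line in $Lines) {
        # Row layout: Proto  Local Address  Foreign Address  [State]  PID
        # (UDP rows carry no State column, so the PID is always the last field.)
        $f = ($line -replace '^\s+', '') -split '\s+'
        if ($f.Count -lt 4 -or $f[0] -notmatch '^(TCP|UDP)$') { continue }
        $remote = $f[2]
        # Match both IPv4 "1.2.3.4:443" and bracketed IPv6 "[::1]:443" forms.
        if ($remote -match "^\[?$([regex]::Escape($Ip))\]?:\d+$") {
            [pscustomobject]@{
                Proto  = $f[0]
                Local  = $f[1]
                Remote = $remote
                State  = if ($f[0] -eq 'TCP') { $f[3] } else { '' }
                PID    = [int]$f[-1]
            }
        }
    }
}

function Resolve-Owner {
    param([int]$ProcessId)
    # Win32_Process gives image path and command line (for svchost the "-k group"
    # argument); Win32_Service lists the services running inside that PID.
    $proc = Get-WmiObject Win32_Process -Filter "ProcessId = $ProcessId"
    $svcs = @(Get-WmiObject Win32_Service -Filter "ProcessId = $ProcessId")
    $dlls = foreach ($s in $svcs) {
        # svchost-hosted services keep their real code in Parameters\ServiceDll;
        # that DLL, not svchost.exe itself, is what needs to be examined.
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($s.Name)\Parameters"
        if (Test-Path $key) {
            $dll = (Get-ItemProperty $key -ErrorAction SilentlyContinue).ServiceDll
            if ($dll) { "$($s.Name) -> $dll" }
        }
    }
    [pscustomobject]@{
        PID         = $ProcessId
        Image       = if ($proc) { $proc.ExecutablePath } else { '<exited>' }
        CommandLine = if ($proc) { $proc.CommandLine } else { '' }
        Services    = ($svcs | ForEach-Object { $_.Name }) -join ', '
        ServiceDlls = $dlls -join '; '
    }
}

Get-ConnectionsTo -Ip $RemoteIp -Lines $NetstatLines |
    Sort-Object PID -Unique |
    ForEach-Object { Resolve-Owner -ProcessId $_.PID } |
    Format-List
```

Because the connection is being blocked, it may only exist for a moment (typically in SYN_SENT state), so either run the script in a loop with a short `Start-Sleep` until it catches the attempt, or capture `netstat -ano` repeatedly to a file and pass the lines in with `-NetstatLines`. When the owner is a shared svchost.exe, the `ServiceDlls` field is the useful part: a service whose ServiceDll points outside the Windows directory, or a service name that does not belong to any known Windows service group, is the thing to hand to the malware removal specialist.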
If aswMBR fails to run, proceed to the next step in the other tools specified (OTL; attach its log and extras.txt) in the link given above your post.
Have you tried to run aswMBR.exe from safe mode?
Only when there is something there for a malware removal specialist to analyse can they then start to help.
I have tried aswMBR in safe mode, and this time it worked fine, and hence I was able to get its log as well. I have attached the logs in 2 parts in my reply because of the total size limit here.
This is the first time that I am unable to rectify a malware problem, hence it seems to me a serious issue. My PC seems to have become a bot this time.
Please help me rectify this problem.
I hope one of you will definitely come up with a good solution soon.
Waiting for a reply…
Posting the first 2 attachments (aswMBR and MalwareBytes).
Posting the attachment of the OTL log.
Posting the attachment of the OTL (Extras) log.
Did you click the "Remove Selected" button after the scan? As your Malwarebytes log says "No Action Taken".
OBS: it may take some hours before the removal specialist arrives here.
I will try and get a malware removal specialist to look at the logs.
Hi, there is nothing readily apparent, which could be a pain to locate. So I will remove the obvious elements first, but I may need to go deeper.
After this run, let me know if the alerts continue.
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
To disable MBAM
Open the scanner and select the protection tab
Remove the tick from “Start with Windows”
Reboot and then run OTL
http://i1224.photobucket.com/albums/ee362/Essexboy3/mbamstop.jpg
Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following:
:OTL
IE - HKCU\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=110819&babsrc=SP_ss&mntrId=870ab440000000000000e4d53d78c2b0
FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
[2012-04-26 13:14:05 | 000,002,313 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered; reboot the PC when it is done.
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
Well, I have done and posted the log as "essexboy" told me to do for OTL.
Also, I have recently found that I am not the only one who is infected; actually a friend of mine has also been experiencing the similar problem of malicious URL connections for the last 3-4 days, since I started experiencing it, and he is also using Avast.
I guess this is a new type of malware whose signature/solution doesn't seem to be in the Avast database.
The attachment with this reply includes 2 logs: one is the log (Log 1) generated automatically on system start-up when OTL finished the custom scan and rebooted automatically, and the other (Log 2) is the one generated by the quick scan after the system had rebooted automatically.
I hope there will be a solution now.
No, there is something there; it is just that it is not visible at the moment.
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
- IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.
[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks
http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png
http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png
[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.
Notes:
- Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
- Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.
- If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.
Here is the attached log of ComboFix along with this reply.
I hope I don't have to collect more logs next time, and this should definitely suffice.
Waiting for some solution this time.
Are you using a proxy for going on the web?
Yes, I use a proxy to connect to the internet. I use my hostel Wi-Fi connection, where I have to use proxy settings to connect to the internet.
But my friend has his own internet connection (i.e. no proxy connection), and there the similar problem of malicious URL connections also exists.
But hey, I observed a strange thing while writing to you now: I have not observed even a single malicious URL blocking signal from Avast today.
So I am just skeptical about the problem.
What do you say?
I am wondering whether it was a false positive that has now been corrected. Could you monitor for a little longer?
Well, I was wrong. >:(
This problem still exists. It was only a matter of time before it popped up again, and I am getting the same problem now again and again.
Please provide a solution.
Hmm, this is one little blighter. Does it occur with all browsers?
Please RIGHT-CLICK HERE and Save As (in IE it’s “Save Target As”, in FF it’s “Save Link As”) to download Silent Runners.
[*]Save it to the desktop.
[*]Run Silent Runner’s by doubleclicking the “Silent Runners” icon on your desktop.
[*]You will receive a prompt:
Do you want to skip supplementary searches?
click NO
[*]If you receive an error, just click OK and double-click it to run it again; sometimes it won't run as it's supposed to the first time but will in subsequent runs.
[*]You will see a text file appear on the desktop; it's not done, let it run (it won't appear to be doing anything!).
[*]Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
NOTE If you receive any warning message about scripts, please choose to allow the script to run.
Here is the attached log file of Silent Runners, which you asked me to run. The file contents are way too long, so I am attaching the file rather than pasting its contents here.
The only thing I notice now is that the frequency of the "blocking malicious URL connection" pop-ups has considerably decreased.
I also tried to trace the IP where the connection is being made (as the Avast pop-up shows while blocking), and it came out to be somewhere in the US.
Yes, I backtracked it to the east coast. Bear with me here; I am trying a few different solutions in other threads.