URL:Blacklist every 11 minutes and 1 second

Hi, this is my first time using the forum but I’m not an inexperienced PC user. Either way, Avast keeps detecting a threat and stopping the connection (as seen in the image). This occurs once every 11 minutes and 1 second. I’ve tried doing Avast full scan, boot scan, explorer scan etc. I’ve uninstalled Google Chrome and deleted all folders associated with it but the threat still persisted. I used Malwarebytes, Adaware and adwcleaner, but all found nothing. I’ve included a screenshot of my logs for the ‘Webshield’. Hopefully, one of you can help me. By the way this issue started this morning.

Please attach your screenshot(s), some of us don’t follow external links. :wink:

Ah, I didn’t see the option for attachments earlier. My bad. Hopefully, this is better now.

Hi Adach,

Destination is not just flagged by avast webshield.
The address is also flagged as a malicious website (High Fraud risk) by other engines,
see: https://www.virustotal.com/gui/url/edb20ebbc443d1c7613f535c3644ba652d4d6762809348bb6e8a4b799238a32e/detection

Cannot be reached and scanned, that is probably why webshield tries to reconnect:
https://sitecheck.sucuri.net/results/m.msz.su/1.reg Ukrainian abuse → https://scamalytics.com/ip/139.28.38.1
However, do you use it as an anonymizing VPN? That would declare much. (-139.28.38.1.deltahost-ptr)
https://urlscan.io/result/af886474-7e1d-47ae-9784-6845feb98726/ (no classification for this freehost address).

Wait for a final verdict by one of avast’s team members, as they are the only ones to eventually un(b)lock,
we here are just user/volunteers with relevant knowledge in the field of website security.

You could report an alleged FP from inside the webshield alert screen.

Have a nice day,

polonus (3rd party cold recon website security analyst and website error-hunter)

Thanks for the reply polonus,

The only VPN I used was Avast SecureLine and I do not remember ever switching to a Ukrainian IP address. What you said makes sense but I’m confused about how I got it. I left my PC on for the night and the only thing I remember having open was Twitch.tv. When I woke up Avast started blocking the connection to the above mentioned website/link. I do hope that it’s a false positive, but it seems odd that it keeps trying to reconnect every 11 minutes. I don’t know if this is a file on my computer or what, because I’ve checked for that (maybe I missed it).

Anyways, thanks for the help, I’ll wait for an Avast team member to confirm or deny if this is a FP

@ Adach

Seeing your second attached image (Details information), the process responsible for the connection is c:\windows\system32\svchost.exe and this in itself is suspicious.

Whilst this windows process has legitimate reasons to connect to the internet, to be visiting a site like this is very unusual. More so given the information given in polonus’s post above.

There is a possibility that there is an undetected/hidden piece of malware on your system using svchost.exe to connect to the internet. This is not an area that I’m qualified in so it would require analysis by a qualified malware removal specialist. Though it is strange that Avast or any of the other scans that you have run detect anything.

Clutching at a straw here (given the specific time frame of the attempts to connect), do you have any unknown Scheduled Tasks in Windows?
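The two leads in the post above (a periodic connection attributed to svchost.exe, and the question of an unknown scheduled task) can be checked together from an elevated PowerShell prompt. The script below is an added example for readers of this thread, not code from the original posts or from Avast. It assumes Windows 8 / Server 2012 or later (for Get-ScheduledTask and Get-NetTCPConnection), a hypothetical file name Triage-PeriodicConnection.ps1, and a placeholder parameter -SuspectPid for the process ID shown in the alert’s Details pane; the 11 min 1 s interval is the cadence reported in this thread.

```powershell
<#
  Added example (not from the thread or from Avast). Triage helper for a
  periodic outbound connection attributed to svchost.exe.
  Assumptions: Windows 8 / Server 2012 or later, elevated PowerShell.
  -SuspectPid is a placeholder for the PID shown in the alert's Details pane.
#>
param(
    [int]$SuspectPid = 0,                                  # 0 = skip the svchost/service mapping
    [timespan]$Interval = [timespan]::Parse('00:11:01'),   # alert cadence reported in the thread
    [int]$ToleranceSeconds = 5
)

# 1. Flatten every scheduled task into one row per action, keeping the
#    repetition interval of each trigger (ISO 8601 duration, e.g. PT11M1S).
$rows = foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    $repeats = @(foreach ($trigger in $task.Triggers) {
        if ($trigger.Repetition -and $trigger.Repetition.Interval) {
            [System.Xml.XmlConvert]::ToTimeSpan($trigger.Repetition.Interval)
        }
    })
    foreach ($action in $task.Actions) {
        [pscustomobject]@{
            Task      = $task.TaskPath + $task.TaskName
            State     = $task.State
            Author    = $task.Author
            Repeats   = $repeats
            Execute   = $action.Execute        # $null for COM-handler actions
            Arguments = $action.Arguments
        }
    }
}

# 2. Flag rows worth a closer look. These are leads, not verdicts: Windows ships
#    many legitimate periodic tasks, and a NotSigned result on a Windows binary
#    can be a catalog-lookup quirk rather than tampering.
$systemDirs = '^[A-Z]:\\(Windows|Program Files( \(x86\))?)\\'
$findings = foreach ($row in $rows) {
    $reasons = @()
    foreach ($r in $row.Repeats) {
        if ([math]::Abs(($r - $Interval).TotalSeconds) -le $ToleranceSeconds) {
            $reasons += "repeats every $r (matches alert cadence)"
        }
    }
    if ($row.Execute) {
        $exe = [Environment]::ExpandEnvironmentVariables($row.Execute).Trim('"')
        if ($exe -and -not [IO.Path]::IsPathRooted($exe)) {
            $cmd = Get-Command $exe -ErrorAction SilentlyContinue   # resolve bare names via PATH
            if ($cmd) { $exe = $cmd.Source }
        }
        if ($exe -and -not (Test-Path -LiteralPath $exe -PathType Leaf)) {
            $reasons += "executable not found: $exe"
        } elseif ($exe) {
            if ($exe -notmatch $systemDirs) {
                $reasons += "runs from outside Windows/Program Files: $exe"
            }
            $sig = Get-AuthenticodeSignature -LiteralPath $exe
            if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }
        }
    }
    if ($reasons) {
        $row | Add-Member -NotePropertyName Reasons -NotePropertyValue ($reasons -join '; ') -PassThru
    }
}

# 3. Map the PID from the alert to the services hosted in that svchost.exe
#    instance and to its current TCP connections. A service that is not a
#    built-in Windows service, or a remote address matching the flagged host,
#    is what to hand to the malware-removal specialist.
$hosted = $null; $conns = $null
if ($SuspectPid -gt 0) {
    $hosted = Get-CimInstance Win32_Service -Filter "ProcessId = $SuspectPid" |
              Select-Object Name, DisplayName, StartMode, PathName
    $conns  = Get-NetTCPConnection -OwningProcess $SuspectPid -ErrorAction SilentlyContinue |
              Select-Object RemoteAddress, RemotePort, State
}

[pscustomobject]@{
    SuspiciousTasks = @($findings)
    HostedServices  = @($hosted)
    Connections     = @($conns)
}
```

Run it as `.\Triage-PeriodicConnection.ps1 -SuspectPid <PID from the alert> | Format-List` at the moment the alert fires, so the connection is still open. A task whose repetition interval lines up with the alert cadence, or whose action runs from a user-writable folder, is the thing to attach to the log request later in this thread; the script deliberately reports and does not delete anything.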

@DavidR

I’ve used ‘autoruns’ to check my scheduled tasks (I’m assuming this is what you referred to). I found a string of unverified files. I don’t know if this is normal:

I generally just use the Windows key and type Task Scheduler; before you finish typing it should offer it as an option. So I don’t know if this is pulling information from the same source.

I also use WinPatrol Plus and that has a section for scheduled tasks.

Your image doesn’t show any that use the svchost.exe function.

I never looked into Task Scheduler. Honestly, I didn’t even know it was a thing. I opened it but I’m not sure what to look for. I’m guessing it’d be easier if I was familiar with it. I displayed all running tasks and it showed me 4 unavailable ones. I attached a screenshot but I doubt this has any relevance.

I also checked active tasks but I didn’t see anything that would line up with the last time Avast blocked the threat. I might wait to see if anything pops up at the time when Avast blocks the connection.

My image wasn’t that clear as the first option thrown up in the list was Task Manager when it is the Task Scheduler where I thought it might be.

But in reality this needs to be looked at by a malware removal specialist.

Any idea how I could get hold of a malware removal specialist?

Ordinarily we used to have a few regular members who are qualified, but since we actually don’t see many true malware infections in the forums they aren’t as regular visitors.

Go to this topic https://forum.avast.com/index.php?topic=194892.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.

  • There may be some delay due to differing time zones and availability of the volunteer malware removal specialists. Plus what I mentioned about regularity of visits.

I’ll give it a shot. Here are the logs. Thanks for helping me out so far.

You’re welcome.

EDIT, can you run the MBAM scan again and also attach that log.

Thanks, and done.

No problem, I have tried to attract some attention to this topic, but I don’t know how effective that will be.

Wow, thank you so much! If it comes to it I’ll just clean reinstall Windows, although I’d rather wait a bit and see if anyone can help me first.

Hopefully it will be fruitful.

So, I got a bit impatient and clean reinstalled Windows. Truth be told, my previous Windows was from a few years ago and it was pre-activated, meaning that some Windows files were tampered with, and I assume it wouldn’t be too difficult to set up a script in the registry to try and connect me to a malicious website that doesn’t exist anymore. I recently upgraded some of my hardware so I did a clean reinstall but used the above mentioned pre-activated Windows since I didn’t have a key. I assume the activation of the malicious connection was delayed (because I had no threat pop-ups for the first few days).

Of course, those are all assumptions, so I’ll respond back here if history repeats itself (although I have an actual official clean Windows this time). Hopefully my logs from earlier can be of some use.

I can understand the urgency and the drip, drip, drip of the 11min 1sec alerts, to get it resolved quickly.