URL:Mal to http://208.91.196.4/?dn with IE 11

Hi

When I use IE, Avast says it has stopped a URL:Mal to http://208.91.196.4/?dn; Chrome seems to be fine. MBAM does not seem to have fixed it. Any assistance would be appreciated; attached are the MBAM, OTL, Extra and aswMBR logs.

Thanks

You could also monitor this topic - http://forum.avast.com/index.php?topic=147374.0 - as this appears to be IE11 Enhanced Protection related.

  • So there may not be anything actually on the system, it appears to be the Enhanced Protection module in IE11 checking that IP address (which avast considers malicious).

Hopefully one of the malware removal specialists can take a look at your logs.

Hi,

I see you have run ComboFix. Read this:
http://www.techsupportforum.com/1829551-post6.html
http://www.bleepingcomputer.com/forums/topic273628.html

Post me the C:\ComboFix.txt log report.

This is the same issue that DavidR’s URL is referencing. The issue doesn’t exist until you update avast to the definitions starting from yesterday afternoon. Appears to be a false positive. Just report it as such.

It rather depends on what that IP address is; new sites/IPs would be constantly added/updated in the auto/streaming updates. Which doesn’t clearly mean it is an FP, just that it has just started, sites and hosts can get hacked. Plus we don’t know what it is during your browsing that is trying to access that IP address (and why) that triggers the Enhanced Protection module in IE11.

Edit: attached whois image

Sorry, my bad, please find attached.

Thanks guys for the other link, glad it is not just me. To be fair I was pretty sure I had not updated/installed anything or seen anything that was a bit dodgy, so it is logical that it is a new vulnerability that has been detected. I think it is wise to stick to using Chrome for a while until there is a patch or something for IE.

In the meantime also consider this info I have for you concerning the IP you mentioned.

Well most malware from that IP now seems to be dead: 208.91.196.4/
Historical threats from that IP were classified as Parasites, danger level 1; AlienVault, danger level 4, PhishTank, danger level 1.
ETPRO TROJAN Pagesinxt Malicious Redirect IDS alert given for IP also.

polonus

First I would attach the combofix log requested by ‘magna86’ (Malware Removal Specialist), if confirmation only that it found nothing, etc.

If you want to use IE11, you could presumably disable the Enhanced Protection module/function.

The issue for me is why, during the course of normal browsing, some site you were visiting is/was trying to access that IP address.

I defined what the IP address is in my thread…

The IP address in my screenshot is:
http://208.91.196.4/?dn=enhancedprivacy.eu&pid=7PO84Q7C6

If you go into the Privacy list addons in IE > Get more tracking lists > click on Enhanced Privacy List, this particular privacy list’s URL is (as listed on Microsoft):
http://www.searchremagnified.com/?dn=enhancedprivacy.eu&pid=7PO84Q7C6

Per http://netiplist.com/domain/searchremagnified.com
searchremagnified = 208.91.196.4 in the British Virgin Islands

The Avast pop ups can be stopped by going into IE11 > manage add ons > tracking protection > and removing the enhanced eu item (won’t work if you just disable it, you have to remove it).

The only real question on this is… is it normal for tracking lists to call home while surfing (which it would have to be because they need to update) and/or did something occur with the website to cause this… As far as I can tell since it’s a tracking list trusted by Microsoft my first inclination is that is a FP by Avast.

Either way it’s not a virus on the OP’s, or my, computers. It’s an Avast / Enhanced EU Website issue.

This is the log from the second run. I need to see the log created from the first CF run.

Post the contents of the following files:

ComboFix-quarantined-files.txt
ComboFix1.txt or/and ComboFix2.txt

These are located in the folder C:\Qoobox\

To get the issue to occur all I have to do is open IE (even with the no add-in option makes no difference) and let it sit at my home page of Google for about 10 seconds and AV will say there is the issue. If I watch the ports, I can see that iexplorer.exe opens a port to this public IP address via port 80. So it is not a website issue because I have not ever searched for anything by this time and it goes wrong. So it must be something iexplorer.exe is doing, either iexplorer.exe is bad in some way (don’t think so as I have reinstalled) or it is something that IE is doing by design (but only when configured to do so, i.e. enhanced protection).

So as dprout69 says, I think it is the enhanced protection which is updating its lists on a regular basis to a trusted site which is now infected with something; when IE tries to do this Avast intercepts the bad traffic and saves the day. So the site admins need to fix their outbreak and then it will be ok.
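The port-watching step in the post above can be made repeatable. The following is an added example, not code from anyone in this thread: it parses Windows `netstat -ano` output, joins each row to its owning process name (as `tasklist` would report it), and lists only the connections whose remote host is on a watchlist. The sample netstat text, the PID-to-process mapping and the non-watchlisted addresses are constructed for this example; the only real value is the 208.91.196.4 address from the thread. As the thread itself concludes, the output tells you which local process made the connection (here IE fetching its tracking-protection list), not whether the remote host is malicious.

```python
"""Attribute connections to a watch-listed remote IP to local processes."""
import re

# Constructed sample of `netstat -ano` output in Windows format.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    192.168.1.20:49810     208.91.196.4:80        ESTABLISHED     4120
  TCP    192.168.1.20:49811     173.194.40.99:443      ESTABLISHED     4120
  TCP    192.168.1.20:49815     208.91.196.4:80        TIME_WAIT       0
  UDP    0.0.0.0:5355           *:*                                    1044
"""

# Constructed PID -> image name mapping, as `tasklist` would report it.
SAMPLE_PROCESSES = {812: "svchost.exe", 4120: "iexplore.exe", 1044: "svchost.exe"}

# Remote hosts to report on; the IP below is the one discussed in the thread.
WATCHLIST = {"208.91.196.4"}

# One netstat row: proto, local, foreign, optional state (UDP has none), PID.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


def parse_netstat(text):
    """Yield one dict per connection row; header and blank lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # rpartition keeps the host intact even if it contained ':' (IPv6 in brackets).
        host, _, port = m.group("remote").rpartition(":")
        yield {
            "proto": m.group("proto"),
            "local": m.group("local"),
            "remote_host": host,
            "remote_port": port,
            "state": m.group("state") or "",
            "pid": int(m.group("pid")),
        }


def flag_watchlisted(netstat_text, processes, watchlist=WATCHLIST):
    """Return the rows whose remote host is on the watchlist, annotated with
    the owning process name. PID 0 (e.g. a TIME_WAIT leftover) has no owner
    and is labelled explicitly rather than dropped."""
    hits = []
    for conn in parse_netstat(netstat_text):
        if conn["remote_host"] not in watchlist:
            continue
        conn["process"] = processes.get(conn["pid"], "<no owning process>")
        hits.append(conn)
    return hits


def processes_contacting(netstat_text, processes, watchlist=WATCHLIST):
    """Sorted, de-duplicated process names that hold a connection to the watchlist."""
    return sorted({h["process"] for h in flag_watchlisted(netstat_text, processes, watchlist)})


if __name__ == "__main__":
    for h in flag_watchlisted(SAMPLE_NETSTAT, SAMPLE_PROCESSES):
        print(f'{h["process"]:<24} pid={h["pid"]:<6} -> '
              f'{h["remote_host"]}:{h["remote_port"]} {h["state"]}')
```

On a live host, pipe the real output in (`netstat -ano` for the connection table and `tasklist` for the PID-to-name mapping) instead of the constructed strings; the parser ignores the header lines either way.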

Sorry, I can only find the one log file, please find attached.

lol… avast saves the day…your bias is showing.

It could be one of two things… either the avast update yesterday afternoon was flawed or the website is actually infected but I stress this again, it just started with yesterday’s update.

pm see my post above… if u just go into manage add ons in IE and remove the enhanced eu list it will stop the pop ups (because IE will no longer try and update that list by calling home).

Agreed, in fact I have run a repair on IE11 and reset it back to an out of the box state which also removes all addons and TP lists etc (I used this http://support.microsoft.com/kb/923737).

At this point Avast and IE11 seemed happy again and everything worked as I would expect and could browse fine.

What was interesting is that if I try and add each of the TP providers from this link http://www.iegallery.com/trackingprotectionlists, each of them adds in fine apart from the 3rd one “Enhanced Privacy”; Avast stops this one and it does not even get added into the list in IE (an IE popup says try again later). So for sure Avast does not like it; if it is the site or a FP in Avast I don’t know, but it was fun tracking down the problem >:(

Thanks for all the help mind, much appreciated.

Hi,

You may wanna check what this folder holds:
c:\users\philip\.zenmap

Posted logs (aswMBR, OTL and CF) don’t show the malware presence.

The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:

  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore

Click the Run button and wait a few seconds until the programme completes its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

Btw, if I was you, I would reset IE to the default settings. Use google to see how to do it …

That one is ok, I downloaded nmap to make sure I did not have some open ports or something, see http://nmap.org/zenmap/.

That is good news, thanks.

Done, thanks

Yes, I did this yesterday (see my other post) and IE seems healthy since then.

Thanks for checking, much appreciated. Just glad it was not something serious.