Since July 12 I’ve been occasionally seeing alerts from Avast regarding Script:SNH-gen [Trj] with this message:
Threat blocked
We've safely aborted connection on www.whereisip.net because it was infected with Script:SNH-gen [Trj]
I’ve confirmed that the message is coming from the webshield as the same alerts are mentioned in the C:\ProgramData\AVAST Software\Avast\report\WebShield.txt file.
At first I assumed it was from some site I browsed, but I don’t know which as I didn’t see the alert from Avast until later in the day because I had it running in silent mode.
Some days I don’t see the alert at all, and sometimes I see the alert right after booting up. For example, last night I went to bed running an Avast boot-time scan. The scan found nothing, but I saw that Avast had 3 more instances of the same alert again after the scan completed and the reboot to Windows happened; there was no web browser open.
I’ve read through your instructions and run MalwareBytes and FRST, and I’ve attached the logs. FRST didn’t seem to find anything; its logs were empty? MB didn’t appear to find anything either. I’m thinking this might be a false positive, but I have no idea what app is trying to connect to www.whereisip.net, as Avast doesn’t tell me that.
Not sure what went wrong with FRST the first time, but I just ran it again and it populated the logs this time. Anyway Pondus, thank you for letting me know to go to MalwareBytes instead now, and for getting back to me quickly!
I believe I figured out what the problem is. I was running Avast in silent mode, and it appears silent mode alerts don’t provide some of the useful information Avast normally provides when not running silent. Yesterday I reproduced the alert while silent mode was turned off, and it indicated the offending app trying to reach out to www.whereisip.net was C:\Program Files\Windows Sidebar\sidebar.exe.
I use the sidebar application to display various monitors, and one of them is a network monitor that displays my current IP address; I believe the network monitor in particular is the culprit. I don’t think it’s infected with anything; I’m just thinking that it is using www.whereisip.net to determine my external IP address, which in turn sets off Avast because it has that domain blacklisted. Anyway, I turned off that monitor yesterday and so far there has been no recurrence, although I won’t be fully confident until some more time passes with no more of these alerts.
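The step that resolved the thread above was attributing the blocked connection to a process, which the silent-mode alert did not show. That attribution can also be done without relying on the antivirus alert at all, by watching which process owns a TCP connection to the flagged host. The script below is an added example and is not code from the original posts or from Avast. It uses only netstat and .NET DNS resolution, so it also works on Windows 7 (where the Sidebar lives and Get-NetTCPConnection is not available); the host name, polling duration and interval are illustrative parameters, and the function name Find-ConnectionOwner is this example's own.

```powershell
function Find-ConnectionOwner {
    param(
        [string]$HostName = 'www.whereisip.net',   # host named in the web shield alert
        [int]$Seconds = 120,                        # how long to keep polling
        [int]$IntervalMs = 500                      # short interval so a brief HTTP check is still caught
    )

    # The web shield reports a host name, but netstat shows addresses, so resolve once up front.
    # If the name resolves to several addresses, every one of them is matched below.
    $targets = [System.Net.Dns]::GetHostAddresses($HostName) |
        ForEach-Object { $_.IPAddressToString }
    Write-Host ("Watching for TCP connections to {0} ({1}) for {2}s" -f $HostName, ($targets -join ', '), $Seconds)

    $seen = @{}
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        # netstat -ano lists numeric endpoints plus the owning PID and needs no elevation
        foreach ($line in (netstat -ano | Where-Object { $_ -match '^\s*TCP\s' })) {
            $fields = $line.Trim() -split '\s+'
            if ($fields.Count -lt 5) { continue }
            # Columns: Proto  Local Address  Foreign Address  State  PID
            # Strip the port, then the brackets netstat puts around IPv6 addresses.
            $remoteIp = $fields[2] -replace ':\d+$', '' -replace '^\[(.*)\]$', '$1'
            if ($targets -notcontains $remoteIp) { continue }

            # $pid is a reserved automatic variable in PowerShell, so use another name
            $ownerPid = [int]$fields[4]
            $key = "$ownerPid|$($fields[2])|$($fields[3])"
            if ($seen.ContainsKey($key)) { continue }   # report each connection once
            $seen[$key] = $true

            # Map the PID to an image. .Path is $null for System/Idle, and for other
            # users' processes unless the prompt is elevated.
            $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            $procName = '<exited>'
            $procPath = $null
            if ($proc) { $procName = $proc.ProcessName; $procPath = $proc.Path }

            New-Object PSObject -Property @{
                Time    = Get-Date -Format 'HH:mm:ss'
                Remote  = $fields[2]
                State   = $fields[3]
                PID     = $ownerPid
                Process = $procName
                Path    = $procPath
            } | Select-Object Time, Process, PID, Remote, State, Path
        }
        Start-Sleep -Milliseconds $IntervalMs
    }
}

# Usage: run from an elevated prompt, then wait for the gadget's next IP check (or re-enable it)
Find-ConnectionOwner -HostName 'www.whereisip.net' -Seconds 120 | Format-Table -AutoSize
```

Two caveats a practitioner would want: a connection the web shield aborts immediately may not survive a 500 ms polling gap, in which case a kernel-level record such as Sysmon's network-connection events (Event ID 3, which logs the image path for every outbound connection) is the more reliable source; and a match on sidebar.exe only tells you which host process made the request, so in a gadget setup like the one above you still have to work out which gadget inside it issued the lookup, for example by disabling them one at a time as the poster did.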