webshield alerting Script:SNH-gen [Trj]

Hello,

Since July 12 I’ve been occasionally seeing alerts from Avast regarding Script:SNH-gen [Trj] with this message:

Threat blocked: We've safely aborted connection on www.whereisip.net because it was infected with Script:SNH-gen [Trj]

I’ve confirmed that the message is coming from the webshield as the same alerts are mentioned in the C:\ProgramData\AVAST Software\Avast\report\WebShield.txt file.
At first I assumed it was from some site I browsed, but I don’t know which as I didn’t see the alert from Avast until later in the day because I had it running in silent mode.

Some days I don't see the alert at all, and sometimes I see it right after booting up. For example, last night I went to bed running an Avast boot-time scan. The scan found nothing, but I saw that Avast had 3 more instances of the same alert after the scan completed and the reboot to Windows happened, and there was no web browser open.

I've read through your instructions and run Malwarebytes and FRST, and I've attached the logs. FRST didn't seem to find anything; its logs were empty? MB didn't appear to find anything either. I'm thinking this might be a false positive, but I have no idea what app is trying to connect to www.whereisip.net, as Avast doesn't tell me that.

Thank you.

FRST didn't seem to find anything; its logs were empty?
If empty, you probably did it wrong. FRST will not find anything; it is a diagnostic tool for experts and you need to know how to read it.

Anyway, none of the malware experts listed in the sticky post at the top work here anymore, so if you want a check I recommend the Malwarebytes forum: https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/

Not sure what went wrong with FRST the first time, but I just ran it again and it populated the logs this time. Anyway, Pondus, thank you for letting me know to go to Malwarebytes instead, and for getting back to me quickly!

Cheers!

It is the redirects that are being alerted on:
Redirects to-http://www.whereisip.net/mtm/direct/.eJwdirEKgDAMBf8lszR7f0aKRNvBtiQpGcR_9-F2x91DSxtlYtqo6GVAkMopKgqp7tMys60DY-riyHWY773cgiEiUlTczdr8-_sBYeUcDQ:1m67ag:9eAqLOK6IxF_VmfmZNba4Vg1st0/1
Redirects to-http://www77.whereisip.net
Redirects to-http://www1.whereisip.net/?tm=1&subid4=1626856111.0032669327&kw=Chat&KW1=Ip Tracking Software&KW2=Webcams&KW3=Chat Room Software&KW4=Private Video Sharing Platform&KW5=Sexy File Sharing Service&searchbox=0&domainname=0&backfill=0

Also, a hacking attempt took place from that Richardson, Texas IP: https://www.abuseipdb.com/check/173.255.194.134

polonus

Hello again,

Thanks for your response Polonus.

I believe I figured out what the problem is. I was running Avast in silent mode, and it appears silent-mode alerts don't provide some of the useful information Avast normally provides when it is not running in silent mode. Yesterday I reproduced the alert with silent mode turned off, and it indicated that the offending app trying to reach out to www.whereisip.net was C:\Program Files\Windows Sidebar\sidebar.exe.

I use the sidebar application to display various monitors, and one of them is a network monitor that displays my current IP address; I believe the network monitor in particular is the culprit. I don't think it's infected with anything; I'm just thinking that it is using www.whereisip.net to determine my external IP address, which in turn sets off Avast because it has that domain blacklisted. Anyway, I turned off that monitor yesterday, and so far there has been no recurrence, although I won't be fully confident until more time passes with no more of these alerts.

Thanks for your help!
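The open question in the first post, which program is connecting to www.whereisip.net when the silent-mode alert does not say, can also be answered without the AV's help by attributing the connection to its owning process. The script below is an added example and is not code from this thread or from Avast. It assumes Windows 8 / Server 2012 or newer (for Get-NetTCPConnection and Resolve-DnsName) and an elevated PowerShell session; the host list is taken from the alert and the redirect targets quoted above, and the watch duration is an assumed value.

```powershell
# Added example, not code from the thread or from Avast: watch for outbound TCP connections
# to the hosts named in the alert and report the process that owns each one.
# Assumes Windows 8 / Server 2012 or newer (Get-NetTCPConnection, Resolve-DnsName) and an
# elevated PowerShell session so that the image path is readable for every PID.

# Hosts that appear in the thread: the alerted domain plus the redirect targets.
$TargetHosts  = @('www.whereisip.net', 'www77.whereisip.net', 'www1.whereisip.net')
$WatchSeconds = 120   # assumption: long enough to catch one poll from a periodic gadget

# Connections are recorded by IP address, so resolve every host up front.
$targetIps = foreach ($h in $TargetHosts) {
    $records = Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue
    if (-not $records) { Write-Warning "Could not resolve $h"; continue }
    $records | Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress }
}
$targetIps = @($targetIps | Sort-Object -Unique)
if ($targetIps.Count -eq 0) { throw 'No target addresses resolved; nothing to watch.' }
Write-Host "Watching $WatchSeconds s for connections to: $($targetIps -join ', ')"

$seen     = @{}
$deadline = (Get-Date).AddSeconds($WatchSeconds)
while ((Get-Date) -lt $deadline) {
    # Poll quickly: Avast aborts the connection, so the socket may exist only briefly.
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $targetIps -contains $_.RemoteAddress } |
        ForEach-Object {
            $key = '{0}:{1}:{2}' -f $_.OwningProcess, $_.RemoteAddress, $_.RemotePort
            if ($seen.ContainsKey($key)) { return }   # report each connection once
            $seen[$key] = $true
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                Time    = Get-Date -Format 'HH:mm:ss'
                Pid     = $_.OwningProcess
                Process = if ($proc) { $proc.ProcessName } else { '<exited>' }
                Path    = if ($proc) { $proc.Path } else { $null }
                Remote  = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
                State   = $_.State
            }
        }
    Start-Sleep -Milliseconds 250
}
```

Start the script, then re-enable whatever you suspect (here the network-monitor gadget) and wait for its next poll. Going by the last post, the Path column should show C:\Program Files\Windows Sidebar\sidebar.exe; any other image would be the thing to take to the Malwarebytes forum linked above. Two caveats: all gadgets run inside sidebar.exe, so the owning process tells you the host, not which gadget, and the gadget still has to be found by disabling them one at a time as the poster did; and because Avast tears the connection down, a 250 ms poll can miss it, in which case Sysmon Event ID 3 (NetworkConnect), which records Image and DestinationHostname for every connection, is the more reliable record.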