Author Topic: Not sure what's going on  (Read 6559 times)


Wafflay

  • Guest
Not sure what's going on
« on: August 04, 2010, 04:46:11 AM »
Lately, there have been multiple popups which say a malicious URL has been blocked. Normally, if it's just once, I'd ignore it; today, it has happened every 10 minutes or more, from the same process. The URL sometimes changes but it's basically the same; by that I mean, the same 213.174.blahblahblah. I'm not sure what to do but currently, I'm running a full scan. Thoughts?

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3695
  • If at first you don’t succeed; call it version 1.0
Re: Not sure what's going on
« Reply #1 on: August 04, 2010, 05:04:25 AM »
Thoughts are that Avast has blocked a malicious URL.
That it is happening repeatedly suggests your firewall is possibly not configured correctly, or that possibly malware on the computer is attempting to connect out to that site.

Let us know what the scan turns up.
What firewall do you use?
Also scan with MBAM www.malwarebytes.org
Download and install the free version, update it and run a quick scan, just to be sure.
Windows 10,Windows Firewall,Firefox w/Adblock.

Dch48

  • Guest
Re: Not sure what's going on
« Reply #2 on: August 04, 2010, 05:28:57 AM »
IP Information - 213.174.149.103
IP address:                     213.174.149.103
Reverse DNS:                    [No reverse DNS entry per ns1.advancedhosters.com.]
Reverse DNS authenticity:       [Unknown]
ASN:                            39572
ASN Name:                       ADVANCEDHOSTERS-AS (ADVANCEDHOSTERS LIMITED)
IP range connectivity:          1
Registrar (per ASN):            RIPE
Country (per IP registrar):     UA [Ukraine]
Country Currency:               Unknown
Country IP Range:               213.174.128.0 to 213.174.159.255
Country fraud profile:          High
City (per outside source):      Unknown
Country (per outside source):   -- []
Private (internal) IP?          No
IP address registrar:           whois.ripe.net
Known Proxy?                    No
Link for WHOIS:                 213.174.149.103

I'm not sure if that helps but at least it shows where they're located.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: Not sure what's going on
« Reply #3 on: August 04, 2010, 06:00:15 AM »
There would appear to be something either hidden or undetected on your system that is maliciously using svchost to connect to the internet. The svchost file is normally only used for Windows updates, so it looks like it is being misused; hopefully MBAM may dig up something.

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Wafflay

  • Guest
Re: Not sure what's going on
« Reply #4 on: August 04, 2010, 06:46:13 AM »
I'm just using the regular windows firewall... Heh, I'll do a full MBAM scan once the avast one is done.

Here's the results for the avast scan, I'm hoping by deleting them it'll solve the problem.
« Last Edit: August 04, 2010, 07:13:11 AM by Wafflay »

SafeSurf

  • Guest
Re: Not sure what's going on
« Reply #5 on: August 04, 2010, 09:40:31 AM »
Now run an MBAM scan.

Check your computer for malware with Malwarebytes’ Anti-Malware (MBAM).
  • Download free http://www.malwarebytes.org/ for an on-demand scanner.
  • Double-click mbam-setup.exe to install the application.
  • After install, click update so you have the latest database before scanning.
  • Under Settings:
    • General: Automatically Save File After Scan Completes is checked off
    • Scanner Settings: Check all boxes
    • Updater: Download and install update if available is checked off
  • Once the program has loaded, select "Perform FULL Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the disinfection scan is complete, a log will appear in Notepad and you may be prompted to Restart. (See Extra Note).
  • Click the “remove selected” button to quarantine anything found. You will find the infection details under the Quarantine tab.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts -- Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Also please let us know in your next post what your OS is, 32 or 64-bit, any other security software on your machine (both current and previous), what version of Avast you are running (Free, Pro, AIS), and what version (5.0.594 is the latest). Thanks.

Offline DavidR

Re: Not sure what's going on
« Reply #6 on: August 04, 2010, 03:07:55 PM »
> I'm just using the regular windows firewall... Heh, I'll do a full MBAM scan once the avast one is done.
>
> Here's the results for the avast scan, I'm hoping by deleting them it'll solve the problem.

That is a promising start. Presumably you clicked the Apply button and they should have been moved to the chest; you can check via the avastUI, Maintenance, Virus Chest.

The syssvc.exe is one that I think may have a hand in this, as it is almost tempting to compare it with Windows naming conventions to equate to system (sys) service (svc), so I don't know if that is somehow using svchost to connect, but that is very much speculation. So the sooner you run the other scan the better.

The Windows firewall is primarily set to protect from inbound attacks (XP's doesn't have outbound protection at all, Vista and Win7 don't have outbound checking enabled by default), so there is nothing stopping malicious/unauthorised outbound connections. Any malware that happens to get past your defences is effectively free to try and download more malware and/or transmit information from your system.
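
Added example (not part of any forum post, and not Avast's or any poster's code): one way to see which process owns the outbound connections discussed in this thread is to match saved `netstat -ano` output against the 213.174.128.0 to 213.174.159.255 range quoted in Reply #2 and join the PID with `tasklist /svc` output. The sample outputs, PIDs, local addresses and service lists below are constructed for illustration, and the function names are hypothetical.

```python
import ipaddress
import re

# Address range quoted in Reply #2 of the thread, collapsed into CIDR blocks.
FLAGGED = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("213.174.128.0"), ipaddress.ip_address("213.174.159.255")))

# Constructed sample output; not taken from the poster's machine.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    192.168.1.10:1045      213.174.149.103:80     ESTABLISHED     1040
  TCP    192.168.1.10:1051      213.175.1.9:80         ESTABLISHED     1040
  TCP    192.168.1.10:1047      192.0.2.25:443         ESTABLISHED     2216
  UDP    0.0.0.0:445            *:*                                    4
"""
TASKLIST = """\
Image Name                   PID Services
========================= ====== =============================
svchost.exe                  932 RpcSs
svchost.exe                 1040 AudioSrv, BITS, wuauserv
firefox.exe                 2216 N/A
"""

def parse_tasklist(text):
    """Map PID -> (image name, hosted services) from `tasklist /svc` output."""
    procs = {}
    for line in text.splitlines():
        # Header, separator and wrapped continuation lines do not match.
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(.+)$", line)
        if m:
            procs[int(m.group(2))] = (m.group(1), m.group(3).strip())
    return procs

def flagged_connections(netstat_text, tasklist_text):
    """Return (pid, image, services, remote) for TCP peers inside FLAGGED."""
    procs = parse_tasklist(tasklist_text)
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue  # skip the header and UDP rows (no state column)
        host, _, port = parts[2].rpartition(":")
        try:
            addr = ipaddress.ip_address(host.strip("[]"))
        except ValueError:
            continue  # wildcard or unparsable foreign address
        if any(addr in net for net in FLAGGED):
            image, services = procs.get(int(parts[4]), ("unknown", ""))
            hits.append((int(parts[4]), image, services, f"{addr}:{port}"))
    return hits
```

A hit names the specific svchost.exe instance and the services it hosts, which narrows down where to look when a scanner reports nothing.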

manofkent

  • Guest
Re: Not sure what's going on
« Reply #7 on: August 04, 2010, 04:10:46 PM »
I'm getting the same problem as Wafflay. I ran a quick MBAM scan this morning but found nothing. I'm currently doing an Avast scan of the entire documents and settings folder.

Offline DavidR

Re: Not sure what's going on
« Reply #8 on: August 04, 2010, 04:21:32 PM »
It would be best to start your own new topic so as not to confuse this one. There you can post the information about your OS, avast version, file name and location relating to the alert (much as it is in this topic) and we will try to help.

Scanning just the documents and settings folder is not advisable; it should be a full system scan or even schedule a boot-time scan.

Wafflay

  • Guest
Re: Not sure what's going on
« Reply #9 on: August 04, 2010, 06:12:32 PM »
I found nothing with the MBAM scan.
I'm not sure if this is what you wanted me to copy-paste.
My OS is Windows, 32-bit, I currently have Spybot-SD Resident and PC Tools Spyware Doctor running along with Avast!, the free version, and it's the latest version, 5.0.594.

Malwarebytes' Anti-Malware 1.30
Database version: 1401
Windows 5.1.2600 Service Pack 3

8/4/2010 11:19:14 AM
mbam-log-2010-08-04 (11-19-14).txt

Scan type: Full Scan (C:\|)
Objects scanned: 293945
Time elapsed: 2 hour(s), 40 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
« Last Edit: August 04, 2010, 06:17:31 PM by Wafflay »

Offline DavidR

Re: Not sure what's going on
« Reply #10 on: August 04, 2010, 06:38:34 PM »
It is possible that this might be hidden by a rootkit, so you could try this anti-rootkit tool:
-- GMER Anti-Rootkit
GMER Rootkit Scanner - Download - Homepage
  • Download GMER
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Please copy and paste the report into your Post.

Wafflay

  • Guest
Re: Not sure what's going on
« Reply #11 on: August 04, 2010, 07:32:13 PM »
Alright, I'll try that.

SafeSurf

  • Guest
Re: Not sure what's going on
« Reply #12 on: August 05, 2010, 07:47:15 AM »
> I currently have Spybot-SD Resident and PC Tools Spyware Doctor running along with Avast!, the free version, and it's the latest version, 5.0.594.

If the GMER Rootkit Scanner comes back clean, we have seen multiple problems with Spybot SD conflicting with Avast, so you may want to uninstall this. With PC_Tools SWDoctor, did you install the AV part with it, as this will also conflict with Avast?

Wafflay

  • Guest
Re: Not sure what's going on
« Reply #13 on: August 05, 2010, 08:23:34 PM »
I ran GMER, however my computer restarted for some reason while I was sleeping and I didn't look at the results yet. I think my computer is fine now; there haven't been any popups concerning the problem I was having so far.

SafeSurf

  • Guest
Re: Not sure what's going on
« Reply #14 on: August 06, 2010, 09:30:05 AM »
Make sure your Avast definitions are up to date and run a Boot-time scan and a Quick scan to be sure.

> With PC_Tools SWDoctor, did you install the AV part with it as this will also conflict with Avast?

Awaiting your answer.

> The windows firewall is primarily set to protect from inbound attacks (XP's doesn't have outbound protection at all, Vista and Win7 don't have outbound checking enabled by default), so there is nothing stopping malicious/unauthorised outbound connections. Any malware that happens to get past your defences is effectively free to try and download more malware and or transmit information from your system.

For better security, you should install a third-party firewall (FW). Several have been suggested on the forum that do not conflict with Avast, such as Online Armor; PC_Tools_Plus; Comodo (D+ without AV); Outpost. Others have mentioned conflicts with Ashampoo and some with ZA.