Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: joesampson69 on November 01, 2021, 11:18:18 PM

Title: Threat blocked, how to find out what program or browser is trying to access web
Post by: joesampson69 on November 01, 2021, 11:18:18 PM
Over the last 3 days I keep getting notifications every 3 hours or so that Avast blocked a threat. "We've safely aborted connection on ..... because it was infected with Other:Malware-gen"
How can I find out what program or browser is trying to access this connection? I have looked in the history and it shows all the threats blocked but it does not show who or what was trying to make the connection. I have closed all programs, restarted, scanned with Avast and Malwarebytes and no problems found. I haven't noticed anything strange with my computer or its performance. 15+ years on the internet and never had a virus or any issues.
Title: Re: Threat blocked, how to find out what program or browser is trying to access web
Post by: Pondus on November 01, 2021, 11:24:03 PM
Quote
How can I find out what program or browser is trying to access this connection?
That info is usually on the popup message

Screenshots help

Title: Re: Threat blocked, how to find out what program or browser is trying to access web
Post by: joesampson69 on November 02, 2021, 12:59:10 AM
This is all the information I can see.
Title: Re: Threat blocked, how to find out what program or browser is trying to access web
Post by: Pondus on November 02, 2021, 01:06:39 AM
I don't use Avast anymore but it used to have a popup that said process

See screenshot here: https://forum.avast.com/index.php?topic=218384.msg1492541#msg1492541
Here you can see that Chrome is the process connecting

Have you tried to clear your browser surf history or turning off browser extensions?

Title: Re: Threat blocked, how to find out what program or browser is trying to access web
Post by: DavidR on November 02, 2021, 01:46:05 AM
The pop up that gives the process (used, browser in this case and location details of the malware) is the Avast Alert window (with the more details option selected). Once you have closed that alert window, the notification area gives only basic information.

@ joesampson69
Try checking the Web Shield log file, it may give more information than the Notification area.
Location: C:\ProgramData\AVAST Software\Avast\report\WebShield.txt
New entries are appended to the bottom of that report file.
Title: Re: Threat blocked, how to find out what program or browser is trying to access web
Post by: joesampson69 on November 03, 2021, 02:14:50 PM
Thanks for the help. I checked out the location you pointed out and found the webshield.txt file. It lists the same information that is listed in the image I posted (the same info that is in the main program - notifications/history).
I can't seem to find where (was it a browser or program and which one) the information is logged, if it is logged at all.

As far as the alerts and the balloon that would pop up, there isn't one anymore. I work at my computer for hours on end and sometimes the icon for the AVAST program (lower right hand side with all other running programs) that is orange will have a blue dot on it and that is what lets you know something is blocked. When I click on it, it only shows the basic info that I shared an image of.


Title: Re: Threat blocked, how to find out what program or browser is trying to access web
Post by: DavidR on November 03, 2021, 04:44:23 PM
1.  I was hoping it would have given additional information.

2.  The Avast Alert window is a one shot deal, unfortunately once closed it can't be viewed again.  So don't panic (avast has essentially frozen time) and immediately delete the alert window, click the more details option and take a screenshot.  That helps and there is also a unique identifier at the bottom that could help Avast.

Were you actually trying to connect to inkestyle.net  ?  (edit typo in domain)

Were you browsing at the time and if so that is the browser ?
If so, have you added any new (or updated any) add-ons ?
If not it could be a redirection from a site you are visiting
Title: Re: Threat blocked, how to find out what program or browser is trying to access web
Post by: joesampson69 on November 17, 2021, 03:22:47 PM
I was not trying to connect to the website. Something is trying to connect to it and I don't know what it is.
I will get a blue dot over the Avast icon located lower right hand side (system tray) next to time.  There is no popup or sound. When I click on the icon Avast opens up and it shows 3 tabs, alerts, history and ignored issues.

There is not a link or button to press to show more details.

Since I first started this thread there have been 21 alerts and all have been to the inkestyle website.
No other alerts for any other websites.

Is there anywhere in Avast that lists in detail what program/webpage/extension is trying to access the internet?

A few times I noticed the error popup when I was doing work for work in paint and excel. Meaning, I wasn't surfing the web.

The alert doesn't pop up every day; there were 4 attempts on 11/13 and then 1 today, 11/17. I use my computer every day, 6 to 14 hours a day.

Is there a program to monitor my computer to see what is trying to access the internet?

Thanks for the help


Title: Re: Threat blocked, how to find out what program or browser is trying to access web
Post by: DavidR on November 17, 2021, 04:37:59 PM
Unfortunately there is no other area that would have any more details outside of the actual Avast Alert, More Details and there is a unique number in the alert window that Avast may be able to interpret.

So it is crucial that you gather as much information at the time of the alert, e.g. what you were doing at the time and make a screenshot of the Avast Alert or Error message/window.
Title: Re: Threat blocked, how to find out what program or browser is trying to access web
Post by: joesampson69 on November 18, 2021, 02:35:03 PM
There is no alert window that pops up anymore. I remember on older versions of Avast it would beep 2 or 3 times and an alert window would pop up. That doesn't happen anymore. The only reason I know it blocked something is because of a blue dot over the Avast icon in the system tray. Pic posted. When I click on the Avast icon it opens a window. Pic posted.

I checked the settings in Avast, pic posted, and I think I have it set up so it should show any alert window popups.

Maybe I'll try a different antivirus and see if it picks up the same things.
Title: Re: Threat blocked, how to find out what program or browser is trying to access web
Post by: DavidR on November 18, 2021, 04:02:54 PM
Unfortunately I haven't experienced this Blue dot over the avast tray icon, so I don't know if this is just an indication of 'you have a notification' or something different.

Have you got avast set to Silent Mode ?
If so that could account for no Alert window.
If so 2 - I would suggest taking Avast out of silent mode in the hope of getting the popup again, click the more details option and do a screenshot.

That said I don't know how that would play out given your comment in the first post.
Quote from: joesampson69
Over the last 3 days I keep getting notifications every 3 hours or so that Avast blocked a threat. "We've safely aborted connection on ..... because it was infected with Other:Malware-gen"
Title: Re: Threat blocked, how to find out what program or browser is trying to access web
Post by: joesampson69 on July 15, 2022, 11:44:11 PM
I am the OG poster. I have seen this topic come up in a few other forums and people reference this thread. So I thought I should do an update. I still get the "Threat secured" "aborted connection" about every 3 months or so. When it does happen, I will get anywhere from 3 to 15 alerts usually all in a 48 hour period and then nothing happens for months.
It did it again today, so far 3 times in about 2 hours.
  Avast says the process is in c:\program files(x86)\Google\Chrome\Application\chrome.exe

Is there a program or way to find out what is using Chrome to try and access this website? I have Chrome open all day while I am working and today I was writing (using pen and paper), not touching my computer, and the ding ding of Avast goes off. "Threat Secured"... I don't get it.
https://sitecheck.sucuri.net/results/https/inkestyle.net/23567dbd647db71d0a.js
Title: Re: Threat blocked, how to find out what program or browser is trying to access web
Post by: DavidR on July 16, 2022, 12:23:23 AM
Well it isn't unusual for the browser to be named as that is what is actually doing the connecting.
Your screenshot indicates there were more detections 3 / 3 probably more scripts

However if you aren't having the browser make that connection something else is.  This may be an extension/add-on that has been recently added or updated.  When the connection is made it is then running that javascript code and that is what avast is alerting on.

There are many others that also consider inkestyle.net malicious - https://www.virustotal.com/gui/url/6055b8e041cbd253a4b93b8f882623cbdc4d6732c26dd7529964073f94f06b53?nocache=1

I don't use chrome, but you should look at the extensions/add-ons that you have installed and remove any that you didn't install or might be suspect or you don't use frequently.
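
The extension review suggested above can be done from the files Chrome keeps on disk. As an added example (not part of the original thread, and not an Avast or Google tool), this Python script lists every installed Chrome extension and puts those that can run on every site, and the most recently installed or updated, at the top. The standard Windows profile path is an assumption, and the two sample extensions are constructed data used only when that path is absent.

```python
import json, os, tempfile
from pathlib import Path

# Match patterns that let an extension read or script every site you visit.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_extensions(user_data_dir):
    """Return one record per installed extension, most review-worthy first."""
    records = []
    # Layout: <User Data>/<profile>/Extensions/<extension id>/<version>/manifest.json
    for path in Path(user_data_dir).glob("*/Extensions/*/*/manifest.json"):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable manifest: skip it rather than abort the audit
        hosts = set(manifest.get("host_permissions", []))  # Manifest V3
        # Manifest V2 mixes host patterns into "permissions" (entries may be dicts).
        hosts |= {p for p in manifest.get("permissions", []) if isinstance(p, str)}
        for script in manifest.get("content_scripts", []):
            hosts |= set(script.get("matches", []))
        records.append({
            "profile": path.parents[3].name,
            "id": path.parents[1].name,  # look this id up on chrome://extensions
            "name": manifest.get("name", "?"),  # may be a "__MSG_...__" locale key
            "version": manifest.get("version", "?"),
            "broad_access": sorted(hosts & BROAD_HOSTS),
            "modified": path.stat().st_mtime,
        })
    # Broad site access first, then the most recently installed or updated.
    records.sort(key=lambda r: (not r["broad_access"], -r["modified"]))
    return records

def build_sample_profile(root):
    """Constructed sample data: two made-up extensions in a fake 'Default' profile."""
    samples = [
        ("a" * 32, "1.0.0", 1_600_000_000,
         {"name": "Notes Helper", "version": "1.0.0", "manifest_version": 3,
          "permissions": ["storage"], "host_permissions": ["https://example.com/*"]}),
        ("b" * 32, "2.3.1", 1_650_000_000,
         {"name": "Coupon Finder", "version": "2.3.1", "manifest_version": 2,
          "permissions": ["tabs", "<all_urls>"],
          "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}]}),
    ]
    for ext_id, version, mtime, manifest in samples:
        folder = Path(root) / "Default" / "Extensions" / ext_id / version
        folder.mkdir(parents=True)
        (folder / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        os.utime(folder / "manifest.json", (mtime, mtime))
    return root

if __name__ == "__main__":
    real = Path(os.environ.get("LOCALAPPDATA", "")) / "Google" / "Chrome" / "User Data"
    target = real if real.is_dir() else build_sample_profile(tempfile.mkdtemp())
    for r in audit_extensions(target):
        flag = "BROAD " + ",".join(r["broad_access"]) if r["broad_access"] else "limited"
        print(f'{r["profile"]:10} {r["id"]} {r["name"]} {r["version"]} [{flag}]')
```

Broad access alone does not make an extension malicious (ad blockers need it too); it only narrows down which ones to disable first while watching whether the alerts stop.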
Title: Re: Threat blocked, how to find out what program or browser is trying to access web
Post by: joesampson69 on July 16, 2022, 01:28:44 AM
Thanks for the reply. Now a few hours later there are a total of 5 detections, all the same script / URL.
Title: Re: Threat blocked, how to find out what program or browser is trying to access web
Post by: DavidR on July 16, 2022, 02:30:21 AM
Yes but that doesn't tell me anything new.

You need to investigate the browser's extensions as I mentioned, if you aren't physically connecting to that site something is and the most likely culprits are browser extensions.

You could also try a browser reset and see if that stops the connection/s.
As I mentioned I don't use chrome so I have no practical experience of doing this.

Browser Reset - https://support.google.com/chrome/answer/3296214?hl=en
Title: Re: Threat blocked, how to find out what program or browser is trying to access web
Post by: polonus on July 16, 2022, 04:19:24 PM
L.S.,

One of the oldest tricks in the book, DNS manipulation and therefore abuse is blacklisted:
https://github.com/NethServer/dns-community-blacklist/blob/master/adguarddns.dns
and failed to load the resource, getting a 403 from cloudflarenet.us ->https://urlscan.io/ip/2606:4700:3034::6815:2feb

Address only resolves from Jacksonville, USA, as 104.21.47.235 and 172.67.174.123 and servers from Berlin, Madrid in Spain, Stockholm Sweden, Copenhagen, Kuala Lumpur, Bangkok, Buenos Aires, Lagos Nigeria. That is all we know, wait for a final verdict from Avast Team, they command their detections and flag and blacklist.

polonus (volunteer third party cold reconnaissance website security analyst and website error-hunter)
Title: Re: Threat blocked, how to find out what program or browser is trying to access web
Post by: joesampson69 on July 17, 2022, 12:15:52 AM
There have been 8 new threats blocked, all from a new url koocoofydotcom url:phishing. That's a total of 18 so far in about 24 hours.
http://sitecheck.sucuri.net/results/koocoofy.com/boajdtd.json


At the bottom of the threat warnings there is an Alert ID. It says the support team can use these to better understand my alerts. Is this just for Avast's internal use or can they use them to help pinpoint my issues?

These are the alert id's for some of these new threats
4fec997ce794/2022-07-16T21:30:41.921Z
6a5462f7a18d/2022-07-16T21:30:42.309Z
6d803819c401/2022-07-16T21:30:42.467Z
3b391982963c/2022-07-16T21:30:43.078Z


Thank you to everyone who has helped!!!
Title: Re: Threat blocked, how to find out what program or browser is trying to access web
Post by: DavidR on July 17, 2022, 01:54:21 AM
To those who have responded in this topic these id's are of no help, it may be of help to members of the Virus Labs Team, but their activity in the forums is limited.  As Avast Users we are limited in what we can do.

However, something is using your browser to connect to these malicious (or so avast thinks) sites.  Which is why I suggest you check your extensions/add-ons or a browser reset. 

I can only guess you haven't tried either ?
- another option would be to run the browser with extensions/add-ons disabled.
See - https://www.google.co.uk/search?q=how+to+run+chrome+with+extensions+disabled
Title: Re: Threat blocked, how to find out what program or browser is trying to access web
Post by: polonus on July 17, 2022, 04:02:01 PM
That IP was also blocked by Sophos as given here: https://www.abuseipdb.com/check/139.45.197.151
Re: https://www.shodan.io/host/139.45.197.151

7 av-vendors to detect: https://www.virustotal.com/gui/url/58dac947fe476c6ca252992fe16b2399d350a2d4e2796a65a28f26f1acd90ce1?nocache=1

Quite some domain range to check and eventually block;
see: https://api.hackertarget.com/reverseiplookup/?q=139.45.197.151

Another malicious one: https://www.virustotal.com/gui/domain/watchmytopapp.top (flagged by Heimdahl).
Not scanned: https://sitecheck.sucuri.net/results/watchmytopapp.top

RETN Limited should watch their domains and accordingly should be watched by security solutions for abuse.

polonus