Avast WEBforum

Other => Viruses and worms => Topic started by: Sevestra Sin on February 24, 2024, 05:57:22 AM

Title: Is my system compromised? Should I be worried?
Post by: Sevestra Sin on February 24, 2024, 05:57:22 AM
I've been occasionally receiving this URL:Blacklist pop-up notification from Avast Free for about two weeks now. But judging from the URL, it seems to be coming from Windows' update server or something; I don't know how to investigate deeper. Is this a false positive? Is my system compromised?
Title: Re: Is my system compromised? Should I be worried?
Post by: mchain on February 24, 2024, 08:53:27 AM
Cannot say there are no issues with your system, but Avast did block an internet connection it considered to be malicious.  This block should have prevented an infection from starting in the first place.

All depends on what you were doing or viewing at the moment.  Did you click a link, or view an ad?
Title: Re: Is my system compromised? Should I be worried?
Post by: Sevestra Sin on February 24, 2024, 09:28:17 AM
> Cannot say there are no issues with your system, but Avast did block an internet connection it considered to be malicious.  This block should have prevented an infection from starting in the first place.
>
> All depends on what you were doing or viewing at the moment.  Did you click a link, or view an ad?

It appeared when I left my PC idle and no programs were running at the time, not even in the background. I went back and the notification was already sitting on the screen. Surprisingly, I found someone else with the same issue posted theirs on this forum too. Their blacklisted URL has a different domain and path, but the same query parameters as mine (cacheHostorigin=dl.delivery.mp.microsoft.com). https://forum.avast.com/index.php?topic=326222.0
Title: Re: Is my system compromised? Should I be worried?
Post by: mchain on February 27, 2024, 01:43:58 AM
Are you using Google Chrome as your browser?

Input this address in Chrome's address bar and press enter:  chrome://settings/content/notifications  Note:  This setting should work for all Chrome-based browsers.  Will not work for Firefox.

See this topic:  https://forum.avast.com/index.php?topic=326243.0

Go here within topic:  https://forum.avast.com/index.php?topic=326243.msg1715208#msg1715208
Title: Re: Is my system compromised? Should I be worried?
Post by: Sevestra Sin on February 27, 2024, 03:18:15 AM
> Are you using Google Chrome as your browser?
>
> Input this address in Chrome's address bar and press enter:  chrome://settings/content/notifications  Note:  This setting should work for all Chrome-based browsers.  Will not work for Firefox.
>
> See this topic:  https://forum.avast.com/index.php?topic=326243.0
>
> Go here within topic:  https://forum.avast.com/index.php?topic=326243.msg1715208#msg1715208

I'm using Firefox as my browser; Google Chrome isn't installed on my system. Oh, and I just finished doing a clean install of my Windows 11 and it seems that the notification is coming from Microsoft Store because it popped up 3 times consecutively when all the apps were auto updating themselves; the 3 blocked URLs show the same IP as the one I originally posted here. The system was still in a pretty clean state where I only have the drivers installed using the CDs that came with the hardware, and Avast Free. All of my external drives were also unplugged at the moment, and Firefox was installed much later on.
Title: Re: Is my system compromised? Should I be worried?
Post by: mchain on February 28, 2024, 04:31:39 AM
See:  re:  151.139.180.7

Google lists your IP as located in the United States.
ip-tracker says Singapore (Asia)

Reset your modem?
Title: Re: Is my system compromised? Should I be worried?
Post by: Sevestra Sin on February 28, 2024, 08:57:13 AM
> See:  re:  151.139.180.7
>   • https://www.google.com/maps/place/32%C2%B047'10.8%22N+96%C2%B049'13.8%22W/@32.7863388,-96.8230781,17z/data=!3m1!4b1!4m4!3m3!8m2!3d32.7863388!4d-96.8205032?entry=ttu
>   • https://www.ip-tracker.org/lookup.php?ip=151.139.180.7
>
> Google lists your IP as located in the United States.
> ip-tracker says Singapore (Asia)
>
> Reset your modem?

Alright, I'll try resetting the modem tonight after work and wait a few days (leaving the PC on) to see if the web shield is still picking it up.
Title: Re: Is my system compromised? Should I be worried?
Post by: polonus on March 02, 2024, 12:43:04 PM
Also consider: https://www.reddit.com/r/techsupport/comments/18meugn/suspicious_microsoft_updates_from_stackpath_ips/

Wait for a final verdict from Avast's.

Also: Set GPOS to not configured per above. Reboot system Windows 10 and Netgate running pfSense. You must remove all Squidguard URL blocks for anything that is "azureedge. net", example fp-as-azureedge. net. Set Windows in two places one with "netsh http set proxy" to use with Http Updates.

polonus