Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: mmarx82 on April 16, 2012, 04:03:45 AM

Title: AvastSVC Malicious URL
Post by: mmarx82 on April 16, 2012, 04:03:45 AM
Ok so the other day my wife's computer starts getting a bunch of Malicious URL Blocked notifications, they were actually causing a BSoD so yesterday I completely reloaded her computer from scratch. Today I download and install Service Pack 1 for Windows 7 (x86) then go to the avast website (http://www.avast.com/en-us/pro-antivirus#tab4) and download my product (Avast Pro). No web browsing was done on the computer and no other programs or files put on the machine. Almost immediately after installing avast I start getting the same messages after it's installed. Avast all I can think of is there is something in your programming that is bad or someone has attached something into the program updates. Help! Notice it's flagging the AvastSVC executable.

Screenshots from the computer with the message I'm getting plus version and definitions I'm running.
Title: Re: AvastSVC Malicious URL
Post by: Asyn on April 16, 2012, 08:13:28 AM
This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware.
Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.
Title: Re: AvastSVC Malicious URL
Post by: DavidR on April 16, 2012, 01:35:50 PM
The avastSvc.exe is what controls the avast localhost proxy, though why it is showing avastSvc.exe as the process and not the parent process which was redirected through the proxy...

So if the user is browsing this site ukprog.com (?), it would then be why the network shield considers it malicious. Do you have any program that would legitimately be trying to connect to this ukprog.com site?

Sucuri.net site doesn't find anything there, image1, but the favicon.ico wasn't listed as a file that was scanned. However urlvoid has two that consider it at the least suspect, bitdefender and fsecure_browsing_defender, but doesn't say specifically what, http://sitecheck.sucuri.net/results/http://ukprog.com. Nothing on the NoVirusThanks check either, http://vscan.novirusthanks.org/analysis/6aa5c6038308ce146d4e1d1a3d8660a5/aW5kZXg=/

I visited the site and the network shield was alerting (one of 5, image2) but also pointing at the ukprog.com/favicon.ico file, which can be a target for hackers as this is loaded with every web page. But I tried to capture that file for further investigation, I just got a server error, so couldn't be captured.

A VirusTotal scan for the site is 1 hit by bitdefender (again), https://www.virustotal.com/url/ba2236052845f92e3915863d4d18185901454e9be02d8347da25aa2ece02343a/analysis/1334575744/. But for the favicon.ico file it is a 0/42 but there are some suspicious comments, https://www.virustotal.com/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/analysis/1334575748/

Another possibility I would also be checking if this doesn't need to be reviewed as a possible network shield FP. But I think the big question is does mmarx82 have any knowledge of this site and anything other than his wife's browser that might legitimately connect to it?
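A detail in the VirusTotal file report quoted above is worth a second look: the hash in that URL, e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, is the SHA-256 of zero bytes. The 0/42 verdict therefore describes an empty download (consistent with the server error mentioned when trying to capture the file), not whatever favicon.ico the site actually serves. The Python below is an added example, not code from this thread or from avast: it checks a submitted hash against the well-known empty-input digests before a clean multi-engine result is trusted. The `.ico` bytes it hashes for comparison are constructed here and stand in for a non-empty download.

```python
import hashlib
from typing import Optional

# Hash taken from the VirusTotal file-report URL quoted in the post above.
VT_FAVICON_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Constructed sample: a 6-byte ICONDIR header (reserved=0, type=1 for .ico,
# count=1) followed by filler. Not a real favicon from any site; it only
# represents a download that actually returned bytes.
CONSTRUCTED_FAVICON = bytes([0x00, 0x00, 0x01, 0x00, 0x01, 0x00]) + b"\x00" * 16

# Digests of zero-length input for the algorithms scanners commonly report.
EMPTY_DIGESTS = {
    "md5": hashlib.md5(b"").hexdigest(),
    "sha1": hashlib.sha1(b"").hexdigest(),
    "sha256": hashlib.sha256(b"").hexdigest(),
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a captured sample, as you would submit it to a scanner."""
    return hashlib.sha256(data).hexdigest()


def matches_empty_file(hex_digest: str) -> Optional[str]:
    """Return the algorithm name if hex_digest is the digest of zero bytes, else None."""
    h = hex_digest.strip().lower()
    for name, digest in EMPTY_DIGESTS.items():
        if h == digest:
            return name
    return None


def triage_verdict(hex_digest: str, detections: int, engines: int) -> str:
    """Turn a detections/engines score into a triage note.

    A clean score on an empty file says only that the fetch returned no bytes;
    it says nothing about the object the server serves to a real browser.
    """
    algo = matches_empty_file(hex_digest)
    if algo is not None:
        return (f"{detections}/{engines} is for a zero-byte file ({algo} of empty input); "
                "the sample was never captured, re-fetch before trusting the verdict")
    if detections == 0:
        return f"{detections}/{engines}: clean for the bytes actually submitted"
    return f"{detections}/{engines}: flagged, inspect the sample"


if __name__ == "__main__":
    print(triage_verdict(VT_FAVICON_SHA256, 0, 42))
    print(triage_verdict(sha256_hex(CONSTRUCTED_FAVICON), 0, 42))
```

The check is cheap and catches a common triage mistake: a reputation service reporting "clean" for a hash that every analyst has seen a thousand times because it is the hash of nothing. When that happens the right next step is to re-capture the file (ideally with the request headers a browser would send), not to close the case.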
Title: Re: AvastSVC Malicious URL
Post by: mmarx82 on April 17, 2012, 05:45:19 AM
Thanks for the info Asyn, btw, before I reloaded the computer I ran Malwarebytes on it and it came back clean. Same thing after reloading it. I had also submitted a support ticket yesterday. I also want to clarify, there were no apps installed on the laptop after the reload, just SP1 and Avast AND no browsing had been done on the computer. When those popups were coming up from Avast no browsers were even open.

Today though, it has updated definitions and so far no popups and some light browsing has been done. So bad definitions? idk, I guess we'll see.