Aborted connection on 151.139.183.24 URL:Blacklist keeps appearing daily

[Blizzard]

Hi,
On 26th of December I received following Avast alert:

"We've safely aborted connection on 151.139.183.24 because it was infected with URL:Blacklist"

After this I've received this alert daily (at least once per day). It appers after computer has been idle for few minutes. When this happens there are always three (3) detections on same timestamp. I've run Avast full scan and multiple different malware detection programs but haven't been able to find anything. Is this a false alarm or some very clever malware?

[DavidR]

First off I'm an Avast User and not Avast Team member.
The svchost.exe is a commonly used (and misused) system application.  Because it is a system application it has relatively high permissions but it can be misused by malware.

The IP address is somewhat strange a whois check on the IP indicates it "is located in Stockholm, Stockholm County, Sweden."

Why this would be a streaming service used by MS is strange (are you in or near Sweden ?).  Given the tail piece of the URL being detected is cacheHostOrigin=dl.delivery.mp.microsoft.com so it could be legit (I just don't know).

Though this google search returns many hits some related, but not clear why.  Some of the hit appear to be related to "HTTP, Used to download operating system patches, updates, and apps from Microsoft Store".

You could try reporting it to Avast for investigation:
-  Reporting a Possible False Positive File or Website - https://www.avast.com/false-positive-file-form.php.
You should get a response in a day or two.

[Blizzard]

You could try reporting it to Avast for investigation:
-  Reporting a Possible False Positive File or Website - https://www.avast.com/false-positive-file-form.php.
You should get a response in a day or two.

Hi and thank you for pointing me to the right direction! I used that form to report a possible false positive. Avast replied on next day and based on their findings they cleared url reputation. So it was indeed a false positive. It took full 24 hours before database update came effective and after that Avast detection dialogs have stopped. Thank you!

[DavidR]

You could try reporting it to Avast for investigation:
-  Reporting a Possible False Positive File or Website - https://www.avast.com/false-positive-file-form.php.
You should get a response in a day or two.

Hi and thank you for pointing me to the right direction! I used that form to report a possible false positive. Avast replied on next day and based on their findings they cleared url reputation. So it was indeed a false positive. It took full 24 hours before database update came effective and after that Avast detection dialogs have stopped. Thank you!

You're welcome.

[polonus]

Connection interruptions are probably caused by a 404 error for that IP.

Also see the discussion here: https://forums.malwarebytes.com/topic/257311-avast-blocked-svchostexe-trying-to-access-suspicious-ip/ *

See: https://www.shodan.io/host/151.139.183.24 despite of https://www.abuseipdb.com/check/151.139.183.24

* As for the proposed cleansing routine there, it was just meant for that specific unique user.
Do not try to copy routine on your own, you could seriously harm your computer that way.

polonus