Topic: avast scan finds SVC:MBAMSwissArmy - rootkit/hidden service

Nikilet

  • Guest
avast scan finds SVC:MBAMSwissArmy - rootkit/hidden service
« on: April 14, 2013, 02:01:35 AM »
A quick scan with avast found this threat today. In addition, twice recently MBAM has produced a window advising that it has blocked an avast exe file. I wonder if the two have anything to do with each other. I have attached screenshots.

After the scan I moved the SwissArmy threat to the Virus Chest. I scheduled a boot scan with avast and restarted. I selected ALL of the options offered for the boot scan. I selected that it should "Ask" me if something was found. I couldn't sit right at the computer during that whole scan, but I assumed that since I advised it to ask me that if something were found it would remain on my screen until I had selected some option. If that is the way it works, nothing was found.

After the scan I did another virus scan with avast and it found no threats. I looked in the Virus Chest and that item I had placed in there was gone.

I would appreciate it if someone would tell me if I need to go any further to make sure this rootkit is gone. Also, advise about that avast exe file that mbam is telling me it has blocked.

Thank you

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89065
  • No support PMs thanks
Re: avast scan finds SVC:MBAMSwissArmy - rootkit/hidden service
« Reply #1 on: April 14, 2013, 02:28:58 AM »
MBAM malicious website IP Detection reporting avastSvc.exe as process:
No, avast isn't infected. MBAM isn't blocking avast as such, as avastSvc.exe is the main avast service and it controls the various shields. The Web Shield routes all http traffic through its localhost proxy, so all MBAM sees is avastSvc.exe as the originating process, which is incorrect.

This is either you trying to connect to this IP via your browser, or possibly a link in a site you're viewing redirecting to or getting content from that IP address.

What site were you on when this alert occurred?

Personally, with avast! and the network shield and web shield, I feel this mbam pro feature is redundant. It also doesn't do what it says on the tin: it blocks far more categories than just malicious websites. Not to mention it causes more grief than reassurance.

As for the avast alert on MBAM SwissArmy, had you just run an mbam scan? This may only be present during or shortly after a scan, which is why nothing was found in subsequent scans.

Because these scans (including avast) have to operate at a low level, they have drivers controlling the scans; these are often hidden, making them look suspect to other security software. In the avast scan results window you should choose Ignore.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Nikilet
Re: avast scan finds SVC:MBAMSwissArmy - rootkit/hidden service
« Reply #2 on: April 14, 2013, 03:38:59 AM »
MBAM malicious website IP Detection reporting avastSvc.exe as process:
I'm not sure I even had my browser open when this occurred, so if it happens again I will pay very close attention.

On the other (SwissArmy) item, I can't say for sure either. I hadn't had my laptop on for nearly two weeks and was trying to bring it up to date with scans and such so it's all a little confused as to what was going on where.

From now on I will make special note of what happened just prior, so that I am better able to explain to those who offer me help.

Thank you for your help today.

Offline DavidR
Re: avast scan finds SVC:MBAMSwissArmy - rootkit/hidden service
« Reply #3 on: April 14, 2013, 01:02:05 PM »
You're welcome.

It isn't necessary to have your browser open as avast's web shield would be monitoring and redirecting http communication (not necessarily browsers) so that it can be scanned. So something on your system is reaching out, possibly checking for updates, etc. and the web shield localhost proxy redirects it. What you can do when it occurs is to do a whois check on the IP address, this may give you an idea what program is reaching out.

I'm very strict on what I allow to auto update on my system, so I don't have this kind of issue occur.
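One way to see which program is actually behind such an alert, as an added example that is not from this thread or from avast or MBAM: because the Web Shield proxies http through localhost, the real client shows up as a process connected to the loopback address rather than to the alerted IP. The script below assumes Windows 8 / PowerShell 3 or later (Get-NetTCPConnection, Resolve-DnsName) and an elevated prompt; the default IP is a constructed placeholder.

```powershell
# Added example, not code from the thread. Lists established TCP connections with
# their owning process and flags (a) loopback connections owned by something other
# than the avast service, i.e. the real client behind the Web Shield proxy, and
# (b) connections that match the IP reported in the MBAM alert.
param([string]$RemoteAddress = '203.0.113.10')   # constructed placeholder IP

$loopback = @('127.0.0.1', '::1')

$rows = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $note = ''
        if (($_.RemoteAddress -in $loopback) -and ($proc.ProcessName -ne 'AvastSvc')) {
            $note = 'proxied client'        # talks to the local Web Shield proxy
        } elseif ($_.RemoteAddress -eq $RemoteAddress) {
            $note = 'matches alert IP'      # outbound leg, usually owned by AvastSvc
        }
        [pscustomobject]@{
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            PID     = $_.OwningProcess
            Process = $proc.ProcessName
            Path    = $proc.Path
            Note    = $note
        }
    }

$rows | Where-Object { $_.Note } | Sort-Object Note, Process | Format-Table -AutoSize

# Reverse DNS on the alerted IP is a quick first step before the whois lookup
# suggested above (Windows ships no whois client; use a registry's web whois).
try {
    Resolve-DnsName -Name $RemoteAddress -Type PTR -ErrorAction Stop |
        Select-Object Name, NameHost
} catch {
    "No PTR record for $RemoteAddress"
}
```

Run it while the alert is on screen, since the proxied connection only exists while the update check or page load is in progress.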

Nikilet
Re: avast scan finds SVC:MBAMSwissArmy - rootkit/hidden service
« Reply #4 on: April 17, 2013, 02:35:30 AM »
DavidR: I find that I have to come back to this topic. I'm sure it is frustrating for people like you to have people like me asking for some kind of reasonable, understandable explanation. I have had several more of these pop up since I started this topic and found out that they are trying to reach out to such places as the Czech Republic and the Netherlands. This situation just started happening and I have not, to my knowledge, installed any new programs, or even games. So the question remains, what on my system is trying to reach out, and is there any program I can run that will tell me the answer?

I have been working with MBAM since the alerts about blocking malicious sites have been coming from that program. They have had me run numerous things and post logs. Apparently nothing has been found because they haven't let me know if it has.

I also have received several more of these warnings from Avast about a rootkit infection found. After choosing the removal option, I have run two boot scans with Avast with all the options checked and both scans have come back clean.



Offline DavidR
Re: avast scan finds SVC:MBAMSwissArmy - rootkit/hidden service
« Reply #5 on: April 17, 2013, 02:49:42 AM »
As I have said numerous times, I feel the malicious website blocking by MBAM to be a total pain, the main reason being that it doesn't do what it says and block malicious sites (only); apparently it blocks many other categories. I also feel it is redundant when you have avast with the network and web shields enabled.

Nikilet
Re: avast scan finds SVC:MBAMSwissArmy - rootkit/hidden service
« Reply #6 on: April 17, 2013, 03:33:29 AM »
As a home computer user, I'd like to tell you what scares me. Mbam seems to be the one blocking these sites. If I disable this function, will Avast take care of it? I'm going to try disabling it and see what happens.

You did not address my question about finding out what, on my system, is reaching out to these foreign countries. Is there some scan that can be done to find the software culprit, or malware that is doing this?

Also, what about the continued threat notices from Avast on the rootkit? Can I feel safe being that I have done the boot scans? If this is a false-positive situation, on whose end? Is it something that Avast needs to address, or MBAM?

Offline DavidR
Re: avast scan finds SVC:MBAMSwissArmy - rootkit/hidden service
« Reply #7 on: April 17, 2013, 01:00:27 PM »
As I said, mbam appears not to just block malicious sites; if you take the time to investigate many of these sites you will find that many aren't malicious, but some other form of categorisation.

I got rid of this function ages ago as avast really has this covered, not to mention most browsers also have anti-phishing and malicious site blocking (firefox and chrome for two), so for me the mbam malicious website blocking is redundant.

Nikilet
Re: avast scan finds SVC:MBAMSwissArmy - rootkit/hidden service
« Reply #8 on: April 17, 2013, 05:24:18 PM »
I did disable that function in my mbam last evening, as I said I was going to. You did not comment on my other two concerns. Could you please do so or do I need to go to the virus forum?

Offline DavidR
Re: avast scan finds SVC:MBAMSwissArmy - rootkit/hidden service
« Reply #9 on: April 17, 2013, 05:41:05 PM »
I can't comment as I haven't had a problem with avast and mbam pro and the only exclusion I have made is to add c:\windows\temp\_avast_ to the mbam Ignore list.