Author Topic: malwarebytes:successfully blocked...malicious attempt...162.210.19 source: avast  (Read 7303 times)


needshelp3

  • Guest
This has been going on for a few days now, I would like to get it resolved... thanks for all help!!
Avast was giving me notifications like "avast has blocked a harmful webpage" quite frequently. I installed Malwarebytes Anti-Malware and scanned, checked everything, and deleted what it found. However, the problem did not end there. Now, avast no longer notifies me with "avast has blocked a harmful webpage." Instead, I get Malwarebytes saying something like "Successfully Blocked Access to 162.210.192.21." When I get this message, it says the source is avastsvc.exe. When I disable avast, it then says my browser (firefox) is the source.

My computer works fine, it boots up normally and such. I have attached the OTL logs... thanks again

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Wait for a qualified removal expert to help you here.
In the mean time you could read: https://forums.malwarebytes.org/index.php?showtopic=137397
Mind that that thread was meant for another individual user and the info cannot be adopted by you; you can seriously damage your OS!
You have to wait for a qualified remover to appear here tomorrow to assist you on the basis of the very logs that you provided.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

needshelp3

  • Guest
Okay, thank you. Yes I saw that and was reading over it. Just wondering, do you have any suggestions for the meantime?

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
I've had those issues as well. Except they are pretty scarce.
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Hi,
@needshelp3
While I'm looking into OTL logs, please attach here aswMBR log as well.
http://forum.avast.com/index.php?topic=53253.0

needshelp3

  • Guest
Hi magna86,
thank you for looking at the OTL logs! I was trying a scan with aswMBR but my computer suddenly blue-screened (hasn't done that in at least 1.5 years)... now I am not sure if I should try it again? Let me know if I should.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Ok, we shall perform an AntiRootkit scan later.

Please download zoek.zip or zoek.rar by smeenk from here or here and save it to your Desktop.
Unpack the archive...
  • Close any open browsers
  • Temporarily disable your AntiVirus program. (If necessary)
    If you are unsure how to do this please read this or this Instruction.

  • Double click on zoek.exe to run the tool.
    Please wait until the tool starts...

  • Copy the text present inside the code box below and paste it into the large window in the zoek tool:
Code:
emptytemp;
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer];r
"EnableShellExecuteHooks"=-;r
filesrcm;
c:\Program Files (x86)\WxDownload\sprotector.dll;i
C:\Windows\*.tmp;f
iedefaults;
aohghmighlieiainnegkcijnfilokake;chr
apdfllckaahabafndbhieahigkjlhalf;chr
blpcfgokakmgnkcojhhkbfbldkacnbeo;chr
caehdcpeofiiigpdhbabniblemipncjj;chr
coobgpohoikkiipiblmjeljniedjpjpf;chr
gomekmidlodglbbmalcneegieacbdmki;chr
lifbcibllhkdhoafpjfnlhfpfgnpldfl;chr
nmmhkkegccagdldgiimedpiccmgmieda;chr
pjkljhegncpnkpknbcohdijeoejaedia;chr
chromelook;
firefoxlook;
{DBC80044-A445-435b-BC74-9C25C1C588A9};c
{E6FB5E20-DE35-11CF-9C87-00AA005127ED};c
startupall;
  • Click on button.
    Please wait until a log report opens (this can be after reboot)

  • Save notepad to your Desktop and attach here zoek-results.log
    Note: It will also create a log in the C:\ directory named "zoek-results.log"

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
just some info....

Quote
Instead, I get Malwarebytes saying something like "Successfully Blocked Access to 162.210.192.21." When I get this message, it says the source is avastsvc.exe.
All in/outgoing requests go through the Avast WebShield, and MBAM sees this as coming from Avast... it is not.
Many posts about this here.

also read this
Oh, the Sites You Will Never See.    http://blog.malwarebytes.org/development/2013/05/oh-the-sites-you-will-never-see/

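Pondus's point above is that a local filtering proxy such as the Avast Web Shield service relays the browser's outbound connections, so a blocker that reports the process on the socket names avastsvc.exe rather than the program that actually asked for the connection. The following Python script is an added example (it is not code from this thread, from Avast or from Malwarebytes) that parses constructed alert lines modelled on the notifications needshelp3 quoted, groups them by blocked address, and treats outgoing alerts naming a known local proxy as "origin unknown" instead of blaming the antivirus. The line format, the timestamps and the LOCAL_PROXY_PROCESSES set are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Processes that relay other programs' outbound traffic through themselves.
# Avast's Web Shield service (avastsvc.exe) is the case from this thread: an
# alert naming it tells you which connection was blocked, not which program
# asked for it. (Assumption: illustrative list, not a vendor-maintained one.)
LOCAL_PROXY_PROCESSES = {"avastsvc.exe"}

# Constructed sample alerts modelled on the notifications quoted in the thread;
# the line format is invented for this example and is not real MBAM log output.
SAMPLE_ALERTS = [
    "2013-12-12 21:03:11 Successfully Blocked Access to 162.210.192.21, Process: avastsvc.exe, Type: outgoing",
    "2013-12-12 21:15:40 Successfully Blocked Access to 162.210.192.21, Process: firefox.exe, Type: outgoing",
    "2013-12-13 04:02:05 Successfully Blocked Access to 41.203.69.2, Process: skype.exe, Type: incoming",
    "2013-12-13 05:10:59 Successfully Blocked Access to 59.125.229.78, Process: skype.exe, Type: incoming",
    "this line is not an alert and must be skipped",
]

ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"Successfully Blocked Access to (?P<ip>\d{1,3}(?:\.\d{1,3}){3}), "
    r"Process: (?P<proc>[\w.-]+), Type: (?P<dir>incoming|outgoing)$"
)


@dataclass
class Alert:
    timestamp: str
    ip: str
    process: str
    direction: str


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one alert line; return None for lines that do not match."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    return Alert(m["ts"], m["ip"], m["proc"].lower(), m["dir"])


def real_origin(alert: Alert) -> Optional[str]:
    """Name the program that actually initiated the connection, or None when
    the alert only shows a local proxy that relayed it on another's behalf."""
    if alert.direction == "outgoing" and alert.process in LOCAL_PROXY_PROCESSES:
        return None
    return alert.process


def summarize(lines: List[str]) -> Dict[str, dict]:
    """Group alerts by blocked address, separating directly attributable
    origins from hits that were only seen via a local proxy."""
    summary: Dict[str, dict] = {}
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        entry = summary.setdefault(
            alert.ip, {"origins": set(), "proxied": 0, "directions": set()}
        )
        entry["directions"].add(alert.direction)
        origin = real_origin(alert)
        if origin is None:
            entry["proxied"] += 1
        else:
            entry["origins"].add(origin)
    return summary


def report(lines: List[str]) -> List[str]:
    """One human-readable line per blocked address."""
    out = []
    for ip, e in sorted(summarize(lines).items()):
        origins = ", ".join(sorted(e["origins"])) or "none identified"
        note = f"; {e['proxied']} hit(s) attributed only to the proxy" if e["proxied"] else ""
        out.append(f"{ip} [{'/'.join(sorted(e['directions']))}] origins: {origins}{note}")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_ALERTS):
        print(line)
```

Run as-is and the 162.210.192.21 entry lists firefox.exe as the identified origin with one further hit seen only via the proxy, which matches what needshelp3 observed when the shield was disabled: the same address, now attributed to the browser. Incoming alerts (the skype.exe ones) are left attributed to the listening process, since a web-filtering proxy does not sit in front of inbound connections.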
needshelp3

  • Guest
@magna86,
I have run the program and attached the log, thanks again for your help

@Pondus,
Hi, thank you for the information. Admittedly I do not know about this topic so this is helpful!

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Ok, now run this zoek script:

Code:
emptyclsid;
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows];r
"AppInit_DLLs"=-;r
c:\Program Files (x86)\WxDownload;fs
autoclean;

Zoek will restart your computer; after that, post me the freshly created zoek log.

We will continue tomorrow. For the time being, monitor your computer and AV alerts and tell me how your computer is running now. Any warnings?


Edit:
Advice:
Do not download and/or run various malware removal tools you see on the web if you do not know what they can do and what they really do.
« Last Edit: December 13, 2013, 03:44:16 AM by magna86 »

needshelp3

  • Guest
Sorry for the delay; I have attached the log. Something new has happened: the malwarebytes notification used to only come up when I had a browser open. However, a few minutes after I closed my browser and started the zoek program, I got a notification that was similar to the previous one but with two differences: the address was 41.203.69.2, and the source was skype.exe. This was new and has not happened since.

Thank you for helping me today and I look forward to speaking with you again tomorrow.

edit: on this particular notification, it also said "incoming," I can't say for certain but I think that is also new
« Last Edit: December 13, 2013, 04:49:03 AM by needshelp3 »

needshelp3

  • Guest
Okay I am going to sleep now, here are some updates on my computer performance:
-the notifications are less frequent. I thought they were gone but I left my computer on while I took a shower and came back and there was one like what I described previously; this time, the blocked address was 59.125.229.78, also skype.exe, also incoming.
-no notifications like the original ones (outgoing, 162.210.192.21, browser)
-no blue screen

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Some adware or bad browser extensions create the MBAM alerts. Zoek has removed them...


Ok, run this zoek script and when the tool finishes its work, post me the freshly created zoek log.

Code:
ffdefaults;
chrdefaults;
shortcutfix;


Then ...


Please download AdwCleaner by Xplode and save to your Desktop.

Double click on AdwCleaner.exe to run the tool.
  • Click on the Scan button.
  • After the scan has finished click on the Clean button.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.

  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • The logfile will also be saved in the C:\AdwCleaner folder.
----------------------


Any improvements?

needshelp3

  • Guest
Both logs are attached. I will see if any more notifications come up, hopefully none do.

Thanks again

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Okay, monitor your computer for MBAM alerts and report here tomorrow.  ;)