Author Topic: I keep getting the identical "threat detected warning"  (Read 15659 times)


Offline bgranat

  • Jr. Member
  • **
  • Posts: 91
    • Granat Editorial Services
Re: I keep getting the identical "threat detected warning"
« Reply #15 on: October 28, 2014, 10:24:48 PM »
I looked at the instructions. I don't want to do all that. I think I'll call Avast Total Support if it happens again and let them do it. That's why I bought the package. I probably shouldn't have posted here, but I thought it might just be a quick setting to stop the notifications and still let Avast do its job. I don't have time or the expertise to mess around with all these programs. ; ) I started in Google looking for answers and stumbled upon this forum.....

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5605
  • Spartan Warrior
Re: I keep getting the identical "threat detected warning"
« Reply #16 on: October 28, 2014, 10:32:41 PM »
The pop-ups have stopped. I have Avast Total Support. Maybe I should call them, because I don't know where or how to "get help" here. Who are the people giving help? How do I know they know their stuff? Thanks for your reply. Yes, I'm pleased that Avast is doing its job, but I didn't know that the popup meant there was something BAD on my computer. That's what you all are saying is the case, right?
Whether you use Total Support or not is up to you.  Here at the forums, we use log-based detection programs where you run the first three programs and attach the logs.  Then a certified malware removal expert is contacted for you (link you were provided is from essexboy, one of several certified malware removal experts and is the main one here) and will guide you through the cleansing process.  All this is for free.

What we are saying is that avast! is likely blocking some unknown malware on your system from calling home, likely to a malicious server, and downloading even more bad stuff onto your system.  We don't want that to happen.

Again, up to you which way you choose to go.
Windows 10 Home 64-bit 22H2 Avast Premier Security version 24.1.6099 (build 24.1.88821.762)  UI version 1.0.797
 UI version 1.0.788.  Windows 11 Home 23H2 - Windows 11 Pro 23H2 Avast Premier Security version 24.2.6105 (build 24.1.8918.827) UI version 1.0.801

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: I keep getting the identical "threat detected warning"
« Reply #17 on: October 28, 2014, 11:46:53 PM »
Like to make something clear about the help here provided. Your remarks fill me with a bit of sadness.
There is a well-known proverb for this attitude: "You can lead a horse etc. etc.".
When after ten years of daily experience with these issues, the official avast support forum is not able to help the victims of such continuous alerts? Well, then I do not know what these users are doing here.
We have a small group of rather experienced helpers on these here forums. People who were in training and went through an online bootcamp, like the folks from G2G etc, and they were only allowed to help others when they have proven beyond any doubt to their teachers they can do this according to certain standards. These people are qualified removal helpers, they have a qualification that is being recognized all over the Internet, yes also by MS and other organizations. Then we have website analysis, also by volunteers, with relevant knowledge in website security matters, they went through thousands and thousands of websites with a malcode flea-comb and can see directly from some snip of code what attack was being performed, what exploit was being abused and what security measures had not been taken and what software was not properly being updated or fully patched or what combination of CMS and server software meant a risk, what DNS errors there are, security header and domain issues, IP blocks etc. etc. etc.

In the case of the earlier mentioned qualified malware removers, other users without these qualifications are not allowed to help because they may easily ruin a computer beyond repair because a malware removal routine is made up for a particular victim's  computer with a particular configuration etc. etc. So all cures are uniquely made up for so-and-so victim on such-and-such a computer.

To question the offered help here is actually showing quite some disrespect for those qualified helpers and others that try to help victims here on the community forum just for the good of their souls and invest their free time to get the gratitude of a victim for a problem solved. All these people are volunteers yes, but they are not amateurs or incompetent helpers.

polonus
« Last Edit: October 28, 2014, 11:59:25 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline bgranat

  • Jr. Member
  • **
  • Posts: 91
    • Granat Editorial Services
Re: I keep getting the identical "threat detected warning"
« Reply #18 on: October 29, 2014, 12:05:39 AM »
Polonus,

I apologize if I appeared to lack respect. I just don't know who is who here. I couldn't discern who was saying what to me. I should have probably spent the time to acquaint myself with the forum and how it was set up, but I didn't have the time to delve into that. Again, I apologize.

Offline bgranat

  • Jr. Member
  • **
  • Posts: 91
    • Granat Editorial Services
Re: I keep getting the identical "threat detected warning"
« Reply #19 on: October 29, 2014, 12:08:32 AM »
I think it would be a good idea to have a thread that stands out that introduces new people to the forum and how it operates. If there was one, I surely didn't see it. I just looked again and didn't see anything. It would help a person like me who is new and just looking for help. Just a thought.

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48560
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: I keep getting the identical "threat detected warning"
« Reply #20 on: October 29, 2014, 12:22:13 AM »
This is the URL: hxxp://54.191.159.30/trinity.js?key_maker={%221131607300%22:%221010459795e3ea206a0c%22,%221131607728%

Can I tell Avast to not alert me each time it blocks a threat?

Thanks.
Is this a key generator for a paid program ? If so, it is probably phoning home to report some of the information it's harvested from your system.
Just a wild guess but that's one of the things key generators are capable of doing.

Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

REDACTED

  • Guest
Re: I keep getting the identical "threat detected warning"
« Reply #21 on: October 29, 2014, 05:26:44 AM »
I am getting the same exact message...

"    hxxp://54.191.159.30/trinity.js?key_maker={%221131607300%22:%221010459795e3ea206a0c%22,%221131607728%22:%22e5cf0cdccb52586027d4%22,%221131607970%22:%22ae3696a06336bfc412b5%22,%221131609%22:%2202c0f2ee1ae5de23b262%22,%221131611%22:%22dde8f5bb5cf170fdf55a%22,%221131606%22:%223f07f64cebcf3724869b%22,%221131606300%22:%220b7f634b227a15f5c597%22}"

I am a clueless bastard when it comes to this stuff.  I have Spybot and Avast free on my HP laptop.  I only get this warning when I go to or have open a firefox window with http://www.drudgereport.com/ on it.  This seems odd to me, but I don't know how this stuff works.  I have updated and scanned with spybot and avast, and keep getting the message.

Offline bgranat

  • Jr. Member
  • **
  • Posts: 91
    • Granat Editorial Services
Re: I keep getting the identical "threat detected warning"
« Reply #22 on: October 29, 2014, 05:43:21 AM »
Pupton,
 
I got only one notification this evening. I just went to Drudge, and  --- yup, there it was -- another notification. If it's a piece of coding on his page, then it really isn't in my computer or yours. It would appear it's something in the webpage's coding that is trying to do something. So I'm not going to worry too much about it. I think it's probably really one of those false positives, because Drudge is not interested in giving his visitors problems. He wants us to come back again and again. I didn't associate it with his page before this, but I am going to keep track and see if it happens when his page is open.

Just got another one. Went to whois.com, and  54.191.159.30 is amazon.com.

Whois IP 54.191.159.30
   Updated 4 hours ago

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# http://www.arin.net/public/whoisinaccuracy/index.xhtml
#


#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=54.191.159.30?showDetails=true&showARIN=false&ext=netref2
#


# start

NetRange:       54.188.0.0 - 54.191.255.255
CIDR:           54.188.0.0/14
NetName:        AMAZO-ZPDX8
NetHandle:      NET-54-188-0-0-1
Parent:         AMAZON-2011L (NET-54-176-0-0-1)
NetType:        Reallocated
OriginAS:       AS16509
Organization:   Amazon.com, Inc. (AMAZO-47)
RegDate:        2013-11-27
Updated:        2013-11-27
Ref:            http://whois.arin.net/rest/net/NET-54-188-0-0-1

OrgName:        Amazon.com, Inc.
OrgId:          AMAZO-47
Address:        EC2, EC2 1200 12th Ave South
City:           Seattle
StateProv:      WA
PostalCode:     98144
Country:        US
RegDate:        2011-05-10
Updated:        2014-10-17
Ref:            http://whois.arin.net/rest/org/AMAZO-47

OrgNOCHandle: AANO1-ARIN
OrgNOCName:   Amazon AWS Network Operations
OrgNOCPhone:  +1-206-266-2187
OrgNOCEmail:  email@amazon.com
OrgNOCRef:    http://whois.arin.net/rest/poc/AANO1-ARIN

OrgTechHandle: ANO24-ARIN
OrgTechName:   Amazon EC2 Network Operations
OrgTechPhone:  +1-206-266-4064
OrgTechEmail:  email@amazon.com
OrgTechRef:    http://whois.arin.net/rest/poc/ANO24-ARIN

OrgAbuseHandle: AEA8-ARIN
OrgAbuseName:   Amazon EC2 Abuse
OrgAbusePhone:  +1-206-266-4064
OrgAbuseEmail:  email@amazon.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/AEA8-ARIN

# end


# start

NetRange:       54.176.0.0 - 54.191.255.255
CIDR:           54.176.0.0/12
NetName:        AMAZON-2011L
NetHandle:      NET-54-176-0-0-1
Parent:         NET54 (NET-54-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS16509
Organization:   Amazon Technologies Inc. (AT-88-Z)
RegDate:        2013-11-25
Updated:        2013-11-25
Ref:            http://whois.arin.net/rest/net/NET-54-176-0-0-1


OrgName:        Amazon Technologies Inc.
OrgId:          AT-88-Z
Address:        410 Terry Ave N.
City:           Seattle
StateProv:      WA
PostalCode:     98109
Country:        US
RegDate:        2011-12-08
Updated:        2014-10-20
Comment:        All abuse reports MUST include:
Comment:        * src IP
Comment:        * dest IP (your IP)
Comment:        * dest port
Comment:        * Accurate date/timestamp and timezone of activity
Comment:        * Intensity/frequency (short log extracts)
Comment:        * Your contact details (phone and email) Without these we will be unable to identify the correct owner of the IP address at that point in time.
Ref:            http://whois.arin.net/rest/org/AT-88-Z

OrgTechHandle: ANO24-ARIN
OrgTechName:   Amazon EC2 Network Operations
OrgTechPhone:  +1-206-266-4064
OrgTechEmail:  email@amazon.com
OrgTechRef:    http://whois.arin.net/rest/poc/ANO24-ARIN

OrgAbuseHandle: AEA8-ARIN
OrgAbuseName:   Amazon EC2 Abuse
OrgAbusePhone:  +1-206-266-4064
OrgAbuseEmail:  email@amazon.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/AEA8-ARIN

OrgNOCHandle: AANO1-ARIN
OrgNOCName:   Amazon AWS Network Operations
OrgNOCPhone:  +1-206-266-2187
OrgNOCEmail:  email@amazon.com
OrgNOCRef:    http://whois.arin.net/rest/poc/AANO1-ARIN

# end



#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# http://www.arin.net/public/whoisinaccuracy/index.xhtml
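
Added example, not part of any post in this thread: the blocked URL from Reply #21 taken apart offline, with its host checked against the CIDR blocks in the WHOIS output from Reply #22. The record names the holder of the address block (an EC2 range here), which is not necessarily the party operating the server at that address; the function names and the `WHOIS_NETS` table are illustrative.

```python
import ipaddress
import json
import re
from urllib.parse import parse_qs, urlsplit

# URL exactly as posted in Reply #21 (still defanged with "hxxp").
BLOCKED_URL = (
    "hxxp://54.191.159.30/trinity.js?key_maker={"
    "%221131607300%22:%221010459795e3ea206a0c%22,"
    "%221131607728%22:%22e5cf0cdccb52586027d4%22,"
    "%221131607970%22:%22ae3696a06336bfc412b5%22,"
    "%221131609%22:%2202c0f2ee1ae5de23b262%22,"
    "%221131611%22:%22dde8f5bb5cf170fdf55a%22,"
    "%221131606%22:%223f07f64cebcf3724869b%22,"
    "%221131606300%22:%220b7f634b227a15f5c597%22}"
)

# CIDR -> "NetName (NetType)", copied from the WHOIS output in Reply #22.
WHOIS_NETS = {
    "54.188.0.0/14": "AMAZO-ZPDX8 (Reallocated)",
    "54.176.0.0/12": "AMAZON-2011L (Direct Allocation)",
}

def triage(url):
    """Parse a blocked URL offline; nothing is fetched or resolved."""
    parts = urlsplit(url.replace("hxxp", "http", 1))
    try:
        ip = ipaddress.ip_address(parts.hostname)
    except ValueError:
        ip = None  # host is a DNS name, not a literal address
    # Longest prefix wins: the most specific block that contains the host.
    nets = sorted(map(ipaddress.ip_network, WHOIS_NETS), key=lambda n: n.prefixlen)
    hits = [n for n in nets if ip is not None and ip in n]
    params = {}
    for name, values in parse_qs(parts.query).items():  # decodes %22 to "
        try:
            params[name] = json.loads(values[0])
        except ValueError:
            params[name] = values[0]  # not JSON, keep the decoded string
    return {
        "host": parts.hostname,
        "literal_ip": ip is not None,
        "net": WHOIS_NETS[str(hits[-1])] if hits else None,
        "script": parts.path,
        "params": params,
    }

def uniform_hex_tokens(obj, length=20):
    """True if obj is a dict whose values are all lowercase hex of one length."""
    pattern = re.compile(r"[0-9a-f]{%d}" % length)
    return isinstance(obj, dict) and all(
        isinstance(v, str) and pattern.fullmatch(v) for v in obj.values()
    )
```

Calling `triage(BLOCKED_URL)` shows a script requested from a literal IP address with one `key_maker` parameter holding seven numeric IDs mapped to 20-character hex tokens, which is the kind of detail worth including when posting logs for a helper.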

Offline bgranat

  • Jr. Member
  • **
  • Posts: 91
    • Granat Editorial Services
Re: I keep getting the identical "threat detected warning"
« Reply #23 on: October 29, 2014, 05:54:14 AM »
I'm sending e-mail to Amazon.com at email@amazon.com:

 Subject: Threats from 54.191.159.30

This is the complete URL:  hxxp://54.191.159.30/trinity.js?key_maker={%221131607300%22:%221010459795e3ea206a0c%22,%221131607728%

This tells me it’s Amazon.com:  http://www.whois.com/whois/54.191.159.30#

(Below is the Avast notification.)
« Last Edit: October 29, 2014, 05:56:06 AM by bgranat »

REDACTED

  • Guest
Re: I keep getting the identical "threat detected warning"
« Reply #24 on: October 29, 2014, 06:07:37 AM »
Glad you're getting this from Drudge too.  It's not just me.  Do you ever visit drudge?  I go there several times a day.  Tonight if I open it I will get the notice, and if I leave it open I will get the notice periodically.  Also, I noticed that it was an IP linked to Amazon.com too.  I have no idea what this means.  This is weird, and way out of my knowledge.  I'm not IT savvy at all, but smart enough to find my way here, which I suppose is a start.  I downloaded the Malwarebytes program and ran the scan with 0 infections.  Log below.  Is this worth starting my own post for?  Or is this something less than threatening to my PC?

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/29/2014
Scan Time: 12:38:13 AM
Logfile:
Administrator: Yes

Version: 2.00.3.1025
Malware Database: v2014.10.29.02
Rootkit Database: v2014.10.22.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: <my name>

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 399195
Time Elapsed: 20 min, 59 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

Offline bgranat

  • Jr. Member
  • **
  • Posts: 91
    • Granat Editorial Services
Re: I keep getting the identical "threat detected warning"
« Reply #25 on: October 29, 2014, 06:24:52 AM »
I go to Drudge a few times a day and sometimes it sits open all day. The notifications just started up today. I think it probably is some error in programming on amazon's part. I'm an amazon customer (who isn't?). I'll post if I get a response from amazon to my message. I don't expect I would, but if I do, I will post. The notifications were coming fast and furious earlier today, but they've virtually stopped now. I personally think it's benign and am not going to worry. I have the paid version of Malwarebytes and it's finding nothing on my computer, also. I've decided that if it starts up again I'll call Avast and have them remotely work on my computer and use their wonderful toolbox on my system. I've had them work on my computer before and they are the best. I think it's worth the money I spent to have the peace of mind. I'm like you, not IT-savvy enough to get involved with all this cleaning up on my own. You might want to think about buying their support package, Total Support. I really highly recommend it.

Offline bgranat

  • Jr. Member
  • **
  • Posts: 91
    • Granat Editorial Services
Re: I keep getting the identical "threat detected warning"
« Reply #26 on: October 29, 2014, 06:31:35 AM »
Well, I got my response, but it wasn't from Amazon.



-----

Thank you for writing to Audible.

Your email has reached an unmonitored email address, however please visit us at http://www.audible.co.uk

Thanks again
Customer Care Team
http://audible-uk.custhelp.com/app/answers/list

P.S. You received this message because Audible.co.uk received the following message:

Date: Wed, 29 Oct 2014 00:57:49 -0400
From: "Bonnie Granat" <bgranat@granatedit.com>
To: <email@amazon.com>
Subject: Threats from 54.191.159.30

----

I went to the website, and it says it's an Amazon.com company. But I'm not interested in audiobooks, so that's that.

I don't know how to reach amazon.com. I'm going to write them back and ask if they would forward my message to amazon.com. LOL.


Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37529
  • Not a avast user
Re: I keep getting the identical "threat detected warning"
« Reply #27 on: October 29, 2014, 06:46:25 AM »
@pupton

If you want free help, start your own topic in the viruses and worms forum section and explain the problem.

Follow the instructions here: https://forum.avast.com/index.php?topic=53253.0
Scroll down to Farbar Recovery Scan Tool ..... run it as instructed and attach the two diagnostic logs.
« Last Edit: October 29, 2014, 07:06:41 AM by Pondus »

REDACTED

  • Guest
Re: I keep getting the identical "threat detected warning"
« Reply #28 on: October 29, 2014, 11:16:38 AM »
I'm getting the same message....started a week ago I guess....did you figure out how to stop it?

hxxp://54.191.159.30/trinity.js?key_maker

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: I keep getting the identical "threat detected warning"
« Reply #29 on: October 29, 2014, 11:31:53 AM »
I'm getting the same message....started a week ago I guess....did you figure out how to stop it?

hxxp://54.191.159.30/trinity.js?key_maker
Please start your own topic and post your logs there: https://forum.avast.com/index.php?action=post;board=4.0
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0