Author Topic: Botnet:Blacklist (Read 2582 times)

movitde · « **on:** May 15, 2021, 01:09:06 AM »

Hello,

I am having a big problem with the Avast threat protection. Every 5 minutes a pop up appears that says that it has canceled the connection with tcp://142.250.186.68:443 which was infected with Botnet:Blacklist . The process is C:\windows\system32\svchost.exe . I have run Smart Scan multiple times but it couldnt find anything.

DavidR · « **Reply #1 on:** May 15, 2021, 02:28:55 AM »

Two things:
1. Whilst svchost.exe can have a legitimate reason to connect, but it is very unusual to see it in use like this. Normally you see Processes, your browser, etc.

2. The IP address belongs to Google (Google Cloud), so I don't know if that could be misused.

https://www.google.co.uk/search?q=TCP+port+443
TCP port 443 is used for encrypted web services.

I'm wondering if some google program/service is trying to connect, but why it is using the svchost.exe service is beyond me.

You could try the - Reporting Possible False Positive File or Website - https://www.avast.com/false-positive-file-form.php function, but I don't know if it accepts IP addresses.

That said I have tried to submit it and give the link back to this topic.

movitde · « **Reply #2 on:** May 15, 2021, 11:58:52 AM »

Ok thanks for the help!

DavidR · « **Reply #3 on:** May 15, 2021, 12:12:57 PM »

You're welcome.

polonus · « **Reply #4 on:** May 15, 2021, 12:42:49 PM »

See: https://abongo.com/investigate/142.250.186.68/host
and https://www.shodan.io/host/142.250.186.68

Is Google's Certification authority - Google Trust Services - -https://pki.goog/

polonus

tornadox1 · « **Reply #5 on:** May 15, 2021, 03:49:03 PM »

Same problem at my side, but the false postiv (i think) comes with my battle.net software at start up:

Botnet:Blacklist

URl: tcp://142.250.186.68:443

Process: C:\Program Files (x86)\Battle.net\Battle.net.exe

This morning it runs normal and then comes the last virus definition and the problem begans.

Janoo · « **Reply #6 on:** May 15, 2021, 06:23:37 PM »

Same problem.

I am using Thunderbird with a Google Plugin and recently i become regularly the warning.

Botnet:Blacklist

URL: tcp://142.250.186.68:443

Process: ...thunderbird.exe

tornadox1 · « **Reply #7 on:** May 16, 2021, 03:27:32 PM »

The last virus definition (210516-2) fix it for me.

DavidR · « **Reply #8 on:** May 16, 2021, 05:00:53 PM »

Quote from: tornadox1 on May 16, 2021, 03:27:32 PM

The last virus definition (210516-2) fix it for me.

Thanks for the confirmation.

Janoo · « **Reply #9 on:** May 17, 2021, 03:53:55 PM »

Unfortunately not for me.
My father also has the same problem with the Google Ip (142.250.186.68:443).
He uses Google Earth.

Last virus definition (210516-6)

r@vast · « **Reply #10 on:** May 18, 2021, 04:21:39 PM »

Hi,

This was a false positive.
Our virus specialists have cleared its reputation in our database, and it should no longer be detected.
Please accept our apologies for any inconvenience caused.

Author Topic: Botnet:Blacklist (Read 2582 times)

movitde

Botnet:Blacklist

DavidR

Re: Botnet:Blacklist

movitde

Re: Botnet:Blacklist

DavidR

Re: Botnet:Blacklist

polonus

Re: Botnet:Blacklist

tornadox1

Re: Botnet:Blacklist

Janoo

Re: Botnet:Blacklist

tornadox1

Re: Botnet:Blacklist

DavidR

Re: Botnet:Blacklist

Janoo

Re: Botnet:Blacklist

r@vast

Re: Botnet:Blacklist