Recurring "threat secured" message

[Shahenda]

Hello

I recently downloaded something and, like an idiot, I added the location to Avast exceptions list. I removed it quickly when I realized how reckless and stupid I was but it was TOO LATE. (It happened when I saw a Facebook Ad to download chatGPT for desktop and redirected me to a Trello Board where I downloaded it unfortunately)


Now, my problem is I keep seeing the Avast pop-up message "threat secured... we've safely aborted connection on megaplusredirection .tedata .net" BUT with different sources at two different times (it was my Huion tablet driver at first before I deleted it, and now it's C:\ Program Files\ Malwarebytes \ Anti-malware \ MBAMSservice . exe )
I don't know how to provide a picture here.

Please note that:
1. Tedata is just my internet company.
2. I am not doing anything specific to trigger this pop-up message.
3. Huion was never a problem because it never triggered Avast and neither is malwarebytes. Just an observation.

I followed the process provided in topic: "Logs to assist in cleaning malware"


Here are my results that I hope can help you help me:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/3/23
Scan Time: 2:02 AM
Log File: d89da638-d1b2-11ed-aa0e-a81e84be1f63.json

-Software Information-
Version: 4.5.25.256
Components Version: 1.0.1957
Update Package Version: 1.0.67495
License: Trial

-System Information-
OS: Windows 10 (Build 19044.2728)
CPU: x64
File System: NTFS
User: LAPTOP-JE3KE8GV\Shahenda

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 335586
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 4 min, 3 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)


__________________________

[Shahenda]

Please follow the continuation of the analysis on google documents I posted here:

https://docs.google.com/document/d/1X8jqUxY7j6lL48V4SB-cWPOT6jknSn1kxEQOcvEAXqQ/edit?usp=sharing

and here:

https://docs.google.com/document/d/1A0J1e-0MuI6lZcNSvwAaiStd4RMk-rqb5XlA09EI388/edit?usp=sharing

What do I do?

[rocksteady]

If you are also running Malwarebytes with realtime protection enabled then that may be fighting with Avast antivirus. 
See here why it is not reccommended to have more than one active realtime antivirus running.
https://forum.avast.com/index.php?topic=211973.0

[Shahenda]

Oh, I only downloaded Malwarebytes after I saw a problem and after I googled the solution which led me here. I've only ever had Avast antivirus.

I should also point out that I have removed all exclusions from the Avast list. The pop-up window still keeps spamming my desktop screen at different times even while I'm away. It's like something on my computer is trying to open a blacklisted website but can't. I just can't seem to get a clue what it is in order for me to be able to remove it.

The tedata website redirection is just a stupid malfunction from the internet company that sometimes hinders opening unknown links -fortunately. This is just a side note though.

Thank you for your response!

[rocksteady]

I don't know how to provide a picture here.

To attach a screenshot or other file.
Open the post REPLY box and click "Attachments and other options" link below.
Then go to "Attach" and browse to the file you want to upload with your post.

If you can post the Avast warning pop-up with Details part included, that would be useful.

[DavidR]

Screenshot - example

[Shahenda]

Thank you.

Hope these screenshots help!

I would like to point out that I haven't had a pop-up msg for two days now and I haven't done anything new on my laptop. The screenshots were recorded on April 2nd.

[rocksteady]

You can try checking that URL here: https://sitecheck.sucuri.net/

If you think it is a false positive detection, you can also submit a false positive form to Avast for them to review:
https://www.avast.com/false-positive-file-form.php

[DavidR]

@    Shahenda
Two things that I find strange about your screenshot information:
1.  Whilst it isn't unheard of for svchost.exe to make internet connections, however they usually tend to be Operating System related.  It also isn't unusual for malware to use this service to connect.  Plus this redirection URL could lead almost anywhere.
2.  The second screenshot appears to being used/initiated by Malwarebytes MBMAService.exe heading to the same URL as screenshot 1.

Questions:
Are you using MBAM and Avast together (presumably so) as using to anti-virus/malware applications can lead to conflict and strange detections in each others activity.
I don't know if the svchost.exe might well be being used by MBAM, given they are trying to connect to the same URL.  The why is beyond my personal experience as I haven't use MBAM in many, many years.  So why it would be trying to connect to this URL is beyond me.

[Shahenda]

I checked the URL and the website said the host is not found and the site is not blacklisted.

The URL is mainly related to my internet company (tedata) which is an error page or something that is triggered SOMETIMES when I open a link for something on a normal day. It redirects me to this error page -which I assume is a malfunction in the internet company's system. This is why my concern is not this particular link.

My guess is that back when I first downloaded the fake ChatGPT desktop and tried to run it, it planted a virus. After removing that recent download and starting a scan on Avast, I noticed this pop-up window an hour later. I expanded the details section and the source claimed to come from my Huion tablet driver file so I removed it but the pop-up appeared again from a different source or process (which I've referred to in the screenshots)

Something on the laptop was trying to open a link that is different from what appears here. The internet company's system, unfortunately, changes links at random sometimes as I have previously noted, which stopped the virus from opening its own link but did NOT stop Avast's detection -thankfully. That is my conclusion. I wish I knew how to explain it better.

After that, I followed the advice I found on the forum and downloaded Malwarebytes as result. Malwarebytes scan might've removed some problems, but when the pop-ups persisted, I decided to post about it here.

Note: I've only been running Malwarebytes for two and a half days now and don't particularly believe they are conflicting because I've received no pop-ups recently whilst running them together. I will disable it, however, as a best practice.

It's quieter today though... should I leave it as it is until something new pops up?