Url:Mal pop-ups from seemly sound sources

[Sprey]

Interesting that that scanner thought the site was in infected, but yes, it is legitimate activity. This is the same for all the other blocked URLs though (for example those blocked in relation to chrome.exe and svchost.exe): they all appear to be legitimate connections. For example the last blocked URL on chrome.exe was hXXp://safebrowsing.clients.google.com/safebrowsing/downloads?client which, though I am not really sure what it is, it doesn't look too scary if it is on the google domain.

EDIT: and yes, the other ones, as you refer to them, keep popping up from time to time, DavidR. Sometimes when I open chrome Avast will block all URLs, then after taking out and re-connecting my Ethernet cable it will allow them again...

[DavidR]

I don't know if some of these urls with very long strings might be interpreted as suspect/malicious (as this is a common tactic).

I can't speak for chrome I don't use it, I never got on with the interface, so I can't check anything out.

I was only able to investigate the zune,net one.

But given Jeff's work over this topic, there seems to be something going on in your system (though I'm no malware removal specialist), I was thinking possible browser hijack. But I will have to leave you in Jeff's hands for any malware removal.

It was just that I thought there might have been another possibility that the detections might possibly have been an FP so checked out the zune.net alerts.

[jeffce]

I've got a wired internet connection.

Are you actually connected say at a wall or through a router?

As for browser hijacks I am just not seeing it in these logs....We have uninstalled and reinstalled Chrome so that should not be it....Are any popups happening in Firefox??

[Sprey]

To DavidR:
Well to me the whole thing seems like a FP... I've dealt with viruses before (alas, not on this laptop) and I know what they "feel" like. And this doesn't "feel" like a virus. Also I wouldn't say it was a browser related thing since when I use IE instead of chrome I get similar popups, as well as popups from different sources anyway (e.g. zune and svchost).

The only thing is, something is irritating Avast, and whatever it is has developed in the last month (ish): I didn't get these popups when I first installed avast when I got this laptop back in august of last year...

And, as Jeff said in his last post, the logs are coming back clean, yet the popups keep coming...

TO jeffce:
I am connected at a wall port to my university college's network, but this problem did not happen in my first two terms earlier in the year / last year, so I cannot see how it would be related to that...

EDIT, also to jeffce: no I don't use firefox, any files that you see in the logs must be left over from when I tried firefox 4 and disliked it and so uninstalled

[jeffce]

no I don't use firefox, any files that you see in the logs must be left over from when I tried firefox 4 and disliked it and so uninstalled

----------

I am connected at a wall port to my university college's network

When you use this laptop in other places does the same thing happen??

[Sprey]

When you use this laptop in other places does the same thing happen??

well when I was home at Easter I didn't have any problems, but then again that was before I had any problems with it here at university, so that's not a proper test. Maybe I shall take a trip into town tomorrow and use a cafe's wifi or something and check it out, it will be interesting to see the results for sure...

[Sprey]

sorry for a double post, I meant to attach this: my last popup message, this one from svchost.exe, just to let you see the URL...

[jeffce]

Maybe I shall take a trip into town tomorrow and use a cafe's wifi or something and check it out, it will be interesting to see the results for sure...

You know that might not be a bad idea.  If nothing pops up there it could be something on the university's side that is messing with this.  If you were using a router I was thinking it may be infected but since you aren't using one that seems to be shot. 

[DavidR]

To DavidR:
Well to me the whole thing seems like a FP... I've dealt with viruses before (alas, not on this laptop) and I know what they "feel" like. And this doesn't "feel" like a virus. Also I wouldn't say it was a browser related thing since when I use IE instead of chrome I get similar popups, as well as popups from different sources anyway (e.g. zune and svchost).

The only thing is, something is irritating Avast, and whatever it is has developed in the last month (ish): I didn't get these popups when I first installed avast when I got this laptop back in august of last year...

And, as Jeff said in his last post, the logs are coming back clean, yet the popups keep coming...
<snip>

Which is exactly why I started look at the possibility of FP.

The problem with that is, with firefox 13.0 I was able to visit the zune.net site without alert, now generally the Network Shield will be alerting on a domain and not a sub-domain and certainly not on a file as such. However, since I don't have zune or an account I can't exactly replicate your connecting to your zune account.

[Sprey]

To DavidR:
I too can access Zune.net just fine (no block from the network shield), but when the desktop software tries to automatically log me in when I open the application, it causes a popup to show. Also note that this doesn't happen consistently: sometimes it will manage to log me in without firing a popup.

To jeffce:
well the only other place other than the wired connection I am using now which I have used since these popups first occurred is possibly the wireless connection in my university's library (I cannot remember whether or not I have been there or not since these popups started happening, and if I did whether or not I got any popups whilst there) so since that's still related to the university I think I shall take a trip into town tomorrow...

[jeffce]

I think I shall take a trip into town tomorrow...

Sounds good. 

[Moosy]

Hi, you're not the only one with this problem. This cropped up for me not that long ago. For me it's mainly crl.microsoft sub-domains that are cropping up. Seen quite a few relating to home-student, which presumably means my installation of Microsoft Office home and student edition.
Like Sprey's, they all turn up as a URL:mal infection. I ran a full scan on Avast!, which didn't detect anything, although I haven't run a boot time scan yet.
I also get my internet through a wall plug at university.
None of this activity seems to be correlating with Avast updates.
EDIT: Moved section of post to attachements because I don't like hyperlinks.

[Moosy]

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.12.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
nopenopenopenopenope!!! [administrator]

13/06/2012 00:53:03
mbam-log-2012-06-13 (00-53-03).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 211991
Time elapsed: 2 minute(s), 41 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

waat.png shows what happened when I started the avast console ten minutes ago. Clicking the pop-up led to a blank page.
waaat.png is what occurred when I attempted to update the database about ten minutes ago. Updating worked on the second attempt.

Sorry, not sure if I should have started a new thread for this, but the problem seems very similar and unique.

Additionally, I get this all the time regardless of whether a browser is running or not.

[jeffce]

@Moosy

Please start your own topic.    Thanks.

[Sprey]

Ok, stuff came up in the past two days preventing me from going into town, and I see that you are on holiday from 17th-25th, so...

Considering that I don't think that this is malicious, more a problem with my system/the university network (we await to see which one), I am going to wait until friday 22nd when I get home to try my laptop on a different internet connection, rather than try it in town here.

Have a great, malware free holiday!