Author Topic: Regarding blocking connection  (Read 5386 times)

0 Members and 1 Guest are viewing this topic.

Max Bhatia

  • Guest
Regarding blocking connection
« on: June 21, 2012, 08:54:46 PM »
I have recently encounter a problem where i found that an unknown process is being blocked by Avast from accessing a particular IP address. I have scanned all my PC but Avast was unable to recognize which process is making connections to remote site which is being blocked by it. And this thing happens whenever i start the browsing session using any browser and message pops up after every 1-2 minutes during the session. Can anyone help me out on recognize and fix this thing. I have attached the figure which is shown by Avast while that connection is blocked.

Offline Charyb-0

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2508
Re: Regarding blocking connection
« Reply #1 on: June 22, 2012, 02:28:46 AM »
Please follow the instructions here -> http://forum.avast.com/index.php?topic=53253.0

Run Malwarebytes, OTL, and aswMBR and attach the logs.

A malware removal expert will be able to assist you once these logs are attached.
« Last Edit: June 22, 2012, 03:10:23 AM by Charyb »

Max Bhatia

  • Guest
Re: Regarding blocking connection
« Reply #2 on: June 22, 2012, 09:11:39 AM »
Thanks for the suggestion but that didn't work out. MalwareBytes did find an infection but that didn't remove the problem. I also tried aswMBR 2 times, but this program caused my OS to crash both times by displaying BSOD and then restarting the system again. The report generated by MalwareBytes is attached with this reply.
Does anyone has any other suggestion because this seems to be a severe problem. Now, everytime i start my Windows with Internet connection ON, this warning message starts to pop up numerous times even when i am not surfing the internet. It seems that a process is trying to develop a connection to a remote site using svchost.exe which lies in C:\Windows\System32 folder. But no program is able to detect what's going on. What Avast is doing is just blocking the connection and not detecting the cause of it and hence culprit program cannot be tracked. I also ran boot-time scan, but to no effect.
Can anyone help me out...??????????

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89420
  • No support PMs thanks
Re: Regarding blocking connection
« Reply #3 on: June 22, 2012, 12:39:44 PM »
If aswMBR fails to run, proceed to the next step in the other tools specified (OTL and attach its log and extras.txt) in the link given above your post.

Have you tried to run aswMBR.exe from safe mode ?

Only when there is something their for a malware removal specialist to analyse can they then start to help.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Max Bhatia

  • Guest
Re: Regarding blocking connection
« Reply #4 on: June 22, 2012, 04:45:40 PM »
I have tried aswMBR in safe mode and this time it worked fine and hence i was able to get its log as well. I have attached the logs in 2 parts in my reply because of particular total size limit here.
This is the first time that i am unable to rectify a malware problem, hence it seems to me a serious issue. My PC seems to have become a bot this time.
Please help me rectify this problem.
I hope someone of you would definitely come up with a good solution soon.
Waiting for a reply........ :(

Posting first 2 attachments........of aswMBR and MalwareBytes.....

Max Bhatia

  • Guest
Re: Regarding blocking connection
« Reply #5 on: June 22, 2012, 04:49:03 PM »
Posting attachment of OTL log.......

Max Bhatia

  • Guest
Re: Regarding blocking connection
« Reply #6 on: June 22, 2012, 04:49:57 PM »
Posting attachment of OTL (Extras) log........

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37641
  • F-Secure user
Re: Regarding blocking connection
« Reply #7 on: June 22, 2012, 05:01:40 PM »
did you click the "remove selected" button after scan ?....as your Malwarebytes log say "No Action Taken"


OBS: it may take some hours before the removal specialist arrive here......

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89420
  • No support PMs thanks
Re: Regarding blocking connection
« Reply #8 on: June 22, 2012, 05:03:26 PM »
I will try and get a malware removal specialist to look at the logs.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Regarding blocking connection
« Reply #9 on: June 22, 2012, 05:20:07 PM »
Hi there is nothing readily apparent which could be a pain to locate.  So I will remove the obvious elements first, but I may need to go deeper
After this run let me know if the alerts continue 

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
To disable MBAM
Open the scanner and select the protection tab
Remove the tick from "Start with Windows"
Reboot and then run OTL


Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Quote
    :OTL
    IE - HKCU\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=110819&babsrc=SP_ss&mntrId=870ab440000000000000e4d53d78c2b0
    FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
    [2012-04-26 13:14:05 | 000,002,313 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml
    O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Max Bhatia

  • Guest
Re: Regarding blocking connection
« Reply #10 on: June 23, 2012, 07:56:23 AM »
Well.....i have done and posted the log as the "essexboy" told to do for OTL............
Also i have recently found that i am not the only one who is infected...............actually a friend of mine has also been experiencing the similar problem of malicious url connection 3-4 days from now when i started experiencing.........and he is also using Avast......
I guess this is the new type of malware whose signature/solution don't seem to be in Avast database.
Now attachment with this reply include 2 logs.........one is the log (Log 1) generated automatically on system start-up when OTL finished with custom scan and rebooted automatically.............and the other log (Log 2) is the one which was generated after quick scan after system rebooted automatically.......
I hope there would be a solution now........ :(

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Regarding blocking connection
« Reply #11 on: June 23, 2012, 01:32:30 PM »
No there is something there it is just that it is not visible at the moment

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks




  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.[/b]
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3.  If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.



Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Max Bhatia

  • Guest
Re: Regarding blocking connection
« Reply #12 on: June 23, 2012, 09:18:49 PM »
Here is the attached log of ComboFix along with this reply.......
I hope i don't have to collect more logs from next time and this should definitely suffice......... :(
Waiting for some solution this time.......

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Regarding blocking connection
« Reply #13 on: June 23, 2012, 09:26:47 PM »
Are you using a proxy for going on the web

Max Bhatia

  • Guest
Re: Regarding blocking connection
« Reply #14 on: June 24, 2012, 03:48:45 PM »
yes.........i use proxy to connect to the internet. I use my hostel Wi-fi connection where i have to use proxy settings to connect to internet.
But my friend has his own internet connection (i.e no proxy connection)....and there also the similar problem of Malicious Url connection problem exists.

but hey i observed a strange thing writing to u now.......now i have not observed even a single Malicious Url blocking signal from Avast today.......
So i am just skeptical about the problem......
what do u say....????