Hi

Wasn't sure if I should post this here or in the false positive forum, but decided to post it here. I noticed that Malwarebytes has recently started blocking Avast's avastsvc.exe from accessing the internet. If not mistaken, this is Avast's main service so guess it would be a good idea to let it do its thing, correct? lol

There was another post here about blocking avastsvc.exe as well, but it was locked due to no response from the poster before it was resolved. You had asked them to run a quick scan and post the log, and to download and run DDS and post its .txt log, so I have posted both of those below.

Any help appreciated!!! THANKS!!!

Quick scan log:

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8241

Windows 6.1.7601 Service Pack 1

Internet Explorer 9.0.8112.16421

11/25/2011 5:25:17 PM

mbam-log-2011-11-25 (17-25-17).txt

Scan type: Quick scan

Objects scanned: 165740

Time elapsed: 46 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS .txt log


Oh, here is an example of what I keep getting in my Malwarebytes logs:

21:15:20 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55083, Process: avastsvc.exe)

21:15:20 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55084, Process: avastsvc.exe)

21:15:28 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55100, Process: avastsvc.exe)

21:15:28 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55101, Process: avastsvc.exe)

21:15:28 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55102, Process: avastsvc.exe)

21:15:28 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55103, Process: avastsvc.exe)

21:15:28 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55104, Process: avastsvc.exe)

21:15:28 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55105, Process: avastsvc.exe)

21:15:28 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55111, Process: avastsvc.exe)

21:15:28 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55112, Process: avastsvc.exe)

21:15:28 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55116, Process: avastsvc.exe)

21:15:28 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55117, Process: avastsvc.exe)

21:15:28 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55125, Process: avastsvc.exe)

21:15:28 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55126, Process: avastsvc.exe)

21:15:28 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55130, Process: avastsvc.exe)

21:15:28 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55131, Process: avastsvc.exe)

21:15:28 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55134, Process: avastsvc.exe)

21:15:28 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55135, Process: avastsvc.exe)

21:15:28 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55136, Process: avastsvc.exe)

21:15:28 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55137, Process: avastsvc.exe)

21:15:28 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55139, Process: avastsvc.exe)

21:15:28 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55140, Process: avastsvc.exe)

21:15:28 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55150, Process: avastsvc.exe)

21:15:28 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55152, Process: avastsvc.exe)

21:16:08 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55187, Process: avastsvc.exe)

21:16:08 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55188, Process: avastsvc.exe)

21:16:08 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55202, Process: avastsvc.exe)

21:16:08 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55203, Process: avastsvc.exe)

21:16:08 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55208, Process: avastsvc.exe)

21:16:08 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55209, Process: avastsvc.exe)

21:18:32 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55406, Process: avastsvc.exe)

21:18:32 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55404, Process: avastsvc.exe)

21:18:32 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55407, Process: avastsvc.exe)

21:18:32 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55408, Process: avastsvc.exe)

21:18:32 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55409, Process: avastsvc.exe)

21:18:32 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55410, Process: avastsvc.exe)

21:18:32 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55411, Process: avastsvc.exe)

21:18:32 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55412, Process: avastsvc.exe)

21:18:32 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55414, Process: avastsvc.exe)

21:18:32 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55415, Process: avastsvc.exe)

21:18:32 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55419, Process: avastsvc.exe)

21:18:32 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55418, Process: avastsvc.exe)

21:18:32 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55420, Process: avastsvc.exe)

21:18:32 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55421, Process: avastsvc.exe)

21:18:32 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55424, Process: avastsvc.exe)

21:18:32 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55425, Process: avastsvc.exe)

21:18:32 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55426, Process: avastsvc.exe)

21:18:32 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55427, Process: avastsvc.exe)

21:18:32 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55429, Process: avastsvc.exe)

21:18:32 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55430, Process: avastsvc.exe)

21:18:32 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55434, Process: avastsvc.exe)

21:18:32 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55435, Process: avastsvc.exe)

21:18:40 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55459, Process: avastsvc.exe)

21:18:40 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55460, Process: avastsvc.exe)

21:18:40 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55461, Process: avastsvc.exe)

21:18:40 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55462, Process: avastsvc.exe)

21:18:40 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55464, Process: avastsvc.exe)

21:18:40 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55465, Process: avastsvc.exe)

21:19:29 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55572, Process: avastsvc.exe)

21:19:29 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55573, Process: avastsvc.exe)

21:19:29 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55578, Process: avastsvc.exe)

21:19:29 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55579, Process: avastsvc.exe)

21:19:29 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55584, Process: avastsvc.exe)

21:19:29 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55585, Process: avastsvc.exe)

21:19:29 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55593, Process: avastsvc.exe)

21:19:29 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55594, Process: avastsvc.exe)

21:20:57 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55728, Process: avastsvc.exe)

21:20:57 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55729, Process: avastsvc.exe)

21:20:57 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55743, Process: avastsvc.exe)

21:20:57 Scott IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 55744, Process: avastsvc.exe)


Hello and welcome to MBAM:

IP blocking such as that you are reporting can occur as a result of certain legitimate programs such as Skype and P2P programs, and it can happen when MBAM is doing its job by preventing bad content from websites from infecting your computer.

But it can also be the result of infection on your system, especially if the IP blocks are "outgoing", and if they occur when no browsers are open.

Please have a look at the FAQ - Section G for information about the IP blocking module.

It explains why it looks as if MBAM is blocking your AV (it isn't really).

It contains instructions for configuring MBAM to ignore an individual IP address, if you wish to do so.

It also contains instructions on how to run a diagnostic tool to determine what process might actually be trying to make the connections to bad IPs.

Alternatively, if, after reading the FAQ Section, you think these IP blocks are false positives, then please read this sticky and then please start a new thread here.

--------------------------------

On the other hand, if you think your system might be infected -- based on the IP blocks or other suspicious computer behavior -- then please do the following, as we do not work on malware removal in this part of the forum.

1. First, please go to THIS PAGE, print out, read and carefully follow as many instructions as you can, skipping any you are unable to complete.

2. Then, please describe your computer's symptoms as best you can and post the requested MBAM and DDS logs by starting a NEW thread at the Malware Removal-HJT forum. Please post the results of the requested scans directly into your post, using copy/paste, rather than attaching them.

One of the authorized, trained experts will then assist you as soon as possible for free, one-on-one malware detection and removal.

When you post, please be sure to select Track This Topic & choose one of the email options, so that you will be notified when someone responds.

Please be patient and allow at least 48 hours before bumping your thread -- otherwise it may appear to the experts that you are already being helped.

(The "0" reply count is the easiest way for the experts to spot your thread as still needing help.)

Other Support Options:

--- Alternatively, if you are a paying customer using MBAM PRO, you may wish instead to start a free support ticket by contacting support at: support@malwarebytes.org; or

--- Premium, fee-based support options are available here.

Thanks, daledoc1

PS: Please use the zMn2t.jpg button instead of other ones when you reply here and at the other forums, so that it will be easier to read. :)


Thanks for replying!

Your post however was not very helpful! Is it a prewritten general reply? It sure looks like it. You basically say it could be a legitimate block or a false positive, well gee, that's a given. Was hoping with the logs provided, someone here could tell me which it is, legit or false. You also say it may look like it's blocking Avast, but it might not be. That it may just look like it is because the REAL process is running through Avast so it just appears to Malwarebytes to be from Avast. OK, if that's the case, how do I find out if it is blocking Avast itself or a bad process running through Avast? I tried downloading and running TCPview as suggested in the link, but it wasn't any help, it still shows the process as Avast, same as Malwarebytes. I've run a scan with both updated Malwarebytes and Avast and neither found anything. Why would Malwarebytes determine a process coming from Avast to be bad, but not be able to detect it using a scan?

Also, my computer runs fine, just worried about logs showing Malwarebytes blocking my antivirus.


Hello again:

Thanks for the update.

Sorry the information provided was not helpful for you.

I was merely pointing you towards tutorials and other informational articles written by the MBAM experts & staff.

This included an explanation of why MBAM appears to be blocking your AV, as shown in the attached screenshot from the FAQ.

This particular sub-forum is designated for general problems with the MBAM program, as opposed to malware diagnostics and disinfection.

So, even the experts and MBAM staff generally cannot and do not review scan logs in this particular section.

If you think you might be infected, then please follow the advice in my original reply to start a new topic in the malware removal section.

One of the authorized, trained malware experts will review your logs and help to determine the cause of the IP blocks.

If you think the problem is NOT malware-related, then please wait for assistance here from one of the MBAM staff or other experts.

I'm sure they will be able to assist you better. :)

Thanks for your patience,

daledoc1


Again, thanks for the response!

This included an explanation of why MBAM appears to be blocking your AV, as shown in the attached screenshot from the FAQ.

Response: Again, you are hinting, but not outright saying that MBAM is not actually blocking avast.svc but another process running through Avast. What I don't understand is, if it is something bad, how it would recognize and block it when it's running through Avast, but not catch it outside Avast when running a scan? And how do I go about finding out for sure if it's falsely blocking Avast program or something else running through Avast, and if so, how to identify and remove it if scans don't find it.

This particular sub-forum is designated for general problems with the MBAM program, as opposed to malware diagnostics and disinfection.

So, even the experts and MBAM staff generally cannot and do not review scan logs in this particular section.

Response: As I said, I posted here because I don't know if it's a Malware or Malwarebytes error. I was hoping someone here could tell me and go from there. For all I know, it may not even be anything to worry about and I can just ignore the log entries. Would just like to know for sure that Avast itself is not being impeded.

If you think you might be infected, then please follow the advice in my original reply to start a new topic in the malware removal section.

One of the authorized, trained malware experts will review your logs and help to determine the cause of the IP blocks.

Response: Again, don't know if problem is malware, Malwarebytes error or something I don't even need to worry about. That's why I posted here, to find out.

If you think the problem is NOT malware-related, then please wait for assistance here from one of the MBAM staff or other experts.

See previous response

Additional Info:

OS: Windows 7 HP(64bit)

System: Self Built/Assembled. Including: Custom (by me) solid oak case, Intel 2600k Quad CPU w/Coolermaster V8, Asus WS Revolution board, 8GB Corsair RAM, Samsung SSD OS drive, XFX Radeon HD 6850 graphics, Antec High Current Pro 1200 watt power supply, 1 internal 500GB Maxtor storage drive, 1 external 1TB Seagate file backup drive & 1 external 500GB Seagate system backup drive.

Have run scans with both my Malwarebytes (pro version) & Avast Internet Security and neither found anything.


I copied one of your IP addresses that Malwarebytes blocked and put it in my browser, and Malwarebytes blocked it but did not show me the popup window, but did make reference to my AVAST software like yours made reference to YOUR antivirus program, and as soon as I went to that IP address I lost the ability to right click my Malwarebytes icon in my system tray, but apparently it still did what it was supposed to do according to my log. ANYWAYS I am having a different issue with my system tray icon BUT duplicated YOUR issue with Malwarebytes making reference to your antivirus program while blocking a malicious website. HMMMM,,, Here is my log and a link to MY icon issue. I hope this all made sense.

20:56:21 Greg IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 50467, Process: avastsvc.exe)

20:56:21 Greg IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 50468, Process: avastsvc.exe)

My Issue>>> http://forums.malwarebytes.org/index.php?showtopic=100541


  • Root Admin

I see - well it looks like you probably are infected. Your AV is always the one shown because it accesses the network card before our product does.

You need to follow Daledoc's advice and have someone assist you in checking your system for malware.

Here are the steps needed to get your computer cleaned....

Please read the following so that you can begin the cleaning process:

Don't use any temporary file cleaners unless requested - this can cause data loss and make recovery difficult

You have 3 Options that you can choose from as listed below:

  • Option 1 —— Free Expert advice in the Malware Removal Forum
  • Option 2 —— Paying customer -- Contact Support via email
  • Option 3 —— Premium, Fee-Based Support

OPTION 1

As we don't deal with malware removal in the General Malwarebytes' Anti-Malware Forum, you need to start a topic in the Malware Removal forum so a qualified helper can help you fix any malware related problems/infections you may have.

  • Please read and follow the directions here, skipping any steps you are unable to complete.

  • After posting your new post, make sure under options, you select Track this topic and choose Immediate Email Notification, so that you're alerted when someone has replied to your post.

NOTE:

Please do not post back to (bump) your topic within the first 48 hours.

Replying to your own posts changes the post count and helpers are looking for topics with zero replies.

If you reply to your own post helpers may think that you're already being helped and thus overlook your post.
    • If there is no reply from any experts after 48 hours, you can reply to the topic, asking for help again.

      Or

    • You may send a Private Message to a Moderator asking for assistance.


OPTION 2

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org or here.

OPTION 3

If you would like to use our Malwarebytes Premium Services, Comprehensive solutions to all your computer support needs—from installation and set-up to troubleshooting and tune-ups go to our Malwarebytes Premium Services support site.

Please be patient, someone will assist you as soon as possible.

PS: Please use the "Add Reply" button not the Reply button when you start replying.

Link to post
Share on other sites

OK, I reposted to tech support as suggested. In my case, I was told I'm not infected with anything more than likely. The reason for the log entries blocking Avast is that it's not really blocking Avast, just blocking webpages or webpage content that are trying to load through Avast's filters. Which is ONE of the things you here were saying. You all were just confusing me because in the same post you would say "but may be malware..." or something to that effect, so I didn't know which it was.

Thanks for your help though!!! Guess you guys can consider this topic closed/solved as far as I'm concerned. :D

Link to post
Share on other sites

  • Root Admin

As an example - you have OUTGOING IP blocks, not Incoming that go to Europe when your IP would indicate you're probably on the East Coast in the US.

No one can say 100% proof positive that you are infected without doing some analysis, thus that is why we/they say "possibly" - if you think it's okay for your computer to reach out on its own and talk to an Advertising network in Germany then that's up to you, but most would probably think it's not okay and would seek further analysis in the HJT forum, but again that's up to you.

IP address: 212.95.32.213

Host name: ih3.linktarget.com

212.95.32.213 is from Germany(DE) in region Western Europe

MediaTarget Advertising Services

Link to post
Share on other sites

I'm just basing decision on what Malwarebytes tech told me. They said that both Malwarebytes and Avast are doing their job and so I don't need to worry about it.

Guessing you disagree with that analysis and think I should seek further assistance, correct. So what, now I need to go start another topic at yet a third place, the HijackThis forum? Can you send me a link, so I at least know I'm submitting to correct place?

As always, thanks for your help!!!

Scott

Link to post
Share on other sites

Hello, again, TBurrfootsIre:

So what, now I need to go start another topic at yet a third place, the HijackThis forum? Can you send me a link, so I at least know I'm submitting to correct place?

Following AdvancedSetup's advice would be a very good idea. As you can see from his profile, he is a MBAM staffer, forum administrator here and HIGHLY experienced & expert in computer security. :)

Here are the links you need to get started in the malware removal section: :)

1. First, please go to THIS PAGE, print out, read and carefully follow as many instructions as you can...

2. ...by starting a NEW thread at the Malware Removal-HJT forum .

That said, if you already have an open ticket with the support team via email, then that person will likely advise that you stay with him/her and he/she may even close this topic here at the forum.

That way, you'll only be working with 1 expert in 1 place to check and (if necessary) clean your machine.

This will minimize any confusion or duplication of effort.

Please be aware that it is a long holiday weekend here in the U.S., where many of the support folks are based.

So, please be patient.

Thanks very much - I hope you get it all sorted out soon,

daledoc1

Link to post
Share on other sites

Hi, I reside in Charleston. Who's going to win the game tonight - USC or Clemson?

What were you doing when you saw the IP blocks to 212.95.32.213? Or did you just notice the block events in your MBAM protection log but received no popup alert from MBAM?

That IP is listed by RIPE as registered to some German company called Leaseway or something similar.

I checked out 212.95.32.213 and it is not blacklisted as malicious. Of course, the site's web page could be recently infected.

In any case, MBAM is only blocking one IP address. Really don't see a problem here.

Link to post
Share on other sites

Hi, I reside in Charleston. Who's going to win the game tonight - USC or Clemson?

Watching game. Hoping Clemson wins. GO TIGERS!!!!!!!!!!!!!! :D

What were you doing when you saw the IP blocks to 212.95.32.213? Or did you just notice the block events in your MBAM protection log but received no popup alert from MBAM?

Don't remember what I was doing. Yes, I received popup, that's why I checked the logs.

...In any case, MBAM is only blocking one IP address. Really don't see a problem here.

Yeah, I had come to same conclusion, but I have resubmitted issue to the HJTF based on Advanced Setup's last post. Still awaiting a response though.

Also, should say that since I added the exclusions to Avast6 & Malwarebytes recommended in false positive/ignore guide I have not had the blocks show on Malwarebytes log. Guessing the events are still happening, just being ignored by Malwarebytes now due to exclusions.

Link to post
Share on other sites

  • Root Admin

It normally can take a few days to get assistance in the HJT forum so please try to be patient. Though if you did submit to the help desk then you shouldn't submit to the forum as well - choose one or the other.

Getting a block now and then is normal, but in most cases it's INCOMING, not OUTGOING. In your case, TBurrfootsIre, you have 70+ blocks to that IP and all OUTGOING.

If nothing is found then no harm done except a bit of time spent looking into it - on the other hand IF you're infected and you let it go and someone is able to extract passwords or other critical information from your system and then causes you financial or fraud issues you would have wished you did spend the time looking in to it is all.

Just saying: Better Safe than Sorry

Link to post
Share on other sites

It normally can take a few days to get assistance in the HJT forum so please try to be patient. Though if you did submit to the help desk then you shouldn't submit to the forum as well - choose one or the other.

Yeah, I'm in no rush. Plus, holiday so realize most people want to spend time with family or whatnot. Yes, I submitted to help desk, but as I said, Tom there basically told me he didn't feel it was anything to worry about since attempts were being blocked properly. His exact post was:

From the way I understand it, your Avast webguard is checking the site, but not the same way we do, we just block IPs based on our research, your Avast scans for vulnerabilities, it won't hit every site because neither app has the same IPs listed at all times. Our blocker is being triggered by the webguard but for the same IP. Could be from a banner ad on any given site. Hope that clears it up some. Bottom line here is that there isn't anything to be worried about, both apps are working as intended.

If nothing is found then no harm done except a bit of time spent looking into it - on the other hand IF you're infected and you let it go and someone is able to extract passwords or other critical information from your system and then causes you financial or fraud issues you would have wished you did spend the time looking in to it is all.

Just saying: Better Safe than Sorry

I decided to take your advice, so submitted to HJTF to see what they think and if they agree with Tom's assessment.

Link to post
Share on other sites

AdvancedSetup, I told Tom at tech support what you recommended and below is his response, again saying blocks are nothing to worry about. Don't know what to do. Guess I'll just wait and see if anyone answers post on HJTF, if no one does, just forget about it and hope for the best.

Tom Mercado, Nov-26 08:26 pm (PST):

Hi, I don't see any reason to look deeper for malware at all. This issue is commonly addressed in the forums, specifically with the Avast process.

Link to post
Share on other sites

AdvancedSetup, I told Tom at tech support what you recommended and below is his response, again saying blocks are nothing to worry about. Don't know what to do. Guess I'll just wait and see if anyone answers post on HJTF, if no one does, just forget about it and hope for the best.

This may or may not be a sign of infection, it all depends on the context of when it occurs. If it happens when you aren't browsing the internet or using any peer-to-peer software (like Bittorrent, Skype etc.), then that does increase the probability of an infection. If it occurs when you're browsing to a particular website on the internet then this reduces the likelihood of an infection. If, however this occurs when you're browsing the internet when visiting basically any website (i.e., if it happens when visiting Google.com, Microsoft.com and any other website you visit), then this increases the probability that an infection is the cause.

It's all about when and how the blocks occurred and there is one way to know for sure besides having your PC checked in the HJT/Malware Removal forum (though that is the safer, recommended option), and that would be to turn off Avast! and then see what process Malwarebytes Anti-Malware says is contacting those IP addresses. You may also attempt to find out the process by following the instructions in Section G of our FAQ where it says Use TCPView to Determine what Process is Connecting to a Malicious IP Address. I'm not certain that it will tell you which process it is (it may simply report Avast!'s process the same as Windows and MBAM do), but it may.

Link to post
Share on other sites
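An added example, not part of any post in this thread and not Malwarebytes code: a small triage script for the "when and how often" question discussed above. It parses IP-BLOCK lines in the format quoted in the thread, groups them by IP, direction and process, and counts separate bursts of blocks. The `burst_gap` and `min_bursts` thresholds and the `PROXYING_PROCESSES` set are assumptions, and the script assumes one day's log (the entries carry no date).

```python
import re
from collections import defaultdict

# Line format taken from the IP-BLOCK entries quoted in this thread.
BLOCK_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\s+(\S+)\s+IP-BLOCK\s+(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"\(Type:\s*(\w+),\s*Port:\s*(\d+),\s*Process:\s*([^)]+)\)\s*$"
)
# Assumption: processes that filter other programs' web traffic, so the log
# names them rather than the program that started the connection.
PROXYING_PROCESSES = {"avastsvc.exe"}

def parse_blocks(lines):
    """Return one record per IP-BLOCK line; MESSAGE and other lines are skipped."""
    events = []
    for line in lines:
        m = BLOCK_RE.match(line.strip())
        if m:
            hh, mm, ss, user, ip, direction, port, process = m.groups()
            events.append({
                "seconds": int(hh) * 3600 + int(mm) * 60 + int(ss), "ip": ip,
                "direction": direction.lower(), "process": process.strip().lower(),
            })
    return events

def summarize(events, burst_gap=60, min_bursts=3):
    """Group blocks by (ip, direction, process); thresholds are illustrative assumptions."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["ip"], ev["direction"], ev["process"])].append(ev["seconds"])
    report = {}
    for key, times in groups.items():
        times.sort()
        # Blocks more than burst_gap seconds apart start a new burst.
        bursts = 1 + sum(1 for a, b in zip(times, times[1:]) if b - a > burst_gap)
        report[key] = {
            "count": len(times), "bursts": bursts,
            "process_is_proxy": key[2] in PROXYING_PROCESSES,
            "needs_review": key[1] == "outgoing" and bursts >= min_bursts,
        }
    return report

# First two lines are from the thread; the other three are constructed samples.
SAMPLE_LOG = """\
20:56:21 Greg IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 50467, Process: avastsvc.exe)
20:56:21 Greg IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 50468, Process: avastsvc.exe)
21:40:02 Greg IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 50911, Process: avastsvc.exe)
23:15:47 Greg IP-BLOCK 212.95.32.213 (Type: outgoing, Port: 51320, Process: avastsvc.exe)
22:03:10 Greg IP-BLOCK 203.0.113.7 (Type: incoming, Port: 445, Process: system)
""".splitlines()
```

A group with `process_is_proxy` set means the named process is only the filter the traffic passed through, so identifying the real originator still needs a per-connection tool such as the TCPView step mentioned above.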

Well, the safest option would be to get checked for infections, but if you only see the blocks when using peer-to-peer sites, then you should be OK. Try staying away from them for a couple days and exit any peer-to-peer programs that might be running in the background and see if the blocks continue. If they do, then it's best to get checked, if they do not, then the peer-to-peer stuff was likely the cause.

Link to post
Share on other sites

Well, I followed the instructions for Avast6 in the false positive/ignore guide and added the exceptions to Avast and Malwarebytes yesterday and haven't had any of those entries since. However now I have the following entries, is it normal for IP protection to stop and start like that? I understand why it did it when updating, but why the other times? I may have been running a scan or running that DDS script at those times, not sure. Would a scan or the script cause protection to stop/start like that? Other than that though, as you can see, log is pretty bare for yesterday.

02:14:25 Scott MESSAGE IP Protection stopped

02:14:25 Scott MESSAGE IP Protection started successfully

05:42:23 Scott MESSAGE IP Protection stopped

05:42:23 Scott MESSAGE IP Protection started successfully

05:42:38 Scott MESSAGE IP Protection stopped

05:42:39 Scott MESSAGE IP Protection started successfully

05:42:54 Scott MESSAGE IP Protection stopped

05:42:54 Scott MESSAGE IP Protection started successfully

06:46:43 Scott MESSAGE Scheduled update executed successfully

06:46:58 Scott MESSAGE IP Protection stopped

06:47:00 Scott MESSAGE Database updated successfully

06:47:00 Scott MESSAGE IP Protection started successfully

Link to post
Share on other sites
