
Win10, Malwarebytes keeps blocking outbound attempts


3 replies to this topic

#1 Old_Feller

Old_Feller

  • Members
  • 172 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lufkin, Texas
  • Local time:07:19 AM

Posted 27 September 2017 - 12:11 PM

Malwarebytes has blocked repeated attempts of this computer to contact several DNSs...as pasted below:

 

 

-Log Details-
Protection Event Date: 9/27/17
Protection Event Time: 11:54 AM
Log File: 896bffc0-a3a4-11e7-b852-1cc1de644829.json
Administrator: Yes

-Software Information-
Version: 3.2.2.2018
Components Version: 1.0.188
Update Package Version: 1.0.2899
License: Trial

-System Information-
OS: Windows 10 (Build 15063.608)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Domain: xml.pdn-5.com
IP Address: 174.137.155.139
Port: [63557]
Type: Outbound
File: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

 

My question is: doesn't this mean I'm infected with something? Earlier today something got through. I had been frantically surfing and I thought Malwarebytes was blocking something legit because I'd just clicked on a link to bleepingcomputer when the popup message happened, so I cleared it as "okay". Anyway, suddenly there was a message in front of me, demanding information, including a credit card number. It came with a warning not to attempt to close the page or turn off the computer.

 

I immediately did a hard shutdown. That always seems to work. Everything is fine except I keep getting the popup messages from Malwarebytes and logs like the one I posted here are accumulating. There are several different domains. Is there something I need to do to disinfect?



#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,271 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:19 AM

Posted 27 September 2017 - 07:48 PM

Malwarebytes Malicious Website Blocking (IP Protection) is part of the Protection Module in the Premium version and works after it is enabled. When attempting to go to a potential malicious website, Malwarebytes will block the attempt and provide an alert.

What does it mean when I get an alert that Malwarebytes has blocked a malicious site?

Malwarebytes Anti-Malware will alert users when network traffic is blocked to a website, URL, or IP address that has been found to host malicious content. Since the network traffic is blocked, the malicious IP address is unable to connect to your computer - In most cases nothing needs be done, our protection has blocked the threat from infecting you.

An outgoing IP alert indicates that a process on your system (typically your browser) tried to access a known malicious IP address or IP range and was prevented from loading content onto your system. When your browser attempts to connect to a website, Windows uses the Domain Name System (DNS) or the HOSTS file to query and convert the domain name into its corresponding IP address. Malwarebytes intercepts the communications in order to determine whether or not the IP address is known for malicious activity. If confirmed as a known malicious site, Malwarebytes blocks the connection, notifies you and stores that information in its protection log.

A browser is not required to be running for an alert to occur...just an active Internet connection with processes running. IP alerts may be triggered by banner ads appearing on websites since in some cases these ads are malicious. Notification that an outgoing IP address has been blocked does not necessarily mean the computer is infected. Other legitimate programs on your computer (e.g. iTunes, Instant Messenger client, SKYPE, P2P software) have access to the Internet and that action can trigger an IP alert if it tried to access a malicious IP address. No action is required unless you're also experiencing obvious indications (signs of infection and malware symptoms) that something is wrong. Your firewall should be able to give you a list of such programs so you can confirm if they are legitimate.

IP Protection is also designed to block incoming connections (communications) it determines to be malicious and you did not request from entering your computer. Hackers use "port scanning", a popular reconnaissance technique, to search for vulnerable computers with open ports using IP addresses or a group of random IP address ranges so they can break in and install malicious programs. Botnets and Zombie computers scour the net, randomly scanning a block of IP addresses, searching for vulnerable ports (commonly probed ports) and make repeated attempts to access them.

For information about Malicious Website Protection (IP Protection), please refer to:

Malwarebytes is doing its job by blocking this kind of traffic and alerting you about these intrusion attempts.

 

"...suddenly there was a message in front of me, demanding information, including a credit card number. It came with a warning not to attempt to close the page or turn off the computer.

I immediately did a hard shutdown. That always seems to work."

 

That sounds like a common browser pop-up scam. When dealing with browser pop-up scams, closing the web browser and then relaunching it usually eliminates the bogus warning message and is the best way to deal with these scams. If the browser freezes or hangs, you may have to close it with Windows Task Manager by selecting End Task.
 

For more information about how these scams work and resources to protect yourself, please read Beware of Phony Emails & Tech Support Scams...there are suggestions near the bottom for dealing with scams and a list of security scanning tools to use in case the usual methods do not resolve the problem or you allowed remote access into your computer.
 


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
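The reply above explains what a Malwarebytes outbound block records: the domain and IP that were contacted, the port, the direction, and the process that made the connection. The practical question for the person reading the log is which process is generating the blocks. If it is the browser, the usual causes are malicious ads and scam pages; if it is some other executable, that deserves a closer look. The following script is an added example, not Malwarebytes' own code or tooling. It parses the plain-text export format shown in the first post (the "-Log Details-" / "-Website Data-" records) and groups outbound blocks by process. The sample log is constructed: the first record is the one from the thread, abbreviated to the fields the parser reads; the other two records, their domains, addresses and the `svchost32.exe` path, are made up purely to show the grouping.

```python
"""Summarise Malwarebytes 'Blocked Website' protection-log exports by process.

Added example (not Malwarebytes code). Reads records in the plain-text format
posted in the thread and reports which executable produced the outbound blocks.
"""
import ntpath
import re
from collections import defaultdict

# Constructed sample log. Record 1 is the thread's own entry (abbreviated);
# records 2 and 3 are hypothetical, with placeholder domains/addresses.
SAMPLE_LOG = r"""
-Log Details-
Protection Event Date: 9/27/17
Protection Event Time: 11:54 AM
-Website Data-
Domain: xml.pdn-5.com
IP Address: 174.137.155.139
Port: [63557]
Type: Outbound
File: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

-Log Details-
Protection Event Date: 9/27/17
Protection Event Time: 12:03 PM
-Website Data-
Domain: ads.example-placeholder.test
IP Address: 192.0.2.10
Port: [52011]
Type: Outbound
File: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

-Log Details-
Protection Event Date: 9/27/17
Protection Event Time: 12:20 PM
-Website Data-
Domain: update.example-placeholder.test
IP Address: 198.51.100.7
Port: [49152]
Type: Outbound
File: C:\Users\Public\svchost32.exe
"""

# One "Key: value" line per field we care about (multi-line mode, one match per line).
FIELD_RE = re.compile(
    r"^(Protection Event Date|Protection Event Time|Domain|IP Address|Port|Type|File): (.*)$",
    re.M,
)

# Browser executables whose blocks are usually explained by ads / scam pages.
BROWSER_PROCESSES = {
    "microsoftedgecp.exe", "microsoftedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe",
}


def parse_events(text):
    """Split the export into records and return one dict per blocked-website record."""
    events = []
    for block in text.split("-Log Details-"):
        fields = {k: v.strip() for k, v in FIELD_RE.findall(block)}
        if "Domain" not in fields:
            continue  # a record without Website Data (or the empty lead-in) is not a block
        port = fields.get("Port", "").strip("[]")  # the export writes the port as [63557]
        path = fields.get("File", "")
        events.append({
            "date": fields.get("Protection Event Date", ""),
            "time": fields.get("Protection Event Time", ""),
            "domain": fields["Domain"],
            "ip": fields.get("IP Address", ""),
            "port": int(port) if port.isdigit() else None,
            "type": fields.get("Type", ""),
            "file": path,
            # ntpath handles Windows paths regardless of the OS this script runs on.
            "process": ntpath.basename(path).lower(),
        })
    return events


def summarize_by_process(events):
    """Count outbound blocks and collect the distinct blocked domains per process."""
    summary = defaultdict(lambda: {"blocks": 0, "domains": set()})
    for e in events:
        if e["type"].lower() != "outbound":
            continue
        summary[e["process"]]["blocks"] += 1
        summary[e["process"]]["domains"].add(e["domain"])
    return dict(summary)


def non_browser_blocks(events, browsers=BROWSER_PROCESSES):
    """Outbound blocks made by something other than a browser: worth investigating."""
    return [e for e in events if e["type"].lower() == "outbound" and e["process"] not in browsers]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for proc, info in summarize_by_process(evs).items():
        print(f"{proc}: {info['blocks']} block(s) -> {sorted(info['domains'])}")
    for e in non_browser_blocks(evs):
        print(f"CHECK: {e['file']} contacted {e['domain']} ({e['ip']}) at {e['time']}")
```

Run it against a real export by replacing `SAMPLE_LOG` with the file contents. A steady stream of blocks all attributed to the browser, as in this thread, points at ad or redirect traffic; blocks from an executable in an unusual location are the case the reply says should be confirmed as legitimate.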

#3 Old_Feller

Old_Feller
  • Topic Starter

  • Members
  • 172 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lufkin, Texas
  • Local time:07:19 AM

Posted 27 September 2017 - 09:42 PM

Thank you!! I had been getting these block notices at the rate of about 6 an hour.

 

I went ahead and ran Zemana and it found two suspicious entries in my registry: NlaSvc Manual Proxies, http accesswebunlimited dot com and Proxy Auto Config, http accesswebunlimited dot com. They were removed. Hitman Pro also cleaned up some cookies and such and CCleaner was run.

 

I haven't had one incident since.
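The two entries Zemana removed in the post above were proxy settings (a manual proxy and a proxy auto-config URL) redirected to a host the user never configured, which is a common way for adware to route browser traffic. The script below is an added example, not Zemana's or Malwarebytes' code, showing how to check the current user's WinINET proxy settings for that pattern. It reads the standard Internet Settings registry key (`HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings`, values `ProxyEnable`, `ProxyServer` and `AutoConfigURL`); the "NlaSvc Manual Proxies" and "Proxy Auto Config" labels in the post are the scanner's own names for its findings, not registry value names. The `trusted_hosts` parameter and the placeholder hosts used in the sample settings are assumptions for the example; on a home PC with no proxy the expected result is that all three values are absent or disabled.

```python
"""Flag WinINET proxy settings that point at a host the user did not set up.

Added example (not Zemana/Malwarebytes code). The registry read only runs on
Windows; the assessment logic works on any platform from a plain dict so it
can be tested with constructed values.
"""
import platform
from urllib.parse import urlparse

# Standard per-user WinINET proxy settings location (real key and value names).
PROXY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
PROXY_VALUES = ("ProxyEnable", "ProxyServer", "AutoConfigURL")


def read_proxy_settings():
    """Return {value_name: data} from HKCU on Windows; an empty dict elsewhere."""
    if platform.system() != "Windows":
        return {}
    import winreg  # only available on Windows

    settings = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, PROXY_KEY) as key:
        for name in PROXY_VALUES:
            try:
                settings[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # value not present: nothing configured for it
    return settings


def _hosts_in_proxy_server(value):
    """ProxyServer is 'host:port' or 'http=host:port;https=host:port;...'."""
    hosts = []
    for part in value.split(";"):
        target = part.split("=", 1)[-1].strip()  # drop the 'http=' style prefix
        if target:
            hosts.append(target.rsplit(":", 1)[0])  # drop the port
    return hosts


def assess_proxy_settings(settings, trusted_hosts=()):
    """Return a list of findings; an empty list means nothing looks redirected.

    trusted_hosts: proxy hosts the user/organisation actually uses (assumption:
    on a home PC this is normally empty, so any configured proxy is reported).
    """
    findings = []
    pac = settings.get("AutoConfigURL")
    if pac:
        host = urlparse(pac).hostname or pac
        if host not in trusted_hosts:
            findings.append(f"proxy auto-config URL points at untrusted host {host}: {pac}")
    if settings.get("ProxyEnable") == 1 and settings.get("ProxyServer"):
        for host in _hosts_in_proxy_server(settings["ProxyServer"]):
            if host not in trusted_hosts:
                findings.append(f"manual proxy enabled for untrusted host {host}: {settings['ProxyServer']}")
    return findings


if __name__ == "__main__":
    # Constructed sample resembling the thread's finding (placeholder host).
    sample = {
        "ProxyEnable": 1,
        "ProxyServer": "proxy.example-placeholder.test:80",
        "AutoConfigURL": "http://pac.example-placeholder.test/proxy.pac",
    }
    live = read_proxy_settings() or sample
    for finding in assess_proxy_settings(live) or ["no proxy redirection found"]:
        print(finding)
```

If a finding appears on a machine that should have no proxy, clearing the value (or letting a scanner such as the ones named in the thread remove it) restores direct connections; re-running the check afterwards confirms the entries did not come back.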



#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,271 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:19 AM

Posted 28 September 2017 - 05:51 AM

You're welcome.
