
Malwarebytes keeps blocking suspected inbound connections, why isn't my firewall


18 replies to this topic

#1 KainYusanagi
Posted 08 June 2018 - 06:39 PM

Updated Malwarebytes, got a free premium trial a few days back. Now it keeps popping up a notice that it's blocking incoming traffic on various ports trying to connect to svchost.exe as detected riskware or malware. I tried adding the IP addresses and blocked those ports in Windows Firewall on Windows 7, but I'm still getting those popups from Malwarebytes. How are these inbound connections making it through my software firewall for Malwarebytes to even detect and block them?

 

I also ran a full suite of anti-malware and anti-virus programs, nothing detected on any of them (including Malwarebytes itself), other than Hitman Pro, which detected some stuff in legacy keys that I can't remove at all, all for something called "Goobzo" (which I've never heard of until now, nor have ever had infect this computer, which makes me curious what's going on there).

The keys are as follows:
   HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SMUPDD\ (Goobzo)
   HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_SMUPDD\ (Goobzo)
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SMUPDD\ (Goobzo)


Edited by KainYusanagi, 08 June 2018 - 06:39 PM.
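The question in this first post (how a probe can reach svchost.exe when the firewall is supposed to drop it) is answerable from the Windows 7 box itself, without guessing. The script below is an added example written for this page, not code from the thread or from Malwarebytes. It assumes an elevated PowerShell prompt on Windows 7 (hence netsh advfirewall rather than the NetSecurity cmdlets, which only exist on Windows 8 and later), the default firewall log location, and that Malwarebytes names svchost.exe because a Windows service hosted in svchost owns the listening socket on the probed port. The rule name and the watch list are choices made for the example; the three addresses are the ones quoted later in the thread.

```powershell
# Added example, not from the thread. Checks whether Windows Firewall on the OP's
# Windows 7 box actually drops the probes Malwarebytes keeps reporting, instead of
# trusting either product's popup. Run from an elevated PowerShell prompt.
# Windows 7 has no NetSecurity cmdlets (New-NetFirewallRule etc.), so netsh advfirewall
# is used; the script stays PowerShell 2.0 compatible (no [pscustomobject], no -in).

# Constructed watch list: the three addresses quoted in post #5.
$watch = @('46.161.27.30', '192.186.183.98', '46.161.27.49')

# Rule name is an arbitrary choice for this example; no spaces, so netsh quoting is a non-issue.
$ruleName = 'MBAM_Probe_Block'

# 1. One inbound block rule for all three sources, created only if it is not already there.
$existing = netsh advfirewall firewall show rule name=$ruleName
if (($existing -join "`n") -match 'No rules match') {
    $remote = $watch -join ','
    netsh advfirewall firewall add rule name=$ruleName dir=in action=block remoteip=$remote profile=any enable=yes | Out-Null
}

# 2. Log dropped packets for every profile, and confirm each profile is actually ON.
#    A rule in a profile that is off, or a network placed in the wrong profile, blocks nothing.
netsh advfirewall set allprofiles logging droppedconnections enable | Out-Null
netsh advfirewall set allprofiles logging maxfilesize 8192 | Out-Null
netsh advfirewall show allprofiles state

# 3. Read the firewall log and tally what happened to inbound packets from the watch list.
#    W3C fields: date time action protocol src-ip dst-ip src-port dst-port ... path
function Get-ProbeVerdicts {
    param([string]$Path, [string[]]$Sources)
    $rows = @()
    foreach ($line in (Get-Content -Path $Path -ErrorAction SilentlyContinue)) {
        if ($line -match '^#' -or $line -notmatch '\S') { continue }   # header / blank
        $f = $line -split '\s+'
        if ($f.Count -lt 8) { continue }
        if ($Sources -notcontains $f[4]) { continue }                   # src-ip
        if ($f[$f.Count - 1] -ne 'RECEIVE') { continue }                # inbound only
        $rows += New-Object PSObject -Property @{
            Time = $f[0] + ' ' + $f[1]; Action = $f[2]; Proto = $f[3]; Src = $f[4]; DstPort = $f[7]
        }
    }
    return $rows
}

$log = Join-Path $env:SystemRoot 'System32\LogFiles\Firewall\pfirewall.log'
Get-ProbeVerdicts -Path $log -Sources $watch |
    Group-Object Src, Action |
    Select-Object Name, Count |
    Format-Table -AutoSize
# DROP rows:  the firewall is discarding the probes; Malwarebytes reports the same packets
#             from its own filter layer, which is the behaviour post #15 describes.
# ALLOW rows: the block rule is not matching; look for a more specific allow rule for the
#             program or port, or a profile mismatch.
# No rows while Malwarebytes keeps alerting: its filter consumed the packet before the
#             firewall's rule evaluated it (assumption; the router log settles it).

# 4. Why "svchost.exe": the alert names the process that owns the listening socket.
#    Show which TCP ports svchost-hosted services expose, and which services live in each PID.
function Get-SvchostListeners {
    $svchostPids = @(Get-Process -Name svchost | ForEach-Object { $_.Id })
    $out = @()
    foreach ($line in (netstat -ano -p tcp)) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -eq 5 -and $f[3] -eq 'LISTENING' -and $svchostPids -contains [int]$f[4]) {
            $out += New-Object PSObject -Property @{ Local = $f[1]; ProcId = [int]$f[4] }
        }
    }
    return $out
}
$listeners = Get-SvchostListeners
$listeners | Format-Table -AutoSize
foreach ($p in ($listeners | ForEach-Object { $_.ProcId } | Sort-Object -Unique)) {
    tasklist /svc /fi "PID eq $p"    # maps the PID to the service names it hosts
}
```

The tally in step 3 is the part that actually answers the question: a DROP line for a watch-listed source proves the firewall rule is working and that the two products are simply both seeing the same packet, whereas an ALLOW line means the rule is not the one being matched. Step 4 is the follow-up a practitioner wants regardless of the firewall question, because a service listening on a port reachable from the Internet is the real exposure, and anything that shows up there on a machine without a NAT router in front of it deserves to be turned off or restricted to the local subnet.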

#2 cunikcz

Posted 09 June 2018 - 07:29 AM

Hi,

 

Go to this forum and someone will help you:

https://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-assistance/



#3 KainYusanagi (Topic Starter)

Posted 09 June 2018 - 04:43 PM

I would, if I was seriously concerned about the legacy keys. I only mentioned it because the Hitman Pro scan found it, and nothing else of note; every other tool reports the system is clean. What I want to deal with is these incessant inbound connections from riskware/malware that Malwarebytes is detecting, but my firewall, which is configured to block them according to the information provided by Malwarebytes, is doing nothing to stop, apparently.



#4 cunikcz

Posted 09 June 2018 - 04:48 PM

Maybe it is false positive from Hitman Pro. What are the IP addresses?



#5 KainYusanagi (Topic Starter)

Posted 10 June 2018 - 03:51 AM

Maybe it is false positive from Hitman Pro. What are the IP addresses?

46.161.27.30

192.186.183.98

46.161.27.49

and a few other variations on the 46 line of IPs.

I'm getting these probes being reported by Malwarebytes multiple times daily, even when blocked in my software firewall, on the ports they're attacking and on their IP, as I said.


Edited by KainYusanagi, 10 June 2018 - 03:51 AM.


#6 muroga

Posted 10 June 2018 - 10:03 AM

Well, given that Goobzo is well known malware/adware and has managed to alter the registry, it's not far-fetched to suspect the two issues might be related. Dealing with the potentially infected registry entries won't leave you any worse off, so I'd start there.

There may also be one other possibility related to the real-time protection from MB, i.e. the native Windows firewall doesn't seem to be working because MB is superseding it. I'm not familiar with the ins and outs of Win7, but it's a thought.

#7 midimusicman79

Posted 10 June 2018 - 10:54 AM

Hi, KainYusanagi and Welcome to BC! :welcome:

Both of the IP addresses starting with 46 originate from the Russian Federation, and all the IP addresses are clearly associated with malware.

As such, I would strongly recommend posting a new topic on the Virus, Trojan, Spyware, and Malware Removal Assistance forum, to get personal help from professionally trained members of the Malware Response Team.

Please follow this Preparation Guide:

https://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Good luck! :)

Regards,
midimusicman79

Edited by midimusicman79, 11 June 2018 - 10:47 AM.

MS Win 10 Pro 64-bit, EAM Pro/EEK, MB 3 Free, WPP, SWB Free, CryptoPrevent Free, NVT OSA and Unchecky, WFW, FFQ with CanDef, uBO, Ghostery, Grammarly Free and HTTPS Ew. Acronis TI 2018, K. Sw. Upd. AM-tools: 9-lab RT BETA, AdwCleaner, Auslogics AM, aswMBR, Avira PCC, BD ART, catchme, Cezurity AV, CCE, CKS, ClamWin P., Crystal Sec., DDS, DWCI, EMCO MD, eScan MWAV, ESS/EOS, FGP, FMTB, FRST, F-SOS, FSS, FreeFixer, GMP, GMER, hP BETA, HJT, Inherit, JRT, K. avz4, KVRT, K. TDSSKiller, LSP-Fix, MB 3 Free, MBAR BETA, MA Stinger, NMC, NoBot, NPE, NSS, NVT MRF (NMRF), OTL, PCC, QD, RCS, RSIT, RKill, Rs, SC, SR, SAP, SVRT, SAS, SL, TMHC, TSA ART, UHM, Vba32 AR, VRS, WR (AiO), Xvirus PG, ZAM, ZHPC, ZHPD and Zoek. I have 23 Years of PC Experience. Bold = effective.


#8 midimusicman79

Posted 11 June 2018 - 11:32 AM

Hi again, KainYusanagi!

I do not know why you are not answering, however, please note that even if you are not seriously concerned with the legacy registry keys, but are seriously concerned with the incoming IP addresses, you should still follow the advice, given three times now, to post a new topic in the Malware Removal Logs forum. :thumbup2:

Because otherwise, I am not sure how we can help you any further in this topic. :unsure:

Regards,
midimusicman79



#9 KainYusanagi (Topic Starter)

Posted 11 June 2018 - 06:05 PM

Hi again, KainYusanagi!

I do not know why you are not answering, however, please note that even if you are not seriously concerned with the legacy registry keys, but seriously concerned with the incoming IP addresses, you should still follow the three advices to post a new topic in the Malware Removal Logs forum. :thumbup2:

Because otherwise, I am not sure how we can help you any further in this topic. :unsure:

Regards,
midimusicman79

I didn't answer because I didn't really see a point in replying to your message when I'd already made myself clear; I asked why MWB would be taking priority over my firewall or, if it's being bypassed, how that could happen and how to resolve that. I further noted that I've already run a wide suite of tools, from RKill to MBAR to MBAM to HijackThis to SuperAntiSpyware to AdwCleaner and so on, to ensure I got multiple databases looking at my system and declaring it clean (aside from the legacy keys via Hitman Pro, and they're dormant). As I said, I can deal with the legacy registry keys at a later point in time, in the correct location for it; I only included that information to be thorough with the results that my scans brought up.



#10 britechguy (Moderator)

Posted 11 June 2018 - 06:13 PM

 I asked for why MWB would be taking priority over my firewall or, if it's being bypassed, how that could happen and how to resolve that. 

Which might be better pursued, and in more depth and with more expertise, at https://forums.malwarebytes.com/.

 

I suspect you might have a malware infection of some kind like others here.  But it's not likely that anyone here can answer why what you are most interested in knowing the root cause for is happening.  That's territory for those who know the internals of Malwarebytes.


Brian  AKA  Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1809, Build 17763 

Travel is fatal to prejudice, bigotry, and narrow-mindedness, and many of our people need it sorely on these accounts.  Broad, wholesome, charitable views of men and things cannot be acquired by vegetating in one little corner of the earth all one's lifetime.

       ~ Mark Twain


#11 KainYusanagi (Topic Starter)

Posted 12 June 2018 - 04:57 AM

 I asked for why MWB would be taking priority over my firewall or, if it's being bypassed, how that could happen and how to resolve that. 

Which might be better pursued, and in more depth and with more expertise, at https://forums.malwarebytes.com/.

I suspect you might have a malware infection of some kind like others here.  But it's not likely that anyone here can answer why what you are most interested in knowing the root cause for is happening.  That's territory for those who know the internals of Malwarebytes.

 

Why would they be better equipped to pursue why my firewall isn't working to block these things instead when I've specifically set it to block those ports and those IPs? Where all tools scan clean, and they're solely inbound connections trying to connect to me, not outbound?



#12 Replicator

Posted 12 June 2018 - 05:14 AM

Your software firewall may be being disabled every time the malware runs and sees it.

You're using a router, right? Are its hardware firewall settings enabled?

 

What do the router logs tell you about incoming connections?

 

Edit....also check the outgoing connections for unusual requests such as malware trying to phone home etc!


Edited by Replicator, 12 June 2018 - 06:58 AM.

The quieter you become, the more you are able to hear!
CEH, CISSP @ WhiteHat Computers Pty Ltd
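Replicator's last point, checking the outgoing side for anything phoning home, is the one check the OP's scanners cannot do for him, because a scanner looks at files and registry keys while a phone-home is a live socket. The script below is an added example for this page, not code from the thread or from any vendor; it assumes an elevated PowerShell prompt on the Windows 7 box (so process paths resolve), uses the three addresses quoted in post #5 as a constructed watch list, and treats RFC 1918, loopback and link-local peers as uninteresting. The router log remains the authoritative view of inbound traffic, since the host only ever sees packets that the router already forwarded.

```powershell
# Added example, not from the thread: the outbound half of Replicator's advice.
# Lists every live TCP connection to a non-private peer, with the owning process,
# and flags any whose peer is on the watch list. PowerShell 2.0 compatible for Windows 7.

$watch = @('46.161.27.30', '192.186.183.98', '46.161.27.49')   # constructed watch list

function Test-PrivateAddress {
    param([string]$Ip)
    # RFC 1918 ranges, loopback, link-local, the unspecified address and IPv6 loopback.
    if ($Ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.|169\.254\.)') { return $true }
    if ($Ip -eq '0.0.0.0' -or $Ip -eq '::' -or $Ip -eq '::1') { return $true }
    return $false
}

function Get-OutboundConnections {
    param([string[]]$WatchList)
    # Build the PID -> process table once; Get-Process -Id on a PID that just exited throws.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[[int]$_.Id] = $_ }
    $out = @()
    foreach ($line in (netstat -ano -p tcp)) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -ne 5 -or $f[0] -ne 'TCP') { continue }   # skip banner and header lines
        if ($f[3] -eq 'LISTENING') { continue }                 # inbound exposure is a separate check
        $cut = $f[2].LastIndexOf(':')
        $remoteIp = $f[2].Substring(0, $cut).Trim('[', ']')     # strips IPv6 brackets
        $remotePort = $f[2].Substring($cut + 1)
        if (Test-PrivateAddress $remoteIp) { continue }
        $p = $procs[[int]$f[4]]
        $name = '?'; $path = '?'
        if ($p) { $name = $p.Name; if ($p.Path) { $path = $p.Path } }
        $flag = ''
        if ($WatchList -contains $remoteIp) { $flag = 'WATCHLIST' }
        $out += New-Object PSObject -Property @{
            Flag = $flag; Process = $name; ProcId = [int]$f[4]
            Remote = "${remoteIp}:${remotePort}"; State = $f[3]; Path = $path
        }
    }
    return $out
}

Get-OutboundConnections -WatchList $watch |
    Sort-Object Flag -Descending |
    Format-Table Flag, Process, ProcId, Remote, State, Path -AutoSize
# Anything flagged WATCHLIST, or any ESTABLISHED connection from a process whose Path is
# outside \Windows and \Program Files, is what to capture (path, hash, peer) before killing it.
# Half-open inbound probes never appear here; the router log is the place to see those.
```

Run it a few times over a day, since a beacon that fires every few hours will not be on the wire at any single snapshot; the WATCHLIST rows are the only thing that would tie the inbound alerts to a process on the machine, and if they never appear, the probes are just Internet background noise hitting a listening service.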

 


#13 britechguy (Moderator)

Posted 12 June 2018 - 09:02 AM

Why would they be better equipped to pursue why my firewall isn't working to block these things instead when I've specifically set it to block those ports and those IPs? Where all tools scan clean, and they're solely inbound connections trying to connect to me, not outbound?

You stated that Malwarebytes is blocking instead of your firewall.  Why, given the information you've given, is an utter mystery, and you insist on not following the suggestions that anyone has given you.

 

Your case is not likely to be unique.  Since Malwarebytes appears to be taking precedence over your firewall, and you're highly unlikely to be the only person who's ever experienced this, deep Malwarebytes knowledge would be the thing I'd be looking for to solve the first layer of the mystery.

 

You can feel free to pursue this in any way you see fit.  Others will feel free to offer assistance as they see fit, and for reasons they need not explain to you, either.




#14 KainYusanagi (Topic Starter)

Posted 12 June 2018 - 11:49 AM

Why would they be better equipped to pursue why my firewall isn't working to block these things instead when I've specifically set it to block those ports and those IPs? Where all tools scan clean, and they're solely inbound connections trying to connect to me, not outbound?

You stated that Malwarebytes is blocking instead of your firewall.  Why, given the information you've given, is an utter mystery, and you insist on not following the suggestions that anyone has given you.

Your case is not likely to be unique.  Since Malwarebytes appears to be taking precedence over your firewall, and you're highly unlikely to be the only person who's ever experienced this, deep Malwarebytes knowledge would be the thing I'd be looking for to solve the first layer of the mystery.

You can feel free to pursue this in any way you see fit.  Others will feel free to offer assistance as they see fit, and for reasons they need not explain to you, either.

 

So, in short, you think that because Malwarebytes is blocking it, they can somehow magically know more about why my firewall isn't. Okay. So I shouldn't have even bothered making an account for this forum then. Thanks for showing me that this has all been pointless.



#15 midimusicman79

Posted 12 June 2018 - 11:57 AM

Hi again, KainYusanagi!

The following is nothing else whatsoever than a simple fact about your issue:

If you are not going to follow the advice, given four times now, to post a new topic in the Malware Removal Logs forum, then at least you should purchase a license for Malwarebytes Premium.

Because otherwise, after the 14-day Premium trial is over, Malwarebytes Free will no longer block the incoming IP addresses, and then you may possibly risk the incoming IP addresses infecting your computer.

Additionally, just for the record, Malwarebytes' behavior is designed to block incoming (and outgoing) IP addresses even if you have specifically blocked them in your firewall, and is therefore not really unwanted, so please read this article:

https://www.malwarebytes.com/lp/ip-blocking/?ipblock=true

Regards,
midimusicman79

Edited by midimusicman79, 13 June 2018 - 07:40 AM.

