
Problem Possibly With Email Phishing /(DNS) Spoofing Attack

  • This topic is locked
2 replies to this topic

#1 Seek2workingComp


  • Members
  • 2 posts
  • Local time:02:47 PM

Posted 24 July 2018 - 06:02 PM

Currently I have an open ticket item (about 2 months) with who I hope is really Malwarebytes Support concerning my Malwarebytes Premium 3 but need/want confirmation.


Earlier when I had been corresponding with Malwarebytes Support, I was getting email replies from Malwarebytes Support but then I started seeing emails from Malwarebytes from a domain mwb.zendesk. Here is an email I sent to them back a couple of months ago:


"Somebody has deleted some of my emails/correspondence with you to this email address; now all my emails come in the form of (from mwb.zendesk.com). For example (Malwarebytes Support <support+id2289024@mwb.zendesk.com>). Is this correct?"


I was assured that this was okay and that they were one and the same - but the email replies did start coming from what looked like 'support@malwarebytes.com' per the email header.


Then after other problems encountered with Malwarebytes (whose settings seemed to be changing 'by itself'), I encountered another problem which my TrendMicro at first detected as Riskware but then Malwarebytes also started showing detection of this riskware - which looked like spoofing. Here's an excerpt of an email I sent to 'Malwarebytes Support' on July 11th, 2018:


And recently I saw something that gives me concern that could be affecting my network/directories - As I showed before, I had directories that were made and many users/groups that I didn't recognize seemed to get added to my Files and Folders Permissions. Anyways, this last time around, I saw first that TrendMicro had blocked and then later Malwarebytes had blocked some outbound messages going to an IP address of which had several different domain names including ones that looked like they were related to my former ISP (earthlink.net) and related to Malwarebytes! I guess these are 'riskware' which I don't think I've heard of before. I'm attaching some reports here for you to review. Also these suspicious outbound messages originated in different directories which makes me concerned what's going on here. For example, here's a snippet from the report. There's an outbound message from a file " C:\Users\Samuel\Desktop\mbar\mbar.exe " and it's trying to go to a domain called ' llnw.data-cdn.mbamupdates.com ' which seems plausible, but the actual IP address is which is the same IP address blocked at another time but then the domain was called 'wpad.earthlink.net' (IP address: !
-Website Data-
Category: RiskWare
IP Address:
Port: [49767]
Type: Outbound
File: C:\Users\Samuel\Desktop\mbar\mbar.exe
[Note: Previous to seeing this, I did update one of the DNS servers (under IPv4 - properties) to Cloudflare ( instead of one of the Earthlink.net DNS servers about 5-7 days ago]

In reply to this email, I did get support from 'Malwarebytes Support' but it didn't seem satisfying, so I did an email trace on one of the emails I got from this 'new' Malwarebytes Support and a few problems seemed to show up. One was that the 'SPF' showed a status of FAIL. And the email apparently came from an IP address that did not look like Malwarebytes ( - I believe the email trace showed it originated from 192. 161. 153. . 63 which seemed to be from a city called Black Earth in Minnesota. Why would this be?

Anyways, even though FRST and FRST64 (even FRSTEnglish - which I was requested to run by 'Malwarebytes Support') were run before, I have run it last night per the recommended steps per this blog. I appreciate help and confirmation about this whether there's been spoofing going on - or is it okay somehow. Anyways I have attached some Malwarebytes text reports/logs about the riskware which seemed to indicate 'good' files were requesting outbound connections to that mysterious 123.123.xxx.xxx site even though they had legitimate looking domain names associated with them. Thank you for any or all help on this!
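As an added example (not from the original post, and not code from Malwarebytes, Zendesk or BleepingComputer), the script below performs offline the kind of header trace the poster describes: it reads the receiving server's Authentication-Results header for the SPF verdict, pulls the external hop's IP from the Received chain, and compares the header From domain with the envelope sender (Return-Path). The sample headers, host names and addresses are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the thread: a helpdesk-relayed support reply
# whose envelope sender claims the vendor's own domain. Hosts and addresses are
# placeholders (RFC 5737 documentation ranges), not real infrastructure.
SAMPLE_HEADERS = (
    "Received: from gw.receiver.example (gw.receiver.example [203.0.113.10])\n"
    "\tby mx.receiver.example with ESMTP; Wed, 11 Jul 2018 10:00:00 -0500\n"
    "Received: from out.helpdesk.example (out.helpdesk.example [198.51.100.25])\n"
    "\tby gw.receiver.example with ESMTPS; Wed, 11 Jul 2018 09:59:58 -0500\n"
    "Authentication-Results: mx.receiver.example;\n"
    "\tspf=fail smtp.mailfrom=support@vendor.example;\n"
    "\tdkim=pass header.d=vendor.helpdesk.example\n"
    "Return-Path: <support@vendor.example>\n"
    "From: Vendor Support <support+idPLACEHOLDER@vendor.helpdesk.example>\n"
)

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def domain_of(addr_header):
    """Domain part of an address header such as From or Return-Path."""
    return parseaddr(addr_header or "")[1].rpartition("@")[2].lower()


def triage(raw_message):
    """Summarise the SPF verdict and the external hop that delivered the mail."""
    msg = message_from_string(raw_message)
    auth = " ".join(msg.get_all("Authentication-Results", []))
    spf = re.search(r"\bspf=(\w+)", auth)
    received = msg.get_all("Received", [])
    # Each hop prepends its Received line, so the last one listed is the earliest
    # hop our own gateway recorded: the external host that connected to us.
    last_hop = IP_RE.search(received[-1]) if received else None
    result = {
        "spf": spf.group(1).lower() if spf else "none",
        "from_domain": domain_of(msg["From"]),
        "return_path_domain": domain_of(msg["Return-Path"]),
        "last_hop_ip": last_hop.group(1) if last_hop else None,
        "findings": [],
    }
    if result["spf"] != "pass":
        result["findings"].append(f"SPF {result['spf']} for envelope domain "
            f"{result['return_path_domain']} from {result['last_hop_ip']}")
    if result["from_domain"] != result["return_path_domain"]:
        result["findings"].append("header From domain differs from envelope "
            "sender domain: normal for a helpdesk relay, but confirm with the vendor")
    return result
```

Only Received lines added by your own mail servers can be trusted; anything the sender wrote below them can be forged, so the script reads just the hop your gateway recorded. An SPF fail on its own does not prove spoofing (relays that send on a vendor's behalf are a common cause), but it is the right thing to raise with the vendor through a contact channel you already trust.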



#2 HelpBot


    Bleepin' Binary Bot

  • Bots
  • 12,769 posts
  • Gender:Male
  • Local time:05:47 PM

Posted 29 July 2018 - 06:05 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:


In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> https://www.bleepingcomputer.com/logreply/681156 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.


If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.


We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 HelpBot


    Bleepin' Binary Bot

  • Bots
  • 12,769 posts
  • Gender:Male
  • Local time:05:47 PM

Posted 03 August 2018 - 06:10 PM

Hello again!

I haven't heard from you in 5 days. Therefore, I am going to assume that you no longer need our help, and close this topic.

If you do still need help, please send a Private Message to any Moderator within the next five days. Be sure to include a link to your topic in your Private Message.

Thank you for using Bleeping Computer, and have a great day!
