Infection Pop-Up in System Tray


Apologies for taking so long.

This has me a little puzzled at present. Re-installing MBAM may be worth a try, but there's got to be something, somewhere, trying to connect to those IP's, or MBAM wouldn't pick them up.

Could you try one last thing please?

Disable IP Protection in MBAM, then monitor Wireshark/Online Armor, and see if the IP pops up.

Hi Steve,

I was away sick, this is actually on my work computer, so just got back to it today. I have uninstalled/reinstalled MBAM and the suspicious IPs are still being blocked. I had actually thought that of course MBAM is BLOCKING access to that IP, and I should try this step, but didn't get around to it! Thanks for the tip.

And now, with the IP Protection turned OFF, WireShark is capturing packets from those two IPs. I exported the packets from just those two IPs to a file, and have attached this here.

No, tried to attach. I apparently am not able to upload this type of file. Saved it as a .txt file, not as elegant as the WireShark format, I hope it is readable for you.

Let me know if this sheds any light on the subject.

cheers,

Dylan

capture_IP_off.txt

You can't really stop anyone scanning your ports. However, if you've not already got one, I'd suggest getting a router with a built in Firewall (i.e. most of the Netgear RangeMax or DG range). These will allow you to block ports (rendering their scanners useless) among other things.

The reason they scan your ports, is to find open ports with potentially vulnerable services running on them.

This is what I don't get. I AM connecting wirelessly to the internet via a router that does have a firewall, a LinkSys WRT54GL. As previously posted:

I am also connecting to the internet via a Linksys WRT54GL router (to a cable modem), which has its own firewall, set to "Block Anonymous Internet Requests".

In addition, the only other settings in the firewall settings section of the router are:

Filter Multicast

Filter Internet NAT Redirection

Filter IDENT(Port 113)

The latter is ticked to be active, and the other two don't seem to be relevant at all. So how is any scanner getting past this, and also past Online Armor which I recently installed? Any suggestions for what I could set in the router?

Lastly, this malicious IP popup ONLY occurs whenever I open a browser. I can have any number of other applications running that access the internet and no popup from MBAM. Why is scanning of my ports related to browsing?

thanks again!

Dylan

This certainly is a bit strange, especially given the lack of infection. Have you checked your router's firewall has all incoming ports blocked? (it could simply be that the packets are simply echoes from the router, but that wouldn't explain their only showing up when loading the browser).

I believe my router is set to block all incoming ports. This is copied from the help menu in the router:

"Block WAN Request

By enabling the Block WAN Request feature, you can prevent your network from being "pinged," or detected, by other Internet users. The Block WAN Request feature also reinforces your network security by hiding your network ports. Both functions of the Block WAN Request feature make it more difficult for outside users to work their way into your network."

This function is enabled. There are no further options to specify ports, apart from:

"Filter IDENT (Port 113)

Prevents outside intruders from attacking the router through the internet using service port 113. Select Enable to prevent attack through this service port. However, some applications may require this service port to be available. If needed, uncheck to allow those applications to work"

I have also enabled this function. The popups continue!

If these packets were echoes from the router, why do they correspond to IPs from that Ukrainian syndicate, the Russian Business Network?

Within Online Armor, is there anything I can set to block access from these IPs? I have looked through the menus and didn't see anything.

By "echoes", I meant, echoes of packets the router has already blocked.

I don't have OA installed on this machine, but believe it's got options to block specific IPs, yes. However, if MBAM is already blocking them before OA gets to them, you'd be best off leaving MBAM's IP Protection enabled.

Apart from the fact that it goes off, along with a pop SOUND, approximately every 30 seconds, or whenever I navigate to a new web page. Which has been driving me crazy ever since this function was instituted. In addition to the sound, and the popup itself, it interferes with mouse scrolling because the popup becomes the active window according to my touchpad.

You know what? I'm just simply going to turn off the IP protection function then. If there is no fix, then I will just turn it off. I think I can safely surf the net without this function. Bring on MBAM 1.42, I hope THAT fixes it . . .

@MysteryFCM - thanks for the tip, a quick edit of my registry and no more popups!

@mona7865 - thanks for YOUR tip, I only have the free version of Online Armor . . . and will probably uninstall that as it is a little intrusive and slows things down. Seems bizarre the Online Armor team doesn't recognise Adobe Acrobat as a safe product for instance! Oh and cute little kitty in your pic! Just had ours spayed poor thing . . . lots of TLC this weekend.

Thanks to all, have a good weekend . . .

Dylan

  • 3 months later...

Having read this topic through I notice that it stops in October.... I am currently getting MANY notices about 88.214.203.109... I googled that ip address and found that the address apparently belongs to a UK (United Kingdom - NOT Ukraine) company - see this link

http://whois.domaintools.com/88.214.203.109

If I exit my browser (Firefox 3.5.3) I do not get the "warnings" even though I still have my email application (Thunderbird) still running.

I currently have Malwarebytes' Anti-Malware 1.44

So, what is the fix --- Other than turning off IP protection...or adding that IP address to the ignore list???

John

Its registered location may be the UK, but I can assure you, the company that actually owns it, is most certainly not :) (take no notice of their registered UK address, the address is simply a location service, much like the telephony services around)

You are of course, free to add the IP to the exclusion list if you wish, but this range isn't going to be removed any time soon, nor are any of their others.

It's not in the UK, and it's not in Ukraine! Network Solutions says the 88.214.203.109 is registered to...

OrgName: RIPE Network Coordination Centre

OrgID: RIPE

Address: P.O. Box 10096

City: Amsterdam

...which seems like an utterly benign and harmless organization. Yet, every time Firefox opens any page, Malwarebytes tells me it's "successfully blocked access to malicious IP"! Am I to believe that RIPE, in business since 1992, suddenly became "malicious" today?

Ripe aren't the owners, UAOnline (aka NatCoWeb) are. Ripe are one of the network registrars (same as Arin, Lacnic etc)

So what if anything can be done to stop getting the notices. Can Firefox be set up to blacklist the IP address so it doesn't get through - or perhaps my router... As WartEye said it gets to be a pain to have the block message every time the page changes in Firefox. If it really is malicious I really don't want to turn off the detection/blocking that MalWareBytes provides.

John

To disable the notifications but still keep protection on you can use the silentipmode registry setting as described under Registry Switches for Controlling IP-Blocking in the FAQ located here :) . Do keep in mind however that this will disable all IP notifications but they will still be blocked. You can reverse the setting by either deleting the entry in the registry later or changing it to a 0 instead of a 1 if you want the notifications back.

It appears that Malwarebytes is doing exactly the right thing in blocking access to 88.214.203.109. But silentmode merely masks a problem. I'd rather find and kill the culprit.

Since the pop-up only appears every time Firefox --- but not IE or Opera --- opens a page, I have to conclude the problem is in the Firefox (or an add-on). The fact that warnings about 88.214.203.109 started suddenly, only a few days ago, suggests blame lies with a recent update...but which one? Is there any way to determine what (Firefox itself, or an extension) is trying to reach 88.214.203.109?

(I could uninstall the add-ons and browser, and re-install each, one at a time. But that's time-consuming!)

I'm having a similar problem, but it happens when using both IE and Firefox. I frequently get a bubble from Malwarebytes' system tray icon that reads: successfully blocked access to malicious IP 93.190.141.134 or 93.190.141.103. What's going on? Is something on my computer trying to access those sites and are they dangerous?

A little background: I'm using Windows XP, have cable internet access, and my computer is wired to a router. I got a virus last week, but have cleaned my system with Malwarebytes, Norton, SpyBot, and AVG.

The IP is on a NatCoWeb IP range, and the IP itself is known for an addon called "SEO Quake";

http://forums.malwarebytes.org/index.php?showtopic=34377

The easiest method of finding out what's accessing it, is either via a packet monitor such as Wireshark, or a firewall (i.e. Online Armour or Outpost).


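One way to answer the "what is trying to reach this IP" question without reading a packet capture, as an added example that is not from this thread, from Malwarebytes or from any of the posters: a short Python script that correlates `netstat -ano` output (on Windows it lists the owning PID for each socket) with `tasklist` output, and names the process behind every connection to the blocked addresses. The netstat and tasklist text below is constructed sample data, and the function names (`find_owners`, `blamed_images`) are mine. Run the two commands while MBAM's IP Protection is temporarily off, as suggested earlier in the thread, and feed their output in.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output (Windows); not captured from the
# machines discussed in this thread. PID 0 on a TIME_WAIT row is realistic:
# the owning process has already closed the socket.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1053      88.214.203.109:80      SYN_SENT        1840
  TCP    192.168.1.10:1054      93.190.141.134:80      ESTABLISHED     1840
  TCP    192.168.1.10:1055      209.85.229.104:443     ESTABLISHED     1840
  TCP    192.168.1.10:1056      88.214.203.109:80      TIME_WAIT       0
  UDP    192.168.1.10:137       *:*                                    4
"""

# Constructed sample of `tasklist` output, used to map PIDs to image names.
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Console                    0         236 K
firefox.exe                   1840 Console                    0      84,512 K
thunderbird.exe               2210 Console                    0      41,300 K
"""

# The addresses MBAM reported in the pop-ups quoted in this thread.
WATCHED_IPS = {"88.214.203.109", "93.190.141.134", "93.190.141.103"}

# Proto, local, foreign, optional state (UDP rows have none), PID.
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
# Image name, PID, session name, session number, memory usage.
TASKLIST_ROW = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_netstat(text):
    """Return a list of (proto, local, remote_ip, remote_port, state, pid)."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue  # banner, header and blank lines
        proto, local, foreign, state, pid = m.groups()
        ip, _, port = foreign.rpartition(":")  # "*:*" splits to ("*", "*")
        rows.append((proto, local, ip, port, state or "", int(pid)))
    return rows


def parse_tasklist(text):
    """Return {pid: image name} from `tasklist` output."""
    pids = {}
    for line in text.splitlines():
        m = TASKLIST_ROW.match(line)
        if m:
            pids[int(m.group(2))] = m.group(1).strip()
    return pids


def find_owners(netstat_text, tasklist_text, watched_ips):
    """Map each watched IP seen as a remote endpoint to the sockets talking
    to it and, where the socket still has an owner, the process behind it."""
    images = parse_tasklist(tasklist_text)
    hits = defaultdict(list)
    for proto, _local, ip, port, state, pid in parse_netstat(netstat_text):
        if ip not in watched_ips:
            continue
        if pid == 0:
            image = "<no owner: socket already closed>"
        else:
            image = images.get(pid, "<pid not in tasklist>")
        hits[ip].append({"pid": pid, "image": image, "proto": proto,
                         "port": port, "state": state})
    return dict(hits)


def blamed_images(hits):
    """Distinct process images seen reaching any watched IP (owned sockets only)."""
    return sorted({h["image"] for rows in hits.values() for h in rows if h["pid"]})


if __name__ == "__main__":
    result = find_owners(SAMPLE_NETSTAT, SAMPLE_TASKLIST, WATCHED_IPS)
    for ip, rows in sorted(result.items()):
        print(ip)
        for h in rows:
            print("  pid %-5s %-36s %s/%s %s" % (h["pid"], h["image"],
                                                 h["proto"], h["port"], h["state"]))
    print("candidate processes:", ", ".join(blamed_images(result)))
```

Sockets that have already closed show up with PID 0 (the TIME_WAIT row above), so take the snapshot immediately after opening the browser, or run netstat in a loop, to catch the SYN_SENT/ESTABLISHED rows that still carry an owner. A hit on the browser's own image narrows the search to the browser or one of its add-ons, which is where this thread ended up.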
  • 3 weeks later...

Since it had to be Firefox or a Firefox add-on, I began disabling and re-enabling add-ons. The problem went away after I disabled LinkExtender, came back when I re-enabled it, and went away again after I disabled it. Seemed like a pretty good bet that LinkExtender was my problem!

I thought this information might prove useful to others who've been experiencing the same problem. But, to be fair, I emailed them, asking if they'd like to offer an explanation before I published their name here. No response; so...
