Infection Pop-Up in System Tray

Please see the following for an explanation of the IP Protection facility;

http://www.malwarebytes.org/forums/index.php?showtopic=21076

Given the IP you mentioned is a dynamic IP for a residential line, it's highly likely that it's being caused by your P2P program;

http://hosts-file.net/?s=222.78.92.202

You can find the logs for the IP Protection facility at;

Vista users

C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs

XP Users

%AllUsersProfile%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware

Note: %AllUsersProfile% refers to the location of the "All Users" Windows profile, and is usually C:\Documents and Settings\All Users\


It's still popping up. All I want to do is stop the popups without stopping the protection. Is this possible?


I too am getting these warnings on a regular basis, even if I am not surfing.

A selection of blocked IP's so far today are:

124.217.249.136

124.217.231.48

94.96.94.149

94.96.27.135

94.96.186.87

94.102.146.42

94.96.94.140

95.211.10.39

95.211.83.10

64.202.189.170

222.66.93.130

218.14.79.104

And they just keep coming.

I am running daily scans, and before the update didn't have any problems with infections, so I cannot believe that all these sites are dangerous as I have not changed the way I use my PC.

Running XP Pro SP3 + Firefox

I also run Azureus

I have to say that it is very annoying having these pop ups appear on a regular basis.

Any input would be appreciated.

Thanks

Phil


  • Root Admin

Most likely due to your P2P as it will reach out and touch IPs that you have no idea where they are. Yes there are some false positives and the team is working on removing them.

You should be able to right click on the icon tray and uncheck the IP Scanner to disable it if you like.

Thanks for the reply

Phil


I have been running mbam for a while now and it has certainly seemed to help with infections but I came here because of the pop-up reports, i.e. should I do anything. I think I guessed that it was finding potential probs and the wording was a little confusing. I did however run a full scan and also did a full scan with AVG. Of course (?) nothing showed up.

But I did get worried and the forum seems to have allayed my fears. I have found that the pop-up clears itself after a short time although it does seem to repeat. I did get this particular IP:- 66.235.126.58 at IE launch and several times whilst surfing this forum.

I am running XP ( fully updated) Zone Alarm firewall, and of course mbam 1.4


This IP belongs to IAC, suggesting your computer is likely infected with one or more of their "applications".

http://hosts-file.net/?s=66.235.126.58

http://hosts-file.net/?s=66.235.126.58&view=matches

Very likely this one;

http://hosts-file.net/?s=mysearch

I'd strongly suggest following the advice at;

http://www.malwarebytes.org/forums/index.php?showtopic=9573

I have been running paid for (PRO?) version of MBAM (updated to 1.4 and fully updated as of yesterday when I ran the full scan; and both it and AVG (run separately of course) found no threats / infections. where does one go from there?


  • Root Admin

Hello shadfan66,

Not sure of your question or concern. The IP blocker is blocking IP addresses of sites that are known to participate in undesirable activity that can infect your computer. It sounds like it is doing its job. If you don't want it to block a site then you can turn it off while you're running that activity and then turn it back on if you like, or reboot, which will automatically enable it again.

The IP protection is not saying your computer is infected, it's simply preventing access to a known bad site.

If the site in question is not bad and you think it's a false positive then you can submit that and the team will review it, and if it's found to be a false positive they'll remove it if possible. There are some fixes coming in the next version that will help with what it says and how it operates, so keep an eye out for the update, hopefully within the next couple of weeks.

I was not worried until post 59 suggested that my PC was probably infected, and actually suggested what it might be. The pop-up infection message seems to be fairly random and quite often. I have no idea what the site is that it is warning me about. Can't tie it down to anything that I am trying to view!

From being happy that MBAM was protecting me, I am now worried that it is not finding the (probable)infection.

I followed the instructions suggested but to no avail. I do not know if I am missing the point, but I am getting pretty confused.


  • Root Admin

Okay, well to help remove the concern let's do some scanning to verify if there is anything to be concerned about on your system.

Please follow the directions below. Open a NEW post in the HJT forum as shown and someone will help you to do some scans on your system.

Scan and post logs - read note at bottom in green

If you're having Malware related issues with your computer that you're unable to resolve.

  1. Please read and follow the instructions provided here: I'm infected - What do I do now?
  2. If needed please post your logs in a NEW topic here: Malware Removal - HijackThis Logs
  3. When posting logs please do not use any Quote, Code, or other tags. Please copy/paste directly into your post and do not attach files unless requested.

  • Please do not post any logs in the General forum. We do not work on any logs posted in the General forum.
  • Please do not install any software or use any removal/scanning tool except for those you're requested to run by the Helper that will assist you.
  • Using these other tools often makes the cleanup task more difficult and time consuming.
  • If you have already submitted for assistance at one of the other support sites on the Internet then you should not post a new log here, you should stay working with the Helper from that site until the issue is resolved.
  • Do not assume you're clean because you don't see something in the logs. Please wait until the person assisting you provides feedback.
  • There are often many others that require assistance as well, so please be patient. If no one has responded within 48 hours then please go ahead and post a request for review.

  • NOTE: If for some reason you're unable to run some or any of the tools in the first link, then skip that step and move on to the next one. If you can't even run HijackThis, then just proceed and post a NEW topic as shown in the second link describing your issues and someone will assist you as soon as they can.

Hi Dylan.

There is no need for concern as your system is not infected nor can it access those sites. Any application accessing the Net can trigger alerts. We're in the process of further tweaking how the IPs are read to cut down on false positives that some users have experienced.

So no need to post in HijackThis forum.

Two months after my last post, I am constantly getting the same old popups from the IP protection function (and apart from a short hiatus around the time of my Aug 7 post it has BEEN constant). To repeat my situation: even now, when I have no other applications running on the computer (I have quit Yahoo Messenger, so no IM programs, and no torrent or P2P programs), I only have Firefox running (and of course MBAM 1.41 and NOD32).

The two IPs that popup constantly are 88.214.226.32 and 88.214.203.109. Fairly typically what happens is that the second I open a browser on my home page, www.google.com, I get the malicious IP 88.214.226.32 blocked popup. Then, if I browse to any site, e.g. on our company's homepage - http://www.expattech.com/ - the next IP 88.214.203.109 pops up, and EVERY time I go to a new web page, be it Wikipedia, YouTube, Malwarebytes or whatever. If I browse using IE8 the same popups occur whenever navigating to a new webpage, my tests now were eBay, PayPal, whatever.

Now, assuming that all the bugs have been worked out with the IP protection function, what does this mean for me? I am not navigating to suspicious sites, even with just the homepages of the above sites I get the popup warning. Am I getting remotely attacked from these IPs whenever I browse to a site?

thanks and regards,

Dylan


There's two possible causes;

1. Either your machine is infected or

2. Connections are coming externally (in which case, I'd check your firewall)

Thanks for the reply Mystery!

1. MBAM scan shows no infections.

Malwarebytes' Anti-Malware 1.41

Database version: 2908

Windows 5.1.2600 Service Pack 3

10/6/2009 1:36:16 PM

mbam-log-2009-10-06 (13-36-16).txt

Scan type: Quick Scan

Objects scanned: 116041

Time elapsed: 5 minute(s), 57 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

2. I just have the standard Windows firewall. When you say check it, what do you mean? I had a look at the list of exceptions, didn't see anything suspicious there.

I am also connecting to the internet via a Linksys WRT54GL router (to a cable modem), which has its own firewall, set to "Block Anonymous Internet Requests".

Additional note - even when I am not actively browsing, just have a few tabs open in a browser which is not even my active window, the IP Blocked warning comes up periodically. VERY periodically. As in when I am writing code, emails, whatever.

Please note I have no other symptoms of "infection" at all. My only issue is constant "IP Blocked" popups from MBAM.

Any further suggestions?

thanks and regards,

Dylan


Sorry for taking so long to reply (been away at a conference).

Have you tried running a packet filter (e.g. Wireshark - www.wireshark.org) or proxy (e.g. Fiddler - www.fiddlertool.com) to determine the cause?

Sadly, the Windows firewall does not provide the information required, so is essentially useless when it comes to determining sources and causes.

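A worked way to do the correlation Steve is suggesting, added here as an example and not code from the thread, from Malwarebytes, or from any tool named above. It assumes you jot down each pop-up as a line of "<date> <time> IP-BLOCK <ip>" (a constructed format; the real MBAM log layout is not shown on the page) and run `netstat -ano` on the same Windows machine while the pop-ups are firing, then match the blocked IPs against the socket table to find the owning PID. The sample alert lines and netstat output below are constructed for the example, using the two IPs Dylan reported plus one that never reaches a socket.

```python
"""Correlate IP-block pop-ups with local sockets to find the responsible process.

Added example (not code from the thread, from Malwarebytes, or from any tool
named on the page). It assumes the pop-ups were transcribed as
"<date> <time> IP-BLOCK <ip>" lines (constructed format) and that
`netstat -ano` was captured on the same XP/Vista machine at the same time.
"""
import re
from collections import defaultdict

# Constructed sample of hand-transcribed pop-ups: the two IPs from the thread
# plus one that never shows up in the socket table.
ALERTS = """\
2009-10-06 13:40:02 IP-BLOCK 88.214.226.32
2009-10-06 13:40:05 IP-BLOCK 88.214.203.109
2009-10-06 13:41:17 IP-BLOCK 88.214.203.109
2009-10-06 13:42:00 IP-BLOCK 66.235.126.58
"""

# Constructed sample of `netstat -ano` output (XP/Vista column layout).
NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1052      88.214.203.109:80      SYN_SENT        1844
  TCP    192.168.1.10:1053      74.125.77.99:80        ESTABLISHED     1844
  TCP    192.168.1.10:1060      88.214.226.32:80       ESTABLISHED     2212
  UDP    0.0.0.0:1025           *:*                                    1108
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ALERT_RE = re.compile(r"^(\S+ \S+)\s+IP-BLOCK\s+" + IPV4 + r"\s*$")
# proto, local address (skipped), remote ip, remote port, optional state, pid
NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+\S+\s+" + IPV4 + r":(\d+)\s+(\S+)?\s*(\d+)\s*$"
)


def parse_alerts(text):
    """Return {blocked_ip: [timestamps, ...]}; lines that do not match are ignored."""
    seen = defaultdict(list)
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            seen[m.group(2)].append(m.group(1))
    return dict(seen)


def parse_netstat(text):
    """Return [(proto, remote_ip, remote_port, state, pid), ...].

    Header lines and rows whose foreign address is not a dotted IPv4
    (for example the UDP '*:*' row) are skipped.
    """
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, ip, port, state, pid = m.groups()
            rows.append((proto, ip, int(port), state or "", int(pid)))
    return rows


def correlate(alerts, sockets):
    """Map each blocked IP to the sorted PIDs that had a socket to it.

    None is the case Dylan hit: the block fired before any socket reached
    netstat (or any packet reached the capture), so the pop-up on its own
    cannot tell you which program made the attempt.
    """
    result = {}
    for ip in alerts:
        pids = sorted({pid for (_, rip, _, _, pid) in sockets if rip == ip})
        result[ip] = pids or None
    return result


def report(alerts, sockets):
    """Render one line per blocked IP, suitable for pasting into a forum post."""
    lines = []
    for ip, pids in sorted(correlate(alerts, sockets).items()):
        hits = len(alerts[ip])
        owner = ("no local socket seen" if pids is None
                 else "PID(s) " + ", ".join(map(str, pids)))
        lines.append(f"{ip}: {hits} pop-up(s); {owner}")
    return lines


if __name__ == "__main__":
    for line in report(parse_alerts(ALERTS), parse_netstat(NETSTAT)):
        print(line)
```

Once a PID is known, `tasklist /fi "PID eq 1844"` names the process behind it. The "no local socket seen" result is the one to watch for: if the block happens before the connection attempt ever becomes a socket, neither netstat nor a capture will show the remote IP, and you have to fall back to watching which program is active when the pop-up appears.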
Hi Steve,

I haven't tried anything as I had no idea what to do to analyse the problem, I had assumed it was an issue with the actual IP blocking feature of Malwarebytes itself. Which is why I was posting to this forum in the first place, and again now!

I am downloading WireShark and will see what further information I can glean from that.

I think I'll also get the ZoneAlarm firewall for good measure (unless you have any other recommendation for a good firewall product?).

Thanks for the tip above I will post again soon. At least we are in the same time zone (I'm in Hungary, you're in Geordie-land right?). I would really like to get this issue sorted.

cheers,

Dylan


Hi Steve,

Cheers for the reply! Going to download Online Armor now . . .

I have installed WireShark, run some captures, hundreds of packets per minute coming through, but I don't see any traffic from those two suspicious IP's that Malwarebytes keeps blocking. The popup comes up with annoying regularity, but in WireShark I don't see packets arriving from these two:

88.214.226.32

88.214.203.109

Of course, I really have no idea what I am looking for, or even looking AT for that matter. Is there anything I need to set, or look out for in the packet capture? I just assumed I would be looking for those two suspicious IPs . . .

Maybe I should just simply uninstall MalwareBytes and reinstall?

thanks again,

Dylan


The only thing you need to look for, is the popups from MBAM. There should then be corresponding entries in either Online Armor, or Wireshark, depending on which you're using.

Online Armor doesn't warn me about the IPs in the MBAM popup, and no packets from those IPs appear in WireShark. Online Armor DOES warn me about everything ELSE that I do on the internet though!

So as suspected, are we coming to the conclusion that this is just an issue with my MBAM then, and in particular its IP blocking function? When I first reported these IPs and asked about just turning off that function, in a previous post you wrote that:

"I wouldn't recommend turning it off.

That IP is on a Ukrainian range that's known to be a part of a crimeware organization known as the Russian Business Network.

http://hosts-file.net/?s=88.214.203.109"

I assume if I uninstall/reinstall MBAM that my existing product key will still be valid and useable for the protection module? One other thing I never clarified is this license a one-time purchase or only valid for a specific term?

thanks again,

Dylan


Greetings :lol: .

Correct, your key will still work to activate the product and it is good for life for use on any one PC at a time, which is great should you ever junk the PC you have and purchase a new one :lol: .

As for the other issues, I'll have to leave that to MysteryFCM.
