208.73.210.29 (firefox.exe) blocked by Malwarebytes every 10 minutes


  • This topic is locked
57 replies to this topic

#41 solomon7 (New Member, Members, 38 posts)

Posted 27 April 2012 - 02:53 PM

Will try firefox safe mode now

#42 solomon7 (New Member, Members, 38 posts)

Posted 27 April 2012 - 03:07 PM

There is no Firefox Safe Mode in the apps menu, but I got it into safe mode via Firefox \ Help \ "Restart with Addons Disabled".. Will wait 15min and see what happens.

I don't recall any extensions or addons being installed or updated at the time the popups first began. I looked at the protection logs of MBAM and they show the first blocked connections happening on April 21st:

2012/04/21 21:33:31 -0400 MEDIAQUBE Mediacube MESSAGE Database refreshed successfully
2012/04/21 21:33:31 -0400 MEDIAQUBE Mediacube MESSAGE Starting IP protection
2012/04/21 21:33:32 -0400 MEDIAQUBE Mediacube MESSAGE IP Protection started successfully
2012/04/21 23:00:48 -0400 MEDIAQUBE Mediacube IP-BLOCK 208.73.210.29 (Type: outgoing, Port: 49249, Process: firefox.exe)

but there were no MBAM popups reporting the blocked connections until the 24th, which is the same day Firefox was updated to the latest version.
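The four protection-log lines above are the raw evidence in this thread. As an added example (not from the original post and not Malwarebytes' own code), the Python below parses lines in that layout, keeps only the IP-BLOCK events, and groups them by process and destination so a regular connection interval stands out from one-off blocks. The log excerpt embedded in it is constructed to match the quoted format: the quoted lines plus two more firefox.exe blocks 15 minutes apart and one unrelated block to 198.51.100.7 (a documentation address) for contrast; the field layout is assumed from the quoted lines.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in the same layout as the MBAM protection log quoted in the
# thread. The first four lines are the quoted ones; the rest are made up for contrast.
SAMPLE_LOG = """\
2012/04/21 21:33:31 -0400 MEDIAQUBE Mediacube MESSAGE Database refreshed successfully
2012/04/21 21:33:31 -0400 MEDIAQUBE Mediacube MESSAGE Starting IP protection
2012/04/21 21:33:32 -0400 MEDIAQUBE Mediacube MESSAGE IP Protection started successfully
2012/04/21 23:00:48 -0400 MEDIAQUBE Mediacube IP-BLOCK 208.73.210.29 (Type: outgoing, Port: 49249, Process: firefox.exe)
2012/04/21 23:15:49 -0400 MEDIAQUBE Mediacube IP-BLOCK 208.73.210.29 (Type: outgoing, Port: 49301, Process: firefox.exe)
2012/04/21 23:30:50 -0400 MEDIAQUBE Mediacube IP-BLOCK 208.73.210.29 (Type: outgoing, Port: 49377, Process: firefox.exe)
2012/04/21 23:31:02 -0400 MEDIAQUBE Mediacube IP-BLOCK 198.51.100.7 (Type: outgoing, Port: 49380, Process: example.exe)
"""

# Field layout assumed from the quoted lines: timestamp, UTC offset, host, user, kind, rest.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<tz>[+-]\d{4}) "
    r"(?P<host>\S+) (?P<user>\S+) (?P<kind>\S+) (?P<rest>.*)$"
)
BLOCK_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \(Type: (?P<direction>\w+), "
    r"Port: (?P<port>\d+), Process: (?P<process>[^)]+)\)$"
)


def parse_blocks(text):
    """Return the IP-BLOCK events found in protection-log text, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("kind") != "IP-BLOCK":
            continue  # MESSAGE lines and anything unparseable are skipped
        b = BLOCK_RE.match(m.group("rest"))
        if not b:
            continue
        events.append({
            "time": datetime.strptime(f"{m.group('ts')} {m.group('tz')}",
                                      "%Y/%m/%d %H:%M:%S %z"),
            "host": m.group("host"),
            "ip": b.group("ip"),
            "direction": b.group("direction"),
            "port": int(b.group("port")),
            "process": b.group("process"),
        })
    events.sort(key=lambda e: e["time"])
    return events


def summarize(events, tolerance_s=60):
    """Group blocks by (process, ip); flag a group whose gaps are all within
    tolerance_s of the median gap, i.e. something firing on a timer."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["process"], e["ip"])].append(e["time"])
    summary = {}
    for key, times in groups.items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps) if gaps else None
        periodic = len(gaps) >= 2 and all(abs(g - med) <= tolerance_s for g in gaps)
        summary[key] = {"count": len(times), "first": times[0], "last": times[-1],
                        "median_interval_s": med, "periodic": periodic}
    return summary


def periodic_keys(summary):
    """The (process, ip) pairs that look like timed beaconing."""
    return sorted(k for k, v in summary.items() if v["periodic"])


if __name__ == "__main__":
    summary = summarize(parse_blocks(SAMPLE_LOG))
    for (process, ip), v in sorted(summary.items()):
        print(f"{process:12} -> {ip:15} blocks={v['count']} "
              f"median_gap={v['median_interval_s']} periodic={v['periodic']}")
```

Run against a real protection log, the periodic flag is what separates a process that polls a blocked address on a schedule (as firefox.exe did here) from a single accidental visit; the 60-second tolerance absorbs the one-second drift visible in the sample.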

#43 solomon7 (New Member, Members, 38 posts)

Posted 27 April 2012 - 03:18 PM

The blocked IP just appeared again in safe mode

#44 Elise (Forum Deity, Experts, 8,721 posts, Gender: Female, Location: Romania)

Posted 28 April 2012 - 04:10 AM

Given the owner of the blocked domain (Oversee Net) could you please test if you get this block only when accessing certain sites?
regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.


#45 solomon7 (New Member, Members, 38 posts)

Posted 28 April 2012 - 06:25 AM

Yes, everything else about the machine is fine. Firefox can access any other website and there are no redirects/hijacks taking place.

Also, perhaps I'm misreading your message, but I'm not "accessing" that Oversee site/domain.. Whatever has infected this machine is connecting out to it every 15 minutes even with Firefox sitting idle.

At this point I'm beginning to think I need to wipe out the machine and reinstall it. Even if we could find what the issue is, I don't think I would trust this machine on my network again and there's no way to tell what else may have been downloaded onto it and still remains hidden. Whatever it is wouldn't survive a format and reinstall, would it?

#46 Elise (Forum Deity, Experts, 8,721 posts, Gender: Female, Location: Romania)

Posted 28 April 2012 - 06:57 AM

I would start with just uninstalling Firefox and removing all your Firefox user data as well. There is a new Firefox/Chrome hijacker doing the rounds that does not show up in any of the normal locations, which means it's extremely hard to remove it without also removing the program. However, this is limited to Firefox, so your machine should be fine otherwise.
After completely uninstalling firefox and all its components you can reinstall it and see if the problem returns or not.
regards, Elise

#47 solomon7 (New Member, Members, 38 posts)

Posted 28 April 2012 - 09:57 PM

Ok, so I wiped the machine today.. reinstalled win7 while disconnected from the network.. then installed MBAM.. then installed Outpost Security Suite.. then installed Firefox.. copied my places.sqlite bookmark file, and 15 minutes later, on a brand new machine, the same connections began again.. I've just shut down firefox, removed my bookmarks, replaced the original/default places.sqlite file, and restarted firefox.. am waiting to see what happens..

So, if this is what happened, how is it that a bookmarked link is trying to connect out? Or could it be the bookmark database file itself that is infected with something.. (I don't have any custom live bookmarks.. only the pre-installed live bookmarks that are installed with Firefox)...

So if this proves to be the case, is there a way to figure out which bookmark is causing the problem?

#48 solomon7 (New Member, Members, 38 posts)

Posted 28 April 2012 - 10:02 PM

On doing some reading, it seems that by default, Live Bookmarks in Firefox update every 60 minutes.. I'm not sure if there's a way to change this, but if there is not, then it wouldn't seem to be any of the preinstalled Live Bookmarks...

Firefox has now been running for 25 minutes with the default places.sqlite file instead of my personal bookmark file, and there have been no connections.. so I *think* I've identified the culprit... So now I need to figure out which bookmarked link is causing it, or if it's the bookmark database itself.

#49 solomon7 (New Member, Members, 38 posts)

Posted 28 April 2012 - 10:43 PM

Firefox has now been running over an hour with the default bookmark file and no blocked connection attempts...

#50 solomon7 (New Member, Members, 38 posts)

Posted 28 April 2012 - 11:44 PM

Ok.. I ran Firefox with the default places.sqlite file for over 90 minutes and not a single outbound connection attempt.. I then shut down firefox, renamed the default bookmark file to places.sqlite.ORIG and copied my backup bookmark file into the profile folder.. I started firefox again and went to Bookmarks \ Show All Bookmarks \ Import and Backup \ Export Bookmarks to HTML and saved the file as bookmarks.html

I then shut down Firefox, deleted my custom places.sqlite file, and renamed places.sqlite.ORIG back to places.sqlite.. I then restarted firefox and let it run for 25 minutes.. no outbound connection attempts.. again confirming the problem seems to be either the bookmark file itself, or a bookmarked site in the bookmark file..

After the 25 minutes, I went to Bookmarks \ Show All Bookmarks \ Import and Backup \ Import Bookmarks from HTML and imported the html file I saved..

Immediately an outbound connection was blocked by MBAM..

So this now confirms, I think, that the problem is with one of the bookmarked sites / links in the bookmark file, and not the bookmark database file itself...

Does this seem logical?

So now how do I go about finding which one it is...?

#51 Elise (Forum Deity, Experts, 8,721 posts, Gender: Female, Location: Romania)

Posted 29 April 2012 - 01:06 AM

Yes, that seems logical indeed. :) It may be tedious to sort this out, but the best way is to copy your bookmarks (keep the original as backup) and start deleting what may look suspicious.
regards, Elise

#52 solomon7 (New Member, Members, 38 posts)

Posted 29 April 2012 - 01:52 AM

But does it make sense that a simple bookmark in a bookmarks file would be triggering outbound connections? They're not Live Bookmarks, just regular old static bookmarks... so why would a bookmark be connecting out..?

#53 Elise (Forum Deity, Experts, 8,721 posts, Gender: Female, Location: Romania)

Posted 29 April 2012 - 03:23 AM

If malware has found a way to run from the bookmarks folder, then yes. Could you upload the bookmarks file to http://www.bleepingc...hp?channel=105?

(note, if for privacy reasons you do not want to submit this, let me know, or alternatively remove any confidential bookmarks before uploading the file).
regards, Elise

#54 solomon7 (New Member, Members, 38 posts)

Posted 29 April 2012 - 10:16 AM

Fingers crossed.. I think I've solved it.. There was in fact an RSS folder with very old links in it.. I didn't notice it until I went to Bookmarks \ Show All Bookmarks \ and then filtered the search box with the term 'http' which showed me everything in the bookmarks folder.. then sorted that by date, and saw approx 200 links from bookmarked blog posts showing with today's date, and I knew I hadn't been to them recently...

These RSS feeds were updating every 15 minutes or so..

I did the same procedure as yesterday, replaced the default bookmark with my custom one, deleted the RSS folder, and ran firefox for 25 minutes with the RJ45 pulled, and now 30+ minutes with the RJ45 connected, and no connections...

So this leads to an interesting question... can a spammer spam a blog with comments that contain links to the 208.73.210.29 site in the title or body of the comment and then anyone who has that blog post linked or bookmarked becomes a "carrier".. their bookmarked RSS feed for that post then connects out to the malware site and spreads the virus.. so popular blog posts can become distribution points for the virus / malware.. Not sure I'm describing it correctly, but you get the idea...
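The hunt in posts #50 and #54 (export the bookmarks to bookmarks.html, then find the entries that poll on a timer) can be done mechanically. The Python below is an added example, not part of the thread and not Firefox code: it parses a Firefox bookmarks.html export and lists the entries that carry a FEEDURL attribute, which is how Firefox's HTML export marked live bookmarks (an assumption about that format), then groups the feed hosts by folder so the folder to delete is obvious, as the RSS folder was here. The sample export embedded in the block is constructed with example.org/.net/.com names.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the Netscape bookmark-file layout that Firefox exports.
# The FEEDURL attribute on a live bookmark is an assumption about that format.
SAMPLE_BOOKMARKS_HTML = """\
<!DOCTYPE NETSCAPE-Bookmark-file-1>
<TITLE>Bookmarks</TITLE>
<H1>Bookmarks Menu</H1>
<DL><p>
    <DT><H3 ADD_DATE="1200000000">Bookmarks Toolbar</H3>
    <DL><p>
        <DT><A HREF="https://example.org/" ADD_DATE="1200000000">Example site</A>
    </DL><p>
    <DT><H3 ADD_DATE="1200000000">RSS</H3>
    <DL><p>
        <DT><A HREF="http://blog.example.net/" FEEDURL="http://blog.example.net/feed/">Old blog feed</A>
        <DT><A HREF="http://news.example.com/" FEEDURL="http://news.example.com/rss.xml">Old news feed</A>
    </DL><p>
</DL><p>
"""


class BookmarkExportParser(HTMLParser):
    """Collect every <A> in a bookmarks.html export with its folder path."""

    def __init__(self):
        super().__init__()
        self.entries = []            # one dict per bookmark
        self._folders = []           # stack of enclosing folder names
        self._pending_folder = None  # heading text waiting for its <DL>
        self._in_heading = False
        self._current = None         # the <A> being read, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("h1", "h3"):      # a folder title precedes its <DL>
            self._in_heading = True
            self._pending_folder = ""
        elif tag == "dl":
            self._folders.append(self._pending_folder or "")
            self._pending_folder = None
        elif tag == "a":
            self._current = {
                "folder": "/".join(f for f in self._folders if f),
                "href": a.get("href"),
                "feedurl": a.get("feedurl"),  # present only on live bookmarks
                "title": "",
            }

    def handle_endtag(self, tag):
        if tag in ("h1", "h3"):
            self._in_heading = False
        elif tag == "dl" and self._folders:
            self._folders.pop()
        elif tag == "a" and self._current is not None:
            self.entries.append(self._current)
            self._current = None

    def handle_data(self, data):
        if self._in_heading:
            self._pending_folder += data
        elif self._current is not None:
            self._current["title"] += data


def parse_bookmarks(html):
    p = BookmarkExportParser()
    p.feed(html)
    p.close()
    return p.entries


def live_bookmarks(entries):
    """Entries with a feed URL: the ones Firefox refreshes on a timer."""
    return [e for e in entries if e["feedurl"]]


def feed_hosts_by_folder(entries):
    """Folder path -> Counter of feed hosts, to see where the polling lives."""
    out = {}
    for e in live_bookmarks(entries):
        host = urlparse(e["feedurl"]).hostname
        out.setdefault(e["folder"], Counter())[host] += 1
    return out


if __name__ == "__main__":
    entries = parse_bookmarks(SAMPLE_BOOKMARKS_HTML)
    for folder, hosts in feed_hosts_by_folder(entries).items():
        print(folder, dict(hosts))
```

Static bookmarks produce no traffic on their own; only the entries with a feed URL are fetched periodically, so this listing narrows the search to exactly the folder that was deleted in this thread, and the host tally tells you which sites are being polled before you decide what to keep.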

#55 Elise (Forum Deity, Experts, 8,721 posts, Gender: Female, Location: Romania)

Posted 29 April 2012 - 10:30 AM

Yes, that is indeed possible, and can happen if the site hosting the blog has been hacked/exploited. It can also mean the blog is hosted at Oversee; it's hard to say without analysis of the blog/site that actually causes the block.

Please read this advice, in order to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for SpywareBlaster can be found here. If you wish, the commercial version provides automatic updating.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.
Some more links you might find of interest:
Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

regards, Elise

#56 solomon7 (New Member, Members, 38 posts)

Posted 30 April 2012 - 11:27 AM

It's been a full day now with the RSS links removed and no unwanted outbound connections, so I think this is probably resolved.. Thank you for all your assistance!

#57 Elise (Forum Deity, Experts, 8,721 posts, Gender: Female, Location: Romania)

Posted 30 April 2012 - 11:53 AM

You are most welcome! :)

I will request this topic to be closed.
regards, Elise

#58 LDTate (Forum Deity, Moderators, 21,126 posts, Gender: Male, Location: Missouri, USA)

Posted 30 April 2012 - 12:09 PM

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
Larry Tate
Product Support
