John A

Honorary Members
  • Posts: 868

Everything posted by John A

  1. I proved to my satisfaction that Skype was causing this in my case; see the following thread: http://forums.malwarebytes.org/index.php?s...c=66105&hl= I tried to specifically trap Skype accessing two suspect IP addresses using cports.exe and temporarily turning off MBAM website blocking, but it happened too infrequently for this to work. I tried TCPView, but the IP blocks caused by Skype are too quick for it to pick up. In your case, Quit Skype or stop it starting at startup temporarily and see if these IP blocks stop.
  2. .... I should add that the Skype IP blocks became less frequent over a few days then stopped.
  3. Hi Noknojon. No problems now, thanks. The help from this forum is appreciated!
  4. Also suggest putting a strong admin password in your router.
  5. The IP blocks definitely never happen if Skype is not running. Thanks
  6. I have got TCPView but this one is difficult to catch as it happens so infrequently. I am confident that my computers are malware free. I am interested from a technical viewpoint, so I will keep hunting! Thanks
  7. Thanks for all the suggestions and help on this. Skype is definitely the culprit! I have been testing three computers, one W7, 2 x XP, all with similar setup. MBAM reports the following IP blocks ONLY occur on a computer when Skype is running, and they happen in blocks of three or four about 3-4 times a day.
     IP-BLOCK 89.28.24.180 (Moldova, Republic of) - this is the most frequent address attempted to be accessed.
     IP-BLOCK 222.64.164.163 (China, Shanghai).
     During this entire test no communications were done using Skype, so it was associated with Skype background activity. The obvious question to ask is why is Skype attempting to access these suspect sites? And if MBAM wasn't running, what could happen if Skype could access these suspect IP addresses?
  8. I already have Skype on my suspect list, so it is good to see that you suspect it too. I am in the process of testing on two computers, both connected to the same router, desktop (W7) by cable, notebook (XP) by wireless. I initially got the blocks on the desktop when Skype was active (but GUI not visible and not being used). I Quit Skype on Desktop and since then have not had a block on that computer. But with Skype active (ditto) on the notebook, I am getting the same blocks. I will run like this all day, then Quit Skype on the Notebook as well for a day and see if any blocks appear. Then I will turn Skype on on the desktop and off on the Notebook for a day. I have also installed CurrPorts on both computers to see if I can link its reported activity with MBAM's blocks.
  9. No file sharing applications, Windows 7 Native Firewall, Hardware Firewall
  10. Thanks 1PW, I have some homework to do now.
  11. I just got a different IP block, again, no browsers running.
      13:36:55 John Marg IP-BLOCK 222.64.164.163
      13:36:55 John Marg IP-BLOCK 222.64.164.163
      13:37:03 John Marg IP-BLOCK 222.64.164.163
      13:37:11 John Marg IP-BLOCK 222.64.164.163
      13:37:11 John Marg IP-BLOCK 222.64.164.163
      Did another scan with MSE, MBAM & SAS, nothing caught, no weirdos in startup, everything listed in Hijackthis accounted for. Is there any way of determining what was trying to access this site (and the other one in the post above)? PS I now have MBAM Pro on my two notebooks as well.
  12. Following is the log from startup this morning. Scheduled scan seemed to attempt to run before I logged in, then successfully scanned later.
      06:21:59 (null) MESSAGE Scheduled update executed successfully
      06:22:02 (null) ERROR Scheduled scan failed: GetUserToken failed with error code 0
      06:23:40 John Marg MESSAGE Protection started successfully
      06:23:44 John Marg MESSAGE IP Protection started successfully
      06:24:34 John Marg MESSAGE IP Protection stopped
      06:24:38 John Marg MESSAGE Database updated successfully
      06:24:38 John Marg MESSAGE IP Protection started successfully
      07:11:08 John Marg MESSAGE Scheduled update executed successfully
      07:11:11 John Marg MESSAGE Scheduled scan executed successfully
      I read in another thread that this might be caused by "Run flash scan after successful update" being checked. Do I need to fix anything here or is this normal?
  13. While I was away from my computer the following three warnings occurred. No web browser was open. Skype and Windows Live Mail were open but not being used.
      11:50:33 John IP-BLOCK 89.28.24.180
      11:50:41 John IP-BLOCK 89.28.24.180
      11:50:41 John IP-BLOCK 89.28.24.180
      How would I find out what caused that?
  14. I use IE9 Public Beta and find it very stable. Are there any known problems with MBAM Pro with IE9 (I haven't had a problem yet)?
  15. Thank you, Firefox. So I don't have to exclude the other ones below listed by Haider in W7 x32?
      C:\Program Files\Malwarebytes' Anti-Malware\zlib.dll
      C:\Program Files\Malwarebytes' Anti-Malware\mbam.dll
      C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
      C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref
  16. Thanks. Do the MSE exclusions all go in the "Excluded files and locations" section only? I wasn't sure if I should put some/all the exe files in the "Excluded Processes" section as well.
  17. Thanks, Haider & Yardbird. Does MBAM real-time protection prevent router hijacks? How?
      1. I will look at Autoruns
      2. I always keep system fully patched - will look at Secunia PSI
      3. I have MS Security Essentials and now MBAM Pro
      4. I use Windows firewall plus hardware firewall
      I used to use Kaspersky, but too much effort was required to keep it operational and it was too complicated for the other user of my PC.
  18. Another purchase of MBAM Full Version coming up!
  19. Starting a new thread as requested. In reply to Noknojon, http://forums.malwarebytes.org/index.php?s...20&start=20 post #36: I think I am clean after resetting the router, resetting the TCP/IP stack and flushing the DNS. Everything seems normal. I have scanned all computers with Microsoft Security Essentials, Malwarebytes, Superantispyware and can't see anything unusual with Hijackthis and other tools. I think that I won't bother the malware removal experts at this stage, but will keep an eagle eye on activities on my computer. I will also heed the advice of Haider in post #37 in the above thread. I really appreciate the advice given by others here. I thought I was on top of computer security, but this has opened up another dimension.
  20. OK Noknojon. By the way, in W7, to reset the TCP/IP stack I had to run CMD as Administrator.