Posts posted by therealex


  1. Thanks, I'll give it a try.  But I don't know - MBAM was always the gold standard, as far as I was concerned.  Now it seems they're so busy "making improvements" that there are more issues than ever.  I sure hope they get their act together.  I recommend MBAM to everyone (and as a tech, I meet a LOT of people.)  Now I'm getting calls from clients understandably upset that there are problems.

    I sure don't need the extra work!  MBAM - you changed to a yearly subscription.  Get it working, make it stable, and stop making us play whack-a-mole with things like protection turning off or icons not appearing or false alerts about updates!

     

    Thanks, Porthos.  I'll try the beta.


  2. Hi,

    I have the latest version of MBAM Premium, running on Win 10 Pro.  The tray icon is suddenly missing.  I went to Settings, and it doesn't even show up as an option in "Select which icons appear in the taskbar" or "Turn system icons on or off".  In the MBAM settings page, it's checked to start with Windows, but I don't see a system tray option.

    It was there last time I checked, probably a few days ago.  Is this yet ANOTHER update "improvement"? 

    It's version 3.0.6.1469, Component package 1.0.103, Update package version 1.0.1856.  It's set for automatic update.

    Thanks for your help!

     

    - Russ


  3. I've been having this issue, on and off, since December.  There's an upgrade, it may (or may not) go away, then comes back.  Now, at least once a day, I get an alert saying a component of Real Time Protection is turned off.  If I click "turn on", it's fine.

    I've already done the "uninstall using MBAM uninstaller" and re-installed, sometime in January.  Right now I'm using ver 3.06.1469, component version 1.0.0, update package 1.0.1508.

    I've used MBAM for years and recommend it to all of my clients (I'm a tech).  I don't know what the heck is going on here, but this isn't the kind of quality I expect from the "gold standard" of anti-malware programs.

    The only thing that has changed on my computer is I'm using Backblaze for backups, having switched from Acronis.  There is absolutely no reason there should be a connection there, but in the interest of solving this, I'm mentioning it.

     

    - Russ


  4. Hi,

    I know this has been covered, but I must be a bit dense here.  I just upgraded from Win7 32 bit to Win7 64 bit (yay, finally have access to the additional 4 gigs of memory!)

     

    I have MBAM pro, and re-installed Avast free.  I did a custom install and de-selected ALL of the optional software choices.  Now, I have three things running: File System Shield, Web Shield, and Mail Shield.  I'm using Outlook 2007 for my mail.

     

    Do any of these interfere with MBAM, as in having two malware protection programs running at once?  If so, is there a way to shut off the malware part of Avast?  Finally, do I need the Mail protection running?

     

    Thanks!

     

    - Russ


  5. Thank you for the reply.  I uninstalled Avast! and it revealed that Firefox was, as the article said, initiating the attempts.  I reinstalled Avast! and MBAM again cited it as the source.  I have a number of pages open in Firefox, so I'm not sure what's causing it.  I've closed a few at a time, and will continue until I figure out which one is doing it.

     

    Odd though - it attempts to make that connection as soon as Firefox opens, BEFORE it's loaded any of the pages (that is, when the "restore previous session" screen is open).  I'm wondering if it's possible that Firefox itself is compromised.


  6. Hi,

     

    I followed the instructions and downloaded TCPView.  I've been running it for about a day now.  Roughly every hour, "avastsvc.exe" (yes, I have avast) tried to connect to 78.138.104.155 and MBAM blocks it.  The remote address does not show up in TCPView, so I can't confirm if it's really Avast.  The IP address is somewhere in Poland, so it's suspicious that Avast would be contacting it.

     

    Since TCPView isn't working, is there any other way to determine what process is actually initiating this request?

     

    Thanks for your help!


  7. I have been dealing with this problem for months. In my case, the random voices were caused by iexplore.exe running in the background (no actual window) and connecting to various sites, then disconnecting again.

    When I say "dealing with this" for months, I really mean it. I've been working with two people on Geeks To Go. I have the full version of MBAM, which has not found anything even though it scans every night. I use Process Blocker to stop IE from running, and failing that I've blocked it in Comodo. Teatimer has apparently blocked all of the sites it tries to go to, because when I disable Process Blocker and allow it to run, Comodo shows that it's trying reach a loopback (127.0.0.1) address. When I don't want it to run at all, I rename it (in Safe Mode, as it regenerates in Normal mode) to iexplore.bad.

    I've used:

    MBAM (of course)

    Combofix

    OTL

    Bootkit Remover

    MBR Check

    Reanimator

    GMER

    Regrun Warrior

    Rootkit Revealer

    Root Repeal

    RK Unhooker

    Super Anti-spyware

    Hitman Pro 3.5

    TDSS Killer

    ESET Online Scanner

    to name a few, all under request by various experts. I've used Process Monitor and Process Explorer to try and "catch" the process that's initiating this - it doesn't do it in Safe Mode, so it's definitely something that's loading at startup. You may notice that it also makes the attempts hourly, at just about the same time within a second or two, and that there are multiple instances running that start within a second of each other.

    That is, if your situation is the same as mine. I have NOT found the answer yet. Every other instance of this that I've seen written about has resulted in the end user wiping the system, but I'm a stubborn coot and refuse to do so. Why should these creeps win against all the experts out here?

    - Russ


  8. Are you sure you didn't have all your Internet explorer's communications routed via avast!'s Web Shield?

    If so, there's the reason for it :unsure:

    I rarely use IE, so I don't think that's it. I usually use Firefox (don't get me started...)

    - Russ


  9. FYI - I installed the newer version of Avast! (5) and the entire problem stopped dead in its tracks! Weird, but at least it's a solution if anyone else has this problem.

    In fact, ALL blocked IPs stopped appearing.

    Thanks again for your help.

    - Russ


  10. I've removed the attachments due to the sensitive nature of some of the data in the captures.

    I'm not seeing anything in them related to 67.213.214.178 however?, and the only thing I can see related to 208.73.210.27 is a DNS lookup for purchasestationery.com ?? (the 208.* IP isn't blocked by MBAM).

    Yes, I couldn't catch the 67.213.214.178 block, but I'll set it up to try and get it. However, MBAM definitely is blocking the 208 IP:

    :48:59 Russell Alexander IP-BLOCK 208.73.210.27

    It seems to try and access it four or five times in a row, and MBAM blocks it each time. Here's a quote from another thread about that address:

    antispywarepro.net 208.73.210.27 parkinglot.information.com Rogue Antivirus Bogdan Pankiv / software@fabrica.net.ua 2009-04-28

    This is one line from just one report on IP 208.73.210.27 -

    I hope it will give you a basic idea why it is blocked - McAfee also Red Lists it -

    QUOTE

    clef.ca, wzbt.org, pal9.com, mlbk.com, azais.net and at least 100 other hosts point to 208.73.210.27. It is blacklisted in two lists.

    So, the question is, it seems to be Avast! that's trying to access it (which can't be true). MBAM does a scan every night and has not found anything, but SOMETHING is trying to access this site. I'm sorry that I don't know more about packets, but I gather that there wasn't anything there that would help in pinning it down.

    Any suggestions on how I might find this rogue program would be appreciated. I realize this is not the correct forum, as this is for false positives. I've already posted in the general forum prior to this.

    Thanks!


  11. Got it (finally!) it's for a different address, 208.73.210.27, which I posted about in the general forum.

    I've uploaded the files - they're only 1kb each, but I also included the full capture in case there was something else you wanted to see, bringing the size up to 4.2 megs. I also uploaded just the 1kb files, as "208 files small".

    This is really driving me nuts, as it's something that's pretending to be Avast! and keeps trying to access that IP (and others, too.)

    Any help would be greatly appreciated!

    - Russ


  12. I'm using C-Port to find out what's going on with some reported blocks. This one came up, and here's the info:

    ashWebSv.exe 3244 TCP 2388 192.168.1.2 80 http 67.213.214.178 178-host199440.midphase.com Sent C:\Program Files\Alwil Software\Avast4\ashWebSv.exe avast! Antivirus avast! Web Scanner 4, 8, 1367, 0 ALWIL Software 3/9/2010 20:37:19 NT AUTHORITY\SYSTEM avast! Web Scanner A 3/9/2010 21:12:10 C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

    It seems to be blocking Avast! from contacting midphase.com. Any idea if this is a mistake? Thanks.


  13. Hi therealex -

    Did you note my post #4 above that lists one of the sites from the IP you submitted - It shows that it contains Rogue Antivirus -

    These are the reasons that it is blocked - It is also on the McAfee RED list (means very bad site) -

    PS. This was just from a 5 min Google search -

    Thank You - :)

    Yes, I saw that. I understand why it's blocked, but what I don't understand is which program keeps trying to access it. Am I being dense here (not unusual)?


  14. Okay, as Clint Eastwood once said:

    "A man's got to know his limitations".

    I found the reference to a couple of the attempts in Wireshark, but don't know how to proceed to find the offending program! Here's what I got:

    90317 21:39:57.941489 192.168.1.2 192.168.1.1 DNS Standard query A filmfreephotos.com

    This lines up with malwarebytes' log:

    21:39:57 Russell Alexander IP-BLOCK 208.73.210.27

    Although the log goes on to find more:

    21:40:00 Russell Alexander IP-BLOCK 208.73.210.27

    21:40:06 Russell Alexander IP-BLOCK 208.73.210.27

    21:40:18 Russell Alexander IP-BLOCK 208.73.210.27

    21:40:21 Russell Alexander IP-BLOCK 208.73.210.27

    21:40:27 Russell Alexander IP-BLOCK 208.73.210.27

    And Wireshark finds this oddity:

    90382 21:40:25.238093 192.168.1.2 192.168.1.1 DNS Standard query A cornersnackbar.com

    "cornersnackbar.com"?

    Anyway, I don't expect you kind folks to babysit me through figuring out what it all means, but a gentle push in the right direction would be greatly appreciated!
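    An added example, not code from this thread or from Malwarebytes, that does the matching described in the post above mechanically: it parses MBAM IP-BLOCK lines and Wireshark DNS summary lines, then attributes each block to the most recent DNS query issued just before it, leaving blocks that no query explains for a process-level tool to chase. The sample lines are constructed in the two formats quoted above (the ntp.example query is an assumed benign lookup added to show that not every query gets blamed), and the 10 s window and 1 s resolution slack are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input modelled on the two log formats quoted in the post
# (MBAM IP-BLOCK lines and Wireshark DNS summary lines); not real captures.
MBAM_LOG = """\
21:39:57 Russell Alexander IP-BLOCK 208.73.210.27
21:40:00 Russell Alexander IP-BLOCK 208.73.210.27
21:40:06 Russell Alexander IP-BLOCK 208.73.210.27
21:40:18 Russell Alexander IP-BLOCK 208.73.210.27
21:40:21 Russell Alexander IP-BLOCK 208.73.210.27
21:40:27 Russell Alexander IP-BLOCK 208.73.210.27
"""
WIRESHARK_DNS = """\
90317 21:39:57.941489 192.168.1.2 192.168.1.1 DNS Standard query A filmfreephotos.com
90382 21:40:25.238093 192.168.1.2 192.168.1.1 DNS Standard query A cornersnackbar.com
90401 21:40:40.000000 192.168.1.2 192.168.1.1 DNS Standard query A ntp.example
"""
MBAM_RE = re.compile(r"^(\d\d:\d\d:\d\d) .*? IP-BLOCK (\d+\.\d+\.\d+\.\d+)$")
DNS_RE = re.compile(r"^\d+ (\d\d:\d\d:\d\d\.\d+) \S+ \S+ DNS Standard query A (\S+)$")

def parse(text, regex, fmt):
    """Return [(time, value)] for every line matching regex; time parsed with fmt."""
    matches = (regex.match(line) for line in text.splitlines())
    return [(datetime.strptime(m[1], fmt), m[2]) for m in matches if m]

def correlate(blocks, queries, window=timedelta(seconds=10)):
    """Attribute each IP-BLOCK to the most recent DNS query issued up to `window` before it.
    MBAM logs whole seconds while Wireshark logs microseconds, so a block written in the
    same second can appear up to 1 s *before* its query; allow that slack (assumed values)."""
    slack = timedelta(seconds=1)
    attributed, unattributed = {}, []
    for t, ip in blocks:
        hits = [(qt, name) for qt, name in queries if qt - slack <= t <= qt + window]
        stamp = t.strftime("%H:%M:%S")
        if hits:
            attributed.setdefault(max(hits)[1], []).append((stamp, ip))
        else:
            unattributed.append((stamp, ip))
    return attributed, unattributed

def summarize(mbam_text=MBAM_LOG, dns_text=WIRESHARK_DNS):
    """Blocks per queried name (names never followed by a block are omitted), plus
    the number of blocks no DNS query explains: those need a process-level view."""
    blocks = parse(mbam_text, MBAM_RE, "%H:%M:%S")
    queries = parse(dns_text, DNS_RE, "%H:%M:%S.%f")
    attributed, unattributed = correlate(blocks, queries)
    return {name: len(v) for name, v in attributed.items()}, len(unattributed)
```

    Calling summarize() on the sample data attributes three blocks to filmfreephotos.com and one to cornersnackbar.com, and reports two blocks with no preceding query, which is the kind of retry burst the thread describes and the part a DNS capture alone cannot explain.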


  15. Thanks for the responses. I don't usually run P2P software, although I have occasionally run bitpump. I stop the process, though, when it's done. It isn't running now. Rebooting does not prevent the attempted IP access.

    I ran tcpview, but since you can't create a log file it didn't help track down which program was trying to access the address. I downloaded wireshark and created a filter for that address, so I'll see what happens. When I get it determined, I'll post the result!

    - Russ
