
Hornsj2

Honorary Members
  • Posts: 31

Everything posted by Hornsj2

  1. Hornsj2

    PFSense?

    @gatortail Thank you. I was referring to the advantage of being able to configure my router. While at home I don't need to have an application on any device. Anything on my internal network will automatically be on the VPN.
  2. Hornsj2

    PFSense?

    Thank you for the quick response. I will take a look at WireGuard and see if it's worth it to stop using my current provider. I trust MB more than them, but it's really convenient to have my smart devices and phone on my VPN with no effort or installation. Have a good one.
  3. Hornsj2

    PFSense?

    Is this based on OpenVPN? I am interested in possibly switching from my current provider, but I want to configure this at my router level, and not just have it as a desktop app.
  4. OK please close this thread. Malwarebytes staff and volunteers always do a great job and provide a much needed service. This is not your issue, but as for that link, it probably isn't related but either I misconfigured something or it was malicious because my router started attempting to perform a very large number of DNS queries. Restored from previous config. I posted the url to virustotal and it had no problem with it, and I used MB, Norton Power Eraser, and a full Norton system scan and they came up with nothing so I think I'm good to go. I thought last time I was here I saw donates on signatures. Please let me know if you have a place to make a small donation.
  5. Hi, thank you for the reply. If you wouldn't mind leaving this open for another day or so, I am troubleshooting some router configuration changes and in the middle of it I clicked on some link to explain some settings and my browser has been unable to navigate to some sites. I ask for the day so I can make sure I didn't misconfigure something.
  6. Hi there. Thank you for the response, and for MB checking that IP address. I think I did it AGAIN (posted to wrong forum). I took this section of the forum description "...get advice from tech experts and fellow users. Learn how to optimize Malwarebytes 3 for your needs and ensure it’s doing everything it can to protect you from online threats like spyware, ransomware, and Trojans. ..." to mean it was for generally safety discussion and not for malware removal. My license is for Malwarebytes 3.x premium for Windows. I did open a thread shortly after my last post to this thread asking for help. To be honest, I'd like to know if something is on my machine. I've been waiting in the Windows help section for someone to free up. I've already posted there and figured as soon as everyone was done with the obvious infection cases they would pick out my situation. I mean I see over there that some people clearly have problems and maybe I'm just paranoid about malware.
  7. I've spent the last 14 hours or so analyzing my network and doing research on this topic. It turns out Firefox makes 2 connections when it starts up. One of them is to Akamai Technologies. The request is over https, and looking at Shodan output for that website it lists the following certificate information:

        Authority Information Access:
            OCSP - URI:http://ocsp.digicert.com
            CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt

     So that would explain why it's doing what it's doing. I used Wireshark and Burp to look at the request/responses for OCSP and also to monitor the traffic going to this IP address and it all looks to me like it's legit. All of that being said, since I put the logs up would it be possible to still get a fixlist? I did run Power Eraser a couple days ago and it found a bad registry entry for Internet Explorer, which I don't use, that allowed downloading files from the Internet zone (zone 3?). Not overly familiar with that, but I'm pretty sure I've run Power Eraser since I installed my OS a few months ago and that was not present. Would be willing to donate.
  8. First one is of one of my VMs. I also had that IP connection over port 80 on my Windows host that runs Firefox with the same extensions (and has MB3 on it). Second one is the Burp Suite request to the address. This is the address listed in the certificate. Problems are:
     1. This doesn't happen on my other computer (but it does happen on every virtual machine I run on THIS host, regardless of the OS).
     2. On my home page, even when set to a local file, it sends out this request.
     3. A connection over http is made and maintained with this IP. I haven't read the OCSP protocol spec so maybe that's normal.
  9. OK I have decided to seek help to determine if my computer is infected. Attached are the logs. Since the last time I was here 4 months ago I have done a nuke and pave on my system so everything should have been installed within the last few months. You will notice a c:\hackAgain folder. I created this folder myself to store research into this ip connection issue I have put on the other section of the forums (about firefox connecting to ocsp.digicert.com). I must say I see no evidence of malware on my system but given what people are writing (even as up to date as 2 hours at the time I write this) about that ip address and what it's doing to people, and that I have had a connection established to it for god knows how long, I want to make sure. I have some tools downloaded here like Kali, GHIDRA, Burp etc because I'm starting to get really interested in security and bug bounty since my last potential hack incident.
  10. You can go ahead and close this. I don't think this is a MB problem and although I'm going to do more analysis of my network, I can't say right now I think I'm infected with anything.
  11. I apologize for putting this in the wrong section of the forums.
  12. Sorry for cross posting this with the other forum section but I think I put it in the wrong place and I didn't know how to move it, or if that is possible. Should MB take another look at this IP address? I run MB3 on my host and on that host + every VM I run off that host (flavors of Linux) Firefox tries to connect to that site. HOWEVER, my laptop is running just Linux and it does not exhibit the same behavior with Firefox. Same flavor as two VMs I've looked at on my Windows host that is running MB3. The VM I just created from image does the same thing. I can't explain it. What I said in a reply to my own thread in the blocked website section (original thread mentioned above) was that if I turn off two privacy features it stops attempting to connect. One of them is OCSP responders so maybe that makes sense, but the reports of DDOS, hacking, extortion, etc. from this IP are pretty alarming.

      Am I being gaslighted by this abuseipdb.com? From what I read on this site (MB) this is not an issue, but according to that (abuseipdb) site there is a big problem with this IP. Are hackers doing social engineering planted reports on that site to freak people out because they know connections to it are widespread? Or is this really an issue? I have read two other forum posts about this IP address. One said MB was producing a lot of false positives with Mozilla products on this IP.

        nslookup ocsp.digicert.com
        Server:         127.0.1.1
        Address:        127.0.1.1#53

        Non-authoritative answer:
        ocsp.digicert.com       canonical name = cs9.wac.phicdn.net.
        Name:   cs9.wac.phicdn.net
        Address: 72.21.91.29

      I noticed today that every version of Firefox I run, from my Windows host running MB, to my two Linux VMs, show this IP address as having a connection in Firefox. After investigating, I have mixed information about whether or not this IP address should be blocked by MB or if it is really a certificate authority (or whatever you call it). When I start Firefox I do lsof (Linux) or netstat (Windows) and see that it starts a connection to this IP address (a connection which is maintained over port 80). My extensions are HTTPS Everywhere, uBlock Origin, Decentraleyes, Cookie AutoDelete. Given the above information I would be at ease, but then I read the reports on this website about people getting hacked through it: https://www.abuseipdb.com/check/72.21.91.29

      Some examples (there are more, and they are all pretty recent):

        27 Nov 2018: This guy bought an ssl certificate, BUT... if you run an Nmap scan, you will see that it is just a router, not an ssl server

        06 Jan 2019: Secretly records unwanted video and spoofs users on Facebook purporting to be a real person when it is actually a bot. Uses server techniques to create a fake account that can hack into user's personal data without appearing on Facebook. Is determined to exploit servers in order to reveal nudity/other-sexual-content on public social media (e.g. YouTube, Facebook, WhatsApp) to humiliate. Exploits personal information in order to commit extortion by threatening users to give away bank information. The threat includes the user being publicly humiliated by accessing personal information, without consent of the user, if he/she does not pay a large sum of money ($8000-10000) to prevent the information from being revealed publicly. Repeatedly contacts the user if the user disconnects from the call/text message, through other forms of social media that the user may be logged into. The user is blackmailed to send a large sum of money through either a fraudulent phone number or email.

        22 Feb 2019: This IP was just seen on my Windows system using netstat. Unplugged my router/modem. Why would Verizon be connected to my pc. I've run scans with Malwarebytes, RogueKiller, I've run rootkit scans and nothing malicious is found. Guess I should wipe the system and start over.

        DDoS Attack, FTP Brute-Force, Fraud VoIP, Port Scan, Hacking, Brute-Force, Exploited Host, Web App Attack, SSH
  13. Would it be a big problem if someone hacked the cert site that Firefox uses to confirm web pages? Seems like this could make for a widespread problem but admittedly I don't know. Some people I talk to, and in fact one of my other computers, don't have this ip connection even with those options checked.
  14. I have found when I disable two options under Privacy and Security in Firefox, these connections go away: "Block dangerous and deceptive content" and "Query OCSP responder servers to confirm the current validity of certificates". So I guess it's likely this abuseipdb is being exploited to sow fear?
  15. Should MB take another look at this IP address? Am I being gaslighted by this abuseipdb.com? From what I read on this site this is not an issue, but according to that site there is a big problem with this IP. Are hackers doing social engineering planted reports on that site to freak people out because they know connections to it are widespread? Or is this really an issue? I run MB3 on my host. I have read two other forum posts about this IP address. One said MB was producing a lot of false positives with Mozilla products on this IP.

        nslookup ocsp.digicert.com
        Server:         127.0.1.1
        Address:        127.0.1.1#53

        Non-authoritative answer:
        ocsp.digicert.com       canonical name = cs9.wac.phicdn.net.
        Name:   cs9.wac.phicdn.net
        Address: 72.21.91.29

      I noticed today that every version of Firefox I run, from my Windows host running MB, to my two Linux VMs, show this IP address as having a connection in Firefox. After investigating, I have mixed information about whether or not this IP address should be blocked by MB or if it is really a certificate authority (or whatever you call it). When I start Firefox I do lsof (Linux) or netstat (Windows) and see that it starts a connection to this IP address (a connection which is maintained over port 80). My extensions are HTTPS Everywhere, uBlock Origin, Decentraleyes, Cookie AutoDelete. Given the above information I would be at ease, but then I read the reports on this website about people getting hacked through it: https://www.abuseipdb.com/check/72.21.91.29

      Some examples (there are more, and they are all pretty recent):

        27 Nov 2018: This guy bought an ssl certificate, BUT... if you run an Nmap scan, you will see that it is just a router, not an ssl server

        06 Jan 2019: Secretly records unwanted video and spoofs users on Facebook purporting to be a real person when it is actually a bot. Uses server techniques to create a fake account that can hack into user's personal data without appearing on Facebook. Is determined to exploit servers in order to reveal nudity/other-sexual-content on public social media (e.g. YouTube, Facebook, WhatsApp) to humiliate. Exploits personal information in order to commit extortion by threatening users to give away bank information. The threat includes the user being publicly humiliated by accessing personal information, without consent of the user, if he/she does not pay a large sum of money ($8000-10000) to prevent the information from being revealed publicly. Repeatedly contacts the user if the user disconnects from the call/text message, through other forms of social media that the user may be logged into. The user is blackmailed to send a large sum of money through either a fraudulent phone number or email.

        22 Feb 2019: This IP was just seen on my Windows system using netstat. Unplugged my router/modem. Why would Verizon be connected to my pc. I've run scans with Malwarebytes, RogueKiller, I've run rootkit scans and nothing malicious is found. Guess I should wipe the system and start over.

        DDoS Attack, FTP Brute-Force, Fraud VoIP, Port Scan, Hacking, Brute-Force, Exploited Host, Web App Attack, SSH
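The question running through posts 8, 12, 13, 14 and 15 is how to tell whether a connection seen in netstat or lsof belongs to the OCSP responder Firefox is configured to query, or to something that deserves a closer look. The following script is an added example, not code from the original posts or from Malwarebytes or Mozilla: it parses nslookup output of the shape quoted above and a constructed netstat listing, then flags each remote endpoint as an expected responder address, a responder address on an unexpected port, or an unknown host. The netstat rows and the 203.0.113.x / 198.51.100.x addresses are constructed sample data; the responder name, CNAME and 72.21.91.29 are the values quoted in the posts. One fact the posts were unsure about: OCSP requests are carried over plain HTTP (RFC 6960, Appendix A), so a port 80 session to the responder is the normal shape of the protocol.

```python
import re

# Constructed sample mirroring the nslookup output quoted in the posts above.
NSLOOKUP_OUTPUT = """\
Server:         127.0.1.1
Address:        127.0.1.1#53

Non-authoritative answer:
ocsp.digicert.com       canonical name = cs9.wac.phicdn.net.
Name:   cs9.wac.phicdn.net
Address: 72.21.91.29
"""

# Constructed sample of `netstat -n` style output; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, not real hosts.
NETSTAT_OUTPUT = """\
Proto  Local Address          Foreign Address        State
TCP    192.168.1.20:51512     72.21.91.29:80         ESTABLISHED
TCP    192.168.1.20:51520     203.0.113.45:443       ESTABLISHED
TCP    192.168.1.20:51533     198.51.100.7:4444      ESTABLISHED
"""

# OCSP (RFC 6960, Appendix A) runs over plain HTTP, so port 80 to a responder
# is the expected transport rather than a sign of compromise by itself.
OCSP_PORTS = {80}


def parse_nslookup(text):
    """Extract the queried name, its CNAME target and the answer addresses.

    The resolver's own 'Address: 127.0.1.1#53' line carries a '#port' suffix
    and is skipped so it is not mistaken for an answer record.
    """
    info = {"name": None, "cname": None, "addresses": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^(\S+)\s+canonical name = (\S+?)\.?$", line)
        if m:
            info["name"], info["cname"] = m.group(1), m.group(2)
            continue
        m = re.match(r"^Name:\s*(\S+)$", line)
        if m and info["name"] is None:
            info["name"] = m.group(1)
            continue
        m = re.match(r"^Address:\s*(\S+)$", line)
        if m and "#" not in m.group(1):
            info["addresses"].append(m.group(1))
    return info


def parse_netstat(text):
    """Parse 'Proto Local Foreign State' rows into dicts (IPv4, as in the posts)."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+):(\d+)\s+(\S+)", line)
        if m:
            rows.append({"proto": m.group(1), "local": m.group(2),
                         "remote_ip": m.group(3), "remote_port": int(m.group(4)),
                         "state": m.group(5)})
    return rows


def classify_connections(rows, resolved):
    """Label each connection 'expected', 'review' or 'unknown' against the responder."""
    known = set(resolved["addresses"])
    out = []
    for r in rows:
        entry = dict(r)
        if r["remote_ip"] in known and r["remote_port"] in OCSP_PORTS:
            entry["verdict"] = "expected"
            entry["reason"] = f"{resolved['name']} -> {resolved['cname']} -> {r['remote_ip']}"
        elif r["remote_ip"] in known:
            entry["verdict"] = "review"
            entry["reason"] = "responder address reached on a non-OCSP port"
        else:
            entry["verdict"] = "unknown"
            entry["reason"] = "not a responder address; identify the owning process"
        out.append(entry)
    return out


if __name__ == "__main__":
    resolved = parse_nslookup(NSLOOKUP_OUTPUT)
    for c in classify_connections(parse_netstat(NETSTAT_OUTPUT), resolved):
        print(f"{c['remote_ip']}:{c['remote_port']:<5} {c['verdict']:<9} {c['reason']}")
```

Because the responder sits behind a CDN, the address it resolves to can change between runs and between networks, which is one reason two machines can legitimately show different endpoints; re-run the lookup on the machine that shows the connection rather than comparing against a cached address from another host.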
  16. This should be {redacted actual email SENDER before the @ symbol } @bounce.malwarebytes.com
  17. Forgive me if this is in the wrong section but I believe this is at least tangentially related to my MB subscription. I am looking at my spam filter's logs today and I see what looks like a rejected email from Malwarebytes today. I don't want to miss notifications about possible attacks so I am wondering if this is a legit email. I ask because it's going to an email address I had when I signed up for Malwarebytes, but one which is not associated with my subscriptions now. I unfortunately don't have the raw header, at least in my noobishness I don't think I do. I do have the logs though. The email address was {redacted actual email subject before the @ symbol } @bounce.malwarebytes.com. Here's the rest of the log info I have that I think is relevant:

        mta.malwarebytes.com 136.147.184.35 United States spam (no subject) rejected

      Additionally there is no From in the logs. So no subject and no from makes me think it's spam. Also, the IP address whois information is some other marketing company called ExactTarget and not Malwarebytes. Last thing, though. An nslookup resulted in the following:

        Non-authoritative answer:
        Name:   mta.malwarebytes.com
        Address: 136.147.184.35

      Should I ignore this or try to figure out why MB may be sending emails to an old address?
  18. Forgot to mention that it is possible that if your email address and password were taken in a breach they CAN do bad things, so as everyone is saying make sure you change your password. Also, it is a really bad idea to share passwords amongst different sites. It is a pain to do, but you should have a strong password that is unique to each account you have online. By the way, these people are stealing not only passwords and email but phone numbers, challenge question answers (think mother's maiden name etc.), and other personal information. None of that is proof they have hacked your device.
  19. If you have the ability to open your SMTP header for the email you will most likely see (I would bet my house on it) that they are "spoofing" your email address. There are many different types of these email scams going around now. Some ask for bitcoin, some tell you to click on a link to see evidence. If you click on any links you WILL get malware. Report this to your email provider or buy a SPAM filter if you run your own server.
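Posts 17 and 19 both come down to reading the headers of a suspicious message: which domain the visible From claims, which domain the envelope sender (Return-Path) actually used, which relay handed the message to your mail server, and what the receiving server's SPF and DKIM checks said. The script below is an added example, not code from the original posts or from any mail provider; it parses a constructed message with Python's standard email module and reports the mismatches that mark a "your account has been hacked" self-spoof. Every host, address and id in the sample is a placeholder, and the finding thresholds are an assumption chosen for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed example of a scam message as it might appear in a mailbox; all
# hosts, addresses and ids are placeholder values.
SPOOFED_MESSAGE = """\
Return-Path: <bounce-7731@relay.example.net>
Received: from relay.example.net (relay.example.net [203.0.113.5])
        by mx.victim.example with ESMTP id PLACEHOLDER-ID
        for <alice@victim.example>; Mon, 25 Feb 2019 10:12:44 +0000
Authentication-Results: mx.victim.example;
        spf=fail smtp.mailfrom=relay.example.net;
        dkim=none
From: Alice <alice@victim.example>
To: alice@victim.example
Subject: Your account has been hacked

Pay within 48 hours.
"""


def domain_of(addr):
    """Lower-cased domain part of a header address, or '' if it has no '@'."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rsplit("@", 1)[-1].lower() if "@" in email_addr else ""


def first_received_host(msg):
    """Host named in the topmost Received: header, the last hop before our own MX."""
    received = msg.get_all("Received") or []
    if not received:
        return ""
    m = re.match(r"\s*from\s+(\S+)", received[0])
    return m.group(1).lower() if m else ""


def auth_results(msg):
    """Pull spf=, dkim= and dmarc= verdicts from Authentication-Results, if present."""
    ar = msg.get("Authentication-Results", "")
    found = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", ar)
        if m:
            found[mech] = m.group(1).lower()
    return found


def analyze(raw):
    """Compare header From, envelope sender, relay and auth results; list the mismatches."""
    msg = message_from_string(raw)
    header_from = domain_of(msg.get("From"))
    envelope_from = domain_of(msg.get("Return-Path"))
    auth = auth_results(msg)
    findings = []
    if header_from and envelope_from and header_from != envelope_from:
        findings.append(f"From domain {header_from} differs from Return-Path domain {envelope_from}")
    if parseaddr(msg.get("From", ""))[1].lower() == parseaddr(msg.get("To", ""))[1].lower():
        findings.append("From address equals the recipient address (self-spoof pattern)")
    if auth.get("spf") in {"fail", "softfail"}:
        findings.append(f"SPF {auth['spf']} for the envelope sender")
    if auth.get("dkim") in {"none", "fail"}:
        findings.append(f"DKIM {auth['dkim']}: the From domain did not sign this message")
    return {
        "header_from_domain": header_from,
        "envelope_from_domain": envelope_from,
        "relay_host": first_received_host(msg),
        "auth": auth,
        "findings": findings,
        # Assumption for this example: two or more independent mismatches is the bar.
        "likely_spoofed": len(findings) >= 2,
    }


if __name__ == "__main__":
    report = analyze(SPOOFED_MESSAGE)
    print("relay:", report["relay_host"], "auth:", report["auth"])
    for f in report["findings"]:
        print(" -", f)
    print("likely spoofed:", report["likely_spoofed"])
```

Applied to the post 17 log line, the same comparison explains the picture there: a bounce.malwarebytes.com envelope address handed over by mta.malwarebytes.com is a From/Return-Path split that bulk-mail services use on purpose, so that split alone is not a spoofing signal; the missing Subject and From, and the SPF/DKIM verdicts your filter recorded, are the lines worth checking.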
  20. Oh all those files not quarantined are gone. I deleted that mail account from Mail and after backing up that account to PST (yes, need to be careful with this pst) I deleted that and 2 other mail accounts. Thank you again.
  21. Thank you for your reply. I'm saying in this folder is where Windows Mail stores all of the downloaded emails and attachments: subfolder 3 for emails and subfolder 7 for attachments.

        C:\Users\Josh\AppData\Local\Comms\Unistore\data

      So emails are in C:\Users\Josh\AppData\Local\Comms\Unistore\data\3\ and attachments are in C:\Users\Josh\AppData\Local\Comms\Unistore\data\7. The files in those folders are for the Mail program's use and are hidden protected operating system files. The viruses were found in subfolder 7, which means some email had a virus attachment. Since I downloaded 10 years of emails via POP a few weeks ago, I'm guessing someone sent me viruses over the last 10 years and those were downloaded to this folder (but maybe not executed?). Protection of Norton and Malwarebytes!
  22. Nasdaq, I have a question. I just did more research on the location of this virus, as detected. It was in appdata/local/comms/unistore folder 7. Apparently that is where Microsoft Mail stores attachments when downloading POP. One file was MyDocs.SCR and another infected file was a .zip. I don't recall ever executing either. Is it possible this RAT was never active? I started using Windows Mail about 3 weeks ago (before I used thunderbird on my VM). I had about 7000 emails from over 10 years on the server when mail downloaded via POP. Nothing has found an active RAT process. Is it possible to have had the RAT running without MalwareBytes or Norton to be aware of it? Would I have had to execute the .SCR or unzip the .zip for it to infect me? Thank you for your help.
  23. Fixlog.txt I have read this and I have no idea what it did. It looks like it removed some chrome stuff and maybe a spy that Microsoft installed (campainManager?). By the way, Norton REALLY hates FRST64.exe. First, it warned me to discard the download. Second, it warned me when I started the process that the process was reaching out over port 80 to bleepingcomputer. Thank you, I will contact you if I have further issues with the computer. I think I have further issues with my life after having a RAT for who knows how long... Time to call banks etc...