Outgoing IP block


Easthead6

I built my computer from parts I ordered from Newegg, I have lots of experience with computers, and my computer is protected. It seems unlikely that something like this would happen to me, but it did, oddly enough.

So occasionally, Malwarebytes pops up a standard Windows 7 tooltip saying it succeeded in an IP Block, with the type "Outgoing". Usually the IP is the same, but sometimes it changes. I did my research on MyWOT, and found that most of these IPs were malicious. I've just done a full scan - It took around 5 minutes, and there is no trace of anything. One of the IP Blocks is from hl2.exe, which I know for a fact is Steam - A reputable gaming program. The other is from firefox.exe, which is my main browser. I have little idea of what's causing this, so I'll post the log.

LOG:

2012/08/02 11:06:57 -0400 MRCOMPUTERATOR Austin IP-BLOCK 74.91.114.84 (Type: outgoing, Port: 60863, Process: hl2.exe)

2012/08/02 11:07:05 -0400 MRCOMPUTERATOR Austin IP-BLOCK 74.118.192.166 (Type: outgoing, Port: 60863, Process: hl2.exe)

2012/08/02 11:07:05 -0400 MRCOMPUTERATOR Austin IP-BLOCK 74.118.192.166 (Type: outgoing, Port: 60863, Process: hl2.exe)

2012/08/02 11:07:05 -0400 MRCOMPUTERATOR Austin IP-BLOCK 74.118.192.166 (Type: outgoing, Port: 60863, Process: hl2.exe)

2012/08/02 11:07:05 -0400 MRCOMPUTERATOR Austin IP-BLOCK 74.118.192.166 (Type: outgoing, Port: 60863, Process: hl2.exe)

2012/08/02 11:07:05 -0400 MRCOMPUTERATOR Austin IP-BLOCK 74.118.192.166 (Type: outgoing, Port: 60863, Process: hl2.exe)

2012/08/02 11:08:09 -0400 MRCOMPUTERATOR Austin IP-BLOCK 66.150.164.97 (Type: outgoing, Port: 60863, Process: hl2.exe)

2012/08/02 15:51:43 -0400 MRCOMPUTERATOR Austin IP-BLOCK 74.91.114.84 (Type: outgoing, Port: 63261, Process: hl2.exe)

2012/08/02 15:51:43 -0400 MRCOMPUTERATOR Austin IP-BLOCK 74.118.192.166 (Type: outgoing, Port: 63261, Process: hl2.exe)

2012/08/02 15:51:43 -0400 MRCOMPUTERATOR Austin IP-BLOCK 74.118.192.166 (Type: outgoing, Port: 63261, Process: hl2.exe)

2012/08/02 15:51:43 -0400 MRCOMPUTERATOR Austin IP-BLOCK 74.118.192.166 (Type: outgoing, Port: 63261, Process: hl2.exe)

2012/08/02 15:51:43 -0400 MRCOMPUTERATOR Austin IP-BLOCK 74.118.192.166 (Type: outgoing, Port: 63261, Process: hl2.exe)

2012/08/02 15:51:43 -0400 MRCOMPUTERATOR Austin IP-BLOCK 74.118.192.166 (Type: outgoing, Port: 63261, Process: hl2.exe)

2012/08/02 15:52:47 -0400 MRCOMPUTERATOR Austin IP-BLOCK 66.150.164.97 (Type: outgoing, Port: 63261, Process: hl2.exe)

2012/08/02 16:56:41 -0400 MRCOMPUTERATOR Austin IP-BLOCK 74.118.192.166 (Type: outgoing, Port: 58235, Process: hl2.exe)

2012/08/02 17:04:49 -0400 MRCOMPUTERATOR Austin IP-BLOCK 74.118.192.166 (Type: outgoing, Port: 54361, Process: hl2.exe)

2012/08/02 17:05:13 -0400 MRCOMPUTERATOR Austin IP-BLOCK 213.246.38.124 (Type: outgoing, Port: 54361, Process: hl2.exe)

2012/08/02 17:05:21 -0400 MRCOMPUTERATOR Austin IP-BLOCK 31.214.175.16 (Type: outgoing, Port: 54361, Process: hl2.exe)

2012/08/02 17:06:47 -0400 MRCOMPUTERATOR Austin MESSAGE Executing scheduled update: Daily

2012/08/02 17:06:52 -0400 MRCOMPUTERATOR Austin MESSAGE Scheduled update executed successfully: database updated from version v2012.08.01.07 to version v2012.08.02.09

2012/08/02 17:06:52 -0400 MRCOMPUTERATOR Austin MESSAGE Starting database refresh

2012/08/02 17:06:52 -0400 MRCOMPUTERATOR Austin MESSAGE Stopping IP protection

2012/08/02 17:07:51 -0400 MRCOMPUTERATOR Austin MESSAGE IP Protection stopped

2012/08/02 17:07:52 -0400 MRCOMPUTERATOR Austin MESSAGE Database refreshed successfully

2012/08/02 17:07:52 -0400 MRCOMPUTERATOR Austin MESSAGE Starting IP protection

2012/08/02 17:07:53 -0400 MRCOMPUTERATOR Austin MESSAGE IP Protection started successfully

2012/08/02 17:28:09 -0400 MRCOMPUTERATOR Austin IP-BLOCK 184.82.146.118 (Type: outgoing, Port: 61095, Process: firefox.exe)

2012/08/02 18:13:22 -0400 MRCOMPUTERATOR Austin IP-BLOCK 184.82.146.118 (Type: outgoing, Port: 61268, Process: firefox.exe)

2012/08/02 18:13:22 -0400 MRCOMPUTERATOR Austin IP-BLOCK 184.82.146.118 (Type: outgoing, Port: 61286, Process: firefox.exe)

2012/08/02 19:22:36 -0400 MRCOMPUTERATOR Austin IP-BLOCK 74.91.114.84 (Type: outgoing, Port: 50393, Process: hl2.exe)

2012/08/02 19:22:36 -0400 MRCOMPUTERATOR Austin IP-BLOCK 74.118.192.166 (Type: outgoing, Port: 50393, Process: hl2.exe)

2012/08/02 19:22:36 -0400 MRCOMPUTERATOR Austin IP-BLOCK 74.118.192.166 (Type: outgoing, Port: 50393, Process: hl2.exe)

2012/08/02 19:22:36 -0400 MRCOMPUTERATOR Austin IP-BLOCK 74.118.192.166 (Type: outgoing, Port: 50393, Process: hl2.exe)

2012/08/02 19:22:36 -0400 MRCOMPUTERATOR Austin IP-BLOCK 74.118.192.166 (Type: outgoing, Port: 50393, Process: hl2.exe)

2012/08/02 19:22:36 -0400 MRCOMPUTERATOR Austin IP-BLOCK 74.118.192.166 (Type: outgoing, Port: 50393, Process: hl2.exe)

2012/08/02 19:22:36 -0400 MRCOMPUTERATOR Austin IP-BLOCK 74.118.192.166 (Type: outgoing, Port: 50393, Process: hl2.exe)

2012/08/02 19:23:41 -0400 MRCOMPUTERATOR Austin IP-BLOCK 66.150.164.97 (Type: outgoing, Port: 50393, Process: hl2.exe)

2012/08/02 21:41:51 -0400 MRCOMPUTERATOR Austin IP-BLOCK 184.82.146.118 (Type: outgoing, Port: 63153, Process: firefox.exe)

2012/08/02 21:41:51 -0400 MRCOMPUTERATOR Austin IP-BLOCK 184.82.146.118 (Type: outgoing, Port: 63154, Process: firefox.exe)


Hello and welcome, Easthead6:

IP blocks can indicate a number of things:

  • They could indicate that MBAM is doing its job of blocking bad content on websites.

  • They can also occur when running certain P2P and other programs, such as Skype -- For example, please see this recent post by forum Admin AdvancedSetup about IP blocks and Skype. (I don't use Steam, but it sounds as if this might at least partially explain the IP blocks you are seeing.)

  • In some cases the blocks are a false positive.

  • However, they can also be a sign of infection, especially if the blocks are outgoing and they occur when no browsers are open.

--> There is more information about the IP blocking module in the FAQ - Section G (and in the Helpdesk-FAQ).

It includes instructions on how to set MBAM to ignore a particular IP, if you wish to do so.

It also contains instructions on how to determine what process might be trying to make the connections.

And you may also research the IP in question at www.ip-lookup.net or a similar site.

On the other hand, if you think the IP blocks might be a false positive, then please read this article before starting a new topic in the False Positives forum.

Alternatively, if you think you might be infected, based on the IP blocks and/or other suspicious computer behavior, then please read the following to begin the cleaning process.

  • Please print out, read and carefully follow the instructions in the "I'm Infected - What Do I Do Now?" article.
  • Then please start a new post in the Malware Removal forum.
  • An authorized, trained malware expert will provide free, one-on-one assistance as soon as one becomes available.
  • Please be patient - it may be 48 hours or more before a helper can assist you, especially when the forum is very busy.
  • Please do NOT "bump" your topic or reply back to it for at least 48 hours.
  • Doing so may cause your topic to be overlooked, as it will appear that you are already being helped.

Thanks!

daledoc1


Hi:

Well, for the firefox.exe blocks, if something is phoning home to malicious IPs, then it's definitely suspicious.

Some malware can hide pretty well on the computer.

It might be a good idea to have one of our qualified malware experts take a look at your system, for free, just to be sure.

If you'd like to proceed, please follow the instructions in my earlier reply.

Alternatively, if you're a paid user of MBAM PRO, you can open a ticket directly at the help desk, also for free.

Please contact them here.

HTH,

daledoc1
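Added example (not part of the original thread, and not Malwarebytes code): a small parser for the IP-BLOCK line layout shown in the first post. It groups outgoing blocks by process and destination IP, so that the questions raised in the replies (which process is connecting, to which address, and when) can be answered from the log. The sample lines are an excerpt copied from that log; the function names are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime

# Line layout as it appears in the log posted above.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"(?P<host>\S+) (?P<user>\S+) IP-BLOCK (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\(Type: (?P<type>\w+), Port: (?P<port>\d+), Process: (?P<proc>[^)]+)\)$"
)

# Excerpt of the log from the first post (not the full log).
SAMPLE = """\
2012/08/02 11:06:57 -0400 MRCOMPUTERATOR Austin IP-BLOCK 74.91.114.84 (Type: outgoing, Port: 60863, Process: hl2.exe)
2012/08/02 11:07:05 -0400 MRCOMPUTERATOR Austin IP-BLOCK 74.118.192.166 (Type: outgoing, Port: 60863, Process: hl2.exe)
2012/08/02 11:07:05 -0400 MRCOMPUTERATOR Austin IP-BLOCK 74.118.192.166 (Type: outgoing, Port: 60863, Process: hl2.exe)
2012/08/02 17:06:47 -0400 MRCOMPUTERATOR Austin MESSAGE Executing scheduled update: Daily
2012/08/02 17:28:09 -0400 MRCOMPUTERATOR Austin IP-BLOCK 184.82.146.118 (Type: outgoing, Port: 61095, Process: firefox.exe)
2012/08/02 18:13:22 -0400 MRCOMPUTERATOR Austin IP-BLOCK 184.82.146.118 (Type: outgoing, Port: 61268, Process: firefox.exe)
2012/08/02 18:13:22 -0400 MRCOMPUTERATOR Austin IP-BLOCK 184.82.146.118 (Type: outgoing, Port: 61286, Process: firefox.exe)
"""

def parse(text):
    """Yield one dict per IP-BLOCK line; MESSAGE and blank lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y/%m/%d %H:%M:%S %z")
            rec["port"] = int(rec["port"])
            yield rec

def summarize(text):
    """Group outgoing blocks by (process, destination IP)."""
    groups = defaultdict(lambda: {"times": [], "ports": set()})
    for r in parse(text):
        if r["type"] == "outgoing":
            g = groups[(r["proc"], r["ip"])]
            g["times"].append(r["ts"])
            g["ports"].add(r["port"])
    return dict(groups)

if __name__ == "__main__":
    ranked = sorted(summarize(SAMPLE).items(), key=lambda kv: -len(kv[1]["times"]))
    for (proc, ip), g in ranked:
        print(f"{proc:12} {ip:16} x{len(g['times']):<3} "
              f"{min(g['times']):%H:%M:%S}-{max(g['times']):%H:%M:%S} ports={sorted(g['ports'])}")
```
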
