
Malwarebytes Pro Alerts Me To An Outgoing Threat But Can't Find The Infection



Hi -

Over the past 2 or 3 days, I've been getting repeated warnings as follows:

Malwarebytes Anti-Malware

Successfully blocked access to a potentially malicious website:

50.97.214.152

50.97.218.220

Type: outgoing

The alerts are only occurring on some sites. I get them on eBay, Yahoo, C-Net and maybe a few others. Visits to most sites don't generate a warning.

Of course, there is only one IP address with each warning. The two IP addresses above have appeared more than once and I believe there are some other IP addresses that have appeared but that I haven't recorded. The two above are registered to Blue Kai, Inc. which looks like a VERY nasty place. Here's a "whois" for one of the IP addresses.

[Querying whois.arin.net]
[Redirected to rwhois.softlayer.com:4321]
[Querying rwhois.softlayer.com]
[rwhois.softlayer.com]
%rwhois V-1.5:003fff:00 rwhois.softlayer.com (by Network Solutions, Inc. V-1.5.9.5)
network:Class-Name:network
network:ID:NETBLK-SOFTLAYER.50.97.192.0/18
network:Auth-Area:50.97.192.0/18
network:Network-Name:SOFTLAYER-50.97.192.0
network:IP-Network:50.97.218.220/32
network:IP-Network-Block:50.97.218.220-50.97.218.220
network:Organization;I:Blue Kai, Inc.
network:Street-Address:20883 Stevens Creek Blvd Suite 200
network:City:Cupertino
network:State:CA
network:Postal-Code:95014
network:Country-Code:US
network:Tech-Contact;I:sysadmins@softlayer.com
network:Abuse-Contact;I:tenersen@bluekai.com
network:Admin-Contact;I:IPADM258-ARIN
network:Created:2011-09-01 15:35:23
network:Updated:2012-10-09 17:47:11
network:Updated-By:ipadmin@softlayer.com

Here's the weird part. Malwarebytes says my computer is clean. So do Avast, SpyBot, SUPERantispyware and Kaspersky TDDSKiller. How do I cure an infection I can't find short of formatting the HD? Any help will be much appreciated!

Thanks,

John


These sites are blocked, and that's why you're getting the alert. Often it's ads and other things on the site. We've contacted the ISP, Hosting Provider to get their assistance with shutting down the bad sites on the range but have not gotten it resolved yet.

Thanks for the reply. So, the fact that Malwarebytes can't find an infection is that there isn't one? I'm confused, though. I thought that the "outgoing" meant that the threat was coming from my computer.

Thanks,

John


@ Boreas

Make sure to close any instant messenger program. Close all your browsers.

Then observe your system for, say, 20 to 30 minutes.

Do you then get any Outgoing IP blocks?

Hi -

Thanks for the suggestion. I did as you asked and got no warnings.

As I mentioned in my initial post, I only seem to get them when I visit certain websites. Yahoo, eBay and C-Net are examples. I can usually provoke a warning by visiting one of these sites. As soon as the page opens the balloon will pop up. In the case of eBay, I usually (but not always) have to open the page for a listing, not just the main eBay page. Same for C-Net. The balloon will pop up while the page is still loading and often the page won't finish loading. If the page is allowed to continue trying to load, more balloons pop up.

Oh, and a correction to my initial post. The first IP address is 50.97.214.162.

Thanks,

John


I am seeing this too. The ad is trying to load a site that MB is blocking. No issue on your PC.

So, it's ads on these commercial sites that are trying to infiltrate my machine? Well, that sucks! At least Malwarebytes is stopping them!

I'm still confused about the "outgoing" indication. I'd expect that would mean something that my computer is trying to transmit and that "incoming" would refer to an outside threat.

Thanks!

John


To John,

From what you said, it was while you were at some websites that you got the "ip blocks". It is certainly likely that it was some embedded ads on those sites that caused this.

Remember that your browser is running and thus it was being told to go out to the ad-sites, grab the ads, and try to display them.

Hence the Outbound block.

What browser do you typically use to go to your favorite sites?

You need to beef up your security settings in the browsers.

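Added example, not part of any post in this thread: a sketch of why the alert reads "outgoing". It lists the hosts a browser contacts while rendering a page and flags those that resolve into a blocked range. The page, host names and DNS answers are constructed, and treating the whole 50.97.192.0/18 netblock from the whois output as blocked is an assumption.

```python
from html.parser import HTMLParser
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# Assumption: treat the SoftLayer netblock from the whois output as the blocked range.
BLOCKED_NETS = [ip_network("50.97.192.0/18")]

# Constructed page: a first-party listing that embeds third-party ad content.
PAGE_URL = "http://shop.example/listing/123"
PAGE_HTML = """
<img src="/images/item.jpg">
<script src="http://static.shop.example/app.js"></script>
<script src="http://tags.adnet.example/tag.js"></script>
<iframe src="http://ads.adnet.example/frame.html"></iframe>
"""

# Constructed DNS answers so the example runs offline (the two IPs are from the thread).
DNS = {
    "shop.example": "192.0.2.10",
    "static.shop.example": "192.0.2.11",
    "tags.adnet.example": "50.97.218.220",
    "ads.adnet.example": "50.97.214.162",
}

class ResourceHosts(HTMLParser):
    """Collect the hosts the browser connects to while loading the page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlparse(page_url).hostname
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag in ("script", "img", "iframe") else None
        if src:
            # A relative URL is fetched from the page's own host.
            host = urlparse(src).hostname or self.page_host
            if host not in self.hosts:
                self.hosts.append(host)

def outgoing_blocks(page_url, html, dns=DNS):
    """Return (host, ip) pairs whose outgoing request would hit a blocked range."""
    parser = ResourceHosts(page_url)
    parser.feed(html)
    hits = []
    for host in parser.hosts:
        ip = ip_address(dns[host])
        if any(ip in net for net in BLOCKED_NETS):
            hits.append((host, str(ip)))
    return hits
```

Only the embedded ad hosts are flagged; the site's own hosts load normally, which matches the pages opening while the balloon pops up.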

To John,

From what you said, it was while you were at some websites that you got the "ip blocks". It is certainly likely that it was some embedded ads on those sites that caused this.

Remember that your browser is running and thus it was being told to go out to the ad-sites, grab the ads, and try to display them.

Hence the Outbound block.

What browser do you typically use to go to your favorite sites?

You need to beef up your security settings in the browsers.

I'm using XP Pro and use Firefox 20.0.1 almost exclusively but I checked those problematic sites using I.E. 8.0 and the same thing happened.

Some tips on securing your browsers. http://www.cert.org/...curing_browser/

Thank you! I'll read up on this tonight.

John


Do indeed study that article.

Also, give a try with using Noscript with your Firefox browser (which you said you use most often)

https://addons.mozilla.org/en-us/firefox/addon/noscript/?src=collection&collection_id=477d8173-93f4-4b49-b902-7f4d8c250614

Then do some testing to see that reduces or does away with your main issue.


Do indeed study that article.

Also, give a try with using Noscript with your Firefox browser (which you said you use most often)

https://addons.mozil...02-7f4d8c250614

Then do some testing to see that reduces or does away with your main issue.

Thanks again. I will. I looked briefly at the Firefox instructions in your earlier link. The menus in Tools have changed for this latest release so there are some steps that I can't take there. I'll do what I can and see what happens.

John


  • Root Admin

Unfortunately we're blocking parts of Softlayer which has a large portion of networks that are used by some advertisements so until that gets cleaned up the IP blocks will continue for those. In general it should not stop access to the main sites as those are not their IPs.


Do indeed study that article.

Also, give a try with using Noscript with your Firefox browser (which you said you use most often)

https://addons.mozil...02-7f4d8c250614

Then do some testing to see that reduces or does away with your main issue.

Maurice -

I tried several of the steps in the article you referenced to no avail but the Noscript addon seems to have done the trick. Thanks for all your help!

(I'm still confused as to why this is affecting only one of my computers. My other LT and my DT are unaffected. Oh, well! I'll probably install Noscript on them as well.)

Very gratefully,

John
