
what is this "potentially malicious" site:


Greetings, first post. Okay so I clicked on a link in a Facebook post and a few minutes later my laptop starts streaming what sounds like overlapping radio stations. It looks like a svchost rootkit trojan, "2013/12/22 06:36:28 -0600  IP-BLOCK (Type: outgoing, Port: 49282, Process: svchost.exe)". MBAM is blocking the IP repeatedly as the trojan cycles through 49xxx trying to find an open port. I have run most of the non-MB anti-malware tools trying to get rid of it with no success (have not tried MBAR yet). My main question at this point is, what the heck does that IP belong to and how did it get classified as a "potentially malicious" site in MBAM (which is apparently, certainly justifiable). Also any tips or information on how to get rid of this thing short of re-imaging my laptop OS (Win 7). THX.


Hello and welcome, salsanchips:


That particular IP is somewhere in the U.K.


IP blocks can indicate a number of things:

  • They could indicate that MBAM is doing its job of blocking bad content on websites.
  • In some cases the blocks are a false positive.
  • However, they can also be a sign of infection, especially if the blocks are outgoing and they occur when no browsers are open.

--> There is more information about the IP blocking module in the Help Desk topics HERE and HERE and HERE, and in the FAQ - Section G.
They also contain instructions on how to determine what process might be trying to make the connections.


On the other hand, if you think the IP blocks might be a false positive, then please read this pinned topic before starting a new topic in the Website Blocking False Positives sub-forum.

Alternatively, if you think you might be infected, based on the IP blocks and/or other suspicious computer behavior, then please read the following for the available options to have a malware expert assist you with the scanning/cleaning process Available Assistance For Possibly Infected Computers.

>>>>Under the circumstances, this might be the safest course of action for you.

The help is free & will only cost you a bit of your time to get checked out.




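The reply above says that outgoing blocks recurring while no browser is open are the signal worth chasing, and points to instructions for working out which process is making the connections. The following Python script is an added example, not code from the thread or from Malwarebytes: it parses IP-BLOCK lines in the layout quoted in the first post and flags any process that keeps getting blocked from fresh ephemeral ports within a short window, which is the "cycling through 49xxx" pattern the original poster describes. Assumptions: the log line may carry the blocked address right after "IP-BLOCK" (the quoted line does not show one, so the parser treats it as optional), the five-minute window and the thresholds are illustrative, and every sample line after the first is constructed, using RFC 5737 documentation addresses in place of the real blocked host.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the layout of the line quoted in the first post. The destination
# address is optional because that line does not show one (assumption: real
# protection logs carry it right after "IP-BLOCK").
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4})\s+IP-BLOCK\s*"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})?\s*"
    r"\(Type: (?P<kind>\w+), Port: (?P<port>\d+), Process: (?P<proc>[^)]+)\)"
)

# First line is the one quoted in the thread; the rest are constructed, with
# RFC 5737 documentation addresses standing in for the blocked host.
SAMPLE_LOG = """\
2013/12/22 06:36:28 -0600  IP-BLOCK (Type: outgoing, Port: 49282, Process: svchost.exe)
2013/12/22 06:36:58 -0600  IP-BLOCK 203.0.113.10 (Type: outgoing, Port: 49283, Process: svchost.exe)
2013/12/22 06:37:29 -0600  IP-BLOCK 203.0.113.10 (Type: outgoing, Port: 49285, Process: svchost.exe)
2013/12/22 06:37:59 -0600  IP-BLOCK 203.0.113.10 (Type: outgoing, Port: 49288, Process: svchost.exe)
2013/12/22 06:41:02 -0600  IP-BLOCK 198.51.100.7 (Type: outgoing, Port: 52011, Process: firefox.exe)
2013/12/22 06:45:10 -0600  IP-BLOCK 198.51.100.7 (Type: incoming, Port: 445, Process: System)
"""


def parse_log(text):
    """Return one dict per IP-BLOCK line; lines in any other format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S %z"),
            "ip": m["ip"],            # None when the log line carries no address
            "kind": m["kind"],        # "outgoing" or "incoming"
            "port": int(m["port"]),   # source port for outgoing blocks
            "process": m["proc"].strip(),
        })
    return events


def find_repeat_outgoing(events, window=timedelta(minutes=5), min_blocks=3, min_ports=3):
    """Flag processes whose outgoing blocks repeat from distinct source ports.

    A process blocked again and again from a new ephemeral port is retrying a
    connection; when that happens with no browser open it deserves a closer
    look. Returns {process: summary} for the largest qualifying window per process.
    """
    by_proc = defaultdict(list)
    for ev in events:
        if ev["kind"] == "outgoing":
            by_proc[ev["process"]].append(ev)

    flagged = {}
    for proc, evs in by_proc.items():
        evs.sort(key=lambda e: e["time"])
        start, best = 0, None
        for end in range(len(evs)):
            # Slide the window so evs[start..end] all fall within `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            span = evs[start:end + 1]
            ports = {e["port"] for e in span}
            if len(span) >= min_blocks and len(ports) >= min_ports:
                if best is None or len(span) > best["blocks"]:
                    best = {
                        "blocks": len(span),
                        "distinct_ports": len(ports),
                        "destinations": sorted({e["ip"] for e in span if e["ip"]}),
                        "first": span[0]["time"].isoformat(),
                        "last": span[-1]["time"].isoformat(),
                    }
        if best:
            flagged[proc] = best
    return flagged


if __name__ == "__main__":
    for proc, info in find_repeat_outgoing(parse_log(SAMPLE_LOG)).items():
        print(f"{proc}: {info['blocks']} outgoing blocks from {info['distinct_ports']} ports "
              f"between {info['first']} and {info['last']} -> {info['destinations']}")
```

Run against the sample, only svchost.exe is reported: four outgoing blocks from four different ports in about ninety seconds, all to the same address, while the single firefox.exe block and the incoming block to System fall below the thresholds. The process name alone does not settle the question (svchost.exe hosts many legitimate services), so the summary is meant to tell you which process to investigate, not to convict it.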

Looks like MBAR took care of it. Ran it in Safe Mode and let it replace a "patched" MBR - no more streaming audio. I tried about a dozen anti-malware tools and MBAR was the only one that identified and fixed it and it did so effortlessly. I bought a license for MBAM and will keep it running to block that malicious IP if for some reason it re-appears. Good job :)


  • 1 month later...

Well, this IP is still doing bad stuff. Exactly what, I don't know. I started by downloading an electronic version of The Catcher in the Rye. Even Amazon does not have this available, so I should have known something was up.


After that I started getting warnings from MBAM. Thought I got rid of all of it but downbook.exe was sending to this IP - who knows what. It was doing it (or trying) every 30 seconds or so, getting stopped by MBAM. Went through and deleted every instance of the title of the book and downbook.exe, then emptied my recycle bin. Have heard no more from it.
