Repeat alert: Blocked access to potentially malicious website


Hi,

I just did a search and found a related post about my problem here (Jan 15, 2014):

https://forums.malwarebytes.org/index.php?showtopic=140452

That member wrote:

"Every few seconds this morning I get a message from Malwarebytes, "Successfully blocked access to a potentially malicious website: 192.168.1.255. I ran a scan, found nothing. Now what do I do about this? The endless-repeat alert is extremely distracting. Plus I assume there's some problem? Thanks for any assistance!"

I'm having the exact same issue except the website being blocked is "open-connect.su".

Otherwise I get the same pop-up as described every 10 seconds or so...and it definitely is distracting and makes me wonder if my system is otherwise compromised.

As that member did...I've run Malwarebytes and so far it isn't finding any infection or rootkit.

I hope this can be resolved as it was for this other issue by shadowwar:

"This will be fixed in about 10 mins. Will reply here when new db is up."

and then:

"The new database is uploaded. its fixed in 1.15.08"

Thanks in advance!

I've just finished a scan (including root-kits) and Malwarebytes says: No Malicious items were detected

But now I'm getting a NEW pop up over and over from Malwarebytes saying Malicious Website Blocked:

blog.fallout.archives.com

IP: 91.206.31.220

I'm no longer seeing the first warning I originally posted about.

[scratching-head]

Hi, Jephyr:

Welcome.

The IP block reported by the other user whose post you mentioned was actually something quite different and long since resolved.

IP blocks can indicate a number of things:

  • They could indicate that MBAM is doing its job of blocking bad content on websites.
  • In some cases the blocks are a false positive.
  • However, they can also be a sign of infection, especially if the blocks are outgoing and they occur when no browsers are open.

--> There is more information about the IP blocking module in the Help Desk topics HERE and HERE and HERE, and in the FAQ - Section G.
They also contain instructions on how to determine what process might be trying to make the connections.
You may also research the IP in question at www.ip-lookup.net or a similar site.

On the other hand, if you think the IP blocks might be a false positive, then please read this pinned topic before starting a new topic in the Website Blocking False Positives sub-forum.

Alternatively, if you think you might be infected, based on the IP blocks and/or other suspicious computer behavior, then please read the following for the available options to have a malware expert assist you with the cleaning process: Available Assistance For Possibly Infected Computers.

>>>Under the circumstances, since you are getting many of these IP blocks now (with the last one being located in the Ukraine), this would probably be the safest course of action for you.

Thanks,

daledoc1

Hello daledoc1:

Thanks for the reply.

To clarify:

The other forum post I quoted from describes exactly the issue I'm having only with other outbound addresses...and I mentioned it here simply for reference.

I'm aware shadowwar resolved that issue then...and that it was taken care of back in January...both things I mentioned in my original post above.

---------------------

The blocks are happening only with outgoing addresses and whether or not I have an explorer window open.

They are happening every 7 to 15 seconds or so...over and over and over.

So this is not an issue of MBAM just doing its job or from using certain sites...Skype or P2P etc.

Using the IP lookup you shared the second address is in the Ukraine...the other is in Luxembourg...no other info is given but neither should have outgoing access from my PC.

This is the only issue I seem to be having with my PC...and as I posted just before you...I've run Malwarebytes several times and included root-kits...but no malicious infections are found.

I'll run Hitman Pro...and see what it finds.

I don't imagine these are false positives because I don't need to be surfing when they occur and they happen over and over.

Anyway...I may check the Available Assistance For Possibly Infected Computers link you provided...but I thought I'd clarify what is happening on my computer so there is less confusion about it.

Thanks again for your help.

Hi:

Understood.

However, again, the problem you referenced in January was really not the same thing, despite a similar, non-specific popup message about a blocked IP.

In any event... :)

Under the circumstances, the best bet is probably to have one of the malware experts assist you with looking into your issue.

Lots of outgoing IP blocks to foreign IPs, especially with no browsers open, can be indicative of infection.

The tools and scanners necessary to fully investigate cannot be run in this particular section of the forum.

That's why I suggested that you may want to follow the advice here: Available Assistance for Possibly Infected Computers.

It's entirely up to you, of course. :)

Cheers,

daledoc1

I seem to be having a similar issue to Jephyr. Malwarebytes scans reveal no infection - all clean. I am, however, getting frequent popups concerning outbound attempts by explorer.exe [despite no open browser of any kind] to 192.168.19.84 and a range of DNS such as report-search.com, diseases-search.com, country-search.com. The site "shouldIblockit" has an entry for the IP address but most virus software report no issue with the site.

I'm loath to turn notifications off as I might miss something else. I don't know whether to ignore this or not. Any suggestions?

Hi, @pauken:
 
Notification of an IP block is a generic, non-specific message, so it's not really "the same" for you and for the OP. ;)

Here's why:

IP blocks can indicate a number of things:

  • They could indicate that MBAM is doing its job of blocking bad content on websites.
  • In some cases the blocks are a false positive.
  • However, they can also be a sign of infection, especially if the blocks are outgoing and they occur when no browsers are open.

--> There is more information about the IP blocking module in the Help Desk topics HERE and HERE and HERE, and in the FAQ - Section G.
They also contain instructions on how to determine what process might be trying to make the connections.
You may also research the IP in question at www.ip-lookup.net or a similar site.

On the other hand, if you think the IP blocks might be a false positive, then please read this pinned topic before starting a new topic in the Website Blocking False Positives sub-forum.

>>Alternatively, if you think you might be infected, based on the IP blocks and/or other suspicious computer behavior, then please read the following for the available options to have a malware expert assist you with the cleaning process Available Assistance For Possibly Infected Computers.

>>If you are seeing a lot of outgoing blocks, especially to foreign IPs and especially when no browsers are open, then this is probably the safest course of action.

Thanks,

daledoc1
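
The rule of thumb repeated in this thread (many outgoing blocks, attributed to something other than a browser, recurring every few seconds) can be written down as a small triage check. This is an added example, not part of any post here and not Malwarebytes code; the pipe-separated event format, timestamps, browser list, thresholds, `updater.exe`, `ads.example` and `cdn.example` are assumptions, while the explorer.exe destinations are the ones reported above.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Assumption: process names treated as browsers for this sketch.
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe"}

# Constructed sample, hypothetical "time|direction|process|destination" format
# (not a Malwarebytes log); only the explorer.exe destinations come from the thread.
SAMPLE = """\
2014-04-25 21:10:02|OUT|explorer.exe|report-search.com
2014-04-25 21:10:11|OUT|explorer.exe|diseases-search.com
2014-04-25 21:10:24|OUT|explorer.exe|country-search.com
2014-04-25 21:10:33|OUT|explorer.exe|report-search.com
2014-04-25 21:10:45|OUT|explorer.exe|diseases-search.com
2014-04-25 21:12:10|OUT|firefox.exe|ads.example
2014-04-25 21:40:00|IN|svchost.exe|203.0.113.7
2014-04-25 21:55:00|OUT|updater.exe|cdn.example
"""

def parse(text):
    """Return (timestamp, direction, process, destination); skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
        events.append((ts, parts[1].upper(), parts[2].lower(), parts[3].lower()))
    return events

def triage(events, min_hits=4, max_mean_gap=30.0):
    """Group outbound blocks by process and apply the thread's rule of thumb."""
    by_proc = defaultdict(list)
    for ts, direction, proc, _dest in events:
        if direction == "OUT":  # inbound blocks are outside this rule
            by_proc[proc].append(ts)
    findings = {}
    for proc, times in by_proc.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = mean(gaps) if gaps else None
        repeating = len(times) >= min_hits and mean_gap is not None and mean_gap <= max_mean_gap
        if proc in BROWSERS:
            verdict = "review"  # blocked web content or a possible false positive
        else:
            # repeated outbound blocks with no browser involved: get expert help
            verdict = "escalate" if repeating else "watch"
        findings[proc] = {"verdict": verdict, "hits": len(times), "mean_gap": mean_gap}
    return findings
```

A verdict of "escalate" corresponds to the case where the thread's advice is to ask for assisted cleaning rather than to file a false-positive report.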


Malwarebytes:

I'd never had this problem with endless "out-going" pop-up blocks with Malwarebytes Premium until your auto-update to 2.0.1.1004 a few weeks ago.

Since then I've had this issue twice...about a week apart...both times it was in fact infections that were removed by other anti-virus/malware software.

This is despite religiously updating Malwarebytes, having malicious website protection enabled, and running daily scans with it.

(and BTW...I'm not using my computer differently than I have for a long time now)

-----------------------

To clean my infected system I've had to rely on Hitman Pro on 2 different times to fix the issue with "out-going" pop-ups and to remove trojans...and MS Security Essentials just found a trojan after a scan.

I realize new ways to compromise our systems are constantly being devised...but it really seems something is "different" with your ability to protect my system.

I've never had this many infections in such a short period of time...all while repeated scans of my system with Malwarebytes Premium find none.

-------------------------------

Anyway...thought someone on your team (if there's anyone who checks on this forum) might appreciate this kind of feedback.

Hi, Jephyr:

I'm sure the staff will read your feedback with great interest.

Thanks for taking the time to provide it. :)

I am just a home user and forum volunteer, so I probably cannot address your specific concerns with sufficient expertise or authority.

However, you might find valuable explanations and information in this pinned topic: The complexity of finding, preventing, and cleanup from malware

Thanks,

daledoc1

A big thank you to Jephyr for the mention of Hitman Pro [which I'd not heard of]. It recognised rootkit.boot.cidox.b and removed it. After a reboot my Network traffic, TCP lists and Malwarebytes notification panels all went quiet. I'm aware that this particular threat has been written up as having many versions and wreaking various types of havoc so it may not be all over yet...some manual cleaning still to do perhaps. I feel a lot more confident of eventual success however. Thanks for posting and thanks to Malwarebytes for providing the Forum.


Thanks Ron, you will find my logs at https://forums.malwarebytes.org/index.php?showtopic=147183&hl= since I was advised to start a new thread. You might like to see my other post at https://forums.malwarebytes.org/index.php?showtopic=147701&hl= 

Both these relate to conditions prior to the rootkit being removed. I am not disparaging of the Malwarebytes product - it just appears that in my particular configuration the rootkit was not found by Malwarebytes. I guess the goalposts are always being shifted...


  • Root Admin

@Pauken
 
The log shows that MBAM was not fully functioning properly and I requested to have you post in the removal section of the forum so we could run some other scans and see what's going on.  You said you'd think about it and never did post there.  So my guess is that you either needed to reinstall the program or something was potentially blocking our program at the time.
 
In either case we'd need other logs to determine what is or was going on which in this case if the infection is now gone all we can do is review your system again to ensure if the program is working correctly or not.
 
I would start off by doing the following.

Thank You
