Malicious Website Outbound Filename?


Hi,

 

I've been getting the messages below. I take it there is some piece of installed malware, but scans are clean.

 

What is the meaning of the filename at the end of the detection entry?  Are these files corrupted in some way?

 

Thanks.

 

 

Detection, 4/29/2015 1:56:10 PM, SYSTEM, MYPC, Protection, Malicious Website Protection, IP, 184.173.133.194, ccbidder.tlvmedia.com, 53613, Outbound, C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe,

Detection, 4/29/2015 1:56:10 PM, SYSTEM, MYPC, Protection, Malicious Website Protection, IP, 184.173.133.194, ccbidder.tlvmedia.com, 53613, Outbound, C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe,

Detection, 4/29/2015 1:56:10 PM, SYSTEM, MYPC, Protection, Malicious Website Protection, IP, 184.173.133.194, ccbidder.tlvmedia.com, 53615, Outbound, C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe,

Detection, 4/29/2015 1:56:13 PM, SYSTEM, MYPC, Protection, Malicious Website Protection, IP, 184.173.133.194, ccbidder.tlvmedia.com, 53699, Outbound, C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe,

 

Detection, 4/29/2015 8:08:49 PM, SYSTEM, MYPC, Protection, Malicious Website Protection, IP, 184.173.133.194, ccbidder.tlvmedia.com, 50884, Outbound, C:\Program Files (x86)\Mozilla Firefox\firefox.exe,

Detection, 4/29/2015 8:08:49 PM, SYSTEM, MYPC, Protection, Malicious Website Protection, IP, 184.173.133.194, ccbidder.tlvmedia.com, 50884, Outbound, C:\Program Files (x86)\Mozilla Firefox\firefox.exe,

Detection, 4/29/2015 8:08:49 PM, SYSTEM, MYPC, Protection, Malicious Website Protection, IP, 184.173.133.194, ccbidder.tlvmedia.com, 50885, Outbound, C:\Program Files (x86)\Mozilla Firefox\firefox.exe,

Detection, 4/29/2015 8:08:49 PM, SYSTEM, MYPC, Protection, Malicious Website Protection, IP, 184.173.133.194, ccbidder.tlvmedia.com, 50892, Outbound, C:\Program Files (x86)\Mozilla Firefox\firefox.exe,

 


Hello DevineWind and welcome!

The reports indicate the computer is very likely infected and malware removal actions are not permitted in this sub-forum.

I recommend following the advice from the topic: Available Assistance for Possibly Infected Computers and have one of the Malware Removal Experts assist you with your issue.

If, as recommended, you do open a topic in Malware Removal Help, please make reference to this thread.

If you would like to get off to a very fast start, the Malware Removal Experts would appreciate it if you would also Copy and Paste (not attach) both the FRST.txt and the Addition.txt output diagnostic reports from only Log Set 1 into your new topic. Please do not tick, nor untick, any FRST categories as they are pre-configured by Farbar.

Thank you. :)


How reliable is this identification?  Because it suggests that the problem is coming from my Trend Micro Antivirus software.  This problem has never been noticed before, and it appears to have spontaneously stopped.  The next identification -- in a short period of time -- was that the problem was coming from Mozilla Firefox.  Again, this never happened before, and appears to have spontaneously stopped.  A check of the last date of modification of the Trend Micro file that is identified shows that it has not been modified in two years.  This makes it seem very unlikely to be the culprit . . .


Some AVs filter/scan network traffic to look for infection.

So, it appears from the log that the AV is responsible for the block.

However, that is not actually the case.

It just appears to Windows that it is the AV responsible for the block.

 

The logs suggest that the computer is very likely infected and malware removal is not permitted in this sub-forum.

As previously suggested, we would recommend following the advice from the topic: Available Assistance for Possibly Infected Computers.

The pinned topic explains the options for free, expert malware removal help >>AND<< the preliminary steps to expedite the process.

A malware helper will guide you through scanning, cleanup and repair.

 

Thanks,


I do appreciate the responsiveness of the forum, but I don't think my question has been answered yet.

 

I am not looking for help in removing malware. I appreciate the suggestion of where I could go to get such help, and I understand that this is not the place to get such help.

 

I understand that the output that I see on my screen is a result of how mbam works. Indeed, I began by describing how it works. I would like to understand better *why* those files were identified by mbam. A technical answer would be welcome.

 

Thanks.


Hello DevineWind:

 

It is not the files you should be concerned about at this point.  It is the fact that other, yet to be identified, software (malware) is trying to communicate with a known malicious entity.  MBAM2's Malicious Website Protection module is doing its job by blocking that attempt.  The Trend Micro AV and Mozilla Firefox browser are most probably the conduits and no more.

 

This is why we are urging you to seek immediate remediation assistance and it is most likely that the remediation process will bring you greater clarity.

 

I hope this has helped.


I am not asking how to remove malware. I am asking a question about how MBAM works and what the meaning of its output is. That is a perfectly reasonable question to ask about a piece of software one is running.

 

I have now asked the same question FIVE TIMES.

 

I was looking for someone who could give me a technical answer. If you are not that person, then perhaps this was not your post to answer. Repeatedly. With instructions to me to go ask a completely different question, somewhere else.

 

I give up.


I was looking for someone who could give me a technical answer. If you are not that person, then perhaps this was not your post to answer. Repeatedly. With instructions to me to go ask a completely different question, somewhere else.

 

 

Those answers can ONLY be discussed in that forum where logs can be run and they can give the appropriate answers. The staff who can help you can ONLY assist in that forum.


  • Root Admin

I don't use Trend Micro but my guess is that it too has a web blocker that appears to also be blocking or at least monitoring that IP and website.

We see them looking at it and it appears we're trying to block both Trend AV and Firefox from accessing that remote site on those ports.

This is certainly an indicator that you probably have some type of unwanted program or setting on the computer. If you wish for further assistance then please follow the advice given already.

I would suggest following the advice from the topic here Available Assistance for Possibly Infected Computers and having one of the Experts assist you with looking into your issue.

Thank you

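As an added example (not part of the original thread and not Malwarebytes' own code), the Python below parses detection lines laid out like the ones quoted at the top of this thread and groups them by the process path in the last field. It reads that field the way the reply above does: as the program whose outbound connection was blocked, not as a file that is itself flagged or corrupted. The sample log, including the non-detection "Update" line used to show the filter, is constructed; the field names in FIELDS are an assumption about the column layout, since the thread gives no header line.

```python
import csv
from collections import defaultdict

# Constructed sample input in the same comma-separated layout as the
# Malicious Website Protection entries quoted in this thread. The final
# "Update" line is constructed noise to show that non-detection records
# are skipped.
SAMPLE_LOG = r"""
Detection, 4/29/2015 1:56:10 PM, SYSTEM, MYPC, Protection, Malicious Website Protection, IP, 184.173.133.194, ccbidder.tlvmedia.com, 53613, Outbound, C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe,
Detection, 4/29/2015 1:56:10 PM, SYSTEM, MYPC, Protection, Malicious Website Protection, IP, 184.173.133.194, ccbidder.tlvmedia.com, 53613, Outbound, C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe,
Detection, 4/29/2015 1:56:10 PM, SYSTEM, MYPC, Protection, Malicious Website Protection, IP, 184.173.133.194, ccbidder.tlvmedia.com, 53615, Outbound, C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe,
Detection, 4/29/2015 1:56:13 PM, SYSTEM, MYPC, Protection, Malicious Website Protection, IP, 184.173.133.194, ccbidder.tlvmedia.com, 53699, Outbound, C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe,
Detection, 4/29/2015 8:08:49 PM, SYSTEM, MYPC, Protection, Malicious Website Protection, IP, 184.173.133.194, ccbidder.tlvmedia.com, 50884, Outbound, C:\Program Files (x86)\Mozilla Firefox\firefox.exe,
Detection, 4/29/2015 8:08:49 PM, SYSTEM, MYPC, Protection, Malicious Website Protection, IP, 184.173.133.194, ccbidder.tlvmedia.com, 50884, Outbound, C:\Program Files (x86)\Mozilla Firefox\firefox.exe,
Detection, 4/29/2015 8:08:49 PM, SYSTEM, MYPC, Protection, Malicious Website Protection, IP, 184.173.133.194, ccbidder.tlvmedia.com, 50885, Outbound, C:\Program Files (x86)\Mozilla Firefox\firefox.exe,
Detection, 4/29/2015 8:08:49 PM, SYSTEM, MYPC, Protection, Malicious Website Protection, IP, 184.173.133.194, ccbidder.tlvmedia.com, 50892, Outbound, C:\Program Files (x86)\Mozilla Firefox\firefox.exe,
Update, 4/29/2015 1:00:00 PM, SYSTEM, MYPC, Manual, Malware Database, 2015.4.29.1, 2015.4.29.2,
"""

# Assumed column names for the layout seen in the thread (no header is
# given there). The trailing comma on each line yields an empty 13th field
# that is ignored.
FIELDS = ["record", "timestamp", "user", "host", "group", "module",
          "addr_type", "ip", "hostname", "port", "direction", "process"]


def parse_detections(text):
    """Return one dict per Malicious Website Protection detection line.

    Other record types (updates, scan summaries) and malformed rows are
    skipped rather than guessed at.
    """
    records = []
    for row in csv.reader(text.splitlines(), skipinitialspace=True):
        if not row or row[0].strip() != "Detection":
            continue
        row = [f.strip() for f in row]
        if len(row) < len(FIELDS) or row[5] != "Malicious Website Protection":
            continue
        rec = dict(zip(FIELDS, row[:len(FIELDS)]))
        rec["port"] = int(rec["port"])
        records.append(rec)
    return records


def summarize_by_process(records):
    """Group outbound blocks by the process image in the last field.

    'attempts' counts raw log lines; 'unique' collapses the duplicated
    lines (same timestamp and port) that the log writes for one event.
    """
    acc = defaultdict(lambda: {"attempts": 0, "unique": set(),
                               "destinations": set(), "ports": set()})
    for r in records:
        if r["direction"] != "Outbound":
            continue
        s = acc[r["process"]]
        s["attempts"] += 1
        s["unique"].add((r["timestamp"], r["port"]))
        s["destinations"].add((r["hostname"], r["ip"]))
        s["ports"].add(r["port"])
    return {
        proc: {"attempts": s["attempts"], "unique": len(s["unique"]),
               "destinations": sorted(s["destinations"]),
               "ports": sorted(s["ports"])}
        for proc, s in acc.items()
    }


def processes_contacting(records, hostname):
    """Sorted list of distinct process paths that tried to reach hostname.

    More than one entry here means the shared factor is the destination,
    not any single program on the machine.
    """
    return sorted({r["process"] for r in records if r["hostname"] == hostname})


if __name__ == "__main__":
    recs = parse_detections(SAMPLE_LOG)
    for proc, info in summarize_by_process(recs).items():
        print(f"{proc}\n  attempts={info['attempts']} unique={info['unique']} "
              f"ports={info['ports']} destinations={info['destinations']}")
    print("reached ccbidder.tlvmedia.com:",
          processes_contacting(recs, "ccbidder.tlvmedia.com"))
```

Run against an exported MBAM protection log, the per-process summary answers the question asked at the top of the thread: the path is the program that opened the socket, and when two unrelated programs show up for the same destination the destination is the common element worth chasing.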

I have the same situation - ccbidder.tlvmedia blocked - an outbound [from my laptop] attempt to connect with the identified 'malicious' website.  I think, for purposes of the current discussion in this forum [as opposed to the 'help in removal of malicious software' forum], the question is...

 

  • Why would Malwarebytes software identify the evidently malicious software on my laptop, blocking the malicious software's attempt to connect with its host website, and then simply leave it at that instead of quarantining the threat? 
  • That is, it's a question of programming viability and effectiveness of the premium software we paid for to protect our computers. 
  • Malwarebytes Anti-Malware and its cousin Anti-Exploit are supposed to not only identify and block threats but remove them. That's why I paid for the premium package.  If the attempt of some malicious software [apparently hidden in the files on my laptop] to contact a known malicious website is identified and blocked, what possible reason is there for Malwarebytes to NOT deal with the source of the threat - the malicious software on my laptop - and eliminate it?

 

This question isn't about asking someone in this forum to actually help me remove the malicious software, so please don't direct me to the other forum - I'll go there next to get help with that.  This question IS about the integrity of the Malwarebytes anti-malware/anti-exploit software in performing its intended function - and in this instance, apparently failing in that function.  This forum is the appropriate place for this subject, isn't it?

 

Thanks.

 

KAW


  • Root Admin

Hi Kaw

 

Yes this forum can help you but since the threat is not being removed automatically I would suggest following the advice from the topic here Available Assistance for Possibly Infected Computers and having one of the Experts assist you with looking into your issue.
 

 

Thank you


Well I have the exact same outgoing threat, 184.173.133.194, ccbidder.tlvmedia.com. I went through the process in the other forum with the experts. I was told......

 

"This is something MalwareBytes can't do anything about. MalwareBytes is doing its work by blocking this connection and it cannot harm you."

 

This threat is obviously trying to steal my FTP credentials as it only tries to phone home when I open up a site profile (where ftp info is stored) in Dreamweaver.

 

I thought removing this kind of stuff was exactly the goal of Malwarebytes. Very disappointed in the outcome here.


Hi, bobby131313:

 

I'm quite sorry -- it appears that your malware helper may have inadvertently lost track of your post in the malware removal section >>HERE<<. :(

 

As far as the detection and removal of any particular malware type or variant, the complexities of that are discussed here:

The complexity of finding, preventing, and cleanup from malware

Bottom line: no one single security application can detect, prevent and remove 100% of all possible malware variants.

 

As far as your malware removal topic, I suggest that you might want to send a PM to your helper >>HERE<< requesting further assistance.

 

If you run into further snags, please post back here and we will notify the forum staff.

 

Thanks for your patience.


Hi:

Yes please, I would like to try and get this removed.

 

I have requested that our forum staff review your posts for further help.

Please try to be patient, as it is the weekend.

 

Someone will assist you as soon as possible.

 

In order to reduce clutter and confusion here, in this thread, for the topic starter, I expect that the staff will most likely help you in your own topic over in the malware removal section >>HERE<<.

 

In the interim, you might find helpful information in that pinned topic I mentioned earlier:

The complexity of finding, preventing, and cleanup from malware

 

Thank you,

 


Pardon me, folks, but...

 

Taking this issue to personal messages and personal topics on other forums to address individually is counter to effectively addressing the particular question raised in this forum theme:

 

  • Malwarebytes DOES identify a threat, viz., an outbound attempt to connect with the malicious website ccbidder.tlvmedia.com - with there being a logical inference that there is malicious software actively operating within the files of our computers. 
  • While I understand that not all threats are being identified by Malwarebytes (or any other anti-malware software), and hence is being handled as identified threats should be, it seems to me that if Malwarebytes does identify evidence that there is malicious software acting on a patron's computer, and does address a 'symptom' of the contagion, Malwarebytes would pursue a course of finding and eliminating the source of the threat.  This is not being done.

I have to ask, then... why not? 

 

One symptom of active malicious software should be enough to get the ball rolling to seek out its source to address the threat.  In fact, there should be no assumption made that the evident malicious software is capable of producing only the single threat identified by Malwarebytes (i.e., attempt to access the malicious website ccbidder.tlvmedia.com).  Identifying this 'symptom' of an infection must be sufficient reason to find and eliminate the source of the infection - I mean, how many other malicious actions might this evident malicious software be taking that have not been identified by Malwarebytes?

 

It seems irresponsible to me for a Malwarebytes helper to conclude that the Malwarebytes anti-malware software is adequately performing its function by blocking access to a computer's attempted outbound connection with a known malicious website without taking further actions against the source of the threat hidden within the files of the computer.

 

While I understand that Malwarebytes may not yet be programmed to do so - after all, no anti-malware product has everything covered - I must take umbrage with an attitude on the part of Malwarebytes principals that they have no company obligation to revise the products' software to positively address this logical omission in patrons' effective anti-malware coverage. I suspect that there are more than a few patrons of Malwarebytes products whose computers are infected with this malicious software - patrons who have just not weighed in on this forum (meaning that this is a more general software issue and is not the result of a few individuals' computer peculiarities).  To treat this issue as isolated instances requiring individual patrons of Malwarebytes products to seek help in solving their dilemma is... um... unwarranted...?

 

With all due respect, I request that you (Malwarebytes representatives) respond to this line of reasoning in this forum. 

 

Thank you.

 

KAW


p.s.  I'm currently reading the novels in Neal Stephenson's Baroque Cycle, and have been influenced by the author's style in presenting characters' speech and - especially - correspondence.  This accounts for the writing style in composition of my immediately prior post (although it does not account for the several typos in the text - those are mine alone, and may not be attributed to any others' influence). 

 

:)

 

Yours etc

 

KAW

