
MBAM detected an Outbound connection to a malicious IP when using a game installer.



I downloaded the game 'War Thunder' from the game's site and ran the installer. While the installer is connecting I get a popup from Malwarebytes saying there is an outbound connection to a malicious IP address; I won't post it publicly, but if you want it I can PM it to you. Obviously this is a little freaky, so I shut down the installer and ran a quick scan with MBAM, which found nothing. I then ran RKill, which didn't really find anything, and ran another MBAM scan, which came up clean. I also discovered an IP in the "Web Exclusions" tab which I didn't add (it wasn't the one which came up in the popup), and removed it. I also deleted a file in quarantine (nothing serious, it was a PUP) which had been there for a few days. I'm thinking it was a false positive, but you've got to be careful these days, no?

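A check the original poster did not run, added here as an example and not part of the thread: while the installer is still sitting at the alert, ask Windows which process owns the connection to the flagged address, what its parent is, and whether that executable carries a valid Authenticode signature. That tells you whether the connection came from the installer itself or from something else on the box. The address 203.0.113.10 is a documentation-range placeholder, not the IP from the report, and the function name is mine.

```powershell
# Added example, not from the thread. Identify which local process owns a TCP
# connection to the address MBAM flagged, and whether that binary is signed.
# Needs Windows 8 / Server 2012 or later (NetTCPIP module). Run while the
# connection is still open, e.g. with the installer paused at the alert.
function Get-ConnectionOwner {
    param(
        # The IP from the MBAM popup. 203.0.113.10 below is an RFC 5737
        # placeholder, not the address from the original report.
        [Parameter(Mandatory)][string]$RemoteAddress
    )

    $conns = Get-NetTCPConnection -RemoteAddress $RemoteAddress -ErrorAction SilentlyContinue
    if (-not $conns) {
        Write-Warning "No TCP connection to $RemoteAddress right now; re-run while the installer is talking to it."
        return
    }

    foreach ($c in $conns) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $path = $proc.Path   # empty for System (PID 4) and protected processes
        $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }
        $parent = (Get-CimInstance Win32_Process -Filter "ProcessId = $($c.OwningProcess)" -ErrorAction SilentlyContinue).ParentProcessId

        [pscustomobject]@{
            RemotePort = $c.RemotePort
            State      = $c.State
            PID        = $c.OwningProcess
            Process    = $proc.ProcessName
            Path       = $path
            Signature  = $sig      # 'Valid' for a properly signed installer; 'NotSigned' or 'HashMismatch' is worth a closer look
            ParentPID  = $parent   # a game installer spawned by explorer.exe is expected; one spawned by a browser helper is not
        }
    }
}

# Example call with the placeholder address; substitute the IP from the alert.
Get-ConnectionOwner -RemoteAddress '203.0.113.10' | Format-List
```

If the owning process is the installer you launched, the alert is most likely a reputation-based block of one of the download mirrors and the question becomes whether the installer itself is signed by the publisher; if the owner is a different, unsigned process, stop there and post the path in the thread rather than deleting it.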

Hello and welcome.
If you've not already done so please start here and post back the 2 log files FRST.txt and Addition.txt.

P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Before we proceed further, please read all of the following instructions carefully.
If there is anything that you do not understand kindly ask before proceeding.
If needed please print out these instructions.

  • Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text.
  • If the log is too large then you can use attachments by clicking on the More Reply Options button.
  • Please enable your system to show hidden files: How to see hidden files in Windows
  • Make sure you're subscribed to this topic:
    • Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly
  • Removing malware can be unpredictable. It is unlikely, but things can go very wrong! Please make sure you back up all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive.
  • Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you.
  • The removal of malware is not instantaneous, please be patient. Often we are also on a different Time Zone.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue.
  • When we are done, I'll give you instructions on how to cleanup all the tools and logs
  • Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.
  • Your topic will be closed if you haven't replied within 3 days
  • (If I have not responded within 24 hours, please send me a Private Message as a reminder)

My computer is having trouble finding FRST.txt and Addition.txt; come to think of it, I may have removed them for some unknown reason when I downloaded MBAM. Should I try a reinstall of Malwarebytes? Are there any other files you can look at?

 

I've purged some files that were in quarantine and the problems seem to have subsided. I've deleted the possibly infected files and have ceased to get the IP popup, and RKill hasn't picked up on any malware processes, BUT it says that Windows Defender is disabled. How do you re-enable it?


The FRST log files will be in the same place as the FRST.exe (or FRST64.exe) scanner. The log files are also located in the C:\FRST\Logs directory. The logs will tell me why Windows Defender is disabled and whether it is proper to reactivate it.

If you cannot find the logs, then run a fresh scan with FRST again and post those logs.

Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure whether your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Make sure the Addition.txt option is checked in the Optional Scan section.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Yes, sorry, I was out of town for the weekend. I should mention that I had already deleted and uninstalled all uTorrent files a few weeks ago, but they still appeared in the log. It is also interesting that many programs/games that were deleted or nonexistent showed up as well (all of the Sims 2 files were deleted about a year ago). I can give you a list of them if you really want, but here are the files you requested.

 

Attachments: FRST.txt, Addition.txt


If your MBAM and Webroot Secure Anywhere scans are coming up clean and the FRST logs you provided are fine, then unless you need anything else, I would say you are good to go.

 

I'll leave this open for a day or so for you to reply with any new information, if there is any. Thanks.


Thank you for helping me out.

 

A few thoughts though: I didn't add any web exclusions to MBAM, but when I looked there was an IP address in there. I removed it and haven't had any problems; it's just strange.

 

The second one is: how do I re-enable Windows Defender? Again, not having many problems, but it'd provide peace of mind.


Windows Defender has been disabled by Webroot Secure Anywhere (which will do the job of both AntiVirus and AntiSpyware).  If you have the Complete version of Webroot, it also monitors your firewall.
 

Clean up of Malware Removal Tools
Now that we are through using these tools, let's clean them off your system so that should you ever need to have malware removed again (we hope not) fresh, updated copies will be downloaded.

  • Download Delfix from here to your desktop and double click it to start the program
  • Ensure Remove disinfection tools is ticked
    Also tick:
  • Activate UAC
  • Create registry backup
  • Purge system restore
  • Reset system settings
    (screenshot: the DelFix window with all of the above options ticked)
  • Click Run
  • The program will run for a few moments and then notepad will open with a log. Please paste the log in your next reply.

You can delete any log files left on your desktop as these are no longer needed.

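The explanation above (Defender switched off because another antivirus product registered with Windows) is something you can confirm yourself rather than take on trust. The following is an added example, not code from the thread or from Malwarebytes: it lists the antivirus products Windows Security Center knows about, decodes whether each reports real-time protection as on, and reads Defender's own service and engine state. The function names are mine; the productState decoding is the commonly used community interpretation of an undocumented field, so treat the Enabled column as indicative.

```powershell
# Added example, not from the thread. Show which antivirus products Windows has
# registered and whether Defender is actually running. Run from an elevated
# PowerShell on a client edition of Windows (the root/SecurityCenter2 namespace
# does not exist on Server SKUs).
function Get-AvRegistration {
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
        ForEach-Object {
            # productState is not officially documented; the widely used decoding
            # treats bit 0x1000 as "real-time protection on". This is an assumption.
            $state = [int]$_.productState
            [pscustomobject]@{
                Product = $_.displayName
                Enabled = (($state -band 0x1000) -ne 0)
                Exe     = $_.pathToSignedProductExe
            }
        }
}

function Get-DefenderState {
    # WinDefend is the Defender service; Get-MpComputerStatus is Defender's own
    # status cmdlet and may be absent or error out when Defender is fully disabled.
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $mp  = $null
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{
        ServiceStatus      = if ($svc) { $svc.Status } else { 'not present' }
        AntivirusEnabled   = $mp.AntivirusEnabled
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        AMServiceEnabled   = $mp.AMServiceEnabled
    }
}

Write-Host 'Registered antivirus products:'
Get-AvRegistration | Format-Table -AutoSize
Write-Host 'Windows Defender:'
Get-DefenderState | Format-List
```

The expected picture on a machine like the one in this thread is a third-party product (here Webroot) listed with Enabled set to True and Defender showing AntivirusEnabled False, which is Defender's normal passive state when another product owns real-time protection and is exactly what RKill reported. If instead no third-party product is registered and Defender is still off, that is worth raising in the thread rather than re-enabling blindly, since the FRST logs are what show whether something else turned it off.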

Root Admin, 3 weeks later:

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
