
Outgoing connection blocked



Hello,

I'm not sure yet if this is anything to be concerned about. I've tried to write a full explanation, but I've put my main questions in bullets near the bottom.

I'm running Windows 10, and I am very careful about what goes onto this machine, and what websites I visit. I'm running both Panda antivirus and Malwarebytes.

Last night I shut down my machine. This morning I started it up again, and initiated Firefox. Firefox opened to the Google home page, and right away, I pressed CTRL+T to open up a new tab. I'm not sure exactly the timing here, but as I was opening up the two websites I normally start off running (Trello and LastPass, both reputable), a green message popped up, stating that an outgoing connection was blocked.

Unfortunately, I closed down Firefox right away, without doing any further forensics. The reason why I say it is unfortunate is I'm not sure what other pages were loading at the time (for example, sometimes Firefox loads pages that you had open when you shut it down last time, if the shutdown wasn't perfect). Afterwards, I did check Firefox's history but didn't find any visits to any unexpected sites.

I should note that while I was loading up my pages, Firefox itself was still loading (i.e., still in its "slow" stage). Also, I was opening up new tabs at the time, an action which previews a number of websites in the new tab (I'm not sure if it actually tries to contact them).

I immediately checked the Malwarebytes logs, and found the related entry, which I've pasted below. There were actually three very similar entries (including this one) all with the same timestamp, to the minute.

I then ran a full scan using both Panda and Malwarebytes, neither of which found any threats. I've also restarted the computer multiple times, and haven't been able to replicate the issue.

I suppose the questions I have are:

  • I know that the site that was blocked was not a false positive. I'm primarily concerned about why my computer tried to connect to it.
  • Given the story I outlined above, is there any serious risk that I am infected with something? or
  • is it possible, or more likely that this was some artifact of my restarting, or Firefox previewing a site?
  • I'm not sure at all how common it is for occasional random outgoing connections to get blocked while surfing the web. It hasn't really happened to me.

 

{
   "applicationVersion" : "3.0.6.1469",
   "clientID" : "",
   "clientType" : "other",
   "componentsUpdatePackageVersion" : "1.0.75",
   "cpu" : "x64",
   "dbSDKUpdatePackageVersion" : "1.0.1635",
   "detectionDateTime" : "2017-03-31T17:16:10Z",
   "fileSystem" : "NTFS",
   "id" : "[removed]",
   "isUserAdmin" : true,
   "licenseState" : "licensed",
   "linkagePhaseComplete" : false,
   "loggedOnUserName" : "System",
   "machineID" : "",
   "os" : "Windows 10",
   "schemaVersion" : 2,
   "sourceDetails" : {
      "type" : "mwac"
   },
   "threats" : [
      {
         "linkedTraces" : [

         ],
         "mainTrace" : {
            "cleanAction" : "block",
            "cleanResult" : "successful",
            "cleanResultErrorCode" : 0,
            "cleanTime" : "",
            "generatedByPostCleanupAction" : false,
            "id" : "bc78a64b-1635-11e7-95f3-346895ee6e38",
            "linkType" : "none",
            "objectMD5" : "",
            "objectPath" : "",
            "objectSha256" : "",
            "objectType" : "website",
            "websiteData" : {
               "ip" : "104.28.16.78",
               "isInbound" : false,
               "port" : 50878,
               "processPath" : "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe",
               "url" : "winwiki.org"
            }
         },
         "ruleID" : -1,
         "rulesVersion" : "0.0.0",
         "threatID" : -1,
         "threatName" : ""
      }
   ],
   "threatsDetected" : 1
}

 


Just as a further update, today something very similar happened. On booting up the computer and loading up Firefox, the green messages popped up.

There were two of them, and the log entries were very similar to the one I posted above, except there were four of them:

Two connection attempts to ipcdigital.com, and three to "angelfire.com".

Both happened within minutes of booting up and starting up Firefox (and visiting web pages, the same two as the above post, Trello and LastPass, as well as this forum). Both batches (ipcdigital and angelfire) were within a minute or so of each other.

Once again, the scan completed without finding anything.

I've pasted the log entry for one of those attempts:

{
   "applicationVersion" : "3.0.6.1469",
   "clientID" : "",
   "clientType" : "other",
   "componentsUpdatePackageVersion" : "1.0.75",
   "cpu" : "x64",
   "dbSDKUpdatePackageVersion" : "1.0.1640",
   "detectionDateTime" : "2017-04-01T17:27:45Z",
   "fileSystem" : "NTFS",
   "id" : "",
   "isUserAdmin" : true,
   "licenseState" : "licensed",
   "linkagePhaseComplete" : false,
   "loggedOnUserName" : "System",
   "machineID" : "",
   "os" : "Windows 10",
   "schemaVersion" : 2,
   "sourceDetails" : {
      "type" : "mwac"
   },
   "threats" : [
      {
         "linkedTraces" : [

         ],
         "mainTrace" : {
            "cleanAction" : "block",
            "cleanResult" : "successful",
            "cleanResultErrorCode" : 0,
            "cleanTime" : "",
            "generatedByPostCleanupAction" : false,
            "id" : "8518bad5-1700-11e7-aeea-346895ee6e38",
            "linkType" : "none",
            "objectMD5" : "",
            "objectPath" : "",
            "objectSha256" : "",
            "objectType" : "website",
            "websiteData" : {
               "ip" : "198.27.68.209",
               "isInbound" : false,
               "port" : 53629,
               "processPath" : "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe",
               "url" : "ipcdigital.com"
            }
         },
         "ruleID" : -1,
         "rulesVersion" : "0.0.0",
         "threatID" : -1,
         "threatName" : ""
      }
   ],
   "threatsDetected" : 1
}

 


A further update. I'm not sure if it helps. I ran AdwCleaner (also from Malwarebytes), and it found five threats. However, I'm not sure if these are threats, rather than potential threats.

Registry items:

HKCU\Software\Microsoft\Internet Explorer\DOMStorage\castplatform.com
HKCU\Software\Microsoft\Internet Explorer\DOMStorage\cdn.castplatform.com
HKCU64\Software\Microsoft\Internet Explorer\DOMStorage\castplatform.com
HKCU64\Software\Microsoft\Internet Explorer\DOMStorage\cdn.castplatform.com

As a note, I don't use Internet Explorer (except to open PDFs).

Also, in Chrome, the search provider ask.com.

So it seems these were not really positive threats identified?
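
A triage sketch for the detection records pasted in this thread, added here as an example and not part of the original posts or of Malwarebytes' own tooling: it groups blocked outbound website entries by minute and originating process, so bursts like the ones described at browser start-up stand out. The field names are the ones in the pasted records; the helper and function names are hypothetical, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime

FIREFOX = "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe"

def _rec(ts, host, ip, inbound=False):
    # Build a record holding only the fields read below (same names as the logs).
    return {"detectionDateTime": ts, "sourceDetails": {"type": "mwac"},
            "threats": [{"mainTrace": {"cleanAction": "block",
                "objectType": "website",
                "websiteData": {"ip": ip, "isInbound": inbound,
                                "processPath": FIREFOX, "url": host}}}]}

# Constructed sample. The first two rows reuse values from the pasted entries;
# the last two (192.0.2.x documentation addresses) are invented for the demo.
SAMPLE = [
    _rec("2017-03-31T17:16:10Z", "winwiki.org", "104.28.16.78"),
    _rec("2017-04-01T17:27:45Z", "ipcdigital.com", "198.27.68.209"),
    _rec("2017-04-01T17:27:51Z", "angelfire.com", "192.0.2.10"),
    _rec("2017-04-01T17:30:00Z", "inbound.example", "192.0.2.20", inbound=True),
]

def blocked_outbound(record):
    """Yield (minute, process, host, ip) for each blocked outbound website trace."""
    when = datetime.strptime(record["detectionDateTime"], "%Y-%m-%dT%H:%M:%SZ")
    for threat in record.get("threats", []):
        trace = threat.get("mainTrace") or {}
        site = trace.get("websiteData") or {}
        if trace.get("objectType") != "website" or not site:
            continue  # not a web-protection entry
        if site.get("isInbound") or trace.get("cleanAction") != "block":
            continue  # keep only outgoing connections that were blocked
        yield (when.strftime("%Y-%m-%d %H:%M"), site.get("processPath", ""),
               site.get("url", ""), site.get("ip", ""))

def summarize(records):
    """Group blocks by (minute, process); values are sorted 'host (ip)' strings."""
    groups = defaultdict(set)
    for rec in records:
        for minute, proc, host, ip in blocked_outbound(rec):
            groups[(minute, proc)].add(f"{host} ({ip})")
    return {key: sorted(hosts) for key, hosts in groups.items()}

if __name__ == "__main__":
    for (minute, proc), hosts in sorted(summarize(SAMPLE).items()):
        print(minute, proc, "->", ", ".join(hosts))
```

To use it on real data, pass the dictionaries obtained by parsing each exported record with `json.load`.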
