Jump to content

Malwarebytes blocking outgoing connection.


tankdriver

Recommended Posts

I have Malwarebytes block a outgoing connection 58 times in the last 23 hrs.

This is the IP img.ed4.net

With the following ports at the end of the address…..

64105

64104

56742

56736

56611

56606

56596

56595

56578

56006

56003

55966

55987

55948

 

I have ran the scans, and they come back clean.

I have the Malwarebytes Pro.

Any Ideas?

Thanks

 

 

 

Link to post
Share on other sites

  • Root Admin

Hello @tankdriver and :welcome:

Please post the protection log from Malwarebytes with the block. Then let me get some other logs please.

Please, read the topic here Available Assistance for Possibly Infected Computers and run the scan and post back the requested logs as attachments.

Thank you

Ron

 

 

Link to post
Share on other sites

here is the protection log....

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 4/18/17
Protection Event Time: 9:14 PM
Logfile:
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.103
Update Package Version: 1.0.1757
License: Premium

-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Domain: img.ed4.net
IP Address: 23.220.100.10
Port: [57979]
Type: Outbound
File: C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE

 

(end)

 

here is the scan log.....

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/18/17
Scan Time: 2:47 AM
Logfile:
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.103
Update Package Version: 1.0.1752
License: Premium

-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: System

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 375163
Time Elapsed: 2 min, 35 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)

 

I'll get the other logs tomorrow.

Link to post
Share on other sites

  • Root Admin

The logs indicate that you have a couple issue going on. I do not believe they have anything to do with the blocks you're getting though. Aside from Outlook, if you keep Outlook closed do you ever get this block?

 

Error: (04/18/2017 07:28:11 AM) (Source: Windows Search Service) (EventID: 3104) (User: )
Description: Enumerating user sessions to generate filter pools failed.

Error: (04/18/2017 07:45:53 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iCloudPhotos.exe, version: 106.0.0.53, time stamp: 0x58cb0177
Faulting module name: iCloudPhotos_main.dll, version: 106.0.0.53, time stamp: 0x58cb59f7
Exception code: 0xc0000005
Fault offset: 0x000f492c
Faulting process ID: 0x1b9c
Faulting application start time: 0x01d2b848bebad801
Faulting application path: C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudPhotos.exe
Faulting module path: C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudPhotos_main.dll
Report ID: 1d07783e-929b-4346-bcbc-8e639e57a76d
Faulting package full name:
Faulting package-relative application ID:

Let's go ahead and do some other scans for malware but overall I don't think you're infected. I think it's due to a link in mail that points to one of the sites we're blocking.

 

 

Please restart the computer first and then run the following steps and post back the logs when ready.

STEP 01
Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus

STEP 02

adwcleaner_new.png Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your Desktop.

  • Right-click on adwcleaner_new.png icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now.
  • After reboot, logfile will be opened. Copy its content into your next reply.

Note: Reports will be saved in your system partition, usually at C:\Adwcleaner

STEP 03
Download Sophos Free Virus Removal Tool and save it to your desktop.
 

  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View Log file (bottom left-hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found, please confirm that result.

STEP 04
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've, run the tool before you need to place a check mark here.
  • Please attach the Additions.txt log to your reply as well.

 

Thanks

Link to post
Share on other sites

My post on this disappeared off somewhere else, if that was my fault here's what I wrote, if a mod moved it then please delete that version as it's pointless on its own:

I get these as well, just after clicking show images on an e-mail, I think it's just an image hosting site. E-mail is from someone reputable and the source code looks like this:

...
href="https://link.confused.com/r/UUUSSQQ/XBI1JS/P90AL/Y8MEYH2/QU97TW/XB/h?a=http://view.ed4.net/v/UUUSSQQ/DDZTIW/GL3I9RU/OQO21/&b=utm_medium=email%26utm_source=LondonMotorshow%26utm_campaign=9965198%26utm_content=LondonMotorShow" style="font-family: 'Open Sans', Arial, Helvetica, sans-serif; font-size: 13px; color: #333333; line-height: 16px;" target="_blank"
><u>View this email in web&nbsp;browser</u></a><br /><br />

...

<img  src="http://img.ed4.net/confusedcom/images/Travel/D_LMS_Banner2.png" class="image_resize"  alt="" width="640" style="display:block; border:none; outline:none; text-decoration:none;"/></a></td>

...

I assume either a false positive or something else hosted on the site (presumably in an image).
 

Link to post
Share on other sites

I started happening to me as well on 4/17/17.  Started with CVS emails, now Bed Bath and Beyond as well.  These are reputable companies that I have requested to send me advertising emails.  I have gotten hundreds of these blocks this week.  Both of them are using img.ed4.net as an image hosting site. I have done extensive scans on my PC and find no malware. 

Is this a false positive?  If not, what is Malwarebytes finding objectionable on this site?

Two log files are reproduced below.  The first is a block generated by auto-preview of an email in Outlook, the second happened when I chose to view an email as a website, and was generated from Chrome:

[begin first report]

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 4/17/17
Protection Event Time: 7:04 PM
Logfile: 
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.103
Update Package Version: 1.0.1750
License: Premium

-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Domain: img.ed4.net
IP Address: 23.216.55.8
Port: [50509]
Type: Outbound
File: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

(end)

[begin second report]

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 4/22/17
Protection Event Time: 9:41 AM
Logfile: 
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.103
Update Package Version: 1.0.1784
License: Premium

-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Domain: img.ed4.net
IP Address: 23.205.120.146
Port: [57834]
Type: Outbound
File: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(end)

Link to post
Share on other sites

The issue also comes from Bed, Bath & Beyond emails.  I had to permanently delete them out of my trash folder and unsubscribe to fix it.  It's another legitimate company sending me what appears in every way to be safe correspondence that I requested.  But to be safe (and not continually annoyed) I unsubscribed.

Link to post
Share on other sites

Good afternoon,

     Just my 3-cents worth for anyone interested...

MBAM 2.2.1.1043 is also blocking an outgoing connection to:  img.ed4.net, when I opened an advertisement email this morning from Hanes(dot)com - a trusted website from which I've ordered items before, and routinely receive advertisements.  HpHosts flags it for phishing.

The ports shown in the MBAM detection entries are:  52869 & 52462.  In the email's source code, I also see:  img.ed10.netVirusTotal shows it as clean, however.

[UPDATE, 4/26/17 @ 3:40 p.m. US EST]:  Just received another advertisement from Hanes(dot)com which MBAM has again blocked the outbound connection attempt to the same URL cited above (i.e., img.ed4.net)  I have now notified Hanes IT staff TWICE of this issue - still NO response from them.

(For Dashke)

Do you have any recommendations at this point?

Best regards,

EE

Edited by Eagleeye
Added update to original post
Link to post
Share on other sites

i

Quote
MysteryFCM said:

This is a false positive and will be unblocked on the next update.

n response to my inquiry and per Malwarebytes staff, the CVS email is a false positive and will be unblocked on the next update.

Edited by tmikct
Link to post
Share on other sites

A brief update here for anyone interested.

I just heard back from the IT Staff at Hanes(dot)com, who advise they are investigating the problem with the two compromised advertisement emails I received from them today.  They requested I forward them the emails in question, which I did.  If Malwarebytes Staff need the email address of the IT person who contacted me, let me know and I'll provide it.

Best regards.

EE

Edited by Eagleeye
Revised post.
Link to post
Share on other sites

Hi Dashke,

     My MBAM database has already updated.  I did receive another advertisement email from Hanes this morning, but there was no blocking by MBAM on this one.

Much obliged for the timely resolution! :)

EE

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.