tankdriver Posted April 17, 2017 ID:1118026 Share Posted April 17, 2017 I have Malwarebytes block a outgoing connection 58 times in the last 23 hrs. This is the IP img.ed4.net With the following ports at the end of the address….. 64105 64104 56742 56736 56611 56606 56596 56595 56578 56006 56003 55966 55987 55948 I have ran the scans, and they come back clean. I have the Malwarebytes Pro. Any Ideas? Thanks Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted April 18, 2017 Root Admin ID:1118169 Share Posted April 18, 2017 Hello @tankdriver and Please post the protection log from Malwarebytes with the block. Then let me get some other logs please. Please, read the topic here Available Assistance for Possibly Infected Computers and run the scan and post back the requested logs as attachments. Thank you Ron Link to post Share on other sites More sharing options...
tankdriver Posted April 19, 2017 Author ID:1118295 Share Posted April 19, 2017 here is the protection log.... Malwarebyteswww.malwarebytes.com -Log Details- Protection Event Date: 4/18/17 Protection Event Time: 9:14 PM Logfile: Administrator: Yes -Software Information- Version: 3.0.6.1469 Components Version: 1.0.103 Update Package Version: 1.0.1757 License: Premium -System Information- OS: Windows 10 CPU: x64 File System: NTFS User: System -Blocked Website Details- Malicious Website: 1 , , Blocked, [-1], [-1],0.0.0 -Website Data- Domain: img.ed4.net IP Address: 23.220.100.10 Port: [57979] Type: Outbound File: C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE (end) here is the scan log..... Malwarebyteswww.malwarebytes.com -Log Details- Scan Date: 4/18/17 Scan Time: 2:47 AM Logfile: Administrator: Yes -Software Information- Version: 3.0.6.1469 Components Version: 1.0.103 Update Package Version: 1.0.1752 License: Premium -System Information- OS: Windows 10 CPU: x64 File System: NTFS User: System -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 375163 Time Elapsed: 2 min, 35 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Enabled PUM: Enabled -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 0 (No malicious items detected) Physical Sector: 0 (No malicious items detected) (end) I'll get the other logs tomorrow. Link to post Share on other sites More sharing options...
tankdriver Posted April 19, 2017 Author ID:1118297 Share Posted April 19, 2017 Here is 2 more log files..... Addition.txt FRST.txt Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted April 19, 2017 Root Admin ID:1118302 Share Posted April 19, 2017 The logs indicate that you have a couple issue going on. I do not believe they have anything to do with the blocks you're getting though. Aside from Outlook, if you keep Outlook closed do you ever get this block? Error: (04/18/2017 07:28:11 AM) (Source: Windows Search Service) (EventID: 3104) (User: ) Description: Enumerating user sessions to generate filter pools failed. Error: (04/18/2017 07:45:53 AM) (Source: Application Error) (EventID: 1000) (User: ) Description: Faulting application name: iCloudPhotos.exe, version: 106.0.0.53, time stamp: 0x58cb0177 Faulting module name: iCloudPhotos_main.dll, version: 106.0.0.53, time stamp: 0x58cb59f7 Exception code: 0xc0000005 Fault offset: 0x000f492c Faulting process ID: 0x1b9c Faulting application start time: 0x01d2b848bebad801 Faulting application path: C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudPhotos.exe Faulting module path: C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudPhotos_main.dll Report ID: 1d07783e-929b-4346-bcbc-8e639e57a76d Faulting package full name: Faulting package-relative application ID: Let's go ahead and do some other scans for malware but overall I don't think you're infected. I think it's due to a link in mail that points to one of the sites we're blocking. Please restart the computer first and then run the following steps and post back the logs when ready.STEP 01 Please download Junkware Removal Tool to your desktop. Shutdown your antivirus to avoid any conflicts. Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP. The tool will open and start scanning your system. Please be patient as this can take a while to complete. On completion, a log (JRT.txt) is saved to your desktop and will automatically open. Post the contents of JRT.txt into your next reply message When completed make sure to re-enable your antivirus STEP 02 Fix with AdwCleaner Please download AdwCleaner by Xplode and save the file to your Desktop. Right-click on icon and select Run as Administrator to start the tool. Accept the Terms of use. Wait until the database is updated. Click Scan. When finished, please click Clean. Your PC should reboot now. After reboot, logfile will be opened. Copy its content into your next reply. Note: Reports will be saved in your system partition, usually at C:\Adwcleaner STEP 03 Download Sophos Free Virus Removal Tool and save it to your desktop. Double click the icon and select Run Click Next Select I accept the terms in this license agreement, then click Next twice Click Install Click Finish to launch the program Once the virus database has been updated click Start Scanning If any threats are found click Details, then View Log file (bottom left-hand corner) Copy and paste the results in your reply Close the Notepad document, close the Threat Details screen, then click Start cleanup Click Exit to close the program If no threats were found, please confirm that result. STEP 04 Please download the Farbar Recovery Scan Tool and save it to your desktop.Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit Double-click to run it. When the tool opens, click Yes to disclaimer. Press the Scan button. It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply. The first time the tool is run, it also makes another log (Addition.txt). If you've, run the tool before you need to place a check mark here. Please attach the Additions.txt log to your reply as well. Thanks Link to post Share on other sites More sharing options...
tankdriver Posted April 19, 2017 Author ID:1118444 Share Posted April 19, 2017 Ran as requested. Here is the files.... AdwCleaner[S0].txt FRST.txt Addition.txt Link to post Share on other sites More sharing options...
Dr_Jon Posted April 22, 2017 ID:1119166 Share Posted April 22, 2017 My post on this disappeared off somewhere else, if that was my fault here's what I wrote, if a mod moved it then please delete that version as it's pointless on its own: I get these as well, just after clicking show images on an e-mail, I think it's just an image hosting site. E-mail is from someone reputable and the source code looks like this: ... href="https://link.confused.com/r/UUUSSQQ/XBI1JS/P90AL/Y8MEYH2/QU97TW/XB/h?a=http://view.ed4.net/v/UUUSSQQ/DDZTIW/GL3I9RU/OQO21/&b=utm_medium=email%26utm_source=LondonMotorshow%26utm_campaign=9965198%26utm_content=LondonMotorShow" style="font-family: 'Open Sans', Arial, Helvetica, sans-serif; font-size: 13px; color: #333333; line-height: 16px;" target="_blank" ><u>View this email in web browser</u></a><br /><br /> ... <img src="http://img.ed4.net/confusedcom/images/Travel/D_LMS_Banner2.png" class="image_resize" alt="" width="640" style="display:block; border:none; outline:none; text-decoration:none;"/></a></td> ... I assume either a false positive or something else hosted on the site (presumably in an image). Link to post Share on other sites More sharing options...
CarolBD61 Posted April 22, 2017 ID:1119196 Share Posted April 22, 2017 I started happening to me as well on 4/17/17. Started with CVS emails, now Bed Bath and Beyond as well. These are reputable companies that I have requested to send me advertising emails. I have gotten hundreds of these blocks this week. Both of them are using img.ed4.net as an image hosting site. I have done extensive scans on my PC and find no malware. Is this a false positive? If not, what is Malwarebytes finding objectionable on this site? Two log files are reproduced below. The first is a block generated by auto-preview of an email in Outlook, the second happened when I chose to view an email as a website, and was generated from Chrome: [begin first report] Malwarebytes www.malwarebytes.com -Log Details- Protection Event Date: 4/17/17 Protection Event Time: 7:04 PM Logfile: Administrator: Yes -Software Information- Version: 3.0.6.1469 Components Version: 1.0.103 Update Package Version: 1.0.1750 License: Premium -System Information- OS: Windows 10 CPU: x64 File System: NTFS User: System -Blocked Website Details- Malicious Website: 1 , , Blocked, [-1], [-1],0.0.0 -Website Data- Domain: img.ed4.net IP Address: 23.216.55.8 Port: [50509] Type: Outbound File: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE (end) [begin second report] Malwarebytes www.malwarebytes.com -Log Details- Protection Event Date: 4/22/17 Protection Event Time: 9:41 AM Logfile: Administrator: Yes -Software Information- Version: 3.0.6.1469 Components Version: 1.0.103 Update Package Version: 1.0.1784 License: Premium -System Information- OS: Windows 10 CPU: x64 File System: NTFS User: System -Blocked Website Details- Malicious Website: 1 , , Blocked, [-1], [-1],0.0.0 -Website Data- Domain: img.ed4.net IP Address: 23.205.120.146 Port: [57834] Type: Outbound File: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (end) Link to post Share on other sites More sharing options...
eeek5127 Posted April 23, 2017 ID:1119353 Share Posted April 23, 2017 The issue also comes from Bed, Bath & Beyond emails. I had to permanently delete them out of my trash folder and unsubscribe to fix it. It's another legitimate company sending me what appears in every way to be safe correspondence that I requested. But to be safe (and not continually annoyed) I unsubscribed. Link to post Share on other sites More sharing options...
ABG Posted April 23, 2017 ID:1119358 Share Posted April 23, 2017 I am having the same problem with CVS IMAG.ED4.NET 58908. I am not that good with this, so i will watch to see if there is a solution. Thanks. Link to post Share on other sites More sharing options...
bluesgene Posted April 23, 2017 ID:1119378 Share Posted April 23, 2017 Same issue here with CVS img.ed4.net. Never had a problem with CVS emails until now. Link to post Share on other sites More sharing options...
Maguid Posted April 23, 2017 ID:1119400 Share Posted April 23, 2017 img.id4.net is CVS's image container. I looked at the source of one of my emails and this URL is everywhere. Why Malwarebytes is reacting to this is out of my domain. I simply made an exclusion in my account. so far it has been quiet. Link to post Share on other sites More sharing options...
Staff Dashke Posted April 24, 2017 Staff ID:1119496 Share Posted April 24, 2017 The block is due to malicious content on the server - Quote hxxp://img.ed4.net/dcsg/images/09_EasyToneTour/ => https://virustotal.com/en/file/fdaf6f07edbfb23407bccbc2bd5566a9c7cb3623054b2d11b0813a03c81a91a1/analysis/1492354812/ Link to post Share on other sites More sharing options...
Eagleeye Posted April 26, 2017 ID:1120100 Share Posted April 26, 2017 (edited) Good afternoon, Just my 3-cents worth for anyone interested... MBAM 2.2.1.1043 is also blocking an outgoing connection to: img.ed4.net, when I opened an advertisement email this morning from Hanes(dot)com - a trusted website from which I've ordered items before, and routinely receive advertisements. HpHosts flags it for phishing. The ports shown in the MBAM detection entries are: 52869 & 52462. In the email's source code, I also see: img.ed10.net. VirusTotal shows it as clean, however. [UPDATE, 4/26/17 @ 3:40 p.m. US EST]: Just received another advertisement from Hanes(dot)com which MBAM has again blocked the outbound connection attempt to the same URL cited above (i.e., img.ed4.net) I have now notified Hanes IT staff TWICE of this issue - still NO response from them. (For Dashke) Do you have any recommendations at this point? Best regards, EE Edited April 26, 2017 by Eagleeye Added update to original post Link to post Share on other sites More sharing options...
tmikct Posted April 26, 2017 ID:1120152 Share Posted April 26, 2017 (edited) i Quote MysteryFCM said: This is a false positive and will be unblocked on the next update. n response to my inquiry and per Malwarebytes staff, the CVS email is a false positive and will be unblocked on the next update. Edited April 26, 2017 by tmikct Link to post Share on other sites More sharing options...
JohnCS Posted April 26, 2017 ID:1120154 Share Posted April 26, 2017 I'm getting the blocking for img,ed4.net on all Bed Bath & Beyond, CVS and Kellogg's emails. These companies all have malicious content on their servers? Link to post Share on other sites More sharing options...
Eagleeye Posted April 26, 2017 ID:1120180 Share Posted April 26, 2017 (edited) A brief update here for anyone interested. I just heard back from the IT Staff at Hanes(dot)com, who advise they are investigating the problem with the two compromised advertisement emails I received from them today. They requested I forward them the emails in question, which I did. If Malwarebytes Staff need the email address of the IT person who contacted me, let me know and I'll provide it. Best regards. EE Edited April 26, 2017 by Eagleeye Revised post. Link to post Share on other sites More sharing options...
Staff Dashke Posted April 27, 2017 Staff ID:1120313 Share Posted April 27, 2017 Can you please update your database and let us know if that helps? The block has been removed yesterday. Link to post Share on other sites More sharing options...
tmikct Posted April 27, 2017 ID:1120369 Share Posted April 27, 2017 Just received a new email from CVS and No blocking message appeared when I opened it. Link to post Share on other sites More sharing options...
Eagleeye Posted April 27, 2017 ID:1120398 Share Posted April 27, 2017 Hi Dashke, My MBAM database has already updated. I did receive another advertisement email from Hanes this morning, but there was no blocking by MBAM on this one. Much obliged for the timely resolution! EE Link to post Share on other sites More sharing options...
Staff Dashke Posted April 27, 2017 Staff ID:1120404 Share Posted April 27, 2017 That's great news, thank you very much for letting us know @tmikct @Eagleeye! Link to post Share on other sites More sharing options...
tankdriver Posted April 28, 2017 Author ID:1120532 Share Posted April 28, 2017 I received a Petco with no more issues. Thanks for the help..... Link to post Share on other sites More sharing options...
Recommended Posts