Malware Anti-Exploit Beta alerts in Firefox echoed in Thunderbird?

[maudlin]

My laptop is running Windows 8.1 and I have Malwarebytes Anti-Malware Home Premium installed.

I clicked a Google search result yesterday in Firefox and got this alert:

Malicious Website Blocked
Domain: www.hitcpm.com
IP: 198.134.112.242
Type: Outbound
Process: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

I backed out of Google and believed that between the app and NoScript, I wasn't affected by whatever was on the dodgy site.

I ran a full scan just to be sure  in MWB and nothing showed up, which is what I expected.

But when I switched back to Thunderbird, an almost identical alert showed again.

Malicious Website Blocked
Domain: www.hitcpm.com
IP: 198.134.112.244   <== Note different IP
Type: Outbound
Process: C:\Program Files (x86)\Mozilla Thunderbird/thunderbird.exe

I ran the scan again and still nothing. I also ran a full scan with Windows Defender and everything was clean.

My questions:

1) If the software successfully blocked the malicious site in Firefox, why did I get a slightly different alert, with a different IP address, in Thunderbord? Are there some shared processes between Mozilla apps? Please note that every time I boot Firefox, I get a brief alert that "Mozilla Firefox (and add-ons) is now protected by Malware Anti-Exploit Beta". I never get this alert when launching Thunderbird.

2) Are there any additional steps I should take now?

 

 

[nasdaq]

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

These attacks may be stopped by Malwarebytes and you are notified accordingly.

Chech the Notifications settings.
Change the setting Show Malwarebytes Notifications to Off
https://content.invisioncic.com/Mmalware/monthly_2018_05/2018-05-22_10-28-24.png.a3502457b1398cbb8a3d56e78531dcbd.png

===

If the problem persists please run this Farbar program and post the logs for my review.

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===

[maudlin]

Thanks for the detailed response!

To clarify, the display of notifications is not an ongoing problem. After launching, closing and re-launching Thunderbird, the alert went away. The alert also went away in Firefox after showing up just once. So I won't be turning off notifications at all as I really prefer to browse with them on.

But I have run the FRST scans and they are attached.

FRST.txt

Addition.txt

Edited July 30, 2018 by maudlin

[maudlin]

[deleted]

Edited July 30, 2018 by maudlin

[nasdaq]

Hi,

You must run the Farbar program as an Administrator.

Please post a fresh FRST.txt log for my review.

 

[maudlin]

Sorry! I've run FRST again as admin. Here are the files.

FRST.txt

Addition.txt

[maudlin]

Cleaned up copy of FRST.txt (as FRST-edit.txt).

FRST-edit.txt

[nasdaq]

Hi,

Your FRST log is clean.

However, this FF extension is optional
FF Extension: (Block Site) - C:\MozillaProfiles\Firefox-profiles\mary\Extensions\{dd3d7613-0246-469d-bc65-2a3cc1668adc}.xpi

Read the remarks on this topic and decide if you want to keep it.
https://www.systemlookup.com/FF_Extensions/371.html

[maudlin]

Thanks so much! I really appreciate all the help you've provided.

I installed the Block Site extension a while ago but found it to be pretty buggy, so I disabled it. Checking my FF, I can see that Mozilla added it to their blocked list just last week. I'll uninstall it now.

One remaining issue: It was the duplicate malicious site notification in Thunderbird that first aroused my suspicions that something had gotten through my defenses because the IP address identified in each alert was different.

1 - Should I be suspicious if I see duplicate notifications across Mozilla apps again? (This is actually the second time this has happened over the past week.)

2 - Are duplicate notifications (with or without consistent IP addresses) a known design issue or bug?

(If this isn't the right thread for these questions, please let me know what other part of the forum I should go to.)

[nasdaq]

Hi,

These attacks are stopped by Malwarebytes and you are notified accordingly.

Check the Notifications settings if you like.
Change the setting Show Malwarebytes Notifications to Off

===

[AdvancedSetup]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread.

Thanks