Jump to content

Malwarebytes blocks trojan outgoing firefox.exe


Recommended Posts

I have see this several times, and would like an explanation of its meaning.  It appears to be blocking a website, but it says "outgoing".  Is that a trojan from the website, or from firefox, or?   I would think it would be incoming if coming from the website.  Maybe it is just terminology, but it is not clear what is meant by outgoing.  Scanning the computer with rootkits on yields no malware...

Thanks for the great product....

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 10/15/18
Protection Event Time: 7:59 AM
Log File: dadebdfc-d08a-11e8-9079-d0509961dd58.json

-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.441
Update Package Version: 1.0.7363
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Category: Trojan
Domain: jsblom.com
IP Address: 104.27.173.3
Port: [57761]
Type: Outbound
File: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

 

(end)

Link to post
Share on other sites

Hello floydo and welcome to Malwarebytes,

Malwarebytes is blocking an outbound call from your computer to this IP Address: 104.27.173.3  https://cleantalk.org/blacklists/104.27.173.3

Lets make a clean install of Firefox, see if that helps...

Use the following link for instructions how to back up your bookmarks, same link can be used to import saved Bookmarks:

https://support.mozilla.org/en-US/kb/export-firefox-bookmarks-to-backup-or-transfer

Next,

Remove all synced data from Firefox to stop possible re-infection or exploitation.

https://support.mozilla.org/en-US/questions/1037353

Next,

Go here: http://www.mozilla.org/en-US/ download save the latest version of Firefox.. We will install this later...

Next,

Lets totally remove Firefox and start over.

Go here: https://support.mozilla.org/en-US/kb/uninstall-firefox-from-your-computer and follow those instructions...

Ensure when the uninstall completes to navigate to and delete the firefox installation folder (if present):

(32-bit Windows) C:\Program Files\Mozilla Firefox
(64-bit Windows) C:\Program Files (x86)\Mozilla Firefox

It is essential the installation folder is removed. Re-boot your system when that is completed....

Next,

To remove all remaining data and profile information...

Press "Windows key + R" to open the Run box
In the Run box, type in or copy and paste %APPDATA%
Click OK. A Windows Explorer window will appear.
In this window, choose/open in succession Mozilla > Firefox > Profiles.
Select Delete on each entry in reverse, eg Profiles > Delete. Firefox > Delete. Mozilla > Delete.

Re-boot your system when complete!

Next,

Use the Mozilla Firefox installer to reinstall your Browser....

When Firefox is installed and open select these keys together :- Ctrl - Shift - A that will access Addons manger, this gives access to find addons/extensions, use, start, stop or disable those features etc....

uBlock-Origin can be installed from here: https://addons.mozilla.org/en-GB/firefox/addon/ublock-origin/ <<--- Recommended.
 
Does that help..?
 
Thank you,
 
Kevin..
Link to post
Share on other sites

I went through the process, and all seems to be working.  Since this happened erratically (a few websites and only occasionally), time will tell, and I will return to this post in a week or so to provide feedback. Thanks for the response and clarification of the definition "outgoing"!

Link to post
Share on other sites

Went through the removal and replacment process, and then went browsing.  No popups, until I went back to  http://forums.storagereview.com/

There malwarbytes popped up as posted above.  So at least the website is consistent in forwarding to this jsblom.com. Other than that I don't know what websites kicked this off.  Looking at the logs the other two that pop up are:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 10/1/18
Protection Event Time: 8:31 PM
Log File: 9acb64e6-c5f3-11e8-9d56-d0509961dd58.json

-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.441
Update Package Version: 1.0.7125
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Category: Trojan
Domain: reauthenticator.com
IP Address: 104.28.4.162
Port: [56201]
Type: Outbound
File: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

 

(end)

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 10/16/18
Protection Event Time: 8:29 AM
Log File: 45624338-d158-11e8-873b-d0509961dd58.json

-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.441
Update Package Version: 1.0.7381
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Category: Malware
Domain: www.pavtube.com
IP Address: 198.255.68.43
Port: [65393]
Type: Outbound
File: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

 

(end)

Not sure what association is beyond this.  Having browsed for a couple days without the popup repeating except consistently from the forum at storage review site....don't know what the other sites were that triggered the popup...

The other thing that seems curious, but probably not associated is firefox was installed in c:\Program Files (X86)\ that I deleted as part of the clean install (no entries in c:\Program Files\), and is now installed in c:\Program Files\.  Firefox about shows version 62.0.3 (64-bit)....I haven't found why, but posted a question at mozilla...

 

Link to post
Share on other sites

Additional information that leads me to believe this is driven by the website and maybe malwarebytes:

Went to Internet explorer and got the same result, output below.  Then went to a different computer with current version of malwarebytes installed and got the same result from firefox!

Any comments would be apprecieated.....

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 10/20/18
Protection Event Time: 10:08 AM
Log File: d202189c-d48a-11e8-b4c8-d0509961dd58.json

-Software Information-
Version: 3.6.1.2711
Components Version: 1.0.463
Update Package Version: 1.0.7438
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Category: Trojan
Domain: jsblom.com
IP Address: 104.27.172.3
Port: [50891]
Type: Outbound
File: C:\Program Files (x86)\Internet Explorer\iexplore.exe

 

(end)

Link to post
Share on other sites

Mozilla FireFox has two versions 32 bit, installed to "Program Files (X86)" folder. Also 64 bit, installed to "Program Files" folder. I have both installed on my system, but only use 64 bit version.

I`m not sure what you mean about Malwarebytes, continue as follows:

Please download Zemana AntiMalware and save it to your Desktop.
 
  • Install the program and once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.
    Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually.
     
  • Open Zemana AntiMalware again.
  • Click on user posted image icon and double click the latest report.
  • Now click File > Save As and choose your Desktop before pressing Save.
  • Attach saved report in your next message.
Link to post
Share on other sites

I may not have been clear on my comments on the experiments I did with malwarebytes to get the popup. 

I noticed that occasionally I would get a trojan popup per previous posts.  I identified one website that would cause the popup consistently (appears identified with firefox).  I uninstalled and reinstalled firefox with same popup result from forums.storagereview.com. Then I went into that site with Microsoft Internet Explorer and got the same popup/trojan warning as with Firefox, except from iexplore.exe .  Then I went to another computer, went to the same site using firefox, and malwarbytes ver 3.6.1.2711 on that computer gave the same popup from firefox.exe .

It seems to me the problem is with the forum site, and malwarebytes is doing its job...?  But the original question was what is the meaning of the popup log posted above?

I did the scan with Zemana, attached.  It did indicate several dlls on software I have used for years (ie quicken, dbpoweramp) failed, but said the system is clean.

Any thoughts to clarify this?

Thanks

2018.10.20-12.07.48-i0-t92-d0.txt

Link to post
Share on other sites

Have look at the following link: https://whois.domaintools.com/104.27.172.3  Note that 310 websites use that IP address, if you are unlucky enough to land on one, you have booked a trip to Cloudfare...

I assume the plan is to get you to end up here: https://www.cloudflare.com/plans/?utm_referrer=https://www.google.co.uk/  Cloudflare is out to make money..

Also have a look at this link: https://cleantalk.org/blacklists/104.27.172.3 It seems to be a noted spammer. I agree with your assumption, Malwarebytes is definitely doing its job. You`ve got to wonder what happens to anyone without Malwarebytes Premium. 

   

Edited by kevinf80
Link to post
Share on other sites
5 hours ago, kevinf80 said:

 

 

5 hours ago, kevinf80 said:

You`ve got to wonder what happens to anyone without Malwarebytes Premium.

So I believe the computer is not "infected", the log from malwarebytes

Website Data-
Category: Trojan
Domain: jsblom.com
IP Address: 104.27.173.3
Port: [57761]
Type: Outbound
File: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

Could be interpreted as indicating - the website is attempting via firefox to forward you (or your information) to 104.27.173.3 ?  And MB is blocking...

That's my interpretation of your comment and my experiment. 

Thanks

Link to post
Share on other sites

If you open Firefox and leave it on the homepage and you receive a block from Malwarebytes, then it can mean firefox is exploited. If nothing happens on the homepage, or other sites  you normally use, Firefox and your PC are ok. If you visit a website with this Domain: jsblom.com and Malwarebytes creates a block, then it is safe to assume its down to the website. I`ve just tried to connect to that domain, Malwarebytes blocked the connection.... We can clean up, no further action needed..

Uninstall Zemana (unless you want to keep it) http://www.askvg.com/how-to-completely-uninstall-remove-a-software-program-in-windows-without-using-3rd-party-software/

Run Windows Disk Clean Up Utility - https://neosmart.net/wiki/disk-cleanup/

From there you should be good to go...

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin... user posted image

 

 

 

Link to post
Share on other sites

Thanks for the interesting links, and help!  Zemana uninstalled (I use Revo Judiciously) and noticed Zemana is a bit sloppy in their uninstall (prog files and registry).  I now understand malwarebytes logs require some interpretation as to the issue. Keep up the good work as it really helped clarify this for me.

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.