
Malwarebytes blocks trojan outgoing firefox.exe


floydo


I have seen this several times, and would like an explanation of its meaning.  It appears to be blocking a website, but it says "outgoing".  Is that a trojan from the website, or from Firefox, or?   I would think it would be incoming if coming from the website.  Maybe it is just terminology, but it is not clear what is meant by outgoing.  Scanning the computer with rootkit scanning on yields no malware...

Thanks for the great product....

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 10/15/18
Protection Event Time: 7:59 AM
Log File: dadebdfc-d08a-11e8-9079-d0509961dd58.json

-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.441
Update Package Version: 1.0.7363
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Category: Trojan
Domain: jsblom.com
IP Address: 104.27.173.3
Port: [57761]
Type: Outbound
File: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

 

(end)


Hello floydo and welcome to Malwarebytes,

Malwarebytes is blocking an outbound call from your computer to this IP Address: 104.27.173.3  https://cleantalk.org/blacklists/104.27.173.3

Let's make a clean install of Firefox, see if that helps...

Use the following link for instructions how to back up your bookmarks, same link can be used to import saved Bookmarks:

https://support.mozilla.org/en-US/kb/export-firefox-bookmarks-to-backup-or-transfer

Next,

Remove all synced data from Firefox to stop possible re-infection or exploitation.

https://support.mozilla.org/en-US/questions/1037353

Next,

Go here: http://www.mozilla.org/en-US/ and download and save the latest version of Firefox.. We will install this later...

Next,

Let's totally remove Firefox and start over.

Go here: https://support.mozilla.org/en-US/kb/uninstall-firefox-from-your-computer and follow those instructions...

Ensure when the uninstall completes to navigate to and delete the Firefox installation folder (if present):

(32-bit Windows) C:\Program Files\Mozilla Firefox
(64-bit Windows) C:\Program Files (x86)\Mozilla Firefox

It is essential the installation folder is removed. Re-boot your system when that is completed....

Next,

To remove all remaining data and profile information...

Press "Windows key + R" to open the Run box
In the Run box, type in or copy and paste %APPDATA%
Click OK. A Windows Explorer window will appear.
In this window, choose/open in succession Mozilla > Firefox > Profiles.
Select Delete on each entry in reverse, eg Profiles > Delete. Firefox > Delete. Mozilla > Delete.

Re-boot your system when complete!

Next,

Use the Mozilla Firefox installer to reinstall your Browser....

When Firefox is installed and open, press these keys together: Ctrl - Shift - A. That will open the Add-ons manager, which gives access to find add-ons/extensions, use, start, stop or disable those features etc....

uBlock-Origin can be installed from here: https://addons.mozilla.org/en-GB/firefox/addon/ublock-origin/ <<--- Recommended.
 
Does that help..?
 
Thank you,
 
Kevin..

I went through the process, and all seems to be working.  Since this happened erratically (a few websites and only occasionally), time will tell, and I will return to this post in a week or so to provide feedback. Thanks for the response and clarification of the definition "outgoing"!


Went through the removal and replacement process, and then went browsing.  No popups, until I went back to  http://forums.storagereview.com/

There Malwarebytes popped up as posted above.  So at least the website is consistent in forwarding to this jsblom.com. Other than that I don't know what websites kicked this off.  Looking at the logs, the other two that pop up are:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 10/1/18
Protection Event Time: 8:31 PM
Log File: 9acb64e6-c5f3-11e8-9d56-d0509961dd58.json

-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.441
Update Package Version: 1.0.7125
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Category: Trojan
Domain: reauthenticator.com
IP Address: 104.28.4.162
Port: [56201]
Type: Outbound
File: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

 

(end)

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 10/16/18
Protection Event Time: 8:29 AM
Log File: 45624338-d158-11e8-873b-d0509961dd58.json

-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.441
Update Package Version: 1.0.7381
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Category: Malware
Domain: www.pavtube.com
IP Address: 198.255.68.43
Port: [65393]
Type: Outbound
File: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

 

(end)

Not sure what association is beyond this.  Having browsed for a couple days without the popup repeating except consistently from the forum at storage review site....don't know what the other sites were that triggered the popup...

The other thing that seems curious, but probably not associated is firefox was installed in c:\Program Files (X86)\ that I deleted as part of the clean install (no entries in c:\Program Files\), and is now installed in c:\Program Files\.  Firefox about shows version 62.0.3 (64-bit)....I haven't found why, but posted a question at mozilla...

 


Additional information that leads me to believe this is driven by the website and maybe malwarebytes:

Went to Internet explorer and got the same result, output below.  Then went to a different computer with current version of malwarebytes installed and got the same result from firefox!

Any comments would be appreciated.....

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 10/20/18
Protection Event Time: 10:08 AM
Log File: d202189c-d48a-11e8-b4c8-d0509961dd58.json

-Software Information-
Version: 3.6.1.2711
Components Version: 1.0.463
Update Package Version: 1.0.7438
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Category: Trojan
Domain: jsblom.com
IP Address: 104.27.172.3
Port: [50891]
Type: Outbound
File: C:\Program Files (x86)\Internet Explorer\iexplore.exe

 

(end)


Mozilla Firefox has two versions: 32-bit, installed to the "Program Files (x86)" folder, and 64-bit, installed to the "Program Files" folder. I have both installed on my system, but only use the 64-bit version.

I`m not sure what you mean about Malwarebytes, continue as follows:

Please download Zemana AntiMalware and save it to your Desktop.
 
  • Install the program and once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.
    Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually.
     
  • Open Zemana AntiMalware again.
  • Click on the report icon (image missing from the post) and double click the latest report.
  • Now click File > Save As and choose your Desktop before pressing Save.
  • Attach saved report in your next message.

I may not have been clear on my comments on the experiments I did with malwarebytes to get the popup. 

I noticed that occasionally I would get a trojan popup per previous posts.  I identified one website that would cause the popup consistently (appears identified with Firefox).  I uninstalled and reinstalled Firefox with the same popup result from forums.storagereview.com. Then I went into that site with Microsoft Internet Explorer and got the same popup/trojan warning as with Firefox, except from iexplore.exe.  Then I went to another computer, went to the same site using Firefox, and Malwarebytes ver 3.6.1.2711 on that computer gave the same popup from firefox.exe.

It seems to me the problem is with the forum site, and malwarebytes is doing its job...?  But the original question was what is the meaning of the popup log posted above?

I did the scan with Zemana, attached.  It did indicate several dlls on software I have used for years (ie quicken, dbpoweramp) failed, but said the system is clean.

Any thoughts to clarify this?

Thanks

2018.10.20-12.07.48-i0-t92-d0.txt


Have a look at the following link: https://whois.domaintools.com/104.27.172.3  Note that 310 websites use that IP address; if you are unlucky enough to land on one, you have booked a trip to Cloudflare...

I assume the plan is to get you to end up here: https://www.cloudflare.com/plans/?utm_referrer=https://www.google.co.uk/  Cloudflare is out to make money..

Also have a look at this link: https://cleantalk.org/blacklists/104.27.172.3 It seems to be a noted spammer. I agree with your assumption, Malwarebytes is definitely doing its job. You`ve got to wonder what happens to anyone without Malwarebytes Premium. 


5 hours ago, kevinf80 said:

You`ve got to wonder what happens to anyone without Malwarebytes Premium.

So I believe the computer is not "infected", the log from malwarebytes

Website Data-
Category: Trojan
Domain: jsblom.com
IP Address: 104.27.173.3
Port: [57761]
Type: Outbound
File: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

Could be interpreted as indicating - the website is attempting via firefox to forward you (or your information) to 104.27.173.3 ?  And MB is blocking...

That's my interpretation of your comment and my experiment. 

Thanks


If you open Firefox, leave it on the homepage and receive a block from Malwarebytes, then it can mean Firefox is exploited. If nothing happens on the homepage, or on other sites you normally use, Firefox and your PC are OK. If you visit a website with this domain, jsblom.com, and Malwarebytes creates a block, then it is safe to assume it's down to the website. I've just tried to connect to that domain; Malwarebytes blocked the connection.... We can clean up, no further action needed..

Uninstall Zemana (unless you want to keep it) http://www.askvg.com/how-to-completely-uninstall-remove-a-software-program-in-windows-without-using-3rd-party-software/

Run Windows Disk Clean Up Utility - https://neosmart.net/wiki/disk-cleanup/

From there you should be good to go...

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...
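To make the interpretation settled in the posts above concrete, here is a small parser for the Malwarebytes 3.x "Blocked Website" records quoted in this thread. It is an added example written for this page, not Malwarebytes code, and it reads only the "-Website Data-" section of each record. It labels a block as browser-initiated or not (the distinction Kevin's homepage test is getting at: a browser reaching a blocklisted host while you are on some site points at that site, while a non-browser process doing so points at something running on the PC), groups each blocked domain by the processes that reached it, and flags IPs that sit in a CDN's shared edge ranges, which is why the domain, not the IP, carries the reputation. Assumptions: the CDN range list is a snapshot of Cloudflare's published IPv4 list at the time of writing and must be refreshed (Cloudflare has narrowed the 104.16.0.0/12 block it once announced, so the 2018 address 104.28.4.162 from the thread is not matched by it); the remark about ports is an inference from all four values falling in the Windows dynamic range (49152 to 65535), not documented behaviour of the log format; the sample records are copied from the posts above.

```python
"""Parse Malwarebytes 'Blocked Website' records and say what each block means.
Added example for this thread, not Malwarebytes code."""
import ipaddress
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Sample input, copied from the four records quoted in this thread (only the
# "-Website Data-" section is needed here).
SAMPLE_RECORDS = r"""
-Website Data-
Category: Trojan
Domain: jsblom.com
IP Address: 104.27.173.3
Port: [57761]
Type: Outbound
File: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

-Website Data-
Category: Trojan
Domain: reauthenticator.com
IP Address: 104.28.4.162
Port: [56201]
Type: Outbound
File: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

-Website Data-
Category: Malware
Domain: www.pavtube.com
IP Address: 198.255.68.43
Port: [65393]
Type: Outbound
File: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

-Website Data-
Category: Trojan
Domain: jsblom.com
IP Address: 104.27.172.3
Port: [50891]
Type: Outbound
File: C:\Program Files (x86)\Internet Explorer\iexplore.exe
"""

BROWSERS = {"firefox.exe", "iexplore.exe", "chrome.exe", "msedge.exe"}

# Assumption: snapshot of Cloudflare's published IPv4 edge ranges; refresh it
# before relying on it, the list changes over time.
CDN_RANGES = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "162.158.0.0/15",
    "198.41.128.0/17", "141.101.64.0/18", "108.162.192.0/18", "173.245.48.0/20",
    "190.93.240.0/20", "188.114.96.0/20", "103.21.244.0/22", "103.22.200.0/22",
    "103.31.4.0/22", "197.234.240.0/22", "131.0.72.0/22",
)]

FIELD_RE = re.compile(r"^(Category|Domain|IP Address|Port|Type|File):\s*(.+?)\s*$")


@dataclass
class BlockRecord:
    category: str
    domain: str
    ip: str
    port: int
    direction: str  # "Outbound" or "Inbound" as Malwarebytes reports it
    file: str       # full path of the process that opened the connection

    @property
    def process(self) -> str:
        return ntpath.basename(self.file).lower()


def parse_records(text: str) -> List[BlockRecord]:
    """Split a log dump on its '-Website Data-' headers and read each section."""
    records = []
    for chunk in text.split("-Website Data-")[1:]:
        fields = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m.group(1)] = m.group(2)
        records.append(BlockRecord(
            category=fields["Category"], domain=fields["Domain"],
            ip=fields["IP Address"], port=int(fields["Port"].strip("[]")),
            direction=fields["Type"], file=fields["File"]))
    return records


def classify(rec: BlockRecord) -> str:
    """'Outbound' means the listed process opened the connection from this PC."""
    if rec.direction.lower() != "outbound":
        return "inbound"
    return "browser-initiated outbound" if rec.process in BROWSERS else "non-browser outbound"


def in_windows_dynamic_port_range(port: int) -> bool:
    # Windows Vista and later allocate local (source) ports from 49152-65535.
    return 49152 <= port <= 65535


def is_shared_cdn_edge(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_RANGES)


def processes_by_domain(records: List[BlockRecord]) -> Dict[str, Set[str]]:
    """Same domain reached from several processes (or machines) points at the site, not the PC."""
    seen: Dict[str, Set[str]] = {}
    for rec in records:
        seen.setdefault(rec.domain, set()).add(rec.process)
    return seen


def explain(rec: BlockRecord) -> str:
    kind = classify(rec)
    notes = [f"{rec.process} -> {rec.domain} ({rec.ip}) blocked as {rec.category}: {kind}"]
    if kind == "browser-initiated outbound":
        notes.append("the browser requested this host, typically a resource or redirect on a page you visited")
    elif kind == "non-browser outbound":
        notes.append("a non-browser process reached out; examine that process for persistence")
    if in_windows_dynamic_port_range(rec.port):
        notes.append(f"port {rec.port} is in the Windows dynamic range, consistent with a local source port rather than the remote service")
    if is_shared_cdn_edge(rec.ip):
        notes.append("the IP is a shared CDN edge, so judge the domain, not the IP")
    return "; ".join(notes)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for rec in recs:
        print(explain(rec))
    print(processes_by_domain(recs))
```

Run as-is to see the four records explained; the jsblom.com entry shows up from both firefox.exe and iexplore.exe, which is the same cross-browser check the original poster did by hand.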

Thanks for the interesting links, and help!  Zemana uninstalled (I use Revo judiciously) and noticed Zemana is a bit sloppy in their uninstall (program files and registry).  I now understand Malwarebytes logs require some interpretation as to the issue. Keep up the good work, as it really helped clarify this for me.


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks
