Constant Inbound Malvertising blocked from the same IP address

[dillydadally]

About every 20 seconds, I have a popup on my computer from Malwarebytes Premium saying it is blocking an inbound Malvertising attempt from 212.224.118.213 on port 80. It's always the same IP address.

I have done a clean reboot, with all services and startup processes disabled and all browsers completely closed and the popup continues to notify me.

I tried adding the IP address to be blocked in my Windows Firewall and it still pops up.

I've done a scan in Malwarebytes Premium and it came up clean.

I ran AdwCleaner a few times and it found 9 problems, which I fixed, but the problem persisted.

I would appreciate any help you can offer! Thank you!

 

AdwCleaner[C00].txt AdwCleaner[S00].txt AdwCleaner[S01].txt Malwarebytes Premium Scan.txt FRST.txt Addition.txt

[AdvancedSetup]

Hello @dillydadally and

Can you please post the Malwarebytes Protection log that shows this IP address or site being blocked.

Thank you

Ron

 

[dillydadally]

Here's a log you requested. Thanks!

Malwarebytes Protection log.txt

[gadgetgrrl]

I am having similar problem. Same IP. Windows 10, MWB 3.7.1.2839

Every 48 seconds, like clockwork, I get the following pop-up. I have closed all browsers, powered down the PC, I even added a Defender Firewall EXCLUDE for all traffic inbound from the IP. The firewall rule has no affect in stopping the popup. Very strange.

The Pop-Up that I get:
Website blocked due to malvertising
(no domain listed)
IP Address: 212.224.118.213
Port: 3389
Type: Inbound

[dillydadally]

Yup, same IP address and inbound. The weird thing is for me it's port 80.

[AdvancedSetup]

Normally there isn't too much one can do about inbound blocks except add to the firewall if they continue. Typically they subside on their own after a few hours or in some rare cases a couple days. I'm checking with our Research Team to see if there might be anything else going on. It's nearly midnight for the team with an approaching holiday so I may not get a reply right away but will respond once I hear back.

Thank you for your patience

Ron

 

 

[AdvancedSetup]

Hello @dillydadally

Can you please open Malwarebytes, then go to Settings, and on the Application tab click the Install Application Updates. Your log shows an older version of the program,  3.7.1.2839 we're currently on 3.8.3

Then reboot the computer and let me know if you're still getting this block.

 

@gadgetgrrl

Can you please post back your Protection log.

Thanks

Ron

 

[gadgetgrrl]

Log of one of the events, as requested.

 

mwb-log.txt

[dillydadally]

Well, last night at 11pm I logged into my computer and it was still happening. This morning at 9am I logged in and the notifications had completely stopped, with me having changed nothing. I'm hoping this means, like you said, they just gave up (as opposed to they somehow got in!). 

I did update Malwarebytes as well as you suggested. I will let you know if the block notifications start up again.

[gadgetgrrl]

Same situation with me (that dillydadally reported). The pop-ups started at 8:35am PDT on 7-2-2019 and stopped 1:52am PDT on 7-3-2019. They had been occurring an average of once every 48 seconds. I also have updated to 3.8.3.

The only thing that still bothers me is that the first thing I did on 7-2-2019 is to add a firewall rule to block ALL incoming from 212.224.118.213. I triple checked it for typos. I rebooted the PC. This rule did NOT stop the MWB pop-ups. Seems strange, since it would implicate something internal to MWB that was causing the pop-ups. But all is well now. Will report back here if it starts again. Thanks.

[AdvancedSetup]

Yes, your version is/was older as well @gadgetgrrl - not sure what was going on but there were multiple fixes since your older version.

If you do have any other issues though please let us know, and thank you for using Malwarebytes

Ron

 

[AdvancedSetup]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks