MWB keeps flagging Private Internet Access and random IP addresses



Ever since I installed the trial of Malwarebytes, it keeps flagging and blocking random IP addresses without identifying the source. How is this helpful? It doesn't tell me the location of the IP address or what app or browser plugin or process initiated the outgoing connection.

In addition, Malwarebytes repeatedly blocks Private Internet Access IP address even when I'm not connected via VPN. What's going on there? Is this design by obscurity? How can I trust Malwarebytes when it gives me no option to verify what it's doing? And why would a legitimate VPN service like PIA with a long history of trust be considered a "trojan" or "riskware"?

 

And here's another example: Malwarebytes keeps blocking one particular IP address (199.36.223.34). Great. So why is RTP detection blocking this? It claims it's malware and yet when I scan for malware with Malwarebytes or other apps, it finds none. So what is trying to phone home? Without this information, I can't troubleshoot or diagnose this. How is this helpful to the user?


  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes for Windows Help forum.

If you are having technical issues with our Windows product, please do the following:

Malwarebytes Support Tool - Advanced Options

This feature is designed for the following reasons:

  • For use when you are on the forums and need to provide logs for assistance
  • For use when you don't need or want to create a ticket with Malwarebytes
  • For use when you want to perform local troubleshooting on your own

How to use the Advanced Options:

  1. Download Malwarebytes Support Tool
  2. Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  3. Place a checkmark next to Accept License Agreement and click Next
  4. Navigate to the Advanced tab
  5. The Advanced menu page contains four categories:
    • Gather Logs: Collects troubleshooting information from the computer. As part of this process, Farbar Recovery Scan Tool (FRST) is run to perform a complete diagnosis. The information is saved to a file on the Desktop named mbst-grab-results.zip and can be added as an email attachment or uploaded to a forum post to assist with troubleshooting the issue at hand.
    • Clean: Performs an automated uninstallation of all Malwarebytes products installed to the computer and prompts to install the latest version of Malwarebytes for Windows afterwards. The Premium license key is backed up and reinstated. All user configurations and other data are removed. This process requires a reboot.
    • Repair System: Includes various system-related repairs in case a Windows service is not functioning correctly that Malwarebytes for Windows is dependent on. It is not recommended to use any Repair System options unless instructed by a Malwarebytes Support agent.
    • Anonymously help the community by providing usage and threat statistics: Unchecking this option will prevent Malwarebytes Support Tool from sending anonymous telemetry data on usage of the program.
  6. To provide logs for review click the Gather Logs button
  7. Upon completion, click OK
  8. A file named mbst-grab-results.zip will be saved to your Desktop
  9. Please attach the file in your next reply.
  10. To uninstall all Malwarebytes Products, click the Clean button.
  11. Click the Yes button to proceed. 
  12. Save all your work and click OK when you are ready to reboot.
  13. After the reboot, you will have the option to re-install the latest version of Malwarebytes for Windows.
  14. Select Yes to install Malwarebytes.
  15. Malwarebytes for Windows will open once the installation completes successfully.

If you are having licensing issues, please do the following: 


For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/hc/en-us/requests/new to get help

If you need help looking up your license details, please head here: Find my premium license key

 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team


8 minutes ago, FlipSkip said:

Ever since I installed the trial of Malwarebytes, it keeps flagging and blocking random IP addresses without identifying the source. How is this helpful? It doesn't tell me the location of the IP address or what app or browser plugin or process initiated the outgoing connection.

Please attach some of the logs with web blocks.

MBAM 4.* instructions for the log:

 

  1. Open the Scanner Box.
  2. Click on the Detection History Box.
  3. Mouse over the Scan Report of the correct log with the detection listed to highlight it.
  4. Click the Download/export button and give it a name, for example: fpreport.txt
  5. Save it to the desktop or somewhere on your computer you can find it.

Attach the scan logs with your post.

10 minutes ago, FlipSkip said:

So why is RTP detection blocking this? It claims it's malware and yet when I scan for malware with Malwarebytes or other apps, it finds none. So what is trying to phone home?

 

Also, please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

 

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thanks


I had this problem late last year and apparently it is still going on. The (slightly) funny part is that when I opened a ticket with PIA about this issue they basically sent me a link to my own thread on here about it and said "it's a known issue already." Of course they couldn't have known I was the one that started the topic, but I didn't get much else out of them after that. I now use a different VPN instead that doesn't seem to have any rogue IP warnings pop up every once in a while like PIA used to.

 


There are two IP addresses that Malwarebytes' RTP detection repeatedly blocks as either malware or trojan.

199.36.223.34 - Quebec, Canada; ISP: Total Server Solutions L.L.C. and Performive LLC (https://performive.com/)

212.102.52.87 - UK; ISP: Datacamp Ltd (https://datacamp.co.uk/)

 

They are outbound either from the System (which is too vague to be helpful) or from Private Internet Access. The lack of details is frustrating, especially when compared to a product like Little Snitch on macOS which gives detailed information about the exact process and port number on both outbound and inbound IP addresses.

 

 

detection_1.txt detection_2.txt detection_3.txt


  • Staff

Hello,

199.36.223.34 - IP address has been unblocked.

212.102.52.87 - is blocked due to this communicating file (C2)

https://www.virustotal.com/gui/file/f4455ede7b38234cb5072c608990fada9a63fb3806df9638e03506e470c06902/behavior/VirusTotal%20Jujubox

 

Thank you.


10 hours ago, JPopovic said:

Hello,

199.36.223.34 - IP address has been unblocked.

212.102.52.87 - is blocked due to this communicating file (C2)

https://www.virustotal.com/gui/file/f4455ede7b38234cb5072c608990fada9a63fb3806df9638e03506e470c06902/behavior/VirusTotal%20Jujubox

 

Thank you.

Thank you for the update.

How do I identify which process or program is trying to contact this IP address from my system? When I do a system wide search for "Jujubox", nothing shows up. And full scans of my system both with Windows Defender and Malwarebytes find no threats.


  • Staff
17 minutes ago, FlipSkip said:

Thank you for the update.

How do I identify which process or program is trying to contact this IP address from my system? When I do a system wide search for "Jujubox", nothing shows up. And full scans of my system both with Windows Defender and Malwarebytes find no threats.

That data should be in your protection log; it should show the associated process path.


1 hour ago, Zynthesist said:

That data should be in your protection log; it should show the associated process path.

 

-Website Data-
Category: RiskWare
Domain:
IP Address: 212.102.52.87
Port: 0
(No malicious items detected)
Type: Outbound
File: C:\Program Files\Private Internet Access\pia-service.exe

 

Why would Private Internet Access be trying to connect to a malware domain? Is this a false positive? Because if PIA were doing anything malicious, it would be all over social media by now.

 

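One way to make the protection-log entries quoted above actionable, as an added example that is not from this thread or from Malwarebytes: a small Python parser for the "-Website Data-" key/value layout shown in the log excerpt, which groups blocks by (process path, IP address) so a process that keeps hitting one address stands out; the sample log is constructed from the format in the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the '-Website Data-' layout quoted in this thread.
SAMPLE_LOG = """\
-Website Data-
Category: RiskWare
Domain:
IP Address: 212.102.52.87
Port: 0
(No malicious items detected)
Type: Outbound
File: C:\\Program Files\\Private Internet Access\\pia-service.exe
-Website Data-
Category: Malware
Domain:
IP Address: 199.36.223.34
Port: 443
Type: Outbound
File: System
-Website Data-
Category: RiskWare
Domain:
IP Address: 212.102.52.87
Port: 0
Type: Outbound
File: C:\\Program Files\\Private Internet Access\\pia-service.exe
"""

KV_RE = re.compile(r"^(Category|Domain|IP Address|Port|Type|File):\s*(.*)$")

def parse_website_blocks(text):
    # One dict per '-Website Data-' block, keyed by the log's own field names.
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == "-Website Data-":
            current = {}
            entries.append(current)
        elif current is not None and (m := KV_RE.match(line)):
            current[m.group(1)] = m.group(2)
    return entries

def blocks_by_process(entries):
    # (File, IP Address) -> count; 'System' or an empty File means the log gave
    # no usable process path, so those blocks need follow-up with other tooling.
    counts = defaultdict(int)
    for e in entries:
        counts[(e.get("File") or "System", e.get("IP Address", ""))] += 1
    return dict(counts)
```

Run it over an exported protection log to see which executable, if any, is behind each repeated block before deciding whether to treat it as a false positive.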

I heard back from PIA Support. They said that the IP address '212.102.52.87' is managed by Private Internet Access. Their additional instructions were as follows:

 

I understand that PIA is being detected as a threat by Malwarebytes.

 

Due to two (2) of the protection systems found in Malwarebytes, it may sometimes interfere with the processes our VPN application requires to operate. To resolve this, please follow the below instructions:

 

1. Right-click on the Malwarebytes icon in your system tray.
2. Click on Malwarebytes Anti-Malware
3. Click the Settings icon at the top. 
4. Select the Detection and Protection menu on the left-hand side of the window. 
5. Click into the drop-down menu under the heading "PUP (Potentially Unwanted Program) detections," and select "Warn User About Detections."
6. Click into the drop-down menu under the heading "PUM (Potentially Unwanted Modification) detections," and select "Warn User About Detections." 

 

Additionally, you may also add the following exceptions below to your Malwarebytes antivirus program (NOTE: Please be aware that disabling or uninstalling your antivirus software will not resolve this issue, as once PIA has been flagged as a potential threat, this has already been written to the Windows registry, and adding the exceptions is the only way to remove these entries from the Windows registry):

 

**NOTE: Please be aware that these files may not line up with your specific version of antivirus software; if this is the case, you may need to search online for steps that are a better match to your version.**

 

File Exclusions:
Windows:
  • C:\Program Files\Private Internet Access
  • C:\Program Files\Private Internet Access\tap\win10
  • C:\Program Files\Private Internet Access\tap\win7
  • C:\Program Files\Private Internet Access\pia-client.exe
  • C:\Program Files\Private Internet Access\pia-openvpn.exe
  • C:\Program Files\Private Internet Access\pia-service.exe
  • C:\Program Files\Private Internet Access\pia-support-tool.exe
  • C:\Program Files\Private Internet Access\pia-wgservice.exe
  • C:\Program Files\Private Internet Access\pia-unbound.exe

 

 
