
Last night Malwarebytes started blocking IPs in Firefox when the browser opens - and whenever I use the browser to surf. The browser is working slowly and these same IPs are not being blocked in IE:

216.240.187.103

216.240.187.102

The browser fights to connect with these IPs. I believe after a bit of troubleshooting it is related to the updater. When I disable the IP protection, the updater for the browser and the updater for my addons works. They do not connect when malwarebytes is on. I don't know if this is a false positive or if somehow my browser is infected or corrupted.

I have tried to contact firefox to find out if these ips are related to their service. I did not get very much information. They did say that .103 is a firefox 403 forbidden error. They did not address the .102 ip at all during the chat session. I did follow their instructions to re-add their program in McAfee. [I had been getting a message that update XML file malformed (200)] After re-adding the program to my firewall, I no longer got that error notice but it still would not update unless I disabled the Malwarebytes IP protection. They gave no other info. I have been through their troubleshooting process. I have started it in safe mode - same alerts. I have disabled all addons and I have no themes - same problem on startup of firefox - getting alerts to the IPs. I redownloaded the program - same problems. The only thing I have not done yet is a wipeout and a complete reinstall from scratch - which I am trying to avoid in order not to lose my bookmarks and have to reload all the features.

I have run my full-scan malwarebytes and get no issues. I have run a full scan in McAfee and get no issues - I also ran their scan from their website to make sure that their program's antivirus is not being blocked somehow.

The mbam log which was run in the developer's mode was:

Malwarebytes' Anti-Malware 1.41

Database version: 3081

Windows 5.1.2600 Service Pack 3

11/2/2009 12:43:19 PM

mbam-log-2009-11-02 (12-43-19).txt

Scan type: Full Scan (C:\|)

Objects scanned: 190664

Time elapsed: 1 hour(s), 25 minute(s), 42 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

My discussion with Firefox was:

Thank you for using Firefox Support's Live Chat. If you still need help, you can visit http://support.mozilla.com to find an answer or ask another question.

[12:25 PM] wandergirl has joined the room

[12:25 PM] zzxc has joined the room

[12:25 PM] zzxc: Hello

[12:25 PM] wandergirl: HI did you get my message? I need help.

[12:27 PM] wandergirl: I am getting alerts that malicious IPs are being blocked in my browser: 216.240.187.103 & .102

[12:27 PM] zzxc: yes

[12:27 PM] zzxc: '

[12:27 PM] zzxc: Are they blocked in other browsers as well?

[12:27 PM] wandergirl: no

[12:27 PM] wandergirl: Do you work with these IPs?

[12:28 PM] wandergirl: I have tried all of your troubleshooting directions and nothing helps. I have even disabled Malwarebytes to see if it is a false positive blocking the updater and it is not.

[12:29 PM] wandergirl: I still get the error for malformed file (200) when Malwarebytes is disabled.

[12:31 PM] wandergirl: I do not get the messages when I use IE.

[12:33 PM] zzxc: I get a 403 forbidden error at 216.240.187.103

[12:33 PM] wandergirl: The only troubleshooting step I have not yet taken is the complete wipeout of firefox for a fresh reload. I have already done a reinstall without wipeout.

[12:33 PM] wandergirl: what is that?

[12:33 PM] wandergirl: what do think is going on?

[12:34 PM] zzxc: Does this work when malwarebytes is disabled?

[12:36 PM] wandergirl: no the updater still will not update - I get the xml file malformed 200 error even when malwarebytes disabled.

[12:37 PM] wandergirl: nothing will update - not even addons.

[12:39 PM] zzxc: ok

[12:39 PM] zzxc: try running enumprocess to see all other security programs

[12:39 PM] zzxc: http://www.trolly.homepage.t-online.de/EnumProcess.exe

[12:40 PM] wandergirl: It says windows firewall is off 9 processes from McAfee detected - I use their firewall.

[12:43 PM] wandergirl: I use malwarebytes and mcafee total protection. Only malwarebytes is blocking what it deems to be malicious ips from loading into the firefox browser. this does not happen on IE

[12:44 PM] wandergirl: has my browser been corrupted?

[12:44 PM] wandergirl: I am trying to figure that out if it is corrupted or this is a false positive.

[12:44 PM] zzxc: What did enumprocess say?

[12:45 PM] zzxc: This problem is usually caused by a misbehaving firewall.

[12:45 PM] wandergirl: it said that windows firewall is off and 9 processes from mcafee detected.

[12:46 PM] wandergirl: I have already tried disabling the ip addresses in my firewall - then the updater just reads no updates available. when i took the addresses out of the blocked list, the programs tries to update but cannot - again the prol

[12:47 PM] wandergirl: the problem is that malwarebytes is blocking it - not the firewall and says that the ips are malicious and I was assuming that they were associated with the updater

[12:48 PM] wandergirl: when i looked up the ips online one said that the .103 was associated with firefox

[12:48 PM] wandergirl: but you have said that .103 is a forbidden error

[12:50 PM] zzxc: Which firewall do you have?

[12:50 PM] wandergirl: McAfee - it is part of the total protection security suite

[12:54 PM] zzxc: try the steps at ((configuring mcafee internet security))

[12:56 PM] wandergirl: ok hold on

[12:56 PM] wandergirl: do I have to close our chat to perform this?

[12:59 PM] wandergirl has left the room

Like I said these instructions did nothing. The browser had been set to full access in my firewall. When I re-installed firefox.exe, I gave it only outgoing permissions. The same alerts happened nothing changed.

Please please help me figure this out.


These IP's aren't Firefox related, they belong to a range owned by Internet Express, and are related to Trellian;

http://hosts-file.net/?s=216.240.187.103

There's currently over 200 malicious sites within that range, so I'd advise you use a program such as Fiddler to try and find out exactly why it's contacting those IP's;

www.fiddlertool.com

Once Fiddler is installed, load Firefox and check the connections in Fiddler. Save the Fiddler log, then repeat the process with MBAM's IP Protection disabled so we can see the actual packets.

I am not sure how to do this. I could not get the file to upload from firefox so I have opened IE to try........ I could not upload the session I saved. I do not know what to do or what you are asking me to do.


Well since I could not figure out how to use fiddler, I decided to go with the find option - clean uninstall of firefox. The only personal info I saved was my bookmarks. I completely deleted all the folders from my system and user profiles. When I did a clean install, I added all of my extensions one by one, restarting firefox after each install in order to see if the alerts were triggered with any of the extensions. They were not. I can only assume that I had malware in my browser which was trying to contact or was attracting the malicious websites to try to contact me through firefox - as I was not having the problem in IE. I have even updated my malwarebytes immediately to make sure the IP protection was the most current. So my problem is solved but I don't know the root of the problem other than it was related to my old firefox browser which was the currently available version, but must have gotten corrupted in some manner and whatever the issue was it could not be detected by malwarebytes or mcafee.


Well I think I may have figured it out, but I don't have the old info before I reinstalled the browser. I did get one blocked access notice for the same IP - .102, I did not catch it enough to see if .103 went off, but at any rate it is much less - only once so far. I will try to upload the info from fiddler:

it did upload this time.

71_Full.txt


Sorry for taking so long to reply.

The attachments are only showing a single connection to Yahoo. Please see below for instructions regarding Fiddler;

1. Load Fiddler

2. Load Firefox and go to the affected site

3. Once the site has loaded, press CTRL+A to select EVERYTHING in the left hand pane of Fiddler

4. Right click the selected items and select "Copy" > "Full Summary"

5. Paste the results into Notepad

Save the first one (with MBAM's IP Protection enabled) as "FULL_IPBL", and the second (with the IP Protection disabled) as "FULL_NOIPBL".
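One way to actually compare the two captures the reply asks for, as an added example that is not from the thread or from Fiddler itself: it parses two "Full Summary" exports (the tab-separated column layout and the sample captures are assumptions constructed here, not the poster's real attachments), lists the hosts that only appear once IP Protection is disabled, and flags any of them that fall inside the 216.240.187.0/24 range the reply mentions, together with the process that opened the connection.

```python
import ipaddress
from typing import Dict, List

# Assumed column order of Fiddler's "Copy > Full Summary" export (tab-separated).
# Only Host, URL and Process are used below.
FIELDS = ["#", "Result", "Protocol", "Host", "URL", "Body", "Caching",
          "Content-Type", "Process", "Comments", "Custom"]

# The range the forum reply attributes to Internet Express / Trellian.
SUSPECT_NET = ipaddress.ip_network("216.240.187.0/24")

# Constructed sample captures: one with IP Protection enabled, one without.
HEADER = "\t".join(FIELDS) + "\n"
SAMPLE_IPBL = HEADER + (
    "1\t200\tHTTP\twww.yahoo.com\t/\t8120\t\ttext/html\tfirefox:1234\t\t\n")
SAMPLE_NOIPBL = HEADER + (
    "1\t200\tHTTP\twww.yahoo.com\t/\t8120\t\ttext/html\tfirefox:1234\t\t\n"
    "2\t403\tHTTP\t216.240.187.103\t/\t0\t\ttext/html\tfirefox:1234\t\t\n"
    "3\t200\tHTTP\taddons.mozilla.org\t/update\t512\t\ttext/xml\tfirefox:1234\t\t\n")


def parse_summary(text: str) -> List[Dict[str, str]]:
    """Turn a Full Summary export into one dict per session row."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split("\t")
        if parts[0] == "#" or len(parts) < 5:  # skip the header and junk lines
            continue
        rows.append(dict(zip(FIELDS, parts)))
    return rows


def host_in_suspect_range(host: str) -> bool:
    """True when the Host column is a literal IP inside SUSPECT_NET."""
    try:
        return ipaddress.ip_address(host.split(":")[0]) in SUSPECT_NET
    except ValueError:
        return False  # a hostname; no DNS lookups are done offline


def diff_captures(ipbl: str, noipbl: str) -> Dict[str, Dict[str, object]]:
    """Hosts seen only with IP Protection disabled are the ones MBAM blocked."""
    seen_with_protection = {r["Host"] for r in parse_summary(ipbl)}
    report = {}
    for r in parse_summary(noipbl):
        if r["Host"] in seen_with_protection:
            continue
        report[r["Host"]] = {"suspect": host_in_suspect_range(r["Host"]),
                             "process": r["Process"], "url": r["URL"]}
    return report


if __name__ == "__main__":
    for host, info in diff_captures(SAMPLE_IPBL, SAMPLE_NOIPBL).items():
        print(host, info)
```

Run it against the real FULL_IPBL and FULL_NOIPBL files by reading them in place of the constructed strings; the "process" field is what tells you whether Firefox itself or another program opened the connection.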


I will give this a try. I am also sorry that my own response time is not quick. For some reason I am not getting notified that you have responded to my thread by email. I did enable email notification.

It will be a bit difficult to guess which program is the culprit. Since the reinstall firefox is updating properly. The alerts did go off when I hit my pdf primo. I will try that again and see. Since the reinstall, it will alert occasionally not constantly like it was doing before the reinstall of my firefox browser.


I can't get the alerts to go off again - even when I access www.HealthFreedomUSA.org and the other associated websites of health freedom. Malwarebytes had been blocking a malicious IP associated with their sites. However before I got your last instructions, I got desperate. I reloaded my SpySweeper program which I had uninstalled a couple weeks ago and ran it. It caught over 30 cookies - all trackers none high risk. However it indicated that I had over 138 cookies total, so I went to McAfee and ran the computer cleanup. Between these two programs the cookies may have been wiped out which were triggering all the malicious alerts. At any rate I can't make the situation reproduce at this time. But I will upload the reports for you to review:

FULL_IPBL.txt

FULL_NOIPBL.txt


I did figure out why I might not be blocked at healthfreedom anymore - perhaps it is because my Firefox addon NoScript reloaded with a clean whitelist. It no longer allows scripts by healthfreedomusa.org or any of the associated scripts on that page: altavista, addthis, ekstreme

Please don't give up on me ok? Until I hear back from you, I have decided to block these in my firewall.

216.240.187.103

216.240.187.102

I have not blocked the healthfreedom site which I was getting alerts on but am not currently:

208.100.34.31

If for some reason I should still be getting the alert - wait I will check in IE.... no, no longer getting the alerts in IE either for the email which was setting it off. I did not want to go to the website lest those scripts run if they are bad - I can't block them in IE.

The website link where I would have normally been blocked by malwarebytes is:

Money Bomb! Dr. Rima + Gen. Bert at Codex: http://www.healthfreedomusa.org/?p=3686


Thanks for letting me know ;)

Due to the nature of the range these IP's reside on, I'd advise continuing to block them.

healthfreedomusa.org itself resolves to the 208.100.34.31 IP you mentioned, and currently has 5 malicious neighbours.


Thanks for your help. I could post a list of all the spy cookies quarantined by SpySweeper and the log from McAfee of what was cleaned off - (if I can manage to pull it up) - if that would be of any help in possibly identifying the source. In the meantime concerning the IP 208.100.34.31, I could block it in my firewall and only allow it when I need to visit the HealthFreedom website. Will that work? That way the other malicious sites associated with that IP will never have access in the meanwhile while surfing? When you said that HealthFreedom has 5 malicious neighbors are they related to the same non-profit entity or are just other websites hosted by the IP?


1 month later...

Those IP addresses are both known to be infected with Rogue Antiviruses. Right now I am trying to get rid of one at the library I work at. It has infected our Server somehow. Not fun. Malwarebytes did detect viruses on one of the machines in our domain. However, after removing the viruses, I still am getting DNS redirects. Not fun. Hope this helps a little.

Steve
