
[bug] Various nslookups result to some localhost ip


Solved by Richard63

Seems since shortly we have an issue on our hands.

When trying an nslookup to a Polish site, I got no popup or warning from Malwarebytes.

However the correct IP was not given but I got a result of 127.53.0.1 instead.

Of course this was not the correct IP. Then I tried again, trying to look it up via Cloudflare, like this:
nslookup somedomain.pl 1.1.1.1

and the same thing happened.

Then I set the 1.1.1.1 IP in my router as default DNS, tried again, and in both ways (normal nslookup and with 1.1.1.1 and even 8.8.8.8) I got the result 127.66.0.1 which is still wrong.

The correct IP should be 77.91.xx.xx

So I decided to disable Malwarebytes and promptly I got the correct results both on normal nslookup and on 1.1.1.1.

Enabled Malwarebytes again, and got the localhost results again, which proved that MBAM is the root cause. This should not happen; an nslookup should always work, especially on request at an external host like Cloudflare.

So at this moment, to keep Malwarebytes working, I had to disable the internet check, so nslookups keep working correctly.

 

Can this be fixed a.s.a.p., please?


  • Root Admin

Hello @Richard63 and welcome

 

To begin, please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to the Public desktop, please upload that file on your next reply

Hello.

Thank you for the quick reply.
 

12 minutes ago, AdvancedSetup said:

information obtained are safe and not harmful to your privacy

Well, I know for sure there are some things in the FRST logs which are harmful to my privacy: names, document names for example. So please remove a.s.a.p. from the forum after investigating. Thank you.

Edited by AdvancedSetup
Log removed per request

  • Root Admin

The logs indicate the computer needs a restart to update some files. Please RESTART the computer. @Richard63

Then get me some NEW fresh logs

 

 

Scan with SecurityCheck by glax24
https://forums.malwarebytes.com/topic/307301-scan-with-securitycheck-by-glax24/


Scan with FSS Farbar Service Scanner
https://forums.malwarebytes.com/topic/306736-scan-with-fss-farbar-service-scanner/


Scan with Farbar Recovery Scan Tool
https://forums.malwarebytes.com/topic/306601-scan-with-farbar-recovery-scan-tool/

Thank you again for the quick reply and removal of logs.

I rebooted and made the new logs as requested, although I'm curious as to which files would be updated. I didn't see a notice of Microsoft updates.
Please remove again after investigation, thank you.

 

 

Edited by AdvancedSetup
Logs removed per request

  • Root Admin

Please give me a moment to review the other logs.

This was in the previous log which typically probably would not alert you about restarting

 

Pending File Rename Operations
========================================
C:\Program Files\Microsoft Office 15\ClientX64\Centennial.Detection.IsCentennialOfficeInstalled.scratch
C:\Program Files\Microsoft Office 15\ClientX64\Centennial.Detection.IsCentennialOfficeInstalled.scratch
C:\Program Files\Microsoft Office 15\ClientX64\Centennial.Detection.IsCentennialOfficeInstalled.scratch

 

 

 


  • Root Admin

Please do the following @Richard63

 

Please Uninstall, Update, or otherwise address the following as appropriate for your computer.

 

  • Asian Language And Spelling Dictionaries Support For Adobe Acrobat Reader v.22.001.20085 Warning! This software is no longer supported. Please uninstall it and use Adobe Acrobat Reader DC.
  • Discord v.1.0.9012 Warning! Download Update
  • HandBrake 1.8.1 v.1.8.1 Warning! Download Update
  • KC Softwares PortExpert v.1.7.2.12 Warning! This software is no longer supported.
  • Microsoft Edge WebView2 Runtime v.126.0.2592.113 Warning! Download Update
  • Microsoft Office Access database engine 2007 (English) v.12.0.6612.1000 Warning! This software is no longer supported.
  • Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 v.14.36.32532.0 Warning! Download Update
  • Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 v.14.36.32532.0 Warning! Download Update
  • Mozilla Thunderbird (x64 nl) v.102.1.0 Warning! Download Update
  • Skype versie 8.92 v.8.92 Warning! Download Update
  • Total Commander 64-bit (Remove or Repair) v.8.01 Warning! Download Update


Please uninstall the following

---------------------------- [ UnwantedApps ] -----------------------------

Bonjour   (This program is rarely needed on Windows but often causes networking issues)
CCleaner  (computer experts no longer recommend this program)

 

 

Next

Please make the following change in Malwarebytes if you're using the Premium or Trial version

  • Please open Malwarebytes. Click on the small gear icon to open the Settings and go to the General tab.
  • Then turn off "Always register Malwarebytes in the Windows Security Center"
  • Restart the computer

 

Then check for Windows Updates and install any security updates found

 

When all has been completed, please RESTART the computer one more time and get me NEW fresh logs again.

 

 

 

Scan with SecurityCheck by glax24
https://forums.malwarebytes.com/topic/307301-scan-with-securitycheck-by-glax24/


Scan with FSS Farbar Service Scanner
https://forums.malwarebytes.com/topic/306736-scan-with-fss-farbar-service-scanner/


Scan with Farbar Recovery Scan Tool
https://forums.malwarebytes.com/topic/306601-scan-with-farbar-recovery-scan-tool/

Thank you.

However I don't think the updates of the programs will fix a specific issue only happening on nslookups.

Also I don't know where you get the version information from, but to put some examples:

Discord -> Is updated every time as soon as I start it. I started it today too, no updates.

Mozilla Thunderbird  v.102.1.0  gives a warning -> I always update that, my current version is even 128.1.0esr (64-bits) so way past v102. ;)

I can't delete PortExpert, because I need that program. It's not started with Windows so it's not influencing nslookup anyway.

Total Commander also doesn't need to be updated. I don't need the latest version for this, I use it once in a while, also not conflicting with nslookup stuff.

Edge Webview, I wouldn't even know how to update this. I don't normally use Edge, I always use Firefox.

Microsoft Visual C++ are updates only required by some specific software, they don't need to be up to date every time either. If they should, then Microsoft should update them, which MS does not.

Adobe Acrobat Reader. Odd that this is not supported anymore, because in my program files list it says this version was updated 10 days ago, on August 3. When looking here,
https://get.adobe.com/nl/reader/

there is no DC, it's just Acrobat Reader again nowadays.

So at least about Thunderbird and Acrobat, some of those scanners are not providing accurate information.

Bonjour: Sorry, but you should know this service is required by several applications, mainly printer. And it even got installed with my printer if I'm correct.

CCleaner does not need to be uninstalled as I hardly use it, it's not running by default, I disabled that part, so it can't do harm and it also doesn't interfere with my system.

 

You are now asking me to do updates and things. And I'm prepared to do some required things, but I'm not a noob. The issue is very clear. Enable internet check in MBAM, nslookup will fail on certain sites. I can give you the site I tested and then you can see for yourself, if I'm allowed to PM you.
As soon as internet check is disabled or only Windows Defender is running, then nslookups to those sites work without any issues. And this time it's not even a site I've ever visited before. Never used it in my browser, only nslookup.

So it's clearly an MBAM issue, not a "my system" issue.

So maybe it's better to send you the domain name so you can check the result on your own system, before we're going to make all kinds of unnecessary changes (even some which even have newer versions than suggested).

Please remove the logs from my former post.


I'm just checking the Mozilla. And I see this in my program's list:

[attached image: image.png]

When I start Mozilla, I get the 128.1.0esr. I'm not sure when I remove the 102.1.0 (if even present anywhere) it might not remove Thunderbird completely. Anyway, doesn't have to do with nslookup.


  • Root Admin

Bonjour is 100% rarely ever needed on Windows and in the many years I've been doing Windows support (more than 35 years now) not a single person has proven it was needed. The only potentially possible time it may be needed is if you're attaching an Apple TV to your Windows computer. However you'll find thousands of users on PC where their networking is messed up and in some cases even having network broadcast storms that prevent almost all networking.

I would highly suggest you uninstall it. I'm not saying this is your issue but we have millions and millions of customers and at the moment this is the only post or ticket on our Help desk complaining of this issue.

 

The other findings are recommendations and in some cases may not be accurate on versions. This tool is a 3rd party application trying to analyze hundreds of different software applications and can sometimes not have up to date information.

You do not need to do any of those things if you do not wish to. They're all recommendations based on findings from the logs.

 

Please provide the exact IP and DNS name or URL you're trying to contact and I'll see if I can duplicate the issue.

 

Thanks

Just now, AdvancedSetup said:

not a single person has proven it was needed.

Yes I've read that before, also about security. Which was the reason I've uninstalled it 5 years ago. And then at a certain point got complaints from my system that it couldn't access the Bonjour service. And I had to install it again. I think you might even see iTunes complaining if it's not installed. I'm not sure anymore, but that's the reason it got installed in 2019 again.

I'm a hosting provider and I've never encountered network issues on my home network to be true. Also working with computers, maybe a bit shorter, but still 34 years so I can say I have some experience. And I know about various things which can cause issues, but don't really need to be the cause. And if Bonjour was the cause now, then I would have the same issue if the MBAM internet check was disabled, right?
Also I would have issues with loads of domains, not with some or a single one maybe.
 

33 minutes ago, AdvancedSetup said:

Please make the following change in Malwarebytes if you're using the Premium or Trial version

This one I did, but it doesn't seem to have made any changes, still same problem.

I would like to ask again to please remove the old logs. I will provide you with the domain I'm having issues with.

 


  • Solution

It was not "various" but only 1 domain and a subdomain from the same domain.

I provided the information by PM.

@AdvancedSetup then soon discovered that IP/domain was blocked at that time by MBAM, only nslookup does not give a popup warning about the block. Visiting the URL or using tracert does.
It's reported to the devs, and who knows might be fixed.

So for others reading this, in certain cases (with this version) when using nslookup a localhost result -might- be thrown when an IP or domain is blacklisted by MBAM.

Thanks @AdvancedSetup for the fast responses, great service and help/advice with this!

This topic is now closed to further replies.
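
The symptom from the solution post, as an added example that is not part of the thread and not Malwarebytes' own code: a Python sketch that parses nslookup output and flags answers in the loopback range, which is how the silently blocked lookup showed up. Both outputs are constructed samples; somedomain.pl and 127.53.0.1 come from the first post, while example.org and the documentation-range addresses are assumptions.

```python
import ipaddress
import re

# Constructed sample of Windows nslookup output, using the placeholder domain
# and the loopback answer quoted in the thread (not a real capture).
SAMPLE_BLOCKED = """\
Server:  one.one.one.one
Address:  1.1.1.1

Non-authoritative answer:
Name:    somedomain.pl
Address:  127.53.0.1
"""

# Constructed sample of an unfiltered, multi-address answer (assumed values).
SAMPLE_NORMAL = """\
Server:  one.one.one.one
Address:  1.1.1.1

Non-authoritative answer:
Name:    example.org
Addresses:  2001:db8::10
          192.0.2.10
"""

def answer_addresses(nslookup_output):
    """Return the IPs in the answer section, i.e. after the 'Name:' line."""
    addresses = []
    in_answer = False
    for line in nslookup_output.splitlines():
        if line.startswith("Name:"):
            in_answer = True   # everything before this is the resolver itself
            continue
        if not in_answer:
            continue
        # Drop the "Address:" / "Addresses:" label; continuation lines have none.
        candidate = re.sub(r"^Address(es)?:", "", line).strip()
        try:
            addresses.append(ipaddress.ip_address(candidate))
        except ValueError:
            continue           # not an address line (blank, "Aliases:", ...)
    return addresses

def looks_locally_filtered(nslookup_output):
    """True if any answer is loopback (127.0.0.0/8 or ::1)."""
    return any(a.is_loopback for a in answer_addresses(nslookup_output))
```

A loopback answer only shows that the response was rewritten somewhere before it reached nslookup; identifying the component responsible still takes the enable/disable comparison the original poster performed.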