Ed Wood

False Positives

Ever since Malwarebytes added the IP Protection to the software, I have received false positives, even when not connected to the web.

I contacted Malwarebytes (MWB) about this problem, and was told to right-click on the MWB icon, then untick the IP Protection feature. I have done this, but every time that I reboot my computer, I must do this again.

I have the latest paid version (1.44 - I have been a subscriber since 2006). Has there ever been any patch or repair for this problem? Or, if not, how can I permanently turn this feature off?

I am running under Windows XP Professional SP3, on a 2.5 GHz dual-core Intel coprocessor, with 2 GB RAM. I have a 1 TB HDD and 2 250 GB HDDs. I am running Norton's Internet Security 2010, MWB 1.44, Spybot S&D 1.6.2.0 and SuperAntiSpyware 4.33.0.1000. I have an AT&T 6.0 DSL connection.

I would appreciate any help you can provide,

Sincerely,

Ed Wood

You can certainly disable the facility, yes.

http://www.malwarebytes.org/forums/index.php?showtopic=21076

But I'd ask you instead to post the IPs in question so I can take a look.

There are far too many for me to write them all down. Every few minutes, MWB will notify me of the fact that it has blocked an IP address. If there is some way to generate a log of this activity, I would gladly attach the log for your use. Let me know how I can do this, if possible.

Regards,

Ed


Steve,

After posting this reply, I read the post in the link that you gave me.

I have turned MWB IP Protection back on, and will let it run for some time, then I will send you the log.

Thanks for your help.

Ed


My pleasure :)


Those I've checked thus far have relations to the Koobface infection, suggesting it is likely your computer is infected. I'd strongly urge you to get it checked.

I'll run through the rest of them in the meantime.


Steve,

I have run my antivirus/malware/spyware programs and none of them have found the Koobface virus/worm. I downloaded the freeware Spyware Terminator and ran it. It did not discover the virus. I printed out from the hubpages.com website instructions on how to remove Koobface manually. I could not find the virus under the Ctrl-Alt-Del tab (processes running) nor under the Add/Remove Programs tab. I tried to run regedit and do a search (Ctrl-F) for Koobface, and the registry editor locks up every time.

I have been to the website of Symantec (I am running Norton's Internet Security 2010) and do not find any mention of this virus/worm.

I am at a loss on what to do next. Any suggestions?

Regards,

Ed

PS. I am generating another log today that I will attach to another post tonight or tomorrow.


Just to clarify:

1. Are you by chance running any P2P software?

2. Are you behind a hardware firewall?

You seem to have a great deal of connections to 117.197-201, which is a bit of a concern. I've filtered the list and identified 170 unique IPs so far, but the majority are within the AS9829 (BSNL-NIB) range. All records I have for this range are connections to a botnet; details on this are at:

http://hphosts.blogspot.com/2010/01/botnet...resolution.html

http://garwarner.blogspot.com/2010/01/send...ashback-to.html

http://www.dynamoo.com/blog/2010/01/convin...ads-to-pdf.html

http://garwarner.blogspot.com/2009/12/some...oogle-jobs.html

http://garwarner.blogspot.com/2009/12/ongo...-zeus-zbot.html

http://garwarner.blogspot.com/2009/12/yet-...-zeus-zbot.html
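The triage step described above (collapse a long stream of block notifications into unique addresses, then attribute those addresses to known ranges and count repeats) can be automated. The script below is an added example written for this thread, not Malwarebytes code and not the forum poster's method. It assumes a simple, constructed log line format (`HH:MM:SS IP-BLOCK a.b.c.d (Type: outgoing)`), which is not the real Malwarebytes 1.44 log format, and a constructed watchlist whose CIDR prefixes are illustrative stand-ins for the ranges mentioned in the thread, not verified allocations.

```python
"""Triage a stream of blocked-IP notifications: dedupe, attribute to ranges, flag repeats.

Added example for the thread above; log format and CIDR prefixes are constructed.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log (NOT the real Malwarebytes log format).
SAMPLE_LOG = """\
09:41:12 IP-BLOCK 117.197.10.5 (Type: outgoing)
09:41:50 IP-BLOCK 117.199.200.17 (Type: outgoing)
09:42:03 IP-BLOCK 117.197.10.5 (Type: outgoing)
09:43:30 IP-BLOCK 198.51.100.23 (Type: outgoing)
09:55:01 IP-BLOCK 208.94.233.132 (Type: outgoing)
09:55:02 IP-BLOCK 208.94.233.132 (Type: outgoing)
09:55:04 IP-BLOCK 208.94.233.132 (Type: outgoing)
this line is noise and will be skipped
"""

# Constructed watchlist: labels echo the thread, prefixes are illustrative only.
WATCHLIST = {
    ipaddress.ip_network("117.197.0.0/16"): "AS9829 range named in the thread (constructed /16s)",
    ipaddress.ip_network("117.199.0.0/16"): "AS9829 range named in the thread (constructed /16s)",
    ipaddress.ip_network("208.94.233.0/24"): "hosting range flagged in the thread (constructed /24)",
}

LINE_RE = re.compile(r"^(?P<time>\d{2}:\d{2}:\d{2})\s+IP-BLOCK\s+(?P<ip>[\d.]+)")


def parse_log(text):
    """Return [(time, IPv4Address), ...] for every line that parses; skip the rest."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group("ip"))
        except ValueError:  # malformed address, e.g. "117.300.1.1"
            continue
        events.append((match.group("time"), ip))
    return events


def classify(ip, watchlist):
    """Return the watchlist label covering `ip`, or None if no prefix matches."""
    for network, label in watchlist.items():
        if ip in network:
            return label
    return None


def summarize(events, watchlist):
    """Collapse events into unique IPs, per-IP hit counts and per-range unique counts."""
    per_ip = Counter(str(ip) for _, ip in events)
    unique_per_range = Counter()
    unmatched = []
    for ip in sorted({ip for _, ip in events}):
        label = classify(ip, watchlist)
        if label is None:
            unmatched.append(str(ip))
        else:
            unique_per_range[label] += 1
    return {
        "events": len(events),
        "unique_ips": len(per_ip),
        "per_ip": per_ip,
        "unique_per_range": unique_per_range,
        "unmatched": unmatched,  # addresses needing manual lookup
    }


def repeat_offenders(per_ip, min_hits):
    """IPs blocked at least `min_hits` times; repeated beaconing is the botnet tell."""
    return sorted(ip for ip, hits in per_ip.items() if hits >= min_hits)


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG), WATCHLIST)
    print(f"{summary['events']} block events, {summary['unique_ips']} unique IPs")
    for label, count in summary["unique_per_range"].items():
        print(f"  {count} unique IP(s) in: {label}")
    print("  unmatched (look up manually):", summary["unmatched"])
    print("  repeat offenders (3+ hits):", repeat_offenders(summary["per_ip"], 3))
```

The per-range count is what answers "are these false positives or a pattern?": a handful of unique addresses spread across unrelated networks looks like tracker scripts and CDN noise, whereas many unique addresses concentrated in one AS, plus the same address retried seconds apart, is the shape of command-and-control traffic and warrants a clean-up rather than disabling the protection.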


I've run through all of the IPs and they're not F/Ps, I'm afraid. The IPs are indicating your computer is potentially part of a botnet.

Please follow the advice in the following as soon as possible.

http://www.malwarebytes.org/forums/index.php?showtopic=9573


As a matter of fact, I have used a P2P software program to download the Star Trek, Star Trek TNG, and Star Trek DS9 series of TV programs. I downloaded them from the mininova.org web site. The P2P program that I used was BitTorrent. It is not active on my computer now, even though it is still installed.

Is this the culprit? Do I need to remove it?

Regards,

Ed


It's certainly possible, but I'd recommend getting your machine checked just to be safe. As mentioned, quite a few of the IPs are associated with botnets and the Koobface campaign.

I'd also suggest removing the BitTorrent client, yes (and blocking the torrent ports at your router's firewall).


I have removed the BitTorrent client, and the DNA client, from my system. I need help in blocking the torrent ports at my router firewall. I don't know what they are, or how to do that.

I have an AT&T DSL connection. I am using a combination AT&T modem/wireless router 2Wire gateway, model # 2701HG-B. I am also running Norton's Internet Security 2010.

Are you familiar with how to block access with these items?

Also, I have noticed a decisive decrease in IP Protection notification since I removed the bittorrent client. In today's log, the only blocked IP address is 208.94.233.132. It was blocked on three separate attempts at 9:55.

Thanks again for your help,

Ed Wood


The file most commonly accessed at that IP is the following (tracking script) from informer.com:

http://208.94.233.132/WebGate/JavaScripts/LinkInformer.js

This file is pretty much benign, but sadly, the IP is on a Webazilla range, an ISP whose network is known for malicious activity.

I'm not familiar with the AT&T routers, as I'm in the UK and have never used one, but all you need to do is log in to your router, go to the firewall settings, then change the setting to "Maximum protection - Disallow all unsolicited inbound traffic".

http://portforward.com/english/routers/por...G-B/default.htm
