trace the offending program?


Hello and Welcome to Malwarebytes.....

To determine what is trying to access that site we would probably need more info...

Do you run P2P software like Utorrent, Bittorrent, Limewire, or the like?

Did you have any other software open when you got the notice?

You can use software like Wireshark to determine what software may be trying to access that IP.

If you feel it is a false positive, you can post in False Positive Section so that they can check it.

Hope this helps


antispywarepro.net 208.73.210.27 parkinglot.information.com Rogue Antivirus Bogdan Pankiv / software@fabrica.net.ua 2009-04-28
This is one line from just one report on IP 208.73.210.27 -

I hope it will give you a basic idea why it is blocked - McAfee also Red Lists it -

clef.ca, wzbt.org, pal9.com, mlbk.com, azais.net and at least 100 other hosts point to 208.73.210.27. It is blacklisted in two lists.

Thank You - :angry:

EDIT - You can always type, or Cut and Paste, the IP into a browser and review the sites that list it -


Thanks for the responses. I don't usually run P2P software, although I have occasionally run bitpump. I stop the process, though, when it's done. It isn't running now. Rebooting does not prevent the attempted IP access.

I ran tcpview, but since you can't create a log file it didn't help track down which program was trying to access the address. I downloaded wireshark and created a filter for that address, so I'll see what happens. When I get it determined, I'll post the result!

- Russ


Okay, as Clint Eastwood once said:

"A man's got to know his limitations".

I found the reference to a couple of the attempts in Wireshark, but don't know how to proceed to find the offending program! Here's what I got:

90317 21:39:57.941489 192.168.1.2 192.168.1.1 DNS Standard query A filmfreephotos.com

This lines up with malwarebytes' log:

21:39:57 Russell Alexander IP-BLOCK 208.73.210.27

Although the log goes on to find more:

21:40:00 Russell Alexander IP-BLOCK 208.73.210.27

21:40:06 Russell Alexander IP-BLOCK 208.73.210.27

21:40:18 Russell Alexander IP-BLOCK 208.73.210.27

21:40:21 Russell Alexander IP-BLOCK 208.73.210.27

21:40:27 Russell Alexander IP-BLOCK 208.73.210.27

And Wireshark finds this oddity:

90382 21:40:25.238093 192.168.1.2 192.168.1.1 DNS Standard query A cornersnackbar.com

"cornersnackbar.com"?

Anyway, I don't expect you kind folks to babysit me through figuring out what it all means, but a gentle push in the right direction would be greatly appreciated!


Hi therealex -

Did you note my post #4 above that lists one of the sites from the IP you submitted - It shows that it contains Rogue Antivirus -

These are the reasons that it is blocked - It is also on the McAfee RED list (means very bad site) -

PS. This was just from a 5 min Google search -

Thank You - :)


> Hi therealex -
>
> Did you note my post #4 above that lists one of the sites from the IP you submitted - It shows that it contains Rogue Antivirus -
>
> These are the reasons that it is blocked - It is also on the McAfee RED list (means very bad site) -
>
> PS. This was just from a 5 min Google search -
>
> Thank You - :)

Yes, I saw that. I understand why it's blocked, but what I don't understand is which program keeps trying to access it. Am I being dense here (not unusual)?


  • Root Admin

There are a few programs that can monitor this for you and you can also do it on the command line though most users are not comfortable with the command line.

Please try this utility and as long as it's not a hidden process it should show you.

http://www.nirsoft.net/utils/cports.html
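For the command-line route mentioned above, here is an added example (not the thread's or NirSoft's code) of doing the same thing CurrPorts does, with a log you can leave running: it polls `netstat -ano` on Windows, keeps only rows whose foreign address is the blocked IP, and maps the PID to an image name with `tasklist`. The parsing functions are pure so they can be tried on the constructed `netstat` sample embedded below; the one-second polling interval and the default IP are assumptions.

```python
"""Poll 'netstat -ano' for connections to a given IP and name the owning process.

Added example. Windows only when actually polling (netstat -ano / tasklist);
the parsers run anywhere. SAMPLE_NETSTAT is constructed, not captured.
"""
import csv
import io
import subprocess
import sys
import time

# Constructed sample of 'netstat -ano' output. Note the UDP rows have no State
# column, so a whitespace split yields 4 fields instead of 5.
SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:49153        127.0.0.1:49154        ESTABLISHED     1040
  TCP    192.168.1.2:49301      208.73.210.27:80       SYN_SENT        2216
  UDP    0.0.0.0:3702           *:*                                    1764
  UDP    192.168.1.2:61123      *:*                                    2216
"""


def parse_netstat(text):
    """Return one dict per TCP/UDP row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        if len(parts) == 5:
            proto, local, foreign, state, pid = parts
        else:  # UDP rows carry no state
            proto, local, foreign, pid = parts[:4]
            state = ""
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(pid)})
    return rows


def connections_to(rows, ip):
    """Rows whose foreign address (minus port, minus IPv6 brackets) equals ip."""
    hits = []
    for r in rows:
        host = r["foreign"].rsplit(":", 1)[0].strip("[]")
        if host == ip:
            hits.append(r)
    return hits


def parse_tasklist_csv(text):
    """Pull the image name out of 'tasklist /FO CSV /NH' output, or None."""
    for row in csv.reader(io.StringIO(text)):
        if row and row[0].lower().endswith(".exe"):
            return row[0]
    return None  # tasklist prints an INFO: line when no PID matches


def process_name(pid):
    """Resolve a PID to an image name with tasklist (Windows only)."""
    out = subprocess.run(["tasklist", "/FI", f"PID eq {pid}", "/FO", "CSV", "/NH"],
                         capture_output=True, text=True).stdout
    return parse_tasklist_csv(out)


def watch(ip, interval=1.0, rounds=None):
    """Print each new (pid, local, foreign) tuple seen talking to ip."""
    seen = set()
    n = 0
    while rounds is None or n < rounds:
        out = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
        for r in connections_to(parse_netstat(out), ip):
            key = (r["pid"], r["local"], r["foreign"])
            if key not in seen:
                seen.add(key)
                print(time.strftime("%H:%M:%S"), r["proto"], r["local"], "->",
                      r["foreign"], r["state"], "PID", r["pid"], process_name(r["pid"]))
        n += 1
        time.sleep(interval)


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("Polling needs Windows (netstat -ano, tasklist); parsers work anywhere.")
    watch(sys.argv[1] if len(sys.argv) > 1 else "208.73.210.27")  # default IP assumed
```

Two limits worth knowing: polling misses any connection shorter than the interval, and a blocked connection may only ever appear as SYN_SENT for an instant. If it keeps slipping through, Sysmon's Event ID 3 (network connection) records the originating process for every connection without polling.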


> Please try this utility and as long as it's not a hidden process it should show you.
>
> http://www.nirsoft.net/utils/cports.html

Thanks, I'm running it now. It actually showed a false positive - MB flagged Avast! as trying to connect to a banned IP address. Still waiting for that 208.73.210.27 to show its face again!

Thanks for the tip, this seems like a great program.
