Website blocking

[tommytiko]

Can any one please advise - What is the website blocking service in mbam? Is it blocking access to websites? And if so, are the identities of the websites sent in the updates?

I attach a log of what I take to be website blocking activity, and it logs various websites blocked while the computer was running but not in use by me or anyone else. The ip addresses appear to be in south america and saudi. Why would my computer be attempting to access these sites? There is no other evidence that I am aware of that such activity is going on on my computer.

protection_log_2010_05_22.txt

[noknojon]

Hi tommytiko -

The base files that include all updated blocked sites and new Malware items are in each update -

That is why there are so many updates - New infections and new Rogue sites are discovered daily -

Thank You -

EDIT -

If your Router/Modem is turned on then these sites can be ones linked to sites you have visited or may be suspect sites that are over active open networks -

Please read This Page (Section G) for the full process involved in the IP blocking system -(From the FAQ section) -

[tommytiko]

Hi tommytiko -

The base files that include all updated blocked sites and new Malware items are in each update -

That is why there are so many updates - New infections and new Rogue sites are discovered daily -

Thank You -

EDIT -

If your Router/Modem is turned on then these sites can be ones linked to sites you have visited or may be suspect sites that are over active open networks -

Thanks Noknojon. I take it that the log that I uploaded shows that my computer attempted to connect to those sites, and was blocked from doing so by mbam. It all happened when my computer was unattended, and had been for some hours. I wonder therefore what caused it to attempt to connect to those sites, and with what purpose, and whether this is a sign of data theft activity via some malware.

[noknojon]

- Part of a section on that page -

I got an alert and I wasn't even surfing, how does that happen?

There are many applications on your system which have access to the Net and any of these can trigger an IP alert with no browser open. Most common offenders are P2P applications and IM clients, usually an ad will trigger an alert. An advanced or premium firewall will be able to give you a list of programs which can access the Net.

I hope this helps -

[tommytiko]

- Part of a section on that page -

I hope this helps -

Thanks again. I'd like to know how to track down which of the many programs with access to the internet attempted to make contact with the supposedly malicious sites, and indeed to know more about the sites, so that I can work out wherther there is a problem with something on my computer, but I cannot immediately think of how to do so.

[YoKenny1]

I use CurrPorts

Description

CurrPorts is network monitoring software that displays the list of all currently opened TCP/IP and UDP ports on your local computer. For each port in the list, information about the process that opened the port is also displayed, including the process name, full path of the process, version information of the process (product name, file description, and so on), the time that the process was created, and the user that created it.

http://www.nirsoft.net/utils/cports.html

[tommytiko]

I use CurrPorts http://www.nirsoft.net/utils/cports.html

Thanks Yokenny1. I am running currports and now wait to see wait shows up.

[tommytiko]

Thanks Yokenny1. I am running currports and now wait to see wait shows up.

I am running currports and getting logs showing blocking of websites but I do not see that the attempts to connect to the websites are reflected in currports.

Presumably mbam has a reason for blocking access to the sites it blocks. Is there any information available to users as to what that reason is? I should like to know in case there is a data leak or potential data leak here, and in case it would help me to identify the programs that are attempting to connect to the sites in question. I have 2 sites being blocked, and looking up the ip addresses points to china and taiwan, which I can think of no good reason for my system to want to connect to.

[YoKenny1]

What does MBAM Logs show?

Process Name should show you.

[LifeIsPhun]

What does MBAM Logs show?

Process Name should show you.

I am interested in this exact same thing...newbie here just to interact on this issue...

I get the IP Blocking popup bubble quite a bit...sometimes just after running a program like Outlook (which makes me suspect) and sometimes during random times. I checked the logs and there are many, many different IP addresses from different countries. I did a IP Reverse Lookup on most of them and they are from Moldovia, China, Saudi Arabia, etc.

Like tommyTiko above, I can see NO reason that my system should be attaching to any system overseas. This is a home computer that has never done any business overseas, I don't visit foreign domains (as far as I know), BUT I have had viruses that I have cleaned from my computer in the past but current scans don't find anything.

I know, re-asking the same questions as tommy, and Yes I did read ALL of the recommended This Page (Section G) but didn't see any recommendations of a tool to use. Is CurrPorts the best tool for this?

Also like tommy, I am concerned about leakage and getting to the bottom of the processes that are making these contacts. Doese MalwareBytes scans look for processes that would make these kinds of attempts a attempt to eradicate them?

I have attached my protection-log and as you can see...quite a lot of blocked IPs in a short time.

Where do I find the "Process Name" you mention in the quote above? Is this in CurrPorts?

protection_log_2010_05_25.txt

[AdvancedSetup]

Hello LifeIsPhun, and welcome to Malwarebytes.org

You almost have to have P2P software installed and running. IF not then you're best bet is to seek help from an Expert with scanning your system for infections.

We don't work on Malware removal in the general forums.

Please print out, read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

After posting your new post make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someon has replied to your post.

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org

[tommytiko]

What does MBAM Logs show?

Process Name should show you.

Herewith an example of a log, and a copy of what curports shows.

currports.rtf

protection_log_2010_05_25.txt

[tommytiko]

Hello LifeIsPhun, and welcome to Malwarebytes.org

You almost have to have P2P software installed and running. IF not then you're best bet is to seek help from an Expert with scanning your system for infections.

We don't work on Malware removal in the general forums.

Please print out, read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

After posting your new post make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someon has replied to your post.

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org

When you say "You almost have to have P2P software installed and running.", is that an oblique way of saying that these attempts to connect to odd websites could be caused by leaving skype running in the system tray?

[tommytiko]

What does MBAM Logs show?

Process Name should show you.

Presumably mbam has a reason for blocking access to the sites it blocks. Is there any information available to users as to what that reason is?

[noknojon]

Presumably mbam has a reason for blocking access to the sites it blocks. Is there any information available to users as to what that reason is?

The sites that are automatically blocked are all considered dangerous or may contain infections -

These are reviewed daily by our research team - Once they are cleaned up then the auto blocking ceases -

I hope this helps -

Refer back to Post #2 in this thread for more details -

[LifeIsPhun]

Hello LifeIsPhun, and welcome to Malwarebytes.org

You almost have to have P2P software installed and running. IF not then you're best bet is to seek help from an Expert with scanning your system for infections.

We don't work on Malware removal in the general forums.

Please print out, read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

After posting your new post make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someon has replied to your post.

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org

Yes, in my case I am running MS Messenger in the background all of the time. I also run Skype, but only when actually communicating with others...it doesn't autoLoad.

I will do a test of not loading MS Live Messenger on startup and see if all of the IP Blocking messages go away. Thanx for the input.

Ok, now lets say the IP Blocking does not catch anything when MS Live Msngr (or any other P2P) is not running. Does that mean that these P2P programs are malicious in their own right? I will start to do more research on this myself and come back here with answers there as well...

[mountaintree16]

Well P2P is LimeWire, Vuze, BitTorrent, uTorrent, etc...

[LifeIsPhun]

Well P2P is LimeWire, Vuze, BitTorrent, uTorrent, etc...

Oh, well in that case I am not using any of those.

I am a software developer, so I am sensitive to subtle "differences" in system behavior and this thread has triggered some thoughts. I have MS Live Messenger configured to autoLoad when Win boots, but periodically I will get a message from Messenger right after Win | boot | user login that says MS Messenger could not startup. I have just blown it off as a usual Win 7 problem and manually started MS Messenger. The boot of my machine this morning got that message, BUT I happened to not load Messenger manually! And guess what...absolutely NO IP Blocking messages!

Now, being a developer I can't pin it only on MS Messenger not loading BUT maybe there is some other malicious process/daemon that crashed that didn't load properly that was an IP "shim" to MS Msngr. So I waited for a couple of hours while busy on my machine and I still have not had ANY IP Blocking activity. Normally I would have had at least a few by now. The reason I think it may be some other malicious process is because I then manually started MS Msngr and it have been running active for about 30 minutes still with NO IP Blocking activity. I checked the mbam Protection Logs, nothing but the "startup" messages I expected.

Next, I will disable MS Msngr autoLoad, reboot and see if I get IP Blocking messages. If so, then I will go to the "threat removal" section of this site and go from there. If I don't get any IP Blocking messages I will then manually start MS Msngr again and see if the IP Blocking messages start up again.

I will post my results here...

Stay tuned.

[jeremyfarshore]

Oh, well in that case I am not using any of those.

I am a software developer, so I am sensitive to subtle "differences" in system behavior and this thread has triggered some thoughts. I have MS Live Messenger configured to autoLoad when Win boots, but periodically I will get a message from Messenger right after Win | boot | user login that says MS Messenger could not startup. I have just blown it off as a usual Win 7 problem and manually started MS Messenger. The boot of my machine this morning got that message, BUT I happened to not load Messenger manually! And guess what...absolutely NO IP Blocking messages!

Now, being a developer I can't pin it only on MS Messenger not loading BUT maybe there is some other malicious process/daemon that crashed that didn't load properly that was an IP "shim" to MS Msngr. So I waited for a couple of hours while busy on my machine and I still have not had ANY IP Blocking activity. Normally I would have had at least a few by now. The reason I think it may be some other malicious process is because I then manually started MS Msngr and it have been running active for about 30 minutes still with NO IP Blocking activity. I checked the mbam Protection Logs, nothing but the "startup" messages I expected.

Next, I will disable MS Msngr autoLoad, reboot and see if I get IP Blocking messages. If so, then I will go to the "threat removal" section of this site and go from there. If I don't get any IP Blocking messages I will then manually start MS Msngr again and see if the IP Blocking messages start up again.

I will post my results here...

Stay tuned.

Hi LifeIsPhun and tomytiko

I had the same question. Having run Malwarebytes and removed 6 threats, I still had the IP Blocking messages. Even when I had no applications running, it was still blocking attempts to communicated with IP addresses in Ukraine.

I followed the first set of instructions from NokNoJon and went to section G. I then downloaded and ran Avira Anti-Virus. This found further threats (which alarmed me), in particular adsldps.exe and a recurrence of sdra64.exe (which I had already removed). Once these threats were removed and adsldps.exe was de-activated and deleted, no more blocked IP messages.

Hope it works for you!

[Haider]

Hello to All: Please visit this site URLVoid though at Beta stage that doesn't support IP address at the moment but you could always find actual URL using DNS Tools from DomainTools this may give you some clues

[AdvancedSetup]

Gentlemen - please seek assistance from one of the Experts in the HJT forum where they can help you find out what the real issue is. It is not normal for your system to get that many blocks from MBAM and it's not caused by using Live messenger either unless its infected.

Thanks