IP-blocks and China


I bought Malwarebytes some time ago, but only some days ago I activated the realtime scanner. I read the remarks about the IP-blocks, yet I'm surprised that so many of these blocks seem to be connected with China. I used http://network-tools.com/ to trace the IP-numbers, for instance 58.218.199.250, 58.218.199.147, 221.192.199.49, 58.218.199.227, and all of them have something to do with China. Is this a well-known fact which is not so important, or do I have to worry about it?

I'm always connected to the internet, and these IP-block messages come on a regular basis. Just to see if they would appear in a clean Windows 7 install, I put back an Acronis image with such a totally fresh configuration, without any other program. No difference: the same IP-block messages, same frequency, so I think it's not because the system itself is infected with a virus, trojan or something like that.


Hi, and welcome, walker48:

As you already discovered through your research, IP blocking can occur as a result of certain legitimate programs such as Skype, and it can happen when MBAM is doing its job by preventing bad content from websites from infecting your computer.

But it can also be the result of infection on your system, especially if the IP blocks are "outgoing" and if they occur when no browsers are open.

Please have a look at the FAQ - Section G for information about the IP blocking module.

After doing so, if you think these IP blocks are false positives, then please start a new thread here.

  • To have Malwarebytes' Anti-Malware ignore an individual IP address, visit the website in question to incur a block. When you see the tray notification that Malwarebytes' Anti-Malware has blocked the address, right-click on the red M tray icon and use the Add to Ignore List menu to have the IP ignored. You should then be able to refresh your web browser and visit the page. If not, then you may need to close and then open your browser and try again or clear your browser's cache to be able to see the page.
  • If at any time you decide to remove the selected IP from the Ignore List, you can do so by opening Malwarebytes' Anti-Malware and clicking on the Ignore List tab.

----------------------------

Or, if you think your system might be infected -- based on the IP blocks or other suspicious computer behavior -- then please do the following, as we do not work on malware removal in this part of the forum.

1. First, please go to THIS PAGE, print out, read and follow as many instructions as you can, skipping any you are unable to complete.

2. Then, please describe your computer's symptoms as best you can and post the requested MBAM and DDS logs by starting a new thread at the Malware Removal-HJT forum . Please post the results of the requested scans directly into your post, using copy/paste, rather than attaching them.

One of the authorized, trained experts will then assist you as soon as possible for free, one-on-one malware detection and removal.

When you post, please be sure to select Track This Topic & choose one of the email options, so that you will be notified when someone responds.

Please be patient and allow at least 48 hours before bumping your thread -- otherwise it may appear to the experts that you are already being helped

(The "0" reply count is the easiest way for the experts to spot your thread as still needing help.)

Other Support Options:

--- Alternatively, if you are a paying customer using MBAM PRO, you may wish instead to start a free support ticket by contacting support at: support@malwarebytes.org; or

--- Premium, fee-based support options are available here.

HTH,

daledoc1

PS: Please use the [button image not available] button instead of other ones when you reply here and at the other forums, so that it will be easier to read. :)


Thanks daledoc1, for your reply. As I wrote, I installed Malwarebytes in a totally new and fresh system without any other program added, apart from Windows 7 itself. I got the same IP-blocks, so I don't think these blocks are the consequence of an infection. I'm just surprised they all have something to do with China and I wondered if there would be somebody here who would say: 'Oh yes, China...!' It's something new for me, these blocks, that's why I ask these questions. Why China? Some examples of today:

13:23:11 IP-BLOCK 58.218.199.227 (Type: outgoing, Port: 137)

13:23:11 IP-BLOCK 58.218.199.227 (Type: outgoing, Port: 137)

13:23:11 IP-BLOCK 58.218.199.227 (Type: outgoing, Port: 137)

13:42:57 IP-BLOCK 221.192.199.49 (Type: outgoing, Port: 137)

13:42:57 IP-BLOCK 221.192.199.49 (Type: outgoing, Port: 137)

13:43:05 IP-BLOCK 221.192.199.49 (Type: outgoing, Port: 137)

13:45:53 IP-BLOCK 58.218.199.250 (Type: outgoing, Port: 137)

13:45:53 IP-BLOCK 58.218.199.250 (Type: outgoing, Port: 137)

13:45:53 IP-BLOCK 58.218.199.250 (Type: outgoing, Port: 137)

13:58:12 IP-BLOCK 58.218.199.147 (Type: outgoing, Port: 137)

13:58:20 IP-BLOCK 58.218.199.147 (Type: outgoing, Port: 137)

13:58:20 IP-BLOCK 58.218.199.147 (Type: outgoing, Port: 137)

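A small triage script, added here as an example and not part of the thread or of Malwarebytes, that parses lines in the format of the protection-log entries quoted above, counts repeats per address and port, and flags outgoing blocks to non-browser ports (137 is the NetBIOS name service) as the ones to run down with TCPView before treating them as false positives. The sample log is constructed, mixing addresses from the thread with a documentation address.

```python
import re
from collections import Counter

# Constructed sample in the format of the Malwarebytes protection log lines
# quoted in the thread; addresses and times copied from the posts, plus one
# constructed incoming block (203.0.113.5 is a documentation address).
SAMPLE_LOG = """\
18:30:35 MESSAGE Protection started successfully
18:30:38 MESSAGE IP Protection started successfully
18:37:02 IP-BLOCK 221.192.199.49 (Type: outgoing, Port: 137)
19:13:23 IP-BLOCK 58.218.199.147 (Type: outgoing, Port: 137)
19:13:23 IP-BLOCK 58.218.199.147 (Type: outgoing, Port: 137)
19:20:41 IP-BLOCK 203.0.113.5 (Type: incoming, Port: 445)
"""

BLOCK_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) IP-BLOCK (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\(Type: (?P<direction>\w+), Port: (?P<port>\d+)\)$"
)

# Well-known services behind the ports that matter for this kind of triage.
PORT_NOTES = {137: "NetBIOS name service", 139: "NetBIOS session", 445: "SMB"}
BROWSER_PORTS = {80, 443}


def parse_blocks(text):
    """Return one dict per IP-BLOCK line; MESSAGE and unknown lines are skipped."""
    blocks = []
    for line in text.splitlines():
        m = BLOCK_RE.match(line.strip())
        if m:
            blocks.append({"time": m["time"], "ip": m["ip"],
                           "direction": m["direction"], "port": int(m["port"])})
    return blocks


def summarize(blocks):
    """Count blocks per (ip, direction, port) so repeats stand out."""
    return Counter((b["ip"], b["direction"], b["port"]) for b in blocks)


def triage(blocks):
    """Flag outgoing blocks to non-browser ports: a visited web page cannot
    explain them, so the owning process should be identified (e.g. TCPView)."""
    findings = []
    for (ip, direction, port), n in sorted(summarize(blocks).items()):
        if direction == "outgoing" and port not in BROWSER_PORTS:
            svc = PORT_NOTES.get(port, "unknown service")
            findings.append(f"{ip} port {port} ({svc}): {n} outgoing block(s); "
                            "identify the owning process before assuming a false positive")
    return findings


if __name__ == "__main__":
    for line in triage(parse_blocks(SAMPLE_LOG)):
        print(line)
```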

Do you use skype or any P2P software?

Are the blocks happening when you are browsing, or when your browsers are closed?

daledoc1


I don't use any P2P software. I run a little (Dutch) program which tells me what has been posted on Usenet and sometimes I download stuff from there. When I use what I downloaded for the first time, I do so in Sandboxie.

I get these IP-block messages as well when there is no action whatsoever on my computer: half an hour ago I restarted the PC, didn't touch it after that, and yet there are two other messages:

18:30:35 MESSAGE Protection started successfully

18:30:38 MESSAGE IP Protection started successfully

18:37:02 IP-BLOCK 221.192.199.49 (Type: outgoing, Port: 137)

19:13:23 IP-BLOCK 58.218.199.147 (Type: outgoing, Port: 137)

But the strange thing is, as I wrote, that this happens too in a completely 'virginal' system. However, if it's advisable to post a HijackThis log in the other department of this forum, I'll do so as a matter of course.


Thanks for the update.

You didn't mention if the OS reinstall was b/c of an infection?

I'm just a home user, so we might need to wait for some more expert input.

But I am pretty sure there are some nasty rootkits and other infections that are not completely removed by simply reinstalling the OS without a reformat of the HDD.

Clearly something is trying to phone home on your system, and if it's happening when you are not browsing, then it's a bit worrisome. :(

You might be infected and it might be a good idea for one of the authorized malware experts to have a look at your system.

If you'd like to do that, please follow the instructions in the bottom section of my original reply, since we cannot address possible malware-related problems here in this particular sub-forum.

The assistance in the malware removal forum is free, as is support via the help desk.

Feel free as well to wait and see if the experts have some additional or different suggestions. :)

HTH,

daledoc1


Well, I'll wait a while then. I did a clean install with a format of C:/. I use this 'clean install' to see if problems I have in my 'normal' configuration also turn up in this basic one. If so, it's usually a hardware problem; if not, it's probably a software problem. Acronis images (I always have three of them) make it very easy to switch between different systems. I know there is some nasty stuff out there (rootkits, MBR infections and so on); maybe my system is not as clean as I thought it was.


Okey dokey.

Yes, I was thinking in particular about those MBR infections.

Since you are using MBAM PRO, you can submit a ticket for free assistance directly to the help desk, if you prefer that to the malware removal forum.

If you do choose the help desk option, please post back here and let us know, so that the mods/admins can close this topic to prevent someone else from hijacking it.

There may well be an "innocent" explanation for these blocks, but, since you don't use P2P or Skype, since they occur when the system is idle, and since the IPs are in China, it's all a bit worrisome.

Did you try the suggestion about running TCP View, as suggested in the FAQ-Section G?

It might tell you what process is trying to make the malicious connection.

Well, I'm sure someone will have some additional advice.

Thanks for your patience,

daledoc1


I have also recently been of a lot of attempts by IP addresses which seem to originate in China. Three of them are 202.105.179.222, 58.218.199.147, and 58.218.199.250. If anyone knows what is going on with this, I'd like to hear about it. They are becoming a lot more frequent recently. Malwarebytes is a great product - recommended by The Tech Guy. I'm in Fort Myers, FL.


Thanks again!

Just some additional information: I did a scan with aswMBR several times. One line was in yellow, sptd.sys, that's my Daemon-tool; two lines were in red (I made them red for this message), so I used the button 'fix MBR', restarted the PC, did another scan with aswMBR and got exactly the same results: one yellow, two red lines. Can aswMBR also give 'false positives', or do we have another problem here? Of course I did several scans with MBAM and ESET NOD32 v.4 with the latest definitions, always 0 detections, and the system itself doesn't show any strange behavior; all is running smoothly.

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software

Run date: 2011-09-10 21:13:10

-----------------------------

21:13:10.497 OS Version: Windows x64 6.1.7601 Service Pack 1

21:13:10.497 Number of processors: 8 586 0x1A04

21:13:10.497 ComputerName: SWINDEN UserName: Henk

21:13:10.746 Initialize success

21:13:13.024 AVAST engine defs: 11090901

21:13:15.738 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T1L0-6

21:13:15.738 Disk 0 Vendor: WDC_WD1001FALS-00J7B0 05.00K05 Size: 953868MB BusType: 3

21:13:15.754 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T1L0-7

21:13:15.754 Disk 1 Vendor: WDC_WD1001FALS-00J7B0 05.00K05 Size: 953869MB BusType: 3

21:13:15.769 Disk 0 MBR read successfully

21:13:15.769 Disk 0 MBR scan

21:13:15.769 Disk 0 Windows 7 default MBR code

21:13:15.769 Service scanning

21:13:20.465 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32

21:13:21.885 Modules scanning

21:13:21.885 Disk 0 trace - called modules:

21:13:21.900 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8004ec32c0]<<

21:13:21.900 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8005f7e790]

21:13:21.900 3 CLASSPNP.SYS[fffff8800183b43f] -> nt!IofCallDriver -> [0xfffffa8005d45670]

21:13:21.916 5 ACPI.sys[fffff8800100b7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T1L0-6[0xfffffa8005d78060]

21:13:21.916 \Driver\atapi[0xfffffa8005d38060] -> IRP_MJ_CREATE -> 0xfffffa8004ec32c0

21:13:22.134 AVAST engine scan C:\Windows

21:13:23.429 AVAST engine scan C:\Windows\system32

21:14:32.646 AVAST engine scan C:\Windows\system32\drivers

21:14:42.022 AVAST engine scan C:\Users\Henk

21:16:18.493 AVAST engine scan C:\ProgramData

21:16:57.711 Scan finished successfully

21:18:10.953 Disk 0 MBR has been saved successfully to "G:\MBR.dat"

21:18:10.953 The log file has been saved successfully to "G:\aswMBR.txt"

Hi, perrybeagle:

Please read the information in Post #2 above.

There are links to information articles about how to evaluate these blocks and how to proceed/report them if you think they might be either false positives or the result of computer infection.

Also, if you would like additional assistance with this here in this particular sub-forum, it might be a good idea to start your own new topic.

Each computer's situation is a bit different -- even if the problem seems to be "the same" -- and it will help to get your issue the individual attention it deserves. :)

Thanks!

daledoc1


@ walker48:

Hi, again!

Alas, I'm sorry but we aren't permitted to review logs or work on malware-related issues here in the general forum.

Please follow my suggestions in my original reply to start a new topic in the malware removal section, or to submit a ticket to the help desk.

One of the authorized, specially trained malware experts will then assist you.

I think that would be the most prudent and safe course of action for you at this point.

Thanks very much for your understanding.

daledoc1
