MaleWareBytes Flagged Potentially Harmful Site?

I'm running the freebie version of MalwareBytes.

It says that it blocked an outgoing attempt to access
89.28.62.91.

When I Google "What is 89.28.62.91", I come up with
http://www.projecthoneypot.org/ip_89.28.62.91

Reading that page, I get the impression that my PC might be
infected with somebody's 'bot that's trying to use it to send
spam.

Another thought that occurs is that MalwareBytes might be
issuing fake notifications as a marketing ploy.

Am I even close on either count?
--
Pete Cresswell

Re: MaleWareBytes Flagged Potentially Harmful Site?


You'd have to ask yourself why your computer is connecting to a site in Moldova.

--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp

Re: MaleWareBytes Flagged Potentially Harmful Site?

Per David H. Lipman:

Per the OP, one possibility is infection with a malware/bot.  The
other is that it is not trying to connect... so the OP stands.
--
Pete Cresswell

Re: MaleWareBytes Flagged Potentially Harmful Site?

(PeteCresswell) wrote:

If the destination IP# doesn't ring any bells, see what process is
responsible for the request.

Re: MaleWareBytes Flagged Potentially Harmful Site?

(PeteCresswell) wrote:

So why not check which process is making the connection to 89.28.62.91?
Use something like a 3rd party firewall or SysInternals TCPview.

The freeware version of MalwareBytes does not include a real-time
monitor.  So what program really popped up the alert on the outbound
connection attempt?

Re: MaleWareBytes Flagged Potentially Harmful Site?


< snip >

{ snicker }

Good point !

--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp

Re: MaleWareBytes Flagged Potentially Harmful Site?


The freeware version with a key I suppose. [g]
--
Character is doing the right thing when nobody's looking. There are too
many people who think that the only thing that's right is to get by, and
the only thing that's wrong is to get caught. - J.C. Watts

Re: MaleWareBytes Flagged Potentially Harmful Site?

89.28.62.91?

I'd go with sysinternals. Excellent details.
The freeware version does come with a trial offer to run the full
version for so many days and then revert back to the freeware (crippled
really) version if you don't elect to purchase. By crippled I mean
without protection module benefits. And automatic scheduling, but many
free apps exist which can be configured to handle that for you,
automatically.
--
Character is doing the right thing when nobody's looking. There are too
many people who think that the only thing that's right is to get by, and
the only thing that's wrong is to get caught. - J.C. Watts

Re: MaleWareBytes Flagged Potentially Harmful Site?

Per VanguardLH:

It really was MalwareBytes.  But, trust me, I haven't given those
guys a dime.
--
Pete Cresswell

Re: MaleWareBytes Flagged Potentially Harmful Site?

(PeteCresswell) wrote:

Then maybe you are running their trialware version.  Is there a
"Register" button at the bottom of the panels in the program's GUI?  If
so and you click on it, do you see that it is registered or do you see
empty fields where you input a license key (that you don't have since
you didn't buy it)?  I didn't find info on their site on the expiration
period for their trial version.

The only evidence that I see in the GUI for MalwareBytes that it is the
free version is a "Purchase" button on the bottom of each panel.
Presumably if you bought the product then they wouldn't be showing a
button to purchase it again.

If you have their freeware version, it can't be popping up alerts since
it isn't running in the background to have a monitor checking on your
host's activity.  You could use SysInternals' Process Explorer to see
what process opened a window.  After loading Process Explorer, click on
the spider web icon in its toolbar.  Then click on the window where you
see the alert.  Process Explorer will highlight (as gray) which process
has an open handle on that window (i.e., which process owns the window).
Then you can be sure what process hence what program opened that alert
window.
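A scripted version of the two checks the thread recommends, mapping a connection to the process that owns it (the TCPView check) and finding which process owns a given window (the Process Explorer check). This is an added example, not code from the thread or from Malwarebytes or Sysinternals; it assumes Windows 8 / Server 2012 or later for `Get-NetTCPConnection` and an elevated session so every process's image path is readable.

```powershell
# Added example: find which process owns a connection to a given remote
# address, and which process owns a window with a given title.
# Assumes Windows 8 / Server 2012+ (Get-NetTCPConnection) and an elevated
# PowerShell session.

function Get-ConnectionOwner {
    param(
        [Parameter(Mandatory)][string]$RemoteAddress   # e.g. 89.28.62.91 from the thread
    )
    # All TCP states are returned, so a SynSent attempt that never completes
    # (blocked or unanswered) is still caught if polled while it is pending.
    # -ErrorAction hides the "no objects found" error when nothing matches.
    Get-NetTCPConnection -RemoteAddress $RemoteAddress -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                State         = $_.State
                PID           = $_.OwningProcess
                ProcessName   = $proc.ProcessName
                ImagePath     = $proc.Path        # $null if the process exited or access is denied
            }
        }
}

function Get-WindowOwner {
    param(
        [Parameter(Mandatory)][string]$TitlePattern   # wildcard pattern, e.g. '*Malwarebytes*'
    )
    # Only each process's main top-level window is exposed here; Process
    # Explorer's crosshair also identifies child windows and dialogs.
    Get-Process | Where-Object { $_.MainWindowTitle -like $TitlePattern } |
        Select-Object Id, ProcessName, Path, MainWindowTitle
}

# Usage: a connection attempt is short-lived, so poll for a few seconds.
1..10 | ForEach-Object {
    Get-ConnectionOwner -RemoteAddress '89.28.62.91'
    Start-Sleep -Seconds 1
} | Sort-Object PID -Unique | Format-Table -AutoSize

# Usage: identify the process behind the alert window by its title.
Get-WindowOwner -TitlePattern '*Malwarebytes*' | Format-Table -AutoSize
```

On Windows 7 and earlier, which lack `Get-NetTCPConnection`, `netstat -ano` prints the same owning-PID column and can be matched to `Get-Process -Id` in the same way.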

Re: MaleWareBytes Flagged Potentially Harmful Site?

Per VanguardLH:

I think I have the "Trial" version - and it never really expires
itself, just keeps issuing periodic invitations to purchase.
The click-click approach wasn't working for me, so I tried
dragging the spider web to the window in question and it worked
like a charm.

Slick!

Thanks.
--
Pete Cresswell

Re: MaleWareBytes Flagged Potentially Harmful Site?

(PeteCresswell) wrote:

Authors/owners of trialware or shareware are not required to add code
that cripples or disables their product after the trial period.  The
trial period is a contract by your acceptance via install.  If you
install their trialware then you agree to the terms of that trial.  They
can, as you noticed, constantly nuisance you with advertising popups
trying to get you to surrender and buy their product (or move to the
free version).  They may trust the honor system that users who like
their product will buy it when the agreed upon trial expires or the
users uninstall their trial version and go to their free version.

http://www.malwarebytes.org/products/malwarebytes_pro says:

  Consumers and personal users pay a one-time fee of just $24.95! Want
  to take a test drive of Malwarebytes PRO before purchasing? Please
  click here to learn about our 14 day Trial.

So it is likely you are way beyond the trial period for using their Pro
version.  Naughty naughty.

Oops, yep, you click and drag the web icon to the window to find out
which process owns that window.

Re: MaleWareBytes Flagged Potentially Harmful Site?

Per VanguardLH:

TcpView!.... Something of an education for Yours Truly.

Haven't seen any attempts at the Moldavian address yet, but three
little nasties jumped out at me - all apparently picked up when I
started fooling around with IE 8: WjamUpdater.exe, Iminent, and
IminentMessanger.

The last 2 seem to be legitimate IE add-ons - but I never installed
or asked for them.   Thanks Microsoft!!!
--
Pete Cresswell

Re: MaleWareBytes Flagged Potentially Harmful Site?

On Thursday, April 12, 2012 9:33:24 AM UTC+8, (PeteCresswell) wrote:

Relax. What you are no doubt probably seeing is Skype related. Skype does
this--don't load Skype on bootup and this "Moldovian problem" will disappear.
It's harmless but related to Skype's messaging.

RL

Re: MaleWareBytes Flagged Potentially Harmful Site?

Per RayLopez99:

Sounds like a good chance to try Vanguard's various recommended
techniques.

Does anybody know why Skype would be trying to connect to
Moldavia?
--
Pete Cresswell

Re: MaleWareBytes Flagged Potentially Harmful Site?

It's P2P software.

--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp
Re: MaleWareBytes Flagged Potentially Harmful Site?

(PeteCresswell) wrote:

More likely it was foistware you installed bundled in with some other
install.  You need to look at the options available during an
installation to see what it proposes to install.  Use a custom install
choice if available so you can de-select the pre-selected bundleware.
If the author of the installer doesn't show the bundleware so you have a
choice to include it or not (despite them pre-selecting its inclusion
you can still deselect to exclude it) then the bundleware becomes
foistware.

Microsoft cannot stop users from including bundleware shoved into
installations from non-Microsoft sources.  The Iminent crap isn't from
Microsoft.  See:

http://www.iminent.com/

Re: MaleWareBytes Flagged Potentially Harmful Site?

Per VanguardLH:

That rings true.  Coincident with installing IE 8, I was shopping
around for a video transcoder for M4V==>MPEG and installed about
a half-dozen candidates.

Thanks again.   This whole thing has been worth it - just in terms
of educational value.
--
Pete Cresswell

Re: MaleWareBytes Flagged Potentially Harmful Site?

Maybe this whole thing is awakening my inner paranoid.

Now I'm getting notifications from Malwarebytes of blocked
connections to 22.64.149.142 and 22.64.167.208 - both of which
seem to be "DoD Network Information Center" in Columbus Ohio per
http://en.utrace.de

TcpView doesn't seem to show these - and that makes sense to me
in the context of MalwareBytes reporting that the attempt was
blocked - i.e. no connection got made, so there's nothing for
TcpView to feed on.

This is coincident with running uTorrent trying (unsuccessfully)
to download a movie.

Guess I'll swear off uTorrent for the foreseeable future.

That being said, "DoD Network Information Center"?????  WTF?
--
Pete Cresswell