Malwarebytes Flagged Potentially Harmful Site?

(PeteCresswell)

I'm running the freebie version of Malwarebytes.

It says that it blocked an outgoing attempt to access
89.28.62.91.

When I Google "What is 89.28.62.91", I come up with
http://www.projecthoneypot.org/ip_89.28.62.91

Reading that page, I get the impression that my PC might be
infected with somebody's 'bot that's trying to use it to send
spam.

Another thought that occurs is that Malwarebytes might be
issuing fake notifications as a marketing ploy.

Am I even close on either count?
David H. Lipman

(PeteCresswell) said:
I'm running the freebie version of Malwarebytes.

It says that it blocked an outgoing attempt to access
89.28.62.91.

When I Google "What is 89.28.62.91", I come up with
http://www.projecthoneypot.org/ip_89.28.62.91

Reading that page, I get the impression that my PC might be
infected with somebody's 'bot that's trying to use it to send
spam.

Another thought that occurs is that Malwarebytes might be
issuing fake notifications as a marketing ploy.

Am I even close on either count?

You'd have to ask yourself why your computer is connecting to a site in Moldova.
VanguardLH

(PeteCresswell) said:
I'm running the freebie version of Malwarebytes. It says that it
blocked an outgoing attempt to access 89.28.62.91. When I Google
"What is 89.28.62.91", I come up with

http://www.projecthoneypot.org/ip_89.28.62.91

Reading that page, I get the impression that my PC might be infected
with somebody's 'bot that's trying to use it to send spam.

So why not check which process is making the connection to 89.28.62.91?
Use something like a 3rd party firewall or SysInternals TCPview.
Another thought that occurs is that Malwarebytes might be
issuing fake notifications as a marketing ploy.

The freeware version of Malwarebytes does not include a real-time
monitor. So what program really popped up the alert on the outbound
connection attempt?
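
An added example to go with the advice above (my code, not VanguardLH's and not anything shipped by Sysinternals or Malwarebytes): the command-line equivalent of looking at TCPView, mapping each live TCP connection to the process that owns it and checking whether that binary is signed. It assumes Windows 8 / Server 2012 or newer for Get-NetTCPConnection and an elevated prompt so that the path of every process resolves. The only address in $Suspects is the one from the thread.

```powershell
# Added example: map live TCP connections to their owning process, TCPView-style.
# Assumes Windows 8+ (Get-NetTCPConnection) and an elevated prompt.
param(
    [string[]]$Suspects = @('89.28.62.91')   # address from the thread; add others as needed
)

function Get-ConnectionOwner {
    param([string[]]$RemoteAddress)

    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $RemoteAddress -contains $_.RemoteAddress } |
        ForEach-Object {
            $conn = $_
            $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            $path = if ($proc) { $proc.Path } else { $null }
            # Authenticode status only says whether someone signed the binary, but an
            # unsigned executable talking to an unfamiliar address deserves a closer look.
            $sig = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'unknown' }
            [pscustomobject]@{
                Remote    = '{0}:{1}' -f $conn.RemoteAddress, $conn.RemotePort
                State     = $conn.State
                ProcessId = $conn.OwningProcess
                Process   = if ($proc) { $proc.ProcessName } else { '<exited>' }
                Path      = $path
                Signature = $sig
            }
        }
}

$hits = @(Get-ConnectionOwner -RemoteAddress $Suspects)
if ($hits.Count -eq 0) {
    # A blocked or refused attempt never gets a socket-table entry, so one snapshot can miss it.
    'No live TCP connection to {0} right now; repeat this while the alert is on screen.' -f ($Suspects -join ', ')
} else {
    $hits | Format-Table -AutoSize
}
```

On older Windows without the NetTCPIP module, `netstat -ano` gives the same PID column and `netstat -anob` (elevated) adds the executable name; Sysinternals also ships `tcpvcon.exe`, the console form of TCPView (`tcpvcon -a -c` prints every endpoint as CSV).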
Dustin

VanguardLH said:
So why not check which process is making the connection to 89.28.62.91?
Use something like a 3rd party firewall or SysInternals TCPview.

I'd go with sysinternals. Excellent details.
The freeware version of Malwarebytes does not include a real-time
monitor. So what program really popped up the alert on the outbound
connection attempt?

The freeware version does come with a trial offer to run the full
version for so many days and then revert back to the freeware (crippled
really) version if you don't elect to purchase. By crippled I mean
without protection module benefits. And automatic scheduling, but many
free apps exist which can be configured to handle that for you,
automatically.
(PeteCresswell)

Per David H. Lipman:
You'd have to ask yourself why your computer is connecting to a site in Moldova.

Per the OP, one possibility is infection with a malware/bot. The
other is that it is not trying to connect... so the OP stands.
(PeteCresswell)

Per VanguardLH:
The freeware version of Malwarebytes does not include a real-time
monitor. So what program really popped up the alert on the outbound
connection attempt?

It really was Malwarebytes. But, trust me, I haven't given those
guys a dime.
FromTheRafters

(PeteCresswell) said:
Per David H. Lipman:

Per the OP, one possibility is infection with a malware/bot. The
other is that it is not trying to connect... so the OP stands.

If the destination IP# doesn't ring any bells, see what process is
responsible for the request.
(PeteCresswell)

Per VanguardLH:
So why not check which process is making the connection to 89.28.62.91?
Use something like a 3rd party firewall or SysInternals TCPview.

TcpView!.... Something of an education for Yours Truly.

Haven't seen any attempts at the Moldavian address yet, but three
little nasties jumped out at me - all apparently picked up when I
started fooling around with IE 8: WjamUpdater.exe, Iminent, and
IminentMessanger.

The last 2 seem to be legitimate IE add-ons - but I never installed
or asked for them. Thanks Microsoft!!!
RayLopez99

Per VanguardLH:

TcpView!.... Something of an education for Yours Truly.

Haven't seen any attempts at the Moldavian address yet, but three
little nasties jumped out at me - all apparently picked up when I
started fooling around with IE 8: WjamUpdater.exe, Iminent, and
IminentMessanger.

The last 2 seem to be legitimate IE add-ons - but I never installed
or asked for them. Thanks Microsoft!!!

Relax. What you are no doubt probably seeing is Skype related. Skype does this--don't load Skype on bootup and this "Moldovan problem" will disappear. It's harmless but related to Skype's messaging.

RL
VanguardLH

(PeteCresswell) said:
Per VanguardLH:

TcpView!.... Something of an education for Yours Truly.

Haven't seen any attempts at the Moldavian address yet, but three
little nasties jumped out at me - all apparently picked up when I
started fooling around with IE 8: WjamUpdater.exe, Iminent, and
IminentMessanger.

The last 2 seem to be legitimate IE add-ons - but I never installed
or asked for them. Thanks Microsoft!!!

More likely it was foistware you installed bundled in with some other
install. You need to look at the options available during an
installation to see what it proposes to install. Use a custom install
choice if available so you can de-select the pre-selected bundleware.
If the author of the installer doesn't show the bundleware so you have a
choice to include it or not (despite them pre-selecting its inclusion
you can still deselect to exclude it) then the bundleware becomes
foistware.

Microsoft cannot stop users from including bundleware shoved into
installations from non-Microsoft sources. The Iminent crap isn't from
Microsoft. See:

http://www.iminent.com/
VanguardLH

(PeteCresswell) said:
Per VanguardLH:


It really was Malwarebytes. But, trust me, I haven't given those
guys a dime.

Then maybe you are running their trialware version. Is there a
"Register" button at the bottom of the panels in the program's GUI? If
so and you click on it, do you see that it is registered or do you see
empty fields where you input a license key (that you don't have since
you didn't buy it)? I didn't find info on their site on the expiration
period for their trial version.

The only evidence that I see in the GUI for Malwarebytes that it is the
free version is a "Purchase" button on the bottom of each panel.
Presumably if you bought the product then they wouldn't be showing a
button to purchase it again.

If you have their freeware version, it can't be popping up alerts since
it isn't running in the background to have a monitor checking on your
host's activity. You could use SysInternals' Process Explorer to see
what process opened a window. After loading Process Explorer, click on
the spider web icon in its toolbar. Then click on the window where you
see the alert. Process Explorer will highlight (as gray) which process
has an open handle on that window (i.e., which process owns the window).
Then you can be sure what process hence what program opened that alert
window.
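
An added example for the "which process owns that window?" step (my code, not from VanguardLH and not part of Process Explorer): the command-line equivalent of dragging the crosshair onto the alert. It assumes PowerShell 2.0 or newer for Add-Type and only reads the foreground window, so you run it, click the alert within the countdown, and it reports the owning process, its path and the company recorded in the file's version resource.

```powershell
# Added example: identify the process that owns the foreground window.
# Run it, then click the alert window before the countdown ends.
# Assumes PowerShell 2.0+ (Add-Type); Add-Type's default usings cover DllImport.
Add-Type -Namespace Win32 -Name User32 -MemberDefinition @'
[DllImport("user32.dll")]
public static extern IntPtr GetForegroundWindow();
[DllImport("user32.dll")]
public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
[DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern int GetWindowText(IntPtr hWnd, System.Text.StringBuilder lpString, int nMaxCount);
'@

function Get-ForegroundWindowOwner {
    $hwnd = [Win32.User32]::GetForegroundWindow()
    $procId = 0
    [void][Win32.User32]::GetWindowThreadProcessId($hwnd, [ref]$procId)
    $title = New-Object System.Text.StringBuilder 512
    [void][Win32.User32]::GetWindowText($hwnd, $title, $title.Capacity)
    $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
    $path = if ($proc) { $proc.Path } else { $null }   # null for a more privileged process unless elevated
    [pscustomobject]@{
        WindowTitle = $title.ToString()
        ProcessId   = $procId
        Process     = if ($proc) { $proc.ProcessName } else { '<unknown>' }
        Path        = $path
        Company     = if ($path) { (Get-Item $path).VersionInfo.CompanyName } else { $null }
    }
}

$seconds = 5
Write-Host "Click the alert window within $seconds seconds..."
Start-Sleep -Seconds $seconds
Get-ForegroundWindowOwner | Format-List
```

If the alert closes itself before you can click it, start the script from an elevated prompt and shorten the countdown; the path and company fields are the quick sanity check that the popup really comes from the product you think it does.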
(PeteCresswell)

Per VanguardLH:
The only evidence that I see in the GUI for Malwarebytes that it is the
free version is a "Purchase" button on the bottom of each panel.
Presumably if you bought the product then they wouldn't be showing a
button to purchase it again.

I think I have the "Trial" version - and it never really expires
itself, just keeps issuing periodic invitations to purchase.
If you have their freeware version, it can't be popping up alerts since
it isn't running in the background to have a monitor checking on your
host's activity. You could use SysInternals' Process Explorer to see
what process opened a window. After loading Process Explorer, click on
the spider web icon in its toolbar. Then click on the window where you
see the alert. Process Explorer will highlight (as gray) which process
has an open handle on that window (i.e., which process owns the window).
Then you can be sure what process hence what program opened that alert
window.

The click-click approach wasn't working for me, so I tried
dragging the spider web to the window in question and it worked
like a charm.

Slick!

Thanks.
(PeteCresswell)

Per VanguardLH:
More likely it was foistware you installed bundled in with some other
install. You need to look at the options available during an
installation to see what it proposes to install. Use a custom install
choice if available so you can de-select the pre-selected bundleware.
If the author of the installer doesn't show the bundleware so you have a
choice to include it or not (despite them pre-selecting its inclusion
you can still deselect to exclude it) then the bundleware becomes
foistware.

Microsoft cannot stop users from including bundleware shoved into
installations from non-Microsoft sources. The Iminent crap isn't from
Microsoft. See:

http://www.iminent.com/

That rings true. Coincident with installing IE 8, I was shopping
around for a video transcoder for M4V==>MPEG and installed about
a half-dozen candidates.

Thanks again. This whole thing has been worth it - just in terms
of educational value.
(PeteCresswell)

Per RayLopez99:
Relax. What you are no doubt probably seeing is Skype related. Skype does this--don't load Skype on bootup and this "Moldovan problem" will disappear.

Sounds like a good chance to try Vanguard's various recommended
techniques.

Does anybody know why Skype would be trying to connect to
Moldavia?
David H. Lipman

(PeteCresswell) said:
Per RayLopez99:

Sounds like a good chance to try Vanguard's various recommended
techniques.

Does anybody know why Skype would be trying to connect to
Moldavia?


It's P2P software.
VanguardLH

(PeteCresswell) said:
VanguardLH:


I think I have the "Trial" version - and it never really expires
itself, just keeps issuing periodic invitations to purchase.

Authors/owners of trialware or shareware are not required to add code
that cripples or disables their product after the trial period. The
trial period is a contract by your acceptance via install. If you
install their trialware then you agree to the terms of that trial. They
can, as you noticed, constantly nuisance you with advertising popups
trying to get you to surrender and buy their product (or move to the
free version). They may trust the honor system that users who like
their product will buy it when the agreed upon trial expires or the
users uninstall their trial version and go to their free version.

http://www.malwarebytes.org/products/malwarebytes_pro says:

Consumers and personal users pay a one-time fee of just $24.95! Want
to take a test drive of Malwarebytes PRO before purchasing? Please
click here to learn about our 14 day Trial.

So it is likely you are way beyond the trial period for using their Pro
version. Naughty naughty.
The click-click approach wasn't working for me, so I tried dragging
the spider web to the window in question and it worked like a charm.

Oops, yep, you click and drag the web icon to the window to find out
which process owns that window.
(PeteCresswell)

Maybe this whole thing is awakening my inner paranoid.

Now I'm getting notifications from Malwarebytes of blocked
connections to 22.64.149.142 and 22.64.167.208 - both of which
seem to be "DoD Network Information Center" in Columbus Ohio per
http://en.utrace.de

TcpView doesn't seem to show these - and that makes sense to me
in the context of MalwareBytes reporting that the attempt was
blocked - i.e. no connection got made, so there's nothing for
TcpView to feed on.

This is coincident with running uTorrent trying (unsuccessfully)
to download a movie.

Guess I'll swear off uTorrent for the foreseeable future.

That being said, "DoD Network Information Center"????? WTF?
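
An added example for the point in the last post that TcpView shows nothing for a blocked attempt (my code, not from any poster): a connection that is refused or blocked often never gets a socket-table entry, so polling the socket table is a race you can lose. Windows Filtering Platform auditing records every permitted (event 5156) and blocked (event 5157) connection with the owning executable, so the attempt leaves a trace even when it lasts a millisecond. It assumes an elevated prompt and Windows Vista or newer; it only reflects WFP decisions (Windows Firewall and any product that filters through WFP), so a product that blocks inside its own driver may or may not show up here. The watch list is the three addresses named in the thread; the 22.0.0.0/8 block is indeed registered to the DoD Network Information Center, and a torrent client will try whatever peer addresses the tracker or DHT hands it, so the destination alone says little about which side is at fault.

```powershell
# Added example: audit WFP connection decisions to catch attempts too brief for TCPView.
# Requires an elevated prompt. Success audit = 5156 (permitted), failure audit = 5157 (blocked).
param(
    [string[]]$Watch = @('89.28.62.91', '22.64.149.142', '22.64.167.208')   # addresses from the thread
)

function Enable-WfpConnectionAudit {
    auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable | Out-Null
}

function Get-WfpConnectionEvents {
    param([string[]]$Remote, [datetime]$Since)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156, 5157; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            # The raw XML stores Direction as the resource id %%14593 for Outbound.
            $outbound = ($d.Direction -eq '%%14593' -or $d.Direction -eq 'Outbound')
            if ($outbound -and ($Remote -contains $d.DestAddress)) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Decision    = if ($_.Id -eq 5157) { 'BLOCKED' } else { 'permitted' }
                    Destination = '{0}:{1}' -f $d.DestAddress, $d.DestPort
                    ProcessId   = $d.ProcessID
                    Application = $d.Application   # device path, e.g. \device\harddiskvolumeN\...\utorrent.exe
                }
            }
        }
}

Enable-WfpConnectionAudit
$since = Get-Date
Write-Host 'Auditing on. Reproduce the activity (start the torrent client, open Skype), then press Enter.'
Read-Host | Out-Null
$events = @(Get-WfpConnectionEvents -Remote $Watch -Since $since)
if ($events.Count -eq 0) {
    'No WFP decision involving {0} since {1}.' -f ($Watch -join ', '), $since
} else {
    $events | Sort-Object Time | Format-Table -AutoSize
}
```

Success auditing logs a 5156 for every permitted connection and fills the Security log quickly, so turn it back off when done with `auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable`. The Application field is a device path rather than a drive letter; it is still enough to tell utorrent.exe from something pretending to be it.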