Windows 7: Malwarebytes Blocking IP address

mhhack · 29 Dec 2012

Hi,
Malwarebytes(1.70) is returning "successfully blocked access to a potentially malicious website 91.235.128.161, type outgoing, port 53041, Process: explorer.exe. I've run some p2p software recently, but have uninstalled it, and cannot understand why explorer.exe is the process implicated. I've since run Microsoft Security Essentials and Malwarebytes on my whole system, but they return no errors. Can anyone help?

tman69 · 30 Dec 2012

Quote: Originally Posted by mhhack

Hi,
Malwarebytes(1.70) is returning "successfully blocked access to a potentially malicious website 91.235.128.161, type outgoing, port 53041, Process: explorer.exe. I've run some p2p software recently, but have uninstalled it, and cannot understand why explorer.exe is the process implicated. I've since run Microsoft Security Essentials and Malwarebytes on my whole system, but they return no errors. Can anyone help?

the message means the MBAM blocked something from accessing Windows Explorer (or kept windows explorer from connecting to that website) in other words...it did what it's supposed to do.

IF you would like more info see:

Malwarebytes Forum

A Guy · 30 Dec 2012

Welcome to Seven Forums mhhack. IP address in the Ukraine the-pirate-bay.biz

the-pirate-bay.biz - Ukraine IP. Detailed location, ISP and more info.

91.235.128.161 IP Address WHOIS | DomainTools.com

A Guy

Phone Man · 30 Dec 2012

A lot of times a site you have opened has links to other sites to load advertisments and MB is blocking one of these links.

Jim

mhhack · 30 Dec 2012

Thanks for your info, though I still don't see the solution to the fact that even when my computer is doing nothing malwarebytes will popup the blocking message. Remember that the type is outgoing, which I think means that my PC is initiating the request to connect. It's that that I want to stop.

DBone · 30 Dec 2012

If I were you, I would at least try a scan with Hitman Pro ( Home - SurfRight ). Also, you made it sound as though you did a full scan with Malwarebytes, but I would do another. Make sure it's up to date first, also make sure that in the settings tab, that you have PUP set to "show in results and check for removal"....... Actually, make sure that all 3 choices are set that way.

Start with that, and see if they can sniff something out.

mhhack · 30 Dec 2012

Thanks for your suggestions. I've rerun MB, full scan, and it turns up nothing, with the settings you suggested. I've also run SurfRight with nothing found.
Somehow or other something is prompting exlorer.exe to try to reach that malicious website, even though at the time nothing is running actively except for background tasks.
Just noticed looking at the MB logs that this attempt is made every 15 minutes, with the same URL but a different port.

DavidW7ncus · 30 Dec 2012

Someone reported the same type of issue on the Malwarebytes forum.
If you're interested, MBAM stated they could help determine the cause of the blocks.

Malwarebytes detects outgoing attempt from explorer.exe - Malwarebytes Forum

mhhack · 02 Jan 2013

This finally turned out to be a rootkit infection. One or another of those p2p sites downloaded a rootkit that mimicked explorer.exe. Luckily it was blocked by Malwarebytes and finally removed, though it wasn't detected in previous runs. Go know.

DavidW7ncus · 02 Jan 2013

Hello mhhack,

Glad you got this sorted out.
Can you tell us how you found out you had a rootkit infection?
It could help others if they run into this.

Did a Malwarebytes (MBAM) scan find and remove it?

Malwarebytes does have a new Anti-Rootkit tool (MBAR), but that is still in BETA (as far as I know).
Malwarebytes : Malwarebytes Anti-Rootkit

Thanks,
David

Windows 7: Malwarebytes Blocking IP address

Malwarebytes Blocking IP address problems?