Firefox attempting to access malicious IP?
I recently started running Malwarebytes and it has been telling me that there's a Firefox process that keeps trying to access a supposedly malicious site. The IP address is 109 163 230 92. It's not that a website is trying to access my computer; it's that my computer keeps trying to access the site. Malwarebytes has blocked this, but it keeps trying different ports in the 60000 range. Has anyone else ever had this problem? Or does anyone know what this is about or what is causing this? I have a number of plugins installed and I'll provide troubleshooting info. I tried looking up the WhoIs but couldn't make much sense of it. Thanks in advance for help with this.
All Replies (19)
can you test if these connections also happen when you launch & run firefox in safemode (first close all other firefox windows & then press the shift key while you open firefox)
I can try that, madperson, although it means I'd have to leave it in safe mode for several days. It doesn't seem to happen every day, but when it does there are several attempts spaced a few minutes apart. The problem is that I'm doing work that I need some of the plugins for, so I don't know if this will work for that amount of time. I'll see what I can do though. Maybe I could disable all but the most essential plugins for now and see what happens.
the following site locates the ip-adress in russia/romania & lists 3 domains that are hosted there: http://www.plotip.com/ip/109.163.230.92 have you visited any of these intentionally?
Nope.
does a full scan of your system by malwarebytes or another anti-virus software bring up any suspicious results?
https://support.mozilla.org/en-US/kb/Is%20my%20Firefox%20problem%20a%20re...
Malwarebytes and my anti-virus ESET found a few critters in the last couple of weeks, but they were quarantined and I zapped them. The outgoing calls are still happening.
Okay, I waited until I saw more of those messages, since these out-calling attempts seem to come in waves. I just saw one and I restarted Firefox right away in Safe Mode with all add-ons disabled. First thing I saw after it had reloaded was another warning message that a call-out attempt by process firefox.exe had been blocked. So presumably it's not coming from one of my add-ons. What can I try next in trying to diagnose this? Again, thanks for your help.
can you post a hijack-this log here?
Thanks for the suggestion. I've run a scan with log, which I'll paste below. By the way, this seems to happen either a lot or only when I access my own website. My website was hacked about a month or two ago and I cleaned it out right away, but I'm wondering if maybe there's something that got downloaded to my computer inadvertently that's trying to "phone home."
The log, with my comments, exceeds the maximum character count, so I'll divide it into running processes first, and then the rest of the log in a separate post. Here's part 1 of the log:
Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 10:30:12 AM, on 2012-05-06 Platform: Windows Vista SP2 (WinNT 6.00.1906) MSIE: Internet Explorer v9.00 (9.00.8112.16421) Boot mode: Normal Running processes: C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Windows\system32\taskeng.exe C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe C:\Program Files\HP\HP Software Update\hpwuSchd2.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\NVIDIA Corporation\Display\nvtray.exe C:\Program Files\BOINC\boinctray.exe C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Windows Sidebar\sidebar.exe C:\Program Files\ChronosXP\ChronosXP.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\FinePixViewer\QuickDCF2.exe C:\Program Files\LG Soft India\fortePivot\bin\fortePivot.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\PayPal Payment Request Wizard\Outlook Wizard\OEHook.exe C:\Program Files\Lunabar\Lunabar.exe C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE C:\Program Files\Windows Sidebar\sidebar.exe C:\Program Files\Windows Media Player\wmpnscfg.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe C:\Windows\system32\wbem\unsecapp.exe C:\Windows\system32\conime.exe C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Program Files\zabkat\xplorer2\xplorer2_UC.exe C:\Windows\system32\SearchFilterHost.exe C:\Users\Owner\Downloads\SoftwareFree\HijackThis.exe
cor-el moo ko soppali ci
Here's part 2 of the log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://value-exchange.sitesell.com/value-hq.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O1 - Hosts: ::1 localhost O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe -r O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe" O4 - HKLM\..\Run: [boincmgr] "C:\Program Files\BOINC\boincmgr.exe" /a /s O4 - HKLM\..\Run: [boinctray] "C:\Program Files\BOINC\boinctray.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup O4 - HKCU\..\Run: [Sidebar] C:\Program Files\windows sidebar\sidebar.exe /autoRun O4 - HKCU\..\Run: [ChronosXP] "C:\Program Files\ChronosXP\ChronosXP.exe" O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" O4 - HKCU\..\Run: [Google Update] "C:\Users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe" /c O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-21-3941292943-3776173302-198126923-1008\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'UpdatusUser') O4 - Startup: Logitech . Product Registration.lnk = C:\Program Files\Logitech\Logitech WebCam Software\eReg.exe O4 - Startup: Lunabar Taskbar Icon.lnk = C:\Program Files\Lunabar\Lunabar.exe O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe O4 - Global Startup: fortePivot.lnk = ? O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O4 - Global Startup: Outlook Plugin.lnk = C:\Program Files\PayPal Payment Request Wizard\Outlook Wizard\OEHook.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Toggle Flash - {93089660-AD23-44F1-AF37-54011A1A5A22} - C:\Program Files\Toggle Flash\togflash.exe O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics O15 - Trusted Zone: http://staplescanada.webprint.com O16 - DPF: CosNet_VideoPlugin - http://www.instantpresenter.com/components/CosNet_VideoPlugin.cab O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://oas.support.microsoft.com/ActiveX/MSDcode.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1253379198927 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab O16 - DPF: {E901098E-6B97-485A-B712-9908683F5E9E} (CosNetWebConference Control) - http://www.instantpresenter.com/components/CosNetWebConference.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll O23 - Service: Adobe Active File Monitor V8 (AdobeActiveFileMonitor8.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing) O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe O23 - Service: TeamViewer 5 (TeamViewer5) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe O23 - Service: UMVPFSrv - Logitech Inc. - C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe -- End of file - 11398 bytes
cor-el moo ko soppali ci
I hope that part 2 isn't too messy. If it's impossible to read, let me know and I'll space it out.
Download and Run TDSSKiller http://support.kaspersky.com/faq/?qid=208283363
Download and Install Microsoft Security Essentials http://windows.microsoft.com/en-US/windows/products/security-essentials (not an official endorsement, but I personally recommend MSE as an awesome permanent anti-virus)
Double check for all Windows Updates.
If you are still having problems with Malware after that, I would recommend either http://www.bleepingcomputer.com/virus-removal/, or having your computer cleaned by a professional. Diagnosing virus infections is a bit beyond the scope of this forum.
Hi Tylerdowner, thanks for the suggestions. I'll check out TDSSKiller. I don't think I have essentials running, although I do have their anti-spyware one (can't think of the name). I always make sure all Windows updates are installed, and if there are any waiting that MS hasn't notified me about yet, ESET throws a hissy fit until I update it. ;-)
nothing too obvious in the log - however
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
is flagged as malicious on two sites. you might want to remove this entry & uninstall this software if you don't need it
philipp moo ko soppali ci
Tylerdowner: TDSSKiller came up with nothing.
Madperson: I "repaired" that item and tried accessing my website and got the same outcall warning from MB.
On a hunch, I tested my site on IE9 and got the same warning message, but giving IE as the source process. So I guess this isn't a Mozilla issue, as such. And the warning message is coming up pretty consistently when I access a page on my website, so I suspect this is related to the hack attack I got, which probably coincides with when I started seeing those warnings.
I'm not quite sure what to try next. I could try scrubbing my webspace and reinstalling, but if it's an outgoing call from my computer that suggests the problem is on my computer, not (any longer) on my website, so it might not help. Maybe I'll try bleepingcomputer, as suggested by Tylerdowner.
I really appreciate all the help. :-) Any other suggestions are most welcome.
the problem is most likely on you pc - mcafee website lists a few trojan variants that communicate with this ip: https://www.google.com/search?q=109.163.230.***+mcafee.com
you can also use this microsoft tool (uses the engine of ms security essentials) to create a bootable cd/dvd/usb-stick with up do date sigantures to scan your pc for rootkits etc: http://windows.microsoft.com/en-US/wi.../what-is-windows-defender-offline
as tylerdowner has already suggested, if all those suggestions don't work it would be better to consult a specialised forum like the ones that are listed in the link of my third answer.
sorry, i didn't read the part before, where you said its mainly happening when you visit your site & then with all browsers. so doesn't have to necessarily be something local - maybe still some leftover code/links from the hacking attack - then your browser would be triggered to contact the ip and therefore the traffic is shown as originating from the browser
Hi Madperson, thanks very much for your thoughts. I keep running various scans and nothing shows up. I even ran an antivirus scan on my webspace (provided by cPanel) and it didn't show anything. I've now put in a support ticket to my webhost and hope that they can help. Thanks for mentioning that the problem isn't necessarily on my computer. I feel like I'm running in circles with this, so it could make sense that I'm looking in the wrong place. For the sake of anyone else reading this who is having similar issues, I'll report back anything I find out about this. Again, many thanks for all your help. :-)
I found out what was causing the problem. It was a link to a 3rd party website that I used to create my Facebook badge. It's apparently involved in servers that aren't exactly picky about their users, if you get my drift, so Malwarebytes considers their IP address a dirty one and blocks it. I've removed the link and it's fine now.
Thanks again for the help! :-)