I was just browsing the web when I got this pop-up. Hopefully nothing that is too scary.
“Malicious Website Protection, IP, 203.93.106.31 Port: 137, Outbound”
It also never gave me a process that was using this. I went to my avast! Network connections to check but could find nothing. A quick search of the IP shows it is in China and is notorious for comment spamming. Possible RAT, keylogger, am I part of a botnet? Help!
Maybe related to this:
Oh, the Sites You Will Never See https://blog.malwarebytes.org/online-security/2013/05/oh-the-sites-you-will-never-see/
A malware expert will find out when checking your logs.
I did a little research. Port 137 is used for Windows File and Printer Sharing, but is also exploited by some worms/trojans/backdoors. These are just a few:
- W32.HLLW.Moega
- W32.Crowt.A@mm (01.23.2005) - mass mailing worm, opens a backdoor, logs keystrokes. Uses ports 80 and 137.
- W32.Reidana.A (03.27.2005) - worm that spreads using the MS DCOM RPC vulnerability (MS Security Bulletin [MS03-026]) on port 139. The worm attempts to download and execute a remote file via FTP. Opens TCP port 4444.
Just a little food for thought.
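The point of the list above is that port 137 is NetBIOS name service, which only belongs on the local network, so an outbound hit on it to a public address is worth a look even when nothing else is wrong. The following triage script is an added example, not part of the thread and not Malwarebytes' own logic: it parses pop-up lines in the exact format quoted in the first post, maps the ports the thread mentions to their services, and flags LAN-only ports reaching off-LAN addresses. The port table, the "LAN-only" rule and the severity labels are my assumptions; the first sample line is the one from the original post, the other three are constructed (the 198.51.100.x and 203.0.113.x addresses are documentation ranges used as stand-ins for public IPs).

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample lines in the format of the Malwarebytes pop-up quoted in the thread.
# The first is the line from the original post; the other three are made up for illustration.
SAMPLE_ALERTS = [
    "Malicious Website Protection, IP, 203.93.106.31 Port: 137, Outbound",
    "Malicious Website Protection, IP, 192.168.1.20 Port: 137, Outbound",
    "Malicious Website Protection, IP, 198.51.100.7 Port: 4444, Inbound",
    "Malicious Website Protection, IP, 203.0.113.9 Port: 80, Outbound",
]

# Services behind the ports discussed in the thread (assumed mapping, standard Windows/IANA usage).
PORT_SERVICES = {
    80: "HTTP",
    137: "NetBIOS name service (Windows File and Printer Sharing)",
    139: "NetBIOS session service (SMB over NetBIOS)",
    4444: "no standard service; listener opened by some worms (e.g. W32.Reidana.A per the thread)",
}

# NetBIOS/SMB ports are only meaningful on the local network: traffic on them to an
# off-LAN address is a leak or misconfiguration that deserves a look, not a verdict.
LAN_ONLY_PORTS = {137, 138, 139, 445}
# Ports named in the thread as backdoor listeners.
BACKDOOR_PORTS = {4444}

# Address ranges treated as "on the LAN": RFC 1918, loopback and link-local (assumption).
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

ALERT_RE = re.compile(
    r"^(?P<module>[^,]+), IP, (?P<ip>[0-9.]+) Port: (?P<port>\d+), (?P<direction>Inbound|Outbound)$"
)


@dataclass
class Finding:
    ip: str
    port: int
    direction: str
    service: str
    severity: str   # "expected", "low" or "investigate"
    note: str


def parse_alert(line):
    """Split one pop-up line into (ip, port, direction); raise on anything unexpected."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised alert format: {line!r}")
    return m.group("ip"), int(m.group("port")), m.group("direction")


def is_lan_address(ip):
    """True if the address falls in one of the ranges we consider local."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETWORKS)


def triage(line):
    """Classify one alert line. This is a prioritisation aid, not a malware verdict."""
    ip, port, direction = parse_alert(line)
    service = PORT_SERVICES.get(port, "unknown")
    on_lan = is_lan_address(ip)

    if port in LAN_ONLY_PORTS and not on_lan:
        severity = "investigate"
        note = ("LAN-only protocol reaching an off-LAN address: identify the owning process "
                "(netstat -anob) and block outbound 137-139/445 to the internet at the firewall")
    elif port in LAN_ONLY_PORTS:
        severity = "expected"
        note = "NetBIOS/SMB to a private address is normal file and printer sharing traffic"
    elif port in BACKDOOR_PORTS:
        severity = "investigate"
        note = "port associated with worm backdoors: confirm there is no local listener (netstat -anob)"
    else:
        severity = "low"
        note = "ordinary port; the alert rests on the destination's reputation alone"

    return Finding(ip, port, direction, service, severity, note)


def triage_all(lines):
    return [triage(line) for line in lines]


if __name__ == "__main__":
    for f in triage_all(SAMPLE_ALERTS):
        print(f"{f.severity:12} {f.direction:8} {f.ip}:{f.port} ({f.service}) - {f.note}")
```

The script deliberately checks RFC 1918 membership itself rather than relying on `ipaddress`'s `is_global`, because that property also treats documentation ranges as non-global and would hide the difference the example wants to show. Run it as-is to see the four sample lines classified; feed it real pop-up text one line at a time for your own alerts.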
System looks clean, no indicators of keyloggers or Trojans etc…
Does Avast do anything when MBAM alerts?
Is there any unusual behaviour on the computer?
CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
S0 nckkof; No ImagePath
S0 nmfmfx; No ImagePath
S0 ysyfer; No ImagePath
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated; please post that.
Nothing that really stands out. Computer is running extremely quick, and is not showing signs of anything abnormal. I was just frightened when I saw a pop-up with no process, an IP that already has a bad reputation, is an outbound connection, and it was right after I downloaded and installed WinRAR, which I think is a somewhat sketchy piece of software. Other than that I think we are good; I’ll scan other computers on this network to eliminate the possibility of worms. Thanks again, you’re a life-saver essexboy! ;D
WinRAR does drop some uninvited guests sometimes
Would you recommend I reinstall it or use something different, such as 7Zip? I’m getting it from the actual website, I know the dangers of downloading from all the PUP extravaganza websites like CNet.
I use peazip but if you got the programme direct from the site then there should be no additions (unless they have just started)