Just got a Malwarebytes Pop-Up

system · 2015-04-27T05:06:12.000Z

I was just browsing the web when I got this pop-up. Hopefully nothing that is too scary.
“Malicious Website Protection, IP, 203.93.106.31 Port: 137, Outbound”
It also never gave me a process that was using this. I went to my avast! Network connections to check but could find nothing. A quick search of the IP shows it in China and is notorious for comment spamming. Possible RAT, Keylogger, am I part of a botnet? Help!

Pondus · 2015-04-27T05:55:48.000Z

maybe related to this
Oh, the Sites You Will Never See https://blog.malwarebytes.org/online-security/2013/05/oh-the-sites-you-will-never-see/

a malware expert will find out when checking your logs

system · 2015-04-27T12:13:47.000Z

I did a little researching. Port 137 is used for Windows File and Printer sharing, but is also exploited by some worms/trojans/backdoors. These are just a few:

W32.HLLW.Moega
W32.Crowt.A@mm (01.23.2005) - mass mailing worm, opens a backdoor, logs keystrokes. Uses ports 80 and 137.

W32.Reidana.A (03.27.2005) - worm that spreads using the MS DCOM RPC vulnerability (MS Security Bulletin [MS03-026]) on port 139. The worm attempts to download and execute a remote file via FTP. Opens TCP port 4444.

Just a little food for thought.

essexboy · 2015-04-27T14:28:01.000Z

System looks clean, no indicators of keyloggers or Trojans etc…

Does Avast do anything when MBAM alerts ?

Is there any unusual behaviour on the computer

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint: S0 nckkof; No ImagePath S0 nmfmfx; No ImagePath S0 ysyfer; No ImagePath CMD: netsh advfirewall reset CMD: netsh advfirewall set allprofiles state ON CMD: ipconfig /flushdns CMD: netsh winsock reset catalog CMD: netsh int ip reset c:\resetlog.txt CMD: ipconfig /release CMD: ipconfig /renew CMD: netsh int ipv4 reset CMD: netsh int ipv6 reset Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f RemoveProxy: EmptyTemp: CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

system · 2015-04-27T20:44:52.000Z

Nothing that really stands out. Computer is running extremely quick, and is not showing signs of anything abnormal. I was just frightened when I saw a pop-up with no process, an IP that already has a bad reputation, is an outbound connection, and it was right after I downloaded and installed WinRar, which I think is a somewhat sketchy piece of software. Other than that I think we are good, I’ll scan other computers on this network to eliminate the possibility of worms. Thanks again, you’re a life-saver essexboy! ;D

essexboy · 2015-04-27T21:16:35.000Z

WinRAR does drop some uninvited guests sometimes

system · 2015-04-27T21:36:04.000Z

Would you recommend I reinstall it or use something different, such as 7Zip? I’m getting it from the actual website, I know the dangers of downloading from all the PUP extravaganza websites like CNet.

essexboy · 2015-04-28T14:04:08.000Z

I use peazip but if you got the programme direct from the site then there should be no additions (unless they have just started)

Announcements