I keep getting this pop up from Malwarebytes active screening.
Can anyone advise me?
It seems to indicate that I'm sending out malware as it says the type is Outbound and gives a port number. When I look for the directory identified by Malwarebytes, I cannot find one. When I enter the IP address in my browser it says it cannot locate the page. A scan revealed nothing.
I've searched but I haven't found the right argument yet.
- UraniumLounger
- Posts: 9533
- Joined: 13 Feb 2010, 01:27
- Location: Deep in the Heart of Texas
Confused by Malwarebytes Pop Up
Bob's yer Uncle
Dell Intel Core i5 Laptop, 3570K, 1.60 GHz, 8 GB RAM, Windows 11 64-bit, LibreOffice, and other bits and bobs
(1/2)(1+√5) |
- Administrator
- Posts: 79435
- Joined: 16 Jan 2010, 00:14
- Status: Microsoft MVP
- Location: Wageningen, The Netherlands
Re: Confused by Malwarebytes Pop Up
It's probably a false positive.
The path is C:\Windows\SysWOW64\WindowsPowerShell\v1.0 as far as I can tell. PowerShell is a utility that comes with Windows.
Best wishes,
Hans
- UraniumLounger
- Posts: 9533
- Joined: 13 Feb 2010, 01:27
- Location: Deep in the Heart of Texas
Re: Confused by Malwarebytes Pop Up
I've opened a ticket with Malwarebytes but haven't heard back from them.
I suspect you're right about the false positive because I don't have that directory in my C:\Windows folder. I'll report back when I've resolved this with MWB
- SilverLounger
- Posts: 2133
- Joined: 25 Jan 2010, 02:12
Re: Confused by Malwarebytes Pop Up
SysWOW64 is under the Windows folder, not the top level of C:
See Domain tools lookup for more information about the IP address. It appears to be a domain owned by m247.com hosted in Paris, France. M247.com appears to be the owner. They claim to be located in the UK. I can't comment on them as I know nothing about them.
BTW, Powershell has the ability to communicate outside the host PC (i.e. your machine). I'd check for a scheduled task.
Joe
- GoldLounger
- Posts: 3081
- Joined: 24 Jan 2010, 19:07
Re: Confused by Malwarebytes Pop Up
(Outbound blocking isn't necessarily you sending malware; software can block access to certain sites.)
Far from all IP addresses are used by web sites. And it's usually not something you will find with the help of a search engine.
I usually start with my home territory, RIPE, and if they point in any other direction/part of the world I check that (though it sure isn't often). As Joe said the IP address points to M247-LTD-Paris, France, but with contact details and responsible organisation, M247 Europe SRL, in Romania.
And yes, also the Malwarebytes’s forum has other threads regarding outbound blocks.
And yes (was going to comment about that last night, but it wasn't of highest importance), you must have SysWOW64, if you look in the Windows folder, instead of the root of the system drive (called Windows).
I know you have used VPN, of different types I think; any changes there?
And again, as Joe said, although you have a clean scan report, there are examples (also in the Malwarebytes’s forum) of situations with partially removed malware, but tasks lingering behind, so check the Task scheduler.
Byelingual When you speak two languages but start losing vocabulary in both of them.
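Joe and Argus both suggest checking Task Scheduler for a lingering task. The script below is an added example, not code from the thread or from Malwarebytes: it walks every scheduled task, resolves the executable each action runs (expanding %windir%-style variables and bare names the way the service does), and flags actions that run from a user-writable folder, launch a script host such as powershell.exe, point at a file that no longer exists, or point at an unsigned file. The folder list and the script-host list are assumptions to tune for your own machine.

```powershell
# Added example, not from the thread: audit every scheduled task's actions and flag
# the ones worth a second look (user-writable folder, script host, missing or
# unsigned executable). Run from an elevated PowerShell to see tasks of all users.

# Folders an installer normally does not use for a persistent task (assumption:
# adjust the list for your own environment).
$riskyRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, "$env:USERPROFILE\Downloads") |
    Where-Object { $_ }

# Interpreters whose real payload lives in the Arguments column, so the path alone
# says nothing about what the task does.
$scriptHosts = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe')

function Resolve-TaskExecutable {
    param([string]$Execute)
    if ([string]::IsNullOrWhiteSpace($Execute)) { return $null }
    # Task Scheduler stores paths like "%windir%\system32\msfeedssync.exe"
    $path = [Environment]::ExpandEnvironmentVariables($Execute.Trim('"'))
    # A bare name such as powershell.exe is found through PATH, as the service does
    if (-not [IO.Path]::IsPathRooted($path)) {
        $cmd = Get-Command -Name $path -CommandType Application -ErrorAction SilentlyContinue |
            Select-Object -First 1
        if ($cmd) { $path = $cmd.Source }
    }
    return $path
}

function Get-TaskAudit {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # COM-handler actions have no Execute property; only exec actions are audited
            if (-not $action.Execute) { continue }
            $exe   = Resolve-TaskExecutable $action.Execute
            $flags = New-Object System.Collections.Generic.List[string]
            if ($exe) {
                foreach ($root in $riskyRoots) {
                    if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                        $flags.Add("runs from $root")
                    }
                }
                if ($scriptHosts -contains [IO.Path]::GetFileName($exe).ToLowerInvariant()) {
                    $flags.Add('script host; read Arguments')
                }
                if (-not (Test-Path -LiteralPath $exe)) {
                    $flags.Add('executable missing on disk')
                } elseif ((Get-AuthenticodeSignature -LiteralPath $exe).Status -ne 'Valid') {
                    $flags.Add('unsigned or invalid signature')
                }
            } else {
                $flags.Add('could not resolve executable')
            }
            [pscustomobject]@{
                Task       = $task.TaskPath + $task.TaskName
                State      = $task.State
                Executable = $exe
                Arguments  = $action.Arguments
                Flags      = $flags -join '; '
            }
        }
    }
}

# Show only the flagged entries; drop the Where-Object to list every task instead.
Get-TaskAudit | Where-Object { $_.Flags } | Sort-Object Task | Format-Table -AutoSize -Wrap
```

A flag is a reason to read the row, not a verdict: plenty of legitimate updaters live under LOCALAPPDATA, and a Microsoft task that starts powershell.exe is normal. What matters is where the executable actually resolves to and what the Arguments column asks it to do. To look at one task, such as the User_Feed_Synchronization entry discussed later in this thread, pipe `Get-TaskAudit` through `Where-Object { $_.Task -like '*User_Feed*' }`.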
- UraniumLounger
- Posts: 9533
- Joined: 13 Feb 2010, 01:27
- Location: Deep in the Heart of Texas
Re: Confused by Malwarebytes Pop Up
Thanks for the info, Joe and Argus!
Here are all the tasks I see in Task Scheduler. I removed 3 tasks having to do with WinZip notifications as I do not use WinZip and don't want the nags. The one that is worrisome is the last one: User Feed Synchronization. I would delete it but thought I'd ask your advice first. Also, can I safely delete the OneDrive Standalone Update if I don't use OneDrive?
FWIW: The support ticket resulted in their sending me links to a diagnostic tool of theirs which I downloaded, installed and ran. It updated the ticket. I should hear from them again within a day or so. I'll report results.
Again, thank you for the advice.
- Administrator
- Posts: 79435
- Joined: 16 Jan 2010, 00:14
- Status: Microsoft MVP
- Location: Wageningen, The Netherlands
Re: Confused by Malwarebytes Pop Up
User_Feed_Synchronization is used by Internet Explorer to sync RSS feeds. It doesn't do any harm, but if you don't use Internet Explorer, you can safely delete this scheduled task.
You can delete the OneDrive task too, but it will probably rise from the dead at the earliest opportunity Microsoft sees.
Best wishes,
Hans
- UraniumLounger
- Posts: 9533
- Joined: 13 Feb 2010, 01:27
- Location: Deep in the Heart of Texas
Re: Confused by Malwarebytes Pop Up
On digging a bit deeper wrt the User Synchronization task, I found this information:
With the information about different spellings of the mssync*.exe file, I did a search using Everything et voila . . .
I've not done anything further. I'm waiting to hear from Malwarebytes support.
- Administrator
- Posts: 79435
- Joined: 16 Jan 2010, 00:14
- Status: Microsoft MVP
- Location: Wageningen, The Netherlands
Re: Confused by Malwarebytes Pop Up
With all due respect, that information about MSFeedSync.exe is incorrect. The four versions in C:\Windows\System32 etc. are a legitimate application from Microsoft. (If you found it in a completely different folder, it might be malware)
Best wishes,
Hans
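Hans makes the same point twice in this thread: a file name by itself proves nothing, and what matters is whether the copy sits in the Windows folders (System32, SysWOW64 and the like) and is a genuine Microsoft binary. The script below is an added example, not code from the thread or from Malwarebytes, that turns that check into a repeatable pass: it finds every copy of a name on the system drive, including look-alike spellings, and reports for each one whether it is in an expected Windows location and whether its Authenticode signature is valid and issued to Microsoft. The name list, the wildcard and the trusted-folder list are assumptions; the powershell.exe entry is there because the original alert named the SysWOW64 PowerShell folder.

```powershell
# Added example, not from the thread: locate every copy of a given file name on the
# system drive and report whether each sits in an expected Windows folder and carries a
# valid Microsoft signature. Names are assumptions; 'msfeed*sync*.exe' is a wildcard so
# that look-alike spellings are listed next to the genuine msfeedssync.exe.
$names        = @('msfeed*sync*.exe', 'powershell.exe')
$trustedRoots = @("$env:windir\System32", "$env:windir\SysWOW64", "$env:windir\WinSxS")

function Get-SignatureSummary {
    param([string]$Path)
    # Catalog-signed Windows binaries are also reported as Valid on Windows 8 and later
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    [pscustomobject]@{
        Status    = $sig.Status
        Signer    = $signer
        Microsoft = ($sig.Status -eq 'Valid' -and $signer -like '*O=Microsoft Corporation*')
    }
}

function Find-BinaryCopies {
    param([string[]]$Name, [string]$Root = "$env:SystemDrive\")
    # A full-drive walk is slow; narrow $Root (e.g. $env:USERPROFILE) for a quicker pass
    Get-ChildItem -Path $Root -Recurse -Force -File -Include $Name -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file      = $_
            $inTrusted = [bool]($trustedRoots | Where-Object {
                $file.FullName.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
            $sig     = Get-SignatureSummary $file.FullName
            $verdict = if ($inTrusted -and $sig.Microsoft) { 'expected system file' }
                       elseif ($sig.Microsoft)            { 'Microsoft-signed, unusual location' }
                       else                               { 'not Microsoft-signed: investigate' }
            [pscustomobject]@{
                Path      = $file.FullName
                SizeKB    = [math]::Round($file.Length / 1KB)
                InWindows = $inTrusted
                Signature = $sig.Status
                Signer    = $sig.Signer
                Verdict   = $verdict
            }
        }
}

Find-BinaryCopies -Name $names | Sort-Object Verdict, Path | Format-Table -AutoSize -Wrap
```

On a healthy machine the output is a handful of rows under C:\Windows\System32, C:\Windows\SysWOW64 and C:\Windows\WinSxS, all marked as expected system files. A row whose path is under a user profile, or whose signer is anything other than Microsoft, is the one worth sending to a support ticket or submitting for a second opinion; the path alone, as the OP found when looking for SysWOW64 at the root of C:, is easy to misread without the location and signature next to it.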
- GoldLounger
- Posts: 3081
- Joined: 24 Jan 2010, 19:07
Re: Confused by Malwarebytes Pop Up
Spelling is one thing (but as we pointed out in the 80s & 90s, it's easy to change a name and it still would be malware; that said, today, when MSFT has strengthened Windows so that only trusted installers can put files in certain folders, the OS keeping backups etc. that problem is much smaller), but we also have a situation where files can be legitimate parts of the system OS but one doesn't usually see them running in Task Manager, they are used by other software (so we shouldn't see them normally). There have been some cases with similar spelling, slightly different, running in plain view in Task Manager. But I agree with Hans about the "four versions in C:\...".
As for the Task Scheduler: if there are any minor tasks added by software I have installed, I usually disable the task if I don't want it.
- UraniumLounger
- Posts: 9533
- Joined: 13 Feb 2010, 01:27
- Location: Deep in the Heart of Texas
Re: Confused by Malwarebytes Pop Up
Yes, those instances are valid. I was looking for a different spelling with no double-S as suggested by the info I copied from a web page.
I was asked by Malwarebytes support to run another program after they reviewed the logs I sent them. So far there has been no repeat of the warning. I haven't yet learned what their tool was looking for and might have fixed.
- UraniumLounger
- Posts: 9533
- Joined: 13 Feb 2010, 01:27
- Location: Deep in the Heart of Texas
Re: Confused by Malwarebytes Pop Up
Although it probably means nothing to anyone, I learned that the file that was deleted was the one shown below. It was in the start menu. I don't know if it is truly malware or just a file that MWB wasn't happy with. I'm posting only to close the subject and to provide information just in case it helps someone searching here.
the file . . .
C:\Users\rhhut\AppData\Roaming\q0quj8RwNDEcfqYMe9ZJWOiZxHAQoghuDE4DzIsgnHlNyY337O7EysR6k00StykhsYg7lwbWkdKxnelTBfWnalFnq4ypWupR9akNBo3PTcnAcvI_aap6wUmg3qu82blO9YdbWb7tqUxWtiCVrB24W0YAytnRFZEuoTrMdUf9J3NsZrimFU60i7q