Confused by Malwarebytes Pop Up

BobH
UraniumLounger
Posts: 9214
Joined: 13 Feb 2010, 01:27
Location: Deep in the Heart of Texas

Confused by Malwarebytes Pop Up

Post by BobH »

I keep getting this pop up from Malwarebytes active screening.
[attachment: malware.PNG]
It seems to indicate that I'm sending out malware as it says the type is Outbound and gives a port number. When I look for the directory identified by Malwarebytes, I cannot find one. When I enter the IP address in my browser it says it cannot locate the page. A scan revealed nothing.
I've searched but I haven't found the right argument yet.

Can anyone advise me?
:cheers: :chocciebar: :thankyou:
Bob's yer Uncle
(1/2)(1+√5)
Intel Core i5, 3570K, 3.40 GHz, 16 GB RAM, ECS Z77 H2-A3 Mobo, Windows 10 >HPE 64-bit, MS Office 2016

HansV
Administrator
Posts: 78235
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: Confused by Malwarebytes Pop Up

Post by HansV »

It's probably a false positive.

The path is C:\Windows\SysWOW64\WindowsPowerShell\v1.0 as far as I can tell. PowerShell is a utility that comes with Windows.
Best wishes,
Hans

BobH
UraniumLounger
Posts: 9214
Joined: 13 Feb 2010, 01:27
Location: Deep in the Heart of Texas

Re: Confused by Malwarebytes Pop Up

Post by BobH »

I've opened a ticket with Malwarebytes but haven't heard back from them.

I suspect you're right about the false positive because I don't have that directory in my C:\Windows folder.
[attachment: C windows dir.PNG]
I'll report back when I've resolved this with MWB

JoeP
SilverLounger
Posts: 2051
Joined: 25 Jan 2010, 02:12

Re: Confused by Malwarebytes Pop Up

Post by JoeP »

SysWOW64 is under the Windows folder, not the top level of C:

See Domain tools lookup for more information about the IP address. It appears to be a domain owned by m247.com hosted in Paris, France. M247.com appears to be the owner. They claim to be located in the UK. I can't comment on them as I know nothing about them.

BTW, Powershell has the ability to communicate outside the host PC (i.e. your machine). I'd check for a scheduled task.
Joe

Argus
GoldLounger
Posts: 3081
Joined: 24 Jan 2010, 19:07

Re: Confused by Malwarebytes Pop Up

Post by Argus »

(Outbound blocking isn't necessarily you sending malware; software can block access to certain sites.)

Far from all IP addresses are used by web sites. And it's usually not something you will find with the help of a search engine.

I usually start with my home territory, RIPE, and if they point in any other direction/part of the world I check that (though it sure isn't often). As Joe said the IP address points to M247-LTD-Paris, France, but with contact details and responsible organisation, M247 Europe SRL, in Romania.

And yes, also the Malwarebytes’s forum has other threads regarding outbound blocks.
And yes (was going to comment about that last night, but it wasn't of highest importance), you must have SysWOW64, if you look in the Windows folder, instead of the root of the system drive (called Windows).

I know you have used VPN, of different types I think; any changes there?
And again, as Joe said, although you have a clean scan report, there are examples (also in the Malwarebytes’s forum) of situations with partially removed malware, but tasks lingering behind, so check the Task scheduler.
Byelingual    When you speak two languages but start losing vocabulary in both of them.

BobH
UraniumLounger
Posts: 9214
Joined: 13 Feb 2010, 01:27
Location: Deep in the Heart of Texas

Re: Confused by Malwarebytes Pop Up

Post by BobH »

Thanks for the info, Joe and Argus!

Here are all the tasks I see in Task Scheduler. I removed 3 tasks having to do with WinZip notifications as I do not use WinZip and don't want the nags.
[attachment: sched.PNG]
The one that is worrisome is the last one: User Feed Synchronization. I would delete it but thought I'd ask your advice first. Also, can I safely delete the OneDrive Standalone Update if I don't use OneDrive?

FWIW: The support ticket resulted in their sending me links to a diagnostic tool of theirs which I downloaded, installed and ran. It updated the ticket. I should hear from them again within a day or so. I'll report results.

Again, thank you for the advice. :cheers: :chocciebar: :thankyou:

HansV
Administrator
Posts: 78235
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: Confused by Malwarebytes Pop Up

Post by HansV »

User_Feed_Synchronization is used by Internet Explorer to sync RSS feeds. It doesn't do any harm, but if you don't use Internet Explorer, you can safely delete this scheduled task.
You can delete the OneDrive task too, but it will probably rise from the dead at the earliest opportunity Microsoft sees.

BobH
UraniumLounger
Posts: 9214
Joined: 13 Feb 2010, 01:27
Location: Deep in the Heart of Texas

Re: Confused by Malwarebytes Pop Up

Post by BobH »

On digging a bit deeper wrt the User Synchronization task, I found this information:
[attachment: gotcha.PNG]
With the information about different spellings of the mssync*.exe file, I did a search using Everything et voila . . .
[attachment: trojan.PNG]
I've not done anything further. I'm waiting to hear from Malwarebytes support.

HansV
Administrator
Posts: 78235
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: Confused by Malwarebytes Pop Up

Post by HansV »

With all due respect, that information about MSFeedSync.exe is incorrect. The four versions in C:\Windows\System32 etc. are a legitimate application from Microsoft. (If you found it in a completely different folder, it might be malware)
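An added example (not posted by anyone in this thread) that does the two checks Joe, Argus and Hans describe in one go: list scheduled tasks whose action launches a script host such as PowerShell, and show every copy of the feed-sync executable with its folder and signature status. It assumes a stock Windows 10 layout and an elevated PowerShell session; the filter `msfeed*sync.exe` is a constructed pattern that covers both spellings mentioned above.

```powershell
# Added example; run from an elevated PowerShell prompt on Windows 10.

# 1. Scheduled tasks whose action runs a script host. A task left behind by partially
#    removed malware typically lives here, so print the full command line of each hit.
$hosts = 'powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32'
$taskHits = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($action.Execute -match $hosts) {
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                State     = $task.State
                Author    = $task.Author
                Execute   = $action.Execute
                Arguments = $action.Arguments
            }
        }
    }
}
"--- Scheduled tasks that launch a script host ---"
$taskHits | Format-List

# 2. Every msfeed*sync.exe on the system drive. Copies under System32, SysWOW64 and
#    WinSxS are the legitimate Windows ones Hans refers to; a copy anywhere else, or one
#    whose Authenticode status is not Valid, is the thing worth sending to support.
#    (Windows binaries are usually catalog-signed; Get-AuthenticodeSignature checks catalogs.)
$expectedDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", "$env:SystemRoot\WinSxS")
$fileHits = Get-ChildItem -Path "$env:SystemDrive\" -Filter 'msfeed*sync.exe' -Recurse -File `
                -ErrorAction SilentlyContinue | ForEach-Object {
    $file = $_
    $inExpected = $false
    foreach ($dir in $expectedDirs) {
        if ($file.FullName -like "$dir\*") { $inExpected = $true }
    }
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    [pscustomobject]@{
        Path       = $file.FullName
        InExpected = $inExpected
        SigStatus  = $sig.Status
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    }
}
"--- msfeed*sync.exe copies (InExpected=False or SigStatus<>Valid deserve a closer look) ---"
$fileHits | Sort-Object InExpected | Format-Table -AutoSize
```

The recursive search of the whole system drive takes a few minutes; the task listing is instant.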

Argus
GoldLounger
Posts: 3081
Joined: 24 Jan 2010, 19:07

Re: Confused by Malwarebytes Pop Up

Post by Argus »

Spelling is one thing (but as we pointed out in the 80s & 90s, it's easy to change a name and it still would be malware; that said, today, when MSFT has strengthened Windows so that only trusted installers can put files in certain folders, the OS keeping backups etc. that problem is much smaller), but we also have a situation where files can be legitimate parts of the system OS but one doesn't usually see them running in Task Manager, they are used by other software (so we shouldn't see them normally). There have been some cases with similar spelling, slightly different, running in plain view in Task Manager. But I agree with Hans about the "four versions in C:\...".

As for the Task Scheduler; if there are any minor tasks added by software I have installed, I usually disable the task if I don't want it.

BobH
UraniumLounger
Posts: 9214
Joined: 13 Feb 2010, 01:27
Location: Deep in the Heart of Texas

Re: Confused by Malwarebytes Pop Up

Post by BobH »

Yes, those instances are valid. I was looking for a different spelling with no double-S as suggested by the info I copied from a web page.

I was asked by Malwarebytes support to run another program after they reviewed the logs I sent them. So far there has been no repeat of the warning. I haven't yet learned what their tool was looking for and might have fixed.

BobH
UraniumLounger
Posts: 9214
Joined: 13 Feb 2010, 01:27
Location: Deep in the Heart of Texas

Re: Confused by Malwarebytes Pop Up

Post by BobH »

Although it probably means nothing to anyone, I learned that the file that was deleted was the one shown below. It was in the start menu. I don't know if it is truly malware or just a file that MWB wasn't happy with. I'm posting only to close the subject and to provide information just in case it helps someone searching here.

the file . . .
C:\Users\rhhut\AppData\Roaming\q0quj8RwNDEcfqYMe9ZJWOiZxHAQoghuDE4DzIsgnHlNyY337O7EysR6k00StykhsYg7lwbWkdKxnelTBfWnalFnq4ypWupR9akNBo3PTcnAcvI_aap6wUmg3qu82blO9YdbWb7tqUxWtiCVrB24W0YAytnRFZEuoTrMdUf9J3NsZrimFU60i7q