  1. Banyarola (Bronze Lounger)

    How to find out what Malwarebytes is blocking?

    Every now and then I get a block warning from Malwarebytes and never can figure out what exactly was blocked.

    Here's a screenshot of one I just got...
    This particular one I always get when reading a certain newspaper...

    Any way to tell what is being blocked?


    IP-BLOCK 173.192.183.196 (Type: outgoing, Port: 52765, Process: iexplore.exe)
    “Today you are You, that is truer than true. There is no one alive who is Youer than You.” – Dr. Seuss

  2. RetiredGeek (Super Moderator)
    Banyarola,

    It would appear that something running in iExplorer is trying to call home on port 52765. What, I don't have a clue.
    May the Forces of good computing be with you!

    RG

    VBA Rules!

    My Systems: Desktop Specs
    Laptop Specs


  3. Banyarola (Bronze Lounger)
    Well RG, it seems it only happens on certain sites, mostly the one newspaper I read online.
    I never installed anything from them and my system is clean...

    Now that I think of it, whenever Malwarebytes blocks something it is always outgoing...

    Maybe someone else that reads this post will have an answer...

  4. Just Plain Fred (Super Moderator)
    Quote Originally Posted by Banyarola

    Maybe someone else that reads this post will have an answer...
    Banyarola,
    Hello... maybe this attachment will help? Regards, Fred
    Attached image
    PlainFred

    None are so hopelessly enslaved as those who falsely believe they are free (J. W. Von Goethe)

  5. 2 Star Lounger

    Malwarebytes Support Forums

    And why are you not asking on the Malwarebytes Support Forums, which would seem to be the best place for an answer to your question?
    For the BEST in what counts in Life :

    http://www.ctftoronto.com

  6. Banyarola (Bronze Lounger)
    Thanks Fred... I did that already.

    SW, the people on the MB forums are the same type of people as on here... I asked a question, I didn't ask directions...

  7. Lounge VIP
    In addition to JPF's attachment, a lookup on mxtoolbox.com indicates that IP is newcheapline_dot_info (url link obscured deliberately).

    Browsing to that under Linux rather than Windows (I might be daft sometimes, but I'm not entirely stupid!) reveals a login screen of a company by the name of RMM Online Advertising.

    I suspect the newspaper site you were reading was pushing adverts and was requesting data be sent back by Internet Explorer using the 52765 TCP/IP port. You could try opening the site in Chrome or Firefox to see if you get the same result and perhaps consider adblocking extensions.
    Last edited by Tinto Tech; 2011-11-06 at 16:53. Reason: for clarity on mxtoolbox

  8. jscher2000 (Super Moderator)
    Quote Originally Posted by Banyarola
    Any way to tell what is being blocked?

    IP-BLOCK 173.192.183.196 (Type: outgoing, Port: 52765, Process: iexplore.exe)
    If Malwarebytes prevents the connection from happening, it probably does not have a copy of the request that would have been sent if the connection had been permitted.

    To find that information, you would need to look upstream toward the browser. Debugging tools such as Firebug or Microsoft's Fiddler2 proxy can capture all of the requests sent by the browser. Obviously, you may have to do some digging to find the one of interest.

    One complication is matching the IP address reported by Malwarebytes to the request. Unless the request was directed to the server at its IP address, you would need to translate between the IP address and the host name. Does Windows cache its DNS lookups somewhere?

    There probably is a tool that is aware of both the browser's requests and the requests that emanate from the operating system's IP stack in response to the request and can match them up, but I've never used one.
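    The correlation described in the post above, as an added example that is not part of the thread. Two facts it leans on: Windows does keep a resolver cache, and `ipconfig /displaydns` prints it (a reboot or `ipconfig /flushdns` empties it, so dump it soon after the alert); and a port such as 52765 sits in the 49152-65535 range Windows hands out for ephemeral client sockets, so the alert is reporting the browser's own source port, not a service on the remote host. The Python script below parses the alert line, reads a displaydns dump to find every name that ends up at the blocked IP (CNAME aliases included), and then picks out the browser requests to those names from a one-request-per-line list of the kind Fiddler's session view gives you. The displaydns excerpt, the request list and the `.example` host names are constructed for the example.

```python
"""Added example (not from the thread): tie a Malwarebytes IP-BLOCK alert to a
hostname via the Windows resolver cache, then to a browser request.
All sample data below is constructed."""
import re
from urllib.parse import urlsplit

# The alert text as pasted in the thread.
SAMPLE_BLOCK = "IP-BLOCK 173.192.183.196 (Type: outgoing, Port: 52765, Process: iexplore.exe)"

# Constructed excerpt in the layout `ipconfig /displaydns` prints. The ad host
# is a CNAME to the ad network's server, which is the name that carries the IP.
SAMPLE_DISPLAYDNS = """\
Windows IP Configuration

    www.newspaper.example
    ----------------------------------------
    Record Name . . . . . : www.newspaper.example
    Record Type . . . . . : 1
    A (Host) Record . . . : 192.0.2.10

    ads.newspaper.example
    ----------------------------------------
    Record Name . . . . . : ads.newspaper.example
    Record Type . . . . . : 5
    CNAME Record  . . . . : serve.adnetwork.example

    Record Name . . . . . : serve.adnetwork.example
    Record Type . . . . . : 1
    A (Host) Record . . . : 173.192.183.196
"""

# Constructed browser request log, one "METHOD URL" per line (the shape of a
# Fiddler session list or a web debugger's network panel).
SAMPLE_REQUESTS = """\
GET http://www.newspaper.example/news/front.html
GET http://www.newspaper.example/css/site.css
GET http://ads.newspaper.example/serve?zone=top&page=front
GET http://www.newspaper.example/images/logo.png
"""

BLOCK_RE = re.compile(
    r"IP-BLOCK\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*\(Type:\s*(?P<direction>\w+),"
    r"\s*Port:\s*(?P<port>\d+),\s*Process:\s*(?P<process>[^)]+)\)")
# "Key . . . . : value" lines inside a displaydns entry.
DNS_FIELD_RE = re.compile(r"^\s*(?P<key>.+?)\s*(?:\s\.)+\s*:\s*(?P<value>\S+)\s*$")


def parse_block(line):
    """IP, direction, port and process from an IP-BLOCK line, or None."""
    m = BLOCK_RE.search(line)
    if not m:
        return None
    return {"ip": m["ip"], "direction": m["direction"],
            "port": int(m["port"]), "process": m["process"].strip()}


def parse_displaydns(text):
    """Return (a_records: name -> set of IPs, cnames: alias -> target)."""
    a_records, cnames, record_name = {}, {}, None
    for line in text.splitlines():
        m = DNS_FIELD_RE.match(line)
        if not m:
            continue
        key, value = m["key"].strip(), m["value"].rstrip(".").lower()
        if key == "Record Name":
            record_name = value
        elif key == "A (Host) Record" and record_name:
            a_records.setdefault(record_name, set()).add(value)
        elif key == "CNAME Record" and record_name:
            cnames[record_name] = value
    return a_records, cnames


def names_for_ip(ip, a_records, cnames):
    """Every cached name that ends up at `ip`, following CNAME chains backwards."""
    names = {name for name, ips in a_records.items() if ip in ips}
    changed = True
    while changed:  # keep adding aliases until no new alias points into the set
        changed = False
        for alias, target in cnames.items():
            if target in names and alias not in names:
                names.add(alias)
                changed = True
    return names


def matching_requests(request_log, names):
    """Request-log lines whose URL host is one of `names`."""
    hits = []
    for line in request_log.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and (urlsplit(parts[1]).hostname or "").lower() in names:
            hits.append(line.strip())
    return hits


def explain_block(block_line, displaydns_text, request_log):
    """Alert -> cached names for its IP -> browser requests to those names."""
    block = parse_block(block_line)
    if block is None:
        return None
    names = names_for_ip(block["ip"], *parse_displaydns(displaydns_text))
    return {"block": block, "names": sorted(names),
            "requests": matching_requests(request_log, names)}


if __name__ == "__main__":
    print(explain_block(SAMPLE_BLOCK, SAMPLE_DISPLAYDNS, SAMPLE_REQUESTS))
```

    To use it on a real alert, replace the three sample strings with the alert line, the output of `ipconfig /displaydns`, and your proxy's request list. If the IP is not in the cache at all, either the page fetched it by address (so there is no name to look for) or the entry has already expired, and the `Host:` headers in the proxy capture are the only remaining link. One caveat if the proxy you reach for is Fiddler: it sits between the browser and the network as a local proxy, so while it runs the outbound connection is opened by Fiddler's process rather than by iexplore.exe, and that is the process name the next alert will carry.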

  9. Banyarola (Bronze Lounger)
    Quote Originally Posted by jscher2000

    There probably is a tool that is aware of both the browser's requests and the requests that emanate from the operating system's IP stack in response to the request and can match them up, but I've never used one.
    Well JS, thanks for the time and effort you took to reply but I think I won't bother trying to pursue because it's not that important and I really don't know what the heck you are talking about!

  10. jscher2000 (Super Moderator)
    Just a footnote, then. Your browser sends a request to Windows for a page. Windows has to look up the corresponding IP address (DNS resolution), then it sends a connect request to the server. Only when the server accepts the connection is the actual request for the web page sent. (If you want to read up on this, look for info on the SYN-ACK handshake.)
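    The three stages in that footnote, as an added example that is not from the thread: the Python script below resolves the name, attempts the TCP handshake, and only on an established connection writes the HTTP request, recording how far it got. It runs offline against a throwaway listener on 127.0.0.1 (constructed for the example) and uses a port nobody is listening on to stand in for a blocked address. A real filter normally drops the SYN without answering, so with Malwarebytes you would see a timeout rather than the immediate refusal shown here, but in both cases the request bytes never leave the machine, which is why the blocker has nothing to show you. The `connected` stage also records the local source port, the kind of number (52765) the alert in the first post reports.

```python
"""Added example (not from the thread): the resolve -> connect -> request
sequence, run against a throwaway listener on 127.0.0.1 so it works offline."""
import socket
import threading


def serve_once():
    """Stand-in web server: accept one connection, read the request, answer,
    and go away. Returns the port it is listening on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free one
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)  # the request line and headers
            conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def unused_port():
    """A port nobody is listening on. Connecting to it is refused, which
    stands in for a blocked connection (a real filter usually drops the SYN
    silently, so you would see a timeout instead of a refusal)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def fetch(host, port, path="/"):
    """Do the three stages in order and record how far we got.
    Returns (stages, response); response is None if the request was never sent."""
    stages = []
    # Stage 1: name -> address, done by the OS resolver before any packet
    # is sent towards the web server.
    ip = socket.gethostbyname(host)
    stages.append(("resolved", ip))

    # Stage 2: TCP three-way handshake (SYN, SYN-ACK, ACK). A per-IP block
    # acts here, so nothing after this point happens for a blocked address.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(3)
    try:
        s.connect((ip, port))
    except OSError as exc:
        s.close()
        stages.append(("connect_failed", type(exc).__name__))
        return stages, None
    stages.append(("connected", s.getsockname()[1]))  # our ephemeral source port

    # Stage 3: only on an established connection is the HTTP request written.
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    s.sendall(request)
    stages.append(("request_sent", path))

    chunks = []
    while True:
        chunk = s.recv(4096)
        if not chunk:
            break
        chunks.append(chunk)
    s.close()
    return stages, b"".join(chunks)


def stage_names(stages):
    """Just the stage labels, for a quick comparison of the two runs."""
    return [name for name, _ in stages]


if __name__ == "__main__":
    print(fetch("localhost", serve_once(), "/news/front.html"))
    print(fetch("localhost", unused_port(), "/news/front.html"))
```

    Run it and compare the two lines: the first reaches `request_sent` and gets the reply, the second stops at `connect_failed` with the request never written. That is the whole reason the alert can tell you the IP, port and process but not the URL.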

  11. Perrorist (New Lounger)
    Whenever I see this type of message come up, I'm thankful I have MW working full-time. They nearly always occur when I've strayed onto a less than reputable site.

  12. 2 Star Lounger
    Quote Originally Posted by Perrorist
    Whenever I see this type of message come up, I'm thankful I have MW working full-time. They nearly always occur when I've strayed onto a less than reputable site.
    I use FF, almost exclusively, and a handful of standalone security tools as opposed to a suite. Comodo Dragon is VERY good at blocking suspect outbound or inbound requests. Better safe than sorry, so Web of Trust, WOT, is a must-have on any system I use. They don't know everything but they do know a lot; I do ignore their advice, but rarely. You might try that and see how that site is rated and what WOT knows about it.

    And Google advanced search is invaluable in finding answers to obscure questions: ask "what is" and that IP address, which brings up a link to WHOIS, a database of all IPs, including contact information and an email addy for the webmaster. You can play with the results, honing them if you will, to find out more; there is a website attached to that address that you can search on too. Love puzzles.

    I used to use Whois a lot back in the days before spam filters got to be as good as they are, to track down spammers and email their webmaster. I don't do that anymore because I get a piece of spam only a couple of times a week these days; I got wiser about who I share information with as I got older, and those disposable email addresses are quite helpful too. :^)

  13. New Lounger
    It's apparently something called Softlayer Technologies in Dallas. http://www.networksolutions.com/whoi...73.192.183.196

  14. Banyarola (Bronze Lounger)
    Well Perrorist, I occasionally get the message on reputable sites like newspapers, etc., and I only go to reputable sites...
