Join the AMA (Ask Me Anything) with the Firefox leadership team to celebrate Firefox 20th anniversary and discuss Firefox’s future on Mozilla Connect. Mark your calendar on Thursday, November 14, 18:00 - 20:00 UTC!

This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Firefox attempting to access malicious IP?

  • 19 replies
  • 5 have this problem
  • 11 views
  • Last reply by pegasus333

more options

I recently started running Malwarebytes and it has been telling me that there's a Firefox process that keeps trying to access a supposedly malicious site. The IP address is 109 163 230 92. It's not that a website is trying to access my computer; it's that my computer keeps trying to access the site. Malwarebytes has blocked this, but it keeps trying different ports in the 60000 range. Has anyone else ever had this problem? Or does anyone know what this is about or what is causing this? I have a number of plugins installed and I'll provide troubleshooting info. I tried looking up the WhoIs but couldn't make much sense of it. Thanks in advance for help with this.

I recently started running Malwarebytes and it has been telling me that there's a Firefox process that keeps trying to access a supposedly malicious site. The IP address is 109 163 230 92. It's not that a website is trying to access my computer; it's that my computer keeps trying to access the site. Malwarebytes has blocked this, but it keeps trying different ports in the 60000 range. Has anyone else ever had this problem? Or does anyone know what this is about or what is causing this? I have a number of plugins installed and I'll provide troubleshooting info. I tried looking up the WhoIs but couldn't make much sense of it. Thanks in advance for help with this.

All Replies (19)

more options

can you test if these connections also happen when you launch & run firefox in safemode (first close all other firefox windows & then press the shift key while you open firefox)

more options

I can try that, madperson, although it means I'd have to leave it in safe mode for several days. It doesn't seem to happen every day, but when it does there are several attempts spaced a few minutes apart. The problem is that I'm doing work that I need some of the plugins for, so I don't know if this will work for that amount of time. I'll see what I can do though. Maybe I could disable all but the most essential plugins for now and see what happens.

more options

the following site locates the ip-adress in russia/romania & lists 3 domains that are hosted there: http://www.plotip.com/ip/109.163.230.92 have you visited any of these intentionally?

more options

does a full scan of your system by malwarebytes or another anti-virus software bring up any suspicious results?

https://support.mozilla.org/en-US/kb/Is%20my%20Firefox%20problem%20a%20re...

more options

Malwarebytes and my anti-virus ESET found a few critters in the last couple of weeks, but they were quarantined and I zapped them. The outgoing calls are still happening.

more options

Okay, I waited until I saw more of those messages, since these out-calling attempts seem to come in waves. I just saw one and I restarted Firefox right away in Safe Mode with all add-ons disabled. First thing I saw after it had reloaded was another warning message that a call-out attempt by process firefox.exe had been blocked. So presumably it's not coming from one of my add-ons. What can I try next in trying to diagnose this? Again, thanks for your help.

more options

can you post a hijack-this log here?

http://sourceforge.net/projects/hjt/

more options

Thanks for the suggestion. I've run a scan with log, which I'll paste below. By the way, this seems to happen either a lot or only when I access my own website. My website was hacked about a month or two ago and I cleaned it out right away, but I'm wondering if maybe there's something that got downloaded to my computer inadvertently that's trying to "phone home."

The log, with my comments, exceeds the maximum character count, so I'll divide it into running processes first, and then the rest of the log in a separate post. Here's part 1 of the log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:30:12 AM, on 2012-05-06
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\BOINC\boinctray.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\ChronosXP\ChronosXP.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\LG Soft India\fortePivot\bin\fortePivot.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\PayPal Payment Request Wizard\Outlook Wizard\OEHook.exe
C:\Program Files\Lunabar\Lunabar.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\conime.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\zabkat\xplorer2\xplorer2_UC.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Owner\Downloads\SoftwareFree\HijackThis.exe

Modified by cor-el

more options

Here's part 2 of the log:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://value-exchange.sitesell.com/value-hq.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe -r
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [boincmgr] "C:\Program Files\BOINC\boincmgr.exe" /a /s
O4 - HKLM\..\Run: [boinctray] "C:\Program Files\BOINC\boinctray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\windows sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ChronosXP] "C:\Program Files\ChronosXP\ChronosXP.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-3941292943-3776173302-198126923-1008\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'UpdatusUser')
O4 - Startup: Logitech . Product Registration.lnk = C:\Program Files\Logitech\Logitech WebCam Software\eReg.exe
O4 - Startup: Lunabar Taskbar Icon.lnk = C:\Program Files\Lunabar\Lunabar.exe
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O4 - Global Startup: fortePivot.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Outlook Plugin.lnk = C:\Program Files\PayPal Payment Request Wizard\Outlook Wizard\OEHook.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Toggle Flash - {93089660-AD23-44F1-AF37-54011A1A5A22} - C:\Program Files\Toggle Flash\togflash.exe
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - Trusted Zone: http://staplescanada.webprint.com
O16 - DPF: CosNet_VideoPlugin - http://www.instantpresenter.com/components/CosNet_VideoPlugin.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://oas.support.microsoft.com/ActiveX/MSDcode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1253379198927
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E901098E-6B97-485A-B712-9908683F5E9E} (CosNetWebConference Control) - http://www.instantpresenter.com/components/CosNetWebConference.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Adobe Active File Monitor V8 (AdobeActiveFileMonitor8.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: TeamViewer 5 (TeamViewer5) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
O23 - Service: UMVPFSrv - Logitech Inc. - C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe

--
End of file - 11398 bytes

Modified by cor-el

more options

I hope that part 2 isn't too messy. If it's impossible to read, let me know and I'll space it out.

more options

Download and Run TDSSKiller http://support.kaspersky.com/faq/?qid=208283363

Download and Install Microsoft Security Essentials http://windows.microsoft.com/en-US/windows/products/security-essentials (not an official endorsement, but I personally recommend MSE as an awesome permanent anti-virus)

Double check for all Windows Updates.

If you are still having problems with Malware after that, I would recommend either http://www.bleepingcomputer.com/virus-removal/, or having your computer cleaned by a professional. Diagnosing virus infections is a bit beyond the scope of this forum.

more options

Hi Tylerdowner, thanks for the suggestions. I'll check out TDSSKiller. I don't think I have essentials running, although I do have their anti-spyware one (can't think of the name). I always make sure all Windows updates are installed, and if there are any waiting that MS hasn't notified me about yet, ESET throws a hissy fit until I update it. ;-)

more options

nothing too obvious in the log - however

O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe

is flagged as malicious on two sites. you might want to remove this entry & uninstall this software if you don't need it

Modified by philipp

more options

Tylerdowner: TDSSKiller came up with nothing.

Madperson: I "repaired" that item and tried accessing my website and got the same outcall warning from MB.

On a hunch, I tested my site on IE9 and got the same warning message, but giving IE as the source process. So I guess this isn't a Mozilla issue, as such. And the warning message is coming up pretty consistently when I access a page on my website, so I suspect this is related to the hack attack I got, which probably coincides with when I started seeing those warnings.

I'm not quite sure what to try next. I could try scrubbing my webspace and reinstalling, but if it's an outgoing call from my computer that suggests the problem is on my computer, not (any longer) on my website, so it might not help. Maybe I'll try bleepingcomputer, as suggested by Tylerdowner.

I really appreciate all the help. :-) Any other suggestions are most welcome.

more options

the problem is most likely on you pc - mcafee website lists a few trojan variants that communicate with this ip: https://www.google.com/search?q=109.163.230.***+mcafee.com

you can also use this microsoft tool (uses the engine of ms security essentials) to create a bootable cd/dvd/usb-stick with up do date sigantures to scan your pc for rootkits etc: http://windows.microsoft.com/en-US/wi.../what-is-windows-defender-offline

as tylerdowner has already suggested, if all those suggestions don't work it would be better to consult a specialised forum like the ones that are listed in the link of my third answer.

more options

sorry, i didn't read the part before, where you said its mainly happening when you visit your site & then with all browsers. so doesn't have to necessarily be something local - maybe still some leftover code/links from the hacking attack - then your browser would be triggered to contact the ip and therefore the traffic is shown as originating from the browser

more options

Hi Madperson, thanks very much for your thoughts. I keep running various scans and nothing shows up. I even ran an antivirus scan on my webspace (provided by cPanel) and it didn't show anything. I've now put in a support ticket to my webhost and hope that they can help. Thanks for mentioning that the problem isn't necessarily on my computer. I feel like I'm running in circles with this, so it could make sense that I'm looking in the wrong place. For the sake of anyone else reading this who is having similar issues, I'll report back anything I find out about this. Again, many thanks for all your help. :-)

more options

I found out what was causing the problem. It was a link to a 3rd party website that I used to create my Facebook badge. It's apparently involved in servers that aren't exactly picky about their users, if you get my drift, so Malwarebytes considers their IP address a dirty one and blocks it. I've removed the link and it's fine now.

Thanks again for the help! :-)