
Installed poweriso and eset is blocking websites



Installed PowerISO and since I did, ESET is popping up blocking websites that PowerISO is trying to connect to. ESET blocked like 62 sites, and this only started after PowerISO was installed. Any idea why?

 

Michael


My question is why is this type of software attempting to connect to the Internet with the activity you posted? It is basically just software to create a .iso file for the most part. At most, the only outbound connection it would need is to the vendor's server for software updates.


5 minutes ago, itman said:

My question is why is this type of software attempting to connect to the Internet with the activity you posted? It is basically just software to create a .iso file for the most part. At most, the only outbound connection it would need is to the vendor's server for software updates.

Not sure on that. I just know that before it was installed it was not blocking sites, but after I installed it, it starts popping up that it's blocking sites.

 

Michael


  • Administrators

We still don't know what address is being blocked. As already requested, please post the appropriate record from the Filtered websites or Detection log.


1 minute ago, Marcos said:

We still don't know what address is being blocked. As already requested, please post the appropriate record from the Filtered websites or Detection log.

Working on finding the logs, since I'm not sure where they are.

 

Michael


12 minutes ago, Marcos said:

We still don't know what address is being blocked. As already requested, please post the appropriate record from the Filtered websites or Detection log.

The sites it shows are different ones of this: hxxp://www.tivatuddpnoheni.com

Like this:

hxxp://www.tivatuddpnoheni.com/ofr/Solululadul/osutils.cis;Blocked by internal IP blacklist;E:\PowerISO\PowerISO7-x64.exe;THE-BREWERY

hxxp://www.tivatuddpnoheni.com;Blocked by internal IP blacklist;E:\PowerISO\PowerISO7-x64.exe;THE-BREWERY

hxxp://www.tivatuddpnoheni.com/ofr/Solululadul/icc_v5_8.cis;Blocked by internal IP blacklist;E:\PowerISO\PowerISO7-x64.exe;THE-BREWERY

Looks like it's in a blacklist list of sites in the program?

 

Michael

 


Just now, itman said:

Checked this on URLVoid and site is 100% clean.

Thought it might be, but I want to make sure: if it's in the program, how to remove it, or if it was from the ESET side, to see why it was.

 

Michael

 


15 minutes ago, mmatthe8667 said:

hxxp://www.tivatuddpnoheni.com/ofr/Solululadul/osutils.cis;Blocked by internal IP blacklist;E:\PowerISO\PowerISO7-x64.exe;THE-BREWERY

hxxp://www.tivatuddpnoheni.com;Blocked by internal IP blacklist;E:\PowerISO\PowerISO7-x64.exe;THE-BREWERY

hxxp://www.tivatuddpnoheni.com/ofr/Solululadul/icc_v5_8.cis;Blocked by internal IP blacklist;E:\PowerISO\PowerISO7-x64.exe;THE-BREWERY

You also need to post the IP addresses associated with these alerts. It's possible a redirect is going on.


1 minute ago, itman said:

You also need to post the IP addresses associated with these alerts. It's possible a redirect is going on.

OK, got ones like this:

www.tivatuddpnoheni.com goes to 95.211.184.67

ww42.tivatuddpnoheni.com goes to 199.115.112.67

Also this site comes up: img.powopibobu3.com which goes to 46.166.187.59

Michael

 


31 minutes ago, mmatthe8667 said:

www.tivatuddpnoheni.com goes to 95.211.184.67

Appears the IPs are associated with a domain server - per Robtex:

Quote

The IP number is in Netherlands. It is hosted by LEASEWEB.

That server appears to have one or more malicious domains associated with the domains it is hosting:

Quote

We investigated 100 host names that point to 95.211.184.67 . Example: cdneu.dadafarada.com, img.conicono.com, img.yepabonocemm.com and cdneu.appchucklegift.com. We estimate that it is used as ip number by 161 host names.

 

Quote

THREATMINER

Threat information such as virus etc

URI

Last Seen URL
2016-05-20 02:06:45 http://cdneu.dolphinmemory.com/products/PDF-Reader-v2.cis
2016-05-07 06:04:22 http://cdneu.tokoholapisa.com/ofr/Solululadul/asgnd.cis
2016-02-07 10:47:46 http://img.mydivcdn.com/img/CH_logo_new.png
2016-01-22 07:47:47 http://img.sourceforgecdn.com/img/Rerarapepe/Rerarapepe_b.png

 

 

4 hours ago, itman said:

Appears the IPs are associated with a domain server - per Robtex:

That server appears to have one or more malicious domains associated with the domains it is hosting:

 

 

Would we know why it's trying to contact those sites, since the exe is from the PowerISO site? And since it's trying to connect to them, is PowerISO itself safe?

 

Michael


13 hours ago, mmatthe8667 said:

Would we know why it's trying to contact those sites, since the exe is from the PowerISO site?

One benign reason is the software is trying to update itself. It should have an option to change/disable auto updating. Disable auto update and if the outbound connections cease, you have resolved the issue.

If the outbound connections persist, it could be indicative of malicious or other undesirable activity.  
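
Added example, not part of any post in this thread and not ESET's own tooling: a small Python parser for the semicolon-separated Filtered websites records posted above. It groups blocked hosts by the process that requested them and compares two exports, for instance before and after disabling auto-update. The field names (`reason`, `process`, `machine`) are assumptions inferred from the posted records, and the `sync.exe` record is constructed.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Three records copied from the thread, plus one constructed record
# (sync.exe / blocked.example) to show grouping across processes.
SAMPLE = r"""
hxxp://www.tivatuddpnoheni.com/ofr/Solululadul/osutils.cis;Blocked by internal IP blacklist;E:\PowerISO\PowerISO7-x64.exe;THE-BREWERY
hxxp://www.tivatuddpnoheni.com;Blocked by internal IP blacklist;E:\PowerISO\PowerISO7-x64.exe;THE-BREWERY
hxxp://www.tivatuddpnoheni.com/ofr/Solululadul/icc_v5_8.cis;Blocked by internal IP blacklist;E:\PowerISO\PowerISO7-x64.exe;THE-BREWERY
hxxp://blocked.example/check;Blocked by internal IP blacklist;C:\Tools\sync.exe;THE-BREWERY
"""

def refang(url):
    """Make a defanged hxxp:// URL parseable again (it is never fetched)."""
    return "http" + url[4:] if url.lower().startswith("hxxp") else url

def parse_record(line):
    """Split one 'URL;reason;process;machine' record; None if malformed."""
    # Split from the right so a ';' inside the URL does not shift the fields.
    parts = line.strip().rsplit(";", 3)
    if len(parts) != 4 or not parts[0]:
        return None
    url, reason, process, machine = parts  # field names are assumptions
    host = urlsplit(refang(url)).hostname
    if host is None:
        return None
    return {"url": url, "host": host, "reason": reason,
            "process": process, "machine": machine}

def summarize(text):
    """Return {process: Counter({host: blocked_count})} for valid records."""
    summary = defaultdict(Counter)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            summary[rec["process"]][rec["host"]] += 1
    return dict(summary)

def new_blocks(before, after):
    """(process, host) pairs blocked in 'after' but absent from 'before'."""
    seen = {(p, h) for p, hosts in summarize(before).items() for h in hosts}
    return sorted((p, h) for p, hosts in summarize(after).items()
                  for h in hosts if (p, h) not in seen)

if __name__ == "__main__":
    for proc, hosts in summarize(SAMPLE).items():
        print(proc, dict(hosts))
```
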
