Odd issue with domain blocking?

Discussion in 'ESET NOD32 Antivirus' started by Carbonyl, Aug 28, 2009.

Thread Status:
Not open for further replies.
  1. Carbonyl

    Carbonyl Registered Member

    Joined: May 19, 2009
    Posts: 256
    This morning when I was looking at Process Explorer, I noticed an odd entry pop up and disappear. It turns out it was a harmless entry - mpas-d.exe - but at the time I didn't know it was part of Windows Defender. Anyhow, to search it further, I punched the filename into Google and tried to look it up. I linked through to a forum page on the (hxxp://www.processlibrary.com) domain, but as soon as I loaded the page NOD gave me a series of repeated messages about blocking content from (hxxp://www.liutilities.com), for some reason? It gave me numerous balloon notifications about this - and this is the first time I've seen it. Even after closing my browser (Opera), I kept getting the balloons for a little while. I hadn't downloaded anything. I keep JavaScript off unless a site is whitelisted. I don't remember navigating to anything under the second domain, and I sure hadn't run anything. I can't find anything about the blocking messages in the NOD logs, either?

    Does this mean that an infection broke through NOD? Scans seem to turn up clean no matter what when I scan now. But the fact that I got those notifications at all, the fact that they're not logged, and the fact they kept popping up after Opera was closed and didn't navigate to that site worry me. I'm running Win7 RTM and NOD 4.0.437.0. Thanks.

    EDIT: I notice that a lot of Google searches turn up links to liutilities webpages, some of which are even on this forum. Is this domain supposed to be blocked? Is there a way to see a list of blocked domains that NOD uses? I'm beginning to become concerned that something might've hijacked NOD, as scans are running quicker than they should, and this blocking seems even more peculiar now...
     
    Last edited: Aug 28, 2009
  2. danieln

    danieln Eset Staff

    Joined: Jan 7, 2009
    Posts: 112
    Seems the crapware domain is widely advertised.
     
  3. WayneP

    WayneP Support Specialist

    Joined: Apr 9, 2009
    Posts: 339
    Hello Carbonyl,

    The warnings you got were just notifications that the server was blocked. They keep coming up because each one typically takes 10 seconds to come up, and if the page tried to access the server 10 times, then it will take 100 seconds to show all 10 of them. You don't see anything in the logs because it does not log blocked sites, only infected files.
     
  4. Carbonyl

    Carbonyl Registered Member

    Joined: May 19, 2009
    Posts: 256
    Thanks very much for the clarification, WayneP. It sets my mind at ease... I only wonder why I was receiving messages for a domain block that wasn't the domain I was visiting? I suppose it could be an unrelated issue, but at least this clears up the other points.

    Anyhow, if this is indeed a crapware domain, glad to have it blocked.
     
  5. Carbonyl

    Carbonyl Registered Member

    Joined: May 19, 2009
    Posts: 256
    Checking the source file for the page I was looking at cleared up my lingering question. Sorry to spam the forums, but thank you all for the help!

    I have some other questions, but they are unrelated, so I will open a new thread. My apologies in advance if this is inappropriate behavior.
     