Infection date and initial symptoms
3/17/2015 - Initial symptoms were noticed when I went to run a local dev project on my computer, and I was unable to reach the vagrant box on my system. I looked at the hosts file, and my IP's and URL names weren't in there. I tried to add them back in, hit save, and it wanted to save it as a .txt file. When I looked into it further, I found that trying to rename the hosts.txt file to hosts failed. It kept renaming it to hosts(2), etc... I was able to open the hosts file by typing in the path in my code editor, but it was un-savable. I finally went in with cygwin and was able to do an ls -al, which showed me that the hosts file was there, but it was missing the + sign between the permissions and the symlink count:

d---rwx---+ 1 Workface User TrustedInstaller 0 Mar 17 15:23 .
drwxrwx---+ 1 TrustedInstaller TrustedInstaller 0 Mar 17 15:18 ..
-rwx------ 1 SYSTEM SYSTEM 1017 Mar 17 15:26 hosts
----rwx---+ 1 Workface User SYSTEM 3683 Jun 10 2009 lmhosts.sam
----rwx---+ 1 Workface User SYSTEM 407 Jun 10 2009 networks
----rwx---+ 1 Workface User SYSTEM 1358 Jun 10 2009 protocol
----rwx---+ 1 Workface User SYSTEM 17463 Jun 10 2009 services

I also wound up using cygwin terminal to delete the old hosts file and was able to save a new copy. All my hosts redirects for my vagrant box work fine now.

I ran a ton of different system checks, using the guide here: http://malwaretips.com/blogs/remove-browser-redirect-virus/

I also did an scf /scannow and it detected no changed system files.

It cleaned up a few things, but malwarebytes is still popping up messages every 15 minutes or so about there being a Malicious Website Blocked
IP: 91.214.45.106
Port: 6881
Type: Outbound
Process: c:\Windows\explorer.exe

and

Malicious Website Protection, IP, 41.203.69.4, 41103, Inbound, C:\Program Files (x86)\Skype\Phone\Skype.exe
Current issues and symptoms
IP: 91.214.45.106
Port: 6881
Type: Outbound
Process: c:\Windows\explorer.exe

and

Malicious Website Protection, IP, 41.203.69.4, 41103, Inbound, C:\Program Files (x86)\Skype\Phone\Skype.exe

keep popping up in Malwarebytes.
Steps taken in order to remove the infection
Listed in Description above.

Wade

New Member
I have tried everything I can think of, but am at a loss on how to search out this last apparent bug I am having.
 

argus

Former MalwareTips Staff
Helllo,

My name is Argus and and I will be helping you with your computer problems.

Before we begin, please note the following:
  • I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.



Scan with Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
 
  • Like
Reactions: Billcomputerman123

argus

Former MalwareTips Staff
You need to exit MalwareBytes in your tray area. Right click and select Exit.



Download
Malwarebytes Anti-Rootkit to your desktop.
  • Double-click the icon to start the tool.
  • It will ask you where to extract it, then it will start.
  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Click in the introduction screen "next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder and paste the content of the following files in your next reply:
    • "mbar-log-{date} (xx-xx-xx).txt"
    • "system-log.txt"
 

Wade

New Member
Ok, after it extracts, I immediately get this window. If I click yes, the program just stops.
upload_2015-3-17_16-31-41.png


If I select no, then hit next, I then click update, it downloads the definitions, then I click next. Then I click Scan, and I receive this message.

upload_2015-3-17_16-35-11.png

If I click yes, I get this message.

upload_2015-3-17_16-35-42.png
 

argus

Former MalwareTips Staff
DDA stands for Direct Disk Access, and is required for rootkit scanning. Malwarebytes Anti-Rootkit needs this driver installed in order to be able to detect and remove most rootkits and is needed for it to function properly on any operating system. It's possible that another process is blocking it from doing so, such as your antivirus or third party firewall if you use one.
 

argus

Former MalwareTips Staff
FRST search

Once again we shall use FRST for additional checks. Re-run FRST/FRST64 the same way:
  • Copy explorer.exe into the Search: field in FRST then click the Search Files button.
  • FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run.
  • Please attach it to your reply.
 

argus

Former MalwareTips Staff
Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.

Running it on another one may cause damage and render the system unstable.
Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on
    icon and select
    Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.
 

Attachments

Wade

New Member
So far so good. I haven't seen any of the notifications come up yet that I was getting before.
 

Wade

New Member
I just got a malware bytes popup screen again with that odd message.

Malicious Website Protection, IP, 91.214.45.106, 6881, Outbound, C:\Windows\explorer.exe

First one I've had since we did everything.

Wade
 

Wade

New Member
Had a bunch more in the last few hours. 2-3 of each of these.

Malicious Website Protection, IP, 93.170.129.114, 6881, Outbound, C:\Windows\explorer.exe
Malicious Website Protection, IP, 212.117.179.52, 6881, Outbound, C:\Windows\explorer.exe
Malicious Website Protection, IP, 193.138.246.122, 6881, Outbound, C:\Windows\explorer.exe
Malicious Website Protection, IP, 217.23.187.192, 6881, Outbound, C:\Windows\explorer.exe
 

argus

Former MalwareTips Staff
It is uTorrent port.
IP blocks can indicate a number of things:
  • They could indicate that MBAM is doing its job of blocking bad content on websites.
They can also occur when running Skype and certain P2P programs, such as torrents.