Infection date and initial symptoms
3/17/2015 - Initial symptoms were noticed when I went to run a local dev project on my computer and was unable to reach the vagrant box on my system. I looked at the hosts file, and my IPs and URL names weren't in there. I tried to add them back in, hit save, and it wanted to save it as a .txt file. When I looked into it further, I found that trying to rename the hosts.txt file to hosts failed. It kept renaming it to hosts(2), etc. I was able to open the hosts file by typing in the path in my code editor, but it was unsaveable. I finally went in with cygwin and was able to do an ls -al, which showed me that the hosts file was there, but it was missing the + sign between the permissions and the symlink count:

d---rwx---+ 1 Workface User TrustedInstaller 0 Mar 17 15:23 .
drwxrwx---+ 1 TrustedInstaller TrustedInstaller 0 Mar 17 15:18 ..
-rwx------ 1 SYSTEM SYSTEM 1017 Mar 17 15:26 hosts
----rwx---+ 1 Workface User SYSTEM 3683 Jun 10 2009 lmhosts.sam
----rwx---+ 1 Workface User SYSTEM 407 Jun 10 2009 networks
----rwx---+ 1 Workface User SYSTEM 1358 Jun 10 2009 protocol
----rwx---+ 1 Workface User SYSTEM 17463 Jun 10 2009 services

I also wound up using the cygwin terminal to delete the old hosts file and was able to save a new copy. All my hosts redirects for my vagrant box work fine now.

I ran a ton of different system checks, using the guide here: http://malwaretips.com/blogs/remove-browser-redirect-virus/

I also did an sfc /scannow and it detected no changed system files.

It cleaned up a few things, but Malwarebytes is still popping up messages every 15 minutes or so about there being a Malicious Website Blocked:
IP: 91.214.45.106
Port: 6881
Type: Outbound
Process: c:\Windows\explorer.exe

and

Malicious Website Protection, IP, 41.203.69.4, 41103, Inbound, C:\Program Files (x86)\Skype\Phone\Skype.exe

Current issues and symptoms
IP: 91.214.45.106
Port: 6881
Type: Outbound
Process: c:\Windows\explorer.exe

and

Malicious Website Protection, IP, 41.203.69.4, 41103, Inbound, C:\Program Files (x86)\Skype\Phone\Skype.exe

keep popping up in Malwarebytes.

Steps taken in order to remove the infection
Listed in Description above.
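The cygwin listing in the post above shows the hosts file owned by SYSTEM with no "+" (no inherited ACL), unlike its siblings in the same folder. The following PowerShell script is an added example, not part of the original post or of any tool mentioned in the thread. It audits the same properties from the Windows side (owner, whether ACL inheritance has been disabled, explicit ACEs, hidden/read-only attributes, last-write time), compares the hosts file against the other files in %SystemRoot%\System32\drivers\etc, and lists the live (non-comment) hosts entries so unexpected redirects stand out. The path defaults and the repair commands at the end are assumptions about a standard Windows install; the repair lines are commented out and should be run from an elevated prompt only after reviewing the report.

```powershell
# Added example (not from the original post): audit the Windows hosts file's
# owner, ACL inheritance and attributes against its siblings, then list the
# active hosts entries. Assumes a standard %SystemRoot% layout.

$etc   = Join-Path $env:SystemRoot 'System32\drivers\etc'
$hosts = Join-Path $etc 'hosts'

function Get-EtcAclReport {
    param([string]$Directory = $etc)
    Get-ChildItem -Path $Directory -File | ForEach-Object {
        $acl = Get-Acl -Path $_.FullName
        # Explicit (non-inherited) ACEs; a healthy file here normally has none.
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited } |
            ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" })
        [pscustomobject]@{
            Name      = $_.Name
            Owner     = $acl.Owner
            # True when inheritance from the parent folder has been disabled,
            # which is the Windows-side equivalent of the missing '+' in ls -al.
            Protected = $acl.AreAccessRulesProtected
            Explicit  = ($explicit -join ';')
            Hidden    = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
            ReadOnly  = [bool]($_.Attributes -band [IO.FileAttributes]::ReadOnly)
            LastWrite = $_.LastWriteTime
        }
    }
}

function Test-HostsAcl {
    # Returns a list of warnings where hosts differs from its siblings.
    param([object[]]$Report = (Get-EtcAclReport))
    $h        = $Report | Where-Object { $_.Name -eq 'hosts' }
    $siblings = @($Report | Where-Object { $_.Name -ne 'hosts' })
    $findings = @()
    if (-not $h) { return @('hosts file is missing from the etc folder') }
    if ($h.Protected -and -not ($siblings | Where-Object { $_.Protected })) {
        $findings += 'hosts has ACL inheritance disabled while its siblings inherit'
    }
    if ($siblings.Count -gt 0 -and ($siblings.Owner -notcontains $h.Owner)) {
        $findings += "hosts owner '$($h.Owner)' differs from sibling owners"
    }
    if ($h.Explicit) { $findings += "hosts carries explicit ACEs: $($h.Explicit)" }
    if ($h.Hidden)   { $findings += 'hosts has the Hidden attribute set' }
    return $findings
}

function Get-ActiveHostsEntries {
    # Drop comments and blank lines; whatever remains is a live mapping.
    param([string]$Path = $hosts)
    Get-Content -Path $Path -ErrorAction Stop |
        ForEach-Object { ($_ -split '#')[0].Trim() } |
        Where-Object { $_ -ne '' } |
        ForEach-Object {
            $parts = $_ -split '\s+'
            $names = if ($parts.Count -gt 1) { $parts[1..($parts.Count - 1)] -join ' ' } else { '' }
            [pscustomobject]@{ Address = $parts[0]; Names = $names }
        }
}

$report = Get-EtcAclReport
$report | Format-Table -AutoSize
Test-HostsAcl -Report $report | ForEach-Object { Write-Warning $_ }
Write-Host 'Active hosts entries:'
Get-ActiveHostsEntries | Format-Table -AutoSize

# Repair, if the audit confirms the file was locked down (run elevated):
#   takeown /f "$hosts"
#   icacls "$hosts" /reset
#   attrib -h -r "$hosts"
```

The `/reset` switch on icacls restores the default inherited ACL from the parent folder, which is what the sibling files in the listing above still have; taking ownership first is only needed if the current owner denies you the right to change the ACL. Once the file is editable again, re-add your own entries and keep a copy of the output of Get-ActiveHostsEntries so later changes to the file are easy to spot.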

Wade

New Member
That makes sense. The only odd thing is that I have seen the same type of message a couple of times in regard to Skype, where Skype is the exe that is referenced, but why would explorer.exe be the referenced executable for most of them?

Wade

New Member
Thank you for all your help.

I appreciate the time you have spent on this. It was very frustrating for me, and I'm glad to have gotten rid of the problems I was having.

Wade

argus

Former MalwareTips Staff
Download DelFix by Xplode and save it to your desktop.
  • Run the tool by right-clicking the icon and choosing the Run as administrator option.
  • Make sure that these ones are checked:
    • Remove disinfection tools
    • Purge system restore
    • Reset system settings
  • Push Run and wait until the tool completes its work.
  • All the tools we used should be gone. The tool will create a report for you (C:\DelFix.txt).
The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.


Regards.