
MALWAREBYTES BLOCKED ACCESS TO MALICIOUS WEBSITE PORT 6881 EXPLORER .EXE



OK, did the scan.

 

 

12/26/2013 20:48
Scan of all local drives
 
File C:\AdwCleaner\Quarantine\C\Users\wiz\AppData\Roaming\file scout\filescout.exe.vir is infected by Win32:Malware-gen, Moved to chest
File C:\MSOCache\All Users\{90120000-0016-0C0A-0000-0000000FF1CE}-C\ExcelLR.cab|>EXCEL.HXS_3082 Error 42127 {CAB archive is corrupted.}
File C:\ProgramData\Microsoft\BingDesktop\BingCore\temp\tmp667F.exe|>$TEMP\lbgvatvz.exe is infected by Win32:Malware-gen, Moved to chest
File C:\ProgramData\Microsoft\BingDesktop\BingCore\temp\tmp667F.exe is infected by Win32:Malware-gen, Moved to chest
File C:\ProgramData\Microsoft\BingDesktop\BingCore\temp\tmpBB43.exe is infected by Win32:Malware-gen, Moved to chest
 
Scanning aborted
Number of searched folders: 5241
Number of tested files: 256061
Number of infected files: 4
 
----------------------------------------
12/27/2013 09:06
Scan of all local drives
 
File C:\MSOCache\All Users\{90120000-0016-0C0A-0000-0000000FF1CE}-C\ExcelLR.cab|>EXCEL.HXS_3082 Error 42127 {CAB archive is corrupted.}
File C:\Users\wiz\AppData\Local\VirtualStore\Windows\SysWOW64\rabbit.dat|>services.exe is infected by Win32:Miner-B [PUP], Moved to chest
File C:\Users\wiz\AppData\Local\VirtualStore\Windows\SysWOW64\rabbit.dat is infected by Win32:Malware-gen, Moved to chest
File C:\Users\wiz\AppData\Roaming\.anki\crsscmgr\service.exe is infected by Win32:Miner-B [PUP], Moved to chest
File C:\Windows\SoftwareDistribution\Download\29eaad390df05f29593bb8cfadcbadb6\BIT6AC0.tmp|>mpasbase.vdm Error 42127 {CAB archive is corrupted.}
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5\avira_secure_backup_int[1].exe|>avira_secure_backup.exe Error 42126 {RAR archive is corrupted.}
File D:\downloads\apps\Moldiv-1.8.ipa.tr#|>Payload\Moldiv.app\label_18_s.png Error 42125 {ZIP archive is corrupted.}
File D:\downloads\apps\PhotoWonder-3.0.7.ipa.tr#|>Payload\PhotoWonder.app\pk_star_face_back.png Error 42125 {ZIP archive is corrupted.}
File D:\downloads\apps\Transfer-4.5(??).ipa.tr#|>Payload\Transfer.app\AppStoreFBPromotional.jpg Error 42125 {ZIP archive is corrupted.}
Number of searched folders: 48908
Number of tested files: 1215393
Number of infected files: 3
 
 
 
I selected move to chest, but still I am not sure if it's still infected. Thanks Mr Charlie, sorry for taking so long.


If it's OK now......

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get Unsupported operating system. Aborting now, just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!
MrC

Results of screen317's Security Check version 0.99.77

Windows 7 Service Pack 1 x64 (UAC is enabled)

Internet Explorer 11

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

Windows Firewall Disabled!

avast! Antivirus

Antivirus up to date!

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.75.0.1300

Java 6 Update 20

Java 6 Update 26

Java 7 Update 45

Adobe Flash Player 11.9.900.170

Adobe Reader 9 Adobe Reader out of Date!

Google Chrome 31.0.1650.63

````````Process Check: objlist.exe by Laurent````````

Malwarebytes Anti-Malware mbamservice.exe

Malwarebytes Anti-Malware mbamgui.exe

Malwarebytes' Anti-Malware mbamscheduler.exe

AVAST Software Avast AvastSvc.exe

AVAST Software Avast AvastUI.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 2%

````````````````````End of Log``````````````````````

there you go :)


Outdated programs on the system are vulnerable to malware.
Please update or uninstall them:


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please uninstall these from your add/remove programs:
Java™ 6 Update 20
Java™ 6 Update 26


Java 7 Update 45 <----this is OK


----------------------------------------------------------


Adobe Reader 9 Adobe Reader out of Date! <---please check for an update if available or uninstall and download and install Foxit Reader which is less vulnerable to malware and much better than Adobe. Don't install any toolbars that may come with it (ASK Toolbar).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

(screenshot: cf2.jpg)

Then hit enter.
This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

---------------------------------

Please download OTC to your desktop. (This will clean up most of the tools and logs)
http://oldtimer.geekstogo.com/OTC.exe

Double-click OTC to run it. (Vista and up users, please right click on OTC and select "Run as an Administrator")
Click on the CleanUp! button and follow the prompts.
(If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.)
You will be asked to reboot the machine to finish the Cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.

Any other programs or logs you can manually delete. (right click.....Delete)
i.e.: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST folder, FRST-OlderVersion folder, MBAR folder, etc....AdwCleaner > just run the program and click uninstall.

Note:
If you used FRST and can't delete the quarantine folder:
Download the fixlist.txt to the same folder as FRST.exe.
Run FRST.exe and click Fix only once and wait
That will delete the quarantine folder created by FRST.
The rest you can manually delete.

-------------------------------

Any questions...please post back.
If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC
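The "outdated programs" check above is done by hand from the Security Check log. The script below is an added example (it is not part of the thread, of Security Check, or of Malwarebytes) that reads the same information from the registry Uninstall keys, which is where Add/Remove Programs gets it, and applies the two rules the helper applied: more than one Java runtime installed side by side, and an Adobe Reader entry that should be checked against the vendor's current version. The registry paths are the standard ones; the rule names and verdict strings are this example's own.

```powershell
# Added example, not from the thread or from Security Check: inventory installed
# programs from the registry Uninstall keys (64-bit, 32-bit and per-user views)
# and flag the two conditions the helper points out: several Java runtimes
# side by side, and an Adobe Reader entry. Windows 7 / PowerShell 2.0 compatible.
function Get-InstalledPrograms {
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $p = Get-ItemProperty $key.PSPath
            if (-not $p.DisplayName) { continue }        # skip patch/hotfix stubs
            New-Object PSObject -Property @{
                Name      = $p.DisplayName
                Version   = $p.DisplayVersion
                Publisher = $p.Publisher
                Uninstall = $p.UninstallString
                Key       = $key.Name
            }
        }
    }
}

# DisplayVersion is free text ("6.0.260", "7.0.450"); unparsable values sort lowest.
function ConvertTo-VersionOrZero([string]$s) {
    try { return [version]$s } catch { return [version]'0.0' }
}

function Find-OutdatedCandidates {
    param($Programs)
    $findings = @()

    # Rule 1: "Java(TM) 6 Update 20", "Java 7 Update 45", "J2SE Runtime ..." all
    # count as Java. If more than one is present, keep the newest and mark the
    # rest for removal, as the helper did with the two Java 6 entries.
    $java = @($Programs | Where-Object { $_.Name -match '^(Java|J2SE)' })
    if ($java.Count -gt 1) {
        $sorted = @($java | Sort-Object { ConvertTo-VersionOrZero $_.Version })
        $newest = $sorted[$sorted.Count - 1]
        foreach ($j in $sorted) {
            $verdict = 'older duplicate - uninstall'
            if ($j.Key -eq $newest.Key) { $verdict = 'keep (newest)' }
            $findings += New-Object PSObject -Property @{
                Name = $j.Name; Version = $j.Version; Verdict = $verdict
            }
        }
    }

    # Rule 2: any Adobe Reader entry is reported with its version so it can be
    # compared against the vendor's current release, as with "Adobe Reader 9".
    foreach ($r in @($Programs | Where-Object { $_.Name -match '^Adobe Reader' })) {
        $findings += New-Object PSObject -Property @{
            Name = $r.Name; Version = $r.Version; Verdict = 'check vendor for current version'
        }
    }
    return $findings
}

$programs = Get-InstalledPrograms
Find-OutdatedCandidates -Programs $programs | Format-Table Name, Version, Verdict -AutoSize
```

Run it from an ordinary PowerShell prompt; reading the Uninstall keys needs no elevation. The Java rule only compares versions, so on a machine with Java 6 Update 20, Java 6 Update 26 and Java 7 Update 45 it reports the two Java 6 entries as older duplicates and keeps 7 Update 45, matching the helper's advice.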


Let me know but here's some info on IP blocking:
 

The Website/IP Blocking is a good feature of Malwarebytes, but when it does its job....people think they're infected. Sometimes this is true, but we checked the system and I don't see any malware on the system.

If you would like to contact Malwarebytes about the problem, here's your options:
http://forums.malwarebytes.org/index.php?showtopic=119858

Here's some more information on IP Blocking by Malwarebytes:

IP blocks can indicate a number of things:

  • They could indicate that MBAM is doing its job of blocking bad content on websites.
  • In some cases the blocks are a false positive.
  • However, they can also be a sign of infection, especially if the blocks are outgoing and they occur when no browsers are open.

--> There is more information about the IP blocking module in the FAQ - Section G (and in the Helpdesk topics HERE and HERE).
They include instructions on how to set MBAM to ignore a particular IP, if you wish to do so.
They also contain instructions on how to determine what process might be trying to make the connections.
You may also research the IP in question at www.ip-lookup.net or a similar site.

On the other hand, if you think the IP blocks might be a false positive, then please read this sticky topic before starting a new topic in the False Positives forum.

Alternatively, if you think you might be infected, based on the IP blocks and/or other suspicious computer behavior, then please read the following for the available options to have a malware expert assist you with cleaning process Available Assistance For Possibly Infected Computers.

Some more reading:
http://forums.malwarebytes.org//index.php?showtopic=21076&st=0#entry107310

 

 

 

MrC
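The third bullet above (blocks that are outgoing and occur with no browser open) and the "which process is making the connection" question are the part worth automating. The script below is an added example, not from the thread, from Malwarebytes or from its FAQ: it attributes every connection on a given remote port to its owning process using only `netstat -ano` and `Get-Process`, which exist on Windows 7 / PowerShell 2.0. The default port 6881 comes from the thread title (it is also the well-known BitTorrent default), and the module listing mirrors the thread's case of explorer.exe owning the socket; the parameter names and output column names are this example's own.

```powershell
# Added example, not from the thread or from Malwarebytes: attribute connections
# on a given remote port to the process that owns them, using only netstat -ano
# and Get-Process. Port 6881 is taken from the thread title.
param(
    [int]$RemotePort = 6881,
    [string]$RemoteAddress = ''     # optional IP filter; empty matches any address
)

function Get-ConnectionsByRemotePort {
    param([int]$Port, [string]$Address)

    # netstat -ano rows: Proto, Local Address, Foreign Address, [State], PID.
    # UDP rows have no State column, so the PID is always the last field.
    $rows = netstat -ano | Where-Object { $_ -match '^\s*(TCP|UDP)\s' }
    foreach ($row in $rows) {
        $f        = $row.Trim() -split '\s+'
        $proto    = $f[0]
        $foreign  = $f[2]
        $ownerPid = [int]$f[$f.Length - 1]
        $state    = '-'
        if ($proto -eq 'TCP') { $state = $f[3] }

        # Foreign address is "ip:port" or "[ipv6]:port"; split at the last colon.
        $i = $foreign.LastIndexOf(':')
        if ($i -lt 0) { continue }
        $ip   = $foreign.Substring(0, $i).Trim('[', ']')
        $port = $foreign.Substring($i + 1)
        if ($port -ne [string]$Port) { continue }
        if ($Address -and $ip -ne $Address) { continue }

        # Resolve the PID. Path can throw for protected or cross-bitness processes.
        $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        $name = '(exited)'; $path = '-'; $foreignModules = '-'
        if ($proc) {
            $name = $proc.ProcessName
            try { $path = $proc.Path } catch { $path = '(access denied)' }
            # When a core Windows binary such as explorer.exe owns the socket, the
            # interesting part is usually a DLL loaded from outside %windir% (a shell
            # extension, browser helper or injected module). List those for triage.
            try {
                $mods = $proc.Modules | Where-Object { $_.FileName -notlike "$env:windir\*" }
                if ($mods) { $foreignModules = ($mods | ForEach-Object { $_.FileName }) -join '; ' }
            } catch { $foreignModules = '(modules not readable)' }
        }

        New-Object PSObject -Property @{
            Proto = $proto; Local = $f[1]; Remote = $foreign; State = $state
            PID = $ownerPid; Process = $name; Path = $path; NonWindowsModules = $foreignModules
        }
    }
}

Get-ConnectionsByRemotePort -Port $RemotePort -Address $RemoteAddress |
    Format-List Proto, Local, Remote, State, PID, Process, Path, NonWindowsModules
```

Run it in an elevated PowerShell at the moment the block fires (the block is what tells you the port and address), with the browser closed; a hit owned by a user process you recognise points at a false positive or a legitimate peer-to-peer client, while a hit owned by a system binary with a non-Windows module loaded is what the FAQ calls a sign of infection and is worth taking to the helpers.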


I see, well it only pops up of course after installing anti-malware... otherwise I would even know.

 

So I've been navigating on Chrome for about 2 hours and got the alert 2 times within 45 min each.

 

Run avast scan, no threats

 

Can you tell me which of those are recommended?

They keep nagging, they never go away (Windows Update).

 

 

1-AMD - Other hardware, Storage Controller - AMD SATA Controller

Download size: 81 KB
 
2-Bing Bar 7.3 (KB2673774)
Update type: Optional
 
Bing Bar, an IE extension toolbar, seamlessly integrates with the Bing search engine. Use it to easily get search results from Bing, watch videos, read news, view maps, keep in touch with friends on Facebook and Skype, and much more.
 
3-Bing Desktop v1.3.1
Download size: 9.0 MB
Update type: Optional
 
 
4-Hewlett-Packard Development Company, L.P. - Other hardware - HP Mobile Data Protection Sensor
 
Download size: 102 KB
 
You may need to restart your computer for this update to take effect.
 
Update type: Optional
 
 
 
5-Qualcomm Atheros Communications Inc. - Network - Qualcomm Atheros AR9285 802.11b/g/n WiFi Adapter
 
Download size: 2.9 MB
 
You may need to restart your computer for this update to take effect.
 
Update type: Optional
 
 
7-Update for Windows 7 for x64-based Systems (KB2574819)
 
Download size: 2.1 MB
 
Update type: Optional
 
Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.
 
8-Update for Windows 7 for x64-based Systems (KB2592687)
 
Download size: 2.1 MB - 8.8 MB
 
Update type: Optional
 
The Remote Desktop Protocol 8.0 update enables you to use the new Remote Desktop Services features. These features are introduced in Windows 8 and in Windows Server 2012 and are available for computers that are running Windows 7 Service Pack 1
 
 
9-Update for Windows 7 for x64-based Systems (KB2709981)
 
Download size: 413 KB
Update type: Optional
 
Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.
 

(Typo up there, I meant "ran avast scan, no threats".)

 

Oh, and this: I have previously selected to install it, but somehow it's still asking to update.

 

Security Update for Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package (KB2538242)
 
Download size: 3.0 MB
 
You may need to restart your computer for this update to take effect.
 
Update type: Important
 
A security issue has been identified leading to MFC application vulnerability in DLL planting due to MFC not specifying the full path to system/localization DLLs.  You can protect your computer by installing this update from Microsoft.  After you install this item, you may have to restart your computer.

I would only install these:
 

8-Update for Windows 7 for x64-based Systems (KB2592687)

Download size: 2.1 MB - 8.8 MB

Update type: Optional

The Remote Desktop Protocol 8.0 update enables you to use the new Remote Desktop Services features. These features are introduced in Windows 8 and in Windows Server 2012 and are available for computers that are running Windows 7 Service Pack 1


9-Update for Windows 7 for x64-based Systems (KB2709981)

Download size: 413 KB
Update type: Optional

Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.

 


This one you can download and install directly:

Security Update for Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package (KB2538242)
http://www.microsoft.com/en-us/download/details.aspx?id=26347

 

MrC


Please download Farbar Recovery Scan Tool and save it to a folder. (use correct version for your system.....Which system am I using?)

Please make sure you click download buttons that look similar to this, not "sponsored ad links":

(screenshot: bleep-crop.jpg)

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
If the logs are large, you can attach them:

To attach a log:

Bottom right corner of this page.

(screenshot: reply1.jpg)

New window that comes up.

(screenshot: replyer1.jpg)

MrC


You have so much crapware on this system it's not funny!!

Do this:

Download the attached fixlist.txt to the same folder as FRST.

Run FRST.exe and click Fix only once and wait

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

Then......

Download a fresh copy of AdwCleaner and run it as before.

See how it is.

If you're still not happy...

Reset Chrome:

https://support.google.com/chrome/answer/3296214?hl=en

Reset Firefox:

https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-most-problems

Let me know.....MrC


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 29-12-2013 01

Ran by wiz at 2013-12-30 15:28:04 Run:1

Running from C:\Users\wiz\Desktop

Boot Mode: Normal

==============================================

 

Content of fixlist:

*****************

CHR HKLM-x32\...\Chrome\Extension: [jhjjdgbhohaallcimgcmakfiobacimkm] - C:\Program Files (x86)\BuzzSearch\jhjjdgbhohaallcimgcmakfiobacimkm.crx

C:\Program Files (x86)\BuzzSearch\jhjjdgbhohaallcimgcmakfiobacimkm.crx

Task: {5CF538EE-50E3-4DFD-9948-55157062A3AC} - System32\Tasks\Express Files Updater => C:\Program Files (x86)\ExpressFiles\EFupdater.exe

C:\Program Files (x86)\ExpressFiles

*****************

 

HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\jhjjdgbhohaallcimgcmakfiobacimkm => Key deleted successfully.

"C:\Program Files (x86)\BuzzSearch\jhjjdgbhohaallcimgcmakfiobacimkm.crx" => File/Directory not found.

"C:\Program Files (x86)\BuzzSearch\jhjjdgbhohaallcimgcmakfiobacimkm.crx" => File/Directory not found.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{5CF538EE-50E3-4DFD-9948-55157062A3AC} => Key deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5CF538EE-50E3-4DFD-9948-55157062A3AC} => Key deleted successfully.

C:\Windows\System32\Tasks\Express Files Updater => Moved successfully.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Express Files Updater => Key deleted successfully.

"C:\Program Files (x86)\ExpressFiles" => File/Directory not found.

 

==== End of Fixlog ====

 

 

 

 

and AdwCleaner found

 


 

 

***** [ Files / Folders ] *****

 

File Found : C:\Windows\System32\Tasks\NCH Software

 

***** [ Shortcuts ] *****

 

 

***** [ Registry ] *****

 

Key Found : HKLM\Software\DeviceVM

 

***** [ Browsers ] *****

 

-\\ Internet Explorer v11.0.9600.16428

 

 

-\\ Mozilla Firefox v

 

[ File : C:\Users\wiz\AppData\Roaming\Mozilla\Firefox\Profiles\vs3tv5xn.default\prefs.js ]

 

 

-\\ Google Chrome v31.0.1650.63

 

[ File : C:\Users\wiz\AppData\Local\Google\Chrome\User Data\Default\preferences ]

 

 

*************************


@Mr Charlie, I always try not to install stupid toolbars and stuff like that on the browser. There is some old, very old stuff floating around, but it seems to be gone but still shows, and Windows says 'not found', but its file always shows.

example under programs.

 

1-What should I delete on adwcleaner?

 

2-Why is there a Firefox thing? I haven't used Firefox in a year or so.

