Does Malwarebytes warn all the time or only when you browse the internet?
All the time. It happens when I have the browsers closed as well.
Please download zoek.zip or zoek.rar by smeenk from here or here and save it to your Desktop.
Unpack the archive…
[*]Close any open browsers
[*]Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.
[*]Double click on zoek.exe to run the tool.
Please wait until the tool starts…
[*]Copy the text present inside the code box below and paste it into the large window in the zoek tool:
createsrpoint;
StandardSearch;
installer-list;
installedprogs;
uninstall-list;
[*]Click on the Run Script button.
Please wait until a log report opens (this can be after a reboot).
[*]Save the Notepad file to your Desktop and attach zoek-results.log here
Note: It will also create a log in the C:\ directory named “zoek-results.log”
OK, here are the results of that scan.
Also, for some reason, I can’t print anything to my network printer anymore.
Worked fine before.
Now, it shows the printer as online and Ready, but everything fails to print to it. It brings up the printer queue and says it’s empty.
I can print fine to the same printer from other devices on my network, and I used to be able to print to it from this device as well.
Re-run zoek with this script:
cfhdojbkjhnklbpkdaibdccddilifddb;chr
fbangkleohkafngihneedemihgfeikcl;chr
fbangkleohkafngihneedemihgfeikcl;chr
autoclean;
emptyalltemp;
emptyclsid;
shortcutfix;
resetIEproxy;
netsh int ip reset >> %temp%\log.txt;b
ipconfig /flushdns >> %temp%\log.txt;b
resethosts;
Here’s the log from that command.
Also, Malwarebytes blocked an IP as soon as I opened IE to post this. Not sure if that was related to the browser opening, or just to me logging in.
The IPs are all blocked on port 6881 (usually bittorrent?), maybe there’s a dll in explorer.exe that is still trying to torrent?
One more check…
Update MalwareBytes, press Quick Scan and attach report…
Then, re-run FRST and attach fresh report…
OK, here you go.
Note: I did allow Malwarebytes to remove the trojans it found.
I guess these are also new since 12/29, although I haven’t installed anything knowingly that should have trojans in it. So I’m assuming whatever is causing these ipblocks is also grabbing various trojans.
PC seems clean, are you still having warnings?
Yes, just now, unfortunately. port 6881 from explorer.exe.
Don’t know why.
Maybe this thread is helpful, but I’m not running Defender like he was (this isn’t me, just similar issue):
https://forums.malwarebytes.org/index.php?showtopic=138857&page=4
I haven’t tried combofix either, but not sure if that would be redundant.
Maybe some other Microsoft process is legitimately trying to hit 6881?
Your Windows Defender is disabled, and I do not see any signs of malware in the reports. I saw a lot of people complaining about these detections and they are false positives. Do you have any other problems except this one…
That seems to be the only issue, other than random viruses / trojans being detected in scans when they weren’t before.
Trojans were removed. PC is clean, and we’re done here.
You can add this to the exclusions by right-clicking the Malwarebytes icon and choosing Add to ignore list.
Please download DelFix by “Xplode” to your Desktop.
Run the tool and check the following boxes below;
[] Remove disinfection tools
[] Create registry backup
[*] Purge System Restore
Now click on the “Run” button. Wait for the programme to complete its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt)
Note: The report will also be stored on C:\DelFix.txt
I don’t need DelFix log report.
I did another scan this morning after updating malwarebytes and it found two more items even though I didn’t install anything yesterday, or visit any sites other than major ones like google and amazon. My laptop woke itself up randomly in the middle of the night and tried to access 6881 again. I think when 6881 failed, it tried something else because I have new malware on my machine:
Trojan.Agent.Gen
and
Backdoor.Agent.HPE
So I’m thinking there’s still something causing problems and installing stuff, and it’s something that isn’t being detected.
Post the scan results here, or attach screenshots of both detections…
Here’s the log.
Re-scan again, but now Select All files, and press Remove. Restart PC.
Then, re-scan again and attach fresh MalwareBytes report…