
PUP.bitminer (plus ping.exe and redirects) help!


pahume


Hi,

I've been dealing with internet redirects, ping.exe using 100% system resources, and the PUP.Bitminer found in the Malwarebytes full search that won't go away (like many posting here recently, apparently!). I've read a considerable amount on these issues and have tried everything I know, but I can't get them resolved. Any help you can offer would be greatly appreciated! Below are the DDS logs.

DDS (Ver_2011-08-26.01) - NTFSAMD64 NETWORK

Internet Explorer: 8.0.7601.17514

Run by pbrucea at 15:29:55 on 2011-12-19

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4061.2896 [GMT -6:00]

.

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\ctfmon.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll

TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

dRunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f

dRunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000

IE: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll

DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.3.1.0.cab

TCP: DhcpNameServer = 192.168.2.1

TCP: Interfaces\{3B3445EC-A397-4336-90D5-3E59DD556A82} : DhcpNameServer = 192.168.2.1

TCP: Interfaces\{3B3445EC-A397-4336-90D5-3E59DD556A82}\75869647564596765627D27657563747 : DhcpNameServer = 76.85.229.110 76.85.229.111 192.168.33.1

TCP: Interfaces\{6A97EAA0-6FF2-495C-8416-5A755F14911A} : DhcpNameServer = 129.93.5.53 129.93.6.189

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll

TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun-x64: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

Hosts: 216.240.133.193 www.google-analytics.com.

Hosts: 216.240.133.193 ad-emea.doubleclick.net.

Hosts: 216.240.133.193 www.statcounter.com.

Hosts: 69.72.252.254 www.google-analytics.com.

Hosts: 69.72.252.254 ad-emea.doubleclick.net.

.

Note: multiple HOSTS entries found. Please refer to Attach.txt

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\pbrucea\AppData\Roaming\Mozilla\Firefox\Profiles\t13jjwt9.default\

FF - prefs.js: browser.search.selectedEngine - Search the Web

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/?rlz=1V1IPYX

.

============= SERVICES / DRIVERS ===============

.

R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]

R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [2011-7-18 140672]

R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller (NDIS 6.20);C:\Windows\system32\DRIVERS\L1C62x64.sys --> C:\Windows\system32\DRIVERS\L1C62x64.sys [?]

R3 NETw1v64;Intel® Wireless WiFi Link 1000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\NETw1v64.sys --> C:\Windows\system32\DRIVERS\NETw1v64.sys [?]

S1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]

S1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]

S2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952]

S2 AFBAgent;AFBAgent;"C:\Windows\system32\FBAgent.exe" --> C:\Windows\system32\FBAgent.exe [?]

S2 ASMMAP64;ASMMAP64;C:\Program Files\ATKGFNEX\ASMMAP64.sys [2010-2-8 14904]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 IMFservice;IMF Service;C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe [2011-12-19 820568]

S3 ETD;ELAN PS/2 Port Input Device;C:\Windows\system32\DRIVERS\ETD.sys --> C:\Windows\system32\DRIVERS\ETD.sys [?]

S3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]

S3 RegFilter;RegFilter;C:\Program Files (x86)\IObit\IObit Malware Fighter\Drivers\win7_amd64\RegFilter.sys [2011-12-19 33184]

S3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;C:\Windows\system32\DRIVERS\SiSG664.sys --> C:\Windows\system32\DRIVERS\SiSG664.sys [?]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]

S3 UrlFilter;UrlFilter;C:\Program Files (x86)\IObit\IObit Malware Fighter\Drivers\win7_amd64\UrlFilter.sys [2011-12-19 21872]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]

S4 FileMonitor;FileMonitor;C:\Program Files (x86)\IObit\IObit Malware Fighter\Drivers\win7_amd64\FileMonitor.sys [2011-12-19 20336]

.

=============== Created Last 30 ================

.

2011-12-19 20:41:25 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys

2011-12-19 19:33:59 518144 ----a-w- C:\Windows\SWREG.exe

2011-12-19 19:33:59 256000 ----a-w- C:\Windows\PEV.exe

2011-12-19 19:16:00 -------- d-----w- C:\Program Files\iTunes

2011-12-19 19:16:00 -------- d-----w- C:\Program Files\iPod

2011-12-19 19:16:00 -------- d-----w- C:\Program Files (x86)\iTunes

2011-12-19 18:59:17 750488 ----a-w- C:\Windows\System32\npdeployJava1.dll

2011-12-19 18:56:04 -------- d-----w- C:\Program Files (x86)\SpeedFan

2011-12-19 18:14:53 -------- d-----w- C:\Users\pbrucea\AppData\Local\Seven Zip

2011-12-19 15:59:17 99840 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\HPZPPLHN.DLL

2011-12-19 06:26:59 -------- d-----w- C:\Users\pbrucea\AppData\Roaming\IObit

2011-12-19 06:21:07 -------- d-----w- C:\ProgramData\IObit

2011-12-19 06:21:04 -------- d-----w- C:\Program Files (x86)\IObit

2011-12-19 05:33:44 -------- d-----w- C:\Program Files (x86)\FileHippo.com

2011-12-19 05:09:33 -------- d-----w- C:\Program Files\CCleaner

2011-12-19 03:19:56 -------- d-----w- C:\ProgramData\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}

2011-12-19 03:15:48 -------- d-----w- C:\Users\pbrucea\AppData\Local\PackageAware

2011-12-15 13:57:18 -------- d-----w- C:\Program Files\Microsoft Security Client

2011-12-14 22:34:59 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2011-12-14 22:34:59 1638912 ----a-w- C:\Windows\System32\mshtml.tlb

2011-12-14 22:34:35 3145216 ----a-w- C:\Windows\System32\win32k.sys

2011-12-14 22:34:33 723456 ----a-w- C:\Windows\System32\EncDec.dll

2011-12-14 22:34:33 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll

2011-12-14 22:34:28 2048 ----a-w- C:\Windows\SysWow64\tzres.dll

2011-12-14 22:34:28 2048 ----a-w- C:\Windows\System32\tzres.dll

2011-12-12 01:19:19 -------- d-----w- C:\Users\pbrucea\AppData\Roaming\EeeStorageUploader

2011-12-12 01:19:10 -------- d-----w- C:\Users\pbrucea\AppData\Roaming\ASUS WebStorage

2011-12-11 15:20:12 -------- d-----w- C:\Program Files\SystemRequirementsLab

2011-12-11 15:02:48 -------- d-----w- C:\Users\pbrucea\AppData\Local\Sunbelt Software

2011-12-08 03:26:02 -------- d-----w- C:\Program Files (x86)\Toolbar Cleaner

2011-12-07 03:03:34 660368 ----a-w- C:\Windows\System32\deployJava1.dll

2011-12-07 02:40:28 -------- d-----w- C:\Program Files\ESET

2011-12-06 20:23:21 -------- d-----w- C:\Program Files (x86)\ESET

2011-12-06 18:00:18 118784 ----a-w- C:\Windows\SysWow64\MSSTDFMT.DLL

2011-12-06 02:02:45 234536 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr

2011-12-04 22:31:01 -------- d-----w- C:\Program Files (x86)\Steam

2011-12-04 22:31:01 -------- d-----w- C:\Program Files (x86)\Common Files\Steam

2011-12-03 16:21:35 159744 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin3.dll

2011-12-03 16:21:35 159744 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin2.dll

2011-12-03 16:21:35 159744 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin.dll

2011-12-03 16:21:35 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin7.dll

2011-12-03 16:21:35 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin6.dll

2011-12-03 16:21:35 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin5.dll

2011-12-03 16:21:35 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin4.dll

2011-12-03 16:21:35 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin3.dll

2011-12-03 16:21:35 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin2.dll

2011-12-03 16:21:35 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin.dll

2011-12-01 21:26:24 21712 ----a-w- C:\Windows\SysWow64\drivers\DrvAgent64.SYS

2011-12-01 21:26:24 -------- d-----w- C:\Users\pbrucea\AppData\Local\eSupport.com

2011-11-29 12:53:34 8570192 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B347379D-6B93-4EC6-8137-4E35BF71D246}\mpengine.dll

2011-11-23 04:15:17 98816 ----a-w- C:\Windows\sed.exe

2011-11-23 04:15:17 208896 ----a-w- C:\Windows\MBR.exe

2011-11-22 17:59:40 55384 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys

2011-11-22 17:01:32 -------- d-----w- C:\Users\pbrucea\AppData\Roaming\SUPERAntiSpyware.com

2011-11-22 17:01:14 -------- d-----w- C:\ProgramData\!SASCORE

2011-11-22 17:01:11 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com

2011-11-22 17:01:11 -------- d-----w- C:\Program Files\SUPERAntiSpyware

2011-11-22 15:00:29 -------- d-----w- C:\Users\pbrucea\AppData\Roaming\F08BF

2011-11-22 14:59:54 -------- d-----w- C:\Users\pbrucea\AppData\Roaming\8ECF0

2011-11-22 14:59:45 -------- d-----w- C:\Users\pbrucea\AppData\Roaming\VQQQdKRTT

2011-11-22 14:59:45 -------- d-----w- C:\Users\pbrucea\AppData\Roaming\KUUClzNNyxAuv2o

2011-11-22 14:59:29 -------- d-----w- C:\Users\pbrucea\AppData\Roaming\z77ddELL8g

2011-11-22 14:59:28 -------- d-----w- C:\Users\pbrucea\AppData\Roaming\ZNNttxP0ucS1b3n

2011-11-22 14:59:28 -------- d-----w- C:\Users\pbrucea\AppData\Roaming\hsWWJJ7fEL8T

.

==================== Find3M ====================

.

2011-12-07 03:10:34 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2011-11-05 05:41:43 1188864 ----a-w- C:\Windows\System32\wininet.dll

2011-11-05 04:35:00 981504 ----a-w- C:\Windows\SysWow64\wininet.dll

2011-10-26 05:21:20 43520 ----a-w- C:\Windows\System32\csrsrv.dll

2011-10-24 20:29:02 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx

2011-10-24 20:29:02 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts

2011-09-29 16:29:28 1923952 ----a-w- C:\Windows\System32\drivers\tcpip.sys

.

============= FINISH: 15:30:43.19 ===============

DDS.txt

Attach.zip


Welcome to the forum.

Please Update and run a Quick Scan with MBAM.

Then.....

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com (<---renamed version)

Save it to your desktop.

Double click on the icon on your desktop.

Click the Scan All Users checkbox.

Push the Quick Scan button.

Two reports will open, copy and paste them in a reply here: (or attach them as .txt files)

OTL.txt <-- Will be opened

Extra.txt <-- Will be minimized

------------------

Last...

Please download Farbar Service Scanner and run it on the computer with the issue.


  • Make sure "Include All Files" option remains checked.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

MrC


Thanks for the reply MrC

MBAM quick scan came up clean. The OTL scans are attached and the Farbar scan is below:

Farbar Service Scanner

Ran by pbrucea (administrator) on 21-12-2011 at 11:11:58

Microsoft Windows 7 Home Premium Service Pack 1 (X64)

********************************************************

Internet Services:

=================

Connection Status:

=================

Localhost is accessible.

LAN connected.

Google IP is accessible.

Yahoo IP is accessible.

Windows Firewall:

================

MpsSvc Service is not running. Checking service configuration:

Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.

Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.

Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:

Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.

Checking ImagePath: Attention! Unable to open bfe registry key. The service key does not exist.

Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.

mpsdrv Service is not running. Checking service configuration:

The start type of mpsdrv service is OK.

The ImagePath of mpsdrv service is OK.

Firewall Disabled Policy:

========================

System Restore:

==============

SDRSVC Service is not running. Checking service configuration:

The start type of SDRSVC service is OK.

The ImagePath of SDRSVC service is OK.

The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:

The start type of VSS service is OK.

The ImagePath of VSS service is OK.

System Restore Disabled Policy:

==============================

File Check:

==========

C:\Windows\System32\nsisvc.dll => MD5 is legit

C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit

C:\Windows\System32\dhcpcore.dll => MD5 is legit

C:\Windows\System32\drivers\afd.sys => MD5 is legit

C:\Windows\System32\drivers\tdx.sys => MD5 is legit

C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit

C:\Windows\System32\dnsrslvr.dll => MD5 is legit

C:\Windows\System32\mpssvc.dll => MD5 is legit

C:\Windows\System32\bfe.dll => MD5 is legit

C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit

C:\Windows\System32\SDRSVC.dll => MD5 is legit

C:\Windows\System32\vssvc.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****

OTL.Txt

Extras.Txt

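The Farbar Service Scanner output above reports that the MpsSvc (Windows Firewall) and bfe (Base Filtering Engine) service keys are absent from the registry, while mpsdrv, SDRSVC and VSS are present but stopped. The PowerShell snippet below is an added example, not part of the thread and not Farbar's code: it performs the same three checks FSS does for each of those services (does the service key exist, what is its Start type, what do ImagePath and ServiceDll point at) so the result can be reproduced without the tool. The expected values are my reading of the Windows 7 SP1 defaults and are an assumption; compare them against a known-clean machine of the same build before treating a mismatch as tampering. Written in Windows PowerShell 2.0 syntax, which is what Windows 7 ships with.

```powershell
# Added example, not from the thread or from Farbar's tool: reproduce the checks
# Farbar Service Scanner reports for each service (key present, Start type,
# ImagePath, ServiceDll). Windows PowerShell 2.0 syntax.

# ASSUMPTION: these are the Windows 7 SP1 defaults as I know them. Confirm them on
# a known-clean machine of the same build before acting on a mismatch.
$Expected = @{
    MpsSvc = @{ Start = 2; ImagePath = '*svchost.exe -k LocalServiceNoNetwork'; ServiceDll = '*\mpssvc.dll' }
    bfe    = @{ Start = 2; ImagePath = '*svchost.exe -k LocalServiceNoNetwork'; ServiceDll = '*\bfe.dll' }
    mpsdrv = @{ Start = 3; ImagePath = '*\drivers\mpsdrv.sys';                   ServiceDll = $null }
    SDRSVC = @{ Start = 3; ImagePath = '*svchost.exe -k SDRSVC';                 ServiceDll = '*\SDRSVC.dll' }
    VSS    = @{ Start = 3; ImagePath = '*\vssvc.exe';                             ServiceDll = $null }
}

function Test-ServiceConfig {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][hashtable]$Want
    )
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) {
        # The condition FSS prints as "The service key does not exist."
        return New-Object PSObject -Property @{ Service = $Name; Status = 'KEY MISSING'; Detail = $key }
    }
    $svc = Get-ItemProperty -Path $key
    $problems = @()
    if ($svc.Start -ne $Want.Start) { $problems += "Start=$($svc.Start) (expected $($Want.Start))" }
    if ($svc.ImagePath -notlike $Want.ImagePath) { $problems += "ImagePath=$($svc.ImagePath)" }
    if ($Want.ServiceDll) {
        # svchost-hosted services keep ServiceDll under the Parameters subkey
        $dll = (Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll -or $dll -notlike $Want.ServiceDll) { $problems += "ServiceDll=$dll" }
    }
    # Get-Service does not list kernel drivers, so mpsdrv shows a blank state here;
    # use 'sc.exe query mpsdrv' for a driver.
    $state = (Get-Service -Name $Name -ErrorAction SilentlyContinue).Status
    if ($problems.Count -gt 0) { $status = 'MISMATCH' } else { $status = 'OK' }
    New-Object PSObject -Property @{
        Service = $Name
        Status  = $status
        Detail  = (@("State=$state") + $problems) -join '; '
    }
}

$Expected.GetEnumerator() |
    ForEach-Object { Test-ServiceConfig -Name $_.Key -Want $_.Value } |
    Format-Table Service, Status, Detail -AutoSize
```

On the machine in this thread the first two rows would come back as KEY MISSING, which is the same finding FSS reported; a Start value or ImagePath that differs from the expected pattern shows up as MISMATCH with the actual value in the Detail column, so you can see what was changed rather than just that something was.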

I see you have ComboFix on the system. Did you run it, and if so, can you post the log?

-----------------------------

Please do this:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKU\S-1-5-21-4023056496-1070836841-2960616442-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
    O3 - HKU\S-1-5-21-4023056496-1070836841-2960616442-1000\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    O4 - HKU\.DEFAULT..\RunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f File not found
    O4 - HKU\.DEFAULT..\RunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f File not found
    O4 - HKU\S-1-5-18..\RunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f File not found
    O4 - HKU\S-1-5-18..\RunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f File not found
    [2011/11/22 09:00:29 | 000,000,000 | ---D | C] -- C:\Users\pbrucea\AppData\Roaming\F08BF
    [2011/11/22 08:59:54 | 000,000,000 | ---D | C] -- C:\Users\pbrucea\AppData\Roaming\8ECF0
    [2011/11/22 08:59:45 | 000,000,000 | ---D | C] -- C:\Users\pbrucea\AppData\Roaming\VQQQdKRTT
    [2011/11/22 08:59:45 | 000,000,000 | ---D | C] -- C:\Users\pbrucea\AppData\Roaming\KUUClzNNyxAuv2o
    [2011/11/22 08:59:29 | 000,000,000 | ---D | C] -- C:\Users\pbrucea\AppData\Roaming\z77ddELL8g
    [2011/11/22 08:59:28 | 000,000,000 | ---D | C] -- C:\Users\pbrucea\AppData\Roaming\ZNNttxP0ucS1b3n
    [2011/11/22 08:59:28 | 000,000,000 | ---D | C] -- C:\Users\pbrucea\AppData\Roaming\hsWWJJ7fEL8T
    [2011/03/20 17:35:51 | 000,000,000 | ---D | M] -- C:\Users\pbrucea\AppData\Roaming\x3watch
    [2011/11/22 08:59:29 | 000,000,000 | ---D | M] -- C:\Users\pbrucea\AppData\Roaming\z77ddELL8g

    :Commands
    [resethosts]
    [createrestorepoint]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

-----------------------------

Please download and run TDSSKiller as outlined in the post below:

http://forums.malwarebytes.org/index.php?showtopic=100665&view=findpost&p=499595

Post back the log, MrC


Download and run hosts-perm.bat

http://download.bleepingcomputer.com/bats/hosts-perm.bat

Download and unzip HostsXpert

http://www.funkytoad.com/download/HostsXpert.zip

Open the folder and double-click HostsXpert.exe to run the program.

Click "Restore MS Hosts File".

Click OK at the confirmation box.

Click "Make Read Only".

Click the X to exit the program.

-- If the Hosts file does not exist, you will be prompted to create a new one. Just press "Ok".

-- If you were using a custom Hosts file you will need to replace any of those entries yourself.

MrC


I'm not using a custom hosts file, that I know of, but after running hosts-perm.bat I went to run HostsXpert and received the message:

Your HOSTS file is marked as a “system file” and can NOT be manipulated. Press OK to remove the system file attribute, CANCEL to quit.

HostsXpert will not reset these attributes


Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:


  • List content of Hosts

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

MrC


Here's the log:

MiniToolBox by Farbar

Ran by pbrucea (administrator) on 21-12-2011 at 14:35:28

Microsoft Windows 7 Home Premium Service Pack 1 (X64)

***************************************************************************

========================= Hosts content: =================================

::1 localhost

216.240.133.193 www.google-analytics.com.

216.240.133.193 ad-emea.doubleclick.net.

216.240.133.193 www.statcounter.com.

69.72.252.254 www.google-analytics.com.

69.72.252.254 ad-emea.doubleclick.net.

69.72.252.254 www.statcounter.com.

127.0.0.1 localhost

**** End of log ****


Let's try this...

Please do this:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O1 - Hosts: 216.240.133.193 www.google-analytics.com.
    O1 - Hosts: 216.240.133.193 ad-emea.doubleclick.net.
    O1 - Hosts: 216.240.133.193 www.statcounter.com.
    O1 - Hosts: 69.72.252.254 www.google-analytics.com.
    O1 - Hosts: 69.72.252.254 ad-emea.doubleclick.net.
    O1 - Hosts: 69.72.252.254 www.statcounter.com.


  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

MrC


Still getting the same message, Cannot create file C:\Windows\System32\drivers\etc\Hosts


I'm trying to copy the default Hosts file into /drivers/etc, but when I request to replace the default hosts file with the (hidden, apparently) hosts file already in the folder I receive an error message saying I do not have permission to perform the action. I am sure there is an easy way around this but I am too much of a computer noob to know it. :rolleyes:


Download hosts-perm.bat:

http://download.bleepingcomputer.com/bats/hosts-perm.bat

Right click on hosts-perm.bat and choose "run as administrator"

Next.......

Right click on notepad and choose "run as administrator", leave it open and navigate to:

C:\windows\system32\drivers\etc

In the folder etc you'll see hosts

Drag it into notepad and delete these lines: (you'll have to drag the window down a little to do this)

216.240.133.193 www.google-analytics.com.

216.240.133.193 ad-emea.doubleclick.net.

216.240.133.193 www.statcounter.com.

69.72.252.254 www.google-analytics.com.

69.72.252.254 ad-emea.doubleclick.net.

69.72.252.254 www.statcounter.com.

Leave these:

127.0.0.1 localhost

# ::1 localhost

Close it out and save changes.

When you're done the hosts file should look like this:

http://download.bleepingcomputer.com/misc/host-files/windows-7/hosts

MrC

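The hosts listing in the MiniToolBox log earlier in the thread and the manual repair steps in this post (hosts-perm.bat to clear the attributes and permissions, then an elevated Notepad to delete the entries) are two halves of the same job, so one added PowerShell example covers both. It is not code from the thread, from HostsXpert or from hosts-perm.bat; the function and parameter names are mine, and the sample lines are reconstructed from the log rather than read from a real machine. The audit function runs anywhere; the repair function needs an elevated prompt and assumes attrib, takeown and icacls are available, as they are on Windows 7. Windows PowerShell 2.0 syntax.

```powershell
# Added example, not from the thread, HostsXpert or hosts-perm.bat: audit a hosts
# file for hijacked entries and, from an elevated prompt, repair it the way the
# manual procedure above does (clear attributes, reset the ACL, remove the
# entries, rewrite, lock read-only). Windows PowerShell 2.0 syntax.

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Get-HostsHijack {
    # Return every hosts mapping that does not point at a loopback address.
    # Handles the trailing-dot form seen in the log (www.google-analytics.com.).
    param([Parameter(Mandatory=$true)][AllowEmptyCollection()][string[]]$Lines)
    $loopback = @('127.0.0.1', '::1', '0.0.0.0')
    foreach ($line in $Lines) {
        $entry = ($line -split '#', 2)[0].Trim()            # drop comments
        if (-not $entry) { continue }
        $parts = $entry -split '\s+'
        if ($parts.Count -lt 2) { continue }                # malformed line, ignore
        $ip = $parts[0]
        if ($loopback -contains $ip) { continue }
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            New-Object PSObject -Property @{
                IP   = $ip
                Host = $name.TrimEnd('.')
                Line = $line
            }
        }
    }
}

function Repair-HostsFile {
    param([string]$Path = $HostsPath)
    $backup = "$Path.hijacked.$(Get-Date -Format yyyyMMddHHmmss)"
    # 1. Attributes: a file marked +S +H +R refuses writes even from an admin,
    #    which is the kind of "cannot create file" failure reported in this thread.
    attrib -s -h -r $Path
    # 2. Ownership and ACL, as hosts-perm.bat does, so Administrators can write it.
    takeown /f $Path | Out-Null
    icacls $Path /grant 'Administrators:F' | Out-Null
    Copy-Item -Path $Path -Destination $backup
    $lines    = @(Get-Content -Path $Path)
    $bad      = @(Get-HostsHijack -Lines $lines)
    $badLines = @($bad | ForEach-Object { $_.Line })
    # 3. Keep comments and loopback lines, drop the hijacked ones.
    $clean = @($lines | Where-Object { $badLines -notcontains $_ })
    Set-Content -Path $Path -Value $clean -Encoding ASCII
    # 4. Lock it again and clear the resolver cache so the old answers stop being served.
    attrib +r $Path
    ipconfig /flushdns | Out-Null
    "$($bad.Count) hijacked entries removed; backup at $backup"
}

# Constructed sample: the hosts content from the MiniToolBox log above.
$Sample = @'
::1 localhost
216.240.133.193 www.google-analytics.com.
216.240.133.193 ad-emea.doubleclick.net.
69.72.252.254 www.statcounter.com.
127.0.0.1 localhost
'@ -split "`r?`n"

Get-HostsHijack -Lines $Sample | Format-Table IP, Host -AutoSize   # three entries flagged

# Audit the live file (no elevation needed), then repair from an elevated prompt:
Get-HostsHijack -Lines (Get-Content $HostsPath) | Format-Table IP, Host -AutoSize
# Repair-HostsFile
```

The audit deliberately treats anything that is not loopback as suspect, so a legitimate custom hosts file (a local dev box mapping names to a LAN address, for example) will also be flagged; that is the same caveat MrC gives about replacing custom entries by hand. The repair keeps a timestamped backup next to the original, so nothing is lost if one of those flagged lines turns out to be wanted.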

Ok, finished that. What next?


MBAM quick scan came up clean:

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 911122201

Windows 6.1.7601 Service Pack 1

Internet Explorer 8.0.7601.17514

12/21/2011 7:40:32 PM

mbam-log-2011-12-21 (19-40-32).txt

Scan type: Quick scan

Objects scanned: 189661

Time elapsed: 2 minute(s), 17 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Please Update and run a Quick Scan with MBAM, post the report and let me know how it is, MrC


The computer, you mean? I haven't experienced a redirect and it seems to be running at normal CPU and temperature levels (e.g., not 100%), and I haven't seen ping.exe causing the latter in any case. If it has been fixed I am surprised... I guess I was expecting a dramatic, final battle against the malware :P

How is it??? MrC

This topic is now closed to further replies.