Help please, my computer is infected. mpstat.us sites appear in my frequent tabs

[amyb2007]

Hi there,

 

I am not really sure how to explain what exactly is infecting my computer but I think at some point, as many others here report, I accidentally clicked on an ad a couple months ago.

 

 trc.taboola.com sites that I never visited started showing up in my frequent tabs. An example of one of the taboola tabs: "trc.taboola.com/ziffdavis-network15-pcmag/log13/available". This tab appeared the next time I started my computer after I had visited a pcmag website. And there were other page names that would appear in the taboola addresses, like PCMag, that I had visited on later occasions. I also started getting mpstat.us tabs as well, for example, 36f142cc.mpstat.us & another, 36f1f08e.mpstat.us. I have had many of these over the last several weeks, sometimes two at a time, but usually just one, when I view the frequent sites on a new tab. Always with a 36 at the start and then other letters & numbers.

 

 I did several scans with AVG and Malwarebytes & found nothing. I ran scans with Adwcleaner, that found several things, which I deleted. I also ran a junkware JRT scan. I would be happy to post all the logs of scans I have run if you think that would help to troubleshoot.  

 

Conhost.exe is a process that also seems to be causing my computer to slow down. I now end the process when I start my computer, but every time I restart, there it is running again & seems to really slow things down. And when the process is running, my computer makes weird intermittent beeps.  I have read this conhost might be a bitcoin miner.  Currently the taboola addresses no longer appear on my frequent tabs, but the mpstat addresses do. 

 

Please help. I have no idea how to rid my machine of this taboola, mpstat & conhost menace. Thank you in advance for any help or guidance you can provide. I am including the FRST & addition logfiles from a scan I did last night.

 

Amy

 

Addition_04-08-2015_22-39-10.txtFRST_04-08-2015_22-39-10.txt

 

[TwinHeadedEagle]

Hello,

    

 

They call me TwinHeadedEagle around here, and I'll try to help your with your issue.

 

     

    

Before we start please read and note the following:

• We're primarily oriented on malware removal here, so you must know that some issues just cannot be solved and you must be prepared for this. Some tools we use here will remove your browser search history, so backup your important links and all the files whose loss is unacceptable.
• Limit your internet access to posting here, some infections just wait to steal typed-in passwords.
• Please be patient. I know it is frustrating when your PC isn't working properly, but malware removal takes time. Keep in mind that private life gets in the way too. Note that we may live in totally different time zones, what may cause some delays between answers.
• Don't run any scripts or tools on your own, unsupervised usage may cause more harm than good.
• Do not paste the logs in your posts, attachments make my work easier. There is a More reply options button, that gives you Upload Files option below which you can use to attach your reports. Always attach reports from all tools.
• Always execute my instructions in given order. If for some reason you cannot completely follow one instruction, inform me about that.
• I volunteer to help you, so please, do not ask for help for your company/business PC. Companies are making revenue via computers, so it is good thing to pay someone to repair it.
• If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

I can't foresee everything, so if anything not covered in my instructions happens, please stop and inform me!

There are no silly questions. Never be afraid to ask if in doubt!

 

 

 

  Rules and policies

 

We won't support any piracy.

That being told, if any evidence of illegal OS, software, cracks/keygens or any other will be revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!

The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!

 

Failure to follow these guidelines will result with closing your topic and withdrawning any assistance.

 

 

---

Scan with ZOEK

Please download ZOEK by Smeenk and save it to your desktop (preferred version is the *.exe one)

Temporary disable your AntiVirus and AntiSpyware protection - instructions here.

• Right-click on icon and select Run as Administrator to start the tool.
• Wait patiently until the main console will appear, it may take a minute or two.
• In the main box please paste in the following script:

  createsrpoint;autoclean;emptyalltemp;ipconfig /flushdns >>"%temp%\log.txt";b

• Make sure that Scan All Users option is checked.
• Push Run Script and wait patiently. The scan may take a couple of minutes.
• When the scan completes, a zoek-results logfile should open in notepad.
• If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)
• Post its content into your next reply.

[amyb2007]

Thank you so much for helping me out with this. I did as you said, downloaded zoek.exe, turned off antivirus & firewall & ran zoek from my desktop as admin. I was concerned it wasn't working as it took 10 min to bring up its window (I left conhost.exe running for the scan, as I wasn't sure if it needed to be running for the scan to do its magic or not, hope I didn't screw anything up doing that.) I have attached the scan results. Hope that is okay too, as your initial instructions said you prefer attachments but your written instructions said to paste.

 

 

zoek-results.log

[amyb2007]

I forgot to mention, that as the scan was nearing end, my AVG turned itself back on again. That was my fault because when i disabled it I thought 15min would be enough but the scan took atleast 30 min, I should have chosen "until restart". When it turned on, it found an object in my appdata/local/temp folder and it said was dangerous, zoek.bat, IDP.ALEXA.43, and asked if I wanted to block/quarantine it. I waited to answer until the zoek scan was complete and then I said no. And it set it as an exception.

[TwinHeadedEagle]

It is fine. How is your PC behaving now?

[amyb2007]

It is still making intermittent beeps, not as often, but still doing it. My frequent tabs were empty when I opened IE but then after visiting one page, I closed the browser session, opened IE again, & one of those 36f11e49.mpstat.us pages was in my tabs again.

In my history tab for today, I found that mpstat page & also a site listed as s.tagsrvcs.com and I have no idea where that came from. Clearly some malware, but I never looked in my history tabs before but I am guessing this is still part of the mpstat menace. Conhost.exe seems to be out of the listing of processes from all users, so that's good

[TwinHeadedEagle]

Scan with Farbar Recovery Scan Tool

 

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

• Right-click on icon and select Run as Administrator to start the tool.

  (XP users click run after receipt of Windows Security Warning - Open File).

• Make sure that Addition option is checked.
• Press Scan button and wait.
• The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please upload them into your next reply.

[amyb2007]

Here are the results.

Addition.txtFRST.txt

[TwinHeadedEagle]

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.

Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

• Right-click on icon and select Run as Administrator to start the tool.

  (XP users click run after receipt of Windows Security Warning - Open File).

• Press the Fix button just once and wait.
• If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
• When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

---

Please follow this guide to reset Internet Explorer settings:

http://windows.microsoft.com/en-us/internet-explorer/reset-ie-settings#ie=ie-11

fixlist.txt

[amyb2007]

Here is the fixlog. I hope I did it all correctly but I think I messed it up.

 

I downloaded the fixlist to my desktop. I moved FRST64.exe & FRST.txt and addition.txt onto the desktop in order to make sure it was all in the same place with the fixlist. ( I found doubles of these files in the original folder & was getting them confused, so for some reason, I decided to rename the old and newer FRST and addition files to keep them straight. I am very sorry about that, as I realized after the test & restart that it probably messed up the whole fix.)

 

Then I ran frst64exe as administrator, clicked fix one time. Fixlog was created & then it had me do a restart. But when I opened ie, the mpstat.us still appeared in my history list of pages visited today. I deleted it in the history list, then reset ie settings. I then closed ie, opened it again & found an mpstat.us page in the history list again.

 

Did I mess it all up? Can I rename the file back to FRST.txt & rerun the fix? Or do I just need to have my computer privileges taken away now?

 

I am so sorry I am an idiot. I am going to go lay down in the corner now.

 

Fixlog.txt

[TwinHeadedEagle]

Do you use Internet Explorer or it just happens itself?

[amyb2007]

I use internet explorer 11. And if you mean that the mpstat pages happen themselves, yes. I do not visit those pages, but they have been appearing in my tabs (and in my historyof pages too), like when I go to open a new page when I am on IE, I will click on the blank tab at the top, and when the new tab opens up, frequent pages that are listed will include pages I have actually visited, but then there will be a page with the weird 36fxxxxx.mpstat.us address on it. It has not happened since I posted here last night tho.

I am going to donate $20 to you later today (from my work computer) for your continued help with this.

[TwinHeadedEagle]

What websites you frequently visit?

[amyb2007]

BBC news, Yahoo, and Facebook primarily. I pay bills as well and my son plays games on my computer on a site called A10 i believe. Once in a while I go to MSNBC as well for news.

[TwinHeadedEagle]

I was hoping to hear BBC from you. A lot of people are reporting that BBC website is creating such history or some kind of statistics, so your PC is clean, this is something related to BBC website.

[amyb2007]

That does make me feel better hearing that it could be BBC. I have not had as much beeping as before, and no mpstats have appeared in my tabs. Next time I go to BBC news I will pay close attention to my tabs history. It does seem that it is not as slow starting up or opening IE now and not working as hard when I am on IE browsing the web.    However, my husband uses BBC news as well and he doesn't have the mpstat sites appearing in his tabs or history at all so I am not really sure what is going on there.

The conhost.exe thing does still concern me because I have read it is actually a legitimate process but it should not appear in the task manager list, and that if it does it is likely a bitcoin miner. The file size is also suspicious, as my file size is 338,432 and that is not the typical size and it is listed as created June 9, 2015.

[TwinHeadedEagle]

Let's check your PC one more time:

Scan with Farbar Recovery Scan Tool

 

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

• Right-click on icon and select Run as Administrator to start the tool.

  (XP users click run after receipt of Windows Security Warning - Open File).

• Make sure that Addition option is checked.
• Press Scan button and wait.
• The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please upload them into your next reply.

[amyb2007]

So I have had no beeping that I noticed tonight & still no mpstats appearing! Maybe it really is fixed. Fingers crossed. Here's the results. Addition.txtFRST.txt

[TwinHeadedEagle]

Your PC is indeed clean. Keep me updated.

[amyb2007]

Awesome! Thank you for checking it for me once again. Too bad I use the BBC site for my homepage, maybe it is time to change it lol

Thanks again for all your help! I will let you know if I need you to rescue me again, hopefully I won't tho.

Amy

[AdvancedSetup]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!