Infected - Ping.exe etc


pr2011

So last week my PC was infected with some kind of virus. It started out giving me that whole fake security program thing, which MBAM removed outright, then I started getting those notices that MBAM had blocked access to PING.exe. Anyway, it's an old PC so I decided to scrap it and just use my laptop. I unplugged the internet outright and transferred my files from my PC to my laptop via jump drive.

Everything was fine for a few days, NOW MY LAPTOP IS INFECTED! I installed Kaspersky's virus software, which scanned my computer; however, Malwarebytes still claims to be blocking access to programs like ping.exe, avp.exe, svhost.exe etc.

First question is WHAT DO I DO?!

Second question: is there any way to keep or transfer the files on my PC without transferring the virus as well? Do you think that's how it spread in the first place?

I made that post in the wrong forum last night and was redirected here. Here's my logs.


I've had this infection as well. I've removed it from one PC on my own, and have it on a second. It's a rootkit/trojan type. It screws with your hosts file, fakes Google, etc.

A source I've found is the image searches you sometimes do via Google, specifically popular "meme" type images.

The infection installs itself as a Windows service. If you terminate the fake ping.exe process, the service waits a couple of minutes, then restarts the process. You can use Process Explorer to isolate the svchost.exe process that's hosting the rootkit service, then hunt down the executables for the infection.

The way this program fakes the process is that it creates a PIF that replaces the original ping process with the trojan application, and the PIF is deleted once executed.

Attached is the PIF it creates. I haven't worked with PIF files much at all, so I'm not sure where to start with it. You can hamper the execution of the trojan temporarily by changing the security settings of the real ping.exe to deny-all for Users & SYSTEM (force ownership once you're cleaned).

There are a variety of executables put in the usual places:

documents & settings/user/local settings/temp

documents & settings/user/application data/temp

%SystemRoot%/system32/ (here) - look for rogue .sys files

I'd attach some executables I isolated, so you can see what you're looking for, but I'm not sure of the rules on them.

Attachment: ping.pif.txt

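The triage procedure the post above describes (check which ping.exe is actually running, map the svchost.exe-hosted services to their ServiceDll and host PID so the rogue one can be chased in Process Explorer, sweep the temp directories and System32 for dropped executables and rogue .sys files, and optionally lock the real ping.exe) written out as a PowerShell script. This is an added example, not code from the thread or from Malwarebytes. Assumptions: the XP-era "Documents and Settings" drop paths are mapped to %TEMP%, %LOCALAPPDATA%\Temp and %APPDATA%\Temp, the seven-day window is arbitrary, and the "Suspicious" column is a heuristic (DLL outside System32 or without a valid Authenticode signature), not a verdict. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original thread): triage for a service that keeps
# respawning a fake ping.exe. Run elevated. Paths and thresholds are assumptions.
param(
    [int]$RecentDays = 7,        # look-back window for dropped files (assumption)
    [switch]$DenyPingExecution   # apply the temporary deny-all ACL the post suggests
)

$sys32    = Join-Path $env:SystemRoot 'System32'
$realPing = Join-Path $sys32 'PING.EXE'
$since    = (Get-Date).AddDays(-$RecentDays)

# 1. A running ping.exe whose image is not the one in System32 is the fake.
Write-Host "== Running ping.exe processes =="
Get-Process -Name ping -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{
        PID  = $_.Id
        Path = $_.Path
        Note = if ($_.Path -and ($_.Path -ieq $realPing)) { 'expected path' } else { 'UNEXPECTED PATH' }
    }
} | Format-Table -AutoSize

# 2. Map each svchost.exe-hosted service to its host PID and ServiceDll, and check
#    the DLL's signature. The host PID is what you then open in Process Explorer.
Write-Host "== svchost.exe-hosted services =="
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match 'svchost\.exe' -and $_.State -eq 'Running' } |
    ForEach-Object {
        $svc = $_
        $dll = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters" `
                -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
        $sig = if ($dll -and (Test-Path $dll)) { (Get-AuthenticodeSignature $dll).Status } else { 'n/a' }
        [pscustomobject]@{
            PID        = $svc.ProcessId
            Service    = $svc.Name
            ServiceDll = $dll
            Signature  = $sig
            # heuristic only: legitimate third-party services will also trip this
            Suspicious = [bool]($dll -and (($dll -notlike "$sys32\*") -or ($sig -ne 'Valid')))
        }
    } | Sort-Object PID | Format-Table -AutoSize

# 3. Recently written executables in the drop locations the post names.
#    .pif is included because Windows runs it like a shortcut and hides the extension.
Write-Host "== Recent executables in temp locations =="
$dropDirs = @($env:TEMP, (Join-Path $env:LOCALAPPDATA 'Temp'), (Join-Path $env:APPDATA 'Temp'))
Get-ChildItem -Path $dropDirs -Recurse -Force -Include *.exe, *.dll, *.pif, *.scr, *.sys -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $since } |
    Select-Object FullName, Length, LastWriteTime,
        @{ n = 'Signature'; e = { (Get-AuthenticodeSignature $_.FullName).Status } } |
    Format-Table -AutoSize

# 4. Rogue .sys files: drivers in System32 or System32\drivers that are unsigned or new.
Write-Host "== Unsigned or recent .sys files =="
Get-ChildItem -Path $sys32, (Join-Path $sys32 'drivers') -Filter *.sys -ErrorAction SilentlyContinue |
    ForEach-Object {
        $status = (Get-AuthenticodeSignature $_.FullName).Status
        if ($status -ne 'Valid' -or $_.CreationTime -gt $since) {
            [pscustomobject]@{ File = $_.FullName; Signature = $status; Created = $_.CreationTime }
        }
    } | Format-Table -AutoSize

# 5. Optional, temporary containment as the post suggests: deny Users and SYSTEM on the
#    real ping.exe so the service cannot relaunch it. Undo after cleanup with
#    'icacls <path> /remove:d Users SYSTEM' (and restore ownership to TrustedInstaller).
if ($DenyPingExecution) {
    takeown /f $realPing | Out-Null
    icacls $realPing /deny 'Users:F' 'SYSTEM:F'
}
```

Two caveats a practitioner should know before trusting the output. Get-AuthenticodeSignature only consults the Windows catalog store on Windows 8 and later; on the XP/Windows 7 machines this thread is about, most genuine Microsoft DLLs and drivers carry no embedded signature and will show as NotSigned, so treat the Signature column as a lead, not a verdict, and compare against a known-clean machine. Second, the deny ACL is a stopgap: it stops the respawn but does nothing to the service or its ServiceDll, which still have to be found (step 2) and removed before the ACL is reverted.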

Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
