Unknown malware infection on Win 7 Ultimate x64 machine


  • Please log in to reply
1 reply to this topic

#1 itguytim (Members, 3 posts)

Posted 20 April 2016 - 10:43 AM

The user reported the computer was running very slowly, so I started investigating. Immediately I saw unknown processes running from a folder in %appdata%\roaming. Immediately I placed the PC off the network but still connected to the internet. I've noticed that DNS was set static on the network adapter and that the HOSTS file has been modified with:

127.0.0.1  down.baidu2016.com
127.0.0.1  123.sogou.com
127.0.0.1  www.czzsyzgm.com
127.0.0.1  www.czzsyzxl.com
127.0.0.1  union.baidu2019.com

Web browsers exhibit unusual behavior, as there are additional ads and pages are redirected at random times.

I would appreciate advice on the best way to comprehensively clean the system and remove all malware. If possible, I'd like to try and determine all activities the malware is performing (i.e. siphoning data from the network, etc.), but I understand that this may be impossible. Any help is appreciated! Thank you!
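An added example, not part of the original thread: a small Python audit of a Windows HOSTS file that reports every mapping Windows did not ship with and notes whether it sinkholes a name (points at loopback, as the entries quoted above do) or redirects it to some other address, which is the case that matters more for a defender because traffic for that name is then silently diverted. The sample hosts text is constructed from the entries in the post; the function names and the `DEFAULT_ENTRIES` table are assumptions of this example.

```python
"""Audit a Windows HOSTS file for mappings the OS did not put there.

Added example (not from the forum thread). Parses hosts-file text, skips the
stock localhost lines, and classifies every other mapping as a 'sinkhole'
(loopback/unspecified address: the name is being blocked) or a 'redirect'
(any other address: traffic for the name is being diverted elsewhere).
"""
import ipaddress
import re

# The only mappings a stock Windows hosts file carries (commented out by
# default on Windows 7 and later, since the resolver handles localhost itself).
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# address, one or more hostnames, optional trailing '#' comment
HOSTS_LINE = re.compile(r"^\s*(?P<addr>\S+)\s+(?P<names>[^#]+?)\s*(?:#.*)?$")


def parse_hosts(text):
    """Yield (address, hostname, line_number) for every active mapping."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        addr = m.group("addr")
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed address field; leave it for manual review
        for name in m.group("names").split():
            yield addr, name.lower(), lineno


def audit_hosts(text):
    """Return a list of non-default mappings with a 'kind' classification."""
    findings = []
    for addr, name, lineno in parse_hosts(text):
        if (addr, name) in DEFAULT_ENTRIES:
            continue
        ip = ipaddress.ip_address(addr)
        kind = "sinkhole" if (ip.is_loopback or ip.is_unspecified) else "redirect"
        findings.append(
            {"line": lineno, "address": addr, "hostname": name, "kind": kind}
        )
    return findings


# Constructed sample: the stock commented-out lines plus the five entries
# quoted in the original post.
SAMPLE_HOSTS = """\
# Sample hosts file (constructed for this example)
# 127.0.0.1       localhost
# ::1             localhost
127.0.0.1  down.baidu2016.com
127.0.0.1  123.sogou.com
127.0.0.1  www.czzsyzgm.com
127.0.0.1  www.czzsyzxl.com
127.0.0.1  union.baidu2019.com
"""

if __name__ == "__main__":
    # On a real machine read C:\Windows\System32\drivers\etc\hosts instead.
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']:>3}: {f['kind']:8} {f['hostname']} -> {f['address']}")
```

All five entries from the post come back as sinkholes: the names are being blocked, not hijacked. A redirect finding (a name mapped to an address that is not loopback) is the one that warrants looking at what the machine was actually talking to.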





#2 daScholar (Members, 35 posts)

Posted 20 April 2016 - 01:24 PM

As far as recovering data that could have been siphoned via spyware, not sure how to help ya there. But as far as cleaning goes, I can help ya.

Based on this list I would say you have more of an adware issue, where ads are just being injected. So I can't really say there is or isn't a spyware issue. If this is your only problem, I think you can say it's just adware.

First and foremost, download the tools below and get the computer into safe mode. This helps cleaning be more thorough.

The stuff you found in the hosts file will mainly be ads injected into the browser, based on my quick search about those sites. You can delete those entries from the hosts file.

1. Run a Malwarebytes scan. This cleans up most of the problems I've had in the past.

2. Clean the browser. Those sites are known for installing plugins into all the browsers, and these need to be removed.

3. Revo Uninstaller. Remove any programs that are suspicious. I like using this program because it will scan for files and registry keys that the Windows uninstaller wouldn't normally clean up.

Other things to check for:

Task Scheduler. Occasionally those who write malware are aggressive and will redownload the software automatically. The most common place this is done is in the Task Scheduler. Look at the list and see if there is anything suspicious.

Virus scan. While in safe mode it's a good idea to run a full deep scan of the computer. Don't just rely on the background scan your AV does.

ADWCleaner. If you feel the job done by Malwarebytes wasn't good enough, this is a more intense scanner for adware.

Hope this helps. Let me know if there is anything else that looks suspicious or needs solving.

If you think what I've said is helpful, consider visiting my site, HelpfulDesk.Org, a new site I'm building to help those with computer questions.

It's a brand new site. So any support you can give (inquiries, comments, visits) is appreciated immensely.

Be awesome out there ~ daScholar
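An added example for the Task Scheduler check in the reply above; it is not daScholar's code or part of the original thread. It parses a task definition in the XML format that Task Scheduler's Export action and `schtasks /Query /TN <name> /XML` produce, and flags actions whose executable, or whose script-host argument, lives in a user-writable location such as AppData\Roaming, the place the opening post saw the unknown processes running from. The task XML, the task name and the path patterns are constructed for this example.

```python
"""Flag exported scheduled tasks that launch from user-writable directories.

Added example (not from the forum thread). Reads the Task Scheduler XML
definition (the format produced by Task Scheduler > Export, or by
`schtasks /Query /TN <name> /XML`) and reports Exec actions whose command,
or whose script-host argument, sits under AppData, Temp or similar paths.
A hit is a lead for manual review, not proof of infection.
"""
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Paths an ordinary user can write to; persistence installed by an
# administrator rarely lives here.
SUSPICIOUS_PATH = re.compile(
    r"\\appdata\\(roaming|local)\\|\\temp\\|\\users\\public\\|"
    r"%(appdata|localappdata|temp|tmp)%",
    re.IGNORECASE,
)

# Interpreters commonly used to run a payload that is passed as an argument.
SCRIPT_HOST = re.compile(
    r"\b(wscript|cscript|mshta|powershell|rundll32|regsvr32)(\.exe)?$",
    re.IGNORECASE,
)


def audit_task_xml(xml_text, task_name="<unnamed>"):
    """Return a list of findings for one exported task definition."""
    root = ET.fromstring(xml_text)

    triggers_node = root.find("t:Triggers", NS)
    triggers = [] if triggers_node is None else [
        child.tag.rsplit("}", 1)[-1] for child in triggers_node
    ]

    findings = []
    for exec_node in root.findall(".//t:Actions/t:Exec", NS):
        cmd = exec_node.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS).strip()
        reasons = []
        if SUSPICIOUS_PATH.search(cmd):
            reasons.append("command runs from a user-writable directory")
        if SCRIPT_HOST.search(cmd) and SUSPICIOUS_PATH.search(args):
            reasons.append("script host launches a payload from a user-writable directory")
        if reasons:
            findings.append({
                "task": task_name,
                "command": cmd,
                "arguments": args,
                "triggers": triggers,
                "reasons": reasons,
            })
    return findings


# Constructed sample task: runs at logon and every 30 minutes, and its
# executable lives in the user's AppData\Roaming folder.
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <TimeTrigger>
      <Repetition><Interval>PT30M</Interval></Repetition>
      <StartBoundary>2016-04-01T00:00:00</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\tim\AppData\Roaming\updater\svchost.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>
"""

if __name__ == "__main__":
    # A real export is UTF-16: open(path, encoding="utf-16").read() before parsing.
    for f in audit_task_xml(SAMPLE_TASK, "ConstructedUpdater"):
        print(f"{f['task']}: {f['command']} {f['arguments']}")
        print("  triggers:", ", ".join(f["triggers"]))
        for r in f["reasons"]:
            print("  -", r)
```

Exporting every task and running each definition through this check gives the "look at the list" step a concrete filter: tasks that run from Program Files or System32 drop out, and the ones that would re-download or re-launch something from a profile folder stand out together with the triggers that fire them.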




