What is Pakistani Girls Mobile Data?
The Malwarebytes research team has determined that Pakistani Girls Mobile Data is a Trojan.HostHijack. These trojans are designed to redirect your internet traffic.
This particular one installs an altered version of the legitimate MVPS hosts file.
The hijackers replaced the 0.0.0.0 addresses, which the MVPS file uses as a way of blocking, with their own IP address, so that the traffic is hijacked to their own target site.
How do I know if my computer is affected by Pakistani Girls Mobile Data?
You may see this entry in your list of installed programs:
You may also see some alarms or reports regarding failed connections to the domain pakistangirls[.]info.
How did Pakistani Girls Mobile Data get on my computer?
Trojans use different methods for distributing themselves. This particular one was offered as a database of girls' mobile data.
How do I remove Pakistani Girls Mobile Data?
Our program Malwarebytes Anti-Malware can detect and remove this trojan.
- Please download Malwarebytes Anti-Malware to your desktop.
- Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
- At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
- Then click Finish.
- Once the program has loaded, select Scan Now, or select Threat Scan from the Scan menu.
- If an update is available, it will be implemented before the rest of the scanning procedure.
- When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
- Restart your computer when prompted to do so.
- Pakistani Girls Mobile Data replaces your hosts file, so you may have to restore the old one. You can find third-party hosts file alternatives at hpHosts or at mvps.org or you can simply reset the default hosts file as outlined here by Microsoft.
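To confirm that a restored hosts file no longer carries the hijack, the following added example (not part of the original guide or of Malwarebytes' tooling) parses hosts-file text and reports any routable address that many hostnames have been pointed at, which is the pattern this trojan leaves behind. The sample input is constructed from entries quoted in this guide plus a placeholder `.example` name; the function names and the threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample modelled on the entries quoted in this guide: a blocklist
# whose sink address was swapped for a routable one.
SAMPLE_HOSTS = """\
# MVPS-style blocklist (constructed sample)
127.0.0.1 localhost
::1 localhost
0.0.0.0 ads.blocked.example
188.138.17.135 ad.a8.net
188.138.17.135\tstat.active24stats.nl #[Tracking.Cookie]
188.138.17.135 abcstats.com www.accuserveadsystem.com
not-an-ip broken.example
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and malformed lines."""
    for raw in text.lstrip("\ufeff").splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address
        for name in fields[1:]:
            yield ip, name.lower()

def find_redirects(text):
    """Map each non-sink address to the hostnames the hosts file sends to it."""
    redirects = defaultdict(list)
    for ip, name in parse_hosts(text):
        # Loopback and unspecified (0.0.0.0, ::) only block; anything else
        # sends the traffic to another machine.
        if ip.is_loopback or ip.is_unspecified:
            continue
        redirects[str(ip)].append(name)
    return dict(redirects)

def report(text, threshold=3):
    """Return addresses that receive at least `threshold` hostnames."""
    return {ip: names for ip, names in find_redirects(text).items()
            if len(names) >= threshold}

if __name__ == "__main__":
    for ip, names in report(SAMPLE_HOSTS).items():
        print(f"{ip}: {len(names)} hostnames redirected, e.g. {names[0]}")
```

Pass it the contents of C:\Windows\System32\drivers\etc\hosts; a clean default or MVPS file produces an empty report, while a single intranet mapping stays below the threshold.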
We hope our application and this guide have helped you eradicate this trojan.
As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the Pakistani Girls Mobile Data trojan. It would have warned you before the trojan could install itself, giving you a chance to stop it before it became too late. It would also block some of the connections made by this trojan and the consequential redirects.
Technical details for experts
Possible signs in FRST logs:
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
(Pakistani Girls Mobile Data ) C:\Users\{username}\Desktop\Pakistani-Girls-Mobile-Data.exe
Pakistani Girls Mobile Data 1.5.8 (HKLM-x32\...\Pakistani Girls Mobile Data 1.5.8) (Version: 1.5.8 - Pakistani Girls Mobile Data)

127.0.0.1 localhost
188.138.17.135 m.fr.a2dfp.net
188.138.17.135 mfr.a2dfp.net
188.138.17.135 ad.a8.net
188.138.17.135 asy.a8ww.net
188.138.17.135 static.a-ads.com
188.138.17.135 abcstats.com
188.138.17.135 a.abv.bg
188.138.17.135 adserver.abv.bg
188.138.17.135 adv.abv.bg
188.138.17.135 bimg.abv.bg
188.138.17.135 ca.abv.bg
188.138.17.135 track.acclaimnetwork.com
188.138.17.135 accuserveadsystem.com
188.138.17.135 www.accuserveadsystem.com
188.138.17.135 achmedia.com
188.138.17.135 csh.actiondesk.com
188.138.17.135 ads.activepower.net
188.138.17.135 app.activetrail.com
188.138.17.135 stat.active24stats.nl #[Tracking.Cookie]
188.138.17.135 traffic.acwebconnecting.com
188.138.17.135 office.ad1.ru
188.138.17.135 cms.ad2click.nl
188.138.17.135 ad2games.com
188.138.17.135 ads.ad2games.com
188.138.17.135 content.ad20.net
188.138.17.135 core.ad20.net
188.138.17.135 banner.ad.nu
188.138.17.135 adadvisor.net
188.138.17.135 tag1.adaptiveads.com
There are 11878 more lines.

Alterations made by the installer:
File system details [View: All details] (Selection)
---------------------------------------------------
In the existing folder C:\Windows\System32\drivers\etc
    Alters the file hosts 6/10/2009 11:00 PM, 824 bytes, A ==> 8/28/2016 2:15 PM, 594944 bytes, RHA
In the existing folder C:\Windows\SysWOW64
    Adds the file link.bat"="1/11/2016 11:49 PM, 43 bytes, RHA

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Pakistani Girls Mobile Data 1.5.8]
"DisplayIcon"="REG_SZ", "C:\Windows\System32\drivers\etc\Uninstall.exe"
"DisplayName"="REG_SZ", "Pakistani Girls Mobile Data 1.5.8"
"DisplayVersion"="REG_SZ", "1.5.8"
"EstimatedSize"="REG_DWORD", 581
"InstallDate"="REG_SZ", "20160912"
"InstallLocation"="REG_SZ", "C:\Windows\System32\drivers\etc\"
"InstallSource"="REG_SZ", "C:\Users\{username}\Desktop\"
"Language"="REG_DWORD", 1033
"NoModify"="REG_DWORD", 1
"NoRepair"="REG_DWORD", 1
"Publisher"="REG_SZ", "Pakistani Girls Mobile Data"
"UninstallString"="REG_SZ", "C:\Windows\System32\drivers\etc\Uninstall.exe"
"VersionMajor"="REG_DWORD", 1
"VersionMinor"="REG_DWORD", 5

Malwarebytes Anti-Malware log:
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 9/12/2016
Scan Time: 3:54 PM
Logfile: mbamPakistanGirls.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.09.12.05
Rootkit Database: v2016.08.15.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 320291
Time Elapsed: 10 min, 20 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 1
Trojan.HostsHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Pakistani Girls Mobile Data 1.5.8, Quarantined, [d471e889564471c555b1d81343c1ad53],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 2
Trojan.HostsHijack, C:\Users\{username}\Desktop\Pakistani-Girls-Mobile-Data.exe, Quarantined, [59ec224fa4f6c86e259dfded689c6e92],
Trojan.DNSChanger, C:\Windows\SysWOW64\link.bat, Quarantined, [e65f9fd29ffbbb7b2d36c9f7e81bf50b],

Physical Sectors: 0
(No malicious items detected)

(end)

As mentioned before, the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
- Dynamically Blocks Malware Sites & Servers
- Malware Execution Prevention