sebastiantwz

Posts posted by sebastiantwz

  1. Here are the contents:

     

     Results of screen317's Security Check version 0.99.81  
     Windows 7 Service Pack 1 x64 (UAC is enabled)  
     Internet Explorer 11  
    ``````````````Antivirus/Firewall Check:`````````````` 
    Kaspersky Internet Security   
     Antivirus up to date!   
    `````````Anti-malware/Other Utilities Check:````````` 
     Java 7 Update 51  
     Adobe Flash Player 12.0.0.44  
     Adobe Reader 10.1.9 Adobe Reader out of Date!  
     Mozilla Firefox 25.0.1 Firefox out of Date!  
     Google Chrome 33.0.1750.154  
     Google Chrome 34.0.1847.116  
    ````````Process Check: objlist.exe by Laurent````````  
     Malwarebytes Anti-Malware mbamservice.exe  
     Malwarebytes Anti-Malware mbam.exe  
     Kaspersky Lab Kaspersky Internet Security 2013 avp.exe  
    `````````````````System Health check````````````````` 
     Total Fragmentation on Drive C:  
    ````````````````````End of Log`````````````````````` 
     
     
    I noticed something that might or might not be a problem. Over the past few days, I found that some of the Windows gadgets seem to be missing. I always have a clock and Kaspersky's gadgets on my desktop, but sometimes they fail to show up after a reboot. Right-clicking and choosing Gadgets seems to have no effect at all. Any idea what might have caused this?
  2. Thank you Mr C,

     

    This is the log from Adwcleaner:

     

    # AdwCleaner v3.023 - Report created 11/04/2014 at 10:59:05
    # Updated 01/04/2014 by Xplode
    # Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
    # Username : Sebastian - SEBASTIAN-PC
    # Running from : C:\Users\Sebastian\Desktop\AdwCleaner.exe
    # Option : Clean
     
    ***** [ Services ] *****
     
     
    ***** [ Files / Folders ] *****
     
    Folder Deleted : C:\ProgramData\apn
    Folder Deleted : C:\ProgramData\Babylon
    Folder Deleted : C:\ProgramData\Performancer
    Folder Deleted : C:\ProgramData\StarApp
    Folder Deleted : C:\ProgramData\contoinuetosaivey
    Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\contoinuetosaivey
    Folder Deleted : C:\Program Files (x86)\continuetosave
    Folder Deleted : C:\Program Files (x86)\Surf Canyon
    Folder Deleted : C:\Users\Sebastian\AppData\LocalLow\Conduit
    Folder Deleted : C:\Users\Sebastian\AppData\LocalLow\contoinuetosaivey
    Folder Deleted : C:\Users\Sebastian\AppData\Roaming\BabSolution
    Folder Deleted : C:\Users\Sebastian\AppData\Roaming\Babylon
    Folder Deleted : C:\Users\Sebastian\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcjagnifjocnddgeknajocbkkhlgibem
    Folder Deleted : C:\Users\Sebastian\AppData\Local\Google\Chrome\User Data\Default\Extensions\cflheckfmhopnialghigdlggahiomebp
    File Deleted : C:\Users\Sebastian\AppData\Roaming\Mozilla\Firefox\Profiles\ji8pb58a.default\user.js
     
    ***** [ Shortcuts ] *****
     
     
    ***** [ Registry ] *****
     
    Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\bcjagnifjocnddgeknajocbkkhlgibem
    Key Deleted : HKCU\Software\Google\Chrome\Extensions\cflheckfmhopnialghigdlggahiomebp
    Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\cflheckfmhopnialghigdlggahiomebp
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\surfcanyon.DLL
    Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
    Key Deleted : HKLM\SOFTWARE\Classes\surfcanyon.BhoSite
    Key Deleted : HKLM\SOFTWARE\Classes\surfcanyon.BhoSite.1
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ApnSetup_RASAPI32
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ApnSetup_RASMANCS
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{A3514F71-E63F-440B-8076-14226E21B2BF}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5AB7104A-B71F-49AD-9154-F7F8806AE848}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{611EC2E2-6B0A-CAA7-0710-A62D96DC16FE}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{68AD96A1-2A28-4841-ABD0-F5AA45F008C9}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{BA3105E9-5DE6-4A1E-A819-6F5046AB67F5}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5AB7104A-B71F-49AD-9154-F7F8806AE848}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{611EC2E2-6B0A-CAA7-0710-A62D96DC16FE}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5AB7104A-B71F-49AD-9154-F7F8806AE848}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{611EC2E2-6B0A-CAA7-0710-A62D96DC16FE}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{5AB7104A-B71F-49AD-9154-F7F8806AE848}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{611EC2E2-6B0A-CAA7-0710-A62D96DC16FE}
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
    Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
    Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{68AD96A1-2A28-4841-ABD0-F5AA45F008C9}
    Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}
    Key Deleted : HKCU\Software\Surf Canyon
    Key Deleted : HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}
    Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
    Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
    Key Deleted : HKLM\Software\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
    Key Deleted : HKLM\Software\{5F189DF5-2D05-472B-9091-84D9848AE48B}
    Key Deleted : HKLM\Software\Conduit
    Key Deleted : HKLM\Software\SP Global
    Key Deleted : HKLM\Software\SProtector
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IM
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Surf Canyon
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C1C6816E-CBB3-A748-85F9-A8B47B68985B}
     
    ***** [ Browsers ] *****
     
    -\\ Internet Explorer v11.0.9600.17041
     
     
    -\\ Mozilla Firefox v25.0.1 (en-US)
     
    [ File : C:\Users\Sebastian\AppData\Roaming\Mozilla\Firefox\Profiles\ji8pb58a.default\prefs.js ]
     
    Line Deleted : user_pref("aol_toolbar.default.homepage.check", false);
    Line Deleted : user_pref("aol_toolbar.default.search.check", false);
    Line Deleted : user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "");
    Line Deleted : user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "");
    Line Deleted : user_pref("sweetim.toolbar.previous.browser.startup.homepage", "");
    Line Deleted : user_pref("sweetim.toolbar.previous.keyword.URL", "");
    Line Deleted : user_pref("sweetim.toolbar.scripts.1.domain-blacklist", "");
    Line Deleted : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_DS", "");
    Line Deleted : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_HP", "");
    Line Deleted : user_pref("sweetim.toolbar.searchguard.enable", "");
     
    -\\ Google Chrome v34.0.1847.116
     
    [ File : C:\Users\Sebastian\AppData\Local\Google\Chrome\User Data\Default\preferences ]
     
     
    *************************
     
    AdwCleaner[R0].txt - [5964 octets] - [11/04/2014 10:52:07]
    AdwCleaner[S0].txt - [5869 octets] - [11/04/2014 10:59:05]
     
    ########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [5929 octets] ##########
  3. Dear MrC,

     

    Thank you for the quick reply. I have done a Threat scan and have removed the threats. 

     

    Below is the report from Roguekiller:

     

    RogueKiller V8.8.15 _x64_ [Mar 27 2014] by Adlice Software
     
    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Sebastian [Admin rights]
    Mode : Scan -- Date : 04/10/2014 11:21:31
    | ARK || FAK || MBR |
     
    ¤¤¤ Bad processes : 0 ¤¤¤
     
    ¤¤¤ Registry Entries : 3 ¤¤¤
    [RUN][SUSP PATH] HKLM\[...]\Wow6432Node\[...]\Run : AMD Catalyst (C:\ProgramData\Catalyst\CCC\colorrgb.exe [-]) -> FOUND
    [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
     
    ¤¤¤ Scheduled tasks : 0 ¤¤¤
     
    ¤¤¤ Startup Entries : 0 ¤¤¤
     
    ¤¤¤ Web browsers : 0 ¤¤¤
     
    ¤¤¤ Browser Addons : 1 ¤¤¤
    [CHR][PUP] Default : Surf Canyon
     
    ¤¤¤ Particular Files / Folders: ¤¤¤
     
    ¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
     
    ¤¤¤ External Hives: ¤¤¤
     
    ¤¤¤ Infection : PUP ¤¤¤
     
    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts
     
     
     
     
    ¤¤¤ MBR Check: ¤¤¤
     
    +++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) WDC WD1002FAEX-00Z3A0 +++++
    --- User ---
    [MBR] 2e3e2b958ef91da48a940bdc93b77e29
    [BSP] 0fe74d927a7bfbc4467fe682338c9ba1 : Windows 7/8 MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 953867 MB
    User = LL1 ... OK!
    User = LL2 ... OK!
     
    +++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ IDE) Corsair Force GS +++++
    --- User ---
    [MBR] 318d4df6b2031bf40296635bab8ffd24
    [BSP] 51fb655a4bc59cd7cb5553a9159baa29 : Windows 7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 122002 MB
    User = LL1 ... OK!
    User = LL2 ... OK!
     
    +++++ PhysicalDrive2: (\\.\PHYSICALDRIVE2 @ IDE) WDC WD30EZRX-00D8PB0 ATA Device +++++
    --- User ---
    [MBR] d653763f095c857288d1552fee22868b
    [BSP] 43a6027aeaa449a5c5f079b9e9a6744d : Empty MBR Code
    Partition table:
    0 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 1 | Size: 2097152 MB
    User = LL1 ... OK!
    User = LL2 ... OK!
     
    Finished : << RKreport[0]_S_04102014_112131.txt >>
     
     
    One more thing: how do I make sure my System Restore is turned on and running?
  4. Firstly, I would like to thank everyone for any help I can get.

     

    The issue started when I noticed some strange behavior whereby my graphics card seems to be working at 99% load all the time. I downloaded Malwarebytes and performed a scan on my PC. It seems that my PC has been infected with some sort of Bitcoin mining malware disguised as svchost.exe, and it has been utilizing my GPU at full capacity for the past few weeks.

     

    The good news is that Malwarebytes was able to quarantine it and has everything under control (well done, I must say; Kaspersky is not very useful, since it could not find the malware). The bad news is that the malware is still on my PC. It comes back to haunt my GPU every time I turn on my PC.

     

    Attached are the files from the Farbar recovery scans.

     

    Any assistance will be greatly appreciated.

    Addition.txt

    FRST.txt
