Posts posted by edwardBe

  1. Nothing this morning, thanks, again.

    Malwarebytes
    www.malwarebytes.com

    -Log Details-
    Scan Date: 9/27/18
    Scan Time: 2:25 AM
    Log File: 3e5f1550-c237-11e8-b7b5-54ab3ac4e8f8.json

    -Software Information-
    Version: 3.6.1.2711
    Components Version: 1.0.463
    Update Package Version: 1.0.7039
    License: Premium

    -System Information-
    OS: Windows 10 (Build 17134.285)
    CPU: x64
    File System: NTFS
    User: System

    -Scan Summary-
    Scan Type: Threat Scan
    Scan Initiated By: Scheduler
    Result: Completed
    Objects Scanned: 327147
    Threats Detected: 0
    Threats Quarantined: 0
    Time Elapsed: 3 min, 49 sec

    -Scan Options-
    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Detect
    PUM: Detect

    -Scan Details-
    Process: 0
    (No malicious items detected)

    Module: 0
    (No malicious items detected)

    Registry Key: 0
    (No malicious items detected)

    Registry Value: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Data Stream: 0
    (No malicious items detected)

    Folder: 0
    (No malicious items detected)

    File: 0
    (No malicious items detected)

    Physical Sector: 0
    (No malicious items detected)

    WMI: 0
    (No malicious items detected)


    (end)

  2. It took some time to do it all. Norton had some issues that required a restart, which hung, so I had to power off the computer manually, but everything seems fine now. I can access the Mozilla folder under the Roaming folder. The MB scan was negative, but I guess I will have to wait for the results of the overnight scan tomorrow morning to see if the Spigot stuff is truly gone. Thanks again.

    Malwarebytes
    www.malwarebytes.com

    -Log Details-
    Scan Date: 9/26/18
    Scan Time: 12:11 PM
    Log File: f1efb50c-c1bf-11e8-b595-54ab3ac4e8f8.json

    -Software Information-
    Version: 3.6.1.2711
    Components Version: 1.0.463
    Update Package Version: 1.0.7027
    License: Premium

    -System Information-
    OS: Windows 10 (Build 17134.285)
    CPU: x64
    File System: NTFS
    User: HOMER-VI\Edward

    -Scan Summary-
    Scan Type: Threat Scan
    Scan Initiated By: Manual
    Result: Completed
    Objects Scanned: 327708
    Threats Detected: 0
    Threats Quarantined: 0
    Time Elapsed: 3 min, 17 sec

    -Scan Options-
    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Enabled
    Heuristics: Enabled
    PUP: Detect
    PUM: Detect

    -Scan Details-
    Process: 0
    (No malicious items detected)

    Module: 0
    (No malicious items detected)

    Registry Key: 0
    (No malicious items detected)

    Registry Value: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Data Stream: 0
    (No malicious items detected)

    Folder: 0
    (No malicious items detected)

    File: 0
    (No malicious items detected)

    Physical Sector: 0
    (No malicious items detected)

    WMI: 0
    (No malicious items detected)


    (end)

  3. With the help of this forum, I managed to get Chrome cleaned up, but now I'm having problems with Firefox.

    Each night Malwarebytes scans my computer and each morning reports this:

    File: 1
    PUP.Optional.Spigot, C:\USERS\EDWARD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\M4J6RMYY.DEFAULT\PREFS.JS

    I quarantine and then delete the file, and yesterday I deleted the file prefs.js itself, but it was recreated although I didn't restart Firefox.

    I went into the Profiles folder and opened profiles.ini which shows this:

    [General]
    StartWithLastProfile=1

    [Profile0]
    Name=default
    IsRelative=1
    Path=Profiles/m4j6rmyy.default
    Default=1

    I have no idea where this profile came from, but I suspect it is created by Spigot and keeps recreating prefs.js which recreates the Spigot file all over again.

    This isn't a major problem, but it is annoying to get this message every morning and have to spend a few minutes quarantining and removing the file, although I guess I could ignore it...

    The previous cleaning used FRST64 and AdwCleaner, but they didn't find this for some reason. Should I rerun them?

    Thanks again for all the help.

  4. Thanks again. Here is the log from ADWCleaner:

    # -------------------------------
    # Malwarebytes AdwCleaner 7.2.3.1
    # -------------------------------
    # Build:    09-03-2018
    # Database:  (Cloud)
    # Support: https://www.malwarebytes.com/support
    #
    # -------------------------------
    # Mode: Clean
    # -------------------------------
    # Start:    09-20-2018
    # Duration: 00:00:04
    # OS:       Windows 10 Home
    # Cleaned:  7
    # Failed:   3


    ***** [ Services ] *****

    No malicious services cleaned.

    ***** [ Folders ] *****

    Deleted       C:\Users\Edward\Downloads\Video downloader
    Deleted       C:\Users\Edward\AppData\Local\DriverToolkit

    ***** [ Files ] *****

    No malicious files cleaned.

    ***** [ DLL ] *****

    No malicious DLLs cleaned.

    ***** [ WMI ] *****

    No malicious WMI cleaned.

    ***** [ Shortcuts ] *****

    No malicious shortcuts cleaned.

    ***** [ Tasks ] *****

    No malicious tasks cleaned.

    ***** [ Registry ] *****

    Deleted       HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{2B51C83A-465D-4EA9-9CDC-1ED95ED09AC6}
    Deleted       HKCU\Software\APN PIP
    Deleted       HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A38C15B2D5649AE4C9CDE19DE50DA96C
    Deleted       HKLM\Software\Classes\Installer\Products\A38C15B2D5649AE4C9CDE19DE50DA96C
    Deleted       HKLM\Software\Classes\Installer\Features\A38C15B2D5649AE4C9CDE19DE50DA96C

    ***** [ Chromium (and derivatives) ] *****

    No malicious Chromium entries cleaned.

    ***** [ Chromium URLs ] *****

    Not Deleted   Ask
    Not Deleted   AOL

    ***** [ Firefox (and derivatives) ] *****

    No malicious Firefox entries cleaned.

    ***** [ Firefox URLs ] *****

    Not Deleted   nortonsafe.search.ask.com


    *************************

    [+] Delete IFEO
    [+] Delete Prefetch
    [+] Delete Tracing Keys
    [+] Reset BITS
    [+] Reset Windows Firewall
    [+] Reset Hosts File
    [+] Reset IPSec
    [+] Reset Chromium Policies
    [+] Reset IE Policies
    [+] Reset Proxy Settings
    [+] Reset TCP/IP
    [+] Reset Winsock

    *************************

    AdwCleaner[S00].txt - [1937 octets] - [20/09/2018 14:42:19]
    AdwCleaner_Debug.log - [3686 octets] - [20/09/2018 14:43:33]

    ########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########
     

  5. Thanks. Here is the copy and paste of the report from MB:

    Malwarebytes
    www.malwarebytes.com

    -Log Details-
    Scan Date: 9/20/18
    Scan Time: 2:23 PM
    Log File: 779e03ba-bd1b-11e8-a429-54ab3ac4e8f8.json

    -Software Information-
    Version: 3.6.1.2711
    Components Version: 1.0.463
    Update Package Version: 1.0.6937
    License: Trial

    -System Information-
    OS: Windows 10 (Build 17134.285)
    CPU: x64
    File System: NTFS
    User: HOMER-VI\Edward

    -Scan Summary-
    Scan Type: Threat Scan
    Scan Initiated By: Manual
    Result: Completed
    Objects Scanned: 335929
    Threats Detected: 14
    Threats Quarantined: 14
    Time Elapsed: 2 min, 45 sec

    -Scan Options-
    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Detect
    PUM: Detect

    -Scan Details-
    Process: 0
    (No malicious items detected)

    Module: 0
    (No malicious items detected)

    Registry Key: 5
    Trojan.BitCoinMiner, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Microsoft\Windows\Google\GOOGLEUPDATETASKMACHINEGU, Quarantined, [543], [558322],1.0.6937
    Trojan.BitCoinMiner, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{AA36516D-DE69-45A1-9DC4-18934375739D}, Quarantined, [543], [558322],1.0.6937
    Trojan.BitCoinMiner, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{AA36516D-DE69-45A1-9DC4-18934375739D}, Quarantined, [543], [558322],1.0.6937
    PUP.Optional.DriverToolkit, HKU\S-1-5-21-481108157-1381744732-3800661945-1001\SOFTWARE\DriverToolkit, Quarantined, [915], [512874],1.0.6937
    PUP.Optional.Spigot, HKU\S-1-5-21-481108157-1381744732-3800661945-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{59E31E7C-2F2C-492B-BF86-6EE571951867}, Quarantined, [170], [243431],1.0.6937

    Registry Value: 2
    PUP.Optional.Spigot, HKU\S-1-5-21-481108157-1381744732-3800661945-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{59E31E7C-2F2C-492B-BF86-6EE571951867}|URL, Quarantined, [170], [243431],1.0.6937
    Trojan.BitCoinMiner, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{AA36516D-DE69-45A1-9DC4-18934375739D}|PATH, Quarantined, [543], [558320],1.0.6937

    Registry Data: 1
    PUP.Optional.Spigot, HKU\S-1-5-21-481108157-1381744732-3800661945-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [170], [293199],1.0.6937

    Data Stream: 0
    (No malicious items detected)

    Folder: 3
    PUP.Optional.DriverToolkit, C:\Program Files (x86)\DriverToolkit\Download, Quarantined, [915], [512876],1.0.6937
    PUP.Optional.DriverToolkit, C:\Program Files (x86)\DriverToolkit\Backup, Quarantined, [915], [512876],1.0.6937
    PUP.Optional.DriverToolkit, C:\PROGRAM FILES (X86)\DRIVERTOOLKIT, Quarantined, [915], [512876],1.0.6937

    File: 3
    Trojan.BitCoinMiner, C:\WINDOWS\SYSTEM32\TASKS\MICROSOFT\WINDOWS\GOOGLE\GOOGLEUPDATETASKMACHINEGU, Quarantined, [543], [558322],1.0.6937
    PUP.Optional.Spigot, C:\USERS\EDWARD\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\M4J6RMYY.DEFAULT\PREFS.JS, Replaced, [170], [301667],1.0.6937
    Generic.Malware/Suspicious, C:\USERS\EDWARD\APPDATA\ROAMING\NHM2\BIN\EXCAVATOR_SERVER\EXCAVATOR.EXE, Quarantined, [0], [392686],1.0.6937

    Physical Sector: 0
    (No malicious items detected)

    WMI: 0
    (No malicious items detected)


    (end)

  6. Hi all,

    I get a steady stream of popups from Anti-Malware saying that it has successfully blocked access to a potentially malicious website, showing the IP address. I am glad that it is doing this, but I would like to know what programs are attempting to access the sites so that I can remove them... Any ideas?

    Thanks,

    Edward

  7. Hi all,

    First of all I looove this program. I guess Norton Internet Security is basically crap, as it allowed all kinds of malware to accumulate on my computer to the point that my browser was being hijacked and the computer was running slowly, but since running Anti-Malware it is like it is a new computer...

    Meanwhile, I keep getting popup messages from Anti-Malware saying that it has successfully blocked access to a potentially malicious website: (an IP address follows.) While I'm glad it is doing this :) , I would also like to know where the attempts to connect are coming from and eliminate the programs, whatever they are.

    Thanks,

    Edward
