TR/BitCoinMinerAL.A.11


Hello Sparaflesciata and welcome to Malwarebytes!

I am D-FRED-BROWN and I will be helping you. :)

Please print or save this topic. It will make it easier for you to follow the instructions and complete all of the necessary steps.

----------Step 1----------------

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.

    Vista/Windows 7 users right-click and select Run As Administrator.

  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.

  • A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
----------Step 2----------------

Please download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt
----------Step 3----------------

Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

***IMPORTANT: save ComboFix to your Desktop***

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.

NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

----------Step 4----------------

Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
----------Step 5----------------

In your next reply, please include the following:

  • TDSSKiller's logfile
  • MBAR mbar-log.txt and system-log.txt
  • ComboFix's report (C:\ComboFix.txt)
  • Security Check checkup.txt
After that, please let me know: How is your computer running now? Do you have any questions or concerns you'd like me to address? Don't hesitate to ask. :)

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Note:

Please make sure you are subscribed to this topic: Click on the "Follow This Topic" Button (at the top right of this page), make sure that the "Receive notification" box is checked and that it is set to "Instantly"

 

-------> Your topic will be closed if you haven't replied within 3 days! <--------

(If I don't respond within 24 hours, please send me a PM)

-DFB

Link to post
Share on other sites

(Sorry for my bad English, I'm Italian)

Attached are the log files you requested. I hope I did everything correctly.

Now my computer runs really fast, but I disabled the Avira antivirus as requested in order to use ComboFix, and I don't know if the malware/trojan is gone.

 

 

 

 

 Results of screen317's Security Check version 0.99.68  
 Windows 7 Service Pack 1 x64 (UAC is disabled!)  
 Internet Explorer 10  
``````````````Antivirus/Firewall Check:``````````````
Avira Desktop   
 Antivirus up to date!  (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
 JavaFX 2.1.1    
 Java 7 Update 21  
 Java version out of Date!
 Adobe Flash Player 11.7.700.224  
 Adobe Reader XI  
 Mozilla Firefox 21.0 Firefox out of Date!  
 Google Chrome 27.0.1453.116  
 Google Chrome 28.0.1500.52  
````````Process Check: objlist.exe by Laurent````````  
 Avira Antivir avgnt.exe
 Avira Antivir avguard.exe
 NetRatingsNetSight NetSight NielsenOnline.exe  
 NetRatingsNetSight NetSight meter4 NielsenOnline64.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````
 

 

 

TDSSKiller.2.8.18.0_26.06.2013_17.52.07_log.txt

mbar-log-2013-06-26 (18-11-45).txt

system-log.txt

ComboFix.txt

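The Security Check report above is the kind of output the helper triages by eye. As an added example (not part of this thread, nor of screen317's tool), the Python script below parses the report's backtick section headers and flags the findings a responder cares about: UAC disabled, on-access antivirus scanning turned off, out-of-date software, two Chrome versions side by side, and any running process that is not the antivirus itself. The sample input is a constructed copy of the checkup.txt posted above; the severity ratings and the rules are my own.

```python
"""Triage a screen317 Security Check report (checkup.txt) for security-relevant findings.

Added example for this thread; it is not part of the Security Check tool.
The report below is a copy of the one posted above (constructed sample input);
the severity ratings and the rules are my own.
"""
import re

TICKS = "`" * 14  # Security Check draws its section headers with runs of backticks

SAMPLE_CHECKUP = "\n".join([
    " Results of screen317's Security Check version 0.99.68",
    " Windows 7 Service Pack 1 x64 (UAC is disabled!)",
    " Internet Explorer 10",
    TICKS + "Antivirus/Firewall Check:" + TICKS,
    "Avira Desktop",
    " Antivirus up to date!  (On Access scanning disabled!)",
    TICKS + "Anti-malware/Other Utilities Check:" + TICKS,
    " JavaFX 2.1.1",
    " Java 7 Update 21",
    " Java version out of Date!",
    " Adobe Flash Player 11.7.700.224",
    " Adobe Reader XI",
    " Mozilla Firefox 21.0 Firefox out of Date!",
    " Google Chrome 27.0.1453.116",
    " Google Chrome 28.0.1500.52",
    TICKS + "Process Check: objlist.exe by Laurent" + TICKS,
    " Avira Antivir avgnt.exe",
    " Avira Antivir avguard.exe",
    " NetRatingsNetSight NetSight NielsenOnline.exe",
    " NetRatingsNetSight NetSight meter4 NielsenOnline64.exe",
    TICKS + "System Health check" + TICKS,
    " Total Fragmentation on Drive C: 0%",
    TICKS + "End of Log" + TICKS,
])

SECTION_RE = re.compile(r"^`+(.+?)`+$")

def parse_sections(text):
    """Split the report into {section name: [lines]}; lines before the first header go under 'Header'."""
    sections = {"Header": []}
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            # "Process Check: objlist.exe by Laurent" -> "Process Check"
            current = m.group(1).split(":")[0].strip()
            sections[current] = []
        else:
            sections[current].append(line)
    return sections

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}

def triage(text):
    """Return a list of (severity, message) findings, most severe first."""
    sections = parse_sections(text)
    findings = []
    if any("UAC is disabled!" in ln for ln in sections["Header"]):
        findings.append(("high", "UAC is disabled: anything the user runs gets admin rights without a prompt"))
    if any("On Access scanning disabled!" in ln for ln in sections.get("Antivirus/Firewall Check", [])):
        findings.append(("high", "Real-time antivirus scanning is off; re-enable it once the cleanup tools are done"))
    utilities = sections.get("Anti-malware/Other Utilities Check", [])
    for line in utilities:
        if "out of Date!" in line:
            findings.append(("medium", "Outdated software: " + line))
    chrome = [ln for ln in utilities if ln.startswith("Google Chrome")]
    if len(chrome) > 1:  # two versions side by side usually means a stale install was left behind
        findings.append(("low", "Multiple Chrome versions installed: " + ", ".join(chrome)))
    for proc in sections.get("Process Check", []):
        if not proc.startswith("Avira"):  # anything that is not the AV itself deserves a look
            findings.append(("info", "Non-AV process running: " + proc))
    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])  # sort is stable, so report order is kept within a level
    return findings

if __name__ == "__main__":
    for severity, message in triage(SAMPLE_CHECKUP):
        print(f"[{severity:>6}] {message}")
```

Run against the posted report it returns seven findings, the two "high" ones (UAC off, on-access scanning off) first; the on-access finding is the one the poster's own remark about having disabled Avira for ComboFix corresponds to.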

 

(Sorry for my bad English, I'm Italian)

No problem. :)

 

 

Things look a whole lot better. Let's run some more scans to verify there isn't anything left:

 

----------Step 1----------------

Please download AdwCleaner by Xplode onto your desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[R1].txt as well.

----------Step 2----------------

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

----------Step 3----------------

We need to create a New FULL OTL Report

  • Please download OTL from here if you have not done so already:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "SafeList"
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized

----------Step 4 (note: this scan may take a little time)----------------

I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.

    ESET OnlineScan

  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click the ESET Smart Installer link to download it. Save it to your desktop.
    • Double click on the ESET Smart Installer icon on your desktop.
  • Check the box to accept the terms of use.
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Check the "Scan archives" option.
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List found threats.
  • Push Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Back button.
  • Push Finish.

A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

----------Step 5----------------

Please post the AdwCleaner logfile, the JRT.txt, the OTL.txt and Extras.txt, and the ESET online scan log in your next reply.

Let me know how things go.


Still have a little more to do, but we're nearly there.

----------Step 1----------------
We need to run an OTL Fix

  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.

    :OTL
    [2009/07/14 06:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
     
    [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
     
    [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
     
    [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
     
    [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
     
    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
    "" = C:\Windows\SysNative\shell32.dll -- [2013/02/27 07:52:58 | 014,172,672 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment
     
    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
    "" = %SystemRoot%\system32\shell32.dll -- [2013/02/27 06:55:05 | 012,872,704 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment
     
    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
    "" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/14 03:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free
     
    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
    "" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/21 05:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free
     
    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
    "" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/14 03:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Both

     

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
    "" = %systemroot%\SysWow64\wbem

    @Alternate Data Stream - 153 bytes -> C:\ProgramData\Temp:05E9FFE5
    @Alternate Data Stream - 141 bytes -> C:\ProgramData\Temp:DF462FF6
    @Alternate Data Stream - 135 bytes -> C:\ProgramData\Temp:D5FBE8F9
    @Alternate Data Stream - 133 bytes -> C:\ProgramData\Temp:F8D65F32
    @Alternate Data Stream - 129 bytes -> C:\ProgramData\Temp:C46995DA
    @Alternate Data Stream - 124 bytes -> C:\ProgramData\Temp:1D6686D8
    @Alternate Data Stream - 121 bytes -> C:\ProgramData\Temp:DBC416F8
    @Alternate Data Stream - 109 bytes -> C:\ProgramData\Temp:0D786AE3

    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    :Commands
    [purity]
    [emptytemp]
    [emptyjava]
    [emptyflash]
    [Reboot]

  • Push Run Fix.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.

 

----------Step 2----------------
Instructions for DELETE:

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[s1].txt as well.

Afterwards, please reboot the computer.

----------Step 3----------------
Please post the OTL and AdwCleaner reports in your next reply. How are things running now?


Here is the report from OTL after the restart.

 

All processes killed
Error: Unable to interpret <Quote> in the current context!
========== OTL ==========
C:\Windows\assembly\Desktop.ini moved successfully.
File EY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 not found.
File EY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] not found.
File EY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64 not found.
File EY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] not found.
File EY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 not found.
File EY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] not found.
Folder EY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64\ not found.
Folder EY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]\ not found.
Folder EY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64\ not found.
Folder EY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]\ not found.
ADS C:\ProgramData\Temp:05E9FFE5 deleted successfully.
ADS C:\ProgramData\Temp:DF462FF6 deleted successfully.
ADS C:\ProgramData\Temp:D5FBE8F9 deleted successfully.
ADS C:\ProgramData\Temp:F8D65F32 deleted successfully.
ADS C:\ProgramData\Temp:C46995DA deleted successfully.
ADS C:\ProgramData\Temp:1D6686D8 deleted successfully.
ADS C:\ProgramData\Temp:DBC416F8 deleted successfully.
ADS C:\ProgramData\Temp:0D786AE3 deleted successfully.
C:\Windows\BCD5545077AC4347B24F654B1189F8D4.TMP\WiseCustomCall.dll deleted successfully.
C:\Windows\BCD5545077AC4347B24F654B1189F8D4.TMP\WiseCustomCalla.dll deleted successfully.
C:\Windows\BCD5545077AC4347B24F654B1189F8D4.TMP\WiseCustomCalla2.dll deleted successfully.
C:\Windows\BCD5545077AC4347B24F654B1189F8D4.TMP\WiseCustomCalla21.dll deleted successfully.
C:\Windows\BCD5545077AC4347B24F654B1189F8D4.TMP\WiseCustomCalla31.exe deleted successfully.
C:\Windows\BCD5545077AC4347B24F654B1189F8D4.TMP\WiseCustomCalla32.dll deleted successfully.
C:\Windows\BCD5545077AC4347B24F654B1189F8D4.TMP\WiseCustomCalla33.dll deleted successfully.
C:\Windows\BCD5545077AC4347B24F654B1189F8D4.TMP\WiseCustomCalla34.dll deleted successfully.
C:\Windows\BCD5545077AC4347B24F654B1189F8D4.TMP\WiseCustomCalla37.dll deleted successfully.
C:\Windows\BCD5545077AC4347B24F654B1189F8D4.TMP\WiseCustomCalla37.exe deleted successfully.
C:\Windows\BCD5545077AC4347B24F654B1189F8D4.TMP\WiseData.ini deleted successfully.
C:\Windows\BCD5545077AC4347B24F654B1189F8D4.TMP folder deleted successfully.
File rity] not found.
File ptytemp] not found.
File ptyjava] not found.
File ptyflash] not found.
File boot] not found.
 
OTL by OldTimer - Version 3.2.69.0 log created on 06262013_233057

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
 

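The report above opens with "Unable to interpret <Quote>" and logs every bracketed line of the fix with its first three characters missing ("File EY_CURRENT_USER\...", "File rity]", "File boot]"), so the only actions with a success line are the Desktop.ini move, the alternate data stream deletions and the .TMP folder removal; there is no success line for any registry key or for the :Commands items. Before declaring a fix done it is worth checking a removal tool's report mechanically rather than skimming it. As an added example, not part of the thread or of OTL, the Python script below parses an OTL fix report into done / missing / malformed actions, where "malformed" means a not-found target whose name is neither a registry hive, a drive path nor an [otl command], which is the signature of script text that did not reach the tool as written. The excerpt is a trimmed, constructed copy of the posted report.

```python
"""Check an OTL fix report: what was actually moved or deleted, and which targets
never reached OTL in the form the script intended.

Added example for this thread; it is not part of OTL. The excerpt below is a trimmed
copy of the report posted above (constructed sample input); the classification is mine.
"""
import re

OTL_REPORT_EXCERPT = r"""
All processes killed
Error: Unable to interpret <Quote> in the current context!
========== OTL ==========
C:\Windows\assembly\Desktop.ini moved successfully.
File EY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 not found.
Folder EY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64\ not found.
ADS C:\ProgramData\Temp:05E9FFE5 deleted successfully.
ADS C:\ProgramData\Temp:DF462FF6 deleted successfully.
C:\Windows\BCD5545077AC4347B24F654B1189F8D4.TMP\WiseCustomCall.dll deleted successfully.
C:\Windows\BCD5545077AC4347B24F654B1189F8D4.TMP folder deleted successfully.
File rity] not found.
File ptytemp] not found.
File boot] not found.
OTL by OldTimer - Version 3.2.69.0 log created on 06262013_233057
"""

# One action line: optional kind prefix, the target, optional "folder", then the outcome.
ACTION_RE = re.compile(
    r"^(?:(?P<kind>File|Folder|ADS)\s+)?(?P<target>.+?)\s+(?:folder\s+)?"
    r"(?P<status>moved successfully|deleted successfully|not found)\.$"
)
# Targets OTL could legitimately have looked for: a registry hive, a drive path, or an [otl command].
PLAUSIBLE_TARGET_RE = re.compile(r"^(HKEY_[A-Z_]+\\|[A-Za-z]:\\|\[[A-Za-z]+\])")

def parse_report(text):
    """Return {'actions': [(kind, target, status)], 'errors': [raw error lines]}."""
    actions, errors = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Error:"):
            errors.append(line)
            continue
        m = ACTION_RE.match(line)
        if m:
            actions.append((m.group("kind") or "Path", m.group("target"), m.group("status")))
    return {"actions": actions, "errors": errors}

def verify(text):
    """Split actions into done / missing / malformed.

    'malformed' holds not-found targets whose name is not a plausible registry key,
    path or command, i.e. the script text OTL saw differs from what was written.
    'missing' holds not-found targets that look valid and were simply absent.
    """
    report = parse_report(text)
    done = [a for a in report["actions"] if a[2] != "not found"]
    not_found = [a for a in report["actions"] if a[2] == "not found"]
    malformed = [a for a in not_found if not PLAUSIBLE_TARGET_RE.match(a[1])]
    missing = [a for a in not_found if PLAUSIBLE_TARGET_RE.match(a[1])]
    return {"done": done, "missing": missing, "malformed": malformed, "errors": report["errors"]}

if __name__ == "__main__":
    result = verify(OTL_REPORT_EXCERPT)
    for bucket in ("errors", "done", "missing", "malformed"):
        print(f"{bucket}: {len(result[bucket])}")
        for item in result[bucket]:
            print("   ", item)
```

On the excerpt, all five "not found" entries land in the malformed bucket and the missing bucket is empty: every target that failed did so because its name was mangled, not because it was absent from the machine, which is the case for re-running the fix rather than moving on.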

Let's try this:

 

Delete your existing copy of AdwCleaner.exe.

 

Next,

Please download a new copy AdwCleaner by Xplode onto your desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[R1].txt as well.

Okay, let's try this now:

 

Instructions for DELETE:

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[s1].txt as well.

Afterwards, please reboot the computer.


It's possible that something is blocking it from working correctly.

 

Please boot to Safe Mode. Instructions on how to do so are here: http://www.computerhope.com/issues/chsafe.htm

 

After that, please try to run the Delete instructions just as before. Let me know how things go.


No worries. We'll do a manual fix instead ;):

Please do the following:

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::

Folder::

C:\Program Files (x86)\Ask.com

C:\Program Files (x86)\Common Files\spigot

C:\Program Files (x86)\Common Files\Wondershare

C:\Program Files (x86)\Conduit

C:\Program Files (x86)\fbphotozoom

C:\ProgramData\Ask

C:\ProgramData\Babylon

C:\ProgramData\boost_interprocess

C:\ProgramData\Browser Manager

C:\ProgramData\BrrowSe2seavue

C:\ProgramData\IBUpdaterService

C:\ProgramData\InstallMate

C:\ProgramData\SoftSafe

C:\ProgramData\Tarma Installer

C:\Users\Silvietta\AppData\Local\APN

C:\Users\Silvietta\AppData\Local\Conduit

C:\Users\Silvietta\AppData\Local\Google\Chrome\User Data\Default\Extensions\clbfjfbnelcflpgpklppgplejolacbej

C:\Users\Silvietta\AppData\Local\Google\Chrome\User Data\Default\Extensions\ncdghcmanhfigpijjllopocpcnjffkhl

C:\Users\Silvietta\AppData\Local\Google\Chrome\User Data\Default\Extensions\ncdghcmanhfigpijjllopocpcnjffkhl

C:\Users\Silvietta\AppData\Local\PackageAware

C:\Users\Silvietta\AppData\Local\PutLockerDownloader

C:\Users\Silvietta\AppData\Local\Wondershare

C:\Users\Silvietta\AppData\LocalLow\AskToolbar

C:\Users\Silvietta\AppData\LocalLow\BabylonToolbar

C:\Users\Silvietta\AppData\LocalLow\bbrs_002.tb

C:\Users\Silvietta\AppData\LocalLow\Claro LTD

C:\Users\Silvietta\AppData\LocalLow\Conduit

C:\Users\Silvietta\AppData\LocalLow\Funmoods

C:\Users\Silvietta\AppData\LocalLow\PriceGong

C:\Users\Silvietta\AppData\LocalLow\Softonic

C:\Users\Silvietta\AppData\Roaming\Babylon

C:\Users\Silvietta\AppData\Roaming\Mozilla\Firefox\Profiles\ruf9ewma.default\jetpack

C:\Users\Silvietta\AppData\Roaming\Nosibay

C:\Users\Silvietta\AppData\Roaming\OpenCandy

C:\Windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

C:\END

File::

C:\Program Files (x86)\Mozilla Firefox\searchplugins\babylon.xml

C:\Program Files (x86)\Mozilla FireFox\searchplugins\Search_Results.xml

C:\Users\Silvietta\AppData\Roaming\Mozilla\Firefox\Profiles\ruf9ewma.default\searchplugins\Askcom.xml

C:\Users\Silvietta\AppData\Roaming\Mozilla\Firefox\Profiles\ruf9ewma.default\searchplugins\Babylon.xml

C:\Users\Silvietta\AppData\Roaming\Mozilla\Firefox\Profiles\ruf9ewma.default\searchplugins\claro.xml

C:\Users\Silvietta\AppData\Roaming\Mozilla\Firefox\Profiles\ruf9ewma.default\searchplugins\delta.xml

C:\Users\Silvietta\AppData\Roaming\Mozilla\Firefox\Profiles\ruf9ewma.default\searchplugins\Search_Results.xml

C:\Users\Silvietta\AppData\Roaming\Mozilla\Firefox\Profiles\ruf9ewma.default\searchplugins\softonic.xml

C:\Users\Silvietta\AppData\Roaming\Mozilla\Firefox\Profiles\ruf9ewma.default\searchplugins\Web Search.xml

Reboot::

Save this as CFScript.txt, in the same location as ComboFix.exe

[Image CFScriptB-4.gif in the original post: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt onto ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I shall require in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Please include the newly-created C:\ComboFix.txt in your next reply, and let me know how things are running now

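A CFScript is plain text: each directive ends in "::" and the lines beneath it are its entries. As an added example, not part of the thread or of ComboFix, the Python script below parses that layout and lints it before the drag-and-drop step: entries that precede any directive, paths that are not absolute drive paths, the same path listed twice (the script above lists the ncdghcmanhfigpijjllopocpcnjffkhl extension folder twice), and a path appearing under both Folder:: and File::. It also pulls out the Chrome extension IDs named in Folder:: entries so they can be looked up before deletion. The excerpt is a trimmed, constructed copy of the posted script.

```python
"""Parse a ComboFix CFScript.txt and lint it before dragging it onto ComboFix.exe.

Added example for this thread; it is not part of ComboFix. The excerpt below is a
trimmed copy of the script posted above (constructed sample input); the checks are mine.
"""
import re
from collections import OrderedDict

CFSCRIPT_EXCERPT = r"""
KILLALL::

Folder::
C:\Program Files (x86)\Ask.com
C:\ProgramData\Babylon
C:\Users\Silvietta\AppData\Local\Google\Chrome\User Data\Default\Extensions\clbfjfbnelcflpgpklppgplejolacbej
C:\Users\Silvietta\AppData\Local\Google\Chrome\User Data\Default\Extensions\ncdghcmanhfigpijjllopocpcnjffkhl
C:\Users\Silvietta\AppData\Local\Google\Chrome\User Data\Default\Extensions\ncdghcmanhfigpijjllopocpcnjffkhl
C:\Users\Silvietta\AppData\LocalLow\Conduit
C:\Windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

File::
C:\Program Files (x86)\Mozilla Firefox\searchplugins\babylon.xml
C:\Users\Silvietta\AppData\Roaming\Mozilla\Firefox\Profiles\ruf9ewma.default\searchplugins\Askcom.xml

Reboot::
"""

DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)::$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Chrome extension IDs are 32 characters from the alphabet a-p.
CHROME_EXT_RE = re.compile(r"\\Extensions\\([a-p]{32})$")

def parse_cfscript(text):
    """Return (OrderedDict directive -> [entries], [lines that precede any directive])."""
    sections = OrderedDict()
    stray = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            stray.append(line)
        else:
            sections[current].append(line)
    return sections, stray

def lint_cfscript(text):
    """Return a list of (severity, message) problems; an empty list means the script is clean."""
    sections, stray = parse_cfscript(text)
    problems = [("error", "entry before any directive: " + s) for s in stray]
    for directive in ("Folder", "File"):
        seen = set()
        for entry in sections.get(directive, []):
            key = entry.lower()  # NTFS paths compare case-insensitively
            if key in seen:
                problems.append(("warning", f"duplicate {directive}:: entry: {entry}"))
            seen.add(key)
            if not DRIVE_PATH_RE.match(entry):
                problems.append(("error", f"{directive}:: entry is not an absolute drive path: {entry}"))
    folders = {e.lower() for e in sections.get("Folder", [])}
    for entry in sections.get("File", []):
        if entry.lower() in folders:
            problems.append(("warning", "listed under both Folder:: and File::: " + entry))
    return problems

def chrome_extension_ids(text):
    """Chrome extension IDs named in Folder:: entries, for a lookup before they are deleted."""
    sections, _ = parse_cfscript(text)
    ids = []
    for entry in sections.get("Folder", []):
        m = CHROME_EXT_RE.search(entry)
        if m and m.group(1) not in ids:
            ids.append(m.group(1))
    return ids

if __name__ == "__main__":
    for severity, message in lint_cfscript(CFSCRIPT_EXCERPT):
        print(f"{severity}: {message}")
    print("Chrome extensions to look up:", chrome_extension_ids(CFSCRIPT_EXCERPT))
```

On the excerpt the linter reports one warning, the duplicated extension folder; duplicates are harmless to ComboFix but they are the usual sign that a list was assembled by hand from several log excerpts, which is exactly when a wrong path is most likely to slip in.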