
As the title says, the Trojan bitcoinminer just keeps on knocking at the door of my internet connection and my pc.

I mean, malwarebytes pro is perfect at stopping it before it gets up to its normal tricks, which in my case is to take control of my very very expensive graphics card and make it run at full speed, makes the fan sound like a rocket engine and puts a lot of heat and stress on the full system, so it's not good, but as I say, I have malwarebytes pro set to run on windows startup and it holds the Trojan back.

Only thing is, every time I was testing things out just for the sake of it, I would turn off MB's pro from starting along with windows and then restart the computer and, sure as can be, every single time I try that the bitcoinminer is back again running my graphics card at full throttle, it's doing my head in.

I am only hoping there is a way to stop this thing in its tracks so that I don't need to keep running scans and deleting the Trojan etc, I know that having them sitting in quarantine etc is fine but I would hopefully rather put the blockers on it totally if at all possible please?

Thank you.

p.s

I have zipped/rar'd up the 3 text files you would need for you to see, cheers :)

p.p.s

I had the internet totally disconnected when I ran "dds" by the way :) just saying.

malwarebytes.rar


  • Staff

Hello scottydog

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

These are the programs I would like you to run next, if you have any problems with one of these just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[s1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete let me have the two reports and let me know how things are running.

Gringo


Ok, I did as you requested, I also switched off malwarebytes pro so that the Trojan bitcoinminer kicked straight back in, and it did as I knew it would.

Anyway, I have the 2 log files you requested and I have attached them here. The same Trojan/virus is still attacking me and the only thing that's holding it back is switching malwarebytes pro back on to boot with windows again; when that's on then it holds it back, but surely that can't be right?

I have been building my own computers since as far back as when windows 95 first started and this is by far the worst ever and most difficult Trojan/virus I have seen in my life so far!!!

p.s

How do I make sure now that both of these programs I installed are cleanly removed totally, as I don't like any bits and pieces of things hanging about that are not required etc?

JRT.txt

AdwCleanerS0.txt


  • Staff

Hello scottydog

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

1. Close any open browsers or any other programs that are open.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?
Gringo

Sorry, I wrote that wrong, I meant to say I already tried that because it was suggested to me before and I did it just like you said too..... plus, I would have just edited the last post of mine there but I can't see any options for editing posts and that's why I am adding this note on.


  • Staff

I still would like to see the report that combofix made

I would like to see the report so lets see if we can find the report this way.

Extra Combofix Report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box
C:\ComboFix.txt
  • click ok
  • copy and paste the report into this topic for me to review
Gringo

  • Staff

Hello scottydog

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::
Folder::
c:\program files\SavingsbullFilter
c:\program files (x86)\SavingsBull
C:\temp
c:\programdata\Websteroids
c:\users\&&&&&&\AppData\Local\Websteroids
c:\program files (x86)\InstallConverter bundle uninstaller
File::
c:\windows\SysWow64\Websteroids.B324755F3F87.dll
Driver::
SavingsbullFilterService64
Websteroids
Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

CFScriptB-4.gif

This will let ComboFix run again.

Restart if you have to.

Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?
Gringo
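A read-only way to confirm that the items named in the CFScript above were actually removed, and that nothing in the usual Run keys still points at those folders, is the added PowerShell check below. It is an example written for this thread, not a script from the forum staff or from ComboFix; the folder, file and driver names are copied from the CFScript in the post, the user-profile placeholder "&&&&&&" is replaced with the current profile, and C:\temp and the Java cache are left out because they are not leftovers to look for.

```powershell
# Added example (not from the thread): verify the CFScript items are gone.
# Read-only; run from an elevated PowerShell prompt after ComboFix has finished.
# Names below are taken from the CFScript posted above.

$folders = @(
    'c:\program files\SavingsbullFilter',
    'c:\program files (x86)\SavingsBull',
    'c:\programdata\Websteroids',
    (Join-Path $env:USERPROFILE 'AppData\Local\Websteroids'),   # stands in for c:\users\&&&&&&\...
    'c:\program files (x86)\InstallConverter bundle uninstaller'
)
$files   = @('c:\windows\SysWow64\Websteroids.B324755F3F87.dll')
$drivers = @('SavingsbullFilterService64', 'Websteroids')

$leftovers = @()

# Folder:: and File:: entries should no longer exist on disk.
foreach ($p in ($folders + $files)) {
    if (Test-Path -LiteralPath $p) { $leftovers += "path still present: $p" }
}

# Driver:: entries are services/drivers; check both the service manager
# and the registry key that defines the service.
foreach ($d in $drivers) {
    $svc = Get-Service -Name $d -ErrorAction SilentlyContinue
    if ($svc) { $leftovers += "service still registered: $d ($($svc.Status))" }
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$d"
    if (Test-Path -LiteralPath $key) { $leftovers += "service key still present: $key" }
}

# Startup persistence is what brings the miner back on every reboot, so list
# any Run-key value that still references one of the removed folders.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path -LiteralPath $k)) { continue }
    $props = Get-ItemProperty -LiteralPath $k
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }          # skip PowerShell's own metadata members
        foreach ($f in $folders) {
            if ("$($prop.Value)" -like "*$f*") {
                $leftovers += "Run value '$($prop.Name)' in $k references $f"
            }
        }
    }
}

if ($leftovers.Count -eq 0) {
    Write-Output 'No leftovers from the CFScript items found.'
} else {
    Write-Output 'Leftovers found:'
    $leftovers | ForEach-Object { Write-Output "  $_" }
}
```

Anything the script lists is worth pasting into the reply alongside the ComboFix log, since a surviving service key or Run value is exactly the kind of entry that would re-launch the miner on the next boot with Malwarebytes disabled.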

Ok done, I ran it this time with malwarebytes pro still running and the internet connected too, I have attached the file as requested.

You will notice that I have changed the user name on windows from &&&&&& or whatever it is and left it as it should be, with the owner of the computer's name, Ann. She didn't want that at first but it's ok, so not a problem.

Anyway, I know I can simply be rid of this trojan/virus with a clean install of windows, which I must have done about 100 times now with my own computers, so that's not a problem should it come to that. I would rather not though, because I can install windows in minutes, it's reinstalling all the drivers etc that can sometimes take hours that is the pain in the neck.

I honestly have never come across a Trojan like this in all the years I have been dealing with pc's, such a pain man, argggg :(

 

 

combofix script.txt


So what next, or is that it?

I know I can format my main drive & reinstall windows, which is simple, but it's the fact of looking up and finding and installing all the drivers for everything in and connected to the system that is the real pain in the neck. However, I do know through past experience that sometimes this is the only way to get rid of a very very bad Trojan/virus such as this one, and it's looking more like that, as what has been suggested so far has not got rid of it and it is still sitting there just waiting on the chance that I may turn off malwarebytes pro from booting with windows. I know it because, as mentioned before, I have tried plenty of times.

I thought though that in this day and age there would be a permanent fix for literally any Trojan or virus instead of the tedious task of reinstalling windows etc, doesn't look like it though :(

Are there any more suggestions before I take the step to do a full clean wipe and reinstall of windows please, anyone?

p.s

I have also noticed a few seconds of lag when opening webpages, is that maybe because MB pro or the windows security software are causing that? Could someone let me know about that, as I have an SSD and everything worked ultra fast until now, but since I started to do all these tests and run all these suggested programmes etc it seems to me that things are slightly slower now, in fact I know they are slower as it's plain to see. Maybe someone may have suggestions for my questions or at least let me know if everything now is exhausted and I just need to do a clean wipe etc? Thank you, that's all I ask.


p.s, people should be advised strongly to watch out when they are advised to download the correct programs that are suggested to try and fix the problem I have. I noticed that I actually picked up a lot more Trojans/viruses when downloading 1 or 2, only lucky for me I was able to get rid of them (I think, not sure they are gone 100%, the bits of programs may still be lurking about in my computer; all I could do is access the bits that wouldn't allow me to remove them, I had to go into the registry and remove from there, and that is very dangerous for people that really might not know what they are doing).

Very exact direct links to the programs suggested is the best route, even better if you could store the actual "free" downloads on this website's server and that way people would not make any mistakes. Also, instructions on how to fully remove the programmes too would help, as they certainly didn't come off my system and wouldn't budge as I mentioned. I can only imagine what a poor person that isn't very computer literate would be going through; if it was a bit of a nightmare for me then just imagine how they feel. I am sorry and I don't mean any disrespect to anyone at all, but at the same time people for sure need guiding more easily to cleanly installing and removing all these things. I am still very interested in why my webpages are slower at opening now since I started to do all that was asked of me by you guys (I mean Malwarebytes pro staff, not anyone else).

Again, I say all these things with the very greatest of respect and mean no harm, thanks.


  • Staff

Hello scottydog

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
Gringo

Ok, both files attached as requested.

 

Ok, also same as the last thing you had me try, I ran Farbar with Malwarebytes pro enabled (and the internet enabled too), as MBs pro is the only thing that is holding back the bitcoinminer Trojan, as you know and I have explained before (but even though MBs Pro is holding it back it is still knocking at the door all the time and being stored within MBs Pro). What bitcoinminer is doing if MBs Pro isn't enabled from windows startup is that it simply blasts in and runs my graphics card at full throttle (it doesn't seem to be grabbing control of the CPU (I think), which I have heard is common with a lot of people rather than just the graphics card). I am sure you are aware of what it does anyway, but I am just saying so that you are aware of what I am doing.

 

Thanks.

FRST.txt

Addition.txt


EDIT : >

 

Just to add on to my last post from less than an hour ago, I just double checked my CPU speed etc, this time with MBs Pro disabled at windows startup, and to my surprise YES it is also taking control of my CPU too, that is also running at full throttle, same as what the graphics card is. And remember, I have my CPU overclocked from the Bios etc as that's what I do for a hobby, so now with this bitcoinminer kicking in if MBs Pro isn't enabled at startup I have an already overclocked CPU running at full throttle along with my graphics card, as I say. Just as well I have good cooling etc on this system, LOL.

I hope to have this issue sorted a.s.a.p as it's certainly not good when it's doing this. I am starting to think now is possibly a good time to just do a clean format and reinstall of the Windows drive, what do ya think?

Do you think there is little chance of getting the issue sorted without doing a clean format and reinstall of windows? You might as well be truthful, as you are probably losing patience with this as much as I am too, lol.

 

Thanks.


  • Staff

Hello scottydog

I need you to download this script I have made for you --> fixlist.txt

It needs to be saved Next to the "Farbar Recovery Scan Tool" (FRST) program (If asked to overwrite existing one please allow)

Run FRST again but this time press the Fix button just once and wait.

When finished, it will make a log (fixlog.txt) next to FRST. Please copy and paste the content of this file to your reply.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Gringo


Hi gringo_pr,

 

It appears to be better but I'm scared to disable malwarebytes now and reboot the pc a few times and then re-enable MBs to see if it picks anything up, lol.

 

Would that be the best way to fully test it out mate yes ?

 

Let me know and I will try whatever you say.


  • Staff

Hello

:P2P Warning!:

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur

Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore this is fine just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (Revo does a lot better of a job).

  • Programs to remove
    • µTorrent
  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here CCleaner

    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
    • Click Run Cleaner.
    • Close CCleaner.
: Malwarebytes' Anti-Malware :

I see You have MBAM installed on the computer - that is great!! it is a very good program! I would like you to run a quick scan for me now

  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.

Click OK to either and let MBAM proceed with the disinfection process.

If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

  • Go Here to download HijackThis program
  • Save HijackThis to your desktop.
  • Right Click on Hijackthis and select "Run as Admin" (XP users just need to double click to run)
  • Click on "Do A system scan and save a logfile" (if you do not see "Do A system scan and save a logfile" then click on main menu)
  • copy and paste hijackthis report into the topic
"information and logs"
  • In your next post I need the following
    • Log From MBAM
    • report from Hijackthis
    • let me know of any problems you may have had
    • How is the computer doing now?
Gringo

Hi mate, I don't think I need to do all that, being honest. I have tried disabling MBs pro and rebooting the pc a load of times etc since we last communicated and it appears that bitcoinminer has gone. I then re-enabled MBs etc and ran more scans each time and nothing is found, so it must be clean now, all thanks to you, cheers man :)

p.s

I understand exactly what you mean about using P2P software etc, it can be dangerous sometimes, I know this and there is no doubt that is where I may or may not have got the bitcoin Trojan from, hard to say.

All I can say for now though is it's all been looking nice and clean etc, so that's great man :)


  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.