Trojan Bitcoin Miner


Hey, this is my first time here. I just got a new PC and downloaded some software on my computer; however, I may be affected. Every time I open my computer I get a Trojan CoinMiner.ALI. I've uploaded the pic. I recently thought I caught it with Malwarebytes because it found a fake Trojan agent and the computer seemed good with no pop-ups. However, after an AVG Identity Protection update from the OFFICIAL program it restarted and I got the pop-up again. Note that I don't seem to have any malicious software nor notice any slowness in my laptop (PC

[attached screenshot]


Hi Dhruv525, and welcome to Malwarebytes Forum.

Please see I'm infected - What do I do now? and copy and paste the logs from Farbar Recovery Scan Tool (FRST.txt and Addition.txt) each in their own reply.

Please also download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document in your next reply also.


Please read the following and post back the logs when ready.

P2P/Piracy Warning:

I see you have BitTorrent Peer 2 Peer software installed. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar, you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.


NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.

start

SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
C:\ProgramData\SetStretch.exe
C:\ProgramData\SetStretch.VBS
C:\Users\dhruv\AppData\Roaming\Origin\update.vbe
C:\Users\dhruv\AppData\Local\Temp\Quarantine.exe
AlternateDataStreams: C:\Windows:nlsPreferences
AlternateDataStreams: C:\Users\dhruv\Local Settings:OxjcYOW7XwO720LyuGJKUXs9
AlternateDataStreams: C:\Users\dhruv\OneDrive:ms-properties
AlternateDataStreams: C:\Users\dhruv\AppData\Local:OxjcYOW7XwO720LyuGJKUXs9
AlternateDataStreams: C:\Users\dhruv\AppData\Local\Application Data:OxjcYOW7XwO720LyuGJKUXs9
AlternateDataStreams: C:\Users\dhruv\AppData\Local\Temp:d8athmjs03V69CuHbXz
AlternateDataStreams: C:\Users\dhruv\AppData\Local\Temp:j995bnd0fUf9E6DMrPOoXHhpj
AlternateDataStreams: C:\Users\dhruv\AppData\Local\Temp:SiOn268klR3MGhq2LXhtpM2gjnMPs

end


Save the file as fixlist.txt into the same folder as FRST.
Run FRST and click Fix only once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will create a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version, please download and run the updated version.

Please post the log from FRST (Fixlog.txt) in your next reply.


Please download AdwCleaner by Xplode onto your Desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
  • NOTE: If you get an error message, it means that nothing was found. Exit from AdwCleaner.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished and the PC has rebooted.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner

Please scan your system with ESET Online Scanner

  • Click the "Run ESET Online Scanner" button.
    • For browsers other than Internet Explorer such as Firefox, Chrome, or Opera (Microsoft Internet Explorer users can skip this step) another page will open to download the ESET Smart Installer
    • Click on esetsmartinstaller_enu.exe
    • Save it to your desktop, and double-click to run it.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

 

Please copy and paste into a reply (don't attach) the contents of the log from Farbar Recovery Scan Tool (Fixlog.txt), AdwCleaner, ESET Online Scan, and note any errors encountered.

Please also let me know if you were willing to completely uninstall or disable your Peer 2 Peer (P2P) software while being helped as is required to continue.


My bad, I didn't read about the attach part. Here's the fixlog again.

------------------------------------------------------------------------------------------------------------------------------------------------------------------


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 27-04-2014
Ran by dhruv at 2014-04-28 00:28:24 Run:1
Running from C:\Users\dhruv\Downloads
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start

SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
C:\ProgramData\SetStretch.exe
C:\ProgramData\SetStretch.VBS
C:\Users\dhruv\AppData\Roaming\Origin\update.vbe
C:\Users\dhruv\AppData\Local\Temp\Quarantine.exe
AlternateDataStreams: C:\Windows:nlsPreferences
AlternateDataStreams: C:\Users\dhruv\Local Settings:OxjcYOW7XwO720LyuGJKUXs9
AlternateDataStreams: C:\Users\dhruv\OneDrive:ms-properties
AlternateDataStreams: C:\Users\dhruv\AppData\Local:OxjcYOW7XwO720LyuGJKUXs9
AlternateDataStreams: C:\Users\dhruv\AppData\Local\Application Data:OxjcYOW7XwO720LyuGJKUXs9
AlternateDataStreams: C:\Users\dhruv\AppData\Local\Temp:d8athmjs03V69CuHbXz
AlternateDataStreams: C:\Users\dhruv\AppData\Local\Temp:j995bnd0fUf9E6DMrPOoXHhpj
AlternateDataStreams: C:\Users\dhruv\AppData\Local\Temp:SiOn268klR3MGhq2LXhtpM2gjnMPs

end
*****************

HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key deleted successfully.
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
C:\ProgramData\SetStretch.exe => Moved successfully.
C:\ProgramData\SetStretch.VBS => Moved successfully.
C:\Users\dhruv\AppData\Roaming\Origin\update.vbe => Moved successfully.
C:\Users\dhruv\AppData\Local\Temp\Quarantine.exe => Moved successfully.
C:\Windows => ":nlsPreferences" ADS removed successfully.
"C:\Users\dhruv\Local Settings" => ":OxjcYOW7XwO720LyuGJKUXs9" ADS not found.
"C:\Users\dhruv\OneDrive" => ":ms-properties" ADS not found.
C:\Users\dhruv\AppData\Local => ":OxjcYOW7XwO720LyuGJKUXs9" ADS removed successfully.
"C:\Users\dhruv\AppData\Local\Application Data" => ":OxjcYOW7XwO720LyuGJKUXs9" ADS not found.
C:\Users\dhruv\AppData\Local\Temp => ":d8athmjs03V69CuHbXz" ADS removed successfully.
C:\Users\dhruv\AppData\Local\Temp => ":j995bnd0fUf9E6DMrPOoXHhpj" ADS removed successfully.
C:\Users\dhruv\AppData\Local\Temp => ":SiOn268klR3MGhq2LXhtpM2gjnMPs" ADS removed successfully.

==== End of Fixlog ====
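As an added example (my own helper script, not part of FRST, Malwarebytes or this thread), the Python below reconciles a fixlist with the results FRST writes to Fixlog.txt: each fixlist entry is paired with the "Moved successfully", "Key deleted successfully", "ADS removed successfully" or "not found" lines it produced, so a helper can see at a glance which entries were acted on and which need a second look. The log embedded in it is a constructed sample modelled on the Fixlog posted above; the parsing rules (one `target => result` line per item, quoted targets, ADS results written as `":stream" ADS ...`) are inferred from this log's format and are an assumption about other FRST versions.

```python
"""Reconcile an FRST Fixlog.txt with the fixlist that produced it.

Added example (hypothetical helper, not part of FRST or this thread): was every
fixlist entry acted on, and which entries came back "not found"?
"""
import re

# Constructed sample, modelled on the Fixlog posted in the thread.
SAMPLE_FIXLOG = r"""Content of fixlist:
*****************
start
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
C:\ProgramData\SetStretch.exe
C:\Users\dhruv\AppData\Roaming\Origin\update.vbe
AlternateDataStreams: C:\Windows:nlsPreferences
AlternateDataStreams: C:\Users\dhruv\Local Settings:OxjcYOW7XwO720LyuGJKUXs9
end
*****************
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key deleted successfully.
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
C:\ProgramData\SetStretch.exe => Moved successfully.
C:\Users\dhruv\AppData\Roaming\Origin\update.vbe => Moved successfully.
C:\Windows => ":nlsPreferences" ADS removed successfully.
"C:\Users\dhruv\Local Settings" => ":OxjcYOW7XwO720LyuGJKUXs9" ADS not found.
==== End of Fixlog ====
"""

GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# Result lines read "<target> => <what FRST did>"; the target may be quoted.
RESULT_RE = re.compile(r'^"?(?P<target>.+?)"?\s+=>\s+(?P<rest>.+)$')
# Alternate data stream results read: ":<stream>" ADS <outcome>
ADS_RESULT_RE = re.compile(r'^":(?P<stream>[^"]+)"\s+ADS\s+(?P<outcome>.+)$')

def split_fixlog(text):
    """Return (fixlist entries, result lines) from the text of a Fixlog."""
    fixlist, results = [], []
    in_fixlist = after_fixlist = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "start" and not after_fixlist:
            in_fixlist = True
        elif line == "end" and in_fixlist:
            in_fixlist, after_fixlist = False, True
        elif in_fixlist:
            fixlist.append(line)
        elif after_fixlist and "=>" in line:
            results.append(line)
    return fixlist, results

def fixlist_key(entry):
    """Normalise a fixlist line into a key comparable with a result line."""
    if entry.startswith("SearchScopes:"):
        guid = GUID_RE.search(entry)
        return ("registry", guid.group(0).lower() if guid else entry.lower())
    if entry.startswith("AlternateDataStreams:"):
        # "<drive>:<path>:<stream>": split on the LAST colon only.
        path, stream = entry.split(":", 1)[1].strip().rsplit(":", 1)
        return ("ads", path.lower(), stream.lower())
    if entry.startswith("Folder:"):  # a listing directive, removes nothing
        return ("folder", entry.split(":", 1)[1].strip().lower())
    return ("file", entry.lower())

def parse_result(line):
    """Return (key, outcome) for one result line, or None if it is not one."""
    m = RESULT_RE.match(line.strip())
    if not m:
        return None
    target, rest = m.group("target"), m.group("rest").rstrip(".")
    ads = ADS_RESULT_RE.match(rest)
    if ads:
        return ("ads", target.lower(), ads.group("stream").lower()), ads.group("outcome")
    if rest.startswith("Key "):
        guid = GUID_RE.search(target)
        return ("registry", guid.group(0).lower() if guid else target.lower()), rest
    return ("file", target.lower()), rest

def reconcile(text):
    """Pair each fixlist entry with its logged outcomes: (entry, status, outcomes)."""
    fixlist, result_lines = split_fixlog(text)
    outcomes = {}
    for parsed in filter(None, map(parse_result, result_lines)):
        outcomes.setdefault(parsed[0], []).append(parsed[1])
    report = []
    for entry in fixlist:
        key = fixlist_key(entry)
        found = outcomes.get(key, [])
        if key[0] == "folder":
            status = "listing only"
        elif not found:
            status = "no result logged"
        elif any("successfully" in o for o in found):
            status = "acted on"
        else:
            status = "not found"
        report.append((entry, status, found))
    return report
```

Reading the full log above with this in mind: the same stream name appears on Local Settings, AppData\Local and AppData\Local\Application Data, and the first and third are compatibility junctions into the second on Windows Vista and later, so one removal accounts for all three and the two "not found" lines are not a miss. A "not found" on a path that is not a junction is the case worth re-checking in the next FRST scan.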

# AdwCleaner v3.204 - Report created 28/04/2014 at 00:38:08
# Updated 26/04/2014 by Xplode
# Operating System : Windows 8.1  (64 bits)
# Username : dhruv - SOUL
# Running from : C:\Users\dhruv\Downloads\adwcleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16518


-\\ Google Chrome v34.0.1847.116

[ File : C:\Users\dhruv\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [894 octets] - [25/04/2014 22:13:47]
AdwCleaner[R1].txt - [852 octets] - [28/04/2014 00:31:48]
AdwCleaner[R2].txt - [911 octets] - [28/04/2014 00:36:35]
AdwCleaner[s0].txt - [917 octets] - [25/04/2014 22:16:58]
AdwCleaner[s1].txt - [833 octets] - [28/04/2014 00:38:08]

########## EOF - C:\AdwCleaner\AdwCleaner[s1].txt - [892 octets] ##########


Please scan your system with ESET Online Scanner

  • Click the "Run ESET Online Scanner" button.
    • For browsers other than Internet Explorer such as Firefox, Chrome, or Opera (Microsoft Internet Explorer users can skip this step) another page will open to download the ESET Smart Installer
    • Click on esetsmartinstaller_enu.exe
    • Save it to your desktop, and double-click to run it.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.


Please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool:
http://www.bleepingc...to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix (CF).
Please go here to see a list of programs that need to be disabled.
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**
**Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.**

Please post the log from ComboFix and ESET Online Scanner, note any errors encountered, and let me know if your problem continues.


Sorry, the scan went overnight and I have to go to school, but I have the ESET scan and I think it found it.

-----------------------------------------------------------------------------------------------------------------------------------

C:\FRST\Quarantine\C\Users\dhruv\AppData\Roaming\Origin\update.vbe.xBAD VBS/CoinMiner.AD trojan cleaned by deleting - quarantined

I currently can't operate ComboFix because it says it's unable to, as quoted:

BleepingComputer Review:

ComboFix is a program, created by sUBs, that scans your computer for known malware, and when found, attempts to clean these infections automatically. In addition to being able to remove a large amount of the most common and current malware, ComboFix also displays a report that can be used by trained helpers to remove malware that is not automatically removed by the program.

Please note that running this program without supervision can cause your computer to not operate correctly. Therefore only run this program at the request of an experienced helper.

This program does not work on Windows 8.1 at this time!

For those who wish to help finance the author's work, he is accepting contributions via Paypal. You can contribute by clicking on the following image:


My error, I overlooked that you were running Windows 8.1.

ESET Online Scan found and quarantined the file that was already in the FRST quarantine. Let's see what else is in that file's original folder:

Using Windows Explorer, delete the previous copy of fixlist.txt that you saved in C:\Users\dhruv\Downloads
Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.

start
Folder: C:\Users\dhruv\AppData\Roaming\Origin
end

Save the file as fixlist.txt into the same folder as FRST.
Run FRST and click Fix only once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will create a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version, please download and run the updated version.

Please post the log from FRST (Fixlog.txt) in your next reply.


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 27-04-2014
Ran by dhruv at 2014-04-29 23:00:38 Run:2
Running from C:\Users\dhruv\Downloads
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start

Folder: C:\Users\dhruv\AppData\Roaming\Origin

end
*****************


========================= Folder: C:\Users\dhruv\AppData\Roaming\Origin ========================


====== End of Folder: ======


==== End of Fixlog ====


Using Windows Explorer, delete the following folder:
C:\Users\dhruv\AppData\Roaming\Origin.

It's time to remove some of the tools that we used, if not already deleted, and any logs they produced:
Security Check
AdwCleaner
(run the program and click Uninstall)
Junkware Removal Tool
Farbar Recovery Scan Tool (and delete the folder C:\FRST)

To help keep malware off your system:

  • Keep Windows updated at Windows Update or Microsoft Update.
  • Keep your other applications updated; there are vulnerabilities that rely on exploits through other programs like Java, Microsoft Office, Adobe Reader, Flash, and others.
  • Run a program like Secunia Online Software Inspector or FileHippo Update Checker to see what programs need to be updated.
  • Stay away from P2P software; even with a clean P2P program, their networks are often riddled with malware.
  • Don't click on attachments or links in e-mail, and read your e-mail in text-only mode for the highest safety.
  • Don't click on links received in instant message programs.
  • In place of Internet Explorer, browse with Firefox with the NoScript and AdBlock Plus add-ons.
  • A HOSTS file will prevent Internet Explorer from communicating with sites known to be associated with adware or spyware. A good, regularly updated HOSTS file is the MVPS HOSTS File, available at http://www.mvps.org/...p2002/hosts.htm
  • A free non-resident utility to prevent the installation of ActiveX-based malware is JavaCool's SpywareBlaster, available at http://www.javacools...m/products.html
  • I recommend reading Tony Klein's article So How did I get Infected in the First Place? at http://www.spywarein...showtopic=60955

Do you consider your problem resolved?


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.