Coinhive script got onto my pc somehow

[LegacyNovus]

I was looking up stock trading as I wanted to educate myself on how the whole system worked. Sadly one of the sites I visited in my ignorance gave me a little parting gift. Was wondering if anyone had experience with this little bugger:

 

[Aura]

Hi LegacyNovus

Read the article below.

https://blog.malwarebytes.com/security-world/2017/10/why-is-malwarebytes-blocking-coinhive/

Do you still get the block notifications even if your web browser is closed?

[LegacyNovus]

It seems to only happen when I open firefox, it looks like it is trying to run a script even if I am just opening up my homepage. (Also as far as the article is concerned, this is not happening because I visit the website, It happens when I open the program.)

 

Edited December 4, 2017 by LegacyNovus

[Aura]

Alright. Follow the instructions below.

Farbar Recovery Scan Tool (FRST) - Scan mode
Follow the instructions below to download and execute a scan on your system with FRST, and provide the logs in your next reply.

• Download the right version of FRST for your system:
  
  • FRST 32-bit
  • FRST 64-bit
    Note: Only the right version will run on your system, the other will throw an error message. So if you don't know what your system's version is, simply download both of them, and the one that works is the one you should be using.
    
• Move the executable (FRST.exe or FRST64.exe) on your Desktop
• Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
• Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds
• Make sure the Addition.txt box is checked
• Click on the Scan button
  
• On completion, two message box will open, saying that the results were saved to FRST.txt and Addition.txt, then open two Notepad files
• Copy and paste the content of both FRST.txt and Addition.txt in your next reply
  

[LegacyNovus]

Should I just post everything or put the text files in as an attachment?

 

[Aura]

You can copy/paste the content of both logfiles, or attach them. I don't mind  

[LegacyNovus]

Last question: Will it automatically make a backup or should I do so manually, if the later how?

[Aura]

The scan I'm asking you to run won't delete anything. But the Registry will be backed up automatically before it anyway.

[LegacyNovus]

Like this?

Addition.txt

FRST.txt

[Aura]

I don't see anything suspicious in your Mozilla Firefox settings. Let's try to clear the history and cache and see if that works.

Temp File Cleaner (TFC)

• Download Temp File Cleaner (TFC) and move it to your Desktop
• Right-click on TFC.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
• Simply click on Start to launch the clean-up and wait until it completes
  
• Depending on which processes are running, all your programs will be closed and explorer.exe (your Windows shell) will be killed, it will however be relaunched shortly after so do not panic
• There's no log to give for this tool
  

[LegacyNovus]

Roger that, I am thinking it may not be in the firefox directory.

[LegacyNovus]

Alright I managed to knock the thing out during a nap, I just tested and I still got the popup just from visiting youtube.

 

[Aura]

Have you tried to reinstall Mozilla Firefox yet?

[LegacyNovus]

Trying now.

 

[LegacyNovus]

Update: Uninstalling normally did not get rid of it, perhaps there is something else we could do to track it back to the source file? Since Malewarebytes is blocking it is there a way to trace it when it tries to be nasty?

Edit: Oh yes, I also took some initiative and ran ADWcleaner which promptly gave me nada.

Edited December 6, 2017 by LegacyNovus

[Aura]

Let's see if RogueKiller detects anything.

RogueKiller

• Download the right version of RogueKiller for your Windows version (32 or 64-bit)
• Once done, move the executable file to your Desktop, right-click on it and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
• Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
• Wait for the scan to complete
• On completion, the results will be displayed
• Check every single entry (threat found), and click on the Remove Selected button
• On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
• This will open the report in Notepad. Copy/paste its content in your next reply
  

[LegacyNovus]

Alright will check it out and post back!

 

[LegacyNovus]

I think this may have done it! how is it though that malewarebytes missed it?

 

[Aura]

Do you have the RogueKiller log? I need to see what was detected and removed by it in order to give you an explanation.

[LegacyNovus]

Where would the log be stored?

Edit: NVM found it

 

Rogue log.txt

Edited December 10, 2017 by LegacyNovus

[Aura]

And you deleted everything it found?

[LegacyNovus]

Yes, everything.

 

[Aura]

Honestly, except for the DHCP server settings pointing to IP addresses I don't know, I don't see what RogueKiller could've deleted that could've been associated with your issue.

[LegacyNovus]

Idk magic? at this point I just am happy it's not happening, or not on my pc anymore. I do not care how. XD

 

[Aura]

That's what's important yes Were there any other issues to address, or that was it?