Malware detected: coinhive

[Elyzabeth]

As requested on https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/ find attached the FRST and Additons logs. I'm not attaching a Malware Threat Scan log since the software says there are no threats, however, every time I open Google Chrome, Malwarebytes detects this "coinhive".

Thank you in advance for all your help.

Addition.txt

FRST.txt

[Android8888]

Hello Elyzabeth and

My screen name is Android8888 but if you wish you can call me Rui which is my real name. I will be helping you with your malware issues. Please ask questions if anything is unclear.

I suggest printing out each set of instructions or copy them to a Notepad file and reading the entire post before proceeding. It will make following them easier.

Going over your logs I noticed that you have Torrent installed.

• Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
• They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
• Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
• The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
  

It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall Torrent, however that choice is up to you.
If you wish to keep it, please do not use it until your computer is cleaned.

Next,

Please remove the following program:
Popcorn Time

Next,

Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

• Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST64.exe executable is located); DO NOT open or modify that file!
• Right-click on the FRST executable and select Run as Administrator;
• Click on the Fix button;
  
  Credits: Aura
• On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
• Please attach the Fixlog.txt in your next reply;
  

Next,

• Download Malwarebytes AdwCleaner and move it to your computer Desktop.
• Right-click on AdwCleaner.exe and select Run as Administrator to start the tool.
• Accept the EULA (I accept), then click on Scan.
• Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes.
• Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it.
• After the restart, a log will open when logging in. Please attach that log in your next reply.
  

Next,
Please download Zemana Antimalware Portable and save it to your computer Desktop.

• Right-click on the icon and select Run as administrator to install the program.
• Click Yes to accept the User Account Control security warning that may appear.
• Wait a few seconds until the update of database signature is complete.
• Without changing any options, click the Scan button to begin.
• After the short scan is finished, if threats are detected click Next to remove them.
  Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually.
• Click on the Back button.
• On the top right corner click on Reports icon (the one with three bars) and double click on the latest report.
• Now click File > Save As, then choose your computer's Desktop and click the Save button.
  

Please attach the saved report in your next reply.

In your next reply please attach the following logs:
Fixlog.txt
AdwCleaner clean log.
Zemana log.

How is the computer running at this point? Any detections of "coinhive"?

Rui

fixlist.txt

[Elyzabeth]

Hey, Rui.

First of all, thank you for your reply and support.

I uninstalled both uTorrent and Popcorn Time, as recommended.

I did everything else as instructed, and coinhive is still here. Stubborn little thing lol

Find attached all the requested log files.

Let me know if you need anything else =)

Fixlog.txt

AdwCleaner[C0].txt

2018.01.31-12.22.35-i0-t92-d3.txt

[Android8888]

Hi Elyzabeth,

Could you please re-run FRST and post a new set of logs for my review.

Thank you.

Rui

[Elyzabeth]

Sure. There you go!

Addition.txt

FRST.txt

[Elyzabeth]

Hello, Rui.

I think I solved it. At some point during the whole cleaning process, I noticed a lot of things were involving Chromium. I did some research and found out this is Google's open source browser. I don't understand much about this kind of thing but maybe because it's open source (I went with the "open" thing lol) it's easier for people to attack it. In my research I also found out you can remove Chromium without causing any damage to your computer or affecting Chrome. So that's what I did. Then I reinstalled Google Chrome, and that was it. Apparently, Coinhive is gone.

If you need me to send any other logs so you can check that, let me know.

Once again, thank you for your support! =)

[Android8888]

Hi Elyzabeth. You're very welcome!

I'm glad to hear that you were able to deal with the problem on your own. Yes, you thought and did well. Chromium is an open-source Web browser project started by Google but that does not mean that it could not be infected.

Now I suggest that you run the following scans to check if the system is completely clean.

• Open Malwarebytes;
• On the left pane select Settings;
• Select the Protection tab;
• Scroll down to Scan Options and ensure Scan for Rootkits and Scan within Archives are both on and leave all other settings to default.
• Go back to DashBoard and select the blue Scan Now tab; Note: The scan may take some time to finish, so please be patient.
• When the scan completes if potential threats are detected, ensure to checkmark all the listed items, and click the Quarantine Selectedbutton.
• While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), give it a name and save it to your Desktop.
• The log can also be viewed by clicking the log to select it, then clicking the View Report button.
• Please attach the log in your next reply.

Please check for leftovers of infection by running ESET Online Scanner. Please note that this is a very thorough scan so it can take several hours to complete but it's worth it.

• Click on this link to open ESET Online Scanner in a new window.
  
  1. Click on the Scan Now button to download the esetonlinescanner_enu.exe file and save it to your computer Desktop.
  2. Close all your programs and browsers and disconnect any USB flash drives from the computer.
  3. Please disable your antivirus program to avoid potential conflicts, improve the performance and speed up the scan.
  4. Double click on esetonlinescanner_enu.exe to start ESET Online Scanner. It will open a window with the Terms of Use.

• Click the Accept button.
• Under Computer scan settings, check mark Enable detection of potentially unwanted applications.
• Then click Advanced settings and check mark the following options:
  
  • Enable detection of potentially unsafe applications
  • Clean threats automatically
    
• Click the Scan button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, click List Threats.
• Click Export, and save the file to your Desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Click the Back button.
• Click the Finish button.
  

Note: If nothing is found, it will not produce a log.

Please re-enable your antivirus program.

Please attach the Malwarebytes log and post the contents of ESET log (if it produced one).

How is the system running at this point? Any issues or concerns?

Thank you.

Rui

[AdvancedSetup]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread.

Thanks