
Trojan BitCoin Miner Virus



Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.


Let me see that log in your reply....

Thanks,

Kevin...

fixlist.txt


Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

 

fixlist.txt


Please download Malwarebytes Anti-Rootkit from here
 
  • Right click on the tool (select "Run as Administrator") to start the extraction to a convenient location. (Desktop is preferable)
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

 


That log is clean, run the following:

Follow the instructions at this link and post the requested logs: https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/

Thank you,

Kevin

Download RogueKiller and save it on your desktop; ensure you download the correct version.

RogueKiller (X86)

RogueKiller (x64)
 
  • Exit all running applications.
  • Double-click on RogueKiller.exe to launch the tool. On its first execution, RogueKiller will display the software license (EULA); click on "Accept" to continue.
  • If RogueKiller is unable to load, do not hesitate to try launching it several times or rename it winlogon.
  • Click "Start Scan" to begin the analysis. This may take some time.
  • Once the scan is complete, click the "Open TXT" button to display the scan report.
  • Copy/Paste its content in your next reply.


Do not use the Remove Selected option until I've had a look at the log.

RogueKiller V12.12.7.0 (x64) [Mar  5 2018] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7600) 64 bits version
Started in : Normal mode
User : 13005085 [Administrator]
Started from : C:\Users\13005085\Downloads\RogueKiller_portable64.exe
Mode : Scan -- Date : 03/12/2018 19:08:02 (Duration : 00:38:14)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 26 ¤¤¤
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Orbit -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-839522115-1801674531-725345543-354616\Software\Orbit -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-839522115-1801674531-725345543-354616\Software\ProgSense -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-839522115-1801674531-725345543-354616\Software\Video Player -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-839522115-1801674531-725345543-354616\Software\Orbit -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-839522115-1801674531-725345543-354616\Software\ProgSense -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-839522115-1801674531-725345543-354616\Software\Video Player -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\im -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Orbit_is1 -> Found
[PUP.Gen0] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000123B4-9B42-4900-B3F7-F4B073EFC214} -> Found
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-839522115-1801674531-725345543-354616\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : ISA-Firewall.rp.sg:8080  -> Found
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-839522115-1801674531-725345543-354616\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : ISA-Firewall.rp.sg:8080  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-839522115-1801674531-725345543-354616\Software\Microsoft\Internet Explorer\Main | Start Page : http://outlook.office365.com/  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-839522115-1801674531-725345543-354616\Software\Microsoft\Internet Explorer\Main | Start Page : http://outlook.office365.com/  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{2C8A629F-3985-42C5-8998-BF592D89747F} | DhcpNameServer : 10.60.20.11 10.60.20.12 10.60.20.13 ([][][])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{2C8A629F-3985-42C5-8998-BF592D89747F} | DhcpNameServer : 10.60.20.11 10.60.20.12 10.60.20.13 ([][][])  -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {74F6339B-01E7-4909-97F1-5C1DD0F6896B} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\NexonUS\NGM\NGM.exe|Name=Nexon Game Manager| [7] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {71479D1C-E269-47B9-B339-EC10D71D7A2B} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\NexonUS\NGM\NGM.exe|Name=Nexon Game Manager| [7] -> Found
[PUP.RelevantKnowledge|PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{C6A3A400-901E-4AF8-9A82-A0EA3B1DBBE3}C:\program files (x86)\relevantknowledge\rlvknlg.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\program files (x86)\relevantknowledge\rlvknlg.exe|Name=rlvknlg.exe|Desc=Relevant-Knowledge| [x] -> Found
[PUP.RelevantKnowledge|PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{1C468DFF-DD1F-4911-BF06-F9C637E6E348}C:\program files (x86)\relevantknowledge\rlvknlg.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\program files (x86)\relevantknowledge\rlvknlg.exe|Name=rlvknlg.exe|Desc=Relevant-Knowledge| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {74F6339B-01E7-4909-97F1-5C1DD0F6896B} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\NexonUS\NGM\NGM.exe|Name=Nexon Game Manager| [7] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {71479D1C-E269-47B9-B339-EC10D71D7A2B} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\NexonUS\NGM\NGM.exe|Name=Nexon Game Manager| [7] -> Found
[PUP.RelevantKnowledge|PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{C6A3A400-901E-4AF8-9A82-A0EA3B1DBBE3}C:\program files (x86)\relevantknowledge\rlvknlg.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\program files (x86)\relevantknowledge\rlvknlg.exe|Name=rlvknlg.exe|Desc=Relevant-Knowledge| [x] -> Found
[PUP.RelevantKnowledge|PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{1C468DFF-DD1F-4911-BF06-F9C637E6E348}C:\program files (x86)\relevantknowledge\rlvknlg.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\program files (x86)\relevantknowledge\rlvknlg.exe|Name=rlvknlg.exe|Desc=Relevant-Knowledge| [x] -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-839522115-1801674531-725345543-354616\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-839522115-1801674531-725345543-354616\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 8 ¤¤¤
[PUP.Gen1][File] C:\Users\13005085\Desktop\Orbit.lnk [LNK@] C:\PROGRA~2\ORBITD~1\orbitdm.exe -> Found
[PUP.Gen1][File] C:\Users\13005085\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Orbit.lnk [LNK@] C:\PROGRA~2\ORBITD~1\orbitdm.exe -> Found
[PUP.Gen1][File] C:\Users\13005085\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Orbit.lnk [LNK@] C:\PROGRA~2\ORBITD~1\orbitdm.exe -> Found
[PUP.Gen1][Folder] C:\Users\13005085\AppData\Roaming\ProgSense -> Found
[PUP.Gen1][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Orbit\Orbit.lnk [LNK@] C:\PROGRA~2\ORBITD~1\orbitdm.exe -> Found
[PUP.Gen1][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Orbit\Uninstall Orbit.lnk [LNK@] C:\PROGRA~2\ORBITD~1\unins000.exe -> Found
[PUP.Gen1][Folder] C:\Program Files (x86)\Orbitdownloader -> Found
[PUP.Gen1][File] C:\Users\13005085\Desktop\Orbit.lnk [LNK@] C:\PROGRA~2\ORBITD~1\orbitdm.exe -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[PUP.Gen2][Firefox:Addon] 1pibzh1e.default : RelevantKnowledge [{C7AE725D-FA5C-4027-BB4C-787EF9F8248A}] -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Hitachi HTS727575A9E364 ATA Device +++++
--- User ---
[MBR] 00bdc57b0c242d928514dc7595853a98
[BSP] 61fd1ad25ed6e4fc86a64cdea971f5c8 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 204900 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 419842048 | Size: 510402 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Generic- Multi-Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

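The RogueKiller report above has a regular line layout: a section header such as `¤¤¤ Registry : 26 ¤¤¤`, then one finding per line with bracketed detection tags (`PUP.Gen1`, `PUM.Proxy`, `Suspicious.Path`, or several joined by `|`), an optional `(X86)`/`(X64)` hive marker, the registry key or path, and a `-> Found` status. Firewall-rule findings additionally carry a `v2.10|Action=Allow|Dir=In|...|App=...` string. The parser below is an added example, not part of this thread and not RogueKiller's own code; it reads that layout into records, counts findings per family, and lists inbound Allow rules whose executable lives outside the standard install directories (the property that earned the `C:\ProgramData\...` rule its `Suspicious.Path` tag above). The sample report is constructed for the example with placeholder GUIDs, SID and paths, and the "trusted prefix" list is the example's own heuristic, not a RogueKiller rule.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample in the RogueKiller report layout (placeholder GUIDs, SID and paths).
SAMPLE_REPORT = r"""¤¤¤ Registry : 4 ¤¤¤
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Orbit -> Found
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-0-0-0-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : proxy.example.invalid:8080  -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {00000000-0000-0000-0000-000000000001} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\Example\tool.exe|Name=Example Tool| [7] -> Found
[PUP.RelevantKnowledge|PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{00000000-0000-0000-0000-000000000002}C:\program files (x86)\relevantknowledge\rlvknlg.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\program files (x86)\relevantknowledge\rlvknlg.exe|Name=rlvknlg.exe|Desc=Relevant-Knowledge| [x] -> Found

¤¤¤ Files : 2 ¤¤¤
[PUP.Gen1][File] C:\Users\user\Desktop\Orbit.lnk [LNK@] C:\PROGRA~2\ORBITD~1\orbitdm.exe -> Found
[PUP.Gen1][Folder] C:\Program Files (x86)\Orbitdownloader -> Found
"""

SECTION_RE = re.compile(r"^¤¤¤\s+(?P<name>.+?)\s*:\s*(?P<count>\d+)?")
FINDING_RE = re.compile(
    r"^\[(?P<tags>[^\]]+)\]"            # detection tags, possibly several joined by '|'
    r"(?:\[(?P<kind>File|Folder)\])?"   # only present in the Files section
    r"\s*(?:\((?P<arch>X86|X64)\)\s*)?"  # hive view marker, registry section only
    r"(?P<body>.*?)\s*->\s*(?P<status>\w+)\s*$"
)
TRAILER_RE = re.compile(r"\s*\[[^\]]*\]\s*$")  # trailing "[7]" / "[x]" marker on rule data

# Example heuristic (assumption of this example): executables under these roots are
# treated as normally installed; anything else with an inbound Allow rule gets reviewed.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


@dataclass
class Finding:
    section: str
    tags: list
    arch: str
    body: str
    status: str
    kind: str = ""
    rule: dict = field(default_factory=dict)

    @property
    def families(self):
        """Tag families, e.g. PUP.Gen1|PUP.RelevantKnowledge -> ['PUP']."""
        return sorted({t.split(".")[0] for t in self.tags})


def parse_firewall_rule(body):
    """Split '<key> | <rule name> : v2.10|Action=..|App=..| [7]' into a field dict."""
    if "FirewallRules" not in body:
        return {}
    _, _, rest = body.partition(" | ")
    _, _, data = rest.partition(" : ")
    data = TRAILER_RE.sub("", data)
    rule = {}
    for part in data.split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            rule[key] = value
    return rule


def parse_report(text):
    """Parse section headers and finding lines into Finding records."""
    findings, section = [], ""
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = FINDING_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        findings.append(Finding(
            section=section,
            tags=m.group("tags").split("|"),
            arch=m.group("arch") or "",
            body=body,
            status=m.group("status"),
            kind=m.group("kind") or "",
            rule=parse_firewall_rule(body),
        ))
    return findings


def count_by_family(findings):
    """Number of findings per tag family (PUP, PUM, Suspicious, ...)."""
    counts = Counter()
    for f in findings:
        for fam in f.families:
            counts[fam] += 1
    return counts


def inbound_allow_rules_to_review(findings):
    """Inbound Allow firewall rules whose App path is outside TRUSTED_PREFIXES."""
    out = []
    for f in findings:
        rule = f.rule
        if rule.get("Dir") == "In" and rule.get("Action") == "Allow":
            app = rule.get("App", "")
            if not app.lower().startswith(TRUSTED_PREFIXES):
                out.append((app, rule.get("Profile", ""), rule.get("Protocol", "")))
    return out


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    print(dict(count_by_family(parsed)))
    for app, profile, proto in inbound_allow_rules_to_review(parsed):
        print(f"review inbound allow: {app} (profile={profile}, protocol={proto})")
```

The path check and the tag check are complementary: the RelevantKnowledge rule in the sample sits under Program Files (x86), so it is caught by its `PUP.*` tags rather than by its location, while the ProgramData executable is caught by location regardless of how the signature engine labelled it. On a real log, feed the report text to `parse_report` and compare the per-family counts with the section totals in the headers as a sanity check that every line parsed.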

This topic is now closed to further replies.