
Trojan BitCoin Miner Virus



Thanks for that log. If RogueKiller is still open, make sure all found entries are checkmarked, then click on the Remove Selected button. On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner).
This will open the report in Notepad. Copy/paste its content in your next reply....

If you've already closed RogueKiller, run it again....

  • Wait for the scan to complete
  • On completion, the results will be displayed
  • Checkmark all found entries
  • click on the Remove Selected button
  • On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
  • This will open the report in Notepad. Copy/paste its content in your next reply....

Next,

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan". Select Scan; when done, post the new logs, "FRST.txt" and "Addition.txt".


Thanks,

Kevin...


RogueKiller V12.12.7.0 (x64) [Mar  5 2018] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7600) 64 bits version
Started in : Normal mode
User : 13005085 [Administrator]
Started from : C:\Users\13005085\Downloads\RogueKiller_portable64.exe
Mode : Delete -- Date : 03/13/2018 06:51:52 (Duration : 00:40:46)

¤¤¤ Processes : 1 ¤¤¤
[Proc.RunPE] mspoolv.exe(440) -- C:\Windows\System32\mspoolv.exe[-] -> Killed [TermProc]

¤¤¤ Registry : 28 ¤¤¤
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Orbit -> Deleted
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-839522115-1801674531-725345543-354616\Software\Orbit -> Deleted
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-839522115-1801674531-725345543-354616\Software\ProgSense -> Deleted
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-839522115-1801674531-725345543-354616\Software\Video Player -> Deleted
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-839522115-1801674531-725345543-354616\Software\Orbit -> Deleted
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-839522115-1801674531-725345543-354616\Software\ProgSense -> Deleted
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-839522115-1801674531-725345543-354616\Software\Video Player -> Deleted
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\im -> Deleted
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Orbit_is1 -> Deleted
[PUP.Gen0] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000123B4-9B42-4900-B3F7-F4B073EFC214} -> Deleted
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-839522115-1801674531-725345543-354616\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : ISA-Firewall.rp.sg:8080  -> Deleted
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-839522115-1801674531-725345543-354616\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : ISA-Firewall.rp.sg:8080  -> ERROR [2]
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-839522115-1801674531-725345543-36406-{637FE20B-9A5B-4F51-B1BE-D10045625B40}-03132018070932572\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : ISA-Firewall.rp.sg:8080  -> ERROR [2]
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-839522115-1801674531-725345543-36406-{637FE20B-9A5B-4F51-B1BE-D10045625B40}-03132018070932572\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : ISA-Firewall.rp.sg:8080  -> ERROR [2]
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-839522115-1801674531-725345543-354616\Software\Microsoft\Internet Explorer\Main | Start Page : http://outlook.office365.com/  -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-839522115-1801674531-725345543-354616\Software\Microsoft\Internet Explorer\Main | Start Page : http://outlook.office365.com/  -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{2C8A629F-3985-42C5-8998-BF592D89747F} | DhcpNameServer : 10.60.20.11 10.60.20.12 10.60.20.13 ([][][])  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{2C8A629F-3985-42C5-8998-BF592D89747F} | DhcpNameServer : 10.60.20.11 10.60.20.12 10.60.20.13 ([][][])  -> Replaced ()
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {74F6339B-01E7-4909-97F1-5C1DD0F6896B} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\NexonUS\NGM\NGM.exe|Name=Nexon Game Manager| [7] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {71479D1C-E269-47B9-B339-EC10D71D7A2B} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\NexonUS\NGM\NGM.exe|Name=Nexon Game Manager| [7] -> Deleted
[PUP.RelevantKnowledge|PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{C6A3A400-901E-4AF8-9A82-A0EA3B1DBBE3}C:\program files (x86)\relevantknowledge\rlvknlg.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\program files (x86)\relevantknowledge\rlvknlg.exe|Name=rlvknlg.exe|Desc=Relevant-Knowledge| [x] -> Deleted
[PUP.RelevantKnowledge|PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{1C468DFF-DD1F-4911-BF06-F9C637E6E348}C:\program files (x86)\relevantknowledge\rlvknlg.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\program files (x86)\relevantknowledge\rlvknlg.exe|Name=rlvknlg.exe|Desc=Relevant-Knowledge| [x] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {74F6339B-01E7-4909-97F1-5C1DD0F6896B} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\NexonUS\NGM\NGM.exe|Name=Nexon Game Manager| [7] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {71479D1C-E269-47B9-B339-EC10D71D7A2B} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\NexonUS\NGM\NGM.exe|Name=Nexon Game Manager| [7] -> Deleted
[PUP.RelevantKnowledge|PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{C6A3A400-901E-4AF8-9A82-A0EA3B1DBBE3}C:\program files (x86)\relevantknowledge\rlvknlg.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\program files (x86)\relevantknowledge\rlvknlg.exe|Name=rlvknlg.exe|Desc=Relevant-Knowledge| [x] -> Deleted
[PUP.RelevantKnowledge|PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{1C468DFF-DD1F-4911-BF06-F9C637E6E348}C:\program files (x86)\relevantknowledge\rlvknlg.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\program files (x86)\relevantknowledge\rlvknlg.exe|Name=rlvknlg.exe|Desc=Relevant-Knowledge| [x] -> Deleted
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-839522115-1801674531-725345543-354616\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Replaced (1)
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-839522115-1801674531-725345543-354616\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Replaced (1)

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Hitachi HTS727575A9E364 ATA Device +++++
--- User ---
[MBR] 00bdc57b0c242d928514dc7595853a98
[BSP] 61fd1ad25ed6e4fc86a64cdea971f5c8 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 204900 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 419842048 | Size: 510402 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Generic- Multi-Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )


Thanks for the update and logs. One question, first scan with FRST we see the following in the main log:

Quote

HKLM\SYSTEM\CurrentControlSet\Services\avgSP <==== ATTENTION (Rootkit!)
HKLM\SYSTEM\CurrentControlSet\Services\avgMonFlt <==== ATTENTION (Rootkit!)
HKLM\SYSTEM\CurrentControlSet\Services\avgSnx <==== ATTENTION (Rootkit!)

We remove those but problems persist after reboot.

Second scan with FRST we see the following in the main log:

Quote

HKLM\SYSTEM\CurrentControlSet\Services\aswSP <==== ATTENTION (Rootkit!)
HKLM\SYSTEM\CurrentControlSet\Services\aswMonFlt <==== ATTENTION (Rootkit!)
HKLM\SYSTEM\CurrentControlSet\Services\aswSnx <==== ATTENTION (Rootkit!)

@shadowwar asked earlier if you have possibly downloaded and installed software that may have caused the problem we have on your system.

Did you download AVG previously, if so where from..?

Did you download Avast previously, if so where from...

Next,

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.

Next,

Open Malwarebytes Anti-Malware.

  • On the Settings tab > Protection, scroll to and make sure the following are selected:

    Scan for Rootkits
    Scan within Archives

  • Scroll further to Potential Threat Protection make sure the following are set as follows:

    Potentially Unwanted Programs (PUPs)         set as :- Always detect PUPs (recommended)
    Potentially Unwanted Modifications (PUMs)  set as :- Always detect PUMs (recommended)

  • Click on the Scan make sure Threat Scan is selected,

  • A Threat Scan will begin.

  • When the scan is complete if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected Tab

  • If asked to restart your computer to complete the removal, please do so

  • When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.

  • Wait for the prompt to restart the computer to appear, then click on Yes.

  • After the restart once you are back at your desktop, open MBAM once more to retrieve the log.

To get the log from Malwarebytes do the following:

  • Click on the Reports tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:

      Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply
      Text file (*.txt)        - if selected you will have to name the file and save it to a place of your choice, recommend "Desktop", then attach it to your reply

  • Use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log into your reply…


Thanks,

Kevin

 

 

fixlist.txt


Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/14/18
Scan Time: 2:52 AM
Log File: b6d678b8-26ef-11e8-94a3-026f375b5150.json
Administrator: Yes

-Software Information-
Version: 3.4.4.2398
Components Version: 1.0.322
Update Package Version: 1.0.4334
License: Trial

-System Information-
OS: Windows 7
CPU: x64
File System: NTFS
User: System

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 330090
Threats Detected: 5
Threats Quarantined: 5
Time Elapsed: 13 min, 51 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 1
Trojan.BitCoinMiner, C:\WINDOWS\SYSTEM32\MSPOOLV.EXE, Quarantined, [69], [497649],1.0.4334

Module: 1
Trojan.BitCoinMiner, C:\WINDOWS\SYSTEM32\MSPOOLV.EXE, Quarantined, [69], [497649],1.0.4334

Registry Key: 1
Trojan.BitCoinMiner, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\mspoolv, Quarantined, [69], [497649],1.0.4334

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 2
Trojan.Agent, C:\WINDOWS\TEMP\SVCH0ST.EXE, Quarantined, [17], [205959],1.0.4334
Trojan.BitCoinMiner, C:\WINDOWS\SYSTEM32\MSPOOLV.EXE, Quarantined, [69], [497649],1.0.4334

Physical Sector: 0
(No malicious items detected)


(end)

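The thread's three logs (RogueKiller, FRST and the Malwarebytes report above) each describe the same handful of artifacts in a different line format, and the helper has to correlate them by hand: the RunPE process RogueKiller killed is the same mspoolv.exe Malwarebytes later quarantined as Trojan.BitCoinMiner, alongside its service key. The script below is an added example, written here for this page and not part of the thread or of any of those tools; it parses the three formats and merges hits into one artifact list keyed on the normalised path or registry key, so a responder can see at a glance which indicators were reported by more than one tool. The sample lines are copied from the logs quoted in this thread; the regular expressions are my own reading of those formats and are an assumption, not the vendors' documented grammar.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Artifact:
    kind: str       # "file", "service" or "registry"
    value: str      # path or key, lower-cased so tools that differ in case merge
    labels: tuple   # detection names, one per tool that reported it
    sources: tuple  # which tool(s) reported it


# Malwarebytes "-Scan Details-" entry (assumed format, taken from the thread's report):
#   "<Detection>, <path or key>, <action>, [n], [n],<db version>"
MBAM_RE = re.compile(
    r"^(?P<label>[A-Za-z][\w.]*), (?P<value>[^,]+), (?P<action>[A-Za-z ]+), \[\d+\], \[\d+\],")
# FRST line flagging a service key it could not read normally:
#   "HKLM\SYSTEM\CurrentControlSet\Services\<name> <==== ATTENTION (Rootkit!)"
FRST_RE = re.compile(
    r"^(?P<value>HKLM\\SYSTEM\\CurrentControlSet\\Services\\\S+) <==== ATTENTION \((?P<label>[^)]+)\)")
# RogueKiller registry entry: "[Label] (X64) <key>[ | value : data] -> <action>"
RK_REG_RE = re.compile(
    r"^\[(?P<label>[^\]]+)\] \((?:X86|X64)\) (?P<value>HKEY_[^|]+?)\s*(?:\| .*)?-> ")
# RogueKiller process entry: "[Proc.RunPE] name(pid) -- <path>[-] -> Killed ..."
RK_PROC_RE = re.compile(
    r"^\[(?P<label>Proc\.[^\]]+)\] \S+\(\d+\) -- (?P<value>.+?)\[-\] -> ")

PARSERS = (("Malwarebytes", MBAM_RE), ("FRST", FRST_RE),
           ("RogueKiller", RK_PROC_RE), ("RogueKiller", RK_REG_RE))


def classify(value):
    """Registry keys under ...\\Services\\ are service definitions; other keys are
    plain registry artifacts; anything else is treated as a file path."""
    upper = value.upper()
    if upper.startswith(("HKLM\\", "HKEY_")):
        return "service" if "\\SERVICES\\" in upper else "registry"
    return "file"


def parse_line(line):
    """Return (source, label, value) for a detection line from any of the three
    tools, or None for header/summary lines that carry no indicator."""
    line = line.rstrip()
    for source, rx in PARSERS:
        m = rx.match(line)
        if m:
            return source, m.group("label"), m.group("value").strip()
    return None


def collect(lines):
    """Merge detection lines into one Artifact per normalised value, keeping the
    order in which values were first seen."""
    merged = {}
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue
        source, label, value = hit
        labels, sources = merged.setdefault(value.lower(), ([], []))
        if label not in labels:
            labels.append(label)
        if source not in sources:
            sources.append(source)
    return [Artifact(classify(value), value, tuple(labels), tuple(sources))
            for value, (labels, sources) in merged.items()]


# Sample input: lines copied from the logs quoted in this thread, plus one header line.
SAMPLE_LOG_LINES = [
    r"[Proc.RunPE] mspoolv.exe(440) -- C:\Windows\System32\mspoolv.exe[-] -> Killed [TermProc]",
    r"[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Orbit -> Deleted",
    r"[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-839522115-1801674531-725345543-354616\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : ISA-Firewall.rp.sg:8080  -> Deleted",
    r"HKLM\SYSTEM\CurrentControlSet\Services\avgSP <==== ATTENTION (Rootkit!)",
    r"HKLM\SYSTEM\CurrentControlSet\Services\aswSP <==== ATTENTION (Rootkit!)",
    r"Trojan.BitCoinMiner, C:\WINDOWS\SYSTEM32\MSPOOLV.EXE, Quarantined, [69], [497649],1.0.4334",
    r"Trojan.BitCoinMiner, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\mspoolv, Quarantined, [69], [497649],1.0.4334",
    r"Trojan.Agent, C:\WINDOWS\TEMP\SVCH0ST.EXE, Quarantined, [17], [205959],1.0.4334",
    "Scan Date: 3/14/18",
]


def main():
    for art in collect(SAMPLE_LOG_LINES):
        corroborated = "*" if len(art.sources) > 1 else " "
        print(f"{corroborated} {art.kind:8} {art.value}")
        print(f"           reported by {', '.join(art.sources)} as {', '.join(art.labels)}")


if __name__ == "__main__":
    main()
```

Artifacts marked with `*` in the output were reported by more than one tool; in this thread that is the mspoolv.exe binary, which RogueKiller killed as a RunPE process and Malwarebytes quarantined as Trojan.BitCoinMiner. The two FRST service keys (avgSP, aswSP) and the mspoolv service key land in the same "service" bucket, which is the grouping a responder would check for persistence after the binary itself has been removed.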

Obviously we are not finding the protective rootkit that will keep on returning the infection after removal... Try the following:

Download PowerTool and save to your Desktop, ensure to get the correct version:

PowerTool for 64-bit systems >> https://malwarebytes.box.com/s/vnp2jdko58ww33bxabbm8zu9764u0tlh

PowerTool for 32-bit systems >> https://malwarebytes.box.com/s/f0bsa1nuzjv994neyzbtrti1au0s98yx

Please follow the instructions below:

Right click on PowerTool, Select "Run as Administrator"

Windows 8/8.1/10 users may see the following, if so select "More Info"


In the next Window select "Run Anyway"


Initially click on sq image to enlarge window to full screen (As shown in the image below)
Now click on Kernel tab (No. 1 on the image below)
Then click on Kernel Notify Routine (No. 2 on the image below)
Also click on Path so you sort the list by name (No. 3 on the image below)


Right click anywhere on listed items under path (No. 4 on the image above) and select Export.


Save exported file to your Desktop, zip up that file and attach to your reply....


Thank you,

Kevin......

Thanks for that log, nothing definite unfortunately....

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan". Select Scan; when done, post the new logs, "FRST.txt" and "Addition.txt".

Next,

See if you can also run the following, your security will probably crash your system when GMER is run. Turn off all security..

Please download Gmer from Here by clicking on the "Download EXE" Button.
 
  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    Sections
    IAT/EAT
    Show All
    ( should be unchecked by default )
     
  • Leave everything else as it is.
  • Close all other running Programs as well as your Browsers.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.



Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

**If GMER crashes** Follow the instructions here and disable your security temporarily…

Post those logs,

thanks,

Kevin

 


Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks
