Unknown Bitcoin Miner virus.

[TwinkieTheKidd]

I seem to have acquired a rather nasty Bitcoin miner (or I assume that's what it is). It seems to generate a random name and create a folder in Appdata/Low which I cannot access due to an access denied. It asks for administrator rights which when provided it still says access denied (these are my personal machines. I'm the only admin). I tried to take ownership via file security but I always get an access denied error and it says the current owner is unknown. It creates multiple threads using the same name as the folder it created which I cannot affect in any way. I can't kill them or restrict there priority level. I also cannot open the containing folder due to the aforementioned admin issue. It seems to constantly max out either 1 or 2 cores on and off. It drops down to no usage for 30 seconds to 2 minutes on a regular basis. I'm not sure what it's doing as I don't get a spike in network traffic. Based on how the performance hit affects my system I suspect these processes have given themselves above average priority. The virus seems to have spread to my Laptop and HTPC via my network since there isn't any download I've made that the 3 of them have in common. The processes have in common only that they identify themselves as "Windows Process Manager" in the description bar and that whenever the file name of the current process is googled it always seems to be listed on the page of a spam redirect webpage:

* www.discopoints.org/?postfix=CB&prefix=WE

I suspect that web portal acts as some sort of homing device since every filename they've taken so far has been on that webpage. The hard part is I can't find out how to remove the virus because I don't know the name or strain of the virus due to it creating randomly named folders. MalwareBytes Anti Malware (which is supposedly the best at detecting Malware) never detects it even when I specifically tell it to scan the aforementioned folders. It doesn't seem to be using my GPU. Only my CPU. So far the process names i've seen are:

* nvbtcis
* weklacb
* aurpmwc
* nvczsrmsvc

It's also always accompanied by a process that describes itself as "Printer Driver Host"

* dtmcbpx

They are always 32-bit processes. Each instance of the main mining process seems to use between 20 and 100MB of RAM depending on the age of the process.

Do any of you recognize this behavior? If I can find out what virus I'm dealing with I can likely find instructions on its removal. I've never seen a virus that takes this degree of control over my systems.

* Edit: Both systems are running Windows 7 Ultimate SP1 64-bit
* Edit 2: I also tried booting to Linux Live to view the folders. Under Linux the folders appeared as empty. I tried deleting them so I could boot back into Windows and create my own folders in a read only state so they couldn't re replicate themselves. By the time I was into Explorer they had already been taken over by the virus again.

* Edit 3: I've noticed it has the digital signature of a company called Jetbrains S.R.O. so I've sent them an email to see if they know anything about this. I assume they won't be happy that there digital signature is on a virus program.

* Edit 4: Reinstalling my OS isn't an option. It would take monthes to reinstall all my software. We're talking 3+ year old installs with TBs of data.

It was suggested I try posting here. Neither MalwareBytes nor Avast have been able to succesfully remove this virus. Avasts BootScan just threw out a data error and was unable to correctly delete the files. RKill didn't kill it.

 

[kevinf80]

Hello TwinkieTheKidd and welcome to Malwarebytes, Continue with the following: If you do not have Malwarebytes installed do the following: Download Malwarebytes version 3 from the following link: https://www.malwarebytes.com/mwb-download/thankyou/ Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions.... When the install completes or Malwarebytes is already installed do the following: Open Malwarebytes, select > "settings" > "protection tab" Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on.... Go back to "DashBoard" select the Blue "Scan Now" tab...... When the scan completes deal with any found entries... To get the log from Malwarebytes do the following:   Click on the Report tab > from main interface. Double click on the Scan log which shows the Date and time of the scan just performed. Click Export > From export you have two options: Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply   Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply… Next, Download Farbar Recovery Scan Tool and save it to your desktop. Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way... Be aware FRST must be run from an account with Administrator status...   Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.) Make sure Addition.txt is checkmarked under "Optional scans"   Press Scan button to run the tool.... It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply. The tool will also make a log named (Addition.txt) Please attach that log to your reply. Let me see those logs in your reply... Thank you, Kevin....

[TwinkieTheKidd]

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/22/18
Scan Time: 9:46 AM
Log File: e1491cc0-463b-11e8-96ad-005056c00001.json
Administrator: Yes

-Software Information-
Version: 3.4.5.2467
Components Version: 1.0.342
Update Package Version: 1.0.4836
License: Trial

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Unimatrix0\UnimatrixZero

-Scan Summary-
Scan Type: Custom Scan
Scan Initiated By: Manual
Result: Cancelled
Objects Scanned: 365
Threats Detected: 1
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 1 min, 3 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
Rootkit.Agent.PUA, C:\Windows\System32\drivers\atoilpsv.sys, No Action By User, [382], [429857],0.0.0

Physical Sector: 0
(No malicious items detected)

(end)

I quarantined the PUA Agent. The virus is located inside a folder called ataepwm so I suspect that is involved somehow.

 

 

FRST.txt

Addition.txt

[kevinf80]

Hello TwinkieTheKid,

Your system has smartservice infection, to remove that you will need access to a spare known to be clean PC and a USB flash drive 4 gb or above...

Select the Windows key and X key together, from the xmenu list select Command Prompt (Admin). Type or copy/paste the following commands, hit enter after each one:

CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes CMD: bcdedit.exe /set {default} recoveryenabled yes Boot up your spare PC plug in the flash drive, navigate to that drive, right click on it direct and select format. Quick option is adequate... Next, On that same PC downoad and save FRST to same Flash drive, make sure to get the correct version, if you are unsure d/l and save both, only the correct one will run. Do not plug Flash Drive into sick PC until booted to Recovery Environment. http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ Next, Boot sick PC to Recovery Environment, if you are unsure of that action have a read at the following link, maybe bookmark for future reference... https://www.tenforums.com/tutorials/2294-boot-advanced-startup-options-windows-10-a.html Next, From the Windows 10 Tutorial you should get access to the Advanced Startup Options at boot for Windows 10 From that window select "Troubleshoot" From the next window select "Advance Options" From that Window select "Command Prompt" Ensure to plug the flash drive into a USB port... You should now be in Recovery Environment with the Command Prompt Window open...... Continue with the following:   Select Command Prompt In the command window type in notepad and press Enter. The notepad opens. Under File menu select Open. Select "Computer" or "My PC" and find your flash drive letter and close the notepad. In the command window type E:\frst64 or E:\frst depending on your version. Press Enter Note: Replace letter E with the drive letter of your flash drive. The tool will start to run. When the tool opens click Yes to disclaimer. Press Scan button. It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply. Leave the infected PC in Recovery mode, post the produced log from your flash drive via the spare PC.... Thank you, Kevin.. Exit   Next,   If you have access to a spare PC and USB flash drive continue with the following:

 

[TwinkieTheKidd]

@kevinf80

 

I have done as you instructed.

Here is the log file:

 

FRST.txt

[kevinf80]

Thanks for that log, continue:

Boot sick PC back to Normal mode...

Next,

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix" NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work. Open FRST and press the Fix button just once and wait. The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply. Next, Open Malwarebytes Anti-Malware.   On the Settings tab > Protection Scroll to and make sure the following are selected: Scan for Rootkits Scan within Archives   Scroll further to Potential Threat Protection make sure the following are set as follows: Potentially Unwanted Programs (PUP`s) set as :- Always detect PUP`s (recommended) Potentially Unwanted Modifications (PUM`s) set as :- Alwaysdetect PUM`s (recommended)   Click on the Scan make sure Threat Scan is selected, A Threat Scan will begin. When the scan is complete if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected Tab If asked to restart your computer to complete the removal, please do so When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard. Wait for the prompt to restart the computer to appear, then click on Yes. After the restart once you are back at your desktop, open MBAM once more to retrieve the log. To get the log from Malwarebytes do the following:   Click on the Reports tab > from main interface. Double click on the Scan log which shows the Date and time of the scan just performed. Click Export > From export you have two options: Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply   Use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply… Next, Download AdwCleaner by Malwarebytes onto your Desktop. Or from this Mirror   Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users) Accept the EULA (I accept), then click on Scan Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply Next, Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktop Ensure to get the correct version for your system.... https://www.microsoft.com/en-gb/download/malicious-software-removal-tool-details.aspx Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window In the "Scan Type" window, select Quick Scan Perform a scan and Click Finish when the scan is done. Retrieve the MSRT log as follows, and post it in your next reply: 1) Select the Windows key and R key together to open the "Run" function 2) Type or Copy/Paste the following command to the "Run Line" and Press Enter: notepad c:\windows\debug\mrt.log The log will include log details for each time MSRT has run, we only need the most recent log by date and time.... Let me see those logs in your reply, also let me know if there are any remaining issues or concerns... Thank you, Kevin..

fixlist.txt

[TwinkieTheKidd]

@kevinf80

 

The virus has been successfully eradicated from my system. I greatly appreciate your help. However I have another system that has the same infection (I assume it jumped over via my network or a flash drive). If I perform the first steps and generate a log file from the 2nd infected system would you be willing to create a fixlist for it? I've done my research and  I understand the nature of the virus now as a ring zero driver based "bodyguard" type malware protecting a generic clicker virus and a trojan but I don't have the required understanding of it to create a fixlist.txt from a scan results text file.

[kevinf80]

Yes, just follow on with this thread and follow the instructions in reply #2 (miss out Malwarebytes scan) and reply #4. Post the produced logs...

Thank you,

Kevin...

[kevinf80]

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks