Jump to content
TheSquidhunter

Recurring infection: System Infected: miner.bitcoinminer activity 7 AND 9

Recommended Posts

Hello, I am very new to the malwarebytesforums and it is admittedly a little bit late to be searching for help, but this infection has avoided everything in my power.

About four days ago, I acquired a new steam game, but it kept crashing to desktop upon launch. Although the fix was simple (Update graphics drivers), I saw a "Mod" by someone online that'd fix the issue. After downloading and running the file, it gave me an error, so I closed and deleted it, and didn't give it much thought. Little did I know I started going down a slippery slope. About an hour later exactly, norton starts giving me this:

image.png.7ea786514dbc710e6ef320adfa48fe23.png

There are attempted attacks ranging in intervals of 10 minutes to 2 hours (Not shown here for the reason explained below)

Firstly, I apologize, my Windows install is in Spanish, it can't be helped, but I don't think it will affect the removal process. Secondly, the attack always originates from a (What i assume must be) a regional location file within the SysWOW64 folder. I HAVE tried to delete the file folder highlighted below on red (Last attempt today no, which solves the issue for about 4-8 hours. It always comes back. Scans using Zemana, Malwarebytes, Roguekiller, Norton PowerEraser, and the like, return empty.

image.png.80f1c5e3c7d16d93449a80ecf77de040.png

I have also tried running TDSSKiller, but the files it found are either redundant (Civilization V uninstall files and the like) Or Kernel and system drivers which I am too afraid to delete. The only thing I have not attempted is the FRST tool as I dont know how to create a fixlist, and I am afraid of what it might do to the system. I am attaching the FRST.txt and Addition.txt files from today here for review, however.

Thank you for reading this far, I'll patiently await your response!

Addition.txt

FRST.txt

Share this post


Link to post
Share on other sites

Hi TheSquidhunter :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broke the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.

  • As you'll notice, the logs we are asking for here are quite lenghty, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on Malwarebytes Forums, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against Malwarebytes Forums's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread


This being said, it's time to clean-up some malware, so let's get started, shall we? :)

Give me some time to review your logs and get back at you.

Share this post


Link to post
Share on other sites

sUc2qjf.pngAutoruns - Start-up Entries
Follow the instructions below to give me an Autoruns log containing your start-up entries:

  • Download Autoruns.zip from the Sysinternals Suite webpage
  • Extract the content of the Autoruns.zip folder where you want, then go in the folder, right-click on Autoruns.exe and select Run as Administrator
  • Accept the EULA on opening, then wait for all the entries to load
  • Click on File then Save and save the file to a location easily accessible as a .arn (Autoruns) file
  • Right-click on the file you saved and select Send to followed by Compressed (zipped) folder
  • Attach the .zip file on your next post, or if it says that it's too big, upload it on SendSpace and post the download URL for it here

Share this post


Link to post
Share on other sites

I think I got it. Launch Autoruns again (with Admin Rights), right-click on the following entry and select Delete. Once done, restart your computer, wait a couple of minutes, then generate a new Autoruns report and attach it here.

gb84BPE.png

Share this post


Link to post
Share on other sites

Alright that looks good. Let's dig deeper.

iO3R662.pngFarbar Recovery Scan Tool (FRST) - File Search
Follow the instructions below to download and execute a file search on your system with FRST, and provide the log in your next reply.

  • Right-click on the executable and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds
  • In the Search text area, copy and paste the following:
    rb_*.exe;tiworker.exe;Riched*
  • Once done, click on the Search Files button and wait for FRST to finish the search
  • On completion, a log will open in Notepad. Copy and paste its content in your next reply

Share this post


Link to post
Share on other sites

Alright. Run a new scan with FRST and provide me a fresh set of logs.

Share this post


Link to post
Share on other sites

Looks good to me. Are you able to export the Norton logs showing the detections? I'll see what files gets flagged and look for them on your machine to see if there's indeed there or not. Though I think we crippled the infection by removing its scheduled task.

Share this post


Link to post
Share on other sites

This is what would get flagged by norton, and the .exe and .dll that was being regenerated. Before we did indeed cripple the malware, it kept regenerating on different (Hidden, permission locked away) folders upon deletion. I COULD delete this folder immediately and I doubt it would get regenerated, but I won't do anything you advise against. 

image.thumb.png.b0d0a956e85e8bd3a3e78301fd551ec7.png

image.thumb.png.61851afc04b5eb14abe84e2af7c7ece5.png

Norton does not think its bad, however I know for a fact that before we deleted the scheduled task, the mining attempts stopped for around 4-8 hours if I deleted those files / folder, until the malware regenerated these two files on a different folder, then it would start all over again. They would always show up in the SySWOW64 folder, under different subdirectories. One folder at a time, always named S-1-4-31, and the permissions always locked. (In fact, it messed with my registry so that my security tab would not show up under properties. What a field trip restoring THAT was).

image.thumb.png.03bda76b9a27149e0c3b404041f33fe3.png

Either way, Here is a .zip of all my PowerEraser Scans, dating all the way from the 17th of this month (Which I believe is actually when this issue began). I trust you can find useful information there and determine if further action is required, or if the deletion of the folder is a go, etc. I'll also go ahead and take a moment to thank you, from the bottom of my heart. I cannot state in words how thankful I am that you took time from your day to fix my issue, for free, and that you have continued your support all the way here. Thank you.

Norton Logs.zip

Share this post


Link to post
Share on other sites

No problem, you're welcome :)

Can you put these two files (Riched32.dll and TiWorker.exe) in a .zip file and attach them here? I'll see if they are the legitimate deal, or disguised malware. If they are, I'll forward them to Malwarebytes' Research Team.

Share this post


Link to post
Share on other sites

Thank you :) You can delete the S-1-4-31 folder now. Still no more warnings?

Share this post


Link to post
Share on other sites

Good :) Were there any other issues to address, or that was it?

Share this post


Link to post
Share on other sites

Please do, yes :)

 

Since there are no signs of infection anymore in your logs, and you just told me that there are no more issues left to address, I guess we're done here. We'll wrap it up by running DelFix to delete the tools and logs that were used in this clean-up.

BWuhenj.pngDelFix
Follow the instructions below to download and execute DelFix.

  • Download DelFix and move the executable to your Desktop
  • Right-click on DelFix.exe and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Check the following options :
    • Activate UAC
    • Remove disinfection tools
    • Create registry backup
    • Purge system restore
    • Reset system settings
  • Once all the options mentionned above are checked, click on Run
  • After DelFix is done running, a log will open. Please copy/paste the content of the output log in your next reply

Qt25440.pngTips, tricks, advice and recommendations

Now it's time to give you some tips, tricks, advice and recommendations on how to protect your system and prevent you from being infected in the future. This is where I'll explain basic security measures that you should take to protect and harden your system, and also make sure it stays as safe and secure as possible against hackers and malware. You are free to ignore the recommendations listed below, although I obviously do not recommend it. If you have any questions about one of the points covered in the speech below, feel free to ask me your questions here directly so I can answer them and guide you.

Windows Updates

Keeping Windows up to date is one of the first steps in having a safe and secure system. The Security Updates that Windows receives are meant to fix exploits and flaws in it that makes it more secure and not exploitable by hackers. In order to do that, you should always install the Security Updates, known as "Important Updates" on your Windows system. These updates are released on the second Tuesday of every month, but some are also released before if they are emergency/critical Security Updates. Let's make sure that you have all your Important Updates and Recommended Updates installed and that your Windows Updates are set to be installed automatically.

Keeping your programs up-to-date

Like keeping Windows updated, keeping your installed programs up-to-date is another important step in having a safe and secure system. Outdated programs can be exploited by hackers and malware to infect a system and take it over. This is especially true today with the rise of Exploit Kits (and also 0-days) which is one of the biggest attack vectors to distribute malware. Therefore, you should always keep vulnerable programs like Adobe Flash Player, Adobe Shockwave Player, Java, Silverlight, Google Chrome, Mozilla Firefox, VLC Media Player, etc. updated to their most recent version (even better, you don't have to install them if you don't use them). Programs like eF2jhaz.pngUCheck, SUMo and y5YE7At.pngHeimdal Free will scan your system for outdated programs, and help you identify them, as well as update them.

Anti-Virus

Note: The programs listed below are all free to use or they have some sort of trial. Some of them have a paid version that provides more features, while a lot of other good programs only have a paid version but aren't listed there (such as Kaspersky and ESET Antivirus products).

Anti-Malware, Anti-Exploit and Anti-Ransomware

Having a decent security setup (which also includes an Antivirus) is the most crucial step to protect a system. These programs are additional layers of defence that will prevent a system from being infected, or if it somehow ends up infected, help mitigate the infection and remediate it. Fortunately, the new Malwarebytes 3 bundle all these layers in one, easy to use and efficient product. Malwarebytes 3 offers Malware, Web, Exploit and Ransomware protection modules that works together in order to keep your system protected and stop an infection at multiple level.

  • j1Bynr2.pngMalwarebytes - Comes with a free trial of the Premium version for 14 days, after which it reverts back to the Free version

Note: Please note that only the Premium version of Malwarebytes 3 offers real-time protection (Malware, Web, Exploit and Ransomware). The free version only allows you to scan your system for threats and remove them.

Firewall

Starting in Windows Vista, the Windows Firewall greatly improved and will satisfy the needs of most users. If you do not have an Internet Suite Antivirus program (which includes a firewall) and you want to use a 3rd party firewall, you can consider the options below.

  • 7p3JzTS.pngGlassWire - Has both a free and paid version (with different packages)
  • MQIMh6k.pngWindows Firewall Control - Gives you more control over your Windows Firewall
  • 5RXGshU.pngTinyWall - Lightweight firewall implementing the Windows Firewall and giving you more control over it

Web Browsers and Web Browsing

Web Browsers could be considered as the closest door between a malware and your system. This is where most malware goes through to infect a system, and therefore it should be the program(s) you want to secure the most. There are two ways of going about it: hardening your web browser via extensions, and having good browsing habits. 

Hardening your web browser means to install extensions that will help it protect itself (and your system on the same occasion) against Exploit Kits, MiTM attacks, etc. but also you at the same time. Here are a few extensions that I recommend you to install.

  • uBlock Origin: Efficient multi-purpose blocker that is lightweight on RAM and CPU usage (Google Chrome, Mozilla Firefox, Microsoft Edge, Opera and most Chromium and Firefox-based browsers)
  • HTTPS Everywhere: Extension that converts your HTTP (unencrypted) requests to HTTPS (encrypted) ones (Google Chrome, Mozilla Firefox and Opera)
  • Web of Trust: Website reputation, rating and review extension that will help you quickly identify bad and suspicious sites from good ones (every web browsers)
  • NoScript: NoScript is a script blocker (Java, Flash, JavaScript, etc.) for Mozilla Firefox and Firefox-based browsers (Mozilla Firefox and Firefox-based web browsers)
  • uMatrix: For advanced users, a point and click matrix-like extensions that allow you to control requests done on a webpage (based on source, destination and type) (Google Chrome, Mozilla Firefox and Opera)
  • LastPass: Secure password manager allowing you to create, manage, and use passwords you save in your LastPass account (every web browser)

As for safe browsing habits, you can find tons of guides, tutorials, articles, etc. online that will highlight the basics you need to follow (only visit websites you trust, do not click on ads, do not download files from untrusted sources, use a password manager, always verify the URL of a website and make sure it's correctly typed, etc.), and even what you can do if you want to take it a step further (create a fake email address for spam emails, browse the web in a privacy mode, etc.). Here are a few:


As you can see, there are plenty of resources out there. Simply Googling "good browsing habits" or "safe browsing habits" should allow you to find a lot of them.

Other recommendations

Even if you follow every recommendation that I listed here, in the end, it's also your job to be careful when browsing the web and downloading files if you don't want to get infected. Therefore, if you use your brain (common sense) when browsing the web, downloading programs and files, etc., you have far less chances to get infected by a malware. If for example you're not sure if a website is legitimate or not, or if a file is safe to download and execute, or if a program looks "too good" to be free, I suggest you to avoid going to that website, downloading that file or using that program.

Here are a few guides, tutorials, articles, etc. that you could read in order to learn more about computer protection and security to improve your current computer protection setup but also improve your good web browsing and computer usage practices :


gRvSooB.pngThe End!

And that's it! Now that you know more about how to protect your computer and secure it, you're good to go back to your online activities, but in a safe and secure way! You are also free to stay on the forums and ask for help in different topics if you ever need to. Just make sure that you post your question/issue in the right section to get the best assistance possible. And if you ever get infected again (which I hope you wont!), you can always comeback in this section to get another checkup with one of our trained malware removal member.

Do you have any questions before I close this thread? :)

Share this post


Link to post
Share on other sites

Thank you very much Aura, I'll make sure to be careful and I hope I won't need to take your time again. I don't have any more questions and thank you for the advice. Here's the log, it seems like everything is in order. Again, thank you very much. Regards from Ecuador!

 

# DelFix v1.013 - Logfile created 26/08/2018 at 15:34:19
# Updated 17/04/2016 by Xplode
# Username : Jose - JOSE-PC
# Operating System : Windows 10 Home  (64 bits)

~ Activating UAC ... OK

~ Removing disinfection tools ...

Deleted : C:\FRST
Deleted : C:\TDSSKiller_Quarantine
Deleted : C:\RegBackup
Deleted : C:\TDSSKiller.2.8.16.0_20.08.2018_14.30.15_log.txt
Deleted : C:\TDSSKiller.2.8.16.0_20.08.2018_14.40.28_log.txt
Deleted : C:\Users\Jose\Desktop\tdsskiller.exe
Deleted : C:\Users\Public\Desktop\RogueKiller.lnk
Deleted : C:\Users\Jose\Downloads\Addition.txt
Deleted : C:\Users\Jose\Downloads\FRST.txt
Deleted : C:\Users\Jose\Downloads\FRST64 (1).exe
Deleted : C:\Users\Jose\Downloads\FRST64.exe
Deleted : C:\Users\Jose\Downloads\rkill-unsigned.exe
Deleted : C:\Users\Jose\Downloads\rkill.exe
Deleted : C:\Users\Jose\Downloads\RogueKiller_setup_ref3.exe
Deleted : C:\Users\Jose\Downloads\Search.txt
Deleted : C:\Users\Jose\Downloads\tdsskiller.exe

~ Creating registry backup ... OK

~ Cleaning system restore ...


New restore point created !

~ Resetting system settings ... OK

########## - EOF - ##########
 

Share this post


Link to post
Share on other sites

No problem TheSquidhunter, you're welcome!

Stay safe :)

Share this post


Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread.

Thanks

 

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.