Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

help me remove win32/bitcoinminer.AF please


  • This topic is locked This topic is locked
51 replies to this topic

#1 feithful

feithful

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:12:29 AM

Posted 11 November 2013 - 01:31 AM

several variants have been quarintined by eset AV 7 i thought it was everything under control when i started noticing random slowdowns specially when running up apps or games it began to become really annoyng i tried spybot 1.6 + and using full and updated ESET Smart security 7 but this virus is still around my system is running on a I5 4670K, GTX 660, SSD120 GB S510 , 8GB HYPERX BLU KINGSTON USING XMP 1600MHZ PROFILE, and Windows 8.1 pro am currently having problems with my keyboard and im using on-screenn keyboard to write all this up and it makes so very hard to figght this cursed virus ;( so please help..me out guys and thanks (took me 10 minutes to open this new topic is really painful to click on every single letter)

edit:r dled and ran dds.com but it says "this program is not meant to be ran in compability mode exiting now" something like this i would really apprecitate and follow instructions on how may i help to be helped...


Edited by feithful, 11 November 2013 - 01:41 AM.


BC AdBot (Login to Remove)

 


#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:29 AM

Posted 11 November 2013 - 03:33 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

 

Scan with FRST in normal mode

Please download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (If not sure: Start --> Computer (right click) --> properties)

  • Run FRST.
  • Don´t change one of the checkboxes and hit Scan.
  • Logfiles are created on your desktop.
  • Poste the FRST.txt and (after the first scan only!) the Addition.txt.

 

 

 

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 feithful

feithful
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:12:29 AM

Posted 11 November 2013 - 03:53 AM

here

Attached Files


Edited by feithful, 11 November 2013 - 03:57 AM.


#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:29 AM

Posted 11 November 2013 - 04:22 AM

Combofix

Combofix should only be run when adviced by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe


When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing ""Illegal operation attempted on a registry key that has been marked for deletion" simply restart your computer to fix this.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#5 feithful

feithful
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:12:29 AM

Posted 11 November 2013 - 04:34 AM

i get this error

ComboFix is not meant to run in 'Compability Mode'.
The program shall now exit.

deactivated AV and such , tried different compability modes problem persists i believe it is because of Windows 8.1 software support?

attached a screenie for details

Attached Files

  • Attached File  ew.jpg   78.71KB   0 downloads


#6 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:29 AM

Posted 11 November 2013 - 04:47 AM

Rats, I did not see the version.

 

 

Full System Scan with Malwarebytes Antimalware

  • If not existing, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.


If the program is already installed:
  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform fullscan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#7 feithful

feithful
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:12:29 AM

Posted 11 November 2013 - 05:08 AM

Heres the log, Malware bytes Anti-Malware is asking me to restart shall i do so?

Attached Files



#8 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:29 AM

Posted 11 November 2013 - 05:21 AM

Yes, please restart and post up a new FRST log


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#9 feithful

feithful
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:12:29 AM

Posted 11 November 2013 - 05:36 AM

restarted and heres the new FRST.txt

on a side note - again my ESET Nod32 7 AV Detected the infected files after restart...:(

Attached Files

  • Attached File  FRST.txt   130.45KB   6 downloads


#10 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:29 AM

Posted 11 November 2013 - 05:40 AM

Please show me the log of ESET.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#11 feithful

feithful
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:12:29 AM

Posted 11 November 2013 - 05:51 AM

it's on spanish i will reinstall english versión rescan and send logs again (?)

shall i?

Attached Files


Edited by feithful, 11 November 2013 - 05:52 AM.


#12 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:29 AM

Posted 11 November 2013 - 06:03 AM

Temp File Cleaner

We need to download Temp File Cleaner (TFC) by OldTimer:

  • Please download TFC.exe by Oldtimer at one of the two links: Link 1 Link 2
  • Save and close all running applications
  • Double-click on TFC.exe to run the program
  • Click on Start to begin the cleaning process note: this program may close running applications, make your screen disappear temporarily, or require a reboot of your PC - this is normal and part of the cleanup
  • When the scan is complete, if you were not asked to reboot the computer, please do so now
More Information can be found about the tool here: http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/

 

 

 

Scan with ESET Online Scan

Please go to here to run the online scannner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#13 feithful

feithful
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:12:29 AM

Posted 11 November 2013 - 06:40 AM

TFC.exe cleared up 2 gb of temp files restarted PC and then Malware-Bytes blocked the trojan up this time because i disabled nod32- ran online nod32scan disabled real time protection on malwarebytes esetnod32 and...
nothing found...

restarted pc and again Malware-Bytes blocked the trojan up

on a side note it seems i cant log into forums with my account anymore using IE11 so i had to switch browser to Chrome now..


Edited by feithful, 11 November 2013 - 06:48 AM.


#14 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:29 AM

Posted 11 November 2013 - 06:48 AM

Fix with FRST (normal mode)

  • Open notepad (Start =>All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste).
  • Save it to the same direction as frst.exe (or frst64.exe) as fixlist.txt.

    MountPoints2: {ec051ff7-1ccb-11e3-8259-74d02b7b644a} - "E:\setup.exe"
    AppInit_DLLs:   [2537520 2013-10-22] ()
    StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe http://www.dosearches.com/?utm_source=b&utm_medium=smt&utm_campaign=eXQ&utm_content=sc&from=smt&uid=ADATAXSSDXS510X120GB_03313102500300002059&ts=1382413306
    SearchScopes: HKLM - DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://search.dosearches.com/web/?utm_source=b&utm_medium=smt&utm_campaign=eXQ&utm_content=ds&from=smt&uid=ADATAXSSDXS510X120GB_03313102500300002059&ts=1382413306&type=default&q={searchTerms}
    SearchScopes: HKLM - {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://search.dosearches.com/web/?utm_source=b&utm_medium=smt&utm_campaign=eXQ&utm_content=ds&from=smt&uid=ADATAXSSDXS510X120GB_03313102500300002059&ts=1382413306&type=default&q={searchTerms}
    SearchScopes: HKLM-x32 - {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL = http://feed.snapdo.com/?publisher=Somoto&dpid=Somoto&co=MX&userid=ac796a21-6949-bf0b-0465-45f0b3c383d6&searchtype=ds&q={searchTerms}&installDate=21/10/2013
    BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} -  No File
    FF SearchPlugin: C:\Users\IvanAlejandro\AppData\Roaming\Mozilla\Firefox\Profiles\7nxhelxe.default\searchplugins\iminent.xml
    FF SearchPlugin: C:\Users\IvanAlejandro\AppData\Roaming\Mozilla\Firefox\Profiles\7nxhelxe.default\searchplugins\Web Search.xml
    FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\drae.xml
    
    C:\Users\IvanAlejandro\Downloads\TWDS4EP5.rar
    C:\WINDOWS\system32\Drivers\lvuvc.hs
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  • Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) which you find where you saved FRST. Please post it to your reply.

Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#15 feithful

feithful
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:12:29 AM

Posted 11 November 2013 - 06:55 AM

hello again and thanks for the high quality support.. please make sure u did read my previous reply to topic as i was editing it when u added the new answer so we are in same page , (perhaps u already did) if so heres the fixlog that came up after fixing with your script 

Attached Files






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users