
Help removing BitCoinMiner.sx


18 replies to this topic

#1 phonomenal

  • Members
  • 11 posts

Posted 01 October 2017 - 10:06 PM

Hello,

I am hoping that someone can help me remove this program from my computer. I keep receiving notifications from bitdefender that it has blocked the program in an on-access scan. I have no idea where it came from but it is slowing my computer down unbelievably. 

I've done everything in the new post preparation guide except for turn on my firewall, which I was unable to do (experienced the same problem as here). 

I have tried running scans with malwarebytes, bitdefender, roguekiller and vipre with no success, so hopefully someone here can help!

I've attached my log files as attachments to this post because I was having trouble pasting them, but I can post them as a reply if needed.

Thanks in advance for your help!

Attached Files




#2 nasdaq

  • Malware Response Team
  • 39,569 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 05 October 2017 - 08:22 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
SearchScopes: HKLM-x32 -> DefaultScope value is missing
Toolbar: HKU\S-1-5-21-3787051588-4275036246-233111974-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CustomCLSID: HKU\S-1-5-21-3787051588-4275036246-233111974-1000_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Users\GGC1\AppData\Local\Citrix\GoToMeeting\4911\G2MOutlookAddin64.dll => No File


End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended. (You need to check with Internet Explorer) <- Important.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old versions of Java via the Control Panel > Programs > Programs and Features.
Java 7 Update 80 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F03217080FF}) (Version: 7.0.800 - Oracle)

Please let me know what problem persists with this computer.
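The fixlist above tells FRST what to remove, and Fixlog.txt reports what it did. Two of the entries can also be verified directly in the registry afterwards: the Chrome policy key FRST flagged as "Restriction", and the per-user COM registration (CustomCLSID) whose InprocServer32 DLL no longer exists. The PowerShell below is an added example for this thread, not part of nasdaq's instructions and not FRST code. It assumes an elevated PowerShell 5.1 prompt, that the affected user is logged in (the <SID>_Classes hive is only loaded then), and that $Sid is the SID printed in the fixlist; on another machine substitute that account's SID.

```powershell
# Added example: not from this thread and not part of FRST. After the Fix above
# has run, re-check the two fixlist items that can be read straight from the
# registry: the Chrome policy key FRST flagged as "Restriction", and per-user
# COM registrations whose InprocServer32 DLL is missing from disk. An orphaned
# InprocServer32 is usually uninstall leftover, as with the GoToMeeting add-in
# here, but a CLSID in the user hive pointing at a DLL that is not there yet is
# also what a user-hive COM hijack looks like, so every hit is worth reading.
# Assumptions: elevated PowerShell 5.1; the affected user is logged in (the
# <SID>_Classes hive is only loaded then); $Sid is the SID from the fixlist and
# must be replaced with the affected account's SID on another machine.

$Sid = 'S-1-5-21-3787051588-4275036246-233111974-1000'
$ClsidRoot = "Registry::HKEY_USERS\${Sid}_Classes\CLSID"
$ChromePolicyKey = 'HKLM:\SOFTWARE\Policies\Google'

function Get-OrphanedInprocServer {
    param([Parameter(Mandatory)][string]$ClsidRoot)

    if (-not (Test-Path -LiteralPath $ClsidRoot)) {
        Write-Warning "$ClsidRoot not found; is that user logged in?"
        return
    }

    foreach ($clsid in Get-ChildItem -LiteralPath $ClsidRoot -ErrorAction SilentlyContinue) {
        $inproc = $clsid.OpenSubKey('InprocServer32')
        if (-not $inproc) { continue }

        # The DLL path is the key's default (unnamed) value; it may be quoted
        # or contain %ENVIRONMENT% variables, so normalise before testing.
        $raw = [string]$inproc.GetValue('')
        $inproc.Close()
        if ([string]::IsNullOrWhiteSpace($raw)) { continue }
        $dll = [Environment]::ExpandEnvironmentVariables($raw.Trim().Trim('"'))

        if (-not (Test-Path -LiteralPath $dll -PathType Leaf)) {
            [pscustomobject]@{
                Clsid = $clsid.PSChildName
                Dll   = $dll
                State = 'MISSING DLL'
            }
        }
    }
}

# 1. Per-user CLSIDs whose server DLL is gone. After the fix, the fixlist's
#    GoToMeeting entry {84B5A313-CD5D-4904-8BA2-AFDC81C1B309} should not appear.
Get-OrphanedInprocServer -ClsidRoot $ClsidRoot | Format-Table -AutoSize

# 2. The Chrome policy key FRST flagged. If it is still there, print its values
#    (and those of any subkeys) so you can see what is being enforced.
if (Test-Path -LiteralPath $ChromePolicyKey) {
    Write-Warning "$ChromePolicyKey still present:"
    Get-ItemProperty -LiteralPath $ChromePolicyKey
    Get-ChildItem -LiteralPath $ChromePolicyKey -Recurse | ForEach-Object {
        Get-ItemProperty -LiteralPath $_.PSPath
    }
} else {
    "$ChromePolicyKey removed"
}
```

Any CLSID that still shows "MISSING DLL" is not necessarily malicious, but it is a registration something could later satisfy by dropping a DLL at that path, so either remove it or make sure the parent directory is not writable by the user. A Chrome policy key that reappears after removal points at something re-creating it, which is a stronger lead than the key itself.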

#3 phonomenal

  • Topic Starter
  • Members
  • 11 posts

Posted 05 October 2017 - 10:48 AM

Hi nasdaq, thank you so much for your response, I really appreciate your help. I followed your steps above, but when I came to run FRST again I could not find the program. I think when downloading it initially I might have hit 'Run' and not 'Save'. Sorry about that! This virus has me tearing my hair out and I must not have read the instructions properly.

I have re-downloaded the program to my desktop and re-scanned to create new FRST and Addition text files. I saved the fixlist.txt in the folder where the tool is now running from (my desktop) but thought I should check in before running the Fix, just in case there was anything in that script written for the previous location.

Attached the new FRST and Addition files. I have not used my computer since running the original scan, so I assume they should be the same (with a different run location of course) but perhaps you need to take a look.

Thanks again, sorry for the hassle!
 

Attached Files



#4 nasdaq

  • Malware Response Team
  • 39,569 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 05 October 2017 - 01:03 PM

Hi,

Nothing has changed.

Run my suggested fix and post the fixlog.txt for my review.

#5 phonomenal

  • Topic Starter
  • Members
  • 11 posts

Posted 05 October 2017 - 11:53 PM

Great. I went ahead and ran the suggested fix and updated my Java. I have attached the fixlog.txt.

Still getting frequent notifications from Bitdefender that it is blocking Application.BitCoinMiner.SX in on-access scans.

Thanks!

Attached Files



#6 nasdaq

  • Malware Response Team
  • 39,569 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 06 October 2017 - 07:32 AM

Hi,

Looks like Bitdefender is protecting you.
You get a notification each time.

You can stop these notices.

How to:

https://www.howtogeek.com/291574/how-to-get-rid-of-bitdefenders-notifications-and-bundled-software/

Keep me posted.

#7 phonomenal

  • Topic Starter
  • Members
  • 11 posts

Posted 06 October 2017 - 08:20 AM

Thanks nasdaq. Bitdefender does appear to be helping protect me from the virus, but my computer is still running incredibly slowly. Every hour or so it will almost completely freeze and I'll get six or seven notifications in a row from Bitdefender saying that it is blocking the virus. Is there any way to remove the virus entirely? I'd really like to get my laptop back to working speed.

#8 nasdaq

  • Malware Response Team
  • 39,569 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 06 October 2017 - 12:56 PM

Hi,

Navigate to this link.
https://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

Read the section under
Note: Using Multiple Anti-Malware products:

You presently have two products.
AV: ThreatTrack Security VIPRE (Enabled - Up to date) {A328C8F0-22BE-AEDA-2D52-6C8A3089160A}
AV: Bitdefender Antivirus Free Antimalware (Enabled - Up to date) {3FB17364-4FCC-0FA7-6BBF-973897395371}

Disable one of them. Your computer speed should increase.

By trial and usage you should find out if these notifications continue.

#9 phonomenal

  • Topic Starter
  • Members
  • 11 posts

Posted 07 October 2017 - 12:44 PM

Okay thanks. I'll disable Bitdefender and update you to let you know how my computer is running!



#10 nasdaq

  • Malware Response Team
  • 39,569 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 13 October 2017 - 07:05 AM

Are you still with me?

#11 phonomenal

  • Topic Starter
  • Members
  • 11 posts

Posted 14 October 2017 - 01:12 PM

Yes, still around! I took your advice and disabled bitdefender and my computer does seem to be running more quickly although I continue to get notifications from Vipre that it is blocking unwanted applications. Internet explorer also runs very slowly and I occasionally receive notifications that an unknown program is trying to change my internet explorer homepage. 

Please let me know if you have any further advice!



#12 nasdaq

  • Malware Response Team
  • 39,569 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 14 October 2017 - 01:40 PM

Hi,

Run this cleaning tool.

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.

#13 phonomenal

  • Topic Starter
  • Members
  • 11 posts

Posted 14 October 2017 - 06:07 PM

Thanks nasdaq. Results log is attached. I'll update you on how things are going in a little while. 

Attached Files



#14 phonomenal

  • Topic Starter
  • Members
  • 11 posts

Posted 17 October 2017 - 10:16 PM

Still getting notifications from Vipre that it is blocking an unknown application (which I presume is the bitcoinminer).



#15 nasdaq

  • Malware Response Team
  • 39,569 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 October 2017 - 08:33 AM

Hi,

Vipre's settings may be set to inform you of these attacks, and others.

See if you can disable these notifications.

Vipre > Actions > Notification options > disable the alerts that you wish to disable
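The thread ends with the alerts silenced rather than explained. A scanner that blocks the same application every hour is stopping the payload each time, not whatever relaunches it, and the relaunch is what a practitioner would go looking for. The PowerShell below is an added example for this page, not from any poster and not part of Vipre, Bitdefender or FRST: it lists the common Windows relaunch points (Run/RunOnce keys, scheduled tasks, services) and flags commands that execute from user-writable directories. It assumes an elevated PowerShell 5.1 prompt on Windows 8.1 or 10 (Get-ScheduledTask needs the ScheduledTasks module); the $SuspectRoots list is this example's own choice of directories, not something the thread names.

```powershell
# Added example: not from this thread and not part of Vipre or Bitdefender.
# A scanner that blocks the same file every hour is stopping the payload, not
# whatever relaunches it. This lists the common Windows relaunch points (Run and
# RunOnce keys, scheduled tasks, services) and flags any command that executes
# from a user-writable directory, which is where a dropped binary usually sits.
# It reports only; nothing is deleted. Review flagged rows by hand: a binary
# installed under Program Files, or started by a script in a legitimate path,
# will not be flagged, and legitimate per-user installers (Chrome, OneDrive,
# Teams) do run from %LOCALAPPDATA%.
# Assumptions: elevated PowerShell 5.1 on Windows 8.1 or 10 (Get-ScheduledTask
# needs the ScheduledTasks module); the $SuspectRoots list is my own choice.

$SuspectRoots = @(
    $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData,
    $env:PUBLIC, (Join-Path $env:USERPROFILE 'Downloads')
) | Where-Object { $_ }

function Test-UserWritableCommand {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    foreach ($root in $SuspectRoots) {
        if ($expanded.IndexOf($root, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            return $true
        }
    }
    return $false
}

function Get-AutorunEntries {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )

    # 1. Run/RunOnce values: each value name is an entry, its data the command.
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }

    # 2. Scheduled tasks: the usual mechanism behind an "every hour" relaunch.
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }  # COM-handler actions have no Execute
            [pscustomobject]@{
                Source  = 'Task ' + $task.TaskPath + $task.TaskName
                Name    = $task.TaskName
                Command = ($action.Execute + ' ' + $action.Arguments).Trim()
            }
        }
    }

    # 3. Services: the binary path of every registered service.
    foreach ($svc in (Get-CimInstance -ClassName Win32_Service)) {
        [pscustomobject]@{ Source = 'Service'; Name = $svc.Name; Command = [string]$svc.PathName }
    }
}

Get-AutorunEntries |
    Select-Object Source, Name, Command, @{ n = 'Suspect'; e = { Test-UserWritableCommand $_.Command } } |
    Sort-Object Suspect -Descending |
    Format-Table -AutoSize -Wrap
```

Match the rows marked Suspect against the file path the Vipre or Bitdefender alert names; the entry whose command launches that path (or a script that in turn launches it) is the one to remove, and removing it is what stops the alerts recurring rather than silencing them.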



