Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with alpha.exe and zed.exe (Bitcoin Miner)


  • This topic is locked This topic is locked
18 replies to this topic

#1 osaka0235

osaka0235

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:29 PM

Posted 22 October 2017 - 11:24 AM

Hello, Bleeping Computer Communities.

 

I recently ran a full computer scan with Kaspersky Free Anti Virus and found out that I do have alpha.exe and zed.exe on my computer.

 

There are both located in AppData\Local\Temp in two separate folders (nvd and ati)

 

For some reason, Kaspersky couldn't fix these problems so I had to manually delete it by myself.

 

However, after few minutes (or hours) alpha.exe and zed.exe were created automatically in my Temp folder again.

 

Without Kaspersky working properly, I am out of ideas. Any kinds of help would be greatly appreciated.

 

 

Similar cases that I found in the forum 

 

-> https://www.bleepingcomputer.com/forums/t/658898/infected-with-bit-coin-miners/


Edited by osaka0235, 22 October 2017 - 11:26 AM.


BC AdBot (Login to Remove)

 


#2 osaka0235

osaka0235
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:29 PM

Posted 22 October 2017 - 11:34 AM

I am currently doing FRST scanning. I will upload it as soon as it is done.



#3 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:29 PM

Posted 22 October 2017 - 01:54 PM

Hi osaka0235 :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broke the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lenghty, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread
This being said, it's time to clean-up some malware, so let's get started, shall we? :)

j1Bynr2.pngMalwarebytes - Clean Mode
  • Download and install the free version of Malwarebytes
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point
  • Once Malwarebytes is installed, launch it and let it update his database. You might have to click on the little arrow by Scan Status in the middle right pane for it to do so
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan
  • Let the scan run, the time required to complete the scan depends of your system and computer specs
  • Once the scan is complete, make sure that the first checkbox at the top is checked (which will automatically check every detected item), then click on the Quarantine Selected button
    • If it asks you to restart your computer to complete the removal, do so
  • Click on Export Summary after the deletion (in the bottom-left corner) and select Copy to Clipboard. Paste the content in your next reply

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#4 osaka0235

osaka0235
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:29 PM

Posted 22 October 2017 - 06:59 PM

Hello, Aura.
 
You can just call me Ryan and it is pleasure to meet you.
 
I am still trying to get the FRST scan log but it is stuck on "Scanning Shortcut" forever.
 
I am not sure if I am doing something wrong.  However, I have waited over at least 5 hours or so and just got the partial log.
 
 
Anyway, I carefully followed your steps and ran the threat scan through the Malwarebytes.
 
So far it removed all the files and folders. However, I will have to see if they pop up again after few hours.
 
This is the summary after I ran the deletion.
 
 
Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 10/22/17
Scan Time: 5:40 PM
Log File: 604a5550-b782-11e7-ade0-6045cb1966db.json
Administrator: Yes
 
-Software Information-
Version: 3.2.2.2029
Components Version: 1.0.212
Update Package Version: 1.0.3071
License: Trial
 
-System Information-
OS: Windows 10 (Build 15063.674)
CPU: x64
File System: NTFS
User: DESKTOP-JIH5TGF\Hyun
 
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 402232
Threats Detected: 7
Threats Quarantined: 7
Time Elapsed: 1 min, 6 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 0
(No malicious items detected)
 
Registry Value: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 0
(No malicious items detected)
 
File: 7
Trojan.BitCoinMiner, C:\USERS\HYUN\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\WINNET.EXE, Quarantined, [78], [440587],1.0.3071
Trojan.BitCoinMiner, C:\USERS\HYUN\APPDATA\LOCAL\TEMP\nvd\zed.exe, Quarantined, [78], [442161],1.0.3071
Trojan.BitCoinMiner, C:\Users\Hyun\AppData\Local\Temp\nvd\cpu_tromp_AVX.dll, Quarantined, [78], [442161],1.0.3071
Trojan.BitCoinMiner, C:\Users\Hyun\AppData\Local\Temp\nvd\cpu_tromp_SSE2.dll, Quarantined, [78], [442161],1.0.3071
Trojan.BitCoinMiner, C:\Users\Hyun\AppData\Local\Temp\nvd\cuda_djezo.dll, Quarantined, [78], [442161],1.0.3071
Trojan.BitCoinMiner, C:\Users\Hyun\AppData\Local\Temp\nvd\cuda_tromp.dll, Quarantined, [78], [442161],1.0.3071
Trojan.BitCoinMiner, C:\Users\Hyun\AppData\Local\Temp\nvd\cuda_tromp_75.dll, Quarantined, [78], [442161],1.0.3071
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)


#5 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:29 PM

Posted 22 October 2017 - 07:34 PM

Did you check the Shortcut.txt checkbox before running the scan with FRST, or not?

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#6 osaka0235

osaka0235
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:29 PM

Posted 22 October 2017 - 07:41 PM

I just noticed the error that you mentioned above. Thank you for pointing me out the simple error like that. I will post FRST log as well when it is finished.



#7 osaka0235

osaka0235
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:29 PM

Posted 22 October 2017 - 08:59 PM

For some reason, FRST log is still stuck at the "Scanning Shortcut" forever.

 

I had to forcefully shut it down. 

 

 

Anway, there are no alpha.exe and zed.exe at my temp folder at the current moment.

 

Which seems like a good news.

Attached Files


Edited by osaka0235, 22 October 2017 - 09:08 PM.


#8 osaka0235

osaka0235
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:29 PM

Posted 22 October 2017 - 09:03 PM

Here are partial result logs from the FRST scan.

Attached Files



#9 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:29 PM

Posted 23 October 2017 - 09:30 AM

I forwarded your issue to FRST's developer so he can investigate.

Are zed.exe and alpha.exe back yet?

Edit: Also, can you download FRST again (updated version), then run a scan? If it gets stuck on "Scanning shortcuts" again, can you note down the number that is shown and tell me what it is?

Edited by Aura, 23 October 2017 - 11:54 AM.

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#10 osaka0235

osaka0235
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:29 PM

Posted 23 October 2017 - 08:44 PM

Thank you very much for your help!

 

Good news is that zed.exe and alpha.exe are not coming back at all.

 

 

As for the FRST scan issue, I will try to re-download and run a scan again.

 

You said you need the numbers when it gets stuck again. What number are you referring to?

 

 

Thanks.



#11 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:29 PM

Posted 24 October 2017 - 07:33 AM

There should be a number in the FRST program window, or on the same line as "Scanning shortcuts".

Good news for zed.exe and alpha.exe indeed :)

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#12 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:29 PM

Posted 28 October 2017 - 09:42 AM

Hi osaka0235,

Are you still with me?

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#13 osaka0235

osaka0235
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:29 PM

Posted 30 October 2017 - 02:51 AM

Hi osaka0235,

Are you still with me?

 

I am terribly sorry for the late reply. I was out of town for few days.

 

After downloading the new version FRST scan was successful.

 

I have attached my files.

 

 

As for the Bitcoin Miners, Malwarebytes detected Bitcoin Miners again. It was disguised as a winnet.exe, if I remember correctly.

 

However, I was able to remove it. I will let you know if it is coming back again.

Attached Files


Edited by osaka0235, 30 October 2017 - 02:51 AM.


#14 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:29 PM

Posted 30 October 2017 - 07:38 AM

Can you provide me the Malwarebytes log showing the detection of the new miner?

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#15 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:29 PM

Posted 02 November 2017 - 07:26 AM

Hi osaka0235,

Are you still with me?

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users