
Bitcoin miner or trojan infection?


7 replies to this topic

#1 Derpnik

Derpnik

  • Members
  • 18 posts
  • OFFLINE
  • Local time:01:08 AM

Posted 19 January 2018 - 05:18 PM

Hi, I'm on Windows 7, and in an effort to download something, I clicked the wrong link, and downloaded the wrong file.

 

Without thinking, I ran it, and as a result I believe my system is infected.

 

When I ran the file, firefox crashed, and then when I reopened it, address bar searches were directing to "foxsearch.me" before google.

 

I am also getting random popups when clicking, but only on firefox (I also have chrome installed, and I haven't had any random popups using it).

 

After running this program, I updated Malwarebytes to 3.2.2, or whatever the latest version is as of 2 hours ago, and the GUI will not launch. I have mbam.exe, mbamtray.exe, and MBAMservice.exe running in the Processes tab of the Task Manager, but regardless of what I do, the GUI will not pop up, and I suspect this may be due to an infection.

 

In searching for a solution to that, I was directed to a program linked in this post on the malwarebytes forums: https://forums.malwarebytes.com/topic/209359-malwarebytes-3-wont-start/?page=2

 

I am currently running mbar.exe, which has found 4 pieces of malware; one listed as Adware.YoBrowser, one as RiskWare.BitCoinMiner, and two as Trojan.Agent.

 

I just now uploaded the file I downloaded originally (which mbar is identifying as Adware.YoBrowser) to virustotal, and got these results: https://www.virustotal.com/#/file/ed1ea75dd62295487a3d34c75155ddd14a0e577bbb442b6cccc610d60031b409/detection

 

I hope someone can help, I have a lot of faith in you guys, as you've helped me in the past!


Edited by Derpnik, 19 January 2018 - 05:21 PM.



#2 buddy215

buddy215

  • Moderator
  • 13,419 posts
  • OFFLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:12:08 AM

Posted 19 January 2018 - 05:53 PM

Did you allow MBAR to delete/ quarantine what it found? If you did, run a scan using Malwarebytes.

 

Once you have done the above...run the programs below.

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of Google Chrome and Avast.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

Download AdwCleaner by Xplode onto your desktop. (compatible with Windows 7, 8 and 10)

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

 

Download and run the FREE online scanner from Free Virus Scan | Online Virus Scan from ESET | ESET

  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 Derpnik

Derpnik
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:01:08 AM

Posted 21 January 2018 - 10:46 PM

Sorry for the delayed response.

 

I ran Malwarebytes twice more; first it found the same four threats, second it found the RiskWare.BitcoinMiner, and seems to have successfully deleted all of the threats.

 

I ran CCleaner, and found that the random popups in firefox vanished after this.

 

AdwCleaner's log states that it found nothing malicious of any type, so I didn't bother posting it.

 

I ran ESET as requested, and the only malicious file it found was the original setup.exe that I had downloaded (the one I uploaded to virustotal).  It deleted it.  I did, however, forget to export the log, but that was the only malicious file it found.

 

I have yet to restart my computer since running all these scans, but every issue appears to be gone.

 

Aside from running a scan again, is there a way to be sure?

 

Thanks for the help so far.



#4 buddy215

buddy215

  • Moderator
  • 13,419 posts
  • OFFLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:12:08 AM

Posted 22 January 2018 - 07:03 AM

Last scan...after rebooting and you see no problem....popups, etc.

 

  • Please download Security Check by glax24 and save the file to the Desktop
  • Run the tool by accepting all the Security prompts
  • when complete the tool will produce a log file C:\SecurityCheck\SecurityCheck.txt and also copy the contents to the Clipboard
  • Simply Paste the log to your reply


#5 Derpnik

Derpnik
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:01:08 AM

Posted 22 January 2018 - 01:20 PM

Alright, after the reboot, everything looks good so far.

 

Here's the security check log:

 

SecurityCheck by glax24 & Severnyj v.1.4.0.53 [27.10.17]
WebSite: www.safezone.cc
DateLog: 22.01.2018 13:17:02
Path starting: C:\Users\Kevin\AppData\Local\Temp\SecurityCheck\SecurityCheck.exe
Log directory: C:\SecurityCheck\
IsAdmin: True
User: Kevin
VersionXML: 4.83is-17.01.2018
___________________________________________________________________________

Windows 7(6.1.7601) Service Pack 1 (x64) Professional Lang: English(0409)
Installation date OS: 05.07.2013 23:12:55
LicenseStatus: Windows® 7, Professional edition The machine is permanently activated.
Boot Mode: Normal
Default Browser: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
SystemDrive: C: FS: [NTFS] Capacity: [1862.9 Gb] Used: [1656.3 Gb] Free: [206.6 Gb]
------------------------------- [ Windows ] -------------------------------
Internet Explorer 11.0.9600.18314 Warning! Download Update
Online installation. Last version available when Windows update is enabled throught the Internet.
User Account Control disabled (Level 1)
^It is recommended to enable (default): Win+R typing UserAccountControlSettings and Enter^
Notify before download
Windows Update (wuauserv) - The service is running
Security Center (wscsvc) - The service is running
Remote Registry (RemoteRegistry) - The service has stopped
SSDP Discovery (SSDPSRV) - The service is running
Remote Desktop Services (TermService) - The service has stopped
Windows Remote Management (WS-Management) (WinRM) - The service has stopped
Account guest is enabled. Not require a password.
---------------------------- [ Antivirus_WMI ] ----------------------------
Microsoft Security Essentials (enabled and up to date)
--------------------------- [ FirewallWindows ] ---------------------------
Windows Firewall (MpsSvc) - The service is running
Disabled the public profile of Windows Firewall
Disabled the standard profile for Windows Firewall
--------------------------- [ AntiSpyware_WMI ] ---------------------------
Microsoft Security Essentials (enabled and up to date)
Windows Defender (disabled and out of date)
Spybot - Search and Destroy (disabled and out of date)
---------------------- [ AntiVirusFirewallInstall ] -----------------------
Microsoft Security Essentials v.4.9.218.0
ESET Online Scanner v3
-------------------------- [ SecurityUtilities ] --------------------------
Malwarebytes Anti-Malware version 2.2.1.1043 v.2.2.1.1043
Spybot - Search & Destroy v.2.4.40
--------------------------- [ OtherUtilities ] ----------------------------
WinRAR 4.20 (64-bit) v.4.20.0 Warning! Download Update
7-Zip 9.20 (x64 edition) v.9.20.00.0 Warning! Download Update
Uninstall old version and install new one.
Oracle VM VirtualBox 5.1.14 v.5.1.14 Warning! Download Update
Microsoft Silverlight v.5.1.41212.0 Warning! Download Update
Foxit Reader v.7.0.3.916 Warning! Download Update
VLC media player v.2.2.6 Warning! Download Update
OpenOffice 4.1.2 v.4.12.9782 Warning! Download Update
--------------------------------- [ IM ] ----------------------------------
Pidgin v.2.12.0
Skype™ 7.35 v.7.35.103 Warning! Download Update
--------------------------------- [ P2P ] ---------------------------------
qBittorrent 3.3.12 v.3.3.12 Warning! P2P-client.
-------------------------------- [ Java ] ---------------------------------
Java 8 Update 161 (64-bit) v.8.0.1610.12 Warning! Download Update
Uninstall old version and install new one (jre-8u162-windows-x64.exe).
--------------------------- [ AdobeProduction ] ---------------------------
Adobe Flash Player 25 ActiveX v.25.0.0.171 Warning! Download Update
Adobe Flash Player 27 NPAPI v.27.0.0.183 Warning! Download Update
Adobe Reader XI (11.0.18) v.11.0.18 Warning! Download Update
^Please run Adobe Reader XI and go Help - Check for updates...^
------------------------------- [ Browser ] -------------------------------
Mozilla Firefox 57.0.1 (x64 en-US) v.57.0.1 Warning! Download Update
Google Chrome v.63.0.3239.132
Mozilla Firefox 56.0 (x86 en-US) v.56.0 Warning! Download Update
--------------------------- [ RunningProcess ] ----------------------------
C:\Program Files (x86)\Mozilla Firefox\firefox.exe v.56.0.0.6478
------------------ [ AntivirusFirewallProcessServices ] -------------------
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe v.2.3.173.0
Spybot-S&D 2 Scanner Service (SDScannerService) - The service has stopped
Spybot-S&D 2 Security Center Service (SDWSCService) - The service is running
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe v.2.3.39.2
Spybot-S&D 2 Updating Service (SDUpdateService) - The service is running
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe v.2.4.40.77
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe v.2.4.40.129
Microsoft Antimalware Service (MsMpSvc) - The service is running
C:\Program Files\Microsoft Security Client\MsMpEng.exe v.4.9.218.0
C:\Program Files\Microsoft Security Client\msseces.exe v.4.9.218.0
Microsoft Network Inspection (NisSrv) - The service is running
C:\Program Files\Microsoft Security Client\NisSrv.exe v.4.9.218.0
Windows Defender (WinDefend) - The service has stopped
----------------------------- [ End of Log ] ------------------------------
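The log above can be triaged mechanically. As an added example that is not part of this thread or of the SecurityCheck tool, this Python script parses a constructed excerpt in that log format, separates out-of-date software from host hardening findings (UAC, guest account, firewall profiles), and lists the Java and Flash entries first; the section names and `Warning!` markers are taken from the log as posted, everything else is assumed.

```python
import re

# Constructed excerpt in the SecurityCheck log format (not the full log above).
SAMPLE_LOG = """\
------------------------------- [ Windows ] -------------------------------
Internet Explorer 11.0.9600.18314 Warning! Download Update
User Account Control disabled (Level 1)
Remote Registry (RemoteRegistry) - The service has stopped
Account guest is enabled. Not require a password.
--------------------------- [ FirewallWindows ] ---------------------------
Windows Firewall (MpsSvc) - The service is running
Disabled the public profile of Windows Firewall
-------------------------------- [ Java ] ---------------------------------
Java 8 Update 161 (64-bit) v.8.0.1610.12 Warning! Download Update
--------------------------- [ AdobeProduction ] ---------------------------
Adobe Flash Player 25 ActiveX v.25.0.0.171 Warning! Download Update
--------------------------------- [ P2P ] ---------------------------------
qBittorrent 3.3.12 v.3.3.12 Warning! P2P-client.
----------------------------- [ End of Log ] ------------------------------
"""

# Section headers look like "---- [ Name ] ----"; capture the name.
SECTION_RE = re.compile(r"^-+ \[ (?P<name>[^\]]+?) \] -+$")

# Hardening findings worth raising regardless of installed software (assumed labels).
CONFIG_FINDINGS = (
    ("User Account Control disabled", "UAC disabled"),
    ("Account guest is enabled", "Guest account enabled"),
    ("Disabled the public profile", "Firewall public profile disabled"),
    ("Disabled the standard profile", "Firewall standard profile disabled"),
)

# Sections whose outdated entries come first in the triage list (Flash and Java).
URGENT_SECTIONS = {"Java", "AdobeProduction"}

def parse_securitycheck(text):
    """Return {'outdated': [(section, product), ...], 'config': [label, ...]}."""
    findings = {"outdated": [], "config": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if "Warning! Download Update" in line:
            # Everything before the warning marker is the product and version string.
            findings["outdated"].append((section, line.split(" Warning!")[0]))
        for needle, label in CONFIG_FINDINGS:
            if line.startswith(needle):
                findings["config"].append(label)
    return findings

def urgent_outdated(findings):
    """Outdated products from the plugin sections that should be patched first."""
    return [p for s, p in findings["outdated"] if s in URGENT_SECTIONS]
```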
 



#6 buddy215

buddy215

  • Moderator
  • 13,419 posts
  • OFFLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:12:08 AM

Posted 22 January 2018 - 03:03 PM

Suggest uninstalling these programs:

Spybot S&D

qBittorrent 3.3.12 v.3.3.12 (Very risky using to download free stuff....and might be illegal, too)

 

Suggest updating those programs mentioned when you have the time. The most urgent would be Flash and Java.

 

You have an old version of Malwarebytes and I don't think it will accept updates. You should open it and run the updater. Should be version 3 something.

 

Looks like the malware is gone...if you see a reason to suspect it has come back...let me know.


Edited by buddy215, 22 January 2018 - 03:06 PM.


#7 Derpnik

Derpnik
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:01:08 AM

Posted 22 January 2018 - 04:54 PM

So I did try updating malwarebytes to 3.something, but the UI would not come up. mbam.exe, MBAMservice.exe, and mbamtray.exe were all running, but the GUI wouldn't come up regardless of what I did.

 

This older version (it's actually what MBAM chameleon installed) does appear to be accepting database updates, though, so I figured better to use it than just MSE.

 

Thanks again for the help!



#8 buddy215

buddy215

  • Moderator
  • 13,419 posts
  • OFFLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:12:08 AM

Posted 22 January 2018 - 05:10 PM

You should uninstall MBAM and install the latest. How do I uninstall Malwarebytes Anti-Malware? | Official Malwarebytes Support

Read the info in the link before attempting to uninstall.

 

You're welcome...happy surfin'

