Recurring Virus (Bit Miner + Redirection)

June 1, 2012 at 15:24:21
Specs: Windows 7 64-bit, i7 2600k 3.3GHz / 8GB 1600MHz
Hello,
Today I stupidly clicked ‘run’ on a Java applet when I was waking up because I thought it was an update, and a scan has revealed that I indeed do have a virus. I am not sure if it is the same one, but it is the only one which appeared.

The virus is in the ‘Installer’ folder in ‘Windows’ (which I can’t access because I have no idea how to show hidden folders; I made a shortcut to it). The virus is called ‘00000008.@’. I believe it is a legitimate file, just modified, as every time I delete it, it will reappear after a few minutes. There are also similar files in the folder which are not viruses.

I have tried restoring it to a previous version, which does not work; when I scan the old file in the previous-version window, it comes back as no viruses. When I try to drag that into the original folder and scan it again, it has a virus in it. The same thing happens when I try to copy it onto a memory stick.

My anti-virus states that it is a BCMiner, which I can only assume means a bitcoin miner. I also get redirected to webpages once every 10 or so. My Internet Explorer is also very sluggish.

I was wondering if anyone could suggest a fix.
Thank you.

(The file is located in – C:\Windows\Installer\{1a9efb69-0f25-fd54-88f8-6c5738e3f328}\U\00000008.@)




#1
June 2, 2012 at 00:53:06
Hi Exeggcute,
Could you tell me which antivirus software you have running please?

This is a hard-to-remove trojan. You may want to do a fresh install of Windows.
I want you to download the following two programs, Rkill and RogueKiller.
Rkill:
http://www.bleepingcomputer.com/dow...

RogueKiller:
http://majorgeeks.com/RogueKiller_d...

1: Download the desktop RogueKiller (link above)
2: Quit all running programs
3: On Seven, right click -> run as administrator
4: Otherwise just throw RogueKiller.exe
5: When prompted, type 1 and validate
6: When the report opens (RKreport.txt is also located next to the executable), save log.
7: If the program has been blocked, do not hesitate to try several times. If it really does not (it could happen), rename it to winlogon.exe

Now download, update and run a full scan of Malwarebytes from this link:
http://www.malwarebytes.org/product...

Once you have finished all three programs, include the logs in your next reply. And do not restart your PC.

Please reply and let us know if our help worked.



#2
June 2, 2012 at 03:34:02
Hello,

Thanks for helping.
I am not sure what you meant by steps 3, 4 and 5, but I downloaded RogueKiller and scanned. I have two logs from it; one was produced before I pressed the delete button and one after.
Here they are;


RogueKiller V7.5.2 [05/30/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/file...
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Miles Hardman [Admin rights]
Mode: Scan -- Date: 06/02/2012 10:47:48

¤¤¤ Bad processes: 4 ¤¤¤
[SUSP PATH] iexplore.exe -- C:\Users\Miles Hardman\Desktop\iexplore.exe -> KILLED [TermProc]
[SUSP PATH] iexplore.exe -- C:\Users\Miles Hardman\Desktop\iexplore.exe -> KILLED [TermThr]
[RESIDUE] iexplore.exe -- C:\Users\Miles Hardman\Desktop\iexplore.exe -> KILLED [TermProc]
[RESIDUE] iexplore.exe -- C:\Users\Miles Hardman\Desktop\iexplore.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 6 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : Windows (C:\Users\Miles Hardman\AppData\Roaming\bot.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-3390989300-3506184549-595421747-1000[...]\Run : Windows (C:\Users\Miles Hardman\AppData\Roaming\bot.exe) -> FOUND
[SUSP PATH] HKLM\[...]\Policies\Explorer\Run : Video (C:\Users\Miles Hardman\AppData\Roaming\JavaTXT.exe) -> FOUND
[SUSP PATH] HKLM\[...]\Wow6432Node\Policies\Explorer\Run : Video (C:\Users\Miles Hardman\AppData\Roaming\JavaTXT.exe) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
127.0.0.1 activate.adobe.com
127.0.0.1 3dns-3.adobe.com
127.0.0.1 adobe-dns-2.adobe.com
127.0.0.1 adobe-dns-3.adobe.com
127.0.0.1 ereg.wip3.adobe.com
127.0.0.1 activate-sea.adobe.com
127.0.0.1 wip3.adobe.com
127.0.0.1 wwis-dubc1-vip60.adobe.com
127.0.0.1 activate-sjc0.adobe.com
127.0.0.1 practivate.adobe.com
127.0.0.1 ereg.adobe.com
127.0.0.1 activate.wip3.adobe.com
127.0.0.1 3dns-2.adobe.com
127.0.0.1 adobe-dns.adobe.com
::1 localhost127.0.0.1 practivate.adobe.com
127.0.0.1 ereg.adobe.com
127.0.0.1 activate.wip3.adobe.com
127.0.0.1 wip3.adobe.com
127.0.0.1 3dns-3.adobe.com
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: SAMSUNG HD103SJ ATA Device +++++
--- User ---
[MBR] bceecaa2a17ad6742f3b9cd2616c8a3d
[BSP] 839702fb83b5cfeda37ef99e3c7f2cc6 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 12000 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 24578048 | Size: 941866 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt

_____________________________________________________________________

RogueKiller V7.5.2 [05/30/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/file...
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Miles Hardman [Admin rights]
Mode: Remove -- Date: 06/02/2012 10:50:13

¤¤¤ Bad processes: 4 ¤¤¤
[SUSP PATH] iexplore.exe -- C:\Users\Miles Hardman\Desktop\iexplore.exe -> KILLED [TermProc]
[SUSP PATH] iexplore.exe -- C:\Users\Miles Hardman\Desktop\iexplore.exe -> KILLED [TermThr]
[RESIDUE] iexplore.exe -- C:\Users\Miles Hardman\Desktop\iexplore.exe -> KILLED [TermProc]
[RESIDUE] iexplore.exe -- C:\Users\Miles Hardman\Desktop\iexplore.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 4 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : Windows (C:\Users\Miles Hardman\AppData\Roaming\bot.exe) -> DELETED
[SUSP PATH] HKLM\[...]\Policies\Explorer\Run : Video (C:\Users\Miles Hardman\AppData\Roaming\JavaTXT.exe) -> DELETED
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
127.0.0.1 activate.adobe.com
127.0.0.1 3dns-3.adobe.com
127.0.0.1 adobe-dns-2.adobe.com
127.0.0.1 adobe-dns-3.adobe.com
127.0.0.1 ereg.wip3.adobe.com
127.0.0.1 activate-sea.adobe.com
127.0.0.1 wip3.adobe.com
127.0.0.1 wwis-dubc1-vip60.adobe.com
127.0.0.1 activate-sjc0.adobe.com
127.0.0.1 practivate.adobe.com
127.0.0.1 ereg.adobe.com
127.0.0.1 activate.wip3.adobe.com
127.0.0.1 3dns-2.adobe.com
127.0.0.1 adobe-dns.adobe.com
::1 localhost127.0.0.1 practivate.adobe.com
127.0.0.1 ereg.adobe.com
127.0.0.1 activate.wip3.adobe.com
127.0.0.1 wip3.adobe.com
127.0.0.1 3dns-3.adobe.com
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: SAMSUNG HD103SJ ATA Device +++++
--- User ---
[MBR] bceecaa2a17ad6742f3b9cd2616c8a3d
[BSP] 839702fb83b5cfeda37ef99e3c7f2cc6 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 12000 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 24578048 | Size: 941866 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

_____________________________________________________________________

I then tried Rkill, but all it did was open a few batch windows and close all my open programs. There does not appear to be a log saved anywhere.
FYI, I used Malwarebytes to begin with, but I am going to get another log due to me doing the scan.
Here it is;

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.01.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Miles Hardman :: MILESHARDMAN-PC [administrator]

02/06/2012 10:53:49
mbam-log-2012-06-02 (11-32-08).txt

Scan type: Custom scan
Scan options enabled: File System | Heuristics/Shuriken | PUP | PUM
Scan options disabled: Memory | Startup | Registry | Heuristics/Extra | P2P
Objects scanned: 118108
Time elapsed: 33 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\Installer\{1a9efb69-0f25-fd54-88f8-6c5738e3f328}\U\00000008.@ (Trojan.Dropper.BCMiner) -> No action taken.

(end)



#3
June 2, 2012 at 04:14:48
You have done just fine, thanks for sending in the logs.
Can you redo the Malwarebytes scan in quick scan mode, and this time make sure that this entry is selected, then click Remove Selected.

Files Detected: 1
C:\Windows\Installer\{1a9efb69-0f25-fd54-88f8-6c5738e3f328}\U\00000008.@ (Trojan.Dropper.BCMiner) -> No action taken.

Then go to the Hitman Pro 64-bit version at this link and start the 30-day trial; do a full scan and remove all it finds.
http://www.surfright.nl/en/hitmanpro

Please reply and let us know if our help worked.



#4
June 2, 2012 at 04:39:31
Thank you for the help.

Unfortunately I have to go for a few days; I will be back soon to do the scanning. I thought there might be a quick fix, which is why I posted. I have tried pressing remove on Malwarebytes, which also did not work as it just came back after a few minutes. I will try the other fix when I get home.

Thank you anyway!



#5
June 2, 2012 at 04:53:39
OK, I will keep an eye out.

Please reply and let us know if our help worked.



#6
June 2, 2012 at 13:34:45
These 3 steps should cure your problem. Run them in the EXACT order listed:
1- Rkill.exe
2- TDSSKiller
3- Malwarebytes
DO NOT reboot until after the Malwarebytes scan.

If that doesn't fix the problem, try the same again, only this time use safe mode by tapping F8 on bootup.

If the above still doesn't work, try these 2 fully working trials:
1- Hitman Pro
http://www.surfright.nl/en/downloads
2- Trojan Remover
http://www.simplysup.com/tremover/d...
Run them both until they run clean.
