Bitcoin Virus [Solved]
#1
Posted 04 February 2014 - 10:55 PM
#2
Posted 05 February 2014 - 04:49 AM
My name is Valinorum and I will be the acolyte today. Before we proceed, please acknowledge the following:
- Please do not create any new threads on this while we are working on your system as it wastes another volunteer's time. If you are being helped/have solved the issue/no longer wish to continue, notify me in your reply and I will quickly close this thread. Failing to comply will result in denial of future assistance.
- Please do not install any new software while we are working on this system as it may hinder our process.
- Malware removal is a complicated process, so don't stop following the steps even if the symptoms are not found. Keep up with me until I declare you clean.
- Please do not try to fix anything without being asked.
- Please do not attach your logs or put them inside code/quote tags. Do a Copy/Paste of the entire contents of the log file and submit it inside your post unless directed otherwise.
- Please print or save the instructions I give you for quick reference. We may be using Safe mode, which will cut you off from the internet, and you will not always be able to access this thread.
- Back up your data. I will not knowingly suggest any course to you that might damage your system, but sometimes malware infections are so severe that the only option we have is to re-format and re-install the operating system.
- If you are confused about any instruction, stop and ask. Do not keep on going.
- Do not repeat the steps if you face any problems.
- I am not omniscient. There are things even I cannot foresee, but what I know took years to learn and perfect. This site is run by volunteers who help people in need in their own free time. I would ask you to respect their time and be patient, as sometimes real life demands our time and replies to you can be delayed.
- Private Message (PM) me if and only if I have not responded to your thread within three days or your query is off-topic and personal. Do not PM me under any other circumstances. Your thread is the only medium of communication.
- The fixes are for your system only. Please refrain from using these fixes on other systems as it may do serious damage.
Note: Please bear in mind that I am still a trainee and my replies need to be reviewed by my teachers before I post them to you, which takes time as both teachers and helpers are volunteers here. Take it as a good thing because now you have two people examining your problem. I really hope that we will be able to send you home with a smile on your face.
Do not attach the logs unless told otherwise.
- Step #1 Scan with Security Check
- Right click on the program and choose Run as Administrator;
- After the checking a log will appear;
- Copy and Paste the content of the log in your next reply.
- Required Log(s):
- Security Check Log
Regards,
Valinorum
#3
Posted 05 February 2014 - 06:52 PM
#4
Posted 06 February 2014 - 08:22 AM
Do not attach the logs unless told otherwise. Copy and paste them into your reply. How many tools have you run as self-help fixes before coming here? Did you get the name of what your anti-virus blocked?
- Step #2 Uninstall Programs
I want you to uninstall the following program(s) listed below because of the poor reputation they have. To uninstall a program, go to Start > Control Panel > Uninstall a program or Start > Control Panel > Programs and Features. Wait for the list to fill up, double-click on the items I have listed below and follow the on-screen instructions to remove/uninstall them.
- Free Registry Defrag
- AVG PC Tuneup 2011
- Best Buy pc app
- TuneUp Utilities Language Pack (en-GB)
- TuneUp Utilities Language Pack (en-US)
- Step #3 P2P Warning
IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.
- µTorrent
- P2P file sharing: Know the risks
- P2P File-Sharing: Evaluate the Risks
- ITSC: Risks in Peer-to-peer File Sharing
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P file-sharing as a major conduit to spread their wares.
My recommendation is that you uninstall the programs listed above.
If you choose not to remove them, please do not use them until this computer is clean.
- Step #4 Fix with OTL
- Re-run OTL by right clicking and choosing Run as administrator;
- Under the Custom Scans/Fixes Box copy and paste the following contents inside the quote box. (Do not include the word 'quote').
:Commands
[createrestorepoint]
:OTL
IE - HKCU\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found
O3 - HKLM\..\Toolbar: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
[2014-02-03 17:55:52 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Registry Clean Expert
[2014-02-03 17:55:52 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Registry Clean Expert
[2012-04-07 16:41:54 | 000,066,872 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrA.exe
[2012-04-07 16:41:50 | 000,183,112 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.exe
@Alternate Data Stream - 127 bytes -> C:\ProgramData\Temp:430C6D84
@Alternate Data Stream - 124 bytes -> C:\ProgramData\Temp:0B4227B4
@Alternate Data Stream - 110 bytes -> C:\ProgramData\Temp:DFC5A2B2
:Commands
[emptytemp]
- Click on "Run Fix" and let the program run unhindered;
- Your PC will reboot automatically and a log will be opened;
- Please post it in your next reply.
- Step #5 Scan with Malwarebytes' Anti-Malware
- Double-click to run the application.
- Update it from the update tab;
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select Perform Quick Scan, then click Scan. The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to restart. Restart if it tells you to.
- The log is automatically saved by Malwarebytes' Anti-Malware and can be viewed by clicking the Logs tab in the interface.
- Copy and paste the entire report in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
- Required Log(s):
- OTL Fix Log;
- MBAM Log
Regards,
Valinorum
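The OTL script in Step #4 names three kinds of item: two Internet Explorer registry values whose CLSID resolves to nothing ("No CLSID value found"), three alternate data streams attached to C:\ProgramData\Temp, and two PnkBstr executables. The following PowerShell is an added, read-only check (it is not part of this thread and not OTL's own code) that a helper can run before and after a fix to confirm each of those items is present or gone. It assumes an elevated prompt and the paths and CLSID exactly as they appear in the script above; it changes nothing.

```powershell
# Added example, not from the thread or from OTL: read-only inventory of the
# items the Step #4 fix targets. Run from an elevated PowerShell prompt.

# CLSID from the OTL script. Registry names are case-insensitive, so the
# 422b / 422B spellings in the log refer to the same value.
$clsid = '{472734EA-242A-422B-ADF8-83D1E48CC825}'

$registryChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'; Name = $clsid },
    @{ Path = 'HKLM:\Software\Microsoft\Internet Explorer\Toolbar';        Name = $clsid },
    @{ Path = 'HKLM:\Software\Microsoft\Internet Explorer\Toolbar';        Name = 'Locked' }
)

foreach ($check in $registryChecks) {
    $value = Get-ItemProperty -Path $check.Path -Name $check.Name -ErrorAction SilentlyContinue
    if ($null -ne $value) { "[present] $($check.Path)\$($check.Name)" }
    else                  { "[absent ] $($check.Path)\$($check.Name)" }

    # A URLSearchHook or Toolbar entry whose CLSID has no HKCR\CLSID key is an
    # orphan: no component can be loaded from it, which is what OTL flags as
    # "No CLSID value found" and why it was listed for removal.
    if ($check.Name -eq $clsid) {
        $resolves = Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        "          CLSID resolves under HKCR\CLSID: $resolves"
    }
}

# Alternate data streams on the folder OTL cleaned. Newer PowerShell lists
# streams on directories with -Stream *; Windows PowerShell 5.1 may not, so
# fall back to cmd's dir /R, which prints them as "Temp:<name>:$DATA".
$adsDir  = 'C:\ProgramData\Temp'
$streams = Get-Item -Path $adsDir -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' }
if ($streams) {
    $streams | ForEach-Object { "[ads    ] ${adsDir}:$($_.Stream) ($($_.Length) bytes)" }
} else {
    $parent = Split-Path $adsDir
    $leaf   = Split-Path $adsDir -Leaf
    cmd /c "dir /R /A:D `"$parent`"" |
        Select-String -Pattern ('\s' + [regex]::Escape($leaf) + ':') |
        ForEach-Object { "[ads    ] $($_.Line.Trim())" }
}

# The two executables the fix moved; report whatever is still on disk.
foreach ($exe in 'C:\Windows\SysWOW64\PnkBstrA.exe', 'C:\Windows\SysWOW64\PnkBstrB.exe') {
    if (Test-Path $exe) {
        $item = Get-Item $exe
        "[present] $exe ($($item.Length) bytes, created $($item.CreationTime))"
    } else {
        "[absent ] $exe"
    }
}
```

Running this once before the fix gives a baseline to compare against the OTL log in the next post; running it again afterwards is the quick way to confirm that "deleted successfully" and "moved successfully" actually took effect, which matters most for the registry values because IE re-creates a Toolbar key on its own if a still-installed add-on asks for one.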
#5
Posted 06 February 2014 - 05:26 PM
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== OTL ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{472734EA-242A-422b-ADF8-83D1E48CC825} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472734EA-242A-422b-ADF8-83D1E48CC825}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{472734EA-242A-422B-ADF8-83D1E48CC825} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472734EA-242A-422B-ADF8-83D1E48CC825}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Registry Clean Expert\ not found.
Folder C:\Program Files (x86)\Registry Clean Expert\ not found.
C:\Windows\SysWOW64\PnkBstrA.exe moved successfully.
C:\Windows\SysWOW64\PnkBstrB.exe moved successfully.
ADS C:\ProgramData\Temp:430C6D84 deleted successfully.
ADS C:\ProgramData\Temp:0B4227B4 deleted successfully.
ADS C:\ProgramData\Temp:DFC5A2B2 deleted successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56468 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 128120 bytes
->Flash cache emptied: 41620 bytes
User: mark
->Temp folder emptied: 2177392 bytes
->Temporary Internet Files folder emptied: 19000 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 3208451 bytes
->Google Chrome cache emptied: 134806478 bytes
->Flash cache emptied: 492 bytes
User: Public
->Temp folder emptied: 0 bytes
User: TEMP
->Temp folder emptied: 0 bytes
->Flash cache emptied: 41620 bytes
User: TEMP.mark-PC
->Temp folder emptied: 0 bytes
User: TEMP.mark-PC.000
->Temp folder emptied: 0 bytes
->Flash cache emptied: 56468 bytes
User: UpdatusUser
->Temp folder emptied: 0 bytes
User: UpdatusUser.mark-PC
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 41620 bytes
User: UpdatusUser.mark-PC.000
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 41620 bytes
User: UpdatusUser.mark-PC.001
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 2836 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 107552 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 160 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33164 bytes
RecycleBin emptied: 2177530 bytes
Total Files Cleaned = 136.00 mb
OTL by OldTimer - Version 3.2.69.0 log created on 02072014_113740
Files\Folders moved on Reboot...
C:\Users\mark\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.
File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat scheduled to be moved on reboot.
PendingFileRenameOperations files...
Registry entries deleted on Reboot...
Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org
Database version: v2014.02.06.09
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16476
mark :: MARK-PC [administrator]
Protection: Disabled
07-Feb-14 12:08:49 PM
mbam-log-2014-02-07 (12-08-49).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 414559
Time elapsed: 4 minute(s), 12 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
#6
Posted 09 February 2014 - 06:41 AM
#7
Posted 09 February 2014 - 04:17 PM
#8
Posted 10 February 2014 - 04:04 AM
- Step #6 SystemLook Search
- Please download SystemLook by jpshortstuff to your Desktop from the suitable link below.
- Download Link for 64-bit System
- Right-click and choose Run as administrator;
- In the search box, copy and paste the following code into the code-box.
:filefind sbapifs.sys libcurl.dll
- Click on Look;
- After the scan a log will be opened;
- Post the log in your next reply.
- Required Log(s):
- SystemLook Log
Regards,
Valinorum
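SystemLook's `:filefind` directive walks the fixed drives for files with the given names and, for each hit, reports the path, attributes, size, two timestamps and an MD5, which is what lets a helper compare a found copy against a known-good one. The PowerShell below is an added equivalent of the Step #6 search (not the thread's own content and not SystemLook's code); it assumes PowerShell 4 or later for Get-FileHash, searches the same two names, and adds one field SystemLook does not show, the Authenticode signature status.

```powershell
# Added example, not from the thread or from SystemLook: a PowerShell
# equivalent of ":filefind sbapifs.sys libcurl.dll". Assumes PowerShell 4+.

function Find-FileByName {
    param(
        [Parameter(Mandatory)] [string[]] $Name,
        # Default: every file-system drive that actually has data on it.
        [string[]] $Root = (Get-PSDrive -PSProvider FileSystem |
                            Where-Object { $_.Used -gt 0 } |
                            ForEach-Object { $_.Root })
    )
    foreach ($r in $Root) {
        Get-ChildItem -Path $r -Recurse -File -Force -Include $Name -ErrorAction SilentlyContinue |
            ForEach-Object {
                $md5 = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
                # Signature status is not in SystemLook's output; an unsigned
                # copy of a library that is normally signed is the first thing
                # worth a closer look, so it is reported alongside the hash.
                $sig = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                [pscustomobject]@{
                    Path      = $_.FullName
                    Bytes     = $_.Length
                    Modified  = $_.LastWriteTime.ToString('HH:mm dd/MM/yyyy')
                    Created   = $_.CreationTime.ToString('HH:mm dd/MM/yyyy')
                    MD5       = $md5
                    Signature = $sig
                }
            }
    }
}

# The same two names the helper asked for in Step #6.
$names = 'sbapifs.sys', 'libcurl.dll'
$hits  = Find-FileByName -Name $names

foreach ($n in $names) {
    "Searching for `"$n`""
    $found = $hits | Where-Object { $_.Path -like "*\$n" }
    if (-not $found) { "No files found."; continue }
    $found | Format-Table -AutoSize Path, Bytes, Modified, Created, MD5, Signature
}
```

Several copies of the same library under different product folders, as in the log above with one libcurl.dll per Adobe component, are normal: each product ships its own. What deserves attention is a copy in a user-writable or temporary location, a hash that matches nothing the vendor ships, or a driver name like sbapifs.sys that a log referenced but that no longer exists on disk, which is the situation the next post addresses.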
#9
Posted 10 February 2014 - 04:16 AM
Log created at 23:06 on 10/02/2014 by mark
Administrator - Elevation successful
========== filefind ==========
Searching for "sbapifs.sys"
No files found.
Searching for "libcurl.dll"
C:\eSupport\eDriver\Software\Trendmicro\TIS2011\Win7_32_Win7_64_3.0\Setup32\AMSP\update\engine\c2t1073741888l1p1r1o1\1.3.1036\libcurl.dll --a---- 262144 bytes [09:32 23/06/2011] [08:52 17/09/2010] AFB0ED1269688E285C88C37C271A0826
C:\eSupport\eDriver\Software\Trendmicro\TIS2011\Win7_32_Win7_64_3.0\Setup64\AMSP\update\engine\c2t1073742080l1p5889r1o1\1.3.1036\libcurl.dll --a---- 316928 bytes [09:32 23/06/2011] [08:52 17/09/2010] 202D45A3CB04D4FEFF11B911CD4360C1
C:\Program Files\Adobe\Adobe Photoshop CS5 (64 Bit)\libcurl.dll --a---- 217600 bytes [13:29 06/04/2010] [13:29 06/04/2010] 7BAB6876D49CBAE6152D72CFFC09A072
C:\Program Files (x86)\Adobe\Adobe Bridge CS5\libcurl.dll --a---- 317952 bytes [15:28 08/03/2010] [15:28 08/03/2010] C158B562B9BF7457CF194E75B9B4669D
C:\Program Files (x86)\Adobe\Adobe Device Central CS5\libcurl.dll --a---- 198152 bytes [10:09 05/03/2010] [10:09 05/03/2010] BC7356EA14224C2D471F8C47FA6A8EC3
C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\libcurl.dll --a---- 192512 bytes [15:50 21/02/2010] [15:50 21/02/2010] 114E5342884A174F0E261526F07B63A1
C:\Program Files (x86)\Xilisoft\DVD Audio Ripper SE\libcurl.dll --a---- 303104 bytes [02:51 14/10/2013] [02:51 14/10/2013] 8AE2C10EDC796A58926F1A9687C0C51B
-= EOF =-
#10
Posted 10 February 2014 - 08:47 AM
#11
Posted 10 February 2014 - 03:23 PM
#12
Posted 11 February 2014 - 08:54 PM
The files missing should not warrant any issues.
- Step #7 Run ESET Online Scanner
Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.
Vista / 7 users: You will need to right-click on either the Internet Explorer or Firefox icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
- Please go here then click on:
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
- Select the option YES, I accept the Terms of Use then click on:
- When prompted allow the Add-On/Active X to install.
- Uncheck the box beside Remove Found Threats
- Make sure that the option Scan archives is checked.
- Now click on Advanced Settings and select the following:
- Scan for potentially unwanted applications
- Scan for potentially unsafe applications
- Enable Anti-Stealth Technology
- Please go here then click on:
- Now click on:
- The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
- When completed the Online Scan will begin automatically. The scan may take several hours.
- Wait for the scan to finish. Do not touch either the Mouse or keyboard during the scan. Otherwise it may stall.
When The Scan is Complete:
- If No Threats Were Found:
- Put a checkmark in "Uninstall application on close"
- Close the program
- Report to me that nothing was found
- If Threats Were Found:
- Click on "list of threats found"
- Click on "export to text file" and save it to the desktop as ESET SCAN.txt
- Click on Back
- Put a checkmark in "Uninstall application on close" (Be sure you have saved the file first)
- Click on Finish
- Close the program
- Copy and paste the report here
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!
- Required Log(s):
- ESET Scan Log
Regards,
Valinorum
#13
Posted 12 February 2014 - 05:07 AM
#14
Posted 12 February 2014 - 10:21 PM
#15
Posted 12 February 2014 - 10:35 PM