
Bitcoin Virus [Solved]


This topic is locked.

#1
mark64 (Member, 12 posts)
Hi, I think I have the Bitcoin virus. .exe files turn up in the Windows folder 4 or 5 times a day, which AVG asks if I want to block, which I do. But once, when I didn't, my GPU fan started spinning hard, and when I checked the file that had appeared in Windows it was trying to bind threads to each processor and connect to the internet. I have trawled many forums and tried different suggestions, but still it's there. Any help would be greatly appreciated. Thanks in advance, Mark

Attached Files:

  • OTL.Txt (120.28KB)
  • Extras.Txt (73.11KB)

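An added example for the symptom mark64 describes above (unknown .exe files appearing in the Windows folder and a process that pins every core and reaches out to the network). This is not code from the thread or from the Geeks to Go helpers; it is a PowerShell triage script. It assumes Windows PowerShell 5.1 (available on Windows 7 SP1 via WMF 5.1) and an elevated prompt; the seven-day window and the two folders searched are illustrative assumptions.

```powershell
# Added example (not from the thread): triage executables recently created in the
# Windows folder, then show which processes are burning CPU.
# Assumes Windows PowerShell 5.1 and an elevated prompt.

function Get-RecentExecutable {
    param(
        # Assumed search set: top level of %SystemRoot% and its Temp folder.
        [string[]] $Folder = @($env:SystemRoot, "$env:SystemRoot\Temp"),
        # Assumed lookback window in days.
        [int] $Days = 7
    )
    $cutoff = (Get-Date).AddDays(-$Days)
    $procs  = Get-Process -ErrorAction SilentlyContinue

    Get-ChildItem -Path $Folder -Filter *.exe -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $cutoff } |
        ForEach-Object {
            $file = $_
            # Authenticode check: Valid / NotSigned / HashMismatch / UnknownError.
            $sig = Get-AuthenticodeSignature -FilePath $file.FullName
            [pscustomobject]@{
                Path      = $file.FullName
                Created   = $file.CreationTime
                SizeBytes = $file.Length
                # SHA-256 for lookup against a reputation service or a known-good list.
                SHA256    = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
                Signature = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                # True if a live process was started from this exact image path.
                Running   = [bool] ($procs | Where-Object { $_.Path -eq $file.FullName })
            }
        }
}

function Get-TopCpuProcess {
    param([int] $Count = 5)
    # A miner that binds a thread to every core shows here as sustained high CPU time.
    Get-Process | Sort-Object CPU -Descending |
        Select-Object -First $Count Name, Id, CPU, Path
}

# Usage: recent executables that do not carry a valid signature, then the CPU hogs.
Get-RecentExecutable | Where-Object { $_.Signature -ne 'Valid' } | Format-List
Get-TopCpuProcess | Format-Table -AutoSize
```

Treat the output as a triage list, not a verdict: some Windows binaries are catalog-signed rather than embedded-signed and can report NotSigned on older systems, which is why the creation-time filter matters. A file that was created this week, is unsigned, is running, and sits at the top of the CPU list is the one to look up by hash and submit to the helper.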


#2
Valinorum (GeekU Guardian Bot, GeekU Moderator, 3,330 posts)
Hi mark64, :)

:welcome:

My name is Valinorum and I will be the acolyte today. Before we proceed, please acknowledge the following:

  • Please do not create any new threads on this while we are working on your system as it wastes another volunteer's time. If you are being helped/have solved the issue/no longer wish to continue, notify me in your reply and I will quickly close this thread. Failing to comply will result in denial of future assistance.
  • Please do not install any new software while we are working on this system as it may hinder our process.
  • Malware removal is a complicated process so don't stop following the steps even if the symptoms are not found. Keep up with me until I declare you clean.
  • Please do not try to fix anything without being asked.
  • Please do not attach your logs or put them inside code/quote tags. Do a Copy/Paste of the entire contents of the log file and submit it inside your post unless directed otherwise.
  • Please print or save the instructions I give you for quick reference. We may be using Safe mode which will cut you off from internet and you will not always be able to access this thread.
  • Back up your data. I will not knowingly suggest any course to you that might damage your system, but sometimes malware infections are so severe that the only option we have is to re-format and re-install the operating system.
  • If you are confused about any instruction stop and ask. Do not keep on going.
  • Do not repeat the steps if you face any problems.
  • I am not omniscient. There are things even I cannot foresee. But what I know took years to learn and perfect. This site is run by volunteers who help people in need in their own free time. I would ask you to respect their time and be patient, as sometimes real life demands our time and replies to you can be delayed.
  • Private Message (PM) me if and only if I have not responded to your thread within three days or your query is off-topic and personal. Do not PM me under any other circumstances. Your thread is the only medium of communication.
  • The fixes are for your system only. Please refrain from using these fixes on other systems, as it may do serious damage.

Note: Please bear in mind that I am still a trainee and my replies need to be reviewed by my teachers before I post them to you, which requires time, as both teachers and helpers are volunteers here. Take it as a good thing, because now you have two people examining your problem. I really hope that we will be able to send you home with a smile on your face. :)

 

Do not attach the logs unless told otherwise.

  • Step #1 Scan with Security Check
    • Download Security Check by screen317 to your Desktop from any of the following locations:
    • Link 1
    • Link 2
  • Right click on the program and choose Run as Administrator;
  • After the checking a log will appear;
  • Copy and Paste the content of the log in your next reply.

 

  • Required Log(s):
  • Security Check Log

Regards,
Valinorum

#3
mark64 (Topic Starter, Member, 12 posts)
Hi, as requested.

Attached Files:

  • checkup.txt (1.07KB)

#4
Valinorum (GeekU Guardian Bot, GeekU Moderator, 3,330 posts)
Hi mark64, :)

Do not attach the logs unless told otherwise. Copy and paste them in your reply. How many tools have you run as self-help fixes before coming here? Did you get the name of what your anti-virus blocked?

  • Step #2 Uninstall Programs
    I want you to uninstall the program(s) listed below due to the poor reputation we have received about them. To uninstall a program, go to Start > Control Panel > Uninstall a program or Start > Control Panel > Programs and Features. Wait for the list to fill up, double-click on the items I have listed below, and follow the on-screen instructions to remove/uninstall them.
  • Free Registry Defrag
  • AVG PC Tuneup 2011
  • Best Buy pc app
  • TuneUp Utilities Language Pack (en-GB)
  • TuneUp Utilities Language Pack (en-US)

 

  • Step #3 P2P Warning
    **IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.
  • µTorrent
I shall provide you with a few reference links; please read them to learn the risks of having a P2P program.

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P file-sharing as a major conduit to spread their wares.

My recommendation is that you uninstall the programs listed above.

If you choose not to remove them, please do not use them until this computer is clean.
 

  • Step #4 Fix with OTL
  • Re-run OTL by right-clicking and choosing Run as administrator;
  • Under the Custom Scans/Fixes box, copy and paste the following contents inside the quote box. (Do not include the word 'quote'.)

    :Commands
    [createrestorepoint]

    :OTL
    IE - HKCU\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found
    O3 - HKLM\..\Toolbar: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    [2014-02-03 17:55:52 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Registry Clean Expert
    [2014-02-03 17:55:52 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Registry Clean Expert
    [2012-04-07 16:41:54 | 000,066,872 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrA.exe
    [2012-04-07 16:41:50 | 000,183,112 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.exe
    @Alternate Data Stream - 127 bytes -> C:\ProgramData\Temp:430C6D84
    @Alternate Data Stream - 124 bytes -> C:\ProgramData\Temp:0B4227B4
    @Alternate Data Stream - 110 bytes -> C:\ProgramData\Temp:DFC5A2B2

    :Commands
    [emptytemp]

  • Click on "Run Fix" and let the program run unhindered;
  • Your PC will reboot automatically and a log will be opened;
  • Please post it in your next reply.

 

  • Step #5 Scan with Malwarebytes' Anti-Malware
  • Double-click to run the application.
  • Update it from the update tab;
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan. The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. Restart if it tells you to.
  • The log is automatically saved by Malwarebytes' Anti-Malware and can be viewed by clicking the Logs tab in the interface.
  • Copy and paste the entire report in your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

 

  • Required Log(s):
  • OTL Fix Log;
  • MBAM Log

Regards,
Valinorum
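The OTL fix in Step #4 above deletes three NTFS alternate data streams (ADS) attached to C:\ProgramData\Temp. As an added example, not part of Valinorum's instructions or of OTL, here is how the same inspection and removal is done with built-in PowerShell cmdlets. It assumes Windows PowerShell 3.0 or later on an NTFS volume; the scratch file, stream names and contents in the demonstration are constructed.

```powershell
# Added example (not from the thread): list, preview and remove NTFS alternate
# data streams such as the three OTL removed from C:\ProgramData\Temp.
# Assumes Windows PowerShell 3.0+ on NTFS.

function Get-AlternateDataStream {
    param([Parameter(Mandatory)][string] $Path)
    # ':$DATA' is the object's normal content; every other stream is "alternate".
    Get-Item -Path $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $raw = Get-Content -Path $Path -Stream $_.Stream -Raw -ErrorAction SilentlyContinue
            if ($null -eq $raw) { $raw = '' }
            # Printable preview of the first 60 bytes so the operator sees what was hidden.
            $preview = ($raw.Substring(0, [Math]::Min(60, $raw.Length))) -replace '[^\x20-\x7E]', '.'
            [pscustomobject]@{
                Path    = $Path
                Stream  = $_.Stream
                Length  = $_.Length
                Preview = $preview
            }
        }
}

function Remove-AlternateDataStream {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string] $Path)
    foreach ($ads in Get-AlternateDataStream -Path $Path) {
        # -WhatIf / -Confirm come for free via SupportsShouldProcess.
        if ($PSCmdlet.ShouldProcess("$Path`:$($ads.Stream)", 'Remove alternate data stream')) {
            Remove-Item -Path $Path -Stream $ads.Stream
        }
    }
}

# Constructed demonstration: attach two streams to a scratch file, list them, remove them.
$scratch = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -Path $scratch -Value 'visible content'
Set-Content -Path $scratch -Stream '430C6D84'        -Value 'constructed sample payload'
Set-Content -Path $scratch -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"

Get-AlternateDataStream -Path $scratch | Format-Table -AutoSize
Remove-AlternateDataStream -Path $scratch -WhatIf     # dry run first
Remove-AlternateDataStream -Path $scratch
Get-AlternateDataStream -Path $scratch                # nothing left

# The same calls work on the folder from the OTL log:
#   Get-AlternateDataStream -Path 'C:\ProgramData\Temp'
```

Not every stream is hostile: Zone.Identifier is the normal mark-of-the-web that browsers write on downloads, so preview before you delete. Streams with hexadecimal names on a folder under ProgramData, as in the OTL log, are the kind worth recording (name, length, preview) before removal so the helper can judge them.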

#5
mark64 (Topic Starter, Member, 12 posts)
All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== OTL ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{472734EA-242A-422b-ADF8-83D1E48CC825} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472734EA-242A-422b-ADF8-83D1E48CC825}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{472734EA-242A-422B-ADF8-83D1E48CC825} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472734EA-242A-422B-ADF8-83D1E48CC825}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Registry Clean Expert\ not found.
Folder C:\Program Files (x86)\Registry Clean Expert\ not found.
C:\Windows\SysWOW64\PnkBstrA.exe moved successfully.
C:\Windows\SysWOW64\PnkBstrB.exe moved successfully.
ADS C:\ProgramData\Temp:430C6D84 deleted successfully.
ADS C:\ProgramData\Temp:0B4227B4 deleted successfully.
ADS C:\ProgramData\Temp:DFC5A2B2 deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56468 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 128120 bytes
->Flash cache emptied: 41620 bytes

User: mark
->Temp folder emptied: 2177392 bytes
->Temporary Internet Files folder emptied: 19000 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 3208451 bytes
->Google Chrome cache emptied: 134806478 bytes
->Flash cache emptied: 492 bytes

User: Public
->Temp folder emptied: 0 bytes

User: TEMP
->Temp folder emptied: 0 bytes
->Flash cache emptied: 41620 bytes

User: TEMP.mark-PC
->Temp folder emptied: 0 bytes

User: TEMP.mark-PC.000
->Temp folder emptied: 0 bytes
->Flash cache emptied: 56468 bytes

User: UpdatusUser
->Temp folder emptied: 0 bytes

User: UpdatusUser.mark-PC
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 41620 bytes

User: UpdatusUser.mark-PC.000
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 41620 bytes

User: UpdatusUser.mark-PC.001
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 2836 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 107552 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 160 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33164 bytes
RecycleBin emptied: 2177530 bytes

Total Files Cleaned = 136.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 02072014_113740

Files\Folders moved on Reboot...
C:\Users\mark\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.
File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org

Database version: v2014.02.06.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16476
mark :: MARK-PC [administrator]

Protection: Disabled

07-Feb-14 12:08:49 PM
mbam-log-2014-02-07 (12-08-49).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 414559
Time elapsed: 4 minute(s), 12 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#6
Valinorum (GeekU Guardian Bot, GeekU Moderator, 3,330 posts)
I am sorry for the delay. :unsure: This thread was missed unintentionally. Can you scan with AVG and tell me if you still get the warnings?

#7
mark64 (Topic Starter, Member, 12 posts)
Hi, the scan came up clean, plus it has stopped making random Windows .exe files 5 to 10 times a day, so thank you very much for your help. The only problem left is that one of the malware removal programs I used before trying this site seems to have deleted my sbapifs.sys file and my libcurl.dll from Windows. I was wondering, if you are running a Windows 7 64-bit system, whether you could copy the 2 files and send them to me so I could put them back in Windows and re-register them, as I have tried to get friends to do this but they all seem to be running Windows 8. Thank you very much for your help. Mark

#8
Valinorum (GeekU Guardian Bot, GeekU Moderator, 3,330 posts)
Which malware removal program did you use? Are any warning messages shown, e.g. "file is missing"?

  • Step #6 SystemLook Search
  • Right-click and choose Run as administrator;
  • In the search box, copy and paste the following code from the code box:
    :filefind
    sbapifs.sys
    libcurl.dll
    
  • Click on Look;
  • After the scan a log will be opened;
  • Post the log in your next reply.

 

  • Required Log(s):
  • SystemLook Log

Regards,
Valinorum

#9
mark64 (Topic Starter, Member, 12 posts)
Hi, I used quite a few malware removal programs so I'm not sure which one did the damage, but I'm guessing it was SpyHunter. It seems to have stopped giving me a box saying the libcurl library dll is missing, and I was getting an event ID at every startup that sbapifs.sys could not be found, until I backed the registry up and deleted sbapifs from it.

SystemLook 30.07.11 by jpshortstuff
Log created at 23:06 on 10/02/2014 by mark
Administrator - Elevation successful

========== filefind ==========

Searching for "sbapifs.sys"
No files found.

Searching for "libcurl.dll"
C:\eSupport\eDriver\Software\Trendmicro\TIS2011\Win7_32_Win7_64_3.0\Setup32\AMSP\update\engine\c2t1073741888l1p1r1o1\1.3.1036\libcurl.dll --a---- 262144 bytes [09:32 23/06/2011] [08:52 17/09/2010] AFB0ED1269688E285C88C37C271A0826
C:\eSupport\eDriver\Software\Trendmicro\TIS2011\Win7_32_Win7_64_3.0\Setup64\AMSP\update\engine\c2t1073742080l1p5889r1o1\1.3.1036\libcurl.dll --a---- 316928 bytes [09:32 23/06/2011] [08:52 17/09/2010] 202D45A3CB04D4FEFF11B911CD4360C1
C:\Program Files\Adobe\Adobe Photoshop CS5 (64 Bit)\libcurl.dll --a---- 217600 bytes [13:29 06/04/2010] [13:29 06/04/2010] 7BAB6876D49CBAE6152D72CFFC09A072
C:\Program Files (x86)\Adobe\Adobe Bridge CS5\libcurl.dll --a---- 317952 bytes [15:28 08/03/2010] [15:28 08/03/2010] C158B562B9BF7457CF194E75B9B4669D
C:\Program Files (x86)\Adobe\Adobe Device Central CS5\libcurl.dll --a---- 198152 bytes [10:09 05/03/2010] [10:09 05/03/2010] BC7356EA14224C2D471F8C47FA6A8EC3
C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\libcurl.dll --a---- 192512 bytes [15:50 21/02/2010] [15:50 21/02/2010] 114E5342884A174F0E261526F07B63A1
C:\Program Files (x86)\Xilisoft\DVD Audio Ripper SE\libcurl.dll --a---- 303104 bytes [02:51 14/10/2013] [02:51 14/10/2013] 8AE2C10EDC796A58926F1A9687C0C51B

-= EOF =-
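The SystemLook :filefind step in #8 and its log in #9 locate every copy of a file by name and report size, timestamps and MD5. As an added example, not from the thread or from SystemLook, the following PowerShell reproduces that search and adds the check a practitioner would want next: which service or driver entries under HKLM\SYSTEM\CurrentControlSet\Services still point at an image file that no longer exists, which is the situation that produces a "could not be found" event at every boot after a driver is deleted but its registration is left behind. It assumes Windows PowerShell 4.0 or later (for Get-FileHash) and an elevated prompt; the file names passed in the usage lines are the two from the thread.

```powershell
# Added example (not from the thread): PowerShell equivalent of SystemLook's
# :filefind, plus a scan for service/driver entries whose image file is missing.
# Assumes Windows PowerShell 4.0+ and an elevated prompt.

function Find-FileByName {
    param([Parameter(Mandatory)][string[]] $Name)
    # Fixed drives only (C:\, D:\ ...), skipping mapped/network PSDrives.
    $drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' }
    foreach ($d in $drives) {
        Get-ChildItem -Path $d.Root -Recurse -Force -Include $Name -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Path     = $_.FullName
                    Size     = $_.Length
                    Modified = $_.LastWriteTime
                    Created  = $_.CreationTime
                    # MD5 matches the hash column SystemLook prints, so copies can be compared.
                    MD5      = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash
                }
            }
    }
}

function Get-OrphanedServiceImage {
    # Every Win32 service and kernel driver has a key here; ImagePath names its binary.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            if (-not $p.ImagePath) { return }
            $img = [string] $p.ImagePath
            # Normalise the forms found in the registry:
            #   "C:\path with spaces\x.exe" args   -> keep the quoted path
            #   \??\C:\...  or  \SystemRoot\...    -> Win32 paths
            #   system32\DRIVERS\x.sys              -> relative to %SystemRoot%
            $img = $img -replace '^"([^"]+)".*$', '$1'
            $img = $img -replace '^\\\?\?\\', ''
            $img = $img -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            $img = $img -replace '^system32\\', "$env:SystemRoot\system32\"
            $img = [Environment]::ExpandEnvironmentVariables($img)
            # Drop trailing arguments (e.g. svchost.exe -k netsvcs).
            if ($img -match '^(.+?\.(?:exe|sys|dll))\b') { $img = $Matches[1] }
            if (-not (Test-Path -LiteralPath $img)) {
                [pscustomobject]@{
                    Service   = $_.PSChildName
                    Start     = $p.Start        # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
                    ImagePath = $p.ImagePath
                    Resolved  = $img
                }
            }
        }
}

# Usage with the two names from the thread, then the orphan scan.
Find-FileByName -Name 'sbapifs.sys', 'libcurl.dll' | Format-Table -AutoSize
Get-OrphanedServiceImage | Format-Table -AutoSize
```

Two points follow from the SystemLook output above. Every libcurl.dll found lives inside a third-party product folder (Adobe, Trend Micro installer cache, Xilisoft) with a different hash, so a "libcurl.dll is missing" dialog points at one of those products, not at Windows, and the fix is to reinstall that product rather than copy a stranger's DLL into the system folder. Second, an orphaned service entry is what the scan above surfaces; the remedy mark64 applied (back up the registry, delete the stale service key) is what removes the startup event, and the scan confirms nothing else is still registered against a missing file.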

#10
Valinorum (GeekU Guardian Bot, GeekU Moderator, 3,330 posts)
Do you still get those messages? Are you facing any issues presently?

#11
mark64 (Topic Starter, Member, 12 posts)
No messages at present and no issues. I have read on the internet that sbapifs.sys is a Windows file and was trying to prevent future issues. Thanks

#12
Valinorum (GeekU Guardian Bot, GeekU Moderator, 3,330 posts)
Hi mark64, :)

The missing files should not cause any issues.
  • Step #7 Run ESET Online Scanner

    Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

    Vista / 7 users: You will need to right-click on either the Internet Explorer or Firefox icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
    • Please go here then click on: [image]

      Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
      All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

    • Select the option YES, I accept the Terms of Use, then click on: [image]
    • When prompted allow the Add-On/Active X to install.
    • Uncheck the box beside Remove Found Threats
    • Make sure that the option Scan archives is checked.
    • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: [image]
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically. The scan may take several hours.
  • Wait for the scan to finish. Do not touch either the Mouse or keyboard during the scan. Otherwise it may stall.


When The Scan is Complete:

  • If No Threats Were Found:

    • Put a checkmark in "Uninstall application on close"
    • Close the program
    • Report to me that nothing was found
  • If Threats Were Found:
    • Click on "list of threats found"
    • Click on "export to text file" and save it to the desktop as ESET SCAN.txt
    • Click on Back
    • Put a checkmark in "Uninstall application on close" (Be sure you have saved the file first)
    • Click on Finish
    • Close the program
    • Copy and paste the report here


Note: Do not forget to re-enable your Anti-Virus application after running the above scan!
 

  • Required Log(s):
  • ESET Scan Log

Regards,
Valinorum

#13
mark64 (Topic Starter, Member, 12 posts)
Hi, the scan came back clean, but I stupidly didn't save the log before deleting the program, sorry. So I will stop annoying you, and thank you very much for your help. Regards, Mark

#14
Valinorum (GeekU Guardian Bot, GeekU Moderator, 3,330 posts)
How is your system running?

#15
mark64 (Topic Starter, Member, 12 posts)
Hi, the system is running well, besides my LAN connection keeps showing "unidentified network" and I can't get gigabit speed from my router, which I could a couple of days ago. I don't know if this is to do with the virus it had or a new fault. When I do get it working using the Microsoft Fix It, the network map shows my router where the modem should be and a blue question mark where the router is, as if my Local Area Connection 2 is corrupted.