Avast WEBforum

Other => Viruses and worms => Topic started by: Jimmyjam85 on October 15, 2012, 09:28:28 PM

Title: Trojan.Dropper.BCMiner & Company
Post by: Jimmyjam85 on October 15, 2012, 09:28:28 PM
I am trying to clean a friend's computer and am repeatedly being redirected to other websites, which from what I've read is due to the BCMiner trojan. I tried running multiple scanners to get rid of it but it just keeps reappearing. The scanner that is actually catching it is MBAM, and it also caught Adware.Agent, PUP.PlayBryte, PUP.MyWebSearc, and Adware.IBryte.

From what I've read here on the forums regarding this trojan I downloaded and ran ComboFix, so here's the log from that scan; if there's anything else you need I will be more than happy to provide any information needed.
Title: Re: Trojan.Dropper.BCMiner & Company
Post by: Pondus on October 15, 2012, 09:48:28 PM
Follow the guide and attach the logs, do not copy and paste: http://forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR


When done, a removal specialist will help you.
Title: Re: Trojan.Dropper.BCMiner & Company
Post by: Jimmyjam85 on October 15, 2012, 10:13:28 PM
Question. My friend purchased their computer with Windows 7 Home edition in Spanish, so will the logs be okay if they are in Spanish? I mean it basically looks the same, just a couple of things here and there are in Spanish. I've tried seeing if there was a way to change the language in the AdwCleaner program but I can't seem to find it.
Title: Re: Trojan.Dropper.BCMiner & Company
Post by: adotd on October 15, 2012, 10:22:49 PM
Hi

Just done a bit of research; this may help you :)

www.froggie.sk/

anthony
Title: Re: Trojan.Dropper.BCMiner & Company
Post by: Pondus on October 15, 2012, 10:34:29 PM
AdwCleaner will clear some browser toolbar crap if you have any; the log is not that important.
Also any file paths and malware names are still in English, I think, and essexboy has seen so many logs that he can read these logs blindfolded.
Title: Re: Trojan.Dropper.BCMiner & Company
Post by: Jimmyjam85 on October 15, 2012, 10:36:22 PM
Haha, sounds good then, but now for some reason Malwarebytes won't update anymore, so now I have to figure this out.
Title: Re: Trojan.Dropper.BCMiner & Company
Post by: essexboy on October 15, 2012, 11:04:07 PM
Hi, it appears to be a Firefox/IE browser hijack and not a bitcoin miner.

To remove this I will need the OTL logs.
Title: Re: Trojan.Dropper.BCMiner & Company
Post by: Jimmyjam85 on October 16, 2012, 12:44:21 AM
Here's the log you requested. :)
Title: Re: Trojan.Dropper.BCMiner & Company
Post by: essexboy on October 16, 2012, 04:08:21 PM
OK, let me know what problems remain after this.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
Code:
:OTL
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://searchfunmoods.com/?f=1&a=aed&chnl=aed&cd=2XzuyEtN2Y1L1Qzu0EtDtB0AzztByEyD0FzyyEtCyCyE0B0EtN0D0Tzu0CtByBzztN1L2XzutBtFtBtFtDtFtAyEyE&cr=2092008366
IE - HKLM\..\SearchScopes\{17B15372-2A23-8F17-D120-661A6ED7B4DE}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=168&systemid=406&sr=0&q={searchTerms}
IE - HKLM\..\SearchScopes\{23088cf8-eaf8-4bb3-a251-9ba61557ac75}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=Z1xdm003YYus&ptnrS=Z1xdm003YYus&si=CJm8h_f9m6oCFakaQgodvWIu2A&ptb=F5FB6AC8-2559-457F-B1E6-7AA2B5287957&psa=&ind=2011072503&st=sb&n=77de87f7&searchfor={searchTerms}
IE - HKU\S-1-5-21-4123514263-4221296367-3105316158-1000\..\SearchScopes\{8D0206EA-D72B-4D74-9FB7-267972EA5D77}: "URL" = http://searchfunmoods.com/results.php?f=4&q={searchTerms}&a=aed&chnl=aed&cd=2XzuyEtN2Y1L1Qzu0EtDtB0AzztByEyD0FzyyEtCyCyE0B0EtN0D0Tzu0CtByBzztN1L2XzutBtFtBtFtDtFtAyEyE&cr=2092008366
IE - HKU\S-1-5-21-4123514263-4221296367-3105316158-1000\..\SearchScopes\{91607fa7-3c2f-4f90-93e3-d5337a6b0ac2}: "URL" = Playbryte-fa-ptn/search/redirect/?type=default&user_id=75b85d46-7125-4563-9f75-ba03c68d3d4b&query={searchTerms}
O2 - BHO: (My Personal Homepage) - {0538CF1C-8419-4800-ADBB-0C00C799FDA2} - C:\Users\Ana\AppData\Roaming\Genieo\Application\IEPlugins\bin\IEWrapper.dll ()
O2 - BHO: (no name) - {1036AD63-AEAC-460B-9060-C96005D4DC86} - No CLSID value found.
O2 - BHO: (Privacy Safeguard BHO) - {A42D2EB4-DD31-4BB5-8AA5-8D4E04806DBE} - C:\Program Files\PrivacySafeGuard\PrivacySafeGuard.dll File not found
O3 - HKLM\..\Toolbar: (no name) - {06C7AD57-B655-418D-9AB8-9526A6D2E052} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O4 - HKLM..\Run: [Sendori Tray] C:\Program Files (x86)\Sendori\SendoriTray.exe (Sendori, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\IMESHA~1\MediaBar\Datamngr\x64\IEBHO.dll) - C:\Program Files (x86)\iMesh Applications\MediaBar\Datamngr\x64\IEBHO.dll (Bandoo Media, inc)
[2012/10/04 14:47:17 | 000,000,000 | ---D | C] -- C:\Program Files\PrivacySafeGuard
[2012/10/04 14:47:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Privacy SafeGuard
[2012/10/04 14:39:36 | 000,321,384 | ---- | C] (Sendori) -- C:\Windows\SysWow64\Sendori.dll
[2012/10/04 14:39:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Sendori
[2012/10/04 14:39:31 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Sendori
[2012/10/04 14:39:27 | 000,000,000 | ---D | C] -- C:\ProgramData\FreePriceAlerts
[2012/10/02 15:47:33 | 000,000,000 | ---D | C] -- C:\Users\Ana\AppData\Roaming\7551CC04
[2012/09/22 02:23:26 | 000,000,000 | ---D | C] -- C:\Users\Ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\File Recovery
[2012/09/22 11:36:30 | 000,000,136 | ---- | M] () -- C:\ProgramData\-rZkt00NwntvqGMr
[2012/10/04 14:18:51 | 000,290,500 | ---- | C] () -- C:\Users\Ana\AppData\Local\funmoods-speeddial_sf.crx
[2012/09/22 02:50:31 | 000,000,136 | ---- | C] () -- C:\ProgramData\-rZkt00NwntvqGMr
[2012/09/22 02:50:31 | 000,000,136 | ---- | C] () -- C:\ProgramData\-rZkt00NwntvqGM

:Files
C:\Users\Ana\AppData\Local\Google\Chrome\User Data\Default\Extensions\geggofhlfbcmanadhknllmlajiafopoh
C:\Users\Ana\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmekldhjpnedilgjphomliffhhnknpeb
C:\Users\Ana\AppData\Local\Google\Chrome\User Data\Default\Extensions\gejobfgabjknekpkpnpnieipmfapcdpe
C:\Program Files (x86)\iMesh Applications

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
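Before pasting a system-specific OTL script like the one above, a practitioner will usually want to look at the same persistence points with their own eyes. The PowerShell sweep below is an added example and is not part of the original thread or of OTL: it lists the IE start page, search scopes, Browser Helper Objects, toolbars, Run entries, AppInit_DLLs, IE policy restrictions and Chrome extension IDs (with the name from each extension's manifest) without changing anything. It assumes 64-bit Windows (so it reads both the native and Wow6432Node registry views), an elevated prompt, and that it runs as the affected user; the output labels and function names are my own.

```powershell
# Added example (not from the thread or from OTL): a read-only sweep of the
# persistence points the OTL fix above edits. Assumes 64-bit Windows, an
# elevated prompt and that it runs as the affected user. Labels are mine.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Resolve a COM CLSID to the DLL it loads; an orphan is what OTL prints as 'No CLSID value found'
function Resolve-Clsid {
    param([string]$Clsid)
    foreach ($p in @("HKLM:\SOFTWARE\Classes\CLSID\$Clsid\InprocServer32",
                     "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$Clsid\InprocServer32",
                     "HKCU:\Software\Classes\CLSID\$Clsid\InprocServer32")) {
        $dll = Get-RegValue $p '(default)'
        if ($dll) { return $dll }
    }
    return 'No CLSID value found'
}

# Native 64-bit view, the 32-bit (Wow6432Node) view, and the current user's hive
$hives = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node', 'HKCU:\Software')

foreach ($h in $hives) {
    # 1. Start page and search providers (the searchfunmoods / mywebsearch entries above)
    $sp = Get-RegValue "$h\Microsoft\Internet Explorer\Main" 'Start Page'
    if ($sp) { "[StartPage]   $h -> $sp" }

    $scopes = "$h\Microsoft\Internet Explorer\SearchScopes"
    if (Test-Path $scopes) {
        $default = Get-RegValue $scopes 'DefaultScope'
        foreach ($s in Get-ChildItem $scopes) {
            $tag = if ($s.PSChildName -eq $default) { 'default' } else { 'extra' }
            "[SearchScope] $tag $($s.PSChildName) -> $(Get-RegValue $s.PSPath 'URL')"
        }
    }

    # 2. Browser Helper Objects and toolbars, resolved to the DLL that would load into IE
    $bho = "$h\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
    if (Test-Path $bho) {
        foreach ($b in Get-ChildItem $bho) {
            "[BHO]         $($b.PSChildName) -> $(Resolve-Clsid $b.PSChildName)"
        }
    }
    $tb = "$h\Microsoft\Internet Explorer\Toolbar"
    if (Test-Path $tb) {
        foreach ($name in (Get-Item $tb).GetValueNames()) {
            if ($name -match '^\{[0-9A-F-]+\}$') { "[Toolbar]     $name -> $(Resolve-Clsid $name)" }
        }
    }

    # 3. Run keys (SendoriTray.exe in the log is an HKLM Run entry)
    $run = "$h\Microsoft\Windows\CurrentVersion\Run"
    if (Test-Path $run) {
        foreach ($name in (Get-Item $run).GetValueNames()) {
            "[Run]         $h\$name -> $(Get-RegValue $run $name)"
        }
    }
}

# 4. AppInit_DLLs: loaded into every process that loads user32.dll (IEBHO.dll above)
foreach ($h in @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node')) {
    $w = "$h\Microsoft\Windows NT\CurrentVersion\Windows"
    $dlls = Get-RegValue $w 'AppInit_DLLs'
    if ($dlls) { "[AppInit]     $h -> $dlls (LoadAppInit_DLLs=$(Get-RegValue $w 'LoadAppInit_DLLs'))" }
}

# 5. IE policy restrictions (the 'Restrictions present' O6 line)
$r = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Restrictions'
if (Test-Path $r) {
    foreach ($name in (Get-Item $r).GetValueNames()) { "[IEPolicy]    $name = $(Get-RegValue $r $name)" }
}

# 6. Chrome extensions: each extension id with the name from its manifest.json
#    (regex rather than ConvertFrom-Json so it also runs on PowerShell 2.0)
$ext = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'
if (Test-Path $ext) {
    foreach ($id in Get-ChildItem $ext | Where-Object { $_.PSIsContainer }) {
        $manifest = Get-ChildItem $id.FullName -Recurse -Filter manifest.json | Select-Object -First 1
        $name = if ($manifest) {
            $m = [regex]::Match((Get-Content $manifest.FullName | Out-String), '"name"\s*:\s*"([^"]*)"')
            if ($m.Success) { $m.Groups[1].Value } else { '?' }
        } else { '?' }
        "[ChromeExt]   $($id.Name) -> $name"
    }
}
```

Each line of output maps to one O-line of the OTL log (O2 for BHOs, O3 for toolbars, O4 for Run, O6 for the policy key, O20 for AppInit_DLLs), so the two can be compared side by side before a fix script is run.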
Title: Re: Trojan.Dropper.BCMiner & Company
Post by: Jimmyjam85 on October 16, 2012, 04:12:21 PM
Will do as soon as I get home from work, which is 10 more hours. Thanks for the help and I'll update you on the status in a while.
Title: Re: Trojan.Dropper.BCMiner & Company
Post by: essexboy on October 16, 2012, 04:16:03 PM
Tsk, reading while at work ;D ;D ;D ;D
Title: Re: Trojan.Dropper.BCMiner & Company
Post by: Jimmyjam85 on October 18, 2012, 07:53:34 AM
Sorry for the delay, been working 10-hour shifts and busy with family etc. Just did as told, and here's the report after inserting the script, running the fix and running the quick scan after the reboot.
Title: Re: Trojan.Dropper.BCMiner & Company
Post by: essexboy on October 18, 2012, 03:02:10 PM
How is the computer behaving now?
Title: Re: Trojan.Dropper.BCMiner & Company
Post by: Jimmyjam85 on October 18, 2012, 04:04:04 PM
Not sure, I didn't do much after running OTL. The computer battery died when restarting; would that harm the fix in any way? And what improvements in particular should I be looking for exactly? I stopped getting the Internet redirections a couple of days ago.

Should this fix the virus scanner update, Google Chrome and Safari issue I just started having?
Title: Re: Trojan.Dropper.BCMiner & Company
Post by: essexboy on October 18, 2012, 04:10:50 PM
I removed the remaining funweb and other redirecting/bad extensions.

What is the virus scanner update error?
Quote:
"Should this fix the virus scanner update, Google Chrome and Safari issue I just started having?"
Title: Re: Trojan.Dropper.BCMiner & Company
Post by: Jimmyjam85 on October 18, 2012, 04:26:01 PM
Well, on Avast it basically times out and says it can't reach the server, same thing on Spybot S&D. MBAM is the only one that shows an error, "PROGRAM_ERROR_UPDATING(0,0 Host not found)". Also no Internet access when using Safari or Google Chrome (web pages just say not connected to a network), but IE works fine.
Title: Re: Trojan.Dropper.BCMiner & Company
Post by: essexboy on October 18, 2012, 04:28:44 PM
Quote:
IE - HKU\S-1-5-21-4123514263-4221296367-3105316158-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = actsvr.comcastonline.com;*.local
IE - HKU\S-1-5-21-4123514263-4221296367-3105316158-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = actsvr.comcastonline.com:8100
Is Comcast your ISP?
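The question above is the right one: a per-user WinINET proxy in the registry silently routes every browser that honours it through whatever host is named there, so the first check is whether the owner recognises the host. As an added example that is not from the thread, the same check automated in PowerShell: read the proxy values from every loaded user hive (the thread's entries sit under HKU\S-1-5-21-...-1000), flag any proxy host or PAC URL not on an allow-list you supply, and dry-run the clean-up with -WhatIf. It assumes the standard Internet Settings value names ProxyEnable, ProxyServer, ProxyOverride and AutoConfigURL, and an elevated prompt so other users' hives are readable; the function names are mine.

```powershell
# Added example (not from the thread): audit and optionally clear per-user
# WinINET proxy settings. Assumes the standard value names under
# Software\Microsoft\Windows\CurrentVersion\Internet Settings and an
# elevated PowerShell prompt.

function Get-ProxySettings {
    # One object per loaded user hive (HKU\S-1-5-21-*); system accounts are skipped
    if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $users = Get-ChildItem HKU:\ | Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }
    foreach ($u in $users) {
        $is = "HKU:\$($u.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
        if (-not (Test-Path $is)) { continue }
        $p = Get-ItemProperty -Path $is
        New-Object PSObject -Property @{
            Sid           = $u.PSChildName
            ProxyEnable   = $p.ProxyEnable
            ProxyServer   = $p.ProxyServer      # 'host:port' or 'http=host:port;https=...'
            ProxyOverride = $p.ProxyOverride    # hosts that bypass the proxy
            AutoConfigURL = $p.AutoConfigURL    # PAC script: another way to redirect traffic
        }
    }
}

function Test-ProxyIsSuspicious {
    param($Settings, [string[]]$KnownGoodHosts = @())
    # A proxy is worth questioning when it is set at all and its host is not one
    # the owner recognises (the 'Is Comcast your ISP?' check, automated)
    if ($Settings.AutoConfigURL -and ($KnownGoodHosts -notcontains $Settings.AutoConfigURL)) { return $true }
    if (-not $Settings.ProxyServer) { return $false }
    $hosts = foreach ($e in ($Settings.ProxyServer -split ';')) {
        ($e -replace '^[a-z]+=', '') -replace ':\d+$', ''     # strip 'http=' prefix and ':port'
    }
    return [bool]($hosts | Where-Object { $_ -and ($KnownGoodHosts -notcontains $_) })
}

function Clear-ProxySettings {
    # Disables the proxy for one SID and removes the three values; -WhatIf only reports
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([string]$Sid)
    $is = "HKU:\$Sid\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    if ($PSCmdlet.ShouldProcess($is, 'Set ProxyEnable=0, remove ProxyServer/ProxyOverride/AutoConfigURL')) {
        Set-ItemProperty -Path $is -Name ProxyEnable -Value 0 -Type DWord
        foreach ($n in 'ProxyServer', 'ProxyOverride', 'AutoConfigURL') {
            Remove-ItemProperty -Path $is -Name $n -ErrorAction SilentlyContinue
        }
    }
}

# Usage: list every user's proxy, flag the ones not on the allow-list, dry-run the
# clean-up. Drop -WhatIf to apply it, after taking a restore point as the post advises.
$allowed = @()      # e.g. a corporate proxy host the owner confirms; empty = flag everything
$all = Get-ProxySettings
$all | Format-Table Sid, ProxyEnable, ProxyServer, ProxyOverride, AutoConfigURL -AutoSize
foreach ($s in $all | Where-Object { Test-ProxyIsSuspicious $_ $allowed }) {
    Clear-ProxySettings -Sid $s.Sid -WhatIf
}
# The machine-wide WinHTTP proxy (used by services and Windows Update) is separate
# from the per-user WinINET one and is not touched above; show it for completeness
netsh winhttp show proxy
```

Note that a browser that ignores the WinINET settings behaves differently from one that honours them, which is why a stale proxy entry can show up as "one browser works, the others do not".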

Title: Re: Trojan.Dropper.BCMiner & Company
Post by: Jimmyjam85 on October 18, 2012, 04:31:42 PM
It might be my friends ISP but it's definitely not mine.
Title: Re: Trojan.Dropper.BCMiner & Company
Post by: essexboy on October 18, 2012, 07:27:58 PM
OK, could you create a system restore point? I will remove those, then let me know if that makes a difference.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
Code:
:OTL
IE - HKU\S-1-5-21-4123514263-4221296367-3105316158-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = actsvr.comcastonline.com;*.local
IE - HKU\S-1-5-21-4123514263-4221296367-3105316158-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = actsvr.comcastonline.com:8100

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
Then:

Please download MiniToolBox (http://download.bleepingcomputer.com/farbar/MiniToolBox.exe), save it to your desktop and run it.
(https://dl.dropbox.com/u/73555776/minitoolbox.JPG)
Checkmark the following checkboxes:

Click Go and attach the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run from.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
Title: Re: Trojan.Dropper.BCMiner & Company
Post by: Jimmyjam85 on October 19, 2012, 09:40:21 AM
Here are the reports for the OTL fix and MiniToolBox; the MiniToolBox report is in Spanish and if needed I can try and run it through some kind of translator.
Title: Re: Trojan.Dropper.BCMiner & Company
Post by: essexboy on October 19, 2012, 03:39:05 PM
Spanish is not a problem as the file names are in English.

First:
Start an elevated command prompt:
Go Start > All Programs > Accessories
Right-click Command Prompt and select Run as Administrator
In the black box that opens, enter the following commands, pressing Enter after each one:

netsh winsock reset
netsh int ip reset resetlog.txt


Let me know of any errors generated.
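The reset above rebuilds the Winsock catalog wholesale. When you want to know what was wrong with it first (which layered service provider was foreign, or whose DLL a clean-up had already deleted, leaving a dangling entry that breaks every socket-using program), the catalog can be inspected before resetting. The following PowerShell is an added example and not part of the thread: it parses `netsh winsock show catalog`, checks each provider DLL for existence, location and the company name in its version resource, and flags the odd ones. It assumes the English field labels of the netsh output (on the Spanish install in this thread the labels are localised, so the regex would need adjusting) and runs on PowerShell 2.0 or later; the function names and the sample catalog text are mine, and the second sample entry is constructed to show a missing DLL.

```powershell
# Added example (not from the thread): triage the Winsock catalog before
# 'netsh winsock reset'. Assumes English 'netsh winsock show catalog' labels.

function Get-WinsockCatalog {
    param([string[]]$Lines = (netsh winsock show catalog))
    # Entries are blank-line separated blocks of 'Label:   value' lines; header and
    # dashed lines carry no colon and are ignored. Keys get their spaces removed
    # ('Provider Path' -> ProviderPath) so they can be used as property names.
    $entries = @(); $cur = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*$') {
            if ($cur.Count) { $entries += New-Object PSObject -Property $cur; $cur = @{} }
            continue
        }
        if ($line -match '^([A-Za-z ]+):\s*(.*)$') {
            $key = ($matches[1].Trim() -replace ' ', '')
            $cur[$key] = $matches[2].Trim()
        }
    }
    if ($cur.Count) { $entries += New-Object PSObject -Property $cur }
    $entries | Where-Object { $_.ProviderPath }
}

function Test-WinsockProvider {
    param($Entry)
    $path = [Environment]::ExpandEnvironmentVariables(($Entry.ProviderPath -replace '"', ''))
    $exists = Test-Path $path
    # Company name from the version resource: spoofable, but a quick offline triage
    # signal that also works for catalog-signed Windows DLLs, which older
    # Get-AuthenticodeSignature versions report as unsigned
    $company = if ($exists) { (Get-Item $path).VersionInfo.CompanyName } else { $null }
    $inWindows = $path -like "$env:SystemRoot\*"
    New-Object PSObject -Property @{
        Type        = $Entry.EntryType
        Description = $Entry.Description
        Path        = $path
        Exists      = $exists
        Company     = $company
        Suspicious  = (-not $exists) -or (-not $inWindows) -or ($company -notlike 'Microsoft*')
    }
}

# Constructed sample in the format of 'netsh winsock show catalog' (not from the
# thread's logs): one normal base provider and one LSP whose DLL no longer exists
$sample = @'
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Example LSP
Provider ID:                        {00000000-0000-0000-0000-000000000000}
Provider Path:                      C:\Program Files (x86)\Example\examplelsp.dll
Catalog Entry ID:                   1020
Protocol Chain Length:              0
'@ -split "`r?`n"

"--- parsed sample ---"
Get-WinsockCatalog -Lines $sample | ForEach-Object { Test-WinsockProvider $_ } |
    Format-Table Type, Description, Path, Exists, Company, Suspicious -AutoSize

# Live catalog of this machine
"--- live catalog ---"
$report = Get-WinsockCatalog | ForEach-Object { Test-WinsockProvider $_ }
$report | Format-Table Type, Description, Path, Exists, Company, Suspicious -AutoSize
if ($report | Where-Object { $_.Suspicious }) {
    "Suspicious or missing providers found. The two netsh commands from the post above"
    "(netsh winsock reset; netsh int ip reset resetlog.txt) rebuild the catalog;"
    "both need an elevated prompt and a reboot afterwards."
}
```

Keep the pre-reset output with the other logs: once `netsh winsock reset` has run, the evidence of which provider was broken is gone.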
Title: Re: Trojan.Dropper.BCMiner & Company
Post by: Jimmyjam85 on October 20, 2012, 05:05:09 AM
Don't know how you did that but you sure fixed that issue. As for that rootkit, where shall we go from here? Should I update and run MBAM, Avast and Spybot S&D? Or perhaps some others as well?
Title: Re: Trojan.Dropper.BCMiner & Company
Post by: Pondus on October 20, 2012, 07:29:14 AM
It will be some hours before essexboy is back in the forum, so be patient ;)
Title: Re: Trojan.Dropper.BCMiner & Company
Post by: essexboy on October 20, 2012, 01:38:54 PM
The LSP stack was corrupted. Now fixed.

How is the computer behaving?

As I have said, I saw no indication of a rootkit. But run MBAM again please and post the resultant log.