Author Topic: Trojan.Dropper.BCMiner & Company  (Read 5020 times)

Offline Jimmyjam85

  • Newbie
  • *
  • Posts: 11
Trojan.Dropper.BCMiner & Company
« on: October 15, 2012, 07:28:28 PM »
I am trying to clean a friend's computer and am repeatedly being redirected to other websites, which from what I've read is due to the BCMiner trojan. I tried running multiple scanners to get rid of it, but it just keeps re-appearing. The scanner that is actually catching it is MBAM, and it also caught Adware.Agent, PUP.PlayBryte, PUP.MyWebSearc, and Adware.IBryte.

From what I've read here on the forums regarding this trojan, I downloaded and ran ComboFix, so here's the log from that scan. If there's anything else you need, I will be more than happy to provide any information needed.

Offline Pondus

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 21661
  • Gender: Male
Re: Trojan.Dropper.BCMiner & Company
« Reply #1 on: October 15, 2012, 07:48:28 PM »
Follow the guide and attach the logs, do not copy and paste: http://forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR


when done a removal specialist will help you
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline Jimmyjam85

  • Newbie
  • *
  • Posts: 11
Re: Trojan.Dropper.BCMiner & Company
« Reply #2 on: October 15, 2012, 08:13:28 PM »
Question. My friend purchased their computer with Windows 7 Home edition in Spanish. So will the logs be okay if they are in Spanish? I mean, it basically looks the same, just a couple of things here and there are in Spanish. I've tried seeing if there was a way to change the language in the AdwCleaner program, but I can't seem to find it.
« Last Edit: October 15, 2012, 08:15:24 PM by Jimmyjam85 »

Offline adotd

  • Sr. Member
  • ****
  • Posts: 278
Re: Trojan.Dropper.BCMiner & Company
« Reply #3 on: October 15, 2012, 08:22:49 PM »
hi

just done a bit of research. this may help you :)

www.froggie.sk/

anthony

Offline Pondus

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 21661
  • Gender: Male
Re: Trojan.Dropper.BCMiner & Company
« Reply #4 on: October 15, 2012, 08:34:29 PM »
AdwCleaner will clear some browser toolbar crap if you have any; the log is not that important.
Also, any file paths and malware names are still in English, I think, and Essexboy has seen so many logs that he can read these logs blindfolded.


Offline Jimmyjam85

  • Newbie
  • *
  • Posts: 11
Re: Trojan.Dropper.BCMiner & Company
« Reply #5 on: October 15, 2012, 08:36:22 PM »
Haha, sounds good then, but now for some reason Malwarebytes won't update anymore, so now I have to figure this out.

Offline essexboy

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 28953
  • Gender: Male
  • Dragons by Sasha
    • Malware fixes
Re: Trojan.Dropper.BCMiner & Company
« Reply #6 on: October 15, 2012, 09:04:07 PM »
Hi, it appears to be a Firefox/IE browser hijack and not a bitcoin miner.

To remove this I will need the OTL logs

Offline Jimmyjam85

  • Newbie
  • *
  • Posts: 11
Re: Trojan.Dropper.BCMiner & Company
« Reply #7 on: October 15, 2012, 10:44:21 PM »
Here's the log you requested. :)
« Last Edit: October 15, 2012, 10:51:58 PM by Jimmyjam85 »

Offline essexboy

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 28953
  • Gender: Male
  • Dragons by Sasha
    • Malware fixes
Re: Trojan.Dropper.BCMiner & Company
« Reply #8 on: October 16, 2012, 02:08:21 PM »
OK let me know what problems remain after this

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:OTL
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://searchfunmoods.com/?f=1&a=aed&chnl=aed&cd=2XzuyEtN2Y1L1Qzu0EtDtB0AzztByEyD0FzyyEtCyCyE0B0EtN0D0Tzu0CtByBzztN1L2XzutBtFtBtFtDtFtAyEyE&cr=2092008366
IE - HKLM\..\SearchScopes\{17B15372-2A23-8F17-D120-661A6ED7B4DE}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=168&systemid=406&sr=0&q={searchTerms}
IE - HKLM\..\SearchScopes\{23088cf8-eaf8-4bb3-a251-9ba61557ac75}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=Z1xdm003YYus&ptnrS=Z1xdm003YYus&si=CJm8h_f9m6oCFakaQgodvWIu2A&ptb=F5FB6AC8-2559-457F-B1E6-7AA2B5287957&psa=&ind=2011072503&st=sb&n=77de87f7&searchfor={searchTerms}
IE - HKU\S-1-5-21-4123514263-4221296367-3105316158-1000\..\SearchScopes\{8D0206EA-D72B-4D74-9FB7-267972EA5D77}: "URL" = http://searchfunmoods.com/results.php?f=4&q={searchTerms}&a=aed&chnl=aed&cd=2XzuyEtN2Y1L1Qzu0EtDtB0AzztByEyD0FzyyEtCyCyE0B0EtN0D0Tzu0CtByBzztN1L2XzutBtFtBtFtDtFtAyEyE&cr=2092008366
IE - HKU\S-1-5-21-4123514263-4221296367-3105316158-1000\..\SearchScopes\{91607fa7-3c2f-4f90-93e3-d5337a6b0ac2}: "URL" = Playbryte-fa-ptn/search/redirect/?type=default&user_id=75b85d46-7125-4563-9f75-ba03c68d3d4b&query={searchTerms}
O2 - BHO: (My Personal Homepage) - {0538CF1C-8419-4800-ADBB-0C00C799FDA2} - C:\Users\Ana\AppData\Roaming\Genieo\Application\IEPlugins\bin\IEWrapper.dll ()
O2 - BHO: (no name) - {1036AD63-AEAC-460B-9060-C96005D4DC86} - No CLSID value found.
O2 - BHO: (Privacy Safeguard BHO) - {A42D2EB4-DD31-4BB5-8AA5-8D4E04806DBE} - C:\Program Files\PrivacySafeGuard\PrivacySafeGuard.dll File not found
O3 - HKLM\..\Toolbar: (no name) - {06C7AD57-B655-418D-9AB8-9526A6D2E052} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O4 - HKLM..\Run: [Sendori Tray] C:\Program Files (x86)\Sendori\SendoriTray.exe (Sendori, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\IMESHA~1\MediaBar\Datamngr\x64\IEBHO.dll) - C:\Program Files (x86)\iMesh Applications\MediaBar\Datamngr\x64\IEBHO.dll (Bandoo Media, inc)
[2012/10/04 14:47:17 | 000,000,000 | ---D | C] -- C:\Program Files\PrivacySafeGuard
[2012/10/04 14:47:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Privacy SafeGuard
[2012/10/04 14:39:36 | 000,321,384 | ---- | C] (Sendori) -- C:\Windows\SysWow64\Sendori.dll
[2012/10/04 14:39:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Sendori
[2012/10/04 14:39:31 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Sendori
[2012/10/04 14:39:27 | 000,000,000 | ---D | C] -- C:\ProgramData\FreePriceAlerts
[2012/10/02 15:47:33 | 000,000,000 | ---D | C] -- C:\Users\Ana\AppData\Roaming\7551CC04
[2012/09/22 02:23:26 | 000,000,000 | ---D | C] -- C:\Users\Ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\File Recovery
[2012/09/22 11:36:30 | 000,000,136 | ---- | M] () -- C:\ProgramData\-rZkt00NwntvqGMr
[2012/10/04 14:18:51 | 000,290,500 | ---- | C] () -- C:\Users\Ana\AppData\Local\funmoods-speeddial_sf.crx
[2012/09/22 02:50:31 | 000,000,136 | ---- | C] () -- C:\ProgramData\-rZkt00NwntvqGMr
[2012/09/22 02:50:31 | 000,000,136 | ---- | C] () -- C:\ProgramData\-rZkt00NwntvqGM

:Files
C:\Users\Ana\AppData\Local\Google\Chrome\User Data\Default\Extensions\geggofhlfbcmanadhknllmlajiafopoh
C:\Users\Ana\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmekldhjpnedilgjphomliffhhnknpeb
C:\Users\Ana\AppData\Local\Google\Chrome\User Data\Default\Extensions\gejobfgabjknekpkpnpnieipmfapcdpe
C:\Program Files (x86)\iMesh Applications

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
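The OTL script above removes a set of browser-hijack persistence points: the IE Start Page and SearchScopes values, dangling BHO and toolbar CLSID registrations, a Run key entry, an AppInit_DLLs injection, Chrome extension folders and the hosts file. An OTL quick scan is the thread's way of verifying the fix; the read-only audit below is an added example (my own code, not part of this thread and not an OTL feature) that reports those same locations so you can confirm nothing has re-created them. It assumes an elevated PowerShell 3.0 or later on the affected machine (Windows 7 ships with 2.0, so install the Windows Management Framework update first) and Chrome's default profile path; the `No CLSID value found` / `File not found` labels are reproduced from the OTL log lines above to make the output easy to compare.

```powershell
# Added example: audit the browser-hijack persistence points targeted by the OTL fix.
# Read-only: nothing is deleted. Run from an elevated PowerShell 3.0+ prompt.

# Resolve a BHO/toolbar CLSID to its registered DLL, checking both the native and
# the 32-bit (Wow6432Node) class hives on a 64-bit system.
function Resolve-Clsid {
    param([string]$Clsid)
    foreach ($hive in 'Registry::HKEY_CLASSES_ROOT\CLSID',
                      'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID') {
        $p = Get-ItemProperty -Path "$hive\$Clsid\InprocServer32" -ErrorAction SilentlyContinue
        if ($p) { return $p.'(default)' }
    }
    return $null
}

# Single registry values that hijackers commonly overwrite (IE start page, AppInit_DLLs).
$values = @(
    @{ Name = 'IE Start Page (HKLM)';      Path = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main';             Value = 'Start Page' },
    @{ Name = 'IE Start Page (HKLM 32)';   Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main'; Value = 'Start Page' },
    @{ Name = 'IE Start Page (HKCU)';      Path = 'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Main';             Value = 'Start Page' },
    @{ Name = 'AppInit_DLLs (64-bit)';     Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows';             Value = 'AppInit_DLLs' },
    @{ Name = 'AppInit_DLLs (32-bit)';     Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'; Value = 'AppInit_DLLs' }
)
foreach ($v in $values) {
    $data = (Get-ItemProperty -Path $v.Path -Name $v.Value -ErrorAction SilentlyContinue).($v.Value)
    if ($data) { '{0,-28} {1}' -f $v.Name, $data }
}

# IE search providers (the SearchScopes entries in the OTL log).
foreach ($root in 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
                  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes',
                  'HKCU:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes') {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $url = (Get-ItemProperty -Path $_.PSPath -Name 'URL' -ErrorAction SilentlyContinue).URL
        if ($url) { "SearchScope {0}`n    {1}" -f $_.PSChildName, $url }
    }
}

# Browser Helper Objects: a registration whose CLSID or DLL is missing is the
# "No CLSID value found" / "File not found" case seen in the O2 lines above.
foreach ($root in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
                  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects') {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $dll = Resolve-Clsid $_.PSChildName
        $state = if (-not $dll) { 'No CLSID value found' }
                 elseif (-not (Test-Path -LiteralPath $dll)) { 'File not found' }
                 else { 'present' }
        'BHO {0} -> {1} [{2}]' -f $_.PSChildName, $dll, $state
    }
}

# IE toolbars are stored as values named by CLSID under the Toolbar key (O3 lines).
$tb = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar' -ErrorAction SilentlyContinue
if ($tb) {
    $tb.PSObject.Properties | Where-Object { $_.Name -like '{*}' } |
        ForEach-Object { 'Toolbar {0} -> {1}' -f $_.Name, (Resolve-Clsid $_.Name) }
}

# Run keys (O4 lines). The PS* properties are PowerShell provider metadata, not registry values.
$meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($root in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
                  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $run = Get-ItemProperty -Path $root -ErrorAction SilentlyContinue
    if ($run) {
        $run.PSObject.Properties | Where-Object { $meta -notcontains $_.Name } |
            ForEach-Object { 'Run {0} = {1}' -f $_.Name, $_.Value }
    }
}

# IE policy restrictions (O6 line): legitimate on a domain PC, suspicious on a home machine.
if (Test-Path 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Restrictions') {
    'IE Restrictions policy key present'
}

# Chrome extensions in the default profile, with the name from each manifest.
$extRoot = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'
Get-ChildItem -Path $extRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $manifest = Get-ChildItem -Path $_.FullName -Filter manifest.json -Recurse -ErrorAction SilentlyContinue |
        Select-Object -First 1
    $name = if ($manifest) { (Get-Content -Path $manifest.FullName -Raw | ConvertFrom-Json).name } else { '?' }
    'Chrome extension {0} ({1})' -f $_.Name, $name
}

# Hosts file: anything other than the localhost lines is worth a look (the [resethosts] command
# in the OTL script rewrites this file).
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -Path $hosts -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\b' } |
    ForEach-Object { "hosts: $_" }
```

Run it once before and once after the fix and diff the two outputs; a SearchScope, BHO or Run entry that comes back after a reboot points at a component the script did not remove. Extension names that read `__MSG_...__` are localized and need the extension's `_locales` folder to resolve, which this example does not do.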

Offline Jimmyjam85

  • Newbie
  • *
  • Posts: 11
Re: Trojan.Dropper.BCMiner & Company
« Reply #9 on: October 16, 2012, 02:12:21 PM »
Will do as soon as I get home from work, which is 10 more hours. Thanks for the help, and I'll update you on the status in a while.

Offline essexboy

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 28953
  • Gender: Male
  • Dragons by Sasha
    • Malware fixes
Re: Trojan.Dropper.BCMiner & Company
« Reply #10 on: October 16, 2012, 02:16:03 PM »
Tsk reading while at work  ;D ;D ;D ;D

Offline Jimmyjam85

  • Newbie
  • *
  • Posts: 11
Re: Trojan.Dropper.BCMiner & Company
« Reply #11 on: October 18, 2012, 05:53:34 AM »
Sorry for the delay, I've been working 10-hour shifts and am busy with family etc. Just did as told, and here's the report after inserting the script, running the fix and running the quick scan after the reboot.

Offline essexboy

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 28953
  • Gender: Male
  • Dragons by Sasha
    • Malware fixes
Re: Trojan.Dropper.BCMiner & Company
« Reply #12 on: October 18, 2012, 01:02:10 PM »
How is the computer behaving now?

Offline Jimmyjam85

  • Newbie
  • *
  • Posts: 11
Re: Trojan.Dropper.BCMiner & Company
« Reply #13 on: October 18, 2012, 02:04:04 PM »
Not sure, I didn't do much after running OTL. The computer battery died when restarting; would that harm the fix in any way? And what particular improvements should I be looking for exactly? I stopped getting the Internet redirections a couple of days ago.

Should this fix the virus scanner update, Google Chrome and Safari issue I just started having?

Offline essexboy

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 28953
  • Gender: Male
  • Dragons by Sasha
    • Malware fixes
Re: Trojan.Dropper.BCMiner & Company
« Reply #14 on: October 18, 2012, 02:10:50 PM »
I removed the remaining funweb and other redirecting/bad extensions.

What is the virus scanner update error?
Quote
Should this fix the virus scanner update, Google Chrome and Safari issue I just started having

 
