Trojan.Dropper.BCMiner & Company

I am trying to clean a friend's computer and am repeatedly being redirected to other websites, which from what I've read is due to the BCMiner trojan. I tried running multiple scanners to get rid of it but it just keeps re-appearing. The scanner that is actually catching it is MBAM, and it also caught Adware.Agent, PUP.PlayBryte, PUP.MyWebSearch, and Adware.IBryte.

From what I've read here on the forums regarding this trojan I downloaded and ran ComboFix, so here's the log from that scan. If there's anything else you need I will be more than happy to provide any information needed.

Follow the guide and attach logs…not copy and paste. http://forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR

When done, a removal specialist will help you.

Question. My friend purchased their computer with Windows 7 Home edition in Spanish. So will the logs be okay if they are in Spanish? I mean it basically looks the same, just a couple of things here and there are in Spanish. I've tried seeing if there was a way to change the language in the AdwCleaner program but I can't seem to find it.

hi

Just done a bit of research. This may help you :slight_smile:

www.froggie.sk/

anthony

AdwCleaner will clear some browser toolbar crap if you have any…the log is not that important.
Also any file paths and malware names are still in English…I think…and Essexboy has seen so many logs that he can read these logs blindfolded.

Haha, sounds good then, but now for some reason Malwarebytes won't update anymore, so now I have to figure this out.

Hi, it appears to be a Firefox/IE browser hijack and not bitcoiner.

To remove this I will need the OTL logs

Here´s the log you requested. :slight_smile:

OK let me know what problems remain after this

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes, and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://searchfunmoods.com/?f=1&a=aed&chnl=aed&cd=2XzuyEtN2Y1L1Qzu0EtDtB0AzztByEyD0FzyyEtCyCyE0B0EtN0D0Tzu0CtByBzztN1L2XzutBtFtBtFtDtFtAyEyE&cr=2092008366
IE - HKLM\..\SearchScopes\{17B15372-2A23-8F17-D120-661A6ED7B4DE}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=168&systemid=406&sr=0&q={searchTerms}
IE - HKLM\..\SearchScopes\{23088cf8-eaf8-4bb3-a251-9ba61557ac75}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=Z1xdm003YYus&ptnrS=Z1xdm003YYus&si=CJm8h_f9m6oCFakaQgodvWIu2A&ptb=F5FB6AC8-2559-457F-B1E6-7AA2B5287957&psa=&ind=2011072503&st=sb&n=77de87f7&searchfor={searchTerms}
IE - HKU\S-1-5-21-4123514263-4221296367-3105316158-1000\..\SearchScopes\{8D0206EA-D72B-4D74-9FB7-267972EA5D77}: "URL" = http://searchfunmoods.com/results.php?f=4&q={searchTerms}&a=aed&chnl=aed&cd=2XzuyEtN2Y1L1Qzu0EtDtB0AzztByEyD0FzyyEtCyCyE0B0EtN0D0Tzu0CtByBzztN1L2XzutBtFtBtFtDtFtAyEyE&cr=2092008366
IE - HKU\S-1-5-21-4123514263-4221296367-3105316158-1000\..\SearchScopes\{91607fa7-3c2f-4f90-93e3-d5337a6b0ac2}: "URL" = Playbryte-fa-ptn/search/redirect/?type=default&user_id=75b85d46-7125-4563-9f75-ba03c68d3d4b&query={searchTerms}
O2 - BHO: (My Personal Homepage) - {0538CF1C-8419-4800-ADBB-0C00C799FDA2} - C:\Users\Ana\AppData\Roaming\Genieo\Application\IEPlugins\bin\IEWrapper.dll ()
O2 - BHO: (no name) - {1036AD63-AEAC-460B-9060-C96005D4DC86} - No CLSID value found.
O2 - BHO: (Privacy Safeguard BHO) - {A42D2EB4-DD31-4BB5-8AA5-8D4E04806DBE} - C:\Program Files\PrivacySafeGuard\PrivacySafeGuard.dll File not found
O3 - HKLM\..\Toolbar: (no name) - {06C7AD57-B655-418D-9AB8-9526A6D2E052} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O4 - HKLM..\Run: [Sendori Tray] C:\Program Files (x86)\Sendori\SendoriTray.exe (Sendori, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\IMESHA~1\MediaBar\Datamngr\x64\IEBHO.dll) - C:\Program Files (x86)\iMesh Applications\MediaBar\Datamngr\x64\IEBHO.dll (Bandoo Media, inc)
[2012/10/04 14:47:17 | 000,000,000 | ---D | C] -- C:\Program Files\PrivacySafeGuard
[2012/10/04 14:47:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Privacy SafeGuard
[2012/10/04 14:39:36 | 000,321,384 | ---- | C] (Sendori) -- C:\Windows\SysWow64\Sendori.dll
[2012/10/04 14:39:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Sendori
[2012/10/04 14:39:31 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Sendori
[2012/10/04 14:39:27 | 000,000,000 | ---D | C] -- C:\ProgramData\FreePriceAlerts
[2012/10/02 15:47:33 | 000,000,000 | ---D | C] -- C:\Users\Ana\AppData\Roaming\7551CC04
[2012/09/22 02:23:26 | 000,000,000 | ---D | C] -- C:\Users\Ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\File Recovery
[2012/09/22 11:36:30 | 000,000,136 | ---- | M] () -- C:\ProgramData\-rZkt00NwntvqGMr
[2012/10/04 14:18:51 | 000,290,500 | ---- | C] () -- C:\Users\Ana\AppData\Local\funmoods-speeddial_sf.crx
[2012/09/22 02:50:31 | 000,000,136 | ---- | C] () -- C:\ProgramData\-rZkt00NwntvqGMr
[2012/09/22 02:50:31 | 000,000,136 | ---- | C] () -- C:\ProgramData\-rZkt00NwntvqGM

:Files
C:\Users\Ana\AppData\Local\Google\Chrome\User Data\Default\Extensions\geggofhlfbcmanadhknllmlajiafopoh
C:\Users\Ana\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmekldhjpnedilgjphomliffhhnknpeb
C:\Users\Ana\AppData\Local\Google\Chrome\User Data\Default\Extensions\gejobfgabjknekpkpnpnieipmfapcdpe
C:\Program Files (x86)\iMesh Applications

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Will do as soon as I get home from work, which is 10 more hours. Thanks for the help and I'll update you on the status in a while.

Tsk reading while at work ;D ;D ;D ;D

Sorry for the delay, I've been working 10-hour shifts and busy with family etc. Just did as told and here's the report after inserting the script, running the fix and running the quick scan after the reboot.

How is the computer behaving now ?

Not sure, I didn't do much after running OTL. The computer battery died when restarting; would that harm the fix in any way? And what particular improvements should I be looking for exactly? I stopped getting the Internet redirections a couple of days ago.

Should this fix the virus scanner update, Google Chrome and Safari issues I just started having?

I removed the remaining funweb and other redirecting/bad extensions.

What is the virus update scanner error?

Should this fix the virus scanner update, Google Chrome and Safari issues I just started having?

Well, on Avast it basically times out and says it can't reach the server, same thing on Spybot S&D. MBAM is the only one that shows an error, "PROGRAM_ERROR_UPDATING(0,0 Host not found)". Also no Internet access when using Safari or Google Chrome (web pages just say not connected to a network), but IE works fine.

IE - HKU\S-1-5-21-4123514263-4221296367-3105316158-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = actsvr.comcastonline.com;*.local
IE - HKU\S-1-5-21-4123514263-4221296367-3105316158-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = actsvr.comcastonline.com:8100

Is Comcast your ISP?

It might be my friend's ISP, but it's definitely not mine.

OK, could you create a system restore point. I will remove those, then let me know if that makes a difference.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes, and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
IE - HKU\S-1-5-21-4123514263-4221296367-3105316158-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = actsvr.comcastonline.com;*.local
IE - HKU\S-1-5-21-4123514263-4221296367-3105316158-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = actsvr.comcastonline.com:8100

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Please download MiniToolBox, save it to your desktop and run it.

https://dl.dropbox.com/u/73555776/minitoolbox.JPG

Checkmark the following checkboxes:

[*]Flush DNS
[*]Report IE Proxy Settings
[*]Reset IE Proxy Settings
[*]Report FF Proxy Settings
[*]Reset FF Proxy Settings
[*]List content of Hosts
[*]List IP configuration
[*]List Winsock Entries
[*]List last 10 Event Viewer log
[*]List Installed Programs
[*]List Devices
[*]List Users, Partitions and Memory size.
[*]List Minidump Files

Click Go and attach the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using the "Reset FF Proxy Settings" option, Firefox should be closed.
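The two OTL fixes Essexboy posted above (the first removing the search/start-page hijack, the orphaned BHOs and toolbars and the iMesh AppInit DLL, the second removing the actsvr.comcastonline.com:8100 proxy that was stopping Avast, MBAM and the non-IE browsers from reaching the network) are the kinds of lines a removal helper picks out of an OTL scan by eye. As an added example that is not part of this thread and not OTL's own code, the Python script below reads OTL-style output and flags those same indicator types automatically: Internet Settings proxy values, start-page and SearchScopes URLs pointing at hosts other than the usual defaults, BHO/toolbar entries whose file or CLSID is missing, AppInit_DLLs entries, and unsigned files or folders with random-looking names. The regular expressions, the KNOWN_SEARCH_HOSTS allowlist and the random-name heuristic are my assumptions; the sample lines are copied from the fix scripts in this thread. It produces a review list for a helper, not a fix script.

```python
"""Flag browser/proxy hijack indicators in OTL-style log text.

Added example, not OTL's own code. The regexes, KNOWN_SEARCH_HOSTS and the
random-name heuristic are assumptions; SAMPLE_LOG is copied from the two
OTL fix scripts posted in this thread.
"""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse

# Sample input: lines taken from the two OTL fixes in this thread.
SAMPLE_LOG = r"""
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://searchfunmoods.com/?f=1&a=aed&chnl=aed
IE - HKLM\..\SearchScopes\{17B15372-2A23-8F17-D120-661A6ED7B4DE}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=168&q={searchTerms}
IE - HKU\S-1-5-21-4123514263-4221296367-3105316158-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = actsvr.comcastonline.com:8100
IE - HKU\S-1-5-21-4123514263-4221296367-3105316158-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = actsvr.comcastonline.com;*.local
O2 - BHO: (My Personal Homepage) - {0538CF1C-8419-4800-ADBB-0C00C799FDA2} - C:\Users\Ana\AppData\Roaming\Genieo\Application\IEPlugins\bin\IEWrapper.dll ()
O2 - BHO: (Privacy Safeguard BHO) - {A42D2EB4-DD31-4BB5-8AA5-8D4E04806DBE} - C:\Program Files\PrivacySafeGuard\PrivacySafeGuard.dll File not found
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\IMESHA~1\MediaBar\Datamngr\x64\IEBHO.dll) - C:\Program Files (x86)\iMesh Applications\MediaBar\Datamngr\x64\IEBHO.dll (Bandoo Media, inc)
[2012/10/04 14:47:17 | 000,000,000 | ---D | C] -- C:\Program Files\PrivacySafeGuard
[2012/10/04 14:39:36 | 000,321,384 | ---- | C] (Sendori) -- C:\Windows\SysWow64\Sendori.dll
[2012/10/02 15:47:33 | 000,000,000 | ---D | C] -- C:\Users\Ana\AppData\Roaming\7551CC04
[2012/09/22 11:36:30 | 000,000,136 | ---- | M] () -- C:\ProgramData\-rZkt00NwntvqGMr
"""

# Hosts treated as legitimate defaults for Start Page / SearchScopes (assumption).
KNOWN_SEARCH_HOSTS = {"www.bing.com", "www.google.com", "search.yahoo.com"}

# Line shapes as OTL prints them (derived from the lines in this thread).
PROXY_RE = re.compile(r'Internet Settings: "(ProxyServer|ProxyOverride|AutoConfigURL)" = (.+)$')
START_RE = re.compile(r'Internet Explorer\\Main,Start Page = (\S+)')
SCOPE_RE = re.compile(r'SearchScopes\\(\{[0-9A-Fa-f-]+\}): "URL" = (\S+)')
APPINIT_RE = re.compile(r'^O20(?::64bit:)? - AppInit_DLLs: \((.*?)\) - (.*)$')
BHO_RE = re.compile(r'^O[23](?::64bit:)? - .*?\((.*?)\) - (\S+) - (.*)$')
FILE_RE = re.compile(
    r'^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| [\d,]+ \| (\S{4}) \| [CM]\]'
    r'(?: \((.*?)\))? -- (.+)$')


@dataclass
class Finding:
    line_no: int
    category: str
    detail: str


def looks_random(path: str) -> bool:
    """Heuristic (assumption): last path component has no extension or spaces,
    is at least 8 characters long and mixes letters with digits."""
    name = path.rstrip("\\").rsplit("\\", 1)[-1].lstrip("-")
    return (len(name) >= 8 and " " not in name and "." not in name
            and any(c.isdigit() for c in name) and any(c.isalpha() for c in name))


def triage(log_text: str) -> list:
    """Return one Finding per suspicious line; benign lines are skipped."""
    findings = []
    for n, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if m := PROXY_RE.search(line):
            # Any explicit proxy breaks updaters and browsers that honour IE settings.
            findings.append(Finding(n, "proxy", f"{m[1]} = {m[2]}"))
        elif (m := START_RE.search(line)) or (m := SCOPE_RE.search(line)):
            url = m[m.lastindex]                # URL is the last group in both patterns
            host = urlparse(url).hostname
            if host not in KNOWN_SEARCH_HOSTS:
                findings.append(Finding(n, "search_hijack", host or url))
        elif m := APPINIT_RE.match(line):
            # AppInit_DLLs loads into every GUI process; rarely legitimate on a home PC.
            findings.append(Finding(n, "appinit_dll", m[2]))
        elif m := BHO_RE.match(line):
            if "File not found" in m[3] or "No CLSID value found" in m[3]:
                findings.append(Finding(n, "orphaned_bho", f"{m[1]} {m[2]}: {m[3]}"))
        elif m := FILE_RE.match(line):
            vendor, path = m[3], m[4]
            if not vendor and looks_random(path):
                findings.append(Finding(n, "random_name_file", path))
    return findings


def summarize(findings) -> Counter:
    """Count findings per category, for a quick overview."""
    return Counter(f.category for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:2d}  {f.category:17s} {f.detail}")
    print(dict(summarize(triage(SAMPLE_LOG))))
```

Run against the sample it reports both proxy values, the two non-default search hosts, the two orphaned BHO/toolbar entries, the AppInit DLL and the two random-named folders, while the signed Sendori.dll, the named PrivacySafeGuard folder and the Genieo BHO whose file exists pass through untouched; on a real log you would paste the full OTL output into `triage` and review the list before writing a fix.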

Here are the reports for the OTL fix and the MiniToolBox. The MiniToolBox report is in Spanish and if needed I can try and run it through some kind of translator.