Win32:BitCoinMiner-CA (Trj)

Please help me I have had this virus since saturday 11/05/2013. I have tried everything I could think of to get rid of it but it keeps coming back, any help would be greatly appreciated.

Object: C:\Users\xxxxxx\AppData\Local\Temp\iswizard
Infection: Win32:BitCoinMiner-CA (Trj)
Process: C:/Windows/SysWOW64/rundll32.exe

follow guide and attach logs. http://forum.avast.com/index.php?topic=53253.0

  1. AdwCleaner
  2. Malwarebytes
  3. OTL
  4. aswMBR

when done malware removers will be notified

monitoring

Here are the logs

and the last log

Ok, Let’s hit this malware with two-step …

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.

How to disable avast:

[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.

[*]Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note:Do not mouse-click Combofix’s window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.

When the tool is finished, it will produce a log report for you. (typical location: C:[b]ComboFix.txt[/b] )
Attach log reports ( ComboFix.txt) back to topic.


Please download zoek.exe and save it to your desktop.

[*] Close any open browsers.

[*] Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.

[*] Double click on zoek.exe to run the tool .
Please wait while the tool does not start…

[*] Copy the text present inside the code box below and paste it into the large window in the zoek tool:



installedprogs;
filesrcm;
dwm.exe;z
C:\Users\Jack Foley\AppData\Local\Temp\iswizard;vs
startupall;
firefoxlook;
Chromelook;
skipfix-iedefaults;
silentrunners;


[*] Click on
http://www.mcshield.net/personal/magna86/Images/Run%20Script%20by%20zoek.png
button
Please wait until a logreport will open (this can be after reboot)

[*] Save notepad to your Desktop and attach here zoek-results.log

Note: It will also create a log in the C:\ directory named “zoek-results.log

Ok, here are the logs

[list]Hi,

Multiple Antivirus Programs

You are running more than 1 Antivirus program!

AV: avast! Antivirus Disabled/Updated
AV: AVG Internet Security 2013 Disabled/Updated

Running - more than one - antivirus program is not recommended because:
[*]They can conflict with each other.
[*]Report the other antivirus software as malicious.
[*]Antivirus programs use an enormous amount of computer’s resources… actively scanning your computer.
[*]Can cause your computer to become unstable…run slowly and even, in rare cases, BSOD crash…etc
I strongly suggest you uninstall one of them. Which one, is your decision.


Open notepad and copy/paste the text present inside the code box below:



Folder::
c:\users\Jack Foley\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk

DirLook::
c:\users\Jack Foley\.shsh
c:\users\Jack Foley\AppData\Roaming\redsn0w

FileLook::
c:\windows\system32\drivers\tapSF0901.sys

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSIDLL"=-

Driver::
vToolbarUpdater15.1.0

KillAll::

File::
c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.1.0\ToolbarUpdater.exe

RegNull::
[HKEY_USERS\S-1-5-21-3130723657-4083518555-1479036497-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1695CB16-A955-5ED1-79D1-F0D7D3560BA9}*]
"iamccjfjlmckbcdikg"=hex:69,61,63,67,64,6d,6c,65,6b,6f,63,6d,68,69,6f,62,62,6c,
   00,04
"hagdmjknmnfhpbdp"=hex:69,61,63,67,64,6d,6c,65,6b,6f,63,6d,68,69,6f,62,62,6c,
   00,00
"halbobggiflpihen"=hex:66,61,6f,66,69,68,61,64,62,6c,6c,68,00,f5

[HKEY_USERS\S-1-5-21-3130723657-4083518555-1479036497-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{537BD1E7-FE65-0D90-EEAB-65734BD8CA8F}*]
"iaehpfnnhmikbdnhmd"=hex:6a,61,6e,6d,65,6d,62,6e,65,64,68,6e,69,68,6b,68,6d,68,
   6f,6c,00,00
"haghfmdnhdehnmdg"=hex:6a,61,6e,6d,65,6d,62,6e,65,64,68,6e,69,68,6b,68,6d,68,
   6f,6c,00,00
"gapanhoimljpoe"=hex:6b,61,6b,6d,6f,69,67,64,6b,64,6a,70,65,62,61,6b,64,6b,6b,
   66,6c,6e,00,80


Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refering to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:[b]ComboFix.txt[/b] )


Re-run zoek.exe as you did before but use this script:

msitzk32.dll;z
msitzk32.dll;a
C:\Users\Jack Foley\AppData\Local\CrashDumps\dwm.exe.*.dmp;f
emptyalltemp;
autoclean;

Click on RunScript button and attach here fresh zoek log

Ok I uninstalled AVG and here are the logs.

Re-run this zoek script and attach here his fresh created log:

C:\Windows\SysWOW64\msitzk32.dll;f
startupall;
filesrcm;
firefoxlook;
chromelook;

Here is the log

  1. Delete all zoek logs ( delete all C:\zoek-results.log ). I don’t want to mix with fresh logs.

  2. Then run this zoek script:

hphibigbodkkohoglgfkddblldpfohjl;chr
C:\Program Files (x86)\TorrentHandler\TorrentHandler.crx;f
iswizard;z
iswizard;a

Download TDSSKiller and save it to your desktop

Execute [b]TDSSKiller.exe[/b] by doubleclicking on it.

[*] Press Start Scan

[*] If Suspicious object is detected, the default action will be Skip, click on Continue.
[*] If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root drive which is typically C:\ ,for example, [b]C:\TDSSKiller.<version_date_time>log.txt[/b]

Please post the contents of that log in your next reply.


How’s your computer runing now?

Here are the logs.

Its not crashing anymore and I haven’t gotten a pop-up from Avast telling me about the virus for two days.

Now run this zoek script:

[HKEY_USERS\S-1-5-21-3130723657-4083518555-1479036497-1000\Software\WinRAR\ArcHistory];r
"1"="";r
C:\Users\Jack Foley\AppData\Local\Temp\iswizard;f\
emptyalltemp;
autoclean;

… … … … … …

Open notepad and copy/paste the text present inside the code box below:



DeQuarantine::
C:\Qoobox\Quarantine\C\users\Jack Foley\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk
Quit::



Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refering to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:[b]ComboFix.txt[/b] )

Logs

Ok, that’s it.
It is necessary to uninstall ComboFix and other used tools:

[*] Click Start (or
http://amf.mycity.rs/pg/images/VistaStartButton.png
) then Run.

On Windows7 or Vista you may use Start Search field if Run is not available.

[*] In the line of text type in (Copy) the following:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

[*] then click OK (or press Enter ).

Wait for the uninstall process is complete.


Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes below;

[] Remove disinfection tools
[
] Create registry backup
[*] Purge System Restore

Now click on “Run” button. Wait for the programme completes his work.

Tool will create and open an log report (DelFix.txt)
Note: The report will also be stored on C:\DelFix.txt

I don’t need DelFix log report.


I recommended you to keep Malwarebytes and to use MCShield if you will.
You may download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

It will prevent infection by computer via USB flash drive, mobile phone or any other memory card.
And not only will prevent infection, but it will immediately clean flash drive, memory card or external HDD.

Ok, thank you so much for the help