
Registered · 22 Posts · Discussion Starter · #1
Hello,

I suspect a possible very crafty Bitcoin miner. When I view videos on YouTube, after a few minutes of not moving my mouse the video starts to lag, and when I move my mouse it fixes itself in a bit.

I've tried both with latest Firefox version 45.0.2 with HTML5 player and on IE 10 with Flash Player. When I have Task Manager open in the background this doesn't happen.

If I leave my PC idle for a few minutes and then immediately check temps with Speccy, I see that my CPU is running a bit hot and especially my GPU was under load, but as soon as I've moved my mouse to open Speccy the temps begin to go down to idle ones. I have a GTX 960 and normally it idles at ~40 degrees C with the fans turned off; they turn on only under load, and I think I hear them turn on when my PC should be idle.

This issue appeared a few days ago, after I was trying to install a program and got a message: "operation did not complete successfully because the file contains a virus or potentially unwanted software". After some googling I took it as a false positive and turned off Windows Defender, but the .exe appeared corrupted so I just deleted it and found it from another source. I suspect this could be the source of the infection.

I suspect it's some very stealthy bitcoin miner that only turns itself on when the PC is idle and immediately shuts off when any mouse or keyboard input is detected; additionally, it detects when Task Manager is open and doesn't turn itself on, to avoid detection. I don't see any suspicious processes or new start-ups or tasks with obvious descriptions in Task Manager, but I am not sure. It could be a Trojan using a common name. I ran a Quick Scan in Windows Defender and it detected nothing. I did a custom scan on my C:\ drive and found nothing, and a partial scan on my other partition where I installed that app, but found nothing; however, I've heard bitcoin miners can avoid detection.

I need assistance in diagnosing, detecting and removing this virus, or info if it could be something else. At first I thought it was an issue with the newest version of Firefox or YouTube, but now I think the miner detects the lack of input during long videos and turns itself on, clogging up my GPU and making video playback tank. It usually happens after intervals of 2-3 minutes of video playback without other input.

Thank you in advance!
 

Registered · 1,859 Posts
Hello nddcndndd,

We need to see some information about what is happening in your machine. Therefore, we want all our members to perform the steps outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help - Tech Support Forum

After running through all the steps, you shall have a proper set of logs. Please post/attach the logs in your next reply.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.
 

Registered · 22 Posts · Discussion Starter · #3
I'm not sure I'm comfortable with doing all those steps.

I managed to locate the date and time of infection. I checked under
appdata/roaming/ and saw a "taskhost.exe" present in a few folders where it shouldn't belong, like in
/Steam
/Mobile Action (my smartphone manager app that I uninstalled long ago)
/Red Alert 3 (a video game save file folder)

All created on 13 April 2016 at around 18:28 to 18:34 - exactly the time when I was trying to use the "corrupted" installer. I'm certain now it's a bitcoin miner.

I had both Speccy and Task Manager open, left it idle for around 8 minutes, and nothing happened. Then I closed Task Manager, and after exactly 2 minutes of idle time my GPU temps began to skyrocket, then went back down the second I moved my mouse.

It's a type of miner that detects Task Manager and doesn't turn itself on, self-replicates or creates at least several copies, and runs only when detecting idle time (no input). I haven't really left my PC idle much since 13 April, but I did leave it on for about 2-4 hours once. Do you think it did damage to my GPU?

I don't trust scanner/remover software to do the job and not break something. I was hoping more on some pointers or articles on how to manually do the job and remove the files myself, delete the registry entries if present, check for a rootkit/back door and block IPs etc.
 

Registered · 22 Posts · Discussion Starter · #4
Okay, I think I removed it.

Since I know the exact day and time of infection, I did a file search and a folder search for files/folders created/modified on 13 April 2016 between 18:28 and 18:35, and for last week and this week.

I found only 3 "TaskHost.exe"s, all on the same day at around that time; I think the reason for that is that I tried running the infected installer 3 times. I also found the text log folder that the miner created and used, named CLR_v2.0, which didn't make much sense to me, even though similarly named folders from much older dates existed as well, like CLR_v2.0_32, CLR_v4.0 and CLR_v4.0_32.

Picture 1.

I found the process in Task Manager. Killed it, all the while being careful not to kill the legit TaskHost windows process. I disabled the start-up entry created by it. Deleted all 3 exes and CLR_v2.0 log folder.

Then I proceeded to search for and nuke all folders and files I could find created on that date from 18:28 to 18:35, as long as they weren't something I could make sense of, like WER\ReportArchive.

I found all these suspicious files.
Pictures 2 and 3 (make note of the misspelling, _shfoldr.dll instead of _shfolder):
Strangely, they were all in my AppData\Local\Temp folder, a folder that people clean periodically. I deleted them all.

Picture 4:
Lastly, I saw a copy of the .exe that infected me in the Temp folder. (underlined in red). I deleted almost all contents of the Temp folder.

After a restart and leaving it idle for 30 minutes, no abnormal activity or rise in temps was observed. I didn't do any registry editing, although I tried removing with regedit the start-up entry created by the Trojan, which after the .exe deletion got renamed to a blank "Mobile" with a blank publisher and "Disabled" status, but I couldn't find the registry entry for it. Can someone tell me an easy way to remove the entry completely without using CClean?

Hopefully, it was just an ordinary Trojan miner without any backdoors or more intrusive aspects. I didn't see any other folders/files created at the time of infection, or any other suspicious activity in the days after.

I'm making this post for Virus/Trojan Awareness and to show my exact problem. I wouldn't recommend anyone doing something similar if they don't know what they are doing. Don't use this as a guide.
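The post above walks through three checks by hand: files created inside a narrow time window, a copy of taskhost.exe sitting under AppData instead of System32, and a leftover autostart entry that Task Manager still shows as "Disabled". As an added example (not code from the thread or from any tool named in it), this PowerShell script runs those same checks read-only; it assumes PowerShell 4 or later on Windows, and the default window reuses the times quoted in the post as constructed values.

```powershell
# Added example, not code from the thread: a read-only triage pass for the
# pattern described in the post above. Assumes PowerShell 4+ on Windows; the
# default window reuses the times quoted in the post (constructed values).
param(
    [datetime]$Start = '2016-04-13 18:28',
    [datetime]$End   = '2016-04-13 18:35',
    [string[]]$Roots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP)
)

# 1. Everything created inside the window under user-writable roots.
Write-Host "== Files created between $Start and $End =="
Get-ChildItem -Path $Roots -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $Start -and $_.CreationTime -le $End } |
    Select-Object FullName, CreationTime, Length | Format-Table -AutoSize

# 2. Files named like a Windows system binary but living outside %SystemRoot%.
Write-Host "== taskhost*.exe outside $env:SystemRoot =="
Get-ChildItem -Path $Roots -Recurse -File -Force -Filter 'taskhost*.exe' -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -notlike "$env:SystemRoot\*" } |
    Select-Object FullName, CreationTime,
        @{ n = 'SHA256'; e = { (Get-FileHash -Algorithm SHA256 $_.FullName).Hash } } |
    Format-Table -AutoSize

# 3. Running processes with that name; the genuine one lives in System32.
Write-Host "== Running taskhost* processes =="
Get-Process -Name 'taskhost*' -ErrorAction SilentlyContinue |
    Select-Object Id, Name, Path | Format-Table -AutoSize

# 4. Per-user autostart entries: command, whether the target still exists, and
#    the Task Manager enable/disable flag kept under StartupApproved
#    (first byte 0x02 = enabled, 0x03 = disabled).
$run      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$approved = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run'
Write-Host "== HKCU Run entries =="
$runKey = Get-Item -Path $run -ErrorAction SilentlyContinue
foreach ($name in $runKey.GetValueNames()) {
    $cmd = $runKey.GetValue($name)
    # Heuristic: drop quotes and arguments so Test-Path sees only the executable.
    $exe  = ($cmd -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe)\b.*$', '$1'
    $flag = (Get-ItemProperty -Path $approved -Name $name -ErrorAction SilentlyContinue).$name
    $state = if (-not $flag) { 'n/a' } elseif ($flag[0] -eq 3) { 'Disabled' } else { 'Enabled' }
    [pscustomobject]@{
        Name         = $name
        Command      = $cmd
        TargetExists = Test-Path -LiteralPath $exe
        State        = $state
    }
}
```

An entry whose TargetExists is False is the orphaned kind the post describes; clearing it completely means a Remove-ItemProperty against each of the two keys above for that entry name, which this script deliberately does not do.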
 


Registered · 1,859 Posts
Hello nddcndndd,

Thanks for the information. Please do the steps below.

STEP 1

Please download AdwCleaner from here and save it to your desktop.

- Click the green 'Download now @bleepingcomputer' button.
- Run AdwCleaner and select Scan.
- Once the Scan is done, select Cleaning.
- Once done, it will ask to reboot; please allow the reboot.
- On reboot, a log will be produced. It can also be found at C:\AdwCleaner\AdwCleaner[C#].txt
- Please copy/paste the contents of the log in your next reply.


STEP 2

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.


- Double-click to run it. When the tool opens, click Yes to the disclaimer.
- Make sure the Addition.txt button is ticked.
- Press the Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
- The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.