Hey folks, My PC got infected by a bitcoin miner last night, which I only realised today. There was a suspicious "services and controller app.exe*32" process running, located under C:\Program Files\Windows Multimedia Platform\ . I scanned the aforementioned .exe with Avast, which reported it as a threat, so I killed the process and placed the file in quarantine. After this, I ran a check using up-to-date versions of both Malwarebytes' Anti-Malware and SuperAntispyware. Both scans came up clean. Then, I had HJT run a scan, just in case. I've had the log checked by 3 online sites, but I'm not 100% confident in those results, as some of the entries look fishy to me. I should point out that even though my PC seems to be running fine, I want to make sure that no-one is controlling it from the other part of the globe... All in all, could a kind and helpful (and expert...) soul take a look at the attached HJT log? I'm running Win 7 Ultimate x64. Thanks very much in advance.
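The indicator described in this post (a process named like a Windows system component but running from a folder under Program Files) can be checked for with a short triage script. This is an added example, not code from the thread or from any tool named in it; the list of system process names is a constructed sample, and the folder name comes from the post above.

```powershell
# Added example: flag running processes that mimic Windows system process
# names but run from outside %SystemRoot%, as the "services and controller
# app.exe" miner in this thread did. The name list is a constructed sample.

$systemRoot = $env:SystemRoot          # normally C:\Windows
$lookalikeNames = @(
    'services.exe', 'svchost.exe', 'csrss.exe', 'lsass.exe',
    'winlogon.exe', 'explorer.exe', 'dwm.exe',
    'services and controller app.exe'  # Task Manager description of services.exe used as a filename
)

function Get-SystemLookalikeProcess {
    # Win32_Process exposes the full image path and command line for every process.
    Get-CimInstance -ClassName Win32_Process |
        Where-Object {
            if (-not $_.ExecutablePath) { return $false }
            $nameMatch   = $lookalikeNames -contains $_.Name.ToLowerInvariant()
            $outsideRoot = -not $_.ExecutablePath.StartsWith($systemRoot, [StringComparison]::OrdinalIgnoreCase)
            # Folder named in this thread; treated as an indicator on its own.
            $threadDir   = $_.ExecutablePath -like '*\Windows Multimedia Platform\*'
            ($nameMatch -and $outsideRoot) -or $threadDir
        } |
        ForEach-Object {
            # An unsigned or invalidly signed binary with a system-like name is a strong indicator.
            $sig = Get-AuthenticodeSignature -FilePath $_.ExecutablePath
            [PSCustomObject]@{
                ProcessId   = $_.ProcessId
                Name        = $_.Name
                Path        = $_.ExecutablePath
                Signature   = $sig.Status
                Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                CommandLine = $_.CommandLine
            }
        }
}

# Run the check; an empty table means nothing matched.
Get-SystemLookalikeProcess | Format-Table -AutoSize
```

Run it from an elevated PowerShell so that processes of other users are visible; anything it lists should be quarantined and scanned rather than deleted outright, as the thread's advice does.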
Hi laputomi, HijackThis shows a lot of unknowns, but HJT has not been updated since Trend Micro bought it years ago. Let's get an updated look at your computer and go from there:

Scan with Farbar Recovery Scan Tool
Please download Farbar Recovery Scan Tool x64 and save it to your Desktop.
Right-click on the icon and select Run as Administrator to start the tool.
When the tool opens, click Yes to the disclaimer.
Make sure that the Addition option is checked.
Press the Scan button and wait.
The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
Please attach both logs to your next reply.

Please attach all reports using the button below. Doing this, you make it easier for me to analyze and fix your problem.
NOTE: All tools we use here are completely clean and do not contain any malware. If your antivirus detects them as malicious, please disable your antivirus and then continue.
2oG
Hi laputomi, I have Win 7 Ultimate 64-bit also. I would delete the following, followed by rebooting your PC:
BHO Groove Browser Helper
BHO URLRedirection
BHO HKUS S-1-5-19 (all four)
Extra Context Menu Item
HKLM TCPIP NameServer
HKUS RunOnce
HKUS Run
Service SystemRoot Unknown Owner (several entries)
Good Luck,
Hey 2oldGeek, Thanks for taking your precious time to deal with my issue. Please find the requested logs below. Many thanks for your kind help.
You are more than welcome.. You really don't have any problems, that is, no malware, but maybe a few system settings that need a touch; nothing to worry about... HJT is no longer a viable program. It is not updated and finds a lot of false positives.. Avast is the best free antivirus, IMHO, and backed with MBAM is a very good combination. SuperAntiSpyware, on the other hand, does not do much for you.. It doesn't hurt, but it's not kept up and misses almost all new malware. About the only thing I can recommend is to run a generic fix with Zoek, which should correct any system settings:

Scan with ZOEK
Please download ZOEK by Smeenk and save it to your desktop (preferred version is the *.exe one).
Please also download the attached script file, named zoekscript.txt.
Disable your AntiVirus and AntiSpyware programs, so they do not interfere with the running of Zoek.exe. You can find instructions on how to disable your security applications here.
Now, on your Desktop, drag and drop zoekscript.txt on Zoek.exe as shown below:
Please approve any UAC prompt to allow this action to proceed.
Answer Yes to the following prompt to allow the zoek script to run:
This action causes Zoek.exe to start automatically. Please be patient while Zoek is scanning.
When the tool finishes, the zoek-results.log is opened in Notepad. The log is also found on the system drive, normally C:\. If a reboot is needed, the log is opened after the reboot.
Please attach the zoek-results.log to your reply.

It's up to you to run Zoek. It's a generic cleaner and can't hurt...... let me know? 2oG
Hey mate, I've done the Zoek scan you asked for. Please find the log attached. My only gripe is that Speed Dial (a Chrome extension) has seemingly been disabled / deleted, along with all my quick-access bookmarks, so to speak. Any way to bring them back?
That's very strange... Unless Zoek for some reason considered them as bad..... I did have Zoek set a restore point before scanning, so you are able to go to System Restore and undo that fix... 2oG
Yeah, I've noticed that. I might try version 2 of Speed Dial and see if it works out well for me. If so, no problem. If it doesn't, I'll simply do a rollback. Many thanks for all your help, mate!
So, Speed Dial 2 works fine, and with some additional features too, so I don't mind the old one having been deleted. Once again, many thanks for your help, 2oldGeek; I owe you a beer! I'll mark this thread as "Solved".
Glad to hear that it worked out.. Usually when Zoek deletes something, there's a reason for it.. Surf safe, 2oG
You have to watch it with the old farts, as they can't handle their beer like they did when they were younger.
Oh, she loves me, keeps the fridge full of beer.. Says it keeps me off the streets and out of the red light district....
Old farts can't handle their beer? Next time you're in the sunny Okanagan, B.C., come look me up and we will see. lol