Windows 7 Forums
Windows 7: someone harvesting bitcoin on my laptop


21 Dec 2012   #1

Windows 7 Home Premium x64
 
 
someone harvesting bitcoin on my laptop

Hello Everyone,

I was just informed on the Malwarebytes forum that I was hacked and that someone is using my laptop to harvest bitcoin. My laptop hardware info is in my profile. I'm experiencing a terrible start time, lagging throughout everything, and Mozilla freezes and lags terribly. Working on becoming a Whitehat but still new to the whole ordeal, so I am in need of serious help. Neither Avast nor M.S.E. were able to find anything. Spybot, on the other hand, found:

Code:
SweetIM: [SBI $A2B8532B] Settings (Registry key, nothing done)
HKEY_CLASSES_ROOT\AppID\priam_bho.DLL

SweetIM: [SBI $A2B8532B] Settings (Registry key, nothing done)
HKEY_CLASSES_ROOT\AppID\priam_bho.DLL

SweetIM: [SBI $9C9B9F12] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp


I ran cmd.exe and here is my current tasklist:

Code:
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0         24 K
System                           4 Services                   0      2,916 K
smss.exe                       400 Services                   0      1,228 K
csrss.exe                      556 Services                   0      7,272 K
wininit.exe                    600 Services                   0      4,672 K
csrss.exe                      624 Console                    1     43,064 K
services.exe                   660 Services                   0     10,648 K
lsass.exe                      680 Services                   0     12,968 K
lsm.exe                        692 Services                   0      4,524 K
svchost.exe                    800 Services                   0     10,484 K
svchost.exe                    892 Services                   0      9,808 K
MsMpEng.exe                    952 Services                   0     78,460 K
winlogon.exe                  1004 Console                    1      7,216 K
svchost.exe                    560 Services                   0     27,512 K
svchost.exe                    736 Services                   0    157,236 K
svchost.exe                   1036 Services                   0     53,024 K
svchost.exe                   1128 Services                   0      5,468 K
svchost.exe                   1160 Services                   0     20,012 K
svchost.exe                   1232 Services                   0     33,016 K
AvastSvc.exe                  1332 Services                   0      3,996 K
spoolsv.exe                   1448 Services                   0     13,792 K
svchost.exe                   1484 Services                   0     17,248 K
armsvc.exe                    1556 Services                   0      3,828 K
svchost.exe                   1588 Services                   0      8,944 K
AppleMobileDeviceService.     1612 Services                   0      9,088 K
ASO3DefragSrv64.exe           1700 Services                   0      4,892 K
mDNSResponder.exe             1744 Services                   0      5,968 K
svchost.exe                   1776 Services                   0     25,392 K
svchost.exe                   1816 Services                   0      3,904 K
LMIGuardianSvc.exe            1844 Services                   0      6,888 K
ramaint.exe                   1900 Services                   0      5,696 K
LMS.exe                       1924 Services                   0      5,272 K
LogMeIn.exe                   1948 Services                   0     26,028 K
lxdqcoms.exe                  1188 Services                   0      6,068 K
taskhost.exe                  2760 Console                    1     11,608 K
taskeng.exe                   2792 Console                    1      7,460 K
dwm.exe                       2884 Console                    1     68,768 K
explorer.exe                  2944 Console                    1    148,704 K
msseces.exe                   2512 Console                    1     19,460 K
igfxtray.exe                  2552 Console                    1      7,576 K
hkcmd.exe                     2812 Console                    1     17,048 K
igfxsrvc.exe                  2012 Console                    1      7,496 K
igfxpers.exe                   536 Console                    1     10,060 K
IAStorIcon.exe                2556 Console                    1     20,904 K
AvastUI.exe                   3152 Console                    1     16,796 K
sua.exe                       3324 Services                   0      3,948 K
TCPSVCS.EXE                   3384 Services                   0      5,224 K
svchost.exe                   3472 Services                   0      9,244 K
TODDSrv.exe                   3584 Services                   0      5,796 K
svchost.exe                   3616 Services                   0     10,024 K
SearchIndexer.exe             3640 Services                   0     47,824 K
IAStorDataMgrSvc.exe          3732 Services                   0     17,356 K
SMSvcHost.exe                 3968 Services                   0     22,552 K
NDSTray.exe                   2856 Console                    1      1,248 K
alg.exe                       4220 Services                   0      5,744 K
NisSrv.exe                    4264 Services                   0     13,744 K
CFSwMgr.exe                   4608 Console                    1        528 K
KeNotify.exe                  4776 Console                    1     10,032 K
svchost.exe                   4796 Services                   0     17,844 K
ToshibaServiceStation.exe     5036 Console                    1     64,860 K
wmpnetwk.exe                  5052 Services                   0     15,144 K
TMachInfo.exe                 3208 Services                   0     30,944 K
CFIWmxSvcs64.exe              4892 Services                   0      4,520 K
CFSvcs.exe                    3488 Services                   0      2,996 K
UNS.exe                       4352 Services                   0      8,944 K
svchost.exe                   2504 Services                   0      5,216 K
ielowutil.exe                 4068 Console                    1        528 K
taskhost.exe                  4216 Console                    1     17,088 K
SpybotSD.exe                  1880 Console                    1    124,084 K
firefox.exe                   3456 Console                    1    326,896 K
notepad.exe                   3008 Console                    1      8,528 K
WUDFHost.exe                  4256 Services                   0      7,608 K
Speccy64.exe                  3204 Console                    1     50,716 K
WmiPrvSE.exe                  1604 Services                   0     16,512 K
WmiPrvSE.exe                  5720 Services                   0     28,592 K
WmiPrvSE.exe                  6052 Services                   0     10,888 K
Speccy64.exe                  3576 Console                    1     51,948 K
cmd.exe                       5376 Console                    1      3,820 K
conhost.exe                   5288 Console                    1      6,748 K
tasklist.exe                  1888 Console                    1        6,816

Not sure what to do from here or what to post. Please just point the way and I'll do whatever.

Thank you in advance


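The tasklist output in the post above shows memory use only, which is the wrong axis for a suspected miner: mining is a CPU load, and the process doing it may well be small. The script below is an added example, not code from the thread or from any of the tools mentioned in it. It ranks running processes by accumulated CPU time, resolves each one to its on-disk binary and Authenticode signature status, and flags the ones that are both CPU-heavy and either unsigned or running from a user-writable folder. It uses only cmdlets present in PowerShell 2.0 on Windows 7 (`Get-Process`, `Get-WmiObject Win32_Process`, `Get-AuthenticodeSignature`); the five-CPU-minute threshold and the folder list are assumptions chosen for this example, not anything the thread specifies.

```powershell
# Added example, not from the thread: rank running processes by CPU time and note
# where each binary lives and whether it carries a valid Authenticode signature.
# Read-only. Run from an elevated PowerShell prompt on Windows 7 (PowerShell 2.0+).

$cpuMinuteThreshold = 5   # assumption: flag anything past 5 CPU-minutes since it started

function Test-UserWritablePath([string]$Path) {
    # Legitimate services rarely run from profile or temp folders; unwanted software often does.
    # Folder list is an assumption for this example.
    foreach ($d in '\AppData\', '\Temp\', '\ProgramData\', '\Users\Public\', '\Downloads\') {
        if ($Path -like "*$d*") { return $true }
    }
    return $false
}

function Get-ProcessTriage {
    # WMI supplies ExecutablePath/CommandLine even where Get-Process cannot open the handle.
    $wmi = @{}
    Get-WmiObject Win32_Process | ForEach-Object { $wmi[[int]$_.ProcessId] = $_ }

    foreach ($p in Get-Process) {
        $w = $wmi[[int]$p.Id]
        $path = $p.Path
        if ($w -and $w.ExecutablePath) { $path = $w.ExecutablePath }

        # Signature status: Valid, NotSigned, HashMismatch, UnknownError, ... or 'unknown' if unreadable.
        $sig = 'unknown'
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = [string](Get-AuthenticodeSignature -FilePath $path).Status
        }

        # CPU is total processor seconds since the process started; blank for protected processes.
        $cpuMin = 0.0
        if ($p.CPU) { $cpuMin = [math]::Round($p.CPU / 60, 1) }

        $cmd = $null
        if ($w) { $cmd = $w.CommandLine }

        $suspect = ($cpuMin -gt $cpuMinuteThreshold) -and
                   ($sig -ne 'Valid' -or (Test-UserWritablePath $path))

        New-Object PSObject -Property @{
            Name = $p.ProcessName; PID = $p.Id; CpuMinutes = $cpuMin
            Signature = $sig; Suspect = $suspect; Path = $path; CommandLine = $cmd
        } | Select-Object Name, PID, CpuMinutes, Signature, Suspect, Path, CommandLine
    }
}

$triage = Get-ProcessTriage

"Top CPU consumers:"
$triage | Sort-Object CpuMinutes -Descending | Select-Object -First 15 |
    Format-Table Name, PID, CpuMinutes, Signature, Path -AutoSize

"Suspect (CPU-heavy and unsigned, or running from a user-writable folder):"
$triage | Where-Object { $_.Suspect } |
    Format-List Name, PID, CpuMinutes, Signature, Path, CommandLine
```

A valid signature is not proof of innocence and an unsigned binary is not proof of guilt; the list is a triage order, not a verdict. Run it a second time after a few minutes of idle time: a miner keeps accumulating CPU while the machine is untouched, which is the behaviour the original poster describes (lag throughout everything) and which no memory column can show.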

21 Dec 2012   #2

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1 Pro
 
 

Doing a Google search, SweetIM is listed as a toolbar and comes up for the majority as probable spyware. Click on this link and follow the directions for running this tool: (AdWareCleaner)

How do I get rid of "Whitesmoke Toolbar" and conduit search engine?

Follow up by d/l'ing & running Windows Offline Defender to be sure it hasn't introduced anything else into your system. Be sure you make this on a clean PC, as making it on an infected one can compromise the integrity of the scanner.
21 Dec 2012   #3

Windows 7 Home Premium x64
 
 

Thank you much! Working on "whitesmoke" as we speak. Will keep posted.


21 Dec 2012   #4

Windows 7 Home Premium x64
 
 

Ha, slight complication. I do not have access to a clean computer for Win Offline Defender. Then again, I am not at that step quite yet.
21 Dec 2012   #5

Windows 7 Home Premium x64
 
 

Code:
# AdwCleaner v2.101 - Logfile created 12/21/2012 at 14:34:59
# Updated 16/12/2012 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Merlin - ARCHIMEDES
# Boot Mode : Normal
# Running from : C:\Users\Merlin\Downloads\AdwCleaner.exe
# Option [Delete]
 
 
***** [Services] *****
 
Stopped & Deleted : WajamUpdater
 
***** [Files / Folders] *****
 
File Deleted : C:\Users\Merlin\AppData\Roaming\Mozilla\Firefox\Profiles\jdrw4fxk.default\searchplugins\Web Search.xml
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\ProgramData\Partner
Folder Deleted : C:\Users\Merlin\AppData\Local\Conduit
Folder Deleted : C:\Users\Merlin\AppData\Local\Wajam
Folder Deleted : C:\Users\Merlin\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Merlin\AppData\Roaming\OpenCandy
 
***** [Registry] *****
 
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}
Key Deleted : HKCU\Software\Wajam
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{006EE092-9658-4FD6-BD8E-A21A348E59F5}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}
Key Deleted : HKLM\SOFTWARE\Classes\wajam.WajamBHO
Key Deleted : HKLM\SOFTWARE\Classes\wajam.WajamBHO.1
Key Deleted : HKLM\SOFTWARE\Classes\wajam.WajamDownloader
Key Deleted : HKLM\SOFTWARE\Classes\wajam.WajamDownloader.1
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\Iminent
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASMANCS
Key Deleted : HKLM\Software\Wajam
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\jplinpmadfkdgipabgcdchbdikologlh
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{006EE092-9658-4FD6-BD8E-A21A348E59F5}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}
Key Deleted : HKLM\SOFTWARE\Software
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{AE07101B-46D4-4A98-AF68-0333EA26E113}]
 
***** [Internet Browsers] *****
 
-\\ Internet Explorer v9.0.8112.16421
 
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Default_Page_URL] = hxxp://isearch.glarysoft.com/?src=iehome --> hxxp://www.google.com
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Default_Search_URL] = hxxp://isearch.glarysoft.com/?src=iesearch --> hxxp://www.google.com
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Search - Default_Search_URL] = hxxp://feed.helperbar.com/?publisher=OPENCANDY&dpid=OPENCANDYAPRIL&co=US&userid=26d8c390-fcf9-45c8-bc53-488b53e15fab&affid=110774&searchtype=ds&babsrc=lnkry&q={searchTerms} --> hxxp://www.google.com
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Search - SearchAssistant] = hxxp://feed.helperbar.com/?publisher=OPENCANDY&dpid=OPENCANDYAPRIL&co=US&userid=26d8c390-fcf9-45c8-bc53-488b53e15fab&affid=110774&searchtype=ds&babsrc=lnkry&q={searchTerms} --> hxxp://www.google.com
Replaced : [HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main - Start Page] = hxxp://isearch.glarysoft.com/?src=iehome --> hxxp://www.google.com
 
-\\ Mozilla Firefox v17.0.1 (en-US)
 
Profile name : default 
File : C:\Users\Merlin\AppData\Roaming\Mozilla\Firefox\Profiles\jdrw4fxk.default\prefs.js
 
C:\Users\Merlin\AppData\Roaming\Mozilla\Firefox\Profiles\jdrw4fxk.default\user.js ... Deleted !
 
Deleted : user_pref("browser.search.selectedEngine", "Ask.com");
Deleted : user_pref("browser.search.order.1", "Ask.com");
Deleted : user_pref("browser.search.defaultengine", "Ask.com");
Deleted : user_pref("browser.search.defaultenginename", "Ask.com");
Deleted : user_pref("extensions.asktb.ff-original-keyword-url", "");
 
Profile name : default-1352467417422 [Profil par défaut]
File : C:\Users\Merlin\AppData\Roaming\Mozilla\Firefox\Profiles\7731e0oi.default-1352467417422\prefs.js
 
[OK] File is clean.
 
*************************
 
AdwCleaner[R1].txt - [6038 octets] - [21/12/2012 14:33:54]
AdwCleaner[S1].txt - [6234 octets] - [21/12/2012 14:34:59]
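The AdwCleaner log above is a list of exactly where this kind of toolbar bundle persists: Browser Helper Object CLSIDs under `Explorer\Browser Helper Objects` (with a `Wow6432Node` twin on x64), Chrome force-install keys under `Google\Chrome\Extensions` (the SweetIM hit from Spybot), Internet Explorer `SearchScopes` pointing at a third-party feed, and a Firefox `user.js` that re-pins the search engine on every start. The script below is an added example, not from the thread and not part of AdwCleaner; it re-reads those same locations read-only so that anything which reappears after a reboot is visible. It uses only standard registry-provider cmdlets available in PowerShell 2.0 on Windows 7. The list of trusted search hosts and the rule that a Chrome entry is expected only when it points at Google's own update service are assumptions chosen for this example.

```powershell
# Added example, not from the thread or from AdwCleaner: read-only audit of the browser
# persistence locations the AdwCleaner log cleaned. Run from an elevated PowerShell prompt.

# Assumption: search URLs on these hosts are expected; anything else is flagged.
$trustedSearchHosts = @('www.google.com', 'www.bing.com')

function New-Finding($Type, $Key, $Name, $Target, $Flag) {
    New-Object PSObject -Property @{ Type = $Type; Key = $Key; Name = $Name; Target = $Target; Flag = $Flag } |
        Select-Object Type, Key, Name, Target, Flag
}

function Test-OutsideProgramDirs([string]$Path) {
    # A DLL living outside Program Files / Windows deserves a second look.
    if (-not $Path) { return $false }
    $p = [Environment]::ExpandEnvironmentVariables($Path).Trim('"')
    return -not (($p -like "$env:ProgramFiles\*") -or
                 ($p -like "${env:ProgramFiles(x86)}\*") -or
                 ($p -like "$env:SystemRoot\*"))
}

function Get-BhoFindings {
    # Every CLSID under these keys is loaded into Internet Explorer; resolve each to its DLL.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($k in Get-ChildItem $root) {
            $clsid = $k.PSChildName; $name = $null; $dll = $null
            foreach ($clsRoot in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID') {
                $cls = Join-Path $clsRoot $clsid
                if (-not (Test-Path $cls)) { continue }
                $name = (Get-ItemProperty $cls).'(default)'
                if (Test-Path "$cls\InprocServer32") { $dll = (Get-ItemProperty "$cls\InprocServer32").'(default)' }
                break
            }
            New-Finding 'BHO' $clsid $name $dll (Test-OutsideProgramDirs $dll)
        }
    }
}

function Get-ChromeExtensionFindings {
    # Subkeys here make Chrome install an extension by ID without asking.
    foreach ($root in 'HKLM:\SOFTWARE\Google\Chrome\Extensions', 'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions') {
        if (-not (Test-Path $root)) { continue }
        foreach ($k in Get-ChildItem $root) {
            $v = Get-ItemProperty $k.PSPath
            $target = $v.path
            if ($v.update_url) { $target = $v.update_url }
            # Assumption: only entries served by Google's own update service are expected.
            $flag = -not ($target -like 'https://clients2.google.com/*')
            New-Finding 'ChromeExt' $k.PSChildName $null $target $flag
        }
    }
}

function Get-SearchScopeFindings {
    foreach ($root in 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes',
                      'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes') {
        if (-not (Test-Path $root)) { continue }
        foreach ($k in Get-ChildItem $root) {
            $v = Get-ItemProperty $k.PSPath
            $flag = $true
            if ($v.URL) { try { $flag = $trustedSearchHosts -notcontains ([Uri]$v.URL).Host } catch { } }
            New-Finding 'SearchScope' $k.PSChildName $v.DisplayName $v.URL $flag
        }
    }
}

function Get-FirefoxUserJsFindings {
    # user.js forces preferences on every start; hijackers use it to pin a search engine.
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (-not (Test-Path $profiles)) { return }
    foreach ($f in Get-ChildItem $profiles -Recurse -Filter user.js) {
        New-Finding 'FirefoxUserJs' $f.Directory.Name 'user.js' $f.FullName $true
    }
}

$findings = @(Get-BhoFindings) + @(Get-ChromeExtensionFindings) + @(Get-SearchScopeFindings) + @(Get-FirefoxUserJsFindings)
$findings | Format-Table Type, Key, Name, Flag, Target -AutoSize -Wrap
"Flagged entries: " + @($findings | Where-Object { $_.Flag }).Count
```

Run it once right after the cleanup and once after a reboot; a flagged entry that comes back means something still on the machine is re-creating it, which is the case the later replies in this thread are worried about when they recommend a rootkit scan and, failing that, a clean install.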
21 Dec 2012   #6

Windows 7 Home Premium x64
 
 

Did a full scan with mwbytes. The only thing that came up was:

ca_setup.exe (PUP.PasswordTool)

Removing that currently. Was going to run TDSSKiller.exe but if anyone has suggestions, it would be wonderful.
21 Dec 2012   #7
whs
Microsoft MVP

Vista, Windows7, Mint Mate, Zorin, Windows 8
 
 

You will really only be sure that you got rid of this bugger if you do a clean reinstall. And before you save your own files, run them thru here: https://www.virustotal.com/
22 Dec 2012   #8

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1 Pro
 
 

Looks like you had a lot of toolbars. I'm guessing you got these when you installed some of your programs. You have to be cautious when installing any program as a lot of them come bundled with toolbars/programs. Be sure to watch the installation windows and uncheck any toolbar/software options.

Best to run TDSSKiller just to be sure none of those introduced a rootkit. And run Windows Defender Offline as soon as you've made it on a clean PC. Be aware that if any rootkit is found, your best option will be to do a clean install.

As whs pointed out, once your system has been compromised the only 100% way to be sure you got it all is to do a clean install.
22 Dec 2012   #9

Windows 7 Home Premium x64
 
 

Good afternoon! Thank you so much for taking the time to work with me, Borg 686 and whs! I ran a few things in safe mode with networking (have had a sneaky feeling it might have been wrong to have the networking) and will post up the logs. The programs helped tremendously and https://www.virustotal.com is a gem. Afraid to say that I think the culprit might be more devious than normal, because I am exceedingly meticulous about not installing extras: I carelessly installed the Babylon one a while ago when I was pushing 72 hours awake, and after manually cleaning it up, I have yet to forget the tedious pain the cleanup took. Without further ado, the logs:
22 Dec 2012   #10

Windows 7 Home Premium x64
 
 

OH! Forgot to ask a question before I post logs. I had the idea to do this since I do not have any access whatsoever to a clean computer.

  • Boot into safe mode with networking.
  • Download and install a VirtualBox (Suggestions for what to run inside are needed. I was just going to do the most readily available Linux distribution).
  • Once the VirtualBox is ready and an OS is setup in Safe Mode with Networking, download the Win Offline Defender and make a bootable CD or Flash drive with it.


Theoretically, the idea sounded great to me and fun to test, but I do not have the knowledge, nor the experience, to know if that would even be a "clean" environment, much less if any other minute or grandiose factors/variables apply. Some that I can think of would be: Is downloading and installing/setting up VirtualBox even possible in Safe Mode with Networking? Would making a bootable CD or flash drive be possible in S.M.w.N.? Even if the environment inside of the VB, which would be inside of S.M.w.N., ended up being "clean," would the download still be a failure as a result of coming from the internet, which my infected computer has had plenty of time to be a part of? Should the download prove to be in a .zip or similar format proven to be clean by various scans, even if the environment was clean or infected, could a switch from Safe Mode with Networking to Safe Mode allow the extraction and creation of the bootable item to remain clean? Last, if the computer was known to have been infected, could it even be trusted to test any of the previous ideas, or should one say lesson learned, do a clean Win install, and post to make others aware of the new information?



Think I might post this for everyone to take a swing at and share experience/ideas or dismiss while laughing at me.