someone harvesting bitcoin on my laptop


  1. Posts : 15
    Windows 7 Home Premium x64
       #1

    someone harvesting bitcoin on my laptop


    Hello Everyone,

    I was just informed on the Malwarebytes forum that I was hacked and that someone is using my laptop to harvest bitcoin. My laptop hardware info is in my profile. I experience a terrible start time and lag throughout everything; Mozilla freezes and lags terribly. I am working on becoming a whitehat but am still new to the whole ordeal, so I am in need of serious help. Neither Avast nor M.S.E. was able to find anything. Spybot, on the other hand, found:





    SweetIM: [SBI $A2B8532B] Settings (Registry key, nothing done)
    HKEY_CLASSES_ROOT\AppID\priam_bho.DLL

    SweetIM: [SBI $A2B8532B] Settings (Registry key, nothing done)
    HKEY_CLASSES_ROOT\AppID\priam_bho.DLL

    SweetIM: [SBI $9C9B9F12] Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp





    I ran cmd.exe and here is my current tasklist:



    Image Name PID Session Name Session# Mem Usage
    ========================= ======== ================ =========== ============
    System Idle Process 0 Services 0 24 K
    System 4 Services 0 2,916 K
    smss.exe 400 Services 0 1,228 K
    csrss.exe 556 Services 0 7,272 K
    wininit.exe 600 Services 0 4,672 K
    csrss.exe 624 Console 1 43,064 K
    services.exe 660 Services 0 10,648 K
    lsass.exe 680 Services 0 12,968 K
    lsm.exe 692 Services 0 4,524 K
    svchost.exe 800 Services 0 10,484 K
    svchost.exe 892 Services 0 9,808 K
    MsMpEng.exe 952 Services 0 78,460 K
    winlogon.exe 1004 Console 1 7,216 K
    svchost.exe 560 Services 0 27,512 K
    svchost.exe 736 Services 0 157,236 K
    svchost.exe 1036 Services 0 53,024 K
    svchost.exe 1128 Services 0 5,468 K
    svchost.exe 1160 Services 0 20,012 K
    svchost.exe 1232 Services 0 33,016 K
    AvastSvc.exe 1332 Services 0 3,996 K
    spoolsv.exe 1448 Services 0 13,792 K
    svchost.exe 1484 Services 0 17,248 K
    armsvc.exe 1556 Services 0 3,828 K
    svchost.exe 1588 Services 0 8,944 K
    AppleMobileDeviceService. 1612 Services 0 9,088 K
    ASO3DefragSrv64.exe 1700 Services 0 4,892 K
    mDNSResponder.exe 1744 Services 0 5,968 K
    svchost.exe 1776 Services 0 25,392 K
    svchost.exe 1816 Services 0 3,904 K
    LMIGuardianSvc.exe 1844 Services 0 6,888 K
    ramaint.exe 1900 Services 0 5,696 K
    LMS.exe 1924 Services 0 5,272 K
    LogMeIn.exe 1948 Services 0 26,028 K
    lxdqcoms.exe 1188 Services 0 6,068 K
    taskhost.exe 2760 Console 1 11,608 K
    taskeng.exe 2792 Console 1 7,460 K
    dwm.exe 2884 Console 1 68,768 K
    explorer.exe 2944 Console 1 148,704 K
    msseces.exe 2512 Console 1 19,460 K
    igfxtray.exe 2552 Console 1 7,576 K
    hkcmd.exe 2812 Console 1 17,048 K
    igfxsrvc.exe 2012 Console 1 7,496 K
    igfxpers.exe 536 Console 1 10,060 K
    IAStorIcon.exe 2556 Console 1 20,904 K
    AvastUI.exe 3152 Console 1 16,796 K
    sua.exe 3324 Services 0 3,948 K
    TCPSVCS.EXE 3384 Services 0 5,224 K
    svchost.exe 3472 Services 0 9,244 K
    TODDSrv.exe 3584 Services 0 5,796 K
    svchost.exe 3616 Services 0 10,024 K
    SearchIndexer.exe 3640 Services 0 47,824 K
    IAStorDataMgrSvc.exe 3732 Services 0 17,356 K
    SMSvcHost.exe 3968 Services 0 22,552 K
    NDSTray.exe 2856 Console 1 1,248 K
    alg.exe 4220 Services 0 5,744 K
    NisSrv.exe 4264 Services 0 13,744 K
    CFSwMgr.exe 4608 Console 1 528 K
    KeNotify.exe 4776 Console 1 10,032 K
    svchost.exe 4796 Services 0 17,844 K
    ToshibaServiceStation.exe 5036 Console 1 64,860 K
    wmpnetwk.exe 5052 Services 0 15,144 K
    TMachInfo.exe 3208 Services 0 30,944 K
    CFIWmxSvcs64.exe 4892 Services 0 4,520 K
    CFSvcs.exe 3488 Services 0 2,996 K
    UNS.exe 4352 Services 0 8,944 K
    svchost.exe 2504 Services 0 5,216 K
    ielowutil.exe 4068 Console 1 528 K
    taskhost.exe 4216 Console 1 17,088 K
    SpybotSD.exe 1880 Console 1 124,084 K
    firefox.exe 3456 Console 1 326,896 K
    notepad.exe 3008 Console 1 8,528 K
    WUDFHost.exe 4256 Services 0 7,608 K
    Speccy64.exe 3204 Console 1 50,716 K
    WmiPrvSE.exe 1604 Services 0 16,512 K
    WmiPrvSE.exe 5720 Services 0 28,592 K
    WmiPrvSE.exe 6052 Services 0 10,888 K
    Speccy64.exe 3576 Console 1 51,948 K
    cmd.exe 5376 Console 1 3,820 K
    conhost.exe 5288 Console 1 6,748 K
    tasklist.exe 1888 Console 1 6,816



    Not sure what to do from here or what to post. Please just point the way and I'll do whatever.

    Thank you in advance
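As an added illustration (not code from the poster or from the forum), here is the first-pass triage a helper would do on a tasklist like the one above: parse the whitespace-collapsed output, list image names that are not core Windows 7 processes (the ones worth looking up), flag core names running in an unexpected session (a process calling itself svchost.exe in the user's Console session is a classic disguise), and sum memory per image name. The baseline dictionary and the row with PID 6100 are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# One tasklist row after the forum collapsed its whitespace (as in the post above):
# image name (may contain spaces), PID, session name, session number, memory in K.
ROW = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<session>\S+)\s+"
                 r"(?P<snum>\d+)\s+(?P<mem>[\d,]+)(?:\s+K)?$")
# Windows 7 core processes and the session each normally runs in. This baseline is an
# assumption made for the example and is deliberately small; csrss.exe is left out
# because it legitimately runs in both the Services and the Console session.
BASELINE = {
    "System Idle Process": "Services", "System": "Services", "smss.exe": "Services",
    "wininit.exe": "Services", "services.exe": "Services", "lsass.exe": "Services",
    "lsm.exe": "Services", "svchost.exe": "Services", "spoolsv.exe": "Services",
    "winlogon.exe": "Console", "dwm.exe": "Console", "explorer.exe": "Console",
}
# Sample input: rows copied from the poster's tasklist plus one constructed row
# (PID 6100) that shows what a svchost.exe in the user's Console session looks like.
SAMPLE = """\
Image Name PID Session Name Session# Mem Usage
System Idle Process 0 Services 0 24 K
svchost.exe 800 Services 0 10,484 K
csrss.exe 624 Console 1 43,064 K
svchost.exe 736 Services 0 157,236 K
LogMeIn.exe 1948 Services 0 26,028 K
firefox.exe 3456 Console 1 326,896 K
svchost.exe 6100 Console 1 120,000 K
tasklist.exe 1888 Console 1 6,816
"""

def parse_tasklist(text):
    """Turn collapsed tasklist output into dicts; header and rule lines do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({"image": m["image"], "pid": int(m["pid"]),
                         "session": m["session"], "mem_k": int(m["mem"].replace(",", ""))})
    return rows

def triage(rows):
    """Images not in the baseline (to look up), baseline images in an unexpected
    session (masquerading sign), and memory summed per image name in K."""
    unknown = sorted({r["image"] for r in rows
                      if r["image"] not in BASELINE and r["image"] != "csrss.exe"})
    wrong_session = [(r["image"], r["pid"], r["session"]) for r in rows
                     if BASELINE.get(r["image"], r["session"]) != r["session"]]
    mem = defaultdict(int)
    for r in rows:
        mem[r["image"]] += r["mem_k"]
    return unknown, wrong_session, dict(mem)
```

Plain tasklist output carries no CPU figures, so this only narrows the list; a miner is confirmed by CPU time and network behaviour, not by the name alone.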


  2. Posts : 7,781
    Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
       #2

    Doing a Google search, SweetIM is listed as a toolbar and comes up for the majority as probable spyware. Click on this link and follow the directions for running this tool: (AdWareCleaner)

    How do I get rid of "Whitesmoke Toolbar" and conduit search engine?

    Follow up by downloading and running Windows Offline Defender to be sure it hasn't introduced anything else into your system. Be sure you make this on a clean PC, as making it on an infected one can compromise the integrity of the scanner.


  3. Posts : 15
    Windows 7 Home Premium x64
    Thread Starter
       #3

    Thank you much! Working on "whitesmoke" as we speak. Will keep posted.


  4. Posts : 15
    Windows 7 Home Premium x64
    Thread Starter
       #4

    Ha, slight complication. I do not have access to a clean computer for Win Offline Defender. Then again, I am not at that step quite yet.


  5. Posts : 15
    Windows 7 Home Premium x64
    Thread Starter
       #5

    Code:
    # AdwCleaner v2.101 - Logfile created 12/21/2012 at 14:34:59
    # Updated 16/12/2012 by Xplode
    # Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
    # User : Merlin - ARCHIMEDES
    # Boot Mode : Normal
    # Running from : C:\Users\Merlin\Downloads\AdwCleaner.exe
    # Option [Delete]
     
     
    ***** [Services] *****
     
    Stopped & Deleted : WajamUpdater
     
    ***** [Files / Folders] *****
     
    File Deleted : C:\Users\Merlin\AppData\Roaming\Mozilla\Firefox\Profiles\jdrw4fxk.default\searchplugins\Web Search.xml
    Folder Deleted : C:\Program Files (x86)\Conduit
    Folder Deleted : C:\ProgramData\Partner
    Folder Deleted : C:\Users\Merlin\AppData\Local\Conduit
    Folder Deleted : C:\Users\Merlin\AppData\Local\Wajam
    Folder Deleted : C:\Users\Merlin\AppData\LocalLow\Conduit
    Folder Deleted : C:\Users\Merlin\AppData\Roaming\OpenCandy
     
    ***** [Registry] *****
     
    Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
    Key Deleted : HKCU\Software\Conduit
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}
    Key Deleted : HKCU\Software\Wajam
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{006EE092-9658-4FD6-BD8E-A21A348E59F5}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
    Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}
    Key Deleted : HKLM\SOFTWARE\Classes\wajam.WajamBHO
    Key Deleted : HKLM\SOFTWARE\Classes\wajam.WajamBHO.1
    Key Deleted : HKLM\SOFTWARE\Classes\wajam.WajamDownloader
    Key Deleted : HKLM\SOFTWARE\Classes\wajam.WajamDownloader.1
    Key Deleted : HKLM\Software\Conduit
    Key Deleted : HKLM\Software\Iminent
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASAPI32
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASMANCS
    Key Deleted : HKLM\Software\Wajam
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\jplinpmadfkdgipabgcdchbdikologlh
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{006EE092-9658-4FD6-BD8E-A21A348E59F5}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}
    Key Deleted : HKLM\SOFTWARE\Software
    Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{AE07101B-46D4-4A98-AF68-0333EA26E113}]
     
    ***** [Internet Browsers] *****
     
    -\\ Internet Explorer v9.0.8112.16421
     
    Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Default_Page_URL] = hxxp://isearch.glarysoft.com/?src=iehome --> hxxp://www.google.com
    Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Default_Search_URL] = hxxp://isearch.glarysoft.com/?src=iesearch --> hxxp://www.google.com
    Replaced : [HKCU\Software\Microsoft\Internet Explorer\Search - Default_Search_URL] = hxxp://feed.helperbar.com/?publisher=OPENCANDY&dpid=OPENCANDYAPRIL&co=US&userid=26d8c390-fcf9-45c8-bc53-488b53e15fab&affid=110774&searchtype=ds&babsrc=lnkry&q={searchTerms} --> hxxp://www.google.com
    Replaced : [HKCU\Software\Microsoft\Internet Explorer\Search - SearchAssistant] = hxxp://feed.helperbar.com/?publisher=OPENCANDY&dpid=OPENCANDYAPRIL&co=US&userid=26d8c390-fcf9-45c8-bc53-488b53e15fab&affid=110774&searchtype=ds&babsrc=lnkry&q={searchTerms} --> hxxp://www.google.com
    Replaced : [HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main - Start Page] = hxxp://isearch.glarysoft.com/?src=iehome --> hxxp://www.google.com
     
    -\\ Mozilla Firefox v17.0.1 (en-US)
     
    Profile name : default 
    File : C:\Users\Merlin\AppData\Roaming\Mozilla\Firefox\Profiles\jdrw4fxk.default\prefs.js
     
    C:\Users\Merlin\AppData\Roaming\Mozilla\Firefox\Profiles\jdrw4fxk.default\user.js ... Deleted !
     
    Deleted : user_pref("browser.search.selectedEngine", "Ask.com");
    Deleted : user_pref("browser.search.order.1", "Ask.com");
    Deleted : user_pref("browser.search.defaultengine", "Ask.com");
    Deleted : user_pref("browser.search.defaultenginename", "Ask.com");
    Deleted : user_pref("extensions.asktb.ff-original-keyword-url", "");
     
    Profile name : default-1352467417422 [Profil par défaut]
    File : C:\Users\Merlin\AppData\Roaming\Mozilla\Firefox\Profiles\7731e0oi.default-1352467417422\prefs.js
     
    [OK] File is clean.
     
    *************************
     
    AdwCleaner[R1].txt - [6038 octets] - [21/12/2012 14:33:54]
    AdwCleaner[S1].txt - [6234 octets] - [21/12/2012 14:34:59]


  6. Posts : 15
    Windows 7 Home Premium x64
    Thread Starter
       #6

    Did a full scan with mwbytes. The only thing that came up was:

    ca_setup.exe (PUP.PasswordTool)

    Removing that currently. Was going to run TDSSKiller.exe but if anyone has suggestions, it would be wonderful.


  7. whs
    Posts : 26,210
    Vista, Windows7, Mint Mate, Zorin, Windows 8
       #7

    You will really only be sure that you got rid of this bugger if you do a clean reinstall. And before you save your own files, run them through here: https://www.virustotal.com/


  8. Posts : 7,781
    Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
       #8

    Looks like you had a lot of toolbars. I'm guessing you got these when you installed some of your programs. You have to be cautious when installing any program as a lot of them come bundled with toolbars/programs. Be sure to watch the installation windows and uncheck any toolbar/software options.

    Best to run TDSSKiller just to be sure none of those introduced a rootkit. And run Windows Defender Offline as soon as you've made it on a clean PC. Be aware that if any rootkit is found, your best option will be to do a clean install.

    As whs pointed out, once your system has been compromised the only 100% way to be sure you got it all is to do a clean install.


  9. Posts : 15
    Windows 7 Home Premium x64
    Thread Starter
       #9

    Good afternoon! Thank you so much for taking the time to work with me, Borg 686 and whs! I ran a few things in safe mode with networking (have had a sneaky feeling it might have been wrong to have the networking) and will post up the logs. The programs helped tremendously and https://www.virustotal.com is a gem. Afraid to say that I think the culprit might be more devious than normal, because I am exceedingly meticulous about not installing extras: I carelessly installed the Babylon one a while ago when I was pushing 72 hours awake, and after manually cleaning it up, I have yet to forget the tedious pain the cleanup took. Without further ado, the logs:


  10. Posts : 15
    Windows 7 Home Premium x64
    Thread Starter
       #10

    OH! Forgot to ask a question before I post logs. I had the idea to do this since I do not have any access whatsoever to a clean computer.


    • Boot into safe mode with networking.
    • Download and install a VirtualBox (Suggestions for what to run inside are needed. I was just going to do the most readily available Linux distribution).
    • Once the VirtualBox is ready and an OS is setup in Safe Mode with Networking, download the Win Offline Defender and make a bootable CD or Flash drive with it.



    Theoretically, the idea sounded great to me and fun to test, but I do not have the knowledge nor the experience to know if that would even be a "clean" environment, much less if any other minute or grandiose factors/variables apply. Some that I can think of would be: Is downloading and installing/setting up VirtualBox even possible in Safe Mode with Networking? Would making a bootable CD or flash drive be possible in S.M.w.N.? Even if the environment inside of the VB, which would be inside of S.M.w.N., ended up being "clean," would the download still be a failure as a result of coming from the internet, which my infected computer has had plenty of time to be a part of? Should the download prove to be in a .zip or similar format proven to be clean by various scans, even if the environment was clean or infected, could a switch from Safe Mode with Networking to Safe Mode allow the extraction and creation of the bootable item to remain clean? Last, if the computer was known to have been infected, could it even be trusted to test any of the previous ideas, or should one say lesson learned, do a clean Win install, and post to make others aware of the new information?



    Think I might post this for everyone to take a swing at and share experience/ideas or dismiss while laughing at me.


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd