joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

From the mailbag: Your email address and name flashes up on my PC in a black box, who are you and what are you doing to my PC?

by @ 9:34 am on 4/4/2012. Filed under general

I have started seeing emails similar to the title of this blog post trickle in the last few weeks. It had me totally confused until someone sent me something a little more informative:


Just to make it known, your name has been attached to malicious software involved in involuntary GPU mining for the purpose of bitcoin farming. The farmer was improperly coded so I caught it however. The output string from command line ( Eligius ) gave me the following. I will be exploring this Tor site in the next few hours and if this is you actively seeking to farm users of their GPU power, I highly suggest you cease and desist as this is a highly illegal activity.
Parameters: "-o" "http://mining/eligius.st:8337" "-u" "13j4XQEnXzgTi3ihJLLi3DctDZbU26KJ16" "-p" "x"

joe@joeware.net Joe Richards


I still don’t really know what it means but I expect it is some sort of malware that someone, not me, is installing on PCs. I don’t know what people are clicking on or installing or whatever that is loading this on their PCs but again, this isn’t me, I can’t help you. My first recommendation is to know what you are installing and clicking on but that is too little advice too late. But I still can’t help you. If this is a work PC, call your helpdesk. If this is a personal PC, call the manufacturer, or call a PC support company like Best Buy. 

If you absolutely must have me figure it out for you, go to my blog (http://blog.joeware.net), look in the upper left corner where it says tip jar, click on PayPal Donate, and specify $2000 and the email address you want me to contact you on. I will receive that and then send you an email with my home address. You will send the PC along with a paid return shipper and I will sit down, figure out what is going on with your PC and make it so my utility is no longer running on the PC. That is the only help I can offer.


How can I prove I didn’t put this malware out there you ask? Simple, I am not a complete and utter idiot.

While at times I am misled or confused and sometimes, more times than I prefer, I make mistakes, I am not a complete and utter idiot. How does that prove that I didn’t do this? If you take the statement "joe loaded this on my PC and is GPU mining on my PC" as a fact, the very next fact you can see is that my full name and email address pop up. And from that you can deduce that "joe is a complete and utter idiot." Again, I was smart enough to write the QUIET utility initially, which included purposely putting my name and address in it, and I will state for the record that I am also smart enough to remove the name of the utility along with my name and email address and recompile it if I chose to be subversive with the utility. I would further say that I wouldn’t even allow it to output what you see above, and in fact you would never see a console window flash, but those things don’t help with the proof. I am not an idiot, so ipso facto, Shazam, AllaKhazam, voila, and tada… I didn’t do this.

Any more questions on this, you know where the tip jar is.

   thank you and have a good day.


        joe


18 Responses to “From the mailbag: Your email address and name flashes up on my PC in a black box, who are you and what are you doing to my PC?”

  1. S says:

    Hi. I got hit by this too. Just to let you know, there’s also a keylogger riding on the virus.

    If it’s anything like mine, it’ll be in:
    C:\Users\NAME\AppData\Roaming\2 5\
    I think I found the keylogger log in the Roaming folder. The virus itself is in the “2 5” folder.

    It’s improperly coded and at startup will popup an error along with a console including your email and the info you’ve already gotten.

  2. S says:

    As to how to remove it, I deleted as many files as I could in the 2 5 folder.
    Windows Defender picked it up first, which I hope blocked it from actually doing anything.
    MalwareBytes picked up four files.

    I think it’s gone now. I’ll scan with AVG too…

  3. S says:

    AVG picked up 3 more files. One was an exe. Two others were in IE’s temporary internet files folder.
    It disguises itself as the windows rundll32.exe.
    In task manager I think it runs under “j.exe”.

    Hope this helps anyone else.

  4. joe says:

    Any idea how you got infected with it?

  5. S says:

    I have absolutely no idea. Probably some shady site I accidentally visited.

    I bought Blur on steam yesterday and the console window and “scvhost.exe” error message popped up during the game. I ignored it because I thought it might have just been a game glitch.

    Today, on restart it popped up again. That’s when I got suspicious.

    From what I understand, I might have gotten a virus that then loaded different things. One may have been the miner and the other the keylogger.

    I found the keylogger file and it had all my key presses, including the paypal email and password I used to buy Blur yesterday. I already changed that password.

    Also, sorry to spam your comments here. As you said, the console window contains joe@joeware.net, so this is probably the first place people will come for help. I figured I’d do them a service.

  6. Mike Kline says:

    Interesting comments

    @S (if he is still following). What anti-virus/malware program(s) are you using on your machine? Just wondering what software/defenses the keylogger made it past.

    Thanks

    Mike

  7. Mid says:

    Happened to me too, I have no idea how I got it.

  8. S says:

    @Mike

    I was an idiot and just had Microsoft’s Defender. IT people on the web are always talking about how it’s one of the best AV programs, but it definitely did a worse job than AVG.
    It picked up one problem after the virus was already in.
    Avg picked up 3. And that was after I had already run both defender and malwarebytes.

    To get rid of it I had to use AVG and Malwarebytes. I also ran Spybot S&D, but I think the stuff it picked up was just harmless ads and stuff.

    I have both defender and AVG running now. So hopefully that’ll protect me from my own stupidity next time.

  9. Hadministratora says:

    Can someone send me a copy of this? Or tell me where can I get it from?
    I would like to play around with it….
    If anyone is willing to send me a copy, please ZIP it and password protect it. Email the archive along with the password to rumbata yahoo com (there is an @ before yahoo and a dot before com).

  10. ayopiff says:

    How can we report Joe?

  11. Falcon says:

    So for a while I’ve had a console window show up and a GPU driver crash at startup and I got suspicious, but I never found anything. Yesterday and today, as I logged on, I noticed the mouse moving. Yesterday, I managed to find a process, name [][][].exe, and thinking it was the source, I ended the task. Today the console screen showed up for longer than usual, and I saw the link to your website. Thinking you were the hacker, I came to report you. After reading this thread, it seems as though your server has been hacked as an IP tunnel of a sort. I’ve found that /AppData/Roaming/1 5 is also a possible source: that is where I found mine. The folder had logs disguised as Diablo 3 saves (I do not own Diablo 3, so I immediately knew it was fake) and Adobe Photoshop settings. Additionally, I found a keylog, called local, in my roaming folder… I believe it is used by the virus, although when I tried to delete it, it created itself again… I then found a file called 6V9KETK0NK.exe in roaming, which disguises itself as a Visual Basic Command-line. A quick web search revealed that this was indeed a virus, resulting in me deleting it. It instantly appeared again, so I decided to follow your advice and get AVG (although I only have the free version). I am currently running a test through AVG and will give my status later… Also, I hope to help solve this issue and possibly report the virus. Anyways, I would appreciate any tips on how to deal with it etc. Thanks guys, and I hope this helps a bit.

    • joe says:

      No my server has not been hacked. Someone took a tool I make freely available to the world and included it in whatever malware you downloaded and installed.

      • Falcon says:

        Um so I’ve run quite a few AV programs, yet it still continues to write to the log… Can you tell me what your software does and how I can use it to disable the virus?

        • joe says:

          The only thing the quiet utility does is prevent a window from being opened on the desktop when a process runs. It isn’t much use for you and isn’t causing you your pain.

  12. Falcon says:

    OK, so: 4 threats found. Trojan @ AppData\Local\Temp\76912.exe
    Reference to infected file @ \AppData\Local\Temp\svchost.exe
    Worm found @ C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    And finally corrupted exe @ \AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3SE8BZX1\BOIE9_ENUS_WIN764[1].EXE

  13. Michael says:

    I have the same issue as all of you. I ran Malwarebytes and it removed several threats. Here is a copy of the log:

    Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 530325
    Time elapsed: 1 hour(s), 14 minute(s), 37 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 1
    HKLM\SYSTEM\CurrentControlSet\Services\Adobe Licensing Console (Trojan.Clicker.CT) -> Quarantined and deleted successfully.

    Registry Values Detected: 2
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|Policies (Trojan.Agent) -> Data: c:\directory\CyberGate\install\Svchost.exe -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|HKLM (Trojan.Agent) -> Data: c:\directory\CyberGate\install\Svchost.exe -> Quarantined and deleted successfully.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 10
    C:\Windows\System32\msvfd32.exe (Trojan.Clicker.CT) -> Quarantined and deleted successfully.
    C:\Games\Left 4 Dead\Left 4 Dead 2\left4dead2\addons\Name_Enabler.dll (Malware.UPX.Mod) -> Quarantined and deleted successfully.
    C:\Users\Derp\AppData\Local\Temp\CouponDropDown.exe (PUP.CrossRider.CDD) -> Quarantined and deleted successfully.
    C:\Users\Derp\AppData\Local\Temp\setup_coupondropdown.exe (PUP.CrossRider.CDD) -> Quarantined and deleted successfully.
    C:\Users\Derp\AppData\Local\Temp\IXP001.TMP\flaudit.exe (Trojan.Clicker.CT) -> Quarantined and deleted successfully.
    C:\Users\Derp\AppData\Local\Temp\mrt806A.tmp\stdrt.exe (Trojan.Clicker.CT) -> Quarantined and deleted successfully.
    C:\Users\Derp\AppData\Roaming\8 0\svchost.exe (PUP.BitMiner) -> Quarantined and deleted successfully.
    C:\Users\Derp\Documents\Adobe After Effects CS6\Patch\32bit\amtlib.dll (PUP.RiskwareTool.CK) -> Quarantined and deleted successfully.
    C:\Users\Derp\Documents\Adobe After Effects CS6\Patch\64bit\amtlib.dll (PUP.RiskwareTool.CK) -> Quarantined and deleted successfully.
    C:\Users\Derp\AppData\Local\Temp\.exe (Trojan.Agent) -> Quarantined and deleted successfully.

    (end)

    Currently running AVG and scanning it now. Also, here is a screen cap of what pops up after I removed everything that Malwarebytes picked up: http://i.imgur.com/ZU71H.jpg

    • Michael says:

      On top of this, virtually everybody I’ve talked to (/g/ on 4chan) basically told me there is no other way to completely get rid of this without wiping your hard drive and re-installing a fresh copy of Windows.
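The command line quoted in the post ("-o" pool URL, "-u" wallet address, "-p" password) and the Malwarebytes entries in the comment above together describe the two indicators a defender can actually look for on one of these machines: a miner's pool arguments, and a file named like a Windows system binary (svchost.exe, rundll32.exe, vbc.exe) launched from a user-writable path or from one of the "<digit> <digit>" Roaming folders the commenters keep finding. The script below is an added illustration of that triage logic written for this page; it is not code from joeware, from the quiet utility, or from the malware. Its first sample is constructed by combining the `Roaming\2 5` folder from comment 1 with the parameters quoted in the post (the post never shows the image path), the pool and Bitcoin-address patterns are structural only (no Base58 checksum), and the numeric-Roaming rule is derived from nothing more than the folder names reported in these comments.

```python
import re
from dataclasses import dataclass

# Command-line tokenizer: keeps "quoted strings" whole, splits the rest on whitespace.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# Mining-pool arguments as they appear in the post: -o <pool> -u <wallet/worker> -p <password>.
# The pool pattern is deliberately loose (scheme optional, host or host/path, then :port)
# because the URL quoted on the page is itself slightly mangled.
POOL_URL = re.compile(r"^(?:(?:stratum\+tcp|https?)://)?[\w.\-/]+:\d{2,5}$", re.IGNORECASE)
# Structural Bitcoin address check only (prefix 1 or 3, Base58 alphabet); no checksum is verified.
BTC_ADDR = re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$")
OPTION_NAMES = {"-o": "o", "--url": "o", "-u": "u", "--user": "u", "-p": "p", "--pass": "p"}

# System binary names the commenters saw impersonated, and where the genuine copies live.
SYSTEM_NAMES = {"svchost.exe", "rundll32.exe", "vbc.exe"}
LEGIT_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\microsoft.net\\framework",
)
# Folder naming reported in comments 1, 11 and 13: ...\AppData\Roaming\<digit> <digit>\
NUMERIC_ROAMING = re.compile(r"\\appdata\\roaming\\\d+ \d+\\")


@dataclass
class Finding:
    rule: str
    detail: str


def tokenize(cmdline: str):
    return [quoted if quoted else bare for quoted, bare in TOKEN.findall(cmdline)]


def check_masquerade(image_path: str):
    """A system binary name executing outside the directories where the real one lives."""
    low = image_path.replace("/", "\\").lower()
    name = low.rsplit("\\", 1)[-1]
    if name in SYSTEM_NAMES and not low.startswith(LEGIT_DIRS):
        return Finding("masquerade", f"{name} launched from non-system path {image_path}")
    return None


def check_numeric_roaming(image_path: str):
    """Executable living under a '<n> <n>' folder in Roaming, as the commenters describe."""
    low = image_path.replace("/", "\\").lower()
    if NUMERIC_ROAMING.search(low):
        return Finding("roaming-numeric-dir", f"executable under a numeric Roaming folder: {image_path}")
    return None


def check_miner(args):
    """Pool-style -o/-u/-p arguments; classifies -u as a Bitcoin address or a worker name."""
    opts = {}
    for i in range(len(args) - 1):
        key = OPTION_NAMES.get(args[i])
        if key:
            opts[key] = args[i + 1]
    pool = opts.get("o", "")
    if not POOL_URL.match(pool):
        return None
    user = opts.get("u", "")
    kind = "bitcoin-address" if BTC_ADDR.match(user) else "worker-or-unknown"
    return Finding("miner-cmdline", f"pool={pool} user={user} ({kind}) pass={opts.get('p', '')!r}")


def assess(cmdline: str):
    """Run all three checks over one process command line or autorun value."""
    tokens = tokenize(cmdline)
    if not tokens:
        return []
    image, args = tokens[0], tokens[1:]
    checks = (check_masquerade(image), check_numeric_roaming(image), check_miner(args))
    return [f for f in checks if f is not None]


SAMPLES = [
    # Constructed: the "2 5" Roaming folder from comment 1 plus the parameters quoted in the post.
    r'"C:\Users\NAME\AppData\Roaming\2 5\svchost.exe" "-o" "http://mining/eligius.st:8337" "-u" "13j4XQEnXzgTi3ihJLLi3DctDZbU26KJ16" "-p" "x"',
    # The autorun value Malwarebytes reported in comment 13.
    r"c:\directory\CyberGate\install\Svchost.exe",
    # The genuine service host, for contrast.
    r"C:\Windows\System32\svchost.exe -k netsvcs",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line)
        for f in assess(line) or [Finding("clean", "no indicators")]:
            print(f"  [{f.rule}] {f.detail}")
```

In practice you would feed `assess()` the command lines of running processes and the data of every Run/RunOnce and Policies\Explorer\Run value rather than constructed samples (for example the output of `wmic process get commandline` or an Autoruns export). Two caveats the comments themselves illustrate: a keylogger or RAT that carries a legitimate console-hiding tool will not trip the miner rule at all, and comment 12's `C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe` sits in a legitimate directory, so a path-based rule cannot tell an infected file in place from the real one; that needs a hash or signature check, not this script.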
