Urgent Help Required - Virus/Trojan Infection

Heckler

It seems my gaming rig has been hit by some kind of rootkit...  Win64/svcMiner.A

 

I have been unable to shift it; every time it gets cleaned it reappears upon reboot.

 

 

So far I have done the following... although not necessarily in this strict order.

 

Rebooted in safe mode with networking.

Run both MSE and AVG with deepest scans possible.

Run malwarebytes

Run Spybot S&D

 

After doing all of that... it seemed to be clear.

 

30 mins after a reboot, MSE pops up the same warning about quarantining the same files... but this time they seem to have changed their filename slightly and sometimes the location changes.  According to what I've read, this is usual behaviour for it: it hides itself as Windows services... hence its name.

 

I rebooted into safe mode, cleaned again and then ran sfc /scannow from a command prompt.  It found and repaired some files.  Scanned again and everything seemed fine.

 

Rebooted and it was back immediately again.

 

At this point I restored my last backup from Sunday 1st, but that also contained the infection... I don't know when it got infected or how... I'm normally very careful and everything gets scanned when downloaded, and I run daily scans and weekly back up an image of my entire C: drive.

 

I am out of ideas... every single time I search for info, I end up at some scam site trying to trick you into buying that 'spyhunter' software... It's a scam, don't fall for it.

 

I can't find a tool that's designed specifically for this infection... So it seems my last option is thus:

 

Format and reinstall windows.

 

It won't be so bad, a friend has offered to sell me his old motherboard and CPU. It's ASUS M5A88M and FX4170... My current PC is an older ASUS M4A79XTD-EVO with a Phenom II X4 955BE... I'll be losing the Xfire feature of my current board, but that's OK because I upgraded the twin 5770's I had for an R9 280X in January.  I can also swap the FX4170 CPU with the FX6300 CPU in my mediaserver.

 

He's selling me the board and cpu for £20 +P&P... around £25-26 total.

 

At the moment my antivirus is telling me it has the files quarantined... but if I reboot they are duplicated again.

 

Am I correct in thinking that the system will be OK for a few days? The new MB/CPU should be here by Tuesday as he's having it picked up Monday by courier... I'm avoiding all sites that require personal info... But I don't know how long it's been infected as it was only picked up this week. I assume the database was updated with this one's signature during this week or it would have caught it earlier... I can't be certain, but there was a suggestion that the original infection happened around the 15th Jan according to when files were created. I checked and didn't install any software on that date but did install something on the 16th... that may have been downloaded on the 15th... it scanned as clean back then... but has since been deleted... this may have been the cause but I can't be sure.

 

Any extra advice/help you may have will be of great use... I've learned a couple of new tricks this week dealing with it... well, trying to deal with it.  Any new tricks and tips to combat this rootkit trojan or whatever it is... Greatly appreciated. The more I know the more prepared I am.

 

On the plus side... this is the first time I have ever been hit with an infection that's forced me into a position where I am going to wipe and start over clean... I've had near misses in the past, it's how you learn.

 

 

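The first post describes two behaviours worth checking for directly rather than only through signature scans: a payload that comes back after every reboot registered as a Windows service (with a slightly changed name or location), and a dropper later found in the per-user Temp folder. The PowerShell script below is an added triage example, not code from this thread or from any of the tools named in it. It lists services whose executable (or, for svchost-hosted services, the ServiceDll it loads) sits outside %SystemRoot% or does not carry a valid Authenticode signature, and executables created recently under %LOCALAPPDATA%\Temp. It assumes Windows PowerShell 3.0 or later and an elevated prompt; the -DaysBack default is a constructed value. Everything it prints is for review, since legitimate third-party services also show up here.

```powershell
# Added example (not code from the thread or from any tool it names).
# Reports services running from unusual or unsigned binaries, and recent
# executables in the per-user Temp folder. It only reports; it deletes nothing.
# Assumptions: Windows PowerShell 3.0+, elevated prompt so every service binary
# is readable. $DaysBack is a constructed default; set it to the suspected
# infection window.
param([int]$DaysBack = 30)

$systemRoot = $env:SystemRoot

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Service command lines come in three shapes:
    #   "C:\path with spaces\svc.exe" -arg    (quoted)
    #   C:\Windows\system32\svchost.exe -k x  (unquoted, no spaces)
    #   C:\Program Files\x\svc.exe            (unquoted, with spaces)
    # Taking everything up to the first ".exe" handles all three.
    if ($PathName -match '^"?(.*?\.exe)') { return $Matches[1] }
    return $PathName
}

# 1. Services whose binary is outside %SystemRoot% or is not validly signed.
$suspectServices = foreach ($svc in Get-CimInstance Win32_Service) {
    if (-not $svc.PathName) { continue }
    $exe = Get-ServiceBinaryPath $svc.PathName

    # svchost-hosted services load a DLL named in the registry; that DLL, not
    # svchost.exe itself, is the file to inspect.
    if ($exe -match 'svchost\.exe$') {
        $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
        $dll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) { $exe = [System.Environment]::ExpandEnvironmentVariables($dll) }
    }

    $inWindows = $exe.StartsWith($systemRoot, [System.StringComparison]::OrdinalIgnoreCase)
    if (Test-Path -LiteralPath $exe) {
        $sigStatus = (Get-AuthenticodeSignature -FilePath $exe).Status
        $created   = (Get-Item -LiteralPath $exe).CreationTime
    } else {
        $sigStatus = 'FileMissing'
        $created   = $null
    }

    if (-not $inWindows -or $sigStatus -ne 'Valid') {
        [pscustomobject]@{
            Service   = $svc.Name
            State     = $svc.State
            StartMode = $svc.StartMode
            Binary    = $exe
            Signature = $sigStatus
            Created   = $created
        }
    }
}

# 2. Executables created recently under %LOCALAPPDATA%\Temp, where the original
#    dropper was found in this thread.
$cutoff  = (Get-Date).AddDays(-$DaysBack)
$tempDir = Join-Path $env:LOCALAPPDATA 'Temp'
$recentTempExecutables = Get-ChildItem -Path $tempDir -Recurse -File -Include *.exe,*.dll,*.scr -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt $cutoff } |
    Select-Object FullName, CreationTime, Length,
        @{ Name = 'Signature'; Expression = { (Get-AuthenticodeSignature -FilePath $_.FullName).Status } }

"=== Services to review (outside $systemRoot or not validly signed) ==="
$suspectServices | Sort-Object Created -Descending | Format-Table -AutoSize

"=== Executables created in $tempDir during the last $DaysBack days ==="
$recentTempExecutables | Sort-Object CreationTime -Descending | Format-Table -AutoSize
```

Run it once from the suspect system and once after a reboot: a service entry whose name or binary path differs between the two runs, or a Temp executable whose creation time matches the reappearance, is the kind of artifact the post describes and is worth submitting to the AV vendor before wiping. Note the creation timestamps too, since they are what let the poster narrow the infection date.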

Heckler

Try Hitman Pro, it is free (for 30 days, just enter an email address).

 

 

 

 

Cheers guys, I'd not tried the malwarebytes antiroot kit suggested in that link.

 

I have now run it and it looks like it's found the original infected file... that none of the other programs detected. It was buried in the users\[username]\appdata\local\temp\ folder... it cleaned that OK, but found nothing in the registry or anything.  That original file was created on the 23rd Jan... Where it came from is still a mystery... But I have a suspicion.

 

Around that time I was having browser issues with Chrome, and just before Xmas I switched back to Firefox... But then I encountered a problem with Firefox... Flash was always crashing. On the 16th Jan I installed Chrome again, but I recall for a brief moment I tested IE... which I never use, haven't since the early days of Firefox... It could be that an unprotected IE was the problem and allowed malware to be placed on my system through a flaw/bug in one of my browsers.

 

It's all speculation... I have resigned myself to wiping, and starting over. My drive will be completely purged, and then instead of running a weekly backup, I'm going to set up a RAID for the new install... I've got 3x 500GB drives and a 1TB in this system. Two can be used for a RAID0 and the other for the backup... the 1TB is my games drive.

 

Cheers for the suggestions... another tool to add to my collection.  :)

  • Like 1

Koleckai Silvestri

I usually just slam my OS drive if I think I have a virus or rootkit. I don't even verify that I am infected as it is easier to reformat and replace the partition with a clean copy. 30 minutes and I am up and running again.


overClocked!

Consider running Combofix as well as the other utilities listed on this page from bleepingcomputer.  AdwCleaner, JWRT and RKILL have all served me well in the past cleaning infected machines.  After they have done their job, go behind them with Malwarebytes for some additional cleanup.

 

Good luck.

  • Like 1

jluce50

When I run into stuff like this, I usually have the best luck booting into a linux LiveCD and doing a deep scan from there using Avast/Kaspersky/etc. Seems to be able to find and clean stuff even the boot-time/safemode scans can't.


Heckler

A mate is sending me his old Motherboard and CPU for about £25... So I'll be getting a small upgrade and will have to do a reinstall anyway... These drives will be scrubbed, formatted, scrubbed again even so there is no chance of anything being left.
