Persistent BitcoinMiner Virus Infection: Resistance to Antivirus Deletion

Content was translated Polish » English.
  • #1 16717387
    rhimo
    Level 8  
    Hello everyone
    I think I caught the BitcoinMiner virus. It doesn't want to be removed by the antivirus. A moment after I delete the infected files, the virus notification pops up again. Over and over again...
    Could the virus have got into the computer through pop-up ads?
    I'm pasting the OTL logs. Help.
  • Helpful post
    #4 16717495
    krzychupar
    Level 43  
    Open the system Notepad and paste:
    Task: {03F41391-F3A5-4B02-AB73-7B3CBA3D1843} - System32\Tasks\{D1FE52A9-941D-4BA2-8DBF-0A554E29E712} => C:\Windows\system32\pcalua.exe -a G:\Setup.exe -d G:\
    Task: {1A4556E8-189F-4D48-B88B-81A8BD8F76B2} - System32\Tasks\{3C8C6182-6779-4122-8260-432D2DCD485F} => C:\Windows\system32\pcalua.exe -a J:\programy\Nero6\nero63117.exe -d J:\programy\Nero6
    Task: {AAFA5047-E278-4184-901D-582CB0528EC9} - System32\Tasks\{8CB37EEB-C815-49A3-BC6F-C2B9C705745F} => "c:\program files\internet explorer\iexplore.exe" hxxps://ui.skype.com/ui/0/7.33.0.104/pl/abandoninstall?page=tsProgressBar
    Task: {CECCEC79-C10E-45DB-B7CB-17103E7C25DF} - System32\Tasks\{EB9E77B6-FEF0-4208-865D-D52AA12BD830} => C:\Windows\system32\pcalua.exe -a "C:\Program Files\TeamSpeak 3 Client\plugins\ts3overlay\InstallHook.exe" -d "C:\Program Files\TeamSpeak 3 Client\plugins\ts3overlay\" -c ts3overlay_hook_win32.dll 10001
    Task: {FD8C8BE5-4BD8-4D2A-A4EC-CCEAB92B2F31} - System32\Tasks\{5156CA6C-1CAC-48A5-83A9-BB7A1EE57AFC} => C:\Windows\system32\pcalua.exe -a "C:\Program Files (x86)\F-Secure\Uninstall\fsuninst.exe" -c /UninstRegKey:"F-Secure Anti-Virus"
    Task: {FFB59619-2318-48AE-9180-A98C6237F209} - System32\Tasks\{8D2E57E1-E8D1-4F32-9A8D-12766AF9C297} => C:\Windows\system32\pcalua.exe -a "C:\Users\Garvi\Desktop\Nowy folder\KD MAX DEMO pliki instalacyjne\setup.exe" -d "C:\Users\Garvi\Desktop\Nowy folder\KD MAX DEMO pliki instalacyjne"
    Hosts:
    HKLM-x32\...\Run: [] => [X]
    HKU\S-1-5-19\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
    HKU\S-1-5-20\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
    HKU\S-1-5-21-1555414959-3566746135-1843529842-1000\...\MountPoints2: F - F:\Setup.exe
    HKU\S-1-5-21-1555414959-3566746135-1843529842-1000\...\MountPoints2: {67049dea-fc6d-11e4-b51e-b870f4b068b2} - I:\Startme.exe
    HKU\S-1-5-21-1555414959-3566746135-1843529842-1000\...\MountPoints2: {c85c6f19-f6a0-11e3-83c8-ccaf7806b24a} - "F:\WD SmartWare.exe" autoplay=true
    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    HKU\S-1-5-21-1555414959-3566746135-1843529842-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    FF HKLM-x32\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird => not found
    CHR HomePage: Default -> amazon.com/websearch/?ie=UTF8__PARAM__
    CHR DefaultSearchURL: Default -> hxxps://www.amazon.com/websearch/?ie=UTF8__PARAM__&query={searchTerms}
    CHR DefaultSearchKeyword: Default -> amazon
    2017-09-24 10:38 - 2017-09-24 10:38 - 000095510 _____ C:\Users\Garvi\Desktop\Extras.Txt
    2017-09-24 10:38 - 2017-09-24 10:38 - 000000000 ____D C:\Users\Garvi\Downloads\FRST-OlderVersion
    2017-09-24 10:58 - 2017-09-24 10:58 - 002399744 _____ (Farbar) C:\Users\Garvi\Downloads\FRST64 (1).exe
    2017-09-24 10:27 - 2017-09-24 10:27 - 000095826 _____ C:\Users\Garvi\Desktop\OTL.Txt
    2017-09-24 10:26 - 2017-09-24 10:26 - 000095510 _____ C:\Users\Garvi\Downloads\Extras.Txt
    2017-09-24 10:25 - 2017-09-24 10:25 - 000095826 _____ C:\Users\Garvi\Downloads\OTL.Txt
    2017-09-24 10:04 - 2017-09-24 10:04 - 000602112 _____ (OldTimer Tools) C:\Users\Garvi\Downloads\OTL_[www.programosy.pl].exe
    2017-09-17 21:02 - 2017-09-17 21:03 - 000000000 ____D C:\b74d18fcac5d7b886d60ab66ae23fece
    EmptyTemp:

    Save the file under the name fixlist.txt and put it in the folder next to FRST.exe.
    Run FRST and click Fix.
  • Helpful post
    #5 16717541
    Kolobos
    IT specialist
    Can you write exactly what the antivirus detects and where? Give the full path and the file names.


    Update Adobe Reader 9.1 MUI to the latest AR version or to Foxit -> http://ninite.com/foxit/

    Uninstall SpyBot.

    Run this Fixlist.txt with FRST:
    Task: {03F41391-F3A5-4B02-AB73-7B3CBA3D1843} - System32\Tasks\{D1FE52A9-941D-4BA2-8DBF-0A554E29E712} => C:\Windows\system32\pcalua.exe -a G:\Setup.exe -d G:\
    Task: {1A4556E8-189F-4D48-B88B-81A8BD8F76B2} - System32\Tasks\{3C8C6182-6779-4122-8260-432D2DCD485F} => C:\Windows\system32\pcalua.exe -a J:\programy\Nero6\nero63117.exe -d J:\programy\Nero6
    Task: {AAFA5047-E278-4184-901D-582CB0528EC9} - System32\Tasks\{8CB37EEB-C815-49A3-BC6F-C2B9C705745F} => "c:\program files\internet explorer\iexplore.exe" hxxps://ui.skype.com/ui/0/7.33.0.104/pl/abandoninstall?page=tsProgressBar
    Task: {CECCEC79-C10E-45DB-B7CB-17103E7C25DF} - System32\Tasks\{EB9E77B6-FEF0-4208-865D-D52AA12BD830} => C:\Windows\system32\pcalua.exe -a "C:\Program Files\TeamSpeak 3 Client\plugins\ts3overlay\InstallHook.exe" -d "C:\Program Files\TeamSpeak 3 Client\plugins\ts3overlay\" -c ts3overlay_hook_win32.dll 10001
    Task: {FD8C8BE5-4BD8-4D2A-A4EC-CCEAB92B2F31} - System32\Tasks\{5156CA6C-1CAC-48A5-83A9-BB7A1EE57AFC} => C:\Windows\system32\pcalua.exe -a "C:\Program Files (x86)\F-Secure\Uninstall\fsuninst.exe" -c /UninstRegKey:"F-Secure Anti-Virus"
    Task: {FFB59619-2318-48AE-9180-A98C6237F209} - System32\Tasks\{8D2E57E1-E8D1-4F32-9A8D-12766AF9C297} => C:\Windows\system32\pcalua.exe -a "C:\Users\Garvi\Desktop\Nowy folder\KD MAX DEMO pliki instalacyjne\setup.exe" -d "C:\Users\Garvi\Desktop\Nowy folder\KD MAX DEMO pliki instalacyjne"
    HKLM-x32\...\Run: [] => [X]
    HKLM-x32\...\Run: [NeroFilterCheck] => C:\Windows\SysWOW64\NeroCheck.exe [155648 2001-07-09] (Ahead Software Gmbh)
    HKU\S-1-5-21-1555414959-3566746135-1843529842-1000\...\Run: [SpybotSD TeaTimer] => C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
    HKU\S-1-5-21-1555414959-3566746135-1843529842-1000\...\MountPoints2: F - F:\Setup.exe
    HKU\S-1-5-21-1555414959-3566746135-1843529842-1000\...\MountPoints2: {67049dea-fc6d-11e4-b51e-b870f4b068b2} - I:\Startme.exe
    HKU\S-1-5-21-1555414959-3566746135-1843529842-1000\...\MountPoints2: {c85c6f19-f6a0-11e3-83c8-ccaf7806b24a} - "F:\WD SmartWare.exe" autoplay=true
    Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CodecPackUpdateChecker.lnk [2014-07-09]
    ShortcutTarget: CodecPackUpdateChecker.lnk -> C:\Windows\SysWOW64\C2MP\UpdateChecker.exe ()
    2017-09-24 10:38 - 2017-09-24 10:38 - 000000000 ____D C:\Users\Garvi\Downloads\FRST-OlderVersion
    2017-09-24 10:27 - 2017-09-24 10:27 - 000095826 _____ C:\Users\Garvi\Desktop\OTL.Txt
    2017-09-24 10:26 - 2017-09-24 10:26 - 000095510 _____ C:\Users\Garvi\Downloads\Extras.Txt
    2017-09-24 10:25 - 2017-09-24 10:25 - 000095826 _____ C:\Users\Garvi\Downloads\OTL.Txt
    2017-09-24 10:04 - 2017-09-24 10:04 - 000602112 _____ (OldTimer Tools) C:\Users\Garvi\Downloads\OTL_[www.programosy.pl].exe
  • #6 16717595
    rhimo
    Level 8  
    I did what krzychupar wrote. I don't know enough to tell whether everything is all right, which is why I'm pasting the FRST files.
    Is everything OK now?

    EDIT
    Kolobos:
    The antivirus detects infected files in: C:\Users\Garvi\AppData\Local\Chromium\User Data\f_008d3. After each scan the antivirus displayed a different name for the infected file (f_008d3); they were names like f_008d4, f_008d38, etc. The alert said that this file is inside an archive (like a zip) and cannot be deleted. I found files with similar names in the Cache folder, but the target file was not there. That's why I deleted the entire Cache folder. But it achieved nothing. Over and over: an infection notification popped up -> I deleted the entire Cache folder. After some time the infection window popped up again, so I deleted Cache again.
    After some time I guessed that the virus may be associated with the pop-up ads on the alltuve.tv website or with the alltube.tv website itself... After opening it on a second computer, the fun with the Bitcoin file infection began. Now I have the same thing on the other device...
    Back to the subject: can I stop worrying about this, or is the virus still lurking somewhere?

    Merged. RADU23
  • #7 16718136
    Kolobos
    IT specialist
    You keep going to the site where the Bitcoin Miner is; that's why the files keep being created.
  • #8 16718206
    rhimo
    Level 8  
    I thought so, thanks :)
    Is the computer free of BitcoinMiner now?
  • Helpful post
    #9 16718222
    Kolobos
    IT specialist
    It works like this: such miners only run while you are on the site; they do not infect the computer. That's why the file is detected in the cache.
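    The explanation above is that the detected files are cached copies of a web-served miner, not an installed program. The script below is an added example (not code from the thread or from any tool mentioned in it) that checks exactly that on the user's side: it walks a Chromium cache directory, looks only at the f_xxxxxx response-body files named in the thread, and flags the ones that look like a browser miner. The indicator strings (the WebAssembly magic bytes, the CryptoNight hash name, a WebAssembly.instantiate call, a stratum pool URL) are illustrative assumptions chosen for the example, not vendor signatures, and the sample cache contents are constructed inline so the script runs offline.

```python
import os
import re
import shutil
import tempfile

# Indicators of an in-browser (JavaScript/WebAssembly) miner. These are
# illustrative assumptions for this example, not signatures from the thread
# or from any antivirus product; real detection relies on vendor signatures.
WASM_MAGIC = b"\x00asm"  # header of a WebAssembly binary module
JS_INDICATORS = [
    ("cryptonight", re.compile(rb"cryptonight", re.I)),              # Monero-family hash name
    ("wasm-instantiate", re.compile(rb"WebAssembly\.instantiate")),  # JS loading a wasm module
    ("stratum-url", re.compile(rb"stratum\+tcp://")),                # mining-pool protocol URL
]

# Chromium's blockfile cache stores larger response bodies in external
# files named f_ followed by six hex digits (the names seen in the thread).
CACHE_BODY_FILE = re.compile(r"^f_[0-9a-f]{6}$")


def classify_bytes(data):
    """Return the indicator labels found in one cached response body."""
    hits = []
    if data.startswith(WASM_MAGIC):
        hits.append("wasm-module")
    for label, pattern in JS_INDICATORS:
        if pattern.search(data):
            hits.append(label)
    return hits


def scan_cache(cache_dir):
    """Map each f_xxxxxx file under cache_dir that carries miner indicators to its hits."""
    findings = {}
    for name in sorted(os.listdir(cache_dir)):
        if not CACHE_BODY_FILE.match(name):
            continue
        with open(os.path.join(cache_dir, name), "rb") as fh:
            hits = classify_bytes(fh.read())
        if hits:
            findings[name] = hits
    return findings


# Constructed sample cache contents (not real files from the thread): a
# miner loader script, a wasm module, a harmless page body and an index file.
SAMPLE_CACHE = {
    "f_00006a": b"var m = new CryptoNightWASMWrapper();\n"
                b"WebAssembly.instantiate(buf).then(start);\n",
    "f_00006c": WASM_MAGIC + b"\x01\x00\x00\x00" + b"\x00" * 16 + b"cryptonight_hash",
    "f_000070": b"<html><body>an ordinary cached page</body></html>",
    "index": b"cache index, not a response body",
}


def demo():
    """Write the constructed sample into a temporary directory, scan it, clean up."""
    tmp = tempfile.mkdtemp(prefix="chromium-cache-")
    try:
        for name, body in SAMPLE_CACHE.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(body)
        return scan_cache(tmp)
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, "->", ", ".join(hits))
```

    On a real machine point scan_cache at the profile's Cache folder (for the paths in this thread, ...\Chromium\User Data\Default\Cache). A hit only tells you that a site served miner code that the browser cached; which site served it is recorded in the cache index (the data_* files), which this example does not parse. The practical consequence is the one Kolobos draws: deleting the f_ files is pointless while the site is still being opened, because the browser fetches and caches them again.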
  • #10 16718227
    rhimo
    Level 8  
    I asked because I wasn't sure. Thank you for your help.
    When the second computer got infected with BitcoinMiner, I scanned it with the antivirus, but (as before on the previous device) it did not delete the files. I deleted them manually, but the browser still lags and uses up to 99% of memory when in use. I think the virus is still on the computer. I'm putting the FRST files below; please check that everything is OK.
  • Helpful post
    #11 16718243
    Kolobos
    IT specialist
    The logs show that the antivirus detected:
    Error: (09/24/2017 01:03:52 PM) (Source: F-Secure Anti-Virus) (EventID: 103) (User: )
    Description: 2 2017-09-24 13:03:52+02:00    \misio F-Secure Anti-Virus
    Spyware detected:
    Type: riskware
    Family:
    Name: Application.BitCoinMiner.SX
    Object: C:\Documents and Settings\misio\Local Settings\Application Data\Chromium\User Data\Default\Cache\f_00006c

    Error: (09/24/2017 01:03:52 PM) (Source: F-Secure Anti-Virus) (EventID: 103) (User: )
    Description: 1 2017-09-24 13:03:52+02:00    \misio F-Secure Anti-Virus
    Spyware detected:
    Type: riskware
    Family:
    Name: Application.BitCoinMiner.SX
    Object: C:\Documents and Settings\misio\Local Settings\Application Data\Chromium\User Data\Default\Cache\f_00006a

    It probably removed them.

    Update Adobe Reader 9.5.0 - Polish to the latest AR version or to Foxit: http://ninite.com/foxit/

    Uninstall:
    mks_vir Skaner Online
    Spybot - Search & Destroy

    Entries from this modified version of Chrome aren't visible in the logs anyway, so they are superfluous.

    Fixlist.txt for FRST:
    HKLM\...\Run: [] => [X]
    Winlogon\Notify\SDWinLogon: SDWinLogon.dll [X]
    HKU\S-1-5-21-2052111302-725345543-682003330-1004\...\Run: [CW] => [X]
    HKU\S-1-5-21-2052111302-725345543-682003330-1004\...\MountPoints2: {169f3d68-b7bc-11e5-832f-00166f916797} - "F:\WD SmartWare.exe" autoplay=true
    HKU\S-1-5-21-2052111302-725345543-682003330-1004\...\MountPoints2: {5a043882-33d6-11e7-8417-00166f916797} - F:\HiSuiteDownLoader.exe
    IFEO\Your Image File Name Here without a path: [Debugger]
    BootExecute: autocheck autochk * sdnclean.exe
    CHR HKLM\...\Chrome\Extension: [bknbnapaddjdnbilpmlacdkjdkjmbjhd] - hxxp://clients2.google.com/service/update2/crx
    CHR HKLM\...\Chrome\Extension: [ofoeigeaodhbjogdigckajfhjbonaofg] - hxxps://clients2.google.com/service/update2/crx
    CHR HKU\S-1-5-21-2052111302-725345543-682003330-1004\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bknbnapaddjdnbilpmlacdkjdkjmbjhd] - hxxp://clients2.google.com/service/update2/crx
    2017-09-02 13:02 - 2017-09-02 13:27 - 000002432 _____ C:\Documents and Settings\misio\Local Settings\Tempfo1596.html
    2017-09-02 13:02 - 2017-09-02 13:27 - 000002089 _____ C:\Documents and Settings\misio\Local Settings\TempyH1596.html
    2017-09-24 10:51 - 2017-08-02 18:55 - 000000602 _____ C:\WINDOWS\Tasks\Check for updates (Spybot - Search & Destroy).job
    2017-01-14 13:37 - 2017-01-14 13:37 - 002174976 _____ (Advanced Micro Devices Inc.) C:\Program Files\Common Files\atimpenc.dll
    2016-01-10 21:11 - 2016-01-10 21:11 - 000000038 __SHC () C:\Documents and Settings\misio\Local Settings\Application Data\69ff07055291669bb2b218.72821112



    You can always also remove the browser together with its profile folder C:\Documents and Settings\misio\Local Settings\Application Data\Chromium\ and reinstall it.
    Back up bookmarks etc. first, if you need them.
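    The post above reads the detection straight out of the F-Secure event-log entries that FRST prints, and the verdict hinges on one thing: the object path sits in the browser cache. As an added example (not from the thread or from FRST), the script below parses event blocks in that layout, pulls out the detection name and object path, and classifies each hit as a transient cache copy or as a file outside any browser cache that deserves a closer look. The sample log is constructed inline: the first two entries copy the ones quoted above, the third is an invented contrast case with a path outside the cache (the file name example_persistent.exe is made up for the example). The cache-directory patterns are assumptions covering Chromium/Chrome and Firefox profile layouts.

```python
import re

# Constructed sample in the layout FRST prints for the Windows event log
# (the first two entries copy the ones quoted in the thread; the third is an
# invented contrast case whose path lies outside any browser cache).
SAMPLE_LOG = r"""
Error: (09/24/2017 01:03:52 PM) (Source: F-Secure Anti-Virus) (EventID: 103) (User: )
Description: 2 2017-09-24 13:03:52+02:00    \misio F-Secure Anti-Virus
Spyware detected:
Type: riskware
Family:
Name: Application.BitCoinMiner.SX
Object: C:\Documents and Settings\misio\Local Settings\Application Data\Chromium\User Data\Default\Cache\f_00006c

Error: (09/24/2017 01:03:52 PM) (Source: F-Secure Anti-Virus) (EventID: 103) (User: )
Description: 1 2017-09-24 13:03:52+02:00    \misio F-Secure Anti-Virus
Spyware detected:
Type: riskware
Family:
Name: Application.BitCoinMiner.SX
Object: C:\Documents and Settings\misio\Local Settings\Application Data\Chromium\User Data\Default\Cache\f_00006a

Error: (09/24/2017 01:10:00 PM) (Source: F-Secure Anti-Virus) (EventID: 103) (User: )
Description: 3 2017-09-24 13:10:00+02:00    \misio F-Secure Anti-Virus
Spyware detected:
Type: riskware
Family:
Name: Application.BitCoinMiner.SX
Object: C:\Documents and Settings\misio\Application Data\example_persistent.exe
"""

HEADER_RE = re.compile(r"^Error: \((?P<when>[^)]*)\) \(Source: (?P<source>[^)]*)\)", re.M)
FIELD_RE = re.compile(r"^(Type|Name|Object): ?(.*)$", re.M)

# Directories where a browser stores fetched web content (assumed layouts).
# A hit here means the file is a cached copy of something a site served, not a
# program installed on the machine, and it returns as long as the site is visited.
BROWSER_CACHE_RE = [
    re.compile(r"\\(Chromium|Google\\Chrome)\\User Data\\[^\\]+\\Cache\\", re.I),
    re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\cache2\\", re.I),
]


def parse_detections(text):
    """Extract when, source, type, name and object from each 'detected' event block."""
    found = []
    for block in re.split(r"\n\s*\n", text.strip()):
        header = HEADER_RE.search(block)
        if header is None or "detected:" not in block:
            continue
        fields = {key: value.strip() for key, value in FIELD_RE.findall(block)}
        if "Object" not in fields:
            continue
        found.append({
            "when": header["when"],
            "source": header["source"],
            "type": fields.get("Type", ""),
            "name": fields.get("Name", ""),
            "object": fields["Object"],
        })
    return found


def is_browser_cache(path):
    """True when the detected object sits inside a known browser cache directory."""
    return any(pattern.search(path) for pattern in BROWSER_CACHE_RE)


def triage(text):
    """Attach a verdict to every detection: transient cache copy or persistent file."""
    rows = []
    for det in parse_detections(text):
        if is_browser_cache(det["object"]):
            verdict = "browser cache: transient, re-created each time the serving site is opened"
        else:
            verdict = "outside any browser cache: treat as persistent and investigate"
        rows.append(dict(det, verdict=verdict))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(f"{row['when']}  {row['name']}\n    {row['object']}\n    -> {row['verdict']}")
```

    Feed it the Event Log section of FRST's Addition.txt and the cache hits separate from anything that would actually need a fixlist entry. The two paths from this thread land in the cache bucket, which is the same conclusion Kolobos reaches by eye; a detection with the same name but a path under Application Data, Program Files or a Run key would be the case that does warrant the removal steps.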
  • #13 16718597
    Kolobos
    IT specialist
    You've already posted logs from this computer in the previous post to which I wrote back.
  • #14 16718934
    rhimo
    Level 8  
    I pasted the FRST files after running fixlist.txt (as you described at 16:16).
  • #15 16718950
    Kolobos
    IT specialist
    Why do you think I wrote that the cache contents and the entries from this browser can't be seen in the logs? What I gave you were just a few unnecessary entries; you don't have to post logs.
  • #16 16718963
    rhimo
    Level 8  
    OK. Thank you for your help and best regards. Subject to close.

Topic summary

The thread concerns a BitcoinMiner detection that keeps coming back: the antivirus reports it in the Chromium browser cache and cannot delete it, and deleting the cache by hand does not help. rhimo posts OTL and then FRST logs; krzychupar and Kolobos supply FRST fixlists that clean up leftover scheduled tasks, autorun and MountPoints2 entries, and advise updating Adobe Reader and uninstalling SpyBot and the mks_vir online scanner. Kolobos concludes that the detected files are cached copies of a browser-based miner served by a site the user visits (alltube.tv is suspected): it runs only while the page is open, does not install itself on the computer, and the cache entries reappear for as long as the site is visited, so the logs show nothing to remove and the browser profile can simply be deleted and reinstalled if desired.
Summary generated by the language model.