Question SOLVED: Bitcoin Mining Virus (Masked as NVIDIA Corporation)

rizzeh

Reputable
May 20, 2020
15
1
4,515
Hey everyone, just an update. The lovely people from Bleeping Computer have helped me remove the virus completely and my Task Manager functionality has been restored.

I'm not sure if you can share links to different forums here, but if anyone wants to read up on how we were able to fix it, or if you yourself are encountering the same virus, PM me and I will be glad to send you the link to my topic on BC.

Thanks for everyone who posted here and provided support. :)

Hey everyone! My PC is currently infected with a Bitcoin Mining virus and I'm just looking around if there are still steps to take in order to fight this curse or inevitably go for the easy route and just wipe and reformat. Any help is appreciated, thanks in advance!

How it happened:
The virus successfully injected itself into my computer masking itself as an Nvidia application. I was working, and suddenly an Nvidia update ran but it was running with cmd, so it was a bit sketchy. But it was my mistake that I ignored it. It was able to inject itself into the registry, and used powershell to run its network activities through that phase. This was left unchecked for about 2 hours, by then it had already completed its download and was running autonomously in the background. I turned on Task Manager, but it would only show in "less detailed" mode. Once I clicked on more details, it forces itself closed.

Current Status:
Successfully located the directory of the virus in C:/ProgramData. Size is about 2.8GB, attempted to delete but cannot fully since there are tasks still running in the background. The file is now about 8 MB. Malwarebytes has successfully blocked it from re-downloading in the background. It's somewhat of a vaccine, I still have the virus in the PC, but it's in a dormant state because of its network restrictions.

It's shown to be running through powershell to do its network activities and registry editor to block out task manager and run autonomously in the background. Are there steps to try and remove this thing from the registry editor and also the powershell?

Software Used:
  1. Windows Defender - Detects virus, attempts to remove, but redetects soon after removal.
  2. Malwarebytes - Detected virus, removed virus, does not detect virus anymore even if it still here but successfully blocks it from using network activities.
  3. rkill - No detections at all.
  4. HitmanPro - No detections at all.
  5. Spybot - Detected the virus, when attempted to fix, froze. (Able to detect that the virus had created its own permissions as a new user in Registry permissions)
Observations:
  • Accessed HKEY_CURRENT_USER/Microsoft/Windows/CurrentVersion, somewhere along there and injected lines to run files ending with .vbs (was the first stage).
  • Signs of it using powershell to run its network activities.
  • Located in C:/ProgramData in a hidden folder named "NVIDIA Corporation." File size is about 2.5GB - 2.8GB when it's successfully downloaded all its files.
  • Inside the folder you will find a lot of NVIDIA logs to make it appear legit, although there a lot of .json as well.
Running Tasks:
1. NVIDIA Web Helper.exe (I'm assuming this is the mother task since I can't fully delete the "NVIDIA Corporation" folder because of this task).
-> "C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe" index.js

Questions:
  1. If there is no hope left, and I am forced to reformat. Do I need to reformat both my drives or do I only reformat the boot drive?
  2. Is there any way to combat these network activities with cmd prompt or powershell?
  3. If it has injected itself to registry editor, can you alter that?
Updates:

  1. Recently discovered the "NVIDIA Web Helper.exe" process that I assumed was the mother task might not be, since it is running under "Node.exe." Process that I cannot terminate for the time being.
  2. Spybot was a great tool that made it possible for me to reduce/delete the "NVIDIA Corporation" folder down to 2 MB.
  3. I'm still certain I am infected since I still cannot access Task Manager's "more details". Or could it be that this is just lingering code from the virus that force closes Task Manager? Will update again soon.
  4. I've removed permissions from the Unknown Account in regedit completely except for one section which is HKEY_CURRENT_CONFIG. There is an error saying I can't remove it because of "inheriting permissions" from parent object. Still reading up about this. Any help appreciated! :)
Was able to suspend Node.js scripts and especially "NVIDIA WebHelper" javascript with Process Explorer and that helped to turn my computer back to normal for the time being. Speed is back to normal, although virus is still lingering as I still see Malwarebytes trying to block something from re-trying to download itself from powershell.exe. As well as myself still not being able to run Task Manager properly.
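A read-only triage script for the indicators listed in the post above (Run-key entries launching scripts, Node/PowerShell processes and their parents, the ProgramData folder, live connections), added here as an example and not part of rizzeh's post or of any tool named in the thread; it assumes an elevated PowerShell session and only reports, it changes nothing.

```powershell
# Added example (not from the thread): read-only triage for the indicators described in the post.
# Assumes an elevated PowerShell session; nothing here deletes or modifies anything.

# 1. Autostart entries that launch a script host, PowerShell or Node (the .vbs first stage).
$runKeys = @(
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
  if (-not (Test-Path $key)) { continue }
  foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath metadata
    if ("$($p.Value)" -match '\.vbs|wscript|cscript|powershell|node') {
      [pscustomobject]@{ Check = 'RunKey'; Where = "$key\$($p.Name)"; Value = $p.Value }
    }
  }
}

# 2. Processes whose command line names a Node script or the ProgramData folder, with their parent
#    (the post notes "NVIDIA Web Helper.exe" index.js was actually running under node.exe).
Get-CimInstance Win32_Process |
  Where-Object { $_.CommandLine -match 'index\.js|ProgramData\\NVIDIA Corporation' } |
  ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    [pscustomobject]@{ Check = 'Process'; Where = "$($_.Name) PID $($_.ProcessId) <- $($parent.Name)"; Value = $_.CommandLine }
  }

# 3. The ProgramData folder. It also exists on clean GeForce installs, so report the Hidden attribute,
#    total size and script/JSON count for comparison with the post rather than treating presence as proof.
$dir = Join-Path $env:ProgramData 'NVIDIA Corporation'
if (Test-Path $dir) {
  $hidden = (Get-Item $dir -Force).Attributes.HasFlag([IO.FileAttributes]::Hidden)
  $files  = Get-ChildItem $dir -Recurse -Force -File -ErrorAction SilentlyContinue
  $bytes  = ($files | Measure-Object Length -Sum).Sum
  $js     = ($files | Where-Object Extension -in '.js', '.json' | Measure-Object).Count
  [pscustomobject]@{ Check = 'Folder'; Where = $dir; Value = "Hidden=$hidden; Bytes=$bytes; js/json files=$js" }
}

# 4. Established TCP connections owned by powershell.exe or node.exe (the traffic Malwarebytes was blocking).
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | ForEach-Object {
  $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
  if ($proc -and $proc.Name -match '^(powershell|node)$') {
    [pscustomobject]@{ Check = 'NetConn'; Where = "$($proc.Name) PID $($proc.Id)"; Value = "$($_.RemoteAddress):$($_.RemotePort)" }
  }
}
```

Pipe the output to `Format-Table -Wrap` or `Export-Csv` to keep a record; any hit is something to hand to a removal helper, not a verdict on its own.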
 

rizzeh

Thanks for the answers everyone. :)

With the help of Spybot and Malwarebytes, it stopped re-downloading and working its "Bitcoin Mining" functions. Therefore I have some breathing room with my PC. Might give it a couple of hours of work before trying to go nuclear and format.

The virus is still here just dormant, so I'm backing up some files now. If anyone still has advice, I'd be glad to hear it!
 
the 'virus injected itself'?

Or is this a euphemism for 'I saw it with an innocent looking title but not presented via the Nvidia Geforce Experience, so I clicked on it anyway, and then allowed it'? :)

Do you have any restore points from a day or more prior to the 'autonomous infection event'? :)
 

rizzeh

Sorry for the delayed responses everyone.

But just a bit of an update, a friend of mine has gotten around to helping me and we've done scans with a number of software and analysis on FRST. Successfully had most of them display 0 detections, but the only problem now is still the first encounter/first symptoms I noticed from the virus being the unusable Task Manager.

It's still the same when I click on More Details, it forces itself close completely.

We've scanned with Malwarebytes, Malwarebytes Anti-Rootkit, Roguekiller, Spybot, and AdwCleaner.

I've read a few posts saying that what was forcing Task Manager to close was redistributable files given by the virus. Would anyone know anything about this? :)

the 'virus injected itself'?

Or is this a euphemism for 'I saw it with an innocent looking title but not presented via the Nvidia Geforce Experience, so I clicked on it anyway, and then allowed it'? :)

Do you have any restore points from a day or more prior to the 'autonomous infection event'? :)

Didn't really click on anything, it just sort of popped up as I was in the middle of using the computer with the process named "NVidia Update." With icons and all that, although it was my mistake that I should have gotten alerted at that point since Nvidia usually asks for administrative privileges before executing updates. My mistake, but we live and we learn. :)

I have got one from a year ago which can work.

You can boot Windows Installation DVD/USB, and enter Command Prompt, where you can move / delete files.

I did not know this, thanks! Would you know of anything to scan processes being run through Powershell?

Since Malwarebytes is blocking the virus from downloading and it's detecting it using "powershell.exe."

Thanks for the lovely replies everyone. :)