"xnotes.exe" is recognised by other AV vendors as malware. McAfee includes this as a PUP associated with BitCoinMiner. See the description at http://vil.nai.com/vil/content/v_617462.htm
xnotes modifies the registry to run automatically at startup:
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\XNOTES = %PROGRAMFILES%\XNotes\XNotes.exe
Generic PUP.z!gx looks like the downloader, and while McAfee says it's a PUP, almost everyone else classes it as a Trojan. See http://home.mcafee.com/virusinfo/virusprofile.aspx?key=582336#none
All the notes for these two say that a regular scan should delete the dropped files and remove or repair the registry setting(s). If you are being re-infected there must be another agent somewhere on your system that is doing it, perhaps by downloading these files at startup, or else McAfee's quarantining is missing something.
I see you're now being taken through some detailed detection and removal steps by someone at MajorGeeks, so I won't suggest anything for you to try. Too many cooks, and all that ...
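As an added example (not code from the thread or from McAfee), the PowerShell script below lists every entry in the standard Run/RunOnce keys for the machine and the current user, expands variables such as %PROGRAMFILES% the way Windows does at logon, and flags entries whose target is missing, whose name or path matches a name from this thread (XNotes, BitCoinMiner), or whose executable sits in a user-writable folder. The suspect-name list and the "user-writable" folder list are assumptions you can extend; run it from an elevated prompt so the HKLM keys are fully readable.

```powershell
# Added example: audit the Run/RunOnce autostart keys and flag entries worth a closer look.
# Written for PowerShell 2.0 and later (Windows 7 ships with 2.0).

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',   # 32-bit view on 64-bit Windows
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumption: names taken from this thread; add others as they come up (matching is case-insensitive).
$suspectNames = @('XNotes', 'BitCoinMiner')

# Assumption: folders a dropper can write to without elevation.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE)

# Properties PowerShell adds to every registry object; not real values.
$psProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-RunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($psProps -contains $prop.Name) { continue }
            $raw      = [string]$prop.Value
            $expanded = [Environment]::ExpandEnvironmentVariables($raw)
            # Strip surrounding quotes and trailing arguments to isolate the executable path.
            if ($expanded -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($expanded -split '\s+')[0] }

            $flags = @()
            foreach ($n in $suspectNames) {
                if ($prop.Name -like "*$n*" -or $exe -like "*$n*") { $flags += "name:$n" }
            }
            foreach ($dir in $userWritable) {
                if ($dir -and $exe.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $flags += 'user-writable-path'
                }
            }
            if (-not (Test-Path -LiteralPath $exe)) { $flags += 'target-missing' }

            New-Object PSObject -Property @{
                Key    = $key
                Name   = $prop.Name
                Target = $exe
                Flags  = ($flags -join ',')
            }
        }
    }
}

# Flagged entries sort to the top; an empty Flags column means nothing stood out.
Get-RunEntries | Sort-Object Flags -Descending | Select-Object Key, Name, Target, Flags | Format-Table -AutoSize -Wrap
```

An entry like XNOTES pointing at %PROGRAMFILES%\XNotes\XNotes.exe shows up with the name flag; if the file has already been quarantined but the value keeps coming back, the target-missing flag tells you the persistence is being re-created by something else, which is exactly the "other agent" scenario above. The script only reports; it deletes nothing.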
That's the registry entry I have been deleting over and over and over again, with no luck. As you were saying, there must be something redownloading that, most likely Generic PUP.z!gx. McAfee manages to capture and quarantine this, but somehow it keeps regenerating on startup as well. I have exhausted all my knowledge and what I have tried to learn from reading other forums as an amateur user. I have been desperate, as this issue has been bugging me for days, and yes, I have posted in MajorGeeks as well. Please understand that out of my desperation for finding a solution I did resort to other forum pages. Thanks so much for your time and help Hayton, really appreciate it.
The thought has crossed my mind about using the paid removal service; I will give it a few more tries before resorting to this option, however.
Thanks for your help
MajorGeeks is a respected PC help forum, and I won't interfere while you're following the instructions they're giving you. I see you ran the rootkit diagnostics and they came back clean; that's a good sign.
One thing to consider is that the file that's repeatedly giving you BitCoinMiner may be in a location that a Quick Scan would not go to. If you are advised to run Malwarebytes, then run a Full Scan, and do it from Windows, not Safe Mode.
Next time you reboot, put Process Explorer in the Startup section of Programs in the Start Menu so you can see what's running, and look for the running processes associated with this PUP/Trojan.
Peter I have asked a McAfee lab staffer to have a look here, as McAfee is not getting the dropper. See if he has a suggestion.
Potentially Unwanted Programs (PUPs) are not considered a virus or trojan because they do not self-replicate and they do not damage systems maliciously.
Solution for the PUP, and how to submit a sample, below (after submitting the sample, please mention the ID in this thread).
It could be an issue with the detection and removal configuration you have set for the McAfee product. Some threats reside in system-protected locations like System Restore in a Windows environment.
You may try to unhide the hidden and system-protected files while searching for this program. These locations are usually not accessible by applications.
Some of the threat files need to be removed manually. These are classified as Potentially Unwanted Programs.
If you are using Windows ME/XP, ensure that system restore is disabled, as described here:
You can find more information about the enabling/disabling of PUPs at the link given below:
In case you are still having problems, please send us a sample for analysis, in a password-protected ZIP file (password - infected). You can find detailed instructions for how to do this at http://vil.mcafeesecurity.com/vil/submit-sample.aspx
If you are having problems password-protecting the file(s), here are some brief instructions for creating a password-protected zip file for WinZip.
If you have different software or if you need further instructions, please consult technical support of the archiving software you have.
WinZip is available for download at www.winzip.com
1) Create a new zip file
2) In WinZip, choose Options, then Password, then type the password "infected"
3) Place your infected files in the Zip file
4) Close the archive and send it to Virus_Research@avertlabs.com with a description of the file.
If you're using WinZip you can tell if the files have been password-protected because there will be a plus sign at the end of the filename (i.e. "filename.exe+").
Please include a description of the symptoms your system is experiencing, and any pertinent information about what AV Products you are using including company, version number (engine/dat numbers for McAfee Products) and results of the scan.
I ran Malwarebytes after running various programs and deleting a few other temp files manually, and it found 5 trojans in a full scan! I got rid of all of them and restarted the computer again, and I think that may have finally done it... I think, I'm not sure; the CPU seems to be running normally now (chrome.exe not using 100% of my CPU, which I thought was an issue with the browser, not realising it was due to the trojans/bitcoin miner). I'm re-running Malwarebytes and McAfee just to confirm that there are no infections on the computer. I'll post back results anyway.
Thanks for the links and advice !
Message was edited by: arvin1 on 4/11/11 5:53:57 AM
I think that the PUP on my computer is affiliated with a trojan virus also present on the machine. I am running Windows 7 64-bit and I have also turned off my System Restore as per my initial investigation through other McAfee forums. So far I've been running multiple spyware removals, including SuperAntiSpyware, Malwarebytes, McAfee, Comboscript, MG tools and others. I think that I may have finally gotten rid of the unwanted trojan virus and PUP, pending a few more scans. If not, I will most definitely capture the malicious files, zip them and forward them to avertlabs along with all the relevant details, hoping that there will be some kind of cure. Thank you
Good to know the situation has improved. Watch out for any recurrence; if you're not sure where it came from but you see it come back after visiting a particular site, please let us know.
This one apparently drops a lot of files and folders into the %appdata%\local directory. Keep an eye on that location and watch for any more safari/E/chrome/xnotes entries. The dropper is the one McAfee would like to identify; if that is not dealt with then you just get BCM reappearing every time you delete it. And you don't want your CPU running at 100% all the time just to earn a few cents for some crook somewhere who's using you to get BitCoins.
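Since the thread says to keep an eye on the local AppData folder for new safari/E/chrome/xnotes entries, here is an added PowerShell example (not code from the thread or from McAfee) that does that check in one pass: it reports top-level folders whose names match those called out above and lists every executable created in the last seven days anywhere under the folder, with its SHA-256 hash so a suspicious file can be matched against a vendor write-up or quoted when submitting a sample. Assumptions: "%appdata%\local" refers to the per-user LocalAppData folder ($env:LOCALAPPDATA), and the name list, extension list and seven-day window are starting points to adjust.

```powershell
# Added example: find recently created executables under LocalAppData and hash them.
# Written for PowerShell 2.0 and later; uses .NET for hashing because Get-FileHash only exists in 4.0+.

$root       = $env:LOCALAPPDATA
$sinceDays  = 7
$watchNames = @('safari', 'E', 'chrome', 'xnotes')             # assumption: names mentioned in the thread
$execExt    = @('.exe', '.dll', '.scr', '.bat', '.cmd', '.vbs', '.js')
$cutoff     = (Get-Date).AddDays(-$sinceDays)

function Get-Sha256 {
    param([string]$Path)
    # Returns the lowercase hex SHA-256 of a file, or 'unreadable' if the file is locked.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $stream = [System.IO.File]::OpenRead($Path)
        try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
        return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
    } catch {
        return 'unreadable'
    }
}

# 1. Top-level folders whose names match something called out in the thread (-contains is case-insensitive).
Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and ($watchNames -contains $_.Name) } |
    ForEach-Object { Write-Output ("Folder of interest: " + $_.FullName) }

# 2. Executables created inside the window, newest first, with hashes.
Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { (-not $_.PSIsContainer) -and ($execExt -contains $_.Extension.ToLower()) -and ($_.CreationTime -gt $cutoff) } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Created = $_.CreationTime
            Path    = $_.FullName
            SHA256  = Get-Sha256 -Path $_.FullName
        }
    } |
    Sort-Object Created -Descending |
    Select-Object Created, Path, SHA256 |
    Format-Table -AutoSize -Wrap
```

Running this once after a clean-up and again after the next reboot gives you a before/after list: any executable that reappears with a new creation time is being dropped by something still on the machine, and its hash is the identifier worth including with a sample submission.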