rotationaldynamics

Members
  • Posts: 33
  • Joined
  • Last visited

Reputation: 0 Neutral
  1. Thank you very much for all your help Kevin, I'll run this scan when I have some time.
  2. There are no issues anymore, but I'd like to be sure that, although the coinminer has been removed, there isn't a RAT/backdoor on my PC.
  3. I used the Replace Task Manager option in P/E. Here is the log for the search:

     ================== Search Files: "mfilter.exe;pagefile.sys;taskmgr.exe" =============

     C:\pagefile.sys
     [2018-01-04 14:17][2018-01-25 20:00] 1073741824 ___SH () D41D8CD98F00B204E9800998ECF8427E [File not signed]

     C:\Windows\WinSxS\wow64_microsoft-windows-advancedtaskmanager_31bf3856ad364e35_6.3.9600.17415_none_aa468018f39d863d\Taskmgr.exe
     [2014-11-22 12:15][2014-11-22 12:15] 001103768 _____ (Microsoft Corporation) 9919D598108E8E449D98ABA2C43D2F20 [File is digitally signed]

     C:\Windows\WinSxS\amd64_microsoft-windows-advancedtaskmanager_31bf3856ad364e35_6.3.9600.17415_none_9ff1d5c6bf3cc442\Taskmgr.exe
     [2014-11-22 12:15][2014-11-22 12:15] 001239576 _____ (Microsoft Corporation) DAD789C1C1B03311DC7FCFEB5D1520E4 [File is digitally signed]

     C:\Windows\SysWOW64\Taskmgr.exe
     [2014-11-22 12:15][2014-11-22 12:15] 001103768 _____ (Microsoft Corporation) 9919D598108E8E449D98ABA2C43D2F20 [File is digitally signed]

     C:\Windows\System32\Taskmgr.exe
     [2014-11-22 12:15][2014-11-22 12:15] 001239576 _____ (Microsoft Corporation) DAD789C1C1B03311DC7FCFEB5D1520E4 [File is digitally signed]

     ====== End of Search ======
  4. Hi Kevin, after the fix rundll32.exe has not returned to using my CPU. How can I know if I have completely cleaned out the trojan? I did not manage to re-enable Task Manager; Process Explorer has deleted it, and using SFC did nothing. Thanks
  5. I think I'm in clean boot? I don't know how to tell.

     Fix result of Farbar Recovery Scan Tool (x64) Version: 21.01.2018
     Ran by User (24-01-2018 10:36:25) Run:6
     Running from C:\Users\User\Desktop
     Loaded Profiles: User (Available Profiles: User)
     Boot Mode: Normal
     ==============================================

     fixlist content:
     *****************
     Start
     Unlock: C:\WINDOWS\pagefile.sys
     C:\WINDOWS\pagefile.sys
     Unlock: C:\Windows\System32\mfilter.exe
     C:\Windows\System32\mfilter.exe
     End
     *****************

     "C:\WINDOWS\pagefile.sys" => was unlocked
     Could not move "C:\WINDOWS\pagefile.sys" => Scheduled to move on reboot.
     "C:\Windows\System32\mfilter.exe" => was unlocked
     C:\Windows\System32\mfilter.exe => moved successfully

     Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 24-01-2018 10:37:50)
     C:\WINDOWS\pagefile.sys => Is moved successfully

     ==== End of Fixlog 10:37:50 ====
  6. Fix result of Farbar Recovery Scan Tool (x64) Version: 21.01.2018
     Ran by User (24-01-2018 03:38:28) Run:5
     Running from C:\Users\User\Desktop
     Loaded Profiles: User (Available Profiles: User)
     Boot Mode: Normal
     ==============================================

     fixlist content:
     *****************
     Start
     Unlock: C:\WINDOWS\pagefile.sys
     C:\WINDOWS\pagefile.sys
     Replace: C:\pagefile.sys C:\WINDOWS\pagefile.sys
     End
     *****************

     "C:\WINDOWS\pagefile.sys" => was unlocked
     C:\WINDOWS\pagefile.sys => moved successfully
     "C:\WINDOWS\pagefile.sys" => not found
     Could not replace C:\WINDOWS\pagefile.sys

     ==== End of Fixlog 03:38:28 ====

     Also, my Task Manager is no longer coming up. I set process manager as my task manager and then needed to change back to do some steps in the clean boot, but could not, as process manager doesn't have options for startup processes.
  7. File search:

     Farbar Recovery Scan Tool (x64) Version: 21.01.2018
     Ran by User (23-01-2018 15:09:52)
     Running from C:\Users\User\Desktop
     Boot Mode: Normal

     ================== Search Files: "pagefile.sys" =============

     C:\pagefile.sys
     [2018-01-04 14:17][2018-01-23 04:54] 599175168 ___SH () D41D8CD98F00B204E9800998ECF8427E [File not signed]

     C:\Windows\pagefile.sys
     [2018-01-22 22:39][2018-01-23 15:07] 078257664 _____ () C6138F4648DD3BD8C5E08621D32AB6FA [File not signed]

     ====== End of Search ======

     Registry search:

     Farbar Recovery Scan Tool (x64) Version: 21.01.2018
     Ran by User (23-01-2018 15:17:35)
     Running from C:\Users\User\Desktop
     Boot Mode: Normal

     ================== Search Registry: "pagefile.sys" ===========

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToBackup]
     "Memory Page File"="\Pagefile.sys"

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
     "PagingFiles"="?:\pagefile.sys"

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
     "ExistingPageFiles"="\??\C:\pagefile.sys"

     ====== End of Search ======

     Also, when I booted up just now I came to this: and for some reason my input is quite laggy and will stop at certain points.
  8. Hi Kevin, when I restart Windows I have the rundll32 infection; when I use Zemana it gets rid of it, but when I restart my computer it comes back. When scanning for rootkits, should I have it so that the infection is ongoing or removed? Also, here is ark.txt with the infection removed by Zemana. Thank you. ark.txt
  9. This is the stack for the thread that is using all the CPU power. I don't know if this will help you.
  10. Zemana AntiMalware 2.74.2.150 (Installed)
      -------------------------------------------------------
      Scan Result : Completed
      Scan Date : 2018/1/22
      Operating System : Windows 8.1 64-bit
      Processor : 4X Intel(R) Core(TM) i5-4670K CPU @ 3.40GHz
      BIOS Mode : Legacy
      CUID : 12D4EC43322EE212C774C9
      Scan Type : System Scan
      Duration : 7m 8s
      Scanned Objects : 48982
      Detected Objects : 1
      Excluded Objects : 0
      Read Level : SCSI
      Auto Upload : Enabled
      Detect All Extensions : Disabled
      Scan Documents : Disabled
      Domain Info : WORKGROUP,0,2

      Detected Objects
      -------------------------------------------------------

      pagefile.sys
      Status : Scanned
      Object : %systemroot%\pagefile.sys
      MD5 : 11D62E27938E0CFF642F02620FCDE06E
      Publisher : -
      Size : 1534464
      Version : -
      Detection : RiskTool:Win32/BitCoinMiner
      Cleaning Action : Quarantine
      Related Objects :
      File - %systemroot%\pagefile.sys
      DLL - 5736 - C:\Windows\System32\rundll32.exe

      Cleaning Result
      -------------------------------------------------------
      Cleaned : 1
      Reported as safe : 0
      Failed : 0

      Sorry I didn't reboot manually, I will do that now.
  11. After restarting Windows, my pagefile.sys reappeared in C:\Windows and it is still infected. https://www.virustotal.com/#/file/a23680556c4a6649db552b79e19c862a7116ff803f1b8964a59b89c37c0bd077/detection
  12. fixlist content:
      *****************
      Start
      Unlock: C:\WINDOWS\pagefile.sys
      C:\WINDOWS\pagefile.sys
      Replace: C:\pagefile.sys C:\WINDOWS\pagefile.sys
      End
      *****************

      "C:\WINDOWS\pagefile.sys" => not found
      "C:\WINDOWS\pagefile.sys" => not found
      "C:\WINDOWS\pagefile.sys" => not found
      Could not replace C:\WINDOWS\pagefile.sys

      ==== End of Fixlog 22:00:29 ====

      Yeah I do, I've got my Windows install disk as well.
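The posts above describe a miner DLL planted as C:\Windows\pagefile.sys and loaded by rundll32.exe, which comes back after every reboot, plus a Task Manager that no longer opens after Process Explorer's Replace Task Manager option was used. The following PowerShell is an added triage script, not something posted in the thread and not code from FRST, Zemana, Process Explorer or Malwarebytes. It is read-only and reports four things: every file named pagefile.sys on the machine and whether it is the one the kernel actually has configured (the real paging file is held open exclusively by the kernel and cannot be hashed; the D41D8CD98F00B204E9800998ECF8427E that FRST shows for C:\pagefile.sys is the MD5 of zero bytes, i.e. a file it could not read, whereas the copy under C:\Windows hashed normally because it is an ordinary file); the module each running rundll32.exe was asked to load; the Image File Execution Options Debugger value for taskmgr.exe that Replace Task Manager writes, together with the DisableTaskMgr policy value and the signature of the real taskmgr.exe; and Run keys, scheduled tasks and services whose command mentions rundll32 or pagefile.sys, which is where a reboot-surviving relaunch usually lives. Function names, the "suspect" heuristics and the choice of autostart locations are the author's own and are not exhaustive.

```powershell
# Added triage script (not from the thread; not FRST/Zemana/Process Explorer code).
# Read-only: it reports and changes nothing. Run in an elevated PowerShell 4.0+
# session (Windows 8.1 ships 4.0) on the affected machine.

function Find-LookalikePageFile {
    # The kernel records the genuine paging file(s) here as REG_MULTI_SZ entries
    # of the form '\??\C:\pagefile.sys'.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $configured = @((Get-ItemProperty -Path $key -Name ExistingPageFiles -ErrorAction SilentlyContinue).ExistingPageFiles |
        ForEach-Object { ("$_" -replace '^\\\?\?\\', '').ToLowerInvariant() })
    # Candidates: every drive root plus the Windows and System32 directories.
    $roots = Get-PSDrive -PSProvider FileSystem | Where-Object Root | ForEach-Object { Join-Path $_.Root 'pagefile.sys' }
    $dirs  = Get-ChildItem -Path $env:SystemRoot, "$env:SystemRoot\System32" -Filter 'pagefile.sys' -Force -File -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName
    foreach ($path in (@($roots) + @($dirs) | Sort-Object -Unique)) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $item = Get-Item -LiteralPath $path -Force
        # The real paging file is open exclusively by the kernel, so hashing fails;
        # a readable 'pagefile.sys' is therefore an ordinary file and worth a look.
        $sha256 = try { (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction Stop).Hash } catch { 'LOCKED' }
        [PSCustomObject]@{
            Path       = $path
            Configured = ($configured -contains $path.ToLowerInvariant())
            Size       = $item.Length
            Attributes = $item.Attributes
            SHA256     = $sha256
        }
    }
}

function Get-Rundll32Process {
    # rundll32.exe normally receives '<path>.dll,<EntryPoint>'. Flag modules that are
    # not .dll files or live outside the Windows directory (heuristic, not proof).
    Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" | ForEach-Object {
        $module = if ($_.CommandLine -match '^\s*"?[^"]*rundll32\.exe"?\s+"?([^",]+)') { $Matches[1].Trim() } else { '' }
        [PSCustomObject]@{
            PID         = $_.ProcessId
            ParentPID   = $_.ParentProcessId
            Module      = $module
            Suspect     = [bool]($module -and ($module -notmatch '\.dll$' -or $module -notlike "$env:SystemRoot\*"))
            CommandLine = $_.CommandLine
        }
    }
}

function Test-TaskManagerHijack {
    # Process Explorer's Replace Task Manager writes a Debugger value under IFEO for
    # taskmgr.exe; if that value points at a program that no longer exists, Task
    # Manager never appears. DisableTaskMgr is the policy value malware often sets.
    $ifeo    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe'
    $policy  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $taskmgr = "$env:SystemRoot\System32\taskmgr.exe"
    $debugger = (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger
    [PSCustomObject]@{
        IfeoDebugger     = $debugger
        DebuggerExists   = if ($debugger) { Test-Path -LiteralPath ($debugger -replace '^"([^"]+)".*$', '$1') } else { $null }
        DisableTaskMgr   = (Get-ItemProperty -Path $policy -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
        TaskmgrSignature = (Get-AuthenticodeSignature -FilePath $taskmgr -ErrorAction SilentlyContinue).Status
        TaskmgrSHA256    = (Get-FileHash -LiteralPath $taskmgr -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    }
}

function Get-Rundll32Autostart {
    # Where a reboot-surviving relaunch usually lives: Run/RunOnce keys, scheduled
    # tasks and services whose command mentions rundll32 or the look-alike file.
    $pattern = 'rundll32|pagefile\.sys'
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PS* provider properties that Get-ItemProperty adds.
            if ($p.Name -notlike 'PS*' -and "$($p.Value)" -match $pattern) {
                [PSCustomObject]@{ Source = $key; Name = $p.Name; Command = "$($p.Value)" }
            }
        }
    }
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match $pattern) {
                [PSCustomObject]@{ Source = 'ScheduledTask'; Name = "$($task.TaskPath)$($task.TaskName)"; Command = $cmd }
            }
        }
    }
    Get-CimInstance Win32_Service | Where-Object { $_.PathName -match $pattern } | ForEach-Object {
        [PSCustomObject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName }
    }
}

'== pagefile.sys candidates ==';                      Find-LookalikePageFile | Format-Table -AutoSize
'== rundll32.exe processes ==';                       Get-Rundll32Process    | Format-Table -AutoSize -Wrap
'== Task Manager hijack checks ==';                   Test-TaskManagerHijack | Format-List
'== autostart entries (rundll32 / pagefile.sys) ==';  Get-Rundll32Autostart  | Format-Table -AutoSize -Wrap
```

Read the output with the thread in mind: a pagefile.sys whose Configured column is False and whose SHA256 column holds a real hash instead of LOCKED is the planted file, and its SHA-256 can be compared directly with the one in the VirusTotal link posted above; a rundll32.exe row whose Module is that file, or any file without a .dll extension, is the loader; a non-empty IfeoDebugger with DebuggerExists False explains a Task Manager that never opens (removing that Debugger value, or reinstalling Process Explorer and toggling Replace Task Manager off, restores it); and the autostart list is where to look for the entry that brings the miner back after a reboot. All four checks are heuristics that point a responder at the right artefacts; they do not replace a rootkit-aware scan of the system.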