rotationaldynamics

Everything posted by rotationaldynamics

  1. Thank you very much for all your help Kevin, I'll run this scan when I have some time.
  2. There are no issues anymore, but I'd like to be sure that although the coinminer has been removed there isn't a RAT/backdoor on my PC.
  3. I used the replace task manager option in P/E. Here is the log for the search:
     ================== Search Files: "mfilter.exe;pagefile.sys;taskmgr.exe" =============
     C:\pagefile.sys [2018-01-04 14:17][2018-01-25 20:00] 1073741824 ___SH () D41D8CD98F00B204E9800998ECF8427E [File not signed]
     C:\Windows\WinSxS\wow64_microsoft-windows-advancedtaskmanager_31bf3856ad364e35_6.3.9600.17415_none_aa468018f39d863d\Taskmgr.exe [2014-11-22 12:15][2014-11-22 12:15] 001103768 _____ (Microsoft Corporation) 9919D598108E8E449D98ABA2C43D2F20 [File is digitally signed]
     C:\Windows\WinSxS\amd64_microsoft-windows-advancedtaskmanager_31bf3856ad364e35_6.3.9600.17415_none_9ff1d5c6bf3cc442\Taskmgr.exe [2014-11-22 12:15][2014-11-22 12:15] 001239576 _____ (Microsoft Corporation) DAD789C1C1B03311DC7FCFEB5D1520E4 [File is digitally signed]
     C:\Windows\SysWOW64\Taskmgr.exe [2014-11-22 12:15][2014-11-22 12:15] 001103768 _____ (Microsoft Corporation) 9919D598108E8E449D98ABA2C43D2F20 [File is digitally signed]
     C:\Windows\System32\Taskmgr.exe [2014-11-22 12:15][2014-11-22 12:15] 001239576 _____ (Microsoft Corporation) DAD789C1C1B03311DC7FCFEB5D1520E4 [File is digitally signed]
     ====== End of Search ======
  4. Hi Kevin, after the fix rundll32.exe has not returned to using my CPU. How can I know if I have completely cleaned out the trojan? I did not manage to re-enable Task Manager; Process Explorer has deleted it and using SFC did nothing. Thanks
  5. I think I'm in clean boot? I don't know how to tell.
     Fix result of Farbar Recovery Scan Tool (x64) Version: 21.01.2018
     Ran by User (24-01-2018 10:36:25) Run:6
     Running from C:\Users\User\Desktop
     Loaded Profiles: User (Available Profiles: User)
     Boot Mode: Normal
     ==============================================
     fixlist content:
     *****************
     Start
     Unlock: C:\WINDOWS\pagefile.sys
     C:\WINDOWS\pagefile.sys
     Unlock: C:\Windows\System32\mfilter.exe
     C:\Windows\System32\mfilter.exe
     End
     *****************
     "C:\WINDOWS\pagefile.sys" => was unlocked
     Could not move "C:\WINDOWS\pagefile.sys" => Scheduled to move on reboot.
     "C:\Windows\System32\mfilter.exe" => was unlocked
     C:\Windows\System32\mfilter.exe => moved successfully
     Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 24-01-2018 10:37:50)
     C:\WINDOWS\pagefile.sys => Is moved successfully
     ==== End of Fixlog 10:37:50 ====
  6. Fix result of Farbar Recovery Scan Tool (x64) Version: 21.01.2018
     Ran by User (24-01-2018 03:38:28) Run:5
     Running from C:\Users\User\Desktop
     Loaded Profiles: User (Available Profiles: User)
     Boot Mode: Normal
     ==============================================
     fixlist content:
     *****************
     Start
     Unlock: C:\WINDOWS\pagefile.sys
     C:\WINDOWS\pagefile.sys
     Replace: C:\pagefile.sys C:\WINDOWS\pagefile.sys
     End
     *****************
     "C:\WINDOWS\pagefile.sys" => was unlocked
     C:\WINDOWS\pagefile.sys => moved successfully
     "C:\WINDOWS\pagefile.sys" => not found
     Could not replace C:\WINDOWS\pagefile.sys
     ==== End of Fixlog 03:38:28 ====
     Also my task manager is no longer coming up. I set process manager as my task manager and then needed to change back to do some steps in the clean boot, but could not as process manager doesn't have options for startup processes.
  7. File search:
     Farbar Recovery Scan Tool (x64) Version: 21.01.2018
     Ran by User (23-01-2018 15:09:52)
     Running from C:\Users\User\Desktop
     Boot Mode: Normal
     ================== Search Files: "pagefile.sys" =============
     C:\pagefile.sys [2018-01-04 14:17][2018-01-23 04:54] 599175168 ___SH () D41D8CD98F00B204E9800998ECF8427E [File not signed]
     C:\Windows\pagefile.sys [2018-01-22 22:39][2018-01-23 15:07] 078257664 _____ () C6138F4648DD3BD8C5E08621D32AB6FA [File not signed]
     ====== End of Search ======
     Registry search:
     Farbar Recovery Scan Tool (x64) Version: 21.01.2018
     Ran by User (23-01-2018 15:17:35)
     Running from C:\Users\User\Desktop
     Boot Mode: Normal
     ================== Search Registry: "pagefile.sys" ===========
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToBackup]
     "Memory Page File"="\Pagefile.sys"
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
     "PagingFiles"="?:\pagefile.sys"
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
     "ExistingPageFiles"="\??\C:\pagefile.sys"
     ====== End of Search ======
     Also when I booted up just now I came to this: and for some reason my input is quite laggy and will stop at certain points
  8. Hi Kevin, when I restart Windows I have the rundll32 infection; when I use Zemana it gets rid of it, but when I restart my computer it comes back. When scanning for rootkits should I have it so that the infection is ongoing or removed? Also here is ark.txt with the infection removed by Zemana. Thank you ark.txt
  9. This is the stack for the thread that is using all the CPU power. I don't know if this will help you.
  10. Zemana AntiMalware 2.74.2.150 (Installed)
      -------------------------------------------------------
      Scan Result : Completed
      Scan Date : 2018/1/22
      Operating System : Windows 8.1 64-bit
      Processor : 4X Intel(R) Core(TM) i5-4670K CPU @ 3.40GHz
      BIOS Mode : Legacy
      CUID : 12D4EC43322EE212C774C9
      Scan Type : System Scan
      Duration : 7m 8s
      Scanned Objects : 48982
      Detected Objects : 1
      Excluded Objects : 0
      Read Level : SCSI
      Auto Upload : Enabled
      Detect All Extensions : Disabled
      Scan Documents : Disabled
      Domain Info : WORKGROUP,0,2
      Detected Objects
      -------------------------------------------------------
      pagefile.sys
      Status : Scanned
      Object : %systemroot%\pagefile.sys
      MD5 : 11D62E27938E0CFF642F02620FCDE06E
      Publisher : -
      Size : 1534464
      Version : -
      Detection : RiskTool:Win32/BitCoinMiner
      Cleaning Action : Quarantine
      Related Objects : File - %systemroot%\pagefile.sys
      DLL - 5736 - C:\Windows\System32\rundll32.exe
      Cleaning Result
      -------------------------------------------------------
      Cleaned : 1
      Reported as safe : 0
      Failed : 0
      Sorry I didn't reboot manually, I will do that now.
  11. After restarting Windows, my pagefile.sys reappeared in my C:\Windows and it is still infected. https://www.virustotal.com/#/file/a23680556c4a6649db552b79e19c862a7116ff803f1b8964a59b89c37c0bd077/detection
  12. fixlist content:
      *****************
      Start
      Unlock: C:\WINDOWS\pagefile.sys
      C:\WINDOWS\pagefile.sys
      Replace: C:\pagefile.sys C:\WINDOWS\pagefile.sys
      End
      *****************
      "C:\WINDOWS\pagefile.sys" => not found
      "C:\WINDOWS\pagefile.sys" => not found
      "C:\WINDOWS\pagefile.sys" => not found
      Could not replace C:\WINDOWS\pagefile.sys
      ==== End of Fixlog 22:00:29 ====
      Yeah I do, I've got my Windows install disk as well.
  13. Fix result of Farbar Recovery Scan Tool (x64) Version: 21.01.2018
      Ran by User (22-01-2018 21:53:40) Run:2
      Running from C:\Users\User\Desktop
      Loaded Profiles: User (Available Profiles: User)
      Boot Mode: Normal
      ==============================================
      fixlist content:
      *****************
      Start
      Replace: C:\pagefile.sys C:\WINDOWS\pagefile.sys
      End
      *****************
      "C:\WINDOWS\pagefile.sys" => Could not move.
      Could not replace C:\WINDOWS\pagefile.sys
      ==== End of Fixlog 21:53:40 ====
  14. I cannot see pagefile.sys in my C drive even with hidden items ticked. Only the one in windows comes up when I search in the C drive.
  15. No worries mate.
      Farbar Recovery Scan Tool (x64) Version: 21.01.2018
      Ran by User (22-01-2018 21:26:36)
      Running from C:\Users\User\Desktop
      Boot Mode: Normal
      ================== Search Files: "pagefile.sys" =============
      C:\pagefile.sys [2018-01-04 14:17][2018-01-22 14:25] 2550136832 ___SH () D41D8CD98F00B204E9800998ECF8427E [File not signed]
      C:\Windows\pagefile.sys [2018-01-18 14:05][2018-01-22 14:28] 067516416 _____ () 70C4B827034BE26B614D9E7F943E4E9B [File not signed]
      ====== End of Search ======
  16. Farbar Recovery Scan Tool (x64) Version: 21.01.2018
      Ran by User (22-01-2018 21:22:12)
      Running from C:\Users\User\Desktop
      Boot Mode: Normal
      ================== Search Files: "C:\WINDOWS\pagefile.sys" =============
      ====== End of Search ======
  17. I did check it and it did not remove it, I am rerunning the scan and will upload the report from the new one.
  18. RogueKiller V12.12.0.0 (x64) [Jan 15 2018] (Free) by Adlice Software
      mail : http://www.adlice.com/contact/
      Feedback : https://forum.adlice.com
      Website : http://www.adlice.com/download/roguekiller/
      Blog : http://www.adlice.com
      Operating System : Windows 8.1 (6.3.9600) 64 bits version
      Started in : Normal mode
      User : User [Administrator]
      Started from : C:\Users\User\Desktop\RogueKiller_portable64.exe
      Mode : Delete -- Date : 01/22/2018 17:50:50 (Duration : 00:15:30)
      ¤¤¤ Processes : 2 ¤¤¤
      [VT.Detected] mfilter.exe(1296) -- C:\Windows\System32\mfilter.exe[-] -> Killed [TermProc]
      [Suspicious.Path] pagefile.sys(1644) -- C:\WINDOWS\pagefile.sys[-] -> Found
      ¤¤¤ Registry : 5 ¤¤¤
      [PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} (C:\Program Files (x86)\pandasecuritytb\pandasecurityDx64.dll) -> Not selected
      [PUP.Gen0] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} (C:\Program Files (x86)\pandasecuritytb\pandasecurityDx64.dll) -> Not selected
      [PUP.Gen0] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} (C:\Program Files (x86)\pandasecuritytb\pandasecurityDx64.dll) -> Not selected
      [PUP.Gen0] (X64) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar | {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} : Panda Safe Web (C:\Program Files (x86)\pandasecuritytb\pandasecurityDx64.dll) -> Not selected
      [PUP.Gen0] (X86) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar | {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} : Panda Safe Web (C:\Program Files (x86)\pandasecuritytb\pandasecurityDx64.dll) -> Not selected
      ¤¤¤ Tasks : 0 ¤¤¤
      ¤¤¤ Files : 0 ¤¤¤
      ¤¤¤ WMI : 0 ¤¤¤
      ¤¤¤ Hosts File : 0 ¤¤¤
      ¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
      ¤¤¤ Web browsers : 0 ¤¤¤
      ¤¤¤ MBR Check : ¤¤¤
      +++++ PhysicalDrive0: WDC WD1600AVVS-98L2B0 +++++
      --- User --- [MBR] a13964fe159bcc0778283138b0bdc3eb [BSP] 3d8fd9f136251ccf0cb1ee90b9086e94 : Windows Vista/7/8|VT.Unknown MBR Code
      Partition table:
      0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 152625 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
      User = LL1 ... OK
      User = LL2 ... OK
      +++++ PhysicalDrive1: ST1000DM003-1CH162 +++++
      --- User --- [MBR] cab544fbea215dd31deb5414ce5062eb [BSP] d003c15f08d0ce77a3702da3e289b02e : Windows Vista/7/8|VT.Unknown MBR Code
      Partition table:
      0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 953867 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
      User = LL1 ... OK
      User = LL2 ... OK
  19. Will this result in my system reinstalling the needed files, or will it brick itself?
  20. Yeah, both of them are infected. What should I do to clean them and prevent them from becoming infected in the future?
  21. https://www.virustotal.com/#/file/99722dabfbbbabcc0d00c820e29a09a66eceff92533578e99e061ddaa6cda14a/detection
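A defender-side check that encodes what the pagefile.sys file and registry searches in the posts above reveal, added here as an example and not code from the poster, the helper or FRST: it parses FRST "Search Files" lines, takes the path Windows itself reports in ExistingPageFiles, and flags any other pagefile.sys. The sample lines are constructed from the values quoted above; that FRST prints the empty-file MD5 for the locked live page file is an assumption drawn from that output, so it is used only as a secondary heuristic.

```python
import re

# MD5 of zero bytes: FRST prints it when it cannot read a file, which is how the
# live, locked page file appears in the search output quoted above (assumption).
EMPTY_MD5 = "D41D8CD98F00B204E9800998ECF8427E"

# Constructed sample: the two pagefile.sys lines and the ExistingPageFiles value
# from the FRST searches above (real file at C:\, rogue one in C:\Windows).
SEARCH_FILES = """\
C:\\pagefile.sys [2018-01-04 14:17][2018-01-23 04:54] 599175168 ___SH () D41D8CD98F00B204E9800998ECF8427E [File not signed]
C:\\Windows\\pagefile.sys [2018-01-22 22:39][2018-01-23 15:07] 078257664 _____ () C6138F4648DD3BD8C5E08621D32AB6FA [File not signed]
====== End of Search ======
"""
EXISTING_PAGEFILES = r'"ExistingPageFiles"="\??\C:\pagefile.sys"'

# One FRST search line: path [created][modified] size attrs (publisher) md5 [signature]
ENTRY_RE = re.compile(
    r'^(?P<path>[A-Za-z]:\\.+?) \[[^\]]*\]\[[^\]]*\] (?P<size>\d+) (?P<attrs>[_A-Z]{5}) '
    r'\((?P<publisher>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32}) \[(?P<sig>[^\]]*)\]$'
)

def parse_search(text):
    """Return one dict per file line of an FRST 'Search Files' block (headers are skipped)."""
    return [m.groupdict() for m in (ENTRY_RE.match(line.strip()) for line in text.splitlines()) if m]

def declared_pagefiles(reg_line):
    """Page-file path Windows reports itself, without the \\??\\ NT prefix, lower-cased."""
    m = re.search(r'"ExistingPageFiles"="([^"]*)"', reg_line)
    return {m.group(1).replace("\\??\\", "").lower()} if m else set()

def flag_rogue(entries, declared):
    """Return (path, reasons) for every pagefile.sys that does not look like the real one."""
    findings = []
    for e in entries:
        reasons = []
        if e["path"].lower() not in declared:
            reasons.append("not listed in ExistingPageFiles")
        if "S" not in e["attrs"] or "H" not in e["attrs"]:
            reasons.append("lacks the system+hidden attributes of a real page file")
        if e["md5"].upper() != EMPTY_MD5:  # heuristic: the real page file is locked, so unreadable
            reasons.append("was readable, so it is not the page file Windows has open")
        if reasons:
            findings.append((e["path"], reasons))
    return findings

def audit(search_text=SEARCH_FILES, reg_line=EXISTING_PAGEFILES):
    return flag_rogue(parse_search(search_text), declared_pagefiles(reg_line))
```

Running audit() on the sample flags only C:\Windows\pagefile.sys, on all three grounds; feed it the FRST output of another machine to apply the same logic there.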