
dbs00
Honorary Members
Posts: 21

Everything posted by dbs00

  1. Okay, will do that. TYVM Aura for your help in this matter!
  2. Also, how can I add Task Manager back? After FRST deleted it, I can't use it anymore. https://cl.ly/rhGJ
  3. I did not. I used just Malwarebytes, without the FRST fix, and Malwarebytes didn't delete taskmgr. So I should do a Malwarebytes sweep and afterwards use FRST with the fix file?
  4. I removed the virus from all the servers, I changed the RDP passwords, and it seems the virus is back on some servers. On some it isn't back yet. Here are the FRST logs from the previous server on which we've been testing things: Addition.txt FRST.txt
  5. I did that a few times. ATM it isn't finding anything with Malwarebytes.
  6. I think I did it twice. Did it once, it asked for a restart. I couldn't see the log so I did it again. This is the log from the second run of the fixlist.txt:

     Fix result of Farbar Recovery Scan Tool (x64) Version: 16.05.2018 01
     Ran by Administrator (17-05-2018 17:44:32) Run:2
     Running from C:\2
     Loaded Profiles: Administrator & (Available Profiles: Administrator & MSSQL$MICROSOFT##WID & .NET v4.5 & .NET v4.5 Classic)
     Boot Mode: Normal
     ==============================================

     fixlist content:
     *****************
     Task: {68746C60-7353-4C14-89CA-88A700D3BCF0} - System32\Tasks\WindowsRecoveryCleaner => C:\ProgramData\Iostream.exe <==== ATTENTION
     C:\ProgramData\WindowsTask
     C:\ProgramData\System32
     C:\Windows\System32\Taskmgr.exe
     *****************

     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{68746C60-7353-4C14-89CA-88A700D3BCF0} => not found
     "C:\Windows\System32\Tasks\WindowsRecoveryCleaner" => not found
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WindowsRecoveryCleaner => not found
     "C:\ProgramData\WindowsTask" => not found
     "C:\ProgramData\System32" => not found
     "C:\Windows\System32\Taskmgr.exe" => not found

     ==== End of Fixlog 17:44:32 ====

     Seems it deleted taskmgr and it didn't add it back. At least now I don't have the problem with the virus closing Task Manager so I can't see the resource spike :))
  7. Here they are: Addition.txt FRST.txt
  8. When I posted my last message, Malwarebytes couldn't find any virus. Now I did a new scan and it found 4 files being infected. So either the virus is back, or you updated the database and it found files that were considered clean before. Attaching the logs:

     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Scan Date: 5/16/18
     Scan Time: 5:22 PM
     Log File: 2b9d87ae-594f-11e8-9857-00266cf2e461.json
     Administrator: Yes

     -Software Information-
     Version: 3.5.1.2522
     Components Version: 1.0.365
     Update Package Version: 1.0.5134
     License: Trial

     -System Information-
     OS: Windows 10 Server (Build 14393.2248)
     CPU: x64
     File System: NTFS
     User: System

     -Scan Summary-
     Scan Type: Threat Scan
     Scan Initiated By: Manual
     Result: Completed
     Objects Scanned: 422999
     Threats Detected: 4
     Threats Quarantined: 4
     Time Elapsed: 22 min, 3 sec

     -Scan Options-
     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Enabled
     Heuristics: Enabled
     PUP: Detect
     PUM: Detect

     -Scan Details-
     Process: 1
     Trojan.BitCoinMiner, C:\PROGRAMDATA\SYSTEM32\LOGS\ShellExperienceHostp.exe, Quarantined, [515], [522461],1.0.5134

     Module: 1
     Trojan.BitCoinMiner, C:\PROGRAMDATA\SYSTEM32\LOGS\ShellExperienceHostp.exe, Quarantined, [515], [522461],1.0.5134

     Registry Key: 0
     (No malicious items detected)

     Registry Value: 1
     Trojan.BitCoinMiner, HKU\S-1-5-21-3954276434-194457422-406667015-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|ShellExperienceHostp, Quarantined, [515], [522461],1.0.5134

     Registry Data: 0
     (No malicious items detected)

     Data Stream: 0
     (No malicious items detected)

     Folder: 0
     (No malicious items detected)

     File: 1
     Trojan.BitCoinMiner, C:\PROGRAMDATA\SYSTEM32\LOGS\ShellExperienceHostp.exe, Quarantined, [515], [522461],1.0.5134

     Physical Sector: 0
     (No malicious items detected)

     WMI: 0
     (No malicious items detected)

     (end)
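The FRST fixlog in post 6 and the Malwarebytes log in post 8 show the two persistence mechanisms this miner relied on: a scheduled task (WindowsRecoveryCleaner) executing C:\ProgramData\Iostream.exe, and a per-user Run value launching C:\ProgramData\System32\Logs\ShellExperienceHostp.exe, a name chosen to blend in with the real ShellExperienceHost.exe. The script below is an added example written for this page, not code from the thread, from Aura, or from Malwarebytes/FRST. It reports (and does not delete) scheduled tasks and Run values whose target lives in a user-writable directory, processes carrying a ShellExperienceHost-like name that do not run from the genuine package folder, and a missing or unsigned Taskmgr.exe. The list of suspect directories and the genuine ShellExperienceHost path are assumptions a reviewer should adjust for their own hosts.

```powershell
# Added example (not from the forum thread or from Malwarebytes/FRST).
# Run in an elevated PowerShell on the server. Reports only; remove nothing blindly.
$ErrorActionPreference = 'SilentlyContinue'

# Assumption: no legitimate autostart on these servers should execute from these roots.
# The miner in the thread lived under C:\ProgramData (Iostream.exe, System32\Logs\ShellExperienceHostp.exe).
$suspectRoots = @("$env:ProgramData", "$env:SystemRoot\Temp", "$env:TEMP", "$env:PUBLIC")

function Test-SuspectPath {
    param([string]$Path)
    if (-not $Path) { return $false }
    $p = $Path.Trim('"')                         # Run values are often quoted
    foreach ($root in $suspectRoots) {
        if ($root -and $p.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = @()

# 1. Scheduled tasks whose action executes from a suspect root
#    (the fixlog removed System32\Tasks\WindowsRecoveryCleaner => C:\ProgramData\Iostream.exe).
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {         # COM-handler actions have no Execute and are skipped
        if (Test-SuspectPath $action.Execute) {
            $findings += [pscustomobject]@{ Type = 'ScheduledTask'
                                            Name = "$($task.TaskPath)$($task.TaskName)"
                                            Target = "$($action.Execute) $($action.Arguments)".Trim() }
        }
    }
}

# 2. Run/RunOnce values in HKLM and in every loaded user hive
#    (Malwarebytes flagged HKU\<SID>\...\CurrentVersion\Run|ShellExperienceHostp).
if (-not (Get-PSDrive HKU)) { New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null }
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run')
$runKeys += Get-ChildItem HKU:\ |
            Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
            ForEach-Object { "HKU:\$($_.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" }
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key
    if (-not $props) { continue }
    $names = $props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' } | Select-Object -ExpandProperty Name
    foreach ($name in $names) {
        $value = [string]$props.$name
        if (Test-SuspectPath $value) {
            $findings += [pscustomobject]@{ Type = 'RunKey'; Name = "$key|$name"; Target = $value }
        }
    }
}

# 3. Processes impersonating ShellExperienceHost. Assumption: the genuine binary is the one in the
#    SystemApps package folder whose name appears in the zip attached in post 9.
$genuine = Join-Path $env:SystemRoot 'SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe'
foreach ($proc in Get-CimInstance Win32_Process | Where-Object { $_.Name -like '*ShellExperienceHost*' }) {
    if ($proc.ExecutablePath -and ($proc.ExecutablePath -ine $genuine)) {
        $findings += [pscustomobject]@{ Type = 'Process'
                                        Name = "$($proc.Name) (PID $($proc.ProcessId))"
                                        Target = $proc.ExecutablePath }
    }
}

# 4. Task Manager must exist and carry a valid signature; the fixlog shows it was already gone.
$taskmgr = Join-Path $env:SystemRoot 'System32\Taskmgr.exe'
if (-not (Test-Path $taskmgr)) {
    $findings += [pscustomobject]@{ Type = 'MissingSystemFile'; Name = $taskmgr; Target = 'restore with: sfc /scannow' }
} else {
    $sig = Get-AuthenticodeSignature $taskmgr
    if ($sig.Status -ne 'Valid') {
        $findings += [pscustomobject]@{ Type = 'BadSignature'; Name = $taskmgr; Target = [string]$sig.Status }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'No suspect autostarts, processes or missing system files found.' }
```

Run it before and after a cleanup: if the same Run value or task reappears a few minutes later, something still running (or another host with the same credentials) is re-planting it, which is the "reinstates itself" behaviour described later in the thread. Only HKU hives that are currently loaded are checked, so log on as, or load the hive of, any other local account you want covered.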
  9. That folder seems empty: https://cl.ly/rdKX Is there a way for me to access it? It was the same for shellexperiencehostp.exe. For shellexperiencehost.exe I can see this: https://www.virustotal.com/#/file/056e9e6a467119758235ab941014fa3cac659ffd881ab43ab1049b78b6e47209/detection ShellExperienceHost_cw5n1h2txyewy.zip
  10. I can give you RDC access via PM. That's not a problem on my end, and you can take whatever files you need. It's an empty "fresh" server with just Windows on it (I didn't get to setting it up and the hackers hacked it in the meantime), so this wasn't infected by me (by installing virused software).
  11. I can't find that; I have the "show hidden files" option activated. https://cl.ly/rd6Y
  12. Here they are. That ubot file shouldn't be a problem. I scanned both files on VirusTotal and they are clean. I attached the results and the files in the zip. Virus total scans.zip
  13. Hey, I just scanned the second server (where I installed Malwarebytes last night and cleaned it for the first time). Added logs here; let me know if you need more logs: https://cl.ly/rba8 Some virus signatures that I noticed: it will close Task Manager, even if I have it activated with "always on top". If I open Task Manager it will wait a few minutes and after that it will close it and start itself up. If I open Task Manager again, it will pause itself for a few minutes and after that it will close Task Manager and start itself up. (All settings in Malwarebytes won't pick this up.) Thank you. Addition.txt FRST.txt
  14. Sure thing. After cleaning the servers, I still have ShellExperienceHostp.exe in Task Manager. Is that normal? If I close it, it will open itself up right away.
  15. Hey, are you sure the update went through? https://cl.ly/rbmK It seems there aren't new application updates. I did scans on the "cleaned" server and on the fresh server that didn't have Malwarebytes installed. I attached the logs; I'll let you know later if I still notice the virus. TYVM for your help in this matter! Miners.zip
  16. Awesome, if you need more samples let me know. I have plenty... unfortunately.
  17. Hey, here it is. From the cleaned server: there isn't ExplorerPlugpp.dll, just Explorer.dll. https://www.sendspace.com/file/ervc35 From the infected server (I found both): https://www.sendspace.com/file/d2mcoy Let me know if you need other files. Thank you. (PS: I was afraid to copy-paste on my PC and to paste them here, so I uploaded them on Sendspace.)
  18. Hey, done. This is from the server where I didn't install Malwarebytes (so it's full of viruses). I can do the same on servers where I run Malwarebytes, so you can see that MB will find the virus, will "block it", and the virus will reinstate itself again. Let me know if I should redo all steps for such a server. Ty. WIN-SMGPRG3ATER.zip
  19. I attached below the logs as requested from 2 servers: 1. where I used Malwarebytes and it "cleaned" the server; 2. from the server where I didn't use Malwarebytes at all, and this one should be full of viruses. Let me know what else I need to provide. Thank you. PS: I'll be back in a few hours. Miners.zip
  20. Hi Aura, thanks for looking into it. 1. No, these servers aren't exposed. But I had some servers with Linux, and when logging on to them I could see they are trying to brute-force in, ~5k tries per day. So probably it's the same thing for the Windows servers as well (probably they know the IP ranges for this provider's servers and are just scanning throughout them). 2. RDP is enabled so I could work on them. Southcloud (the provider of the servers) recommended that I restrict RDP access just to my needed IPs (didn't do that yet though). 3. Some are fully updated, some aren't. No difference for the virus. Same for Windows Defender (latest update, no difference). Let me know what other questions you have.
  21. Hello, for a while now I have problems with some miners. Idk if it's worldwide or they are targeting just https://www.cloudsouth.com/ I have 20+ servers from them and most of them are with miners. I reinstalled the OS a few times and soon after the servers become infected again. I think they are brute-forcing them. I started using 24-character passwords on newly reinstalled servers. Here's a report from Malwarebytes (attached below). Even if Malwarebytes cleaned the system, and a new check results in a "clean" PC, the virus is still there and it's not being detected. If I open Task Manager, the virus will instantly pause itself and the PC/server will start working normally. A few minutes later the virus will close Task Manager and it will start itself. The PC/server will start to lag hard as the virus is using 90% of CPU when it's running. Doing a virus scan without opening Task Manager is impossible. It won't even start; the PC is lagging that hard. Updated Windows Defender won't pick it up either. In Task Manager it is using some of the following names: SHELLEXPERIENCEHOST1.EXE, Windowsshellexperiencehost.exe, Windowsshellexperiencehoste.exe, Windowsshellexperiencehostp.exe. Any idea how I can remove these pesky miners? I can provide access via RDP to some infected servers, NP. Bitcoin miners report.txt
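Posts 20 and 21 describe the likely entry point: RDP open to the internet on a provider's well-known address range, thousands of password guesses a day, and reinfection shortly after each OS reinstall. Two things a practitioner would want before and after cleanup are evidence of the guessing (failed-logon events grouped by source address) and the restriction the provider recommended (inbound 3389 only from known admin addresses). The script below is an added example written for this page, not code from the thread, from Aura, or from the hosting provider. It assumes an English-locale Windows Server whose built-in firewall rule group is named "Remote Desktop", the addresses 203.0.113.10 and 198.51.100.0/24 are placeholders for your own admin IPs, and the Security log is retained long enough to cover the window you query.

```powershell
# Added example (not from the forum thread or the hosting provider). Run elevated.
# WARNING: apply Set-RdpAllowList only from a console/KVM session or from an address on the list,
# otherwise you lock yourself out of the server.

# Summarise failed logons (Event ID 4625) by source address over the last $Hours hours.
# Values are read from the event XML by name, so the column order of 4625 does not matter.
function Get-FailedLogonSummary {
    param([int]$Hours = 24, [int]$Top = 10)
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{ Time      = $e.TimeCreated
                           User      = $d['TargetUserName']
                           Source    = $d['IpAddress']
                           LogonType = $d['LogonType'] }   # 10 = RemoteInteractive, 3 = Network (NLA fails here)
    }
    $rows | Group-Object Source | Sort-Object Count -Descending |
        Select-Object -First $Top Count, Name,
            @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique | Select-Object -First 5) -join ',' } }
}

# Scope the built-in Remote Desktop rules to an allow-list, make sure the firewall profiles
# block unsolicited inbound traffic, and require Network Level Authentication.
function Set-RdpAllowList {
    param([Parameter(Mandatory)][string[]]$AllowedAddresses)
    # Assumption: English display group name; check Get-NetFirewallRule -DisplayGroup on localised builds.
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -RemoteAddress $AllowedAddresses
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block
    # NLA: the client must authenticate (CredSSP) before a session is created, which also removes
    # the pre-auth attack surface on the RDP listener.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
                     -Name UserAuthentication -Value 1
    # Show the resulting scope so the change can be verified before disconnecting.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Get-NetFirewallAddressFilter |
        Select-Object @{ n = 'RemoteAddress'; e = { $_.RemoteAddress -join ',' } }
}

# Usage: first look at who is hammering the listener, then lock it down.
Get-FailedLogonSummary -Hours 24 -Top 10 | Format-Table -AutoSize
# Set-RdpAllowList -AllowedAddresses '203.0.113.10', '198.51.100.0/24'   # placeholders: your admin IPs
```

A 24-character password raises the cost of guessing but does not stop the traffic, and it does nothing if an attacker already has a foothold that re-creates the Run value after cleanup; cutting 3389 off from the internet does both. If the hosts must be reachable from changing addresses, put them behind the provider's VPN or a bastion and allow-list only that, rather than reopening the port.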