[WMI coin miners]

When computer is starting, we see an error from Windows that says that bat file cannot be found.

[WMI coin miners]

We did not install it. We believe it belongs to the virus. 

We cannot actually find the file. I think virus manages to add it to the startup but it cannot actually put the file there. 

[WMI coin miners]

Hello,

We chose the quarantine to all the found items but they come back each time. I'm not sure if I quarantined once again before preparing the logs for the upload. 

[WMI coin miners]

Scanning report is attached. 

scanreport.txt

[WMI coin miners]

Hello,

A WMI based coin miner virus is active on our computer. Malwarebytes is able to remove it but it comes back on the restart. We believe it comes back from MSSQL server agent jobs.

I am attaching the reports so that you can a virus that you are not able to remove.

Note that we suffer blue screen (caused by mwac.sys) on each restart of the Windows, but it works on the every second attempt. 

Secondly, when the virus tries to connect to the internet, malwarebytes blocks it but it actually blocks the whole internet connection, not for just the virus. Moreoever, it even blocks the local network connections. I solve it by closing malwarebytes. Is this normal? Isnt it supposed to just block the virus's connection or the suspicious connection?

It would be great if you can help.

Please let me know if you need more information. 

 

mbst-grab-results.zip