DuckFX, posted November 22, 2016 (ID:1073852):

Dear Moderators, Staff,

Recently I've seen that minerd.exe has popped up in my computer's Task Manager. I managed to remove it so that it doesn't take up all of my CPU, but I still found the file location. My antivirus, Kaspersky, says the virus is still there as in "malware" and I think I may agree with him. I then tried deleting the files, but each time I deleted them and rebooted, they just re-popped up, and the same cycle went on over and over. How do I get rid of it definitively? Thank you!
AdvancedSetup (Root Admin), posted November 22, 2016 (ID:1073925):

Hello, and please read the following and post back the logs when ready, and we'll see about getting you cleaned up.

Before we proceed further, please read all of the following instructions carefully. If there is anything that you do not understand, kindly ask before proceeding. If needed, please print out these instructions.

- Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text. If the log is too large, then you can use attachments by clicking on the More Reply Options button.
- Please enable your system to show hidden files: How to see hidden files in Windows
- Make sure you're subscribed to this topic: click on the Follow This Topic button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly.
- Removing malware can be unpredictable; it is unlikely, but things can go very wrong! Please make sure you back up all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive.
- Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you.
- The removal of malware is not instantaneous; please be patient. Often we are also in a different time zone.
- Perform everything in the correct order. Sometimes one step requires the previous one.
- If you have any problems while following my instructions, stop there and tell me the exact nature of the issue.
- You can check here if you're not sure if your computer is 32-bit or 64-bit.
- Please disable your antivirus while running any requested scanners so that they do not interfere with the scanners.
- When we are done, I'll give you instructions on how to clean up all the tools and logs.
- Please stick with me until I give you the "all clear", and please don't waste my time by leaving before that.

Your topic will be closed if you haven't replied within 3 days. (If I have not responded within 24 hours, please send me a Private Message as a reminder.)

STEP 01

Please run a Threat Scan with MBAM. If you're unable to run or complete the scan as shown below, please see the following: MBAM Clean Removal Process 2x. When reinstalling the program, please try the latest version.

- Right click and choose "Run as administrator" to open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link.
- Open up Malwarebytes > Settings > Detection and Protection > enable Scan for rootkit and, under Non Malware Protection, set both PUP and PUM to Treat detections as malware.
- Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.
- Once completed, please click on History > Application Logs, find your scan log, open it, click on the "copy to clipboard" button and post back the results in your next reply.
DuckFX (Author), posted November 22, 2016 (ID:1074059):

I don't know if MinerD is in there. Hope it is!

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/22/2016
Scan Time: 5:24 PM
Logfile: 
Administrator: Yes
Version: 2.2.1.1043
Malware Database: v2016.11.22.14
Rootkit Database: v2016.11.20.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
OS: Windows 10
CPU: x64
File System: NTFS
User: Amaury J-D

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 337295
Time Elapsed: 13 min, 41 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 30
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\APPID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}, , [4e0840834555c076376d59512dd67090], 
PUP.Optional.Reimage, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}, , [4e0840834555c076376d59512dd67090], 
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}, , [4e0840834555c076376d59512dd67090], 
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}, , [57ff249f4e4c033329c54d49fc07bd43], 
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\TYPELIB\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}, , [57ff249f4e4c033329c54d49fc07bd43], 
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\INTERFACE\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}, , [57ff249f4e4c033329c54d49fc07bd43], 
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\INTERFACE\{BD51A48E-EB5F-4454-8774-EF962DF64546}, , [57ff249f4e4c033329c54d49fc07bd43], 
PUP.Optional.Reimage, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}, , [57ff249f4e4c033329c54d49fc07bd43], 
PUP.Optional.Reimage, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{BD51A48E-EB5F-4454-8774-EF962DF64546}, , [57ff249f4e4c033329c54d49fc07bd43], 
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}, , [57ff249f4e4c033329c54d49fc07bd43], 
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{BD51A48E-EB5F-4454-8774-EF962DF64546}, , [57ff249f4e4c033329c54d49fc07bd43], 
PUP.Optional.Reimage, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}, , [57ff249f4e4c033329c54d49fc07bd43], 
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\WOW6432NODE\TYPELIB\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}, , [57ff249f4e4c033329c54d49fc07bd43], 
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\REI_AxControl.ReiEngine.1, , [57ff249f4e4c033329c54d49fc07bd43], 
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\REI_AxControl.ReiEngine, , [57ff249f4e4c033329c54d49fc07bd43], 
PUP.Optional.Reimage, HKLM\SOFTWARE\WOW6432NODE\CLASSES\REI_AxControl.ReiEngine, , [57ff249f4e4c033329c54d49fc07bd43], 
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\WOW6432NODE\REI_AxControl.ReiEngine, , [57ff249f4e4c033329c54d49fc07bd43], 
PUP.Optional.Reimage, HKLM\SOFTWARE\WOW6432NODE\CLASSES\REI_AxControl.ReiEngine.1, , [57ff249f4e4c033329c54d49fc07bd43], 
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\WOW6432NODE\REI_AxControl.ReiEngine.1, , [57ff249f4e4c033329c54d49fc07bd43], 
PUP.Optional.Reimage, HKU\S-1-5-21-285063949-4146897881-553778616-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{10ECCE17-29B5-4880-A8F5-EAD298611484}, , [57ff249f4e4c033329c54d49fc07bd43], 
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}, , [70e6388b9dfdcb6b737c0d898e7502fe], 
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\APPID\REI_AxControl.DLL, , [bf97aa19faa0b77fbd25910511f2cf31], 
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\TYPELIB\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0, , [ce88467d356539fdf7b25654e12221df], 
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\REI_AxControl.DLL, , [4d09a71c77237db940a293033ac956aa], 
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\WOW6432NODE\TYPELIB\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0, , [3125fcc70e8c171f8f1ae0ca956e2cd4], 
PUP.Optional.Reimage, HKLM\SOFTWARE\REIMAGE\Reimage Repair, , [76e0ae1568325dd9b801c3f424dfad53], 
PUP.Optional.Reimage, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\REI_AxControl.DLL, , [e2746360247611259c465f3715eed42c], 
PUP.Optional.Reimage, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0, , [9fb79132afebca6ca30601a99271a25e], 
PUP.Optional.Reimage, HKU\S-1-5-21-285063949-4146897881-553778616-1001\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\Reimage - Windows Problem Relief., , [31256a59f8a28aac44a8494d986b0ef2], 
PUP.Optional.Reimage, HKU\S-1-5-21-285063949-4146897881-553778616-1001\SOFTWARE\REIMAGE\PC REPAIR, , [fc5a487b96040f279558ecaaa360d52b], 

Registry Values: 4
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\TYPELIB\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0, REI_AxControl 1.0 Type Library, , [ce88467d356539fdf7b25654e12221df]
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\WOW6432NODE\TYPELIB\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0, REI_AxControl 1.0 Type Library, , [3125fcc70e8c171f8f1ae0ca956e2cd4]
PUP.Optional.Reimage, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0, REI_AxControl 1.0 Type Library, , [9fb79132afebca6ca30601a99271a25e]
PUP.Optional.Reimage, HKU\S-1-5-21-285063949-4146897881-553778616-1001\SOFTWARE\REIMAGE\PC REPAIR|QuitMessage, , , [fc5a487b96040f279558ecaaa360d52b]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
PUP.Optional.SpeedItUp, C:\Windows\Reimage.ini, , [ba9c5f640c8eb4822408ddc2a85ba35d], 

Physical Sectors: 0
(No malicious items detected)

(end)
AdvancedSetup (Root Admin), posted November 23, 2016 (ID:1074111):

Please restart the computer and run MBAM again as before and post back the new log.
DuckFX (Author), posted November 23, 2016 (ID:1074210):

PS: I know the file location of MinerD. (PS: it says Remove Selected; I didn't press it because I wasn't sure, so I'll let you decide.)

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/23/2016
Scan Time: 10:01 AM
Logfile: 
Administrator: Yes
Version: 2.2.1.1043
Malware Database: v2016.11.23.09
Rootkit Database: v2016.11.20.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
OS: Windows 10
CPU: x64
File System: NTFS
User: Amaury J-D

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 337510
Time Elapsed: 17 min, 16 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 30
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\APPID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}, , [f4c1ffc40892b77f752e674300035fa1], 
PUP.Optional.Reimage, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}, , [f4c1ffc40892b77f752e674300035fa1], 
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}, , [f4c1ffc40892b77f752e674300035fa1], 
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}, , [6b4ad9ead1c910260edf0393ad56f808], 
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\TYPELIB\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}, , [6b4ad9ead1c910260edf0393ad56f808], 
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\INTERFACE\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}, , [6b4ad9ead1c910260edf0393ad56f808], 
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\INTERFACE\{BD51A48E-EB5F-4454-8774-EF962DF64546}, , [6b4ad9ead1c910260edf0393ad56f808], 
PUP.Optional.Reimage, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}, , [6b4ad9ead1c910260edf0393ad56f808], 
PUP.Optional.Reimage, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{BD51A48E-EB5F-4454-8774-EF962DF64546}, , [6b4ad9ead1c910260edf0393ad56f808], 
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}, , [6b4ad9ead1c910260edf0393ad56f808], 
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{BD51A48E-EB5F-4454-8774-EF962DF64546}, , [6b4ad9ead1c910260edf0393ad56f808], 
PUP.Optional.Reimage, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}, , [6b4ad9ead1c910260edf0393ad56f808], 
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\WOW6432NODE\TYPELIB\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}, , [6b4ad9ead1c910260edf0393ad56f808], 
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\REI_AxControl.ReiEngine.1, , [6b4ad9ead1c910260edf0393ad56f808], 
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\REI_AxControl.ReiEngine, , [6b4ad9ead1c910260edf0393ad56f808], 
PUP.Optional.Reimage, HKLM\SOFTWARE\WOW6432NODE\CLASSES\REI_AxControl.ReiEngine, , [6b4ad9ead1c910260edf0393ad56f808], 
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\WOW6432NODE\REI_AxControl.ReiEngine, , [6b4ad9ead1c910260edf0393ad56f808], 
PUP.Optional.Reimage, HKLM\SOFTWARE\WOW6432NODE\CLASSES\REI_AxControl.ReiEngine.1, , [6b4ad9ead1c910260edf0393ad56f808], 
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\WOW6432NODE\REI_AxControl.ReiEngine.1, , [6b4ad9ead1c910260edf0393ad56f808], 
PUP.Optional.Reimage, HKU\S-1-5-21-285063949-4146897881-553778616-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{10ECCE17-29B5-4880-A8F5-EAD298611484}, , [6b4ad9ead1c910260edf0393ad56f808], 
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}, , [457018ab08925fd714dad9bd2ad92bd5], 
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\APPID\REI_AxControl.DLL, , [c8edb013702a9c9a568bb1e58f74d927], 
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\TYPELIB\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0, , [862f8f34c8d2d3638820c9e1be45b44c], 
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\REI_AxControl.DLL, , [793c0db62a70979f41a0bed82fd420e0], 
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\WOW6432NODE\TYPELIB\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0, , [6a4b4a797e1c2b0b2385feacce35ec14], 
PUP.Optional.Reimage, HKLM\SOFTWARE\REIMAGE\Reimage Repair, , [cce96360aeec78be1b9de4d3e91a0df3], 
PUP.Optional.Reimage, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\REI_AxControl.DLL, , [0ca99231c7d3a19526bb1284b64d5ca4], 
PUP.Optional.Reimage, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0, , [2d88457e554577bfe7c1a00ab64d669a], 
PUP.Optional.Reimage, HKU\S-1-5-21-285063949-4146897881-553778616-1001\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\Reimage - Windows Problem Relief., , [9b1a23a0c8d21d19905b2a6ca95aef11], 
PUP.Optional.Reimage, HKU\S-1-5-21-285063949-4146897881-553778616-1001\SOFTWARE\REIMAGE\PC REPAIR, , [ad08a81bd6c4a195ec00ade9986bd32d], 

Registry Values: 4
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\TYPELIB\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0, REI_AxControl 1.0 Type Library, , [862f8f34c8d2d3638820c9e1be45b44c]
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\WOW6432NODE\TYPELIB\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0, REI_AxControl 1.0 Type Library, , [6a4b4a797e1c2b0b2385feacce35ec14]
PUP.Optional.Reimage, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0, REI_AxControl 1.0 Type Library, , [2d88457e554577bfe7c1a00ab64d669a]
PUP.Optional.Reimage, HKU\S-1-5-21-285063949-4146897881-553778616-1001\SOFTWARE\REIMAGE\PC REPAIR|QuitMessage, , , [ad08a81bd6c4a195ec00ade9986bd32d]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
PUP.Optional.SpeedItUp, C:\Windows\Reimage.ini, , [d1e45f6465351125bb70118e7f84f50b], 

Physical Sectors: 0
(No malicious items detected)

(end)
AdvancedSetup (Root Admin), posted November 24, 2016 (ID:1074355):

You need to select all and, yes, have MBAM remove all, please. Then restart and scan again; this time it should be clean. If it's not clean, scan and remove again and let me know.

Thanks
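The "restart and scan again" step above is really a persistence check: anything that is still listed after removal and a reboot is being recreated by something the scan did not catch (in this thread, a startup entry). The two logs posted are hard to compare by eye because the bracketed per-scan identifiers change on every run. The following script, added here as an example and not part of the thread or of Malwarebytes' own tooling, parses the detection sections of two MBAM 2.x Threat Scan logs and reports which detections persisted, which were removed, and which are new, keyed on section, threat name and location only. The two sample logs are constructed in the same layout as the logs posted above, with placeholder identifiers and a placeholder SID.

```python
"""Compare two Malwarebytes Anti-Malware 2.x Threat Scan logs.

Added example; not Malwarebytes code. Detections are keyed on
(section, threat, location) so that the bracketed per-scan identifiers,
which differ between runs, do not create false differences.
"""
import re
from typing import Dict, List, Tuple

# Sections of an MBAM 2.x log that enumerate individual detections.
DETECTION_SECTIONS = (
    "Processes", "Modules", "Registry Keys", "Registry Values",
    "Registry Data", "Folders", "Files", "Physical Sectors",
)
SECTION_RE = re.compile(r"^(%s): (\d+)" % "|".join(DETECTION_SECTIONS))
# A detection line reads "<threat>, <location>, ..."; the trailing fields
# (value name, data, bracketed per-scan identifier) are ignored.
DETECTION_RE = re.compile(r"^(?P<threat>[^,]+), (?P<location>[^,]+),")

Detection = Tuple[str, str, str]  # (section, threat, location)


def parse_log(text: str) -> Dict[str, List[Detection]]:
    """Group detections by section and cross-check each section's count
    against the number announced in its header."""
    detections: Dict[str, List[Detection]] = {s: [] for s in DETECTION_SECTIONS}
    counts: Dict[str, int] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            counts[section] = int(header.group(2))
            continue
        if line == "(end)":
            section = None
            continue
        match = DETECTION_RE.match(line) if section else None
        if match:
            detections[section].append(
                (section, match.group("threat"), match.group("location")))
    bad = [s for s, n in counts.items() if len(detections[s]) != n]
    if bad:
        # A truncated paste or a changed log format shows up here.
        raise ValueError("section count mismatch in: %s" % ", ".join(bad))
    return detections


def compare_scans(first: str, second: str) -> Dict[str, List[Detection]]:
    """Detections that survived both scans, disappeared, or newly appeared."""
    before = {d for items in parse_log(first).values() for d in items}
    after = {d for items in parse_log(second).values() for d in items}
    return {
        "persistent": sorted(before & after),
        "removed": sorted(before - after),
        "new": sorted(after - before),
    }


# Constructed sample logs in the thread's log layout (placeholder IDs/SID).
FIRST_SCAN = r"""Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/22/2016
Scan Type: Threat Scan
Result: Completed
Time Elapsed: 13 min, 41 sec

Processes: 0
(No malicious items detected)

Registry Keys: 2
PUP.Optional.Reimage, HKLM\SOFTWARE\REIMAGE\Reimage Repair, , [00000000000000000000000000000001], 
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\REI_AxControl.ReiEngine, , [00000000000000000000000000000001], 

Registry Values: 0
(No malicious items detected)

Files: 1
PUP.Optional.SpeedItUp, C:\Windows\Reimage.ini, , [00000000000000000000000000000002], 

(end)
"""

SECOND_SCAN = r"""Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/23/2016
Scan Type: Threat Scan
Result: Completed

Registry Keys: 2
PUP.Optional.Reimage, HKLM\SOFTWARE\REIMAGE\Reimage Repair, , [00000000000000000000000000000003], 
PUP.Optional.Reimage, HKU\S-1-5-21-0-0-0-1001\SOFTWARE\REIMAGE\PC REPAIR, , [00000000000000000000000000000003], 

Files: 1
PUP.Optional.SpeedItUp, C:\Windows\Reimage.ini, , [00000000000000000000000000000004], 

(end)
"""

if __name__ == "__main__":
    for label, items in compare_scans(FIRST_SCAN, SECOND_SCAN).items():
        print("%s (%d):" % (label, len(items)))
        for section, threat, location in items:
            print("  [%s] %s  %s" % (section, threat, location))
```

Run it against two real logs by reading them from files instead of the constructed constants; a non-empty "persistent" list after a removal and a reboot is the signal that an autostart entry or scheduled task is re-creating the items and needs to be found before deleting the files again.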
DuckFX (Author), posted November 24, 2016 (ID:1074522):

The scan did not remove the MinerD files, but I think it removed the MinerD startup program. I deleted the MinerD files, rebooted, and voilà! It's not there anymore! Computer working properly! Thank you Malwarebytes! Thank you AdvancedSetup!
AdvancedSetup (Root Admin), posted November 24, 2016 (ID:1074586):

Okay, you're welcome. If all is good I'll go ahead and close your topic. If you think you'd still like to review for other possible issues, let me know.
AdvancedSetup (Root Admin), posted November 30, 2016 (ID:1075961):

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!