Jump to content
rotationaldynamics

Rundll32.exe infected with coin miner

Recommended Posts

Hi, my rundll32.exe was using around 40% of my cpu most of the time. When I stop it, it starts back up and does the same thing, except after scanning with mbam, which has now blocked it? Could I please have some assistance in removing this from my pc? I'd rather not just block it in my firewall.

mbam.PNG.f44c49c5918192d3d4edd90fdb2dd723.PNG

Addition.txt

FRST.txt

mbamthreatscan.txt

Share this post


Link to post
Share on other sites

Thanks for those logs, continue as follows:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Next,

Open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Protection Scroll to and make sure the following are selected:
    Scan for Rootkits
    Scan within Archives
     
  • Scroll further to Potential Threat Protection make sure the following are set as follows:
    Potentially Unwanted Programs (PUP`s) set as :- Always detect PUP`s (recommended)
    Potentially Unwanted Modifications (PUM`s) set as :- Alwaysdetect PUM`s (recommended)
     
  • Click on the Scan make sure Threat Scan is selected,
  • A Threat Scan will begin.
  • When the scan is complete if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected Tab
  • If asked to restart your computer to complete the removal, please do so
  • When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more to retrieve the log.


To get the log from Malwarebytes do the following:
 
  • Click on the Reports tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select user posted imageRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

https://www.microsoft.com/en-gb/download/malicious-software-removal-tool-details.aspx


Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include log details for each time MSRT has run, we only need the most recent log by date and time....


Let me see those logs in your reply, also tell me if there are any remaining issues or concerns....

Thank you,

Kevin..

fixlist.txt

Share this post


Link to post
Share on other sites

Hi Kevin,

I did what you said to do and have got all the logs as you asked. The only things to come up on ADW was another antivirus program I have, I installed this after I realised I had the infection affecting my rundll32.exe. On the microsoft tool it said during the scan that there was 1 file infected but when it finished the scan there was apparently no infected file. As you can see after running those programs rundll32 is still eating cpu power. I have suspended it and I cannot see any alternate processes popping up. I am running a full scan now to see if it picks up anything (with the microsoft program) and it has already found 2

Thanks

5a655c8783789_2infectionsandrundll32.thumb.PNG.e2a4eb071c4a9543a0d7ddd0cc756dfd.PNG

AdwCleaner[C0].txt

mrt.log

Fixlog.txt

mabamreport2.txt

Share this post


Link to post
Share on other sites

using MRST it came up with 4 infected files during the process but as soon as it finished it said there were none. Here are the MRST logs for the quick and the full scan. I understand that it is a windows process but as MBAM is blocking it with an IP pointing at a coin mining site I can only assume it is infected/being hijacked


---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.56, January 2018 (build 5.56.14443.1)
Started On Mon Jan 22 14:28:29 2018

Engine: 1.1.14405.2
Signatures: 1.259.631.0
Run Mode: Interactive Graphical Mode

Results Summary:
----------------
No infection found.
Successfully Submitted MAPS Report
Successfully Submitted Heartbeat Report
Microsoft Windows Malicious Software Removal Tool Finished On Mon Jan 22 14:30:19 2018


Return code: 0 (0x0)

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.56, January 2018 (build 5.56.14443.1)
Started On Mon Jan 22 14:31:19 2018

Engine: 1.1.14405.2
Signatures: 1.259.631.0
Run Mode: Interactive Graphical Mode

Results Summary:
----------------
No infection found.
Successfully Submitted MAPS Report
Successfully Submitted Heartbeat Report
Microsoft Windows Malicious Software Removal Tool Finished On Mon Jan 22 16:54:56 2018


Return code: 0 (0x0)

 

Edited by rotationaldynamics

Share this post


Link to post
Share on other sites
Download RogueKiller and save it on your desktop, ensure to download correct version..

RogueKiller (X86)

RogueKiller (x64)
 
  • Exit all running applications.
  • Double-click on RogueKiller.exe to launch the tool. On its first execution, RogueKiller will disply the software license (EULA), click on "Accept" to continue.
  • If RogueKiller is unable to load, do not hesitate to try launching it several times or rename it winlogon.
  • Click "Start Scan" to begin the analysis. This may take some time.
  • Once the scan is complete, click the "Open TXT" button to display the scan report.
  • Copy/Paste it's content in your next reply.


Do not use the Remove Selected option until i`ve had a look at the log..

Share this post


Link to post
Share on other sites

Hi Kevin,

it found rundll32 and it also flagged mfilter.exe which was connected to rundll32 (saw this through process explorer)

It now gives me the option to delete some of the things I found.

Edit: I ran this with rundll32.exe suspended

image.thumb.png.b69121f0c8b95023869269762ff2ab0c.png

rk_97F3.tmp.txt

Edited by rotationaldynamics

Share this post


Link to post
Share on other sites
Upload a File to Virustotal

Go to http://www.virustotal.com/
 
  • Click the Choose file button
  • Navigate to the file C:\Windows\System32\mfilter.exe
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the URL address back here please.
  • Repeat the above steps for the following files

C:\WINDOWS\pagefile.sys

Did you install Panda security before or after Rundll.exe issue

Share this post


Link to post
Share on other sites

You can kill them both with RogueKiller....

Run RogueKiller again....
 
  • Wait for the scan to complete
  • On completion, the results will be displayed
  • Checkmark the following found entries under Processes:

    [VT.Detected] mfilter.exe(1296) -- C:\Windows\System32\mfilter.exe[-] -> Found
    [Suspicious.Path] pagefile.sys(1644) -- C:\WINDOWS\pagefile.sys[-] -> Found


     
  • Leave all other "Found" entries UNChecked
  • click on the Remove Selected button
  • On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
  • This will open the report in Notepad. Copy/paste its content in your next reply....

Share this post


Link to post
Share on other sites

RogueKiller V12.12.0.0 (x64) [Jan 15 2018] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : User [Administrator]
Started from : C:\Users\User\Desktop\RogueKiller_portable64.exe
Mode : Delete -- Date : 01/22/2018 17:50:50 (Duration : 00:15:30)

¤¤¤ Processes : 2 ¤¤¤
[VT.Detected] mfilter.exe(1296) -- C:\Windows\System32\mfilter.exe[-] -> Killed [TermProc]
[Suspicious.Path] pagefile.sys(1644) -- C:\WINDOWS\pagefile.sys[-] -> Found

¤¤¤ Registry : 5 ¤¤¤
[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} (C:\Program Files (x86)\pandasecuritytb\pandasecurityDx64.dll) -> Not selected
[PUP.Gen0] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} (C:\Program Files (x86)\pandasecuritytb\pandasecurityDx64.dll) -> Not selected
[PUP.Gen0] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} (C:\Program Files (x86)\pandasecuritytb\pandasecurityDx64.dll) -> Not selected
[PUP.Gen0] (X64) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar | {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} : Panda Safe Web (C:\Program Files (x86)\pandasecuritytb\pandasecurityDx64.dll)  -> Not selected
[PUP.Gen0] (X86) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar | {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} : Panda Safe Web (C:\Program Files (x86)\pandasecuritytb\pandasecurityDx64.dll)  -> Not selected

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD1600AVVS-98L2B0 +++++
--- User ---
[MBR] a13964fe159bcc0778283138b0bdc3eb
[BSP] 3d8fd9f136251ccf0cb1ee90b9086e94 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 152625 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: ST1000DM003-1CH162 +++++
--- User ---
[MBR] cab544fbea215dd31deb5414ce5062eb
[BSP] d003c15f08d0ce77a3702da3e289b02e : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 953867 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

 

Share this post


Link to post
Share on other sites

What happened with pagefile.sys, did you not check mark...? That is for virtual memory and can be removed.

Share this post


Link to post
Share on other sites

Ok we can do a check for backup file and replace it..

Run FRST one more time:

Type the following in the edit box after "Search:".

pagefile.sys

Click Search Files button and post the log (Search.txt) it makes to your reply.

Edited by kevinf80
wrong file address, have amended..

Share this post


Link to post
Share on other sites

Farbar Recovery Scan Tool (x64) Version: 21.01.2018
Ran by User (22-01-2018 21:22:12)
Running from C:\Users\User\Desktop
Boot Mode: Normal

================== Search Files: "C:\WINDOWS\pagefile.sys" =============


====== End of Search ======

Edited by rotationaldynamics

Share this post


Link to post
Share on other sites

Apologies, I posted wrong syntax, i`ve amended in my last reply. Can you check that reply and run FRST search again...

Share this post


Link to post
Share on other sites

No worries mate.


Farbar Recovery Scan Tool (x64) Version: 21.01.2018
Ran by User (22-01-2018 21:26:36)
Running from C:\Users\User\Desktop
Boot Mode: Normal

================== Search Files: "pagefile.sys" =============

C:\pagefile.sys
[2018-01-04 14:17][2018-01-22 14:25] 2550136832 ___SH () D41D8CD98F00B204E9800998ECF8427E [File not signed]

C:\Windows\pagefile.sys
[2018-01-18 14:05][2018-01-22 14:28] 067516416 _____ () 70C4B827034BE26B614D9E7F943E4E9B [File not signed]


====== End of Search ======

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

×

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.