
Rundll32.exe infected with coin miner


Replies: 57
I assume the infection has moved the legit file and replaced it with an exploited/infected file... Let's see if the following works..

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

 

fixlist.txt


Fix result of Farbar Recovery Scan Tool (x64) Version: 21.01.2018
Ran by User (22-01-2018 21:53:40) Run:2
Running from C:\Users\User\Desktop
Loaded Profiles: User (Available Profiles: User)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
Replace: C:\pagefile.sys C:\WINDOWS\pagefile.sys
End
*****************

"C:\WINDOWS\pagefile.sys" => Could not move.
Could not replace C:\WINDOWS\pagefile.sys

==== End of Fixlog 21:53:40 ====


fixlist content:
*****************
Start
Unlock: C:\WINDOWS\pagefile.sys
C:\WINDOWS\pagefile.sys
Replace: C:\pagefile.sys C:\WINDOWS\pagefile.sys
End
*****************

"C:\WINDOWS\pagefile.sys" => not found
"C:\WINDOWS\pagefile.sys" => not found
"C:\WINDOWS\pagefile.sys" => not found
Could not replace C:\WINDOWS\pagefile.sys

==== End of Fixlog 22:00:29 ====
 

Yeah I do, I've got my windows install disk as well

Edited by rotationaldynamics

Run the following:

Please download Zemana AntiMalware and save it to your Desktop.
 
  • Install the program and once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.
    Note: If a restart is required to finish the cleaning process, you should click Reboot. If a reboot isn't required, please reboot your computer manually.
     
  • Open Zemana AntiMalware again.
  • Click on the reports icon (shown as an image in the original post) and double-click the latest report.
  • Now click File > Save As and choose your Desktop before pressing Save.
  • Attach saved report in your next message.

 

 


Zemana AntiMalware 2.74.2.150 (Installed)

-------------------------------------------------------
Scan Result            : Completed
Scan Date              : 2018/1/22
Operating System       : Windows 8.1 64-bit
Processor              : 4X Intel(R) Core(TM) i5-4670K CPU @ 3.40GHz
BIOS Mode              : Legacy
CUID                   : 12D4EC43322EE212C774C9
Scan Type              : System Scan
Duration               : 7m 8s
Scanned Objects        : 48982
Detected Objects       : 1
Excluded Objects       : 0
Read Level             : SCSI
Auto Upload            : Enabled
Detect All Extensions  : Disabled
Scan Documents         : Disabled
Domain Info            : WORKGROUP,0,2

Detected Objects
-------------------------------------------------------

pagefile.sys
Status             : Scanned
Object             : %systemroot%\pagefile.sys
MD5                : 11D62E27938E0CFF642F02620FCDE06E
Publisher          : -
Size               : 1534464
Version            : -
Detection          : RiskTool:Win32/BitCoinMiner
Cleaning Action    : Quarantine
Related Objects    :
                File - %systemroot%\pagefile.sys
                DLL - 5736 - C:\Windows\System32\rundll32.exe


Cleaning Result
-------------------------------------------------------
Cleaned               : 1
Reported as safe      : 0
Failed                : 0

Sorry I didn't reboot manually, I will do that now.

Edited by rotationaldynamics

See if you can run GMER, all security must be off or your system will crash:

Please download Gmer from Here by clicking on the "Download EXE" Button.
 
  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    Sections
    IAT/EAT
    Show All
    ( should be unchecked by default )
     
  • Leave everything else as it is.
  • Close all other running Programs as well as your Browsers.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.


Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

**If GMER crashes** Follow the instructions here and disable your security temporarily…

Hi Kevin,

When I restart windows I have the rundll32 infection, when I use zemana it gets rid of it, but when I restart my computer it comes back. When scanning for rootkits should I have it so that the infection is ongoing or removed?

Also here is ark.txt with the infection removed by Zemana.

Thank you

ark.txt


This file is legitimate: "C:\pagefile.sys". The MD5 checks out correct. It is always found at the root of C:\ and is super hidden.

This one is definitely malicious: "C:\Windows\pagefile.sys". That file does not run from the Windows folder...

Run FRST one more time:

Type the following in the edit box after "Search:".

pagefile.sys

Click Search Files button and post the log (Search.txt) it makes to your reply.

Next,

Run FRST again:

Type or copy/paste the following in the edit box after "Search:".

pagefile.sys

Click Search Registry button and post the log (Search.txt) it makes to your reply.

 

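The distinction drawn in the post above (a real paging file sits at the volume root and is registered under Memory Management, while a pagefile.sys that rundll32.exe loads from C:\Windows is a DLL wearing a system file's name) can be checked directly on the host rather than by eye. The PowerShell below is an added example, not code from this thread, from FRST or from Zemana. It assumes an elevated prompt on Windows 8.1 / PowerShell 4 or later; the directories it searches and the indicator names it matches on (pagefile.sys, mfilter.exe, both quoted in this thread) are this example's own assumptions.

```powershell
# Added example, not from the thread: live triage for the pagefile.sys / rundll32.exe pattern.
# Run from an elevated PowerShell prompt (Windows 8.1 / PowerShell 4 or later assumed).

# --- 1. Paging file locations that Windows itself registered -----------------------------
$mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$mm    = Get-ItemProperty -Path $mmKey
$registered = foreach ($entry in @($mm.PagingFiles) + @($mm.ExistingPageFiles)) {
    if (-not $entry) { continue }
    # "\??\C:\pagefile.sys" -> "C:\pagefile.sys"; "C:\pagefile.sys 0 0" -> drop the size fields
    $path = ($entry -replace '^\\\?\?\\', '') -split '\s+' | Select-Object -First 1
    # "?:\pagefile.sys" is the system-managed setting; assumption: it resolves to the system drive
    if ($path.StartsWith('?:')) { $path = $env:SystemDrive + $path.Substring(2) }
    $path.ToLowerInvariant()
}

# --- 2. Every pagefile.sys in the places a dropper would plausibly put one (assumed list) --
$dirs = @("$env:SystemDrive\", $env:SystemRoot, "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
$candidates = foreach ($d in $dirs) {
    Get-ChildItem -LiteralPath $d -Filter 'pagefile.sys' -Force -File -ErrorAction SilentlyContinue
}

function Test-MzHeader {
    # $true  : file starts with "MZ", i.e. a PE image that rundll32.exe can load
    # $false : not a PE image
    # $null  : cannot be opened; the live paging file is held open by the kernel
    param([string]$Path)
    try {
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
        try {
            $buf = New-Object byte[] 2
            $n = $fs.Read($buf, 0, 2)
            return ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
        } finally { $fs.Dispose() }
    } catch { return $null }
}

$report = foreach ($f in $candidates) {
    try   { $md5 = (Get-FileHash -LiteralPath $f.FullName -Algorithm MD5 -ErrorAction Stop).Hash }
    catch { $md5 = 'locked' }
    [pscustomobject]@{
        Path       = $f.FullName
        Registered = @($registered) -contains $f.FullName.ToLowerInvariant()
        Attributes = $f.Attributes.ToString()
        SizeMB     = [math]::Round($f.Length / 1MB, 1)
        MZHeader   = Test-MzHeader -Path $f.FullName
        MD5        = $md5
    }
}
"== pagefile.sys candidates (Registered=False or MZHeader=True is the bad combination) =="
$report | Format-Table -AutoSize

# --- 3. rundll32.exe instances: command line, parent, and modules loaded from odd places ---
$ioc = 'pagefile\.sys|mfilter\.exe'     # assumption: only the names quoted in this thread
foreach ($p in Get-CimInstance -ClassName Win32_Process -Filter "Name = 'rundll32.exe'") {
    $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $parentName = if ($parent) { "$($parent.Name) [$($parent.ProcessId)]" } else { 'exited' }
    $oddModules = try {
        (Get-Process -Id $p.ProcessId -ErrorAction Stop).Modules |
            Where-Object { $_.FileName -and
                           $_.FileName -notmatch '\\Windows\\(System32|SysWOW64|WinSxS)\\' } |
            ForEach-Object { $_.FileName }
    } catch { @('<module list unavailable>') }
    [pscustomobject]@{
        PID         = $p.ProcessId
        Parent      = $parentName
        CommandLine = $p.CommandLine
        IOCMatch    = [bool]($p.CommandLine -match $ioc)
        OddModules  = (@($oddModules) -join '; ')
    } | Format-List
}
```

The registry values the script reads are the same PagingFiles and ExistingPageFiles entries that FRST's registry search prints, so a pagefile.sys that is not listed there has no business existing. The "MZ" test is the decisive one: a genuine paging file is never a PE image and cannot be opened while Windows is running, so the live one reports MZHeader as empty and MD5 as locked, whereas a dropped DLL opens cleanly and starts with MZ. Note that an MD5 of D41D8CD98F00B204E9800998ECF8427E is the hash of zero bytes, which is what a tool gets when it opens a locked file and reads nothing; it describes the read, not the file's contents.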

File search:

Farbar Recovery Scan Tool (x64) Version: 21.01.2018
Ran by User (23-01-2018 15:09:52)
Running from C:\Users\User\Desktop
Boot Mode: Normal

================== Search Files: "pagefile.sys" =============

C:\pagefile.sys
[2018-01-04 14:17][2018-01-23 04:54] 599175168 ___SH () D41D8CD98F00B204E9800998ECF8427E [File not signed]

C:\Windows\pagefile.sys
[2018-01-22 22:39][2018-01-23 15:07] 078257664 _____ () C6138F4648DD3BD8C5E08621D32AB6FA [File not signed]


====== End of Search ======

Registry search:

Farbar Recovery Scan Tool (x64) Version: 21.01.2018
Ran by User (23-01-2018 15:17:35)
Running from C:\Users\User\Desktop
Boot Mode: Normal

================== Search Registry: "pagefile.sys" ===========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToBackup]
"Memory Page File"="\Pagefile.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"PagingFiles"="?:\pagefile.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"ExistingPageFiles"="\??\C:\pagefile.sys"

====== End of Search ======

Also when I booted up just now I came to this (screenshot attached to the original post):

and for some reason my input is quite laggy and will stop at certain points


Thanks for those logs,

Quote

C:\pagefile.sys
[2018-01-04 14:17][2018-01-23 04:54] 599175168 ___SH () D41D8CD98F00B204E9800998ECF8427E [File not signed]

That entry is correct and legitimate.

Quote

================== Search Registry: "pagefile.sys" ===========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToBackup]
"Memory Page File"="\Pagefile.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"PagingFiles"="?:\pagefile.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"ExistingPageFiles"="\??\C:\pagefile.sys"

====== End of Search ======

Those registry entries are correct and related to C:\pagefile.sys

Quote

C:\Windows\pagefile.sys
[2018-01-22 22:39][2018-01-23 15:07] 078257664 _____ () C6138F4648DD3BD8C5E08621D32AB6FA [File not signed]

That entry is malicious, also note the MD5 has changed since it was removed by Zemana and replaced after reboot...

From the screen shot it appears that C:\Windows\System32\mfilter.exe has also returned...

Next,

I want you to set your system up for a clean boot, altering settings as described in the following link. That is, all non-Microsoft services disabled; leave enabled any that affect the internet connection or security. Reboot when ready.

https://support.microsoft.com/en-gb/help/929135/how-to-perform-a-clean-boot-in-windows

Next,

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

Leave your system in clean boot after FRST fix and system reboot have completed. See if your system is now settled..

Thank you,

Kevin...

 

fixlist.txt


Fix result of Farbar Recovery Scan Tool (x64) Version: 21.01.2018
Ran by User (24-01-2018 03:38:28) Run:5
Running from C:\Users\User\Desktop
Loaded Profiles: User (Available Profiles: User)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
Unlock: C:\WINDOWS\pagefile.sys
C:\WINDOWS\pagefile.sys
Replace: C:\pagefile.sys C:\WINDOWS\pagefile.sys
End
*****************

"C:\WINDOWS\pagefile.sys" => was unlocked
C:\WINDOWS\pagefile.sys => moved successfully
"C:\WINDOWS\pagefile.sys" => not found
Could not replace C:\WINDOWS\pagefile.sys

==== End of Fixlog 03:38:28 ====

Also my task manager is no longer coming up. I set process manager as my task manager and then needed to change back to do some steps in the clean boot, but could not as process manager doesn't have options for startup processes.


I assume you are in clean boot..? Continue:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

Thanks,

Kevin...

fixlist.txt


 

I think I'm in clean boot? I don't know how to tell.

Fix result of Farbar Recovery Scan Tool (x64) Version: 21.01.2018
Ran by User (24-01-2018 10:36:25) Run:6
Running from C:\Users\User\Desktop
Loaded Profiles: User (Available Profiles: User)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
Unlock: C:\WINDOWS\pagefile.sys
C:\WINDOWS\pagefile.sys
Unlock: C:\Windows\System32\mfilter.exe
C:\Windows\System32\mfilter.exe
End
*****************

"C:\WINDOWS\pagefile.sys" => was unlocked
Could not move "C:\WINDOWS\pagefile.sys" => Scheduled to move on reboot.
"C:\Windows\System32\mfilter.exe" => was unlocked
C:\Windows\System32\mfilter.exe => moved successfully

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 24-01-2018 10:37:50)

C:\WINDOWS\pagefile.sys => Is moved successfully

==== End of Fixlog 10:37:50 ====


The reason to be in clean boot was to see if these two malicious files returned after you reboot your system; if you have not manually rebooted, please do so now. Clean boot disables all non-system services, so in that mode, if the malicious files do not return, we then need to enable those disabled services in a controlled manner to see if they return... The link I gave does explain how to enable those 3rd party services in a controlled manner. Look under the following sub header:

How to determine what is causing the problem after you do a clean boot

Did you manage to enable task manager...?

 

 

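The clean-boot bisection described in the post above finds the offending autostart entry by disabling third-party services in halves and rebooting each time. The same question, which autostart entry recreates C:\Windows\pagefile.sys and C:\Windows\System32\mfilter.exe after every boot, can also be answered by reading the autostart locations directly and grepping them for the indicators. The PowerShell below is an added example, not from this thread, from FRST or from the Microsoft article linked above. It assumes an elevated prompt on Windows 8.1 / PowerShell 4 or later; the indicator regex and the path-based "non-Microsoft" heuristic are this example's assumptions (msconfig classifies Microsoft services by publisher, not by path).

```powershell
# Added example, not from the thread: enumerate the autostart locations that can recreate a
# dropped file on every boot, and flag the entries that reference the names seen in this thread.
# Elevated prompt on Windows 8.1 / PowerShell 4 or later assumed.
$ioc = 'pagefile\.sys|mfilter\.exe|rundll32\.exe'   # assumption: names quoted in this thread only

# Services: Win32_Service exposes the start mode and the full binary path
$services = Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Trigger = $_.StartMode; Command = $_.PathName }
}

# Scheduled tasks: one row per action (Execute/Arguments are empty for COM-handler actions)
$tasks = Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        [pscustomobject]@{
            Source  = 'Task'
            Name    = $task.TaskPath + $task.TaskName
            Trigger = $task.State
            Command = ("$($a.Execute) $($a.Arguments)").Trim()
        }
    }
}

# Run / RunOnce keys for the machine (64- and 32-bit views) and the current user
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$run = foreach ($k in $runKeys) {
    if (-not (Test-Path -Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSParentPath/... members
        [pscustomobject]@{ Source = 'Run key'; Name = "$k\$($p.Name)"; Trigger = 'logon'; Command = [string]$p.Value }
    }
}

# Winlogon Shell/Userinit and AppInit_DLLs: substitutions that msconfig's service list never shows
$misc = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Values = @('Shell', 'Userinit') },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows';  Values = @('AppInit_DLLs') }
) | ForEach-Object {
    $k = $_.Key
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    foreach ($v in $_.Values) {
        if ($props -and $props.$v) {
            [pscustomobject]@{ Source = 'Winlogon/AppInit'; Name = "$k\$v"; Trigger = 'logon'; Command = [string]$props.$v }
        }
    }
}

# WMI permanent event subscriptions: a classic way to re-drop a file on boot without a service
$wmi = Get-CimInstance -Namespace 'root\subscription' -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{ Source = 'WMI consumer'; Name = $_.Name; Trigger = 'WMI event'; Command = $_.CommandLineTemplate }
    }

$entries = @($services) + @($tasks) + @($run) + @($misc) + @($wmi)

"== Autostart entries referencing the indicators from this thread =="
$entries | Where-Object { $_.Command -match $ioc } | Format-Table -AutoSize -Wrap

"== Services whose binary is outside $env:SystemRoot (path heuristic; review before re-enabling) =="
$entries | Where-Object { $_.Source -eq 'Service' -and $_.Command -and
                          $_.Command -notmatch [regex]::Escape($env:SystemRoot) } |
    Sort-Object Name | Format-Table Name, Trigger, Command -AutoSize -Wrap
```

Run it once in normal boot and once in clean boot: an entry that appears in the first listing but whose binary has been removed, or that is disabled in the second, is the one the halving procedure in the linked article is hunting for. An empty first table does not clear the machine (a service can re-drop the file from code rather than from its command line), which is why the second table still has to be reviewed entry by entry; Sysinternals Autoruns covers the same locations with publisher information if you want a fuller view.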

This topic is now closed to further replies.