
smart coin miner



The ShellExperienceHost in C:\Windows\SystemApps is legit. The one in ProgramData isn't. Alright, run a new scan with FRST and provide me a fresh set of logs. We'll try something afterwards. It seems that only the miner came back, and not the whole infection (Explorerplug.dll and so on).


Alright now don't panic, but this fix will delete the taskmgr.exe executable. However, we'll restore it afterwards (the legit one this time).

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located)
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Fix button
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
  • Copy and paste its content in your next reply

fixlist.txt


I think I did it twice.

Did it once, it asked for a restart. I couldn't see the log so I did it again.

This is the log from the second run for the fixlist.txt:

Fix result of Farbar Recovery Scan Tool (x64) Version: 16.05.2018 01
Ran by Administrator (17-05-2018 17:44:32) Run:2
Running from C:\2
Loaded Profiles: Administrator &  (Available Profiles: Administrator & MSSQL$MICROSOFT##WID & .NET v4.5 & .NET v4.5 Classic)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Task: {68746C60-7353-4C14-89CA-88A700D3BCF0} - System32\Tasks\WindowsRecoveryCleaner => C:\ProgramData\Iostream.exe <==== ATTENTION

C:\ProgramData\WindowsTask
C:\ProgramData\System32
C:\Windows\System32\Taskmgr.exe
*****************

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{68746C60-7353-4C14-89CA-88A700D3BCF0} => not found
"C:\Windows\System32\Tasks\WindowsRecoveryCleaner" => not found
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WindowsRecoveryCleaner => not found
"C:\ProgramData\WindowsTask" => not found
"C:\ProgramData\System32" => not found
"C:\Windows\System32\Taskmgr.exe" => not found

==== End of Fixlog 17:44:32 ====

Seems it deleted taskmgr and it didn't add it back.

At least now I don't have the problem with the virus closing task manager so I can't see the resource spike :))

Edited by dbs00
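As an added example (not part of any post in this thread, and not FRST's own code), here is a small Python parser for the Fixlog layout pasted above. It skips the echoed fixlist, reads the `Run:` counter and each `target => status` result line, and flags a repeat run in which every entry is "not found", meaning this run changed nothing and the earlier run's log is the one to review. The function names are hypothetical and the line format is assumed from this one log.

```python
import re

# Fixlog lines copied from the post above (profile/boot header lines omitted).
FIXLOG = r'''Fix result of Farbar Recovery Scan Tool (x64) Version: 16.05.2018 01
Ran by Administrator (17-05-2018 17:44:32) Run:2
fixlist content:
*****************
Task: {68746C60-7353-4C14-89CA-88A700D3BCF0} - System32\Tasks\WindowsRecoveryCleaner => C:\ProgramData\Iostream.exe <==== ATTENTION
C:\ProgramData\WindowsTask
C:\ProgramData\System32
C:\Windows\System32\Taskmgr.exe
*****************
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{68746C60-7353-4C14-89CA-88A700D3BCF0} => not found
"C:\Windows\System32\Tasks\WindowsRecoveryCleaner" => not found
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WindowsRecoveryCleaner => not found
"C:\ProgramData\WindowsTask" => not found
"C:\ProgramData\System32" => not found
"C:\Windows\System32\Taskmgr.exe" => not found
==== End of Fixlog 17:44:32 ====
'''

HEADER_RE = re.compile(r"^Ran by .+? \([^)]+\) Run:(?P<run>\d+)")
RESULT_RE = re.compile(r'^"?(?P<target>.+?)"? => (?P<status>.+)$')

def parse_fixlog(text):
    """Return (run_number, [(target, status), ...]) from a Fixlog."""
    run, results, star_rows = None, [], 0
    for line in map(str.strip, text.splitlines()):
        if line and set(line) == {"*"}:
            star_rows += 1          # rows of asterisks fence the echoed fixlist
            continue
        if star_rows == 1:          # inside the echo: input, not results
            continue
        header = HEADER_RE.match(line)
        if header:
            run = int(header.group("run"))
            continue
        result = RESULT_RE.match(line)
        if result:
            results.append((result.group("target"), result.group("status")))
    return run, results

def triage(text):
    """Summarise a Fixlog and flag a repeat run that found nothing to act on."""
    run, results = parse_fixlog(text)
    missing = [t for t, status in results if status == "not found"]
    repeat_noop = bool(results) and len(missing) == len(results) and (run or 0) > 1
    return {"run": run, "entries": len(results),
            "not_found": len(missing), "need_earlier_log": repeat_noop}
```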

  • 2 weeks later...

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 
