Jump to content

Recommended Posts

Hello, how's it going everyone, i have a small problem here, i noticed my computer is working and using resources when it shouldn't and some GPU usage heavy apps haven't been working well lately, a while ago i ran MalwareBytes and it keeps saying I've got a BitCoinMiner Trojan located on the Registry, when i go to the registry the folder containing the miner points me to a file that apparently doesn't exist called starter.exe located in C:\Windows\servicing, the problem is this Virus reappears after every time i boot, any ideas?

Link to post
Share on other sites

Hello m202 and welcome to Malwarebytes,

The Malwarebytes log shows "No Action By User" is that correct..?

Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
    user posted image
     
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Next,

Download and save Adiag to your Desktop, https://www.adlice.com/download/diag/
 
  • Right click and select "Run as Administrator" on the first window select Scan
  • Make sure all items are checkmarked, then select Start Scan
  • Do not use your PC as the scan progresses
  • If malicious entries are found select Results, if not close our the application.
  • You will be back to main interface, select "Display all" then "Report"
  • In the new window select "Export" then "Text File" name that file Adiag1 and save to your desktop. Close that window, then close out Adiag
  • Attach Adiag1 to your reply.


Let me see those logs in your reply....

Thank you,

Kevin...
Link to post
Share on other sites

That is correct, i have quarantined and deleted the malware several times in MalwareBytes, those captures were mostly just to show the issue, i attach here the files you asked, by the way i had a problem with Adiag, the report function didn't work for me the first time so i took screenshots and deleted the viruses, after restarting the pc ADiag's report function started working but the viruses didn't reappear. I'm running RogueKiller at the moment, when it finishes i'll attach it's report as well.

Addition.txt

FRST.txt

ADiag1.txt

Link to post
Share on other sites

What was removed with Adiag..?

Next,

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Next,

Open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Protection Scroll to and make sure the following are selected:

    Scan for Rootkits
    Scan within Archives
     
  • Scroll further to Potential Threat Protection make sure the following are set as follows:
    Potentially Unwanted Programs (PUP`s) set as :- Always detect PUP`s (recommended)
    Potentially Unwanted Modifications (PUM`s) set as :- Alwaysdetect PUM`s (recommended)
     
  • Click on the Scan make sure Threat Scan is selected,
  • A Threat Scan will begin.
  • When the scan is complete if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected Tab
  • If asked to restart your computer to complete the removal, please do so
  • When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open Malwarebytes once more to retrieve the log.


To get the log from Malwarebytes do the following:
 
  • Click on the Reports tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…

fixlist.txt

Link to post
Share on other sites

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a file on the Desktop (WINDOWS UPDATES SERVICES.reg).  Please zip it up and attach to your reply.

 

fixlist.txt

Link to post
Share on other sites

Thanks for that log, i`m trying to find out why this key is replaced after removal by malwarebytes:

HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\WINDOWS UPDATES SERVICES

That key is not genuine as far as i`m aware, I have Windows 10 Pro and cannot find it on my system, the correct reg entry for windows updates follows:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

Link to post
Share on other sites

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a file on the Desktop (WINDOWS UPDATES SERVICES.reg).  Please zip it up and attach to your reply.

fixlist.txt

Link to post
Share on other sites

Hiya m202,

Enable System Restore and create a restore point - https://www.thewindowsclub.com/system-restore-disabled-turn-on-system-restore-windows

Next,

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Next,

Open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Protection Scroll to and make sure the following are selected:

    Scan for Rootkits
    Scan within Archives
     
  • Scroll further to Potential Threat Protection make sure the following are set as follows:
    Potentially Unwanted Programs (PUP`s) set as :- Always detect PUP`s (recommended)
    Potentially Unwanted Modifications (PUM`s) set as :- Alwaysdetect PUM`s (recommended)
     
  • Click on the Scan make sure Threat Scan is selected,
  • A Threat Scan will begin.
  • When the scan is complete if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected Tab
  • If asked to restart your computer to complete the removal, please do so
  • When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open Malwarebytes once more to retrieve the log.


To get the log from Malwarebytes do the following:
 
  • Click on the Reports tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…

Let me see those logs in your reply..

Thank you,

Kevin...

fixlist.txt

Link to post
Share on other sites

I see why the problem is still there, my fix for removal of bad keys failed.. Can you Navigate in regedit ok, if so open regedit navigate to the following keys and delete the folder "Windows Update Services"

HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\WINDOWS UPDATES SERVICES

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\SERVICES\WINDOWS UPDATES SERVICES

Reboot after those keys are deleted, then try Malwarebytes again....

Its 1am local time for me, am off to bed... Can you also copy, zip and attach the following file: C:\Windows\Logs\NetSetup\VSS\wcservices.exe

Link to post
Share on other sites

Hello m202,

Run the following fix then run Malwarebytes again.....

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

The malicious files should not return after the scan with Malwarebytes...

Thank you,

Kevin..

 

fixlist.txt

Link to post
Share on other sites

Something interesting happened today, as soon as i boot the pc and ran malwarebytes this time it did recognize wcservices.exe as a threat but both that file and the 2 previous ones are now identified as Trojan.FakeMS, here's the summary just in case, i ran FRST as you said and the registry threats appeared but i guess it's because i hadn't removed it before, i attach the files you ask and just quarantined them on Malwarebytes.

Fixlog.txt

result.txt

Link to post
Share on other sites

Yes one of the staff guys from Malwarebytes did ask for a copy of wcservices.exe to be zipped and attached. Once that file was confirmed as malicious MB defs were updated. I did not think the update would be implemented in time, that is why I listed a fix for you...

What is happening now with your system, are we finally rid of the miner...?

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.