
Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please post the Fixlog.txt.

If the problem persists please run the Farbar program and post fresh logs.

fixlist.txt

Edited by nasdaq

Hi,
The last fix did not go as expected.
You have a Trojan.Win32.CoinMiner infection.

I have identified the bad. 

Edit.

Please download and use the Fixlist.txt attached.

If you create the file from what I have posted it may not work.

===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.

start
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
(Microsoft Corporation) [File not signed] C:\Windows\servicing\MsMpEngs.exe
(Microsoft Corporation) [File not signed] C:\Windows\servicing\OneDrive.exe
HKLM-x32\...\Run: [chksum] => C:\Windows\servicing\OneDrive.exe [22016 2019-03-11] (Microsoft Corporation) [File not signed]
HKLM\ DisallowedCertificates: 18AA37360A0698E6A1F54A9E8268FB127B70E189 (U)
HKLM\ DisallowedCertificates: 1B581436B0ED7536755B8B1C81112509A5AAF6ED (Panda Security S.L) <==== ATTENTION
HKLM\ DisallowedCertificates: 1F25DF887B158E34E2FCB13171924610C8F6BA2F (Emsisoft Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 249BDA38A611CD746A132FA2AF995A2D3C941264 (Malwarebytes Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: 2CC344E13934A69AA993E80C8E20FF0ACCB33F1E (U)
HKLM\ DisallowedCertificates: 2F56FF8F95EE69A27C05DBB35924F847C86A66B4 (U)
HKLM\ DisallowedCertificates: 31F5EE85DA34AD374D43776B54F6686E7E922737 (SurfRight B.V.) <==== ATTENTION
HKLM\ DisallowedCertificates: 3C92C9274AB6D3DD520B13029A2490C4A1D98BC0 (Kaspersky Lab) <==== ATTENTION
HKLM\ DisallowedCertificates: 42A8984E8B9C51F6B7274866F8726CA1E9057FAA (ESET) <==== ATTENTION
HKLM\ DisallowedCertificates: 5CA5F811E011742B05D014D03F85848D81F41A63 (Zemana) <==== ATTENTION
HKLM\ DisallowedCertificates: 622271AF668F99BD94AC12E5EBF86E48FD50AECB (Qihu 360 Software Co. Limited) <==== ATTENTION
HKLM\ DisallowedCertificates: 6CD253D636A7B4D0E0981431BC064061A9853ED9 (Comodo Security Solutions) <==== ATTENTION
HKLM\ DisallowedCertificates: 76FBABF1EADED3B91DD7A76A6678301F1F87AA97 (Comodo Security Solutions) <==== ATTENTION
HKLM\ DisallowedCertificates: 84C08B7A367422AF5FEF8D353B36191ECE9DBAF7 (Check Point Software Technologies Ltd.) <==== ATTENTION
HKLM\ DisallowedCertificates: 9900CFAABC45B4247F9D78EE7E12B102D25EA325 (Avira Operations GmbH & Co. KG) <==== ATTENTION
HKLM\ DisallowedCertificates: 9A32249E9A6B9CF5C36B0749C81613524D37C594 (Safer Networking Ltd.) <==== ATTENTION
HKLM\ DisallowedCertificates: AD4C5429E10F4FF6C01840C20ABA344D7401209F (Avast Antivirus/Software) <==== ATTENTION
HKLM\ DisallowedCertificates: BEBFAE20957D4DE689A8B962AEE358EFE39F195F (Symantec Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: BF9254919794C1075EA027889C5D304F1121C653 (U)
HKLM\ DisallowedCertificates: BFA87DC996BD6BCB02B6F530D2C646A0B5A0D5A9 (Emsisoft Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: DBFAD9D59A6A07DCEB004DBE2DC246B547249E86 (U)
HKLM\ DisallowedCertificates: E64232B7757A335C032414C6888633CC498E7CD6 (AVG Technologies CZ) <==== ATTENTION
HKLM\ DisallowedCertificates: F75019695C0504E3ABEFEDCD8FBE500DA08EC8FA (U)
HKLM\ DisallowedCertificates: F83099622B4A9F72CB5081F742164AD1B8D048C9 (ESET) <==== ATTENTION
HKU\S-1-5-21-2426846101-1662573320-2267603240-1002\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
U4 napagent; no ImagePath
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxlctlfudivq`qsp`29hfm [0]
AlternateDataStreams: C:\Users\Public\Shared Files:VersionCache [464]
AlternateDataStreams: C:\Users\Xmanos\Application Data:00e481b5e22dbe1f649fcddd505d3eb7 [394]
AlternateDataStreams: C:\Users\Xmanos\AppData\Roaming:00e481b5e22dbe1f649fcddd505d3eb7 [394]
FirewallRules: [{89DB5941-F39E-4706-A2B6-98F4BC7964B3}] => (Allow) D:\Steam\bin\cef\cef.win7\steamwebhelper.exe No File
FirewallRules: [{3FF51DD4-6F3E-4EF1-87EA-F1A7FB21D06C}] => (Allow) D:\Steam\bin\cef\cef.win7\steamwebhelper.exe No File
FirewallRules: [TCP Query User{A530A079-2EC7-4499-BA97-753CFE65E283}D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.181\deploy\leagueclient.exe] => (Allow) D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.181\deploy\leagueclient.exe No File
FirewallRules: [UDP Query User{7820FAD9-0F0C-44EE-A312-12617D95532D}D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.181\deploy\leagueclient.exe] => (Allow) D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.181\deploy\leagueclient.exe No File
FirewallRules: [TCP Query User{5E9E97B3-7DA7-403C-ACA7-CEA384B69CA7}D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.182\deploy\leagueclient.exe] => (Allow) D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.182\deploy\leagueclient.exe No File
FirewallRules: [UDP Query User{AE195A76-5545-451A-8DD9-FF51B340F37A}D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.182\deploy\leagueclient.exe] => (Allow) D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.182\deploy\leagueclient.exe No File
FirewallRules: [TCP Query User{9F26E633-612B-43F1-AEC2-92C4F88A3C12}D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.183\deploy\leagueclient.exe] => (Allow) D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.183\deploy\leagueclient.exe No File
FirewallRules: [UDP Query User{816B1979-17CB-433C-94FB-6D842A90FE56}D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.183\deploy\leagueclient.exe] => (Allow) D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.183\deploy\leagueclient.exe No File
FirewallRules: [TCP Query User{0362D1F8-1568-4119-85EF-E43252DEF703}D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.190\deploy\leagueclient.exe] => (Allow) D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.190\deploy\leagueclient.exe No File
FirewallRules: [UDP Query User{73009EAA-B80F-4146-9FA3-25FFC391BC89}D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.190\deploy\leagueclient.exe] => (Allow) D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.190\deploy\leagueclient.exe No File
FirewallRules: [TCP Query User{FE505783-80B3-4EF7-9C42-5604FB97D69E}D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.191\deploy\leagueclient.exe] => (Allow) D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.191\deploy\leagueclient.exe No File
FirewallRules: [UDP Query User{0BABA199-D046-4074-B9E3-5468039732B4}D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.191\deploy\leagueclient.exe] => (Allow) D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.191\deploy\leagueclient.exe No File
FirewallRules: [TCP Query User{51C618F1-8BA7-40AE-BA3E-A29A44B4DFE8}D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.192\deploy\leagueclient.exe] => (Allow) D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.192\deploy\leagueclient.exe No File
FirewallRules: [UDP Query User{9DEC1B54-732F-474E-B155-6E7B4159D780}D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.192\deploy\leagueclient.exe] => (Allow) D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.192\deploy\leagueclient.exe No File
FirewallRules: [TCP Query User{A0F43320-81C2-4419-B544-72FAC39EB2E1}E:\p????aµµata portable\graphisoft\archicad 22\archicad.exe] => (Allow) E:\p????aµµata portable\graphisoft\archicad 22\archicad.exe No File
FirewallRules: [UDP Query User{AFCC49AF-E868-4CD3-A39A-A4C7C74D5D27}E:\p????aµµata portable\graphisoft\archicad 22\archicad.exe] => (Allow) E:\p????aµµata portable\graphisoft\archicad 22\archicad.exe No File
FirewallRules: [TCP Query User{27F75B7B-7682-488B-9F9F-3D51D6408139}D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.193\deploy\leagueclient.exe] => (Allow) D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.193\deploy\leagueclient.exe No File
FirewallRules: [UDP Query User{00D173B7-71DD-4DF4-B003-A8DA0F9BBC74}D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.193\deploy\leagueclient.exe] => (Allow) D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.193\deploy\leagueclient.exe No File
FirewallRules: [TCP Query User{CF178B3F-52A9-4E00-8646-CF08760B4F17}D:\windowsapps\spotifyab.spotifymusic_1.101.348.0_x86__zpdnekdrzrea0\spotify.exe] => (Allow) D:\windowsapps\spotifyab.spotifymusic_1.101.348.0_x86__zpdnekdrzrea0\spotify.exe No File
FirewallRules: [UDP Query User{ED4900CB-00CA-425E-B37A-DBE4C1C7692E}D:\windowsapps\spotifyab.spotifymusic_1.101.348.0_x86__zpdnekdrzrea0\spotify.exe] => (Allow) D:\windowsapps\spotifyab.spotifymusic_1.101.348.0_x86__zpdnekdrzrea0\spotify.exe No File
FirewallRules: [TCP Query User{DDC46CE6-6644-4B4F-9238-8EDA4A3076EE}D:\windowsapps\spotifyab.spotifymusic_1.103.259.0_x86__zpdnekdrzrea0\spotify.exe] => (Allow) D:\windowsapps\spotifyab.spotifymusic_1.103.259.0_x86__zpdnekdrzrea0\spotify.exe No File
FirewallRules: [UDP Query User{EA3F30FC-8C26-417D-8A18-9D37865883EF}D:\windowsapps\spotifyab.spotifymusic_1.103.259.0_x86__zpdnekdrzrea0\spotify.exe] => (Allow) D:\windowsapps\spotifyab.spotifymusic_1.103.259.0_x86__zpdnekdrzrea0\spotify.exe No File
FirewallRules: [TCP Query User{C74308AB-697B-45F9-9B2D-297268268634}D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.194\deploy\leagueclient.exe] => (Allow) D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.194\deploy\leagueclient.exe No File
FirewallRules: [UDP Query User{D3C0811E-1D58-430E-91CF-73C1F3927AFB}D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.194\deploy\leagueclient.exe] => (Allow) D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.194\deploy\leagueclient.exe No File
FirewallRules: [TCP Query User{6D69FE3A-8EA9-4AEB-8821-23F45110B97B}D:\battle.net\battle.net\battle.net.10979\hearthstone\hearthstone.exe] => (Allow) D:\battle.net\battle.net\battle.net.10979\hearthstone\hearthstone.exe No File
FirewallRules: [UDP Query User{81D40728-4D4D-43D7-AD35-C3457012DCB6}D:\battle.net\battle.net\battle.net.10979\hearthstone\hearthstone.exe] => (Allow) D:\battle.net\battle.net\battle.net.10979\hearthstone\hearthstone.exe No File
FirewallRules: [TCP Query User{8E21C6C1-A795-4CBA-87E1-B9DCCD3AFC5C}D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.195\deploy\leagueclient.exe] => (Allow) D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.195\deploy\leagueclient.exe No File
FirewallRules: [UDP Query User{3072D3C5-D933-495B-BCB1-81FC5B7635E1}D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.195\deploy\leagueclient.exe] => (Allow) D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.195\deploy\leagueclient.exe No File
FirewallRules: [TCP Query User{389A5035-FFD1-46AE-AF52-F3F4209B51C5}D:\windowsapps\spotifyab.spotifymusic_1.104.197.0_x86__zpdnekdrzrea0\spotify.exe] => (Allow) D:\windowsapps\spotifyab.spotifymusic_1.104.197.0_x86__zpdnekdrzrea0\spotify.exe No File
FirewallRules: [UDP Query User{16ECA8EB-D81E-4A5B-A2BA-8D4FA1F935E7}D:\windowsapps\spotifyab.spotifymusic_1.104.197.0_x86__zpdnekdrzrea0\spotify.exe] => (Allow) D:\windowsapps\spotifyab.spotifymusic_1.104.197.0_x86__zpdnekdrzrea0\spotify.exe No File
FirewallRules: [TCP Query User{2EDEE108-2BAD-4237-8BF2-85E977ADABF1}D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.196\deploy\leagueclient.exe] => (Allow) D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.196\deploy\leagueclient.exe No File
FirewallRules: [UDP Query User{790F506D-3C80-439F-A883-30DEBDE0D1FB}D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.196\deploy\leagueclient.exe] => (Allow) D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.196\deploy\leagueclient.exe No File
FirewallRules: [TCP Query User{4579C727-3F6F-4EE7-BCB2-BC48E382704E}D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.197\deploy\leagueclient.exe] => (Allow) D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.197\deploy\leagueclient.exe No File
FirewallRules: [UDP Query User{CE147884-8213-44A3-9E82-C1AEA9753C0C}D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.197\deploy\leagueclient.exe] => (Allow) D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.197\deploy\leagueclient.exe No File
FirewallRules: [TCP Query User{6F2F4255-F6CB-449B-A325-EDB12BF48611}D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.198\deploy\leagueclient.exe] => (Allow) D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.198\deploy\leagueclient.exe No File
FirewallRules: [UDP Query User{E9F6FA1E-0F38-4B40-8D33-841CF800ECE2}D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.198\deploy\leagueclient.exe] => (Allow) D:\league of legends\league of legends\rads\projects\league_client\releases\0.0.0.198\deploy\leagueclient.exe No File
C:\Windows\servicing\MsMpEngs.exe
C:\Windows\servicing\OneDrive.exe
2019-05-05 00:21 - 2019-05-05 00:37 - 000000150 _____ C:\Windows\Reimage.ini
Reboot:
End

Download the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

You should now be able to download Malwarebytes. Run it this way.

Open Malwarebytes Anti-Malware.

On the Settings tab > Protection, scroll to and make sure the following are selected:
Scan for Rootkits
Scan within Archives

Scroll further to Potential Threat Protection make sure the following are set as follows:

Potentially Unwanted Programs (PUP's)        set as :- Always detect PUP's (recommended)
Potentially Unwanted Modifications (PUM's)  set as :- Always detect PUM's (recommended)

Click on Scan and make sure Threat Scan is selected.

A Threat Scan will begin.

When the scan is complete if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected Tab

If asked to restart your computer to complete the removal, please do so.

When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.

Wait for the prompt to restart the computer to appear, then click on Yes.

After the restart once you are back at your desktop, open MBAM once more to retrieve the log.

To get the log from Malwarebytes do the following:

Click on the Reports tab > from main interface.
Double click on the Scan log which shows the Date and time of the scan just performed.
Click Export > From export you have two options:
  Copy to Clipboard - if selected right click to your reply and select "Paste" log will be pasted to your reply
  Text file (*.txt)        - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
 
Use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log to your reply.

===

Please post the logs and let me know what problem persists.

fixlist.txt

Edited by nasdaq
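The fix above is typical of this coinminer family: it plants a list of security vendors' code-signing certificates in the machine's Disallowed certificate store, so their installers and updaters fail signature checks and the victim cannot get Malwarebytes or another scanner running. The following is an added triage example, not part of nasdaq's post or of the FRST tool: it parses the `HKLM\ DisallowedCertificates:` lines as FRST prints them, flags entries whose subject names a security vendor, and reports thumbprints FRST could not resolve (shown as `(U)`; that this means an unresolved subject is an assumption). The vendor keyword list and the sample log text are constructed for this example, using the thumbprints and subjects visible in the fixlist above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Heuristic keyword list assembled for this example from the vendors named in
# the thread's fixlist; it is NOT a list maintained by FRST or Malwarebytes.
SECURITY_VENDOR_KEYWORDS = (
    "malwarebytes", "kaspersky", "eset", "emsisoft", "avast", "avg ",
    "avira", "symantec", "comodo", "panda security", "check point",
    "zemana", "qihu 360", "surfright", "safer networking",
)

# Matches one FRST log line, e.g.
#   HKLM\ DisallowedCertificates: 249BDA...264 (Malwarebytes Corporation) <==== ATTENTION
DISALLOWED_RE = re.compile(
    r"^HKLM\\ DisallowedCertificates: (?P<thumb>[0-9A-Fa-f]{40}) "
    r"\((?P<subject>[^)]*)\)(?P<flag> <==== ATTENTION)?\s*$"
)

# Constructed sample input in FRST's format (thumbprints copied from the thread).
SAMPLE_LOG = r"""
HKLM\ DisallowedCertificates: 18AA37360A0698E6A1F54A9E8268FB127B70E189 (U)
HKLM\ DisallowedCertificates: 249BDA38A611CD746A132FA2AF995A2D3C941264 (Malwarebytes Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: 3C92C9274AB6D3DD520B13029A2490C4A1D98BC0 (Kaspersky Lab) <==== ATTENTION
HKLM\ DisallowedCertificates: 42A8984E8B9C51F6B7274866F8726CA1E9057FAA (ESET) <==== ATTENTION
HKLM\ DisallowedCertificates: 2CC344E13934A69AA993E80C8E20FF0ACCB33F1E (U)
HKU\S-1-5-21-2426846101-1662573320-2267603240-1002\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
"""


@dataclass
class DisallowedCert:
    thumbprint: str
    subject: str        # "U" when FRST printed "(U)" (assumed: subject not resolved)
    frst_flagged: bool  # FRST itself appended "<==== ATTENTION"

    @property
    def is_security_vendor(self) -> bool:
        """Substring match against the heuristic vendor keyword list."""
        s = self.subject.lower()
        return any(k in s for k in SECURITY_VENDOR_KEYWORDS)


def parse_disallowed(log_text: str) -> list[DisallowedCert]:
    """Extract every DisallowedCertificates entry from FRST log text; other lines are ignored."""
    entries: list[DisallowedCert] = []
    for line in log_text.splitlines():
        m = DISALLOWED_RE.match(line.strip())  # strip() tolerates stray tabs as in pasted fixlists
        if m:
            entries.append(DisallowedCert(
                thumbprint=m["thumb"].upper(),
                subject=m["subject"],
                frst_flagged=m["flag"] is not None,
            ))
    return entries


def triage(entries: list[DisallowedCert]) -> dict:
    """Summarise the store: which security vendors are blocked and which thumbprints are unresolved."""
    vendors = sorted({e.subject for e in entries if e.is_security_vendor})
    unresolved = [e.thumbprint for e in entries if e.subject == "U"]
    return {
        "total": len(entries),
        "security_vendors": vendors,
        "unresolved_thumbprints": unresolved,
        # Two or more distinct security vendors in the Disallowed store is the
        # tampering pattern this thread shows; a clean machine normally has none.
        "likely_av_blocking": len(vendors) >= 2,
    }


if __name__ == "__main__":
    summary = triage(parse_disallowed(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

To run it over a real log, read Addition.txt (where FRST writes these entries) and pass its text to `parse_disallowed`; the unresolved thumbprints are worth checking manually, since a `(U)` entry can be a legitimate revoked certificate rather than tampering.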

  • 2 weeks later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks
