Jump to content

Recommended Posts

Hello ! 

I'm constantly getting this message from Norton, from 2 Weeks ago, saying : "Norton blocked an atack from : System Infected: Miner.Bitcoinminer Activity 7". My CPU is getting slower and slower, and i don't have any idea what i can do... 

Can anyone please help me ?

Link to post
Share on other sites

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download Malwarebytes Anti-Malware from here
 

  • Right-click on the MBAM icon and select Run as administrator to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
  • On the left menu pane click the Settings tab, and then select the Protection tab on the top.
  • Under the Scan Options, turn on the button Scan for rootkits and Scan within archives.
  • Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button
  • Note: The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure to check mark all the listed items, and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.


Please post the log for my review.

Note: If asked to restart the computer, please do so immediately.
===

Please download AdwCleaner by Malwarebytes your Desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.

IMPORTANT

  • If you click the Clean button all items listed in the report will be removed.

If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).


===

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system.
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.
attachlogs.png

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===

Please post the logs  for my review.

Let me know what problems persists.

Wait for further instructions

Link to post
Share on other sites

Hi again, 

I've done all the scans. 

 

Malwarebytes
www.malwarebytes.com

-Détails du journal-
Date de l'analyse: 10/05/2019
Heure de l'analyse: 20:24
Fichier journal: ea6e9f4e-7350-11e9-9eb6-d850e61cd388.json

-Informations du logiciel-
Version: 3.7.1.2839
Version de composants: 1.0.586
Version de pack de mise à jour: 1.0.10546
Licence: Gratuit

-Informations système-
Système d'exploitation: Windows 10 (Build 17134.706)
Processeur: x64
Système de fichiers: NTFS
Utilisateur: PC-NICO\Nico

-Résumé de l'analyse-
Type d'analyse: Analyse des menaces
Analyse lancée par: Manuel
Résultat: Terminé
Objets analysés: 369954
Menaces détectées: 37
Menaces mises en quarantaine: 0
Temps écoulé: 2 h, 14 min, 30 s

-Options d'analyse-
Mémoire: Activé
Démarrage: Activé
Système de fichiers: Activé
Archives: Activé
Rootkits: Activé
Heuristique: Activé
PUP: Détection
PUM: Détection

-Détails de l'analyse-
Processus: 0
(Aucun élément malveillant détecté)

Module: 0
(Aucun élément malveillant détecté)

Clé du registre: 8
PUP.Optional.InstallCore, HKU\S-1-5-21-526167469-339911312-527618030-1002\SOFTWARE\InstallCore, Aucune action de l'utilisateur, [437], [239563],1.0.10546
PUP.Optional.SweetIM, HKU\S-1-5-21-526167469-339911312-527618030-1002\SOFTWARE\SweetIM, Aucune action de l'utilisateur, [397], [243758],1.0.10546
Adware.MoboGenie, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\MobogenieAdd, Aucune action de l'utilisateur, [3194], [477441],1.0.10546
Adware.MoboGenie, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\MobogenieAdd, Aucune action de l'utilisateur, [3194], [477441],1.0.10546
PUP.Optional.SweetPage.ShrtCln, HKLM\SOFTWARE\WOW6432NODE\sweet-pageSoftware, Aucune action de l'utilisateur, [1578], [230757],1.0.10546
PUP.Optional.SweetIM, HKLM\SOFTWARE\WOW6432NODE\SweetIM, Aucune action de l'utilisateur, [397], [243762],1.0.10546
PUP.Optional.IEPluginServices, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\IePluginService, Aucune action de l'utilisateur, [1160], [239277],1.0.10546
PUP.Optional.OpenCandy, HKU\S-1-5-21-526167469-339911312-527618030-1002\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\BitTorrent, Aucune action de l'utilisateur, [1153], [640283],1.0.10546

Valeur du registre: 0
(Aucun élément malveillant détecté)

Données du registre: 2
PUP.Optional.SweetPage.ShrtCln, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|DEFAULT_SEARCH_URL, Aucune action de l'utilisateur, [1578], [292875],1.0.10546
PUP.Optional.SweetPage.ShrtCln, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|SEARCH PAGE, Aucune action de l'utilisateur, [1578], [292875],1.0.10546

Flux de données: 0
(Aucun élément malveillant détecté)

Dossier: 15
PUP.Optional.SupTab, C:\USERS\NICO\APPDATA\ROAMING\SUPTAB, Aucune action de l'utilisateur, [1551], [179902],1.0.10546
PUP.Optional.MoboGenie, C:\Users\Nico\AppData\Local\Mobogenie\Version\CacheVersion, Aucune action de l'utilisateur, [2629], [322690],1.0.10546
PUP.Optional.MoboGenie, C:\Users\Nico\AppData\Local\Mobogenie\Version\NewVersion, Aucune action de l'utilisateur, [2629], [322690],1.0.10546
PUP.Optional.MoboGenie, C:\Users\Nico\AppData\Local\Mobogenie\Version\OldVersion, Aucune action de l'utilisateur, [2629], [322690],1.0.10546
PUP.Optional.MoboGenie, C:\Users\Nico\AppData\Local\Mobogenie\Download\Picture, Aucune action de l'utilisateur, [2629], [322690],1.0.10546
PUP.Optional.MoboGenie, C:\Users\Nico\AppData\Local\Mobogenie\Download\Music, Aucune action de l'utilisateur, [2629], [322690],1.0.10546
PUP.Optional.MoboGenie, C:\Users\Nico\AppData\Local\Mobogenie\Download\Video, Aucune action de l'utilisateur, [2629], [322690],1.0.10546
PUP.Optional.MoboGenie, C:\Users\Nico\AppData\Local\Mobogenie\Download\Apk, Aucune action de l'utilisateur, [2629], [322690],1.0.10546
PUP.Optional.MoboGenie, C:\Users\Nico\AppData\Local\Mobogenie\Download, Aucune action de l'utilisateur, [2629], [322690],1.0.10546
PUP.Optional.MoboGenie, C:\Users\Nico\AppData\Local\Mobogenie\Version, Aucune action de l'utilisateur, [2629], [322690],1.0.10546
PUP.Optional.MoboGenie, C:\Users\Nico\AppData\Local\Mobogenie\backup, Aucune action de l'utilisateur, [2629], [322690],1.0.10546
PUP.Optional.MoboGenie, C:\Users\Nico\AppData\Local\Mobogenie\device, Aucune action de l'utilisateur, [2629], [322690],1.0.10546
PUP.Optional.MoboGenie, C:\Users\Nico\AppData\Local\Mobogenie\driver, Aucune action de l'utilisateur, [2629], [322690],1.0.10546
PUP.Optional.MoboGenie, C:\Users\Nico\AppData\Local\Mobogenie\Data, Aucune action de l'utilisateur, [2629], [322690],1.0.10546
PUP.Optional.MoboGenie, C:\USERS\NICO\APPDATA\LOCAL\MOBOGENIE, Aucune action de l'utilisateur, [2629], [322690],1.0.10546

Fichier: 12
PUP.Optional.MoboGenie, C:\Users\Nico\AppData\Local\Mobogenie\Data\mobogenie_u_user_dl.mg, Aucune action de l'utilisateur, [2629], [322690],1.0.10546
PUP.Optional.MoboGenie, C:\Users\Nico\AppData\Local\Mobogenie\Version\CacheVersion\release-update.xml, Aucune action de l'utilisateur, [2629], [322690],1.0.10546
PUP.Optional.MoboGenie, C:\Users\Nico\AppData\Local\Mobogenie\adb.black_devices, Aucune action de l'utilisateur, [2629], [322690],1.0.10546
PUP.Optional.MoboGenie, C:\Users\Nico\AppData\Local\Mobogenie\adb.write_devices, Aucune action de l'utilisateur, [2629], [322690],1.0.10546
PUP.Optional.MoboGenie, C:\Users\Nico\AppData\Local\Mobogenie\client.time, Aucune action de l'utilisateur, [2629], [322690],1.0.10546
PUP.Optional.MoboGenie, C:\Users\Nico\AppData\Local\Mobogenie\mobo.uuid, Aucune action de l'utilisateur, [2629], [322690],1.0.10546
PUP.Optional.MoboGenie, C:\Users\Nico\AppData\Local\Mobogenie\Source.mu, Aucune action de l'utilisateur, [2629], [322690],1.0.10546
PUP.Optional.OpenCandy, C:\USERS\NICO\APPDATA\ROAMING\BITTORRENT\UPDATES\7.9.1_30889.EXE, Aucune action de l'utilisateur, [1153], [640283],1.0.10546
PUP.Optional.OpenCandy, C:\USERS\NICO\APPDATA\ROAMING\Microsoft\Windows\Start Menu\BitTorrent.lnk, Aucune action de l'utilisateur, [1153], [640283],1.0.10546
PUP.Optional.OpenCandy, C:\USERS\NICO\Desktop\BitTorrent.lnk, Aucune action de l'utilisateur, [1153], [640283],1.0.10546
PUP.Optional.OpenCandy, C:\USERS\NICO\APPDATA\ROAMING\BITTORRENT\BITTORRENT.EXE, Aucune action de l'utilisateur, [1153], [640283],1.0.10546
Generic.Malware/Suspicious, C:\USERS\NICO\DOWNLOADS\FREEMAKEVIDEOCONVERTERSETUP.EXE, Aucune action de l'utilisateur, [0], [392686],1.0.10546

Secteur physique: 0
(Aucun élément malveillant détecté)

WMI: 0
(Aucun élément malveillant détecté)


(end)

 

 

 

 

 

 

 

 

# -------------------------------
# Malwarebytes AdwCleaner 7.3.0.0
# -------------------------------
# Build:    04-04-2019
# Database: 2019-04-03.1 (Local)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start:    05-10-2019
# Duration: 00:00:02
# OS:       Windows 10 Home
# Cleaned:  5
# Failed:   0


***** [ Services ] *****

No malicious services cleaned.

***** [ Folders ] *****

No malicious folders cleaned.

***** [ Files ] *****

Deleted       C:\END

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks cleaned.

***** [ Registry ] *****

Deleted       HKCU\Software\Conduit
Deleted       HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID|{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}
Deleted       HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID|{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}
Deleted       HKLM\System\CurrentControlSet\Services\EventLog\Application\Wpm

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries cleaned.

***** [ Chromium URLs ] *****

No malicious Chromium URLs cleaned.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****

No malicious Firefox URLs cleaned.


*************************

[+] Delete Tracing Keys
[+] Reset Winsock

*************************

AdwCleaner[S00].txt - [1666 octets] - [10/05/2019 23:32:59]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########

 

 

 

Addition.txt AdwCleaner[C00].txt MBAM text file.txt FRST.txt

Link to post
Share on other sites

Hi,

If not already done please run Malwarebytes and delete all the items reported.
===

Please download the attached Fixlist.txt file to  the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt) please post it to your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

fixlist.txt

Link to post
Share on other sites

Hi,

Norton still sending me this message with the Miner.Bitcoinminer Activity 7.

Norton may be protecting you and your receive a notification each time.
Check this out and if enable disable the notifications.
https://www.howtogeek.com/291934/how-to-disable-nortons-notifications-and-bundled-software/
===

If the problem persists run these progfams.

Open Malwarebytes Anti-Malware.

On the Settings tab > Protection Scroll to and make sure the following are selected: Scroll to and make sure the following are selected:
Scan for Rootkits
Scan within Archives

Scroll further to Potential Threat Protection make sure the following are set as follows:

Potentially Unwanted Programs (PUP`s)        set as :- Always detect PUP`s (recommended)
Potentially Unwanted Modifications (PUM`s)  set as :- Always detect PUM`s (recommended)

Click on the Scan make sure Threat Scan is selected,

A Threat Scan will begin.

When the scan is complete if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected Tab

If asked to restart your computer to complete the removal, please do so

When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.

Wait for the prompt to restart the computer to appear, then click on Yes.

After the restart once you are back at your desktop, open MBAM once more to retrieve the log.

To get the log from Malwarebytes do the following:

Click on the Reports tab > from main interface.
Double click on the Scan log which shows the Date and time of the scan just performed.
Click Export > From export you have two options: > From export you have two options:
  Copy to Clipboard - if selected right click to your reply and select "Paste" log will be pasted to your reply
  Text file (*.txt)        - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
 
Use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply.
===

--RogueKiller--

  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a Windows opens to explain what [PUM's] are, read about it.
  • Click the RoguKiller icon on your taksbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED  
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next.


=======


 

Link to post
Share on other sites

Hi,

Nothing was found with the MBAM Scan

 

Malwarebytes
www.malwarebytes.com

-Détails du journal-
Date de l'analyse: 12/05/2019
Heure de l'analyse: 19:56
Fichier journal: 4626694a-74df-11e9-b0be-d850e61cd388.json

-Informations du logiciel-
Version: 3.7.1.2839
Version de composants: 1.0.586
Version de pack de mise à jour: 1.0.10570
Licence: Gratuit

-Informations système-
Système d'exploitation: Windows 10 (Build 17134.706)
Processeur: x64
Système de fichiers: NTFS
Utilisateur: PC-NICO\Nico

-Résumé de l'analyse-
Type d'analyse: Analyse des menaces
Analyse lancée par: Manuel
Résultat: Terminé
Objets analysés: 367940
Menaces détectées: 0
Menaces mises en quarantaine: 0
Temps écoulé: 2 h, 44 min, 45 s

-Options d'analyse-
Mémoire: Activé
Démarrage: Activé
Système de fichiers: Activé
Archives: Activé
Rootkits: Activé
Heuristique: Activé
PUP: Détection
PUM: Détection

-Détails de l'analyse-
Processus: 0
(Aucun élément malveillant détecté)

Module: 0
(Aucun élément malveillant détecté)

Clé du registre: 0
(Aucun élément malveillant détecté)

Valeur du registre: 0
(Aucun élément malveillant détecté)

Données du registre: 0
(Aucun élément malveillant détecté)

Flux de données: 0
(Aucun élément malveillant détecté)

Dossier: 0
(Aucun élément malveillant détecté)

Fichier: 0
(Aucun élément malveillant détecté)

Secteur physique: 0
(Aucun élément malveillant détecté)

WMI: 0
(Aucun élément malveillant détecté)


(end)

 

 

 

And this is what RogueKiller found : 

 

RogueKiller Anti-Malware V13.1.10.0 (x64) [Apr 24 2019] (Gratuit) par Adlice Software
email : https://adlice.com/contact/
Site web : https://adlice.com/download/roguekiller/
Système d'exploitation : Windows 10 (10.0.17134) 64 bits
Démarré en  : Mode normal
Utilisateur : Nico [Administrateur]
Démarré depuis : C:\Program Files\RogueKiller\RogueKiller64.exe
Signatures : 20190423_114402, Driver : Chargé
Mode : Scan Standard, Scan -- Date : 2019/05/12 23:14:55 (Durée : 01:00:28)
Commutateurs : -refid 3

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processus ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Modules de Processus ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Services ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Tâches ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Registre ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
>>>>>> XX - Software
  [PUP.Gen1 (Potentiellement Malicieux)] (X64) HKEY_USERS\S-1-5-21-526167469-339911312-527618030-1002\Software\IM -- N/A -> Trouvé(e)

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ WMI ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Fichier Hosts ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Fichiers ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Navigateurs web ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

 

 

I haven't mentionned that my CPU is around 100% used all the time, even if i have no programms open. 
 

Link to post
Share on other sites

Hi ! 

I've done another scan with the RogueKiller, deleted 2 items this time that was reported and restarted the computer. 

I let the Norton notifications on, but after the 2nd scan, item deletion and restart, i haven't seen any message from Norton yet. 

For the CPU issue, it totally worked thanks a lot, my CPU is a lot faster now !! 

Can i be sure that there is no threat anymore on my CPU now ?

Link to post
Share on other sites

  • 2 weeks later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.