Brocoiner Coinminer Coinhive etc.Removal

[nycking]

I've Win 10 pro desktop (all updated patched) running regular Windows Security and Malwarebytes free. My Win Security had flagged these malware and PUPs a string of coin miners etc. and it shows some as quarantined and others active. So obviously they are not really removed (but keep surfacing up) each time the PC is starting. I ran malwarebytes free but it detected nothing...which was very dissapointing.

I've attached screenshots of what all is found by win security. Can someone help me get rid of this forever and what's the right routine to run- say monthly to ensure no coinminer or PUP is highjacking my PCs. thanks a tob

[nasdaq]

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove all items in the Quarantine folder.
https://www.malwarebytes.com/support/guides/mbam-legacy/History_Q.html
===

If your default browser is Synced to your other devices reset it.
This may help.
Chrome:
https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/

Firefox:
https://support.mozilla.org/en-US/kb/remove-synced-device-firefox-accounts

Internet Explorer:
https://www.thewindowsclub.com/sync-internet-explorer-settings-windows-8-1-devices
===

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system.
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===

Please post the logs  for my review.

Let me know what problems persists.

Wait for further instructions

[nycking]

Hi Nasdaq: thanks for replying. Did all that you asked.

Maybe windows defender is just keeping them in quarantine and they keep resurfacing....I'll await your findings, specially on my main points requested above. 

I tried pasting below the FRST output but forum apparently doesnt allow that. So ive attached that as well like the other file. 

Addition.txtFRST.txt

[nasdaq]

Hi,

Please download the attached Fixlist.txt file to  the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt) please post it to your reply.
===

Clean the Windows Defender Quarantine folder of all files.

Open Windows Security.
Click Virus & threat protection and then click Threat History.
Under Quarantined threats, click See full history.
To remove the item,  click remove.
===

Reset Chrome

Open Google Chrome, click on menu icon or the 3 vertical dots located right side top of the google chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset and clean up" > "Restore settings to their original defaults"
 
Restart Chrome.
<<<>>>

Syncing

If the problem persists and Chrome is Synced with other Devices check this out.

https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/

Execute the suggested fix.

Restart the computer when completed.
===========

Please post the Fixlog.txt and let me know what problem persists.

fixlist.txt

[nycking]

ok but pls. tell me what is this script going to do? Is it performing cleaning or uninstalling stuff? what all does it do?

[nycking]

Also- if you can recommend that for future, is it best to use "ublock origin AD blocker" and an updated hosts file from here https://someonewhocares.org/hosts/  - to prevent future such episodes?  And when I'm visiting sites and downloading software that I don't trust fully- shd. I use something like bitbox or a sandboxed browser and scan any software downloaded, thru malwarebytes freem before testing it thru installing.

[nasdaq]

Hi,

It will remove the restriction on this key.

GroupPolicy\User: Restriction ? <==== ATTENTION

All remaning items are cleaning empty  items.

You can open the file with Notepad.
===

The Hosts file is fine.

I check my downloaded files at VirusTotal.
https://www.virustotal.com/gui/home/upload

====

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

[nycking]

Hi- pl.s respond line by line so I know that I've not misunderstood your points:

1. Do u mean to say except the group policy which will put it to restrict - nothing else is required to be done and my system is clean now. I shd. enable chrome sync across devices (obviously following the link you sent?)

2. For future, I shd. just use an ad blocker and hosts file from that source I listed above. And use virustotal to check software downloaded.

3. Do I need to use a sandboxed browser as well- does it give me any extra protection apart from the step above?

4. And to periodicaly check for malware - PUPs etc ...shd. I just run malwarebytes free every week- shd. I run just a threat scan or a complete scan?

 

[nasdaq]

Hi,

I shd. enable chrome sync across devices (obviously following the link you sent?)

Do you mean should or should not?
Sync your devices . It's your call.
====

For future, I shd. just use an ad blocker and hosts file from that source I listed above.

Ublock is good. Will work well with the Host file.
===

 Do I need to use a sandboxed browser as well- does it give me any extra protection apart from the step above?

If you are the only user of this computer and are careful with your download and open I do not see the need for a sandbox.
Again it's your call.
===

And to periodicaly check for malware - PUPs etc ...shd. I just run malwarebytes free every week- shd. I run just a threat scan or a complete scan?

A complete scan one a week is enough.
If you have issues and do a scan to check further.

Is your problem solved?

[nycking]

Thanks for responding. it seems you missed my first point- what I meant to ask is- How can I rest assured that malware has been taken care of now - if you recall even before Malwarebytes did not show thiose coinminer infections maybe because Win Defender had them quarantined? So it was Windows security /defender that showed it, quanrantined it and contained it- is that right? So how do I know for sure that the malware has been removed completely? What tests shd. I run to check it?

 

[nasdaq]

Hi,

If you were still infected by the coinminer  you CPU would be used by it and your computer would be very very slow.

Hope this is not your situation.

Read this topic.

https://www.kaspersky.com/blog/web-miners-protection/20556/

 

 

 

 

 

[nycking]

Actually I was looking for a more specific answer like a process or something I can check myself- or maybe a tool that can scan for specific rogue processes - your response that "computer would be very very slow" doesnt give me much. Also, pls. note that even with the infection present, my computer or browser was "not very very slow". If I were to specify - Id say barely 10-15% degradation in speed was noticed if any- which essentially means that it was not perceptible normally. 

If you do happen to know of any other thing helpful in my situation, pls. let me know. Else, I thank you very much for all the time and help you've provided- which indeed was very welcome.

Lastly- is kaspersky free in your opinion, better suited than malwarebytes free to detect and check against web and installed miners, PUPs other malware? And is running Malwarebytes on a restart routine (without windows loading up) better to check and remediate against malware and  how to do it?

 

[nasdaq]

You need both Kaspersky who is performing a virus inspection.

Mbam is for Malware  and the blocking of attacks.

We have a large database where we can check processes that are unknown if found in you logs.

We cannot find anything wrong running.

For your peace of mind run this scan.

Please download Sophos Virus Removal Tool and save it to your computer's Desktop.

• Right-click the icon and select Run as administrator.
• Click Yes to accept any security warnings that may appear.
• Click the Next button.
• Select 'I accept the terms in the license agreement', then click Next twice.
• Click the Install button and wait until the installation is complete.
• Click the Finish button. The tool created a shortcut icon on the Desktop of your computer.
• Now, double-click the Sophos Virus Removal Tool shortcut icon to run the tool.
• Click Yes to accept any security warnings that may appear.
• After it updates and a "Start Scanning" button appears in the lower right:
  
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
    
  
  
  

Windows Vista and above:
C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log
 
Please post the contents of the log in your next reply and note any errors encountered.
===

[AdvancedSetup]

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks