Need help removing a bitminer


hunluan

Hi, I recently found a process that I can't seem to remove, and malwarebytes unfortunately does not seem to detect it. I am on Windows 10 64bit.

I attached the farbar search log, (FRST.txt and Addition.txt)

as well as two malwarebytes scans (Scan1.txt and Scan2.txt)

I tried to run malwarebytes again with the rootkit detection, but that scan has been running for several hours and is still ongoing so I currently have no results to post.

I also have attached the Adwcleaner scan results (AdwCleaner[C00].txt and AdwCleaner[S00].txt)

 

I assumed my problem was a bitminer, as the process "updatedg.exe" only appears when I am inactive on the computer (such as when watching a video) and takes most of my processor, but disappears as soon as I move the mouse. I've attached a screenshot of it appearing in Task Manager (malware-pic1.png) as well as the process file location (malware-pic2.png).

C:\Users\tsung\AppData\Roaming\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\cpu

I put in a DisallowRun entry in the registry in an attempt to stop it, but it still appears (although at half the processor use as before?).

Deleting the folder the first time did not seem to be a permanent action, and the deletion process took suspiciously long, but I deleted just the file itself and the problem seems to be fixed.

However, I think it would be too optimistic to assume this has solved my problem.

 

Here is also a Reddit post I came across that appears to be the same problem, just for additional context or information I did not provide; I didn't find many mentions of this problem elsewhere.

https://www.reddit.com/r/techsupport/comments/9f6wxs/i_find_bitcoin_mining_malware_sysclcexe/

I do also see "sysclc.exe" appear briefly but I am unable to find the file on my hard drive.

 

I'm not sure what else to do so I'm posting here for help. Let me know if there's any other information I can provide or steps I should take.

I hope this post is formatted correctly and does not break any rules, please let me know if there is a problem with the post that I can fix.

I would like if I could update malwarebytes to solve this problem.

malware-pic1.png

malware-pic2.png

FRST.txt Addition.txt Scan1.txt Scan2.txt AdwCleaner[C00].txt AdwCleaner[S00].txt AdwCleaner_Debug.log


Hi, welcome!

My name is Maurice. I will be helping and guiding you, going forward on this case.

Please follow my directions as we go along. Please do not make any changes on your own without first checking with me.

If you will be away for more than 3 consecutive days, do try to let me know ahead of time, as much as possible.

 

Please attach only the report files, etc. that I ask for as we go along.

Thanks for the reports. The first scan with Malwarebytes found and removed some adware & PUPs that were on the Chrome browser.

The 2nd (later) scan with Malwarebytes found nothing. That is quite good.

The Malwarebytes AdwCleaner found a couple of PUP types (also on Chrome).

 

I have these starter tips & suggestions for you.

[ 1 ]

Turn off the SYNC option on Google Chrome.

I need you to use Chrome to go to https://www.google.com/settings/chrome/sync and sign into your account.
Scroll down until you see the "reset sync" button and click on the button.
At the prompt click on "Ok".

[ 2 ]

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

 

You want to disable the ability of each web browser on this machine to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or Opera.

Scroll down to the tips section "How do I disable them".

[ 3 ]

 

I suggest you install the Malwarebytes Browser Guard on the Chrome browser.

To get & install the Malwarebytes Browser Guard extension for Chrome,

Open this link in your Chrome browser:

https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

 

Then proceed with the setup.

 

[ 4 ]

To get & install the Malwarebytes Browser Guard Firefox extension:

Open this link in your Firefox browser:

https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/

Then proceed with the setup.

That link is for English (US). There are other language versions. Just go to the very bottom right of the page and look at the "Change language" drop-down list.

[ 5 ]

This will remove updatedg from being autorun from a policy registry setting.

What follows below is a cleanup;  a custom cleanup.   After this run completes, I expect things to be a lot better.

 

This custom script is for  hunluan  only.

Close and save any open work files before starting this procedure.  I am sending a  custom fix script to do some cleanups.  

 

Please Close and save any open work files before you start this next step.  It will involve a Windows Restart at the end of it.

I am sending a   custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE AS and save it directly (as is) to the Downloads folder.

The tool named FRST64.exe is already in the Downloads folder.

Start Windows Explorer and then open the Downloads folder.

Double click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

 

IF you get a block message from Windows about this tool...

click the "More info" line on that screen

and click the "Run anyway" button on the next screen.

 

on the FRST window:
Click the Fix button just once, and wait.

 

(screenshot: FRST_Fixl.png)

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply at your next opportunity.   Just keep going forward with the next step below.

[ 6 ]

Let’s do a special search.

We need to search for a few things with SystemLook:

Please download SystemLook (64-bit) by jpshortstuff and save it to your desktop

Right-click SystemLook_x64.exe and select Run as Administrator to start the tool.

If prompted by Windows  UAC, please allow it  to run.
If you receive an "Open file - security warning"... asking "Do you want to run this file?", press the Run button.

 

COPY & paste the entire text into the main text box of SystemLook: COPY all 4 lines below as-is in their entirety and then paste.

:regfind

updatedg

:filefind

updatedg

 

 

Click the Look button to start the scan.

When finished, a Notepad window will open with the results of the scan.

A file will be created (in the same folder where you saved SystemLook) with the results of the scan, named SystemLook.txt.

Please attach  this log in your next reply.

Thank you.

 

Fixlist.txt
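One way to do the equivalent of this SystemLook search from an elevated PowerShell prompt, as an added example that is not part of the thread or of either tool: it searches the registry and the user's profile for the names seen in this case (updatedg and sysclc), lists scheduled tasks with an idle trigger (an assumption about how a process that appears only while the machine is idle might be launched; the thread does not establish this), and prints the DisallowRun policy entries, which only block launches made through Explorer, which is why that entry did not stop the process.

```powershell
# Added example, not from the thread: a PowerShell hunt for the artifact names seen
# in this case. Run from an elevated PowerShell prompt. It only reports; it deletes nothing.
$Needle = 'updatedg|sysclc'          # regex of the process names mentioned in the thread
$hits   = [System.Collections.Generic.List[string]]::new()

# 1) Registry equivalent of SystemLook ":regfind": key names, value names and value data.
$roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion',
         'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion'
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        if ($key.PSChildName -match $Needle) { $hits.Add("KEY  $($key.Name)") }
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            if ($name -match $Needle -or $data -match $Needle) {
                $hits.Add("VAL  $($key.Name) : $name = $data")
            }
        }
    }
}

# 2) File-system equivalent of ":filefind", limited to the locations where such a
#    binary usually hides (the poster's copy was under AppData\Roaming).
$dirs = "$env:USERPROFILE\AppData", $env:ProgramData, $env:TEMP
Get-ChildItem -Path $dirs -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $Needle } |
    ForEach-Object { $hits.Add("FILE $($_.FullName) ($($_.Length) bytes, $($_.LastWriteTime))") }

# 3) Scheduled tasks: report any task whose action names the artifact, plus every task
#    with an idle trigger. That a process which appears only while the user is away is
#    started by an idle-triggered task is an assumption; the thread does not say how it ran.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task    = $_
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ; '
    $idle    = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskIdleTrigger' }
    if ($actions -match $Needle -or $idle) {
        $hits.Add("TASK $($task.TaskPath)$($task.TaskName) -> $actions")
    }
}

# 4) DisallowRun is an Explorer policy: it only blocks programs the user launches through
#    the shell, not ones started by a service, a task or another process. Listing it shows
#    what the poster had set; it is not an autorun entry and removes nothing by itself.
$policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
if (Test-Path $policy) {
    $p = Get-Item $policy
    foreach ($name in $p.GetValueNames()) { $hits.Add("POLICY DisallowRun[$name] = $($p.GetValue($name))") }
}

$hits | Sort-Object -Unique
```

An empty report after the cleanup corresponds to the "SystemLook did not find any file" result later in the thread; any TASK line with an idle trigger you do not recognise is worth looking at before declaring the machine clean.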


Hi Maurice, thanks for taking the time to give me a hand.

 

I have followed all of your steps besides installing the Chrome extension (step [3]), but I will keep this suggestion/recommendation in mind in the future.

I've attached the two logs, one from FRST (Fixlog.txt) and one from SystemLook (SystemLook.txt).

 

I'm not sure if these steps have helped, as I mentioned in my post that I did somehow manage to delete "updatedg.exe" on the 2nd attempt and it has not returned since, but I will be optimistic and assume that things are better. I also mentioned that I had used DisallowRun in the registry already to disable "updatedg.exe", but step [5] from you appears to do this also? If it is not too much trouble, could you explain the difference? I am not very familiar with editing registry.

 

It isn't a big deal, but I do wish you had warned me my browsing data would be wiped, though I suppose that result makes sense. A minor inconvenience.

 

Do you need any other information from me? Thanks again for taking the time to read over my post and help me out.

Fixlog.txt SystemLook.txt


Well done. Thanks for the logs. The best news is that SystemLook did not find any file by the name updatedg. That is excellent.

I apologize that I did not (earlier) catch your mentioning that you had deleted the file.

I also regret that I mistook the "disallow" entries to be ones that auto-ran the updatedg. As you had said, they did not prevent it running.

In any event now, the beast is gone. There are (although inert) 3 mentions of updatedreg.exe in the history cache of Edge.

So the following is one final cleanup for those.

This fix run should go very fast. First, be sure to delete the FIXLIST.txt file I had you save before.

 

I am sending a  NEW  custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE AS and save it directly (as is) to the Downloads folder.

The tool named FRST64.exe is already in the Downloads folder.

Start Windows Explorer and then open the Downloads folder.

Double click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

 

IF you get a block message from Windows about this tool...

click the "More info" line on that screen

and click the "Run anyway" button on the next screen.

 

on the FRST window:
Click the Fix button just once, and wait.

 

(screenshot: FRST_Fixl.png)

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply at your next opportunity.

 

Fixlist.txt


Hi again Maurice, thanks for the prompt reply.

I've done as you've said once again; attached is the result log (Fixlog.txt).

I think we're done here for this particular event? I hope this problem is added to a definition list somewhere that helps someone else. I'll check back tomorrow one more time just in case.

 

Thanks once again for your help, I appreciate you taking the time to do so and the clear instructions.

Fixlog.txt


Hello. Thanks for the Fixlog. Bravo. Yes, the original issue is no more.

I do have one additional suggestion about getting Windows 10 more up-to-date. This PC is running a Windows 10 build from last year.

When you get some quiet time, take direct measures to get the Windows 10 May 2019 Build 1903 (or later) through Microsoft Windows Update.

I would suggest upgrading to the Windows 10 build 1903 (or a later build). You should be able to manually get it through Windows Update.

It may take repeated tries with Windows Update till your PC is able to see that update. You should make a try each day, from here on out, till you see it offered.

The suggestion I have is to go to the Start menu and click the Windows Settings icon. Select Update & Security. Click on Windows Update.

The Windows Update (eventually) will have a display like this when it shows up.

Note that the display will show the new build in a new way, in the middle of the display. You will need to click on the blue line marked "Download and install now" when ready.

 

(screenshot: image.png)

 

Getting that Windows build update will put this PC in a better position for a more secure operating system.

Edited by Maurice Naggar

Hi one last time (I think haha),

Thanks for the suggestion, I actually literally just updated Windows after my last comment on this thread.

I had specifically rolled back the May update to the April one due to a strange bug causing large FPS drops and delay when typing in various textboxes immediately after the May update first dropped. I updated just now since I think support for the April update is ending this month. The typing bug seems to have been fixed since May, so good news.

 

Thanks again for all the help, have a good day, is there something I can do to rep you on this site or something?


You are welcome. I am very glad to have worked with you & helped you.

You should delete the FIXLIST.txt file I had you save. You can delete the Fixlog.txt and you may delete any files or tools I had you download.

 

Backup is your best friend. Be sure to do that on a regular periodic basis, to offline backup media.

 

Best practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".

Never click links without first hovering your mouse over the link and seeing if it is going to an odd address (one that does not fit or is odd looking or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected (out of the blue) email, no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always save first and then scan with an antivirus program.

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd-party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Don't remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.

Do a Windows Update.

Make certain that Automatic Updates is enabled.
https://support.microsoft.com/en-us/help/12373/windows-update-faq

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched prevents attackers from being able to exploit it to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"

 

I wish you all the best. I am marking this case for closure.
