
Hello,

I realised my computer was having a problem. It would not go to sleep anymore, would prompt an error when trying to update, and Windows Defender would be disabled (not opening from settings and icon missing in the task bar). Upon further research, I used Malwarebytes to scan, identify and quarantine the winlogui bitcoin miner trojan (see MB_log_winlogui.txt attached).

I restored the computer back to a previous point and got defender, sleep and update back to normal.

But the defender icon vanished again a couple of days later. Update and sleep would also fail again. A new scan revealed that the exact same files were back.

I have tried to install an antivirus, thinking that Defender was not good enough. I installed the free version of Avira. A day later, Avira's and Defender's task bar icons would not show up again... sleep and update would fail, the trojan was back. A backdoor is obviously open...

Could you please help?

PS: I am not sure how to use it myself, but reading through the forum, I have seen that you are using FRST most of the time. I attach the result of the scan (FRST.txt). The scan generated another file that I am not sure is important, but it is attached here as well (Addition.txt).

FRST.txt Addition.txt MB_log_winlogui.txt


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===

If the problem persists and you are syncing Firefox with other devices, reset it.

Navigate to this page and Remove it as suggested.

https://support.mozilla.org/en-US/kb/remove-synced-device-firefox-accounts

When done restart the computer normally.

If all is well.

Return to your Firefox Account and Click the Connect button.

Reset the sync.

Restart the computer normally.
<<<>>>

Run Malwarebytes and delete all the entries reported.
Post the log if the entries are not cleaned.

===

Please post the Fixlog.txt and let me know what problem persists.

fixlist.txt


Hello Nasdaq,

Thanks for such a fast reply. I will do as suggested, running the fix first, then, if the problem persists, looking after Firefox sync. I'll post the fixlog file accordingly.

But, so to say, I had quarantined the files and restored the system yesterday, when posting. But the trojan came back again at restart today. Malwarebytes spotted more files than it did yesterday. I attach the scan report here (MB_log_winlogui_200115.txt). I will quarantine, restore to yesterday's point, then proceed to the fix (then post again).

MB_log_winlogui_200115.txt


Hello again,

System was restored and fixlist ran. Find fixlog attached.

I may look into the Firefox account sync anyway, just to make sure...

One question, though, if it is related to sharing Firefox across devices. It didn't come back yet, but I had the same trojan (winlogui) on a portable I share Firefox info with... I am thinking that it certainly needs fixing too.

Should I use the same fixlist file, or, making more sense, scan and post the result for you to check it and generate a new fixlist for it?

If the latter, should I post the scan report here or create a new thread?

Fixlog.txt


Hi,

This is not the same computer and the fix may be different.

Start a new topic for this second computer.

Post the FRST.TXT and Addition.txt logs.

Post the link of the new topic here and I will expedite a reply if no one else does before me.


Hello Nasdaq,

So far so good, the trojan didn't come back. I have disconnected my account and Firefox hasn't been syncing since. I will re-connect and sync today and post again if I have a new infection.

Regarding the laptop, I have created a new topic here: https://forums.malwarebytes.com/topic/255709-preventing-return-of-winlogui/

Thanks again for your help. :-)


Hi,

Let me know if the problem returns.

Glad we could help.

p.s.

Look at your other topic now.

This topic is now closed to further replies.
