ArchAngelAries

Can't get rid of sneaky Malware, Suspect Bitcoin Miner


I'm at my wits' end. I downloaded a game trainer from a source I thought was reputable, but after launching it my system went haywire. I had a bunch of malware infect Chrome, and even hijack my Ethernet port and cause the "unidentified network" thing to happen. I've run Kaspersky, Bitdefender, Malwarebytes, Zemana, and tried reinstalling Windows, but nothing seems to work. Zemana and Malwarebytes found a bunch of malware and cleaned it, but it seems to still be hiding in my system, even though all scans show clean...

My CPU usage is high (about 30-50% on a Ryzen 9 3900X 12-core) when I first open my Task Manager, but then it drops to 1-2% immediately. I think I might have a bitcoin miner, or worse. More reasons I think I'm still infected are that my games run really poorly, despite having an AMD Radeon RX 5700 XT and 32GB of DDR4, and I keep getting blue screens, but they're not normal blue screens. There's always a pic of a video game screen capture in the lower right-hand corner of my screen, some FPS shooter game I don't play. Then there's the problem where this thing prevents my PC from shutting down. I have RGB lights that stay on when the PC is on, and after all this, when I normally shut down from the Start menu, the PC continues running. I'm guessing it's because the malware bypasses the power off to keep mining or whatever. The PC won't fully shut down unless I flip the manual switch... I've tried everything I can think of. Please help.


Hi,  
My name is Maurice. I will be helping and guiding you, going forward on this case.
Let me know what first name you prefer to go by.

Please follow my directions as we go along. Please do not make any changes on your own without first checking with me.
If you will be away for more than 3 consecutive days, do try to let me know ahead of time, as much as possible.

Please only attach the report files, etc. that I ask for as we go along.
 

Could you take a few minutes and run the Support Tool report.

https://support.malwarebytes.com/hc/en-us/articles/360039023453-Upload-Malwarebytes-Support-Tool-logs-offline

 

A file named mbst-grab-results.zip will be saved to your Desktop. 

Please attach the ZIP file in your next reply.


Hello Justen. Welcome aboard.

Thank you for the report.   I am going to guide you to doing a few different scans aimed at checking for any pests, any malware, any malicious type items.

You had previously run a number of tools yourself: Kaspersky, Bitdefender, Malwarebytes, Zemana.

So one of the things I have to ask of you is to stop running any tools on your own, and to let me guide you.

And keep in mind that Malwarebytes for Windows does/can find malicious coin-mining type hijacks.

[   1   ]

A bit of housekeeping, since this PC does have Bitdefender Free A-V as the resident antivirus.

There is one setting in Malwarebytes that needs to be off for the Windows "Security Center".

Start Malwarebytes. Click the Settings (gear) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.

Click the Security tab. Scroll down to

"Windows Security Center"

Click the selection to the left of the line "Always register Malwarebytes in the Windows Security Center".

Close Malwarebytes when done.

 

[    2    ]

This next step is to do a thorough check for adware.

I would suggest you download, save, and then run Malwarebytes AdwCleaner.

Please close Chrome and all other open web browsers after you have saved AdwCleaner and before you start the AdwCleaner scan.

AdwCleaner detects factory-preinstalled applications too!

 

Please download  Malwarebytes AdwCleaner  https://downloads.malwarebytes.com/file/adwcleaner
 

Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

 

Go to the folder where you saved Adwcleaner. Double click Adwcleaner  to start it.

At the prompt for license agreement, review and then click on I agree.

 

You will then see a main screen for AdwCleaner (if you do not see it right away, minimize the other open windows so you can see AdwCleaner).

Then click on Dashboard button.

Click the blue button "Scan Now".

 

Allow it a few minutes to finish the scan. Let it remove what it finds.

NOTE: When it comes to the section "Pre-installed applications", you can skip that.

Please find and send the AdwCleaner "C" clean report.

In AdwCleaner, click the "Reports" button. Look at the list of reports for the latest date and type "Clean".

Double-click that line and it will open in Notepad. Save the file to your system and then attach that with your reply.

That C clean report will be the one with the most recent date and time in the folder C:\AdwCleaner\Logs

Thanks.  Keep me advised.   We are going to do more after this.   These are just first steps.

Thanks for your patience.

 


OK, I have done so; it found something in Chrome.

Also, for some reason something has snoozed my Bitdefender and won't let me turn it back on, as well as my firewall. And something is lagging my PC and closing windows.

here is the log.

AdwCleaner[C04].txt


Hi. Thank you for the report from AdwCleaner. This report shows one cleanup on the Chrome browser.

 

I would suggest a free scan with the ESET Online Scanner
Go to https://www.eset.com/us/home/online-scanner/

Look on the right side of the page.  Click Scan Now
It will start a download of "esetonlinescanner_enu.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes

When prompted for scan type, Click on Full scan
Look at and tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy, get, or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".

Click the blue "Save scan log" to save the log.

If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at bottom).

Press Continue when all done. You should turn off the offer for "periodic scanning".

 

Sincerely.


PS. Added notes. Let's get the ESET scan done ^^^^

You described a number of other issues. The Windows shutdown issue is one. Another apparent issue this PC has is (apparently) push ads from one or another of the web browsers.

This is for " after "  you have completed the ESET scan above ^^^^

 

   

You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera.  

Scroll down to the tips section "How do I disable them".  

 

If this PC has the Google Chrome browser, or the Brave browser, I suggest you install the Malwarebytes Browser Guard for Chrome.

To get & install the Malwarebytes Browser Guard extension for Chrome,  

   

Open this link in your Chrome   browser:  

   

Then proceed with the setup.  

  

If the pc has Mozilla Firefox, to get & install the Malwarebytes Browser Guard  Firefox extension.  

Open this link in your Firefox browser:     

Then proceed with the setup.  

That link is for English US. There are other language versions. Just go to the very bottom right of the page and look at the "Change language" drop-down list.


Hi, thank you. I'm currently running the ESET tool and it's already found 4 items; it's still running and only looks half done. I'll follow your additional steps and reply with the logs when it finishes. I might reply late, around 2 AM Denver, Colorado USA time; I'm going to a friend's birthday party tonight. By the way, thank you so much for helping me with this. I'll reply with the logs as soon as I can.


Thanks for the scan log. Apparently ESET found and removed a few temporary files. They were classified as potentially unwanted applications.

Please keep in mind I am a volunteer, that I am not on 24x7, and that I am also helping others as well.

 

If Malwarebytes for Windows is in trial mode, then let's take a couple of minutes and make this adjustment.

There is one setting in Malwarebytes that needs to be off.
Start Malwarebytes. Click the Settings (gear) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.
Click the Security tab. Scroll down to
"Windows Security Center"
Click the selection to the left of the line "Always register Malwarebytes in the Windows Security Center".
Close Malwarebytes when done.
 

[    2     ]

Please read all of these lines first so that our plan is clear to you. I need a one-time run of MBAR as listed here, please.

Please download Malwarebytes Anti-Rootkit (MBAR) from this link here

and save it to your desktop.

Double-click on the MBAR file and allow it to run.

•Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.

•mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.

•After reading the Introduction, click 'Next' if you agree.

•On the Update Database screen, click on the 'Update' button.

•Once you see 'Success: Database was successfully updated' click on 'Next', then click the Scan button.

With some infections, you may see two messages boxes:

1.'Could not load protection driver'. Click 'OK'.
2.'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

•If malware is found, press the Cleanup button when the scan completes.

Please attach the log it produces, you'll find the log in that mbar folder as MBAR-log-<date and time>***.txt . Please attach that to your next reply.
  
 

[     3     ]

SecurityCheck by glax24    

I would like you to run a tool named SecurityCheck to inquire on the current-security-update  status  of some applications.
Download SecurityCheck by glax24 from here  

and save the tool on the desktop.

If Windows SmartScreen blocks that with a message window, then
click on the MORE INFO spot, override that, and allow it to proceed.
This tool is safe. SmartScreen is overly sensitive.

Right-click with your mouse on SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run and go forward.
Wait for the scan to finish. It will open in a text file named SecurityCheck.txt. Close the file. Attach it with your next reply.
You can find this file in a folder called SecurityCheck: C:\SecurityCheck\SecurityCheck.txt
 


Just in case, I want to be sure there is not an unintended misunderstanding about the setting in Malwarebytes for Windows.

On the "register" in Windows Security Center, we want it OFF,

like in this snapshot:

[screenshot: Malwarebytes 4 Security settings with "Always register Malwarebytes in the Windows Security Center" set to OFF]


I'm sorry, I definitely understand, and am very thankful for all your help; it just seems like my PC is getting worse and worse by the second. I ran the Malwarebytes rootkit tool, and ran it twice as it came up clean. Here are the logs. Also, whatever this is completely infected Bitdefender and I had to force uninstall it in safe mode because it was freaking my system out. Also, the SecurityCheck file you had me download won't save; Windows Defender flags it as a trojan and refuses to save.

I really do appreciate your help...

Yes I have that set to off, just as it appears in the picture.

mbar-log-2020-06-26 (12-54-10).txt mbar-log-2020-06-26 (12-49-59).txt


Thanks for the MBAR logs. MBAR reports NO rootkit. That is excellent to see.

You need continued, infinite patience with the machine. Just do not do any web surfing, online shopping, banking, or online games ..... for the duration.

I would remind both of us that you had already run (before starting this case) a few other tools: Zemana, Kaspersky, ......

 

SecurityCheck by glax24    

I would like you to run a tool named SecurityCheck to inquire on the current-security-update  status  of some applications.
Download SecurityCheck by glax24 from here  

and save the tool on the desktop.

If Windows SmartScreen blocks that with a message window, then
click on the MORE INFO spot, override that, and allow it to proceed.
This tool is safe. SmartScreen is overly sensitive.

Right-click with your mouse on SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run and go forward.
Wait for the scan to finish. It will open in a text file named SecurityCheck.txt. Close the file. Attach it with your next reply.
You can find this file in a folder called SecurityCheck: C:\SecurityCheck\SecurityCheck.txt

1 hour ago, ArchAngelAries said:

....    the security check file you had me download wont save Windows Defender Flags it as a trojan and refuses to save.

I did not spot that line until just now. Windows Defender is falsely stopping the SecurityCheck tool.

Please use these ways to get around that.

If Windows SmartScreen blocks that with a message window, then
click on the MORE INFO spot, override that, and allow it to proceed.
This tool is safe. SmartScreen is overly sensitive.

Also, if we need to, let's temporarily turn off SmartScreen (just so you can run the above tool).

 

The tutorials below can help show you how to turn off Windows Defender Smartscreen.  

These are intended to be temporary measures. 
 
Change Windows SmartScreen Settings in Windows 10 Security System Tutorials 

 
 

 

Added NOTE:

I very much want to see the report from SecurityCheck.

Further NOTE: I would like to have a refresher of detail: Why did you suspect a "coin miner"? Where/how had you seen it?

 

 

and

 

 

Go to the Downloads folder. Locate FRSTENGLISH.exe

Run a report with FRSTENGLISH.

Right-click on FRSTENGLISH and select Run as Administrator to start the tool, and reply YES to allow it to proceed and run.

Approve the Windows UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes.

Click Yes when the disclaimer appears in FRST.
The tool may want to update itself; in that case you'll be prompted when the update is completed and ready to use.

Make sure that the Addition option is checked. The configuration should look exactly like the screen below (do not mark additional things unless asked).
Press the Scan button and wait.

[screenshot: FRST main window with the Addition option checked]

The tool will produce 2 log files on your desktop: FRST.txt, Addition.txt
Click the OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.

Please attach these 2 files to your next reply.

 

 


Further notes   to the above  ^^^^^!!

The following is a portion of the display when Windows SmartScreen has stopped something:

[screenshot: the Windows SmartScreen "Windows protected your PC" block dialog]

When this shows up while you are trying to run a tool or program that I have suggested you run, here is how to override it:

See the "More info" (shown in white letters).

CLICK it so that you get another detail screen.

Then click on "Run anyway" on that one.

[screenshot: the second SmartScreen screen with the "Run anyway" button]

I do hope to get all the reports/logs I suggested in my prior reply.

We need to understand that SmartScreen uses "reputation" ratings AND that this is known to have "false positive blocks".

 

Thanks.

Edited by Maurice Naggar


I definitely understand the need for patience; I just hate that it seems like it's getting worse. Unfortunately, I don't have any other device besides my phone to download things, so I kind of have to use my PC's web browser. I finally was able to sideload the securitycheck.exe, and when I tried to run it, and also run it as admin, it gave me the error "/autodelscript" access is denied. I've uploaded a screenshot of the error. I've run the FRST tool, and here are the logs.

Screenshot (1).png

Addition.txt FRST.txt


So I think the reason the securitycheck.exe failed was because Zemana flagged it as a Trojan and quarantined it. I checked on VirusTotal and it also flagged it as a Trojan. However, since I have no reason not to trust you, I whitelisted the exe and tried again. I've attached the log. I suspected a bitcoin miner because I read online that miners cause a lot of the problems I'm having, as well as that they hide from Task Manager, which is what I think is happening. When I open Task Manager the CPU usage is around 30-50% at idle, but immediately drops back to 0-1%, like something killed a task to hide from Task Manager. And then all these other problems started happening.

SecurityCheck.txt

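Editor's added example, not part of the thread and not a Malwarebytes or ESET tool: the disagreement above (CPU 30-50% that drops as soon as Task Manager is opened) is easiest to settle with a log taken while no Task Manager window is open. This PowerShell script samples every process's CPU time at fixed intervals, reports any process that consumed more than a threshold share of all cores during an interval, and also records any process that disappeared between two samples, so a short-lived CPU hog is not missed just because it has exited. The script name Watch-Cpu.ps1, the 5-second interval, the 24-sample default and the 5% reporting threshold are arbitrary choices for this example.

```powershell
# Watch-Cpu.ps1 (hypothetical name) - added example, not from the original thread.
# Records per-process CPU share over successive intervals, with no Task Manager
# open, and flags processes that vanish between samples.
# Assumptions: Windows PowerShell 5.1 or later, run from an elevated prompt so the
# image paths and CPU times of service processes are readable. Interval, sample
# count and the 5 % threshold are arbitrary values chosen for this example.
param(
    [int]$Samples     = 24,   # number of intervals to record (24 x 5 s = 2 minutes)
    [int]$IntervalSec = 5,    # seconds per interval
    [double]$MinPct   = 5     # only report processes above this share of all cores
)

$cores = (Get-CimInstance Win32_ComputerSystem).NumberOfLogicalProcessors
$log   = Join-Path ([Environment]::GetFolderPath('Desktop')) 'cpu-samples.csv'

function Get-CpuSnapshot {
    # Hashtable: PID -> name, image path and CPU seconds consumed so far.
    $snap = @{}
    foreach ($p in Get-Process) {
        try {
            $path = $null
            try { $path = $p.Path } catch { }   # protected processes deny the path
            $snap[$p.Id] = [pscustomobject]@{
                Name = $p.ProcessName
                Path = $path
                Cpu  = $p.TotalProcessorTime.TotalSeconds
            }
        } catch { }                             # skip processes we cannot query at all
    }
    return $snap
}

$rows   = New-Object System.Collections.Generic.List[object]
$before = Get-CpuSnapshot
for ($i = 1; $i -le $Samples; $i++) {
    Start-Sleep -Seconds $IntervalSec
    $after = Get-CpuSnapshot
    $stamp = (Get-Date).ToString('HH:mm:ss')

    foreach ($id in $after.Keys) {
        if (-not $before.ContainsKey($id)) { continue }   # started mid-interval, no baseline
        $delta = $after[$id].Cpu - $before[$id].Cpu
        # CPU seconds used / (interval length * logical cores) = share of the whole machine,
        # which is the same scale Task Manager's overall CPU figure uses.
        $pct = [math]::Round(100 * $delta / ($IntervalSec * $cores), 1)
        if ($pct -ge $MinPct) {
            $rows.Add([pscustomobject]@{ Time = $stamp; PID = $id; Name = $after[$id].Name
                                         CpuPct = $pct; Path = $after[$id].Path })
        }
    }
    # Present in the previous sample but gone now: record the exit, since a process
    # that stops when it is observed would otherwise leave no trace in the table.
    # (PID reuse within one interval is possible but rare; treat it as a hint, not proof.)
    foreach ($id in $before.Keys) {
        if (-not $after.ContainsKey($id)) {
            $rows.Add([pscustomobject]@{ Time = $stamp; PID = $id; Name = $before[$id].Name
                                         CpuPct = 'exited'; Path = $before[$id].Path })
        }
    }
    $before = $after
}

$rows | Format-Table Time, PID, Name, CpuPct, Path -AutoSize
$rows | Export-Csv -NoTypeInformation -Path $log
Write-Host "Wrote $($rows.Count) rows to $log"
```

Run it as `powershell -ExecutionPolicy Bypass -File .\Watch-Cpu.ps1` from an elevated prompt, leave the machine idle for the first minute, then open Task Manager for the second minute: a process that shows real CPU share in the early rows and an "exited" row right after Task Manager starts is worth naming to whoever is guiding the cleanup; if no process ever crosses the threshold, the high figure seen in Task Manager was more likely the cost of Task Manager itself starting up.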

If I could just convey to you some things, like I tried to do before: do not be looking at Task Manager in the way that you are. Do NOT jump to conclusions like you seem to be leaning toward.

There is no clever malware that hides itself and self-erases from Task Manager.

Further, we pin down and locate malicious malware by running and using a bunch of known, proven, trusted security scan tools.

I would like you to stop looking at Task manager.

.

As you saw, the blocks of the SecurityCheck tool are false positives. I even mentioned the possibility when I first brought it up.

.

Now then,  voila.   We have the new reports.   The SecurityCheck report shows the listed antivirus to be "Kaspersky Security Cloud"

Quote

Kaspersky Anti-Virus Service 20.0 (AVP20.0) - The service is running

Is that a program you installed as a "trial" ?

 

So at present, the resident antivirus is Kaspersky. This explains why Microsoft Windows Defender is not on as the resident A-V.

.

Malwarebytes programs are able to detect malicious "bit mining" hijackers. I have not seen a confirmation here of there being any such pest.

.

The FRST report confirms that Kaspersky is the resident antivirus. You can and should do a scan of the system with Kaspersky Security. I am very much interested in knowing the result.

and

By the way, if you are done with Zemana, you should uninstall it. It is running on the machine and is eating up slices of time and resources in Windows.

.

By the same token / same principle / keep in mind how many tabs you have open in Chrome or any web browser.

.

I would like for you to do a  new, special scan with Malwarebytes for Windows.

Run a scan with Malwarebytes.
Start Malwarebytes from the Windows  Start menu.

Click Settings ( gear icon)   at the top right of Malwarebytes window.   We want to see the SETTINGS window.

Then click the SECURITY  tab.
Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON.
Click it to get it ON if it does not show a blue color.

Now click the small X to get back to the main menu window.

Click the SCAN button.
Select a Threat Scan (which should be the default).

When the scan phase is done, be real sure you review and have all detected line items check-marked on each line on the left. That too is very critical.

Then click on Quarantine selected.

Be sure all items were removed. Let it remove what it has detected (if anything is flagged).

Then locate the scan run report, export a copy, and attach it with your reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4
 

.

I would remind us that we have done a scan with the Malwarebytes Anti-Rootkit tool (MBAR) and it reported no rootkits/no malware.

We have run the Malwarebytes AdwCleaner.

The ESET Online Scanner only found a few PUPs (potentially unwanted add-ons).

I would like to see the result from the new Malwarebytes scan  &  I would like to see the result from a new Kaspersky scan.

Cheers.

 


Yeah, I ended up installing Kaspersky because whatever is/was going on, it totally infected and took control of Bitdefender. It disabled Bitdefender, blocked scanning with Bitdefender, and removed my permissions as admin to remove/uninstall Bitdefender... So I had to force uninstall Bitdefender because it refused to allow me to restart it/reinstall/repair/uninstall normally. So I used Wise Program Uninstaller and then completed the uninstall of the infected Bitdefender program in safe mode. And as an added precaution, because the PC wouldn't allow a new install of Bitdefender (it claims it's already installed), I installed Kaspersky. I've run the scans with the parameters you instructed and have attached the logs. Also, I've gone ahead and uninstalled Zemana like you instructed.

Thank you again for all your help. I greatly appreciate you and your continued assistance.

P.S. After uninstalling Bitdefender and installing Kaspersky, I am no longer receiving notifications saying "Firewall is turned off/Antivirus is turned off", so there's that at least... Truth be told, after installing Kaspersky, I haven't really seen any issues that cause alarm; I even tested a graphically intensive offline game and was able to run it at a steady, constant 60 fps... Though I am kind of hesitant to suggest that I might be in the clear. But I might just be being paranoid.

Malwarebytes Custom Scan 6-27-2020.txt Kaspersky Custom Scan 6-27-2020.txt


Thank you for the reports. And if I may remark, we need to dial back on any tendency toward "paranoid".

By the way, installing and uninstalling antivirus programs with so much rapidity/frequency gets things complicated ..... because antivirus programs often leave bits and pieces behind.

I believe I have spotted some leftovers of ESET here (by poring over the FRST reports) and have a custom cleanup for you (below).

There are also still leftover drivers from BitDefender.

.

Kaspersky found zero threats.   Malwarebytes for Windows reports no malicious malware.   No rootkit.

..

This is a custom script cleanup.

This custom script is for ArchAngelAries only / for this machine only.

Close and save any open work files before starting this procedure.

I am sending a new custom Fix script which is going to be used by the FRSTENGLISH tool. They will both work together as a pair.

Please RIGHT-click the attached file named FIXLIST, select "Save link as", and save it directly (as is) to the Downloads folder.

The tool named FRSTENGLISH.exe is already in the Downloads folder.
Start Windows Explorer and go to the Downloads folder.

RIGHT-click on FRSTENGLISH and select Run as Administrator and allow it to proceed. Reply YES when prompted to allow it to run.
If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool,
click the "More info" line on that screen
and click the "Run anyway" button on the next screen.

In the FRST window:
Click the Fix button just once, and wait.

[screenshot: the FRST window with the Fix button]

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after the restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from which it was run.

Please attach the Fixlog.txt with your next reply, at your next opportunity.

 

 

Fixlist.txt


I definitely understand the need to not be paranoid; I've just been really scared that I might've destroyed my expensive gaming PC, is all. But I'm very glad to have you helping me, and it is very reassuring that you are confirming that we are not finding anything else malicious. I've attached the log as requested. :)

Fixlog.txt


That is a good custom fix run.   Thanks for the log.

.

There are still a handful of Bitdefender entries listed in the Windows registry. As I noted before, it is often necessary to run dedicated removal tools from the maker of the antivirus.

I would like to have you run a tool from Bitdefender for the purpose of cleanup.

Use the Bitdefender dedicated uninstall tool. Download the uninstall tool corresponding to your version of Bitdefender from this location and then run it on your system.

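Editor's added example, not part of the thread and not an FRST fix or a vendor uninstaller: the two posts above rely on reading FRST output to spot leftover Bitdefender drivers and registry entries. The read-only PowerShell script below enumerates the places an uninstalled antivirus usually leaves traces (services, kernel drivers, driver files on disk, scheduled tasks, Add/Remove Programs entries) for any vendor name pattern, and also lists what Windows Security Center still has registered as an antivirus product, which is what decides which product is treated as the resident A-V. It removes nothing; it is a way to confirm, before and after a vendor removal tool runs, what is actually left. The script name Find-AvLeftovers.ps1 and the default vendor pattern are illustrative choices for this example.

```powershell
# Find-AvLeftovers.ps1 (hypothetical name) - added example, not from the original
# thread. Read-only inventory of what an uninstalled antivirus has left behind.
# Assumption: the default -Pattern is only an illustration; pass the vendor you care
# about. Run from an elevated Windows PowerShell 5.1 (or later) prompt.
param(
    [string]$Pattern = 'bitdefender|bdredline|eset|zemana'
)

function Find-AvLeftovers {
    param([string]$Pattern)
    # Every pipeline inside @() contributes its objects to one result array.
    @(
        # Services and kernel drivers still registered with the Service Control Manager.
        Get-CimInstance Win32_Service |
            Where-Object { "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $Pattern } |
            ForEach-Object { [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; State = $_.State; Detail = $_.PathName } }

        Get-CimInstance Win32_SystemDriver |
            Where-Object { "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $Pattern } |
            ForEach-Object { [pscustomobject]@{ Kind = 'Driver'; Name = $_.Name; State = $_.State; Detail = $_.PathName } }

        # Driver binaries left on disk even when no longer registered.
        Get-ChildItem "$env:SystemRoot\System32\drivers" -Filter *.sys -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $Pattern } |
            ForEach-Object { [pscustomobject]@{ Kind = 'DriverFile'; Name = $_.Name; State = ''; Detail = $_.FullName } }

        # Scheduled tasks that would re-launch vendor components at logon or on a timer.
        Get-ScheduledTask -ErrorAction SilentlyContinue |
            Where-Object { "$($_.TaskPath)$($_.TaskName) $($_.Actions.Execute -join ' ')" -match $Pattern } |
            ForEach-Object { [pscustomobject]@{ Kind = 'Task'; Name = $_.TaskName; State = $_.State; Detail = $_.TaskPath } }

        # Add/Remove Programs entries, 64-bit and 32-bit views. A surviving entry is why
        # an installer can insist the product is "already installed".
        $uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        Get-ItemProperty $uninst -ErrorAction SilentlyContinue |
            Where-Object { "$($_.DisplayName) $($_.Publisher)" -match $Pattern } |
            ForEach-Object { [pscustomobject]@{ Kind = 'Uninstall'; Name = $_.DisplayName; State = $_.DisplayVersion; Detail = $_.UninstallString } }

        # Every antivirus Windows Security Center currently knows about (all of them,
        # not just the pattern), since this registration is what makes a product the
        # "resident" A-V and decides whether Defender stays off.
        Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Kind = 'SecurityCenter'; Name = $_.displayName
                                                State = ('0x{0:X}' -f $_.productState); Detail = $_.pathToSignedProductExe } }
    )
}

$found = @(Find-AvLeftovers -Pattern $Pattern)
$found | Sort-Object Kind, Name | Format-Table Kind, Name, State, Detail -AutoSize
Write-Host ("{0} item(s) listed for pattern '{1}'" -f $found.Count, $Pattern)
```

Run it once before the vendor's removal tool and once after: the Driver and DriverFile rows are the ones a plain uninstall most often leaves behind, and a Security Center row for a product that is no longer installed explains the "antivirus is turned off" notifications reported earlier in the thread. Anything still listed is a candidate for the vendor's dedicated removal tool, not for manual deletion.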

Unfortunately, none of those are the version I had installed. I had installed the free version from here. If there's an official uninstaller that would work for the free version, I'd gladly use it.

This topic is now closed to further replies.
