My laptop might be infected with a crypto mining malware


After learning what crypto jacking is, I decided to test my laptop to see if I was infected. I had already scanned my device with Bitdefender and nothing came up. I turned on my laptop and left it open on Task Manager to see the CPU usage. I ended up leaving it on for 5 minutes, making sure not to move the mouse or touch the keyboard. Within 5 minutes my CPU usage went from 1% up to 30% and randomly spiked up to 100%, with the fan being loud. When I moved the mouse, the CPU usage went back down to 1% and the fan also went quiet. I'm not sure what to do from here, so I came here asking for help.

 

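As an added example (not from this thread, the poster, or Malwarebytes), here is a script that turns the Task Manager observation above into a measurable comparison of CPU load while the user is active versus idle. The live sampler assumes Windows (GetLastInputInfo) and the third-party psutil package; the embedded samples are constructed to mimic the pattern the poster described.

```python
"""Compare CPU load while the user is active vs. idle (added example)."""
import ctypes
import time
from dataclasses import dataclass
from statistics import mean


@dataclass
class Sample:
    t: float          # seconds since sampling started
    cpu: float        # total CPU percent over the sampling interval
    idle_secs: float  # seconds since the last keyboard/mouse input


def classify(samples, idle_after=60.0, spike=80.0):
    """Split samples by user-idle state and summarise each group.

    Returns None when one of the groups is empty (nothing to compare).
    """
    idle = [s.cpu for s in samples if s.idle_secs >= idle_after]
    active = [s.cpu for s in samples if s.idle_secs < idle_after]
    if not idle or not active:
        return None
    report = {
        "idle_mean": round(mean(idle), 1),
        "active_mean": round(mean(active), 1),
        "idle_spikes": sum(1 for c in idle if c >= spike),
    }
    # Heuristic only: indexing, updates and AV scans also wait for idle
    # time, so this means "worth a closer look", not "malware".
    report["idle_load_suspicious"] = (
        report["idle_mean"] > 5 * max(report["active_mean"], 1.0))
    return report


def sample_windows(seconds=300, every=5.0):
    """Live sampler (assumption: Windows + psutil installed). Not used by the test."""
    import psutil  # third-party package, assumed to be installed

    class LASTINPUTINFO(ctypes.Structure):
        _fields_ = [("cbSize", ctypes.c_uint), ("dwTime", ctypes.c_uint)]

    user32, kernel32 = ctypes.windll.user32, ctypes.windll.kernel32
    kernel32.GetTickCount.restype = ctypes.c_uint
    info = LASTINPUTINFO()
    info.cbSize = ctypes.sizeof(LASTINPUTINFO)
    out, start = [], time.time()
    while time.time() - start < seconds:
        cpu = psutil.cpu_percent(interval=every)  # blocks for `every` seconds
        user32.GetLastInputInfo(ctypes.byref(info))
        idle_ms = kernel32.GetTickCount() - info.dwTime
        out.append(Sample(time.time() - start, cpu, idle_ms / 1000.0))
    return out


# Constructed samples (last input at t=0): ~1% CPU for the first minute,
# then 30% with a 100% spike once a minute, as in the poster's description.
CONSTRUCTED = [Sample(t, 1.0, float(t)) for t in range(0, 60, 5)] + [
    Sample(t, 100.0 if t % 60 == 0 else 30.0, float(t)) for t in range(60, 360, 5)]
```

Run `classify(sample_windows())` on the machine in question to get the same report from live data; a high idle mean with a near-zero active mean reproduces the symptom, but the process list is still needed to tell a miner from a scheduled task.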
  • Root Admin

Hello @PaulKim

It very well could be normal as often background tasks are told to sleep or reduce their resource usage until the computer is not being used.

We can go ahead though and run some scans to see what's going on.

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes, then open Malwarebytes and check for updates. Then click on the Scan tab, select Threat Scan and click on the Start Scan button.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed click on the View Report button, then the Export button and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, please click Clean & Repair.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

 

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure whether your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a checkmark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks

  • Root Admin

Yes, the FRST tool is very safe. That is a false positive from SmartScreen and Windows Defender.

This tool is used around the world on a daily basis. As you can see from the main site, it has over 5,000 downloads.

 

Though there are some types of infections that can be shared over a home network, the majority do not. One also has to have a known exploit method to attack another local system, and most home users don't have home sharing set up in a way that would allow it.

If there is concern though we can also review other systems you have.

 

  • Root Admin

Hello @PaulKim

The logs do not show any indications of an infection. However, there are multiple entries in the Event Logs indicating you're having issues with some Intel software.

 

Application errors:
==================
Error: (07/24/2020 11:15:18 AM) (Source: SecurityCenter) (EventID: 17) (User: )
Description: Security Center failed to validate caller with error %1.

Error: (07/20/2020 01:40:06 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: GfxDownloadWrapper.exe, version: 8.15.100.6472, time stamp: 0x5c0eb879
Faulting module name: KERNELBASE.dll, version: 10.0.19041.388, time stamp: 0x3cc24707
Exception code: 0xe0434352
Fault offset: 0x0000000000023e49
Faulting process id: 0x2cdc
Faulting application start time: 0x01d65ec5275eb225
Faulting application path: C:\WINDOWS\System32\DriverStore\FileRepository\igdlh64.inf_amd64_16ed7d82b93e4f68\GfxDownloadWrapper.exe
Faulting module path: C:\WINDOWS\System32\KERNELBASE.dll
Report Id: 889cbe42-6a86-4fdc-9cd4-e04a37dc85a9
Faulting package full name:
Faulting package-relative application ID:

Error: (07/20/2020 01:40:05 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: GfxDownloadWrapper.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.IO.DirectoryNotFoundException
   at System.IO.__Error.WinIOError(Int32, System.String)
   at System.IO.FileStream.Init(System.String, System.IO.FileMode, System.IO.FileAccess, Int32, Boolean, System.IO.FileShare, Int32, System.IO.FileOptions, SECURITY_ATTRIBUTES, System.String, Boolean, Boolean, Boolean)
   at System.IO.FileStream..ctor(System.String, System.IO.FileMode, System.IO.FileAccess, System.IO.FileShare, Int32, System.IO.FileOptions, System.String, Boolean, Boolean, Boolean)
   at System.IO.StreamWriter.CreateFile(System.String, Boolean, Boolean)
   at System.IO.StreamWriter..ctor(System.String, Boolean, System.Text.Encoding, Int32, Boolean)
   at System.IO.StreamWriter..ctor(System.String, Boolean, System.Text.Encoding)
   at GfxGameSettingsDownload.Program.Main(System.String[])

Error: (07/14/2020 04:41:32 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 257) (User: )
Description: The Cryptographic Services service failed to initialize the Catalog Database. The ESENT error was: -1409.

Error: (07/13/2020 04:39:34 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: GfxDownloadWrapper.exe, version: 8.15.100.6472, time stamp: 0x5c0eb879
Faulting module name: KERNELBASE.dll, version: 10.0.19041.292, time stamp: 0x84cd251b
Exception code: 0xe0434352
Fault offset: 0x0000000000023e49
Faulting process id: 0x298c
Faulting application start time: 0x01d6595e191b3ed4
Faulting application path: C:\WINDOWS\System32\DriverStore\FileRepository\igdlh64.inf_amd64_16ed7d82b93e4f68\GfxDownloadWrapper.exe
Faulting module path: C:\WINDOWS\System32\KERNELBASE.dll
Report Id: 33dc3f2e-e814-412c-bdc3-2bb036b8c91d
Faulting package full name:
Faulting package-relative application ID:

Error: (07/13/2020 04:39:34 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: GfxDownloadWrapper.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.IO.DirectoryNotFoundException
   at System.IO.__Error.WinIOError(Int32, System.String)
   at System.IO.FileStream.Init(System.String, System.IO.FileMode, System.IO.FileAccess, Int32, Boolean, System.IO.FileShare, Int32, System.IO.FileOptions, SECURITY_ATTRIBUTES, System.String, Boolean, Boolean, Boolean)
   at System.IO.FileStream..ctor(System.String, System.IO.FileMode, System.IO.FileAccess, System.IO.FileShare, Int32, System.IO.FileOptions, System.String, Boolean, Boolean, Boolean)
   at System.IO.StreamWriter.CreateFile(System.String, Boolean, Boolean)
   at System.IO.StreamWriter..ctor(System.String, Boolean, System.Text.Encoding, Int32, Boolean)
   at System.IO.StreamWriter..ctor(System.String, Boolean, System.Text.Encoding)
   at GfxGameSettingsDownload.Program.Main(System.String[])

Error: (07/09/2020 12:34:22 PM) (Source: SecurityCenter) (EventID: 17) (User: )
Description: Security Center failed to validate caller with error %1.

Error: (07/08/2020 07:36:52 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: ETDService.exe, version: 11.11.21.4, time stamp: 0x5c4e5d3b
Faulting module name: ntdll.dll, version: 10.0.19041.207, time stamp: 0xcad89ab4
Exception code: 0xc0000374
Fault offset: 0x00000000000fdec9
Faulting process id: 0xb90
Faulting application start time: 0x01d653bddbe93ae9
Faulting application path: C:\Program Files\Elantech\ETDService.exe
Faulting module path: C:\WINDOWS\SYSTEM32\ntdll.dll
Report Id: 7039adb5-e413-402c-82ce-3e6245e436c8
Faulting package full name:
Faulting package-relative application ID:


System errors:
=============
Error: (07/24/2020 11:45:31 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Intel(R) PROSet/Wireless Zero Configuration Service service terminated with the following error:
%%2147770990

Error: (07/24/2020 11:44:58 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x8024001e: 9P9F6DZJBBLJ-64343GTDocStudio.OfficeDocOpener.

Error: (07/23/2020 08:32:51 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Intel(R) PROSet/Wireless Zero Configuration Service service terminated with the following error:
%%2147770990

Error: (07/18/2020 04:51:29 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Intel(R) PROSet/Wireless Zero Configuration Service service terminated with the following error:
%%2147770990

Error: (07/17/2020 06:10:14 PM) (Source: DCOM) (EventID: 10010) (User: DESKTOP-E4SG6DR)
Description: The server {7160A13D-73DA-4CEA-95B9-37356478588A} did not register with DCOM within the required timeout.

Error: (07/17/2020 03:18:46 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Intel(R) PROSet/Wireless Zero Configuration Service service terminated with the following error:
%%2147770990

Error: (07/17/2020 02:35:03 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Steam Client Service service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

Error: (07/17/2020 02:35:03 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Steam Client Service service to connect.


Windows Defender:
===================================
Date: 2020-06-25 22:32:49.3210000Z
Description:
Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version:
Previous security intelligence Version: 0.0.0.0
Update Source: Microsoft Malware Protection Center
Security intelligence Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 0.0.0.0
Error code: 0x80072ee7
Error description: The server name or address could not be resolved

 

 

Here are a couple of links that discuss the software that is crashing.

https://community.intel.com/t5/Graphics/GfxDownloadWrapper-exe-crashing/td-p/646611

https://community.intel.com/t5/Graphics/How-to-disabled-gfxdownloadwrapper-in-the-enterprise-environment/td-p/580869?profile.language=en

https://www.bigmessowires.com/2019/06/12/intel-integrated-graphics-driver-crashes/

 

You can also try running the following commands. They are very unlikely to fix these errors, but they will ensure that all the Microsoft operating system files are valid and not corrupt.
Open an elevated Admin command prompt, type in the following and press the Enter key.

 

SFC /SCANNOW

 

Then type in the following and press the Enter key.

DISM.exe /Online /Cleanup-image /Restorehealth

 

 

Also, just to double-check, we can have you run another antivirus scan if you like. Make sure you first disable Bitdefender before running this scan. I do not expect it to find anything, but it may give you more peace of mind.

 

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe".
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double-click it to get it started.
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes.
  • When prompted for scan type, click on Full scan.
  • Look at and tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
  • Have patience. The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy, get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".
  • Click the blue "Save scan log" to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at bottom).
  • Press Continue when all done. You should click to turn off the offer for "periodic scanning".

 

Thanks

 

 


My laptop still feels weird to me: the fans are constantly running, sometimes extremely loud, when I'm not even doing anything or have anything open, and I've noticed FPS drops in games and constant spikes in CPU usage. I just decided to do a factory reset on my laptop to be safe. I looked at what I did to my laptop in the past to see if I did anything suspicious. The only really suspect things I remember doing were trying out a new program, QuickCpu, and downloading an FPS pack. The FPS pack was on filedropper; I remember the website being suspicious, but after downloading the pack and scanning it with Bitdefender and Malwarebytes, which said they detected nothing, I thought it was fine.

  • Root Admin

Yes, it very well could, depending on what type of infection; however, the logs did not indicate there was any such threat.

Please go ahead and run FRST for me again and I can review the logs.

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure whether your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

 

 


I'll get back to you with this report tomorrow, but I have a question. I reset my laptop by going into Update and Security, using the reset option and picking Remove Everything. Is that the best way to do it, or is there a more secure way of doing it?

  • Root Admin

Yes, normally Remove Everything is the option that gets the cleanest result. The majority of infections would be removed by that option; however, there are a few that can create a special area in the partition table that can bypass even a format. Those are rare and require you to remove the partition and reinstall Windows, or simply remove the bad code from the partition.

I have not seen one of those types of infections, though, for a couple of years now.

 

  • Root Admin

Yes, the logs appear to show the computer is clean.

Make sure that System Protection is enabled and then try to create a new System Restore Point.

Application errors:
==================
Error: (07/26/2020 02:04:01 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\ProgramData\Package Cache\BDB645EBAF3C91ECEB1A143BE6793CA57E6435C3\VC_redist.x64.exe Cache\BDB645EBAF3C91ECEB1A143BE6793CA57E6435C3\VC_redist.x64.exe" /q /norestart; Description = Microsoft Visual C++ 2017 Redistributable (x64) - 14.11.25325; Error = 0x80070514).

 

If you have any other questions or issues before we close up here, please let me know.

 


Everything seems to be fine so far. I decided to let my system idle to see the CPU usage, and this time it was at 0-1% usage with the occasional jump to 5%. I still haven't fully set up my laptop, so we'll see what happens. Thank you for all your help and advice!

  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for tips to help protect from infection.

Thank you
