
PUA:Win32/CoinMiner - HELP


Mungiu

Windows Defender detected: [screenshot]

 

Used software which did not remove the threat so far:

Malwarebytes

Kaspersky Free Trial

Windows Defender - Windows Defender REMOVE/Quarantine actions do not have any effect if pressed

[screenshot]

 

Comments:

It changed my proxy setting before and I manually disabled that proxy so far, but kept the configurations for this screenshot.

[screenshot]

Shortcut.txt Addition.txt FRST.txt Malwarebytes Scan Report.txt


Hi, welcome.
My name is Maurice. I will be helping and guiding you, going forward on this case.
Let me know what first name you prefer to go by.

Please follow my directions as we go along.  Please do not do any changes on your own without first checking with me.

.

What follows are just a few starter steps.   There will be more later.

[ 1 ]

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & how to run the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

The log is named MSERT.log

The log will be at C:\Windows\debug\msert.log

Please attach that log with your reply. Let me know the result of this. But just keep going down this list.

[ 2 ]

I would suggest you download, save, and then run Malwarebytes ADWCLEANER.

Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner scan.

Adwcleaner  detects factory Preinstalled applications too!

 

Please download  Malwarebytes AdwCleaner  https://downloads.malwarebytes.com/file/adwcleaner
 

Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

 

Go to the folder where you saved Adwcleaner. Double click Adwcleaner  to start it.

At the prompt for license agreement, review and then click on I agree.

 

You will then see a main screen for Adwcleaner. (If you do not see it right away, minimize the other open windows so you can see Adwcleaner.)

Then click on Dashboard button.

Click the blue button "Scan Now".

 

Allow it a few minutes to finish the scan. Let it remove what it finds.

NOTE: When it comes to the section "Pre-installed applications", you can skip that.

Please find and send the Adwcleaner "C" clean report.

In Adwcleaner, click the "Reports" button.  Look at the list of reports for the latest date & type "Clean".

Double Click that line & it will open in Notepad.   Save the file to your system and then Attach that with your reply.

 

That C clean report will be the one with the most recent Date and time at folder  C:\AdwCleaner\Logs

Thanks.  Keep me advised.

 


I had not intended for you to run the "basic repair" option. But it is ok.

The scan run of Adwcleaner found no adware / no PUPs.

The Microsoft Safety Scanner found no viruses / no malware.    That is a bit of good news.

.

I have a custom script here that will run scans with the Microsoft Windows Defender.   This may take an hour or so.

You want to plan this for a time when you will not need to be using the computer yourself actively.

 

The system will be rebooted after the script has run.

.

This custom script is for  Mungiu  only / for this  machine only.

 
Close and save any open work files before starting this procedure. 

I am sending a custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE link AS and save it directly (as is) to the Downloads folder.

The tool named FRST64.exe is already in the Downloads folder.
Start Windows Explorer and then go to the Downloads folder.

RIGHT-click on FRST64 and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool, click the line "More info" on that screen and click the button "Run anyway" on the next screen.

on the FRST window:
Click the Fix button just once, and wait.


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.


Please know this will do a Windows Restart.   Just let it do its thing.

Hopefully, after this, there will be no more presence of Windows Defender finding a PUA:Win32/CoinMiner.

Fixlist.txt


Thanks for the Fixlog report.

As to the Protection history on Windows Defender, your screen shows an Actions button.

You can click on that and, if at all possible, have the item or items either Quarantined or removed (deleted).

Either action would put the item out of play.   That is a radio button.   Just click on the circle of your choice.   Remove will delete the item.

.

Going beyond that, do this next procedure in any event.

I would suggest a free scan with the ESET Online Scanner
Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.

When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes

When prompted for scan type, Click on Full scan

Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.
Have patience.  The entire process may take an hour or more. There is an initial update download.

There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".
Click the blue "Save scan log" to save the log.

If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at bottom).
Press Continue when all done. You should click to turn off the offer for "periodic scanning".


I tend to think that the only reason you see those last 2 lines for the 11th is that Defender is repeating old content from history.

And that quite likely the same holds true for the line dated from the 18th.

The ESET scan reports no virus / no malware present.

Quote:

    Files scanned: 466450
    Detected files: 0
    Cleaned files: 0
    Total scan time: 01:05:25

Remember too, The Microsoft Safety Scanner found no viruses / no malware.

What follows is one last attempt to (a) try to find the folder C:\Windows\trustedlogos, (b) if found, scan it with Windows Defender, and (c) if found, delete TrustedLogos.exe & ProxyLibrary.dll (that is, if they are still present).

.

First, delete the old copy of the file I had you save before named Fixlist.txt   on the Downloads folder.

I am attaching a new one with this reply.

.

[ 2 ]

The system will be rebooted after the script has run.

.

This custom script is for  Mungiu  only / for this  machine only.

 
Close and save any open work files before starting this procedure. 

I am sending a custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE link AS and save it directly (as is) to the Downloads folder.

The tool named FRST64.exe is already in the Downloads folder.
Start Windows Explorer and then go to the Downloads folder.

RIGHT-click on FRST64 and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool, click the line "More info" on that screen and click the button "Run anyway" on the next screen.

on the FRST window:
Click the Fix button just once, and wait.


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

Fixlist.txt


Thanks a lot for all your time.

1st - Every time I restart my PC I get the windows boot menu which asks me to either load normally or scan the memory.

2nd - Logs are attached

3rd - After the scan, when I clicked Quarantine in Windows Defender again, this is what happened:

[screenshot]

4th - When I tried to quarantine other items again, all of them went back to the initial state:

[screenshot]

Fixlog.txt



Good morning.   I hope you are doing well today.    Thanks for the Fixlog report.

This run has confirmed that the 2 files (the subjects of the old protection history of Windows Defender) "C:\Windows\trustedlogos\ProxyLibrary.dll" &
"C:\Windows\trustedlogos\TrustedLogos.exe" are no longer present, and
that the folder "C:\Windows\trustedlogos" is not present.

We have been looking at history from the August 11 & the 18th.   The flagged items  from then are just no longer around.   We need to clear out old history.   Towards that goal,  I am listing a procedure below.

.

When you restart the machine, there is an option shown to allow you a way to get to Advanced Boot startup options, in case you ever need to get to Windows Safe mode or some other mode. It is there for just a few seconds (8 seconds). Just let it be; it times out after 8 seconds. Or else you may just tap the Enter key to proceed without any action.

.

This procedure is intended to clear old history in the Windows Defender logs older than 3 days, and then start a new quick scan with Windows Defender.

You may start & run a Windows Defender scan through the use of Windows PowerShell.

Start an Elevated Powershell command prompt-window.

On the Windows taskbar, in the Search box, type in

    powershell


Wait and look for the results list.  Click on the line that shows Powershell with "Run as Administrator".

Then you will see the Powershell window.

Into that, we want to Copy & Paste (one line at a time, and then tap the Enter key after each line):

    Set-MpPreference -ScanPurgeItemsAfterDelay 3

Tap the Enter key.

    Update-MpSignature

Tap the Enter key.

    Start-MpScan -ScanType QuickScan

Tap the Enter key to proceed. Watch & monitor until after the Quick Scan has completed.

Next, Copy & Paste

    Remove-MpThreat

Tap the Enter key.

Let me know what the results are. You may close the PowerShell window after all is done.

Edited by Maurice Naggar

Hello.   Good afternoon.   I hope your weekend is going well.  It does look like the 4 command lines were completed.

You can close the Powershell window in case it is still open.

We should look at the actual log file.  You can navigate to it using Windows File Explorer and going to this address on the address bar  ( which you Copy & then Paste  )

%userprofile%\AppData\Local\Temp\MpCmdRun.log

 

Then attach the file named mpcmdrun.log   with your next reply.

ADDED NOTES:

On the 2nd frame shown above (the Windows Security one) you should click on the line "Virus & Threat Protection" & then see the summary that should be displayed there at the top.

Edited by Maurice Naggar
added notes

Just in case, let's make sure that Windows File Explorer is able to show all folders, including any hidden ones.

Use Option Two as in this article at Tenforums:

https://www.tenforums.com/tutorials/9168-show-hidden-files-folders-drives-windows-10-a.html

.

As to the scan log, it is sad to say that Microsoft did not make it easy to look up the scan log (unless you ran the scan in the GUI itself).

Let's gather the latest entries off the Windows EVENT Logs in the hope of maybe seeing something about the Windows Defender batch run.

 

Please download MiniToolBox, save it to your desktop and run it.

Reply YES when prompted by Windows to allow the program to run.
Reply YES when prompted by the tool to proceed.

Checkmark the following check-boxes:
List last 10 Event Viewer log

Click Go and post the result (MTB.txt). A copy will be saved in the same directory the tool is run from.
Note: When using the Reset FF Proxy Settings option, Firefox should be closed.
.

[ 2 ]

We are interested in the history & result of the very last scan.   We should also drill down into Windows Settings   and look for it visually.

See this post  ( as one example)  at the Microsoft Answers forum  

https://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_scanning-windows_10/windows-defender-how-to-view-scan-history/317d8870-1362-4c4e-953c-7bdaea5e394c

 

There may be minor differences on older Windows 10 versions as compared to newer ones. But on mine, here is how to view the last scan result visually:

Press the Windows-logo key on the keyboard to get the menu >> click Settings >> then select Update & Security

then on the left side click on Windows Security, then click the button "Open Windows Security"

then click Virus & Threat protection. The next screen should show a summary at the top labeled "Current Threats".

Hopefully, it will then show just below "No current threats"

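As an added example (not from this thread, and not Malwarebytes' or Microsoft's own guidance), the PowerShell commands from the earlier post combined with the checks the later posts reach for by hand: whether Defender still lists anything active, its detection history, the trustedlogos files and the proxy setting the thread dealt with, and the Defender Operational event log entries that MiniToolBox was meant to surface. It assumes an elevated PowerShell window on Windows 10 with the Defender module present; the file paths are the ones quoted in the thread.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Assumes the Defender PowerShell
# module and the Defender Operational event log exist (standard on
# Windows 10). Paths and names come from the thread itself.

# 1. The thread's four commands, in order: trim history to 3 days,
#    refresh signatures, quick scan, remove anything still active.
Set-MpPreference -ScanPurgeItemsAfterDelay 3
Update-MpSignature
Start-MpScan -ScanType QuickScan
Remove-MpThreat

# 2. Engine state and the quick-scan finish time the GUI summarises.
Get-MpComputerStatus |
    Select-Object AntivirusEnabled, RealTimeProtectionEnabled,
                  AntivirusSignatureLastUpdated, QuickScanEndTime |
    Format-List

# 3. What Defender still calls active versus old history entries.
$active = @(Get-MpThreat | Where-Object { $_.IsActive })
"Active threats: $($active.Count)"
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 10 InitialDetectionTime, ThreatID, ActionSuccess,
        @{ n = 'Resources'; e = { $_.Resources -join '; ' } } |
    Format-Table -Wrap

# 4. The files and folder the fix script targeted: all should be absent.
'C:\Windows\trustedlogos',
'C:\Windows\trustedlogos\TrustedLogos.exe',
'C:\Windows\trustedlogos\ProxyLibrary.dll' |
    ForEach-Object { "{0,-48} present: {1}" -f $_, (Test-Path $_) }

# 5. The proxy setting the OP had to undo by hand; ProxyEnable should
#    be 0 and ProxyServer/AutoConfigURL empty unless you set them.
Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' |
    Select-Object ProxyEnable, ProxyServer, AutoConfigURL | Format-List

# 6. Defender's Operational log: scan start/finish (1000/1001),
#    detection (1116), action taken (1117) or failed (1118/1119).
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1000, 1001, 1116, 1117, 1118, 1119
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object -First 20 TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -Wrap
```

A 1117 event without a matching later 1116 for the same file is the normal record of an item Defender already removed, which is the situation the thread ends up describing.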

Hey Maurice, thank you for checking up. The next two images are proof that hidden files are shown and that the search with hidden files enabled still provides no search results.

I have also attached the MTB log file.

MTB.txt

[screenshot]

[screenshot]

 

This is my dialogue with Microsoft which I will currently try to execute and see if all gets back to normal.

[screenshots of the exchange with Microsoft]

Thank you for the information.   It is appreciated.

To the last notes & copies of your exchange with MS,  Anuraag Roy expressed it very well  and to the point.

It is a glitch with the Windows Defender GUI interface. When the flagged items have been quarantined or removed (deleted), the Defender GUI can't "locate" the related item.

I would highly recommend that you do what he suggested.

If I may add also,  the items involved had been previously removed.

.

Thanks for the MTB report.  It shows no recent entries about Windows Defender recent events.

(2 weeks later)

Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

This topic is now closed to further replies.