
How do I get rid of a bitcoin miner virus? help



My GPU randomly started running at 100% at idle, and the only fix I have found was to reset Windows, so I did that multiple times. Well, it kinda worked but doesn't: not 100% use at idle, but 100% use when doing anything like Chrome, games, opening anything.

What I always see in Task Manager that I have never seen before, using my GPU, are System, Client Server Runtime Process, and Desktop Window Manager. I read another old forum thread and did the steps, but I need a fixlist.txt file for my stuff. Here are my logs from Farbar. I have run Malwarebytes and every other scan and they have found nothing.

Addition.txt FRST.txt


Hi,
My name is Maurice. I will be helping and guiding you, going forward on this case.
Let me know what first name you prefer to go by.

Please follow my directions as we go along. Please do not make any changes on your own without first checking with me.
Please only attach all report files, etc. that I ask for as we go along.

 

Thanks for the Farbar FRST reports. You are asserting that you suspect a virus. Have you done a Full scan with Windows Defender?

2 - The processes you are seeing in Task Manager are normal expectations, as far as processes go.

3 -

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.
The download links & the how-to-run-the-tool instructions are at this link at Microsoft:
https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 
  
Let me know the result of this.
The log is named MSERT.log.
The log will be at C:\Windows\debug\msert.log
Please attach that log with your reply.
 

4 -

Let's please try to get and run a special report tool from Microsoft.
It does not make changes. It will be just a report.

Please download Sysinternals Autoruns from here and save it to your desktop.

Note: you also need to do the following:
Right-click on Autoruns.exe and select Properties
Click on the Compatibility tab
Under Privilege Level check the box next to Run this program as an administrator
Click on Apply then click OK

Double-click Autoruns.exe to run it.
Once it starts, please press the Esc key on your keyboard.
Now that scanning is stopped, click on the Options button at the top of the program and select Filter Options...
In the Autoruns Filter Options dialogue, verify that the following are unchecked, if they are checked, uncheck them:
Include empty locations
Hide Microsoft entries
Hide Windows entries

Verify that the following is checked, if it is unchecked, check it:
Verify code signatures

Check VirusTotal.com

 

 

Once that's done press the F5 key on your keyboard, this will start the scan again, this time let it finish.
When it's finished and says Ready. on the lower left of the program window, please click on the File button at the top of the program and select Save and save the Autoruns.arn file to your desktop and close Autoruns.

Right click on the Autoruns.arn file on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder
Attach the Autoruns.zip folder you just created to your next reply

 

5 - Kindly let me know if the PC has the Trial Malwarebytes or if it is a Premium license.

Thank you.


I need to emphasize that Malwarebytes for Windows will detect and remove malicious 'bitcoin' mining rogues.

What I am trying to convey is that we use security programs to identify malware. We ought not to be just making an assertion that has not been confirmed by a security tool.

The Microsoft Safety Scanner tool reports no viruses / no trojans / no malware.

.

Just as a note, about disk space. You may run the Windows built-in Disk Cleanup applet to delete temporary files in order to regain some free space.

I would recommend that you run the Windows built-in CLEANMGR applet, which is the disk and system cleanup applet.

https://support.microsoft.com/en-us/help/4026616/windows-10-disk-cleanup

.

Back to additional scanning for malware & viruses (if any).

I would suggest a free scan with the ESET Online Scanner
Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.

When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes.

When prompted for scan type, click on Full scan.

Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display.

You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".

Click the blue "Save scan log" to save the log.

If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at bottom).
Press Continue when all done. You should click to turn off the offer for "periodic scanning".
 
 


I have already done the ESET scan and it doesn't work. I already found the culprit but I can't delete it. It is rtkauduservice64.exe, and I disabled it and it stopped running at 100% at idle, but it still runs at 100% for an instant when I open an application, then stops, but it is still here. It is in System32 and I am trying to delete it but I can't.

 


Let's go just a bit slower, with a bit more detail.

Did the ESET scan start and then finish? If yes, what did it show in the results?

and

Just how & where & with what tool do you "see" "rtkauduservice64.exe"? That file is a REALTEK audio driver. It is not "malware".

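The disagreement above (the user sees a file in System32 and assumes it is malware; the helper says it is a legitimate Realtek component) is exactly the situation where a quick, tool-based check beats guessing. The following PowerShell is an added example, not something posted in the thread: it reports the Authenticode signature status, signer, version metadata and SHA-256 of a file (so the hash can be looked up in a reputation service), and lists any other copies of the same file name in common locations. The file path and the function names are assumptions for illustration; the file name is the one the user mentioned.

```powershell
# Added example (not from the thread): check a System32 binary before calling it malware.
# Assumed path below is the file named by the user; the function works for any path.

function Test-SystemBinary {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }

    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    [pscustomobject]@{
        Path            = $item.FullName
        Exists          = $true
        SizeBytes       = $item.Length
        Created         = $item.CreationTime
        Company         = $item.VersionInfo.CompanyName
        Description     = $item.VersionInfo.FileDescription
        # 'Valid' means the Authenticode chain verified; 'NotSigned' or 'HashMismatch'
        # on a file that claims to be a vendor driver is the thing worth reporting.
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        # Look the hash up in a reputation service instead of deleting on suspicion.
        SHA256          = $hash
    }
}

# A legitimate file name appearing in an unexpected folder deserves a second look,
# so list every copy of the name under the usual program and profile locations.
function Find-DuplicateNames {
    param([string]$Name = 'rtkauduservice64.exe')

    $roots = @("$env:SystemRoot", "$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:LOCALAPPDATA")
    Get-ChildItem -Path $roots -Filter $Name -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { Test-SystemBinary -Path $_.FullName }
}

# Usage (assumed location; adjust if the file lives elsewhere on your system)
Test-SystemBinary -Path "$env:SystemRoot\System32\rtkauduservice64.exe" | Format-List
Find-DuplicateNames | Format-Table Path, SignatureStatus, Signer, SHA256 -AutoSize
```

Run it from an elevated PowerShell prompt so that files under System32 can be read. A result of `Valid` with a vendor subject in `Signer` supports the helper's point that the file is a normal driver component; a copy of the same name sitting in a user-writable folder with `NotSigned` is what to attach to the thread, rather than deleting it by hand.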

I saw it on startup in Task Manager and it is hiding in System32. I deleted all Realtek audio files and I guess it was disguised as them. My problem is half solved; I don't think I deleted all the related files. I already did ESET and it found nothing.


Hi. I have a request and another suggestion.

A. Please stop deleting anything on your own while this case is open here.

B. Legitimate drivers are stored in the System32 sub-folder. I do not advise deleting anything without checking with me.

C. I would like to get a better idea of your hardware devices and their drivers. To that end, I would like a run with the Speccy report tool.

You should use a tool-applet named Speccy to see what it can tell about the hardware system.

  • Please download Speccy from here and run the installer
  • Be sure to uncheck any checkboxes for any offers for any browsers, toolbars, or anything else it might ask to install other than the program itself (let us know if you have any trouble, and take a screenshot of the page of the installer where you're stuck and post it in your reply before proceeding if necessary)
  • Click on the Customize link in the installer and select the options you desire for icons and whether you want Speccy to inform you of updates (I recommend unchecking this option)
  • Once the installer completes, uncheck the box to view the release notes and click the Run Speccy button
  • Once the program starts it will analyze your system, please be patient as it may take a few moments to complete.
  • Once it finishes and none of the areas say Analyzing click on the File button at the top and select Save Snapshot...
  • Save the file to your desktop and click Ok to confirm; you may now close Speccy and uninstall it if you do not wish to keep it
  • Go to your desktop and right click on the file you just created and hover over Send to and select Compressed (zipped) Folder
  • Please attach the zip file you just created to your next post

 

D. I should have mentioned that Task Manager's initial displays (the ones related to CPU usage percentage) are not to be relied upon, & certainly not for making any jump to an assumption about any state of "infection" or suspicion. We use known security tools to judge about infection.

You need to totally not pay attention to the percentage for at least one minute. The very initial display is NOT the real deal. You need to let the app settle down.

The CPU usage can fluctuate depending on all sorts of conditions. It (high CPU usage at some moment in time) does not mean that there is some kind of "infection".

 

You should review this topic and see if it applies to your system as well. It takes a while for Task Manager to compute tasks & then refresh the display.

https://forums.malwarebytes.com/topic/252362-cpu-usage-always-at-70-until-task-manager-is-open/

 

 

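The helper's point D is that a single glance at Task Manager is not evidence; usage has to be measured over a window and attributed to processes. The PowerShell below is an added example, not part of the thread, that does that with built-in cmdlets: it samples total CPU once per second for a minute via the performance counter, then compares each process's accumulated CPU time before and after the window. The first sample is reported separately so you can see how far it sits from the one-minute average. The function name, interval and duration are assumptions.

```powershell
# Added example (not from the thread): measure CPU usage over a window instead of
# trusting the first Task Manager reading. Duration and Top are assumed defaults.

function Measure-CpuOverTime {
    param(
        [int]$Seconds = 60,
        [int]$Top     = 5
    )

    $cores = [Environment]::ProcessorCount

    # CPU time each process had consumed at the start of the window.
    # Protected processes can refuse access; those are simply skipped.
    $before = @{}
    foreach ($p in Get-Process) {
        try { $before[$p.Id] = $p.TotalProcessorTime } catch { }
    }

    # One total-CPU sample per second for the whole window.
    $samples = Get-Counter -Counter '\Processor(_Total)\% Processor Time' `
                           -SampleInterval 1 -MaxSamples $Seconds
    $values  = $samples | ForEach-Object { $_.CounterSamples[0].CookedValue }

    # Attribute the CPU time spent during the window to processes.
    $perProcess = foreach ($p in Get-Process) {
        if (-not $before.ContainsKey($p.Id)) { continue }   # started after the window began
        try {
            $used = ($p.TotalProcessorTime - $before[$p.Id]).TotalSeconds
            $path = $p.Path
        } catch { continue }
        [pscustomobject]@{
            Name       = $p.ProcessName
            Id         = $p.Id
            Path       = $path
            CpuSeconds = [math]::Round($used, 2)
            # Share of total machine capacity over the window, so 100% = all cores busy
            AvgPercent = [math]::Round(100 * $used / ($Seconds * $cores), 1)
        }
    }

    [pscustomobject]@{
        FirstSamplePct = [math]::Round($values[0], 1)
        AveragePct     = [math]::Round(($values | Measure-Object -Average).Average, 1)
        MaxPct         = [math]::Round(($values | Measure-Object -Maximum).Maximum, 1)
        TopProcesses   = $perProcess | Sort-Object CpuSeconds -Descending | Select-Object -First $Top
    }
}

# Usage
$result = Measure-CpuOverTime -Seconds 60 -Top 5
$result | Select-Object FirstSamplePct, AveragePct, MaxPct | Format-List
$result.TopProcesses | Format-Table Name, Id, CpuSeconds, AvgPercent, Path -AutoSize
```

Run it while the machine is otherwise idle. A high `FirstSamplePct` with a low `AveragePct` is the settling effect the helper describes; a process that holds a large `AvgPercent` for the whole minute is a concrete name and path to report in the thread, which is far more useful than a percentage read off the first screen.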
2 weeks later...

Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 
