
Trojan.BitCoinMiner.Generic keeps coming back


Solved by Bajiru


Hello. My brother's Windows 10 PC is infected with the Trojan.BitCoinMiner.Generic trojan. We both knew it was from a game copy he downloaded from a sketchy website, so we deleted it and the previous instance of the trojan successfully. However, it literally crippled vital parts of his Windows installation, like Windows Update. He was able to fix this without reinstalling by upgrading from build 2004 to 20H2.

 

1 month later, and suddenly he cannot install updates ("Something went wrong. Try to reopen Settings later."), he cannot download apps from Windows Store (I don't know how, but this Store app is useful and not available as an exe file), Safe Mode sessions are corrupted and he cannot enable the Administrator account no matter what.

Following the steps from this similar post here, we ran a Malwarebytes scan, which quarantined and removed 7 detections of the trojan in various places. Then, we ran a scan using AdwCleaner and rebooted. Finally, we ran Farbar Recovery Scan Tool.

However, as the scripts and log files there were for a completely different Windows installation, I have attached the log files from his PC to see what can be done.

Thank you in advance.

Attachments: Addition.txt, AdwCleaner[S00].txt, Malwarebytes.txt, FRST.txt


Hi,
My name is Maurice. I will be helping and guiding you, going forward on this case.
Let me know what first name you prefer to go by.

Please follow my directions as we go along.  Please do not do any changes on your own without first checking with me. 
We will be needing to do multiple passes / several different scans for this case.  Patience & persistence are needed.

Let's start out with what follows.

The Microsoft Safety Scanner  is a free Microsoft stand-alone virus scanner that  can be used to scan for & remove malware or potentially unwanted software from a system.

The download link and the instructions for running the tool are on this page at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

At Scan options,  select Full scan.

Let me know the result of this.

The log is named MSERT.log and will be at C:\Windows\debug\msert.log

Please attach that log with your reply.

 

2 hours ago, Maurice Naggar said: (quoting the post above)

Hey, thanks for reaching out! I go by Bill, "Bajiru" is just a pseudonym.

 

Since my brother cannot run the scan now, he is going to let it run overnight. I'll upload the log in the morning.


Hello, @Maurice Naggar.

We let the scan run overnight, though it yielded no results. I have attached the log file.

Though, I have to mention that yesterday, he scanned his PC for ~20 minutes the 1st time and it did find 1 infection, however he cancelled the scan prematurely as he had to get some work done and his disk usage was at 100%.

Attachment: msert.log


Hi Bill. Do a new run with Malwarebytes for Windows. It should take something like 20 minutes or even less.

I need you to be extra careful to ensure that each tagged line item is CHECK-MARKED to be removed (Quarantined) when you review the list of tagged items.

Read all of this all the way. Look at the image file and see how to get all line items TICKED for removal. 👉 Please read ALL of this all the way down first, before you click 'Scan'.

Start Malwarebytes from the Windows  Start menu.
Click Settings ( gear icon)   at the top right of Malwarebytes window.   We want to see the SETTINGS window.
Then click the Security tab.   

Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON        👈
Click it to get it ON if it does not show a blue color.

Then scroll down to the section Potentially Unwanted items.   We need the next 2 lines   ( for P U P  & for P U  M)  to be set to "Always ( Recommended) ".
You can make the change by clicking on the down-arrow selection list-control.   We want all P U P  &  P U M to be marked for removal.

Next, click the small x on the Settings line   to go to the main Malwarebytes Window.
 

Next click the blue button marked Scan.
When the scan phase is done, be real sure you review and have all detected line items check-marked on the left of each line. That too is very critical.
You can actually click the topmost left  check-box  on the very top line to get ALL lines  ticked   ( all selected).    👈

[image: MB4_scan_tick_ALL2.jpg]

 

 

Then click on Quarantine selected.

[image: MB4_scan_all_Quarantine2.jpg]
 

Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

 


Hi Bill.   That is a very good report.  I would suggest one more follow-up.

I would suggest to download, save, and then run Malwarebytes ADWCLEANER. (Just be sure that Thunderbird is closed when you run this.)
Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner scan.
Adwcleaner  detects factory Preinstalled applications too! 

Please download  Malwarebytes AdwCleaner https://downloads.malwarebytes.com/file/adwcleaner


 
Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

Go to the folder where you saved Adwcleaner. Double click Adwcleaner  to start it.
At the prompt for license agreement, review and then click on I agree.

You will then see a main screen for Adwcleaner. (If you do not see it right away, minimize the other open windows so you can see Adwcleaner.)
Then click on Dashboard button.
Click the blue button "Scan Now".

Allow it a few minutes to finish the scan. Let it remove what it finds.
NOTE: When it comes to the section "Pre-installed applications", you can skip that.

Please find and send the Adwcleaner "C" clean report.
In Adwcleaner, click the "Reports" button. Look at the list of reports for the latest date & type "Clean".
Double click that line & it will open in Notepad. Save the file to your system and then attach that with your reply.

That C clean report will be the one with the most recent Date and time at folder  C:\AdwCleaner\Logs
Thanks.  Keep me advised.


Thanks for the report.  That is a fine result.  You do not need to run it again.  Please do what follows below.

Set Windows to SHOW all folders and all files, including hidden ones and system folder locations like AppData.

Open Windows File Explorer.

Select View from its top menu bar > click Options on the icon at the far right-side > Change folder and search options ( from the drop down ).

  • on the next multi-tab mini-window
  • Select the View tab and, in Advanced settings,
  • select Show hidden files, folders, and drives
  • and OK.


[     2     ]

There are a few things to fix on this Windows configuration. There is a block setting in place (who knows why) to prevent Windows Update. There are a few settings that are debug points. The following custom script will take care of all that, plus run the Windows DISM tool to recheck this Windows and also the System File Checker.
Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

The system will be rebooted after the script has run.

Save the attached file FIXLIST.txt  to the Downloads folder.   Save it as-is.


This custom script is for Bajiru  only / for this machine only.

 
Close and save any open work files before starting this procedure.    If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.

Start Windows Explorer and then go to the Downloads folder.

RIGHT click on FRST64 and select Run as Administrator to run the tool. Reply YES when prompted to allow it to run. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click line More info information on that screen
and click button Run anyway on next screen.

on the FRST window:
Click the Fix button just once, and wait.

[image: frst-fix.jpg]

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Please know this will do a Windows Restart.   Just let it do its thing. 

Attachment: Fixlist.txt

Solution

@Maurice Naggar thanks for the script. However, I forgot to tell you that it's probably not needed.

Yesterday night, we checked Task Manager and found a process called "StopUpgrade10" by greatis.com. My brother doesn't know how he got it at all. I deleted it plus any residual files, rebuilt the registry entries in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv (exported them from my functioning PC and imported them to his), restarted and now Windows Update works normally.

 

I think the topic is closed now. Thank you very much for your help. Hope you have a good day! :)

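Added example, not part of this thread and not code from Malwarebytes, FRST or Microsoft: a PowerShell audit, run from an elevated prompt on the affected PC, that covers the ground behind both Maurice's FIXLIST (a policy setting blocking Windows Update, then DISM and SFC) and Bill's fix (a damaged wuauserv service and a stray process). Assumed: standard Windows 10 service names, the documented policy value names under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and ...\WindowsStore, and Windows 10 default start types for the four services; nothing here is specific to the "StopUpgrade10" process Bill found, which the script would surface only as an image not signed by Microsoft.

```powershell
# Added example (not from the thread). Run as Administrator on Windows 10.
# Assumptions: default Windows 10 service names/start types and the standard
# Windows Update / Store policy value names listed below.

# 1. Services Windows Update depends on. A service whose registry key under
#    HKLM\SYSTEM\CurrentControlSet\Services was deleted shows up as MISSING.
$expected = @{
    wuauserv = 'Manual'      # Windows Update (trigger-started)
    UsoSvc   = 'Automatic'   # Update Orchestrator
    BITS     = 'Manual'      # Background Intelligent Transfer
    CryptSvc = 'Automatic'   # Cryptographic Services (catalog verification)
}
foreach ($name in $expected.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { '{0,-10} MISSING (service key absent)' -f $name; continue }
    $flag = if ($svc.StartType -eq 'Disabled') { '<-- disabled' } else { '' }
    '{0,-10} status={1,-8} start={2,-10} expected={3} {4}' -f `
        $name, $svc.Status, $svc.StartType, $expected[$name], $flag
}

# 2. Policy values that block Windows Update or the Store. On a home PC that
#    nobody manages with Group Policy, any of these being present is suspicious.
$policyChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate';    Name = 'DisableWindowsUpdateAccess' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate';    Name = 'TargetReleaseVersion' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name = 'NoAutoUpdate' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore';             Name = 'RemoveWindowsStore' }
)
foreach ($c in $policyChecks) {
    $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($v) { 'POLICY SET: {0}\{1} = {2}' -f $c.Path, $c.Name, $v.($c.Name) }
}

# 3. Running processes whose image is not validly Authenticode-signed by Microsoft.
#    A miner or an "update blocker" dropped by a cracked game normally lands here.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object Path |                       # skip System/protected processes with no readable path
    Sort-Object Path -Unique |
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.Path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft') {
            [pscustomobject]@{ Name = $_.ProcessName; Signature = $sig.Status; Signer = $signer; Path = $_.Path }
        }
    } | Format-Table -AutoSize

# 4. Repair the component store and protected system files (what the FIXLIST also ran).
DISM.exe /Online /Cleanup-Image /RestoreHealth
sfc.exe /scannow
```

Two caveats for step 1. Rebuilding a missing service key by importing a .reg export from another PC, as Bill did, only works when both machines are on the same Windows build, because the service's ImagePath, dependencies and trigger definitions change between builds; when no matching machine is available, DISM /RestoreHealth followed by an in-place upgrade is the supported route. And a non-Microsoft signer in step 3 is a lead, not a verdict: legitimate third-party software shows up there too, so look at the path and the publisher before deleting anything.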

Thank you for the status update. Please relay these tips to your brother.

Backup is your best friend.  Keep backups of your system on a regular basis to offline storage & keep those safe. https://forums.malwarebytes.com/topic/136226-backup-software/

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".
Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Don't remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"

 

Stay safe.  I wish you all the best.   😎

Sincerely,

Maurice

 


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 

This topic is now closed to further replies.