
Win64/CoinMiner.PO keeps coming back after putting it in quarantine.



Thanks for the update, there must be a dropper that puts the file back after reboot. Try the following...

Open the search function, type or copy/paste Windows Defender Security Center then select OK to open that option.

In the new window select Virus and Threat Protection then select Scan Options

The scan options window will open, from there select Windows Defender Offline Scan

You will be given the option to save any open work etc., then select Scan. When the scan completes Windows will reboot.

To check for found entries:

Select Start , and then select Settings > Update & Security > Windows Security > Virus & threat protection . On the Virus & threat protection screen select Protection history.

If entries are shown as "Found", the time and date will be the same as the offline scan just completed.

 

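The same steps driven from PowerShell, as an added example that is not part of the post above and not Microsoft's own documentation: it uses the built-in Defender cmdlets (Get-MpThreatDetection, Get-MpThreat, Start-MpWDOScan) from an elevated prompt on Windows 10/11, and the function names and the `-Go` switch are this example's own.

```powershell
# Added example (not from the thread): PowerShell equivalents of the Defender
# Offline scan and the Protection history check described above.
# Run from an elevated PowerShell; the Defender module ships with Windows.

function Get-RecentDefenderDetections {
    # What Protection history shows: what was found, when, in which file, and
    # whether Defender's action succeeded. -Since restricts the list to
    # detections after a given time, which is how you pick out the entries
    # written by the offline scan you just ran.
    param([datetime]$Since = [datetime]::MinValue)

    # Map numeric ThreatID -> name such as Trojan:Win64/CoinMiner.PO
    $names = @{}
    Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }

    Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -gt $Since } |
        Sort-Object InitialDetectionTime |
        Select-Object InitialDetectionTime,
                      @{ n = 'Threat';    e = { $names[$_.ThreatID] } },
                      @{ n = 'Resources'; e = { $_.Resources -join '; ' } },
                      ProcessName, ActionSuccess
}

function Start-OfflineScan {
    # Equivalent of Scan options > Windows Defender Offline scan. The machine
    # reboots into the offline scanner almost immediately, so the reboot is
    # only triggered when -Go is given (hypothetical switch for this example).
    param([switch]$Go)
    if (-not $Go) {
        return 'Save open work, note the current time, then re-run with -Go.'
    }
    Start-MpWDOScan
}

# Usage: what Defender has logged so far about this machine
Get-RecentDefenderDetections | Format-Table -AutoSize

# Usage: after the offline scan and reboot, in a fresh session, list only the
# detections newer than the moment you started the scan (adjust the time).
Get-RecentDefenderDetections -Since (Get-Date).AddHours(-1) | Format-Table -AutoSize
```

A "Found" entry from the offline scan shows up here with an InitialDetectionTime matching the scan, exactly as the post describes for the Protection history screen.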

Yes, odd for sure, but still we do not find the dropper... Reboot your system then continue:

Run the following please:

Scan with Autoruns

Please download Sysinternals Autoruns from the following link: https://live.sysinternals.com/autoruns.exe save it to your desktop.

Note: If using Windows Vista, Windows 7, Windows 8/8.1 or Windows 10 then you also need to do the following:
 
  • Right-click on Autoruns.exe and select Properties
  • Click on the Compatibility tab
  • Under Settings check the box next to Run this program as an administrator
  • Click on Apply then click OK
     
  • Double-click Autoruns.exe to run it.
  • Once it starts, please press the Esc key on your keyboard.
  • Now that scanning is stopped, click on the Options button at the top of the program and verify that the following are checked, if they are unchecked, check them:

    Hide empty locations
    Hide Windows entries

     
  • Click on the Options button at the top of the program and select Scan Options... then in the Autoruns Scan Options dialog enable/check the following two options:

    Verify code signatures
    Check VirusTotal.com

     
  • Once that's done click the Rescan button at the bottom of the Autoruns Scan Options dialog and this will start the scan again, this time let it finish.
  • When it's finished and says Ready. on the lower left of the program window, please click on the File button at the top of the program and select Save and save the file to your desktop and close Autoruns.
  • Right click on the file on your desktop that you just saved and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the ZIP folder you just created to your next reply...

 

 

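The same Autoruns scan driven from the command line, as an added example that is not part of the post above and not Sysinternals' own documentation: it uses autorunsc.exe, the console version published on the same Sysinternals page, with the switches that correspond to the options the post asks you to tick. It assumes autorunsc.exe was saved to the desktop; the CSV column names are those written by recent Autoruns builds and may need adjusting for yours.

```powershell
# Added example (not from the thread): command-line Autoruns with code-signature
# verification and VirusTotal lookups, then a filter over the CSV output.
# Assumption: autorunsc.exe saved to the desktop. Run elevated.
$Autorunsc = Join-Path $env:USERPROFILE 'Desktop\autorunsc.exe'
$Csv       = Join-Path $env:USERPROFILE 'Desktop\autoruns.csv'

# -a '*'  every autostart category   -m   hide Microsoft-signed entries
# -s      verify code signatures     -v   query VirusTotal by hash
# -vt     accept VirusTotal terms    -c   CSV output   -h  include file hashes
# cmd.exe does the redirection so the file keeps autorunsc's own encoding.
cmd /c "`"$Autorunsc`" -accepteula -nobanner -a * -m -s -v -vt -c -h > `"$Csv`""

# Column names below are an assumption based on current Autoruns CSV output.
$Entries = Import-Csv -LiteralPath $Csv

# Entries worth a second look: image not verifiably signed, anything
# VirusTotal flagged (detection ratio not starting with 0), and anything
# pointing at the rogue file this thread is about.
$Suspicious = $Entries | Where-Object {
    ($_.Signer -notlike '(Verified)*') -or
    ($_.'VT detection' -match '^\s*[1-9]') -or
    ($_.'Image Path' -match '\\explore\.exe$') -or
    ($_.'Launch String' -match 'explore\.exe')
}

$Suspicious |
    Select-Object 'Entry Location', Entry, 'Image Path', Signer, 'VT detection' |
    Format-Table -Wrap -AutoSize

"$($Entries.Count) non-Microsoft autostart entries, $(@($Suspicious).Count) flagged"
```

The full CSV is what you would attach to a reply; the filtered view is the short list a helper would go to first, because an unsigned or VirusTotal-flagged autostart entry is the most likely place for the dropper that re-creates the file after reboot.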

Nothing to help us in that log... From the first logs the following restore point is listed...

Quote

25-11-2020 23:27:03 univcredist

What is univcredist? Was it installed or removed on the 25th? Does it coincide with the arrival of explore.exe?

Set Windows up for "Clean Boot" mode, full instructions here: https://support.microsoft.com/en-gb/kb/929135

Basically all non-MS services are disabled, see how your system runs in that mode.

With your system in clean boot mode, remove the problem file with scan by Malwarebytes or ESET.

After removal reboot your system, see if rogue file C:\Windows\explore.exe returns....

The rogue file is trying to mimic the genuine Windows file C:\Windows\explorer.exe
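A read-only check for the rogue file and for whatever might be putting it back, as an added example that is not part of the post above: it compares C:\Windows\explore.exe with the genuine explorer.exe (signature, hash, timestamps) and then searches the usual autostart locations for any reference to the rogue name. The two paths come from the thread; the function name and output format are this example's own.

```powershell
# Added example (not from the thread): compare the rogue path named above with
# the genuine binary, then hunt the autostart locations for what re-creates it.
# Run elevated. Nothing here modifies the system.
$Rogue   = 'C:\Windows\explore.exe'
$Genuine = 'C:\Windows\explorer.exe'

function Get-FileFacts {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false }
    }
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path      = $Path
        Present   = $true
        SizeBytes = $item.Length
        Created   = $item.CreationTime        # when the dropper last wrote it
        Modified  = $item.LastWriteTime
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SigStatus = $sig.Status               # 'Valid' for the real explorer.exe
        Signer    = $sig.SignerCertificate.Subject
    }
}

Get-FileFacts $Genuine
Get-FileFacts $Rogue

# 'explore\.exe' does not match 'explorer.exe' (dot must follow 'explore').
$Pattern = 'explore\.exe'

# 1. Run / RunOnce keys
$RunKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $RunKeys) {
    if (-not (Test-Path $k)) { continue }
    (Get-ItemProperty $k).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match $Pattern } |
        ForEach-Object { "RUNKEY  $k\$($_.Name) = $($_.Value)" }
}

# 2. Services (this is what Clean Boot mode disables wholesale)
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match $Pattern } |
    ForEach-Object { "SERVICE $($_.Name) [$($_.StartMode)] = $($_.PathName)" }

# 3. Scheduled tasks
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ("$($a.Execute) $($a.Arguments)" -match $Pattern) {
            "TASK    $($task.TaskPath)$($task.TaskName) = $($a.Execute) $($a.Arguments)"
        }
    }
}

# 4. WMI permanent event consumers (Autoruns lists these too)
Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer |
    Where-Object { "$($_.CommandLineTemplate) $($_.ExecutablePath)" -match $Pattern } |
    ForEach-Object { "WMI     $($_.Name) = $($_.CommandLineTemplate)" }
```

If the rogue file is present, its SigStatus will not be `Valid` and its creation time tells you when it was last dropped; a hit in any of the four lists names the mechanism that Clean Boot mode is about to confirm by elimination.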

Hello UhSilo,

We cannot leave your system in clean boot mode indefinitely. Clean Boot is a method used to find out what causes the current problem. All system services are still active, all 3rd party services that run at boot are disabled.

In your case we are trying to find what replaces the malicious executable explore.exe after removal; if clean boot gives a positive result we know that a 3rd party service is responsible. So now we have to find out the culprit....

As clean boot has indicated where the problem lies, it is now a process of elimination to find which non MS service(s) was affecting your system...

Go through the process again, this time with all MS services hidden again; enable the top half of non-MS services, re-boot and see how your system responds. If still OK, the top half can be left enabled.

Repeat again, enable so many of the bottom half then re-boot. Continue until you locate the problem service(s). A process of elimination, a bit long winded but worth the effort. Let me know the outcome...

Does that make sense to you, can you follow that process? I know it is long winded but it is the best way forward...

Thank you,

Kevin...

Edited by kevinf80
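The elimination process Kevin describes, scripted, as an added example that is not part of the thread or of Microsoft's Clean Boot article: it records the non-Microsoft auto-start services to a baseline file and disables them (the Clean Boot state), then re-enables one slice at a time between reboots, and can restore everything at the end. "Non-Microsoft" is approximated here by the Authenticode signer of the service binary, which is close to what msconfig's "Hide all Microsoft services" does; the function names and the baseline file path are this example's own.

```powershell
# Added example (not from the thread): scripted version of the halve-and-reboot
# elimination above. Run elevated. Reboot between each step, as in the post.
$Baseline = Join-Path $env:USERPROFILE 'Desktop\service-baseline.json'

function Get-NonMicrosoftAutoServices {
    # Auto-start services whose binary is not signed by Microsoft. Services
    # hosted in svchost.exe are excluded, because the host binary is signed.
    Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } | ForEach-Object {
        $exe = if ($_.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($_.PathName -split ' ')[0] }
        $signer = if (Test-Path -LiteralPath $exe) {
            (Get-AuthenticodeSignature -LiteralPath $exe).SignerCertificate.Subject
        } else { '' }
        if ($signer -notmatch 'O=Microsoft Corporation') {
            [pscustomobject]@{ Name = $_.Name; Path = $exe; Signer = $signer }
        }
    }
}

function Save-ServiceBaseline {
    # Step 0 (Clean Boot): record the list, then disable every entry.
    $svc = @(Get-NonMicrosoftAutoServices)
    $svc | ConvertTo-Json | Set-Content -LiteralPath $Baseline
    foreach ($s in $svc) { Set-Service -Name $s.Name -StartupType Disabled }
    "Recorded and disabled $($svc.Count) non-Microsoft services; reboot and check whether explore.exe returns."
}

function Enable-ServiceSlice {
    # Re-enable a contiguous slice of the baseline list, e.g. -Start 0 -Count 5
    # for the 'top half' of a ten-entry list. Reboot afterwards and test.
    param([int]$Start, [int]$Count)
    $all = @(Get-Content -LiteralPath $Baseline -Raw | ConvertFrom-Json)
    $end = [Math]::Min($Start + $Count, $all.Count) - 1
    if ($end -lt $Start) { return 'Nothing in that range.' }
    foreach ($s in $all[$Start..$end]) {
        Set-Service -Name $s.Name -StartupType Automatic
        "Enabled $($s.Name) ($($s.Path))"
    }
}

function Restore-ServiceBaseline {
    # Put every recorded service back to Automatic once the culprit is known.
    $all = @(Get-Content -LiteralPath $Baseline -Raw | ConvertFrom-Json)
    foreach ($s in $all) { Set-Service -Name $s.Name -StartupType Automatic }
    "Restored $($all.Count) services."
}

# Usage, one line per reboot cycle:
#   Save-ServiceBaseline                   # all off -> reboot -> file gone?
#   Enable-ServiceSlice -Start 0 -Count 5  # top half -> reboot -> still gone?
#   Enable-ServiceSlice -Start 5 -Count 3  # part of bottom half -> reboot ...
#   Restore-ServiceBaseline                # after the guilty service is identified
Get-NonMicrosoftAutoServices | Format-Table -AutoSize
```

Each cycle halves the candidate set, so even a few dozen third-party services need only a handful of reboots; the baseline file is the record you need if the session is interrupted part way through.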

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 
