Jump to content

Trojan bitcoin mining file disguising itself in task manager


Recommended Posts

Hello everyone,

I would like to begin by saying that this website is amazing. It has led me to find out why my PC performance is so poor in less than an hour when I have been troubleshooting it for months, so thank you. I've been having game performance issues for a few months now. I tried dozens upon dozens of troubleshooting methods without a solution in sight until I noticed something. When I was running a game and opened task manager, my CPU usage would instantly drop from 99% to 50-60%. This reminded me of something I read online about bitcoin miners hiding itself as you open task manager. What I didn't actually know was that it was possible for the virus to camouflage itself under the game.

I started by installing Malwarebytes and AdwCleaner as instructed by @AdvancedSetupin other user's threads. I did a scan with Malwarebyte with rootkit scan enable in the settings yet nothing was found. After scanning with ADWcleaner, two ''PUP.OptionalLegacy'' files were found which I believe are irrelevant. Feeling discouraged after thinking I had found finally found a fix, I decided to play a bit of a game thats easier to run with the performance issues. Out of curiosity, I opened task manager and the first thing I see is Malwarebyte warning me about my game being a trojan. I do a bit of research on the matter and most search results foolishly chalk it up to being a false-positive. I looked at the summary of the programs findings and was given an IP which I will not put here since it directly leads to a MWB warning saying the link/IP is a trojan. I then used a geographical IP location finder and it told me that the location is in Georgia, Kvemo Kartli. There is no way this is a false-positive since the company who made the game is located in Canada, Vancouver. I also never joined a multiplayer server and only stayed on the main menu screen so there is no way that a P2P false-positive could have happened. This leads me to believe that there is an infected file on my computer which acts as a proxy between my PC and a website. It camouflages itself under whatever video game I'm playing to act as if the cause of the high CPU usage was the game. What Malwarebytes picked up on is the command which tells the file or site to pause the mining when I open TM.

Here are all the required scans

1. The scan is unable to spot the virus but shows up in detection history. This happens everytime I open taskmanager while a game is running.  Here is the file summary clearly showing that the virus is concealing itself as my game, the IP address geographical location and the browser page warning.

2. AdwCleaner detects nothing.

Please note that this is all speculation on my part. I have next to no knowledge in this type of stuff and I may be wrong. What do you think? Thank you.

1.png

2.png

3.png

4.png

5.png

MWBscan.txt RPT detection trojan.txt Addition.txt

Link to post
Share on other sites

Hello.  :welcome:

My name is Maurice. I will be helping and guiding you, going forward on this case.
Let me know what first name you prefer to go by.   

Please follow my directions as we go along.  Please do not do any changes on your own without first checking with me. 
Please only just attach   all report files, etc  that I ask for as we go along.  I

I need the full set of reports from the tool below.  Then wait for my further guidance.  We will be doing other scans for malware & adware.

I would appreciate  getting  additional / fuller  important details from this machine in order to help you forward.
 NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

Do have patience while the report tool runs.  It may take several minutes.  Just let it run & take its time.  You may want to close your other open windows so that there is a clear field of view.
Download Malwarebytes Support Tool
    
    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.80.848.exe  to run the report

Once it starts, you will see a first screen with 2 buttons.  Click the one on the left marked "I don't have an open support ticket".

        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next
Now click the left-hand side pane "I do not have an open support ticket"

    You will be presented with a page stating, "Get Started!"
    Do NOT use the button “Start repair” !   But look instead at the far-left options list in black.

    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer.  Please do have patience.  It takes several minutes to gather.
   
    Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK.  Then Exit the tool.

    Please attach the ZIP file in your next reply.

Please know I help here as a volunteer.  and that I am not on 24 x 7.
Help on this forum is one to one. 

Sincerely,

Maurice

Link to post
Share on other sites

Hello.   Th

Please read all of these lines first so that it is all clear to you about our plan. I need a one time run of MBAR like listed here, please.

Please download Malwarebytes Anti-Rootkit (MBAR) from this link here

and save it to your desktop.

Double-click on the MBAR file and allow it to run.

•Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.

•mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.

•After reading the Introduction, click 'Next' if you agree.

•On the Update Database screen, click on the 'Update' button.

•Once you see 'Success: Database was successfully updated' click on 'Next', then click the Scan button.

With some infections, you may see two messages boxes:

1.'Could not load protection driver'. Click 'OK'.
2.'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

•If malware is found, press the Cleanup button when the scan completes. .

Please attach the log it produces, you'll find the log in that mbar folder as MBAR-log-<date and time>***.txt . Please attach that to your next reply.
  
 

ank you for the report-tool-zip file,   

Link to post
Share on other sites

Thanks for the MBAR scan.  The 2 registry keys are specific to BAT or COM files.  They should have been dealt with after one Windows Restart.

Let me suggest that you run one new special scan.

I would suggest a free scan with the ESET Online Scanner
Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.

When presented with the initial ESET options, click on "Computer Scan".
Next, when prompted by Windows, allow it to start by clicking Yes
When prompted for scan type, Click on Full scan

Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.
Have patience.  The entire process may take an hour or more. There is an initial update download.

There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.
When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
Click The blue “Save scan log” to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at bottom).
Press Continue when all done.  You should click to off the offer for “periodic scanning”.

Link to post
Share on other sites

Bravo.  The scan result is excellent.  no viruses / no malware.

The Microsoft Safety Scanner  is a free Microsoft stand-alone virus scanner that  can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the tool are at this link at Microsoft

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Please select "FULL" scan

Let me know the result of this.

The log is named MSERT.log 

the log will be at  C:\Windows\debug\msert.log

Please attach that log with your reply.

 

Link to post
Share on other sites

Looks like I had something preventing windows defender from working properly. I've been suspecting this since when I would turn off malwarebytes, a notification would appear warning me that both my anti-virus and windows defender were deactivated. But when I would go to the windows defender page, it would say that it was indeed running. I've also ran this scan before and nothing was detected. This is spooky haha. Here is the log.

msert.log

Link to post
Share on other sites

That MSERT run did not find any malware.  It only detected a minor situation:  that Windows Defender was not set as a antispyware.  It now is.

Bottom line, no malware found.

Next,   a    TrendMicro HouseCall scan

https://www.trendmicro.com/en_us/forHome/products/housecall.html

First, Download & Save to your Downloads folder the appropriate HouseCallLauncher

 

Once the download is complete, go to where the Housecalllauncher is saved & double-click it to start it.

The program will check with TrendMicro & do a update run.

 

Next it will show the Disclosure window.

Click Next to proceed.

 

The end user license agreement is presented.   Click the Accept radio button & click Next to proceed.

 

IF you wish a Full scan or a Custom scan, first click on the Settings

then you can select which drives you want to include in the scan.

The default is a Quick scan.

Click Scan now when ready.

 

The scan progress will then be displayed.   Monitor the progress or just leave it alone until it finishes this phase.

 

When the scan phase has completed, if any items are tagged, you will see a list, showing  the file & its location, the classification of the threat, the type, risk, and Action option.

If you see an item that you know is safe, you can click the Action  , and select Ignore.

When all done & ready, click the Fix now button.

Link to post
Share on other sites

Ah my bad for jumping the gun. The scan shows 0 threats found but unfortunately there doesnt appear to be a log file. I know this is a different matter but their network program says that my network may be compromised. Not too sure what to make of it.

housecall.png

network.png

Link to post
Share on other sites

The key & important thing is that the TrendMicro Housecall scan found no virus, no malware.

As to any "network" issue, did you jump into the Housecall for Home networks scan ?   If so, all I can suggest is that you check the resources at that TrendMicro site.

As far as your local computer, you should be following basic security good practices.  Such as,

keeping Windows fully up to date with security updates,

keeping all your applications current with security patches,

having the Premium Malwarebytes for Windows,

See more security tips   Tips to help protect from infection - Windows Malware Removal Help & Support - Malwarebytes Forums

Link to post
Share on other sites
  • 2 weeks later...

Hello.

To remove the FRST  tool & its work files, do this.  Go to your Downloads folder.  Do a RIGHT-click on FRSTENGLISH.exe & select RENAME & then change it to UNINSTALL.exe .
Then run that ( double click on it)  to begin the cleanup process.

 

Delete mbst-grab-results.zip   on the Desktop

Delete mb-support-1.80.848.exe

Delete msert.exe

Delete the MBAR,exe

 

Any other download file I had you download, you may delete.

I wish you all the best.  Stay safe.

Sincerely,

Maurice

Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.