My computer is being used for Crypto Mining (CryptoJacking)

[ItsEatHam]

Hello,

Recently I've been receiving Messages from MalwareBytes, like these: https://gyazo.com/505eaa5ef4ca890a42dff1fdc7559276,
I researched into the website "pool-aus.supportxmr.com" and I'm pretty sure its some type of Crypto Currency related website. (I'm not very good with crypto-currency)
 

A few minutes after my PC Starts up, TaskManager, Reg-Edit, Process Hacker & My Browsers(Chrome & Opera GX) Disable!

TaskManager returns this: Title: "C:\WINDOWS\system32\taskmgr.exe" Description: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item"

Reg-Edit returns this: Title: "C:\WINDOWS\system32\regedit.exe" Description: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item"

Process Hacker just wont launch (Nothing Happens, no errors etc)

Whenever I search anything on my browsers, they return untitled

So I realised that the file in "C:\Windows\notepad.exe" is not the legitimate notepad, the real one is located in "C:\Windows\SysWOW64\notepad.exe", so I removed the "fake" notepad.
Everything worked fine, taskmanager & all that worked perfectly, and my pc felt a lot faster.

Until the next day, I am using my pc like normal until my browser crashes again, and starts showing untitled, so I try to open taskmanager to see if I have this malware AGAIN, and I cannot open task manager again, and all those other programs which I mentioned before.

And MalwareBytes Sends me a similar message to the one mentioned earlier, now saying that there is an outbound connection to the SAME Crypto Currency website as before, from this file:
"C:\Windows\explorer.exe", and my pc feels a lot slower again.

So no doubt I have the same malware again,
I'm unsure of what to do, can anyone help?

[nasdaq]

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system.
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please Attach it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file:
In the Reply section in the bottom of the topic Select Click the Choose a File.
Navigate to the location of the File.
Click the file. It will appear in section.
Click the Saving button.

Please attach the logs for my review.

Wait for further instructions

p.s.
This program is updated often.
If it's identified as suspicious by your Anti-Virus program trust it if Downloaded from the link I provided.
OR, you should restore the program from the Quarantine folder.
====

[ItsEatHam]

2 hours ago, nasdaq said:

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system.
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please Attach it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file:
In the Reply section in the bottom of the topic Select Click the Choose a File.
Navigate to the location of the File.
Click the file. It will appear in section.
Click the Saving button.

Please attach the logs for my review.

Wait for further instructions

p.s.
This program is updated often.
If it's identified as suspicious by your Anti-Virus program trust it if Downloaded from the link I provided.
OR, you should restore the program from the Quarantine folder.
====

Hello there,
I'm currently having an issue with my computer booting up, so I'm unable to access my Desktop or anything like that.

I've made a thread about this: 

 

[nasdaq]

Hi,

 

Try the recommendations on this page.

https://www.dell.com/support/kbdoc/en-ca/000113309/how-to-access-the-windows-recovery-environment-in-windows-10

I hope you can create a  USB recovery media in this Environment.

If not you will need to contact Dell to get an installation CD or FLASH drive from them.

Dell Support link.
https://www.dell.com/support/home/

p.s.
If you can get to the Recovery Environment but unable to do what is suggested please let me know what option(s) you have that you can use.

 

[ItsEatHam]

5 hours ago, nasdaq said:

Hi,

 

Try the recommendations on this page.

https://www.dell.com/support/kbdoc/en-ca/000113309/how-to-access-the-windows-recovery-environment-in-windows-10

I hope you can create a  USB recovery media in this Environment.

If not you will need to contact Dell to get an installation CD or FLASH drive from them.

Dell Support link.
https://www.dell.com/support/home/

p.s.
If you can get to the Recovery Environment but unable to do what is suggested please let me know what option(s) you have that you can use.

 

Alright I've made a Recovery Drive!

I booted up with it, as shown in the link your provided, And I'm successfully in the recovery environment.

What should I do now? 

[ItsEatHam]

1 hour ago, ItsEatHam said:

Alright I've made a Recovery Drive!

I booted up with it, as shown in the link your provided, And I'm successfully in the recovery environment.

What should I do now? 

okay, I tried startup repair, that didn't work

So I'm going to system restore to a time before i rebooted with AdwCleaner

[nasdaq]

Hi.

Good call.

If successful please do  no used AdwCleaner until I have had a chance to view the logs from this scan.

 

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system.
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please Attach it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file:
In the Reply section in the bottom of the topic Select Click the Choose a File.
Navigate to the location of the File.
Click the file. It will appear in section.
Click the Saving button.

Please attach the logs for my review.

Let me know what problems persists.

Wait for further instructions

p.s.
This program is updated often.
If it's identified as suspicious by your Anti-Virus program trust it if Downloaded from the link I provided.
OR, you should restore the program from the Quarantine folder.
====
 

 

[ItsEatHam]

1 hour ago, nasdaq said:

Hi.

Good call.

If successful please do  no used AdwCleaner until I have had a chance to view the logs from this scan.

 

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system.
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please Attach it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file:
In the Reply section in the bottom of the topic Select Click the Choose a File.
Navigate to the location of the File.
Click the file. It will appear in section.
Click the Saving button.

Please attach the logs for my review.

Let me know what problems persists.

Wait for further instructions

p.s.
This program is updated often.
If it's identified as suspicious by your Anti-Virus program trust it if Downloaded from the link I provided.
OR, you should restore the program from the Quarantine folder.
====
 

 

Great another problem

I've tried System Restoring to the both of the Restore Points that I have, and both of them return this (Attached Image Below).

[nasdaq]

While in Recovery mode what are the other options you can use?

[ItsEatHam]

13 hours ago, nasdaq said:

While in Recovery mode what are the other options you can use?

I can use Command Prompt, I can factory image restore (which I just found out doesn't work, it cant find a factory image to restore to), I can startup repair (doesn't work), I can uninstall updates, and I can restore windows to a specific image file.

[ItsEatHam]

Sorry forgot to mention also i can system restore (which we found out earlier also doesnt work)

[ItsEatHam]

14 hours ago, nasdaq said:

While in Recovery mode what are the other options you can use?

okay, into further investigation, I turned on bootlogging (from startupsettings), 
and I can access the log file (nbtlog) from cmd, in the recovery environment.

And its saying BOOTLOG_NOT_LOADED with a lot of VPN adapters, BUT I found a driver which isn't loading:

\SystemRoot\System32\Drivers\dxgkrnl.sys

And there are many other drivers, which aren't windows ones (made from other programs / apps).

I'm unsure if dxgkrnl.sys is a driver that is causing the problem, of me not being able to boot up,
Just thought I'd let you know though.

[nasdaq]

Hi,

I'm checking with the Experts.

Will get back to your as soon as I have an answer.

[ItsEatHam]

19 minutes ago, nasdaq said:

Hi,

I'm checking with the Experts.

Will get back to your as soon as I have an answer.

Alright, Thanks! 

[nasdaq]

Hi

You tried a System Restore and it failed

I've tried System Restoring to the both of the Restore Points that I have, and both of them return this (Attached Image Below).

 

Do you remember how you tried to restore the system to a prior date?

====

Now start the Computer in the Recovery Environment.

At the Prompt type:

C:

At the prompt
COPY & Paste into the Command-window ( or type verbatim each command line)  & after each, press Enter key on keyboard.

bcdedit /set {bootmgr} displaybootmenu yes

and

wmic recoveros set AutoReboot = False

===

Then if connected Remove the USB-flash-thumb drive  before the Power Off >  Power ON.

Close the Window.
Restart the computer and you should see this image.

Press F8
Then you should be able to boot to Safe mode with NetWorking.

IF not, repeat the Power Off  > ON  > F8 press   and pick Command Promptly.

If successful do not power off the computer.

Let me know if successful.
Will take it from there.

[ItsEatHam]

 

20 minutes ago, nasdaq said:

Hi

You tried a System Restore and it failed

 

 

 

Do you remember how you tried to restore the system to a prior date?

====

Now start the Computer in the Recovery Environment.

At the Prompt type:

C:

At the prompt
COPY & Paste into the Command-window ( or type verbatim each command line)  & after each, press Enter key on keyboard.

bcdedit /set {bootmgr} displaybootmenu yes

and

wmic recoveros set AutoReboot = False

===

Then if connected Remove the USB-flash-thumb drive  before the Power Off >  Power ON.

Close the Window.
Restart the computer and you should see this image.
 

Press F8
Then you should be able to boot to Safe mode with NetWorking.

IF not, repeat the Power Off  > ON  > F8 press   and pick Command Promptly.

If successful do not power off the computer.

Let me know if successful.
Will take it from there.

Hey, I've followed all your steps,
Upon bootup the menu(windows boot manager) shows up then disappears very quickly, too quick that I cannot press F8 in time.

It then loads up like usual, then shuts down then loads up again, and brings me back to this: (image uploaded below)

[Maurice Naggar]

{ Kindly forgive the momentary intrusion].

The Windows Boot Manager screen will stay for several seconds  ( until and unless some keyboard key is depressed or perhaps, the Enter-key was in the input buffer.)

My first tip is to keep a finger ready by the F8-Function key on the keyboard  & be on the lookout for the screen.

As soon as you see the screen, you want to tap the F8-Function key.

and before all that, you want to use the POWER-OFF on your computer hardware and turn power OFF.  If this is a laptop, be sure it is powered with a electrical cord to wall-power.  Any connected printers or copiers or such, you want to have disconnected.

You power Off first.  Wait for like 30-40 seconds.  Then power ON & be ready.

By the way after F8 key is pressed, you will see a mini-screen like this

 

To make a selection off that, only use the top-most NUMBER  row  at the top of the Keyboard.  Pick by number.

[ Excuse the intrusion.  I will leave you in Nasdaq's very capable care.]

Edited December 22, 2020 by Maurice Naggar

[ItsEatHam]

38 minutes ago, Maurice Naggar said:

{ Kindly forgive the momentary intrusion].

The Windows Boot Manager screen will stay for several seconds  ( until and unless some keyboard key is depressed or perhaps, the Enter-key was in the input buffer.)

My first tip is to keep a finger ready by the F8-Function key on the keyboard  & be on the lookout for the screen.

As soon as you see the screen, you want to tap the F8-Function key.

and before all that, you want to use the POWER-OFF on your computer hardware and turn power OFF.  If this is a laptop, be sure it is powered with a electrical cord to wall-power.  Any connected printers or copiers or such, you want to have disconnected.

You power Off first.  Wait for like 30-40 seconds.  Then power ON & be ready.

By the way after F8 key is pressed, you will see a mini-screen like this

 

To make a selection off that, only use the top-most NUMBER  row  at the top of the Keyboard.  Pick by number.

[ Excuse the intrusion.  I will leave you in Nasdaq's very capable care.]

Okay, it took me a good 5 minutes to get the right timing, but I eventually got it.

When the startup settings menu appeared, I pressed 5, then it startups again but it returns back to thd same screen as earlier: (attached below)
 

[nasdaq]

Hi,

 

You are in good hands with Maurice.

I will be watching this topic and hope to learn.

 

Thanks.

 

[ItsEatHam]

1 hour ago, nasdaq said:

Hi,

 

You are in good hands with Maurice.

I will be watching this topic and hope to learn.

 

Thanks.

 

Okay, Thanks for the help so far

[Maurice Naggar]

Hello.

On the presumption that this Windows  system has a valid Restore Point, suggest what follows.

The goal is to initiate the Windows System Restore to do a Restore to a prior SR point.

To get that kicked off from a Command Prompt.

Press F8 -function key to select a Startup Setting choice

Press the number 6  to Enable Safe mode with Command prompt

This should load a Command-prompt session/window.

then

COPY and Paste   onto the Command-prompt   ( though in your situation you will be typing this.  Be sure you do not mis-type.  Look real close.  Double check.

%systemroot%\system32\rstrui.exe 

tap Enter to start Windows System Restore module.   

Take a look and see how many System Restore points there are.  Maybe jot those down on paper for your benefit.  Pick one that you believe is a good one from before when the recent hiccup started.

Then make selection / choice of Restore point.

Once started have lots & lost of patience.  The attempt to do a system restore will take time.  Once it starts, leave it be.

Take your time.  Go careful.  Have patience.

[ItsEatHam]

7 minutes ago, Maurice Naggar said:

Hello.

On the presumption that this Windows  system has a valid Restore Point, suggest what follows.

The goal is to initiate the Windows System Restore to do a Restore to a prior SR point.

To get that kicked off from a Command Prompt.

Press F8 -function key to select a Startup Setting choice

Press the number 6  to Enable Safe mode with Command prompt

This should load a Command-prompt session/window.

then

COPY and Paste   onto the Command-prompt   ( though in your situation you will be typing this.  Be sure you do not mis-type.  Look real close.  Double check.

%systemroot%\system32\rstrui.exe 

tap Enter to start Windows System Restore module.   

Take a look and see how many System Restore points there are.  Maybe jot those down on paper for your benefit.  Pick one that you believe is a good one from before when the recent hiccup started.

Then make selection / choice of Restore point.

Once started have lots & lost of patience.  The attempt to do a system restore will take time.  Once it starts, leave it be.

Take your time.  Go careful.  Have patience.

Hey Maurice
I'm having troubles booting into safe mode with command prompt(brings me back to the "your pc couldn't start properly" screen),
Could I use the recovery environment's Command Prompt Instead?

 

[Maurice Naggar]

Yes you can.

[ItsEatHam]

5 minutes ago, Maurice Naggar said:

Yes you can.

Maurice,
When I type in the command, it returns an error:
"To use System Restore, you must specify which Windows installation to restore.

Restart this computer, select an operating system, and then select System Restore."

[ItsEatHam]

10 minutes ago, ItsEatHam said:

Maurice,
When I type in the command, it returns an error:
"To use System Restore, you must specify which Windows installation to restore.

Restart this computer, select an operating system, and then select System Restore."

I'm able to access the system restore menu if I just type "rstrui.exe" into command prompt,
But only two restore points show up, and both of them don't work.