Malware/crypto miner on second-hand machine? Malwarebytes modified


Hi there - I've been running a second-hand machine for a few months and continually hear a "ca-ching"/cash register sound effect that occurs periodically.

I suspect this is some form of a cryptocurrency miner running as a background process, maybe even in my Nvidia GPU - again, the machine is used.

In addition, I think this malware is changing or disabling my Malwarebytes installation, which fails due to a corrupted DLL file sometime after downloading and running successfully, usually after a couple of days.

I no longer trust results from MB and it looks like it scans incompletely due to some modification.

I re-downloaded and ran MB, ADW (which had an interrupted automatic restart after executing), and Farbar and have attached logs.

I suspect my Windows 10 copy that came with the machine is a pirated version that may have some form of backdoor or root-kit, so I'm posting more for visibility of this issue rather than a fix, but wanted to see if there's anything I can do before re-formatting my drives.

FRST.txt Addition.txt mb_scan_3_2_21.txt adw_scan_3_2_21.txt

  • Root Admin

Hello @je_9944

Why is this running as a startup item?

HKU\S-1-5-21-3963545731-3011886360-1453227493-1001\...\Run: [BakkesMod] => "C:\Users\jorda\AppData\Local\Temp\Rar$EXa15788.45575\BakkesMod.exe" <==== ATTENTION


Maybe a good idea to clean up all your temporary file locations.

You also have some old Java. It looks like you probably code in Java but old versions greatly increase the chances of getting infected. You should consider uninstalling older versions if you no longer need them.

Running Torrent software also increases your risk of infection.

It looks like you possibly used some software before that added these entries?

AppInit_DLLs: prio.dll => No File
AppInit_DLLs-x32: prio32.dll => No File

File Name:          prio32.dll
Software Developer: O&K Software
File Type:
File Location:      C:\Program Files\Prio
Software:           Prio


No service should run out of a Temp folder.


S3 cpuz149; \??\C:\WINDOWS\temp\cpuz149\cpuz149_x64.sys [X]

What about these? Are these on the system?


S3 cUyyiYio; \??\C:\Windows\cUyyiYio [X]
S3 IorCdIdR; \??\C:\Windows\IorCdIdR [X]
S3 MontuHisx; \??\C:\SJ9WAe3yX8Kc91ic.sys [X]
S3 NdYBoyvi; \??\C:\Windows\NdYBoyvi [X]


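The reply above applies three checks by hand to the FRST log: a startup or service binary living in a Temp folder, a registry entry whose file no longer exists ("No File" / "[X]"), and a driver dropped under an odd name in the drive root or in C:\Windows with no extension. The script below is an added example (not part of this thread, and not FRST's own tooling) that applies the same checks to FRST-style lines. The sample input is constructed from the entries quoted above plus two benign entries (SecurityHealth, Spooler) so the heuristics have something to leave alone; the regexes and the reason strings are assumptions for illustration and will not cover every FRST line format, so they support a log review rather than replace it.

```python
"""Triage FRST-style log lines for the signs called out in the thread above.

Added example; the regexes, reason wording and sample lines are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the flagged entries quoted in the post, plus two
# benign entries so that the checks can be seen leaving normal lines alone.
SAMPLE_FRST_LINES = [
    r'HKU\S-1-5-21-3963545731-3011886360-1453227493-1001\...\Run: [BakkesMod] => "C:\Users\jorda\AppData\Local\Temp\Rar$EXa15788.45575\BakkesMod.exe" <==== ATTENTION',
    r'HKLM\...\Run: [SecurityHealth] => C:\Windows\system32\SecurityHealthSystray.exe [1234 2020-01-01]',
    r'AppInit_DLLs: prio.dll => No File',
    r'AppInit_DLLs-x32: prio32.dll => No File',
    r'S3 cpuz149; \??\C:\WINDOWS\temp\cpuz149\cpuz149_x64.sys [X]',
    r'S3 cUyyiYio; \??\C:\Windows\cUyyiYio [X]',
    r'S3 MontuHisx; \??\C:\SJ9WAe3yX8Kc91ic.sys [X]',
    r'R2 Spooler; C:\Windows\System32\spoolsv.exe [1234 2020-01-01] (Microsoft Windows -> Microsoft Corporation)',
]

# Run / RunOnce value:   HK..\...\Run: [Name] => "C:\path\file.exe" [size date] | <==== ATTENTION
RUN_RE = re.compile(r'^HK\w+\\.*\\Run(?:Once)?: \[(?P<name>[^\]]+)\] => "?(?P<path>[A-Za-z]:\\[^"\[<]*?)"?\s*(?:\[|<|$)')
# AppInit_DLLs entry:    AppInit_DLLs[-x32]: name.dll => No File | C:\path\name.dll ...
APPINIT_RE = re.compile(r'^AppInit_DLLs(?:-x32)?: (?P<name>\S+) => (?P<rest>.*)$')
# Service/driver line:   S3 name; \??\C:\path\file.sys [X] | [size date] (Signer)
SVC_RE = re.compile(r'^(?P<state>[SR]\d) (?P<name>[^;]+); (?:\\\?\?\\)?(?P<path>[A-Za-z]:\\.*?)\s*(?P<rest>\[.*)?$')


@dataclass
class Finding:
    kind: str            # "run", "appinit" or "service"
    name: str            # value name, DLL name or service name
    path: str            # path as recorded in the log (DLL name for AppInit entries)
    reasons: List[str]   # why the line was flagged


def path_reasons(path: str) -> List[str]:
    """Location-based checks: Temp folder, drive root, image with no extension."""
    parts = [p for p in path.split("\\") if p]
    lowered = [p.lower() for p in parts]
    reasons = []
    if "temp" in lowered or "tmp" in lowered:
        reasons.append("lives in a Temp directory; nothing persistent should start from there")
    if len(parts) == 2 and lowered[0].endswith(":"):
        reasons.append("file dropped directly in the drive root")
    if "." not in parts[-1]:
        reasons.append("image has no file extension")
    return reasons


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious line, or None for lines that pass."""
    m = RUN_RE.match(line)
    if m:
        reasons = path_reasons(m["path"])
        return Finding("run", m["name"], m["path"], reasons) if reasons else None

    m = APPINIT_RE.match(line)
    if m:
        # Any AppInit_DLLs entry is worth a look: when the mechanism is enabled the
        # DLL is loaded into every process that loads user32.dll.
        reasons = ["AppInit_DLLs entry: loaded into every user32.dll process when enabled"]
        if "No File" in m["rest"]:
            reasons.append("entry points to a DLL that no longer exists (No File)")
        return Finding("appinit", m["name"], m["name"], reasons)

    m = SVC_RE.match(line)
    if m:
        reasons = path_reasons(m["path"])
        if "[X]" in (m["rest"] or ""):
            reasons.append("service binary is missing ([X]): orphaned registration")
        return Finding("service", m["name"], m["path"], reasons) if reasons else None

    return None


def triage(lines) -> List[Finding]:
    """Run triage_line over every line, keeping order and dropping clean lines."""
    return [f for f in (triage_line(ln.strip()) for ln in lines) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_FRST_LINES):
        print(f"[{f.kind}] {f.name}: {f.path}")
        for r in f.reasons:
            print("   -", r)
```

Run it against a saved FRST.txt by replacing SAMPLE_FRST_LINES with the file's lines; the output is a shortlist to confirm on the machine (is the file present, what signs it, what created the service), not a verdict.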

  • 1 month later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks
