website blocked due to Trojan pool.minexmr.com cmd.exe

  • Root Admin

Hello @Kotare

Let me have you do the following, please.

Create an Autoruns Log:

  • Please download Sysinternals Autoruns from here.
  • Save Autoruns.exe to your desktop and double-click it to run it.
  • Once it starts, please press the Esc key on your keyboard.
  • Now that scanning is stopped, click on the Options button at the top of the program and select Verify Code Signatures and Check VirusTotal.com and Submit Unknown Images.
  • Once that's done, press the F5 key on your keyboard. This will start the scan again; this time let it finish.
  • When it's finished, please click on the File button at the top of the program, select Save, save the Autoruns.arn file to your desktop, and close Autoruns.
  • Right-click on the Autoruns.arn file on your desktop, hover your mouse over Send To, and select Compressed (zipped) Folder.
  • Attach the Autoruns.zip folder you just created to your next reply.

Please open an elevated admin command prompt and run the following. Then post back the C:\RecentPrograms.txt file.

reg export "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings" C:\RecentPrograms.txt

Please open an elevated admin command prompt and run the following. Notepad should open with a list of all scheduled tasks. Please save that file and attach it as well.

SCHTASKS /Query /fo table /v > 0 && notepad 0 | ECHO >NUL  & DEL 0

As you can see here in the FRST logs, Windows Defender is finding and attempting to remove this CoinMinerLoader (Yes, it's an older detection but probably related to current blocks)

Date: 2021-03-17 20:24:16.258
Description:
Windows Defender has detected malware or other potentially unwanted software.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:MSIL/CoinMinerLoader.A&threatid=2147777383&enterprise=1
Name: Trojan:MSIL/CoinMinerLoader.A
Severity: Severe
Category: Trojan
Path: file:_C:\Users\srv.neuromancer\AppData\Local\Microsoft\Windows\INetCache\IE\win_s[1].zip
Detection Origin: Local machine
Detection Type: FastPath
Detection Source: Real-Time Protection
Process Name: C:\Windows\System32\certutil.exe
Signature Version: AV: 1.333.559.0, AS: 1.333.559.0, NIS: 119.0.0.0
Engine Version: AM: 1.1.17900.7, NIS: 2.1.14600.4

 

I would recommend that you clear your Internet Explorer cache, but since this is a server and you may be running applications that use the cache, you'll need to ensure that clearing it will not inadvertently produce unexpected results for those applications.

How can I clear the Internet Explorer cache with GPO?
https://social.technet.microsoft.com/Forums/windowsserver/en-US/5dd8f085-85c9-4484-a3f0-594180d24d43/how-can-i-clear-the-internet-explorer-cache-with-gpo-?forum=winserverDS

Internet Explorer versions and their cache location
https://social.technet.microsoft.com/Forums/en-US/878e79ff-6c50-42aa-b273-c08008dac4cc/internet-explorer-versions-and-their-cache-location?forum=winserver8gen

Clear Internet Explorer Cache using Rundll32 Command-Line
https://www.winhelponline.com/blog/clear-ie-cache-command-line-rundll32/

Internet Explorer cache location
https://stackoverflow.com/questions/854412/internet-explorer-cache-location/854425

 

Thank you

Edited by AdvancedSetup: updated information
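As an added example (not part of the original thread or the poster's own tooling), here is a small Python script that turns the RecentPrograms.txt export requested above into a list of executables with their last-execution times: each value under a BAM UserSettings SID subkey stores the program path as the value name and a 24-byte record whose first 8 bytes are a FILETIME. The .reg text embedded below is constructed for the demo; the SID, paths and timestamps in it are made up.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=hex:([0-9a-fA-F,]+)$')

def filetime_to_datetime(ft: int) -> datetime:
    """A FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_bam_export(text: str):
    """Return (sid, path, last_run) tuples, newest first, from a .reg export of bam\\State\\UserSettings."""
    entries, sid, buf = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):              # reg export wraps long hex values with a trailing backslash
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        if line.startswith("["):             # per-user subkey: the SID is the last path component
            m = re.search(r"\\UserSettings\\(S-1-[\d-]+)\]$", line)
            sid = m.group(1) if m else None
            continue
        m = VALUE_RE.match(line)
        if not m or sid is None:
            continue
        name = m.group(1).replace("\\\\", "\\")   # .reg files double every backslash in value names
        data = bytes.fromhex(m.group(2).replace(",", ""))
        if not name.startswith("\\Device\\") or len(data) < 8:
            continue                         # Version / SequenceNumber values are not program records
        (ft,) = struct.unpack("<Q", data[:8])    # first 8 bytes of a BAM record: last-execution FILETIME
        entries.append((sid, name, filetime_to_datetime(ft)))
    return sorted(entries, key=lambda e: e[2], reverse=True)

# Constructed sample export for offline testing; the SID, paths and times are made up.
def _bam_hex(dt: datetime) -> str:
    ft = (dt - EPOCH_1601) // timedelta(microseconds=1) * 10
    raw = ",".join(f"{b:02x}" for b in struct.pack("<Q", ft) + b"\x00" * 16)
    return raw[:24] + "\\\n  " + raw[24:]    # wrap across two lines the way reg export does
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    f"[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\{SAMPLE_SID}]",
    '"Version"=dword:00000001',
    '"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\certutil.exe"=hex:'
    + _bam_hex(datetime(2021, 3, 17, 20, 23, 55, tzinfo=timezone.utc)),
    '"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\cmd.exe"=hex:'
    + _bam_hex(datetime(2021, 3, 17, 20, 24, 16, tzinfo=timezone.utc)),
])
```

On a real export, reg export writes UTF-16 text, so read it with `open(path, encoding="utf-16").read()` before passing it to parse_bam_export; the newest-first ordering makes it easy to line up executions of cmd.exe or certutil.exe against Defender detection timestamps like the one quoted above.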

  • Root Admin

If you look here, you can see that there are 3 scheduled tasks set that do not look valid. Please manually verify these tasks and the files they call. Make sure all files, if found, are legitimate, then remove the tasks and, if needed, recreate them new.

Verify that you can open and run Windows Defender on the system.

Please download and run the following from Microsoft.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links and how to run the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Please let me know the results of this scan.

The log is named MSERT.log.

The log will be at %SYSTEMROOT%\debug\msert.log, which in most cases is

C:\Windows\debug\msert.log

Please attach that log with your next reply.

  • Root Admin

Hello @Kotare

Please do the following.

  • Open Malwarebytes and click the cross-hair just above the word Scanner
  • Then near the bottom click the Advanced scanners link
  • Then under Custom Scan click on the Configure Scan button
  • Enable scan for rootkits
  • Place a checkmark on your C: volume hard drive and click the Scan button

This scan will take a long while to run, but once it has completed please go to Reports and export the log to text or clipboard and post back the results.

Visually:

Please open Malwarebytes and click on the cross-hair just above the word Scanner.

Then click Advanced scanners.

Then click the Configure Scan button.

Enable all checked items as shown, select your C: drive, and click the Scan button.

Allow Malwarebytes to remove anything it finds and post back the log once completed.

Thanks

  • Root Admin

Okay, thanks. Please run the following again.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links and how to run the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Please let me know the results of this scan.

The log is named MSERT.log.

The log will be at %SYSTEMROOT%\debug\msert.log, which in most cases is

C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

Then get me new FRST logs.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

  • Root Admin

Clear your browser cache. Try not to open or use a browser on the Server unless you really need to.

Have you added Content blockers to your browsers?

I'd love to blow out your temporary file locations, but that would cause issues for SQL or other apps in some cases. Again, make sure you go through your temp files and remove those that are not part of SQL or other server applications or processes.

Look on the following page for ideas to help prevent ingress of unwanted objects.

Please go ahead and run the following scanner as a secondary scan to make sure that what Microsoft found was fully removed and is not found by them either.

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe".
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file and double-click it to get it started.
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes.
  • When prompted for scan type, click on Full scan.
  • Look at and tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
  • Have patience. The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
  • Click the blue “Save scan log” to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files” (in blue, at the bottom).
  • Press Continue when all done. You should click to turn off the offer for “periodic scanning”.

 

Note: If you do need to do a File Restore from ESET, please follow the directions below.

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner