Riskware.BitcoinMiner is coming back over and over.


Solved by Maurice Naggar.


Hello

My name is Maurice.  I will guide you.  Let me know what nickname you prefer to go by.

As we go along, just attach reports  ( just like you did above).   I would like to see full details from Malwarebytes for Windows.

Please download MBST Support tool.

https://downloads.malwarebytes.com/file/mbst

Go to the Downloads folder. With your mouse pointer, do a Right-click on the mb-support.1.8.4.xxx.exe file & choose "Run as Administrator"  & reply Yes & allow it to proceed.

Once you start it click Advanced > Gather Logs

 

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

Cheers.


Thank you.  There seems to be one questionable file under your user-sub-folder ( seemingly for Discord) that is the one being flagged by Malwarebytes for Windows on a real-time protection "flag event".  We can get that deleted.  I will guide you.

First, some starter steps, to get us started.   Please do all of these, as much as possible.

[   1   ]

Please  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

[    2   ]

This PC also has McAfee LiveSafe as well as having the trial Malwarebytes.   Make one adjustment on Malwarebytes.  This will not affect its protections while in trial, nor later.

Start Malwarebytes. Click Settings ( gear ) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.

 

Click the Security Tab. Scroll down to 

"Windows Security Center"

 

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".

 

{ We want that to be set as Off   .... be sure that line's  radio-button selection is all the way to the Left.  thanks. }

This will not affect any real-time protection of the Malwarebytes Premium    😃.

Close Malwarebytes.

[   3    ]

Small housekeeping.   Empty Windows Recycle Bin.   See guide at this MS link  https://support.microsoft.com/en-us/windows/empty-the-recycle-bin-in-windows-10-d4c8f8ef-a12e-8250-b0cf-2311960a31f9

Earlier, Malwarebytes had one issue with 1 file there.

[ 4   ]

Get ready to manually delete 1 questionable file.   You can do this.

On the Windows taskbar ,  on the Windows search box,  type in

cmd.exe

and then look at the entire list of choices, and click on Run as Administrator.  

Once the Command prompt window is up,   copy > paste the line in the codebox below into the command-window

It is best to  use COPY & Paste for the following.  All of each line as-is

del /s /q C:\Users\kadew\AppData\Local\Discord\app-1.0.9002\ErrorReport.exe

tap Enter to have it proceed.   Watch to see that it does succeed.   Meaning, I want to know detail in case there is some "error" or exception notice.

.

[   5   ]

This too is do-able.  Use Windows Explorer  and navigate the C drive  from the LEFT-side left-hand navigation Tree.

Expand the C drive.

We want to get to this sub-folder    C:\Users\kadew\AppData\Local

now RIGHT-click with your mouse pointer  and select "Scan with Malwarebytes".

Have this special scan proceed.  Hopefully it will catch any other leftover malware or PUP.

 


I want to convey that display screen grabs from Malwarebytes like in the next-to-last preceding post of yours do not show real complete full details.

If it was from a block event, I need the actual log out of history.

If it is a scan result, I need the actual Scan report out of history.   That is to say, there are 2 types of reports.   One is from a Scan.  The other type is a DETECTION or REAL Time Protection event.

The 2 types are described here https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows

and note, we always want the Advanced report.    Please keep that in mind.

.

I was hoping you could do that context-menu scan off of C:\Users   like I tried to request in the post above.

Use Windows Explorer  and navigate the C drive  from the LEFT-side left-hand navigation Tree.

Expand the C drive.

We want to get to this sub-folder    C:\Users\kadew\AppData

now RIGHT-click with your mouse pointer  and select "Scan with Malwarebytes".

Have this special scan proceed.  Hopefully it will catch any other leftover malware or PUP.

 

[  Further and in addition   ]

You should do this special scan.

In Malwarebytes for Windows program, we want to do a special scan.
 Click Settings ( gear icon) at the top right of Malwarebytes window. We want to see the SETTINGS window.  Then click the Security tab.  Scroll down and let's be sure the line in SCAN OPTIONS for 

"Scan for rootkits" is ON 👈   Click it to get it ON if it does not show a blue color. Next, click the small x on the Settings line to go to the main Malwarebytes Window.   Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical.

>>>>>>      👉      You can actually click the topmost left  check-box  on the very top line to get ALL lines  ticked   ( all selected).         <<<<     💢

[Image: MB4_scan_tick_ALL.jpg]

 

Please double verify you have that TOP  check-box tick-marked, and that all lines then have a tick-mark.

 

Then click on Quarantine  button.

[Image: MB4_scan_all_Quarantine.jpg]

 


Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

 


Good morning.  I appreciate the reports you have sent.  I plan to lead you through a series of additional scans.  The one below is the first.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the-tool instructions are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on Scan Options & select FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

 

Let me know the result of this.    This is likely to run for many hours   ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log  

the log will be at  

C:\Windows\debug\msert.log

Please attach that log with your reply.


Solution

Adding a note related to a very out of date program.    Java 8 Update 281  is an old release from Oracle & poses a potential security risk exposure.  Please take time to Uninstall it.

Your Windows system really does not need it.  But if you do have some added application that really truly needs Java, then in that case, you can get the very latest release. See this how to link https://securitygarden.blogspot.com/2021/07/oracle-java-se-security-update-released.html

Oracle releases security updates on a quarterly basis.  Out of date Java is one potential vector for bad actors to facilitate a malware infection to get in.

Take care of this at your next opportunity.

.

As to the main issue at hand.  Note that Microsoft Defender antivirus flagged C:\Users\kadew\AppData\Local\Discord\app-1.0.9002\ErrorReport.exe   several times on the 21st.

Category: Potentially Unwanted Software

Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=PUA:Win32/CoinMiner&threatid=227033&enterprise=0
Name: PUA:Win32/CoinMiner

.

ANOTHER file is flagged by MS Defender as a severe threat.   Look for this file   C:\Users\kadew\Downloads\Kiwi V2 - Linkvertise Downloader_v-J6r31.exe

If still around, then Delete it. 

Severity: Severe
Category: Trojan

Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Spursint.F!cl&threatid=2147717281&enterprise=0
Name: Trojan:Win32/Spursint.F!cl

 


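The checks a helper would want the user to run at this point, as an added example that is not from the original thread, from Maurice, or from Malwarebytes: it assumes the two file paths and the two Defender threat IDs quoted in the post above, and is run from an elevated PowerShell prompt on the affected PC.

```powershell
# Added verification script (not part of the thread's own instructions). It assumes the
# file paths and Defender threat IDs quoted in the post above and an elevated prompt.

# Files flagged by Microsoft Defender in the post above.
$flagged = @(
    'C:\Users\kadew\AppData\Local\Discord\app-1.0.9002\ErrorReport.exe',    # PUA:Win32/CoinMiner
    'C:\Users\kadew\Downloads\Kiwi V2 - Linkvertise Downloader_v-J6r31.exe'  # Trojan:Win32/Spursint.F!cl
)
# Defender threat IDs taken from the two fwlink URLs in the post.
$threatIds = @(227033, 2147717281)

# 1. Confirm each flagged file is gone. If one is still present, record its SHA-256
#    so the hash can be quoted in the reply before the file is deleted.
foreach ($path in $flagged) {
    if (Test-Path -LiteralPath $path) {
        $sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        Write-Output "STILL PRESENT: $path  (SHA256 $sha256)"
    } else {
        Write-Output "gone: $path"
    }
}

# 2. Show Defender's own detection history for those threat IDs or paths, which is the
#    "actual log out of history" rather than a screen grab. Resources entries look
#    like 'file:_C:\full\path.exe'.
Get-MpThreatDetection -ErrorAction SilentlyContinue |
    Where-Object {
        $res = $_.Resources -join ' '
        ($threatIds -contains $_.ThreatID) -or
        [bool]($flagged | Where-Object { $res -like "*$_*" })
    } |
    Select-Object InitialDetectionTime, ThreatID, ActionSuccess,
                  @{ Name = 'Resources'; Expression = { $_.Resources -join '; ' } } |
    Format-Table -AutoSize

# 3. The Microsoft Safety Scanner writes C:\Windows\debug\msert.log; show its tail so
#    the outcome can be pasted into the reply once that scan has finished.
$msert = 'C:\Windows\debug\msert.log'
if (Test-Path -LiteralPath $msert) {
    Get-Content -LiteralPath $msert -Tail 20
} else {
    Write-Output 'msert.log not found: the Microsoft Safety Scanner has not been run yet.'
}
```

The script only reports; deletion of a file that is still present stays a deliberate manual step, as in the thread.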