Jump to content

My Windows 2012 has possibly a Trojan


Recommended Posts

Hello, I have an issue to where a client has a server to which has a Trojan.bitminer caused by Star.exe which I looked in the C:\Windows\Temp\Star.exe and nothing was there. One of the workers has had a bitcoin mining problem which we finally caught. Malwarebytes keeps blocking websites from IP address at least 5 times. Any suggestions are helpful.

Link to post
Share on other sites

Hello  @Jawsh    :welcome:

My name is Maurice.  Let me know what name you prefer to go by.  I will guide you.

I need a report set for review.   This is a report only.

Please download MBST Support Tool

Once you start it click Advanced >>> then   Gather Logs

 

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

 

  • Please attach  mbst-grab-results.zip    to your reply , like displayed here.
  • To send  ( upload)   attachments please click the "ADD Files"  link . Then browse to where your file is located and select it and click the Open button.

 

_mb_attach.jpg

 

The set of data from the report will provide much needed information.

Please always attach reports as we go along.

NOTE:  The block notices from Malwarebytes do mean that the pc is being kept safe from any potential harm.   It is STOPPED from a outbound attempt to ai.backend-chat.com

Edited by AdvancedSetup
corrected font issue
Link to post
Share on other sites

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 9/10/21
Protection Event Time: 9:50 PM
Log File: a6be120e-12a2-11ec-914f-9cb654b16555.json

-Software Information-
Version: 4.4.5.130
Components Version: 1.0.1430
Update Package Version: 1.0.44816
License: Premium

-System Information-
OS: Windows Server 2012 R2
CPU: x64
File System: NTFS
User: System

-Blocked Malware Details-
File: 1
Trojan.BitCoinMiner, C:\Windows\Temp\Star.exe, Quarantined, 596, 965972, 1.0.44816, , ame, , 241EA195774E19C5E9873A5B375617AE, AA00699728A2EE613DBE78792A6491C1B3B2F2562B3C4542B97D81B0C4CD4020


(end)

Link to post
Share on other sites

Thanks for the report.  The most recent block notices were about IP blocks  on IP "45.95.147.21"

I notice this machine  is a  "Windows Server 2012 R2"

First action:

Please  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

Next action:

Use Windows Explorer.   Expand / navigate the left hand tree view of the C drive & drill down to C:\Windows

Use the mouse and ( on the Left-hand tree) RIGHT click on Windows folder and select "Scan with Malwarebytes"  and let Malwarebytes do that scan.

Edited by Maurice Naggar
Link to post
Share on other sites

  • 4 weeks later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.