Hidden crypto Miner? Infected?

[Swerdnaj]

MBAM would not run, but downloaded the MBAM utility. I have attached FRST and MBAM logs. Please help me, and Thanks!

Addition.txt FRST.txt MBAM results.txt MBAM threat log.txt

[Maurice Naggar]

Hello 

Thanks for the reports.   My name is Maurice.  I will guide you forward.

Let's do one scan with Malwarebytes Adwcleaner to check for adwares. Just before pressing that "scan" button, be sure that Chrome & Edge, or other web browser are Closed.

It will not take much time,

First download & save it

https://support.malwarebytes.com/hc/en-us/articles/360038520054-Download-and-install-Malwarebytes-AdwCleaner

Then be sure to close all web browsers.

Then go to where the EXE file is saved. Start Adwcleaner.  Then do a scan with Adwcleaner

https://support.malwarebytes.com/hc/en-us/articles/360038520114-Malwarebytes-AdwCleaner-scan-and-clean

Attach the clean log.

[Maurice Naggar]

Question:  Are you getting help elsewhere?

Are you now or perhaps recently, been getting remote help via Bomgar ?

I do need to know if you are getting help elsewhere.   Please advise.

[Swerdnaj]

I am not getting help anywhere else. The Bomgar file was used by a software company in the past to work only on it's software, and only when I called them for support. I don't allow anyone else access to this computer.

Files attached.

AdwCleaner[C00].txt AdwCleaner[S00].txt

[Swerdnaj]

My svchost files run very high. see attached. Thanks

[Maurice Naggar]

We can do different scans with known security tools to check for malware, including malicious miners. ( By the way, I did notice you have used a handful of different apps on your own.)

I would strongly suggest you not be looking at Task Manager.   Svchost is a Windows service that is pervasily used to manage & run different tasks, including modules of apps.  Further to that, I can guide you later to other means to reduce the load of auto-started applications.  But let's keep focused to hunting for actual malware. That is the main goal here.

[   1   ]

This pc runs Windows 7.  I need you to insure that it does SHOW all folders / all files

See https://www.sevenforums.com/tutorials/853-navigation-pane-show-all-folders.html

[   2    ]

We will use FRSTENGLISH.exe  on Downloads folder to run a custom script.    The system will be rebooted after the script has run.

This custom script is for  Swerdnaj  only / for this machine only.

This custom script has some specific things, plus some general aspect to help the system overall.

NOTE-1:  This script will  run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  It will rebuild the Winsock.  

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. 

The following directories are emptied:

• Windows Temp
• Users Temp folders
• Edge, IE, FF, Chrome,  and Opera caches, HTML5 storages, Cookies and History
• Recently opened files cache
• Flash Player cache
• Java cache
• Steam HTML cache
• Explorer thumbnail and icon cache
• Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 
If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.

Please save the (attached file named) FIXLIST.txt   to the  Downloads  folder   

Fixlist.txt

Start the Windows Explorer and then, to the Downloads   folder.

RIGHT click on  FRSTENGLISH.exe    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click line More info information on that screen
and click button Run anyway on next screen.

on the FRST window:
Click the Fix button just once, and wait.

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

Please know this will do a Windows Restart.   Just let it do its thing.  

[Swerdnaj]

FixLog attached

Fixlog.txt

[Maurice Naggar]

That is a good run.  Thanks.

Next, I suggest a new scan for virsuses & other malware.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on Scan Options & select FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

 

Let me know the result of this.    This is likely to run for many hours   ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log  

the log will be at  

C:\Windows\debug\msert.log

Please attach that log with your reply.

[Swerdnaj]

MSERT.log attached

msert.log

[Maurice Naggar]

Thank you.  Most excellent result from Safety Scanner  

Quote

No infection found.

I would suggest a free scan with the ESET Online Scanner.  This will be another check for viruses, other malware, adwares, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

• Save the file to your system, such as the Downloads folder, or else to the Desktop.

 

• Go to the saved file, and double click it to get it started.

 

• When presented with the initial ESET options, click on "Computer Scan".
• Next, when prompted by Windows, allow it to start by clicking Yes
• When prompted for scan type, Click on Full scan

Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.

• Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display. You may step away from machine &. Let it be.

You should ignore all prompts to get the ESET antivirus software program. ( e.g. their standard program). You do not need to buy or get or install anything else.

• When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
• Click The blue “Save scan log” to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files” ( in blue, at bottom).

Press Continue when all done. You should click to off the offer for “periodic scanning”.

Please make sure you attach the log report.

[Swerdnaj]

Well, that took forever!

ESET scan log attached.

ESET Scan Log.txt

[Maurice Naggar]

Thank you.  Well worth the run.  The ESET found and removed the Ask toolbar and some other potential unwanted add-ons.

Go ahead and delete esetonlinescanner.exe + also delete MSERT.exe.

Advise me, How is the system at this point ?

Also, I dould like you to do one new Scan with Malwarebytes for Windows.  Malwarebytes is very good at finding and removing malicious miners.  Let me know result of that scan.

Edited October 4, 2021 by Maurice Naggar

[Swerdnaj]

I ran the Custom Scan including all options available on Malwarebytes, results attached.

The system is starting and running faster. Thanks for that!  I still have a svchost process running at over 300,000K when online, and over 250,000K when not online. Those high usage rates have not gone down with all of our cleanup, so are they of any concern? (and yes, I do look at my task manager, especially when my computer is lagging like it was before we started, Sorry, can't help myself ;)

 

MBAM log.txt

[Maurice Naggar]

That is a perfect report from the Malwarebytes for Windows scan.   Thank you.

SVCHOST is an abbreviation of service host. If one uses Task Manager or Process Explorer, you’ll usually see multiple instances of it running, and sometimes even several dozen instances. That is normal & expected.  Svchost is used by many services of your Windows system.
Services are organized into logical groups that are all somewhat related, and then a single Service Host instance is created to host each group. For example, one Service Host process runs the three services related to the firewall. Another Service Host process might run all the services related to the user interface, and so on.
What you report seeing on Task Manager is normal.
This machine has no malicious miner.  It does not have a infection or malware.
This last full Custom scan by Malwarebytes for Windows confirms that.
.
We use known security scanners from trusted sources to look for and remove malware.
.
As to laggy computers, there are several areas that you can look into.
Here are a few links to handy articles
Please know that a slow condition can be due to non-infection factors.

See https://support.microsoft.com/en-us/help/2746761/how-to-speed-up-your-slow-computer

 

See Miekiemoes blog article on slow computer situation

https://miekiemoes.blogspot.com/2008/02/help-my-computer-is-slow.html

 

also, at Bleepingcomputer

https://www.bleepingcomputer.com/forums/t/87058/slow-computerbrowser-check-here-first;-it-may-not-be-malware/

Sincerely.

[Swerdnaj]

I connected my computer to my wired network today after the cleanup we did, and it could not find it. I then tried to search for and open secpol.msc, it is not on my computer anymore. I cannot find or connect to my private wired network. Please help fix this.

Thanks

[Maurice Naggar]

The OS on this machine is Windows 7 Home Premium Service Pack 1.   Secpol.msc is not  available on all Windows versions.

NOTE:
The Local Security Group Policy Editor will only be available in the Windows 7 Professional, Ultimate, and Enterpise editions. The Local Security Policy Editor is not available in the Windows 7 Starter and Home Premium editions.

To see about running the Local Security Policy Editor on Windows 7, please see this link at Sevenforums ( which by the way, is an excellent resource for Windows 7)
https://www.sevenforums.com/tutorials/7357-local-security-policy-editor-open.html

[Maurice Naggar]

Hello.

I'd like for you to take one-time actions to power off your PC and any powered printers attached & then power off your hardware router.
Start by Shutting down Windows, and powering off your PC.  Then power Off the hardware router. Also, turn off the Hub or Switch for your 'network' ( if any).
Then wait for one minute.
Then power up in reverse order.  First get the router powered up.  Then your Hub or switch for the Network. Wait for a minute.
Then power up PC  and then get Windows started.
>
After that, I'd like to get a special report with the Malwarebytes Support tool.
 

This is a report only.

Please download Malwarebytes MBST Support Tool

Once you start it click Advanced >>> then   Gather Logs

 

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

 

• Please attach  mbst-grab-results.zip    to your reply , like displayed here.
• To send  ( upload)   attachments please click the "ADD Files"  link . Then browse to where your file is located and select it and click the Open button.

 

Edited October 7, 2021 by AdvancedSetup
corrected font issue

[AdvancedSetup]

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks