
I think I have some kind of malware hiding when I open task manager


scrawny

Hello,

A few days ago I got a new internet connection with 500 Mbps download. On all my other devices I get 500 Mbps download, except on my PC where it's capped at 80 Mbps unless I open Task Manager. I also noticed that my CPU's first core usage is always at max speed unless I open Task Manager (checked with HW Monitor). I downloaded and ran Malwarebytes but there was no threat found. I ran the Farbar Recovery Scan Tool and attached Addition.txt and FRST.txt. Also the Malwarebytes results.

If anyone could please help me I would greatly appreciate it, because I don't want to reinstall Windows.

Addition.txt FRST.txt Malwarebytes.txt


Hello scrawny and welcome to Malwarebytes,

Thanks for those logs, continue please:

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.

NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed.

The following directories are emptied:
 
  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin


Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.


The system will be rebooted after the fix has run.

Next,

Download Sophos Scan and Clean and save it to your desktop.

If your security software alerts on this scan, either accept the alert or turn off your security to allow Sophos to run and complete.....

Please do not use your PC whilst the scan is in progress.... This scan is very thorough so may take a while to complete...

You will have to register your name and email address to download the tool. You will also have to confirm your email address again each time the scan is started...

Found entries will have options to delete or quarantine; if you believe they may be false positives you can change to ignore.

A reboot may be requested to remove difficult malware/infection, please allow that to happen.

Saved logs are found here: C:\ProgramData\Sophos\ScanandClean\Logs

Please attach that log to your reply...

Thank you,

Kevin.

fixlist.txt


I am not sure if I am allowed to post again because it said in the rules that pushing topics is not allowed, but I found something that might be important and related, so I think it doesn't count as pushing. I couldn't edit my previous post either. If I am wrong, I am sorry.

Anyway, I downloaded Process Explorer hoping anything suspicious would come up there. When I sorted by CPU usage everything looked fine, but then I decided to sort by Private Bytes and Working Set, and on top of Private Bytes is an explorer.exe with about 2.5 GB, and the Working Set is around 4 MB. I decided to kill it and voila, my issues were gone. Download is normal again and CPU is down at 800 MHz when I do nothing. But when I restart my PC it is back. Usually you can see Command Line, Path and Service location if you point at the name, but on the explorer.exe it only says "Path: [Access is denied.]". I also attached a screenshot of the process. I tried searching for the .exe on my C drive but there were so many results and honestly I have no clue which one could be suspicious.

Capture1.PNG

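An added example, not part of the thread and not from either poster: an elevated PowerShell check that lists every running explorer.exe, compares its image path with the real shell binary, reports its signature status, and flags the private-bytes/working-set shape scrawny saw in Process Explorer. Unlike opening Task Manager, which the post above says makes the symptoms vanish, it does not start taskmgr.exe; the 1 GB / 64 MB thresholds are assumptions.

```powershell
function Test-ExplorerProcesses {
    $legit = Join-Path $env:WINDIR 'explorer.exe'   # the real shell binary
    foreach ($p in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
        $path = $p.Path                              # $null when the image path cannot be read
        $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }
        $privMB = [math]::Round($p.PrivateMemorySize64 / 1MB)
        $wsMB   = [math]::Round($p.WorkingSet64 / 1MB)
        $wmi    = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.Id)"
        $reasons = @()
        if (-not $path)           { $reasons += 'image path unreadable even when elevated' }
        elseif ($path -ne $legit) { $reasons += "image is not $legit" }
        # Catalog-signed system files can report NotSigned on older Windows; treat this as a hint.
        if ($sig -ne 'Valid')     { $reasons += "signature status $sig" }
        # The rogue copy in the thread held ~2.5 GB private bytes with a ~4 MB working set;
        # the thresholds below (assumptions) catch that shape without matching the real shell.
        if ($privMB -ge 1024 -and $wsMB -lt 64) { $reasons += "private ${privMB} MB vs working set ${wsMB} MB" }
        [pscustomobject]@{
            PID          = $p.Id
            ParentPID    = $wmi.ParentProcessId
            Path         = $path
            CommandLine  = $wmi.CommandLine
            Signature    = $sig
            PrivateMB    = $privMB
            WorkingSetMB = $wsMB
            Suspicious   = ($reasons.Count -gt 0)
            Reasons      = ($reasons -join '; ')
        }
    }
}

# Run from an elevated PowerShell; a non-elevated shell sees the same "access denied" as Process Explorer did.
Test-ExplorerProcesses | Format-List
```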

Hiya scrawny,

Can you post the log from FRST fix, also continue with the following:

Scan with Autoruns

Please download Sysinternals Autoruns from the following link: https://live.sysinternals.com/autoruns.exe save it to your desktop.

Note: If using Windows Vista, Windows 7, Windows 8/8.1 or Windows 10 then you also need to do the following:

  • Right-click on Autoruns.exe and select Properties
  • Click on the Compatibility tab
  • Under Settings check the box next to Run this program as an administrator
  • Click on Apply then click OK

  • Double-click Autoruns.exe to run it.
  • Once it starts, please press the Esc key on your keyboard.
  • Now that scanning is stopped, click on the Options button at the top of the program and verify that the following are checked; if they are unchecked, check them:

    Hide empty locations
    Hide Windows entries

  • Click on the Options button at the top of the program and select Scan Options... then in the Autoruns Scan Options dialog enable/check the following two options:

    Verify code signatures
    Check VirusTotal.com

  • Once that's done click the Rescan button at the bottom of the Autoruns Scan Options dialog and this will start the scan again; this time let it finish.
  • When it's finished and says Ready. on the lower left of the program window, please click on the File button at the top of the program and select Save, save the file to your desktop and close Autoruns.
  • Right click on the file on your desktop that you just saved, hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the ZIP folder you just created to your next reply

Thank you,

Kevin.


Hiya scrawny,

Try the following:

Please download Malwarebytes Anti-Rootkit from here: http://downloads.malwarebytes.org/file/mbar
 
  • Right click on the tool (select "Run as Administrator") to start the extraction to a convenient location. (Desktop is preferable)
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder... mbar-log.txt and system-log.txt


Thank you,

Kevin.

Hiya scrawny,

Nothing of note in those logs, all entries as expected... Let's try running FRST via the recovery environment and see if we can find out what is wrong:

Please download Farbar Recovery Scan Tool from here:

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

save it to a USB flash drive. Ensure to get the correct version for your system, 32 bit or 64 bit...

Next,

Boot your PC and let it go as far as it can, now hold down the Shift key and reboot your PC. Windows should open to the "Choose an Option" window....

Other options for Choose an option window at following link:

How to use the Windows 8 or 10 System Recovery Environment Command Prompt Here: http://www.howtogeek.com/126016/three-ways-to-access-the-windows-8-boot-options-menu/ to enter System Recovery Command prompt.

From that window select "Troubleshoot", from the next window select "Advanced Options", from there select "Command Prompt". Ensure to plug the flash drive into an open USB port...

Continue with the following:
 
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64 or e:\frst depending on your version and press Enter. Note: replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


Thanks,

Kevin...

Hey Kevin,

Sorry for the late response. I made the scan and attached the file.

Also I started Process Explorer as admin (yea.. should have thought about that earlier) and found the path and command line of the explorer.exe. Seems like it has something to do with randomx, which is a miner, and it's mining Monero.

explorer.PNG


Hiya scrawny,

Have you ever used anything related to cryptocurrency? There was no evidence whatsoever in your logs related to randomx/monero. The following is a quote from "bit2me.com", a site related to Bitcoin; from that quote it would seem that RandomX is not malicious.

Quote

RandomX is the name of the new mining algorithm for Monero, the privacy coin whose objective is to keep the network protected from ASIC mining, allowing only mining per CPU, and at the same time providing enormous security to its protocol and blockchain

Next,

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it to your reply.

 
Thanks,
 
Kevin

fixlist.txt


Hey, Kevin,

No I have never used anything related to bitcoin mining. I also searched for that topic but the only thing I could find was a reddit post https://www.reddit.com/r/MoneroMining/comments/e9kjx6/randomx_malware/

The person used a 2-year-old tool called randomx sniffer to find the malware, but that doesn't work for me either.

I attached the fixlist but the malicious explorer.exe is still showing up.

 

Fixlog.txt


Hiya scrawny,

Try the following:

Please start an elevated Admin level Command Prompt and type or copy/paste the following exactly and press the Enter key after each line.

SCHTASKS /Query /FO LIST /V >"%USERPROFILE%\Desktop\MyScheduledTasks.txt"

reg export "HKEY_CURRENT_USER\Console" "%USERPROFILE%\Desktop\MyConsoleSettings.txt" /y

Then locate on your desktop the files MyScheduledTasks.txt and MyConsoleSettings.txt and attach them in your next reply...

Thank you,

Kevin

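An added example, not from the thread: a PowerShell parser for the MyScheduledTasks.txt file that the SCHTASKS command above writes (blank-line separated "Label: value" records), which flags tasks whose action runs from a user-writable folder or borrows a Windows binary name such as explorer.exe from outside the Windows directory. The folder patterns, the binary-name list and the two sample records are constructed assumptions, not data from scrawny's logs.

```powershell
function Get-SuspiciousScheduledTasks {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Drop locations typical for user-level persistence (heuristic, an assumption here).
    $writable = '\\Users\\[^\\]+\\AppData\\', '\\Temp\\', '\\ProgramData\\', '\\Users\\Public\\'
    $systemNames = 'explorer.exe', 'svchost.exe', 'csrss.exe', 'lsass.exe', 'winlogon.exe'
    $winDir = [regex]::Escape($env:WINDIR)
    $tasks = @(); $cur = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*$') {                     # blank line closes the current record
            if ($cur.Count) { $tasks += [pscustomobject]$cur; $cur = @{} }
        } elseif ($line -match '^([^:]+):\s*(.*)$') {   # first colon separates label and value
            $cur[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    if ($cur.Count) { $tasks += [pscustomobject]$cur }
    foreach ($t in $tasks) {
        $action = $t.'Task To Run'
        if (-not $action -or $action -eq 'N/A') { continue }
        # Executable is the quoted token if present, else the first whitespace-separated token.
        $exe = if ($action -match '^"([^"]+)"') { $Matches[1] } else { ($action -split '\s+')[0] }
        $reasons = @()
        if ($writable | Where-Object { $exe -match $_ }) { $reasons += 'runs from a user-writable path' }
        if ($systemNames -contains (Split-Path -Leaf $exe) -and $exe -notmatch "^$winDir\\") {
            $reasons += 'Windows binary name outside the Windows directory'
        }
        if ($reasons.Count) {
            [pscustomobject]@{ TaskName = $t.TaskName; RunAs = $t.'Run As User'
                               Action = $action; Reasons = ($reasons -join '; ') }
        }
    }
}

# Constructed sample in the SCHTASKS /FO LIST /V layout (not from the thread's logs);
# on the real file use: Get-Content "$env:USERPROFILE\Desktop\MyScheduledTasks.txt"
$sample = @'
Folder: \
HostName:                             DESKTOP-EXAMPLE
TaskName:                             \Microsoft\Windows\Defrag\ScheduledDefrag
Task To Run:                          %windir%\system32\defrag.exe -c -h -o -$
Run As User:                          SYSTEM

HostName:                             DESKTOP-EXAMPLE
TaskName:                             \ExplorerUpdate
Task To Run:                          C:\Users\scrawny\AppData\Roaming\explorer.exe --background
Run As User:                          scrawny
'@ -split "`r?`n"
Get-SuspiciousScheduledTasks -Lines $sample | Format-List
```

Only the second sample task is reported, with both reasons; the Defrag task passes because it runs from the Windows directory.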

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 


This topic is now closed to further replies.