Jump to content

Win32/CoinMiner Infection


Go to solution Solved by Maurice Naggar,

Recommended Posts

Hello!

I got infected previously back in August, and I removed the bitcoin miner (I can't recall which one it is, but I don't think it was the same one.) Now, I got infected with CoinMiner and I removed it via Windows Defender. However, I think it was on my computer for a longer time than before as I noticed in my FRST/Addition logs that my defender are always stopped before completion. I have attached my latest Malwarebytes Log and my FRST and Addition log. I wasn't sure if "One Month" was supposed to be ticked in whitelist, so I uploaded both. 

Any help would be appreciated. 

 

Thank you!

malwarebytesreport.txt FRST_1monthselected.txt Addition.txt FRST.txt Addition_1monthselected.txt

Link to post
Share on other sites

Hello @ryeoki    :welcome:

My name is Maurice.  I will guide you.

Let's do one scan with Malwarebytes Adwcleaner to check for adwares. Just before pressing that "scan" button, be sure that Chrome & Edge, or other web browser are Closed.

It will not take much time,

First download & save it

https://support.malwarebytes.com/hc/en-us/articles/360038520054-Download-and-install-Malwarebytes-AdwCleaner

 

Then be sure to close all web browsers.

Then go to where the EXE file is saved. Start Adwcleaner.  Then do a scan with Adwcleaner

https://support.malwarebytes.com/hc/en-us/articles/360038520114-Malwarebytes-AdwCleaner-scan-and-clean

Attach the clean log.

Link to post
Share on other sites

Some remarks & notations.  At the end-of-day when you are off the computer....do you do a Windows SHUTDOWN using the main menu ?  or, do you mainly leave it to go into sleep mode ?

Some notes:

On the 8th, 11th, 12th of January, at 6 AM would the computer / would Windows have been in sleep mode ?  What time in the day do you typically get on the machine and Login ?

Remark:   Microsoft Defender antivirus appears to have dealt with the threat it identified as a win32/coinminer!MSR 

Windows Defender:
================
Date: 2022-01-17 15:00:33
Description: 
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/CoinMiner!MSR&threatid=2147743972&enterprise=0
Name: Trojan:Win32/CoinMiner!MSR
Severity: Severe
Category: Trojan
Path: file:_C:\Windows\System32\7B296FC0-376B-497d-B013-58F4D9633A22-5P-1.B5841A4C-A289-439d-8115-50AB69CD450; file:_C:\Windows\System32\7B296FC0-376B-497d-B013-58F4D9633A22-5P-1.B5841A4C-A289-439d-8115-50AB69CD450B
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: User
Process Name: Unknown
Security intelligence Version: AV: 1.355.2072.0, AS: 1.355.2072.0, NIS: 1.355.2072.0
Engine Version: AM: 1.1.18800.4, NIS: 1.1.18800.4

^

Go to this folder location   C:\windows\system32  do you see a 7B296FC0-376B-497d-B013-58F4D9633A22-5P-1.B5841A4C-A289-439d-8115-50AB69CD450

Link to post
Share on other sites

Hello!

Thanks for your response. I have attached the log here: AdwCleaner[S02].txt

At the end of the day, I leave my computer on and I would turn off the monitors. 

Quote

On the 8th, 11th, 12th of January, at 6 AM would the computer / would Windows have been in sleep mode ?  What time in the day do you typically get on the machine and Login ?

The computer would generally be on. I leave my computer continuously on so it should not be on sleep mode at 6AM. I don't usually log out so I rarely login (when I do have to login, I assume that windows had automatically updated.), but I use the computer regularly around 9AM EST. 

Link to post
Share on other sites

Quote

Go to this folder location   C:\windows\system32  do you see a 7B296FC0-376B-497d-B013-58F4D9633A22-5P-1.B5841A4C-A289-439d-8115-50AB69CD450

The files shouldn't be there as I think Windows Defender removed them after I did a full scan. I knew there was something wrong because my mouse was stuttering and that happened previously before with a bitcoin miner malware. 

I don't see that specific file, but I do see these two. 6bea57fb-8dfb-4177-9ae8-42e8b3529933_RuntimeDeviceInstall.dll and 69fe178f-26e7-43a9-aa7d-2b616b672dde_eventlogservice.dll

Link to post
Share on other sites

Ahh. Your pc does indeed go into sleep mode  after a period of inactivity.  I would urge you to make it a habit to do a Windows SHUTDOWN  from the main menu when you no longer need to use the computer, like each evening. Select Start and then select Power > Shut down. 

That way, the next time you Login, Windows will be a fresh session, which is highly recommended.  You ought not to let your computer be without a restart for days and days.

Next step # 1

Do a Windows RESTART.      Select Start and then select Power > then select RESTART.

Next step # 2

Please  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

Next step # 3

Just want to do a visual check in Windows Security to see (visually) that Microsoft Defender is on .  And do a Update run & do a Custom scan on the C drive.

  • From the Windows Start menu, select Settings, then select Update and Security.
  • Next, look at the left-side menu & select Windows Security
  • Next, In Windows Security section: Click on the grey button Open Windows Security
  • Now, click on the shield Virus and threat protection
  • Look to see that Microsoft Defender is shown & available for use.
  • On the next display, look at all the options.  Look down the list and see "Check for Updates" .
  • You should click on that to have the system check for updates for Windows Defender.  Watch & wait for that to complete.
  • Please also note that the Scan options (all) can be displayed by clicking on Scan options.
  • I would like you to select CUSTOM scan from scan options
  • Then select the C drive
  • Then have it scan the whole C drive.
Link to post
Share on other sites

It shouldn't go to sleep after inactivity as I have turned off that setting. The current setting is "Never" for sleep mode. The last bitcoin miner malware, I had to reset my Windows as it deleted/removed my Windows Defender (I don't know if the old WinSyS files might have anything to do with it). It currently has MalwareBytes active as the virus defender, and so I turned on the "Periodic Scanning", scanned for intelligence updates, and did a full scan of the C:/ drive. No threats were found. What should I do next? 

 

Link to post
Share on other sites

Lets's use the Command Prompt to gather some status info. 
Right-click the Start button (Windows Key+X) to bring up the hidden quick access menu and select Command Prompt.
In the Command window, type:

net stats srv

I am interested in seeing the date shown on the line "statistics" and the time.

When finished, type 

exit

in command-window to exit.

Link to post
Share on other sites

I did restart my computer before I scanned.

I don't have Command Prompt as a shortcut there (due to the virus previously, it wouldn't let me create new folders so instead I enabled the shortcut for Windows Powershell instead and then did the fix for windows system). I opened up Command Prompt as administrator and typed in the following:

Quote

 

C:\WINDOWS\system32>NET STATISTICS DESKTOP-S1J6EMK
The syntax of this command is:

NET STATISTICS
[WORKSTATION]


C:\WINDOWS\system32>NET STATISTICS
Statistics are available for the following running services:

   Workstation

The command completed successfully.


C:\WINDOWS\system32>NET STATISTICS WORKSTATION
Workstation Statistics for \\DESKTOP-S1J6EMK


Statistics since 2022-01-18 4:35:20 PM


  Bytes received                               115780
  Server Message Blocks (SMBs) received        3
  Bytes transmitted                            99894
  Server Message Blocks (SMBs) transmitted     0
  Read operations                              0
  Write operations                             0
  Raw reads denied                             0
  Raw writes denied                            0

  Network errors                               0
  Connections made                             0
  Reconnections made                           0
  Server disconnects                           0

  Sessions started                             0
  Hung sessions                                0
  Failed sessions                              0
  Failed operations                            0
  Use count                                    11
  Failed use count                             0

The command completed successfully.

 


 

Link to post
Share on other sites

Thank you for that copy.  

would suggest that you do this next scan. This is a known respected tool. It will scan for viruses as well as for potentially unwanted applications.   ( P U A  or  P U P ).

I would suggest a free scan with the ESET Online Scanner.  This will be another check for viruses, other malware, adwares, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on Full scan

Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.

  • Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display. You may step away from machine &. Let it be.

You should ignore all prompts to get the ESET antivirus software program. ( e.g. their standard program). You do not need to buy or get or install anything else.

  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
  • Click The blue Save scan log to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files” ( in blue, at bottom).

Press Continue when all done.

You should decline the offer for “periodic scanning”.   ( if offered)

Please make sure you attach the log report.   

Link to post
Share on other sites

Alright, thanks.  Eset Online did not like the contents of that file.  Let us do a scan with a different antivirus scanner. 

Download Sophos Free Virus Removal Tool   and save it to your desktop.

  • If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....
  • Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...

 

Double click the icon and select Run

Click Next

Select I accept the terms in this license agreement, then click Next twice

Click Install

Click Finish to launch the program

  • Once the virus database has been updated click Start Scanning

If any threats are found click Details, then View log file... (bottom left hand corner)

 

Attach the results in your reply

  • Close the Notepad document, close the Threat Details screen, then click Start cleanup

Click Exit to close the program

 

If no threats were found please confirm that result....

  • The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.

Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

 

Saved logs are found under this sub-folder: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs 

I  would want to have that report file.  Let me know what Sophos report.  Running this tool is not a one-shot-solution.  There would be lots more scanning to do.

Link to post
Share on other sites

I do see this log.  You picked what they call "Scan and clean" tool.  That one is a limited scope tool.  It is ok that you ran it.  But it is not the one I have in mind.

Kindly go back / we want the Virus Removel Tool   VRT.

https://www.sophos.com/en-us/products/free-tools/virus-removal-tool.aspx

click on the Green spot  at the top right of that page.

Edited by Maurice Naggar
Link to post
Share on other sites

Lets just put aside any more mention of any further Sophos.  Lets go past that  and do other things.  It's unfortunate they made it so complicated. Let's put that suggestion away.

^

Lets do a adjustment and then do a custom script run.

Start Malwarebytes For Windows. Click Settings ( gear ) icon. Next, lets make real sure that Malwarebytes does NOT register with Windows Security Center

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off   .... be sure that line's  radio-button selection is all the way to the Left.  thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows    😃.

Close Malwarebytes.

[  2  ]

Next, a custom script to do other checks & some other cleanups.

We will use FRST64.exe  on the E: Downloads folder to run a custom script.    The system will be rebooted after the script has run.

This custom script is for  Ryeoki  only / for this machine only.

 

This custom script has some specific things, plus some general aspect to help the system overall.  Hoping it will not exceed 60 minutes in execute time.

NOTE-1:  This script will  run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. .  It will run the Windows DISM tool to check the system.  It will rebuild the Winsock.  It will reset the HOSTS file to standard.

It will attempt to run a quick scan with Microsoft Defender antivirus.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. 

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome,  and Opera  & BRAVE caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

  •  
  • Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 

  • If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.
  • Please save the (attached file named) FIXLIST.txt   to the   E: Downloads  folder

Fixlist.txt

 

Then, Start the Windows Explorer and then, go  to the E: Downloads   folder.


RIGHT click on FRST64.exe    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

  • IF you get a block message from Windows about this tool......

               click line More info information on that screen
               and click button Run anyway on next screen.

  • on the FRST window:

Click the Fix button just once, and wait.

frst-fix.jpg.f6a25291b39a03d418acc9a3b7136900.jpg

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

Link to post
Share on other sites

Thanks for the log report. The Microsoft Defender antivirus is proptecting in real-time. Its definitions are up-to-date:
AntivirusSignatureLastUpdated : 2022-01-19 1:27:01 PM
AntispywareSignatureLastUpdated : 2022-01-19 1:27:01 PM
The "boogers" that had been flagged on the 17th are no longer around.
We have run a few different scans before:
The Sophos Scan and clean
ESET Online scanner
a manual Microsoft Defender scan by you.
Malwarebytes Adwcleaner
^
Lets monitor over the next couple of days to see if Microsoft Defender flags anything over the next couple of days.
*
Meantime lets get a couple of readout reports.

This next is just a report to check on some Windows services  

Download   Farbar's Service Scanner utility

and Save to your Desktop.

Right-Click on fss.exe and select Run As Administrator.

Answer Yes to ok when prompted.

If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are check-marked:

  • Internet Services
    Windows Firewall
    System Restore
    Security Center/Action Center
    Windows Update
    Windows Defender
    Other services

  

Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run.   Please attach that file. 

[   2    ]

I would recommend getting a readout report as to update status of some key apps.

 

  • and save the tool on the desktop.
  • If Windows's  SmartScreen block that with a message-window, then
  • Click on the MORE INFO spot and over-ride that and allow it to proceed.

                               This tool is safe.   Smartscreen is overly sensitive.

Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

Link to post
Share on other sites

  • Root Admin

I believe it may be getting late for Maurice. @ryeoki

Pardon me for stepping in, but please uninstall, updates, or otherwise address the following issues as appropriate for  your system while you await Maurice's return.

 

 

--------------------------- [ OtherUtilities ] ----------------------------

Git version 2.31.1 v.2.31.1 Warning! Download Update

Node.js v.14.16.1 Warning! Download Update

GitHub Desktop v.2.9.4 Warning! Download Update

Python 3.9.0 (64-bit) v.3.9.150.0 Warning! Download Update

TeamViewer v.15.24.5 Warning! Download Update


------------------------------ [ ArchAndFM ] ------------------------------

7-Zip 19.00 (x64) v.19.00 Warning! Download Update
Uninstall old version and install new one.


------------------------------- [ Imaging ] -------------------------------

GIMP 2.10.28 v.2.10.28 Warning! Download Update


-------------------------- [ IMAndCollaborate ] ---------------------------

Discord v.0.0.309 Warning! Download Update

Zoom v.5.8.3 (1581) Warning! Download Update

--------------------------------- [ P2P ] ---------------------------------

qBittorrent 4.3.9 v.4.3.9 Warning! Download Update


-------------------------------- [ Media ] --------------------------------

VLC media player v.3.0.11 Warning! Download Update

iTunes v.12.11.4.15 Warning! Download Update
^Please use Apple Software Update tool.^

Audacity 2.4.2 v.2.4.2 Warning! Download Update


--------------------------- [ AdobeProduction ] ---------------------------

Adobe Acrobat DC v.20.006.20042 Warning! Download Update
^Please run Acrobat DC and go Help - Check for updates...^


------------------------------- [ Browser ] -------------------------------

Mozilla Firefox 86.0 (x64 en-US) v.86.0 Warning! Download Update


---------------------------- [ UnwantedApps ] -----------------------------

Bonjour v.3.1.0.1 Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended. Possible you became a victim of fraud or social engineering.

 

 

Link to post
Share on other sites

  • Root Admin

Please get one last set of logs and Maurice should follow up with you again tomorrow with any further directions. @ryeoki

 

 

To begin, please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.