ryeoki Posted January 18, 2022 ID:1497978
Hello! I got infected previously back in August, and I removed the bitcoin miner (I can't recall which one it was, but I don't think it was the same one). Now I got infected with CoinMiner and I removed it via Windows Defender. However, I think it was on my computer for a longer time than before, as I noticed in my FRST/Addition logs that my Defender is always stopped before completion. I have attached my latest Malwarebytes log and my FRST and Addition logs. I wasn't sure if "One Month" was supposed to be ticked in the whitelist, so I uploaded both. Any help would be appreciated. Thank you!
Attachments: malwarebytesreport.txt, FRST_1monthselected.txt, Addition.txt, FRST.txt, Addition_1monthselected.txt
Maurice Naggar Posted January 18, 2022 ID:1497982
Hello @ryeoki. My name is Maurice. I will guide you.
Let's do one scan with Malwarebytes AdwCleaner to check for adware. Just before pressing that "Scan" button, be sure that Chrome, Edge, and any other web browsers are closed. It will not take much time.
First download and save it: https://support.malwarebytes.com/hc/en-us/articles/360038520054-Download-and-install-Malwarebytes-AdwCleaner
Then be sure to close all web browsers. Then go to where the EXE file is saved and start AdwCleaner.
Then do a scan with AdwCleaner: https://support.malwarebytes.com/hc/en-us/articles/360038520114-Malwarebytes-AdwCleaner-scan-and-clean
Attach the clean log.
Maurice Naggar Posted January 18, 2022 ID:1497994
Some remarks and notations.
At the end of the day, when you are off the computer, do you do a Windows SHUTDOWN using the main menu? Or do you mainly leave it to go into sleep mode?
Some notes: On the 8th, 11th, and 12th of January, at 6 AM, would the computer / would Windows have been in sleep mode? What time in the day do you typically get on the machine and log in?
Remark: Microsoft Defender antivirus appears to have dealt with the threat it identified as a win32/coinminer!MSR.

Windows Defender:
================
Date: 2022-01-17 15:00:33
Description: Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following: https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/CoinMiner!MSR&threatid=2147743972&enterprise=0
Name: Trojan:Win32/CoinMiner!MSR
Severity: Severe
Category: Trojan
Path: file:_C:\Windows\System32\7B296FC0-376B-497d-B013-58F4D9633A22-5P-1.B5841A4C-A289-439d-8115-50AB69CD450; file:_C:\Windows\System32\7B296FC0-376B-497d-B013-58F4D9633A22-5P-1.B5841A4C-A289-439d-8115-50AB69CD450B
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: User
Process Name: Unknown
Security intelligence Version: AV: 1.355.2072.0, AS: 1.355.2072.0, NIS: 1.355.2072.0
Engine Version: AM: 1.1.18800.4, NIS: 1.1.18800.4

^ Go to this folder location C:\windows\system32. Do you see a 7B296FC0-376B-497d-B013-58F4D9633A22-5P-1.B5841A4C-A289-439d-8115-50AB69CD450 there?
ryeoki Posted January 18, 2022 Author ID:1498006
Hello! Thanks for your response. I have attached the log here: AdwCleaner[S02].txt
At the end of the day, I leave my computer on and I turn off the monitors.
Quote: On the 8th, 11th, 12th of January, at 6 AM would the computer / would Windows have been in sleep mode ? What time in the day do you typically get on the machine and Login ?
The computer would generally be on. I leave my computer continuously on, so it should not be in sleep mode at 6 AM. I don't usually log out, so I rarely log in (when I do have to log in, I assume that Windows had automatically updated), but I use the computer regularly around 9 AM EST.
ryeoki Posted January 18, 2022 Author ID:1498010
Quote: Go to this folder location C:\windows\system32 do you see a 7B296FC0-376B-497d-B013-58F4D9633A22-5P-1.B5841A4C-A289-439d-8115-50AB69CD450
The files shouldn't be there, as I think Windows Defender removed them after I did a full scan. I knew there was something wrong because my mouse was stuttering, and that happened previously with a bitcoin miner malware. I don't see that specific file, but I do see these two: 6bea57fb-8dfb-4177-9ae8-42e8b3529933_RuntimeDeviceInstall.dll and 69fe178f-26e7-43a9-aa7d-2b616b672dde_eventlogservice.dll
Maurice Naggar Posted January 18, 2022 ID:1498028
Ahh. Your PC does indeed go into sleep mode after a period of inactivity. I would urge you to make it a habit to do a Windows SHUTDOWN from the main menu when you no longer need to use the computer, like each evening. Select Start and then select Power > Shut down. That way, the next time you log in, Windows will be a fresh session, which is highly recommended. You ought not to let your computer go without a restart for days and days.

Next step # 1
Do a Windows RESTART. Select Start and then select Power > then select RESTART.

Next step # 2
Please set File Explorer to SHOW ALL folders, all files, including hidden ones. Use OPTION ONE or TWO of this article: https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

Next step # 3
I just want to do a visual check in Windows Security to see (visually) that Microsoft Defender is on, and do an update run and a Custom scan on the C drive.
From the Windows Start menu, select Settings, then select Update and Security.
Next, look at the left-side menu and select Windows Security.
Next, in the Windows Security section, click on the grey button Open Windows Security.
Now, click on the shield Virus and threat protection.
Look to see that Microsoft Defender is shown and available for use.
On the next display, look at all the options. Look down the list and see "Check for Updates". You should click on that to have the system check for updates for Windows Defender. Watch and wait for that to complete.
Please also note that the scan options (all) can be displayed by clicking on Scan options. I would like you to select CUSTOM scan from scan options, then select the C drive, then have it scan the whole C drive.
ryeoki Posted January 18, 2022 Author ID:1498046
It shouldn't go to sleep after inactivity, as I have turned off that setting. The current setting is "Never" for sleep mode. With the last bitcoin miner malware, I had to reset my Windows as it deleted/removed my Windows Defender (I don't know if the old WinSyS files might have anything to do with it). It currently has Malwarebytes active as the virus defender, and so I turned on "Periodic Scanning", scanned for intelligence updates, and did a full scan of the C:/ drive. No threats were found. What should I do next?
Maurice Naggar Posted January 18, 2022 ID:1498048
Q: Did you do a Windows Restart?
I am glad to read that the scan with Microsoft Defender reported no infection.
Maurice Naggar Posted January 18, 2022 ID:1498054
Let's use the Command Prompt to gather some status info.
Right-click the Start button (Windows Key+X) to bring up the hidden quick access menu and select Command Prompt.
In the Command window, type: net stats srv
I am interested in seeing the date and the time shown on the line "Statistics since".
When finished, type exit in the command window to exit.
ryeoki Posted January 19, 2022 Author ID:1498068
I did restart my computer before I scanned. I don't have Command Prompt as a shortcut there (due to the virus previously, it wouldn't let me create new folders, so instead I enabled the shortcut for Windows PowerShell and then did the fix for the Windows system). I opened up Command Prompt as administrator and typed in the following:

Quote:
C:\WINDOWS\system32>NET STATISTICS DESKTOP-S1J6EMK
The syntax of this command is:

NET STATISTICS
[WORKSTATION]

C:\WINDOWS\system32>NET STATISTICS
Statistics are available for the following running services:

   Workstation
The command completed successfully.

C:\WINDOWS\system32>NET STATISTICS WORKSTATION
Workstation Statistics for \\DESKTOP-S1J6EMK

Statistics since 2022-01-18 4:35:20 PM

  Bytes received                               115780
  Server Message Blocks (SMBs) received        3
  Bytes transmitted                            99894
  Server Message Blocks (SMBs) transmitted     0
  Read operations                              0
  Write operations                             0
  Raw reads denied                             0
  Raw writes denied                            0

  Network errors                               0
  Connections made                             0
  Reconnections made                           0
  Server disconnects                           0

  Sessions started                             0
  Hung sessions                                0
  Failed sessions                              0
  Failed operations                            0
  Use count                                    11
  Failed use count                             0

The command completed successfully.
Maurice Naggar Posted January 19, 2022 ID:1498082
Thank you for that copy.
I would suggest that you do this next scan. This is a known, respected tool. It will scan for viruses as well as for potentially unwanted applications (PUA or PUP).
I would suggest a free scan with the ESET Online Scanner. This will be another check for viruses, other malware, adware, and potentially unwanted applications.
Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe
It will start a download of "esetonlinescanner.exe". Save the file to your system, such as the Downloads folder, or else to the Desktop.
Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".
Next, when prompted by Windows, allow it to start by clicking Yes.
When prompted for scan type, click on Full scan.
Look at and tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
Have patience. The entire process may take an hour or more. There is an initial update download. There is a progress window display. You may step away from the machine and let it be.
You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results". Click the blue "Save scan log" to save the log.
If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at bottom).
Press Continue when all done. You should decline the offer for "periodic scanning" (if offered).
Please make sure you attach the log report.
ryeoki Posted January 19, 2022 Author ID:1498085
I have attached the scanner log here: eset scanner.txt
Only 1 file was found, which was in C:\Program Files\Git\etc\hosts
Maurice Naggar Posted January 19, 2022 ID:1498135
Alright, thanks. ESET Online did not like the contents of that file.
Let us do a scan with a different antivirus scanner.
Download Sophos Free Virus Removal Tool and save it to your desktop.
If your security alerts to this scan, either accept the alert or turn off your security to allow Sophos to run and complete.
Please do not use your PC whilst the scan is in progress. This scan is very thorough, so it may take several hours.
Double click the icon and select Run.
Click Next.
Select I accept the terms in this license agreement, then click Next twice.
Click Install.
Click Finish to launch the program.
Once the virus database has been updated, click Start Scanning.
If any threats are found, click Details, then View log file... (bottom left hand corner).
Attach the results in your reply.
Close the Notepad document, close the Threat Details screen, then click Start cleanup.
Click Exit to close the program.
If no threats were found, please confirm that result.
The Virus Removal Tool scans the following areas of your computer: memory, including system memory on 32-bit (x86) versions of Windows; the Windows registry; all local hard drives, fixed and removable. Mapped network drives are not scanned.
Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.
Saved logs are found under this sub-folder: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs
I would want to have that report file. Let me know what Sophos reports.
Running this tool is not a one-shot solution. There would be lots more scanning to do.
ryeoki Posted January 19, 2022 Author ID:1498147
Hello, the tool said it didn't have to install, and it also does not mention where it scans. Here is the log: SophosScanAndClean_20220119_1203.log
Maurice Naggar Posted January 19, 2022 ID:1498152 (edited)
I do see this log. You picked what they call the "Scan and Clean" tool. That one is a limited-scope tool. It is OK that you ran it, but it is not the one I have in mind.
Kindly go back; we want the Virus Removal Tool (VRT). https://www.sophos.com/en-us/products/free-tools/virus-removal-tool.aspx Click on the green spot at the top right of that page.
Edited January 19, 2022 by Maurice Naggar
ryeoki Posted January 19, 2022 Author ID:1498172
Hello! Even clicking the green "Download Now" button (which forwards me to a register page, which after registering) still gives me the Scan&Clean tool. Is there another link to obtain this? Thanks.
Maurice Naggar Posted January 19, 2022 ID:1498183
The page just asks for some info and an email address. It's a first step. Did you do that? Then check your inbox for a possible notice from Sophos.
ryeoki Posted January 19, 2022 Author ID:1498231
Yes, I filled in my info and email. The only downloader you get is the Scan&Clean tool. There is nothing in my email regarding this. You can try it yourself, as I only get the download for the Scan&Clean tool.
Maurice Naggar Posted January 19, 2022 ID:1498242
Let's just put aside any further mention of Sophos. Let's go past that and do other things. It's unfortunate they made it so complicated. Let's put that suggestion away.

^ Let's do an adjustment and then do a custom script run.
Start Malwarebytes for Windows. Click the Settings (gear) icon.
Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.
Click the Security tab. Scroll down to "Windows Security Center". Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center". { We want that to be set as Off; be sure that line's radio-button selection is all the way to the left. Thanks. }
This will not affect any real-time protection of Malwarebytes for Windows 😃. Close Malwarebytes.

[ 2 ] Next, a custom script to do other checks and some other cleanups.
We will use FRST64.exe in the E: Downloads folder to run a custom script. The system will be rebooted after the script has run.
This custom script is for Ryeoki only / for this machine only. This custom script has some specific things, plus some general aspects to help the system overall. Hoping it will not exceed 60 minutes in execution time.
NOTE-1: This script will run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt, and attempt to correct any invalid files. It will run the Windows DISM tool to check the system. It will rebuild the Winsock. It will reset the HOSTS file to standard. It will attempt to run a quick scan with Microsoft Defender antivirus.
NOTE-2: As part of this fix, all temporary files will be removed. If you have any open web pages that have not been bookmarked, please make sure you bookmark them now, as all open applications will be automatically closed.
The following directories are emptied: Windows Temp; Users Temp folders; Edge, IE, FF, Chrome, Opera and Brave caches, HTML5 storage, cookies and history; recently opened files cache; Flash Player cache; Java cache; Steam HTML cache; Explorer thumbnail and icon cache; Recycle Bin.
Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns, please ask before running this fix.
Please be sure to close any open work files, documents, and any apps you started yourself before starting this. If there are any CD / DVD / USB flash or USB storage drives attached, please disconnect any of those.
Please save the attached file named FIXLIST.txt to the E: Downloads folder. Fixlist.txt
Then start Windows Explorer and go to the E: Downloads folder. RIGHT-click on FRST64.exe and select Run as Administrator and allow it to proceed. Reply YES when prompted to allow the tool to run.
If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed. IF you get a block message from Windows about this tool, click the line "More info" on that screen and click the button "Run anyway" on the next screen.
On the FRST window: click the Fix button just once, and wait. PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience.
If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please attach the FIXLOG.txt with your next reply, at your next opportunity.
ryeoki Posted January 20, 2022 Author ID:1498253
Hello! The fix finished and the log is located here: Fixlog.txt
Maurice Naggar Posted January 20, 2022 ID:1498280
Thanks for the log report. The Microsoft Defender antivirus is protecting in real time. Its definitions are up to date:
AntivirusSignatureLastUpdated : 2022-01-19 1:27:01 PM
AntispywareSignatureLastUpdated : 2022-01-19 1:27:01 PM
The "boogers" that had been flagged on the 17th are no longer around.
We have run a few different scans before: the Sophos Scan and Clean, ESET Online Scanner, a manual Microsoft Defender scan by you, and Malwarebytes AdwCleaner.
^ Let's monitor over the next couple of days to see if Microsoft Defender flags anything.

* Meantime, let's get a couple of readout reports. This next one is just a report to check on some Windows services.
Download Farbar's Service Scanner utility and save it to your Desktop.
Right-click on fss.exe and select Run As Administrator. Answer Yes to OK when prompted. If your firewall then puts out a prompt, again, allow it to run.
Once FSS is on screen, be sure the following items are check-marked: Internet Services, Windows Firewall, System Restore, Security Center/Action Center, Windows Update, Windows Defender, Other services.
Click on "Scan". It will create a log (FSS.txt) in the same directory the tool is run from. Please attach that file.

[ 2 ] I would recommend getting a readout report as to the update status of some key apps.
Download SecurityCheck by glax24 from here https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe and save the tool on the desktop.
If Windows SmartScreen blocks that with a message window, then click on the MORE INFO spot and override that and allow it to proceed. This tool is safe. SmartScreen is overly sensitive.
Right-click with your mouse on SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run and go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.
You can find this file in a folder called SecurityCheck: C:\SecurityCheck\SecurityCheck.txt
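The checks Maurice has been requesting one at a time (Defender protection state and signature dates, what Defender itself logged as detections, whether scans are finishing or being stopped early as in the opening post, and how long since the last boot, which is what the net stats request was after) can be gathered in one go. This is an added example, not a script from this thread or from Malwarebytes; it assumes the built-in Defender PowerShell module on Windows 10/11 and an elevated prompt, and the Days parameter and report field names are my own.

```powershell
# Added example (not from the thread): one-shot Microsoft Defender health readout.
# Assumes the built-in Defender module (Get-Mp* cmdlets) and an elevated PowerShell.
function Get-DefenderHealthReport {
    [CmdletBinding()]
    param(
        [int]$Days = 14   # how far back to look for detections and scan events
    )
    $since  = (Get-Date).AddDays(-$Days)
    $status = Get-MpComputerStatus
    $boot   = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime

    # Map numeric ThreatID -> name (e.g. Trojan:Win32/CoinMiner!MSR) for readability
    $names = @{}
    Get-MpThreat -ErrorAction SilentlyContinue | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }

    # Detections Defender recorded itself; the same data FRST prints under "Windows Defender"
    $detections = Get-MpThreatDetection -ErrorAction SilentlyContinue |
        Where-Object { $_.InitialDetectionTime -ge $since } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.InitialDetectionTime
                Threat  = if ($names.ContainsKey($_.ThreatID)) { $names[$_.ThreatID] } else { $_.ThreatID }
                Paths   = ($_.Resources -join '; ')
                Process = $_.ProcessName
                Success = $_.ActionSuccess
            }
        }

    # Defender operational log: 1001 = scan finished, 1002 = scan stopped before completion.
    # A run of 1002 with no 1001 is the "stopped before completion" pattern from the opening post.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1001, 1002
        StartTime = $since
    }
    $scanEvents = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        LastBoot           = $boot
        UptimeDays         = [math]::Round(((Get-Date) - $boot).TotalDays, 1)
        AntivirusEnabled   = $status.AntivirusEnabled
        RealTimeProtection = $status.RealTimeProtectionEnabled
        SignatureUpdated   = $status.AntivirusSignatureLastUpdated
        LastQuickScan      = $status.QuickScanEndTime
        LastFullScan       = $status.FullScanEndTime
        ScansFinished      = @($scanEvents | Where-Object Id -eq 1001).Count
        ScansStoppedEarly  = @($scanEvents | Where-Object Id -eq 1002).Count
        Detections         = $detections
    }
}

$report = Get-DefenderHealthReport -Days 14
$report | Select-Object -Property * -ExcludeProperty Detections | Format-List
$report.Detections | Format-Table -AutoSize
```

A large UptimeDays value together with a non-zero ScansStoppedEarly count is the combination worth following up on, since scheduled scans that never complete leave the machine relying on real-time protection alone.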
ryeoki Posted January 20, 2022 Author ID:1498287
Thanks Maurice for bearing with me :)
Here is the FSS log: FSS.txt
Here is the SecurityCheck log: SecurityCheck.txt
AdvancedSetup (Root Admin) Posted January 20, 2022 ID:1498289
I believe it may be getting late for Maurice. @ryeoki Pardon me for stepping in, but please uninstall, update, or otherwise address the following issues as appropriate for your system while you await Maurice's return.

--------------------------- [ OtherUtilities ] ----------------------------
Git version 2.31.1 v.2.31.1 Warning! Download Update
Node.js v.14.16.1 Warning! Download Update
GitHub Desktop v.2.9.4 Warning! Download Update
Python 3.9.0 (64-bit) v.3.9.150.0 Warning! Download Update
TeamViewer v.15.24.5 Warning! Download Update
------------------------------ [ ArchAndFM ] ------------------------------
7-Zip 19.00 (x64) v.19.00 Warning! Download Update Uninstall old version and install new one.
------------------------------- [ Imaging ] -------------------------------
GIMP 2.10.28 v.2.10.28 Warning! Download Update
-------------------------- [ IMAndCollaborate ] ---------------------------
Discord v.0.0.309 Warning! Download Update
Zoom v.5.8.3 (1581) Warning! Download Update
--------------------------------- [ P2P ] ---------------------------------
qBittorrent 4.3.9 v.4.3.9 Warning! Download Update
-------------------------------- [ Media ] --------------------------------
VLC media player v.3.0.11 Warning! Download Update
iTunes v.12.11.4.15 Warning! Download Update ^Please use Apple Software Update tool.^
Audacity 2.4.2 v.2.4.2 Warning! Download Update
--------------------------- [ AdobeProduction ] ---------------------------
Adobe Acrobat DC v.20.006.20042 Warning! Download Update ^Please run Acrobat DC and go Help - Check for updates...^
------------------------------- [ Browser ] -------------------------------
Mozilla Firefox 86.0 (x64 en-US) v.86.0 Warning! Download Update
---------------------------- [ UnwantedApps ] -----------------------------
Bonjour v.3.1.0.1 Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended. Possible you became a victim of fraud or social engineering.
ryeoki Posted January 20, 2022 Author ID:1498295
Hello, all of the updates have been completed!
AdvancedSetup (Root Admin) Posted January 20, 2022 ID:1498299
Please get one last set of logs, and Maurice should follow up with you again tomorrow with any further directions.
@ryeoki To begin, please do the following so that we may take a closer look at your installation for troubleshooting:
NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.
Download the Malwarebytes Support Tool.
In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
In the User Account Control pop-up window, click Yes to continue the installation.
Run the MBST Support Tool.
In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
In the Advanced Options, click Gather Logs. A status diagram displays that the tool is getting logs from your machine.
A zip file named mbst-grab-results.zip will be saved to your desktop; please upload that file in your next reply.
Thank you