Jump to content

Backdoor.Orcus , Trojan.BitCoinMiner /AppData - Local/Roaming


Go to solution Solved by Maurice Naggar,

Recommended Posts

I recently noticed an app called XMRig Miner in Task Manager. I've tried everything to get rid of it, but it keeps reappearing. Another Coin Miner was shown by Autoruns. I believe there are three Coin Miners in total.  Kaspersky Antivirus does find these, but they come back. Scanned with Malwarebytes and they are still there.

Przechwytywanie.PNG.45ef7ac7220c41341d0ddf8b2a5cda4d.PNG

image.png.06a2e1cef103d0f87848393165a1d2dc.png

VirusTotal reports for the three files:

https://www.virustotal.com/gui/file/915d3eec9e710b83a5f7db70cb8333db1adedc74568b5c3a526802ef040f7765

https://www.virustotal.com/gui/file/19a2f9ab341ea2e192ef2282852a846e71479c6d896b8d6db4eccbb82c0ccf2b

https://www.virustotal.com/gui/file/a2486fa436b4b68fdaeaee4e1951c2bbc62fd878acf7f74701fee88dc6a9000d

Espeon Dll that comes along with the Miner:

https://www.virustotal.com/gui/file/eb786d09e7f0894c6c4c54d1705718ec99a7dc2f3c5b31a5aadda06e222f1c15

And, there's another file called Epson.zip in the Temp folder.

malwarebytes-scan.txt

AdwCleaner[S00].txt

FRST.txt

Addition.txt

Shortcut.txt

Link to post
Share on other sites

Hello @garry440 :welcome:  I will guide you. 

Lets make sure that this pc is not used to do free-wheeling websurfing, or online games or other purposes till we close the case.  

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on Scan Options & select  CUSTOM scan  & then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.  

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on screen display.  The only things that count are the End result at the end of the run.
  • Again, any on-screen display about repeat 'infection' is not to be relied on.  Ignore those.
  • We only rely on the end result that is on the log-report-file.

 

This is likely to run for many hours   ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log  

the log will be at  

Windows\debug\msert.log

Please attach that log with your reply. We will do more later.

Link to post
Share on other sites

The MSERT scan will take several hours. AFTER that has completed, carefully do as listed below. 

Start Malwarebytes. Click Settings ( gear ) icon. Next, lets make real sure that Malwarebytes does NOT register with Windows Security Center

  • Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off   .... be sure that line's  radio-button selection is all the way to the Left.  thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows    😃.

  • Now click on the GENERAL tab

Do a Check for Update using the Malwarebytes Settings >> General tab.

See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

When it shows a new version available, Accept it and let it proceed forward.  Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

  • Next, the Malwarebytes scan.
  • Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

>>>>>>      👉      You can actually click the topmost left  check-box  on the very top line to get ALL lines  ticked   ( all selected).         <<<<     💢

MB4_scan_tick_ALL.jpg.954dd31097351eba2c305a1321a445d6.jpg

 

Please double verify you have that TOP  check-box tick marked.   and that then, all lines have a tick-mark

 

Then click on Quarantine  button.

MB4_scan_all_Quarantine2.jpg.99b8d9b73d90d347577ae0826ac406b1.jpg

 

Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

There will be more to do. Stick with me, please. There is more yet to do.

Link to post
Share on other sites

This last scan-run of Malwarebytes for Windows did remove some threats. At this point, I need very much for you to Exit/Close any sessions of Discord. Plus Uninstall any and all versions of Discord thru use of Control Panel >>>Programs & Features. It is quite likely Discord has been compromised on this box and what is making things more complex.

*

Be very sure to Save any work-files you have open at this point. Close & Save any open edits, if any. Next, a custom script to do  checks & some  cleanups.

We will use FRST64  on the Downloads folder to run a custom script.    The system will be rebooted after the script has run.

This custom script is for  Garry440  only / for this machine only.

 

This custom script has some specific things, plus some general aspect to help the system overall.  Hoping it will not exceed 60 minutes in execute time.

NOTE-1:  This script will  run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. .  It will rebuild the Winsock. It will reset the Windows firewall rules.

NOTE-2: It will insure that the last of "rogues /trojans" are gone.

NOTE-3: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. 

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome,  and Opera  & BRAVE caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

  •  
  • Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 

  • If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.
  • Please save the (attached file named) FIXLIST.txt   to the   Downloads   folder

Fixlist.txt             <<< - - - - -

Then, Start the Windows Explorer and then, go  to the Downloads   folder.


RIGHT click on FRST64    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

  • IF you get a block message from Windows about this tool......

               click line More info information on that screen
               and click button Run anyway on next screen.

  • on the FRST window:

Click the Fix button just once, and wait.

frst-fix.jpg.f6a25291b39a03d418acc9a3b7136900.jpg

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity. Stick with me. There will be more to do.

Kindly too, no more screen  grabs of folder of RTP block detections. Much much prefer to have the actual Log itself from Malwarebytes.

Link to post
Share on other sites

  • AdvancedSetup changed the title to Backdoor.Orcus , Trojan.BitCoinMiner /AppData - Local/Roaming

Good morning. Thanks. 

do a new Threat Scan with Malwarebytes for Windows  and post back the log

 go to the main Malwarebytes Window.   Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

>>>>>>      👉      You can actually click the topmost left  check-box  on the very top line to get ALL lines  ticked   ( all selected).         <<<<     💢

MB4_scan_tick_ALL.jpg.d04ef98c885b4f44f51bfe735922fba7.jpg

 

Please double verify you have that TOP  check-box tick marked.   and that then, all lines have a tick-mark

 

Then click on Quarantine  button.

MB4_scan_all_Quarantine.jpg.8639e1dfc2301bc6d60a8cfb3c339241.jpg

 


Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

Link to post
Share on other sites

  • Solution

Next steps:

Uninstall Java 8 Update 111 

1. Press & hold  the Windows key on keyboard & then tap the R key   to open the Run box-window.
2. Type

appwiz.cpl

and tap Enter.
The Programs and Features window will appear.   Locate on the list "Java 8 Update 111"

Right-click on it & select Uninstall.

Close Control Panel window

*

Be very sure to Save any work-files you have open at this point. Close & Save any open edits, if any. Next, a custom script to do  checks & some  cleanups.

We will use FRST64  on the Downloads folder to run a custom script.    The system will be rebooted after the script has run.

This custom script is for  Garry440 /441  only / for this machine only.

There are 2 Path exclusions on settings of MS Defender that we need to remove. Also, would like to attempt to do 3 specific scans with MS Defender antivirus.

  • Please save the (attached file named) FIXLIST.txt   to the   Downloads   folder

Fixlist.txt             <<< - - - - -

Then, Start the Windows Explorer and then, go  to the Downloads   folder.


RIGHT click on FRST64    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

  • IF you get a block message from Windows about this tool......

               click line More info information on that screen
               and click button Run anyway on next screen.

  • on the FRST window:

Click the Fix button just once, and wait.

frst-fix.jpg.f6a25291b39a03d418acc9a3b7136900.jpg

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity. Stick with me. There will be more to do.

Kindly too, no more screen  grabs of folder of RTP block detections. Much much prefer to have the actual Log itself from Malwarebytes.

After this has completed, Tell mw, How is the system as relates to initial issues of this case ?

Link to post
Share on other sites

Good run. Thank you. I would recommend getting a readout report as to update the status of some key apps.

                               This tool is safe.   Smartscreen is overly sensitive.

Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

Link to post
Share on other sites

NVIDIA GeForce Experience 3.24.0.126 v.3.24.0.126  Warning! Download Update

Notepad++ (32-bit x86) v.8.1.1  Warning! Download Update

WinRAR 5.91 (32-bitowy) v.5.91.0  Warning! Download Update
 
paint.net v.4.2.16  Warning! Download Update

ProtonVPN v.1.25.2  Warning! Download Update

QuickTime 7 v.7.79.80.95  Warning! This software is no longer supported. Please uninstall it and use another software.

Mozilla Firefox (x64 pl) v.98.0.2 Warning! Download Update

Windows Live Essentials v.16.4.3528.0331 Warning! This software is no longer supported.
*
Once you have taken care of these matters, your machine is good-to-go.

 :D This is the all clear for this case. This next tool is to cleanup the tools we used during this case.What follows is just a tools cleanup. 

Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • You may attach that file to your next reply. (not compulsory)
Edited by Maurice Naggar
Link to post
Share on other sites

I am marking the case for closure. Consider using PatchMyPC, keep all your software up-to-date - https://patchmypc.com/home-updater#download

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

SAFETY TIPS:

Backup is your best friend.  Keep backups of your system on a regular basis to offline storage & keep those safe. https://forums.malwarebytes.com/topic/136226-backup-software/

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".
Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html

Only using the Standard-access-level user account when surfing and downloading / installing would have been a tremendous way to prevent the infections of this machine.


Don't remove ( or change )  your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"  

Stay safe.

Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.