Jump to content

Bitcoin.Trojan.Miner.DDS + Trojan.Agent.E ( rogue microsoftaudio)


Go to solution Solved by Maurice Naggar,

Recommended Posts

  • Replies 53
  • Created
  • Last Reply

Top Posters In This Topic

Hello   :welcome: @inbar

Please  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

Gotta have history and all logs from Malwarebytes for Windows. 

 [   2   ]

  • I would like a report set for review.   This is a report only.

Please download MALWAREBYTES MBST Support Tool

Once you start it click Advanced >>> then   Gather Logs

 Have patience till the run has finished.

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

 

  • Please attach  mbst-grab-results.zip    to your reply 
Edited by Maurice Naggar
Link to post
Share on other sites

* Next to do after you hae sent the ZIP report 

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on Scan Options & select  CUSTOM scan  & then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.  

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on screen display.  The only things that count are the End result at the end of the run.
  • Again, any on-screen display about repeat 'infection' is not to be relied on.  Ignore those.
  • We only rely on the end result that is on the log-report-file.

 

This is likely to run for many hours   ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log  

the log will be at  

Windows\debug\msert.log

Please attach that log with your reply. We will do more later.

Link to post
Share on other sites

Hello. I got the ZIP report and am poring over it. Once after I get the results from you of the Safety scanner run, then I will relay a custom fix script. Meantime ...

Do no more self-mediaction  ( meaning downloading and running other tools). I noticed you hae run quite a number of tools. And I ask you to NOT run Discord while the case is still open.

  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".

Your topic will be closed if you haven't replied within 4 days!
If I have not replied to your last post after 36 hours, please then send me a P M.

 

Link to post
Share on other sites

Start Malwarebytes. Click Settings ( gear ) icon. Next, lets make real sure that Malwarebytes does NOT register with Windows Security Center

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off   .... be sure that line's  radio-button selection is all the way to the Left.  thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows trial    😃.

Close Malwarebytes.

>

This custom script is for  INBAR  only / for this machine only.

Be very sure to Save any work-files you have open at this point. Close & Save any open edits, if any. Next, a custom script to do  checks & some  cleanups. This is really just housekkeping.

We will use FRSTEnglish  on the Downloads  folder to run a custom script.    The system will be rebooted after the script has run.

This custom script has some specific things, plus some general aspect to help the system overall.  Hoping it will not exceed 60 minutes in execute time.

NOTE-1:  This script will  run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. .  It will rebuild the Winsock.  It's main goal is to remove any leftover traces of the pest related to "XR.exe" ( xr.zip), microsoftaudio rogue, & the rogue "errorreport".

NOTE-2: This should run a quick scan with MS Defender antivirus and remove outstanding action items, if any. This will also attempt to beef up a bit the MS Defender antivirus.

NOTE-3: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. 

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome,  and Opera  & BRAVE caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

  •  
  • Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 

  • If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.
  • Please save the (attached file named) FIXLIST.txt   to the   Downloads   folder

Fixlist.txt          <<< - - - - -

Then, Start the Windows Explorer and then, go  to the Downloads   folder.


RIGHT click on FRSTENGLISH    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

  • IF you get a block message from Windows about this tool......

               click line More info information on that screen
               and click button Run anyway on next screen.

  • on the FRST window:

Click the Fix button just once, and wait.

frst-fix.jpg.f6a25291b39a03d418acc9a3b7136900.jpg

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

Link to post
Share on other sites

Hello @inbar

What you should try is to get Windows into Safe Mode  & then do the FIX task just like I had listed.  Should have a better chance in "safe mode with Networking"

https://www.bleepingcomputer.com/tutorials/how-to-start-windows-10-in-safe-mode-with-networking/

When all done, then Restart Windows back into normal/regular mode.

Link to post
Share on other sites

At this point, let us do this. 

This next tool ought to take something in the range of 15 - 25 minutes tops, depending on hardware speed.
get & run the Malwarebytes MBAR anti-rootkit tool to do 1 run with it.
Disregard the title subject of the topic.Run the MBAR tool as listed here 

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes

  • when done, I need the MBAR logs.
  • Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created.
  • Both files can be found in the extracted MBAR folder on your Desktop.
  • Please attach both files in your next reply.

 

Link to post
Share on other sites

Thank you for the MBAR reports. That is a very worthwhile run, in that it found & removed 1 trojan file that is one element of the cluster deployed by this malicious malware. Let us now do 2 cleanup tasks.
[ A ]
Do a special run with Malwarebytes for Windows, after a update run.

Start Malwarebytes. Click Settings ( gear ) icon. 

  • Click the Security Tab
  • Scroll down and lets be sure the line in SCAN OPTIONs for
  • "Scan for rootkits" is ON 👈   Click it to get it ON if it does not show a blue-color .
  • Now click on the GENERAL tab
  • Do a Check for Update using the Malwarebytes Settings >> General tab.

See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

When it shows a new version available, Accept it and let it proceed forward.  Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

  • Next, the Malwarebytes scan.
  • Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

>>>>>>      👉      You can actually click the topmost left  check-box  on the very top line to get ALL lines  ticked   ( all selected).         <<<<     💢

MB4_scan_tick_ALL.jpg.954dd31097351eba2c305a1321a445d6.jpg

 

Please double verify you have that TOP  check-box tick marked.   and that then, all lines have a tick-mark

 

Then click on Quarantine  button.

MB4_scan_all_Quarantine2.jpg.99b8d9b73d90d347577ae0826ac406b1.jpg

 

Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

 

😉

[ B }
Keep going, and do the custom-script with FRSTENGLISH & the Fixlist which I listed before at this link. The 2 must be saved on the same folder in order for the Fix to work. Yours is at C:\Users\inbar\Downloads\FRSTEnglish.exe
https://forums.malwarebytes.com/topic/286008-i-have-a-virus-erorrreportexe-and-xrexe-i-remove-it-and-it-comes-back/?do=findComment&comment=1512569

Link to post
Share on other sites

  • AdvancedSetup changed the title to Bitcoin.Trojan.Miner.DDS + Trojan.Agent.E ( rogue microsoftaudio)

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/25/22
Scan Time: 8:13 PM
Log File: 01d51f3c-c4bb-11ec-ac48-040e3c2e5058.json

-Software Information-
Version: 4.5.8.191
Components Version: 1.0.1666
Update Package Version: 1.0.54165
License: Trial

-System Information-
OS: Windows 10 (Build 19044.1645)
CPU: x64
File System: NTFS
User: tigereyes\inbar

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 368240
Threats Detected: 9
Threats Quarantined: 9
Time Elapsed: 7 min, 53 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 3
PUP.Optional.RegHunter, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\RegHunterStartup, Quarantined, 3804, 331716, , , , , , 
PUP.Optional.RegHunter, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{C669AB21-28B0-461D-A035-74D528C0B847}, Quarantined, 3804, 331716, , , , , , 
PUP.Optional.RegHunter, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{C669AB21-28B0-461D-A035-74D528C0B847}, Quarantined, 3804, 331716, , , , , , 

Registry Value: 2
PUP.Optional.RegHunter, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{C669AB21-28B0-461D-A035-74D528C0B847}|PATH, Quarantined, 3804, 336834, 1.0.54165, , ame, , , 
Backdoor.Orcus, HKU\S-1-5-21-805586516-1131551213-3014219154-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|MicrosoftAudio, Quarantined, 3945, 1030089, , , , , , 

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 4
PUP.Optional.RegHunter, C:\WINDOWS\SYSTEM32\TASKS\REGHUNTERSTARTUP, Quarantined, 3804, 331716, 1.0.54165, , ame, , DAB4A67857E363B18D257D35569B85FF, F7A9B1DD4B78A214561D72E55C10A6533DBCBAA9DC448A2938FCF644FB12BD20
Backdoor.Orcus, C:\USERS\INBAR\APPDATA\ROAMING\MICROSOFT\MICROSOFTAUDIO.EXE, Quarantined, 3945, 1030089, 1.0.54165, , ame, , 0278A300BAA7B8333EC25DC53883A214, D5EEA9DAEEC5EEC69F950F8A7592E1920BE72B267FEE26124E327A4E32107216
PUP.Optional.RegHunter, C:\PROGRAMDATA\ENIGMA SOFTWARE GROUP\RH_INSTALLER.EXE, Quarantined, 3804, 803112, 1.0.54165, , ame, , A957FAF65C68C890A9D0E91581A079E9, A595191C557F5DFB2D0CECEDCB4309B18437231993322C3725A8DDBE86CA0FCD
Bitcoin.Trojan.Miner.DDS, C:\USERS\INBAR\APPDATA\LOCAL\TEMP\XR.ZIP, Quarantined, 1000002, 0, 1.0.54165, 096F3309F690CC764CC7E0D9, dds, 01743266, C2241658445AC74C76F4205F9372E739, A692099271AD92040D0D3ADA38F3BD5D0353DE420EF8DA9610F3ED54F7C23CB1

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

Link to post
Share on other sites

That is good. Thank you. Let's do one scan with Malwarebytes Adwcleaner to check for adwares. Just before pressing that "scan" button, be sure that Chrome & Edge, or other web browser are Closed.

It will not take much time,

First download & save it

https://support.malwarebytes.com/hc/en-us/articles/360038520054-Download-and-install-Malwarebytes-AdwCleaner

 

Then be sure to close all web browsers.

Then go to where the EXE file is saved. Start Adwcleaner.  Then do a scan with Adwcleaner

https://support.malwarebytes.com/hc/en-us/articles/360038520114-Malwarebytes-AdwCleaner-scan-and-clean

Attach the clean log. And, kindly adise me, How is the system at this point?

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.