
xmr.2miners Trojan


Solved by Maurice Naggar

Practice not to make assumptions about the source of friction on Windows Update. I would appreciate this report, which will make some checks:

Download Farbar's Service Scanner utility and save it to your Desktop.

Right-Click on fss.exe and select Run As Administrator.

Answer Yes to OK when prompted.

If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are check-marked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender
  • Other services

Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run from. Please attach that file.

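As an added example (not from the thread and not part of the Farbar tool), this is a scriptable counterpart to the FSS checks above: it reports state, start mode and binary path for the core services behind Windows Update, the firewall, Security Center, Defender and System Restore, and flags anything missing, disabled, stopped when it should be running, or started from an unexpected location. The service names are the standard Windows ones; the list of trusted directories is an assumption for a stock client install.

```powershell
# Added example, not part of the thread or of the Farbar tool: a scriptable
# counterpart to the FSS checks above. It lists state, start mode and binary
# path for the core services behind Windows Update, the firewall, Security
# Center, Defender and System Restore, and flags anything missing, disabled,
# not running when it should be, or launched from an unexpected location.
# Run from an elevated PowerShell prompt; the service names are the standard
# Windows ones, the trusted roots are an assumption for a stock client install.
$services = @(
    'wuauserv', 'BITS', 'CryptSvc',   # Windows Update and its dependencies
    'MpsSvc', 'BFE',                  # Windows Defender Firewall
    'wscsvc',                         # Security Center
    'WinDefend', 'WdNisSvc',          # Microsoft Defender Antivirus
    'VSS', 'swprv'                    # System Restore / shadow copies
)
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, "$env:ProgramData\Microsoft") |
    ForEach-Object { $_.ToLowerInvariant() }

$report = foreach ($name in $services) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if (-not $svc) {
        [pscustomobject]@{ Service = $name; State = 'MISSING'; StartMode = '-'; Path = '-'; Finding = 'service not present' }
        continue
    }
    $findings = @()
    if ($svc.StartMode -eq 'Disabled') { $findings += 'start type is Disabled' }
    if ($svc.StartMode -eq 'Auto' -and $svc.State -ne 'Running') { $findings += 'automatic service is not running' }

    # Reduce 'C:\path\svc.exe -k args' or '"C:\path with spaces\x.exe" args' to the executable alone.
    $exe = $svc.PathName -replace '^"([^"]+)".*$', '$1' -replace '^(\S+\.exe).*$', '$1'
    $inTrusted = $trustedRoots | Where-Object { $exe.ToLowerInvariant().StartsWith($_) }
    if (-not $inTrusted) { $findings += 'binary outside the expected directories' }

    [pscustomobject]@{
        Service   = $name
        State     = $svc.State
        StartMode = $svc.StartMode
        Path      = $exe
        Finding   = $(if ($findings) { $findings -join '; ' } else { 'ok' })
    }
}

$report | Format-Table -AutoSize
# Save a copy beside the FSS log so the two runs can be compared before and after a fix.
$report | Out-File -FilePath (Join-Path $env:USERPROFILE 'Desktop\service-check.txt')
```

A "Disabled" start type on wuauserv, BITS or WinDefend is the kind of tampering the FSS log is meant to surface, and the saved report makes a before/after comparison straightforward.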

Here it is: FSS.txt

Also, I have another problem where Windows boots up really slowly, taking around 5 minutes. But booting into safe mode is completely fine.

My older brother is telling me that my Windows or SSD may be corrupted and resetting the PC would fix it, which I might do at this point. Would resetting the PC affect other hard drives' life, for example the D: drive?


Please run the following custom script. Read all of this before you start. Please close all open work.

Farbar program: FRST64.exe

Please download the attached fixlist.txt file and save it to C:\Users\arthu\Downloads


NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Use File Explorer to go to the Downloads folder.

RIGHT-Click on FRST64, select RUN as Administrator, and reply YES to allow it to go forward to start.

That is important so that this run has Elevated Administrator rights!

NEXT press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log in the Downloads folder (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.

NOTE-1: This custom script is intended to help with Microsoft Windows Update.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.

NEXT

I suggest to ensure that this PC is all up-to-date with security updates & cumulative updates on Windows. Select the Windows Start button, and then go to Settings > Update & Security > Windows Update, and click Check for Updates.
Have much patience.


Edited by Maurice Naggar

It looks to me like there was an older copy of the file FIXlist.txt. LOOK real close in the Downloads folder.

IF you see a file named FIXLIST.txt I very much need you to DELETE it.

Please run the following custom script. Read all of this before you start. Please close all open work.

Farbar program: FRST64.exe

Please download the attached fixlist.txt file and save it to C:\Users\arthu\Downloads


NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Use File Explorer to go to the Downloads folder.

RIGHT-Click on FRST64, select RUN as Administrator, and reply YES to allow it to go forward to start.

That is important so that this run has Elevated Administrator rights!

NEXT press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log in the Downloads folder (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.

NOTE-1: This custom script is intended to help with Microsoft Windows Update.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.

Edited by Maurice Naggar

Yes, Bravo, that is right. That run is good. Do the 2 things listed below, keep going forward. The FSS.exe you have from before. 

Right-Click on fss.exe and select Run As Administrator.

Answer Yes to OK when prompted.

If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are check-marked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender
  • Other services

Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run from. Please attach that file.

[ 2 ]

I would highly suggest to ensure that this PC is all up-to-date with security updates & cumulative updates on Windows. Select the Windows Start button, and then go to Settings > Update & Security > Windows Update, and click Check for Updates.
Have much patience.


IF you see a file named FIXLIST.txt I very much need you to DELETE it. I am sending a new one here.

Please run the following custom script. Read all of this before you start. Please close all open work.

Please download the attached fixlist.txt file and save it to C:\Users\arthu\Downloads


NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Use File Explorer to go to the Downloads folder.

RIGHT-Click on FRST64, select RUN as Administrator, and reply YES to allow it to go forward to start.

That is important so that this run has Elevated Administrator rights!

NEXT press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log in the Downloads folder (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.

NEXT

After that, do a new run of Windows Update.

Edited by Maurice Naggar

Here's the fixlog: Fixlog.txt

But I still can't run Windows Update (if the fix was to fix it); it's just gone, like it won't load still. Also, the taskbar icons do not appear for the first few minutes after startup, but the icons and any notifications all appear at once after those few minutes, with Windows Update still being broken. Would you say that resetting Windows would fix this?

Fixlog.txt


Patience is appreciated. This is a different / other run. IF you see a file named FIXLIST.txt I very much need you to DELETE it. I am sending a new one here.

Please run the following custom script. Read all of this before you start. Please close all open work.

Please download the attached fixlist.txt file and save it to C:\Users\arthu\Downloads


NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Use File Explorer to go to the Downloads folder.

RIGHT-Click on FRST64, select RUN as Administrator, and reply YES to allow it to go forward to start.

That is important so that this run has Elevated Administrator rights!

NEXT press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log in the Downloads folder (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.

NEXT

Wait a couple of minutes for Windows to settle in after the restart. Then do a new run of Windows Update.

Edited by Maurice Naggar

One other request. Please. 

Can you please do the following?

  • In your Downloads folder, launch the mb-support-1.8.7.918.exe file
  • In the User Account Control pop-up window, click Yes to continue and to allow it to run
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, place a checkmark on all of the Repair System entries.
  • Then click on the Repair System button and allow it to run and restart the system.

NEXT

Then once the system is settled back, please do this: While using File Explorer, look in your Downloads folder, and start one more time the mb-support-1.8.7.918.exe file.

Once you start it click Advanced >>> then Gather Logs

Have patience till the run has finished.
Attach the mbst-grab-results.zip from the Desktop to your reply.



Here's the logs: mbst-fix-results.txt

On Windows Defender, there is a program detected called "PUA:Win32/GameTool" that has an Active status and is located in C:\$Recycle.Bin\S-1-5-21-2132396317-601700084-266138492-1001\$RS1SU5U.exe. I looked online and it seems to be a virus that could be the result of my problems(?). I've tried to block it using Windows Defender but it keeps coming back. Also, I'm pretty sure it came with the miner trojan by looking at the date.

I checked out this article here: https://howtofix.guide/pua-win32-gametool/ Would the software they recommend (being GridinSoft Anti-Malware) be useful to remove this?



One CANNOT run Windows Update in "safe" mode, unless you truly mean Safe Mode WITH NETWORKING.

On the Recycle Bin, go ahead and EMPTY the Recycle Bin. https://support.microsoft.com/en-us/windows/empty-the-recycle-bin-in-windows-10-d4c8f8ef-a12e-8250-b0cf-2311960a31f9#

I will be out for a few hours to run an errand. Will get back to you later.

While using File Explorer, look in your Downloads folder, and start one more time the mb-support-1.8.7.918.exe file.

Once you start it click Advanced >>> then Gather Logs

Have patience till the run has finished.
Attach the mbst-grab-results.zip from the Desktop to your reply.

Edited by Maurice Naggar

If Windows is up and running now, be sure to empty the Recycle Bin.
Be sure to do a quick scan with Microsoft Defender antivirus.

Further to reply above. In order for us to make progress, the Windows needs to be in normal mode.
Restart Windows.
Press and HOLD the SHIFT key on the keyboard during the load-up/startup of Windows, and keep holding during the log-in procedure.
This key-press should minimize the amount of auto-started apps in the Startup folder of the system.

I do need the report I cited above. Thank you.


mbst-grab-results.zip

I emptied the recycle bin and it's still there after a Windows scan. I tried going into File Explorer and deleting it from there by going into the C:/$RecycleBin folder. However, running a scan again shows that it popped right back, meaning another program is installing it. In the next reply I'll get back to you with the shift key thingy.

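An added example, not from the thread, for the situation described in the post above (a detected file that reappears after every deletion): rather than deleting it by hand again, ask Defender's own detection history which process was associated with each detection of the named threat. It uses the Get-MpThreat and Get-MpThreatDetection cmdlets that ship with Microsoft Defender; the threat name is the one the thread reports and should be replaced with whatever Defender shows.

```powershell
# Added example, not part of the thread: query Defender's detection history to
# see which process is associated with each detection of the named threat,
# instead of repeatedly deleting the file by hand.
# Run from an elevated PowerShell prompt. The detection name is the one the
# thread reports; change it to whatever Defender shows on your system.
$threatName = 'PUA:Win32/GameTool'

# Get-MpThreat is the catalogue (ThreatID -> ThreatName); Get-MpThreatDetection
# holds the individual detection events, which only carry the ThreatID.
$names = @{}
Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }

$rows = Get-MpThreatDetection |
    Where-Object { $names[$_.ThreatID] -like "$threatName*" } |
    Sort-Object InitialDetectionTime |
    ForEach-Object {
        [pscustomobject]@{
            Time       = $_.InitialDetectionTime
            Threat     = $names[$_.ThreatID]
            Process    = $_.ProcessName             # process recorded with the detection
            User       = $_.DomainUser
            Resource   = ($_.Resources -join '; ')  # file:_C:\... style resource paths
            Remediated = $_.ActionSuccess
        }
    }

$rows | Format-Table -AutoSize

# A file that comes back after every cleanup points at something still running
# or scheduled; the process seen most often is where to look next.
$rows | Group-Object Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

If the process column is empty for every event, the file was found by a scheduled or on-demand scan rather than on write, and the MBST and FRST logs requested in the thread are the next place to look for what recreates it.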

My PC now bluescreens on startup with the permanent blue screen. After pressing the restart button on my PC it brings me to the screen below. All because I pressed shift lol. I tried to troubleshoot the PC with the startup repair, but it says it can't fix it. There is a system restore file dating back to the 22nd of March, should I do it?


Just go carefully. Yes, if you see a Restore Point from 28 March then select that one to do a Restore.

When the system is back in working condition, make sure the ZIP of the game crack mentioned below is deleted:

Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:Win32/GameHack!MSR&threatid=2147743021&enterprise=0
Name: HackTool:Win32/GameHack!MSR
Severity: High
Category: Tool
Path: file:_C:\Users\arthu\Downloads\rbxfpsunlocker-x64 (1).zip

Hacks & cracked games or apps are the leading source of malware corruption.

I would urge you highly to stay far away from hack / cracked software of any sort. Whether a so called free program or free game, or whatever.
Hidden risks in pirated software
https://news.microsoft.com/apac/2019/01/08/hidden-risks-in-pirated-software/
Why You Shouldn't Use Pirated Software
https://www.computer.org/publications/tech-news/trends/why-you-shouldnt-use-pirated-software

Torrenting & file-sharing. Try to not do that, as a general security matter. All it takes is one malicious file to lead to tragedy & loss.
https://informationsecuritybuzz.com/articles/torrenting-know-risks-take/

DON'T FALL FOR THE MONEY-SAVING LURE OF CRACKED SOFTWARE
https://scambusters.org/crackedsoftware.html

Edited by Maurice Naggar
