xmr.2miners.com - cmd.exe

[Asegeir]

 Hello,

I have recently noticed my system has a trojan working on it.

Malwarebytes frequently notifies me that it has blocked an outgoing website to location xmr.2miners.com.

What caught my eye was my CPU % usage was very high for a moment upon opening Task Manager and after that moment all appeared as normal.

So I installed Remote Process Explorer and discovered cmd.exe using a steady 29.16% of my CPU amongst other notable symptoms.

How can I strip this parasite off my machine.

Help much appreciated,

 Thankyou

[Maurice Naggar]

Hello  

I will guide you along on looking for remaining malware. Lets keep these principles as we go along.

• Removing malware can be unpredictable
• Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
• Only run the tools I guide you to.
• Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
• The removal of malware isn't instantaneous, please be patient.
• Cracked or or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
• Please stick with me until I give you the "all clear".
• If your system is running Discord, please be sure to Exit out of it while this case is on-going.

I would like a report set for review. This is a report only.

Please download MALWAREBYTES MBST Support Tool

Once you start it click Advanced >>> then Gather Logs

Have patience till the run has finished.
Attach the mbst-grab-results.zip from the Desktop to your reply..

[Asegeir]

mbst-grab-results.zip

Hello Maurice,

zip attached.

[Maurice Naggar]

Thanks. There is a new-fangled malware here. Have patience. We will need to do several "rounds".

Please set File Explorer to SHOW ALL folders, all files, including Hidden ones. Use OPTION ONE or TWO of this article
Please use this Guide

Please run this special purpose custom script. Read all of this before you start. Please Close all open work.

Please download the attached fixlist.txt file and save it to Downloads folder

Fixlist.txt < - - -

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

IF the FRSTENGLISH ( Farbar FRST) issues a error message when you start this tak-run, then Please Stop and let me know the "error exception message", then wait for me to make a new reply.

Use File Explorer to go to the Downloads folder

RIGHT-Click on   FRSTENGLISH and select

RUN as Administrator

and reply YES to allow it to go forward to start.

That is important so that this run has Elevated Administrator rights !!

NEXT press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Downloads folder (Fixlog.txt) . 

Note: If the tool warned you about an outdated version please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.

[Asegeir]

 Hello,

a moment or two after Fix started. I received this message.

 

[Maurice Naggar]

Be sure that you have done a Windows Restart. plus, kindly, get a fresh report for me.

Your machine has the FRSTENGLISH report tool on the Downloads folder. We will use that. Go to Downloads folder. RIGHT-click on FRSTENGLISH and select 

Run as Administrator

and tap ENTER. And reply YES to allow to proceed.  

•  When the tool opens click Yes to the disclaimer.  And be very sure to TICK the box for Addition.txt
• Press the Scan button.

• It will make a log (FRST.txt & Addition.txt) in the same directory the tool is run
• Have patience since the run may take something like 10 or so minutes  (less depending on your hardware speed)
• Close Notepad IF those show up on Notepad.
• Just please Attach the 2 files FRST.txt +Addition.txt  with your next reply.

Also do 2 special scans, as follows

Use File Explorer. Drill down to the sub-folder C:\Program Files\WindowsMalwareProtection

when you have it in sight, ( preferrably showing on the left-side tree-view frame) do a RIGHT - click on it and on the fly-out options, pick "Scan with Malwarebytes".

Hopefully the executables will be flagged & removed by Malwarebytes.

And when done, repeat the RIGHT-click procedure, and then select "Scan with Microsoft Defender antivirus" 

[Maurice Naggar]

NOTE: The infection(s) here are likely banking trojans, with possibilities of lifting of data. Please refrain from doing any banking or shopping on this machine until after I give the all-clear.

Do not do any loose web-surfing on this machine. Go to only this forum & those places I provide links to for tools & other cleanup.

You want to keep a real close monitor on your financial accounts  ( but only use other safe devices for that purpose).

and if you have a known-clean 'other' device ( one other than this Windows here) then consider changing your financial passwords to real-strong new passwords. 

1Password Strong Password Generator
https://1password.com/password-generator/

If you're really interested in Password strength see this post https://forums.malwarebytes.com/topic/284814-are-your-passwords-in-the-green/

[Asegeir]

Thank you for the warnings and advice. I will have to continue this tomorrow it is late (UK).

[Maurice Naggar]

Good morning. I am looking forward to your doing this list https://forums.malwarebytes.com/topic/297552-xmr2minerscom-cmdexe/?do=findComment&comment=1565874

I will have  more for you soon. There will be more to do.

[Asegeir]

 Hello Maurice,

Here are the two .txt's

FRST.txtAddition.txt

 

However, when attemping to locate this dir "C:\Program Files\WindowsMalwareProtection"

I was unable to do so; nor in \Program Filesx86\ dir.

[Maurice Naggar]

Thank you. It looks like we managed to remove the 2 rogue/trojan scheduled tasks, plus the rogue folder.
Here is what I would like you to do next.
( 1 )
Do one new Scan with Malwarebytes.

( 2 )
Next, after that scan, then do a adjustment. Start Malwarebytes. Click Settings ( gear ) icon. Next, lets make real sure that Malwarebytes does NOT register with Windows Security Center

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off   .... be sure that line's  radio-button selection is all the way to the Left.  thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows    😃.

Close Malwarebytes.

( 3 )

Sophos Scan & Clean

Download Sophos Free Virus Removal Tool and save it to your desktop.

• If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....
• Please close all other open applications and Do Not use your PC whilst the scan is in progress... This scan is very thorough so it may take several hours to complete, please be patient...

Double click the icon and select Run

Click Next

Select I accept the terms in this license agreement, then click Next twice

Click Install

Click Finish to launch the program

• Once the virus database has been updated click Start Scanning

If any threats are found click Details, then View log file... (bottom left hand corner)

 

Attach the results in your next reply

• Close the Notepad document, close the Threat Details screen, then click Start cleanup

Click Exit to close the program

 

If no threats were found please confirm that result...

• The Virus Removal Tool scans the following areas of your computer:
• Memory, including system memory on 32-bit (x86) versions of Windows
• The Windows registry
• All local hard drives, fixed and removable
• Mapped network drives are not scanned.

Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

 

Saved logs are found under this sub-folder: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs 

Please attach that log on your next reply

Thank you

[Asegeir]

 Good Evening Maurice,

.log file attached.

SophosScanAndClean_20230504_2031.log

 

Contrary to your instruction, Sophos software was ready to use without need for installation.

As you will see, a tracking cookie was located, though, I wasn't presented with a choice to clean it out.

I don't think this is of any high priority but I thought I would share it with you.

[Maurice Naggar]

Good evening. I appreciate your note and the report. No threats detected. The cookie cited is one that looks like a advert trace.
These next 2 steps will not take long.
Do a new scan with Malwarebytes for Windows. Launch Malwarebytes.
Do a Check for Update using the Malwarebytes Settings >> General tab.

See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

When it shows a new version available, Accept it and let it proceed forward. Be sure it succeeds.
If prompted to do a Restart, just please follow all directions.

Next, click the small x on the Settings line to go to the main Malwarebytes Window.  Next click the blue button marked Scan.
If any items are flagged, insure to select all such lines, so that they are quarantined.
After it is all done, Exit the program. We then want a new report.
( 2 )

Find and then launch mb-support-1.8.7.918.exe
Once you start it click Advanced >>> then Gather Logs

Have patience till the run has finished. It will take several minutes to generate a report set.
Attach the mbst-grab-results.zip from the Desktop to your reply..

[Asegeir]

 Maurice,

Grabs attached.

mbst-grab-results.zip

[Maurice Naggar]

Thank you. IF today there was a IP Block notice by Malwarebytes ( like when Firefox is in use) then be real sure to let me know. The Windows Operating system on this device is 'behind' in terms of not being on the very latest "22H2" Feature Update build. It happens to still be on the 2021 Fall update. You need to be on 22H2, the Fall 2022 one.

These next steps can be referred to as a Windows 10 repair-install in place.
If this machine is a laptop or notebook, be sure it is connected to power thru a regular power cord to regular electric power.
( that is to say, not be on battery power).

1. Back up your personal data and files to an external hard drive, USB thumb drive.
2. Restart Windows.
3. Ensure you are signed in or have administrator rights to do a repair install
4. Unplug all external peripherals except for the Mouse, Keyboard, and LAN cable before starting. { unplug printers, copyers, fax machines, if any)

Download the Microsoft Update Assistant on the Microsoft page  ( click on the blue-color Update now button )
https://www.microsoft.com/en-us/software-download/windows10

or from https://go.microsoft.com/fwlink/?LinkId=691209

After it is completely saved.
Start the tool and select "Upgrade this PC now."

Make sure to select " Keep personal files and apps. "

It will take some time to run & complete. Your computer will restart a few times, Make sure you don’t turn off your PC
If you see a dark screen at times, do not fret.  Just simply move the mouse pointer around the screen or press the space bar to trigger a screen display refresh.
 

[Asegeir]

 Hope you had a good weekend Maurice,

my OS is now up to date and appears to be clear of any parasites.

Is there anything further that needs to be done or shall we conclude this support thread.

I am curious to know what files this piece of malware was using/creating or attached to and what its functions were on my system.

 Thankyou for your help

[Maurice Naggar]

Hello. I am glad to know that Windows O S is now current. I would like to see result from this next report. 

Temporarily disable Microsoft SmartScreen to download the next software below 

I would recommend getting a readout report as to update status of some key apps.
Download SecurityCheck by glax24 from here

and save the tool on the desktop.

                   If Windows's  SmartScreen block that with a message-window, then
                         Click on the MORE INFO spot and over-ride that and allow it to proceed.

                             This tool is safe.   Smartscreen is overly sensitive.

Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

When all done, you may go back to turn ON the EDGE Smartscreen protection.

As to your question, I need to defer for later --- I would need to review the prior reports.

[Maurice Naggar]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you

 

 

[Maurice Naggar]

Hello. These apps were flagged as needing your attention.
Git v.2.36.1  Warning! Download Update

Oracle VM VirtualBox 6.1.22 v.6.1.22  Warning! Download Update

Microsoft Visual Studio Code (User) v.1.68.1  Warning! Download Update

Notepad++ (32-bit x86) v.8.4.8  Warning! Download Update

7-Zip 19.00 (x64) v.19.00  Warning! Download Update
Uninstall old version and install new one.

Discord v.0.0.309  Warning! Download Update

Zoom v.5.10.4 (5035)  Warning! Download Update

Mozilla Firefox (x64 en-GB) v.112.0.2  Warning! Download Update

Edited May 15 by Maurice Naggar