
Is my laptop infected with a cryptojacker?


Solved by Maurice Naggar


Hello, I suspect that I have crypto-mining malware on my laptop. Every now and then the CPU usage spikes a little, 20% to 35%. I've tried several tools to analyze the malware; I tried scanning with Malwarebytes, but it found no threats. But I still suspect there is crypto-mining malware on my machine. How can I be sure that there's no crypto-jacking malware on my machine?

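As an added example that is not part of the original thread: the question above is really "which process is responsible for the 20-35% CPU, and does it look legitimate?". The PowerShell function below measures that instead of eyeballing Task Manager. It samples every process's cumulative CPU time at the start and end of a window, reports anything whose average share of total machine CPU stayed above a threshold, and for each hit shows the executable path, its Authenticode signature status and its command line. The function name, the parameter names and the 15% threshold are my choices, not anything from the thread or from Malwarebytes; the script only reports and changes nothing.

```powershell
# Added example (not from the thread): attribute sustained CPU use to processes.
# A cryptominer shows up as a process that keeps consuming CPU for minutes at a
# time, usually from an unexpected path and without a valid publisher signature.
# Run from an elevated PowerShell so the paths of other users' processes are
# readable. Nothing here terminates or deletes anything; it only reports.
function Get-SustainedCpuConsumers {
    param(
        [int]$WindowSeconds = 60,        # length of the measurement window
        [double]$ThresholdPercent = 15   # report processes above this average share
    )

    $cores = [Environment]::ProcessorCount

    # First snapshot: cumulative CPU time per PID at the start of the window.
    # PID 0 (Idle) is skipped because its "CPU time" is the idle time itself.
    # Protected/system processes may not expose TotalProcessorTime; skip those.
    $start = @{}
    foreach ($p in Get-Process) {
        if ($p.Id -eq 0) { continue }
        $t = $p.TotalProcessorTime
        if ($null -ne $t) { $start[$p.Id] = $t.TotalSeconds }
    }

    Start-Sleep -Seconds $WindowSeconds

    # Second snapshot: the delta divided by (window x cores) is the average
    # share of total machine CPU the process used during the window.
    $results = foreach ($p in Get-Process) {
        if (-not $start.ContainsKey($p.Id)) { continue }   # started mid-window or unreadable
        $t = $p.TotalProcessorTime
        if ($null -eq $t) { continue }
        $pct = ($t.TotalSeconds - $start[$p.Id]) / ($WindowSeconds * $cores) * 100
        if ($pct -lt $ThresholdPercent) { continue }

        $path = $p.Path   # null for protected/system processes
        $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
        $cmd  = (Get-CimInstance Win32_Process -Filter "ProcessId = $($p.Id)").CommandLine

        [pscustomobject]@{
            Name        = $p.ProcessName
            Id          = $p.Id
            AvgCpuPct   = [math]::Round($pct, 1)
            Path        = $path
            Signature   = $sig        # Valid / NotSigned / HashMismatch / ...
            CommandLine = $cmd
        }
    }

    $results | Sort-Object AvgCpuPct -Descending
}

# Usage: sample for one minute and list everything averaging over 15% CPU.
Get-SustainedCpuConsumers -WindowSeconds 60 -ThresholdPercent 15 | Format-List
```

Run it a few times, including while the machine is idle, since short spikes from an updater or indexer are normal and only a process that reappears in every window from a path outside the usual program directories, with a NotSigned or HashMismatch status, is worth taking to a helper along with the logs the thread asks for.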

Hello @CoffeeMcCoffee and welcome:

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run the following Malwarebytes utility, or its subsets, please carefully follow these instructions:

  1. Download the Malwarebytes Support Tool.
  2. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
  3. In the User Account Control (UAC) pop-up window, click Yes to continue the installation.
  4. Run the MBST Support Tool.
  5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
  6. In the Advanced Options, click only Gather Logs. A status diagram displays the tool is Getting logs from your computer.
  7. A zip file named mbst-grab-results.zip will be saved to the Public desktop, please attach that file in your next reply to this topic. Please do NOT copy and paste.

For the short time between when you post the diagnostic logs, and when your helper weighs in, please take no further self-directed remedial actions that will invalidate the diagnostic logs you will have sent.

Thank you.


Hello and welcome @CoffeeMcCoffee

I will guide you along on looking for remaining malware. Let's keep these principles as we go along.

  • Removing malware can be unpredictable
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while the case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked, hacked or pirated programs are not only illegal, but will also make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

Please set File Explorer to SHOW ALL folders, all files, including Hidden ones. Use OPTION ONE or TWO of this article
Please use this Guide

This is a good point to emphasize not playing online games or games in general, while the case is on-going.
I would also emphasize reducing the auto-started applications that start with Windows down to the absolute minimum, which would basically be just security applications.
Apply these principles now from the following How-to
How to perform a clean boot in Windows
https://support.microsoft.com/en-us/help/929135/how-to-perform-a-clean-boot-in-windows

Tell me, is BitDefender the only antivirus that is active on this device?

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted items from a system. This tool does not install. It is run on-demand.

This link is for the 64-bit version of MSERT.exe . Be sure you save the file first
https://definitionupdates.microsoft.com/download/DefinitionUpdates/safetyscanner/amd64/MSERT.exe

Upon completion of the save, Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well

Launch MSERT.exe
Accept the agreement terms of Microsoft
Select CUSTOM scan
Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.

Once you see it has started, take a long, long break; walk away. Do not pay credence to any intermediate early flash messages on the screen display. The only thing that counts is the end result at the end of the run.
Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those.
We only rely on the end result that is on the log-report-file.


This is likely to run for many hours (depending on the number of files on your machine & the speed of the hardware).

The log is named MSERT.log

The log will be at

Windows\debug\msert.log
Please attach that log with your reply

It is normal for the Microsoft Safety Scanner to show 'detections' during the scan process on the screen itself.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.


I have run Malwarebytes multiple times, a quick scan and a custom scan. I also ran Avira, Windows Defender Offline Scan, Kaspersky, and Norton, and also HitmanPro64 + RogueKiller + TDSSKiller.
And yes, I had run each of those recently on my own.
Here is the MSERT log, the scan took about 3 hours, 2,000,000 files were scanned.
It showed that my computer is completely safe.

msert.log


Results Summary:
----------------
No infection found.
Successfully Submitted MAPS Report
Successfully Submitted Heartbeat Report
Microsoft Safety Scanner Finished On Fri May  5 19:33:50 2023

Let's do one scan with Malwarebytes AdwCleaner to check for adware. Just before pressing that "scan" button, be sure that Chrome & Edge, or any other web browser, are closed.

It will not take much time.

First download & save it
guide & download link

Then be sure to close all web browsers after the download & before launching the tool.

Then go to where the EXE file is saved. Start Adwcleaner.  Then do a scan with Adwcleaner

Guide article

Attach the clean log from Adwcleaner when all completed.


  • Solution

Please run this special purpose custom script. Read all of this before you start. Please Close all open work.

Please download the attached fixlist.txt file and save it to Downloads folder   

Fixlist.txt < - - -

NOTE. It's important that both files, FRSTENGLISH.exe, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

IF the FRST64 (Farbar FRST) issues an error message when you start this task-run, then please stop and let me know the "error exception message", then wait for me to make a new reply.

Use File Explorer to go to the Downloads folder

RIGHT-Click on FRSTENGLISH and select

RUN as Administrator

and reply YES to allow it to go forward to start.

That is important so that this run has Elevated Administrator rights !!

NEXT press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log in the Downloads folder (Fixlog.txt).

Note: If the tool warned you about an outdated version please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.


Here's the log: Fixlog.txt


Thanks for the Fixlog. I have not seen indicators of any malicious coinminer. I am going to list 2 further tasks.

(1)

One other scan here.

TrendMicro HouseCall scan
https://www.trendmicro.com/en_us/forHome/products/housecall.html

First, Download & Save to your Downloads folder the appropriate HouseCallLauncher
Once the download is complete, go to where the Housecalllauncher is saved & double-click it to start it.

The program will check with TrendMicro & do an update run.

Next it will show the Disclosure window.

Click Next to proceed.

The end user license agreement is presented. Click the Accept radio button & click Next to proceed.

I suggest a CUSTOM scan on C drive.

IF you wish a Full scan or a Custom scan, first click on the Settings

then you can select which drives you want to include in the scan.

The default is a Quick scan.

Click Scan now when ready.

The scan progress will then be displayed.   Monitor the progress or just leave it alone until it finishes this phase.

When the scan phase has completed, if any items are tagged, you will see a list, showing  the file & its location, the classification of the threat, the type, risk, and Action option.

If you see an item that you know is safe, you can click the Action, and select Ignore.

When all done & ready, click the Fix now button.

( 2 )

Temporarily disable Microsoft SmartScreen to download the next software below 

I would recommend getting a readout report as to update status of some key apps.
Download SecurityCheck by glax24 from here

and save the tool on the desktop.

If Windows' SmartScreen blocks that with a message window, then click on the MORE INFO spot and override that and allow it to proceed.

This tool is safe. SmartScreen is overly sensitive.

Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

When all done, you may go back to turn ON the EDGE Smartscreen protection.

 


Here's the SecurityCheck log: SecurityCheck.txt


Hello. Per the SecurityCheck report these apps need your follow-up and action.
Git v.2.37.1  Warning! Download Update

Java 8 Update 51 (64-bit) v.8.0.510  Warning! Download Update
Uninstall old version and install new one (jre-8u351-windows-x64.exe).

Adobe Creative Cloud v.4.0.1.188  Warning! Download Update

Bitdefender Agent RedLine Service (bdredline_agent) - The service has stopped. QUESTION: Do you have a paid license for BitDefender?

Winaero Tweaker v.1.40.0.0 Warning! Suspected demo version. Computer experts no longer recommend this program.


I'm going to uninstall some of these programs; I don't need some of them. Also, no, I don't have a paid version of BitDefender, I have tested the free version only.


The free version of BitDefender eventually will no longer have REAL-time protection. You may want to consider uninstalling BitDefender, rebooting the system, then check on and allow Microsoft Defender antivirus to be the real-time antivirus protection.

In the same spirit, if you do not have the Premium Malwarebytes, you should consider it.


Alright. Please re-run SecurityCheck.exe. Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt


Here's the log:

SecurityCheck.txt


I have a few more suggestions for you. The first set is per the findings of the SecurityCheck report. There are 8 programs that are out of date & insecure. They need updates.
Microsoft Visual Studio Code (User) v.1.77.3  Warning! Download Update

TreeSize Free V4.6.2 (64 bit) v.4.6.2  Warning! Download Update

WinRAR 6.11 (64-bit) v.6.11.0  Warning! Download Update

Discord v.1.0.9012  Warning! Download Update

Audacity 3.2.2 v.3.2.2  Warning! Download Update

HandBrake 1.5.1 v.1.5.1  Warning! Download Update

Opera GX Stable 97.0.4719.89 v.97.0.4719.89  Warning! Download Update

Brave v.112.1.50.121  Warning! Download Update

Your PC has the trial mode of Malwarebytes. We need to ensure that Microsoft Defender antivirus is on and enabled.
( A )
Start Malwarebytes. Click the Settings (gear) icon. Next, let's make really sure that Malwarebytes does NOT register with Windows Security Center.

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off .... be sure that line's radio-button selection is all the way to the left. Thanks. }

This will not affect any real-time protection of Malwarebytes for Windows 😃.

Close Malwarebytes.

( B )
I also would appreciate this report:

Download Farbar's Service Scanner utility

and Save to your Desktop.

Right-Click on fss.exe and select Run As Administrator.

Answer Yes to ok when prompted.

If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are check-marked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender
  • Other services

Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run from. Please attach that file.

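As an added example that is not part of the thread or of Farbar's tool: the post above asks for two things, a check that the Windows protection services are present and running, and confirmation of which antivirus Windows Security Center actually treats as active once Malwarebytes stops registering itself. Both can be read from the system directly. The script below lists the state of the services behind each FSS category, asks Security Center which antivirus products are registered, and prints Defender's own real-time status. The mapping of FSS categories to service names is my choice, and the decoding of Security Center's productState field follows the commonly documented but unofficial bit layout (bit 0x1000 = product enabled, bit 0x10 = definitions out of date). Everything here is read-only.

```powershell
# Added example (not from the thread): scripted view of the service state that
# Farbar's Service Scanner reports on, plus Security Center's registered-AV
# list and Defender's real-time status. Read-only; nothing is changed.
function Get-ProtectionServiceStatus {
    # Constructed mapping: FSS category -> Windows services that implement it.
    $checks = @(
        @{ Area = 'Internet Services';             Name = 'Dhcp' },
        @{ Area = 'Internet Services';             Name = 'Dnscache' },
        @{ Area = 'Internet Services';             Name = 'nsi' },
        @{ Area = 'Windows Firewall';              Name = 'BFE' },
        @{ Area = 'Windows Firewall';              Name = 'mpssvc' },
        @{ Area = 'System Restore';                Name = 'VSS' },
        @{ Area = 'System Restore';                Name = 'swprv' },
        @{ Area = 'Security Center/Action Center'; Name = 'wscsvc' },
        @{ Area = 'Windows Update';                Name = 'wuauserv' },
        @{ Area = 'Windows Update';                Name = 'BITS' },
        @{ Area = 'Windows Defender';              Name = 'WinDefend' },
        @{ Area = 'Windows Defender';              Name = 'WdNisSvc' },
        @{ Area = 'Other services';                Name = 'EventLog' }
    )

    foreach ($c in $checks) {
        $svc = Get-Service -Name $c.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Area      = $c.Area
            Service   = $c.Name
            # A missing service is the interesting case: it has been deleted or
            # was never installed, which FSS would flag the same way.
            Status    = if ($svc) { $svc.Status } else { 'MISSING' }
            StartType = if ($svc) { $svc.StartType } else { 'n/a' }
        }
    }
}

function Get-RegisteredAntivirus {
    # Security Center's own list of registered AV products. This is what the
    # "register Malwarebytes in Windows Security Center" setting feeds into:
    # when a third-party product is registered as enabled, Defender stands down.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
        ForEach-Object {
            $state = [int]$_.productState
            [pscustomobject]@{
                Product  = $_.displayName
                Enabled  = ($state -band 0x1000) -ne 0   # assumed bit layout, see lead-in
                UpToDate = ($state -band 0x10) -eq 0     # assumed bit layout, see lead-in
                Path     = $_.pathToSignedProductExe
            }
        }
}

Get-ProtectionServiceStatus | Format-Table -AutoSize
Get-RegisteredAntivirus     | Format-Table -AutoSize
# Defender's view of itself (the Defender module ships with Windows 10/11).
Get-MpComputerStatus |
    Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled, AntivirusSignatureLastUpdated
```

After the Malwarebytes setting change the thread describes, the expected picture is: every service Running (or Manual for the on-demand ones such as VSS and BITS), only Microsoft Defender listed as Enabled in Security Center, and RealTimeProtectionEnabled reporting True.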

Here's the log:

FSS.txt


Thanks. This report is very good. To date, there is no malware here. We can wrap up this case.
Let's go ahead and do some clean-up work and remove the tools and logs we've run.
Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • You may attach that file to your next reply. (not compulsory)

Delete mb-support-1.8.7.918.exe
Delete mbst-grab-results.zip on the Desktop. 


Here's the log: kprm-20230510080920.txt


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy: Tips to help protect from infection

Thank you

This topic is now closed to further replies.