CoffeeMcCoffee Posted May 5, 2023 ID:1566079

Hello, I suspect that I have a crypto mining malware in my laptop. Every now and then the CPU usage spikes a little, 20% to 35%. I've tried several tools to analyze the malware. I tried scanning with Malwarebytes, but found no threats. But I still suspect there is a crypto-mining malware in my machine. How can I be sure that there's no crypto-jacking malware in my machine?
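An intermittent 20-35% spike is only meaningful once it is tied to a process, its on-disk path and its signer. The following PowerShell script is an added example for this thread (not something posted by either participant): it samples the per-process CPU counters for a while, keeps every process that crosses a threshold, and then reports where that binary lives, whether it carries a valid Authenticode signature, and what launched it. It assumes an elevated Windows PowerShell 5.1 (or newer) prompt on an English-language Windows install (the counter paths are localized on other languages); the sample count, interval and threshold are illustrative values chosen here, not figures from the post.

```powershell
# Added example, not from the forum thread: attribute short CPU spikes to processes
# and show path, signature and parent for each suspect. Run as Administrator.
# Sample count, interval and threshold below are illustrative assumptions.
function Watch-CpuSpikes {
    param(
        [int]$Samples      = 30,   # number of snapshots to take
        [int]$IntervalSec  = 2,    # seconds between snapshots (30 x 2 s = one minute)
        [double]$Threshold = 15    # % of total machine CPU that counts as a spike for one process
    )
    $cores   = [Environment]::ProcessorCount
    $hits    = @{}                 # counter instance name -> list of observed percentages
    $procIds = @{}                 # counter instance name -> PID seen for that instance

    for ($i = 0; $i -lt $Samples; $i++) {
        # Both counters are read in one call so the instance -> PID mapping is consistent.
        $set = Get-Counter -Counter '\Process(*)\% Processor Time', '\Process(*)\ID Process' `
                           -SampleInterval $IntervalSec -MaxSamples 1
        $samples = $set.CounterSamples

        foreach ($s in ($samples | Where-Object { $_.Path -like '*\ID Process' })) {
            $procIds[$s.InstanceName] = [int]$s.CookedValue
        }
        foreach ($s in ($samples | Where-Object { $_.Path -like '*\% Processor Time' })) {
            if ($s.InstanceName -in @('_total', 'idle')) { continue }
            # The counter sums all logical cores, so normalise to a 0-100 scale for the machine.
            $pct = [math]::Round($s.CookedValue / $cores, 1)
            if ($pct -ge $Threshold) {
                if (-not $hits.ContainsKey($s.InstanceName)) { $hits[$s.InstanceName] = @() }
                $hits[$s.InstanceName] += $pct
            }
        }
    }

    foreach ($name in $hits.Keys) {
        $procId = $procIds[$name]
        $proc   = Get-CimInstance Win32_Process -Filter "ProcessId = $procId" -ErrorAction SilentlyContinue
        $sig    = 'n/a'
        if ($proc -and $proc.ExecutablePath) {
            # Unsigned or invalidly signed binaries in user-writable folders deserve a closer look.
            $sig = (Get-AuthenticodeSignature -FilePath $proc.ExecutablePath).Status
        }
        [pscustomobject]@{
            Process     = $name
            PID         = $procId
            SpikeCount  = $hits[$name].Count
            MaxPercent  = ($hits[$name] | Measure-Object -Maximum).Maximum
            Path        = if ($proc) { $proc.ExecutablePath } else { '<exited during sampling>' }
            Signature   = $sig
            ParentPID   = if ($proc) { $proc.ParentProcessId } else { $null }
            CommandLine = if ($proc) { $proc.CommandLine } else { $null }
        }
    }
}

# Usage: leave the machine idle while it runs so normal workload does not mask the spike.
Watch-CpuSpikes | Sort-Object SpikeCount -Descending | Format-Table -AutoSize -Wrap
```

Processes that exit before the report is built show up with a placeholder path; a spike that keeps coming from a process with an empty path, an unsigned binary under a user profile, or a parent that is a script host is the kind of result worth handing to the helpers in a thread like this, together with the logs they ask for.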
1PW Posted May 5, 2023 ID:1566081

Hello @CoffeeMcCoffee:

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run the following Malwarebytes utility, or its subsets, please carefully follow these instructions:

1. Download the Malwarebytes Support Tool.
2. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
3. In the User Account Control (UAC) pop-up window, click Yes to continue the installation.
4. Run the MBST Support Tool.
5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
6. In the Advanced Options, click only Gather Logs. A status diagram displays the tool is Getting logs from your computer.
7. A zip file named mbst-grab-results.zip will be saved to the Public desktop; please attach that file in your next reply to this topic. Please do NOT copy and paste.

For the short time between when you post the diagnostic logs and when your helper weighs in, please take no further self-directed remedial actions that will invalidate the diagnostic logs you will have sent.

Thank you.
CoffeeMcCoffee Posted May 5, 2023 (Author) ID:1566082

Here are the logs: mbst-grab-results.zip
Maurice Naggar Posted May 5, 2023 ID:1566090

Hello @CoffeeMcCoffee

I will guide you along on looking for remaining malware. Let's keep these principles as we go along.

- Removing malware can be unpredictable. Please don't run any other scans, download, install or uninstall any programs while I'm working with you. Only run the tools I guide you to.
- Do not run online games while the case is on-going. Do not do any free-wheeling web-surfing.
- The removal of malware isn't instantaneous, please be patient.
- Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
- Please stick with me until I give you the "all clear".
- If your system is running Discord, please be sure to Exit out of it while this case is on-going.

Please set File Explorer to SHOW ALL folders, all files, including Hidden ones. Use OPTION ONE or TWO of this article. Please use this Guide.

This is a good point to emphasize not playing online games, or games in general, while the case is on-going. I would also emphasize to reduce the auto-started applications that start with Windows down to the absolute minimum, which would basically be just security applications. Apply these principles now from the following How-to:
How to perform a clean boot in Windows
https://support.microsoft.com/en-us/help/929135/how-to-perform-a-clean-boot-in-windows

Tell me, is BitDefender the only antivirus that is active on this device?

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted items from a system. This tool does not install. It is run on-demand. This link is for the 64-bit version of MSERT.exe. Be sure you save the file first:
https://definitionupdates.microsoft.com/download/DefinitionUpdates/safetyscanner/amd64/MSERT.exe

Upon completion of the save, please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan. That goes especially for web browsers; make sure all are fully exited out of, and messenger programs are exited and closed as well.

1. Launch MSERT.exe
2. Accept the agreement terms of Microsoft
3. Select CUSTOM scan. Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned.
4. Then start the scan.

Have lots of patience. Once you start the scan & you see it started, then leave it be. Once you see it has started, take a long long break; walk away. Do not pay credence if you see some intermediate early flash messages on screen display. The only things that count are the End result at the end of the run. Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those. We only rely on the end result that is on the log-report-file. This is likely to run for many hours (depending on number of files on your machine & the speed of hardware).

The log is named MSERT.log; the log will be at Windows\debug\msert.log. Please attach that log with your reply.

It is normal for the Microsoft Safety Scanner to show 'detections' during the scan process on the screen itself. It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection. That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.
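The clean-boot advice above comes down to knowing what starts with Windows and trimming it to security software. As an added example for this thread (not a tool either participant used), the PowerShell below inventories the usual autostart locations: the Run/RunOnce registry keys for the machine and the current user, both Startup folders, and scheduled tasks outside the Microsoft tree. For each entry it resolves the executable and reports its Authenticode status and signer, which is what makes a list of twenty entries reviewable. It assumes Windows PowerShell 5.1 or newer run as Administrator; the set of locations covered is the author's choice here and is not exhaustive.

```powershell
# Added example, not from the forum thread: list autostart entries with signature status.
# Covers Run/RunOnce keys, Startup folders and non-Microsoft scheduled tasks (an assumed,
# deliberately limited set of locations). Run as Administrator for full visibility.
function Resolve-ExePath([string]$Command) {
    # Extract the executable from a command line: quoted first token, or the longest
    # leading run of tokens that names an existing file (handles unquoted paths with spaces).
    if (-not $Command) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($Command)
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    $tokens = ($cmd.Trim() -split '\s+')
    for ($n = 1; $n -le $tokens.Count; $n++) {
        $cand = ($tokens[0..($n - 1)] -join ' ')
        if (Test-Path -LiteralPath $cand -PathType Leaf) { return $cand }
    }
    $exe = $tokens[0]
    if (-not [IO.Path]::IsPathRooted($exe)) {
        # Bare names like rundll32.exe are resolved through PATH.
        $found = Get-Command $exe -ErrorAction SilentlyContinue
        if ($found -and $found.Source) { $exe = $found.Source }
    }
    return $exe
}

function New-AutostartEntry($Source, $Name, $Command) {
    $exe    = Resolve-ExePath $Command
    $status = 'FileNotFound'
    if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
        $sig    = Get-AuthenticodeSignature -FilePath $exe
        $status = "$($sig.Status)"
        if ($sig.SignerCertificate) {
            $status += ' (' + ($sig.SignerCertificate.Subject -replace '^CN=([^,]+).*', '$1') + ')'
        }
    }
    [pscustomobject]@{ Source = $Source; Name = $Name; Executable = $exe; Signature = $status; Command = $Command }
}

function Get-AutostartInventory {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $providerProps) { continue }   # skip the provider's own metadata
            New-AutostartEntry -Source $key -Name $p.Name -Command ([string]$p.Value)
        }
    }
    foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
            New-AutostartEntry -Source $dir -Name $_.Name -Command $_.FullName
        }
    }
    # Scheduled tasks are a common persistence spot that Startup-folder checks miss.
    Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute) {
                $cmdLine = ("$($a.Execute) $($a.Arguments)").Trim()
                New-AutostartEntry -Source "Task $($task.TaskPath)$($task.TaskName)" -Name $task.TaskName -Command $cmdLine
            }
        }
    }
}

# Usage: entries sort so that missing, unsigned and invalidly signed binaries cluster together.
Get-AutostartInventory | Sort-Object Signature, Source | Format-Table -AutoSize -Wrap
```

Read the output the way the clean-boot guide intends: anything that is not security software is a candidate for removal from startup, and an entry whose executable is missing, unsigned, or sitting in a temp or profile folder is the first thing to mention to the helper.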
Maurice Naggar Posted May 5, 2023 ID:1566114

Inquiry: By the way, I notice that this device has Hitmanpro64 + Roguekiller + TDSSKILLER. Is it the case you have run each one of those recently on your own? Also, what other security scanners have you run?
CoffeeMcCoffee Posted May 5, 2023 (Author) ID:1566121

I have run Malwarebytes multiple times, a quick scan and a custom scan. I also ran Avira, Windows Defender Offline Scan, Kaspersky, and Norton, and also Hitmanpro64 + Roguekiller + TDSSKILLER. And yes, I had run each of those recently on my own. Here is the MSERT log; the scan took about 3 hours, 2,000,000 files were scanned. It showed that my computer is completely safe. msert.log
Maurice Naggar Posted May 5, 2023 ID:1566152

Results Summary:
----------------
No infection found.
Successfully Submitted MAPS Report
Successfully Submitted Heartbeat Report
Microsoft Safety Scanner Finished On Fri May 5 19:33:50 2023

Let's do one scan with Malwarebytes Adwcleaner to check for adwares. Just before pressing that "scan" button, be sure that Chrome & Edge, or other web browsers, are Closed. It will not take much time.

First download & save it (guide & download link). Then be sure to close all web browsers after the download & before launching the tool. Then go to where the EXE file is saved. Start Adwcleaner. Then do a scan with Adwcleaner (Guide article). Attach the clean log from Adwcleaner when all completed.
CoffeeMcCoffee Posted May 6, 2023 (Author) ID:1566168

Here's the log: AdwCleaner[C01].txt
Maurice Naggar Posted May 6, 2023 ID:1566191 (marked as Solution)

Please run this special purpose custom script. Read all of this before you start. Please Close all open work.

Please download the attached fixlist.txt file and save it to the Downloads folder: Fixlist.txt <- - - NOTE. It's important that both files, FRSTENGLISH.exe and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

IF the FRST64 (Farbar FRST) issues an error message when you start this task-run, then Please Stop and let me know the "error exception message", then wait for me to make a new reply.

1. Use File Explorer to go to the Downloads folder.
2. RIGHT-Click on FRSTENGLISH and select RUN as Administrator and reply YES to allow it to go forward to start. That is important so that this run has Elevated Administrator rights!!
3. NEXT press the Fix button just once and wait.
4. If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
5. The tool will make a log on the Downloads folder (Fixlog.txt).

Note: If the tool warned you about an outdated version please download and run the updated version. The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.
CoffeeMcCoffee Posted May 6, 2023 (Author) ID:1566217

Here's the log: Fixlog.txt
Maurice Naggar Posted May 6, 2023 ID:1566242

Thanks for the Fixlog. I have not seen indicators of any malicious coinminer. I am going to list 2 further tasks.

(1) One other scan here. TrendMicro HouseCall scan
https://www.trendmicro.com/en_us/forHome/products/housecall.html

First, Download & Save to your Downloads folder the appropriate HouseCallLauncher. Once the download is complete, go to where the HouseCallLauncher is saved & double-click it to start it. The program will check with TrendMicro & do an update run. Next it will show the Disclosure window. Click Next to proceed. The end user license agreement is presented. Click the Accept radio button & click Next to proceed.

I suggest a CUSTOM scan on C drive. IF you wish a Full scan or a Custom scan, first click on the Settings, then you can select which drives you want to include in the scan. The default is a Quick scan. Click Scan now when ready. The scan progress will then be displayed. Monitor the progress or just leave it alone until it finishes this phase.

When the scan phase has completed, if any items are tagged, you will see a list, showing the file & its location, the classification of the threat, the type, risk, and Action option. If you see an item that you know is safe, you can click the Action and select Ignore. When all done & ready, click the Fix now button.

(2) Temporarily disable Microsoft SmartScreen to download the next software below. I would recommend getting a readout report as to update status of some key apps.

Download SecurityCheck by glax24 from here and save the tool on the desktop. If Windows's SmartScreen blocks that with a message-window, then Click on the MORE INFO spot and over-ride that and allow it to proceed. This tool is safe. Smartscreen is overly sensitive.

Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow to run & go forward. Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply. You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

When all done, you may go back to turn ON the EDGE Smartscreen protection.
CoffeeMcCoffee Posted May 7, 2023 (Author) ID:1566291

Here's the SecurityCheck log: SecurityCheck.txt
Maurice Naggar Posted May 8, 2023 ID:1566448

Hello. Per the SecurityCheck report these apps need your follow-up and action.

Git v.2.37.1 Warning! Download Update
Java 8 Update 51 (64-bit) v.8.0.510 Warning! Download Update. Uninstall old version and install new one (jre-8u351-windows-x64.exe).
Adobe Creative Cloud v.4.0.1.188 Warning! Download Update
Bitdefender Agent RedLine Service (bdredline_agent) - The service has stopped.
QUESTION: Do you have a paid license for BitDefender??
Winaero Tweaker v.1.40.0.0 Warning! Suspected demo version. Computer experts no longer recommend this program.
CoffeeMcCoffee Posted May 8, 2023 (Author) ID:1566473

I'm going to uninstall some of these programs; I don't need some of them. Also, no, I don't have a paid version of BitDefender, I have tested the free version only.
Maurice Naggar Posted May 8, 2023 ID:1566479

The free version of BitDefender eventually will no longer have REAL-time protection. You may want to consider uninstalling BitDefender, rebooting the system, then check on and allow Microsoft Defender antivirus to be the real-time antivirus protection. In the same spirit, if you do not have the Premium Malwarebytes, you should consider it.
CoffeeMcCoffee Posted May 8, 2023 (Author) ID:1566485

Okay, I will uninstall BitDefender. Malwarebytes Premium is on and active with Real-Time Protection.
Maurice Naggar Posted May 9, 2023 ID:1566591

Alright. Please re-run SecurityCheck.exe. Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow to run & go forward. Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply. You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt
CoffeeMcCoffee Posted May 9, 2023 (Author) ID:1566629

Here's the log: SecurityCheck.txt
Maurice Naggar Posted May 9, 2023 ID:1566639

I have a few more suggestions for you. The first set is per the findings of the SecurityCheck report. There are 8 programs that are out of date & insecure. They need updates.

Microsoft Visual Studio Code (User) v.1.77.3 Warning! Download Update
TreeSize Free V4.6.2 (64 bit) v.4.6.2 Warning! Download Update
WinRAR 6.11 (64-bit) v.6.11.0 Warning! Download Update
Discord v.1.0.9012 Warning! Download Update
Audacity 3.2.2 v.3.2.2 Warning! Download Update
HandBrake 1.5.1 v.1.5.1 Warning! Download Update
Opera GX Stable 97.0.4719.89 v.97.0.4719.89 Warning! Download Update
Brave v.112.1.50.121 Warning! Download Update

Your pc has the trial mode of Malwarebytes. We need to ensure that Microsoft Defender antivirus is on and Enabled.

(A) Start Malwarebytes. Click the Settings (gear) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center. Click the Security Tab. Scroll down to "Windows Security Center". Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center". { We want that to be set as Off .... be sure that line's radio-button selection is all the way to the Left. thanks. } This will not affect any real-time protection of the Malwarebytes for Windows 😃. Close Malwarebytes.

(B) I also would appreciate this report: Download Farbar's Service Scanner utility and Save to your Desktop. Right-Click on fss.exe and select Run As Administrator. Answer Yes to ok when prompted. If your firewall then puts out a prompt, again, allow it to run. Once FSS is on-screen, be sure the following items are check-marked:
- Internet Services
- Windows Firewall
- System Restore
- Security Center/Action Center
- Windows Update
- Windows Defender
- Other services
Click on "Scan". It will create a log (FSS.txt) in the same directory the tool is run. Please attach that file.
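The point of step (A) is that Windows client editions stand Microsoft Defender down when another antivirus registers as active in Windows Security Center, so the FSS checklist in (B) is really a check that Defender, the firewall, Security Center and Windows Update are all still in the state you expect. The script below is an added example written for this thread (it is not FSS, and produces a different report): it checks the standard services behind those checklist items, asks the Defender module for real-time protection and signature age, looks for the policy value that disables Defender outright, lists the firewall profiles, and enumerates every antivirus product currently registered in Security Center. It assumes Windows PowerShell 5.1 or newer on Windows 10/11 run as Administrator; which services to treat as must-be-running versus merely not-disabled is this example's own mapping, not FSS's.

```powershell
# Added example, not from the forum thread: verify the security services FSS reports on,
# Defender's real-time state, and which AV products are registered in Security Center.
# Service-to-checklist mapping and the 3-day signature-age limit are this example's assumptions.
function Test-SecurityBaseline {
    $rows = @()
    $services = @(
        @{ Name = 'WinDefend'; Label = 'Microsoft Defender Antivirus';          MustRun = $true  },
        @{ Name = 'MpsSvc';    Label = 'Windows Defender Firewall';             MustRun = $true  },
        @{ Name = 'wscsvc';    Label = 'Security Center';                       MustRun = $true  },
        @{ Name = 'wuauserv';  Label = 'Windows Update';                        MustRun = $false },  # trigger-started; must not be Disabled
        @{ Name = 'VSS';       Label = 'Volume Shadow Copy (System Restore)';   MustRun = $false },
        @{ Name = 'BITS';      Label = 'Background Intelligent Transfer';       MustRun = $false }
    )
    foreach ($s in $services) {
        $svc = Get-Service -Name $s.Name -ErrorAction SilentlyContinue
        if (-not $svc) {
            $state = 'service missing'; $ok = $false
        } else {
            $state = "$($svc.Status), start=$($svc.StartType)"
            $ok = if ($s.MustRun) { $svc.Status -eq 'Running' } else { $svc.StartType -ne 'Disabled' }
        }
        $rows += [pscustomobject]@{ Check = $s.Label; State = $state; OK = $ok }
    }

    # Defender engine state: RealTimeProtectionEnabled is False when Defender is in passive mode
    # because another registered AV is active, which is exactly what step (A) is meant to prevent.
    try { $mp = Get-MpComputerStatus -ErrorAction Stop } catch { $mp = $null }
    if ($mp) {
        $rows += [pscustomobject]@{ Check = 'Defender real-time protection'; State = "$($mp.RealTimeProtectionEnabled)"; OK = [bool]$mp.RealTimeProtectionEnabled }
        $rows += [pscustomobject]@{ Check = 'Defender antivirus enabled';     State = "$($mp.AntivirusEnabled)";          OK = [bool]$mp.AntivirusEnabled }
        $rows += [pscustomobject]@{ Check = 'Defender signature age (days)';  State = "$($mp.AntivirusSignatureAge)";     OK = ($mp.AntivirusSignatureAge -le 3) }
    } else {
        $rows += [pscustomobject]@{ Check = 'Defender status'; State = 'Get-MpComputerStatus unavailable'; OK = $false }
    }

    # A policy value of 1 here turns Defender off regardless of what the UI shows.
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    $rows += [pscustomobject]@{
        Check = 'DisableAntiSpyware policy not set'
        State = if ($pol) { "set to $($pol.DisableAntiSpyware)" } else { 'not set' }
        OK    = (-not $pol) -or ($pol.DisableAntiSpyware -eq 0)
    }

    foreach ($p in (Get-NetFirewallProfile -ErrorAction SilentlyContinue)) {
        $rows += [pscustomobject]@{ Check = "Firewall profile: $($p.Name)"; State = "Enabled=$($p.Enabled)"; OK = ("$($p.Enabled)" -eq 'True') }
    }

    # Every AV registered with Security Center; more than one active product is the condition
    # the Malwarebytes "register in Windows Security Center" switch is meant to avoid.
    $avs = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    foreach ($av in $avs) {
        $rows += [pscustomobject]@{ Check = "Registered AV: $($av.displayName)"; State = ('productState=0x{0:X6}' -f $av.productState); OK = $true }
    }
    return $rows
}

# Usage: anything with OK=False is what the helper would want to hear about first.
Test-SecurityBaseline | Format-Table -AutoSize
```

If the registered-AV list shows a third-party product alongside Microsoft Defender and the Defender real-time row reads False, Defender has stood down for that product; after following step (A) and rebooting, the same run should show Defender back to True with Malwarebytes no longer in the Security Center list.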
CoffeeMcCoffee Posted May 9, 2023 (Author) ID:1566654

Here's the log: FSS.txt
Maurice Naggar Posted May 10, 2023 ID:1566680

Thanks. This report is very good. To date, there is no malware here. We can wrap up this case.

Let's go ahead and do some clean-up work and remove the tools and logs we've run. Please download KpRm by kernel-panik and save it to your desktop.

1. Right-click kprm_(version).exe and select Run as Administrator.
2. Read and accept the disclaimer.
3. When the tool opens, ensure all boxes under Actions are checked.
4. Under Delete Quarantines select Delete Now, then click Run.
5. Once complete, click OK.
6. A log will open in Notepad titled kprm-(date).txt. You may attach that file to your next reply. (not compulsory)

Delete mb-support-1.8.7.918.exe
Delete mbst-grab-results.zip on the Desktop.
CoffeeMcCoffee Posted May 10, 2023 (Author) ID:1566699

Here's the log: kprm-20230510080920.txt
Maurice Naggar Posted May 10, 2023 ID:1566712

Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy: Tips to help protect from infection

Thank you