xmr.2miners.com keeps creeping back up from the dead...


akko
Solved by Maurice Naggar


Yesterday night, I tried to download a zip file from a trusted website that I've downloaded from before without any issues. It looks like this one was corrupted and filled with malware, because starting 30 mins after the download, I started getting notifications about a Trojan website blocked by Malwarebytes. The notification is shown in the attached files.
Upon running a scan, Malwarebytes detected 4 threats, also shown in the attached files. 3 of them are registry keys and one is a file in C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC. These keep coming back even after I quarantine them so I am not sure of what to do at the moment. I would appreciate some help.

Thank you,
Akko

2023-08-27 11_50_49-Window.png

2023-08-27 11_56_07-Window.png

malware_report.txt malware_report_advanced.txt malware_scan.txt

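The task the scan flagged, C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC, is named to blend in with the real Google Update tasks. As an added check (example code written for this thread, not something posted by the original poster or by Malwarebytes staff), the following read-only PowerShell lists every task with a GoogleUpdateTaskMachine* name and shows what each one actually launches and whether that file carries a valid signature; the "Core" and "UA" names are the ones Google Update itself normally registers, which is an assumption from general knowledge, not from the thread.

```powershell
# Added example, not part of this thread: enumerate scheduled tasks whose
# name mimics Google Update and report where each one really points.
# Genuine Google Update normally registers GoogleUpdateTaskMachineCore and
# GoogleUpdateTaskMachineUA (assumed from general knowledge); a look-alike
# such as GoogleUpdateTaskMachineQC should stand out by an unsigned or
# out-of-place executable. Read-only: nothing is changed or deleted.
# Run from an elevated PowerShell prompt so all tasks are visible.

function Get-GoogleUpdateTaskReport {
    $suspects = Get-ScheduledTask |
        Where-Object { $_.TaskName -like 'GoogleUpdateTaskMachine*' }

    foreach ($task in $suspects) {
        foreach ($action in $task.Actions) {
            # Only "Execute" actions launch a program; COM-handler actions are skipped.
            if (-not $action.Execute) { continue }

            # Expand %ProgramFiles%-style variables and strip quotes so the path resolves.
            $exe    = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            $exists = Test-Path -LiteralPath $exe -PathType Leaf
            $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $exe } else { $null }

            # The task definition file lives under System32\Tasks, mirroring TaskPath.
            $taskFile = Join-Path "$env:SystemRoot\System32\Tasks" `
                        ($task.TaskPath.TrimStart('\') + $task.TaskName)

            [pscustomobject]@{
                TaskName   = $task.TaskName
                State      = [string]$task.State
                Execute    = $exe
                Arguments  = $action.Arguments
                FileExists = $exists
                # 'Valid' with a Google signer is expected; anything else deserves a closer look.
                SigStatus  = if ($sig) { [string]$sig.Status } else { 'n/a (file missing)' }
                Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                TaskFile   = $taskFile
            }
        }
    }
}

Get-GoogleUpdateTaskReport | Format-List
```

A task whose executable is missing, unsigned, or sits outside Program Files is the one to hand to the scanner or the helper rather than delete by hand, since the thread shows the registry entries and task file reappear when only one piece is removed.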

Hello @akko. My name is Maurice. I will guide you. Let me know what nickname you prefer to go by.

Let's keep these principles as we go along.

  • Removing pesky malware can be an involved set of tasks over separate runs. Have much patience. Follow my directions.
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while the case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

I would like a report set for review. This is a report only.

Please download MALWAREBYTES MBST Support Tool

Do a RIGHT click on mb-support-1.9.2.982.exe & select "Run as Administrator" & reply YES & allow it to proceed forward.

Next click Advanced >>> then Gather Logs

Have patience till the run has finished.
Attach the mbst-grab-results.zip from the Desktop to your reply. This is a first step so that I can "see" what all is involved on this case.


Hello, @akko

Start Malwarebytes. Click the Settings ( gear ) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off .... be sure that line's radio-button selection is all the way to the Left. Thanks. }

This will not affect any real-time protection of Malwarebytes for Windows 😃.

Close Malwarebytes.


Please run the following custom script. Read all of this before you start. 

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will rebuild the Hosts file. It attempts to run some scans with Microsoft Defender antivirus. It will attempt to clear Cache files of web browsers. It will attempt to clear temporary file areas. It also should clear what is triggering the events of "xmr.2miners(.)com". Depending on the speed of your computer this fix may take 50-55 minutes or more.

Please Close all open work before you actually do begin this run.

Farbar FRSTENGLISH program location: Downloads folder. The tool is already on system. That is what we will use.

Please download the attached fixlist.txt file and save it to Downloads

fixlist.txt (attached)

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

Right-click with your mouse on FRSTENGLISH and select "Run as Administrator" and reply Yes and allow it to proceed when prompted. That is important.

Next, press the Fix button just once and wait.

You will see a green-color scroll display while FRST is running.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log in the Downloads folder (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.

NOTICE: For potential outside readers: this script was written specifically for this user, for use on this particular machine. Running this on another machine may cause harm.


It had to restart at some point, but a screen came up saying “Automatic Repair” and said “Your PC did not start correctly” with two options, “Restart” or “Advanced options”.

I have to go to work right now so what should I do?


You should select Advanced Options

and then see about selecting Safe Mode with Networking ( where some lookups could be done)

On the Advanced Boot Options screen, use the arrow keys to highlight the safe mode option you want, and then press Enter.

Log on to your computer with a user account that has administrator rights.

Safe Mode with Networking.  Starts Windows in safe mode and includes the network drivers and services needed to access the Internet or other computers on your network. IF there is a problem, please Stop and send me full details.


I got a relative to do all that for me through Facetime, but once Safe Mode with Networking was selected and the PC went through the restart sequence again, the same screen came up again. I'll point out that they did not have to do the exact steps you mentioned, like using arrow keys to highlight the safe mode option, or log on to the computer with a user account that has admin rights.


Power off the computer. If this is a notebook or a laptop, press and keep holding the Power-off button until you sense the power is all Off.

Then wait like 2 minutes. Then press the Power button ( to power On ) and then just wait for the system to load.

IF again it fails, repeat this process another time.


Do not accept any offer to repair. Do not click on "Restart" button.

If you still have the same screen, what did it list below the top line under "Automatic Repair"? Did it say something like, your computer did not start correctly?

Instead of pressing the "Restart" we want to press the button "Advanced Options".

then select "Troubleshooting" if you see it there. Next click on "Advanced Options"

Then Click on "Command Prompt". That will put the machine into the Windows Repair Environment --- a special super Command prompt.

You should see a line at bottom

X:\windows\system32

Note the X: on the displayed line. That is a major clue that machine is at the Windows Repair Environment.

There we can do some inquiries and attempt potential adjustments. Let me know when you get to that spot.

 


It is important to keep in mind the X: drive is a temporary drive in memory. That X: represents ( is) the Windows Recovery Environment.
I am going to list a few commands to enter.

On the Command prompt-window, type in

C:


press Enter-key

type in

sfc /scannow


press Enter-key

This will commence a run of the Windows System File Checker.

by the way, if this is a laptop or a notebook, be sure that it is plugged in with regular wall-corded power connection.
and if the machine has a connected printer, or copier, that you physically disconnect those type of devices.

Also, remember, we want to stay in the Windows Recovery Environment.  we will need to do more steps.


Alright. What follows is a different command line. Be sure to type it, all of it, as is. I will try to make it larger font here so you can be sure to see the spaces

DISM.exe /Online /Cleanup-image /restorehealth

press Enter-key

There is a space after DISM.exe

There is a space after /Online

There is a space after -image

DISM is a Windows command-utility to check integrity.


YAY! Bravo. The CHKDSK found zero errors. Excellent news. Now a slight change & then some new commands. One at a time. The first command is to re-orientate the focus back to the X drive & then other commands.

Do the following sequence of steps
type

X:


press Enter-key

That should position to X:\windows\system32 & then the flashing cursor.

Next, carefully type this whole line as-is:

SFC /scannow /offbootdir=C:\ /offwindir=C:\windows

there is a space after SFC
there is a space after scannow
there is a space after /offbootdir=C:\
press Enter-key when ready

Then see whether now the DISM applet proceeds to run.  Once it starts, just have much patience until after it gets back to flashing cursor.

Once that has completed, or if it has not, then go ahead and type this next line as is

DISM /image:C:\ /cleanup-image /restorehealth

there is a space after DISM
there is a space after /image:C:\
there is a space after /cleanup-image


Try not to over-worry. Type in

net user

press Enter

You should see the account names akkow + morgh listed.

I think we are close to wrapping up this phase. I would like to Queue up a run at the next Windows Restart.

Type in

echo Y | chkdsk C: /F

Press Enter

That ought to schedule a run of CHKDSK the next time that Windows restarts. So be sure you are extra, extra patient and just let that run by itself, automatically.

Now, Type in

shutdown /r /d p:0:0

There is a space after shutdown

Space after /r

Space after /d

Those are numeric ZEROS at the 0:0

press Enter. This last command line will do a Shutdown >> Restart of Windows.

Remember to allow the CHKDSK to complete on this Restart / Reboot. Also, at the next Login, be sure you log in with the account "morgh" which was the original account the case started with. If you run into an issue, Stop and report the details in a reply. And wait for me to have a chance to reply to you.

 


This topic is now closed to further replies.