Jump to content

Website blocked: xmr.2miners.com


Go to solution Solved by Maurice Naggar,

Recommended Posts

I know there are several topics to this problem, but I didn´t wanted to write in to anothers people problem shooting.

Downloaded an .exe, scanned it, no detection,but since executing it...see screenshot.

Attached the detections. Already scanned with avast, kaspersky (KVRT), MSERT and ESET Online, but none of them did solve the problem :(

After detection and deleting via MBAM, it is there again...please help!

2023-09-22_152825.jpg

22092023.txt mbst-fix-results.txt mbst-grab-results.zip

Link to post
Share on other sites

Hello :welcome: @Flauschi64  My name is Maurice. I will guide you. Thanks for the reports. Know that Malwarebytes is keeping the pc safe from potential threat. What is being blocked is the I P address. (Know that the reports are more useful than a screen-grab image).

  • Removing pesky malware can be an involved set of tasks over separate runs. Have much patience. Follow my directions. 
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

    Do these 2 steps so that ALL folders & Files are set to SHOW, plus also, Turn OFF Windows Fast start.
    Show-Hidden-Folders-Files-Extensions
    https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/

    Disable-Fast-Startup
    https://forums.malwarebytes.com/topic/299350-disable-fast-startup/

Link to post
Share on other sites

Notice the notations on Malwarebytes scan report 

Quote

Keine Aktion durch Benutzer

Quote

No action by user

First some housekeeping, and then one Scan.  There will be more later after all this.
Start Malwarebytes. Click Settings ( gear ) icon. Next, let us make real sure that Malwarebytes does NOT register with Windows Security Center

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off   .... be sure that line's  radio-button selection is all the way to the Left.  thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows    😃.

  • now Click the General tab.
  • Under Application updates, click the Check for updates button.

When it shows a new version available, Accept it and let it proceed forward.  Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

Let me know how that goes.    Next, the Malwarebytes scan

Next, click the small x on the Settings line to go to the main Malwarebytes Window.   Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

>>>>>>      👉      You can actually click the topmost left  check-box  on the very top line to get ALL lines  ticked   ( all selected).         <<<<     💢

 

MB4_scan_tick_ALL.jpg.d5c4071c62ed66534301fbb217b93bc0.jpg

Please double verify you have that TOP  check-box tick marked.   and that then, all lines have a tick-mark

 

Then click on Quarantine  button.

MB4_scan_all_Quarantine2.jpg.6c45445994d4125c0b617ac7c5551e03.jpg

 


Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

(  2   )

Let's do one scan with Malwarebytes Adwcleaner to check for adwares. Just before pressing that "scan" button, be sure that Chrome & Edge, or other web browser are Closed.

It will not take much time,

First download & save it
guide & download link

Then be sure to close all web browsers after the download & before launching the tool.

Then go to where the EXE file is saved. Start Adwcleaner.  Then do a scan with Adwcleaner

Guide article

NOTE: IF Adwcleaner in the results shows "no items" flagged, then please click on the button marked "Run Basic Repair"

adwcleaner-basic-repair.png.b6454e1c53e6ff2c6d0b97103375d6b7.png

Attach the clean log from Adwcleaner when all completed.

Link to post
Share on other sites

Go slow and careful to do all that is listed below, please. I need for you to download and be sure to SAVE the tool named FRST64.exe onto the DOWNLOADS folder.

download & save a copy of the tool FRST64.exe from this link https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/

Ignore all advertising and the ads on the page. Just be sure the FRST64 is saved. Then, go to folder Downloads. With your mouse, do a RIGHT-Click on FRST64.exe & select 

rename

and rename it to

FRSTENGLISH.exe

That is important, so hopefully the next log will have English remarks ( so I can use it).

NEXT, see if you can temporarily Turn Off the Comodo security ( so that it does not interfere with next task)

NEXT

Please run the following custom script. Read all of this before you start. The meaning of the "Fix button" operation here is just to run a custom script just for this particular machine.

NOTE-1:  This custom fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  It will attempt to insure a rogue scheduled Task is removed. It will attempt to clear Cache files of web browsers.  It will attempt to clear temporary file areas. It rebuilds the Winsock. Depending on the speed of your computer this fix may take 50-55 minutes or more.

Please Close all open work before you actually do begin this run.

FRSTENGLISH,exe  program location:   Downloads folder. The tool is already on system. That is what we will use.

Please download the attached fixlist.txt file and save it to Downloads

Fixlist.txt <- < - - - -

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

Right-click with your mouse on  FRSTENGLISH and select "Run as Administrator" and reply Yes and allow it to proceed when prompted. That is important.

next, press the Fix button just once and wait.

You will see a green-color scroll display while FRST is running.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Downloads folder (Fixlog.txt) . Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.

NOTICE: For potential outside readers,  This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause harm.

 

Link to post
Share on other sites

Der Windows-Ressourcenschutz hat beschädigte Dateien gefunden und erfolgreich repariert.
Windows Resource Protection found and successfully repaired corrupted files.

One antivirus/security scan here.

TrendMicro HouseCall scan
from this Link

First, Download & Save to your Downloads folder the appropriate HouseCallLauncher
Once the download is complete, go to where the Housecalllauncher is saved & double-click it to start it.

The program will check with TrendMicro & do a update run.

Next it will show the Disclosure window.

Click Next to proceed.

The end user license agreement is presented.   Click the Accept radio button & click Next to proceed.

I suggest a CUSTOM scan on C drive.

IF you wish a Full scan or a Custom scan, first click on the Settings

then you can select which drives you want to include in the scan.

The default is a Quick scan.

Click Scan now when ready.

The scan progress will then be displayed.   Monitor the progress or just leave it alone until it finishes this phase.

When the scan phase has completed, if any items are tagged, you will see a list, showing  the file & its location, the classification of the threat, the type, risk, and Action option.

If you see an item that you know is safe, you can click the Action  , and select Ignore.

When all done & ready, click the Fix now button.
The "Summary" at the end at "Review Results" is what matters.

Link to post
Share on other sites

Let us just forget that. Your machine has the FRSTENGLISH report tool on the Downloads folder. We will use that. Go to Downloads folder. RIGHT-click on FRSTENGLISH and select 

Run as Administrator

and tap ENTER. And reply YES to allow to proceed.  

  •  When the tool opens click Yes to the disclaimer.  And be very sure to TICK the box for Addition.txt
  • Press the Scan button.

_frst_scan.jpg

  • It will make a log (FRST.txt & Addition.txt) in the same directory the tool is run
  • Have lots of patience as the run can take several minutes to complete everything.
  • Have patience since the run may take something like 10 or so minutes  (less depending on your hardware speed)
  • Close Notepad IF those show up on Notepad.
  • Just please Attach the 2 files FRST.txt +Addition.txt  with your next reply. You may put those into a ZIP file & then ATTACH it.
Link to post
Share on other sites

I would recommend getting a readout report as to update status of some key apps.
Temporarily disable Microsoft SmartScreen to download the next software below 

Download SecurityCheck by glax24 from here

and save the tool on the desktop.

                   If Windows's  SmartScreen block that with a message-window, then
                         Click on the MORE INFO spot and over-ride that and allow it to proceed.

                             This tool is safe.   Smartscreen is overly sensitive.

Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

I would like to know. Did this machine used to have COMODO ? Did this machine used to have AVIRA ?

Link to post
Share on other sites

There are still at least 3 Comodo services still around. You must run the Comodo Removal tool 64-bit  ( your Windows is 64 bit).
Comodo does not have a all inclusive, simple page of instruction.  which adds to making things more complex.

Use this link-page here https://forums.malwarebytes.com/topic/127580-information-list-of-uninstaller-tools/
Scroll to where the line is listed for COMODO

Click the spot marked x64 file. SAVE the file to your mahine on like the Downloads folder

Having saved the file, now you want to run that tool.
Look on the second half of this page about running the tool.
https://help.comodo.com/topic-72-1-766-12685-Use-the-Comodo-Uninstaller-Tool.html

When all completed, you want to be sure to Restart Windows.

Once all done, please re-run the tool SecurityCheck.exe

Link to post
Share on other sites

This is a good point to emphasize not playing online games or games in general, while the case is on-going.
I would also emphasize to reduce the auto-started applications that start with Windows down to the absolute minimum. Which would basically be just security applications.
Apply these principles now from the following How-to
How to perform a clean boot in Windows

We need to turn off all auto-start applications as much as possible, like all Games, all Steam, PDF24, GOG

NEXT

Create an Autoruns Log:

  • Please download Sysinternals Autoruns from here:   https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
  • Save Autoruns.zip to your computer. Then locate it and extract it to a new folder where you can find and run it.
  • Once it starts you may not be able to easily stop the scan but you can try to press the Escape key on your keyboard.
  • Once scanning is stopped, click on the Options menu at the top of the program and select Scan Options... 
  • Then place a check mark on the following items Verify Code Signatures, Check VirusTotal.com, and Submit Unknown Images
  • Then click the Rescan button. Agree to the VirusTotal EULA
  • Once the new scan has been completed, please click on the File button at the top of the program and select Save, or use the Save icon, and save the Autoruns.arn file to your desktop and close Autoruns.
  • Right-click on the Autoruns.arn file (it will typically be the name of your computer) on your desktop or where you save it, and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the Autoruns.zip folder (your computer name.zip) you just created to your next reply.

 

image.png

Link to post
Share on other sites

After my yesterday´s bluescreen post, I started all our steps again to this step, where we SCAN with FRSTenglish.

Everything looked ok so far, but today at startup a bluescreen again, so I had to start from a system reset point (FRST 18:18pm) again.

Mining at my graphics card detected but no alert from mbam after this.

Now I did our last step, clear startup, only microsoft and security software working, closed all active tasks, like shown in the article,then reboot.

No mining from this point. Attached now sysinternal zip

DESKTOP-A69NLVH.zip

Link to post
Share on other sites

I would like a report set for review. This is a report only.

Please download MALWAREBYTES MBST Support Tool
Be sure it is SAVEd.

Do a RIGHT-click on mb-support-1.9.2.9nn,exe & select "Run as administrator" and reply YES and ALLOW it to proceed.

click Advanced >>> then Gather Logs

Have patience till the run has finished. It may take several minutes to fully generate the report.
Attach the mbst-grab-results.zip from the Desktop to your reply..

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.