Need help removing stealthy bitcoin miner (pool.hashvault.pro)


Go to solution Solved by MKDB,


Hi, I need help removing a pesky malware or riskware (whichever suits best); below are the details:

  1. MB scans do not show anything except the occasional PUP, which are now cleaned; I also used RogueKiller, only to quarantine the svchost.exe again and again to no avail.
  2. MB notifies me that it blocked the outbound connection towards the miner's domain every 20 - 60 minutes (log will be shown below).
  3. --This is the most annoying part-- I'm using Core Temp and HWMonitor; the malware/miner causes 100% CPU on Core #0 only, AND THEN it's gone whenever I open Task Manager (or Process Explorer), avoiding manual detection. After I close Task Manager, Core Temp and HWMonitor show 100% CPU on Core #0 again, a sign that the malware is back.
  4. I have to downclock my PC right now to avoid overheating and crashes due to the overuse of the core.
  5. Regarding pirated stuff, I have had games I wanted to test out before buying them, and they're all gone now; still, if there are leftovers, MB scans show no problem.
  6. The infection feels like it began around a month ago, and I have no idea from where, presumably accidental clicking on some ads (if that's possible).

Below is the RTP detection log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 10/3/23
Protection Event Time: 2:50 PM
Log File: 8a6f8f54-61c1-11ee-80e0-309c2325f47d.json

-Software Information-
Version: 4.6.3.282
Components Version: 1.0.2158
Update Package Version: 1.0.75905
License: Trial

-System Information-
OS: Windows 10 (Build 18363.592)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Windows\System32\svchost.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: RiskWare
Domain: pool.hashvault.pro
IP Address: 125.253.92.50
Port: 443
Type: Outbound
File: C:\Windows\System32\svchost.exe

(end)

Below are the screenshots of the domain details I found on an IP lookup website.

[two screenshots of the IP lookup results, not reproduced]

I hope that this information is good enough to find a solution.

Thanks

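The symptoms in the post above (one core pinned at 100% by a process that disappears whenever Task Manager or Process Explorer is open, plus periodic outbound connections from svchost.exe to pool.hashvault.pro) can be checked without opening either tool. The following PowerShell is an added example for this thread, not code from the original posts or from Malwarebytes. The pool IP and domain are taken from the RTP log above; the sampling interval, CPU threshold and the assumption that the miner only watches for taskmgr.exe/procexp.exe (and so will not notice a script) are mine. Run it from an elevated PowerShell prompt.

```powershell
<#
  Miner hunt without Task Manager. Added example, not code from the thread.
  Pool IP/domain are from the Malwarebytes RTP log; the interval, sample
  count and CPU threshold are assumptions.
#>

$PoolIp       = '125.253.92.50'
$PoolDomain   = 'pool.hashvault.pro'
$IntervalSec  = 5       # seconds between CPU samples (assumption)
$Samples      = 12      # 12 x 5 s = one minute of watching (assumption)
$CoreFraction = 0.8     # flag a process that burned >80% of one core in an interval

function Get-CpuTicks {
    # PID -> cumulative CPU time in 100-ns ticks
    $t = @{}
    foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
        try { $t[$p.Id] = $p.TotalProcessorTime.Ticks } catch { }
    }
    $t
}

function Get-ProcessDetail([int]$ProcId) {
    # Image path, command line and parent, which Task Manager's default view hides
    $w = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcId" -ErrorAction SilentlyContinue
    if (-not $w) { return $null }
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($w.ParentProcessId)" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PID         = $w.ProcessId
        Name        = $w.Name
        Path        = $w.ExecutablePath
        CommandLine = $w.CommandLine
        ParentPID   = $w.ParentProcessId
        ParentName  = if ($parent) { $parent.Name } else { '<exited>' }
    }
}

# 1. CPU sampling: catch whatever is pinning a core while no taskmgr.exe is running.
$ticksPerInterval = [long]$IntervalSec * 10000000   # 100-ns ticks per interval
$before = Get-CpuTicks
for ($i = 1; $i -le $Samples; $i++) {
    Start-Sleep -Seconds $IntervalSec
    $after = Get-CpuTicks
    foreach ($procId in $after.Keys) {
        if (-not $before.ContainsKey($procId)) { continue }
        $delta = $after[$procId] - $before[$procId]
        if ($delta -ge $CoreFraction * $ticksPerInterval) {
            $pct = [math]::Round($delta / $ticksPerInterval * 100)
            "[sample $i] PID $procId used about $pct% of one core"
            Get-ProcessDetail $procId | Format-List
        }
    }
    $before = $after
}

# 2. Network: live sockets to the pool and the process that owns them. The pool's
#    current IP may differ from the one in the log, so resolve the name as well.
Get-NetTCPConnection -RemoteAddress $PoolIp -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ProcessDetail $_.OwningProcess | Format-List }
Resolve-DnsName $PoolDomain -ErrorAction SilentlyContinue | Select-Object Name, IPAddress

# 3. svchost.exe sanity: a genuine instance normally runs from System32 and is
#    started by services.exe. Anything else is worth a closer look (not proof).
Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $d = Get-ProcessDetail $_.ProcessId
    if ($d -and ($d.ParentName -ne 'services.exe' -or
                 $d.Path -notlike "$env:SystemRoot\System32\svchost.exe")) {
        'Suspicious svchost.exe:'; $d | Format-List
    }
}

# 4. Persistence that a file scan can miss: WMI event subscriptions and
#    scheduled tasks outside the Microsoft tree.
Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
    Select-Object Filter, Consumer
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    [pscustomobject]@{
        Task = $_.TaskName
        Path = $_.TaskPath
        Exec = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    }
}
```

Step 1 finds the process by what it does (CPU time consumed) rather than by name, so a renamed or injected miner shows up as long as it is running while the script samples. A miner that hides only when it sees taskmgr.exe or procexp.exe will not react to this sampler; one that also watches for powershell.exe would, which is why the network and persistence checks in steps 2 to 4 do not depend on catching it in the act. Note that the blocked connection in the log came from C:\Windows\System32\svchost.exe itself, which is consistent with the real binary hosting an injected payload; step 3 flags an impostor copy but cannot see injection, so a connection to the pool from a legitimately parented svchost still warrants the clean reinstall recommended later in the thread.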

Hello @ashencowl and :welcome:

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run the following Malwarebytes utility, or its subsets, please carefully follow these instructions:

  1. Download the Malwarebytes Support Tool.
  2. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
  3. In the User Account Control (UAC) pop-up window, click Yes to continue the installation.
  4. Run the MBST Support Tool.
  5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
  6. In the Advanced Options, click only Gather Logs. A status diagram displays the tool is Getting logs from your computer.  WARNING: Do Not click the Repair System under Advanced unless requested to by a Malwarebytes support agent or authorized helper.
  7. A zip file named mbst-grab-results.zip will be saved to the Public desktop, please attach that file in your next reply to this topic. Please do NOT copy and paste.

For the short time between when you post the diagnostic logs, and when your helper weighs in, please take no further self-directed remedial actions that will invalidate the diagnostic logs you will have posted.

Thank you.


Hello @ashencowl and :welcome:

 

My name is MKDB and I will assist you.

Let's keep these principles as we proceed. Make sure to read the entire post below first.

  • Please follow the steps in the given order and post back the log files.
  • Please copy and paste all log files into your post.
  • Before we start, please make sure that you have an external backup, not connected to this system, of all private data.
  • Only run the tools I guide you to. Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • As English is not my native language, please do not use slang or idioms. It may be hard for me to understand.
  • If you do not respond within 4 days, your topic will be closed.
  • Cracked, hacked or pirated programs are not only illegal, but also make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. If you are running any kind of illegal software on your system, please uninstall it now, before we start the cleaning procedure.

Please give me some time to review what you have posted.

Thank you!


  • Solution

@ashencowl

You are using illegal software:

Quote

KMSpico 10.1.8 FINAL + Portable (Office and Windows 10 Activator) [TechTools.net].rar.lnk

https://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:Win32/crack&threatid=2147734096&enterprise=0
Name: HackTool:Win32/crack
Severity: High
Category: Tool
Path: file:_F:\Program Files\Ghosto\MONTER\Skripsi\robo\Robolife Days with Aino\DS-CRACKTRO_03.exe

 

As mentioned above, I do not support pirated/illegal software.

 

 

Moreover, you use a very outdated version of Windows 10, which is no longer supported by Microsoft:

Quote

Microsoft Windows 10 Pro Version 1909 18363.592 (X64) (2023-04-09 18:10:35)

Windows 10 and 11 Lifecycle information

 

A backup of all private data and a clean install of Windows 10 (without any illegal software) is the way to go for you:

How to: Perform a Clean Install or Reinstall of Windows 10

Anything else cannot be recommended from a safety perspective.

 

@AdvancedSetup


  • Root Admin

Please see the following @ashencowl

Clean Install Windows 10 & 11 (2023)
https://answers.microsoft.com/en-us/windows/forum/all/clean-install-windows-10-11-2023/1c426bdf-79b1-4d42-be93-17378d93e587

Also, please review the following topic

Bypass Microsoft Online Account Creation during installation of Windows 11
https://forums.malwarebytes.com/topic/296613-bypass-microsoft-online-account-creation-during-installation-of-windows-11/

 


  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you


This topic is now closed to further replies.