Dsmack Posted October 4, 2023 ID:1592920 Share Posted October 4, 2023 Been searching for weeks now and I cannot fix this problem,the only way is to disable some windows files, every 20 seconds I get a malwarebytes popup warning of a TROJAN for xmrpool.eu exported text is Log File: 882707d2-6256-11ee-a7f9-704d7b6bdd3c.json -Software Information- Version: 4.6.2.281 Components Version: 1.0.2131 Update Package Version: 1.0.75931 License: Premium -System Information- OS: Windows 10 (Build 19045.3516) CPU: x64 File System: NTFS User: System -Blocked Website Details- Malicious Website: 1 , C:\Windows\System32\usocoreworker.exe, Blocked, -1, -1, 0.0.0, , -Website Data- Category: Trojan Domain: xmrpool.eu IP Address: 51.89.217.80 Port: 443 Type: Outbound File: C:\Windows\System32\usocoreworker.exe I have tried everything and Would like some help on this popup thanks Link to post Share on other sites More sharing options...
1PW Posted October 4, 2023 ID:1592924 Share Posted October 4, 2023 Hello @Dsmack and : While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run the following Malwarebytes utility, or its subsets, please carefully follow these instructions: Download the Malwarebytes Support Tool. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file. In the User Account Control (UAC) pop-up window, click Yes to continue the installation. Run the MBST Support Tool. In the left navigation pane of the Malwarebytes Support Tool, click Advanced. In the Advanced Options, click only Gather Logs. A status diagram displays the tool is Getting logs from your computer. WARNING: Do Not click the Repair System under Advanced unless requested to by a Malwarebytes support agent or authorized helper. A zip file named mbst-grab-results.zip will be saved to the Public desktop, please attach that file in your next reply to this topic. Please do NOT copy and paste. For the short time between when you post the diagnostic logs, and when your helper weighs in, please take no further self-directed remedial actions that will invalidate the diagnostic logs you will have posted. Thank you. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted October 5, 2023 Root Admin ID:1593164 Share Posted October 5, 2023 Hello @Dsmack Are you still with us? Link to post Share on other sites More sharing options...
Dsmack Posted October 5, 2023 Author ID:1593196 Share Posted October 5, 2023 Hello I changed my DNS to google like you said in the other post and it stopped the attack ,everything else didnt work so its a solution I guess Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted October 6, 2023 Root Admin ID:1593357 Share Posted October 6, 2023 It's up to you but I'd highly suggest you post the requested logs and allow us to assist you in cleaning the computer and helping to keep it safe in the future There is no cost aside from some time Thanks @Dsmack Link to post Share on other sites More sharing options...
Dsmack Posted October 6, 2023 Author ID:1593361 Share Posted October 6, 2023 ok i will do that as its returned this morning Link to post Share on other sites More sharing options...
Dsmack Posted October 6, 2023 Author ID:1593363 Share Posted October 6, 2023 mbst-grab-results.zipAttached is file you requested thanks Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted October 6, 2023 Root Admin ID:1593365 Share Posted October 6, 2023 The Farbar (FRST) program is located here in your downloads folder: C:\Users\Administrator.DESKTOP-DSMACK\Downloads\FRSTEnglish.exe Please follow the process below to perform a fix in Safe Mode Start in Safe mode: Press the Windows icon on the keyboard together with the letter I, to get into the Settings. Choose Update and Security. From the menu at the left, choose Recovery. Under the title Advanced startup at the right, choose Restart now. From the window that will appear choose Troubleshoot and then Advanced options. Choose Startup Settings and then Restart. Press number 5, for choosing Safe mode with networking. You will know that you are in Safe mode, if the background is black and Safe mode is written at the four corners of the screen. After that: Please do the following to run a FRST fix. NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy ". No need to paste anything to anywhere. Start:: HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction GroupPolicy: Restriction End:: Right-click on FRSTEnglish in your Downloads folder, to run it as administrator. When the tool opens, click "yes" to the disclaimer. Press the Fix button once and wait. FRST will process fixlist.txt When finished, it will produce a log fixlog.txt in your Downloads folder or where you have the Farbar program located. Attach that log in your next reply. Thank you Link to post Share on other sites More sharing options...
Dsmack Posted October 6, 2023 Author ID:1593374 Share Posted October 6, 2023 Ok thanks i tried everything and nothing worked so i reset windows. thanks for your help will come back if it happens again 🙂 Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted October 6, 2023 Root Admin ID:1593385 Share Posted October 6, 2023 Depending on how you reset Windows it may still have an issue. I'd suggest you post a new set of logs for review and we can double check if you like. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted November 5, 2023 Root Admin ID:1598402 Share Posted November 5, 2023 Due to the lack of feedback, this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread. Tips to help protect from infection Thanks Link to post Share on other sites More sharing options...
Recommended Posts