
Trojan.BitCoinMiner can't be removed


Solved by Maurice Naggar

Hello,

I have recently realized that my GPU has suddenly spiked up to 100% multiple times even when I have no applications opened. I ran Malwarebytes and it found 5 items which I tried to quarantine but it kept coming back every scan. I'm not sure what to do but I saved the file for the scan.

 

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 10/26/23
Scan Time: 6:10 AM
Log File: f5af16f0-73bd-11ee-a671-08bfb8c037b5.json

-Software Information-
Version: 4.6.5.293
Components Version: 1.0.2181
Update Package Version: 1.0.76576
License: Trial

-System Information-
OS: Windows 11 (Build 22621.2283)
CPU: x64
File System: NTFS
User: LAPTOP-299K78D4\Asus

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 248511
Threats Detected: 5
Threats Quarantined: 0
Time Elapsed: 0 min, 44 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 3
Trojan.BitCoinMiner, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\GoogleUpdateTaskMachineQC, No Action By User, 616, 1047226, , , , , , 
Trojan.BitCoinMiner, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{1EA2971B-FF18-4C30-B8BD-2D97BE5464AF}, No Action By User, 616, 1047226, , , , , , 
Trojan.BitCoinMiner, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\BOOT\{1EA2971B-FF18-4C30-B8BD-2D97BE5464AF}, No Action By User, 616, 1047226, , , , , , 

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 2
Trojan.BitCoinMiner, C:\WINDOWS\SYSTEM32\TASKS\GoogleUpdateTaskMachineQC, No Action By User, 616, 1047226, 1.0.76576, , ame, , 26B1123DE44EB9B8140AB63FF84B4CDA, E2CE6E82A4CFB2E89259AB88B4119ABE3725E5FCBADB8D3E7B35E9E34A12B003
Trojan.FakeChrome, C:\PROGRAM FILES\GOOGLE\CHROME\UPDATER.EXE, No Action By User, 8319, 1098697, 1.0.76576, , ame, , 99B6E5BCDCC8B4F94B9E3232839C2576, 1045127280B64E5D8E7AF1EFC347089F759860222F1373349D8C4AA1449918DB

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)


Hello. My name is Maurice. I will guide you.

  • Removing pesky malware can be an involved set of tasks over separate runs. Have much patience. Follow my directions. 
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

    Do these 2 steps so that ALL folders & Files are set to SHOW, plus also, Turn OFF Windows Fast start.
    1. Show-Hidden-Folders-Files-Extensions
    https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/

    2. Disable-Fast-Startup
    https://forums.malwarebytes.com/topic/299350-disable-fast-startup/

3. First some housekeeping, and then one Scan. There will be more later after all this.
Start Malwarebytes. Click Settings ( gear ) icon. Next, let us make real sure that Malwarebytes does NOT register with Windows Security Center

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off   .... be sure that line's  radio-button selection is all the way to the Left.  thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows    😃.

  • now Click the General tab.
  • Under Application updates, click the Check for updates button.

When it shows a new version available, Accept it and let it proceed forward.  Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

Let me know how that goes. Next, the Malwarebytes scan.

Next, click the small x on the Settings line to go to the main Malwarebytes Window.   Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical.

👉 You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected). 💢

 


Please double verify you have that TOP check-box tick marked, and that then all lines have a tick-mark.

 

Then click on Quarantine  button.


 


Then, locate the Scan run report; export out a copy; and then attach it with your reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4


Hello,

Thanks for getting back to me. I have completed all the steps and restarted my computer while I was at it.

I have attached the copy of the scan report and pasted it here as well.

I hope to hear from you again soon.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 10/28/23
Scan Time: 9:51 PM
Log File: cd4c1d9e-75d3-11ee-aada-08bfb8c037b5.json

-Software Information-
Version: 4.6.5.293
Components Version: 1.0.2181
Update Package Version: 1.0.76684
License: Trial

-System Information-
OS: Windows 11 (Build 22621.2283)
CPU: x64
File System: NTFS
User: LAPTOP-299K78D4\Asus

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 252469
Threats Detected: 5
Threats Quarantined: 5
Time Elapsed: 0 min, 54 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 3
Trojan.BitCoinMiner, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\GoogleUpdateTaskMachineQC, Quarantined, 616, 1047226, , , , , , 
Trojan.BitCoinMiner, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{8D143090-4719-41A0-85FA-880D8011AF11}, Quarantined, 616, 1047226, , , , , , 
Trojan.BitCoinMiner, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\BOOT\{8D143090-4719-41A0-85FA-880D8011AF11}, Quarantined, 616, 1047226, , , , , , 

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 2
Trojan.BitCoinMiner, C:\WINDOWS\SYSTEM32\TASKS\GoogleUpdateTaskMachineQC, Quarantined, 616, 1047226, 1.0.76684, , ame, , 26B1123DE44EB9B8140AB63FF84B4CDA, E2CE6E82A4CFB2E89259AB88B4119ABE3725E5FCBADB8D3E7B35E9E34A12B003
Trojan.FakeChrome, C:\PROGRAM FILES\GOOGLE\CHROME\UPDATER.EXE, Quarantined, 8315, 1098697, 1.0.76684, , ame, , 99B6E5BCDCC8B4F94B9E3232839C2576, 1045127280B64E5D8E7AF1EFC347089F759860222F1373349D8C4AA1449918DB

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

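As an added example (not Malwarebytes' code and not from this thread's helper), the following Python script parses scan-report text in the layout posted in the two reports above, counts detections by action, picks out the Task Scheduler entries that explain why the miner kept coming back after every scan (a TaskCache registry triple plus the task file under System32\Tasks), and diffs two reports to show which items were quarantined. The sample input is constructed from the two reports in this thread; the column meanings beyond threat, location and action, and the position of the SHA-256 column, are assumptions.

```python
"""Parse Malwarebytes for Windows scan-report text and summarise detections.

Added example, not Malwarebytes' own code. It assumes the report layout shown
in this thread: after "-Scan Details-", each category is a line such as
"Registry Key: 3" followed by comma-separated detection lines of the form
  <threat>, <location>, <action>, <n>, <n>, <db version>, , <engine>, , <md5>, <sha256>
Only threat, location and action are documented in the thread; the other
field meanings (and the SHA-256 column position) are an assumption.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input, modelled on the first report in this thread
# (before anything was quarantined), trimmed to the relevant sections.
SCAN_BEFORE = r"""
-Scan Summary-
Scan Type: Threat Scan
Threats Detected: 5
Threats Quarantined: 0

-Scan Details-
Process: 0
(No malicious items detected)

Registry Key: 3
Trojan.BitCoinMiner, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\GoogleUpdateTaskMachineQC, No Action By User, 616, 1047226, , , , , , 
Trojan.BitCoinMiner, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{1EA2971B-FF18-4C30-B8BD-2D97BE5464AF}, No Action By User, 616, 1047226, , , , , , 
Trojan.BitCoinMiner, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\BOOT\{1EA2971B-FF18-4C30-B8BD-2D97BE5464AF}, No Action By User, 616, 1047226, , , , , , 

File: 2
Trojan.BitCoinMiner, C:\WINDOWS\SYSTEM32\TASKS\GoogleUpdateTaskMachineQC, No Action By User, 616, 1047226, 1.0.76576, , ame, , 26B1123DE44EB9B8140AB63FF84B4CDA, E2CE6E82A4CFB2E89259AB88B4119ABE3725E5FCBADB8D3E7B35E9E34A12B003
Trojan.FakeChrome, C:\PROGRAM FILES\GOOGLE\CHROME\UPDATER.EXE, No Action By User, 8319, 1098697, 1.0.76576, , ame, , 99B6E5BCDCC8B4F94B9E3232839C2576, 1045127280B64E5D8E7AF1EFC347089F759860222F1373349D8C4AA1449918DB

(end)
"""

# The second report in the thread: the same five items, now "Quarantined",
# and the task GUID changed between the two runs, i.e. the scheduled task
# was re-registered in between (constructed here by rewriting the first).
SCAN_AFTER = (SCAN_BEFORE
              .replace("Threats Quarantined: 0", "Threats Quarantined: 5")
              .replace("No Action By User", "Quarantined")
              .replace("{1EA2971B-FF18-4C30-B8BD-2D97BE5464AF}",
                       "{8D143090-4719-41A0-85FA-880D8011AF11}"))


@dataclass(frozen=True)
class Detection:
    category: str   # e.g. "Registry Key", "File"
    threat: str     # e.g. "Trojan.BitCoinMiner"
    location: str   # registry path or file path
    action: str     # "No Action By User", "Quarantined", ...
    sha256: str     # empty for registry entries


CATEGORY_RE = re.compile(r"^([A-Za-z ]+): (\d+)$")
# Locations that mean "Task Scheduler persistence": the TaskCache registry
# hive and the on-disk task store.
TASK_MARKERS = ("\\SCHEDULE\\TASKCACHE\\", "\\SYSTEM32\\TASKS\\")


def parse_report(text: str) -> List[Detection]:
    """Return every detection line found under -Scan Details-."""
    found: List[Detection] = []
    category: Optional[str] = None
    in_details = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-Scan Details-":
            in_details = True
            continue
        if not in_details or not line or line.startswith("("):
            continue  # skip summary, blanks, "(No malicious items detected)", "(end)"
        m = CATEGORY_RE.match(line)
        if m:
            category = m.group(1)
            continue
        fields = [f.strip() for f in line.split(",")]
        if category is None or len(fields) < 3:
            continue
        sha256 = fields[10] if len(fields) > 10 else ""
        found.append(Detection(category, fields[0], fields[1], fields[2], sha256))
    return found


def count_by_action(detections: List[Detection]) -> Dict[str, int]:
    """How many items were quarantined, left alone, etc."""
    return dict(Counter(d.action for d in detections))


def scheduled_task_hits(detections: List[Detection]) -> List[Detection]:
    """Detections living in the Task Scheduler cache or task-file store: the
    persistence that re-drops the miner after a quarantine-only cleanup."""
    return [d for d in detections
            if any(marker in d.location.upper() for marker in TASK_MARKERS)]


def diff_reports(before: List[Detection],
                 after: List[Detection]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Map each location to (action in first report, action in second report);
    None marks a location present in only one of the two."""
    b = {d.location: d.action for d in before}
    a = {d.location: d.action for d in after}
    return {loc: (b.get(loc), a.get(loc)) for loc in sorted(set(b) | set(a))}


if __name__ == "__main__":
    first, second = parse_report(SCAN_BEFORE), parse_report(SCAN_AFTER)
    print("actions:", count_by_action(first), "->", count_by_action(second))
    for d in scheduled_task_hits(first):
        print("persistence:", d.category, d.location)
    for loc, (old, new) in diff_reports(first, second).items():
        if old != new:
            print(f"{loc}: {old} -> {new}")
```

The diff is the useful part for a reader of this thread: the TREE entry and the task file keep the same location across both runs, while the TASKS and BOOT entries appear under a different GUID, which is what a task that has been deleted and re-created looks like from the registry side.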

I am aware that there have been, and are, displays of Block notices by Malwarebytes. No need for you to grab the image & paste it here on this thread. We get that data from the Malwarebytes logs themselves. I also want to request that you only just ATTACH each report as we go along. I prefer that you do that, rather than copying and pasting the entire content in-line in the main reply body.

OK? Please do that for me, and for the benefit of each potential reader of this thread.

By the way, the Blocks mean that Malwarebytes is keeping the machine out of harm. It STOPS the potential "booger" from that IP address.

This next tool ought to take something in the range of 15 - 25 minutes tops, depending on hardware speed.
Get & run the Malwarebytes MBAR anti-rootkit tool to do 1 run with it.
Disregard the title subject of the topic. Run the MBAR tool as listed here:

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes

  • when done, I need the MBAR logs.
  • Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created.
  • Both files can be found in the extracted MBAR folder on your Desktop.
  • Please attach both files in your next reply.

Hello. Thank you. The MBAR reports having removed Trojan.FakeChrome. It needed the system to be Restarted to effect that fix. Make sure the system was Restarted one time since that run.

I would like a report set for review.   This is a report only.

Please download the MALWAREBYTES MBST Support Tool

Once you start it click Advanced >>> then   Gather Logs

 Have patience till the run has finished.

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

 

  • Please attach  mbst-grab-results.zip    to your reply , like displayed here.

To send  ( upload)   attachments please click the "ADD Files"  link . Then browse to where your file is located and select it and click the Open button.

 


 

The set of data from the report will provide much needed information. Be aware there is more cleanup(s) to do.

Please always attach reports as we go along.

Cheers.


Solution

There are multiple issues on this machine. 

Please run the following custom script. Read all of this before you start. The meaning of the "Fix button" operation here is just to run a custom script just for this particular machine.

NOTE-1:  This custom fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  There is a rogue scheduled task that needs to be removed. Two Windows services are corrupted. It will attempt to run some scans with Microsoft Defender antivirus. It will attempt to clear Cache files of web browsers.  It will attempt to clear temporary file areas. It rebuilds the Winsock. Depending on the speed of your computer this fix may take 50-55 minutes or more.

Please Close all open work before you actually do begin this run.

FRSTENGLISH.exe  program location:   Downloads folder. The tool is already on system. That is what we will use.

Please download the attached fixlist.txt file and save it to Downloads

fixlist.txt (attached)

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

Right-click with your mouse on  FRSTENGLISH and select "Run as Administrator" and reply Yes and allow it to proceed when prompted. That is important.

next, press the Fix button just once and wait.

You will see a green-color scroll display while FRST is running.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log in the Downloads folder (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.

NOTICE: For potential outside readers, this script was written specifically for this user, for use on this particular machine. Running this on another machine may cause harm.


Hello. Thanks for the log-report. 

The custom-run is good. The Windows System File Checker has made some corrections.

Windows Resource Protection found corrupt files and successfully repaired them.
This last run has completed what was originally intended. 

The custom fix run included getting 2 Windows Services, Bits + Dosvc, to the normal standard. This should be a tremendous regaining of the ability to do Microsoft Windows Update.

Curious to know, whether today, there was a Block notice citing stratum-eurplant(.)xyz ?
In any event, I am listing below several steps. I need you to do all of them.
Launch Malwarebytes.

Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical.

👉 You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected). 💢

 


Please double verify you have that TOP check-box tick marked, and that then all lines have a tick-mark.

 

Then click on Quarantine  button.


 


Then, locate the Scan run report; export out a copy; and then attach it with your reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

 
 

( 2 )

 

Temporarily disable Microsoft SmartScreen to download the next software below.

Download Farbar's Service Scanner utility

and Save to your Desktop.

Right-Click on fss.exe and select Run As Administrator.

Answer Yes to ok when prompted.

If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are check-marked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender
  • Other services

  

Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run from. Please attach that file.

 

( 3 )

I would recommend getting a readout report as to update status of some key apps.
Download SecurityCheck by glax24 from here

and save the tool on the desktop.

If Windows SmartScreen blocks that with a message window, then click on the MORE INFO spot, override that and allow it to proceed.

This tool is safe. SmartScreen is overly sensitive.

Right-click with your mouse on the SecurityCheck.exe and select "Run as administrator", and reply YES to allow it to run & go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

When all done, you may go back to turn ON the EDGE Smartscreen protection.


Thank you. The Malwarebytes scan report is all excellent. The FSS report is normal and good.

Here are the applications that need your attention, as reported by SecurityCheck.

Malwarebytes version 4.6.5.293 v.4.6.5.293 Warning! Download Update

Notepad++ (64-bit x64) v.8.5.7 Warning! Download Update

NVIDIA GeForce Experience 3.27.0.112 v.3.27.0.112 Warning! Download Update

Discord v.1.0.9016 Warning! Download Update

Windscribe v.2.6.14 Warning! Download Update

Google Chrome v.119.0.6045.107 Warning! Download Update
Microsoft Edge v.119.0.2151.44

Wondershare Helper Compact 2.6.0 v.2.6.0 Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended. Possible you became a victim of fraud or social engineering.

Now then, I believe your system is good-to-go. Advise me: Has the Block notice(s) about "stratum-eurplant" gone away?


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy: Tips to help protect from infection

Thank you



Topic has been reopened per request. You indicated to me that the Microsoft Defender antivirus is flagging a threat classified by MS as Trojan:Win32/Wacatc.B!ml

Re-opening this thread only for Vladimireth  and this is limited to that one threat.

Thanks


Hello @Vladimireth
You indicated to me that the Microsoft Defender antivirus is flagging a threat classified by MS as Trojan:Win32/Wacatc.B!ml
The executable file it flags is in the user-level sub-folder c:\users\asus\appdata\python

I suggested that you first of all Uninstall Python. Now then, since Python is likely not listed as an installed application, you can skip that part. And second, get, save, & Run the Microsoft Safety Scanner.
Be sure you relay to me the report log c:\Windows\debug\msert.log

After that, do the following

Open an elevated PowerShell window, i.e. run the PowerShell prompt as an administrator.

On the Taskbar Search box, type in
powershell.exe
click the line for "run as administrator"


It is best to use the Windows Copy (CTRL+C) and Paste (CTRL+V) for the whole line, as-is.
On that prompt window, Copy & Paste this command:

Remove-Item -Path "C:\Users\Asus\AppData\Roaming\Python" -force -recurse

Press the Enter key on the keyboard and watch & write down the result (if possible).

Close the Powershell window

One other scan here.

TrendMicro HouseCall scan
from this Link

First, Download & Save to your Downloads folder the appropriate HouseCallLauncher
Once the download is complete, go to where the Housecalllauncher is saved & double-click it to start it.

The program will check with TrendMicro & do a update run.

Next it will show the Disclosure window.

Click Next to proceed.

The end user license agreement is presented.   Click the Accept radio button & click Next to proceed.

I suggest a CUSTOM scan on C drive.

IF you wish a Full scan or a Custom scan, first click on the Settings

then you can select which drives you want to include in the scan.

The default is a Quick scan.

Click Scan now when ready.

The scan progress will then be displayed.   Monitor the progress or just leave it alone until it finishes this phase.

When the scan phase has completed, if any items are tagged, you will see a list, showing  the file & its location, the classification of the threat, the type, risk, and Action option.

If you see an item that you know is safe, you can click the Action  , and select Ignore.

When all done & ready, click the Fix now button.
The "Summary" at the end at "Review Results" is what matters.

Providing that TrendMicro has dealt with any trojan or virus, or real threat, then we are done with the usage of TrendMicro Housecall.


Get and SAVE the tool "FRST64" to either the Desktop or else, to the Downloads folder. download & save a new copy of the tool FRST64.exe from this link https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/

Find & then start FRST64

 

Type the following ( better yet, use COPY then Paste) into the search box exactly as shown

SearchAll: python

Then press the Search Files button
Please wait while the program searches for all entries relating to this , when done a search.txt log will be saved to the desktop. Please attach this log to your next reply.
 


I have reviewed the contents of the Search report. Most of the lines reported that contain "python related" elements are contained in "Wondershare Filmora". To what useful purpose does having "Wondershare Filmora" serve? Is creating videos a key use of this pc? Just wondering.

Now then, this search did not show a mention of

appdata\roaming\python

such that we can say that that sub-folder is no longer present. And that we can close this particular hunt.
Question: Are you ready to wrap-up this case ? Is there some other outstanding issue ?
 


It is up to you what to do about Filmora. As to Discord, just make sure it is the very latest release. Be careful using Discord, since we have often read where other users fell into following "lured messages".....messages that lead to exploits.

👌💢 Temporarily disable Microsoft SmartScreen to download the next software below

Let's go ahead and do some clean-up work and remove the tools and logs we've run.
Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_2-15.exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • You may attach that file to your next reply. (not compulsory)

Your system is good-to-go.
Sincerely.

This topic is now closed to further replies.