Vladimireth Posted October 28, 2023 ID:1597106

Hello, I have recently realized that my GPU has suddenly spiked to 100% multiple times even when I have no applications open. I ran Malwarebytes and it found 5 items which I tried to quarantine, but it kept coming back every scan. I'm not sure what to do, but I saved the file for the scan.

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 10/26/23
Scan Time: 6:10 AM
Log File: f5af16f0-73bd-11ee-a671-08bfb8c037b5.json

-Software Information-
Version: 4.6.5.293
Components Version: 1.0.2181
Update Package Version: 1.0.76576
License: Trial

-System Information-
OS: Windows 11 (Build 22621.2283)
CPU: x64
File System: NTFS
User: LAPTOP-299K78D4\Asus

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 248511
Threats Detected: 5
Threats Quarantined: 0
Time Elapsed: 0 min, 44 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0 (No malicious items detected)
Module: 0 (No malicious items detected)

Registry Key: 3
Trojan.BitCoinMiner, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\GoogleUpdateTaskMachineQC, No Action By User, 616, 1047226, , , , , ,
Trojan.BitCoinMiner, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{1EA2971B-FF18-4C30-B8BD-2D97BE5464AF}, No Action By User, 616, 1047226, , , , , ,
Trojan.BitCoinMiner, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\BOOT\{1EA2971B-FF18-4C30-B8BD-2D97BE5464AF}, No Action By User, 616, 1047226, , , , , ,

Registry Value: 0 (No malicious items detected)
Registry Data: 0 (No malicious items detected)
Data Stream: 0 (No malicious items detected)
Folder: 0 (No malicious items detected)

File: 2
Trojan.BitCoinMiner, C:\WINDOWS\SYSTEM32\TASKS\GoogleUpdateTaskMachineQC, No Action By User, 616, 1047226, 1.0.76576, , ame, , 26B1123DE44EB9B8140AB63FF84B4CDA, E2CE6E82A4CFB2E89259AB88B4119ABE3725E5FCBADB8D3E7B35E9E34A12B003
Trojan.FakeChrome, C:\PROGRAM FILES\GOOGLE\CHROME\UPDATER.EXE, No Action By User, 8319, 1098697, 1.0.76576, , ame, , 99B6E5BCDCC8B4F94B9E3232839C2576, 1045127280B64E5D8E7AF1EFC347089F759860222F1373349D8C4AA1449918DB

Physical Sector: 0 (No malicious items detected)
WMI: 0 (No malicious items detected)

(end)
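Added example, not part of the thread and not Malwarebytes' tooling: a PowerShell triage of the two artefacts the scan log above names, the scheduled task that borrows the Google Update name and the updater.exe it points at. It assumes (stated in the code) that Google's own machine-level tasks are GoogleUpdateTaskMachineCore and GoogleUpdateTaskMachineUA and that they run GoogleUpdate.exe from a ...\Google\Update\ folder; the only indicators it uses are the SHA-256 values the log itself reports. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell prompt.
# Assumption: Google's own machine-level update tasks are named
# GoogleUpdateTaskMachineCore / GoogleUpdateTaskMachineUA and run GoogleUpdate.exe
# from a ...\Google\Update\ folder; anything else using the name is treated as suspect.
$legitTaskNames = @('GoogleUpdateTaskMachineCore', 'GoogleUpdateTaskMachineUA')

# SHA-256 values exactly as the Malwarebytes log above reported them.
$scanLogSha256 = @{
    'C:\Program Files\Google\Chrome\updater.exe'          = '1045127280B64E5D8E7AF1EFC347089F759860222F1373349D8C4AA1449918DB'
    'C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC' = 'E2CE6E82A4CFB2E89259AB88B4119ABE3725E5FCBADB8D3E7B35E9E34A12B003'
}

# 1. Every scheduled task that borrows the Google Update name: where does it actually point?
Get-ScheduledTask | Where-Object { $_.TaskName -like 'GoogleUpdateTaskMachine*' } | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Execute is empty for non-Exec (COM handler) actions; keep those rows visible anyway
        $exe    = [Environment]::ExpandEnvironmentVariables("$($action.Execute)").Trim('"')
        $nameOk = $legitTaskNames -contains $task.TaskName
        $pathOk = $exe -like '*\Google\Update\GoogleUpdate.exe'
        $verdict = if ($nameOk -and $pathOk) { 'expected' } else { 'SUSPECT' }
        [pscustomobject]@{
            Task    = $task.TaskPath + $task.TaskName
            State   = $task.State
            Execute = $exe
            Args    = $action.Arguments
            Verdict = $verdict
        }
    }
} | Format-Table -AutoSize

# 2. The files themselves: do they still match the log's hashes, and who signed them?
# A genuine Google binary carries a Valid Authenticode signature from Google LLC; the task
# XML under System32\Tasks is never signed, so NotSigned is the normal answer for that one.
foreach ($path in $scanLogSha256.Keys) {
    if (-not (Test-Path -LiteralPath $path)) {
        "$path : not on disk (quarantined, or never present)"
        continue
    }
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Path           = $path
        MatchesScanLog = ($hash -eq $scanLogSha256[$path])
        Signature      = $sig.Status
        Signer         = $sig.SignerCertificate.Subject
    }
}
```

The name check and the signature check together are what separate a lookalike from the real thing: a task called GoogleUpdateTaskMachineQC whose action is an unsigned updater.exe under the Chrome folder fails both, while Google's tasks pass both. Quarantining the task's registry entries alone, as the first scan attempted, leaves the task file and the executable for the next boot to re-register.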
Maurice Naggar Posted October 28, 2023 ID:1597109

Hello. My name is Maurice. I will guide you.

Removing pesky malware can be an involved set of tasks over separate runs. Have much patience. Follow my directions. Please don't run any other scans, download, install or uninstall any programs while I'm working with you. Only run the tools I guide you to. Do not run online games while the case is on-going. Do not do any free-wheeling web-surfing. The removal of malware isn't instantaneous, please be patient.

Cracked, hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.

Please stick with me until I give you the "all clear". If your system is running Discord, please be sure to Exit out of it while this case is on-going.

Do these 2 steps so that ALL folders & files are set to SHOW, plus also, turn OFF Windows Fast Startup.

1. Show-Hidden-Folders-Files-Extensions
https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/

2. Disable-Fast-Startup
https://forums.malwarebytes.com/topic/299350-disable-fast-startup/

3. First some housekeeping, and then one scan. There will be more later after all this.

Start Malwarebytes. Click the Settings (gear) icon. Next, let us make real sure that Malwarebytes does NOT register with Windows Security Center.
Click the Security tab. Scroll down to "Windows Security Center". Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center". { We want that to be set as Off .... be sure that line's radio-button selection is all the way to the left. Thanks. } This will not affect any real-time protection of Malwarebytes for Windows 😃.

Now click the General tab. Under Application updates, click the Check for updates button. When it shows a new version available, accept it and let it proceed forward. Be sure it succeeds. If prompted to do a Restart, just please follow all directions. Let me know how that goes.

Next, the Malwarebytes scan

Click the small x on the Settings line to go to the main Malwarebytes window. Next click the blue button marked Scan. When the scan phase is done, be real sure you review and have all detected line items check-marked on each line on the left. That too is very critical.
>>>>>> 👉 You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected). <<<<
💢 Please double verify you have that TOP check-box tick-marked, and that then all lines have a tick-mark.
Then click on the Quarantine button.
Then locate the scan run report, export out a copy, and attach it with your reply. See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4
Vladimireth (Author) Posted October 28, 2023 ID:1597146

Hello, thanks for getting back to me. I have completed all the steps and restarted my computer while I was at it. I have attached the copy of the scan report and pasted it here as well. I hope to hear from you again soon.

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 10/28/23
Scan Time: 9:51 PM
Log File: cd4c1d9e-75d3-11ee-aada-08bfb8c037b5.json

-Software Information-
Version: 4.6.5.293
Components Version: 1.0.2181
Update Package Version: 1.0.76684
License: Trial

-System Information-
OS: Windows 11 (Build 22621.2283)
CPU: x64
File System: NTFS
User: LAPTOP-299K78D4\Asus

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 252469
Threats Detected: 5
Threats Quarantined: 5
Time Elapsed: 0 min, 54 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0 (No malicious items detected)
Module: 0 (No malicious items detected)

Registry Key: 3
Trojan.BitCoinMiner, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\GoogleUpdateTaskMachineQC, Quarantined, 616, 1047226, , , , , ,
Trojan.BitCoinMiner, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{8D143090-4719-41A0-85FA-880D8011AF11}, Quarantined, 616, 1047226, , , , , ,
Trojan.BitCoinMiner, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\BOOT\{8D143090-4719-41A0-85FA-880D8011AF11}, Quarantined, 616, 1047226, , , , , ,

Registry Value: 0 (No malicious items detected)
Registry Data: 0 (No malicious items detected)
Data Stream: 0 (No malicious items detected)
Folder: 0 (No malicious items detected)

File: 2
Trojan.BitCoinMiner, C:\WINDOWS\SYSTEM32\TASKS\GoogleUpdateTaskMachineQC, Quarantined, 616, 1047226, 1.0.76684, , ame, , 26B1123DE44EB9B8140AB63FF84B4CDA, E2CE6E82A4CFB2E89259AB88B4119ABE3725E5FCBADB8D3E7B35E9E34A12B003
Trojan.FakeChrome, C:\PROGRAM FILES\GOOGLE\CHROME\UPDATER.EXE, Quarantined, 8315, 1098697, 1.0.76684, , ame, , 99B6E5BCDCC8B4F94B9E3232839C2576, 1045127280B64E5D8E7AF1EFC347089F759860222F1373349D8C4AA1449918DB

Physical Sector: 0 (No malicious items detected)
WMI: 0 (No malicious items detected)

(end)

Attachment: t2.txt
Vladimireth (Author) Posted October 28, 2023 ID:1597147

[image attachment: screenshot of a Malwarebytes block pop-up]
Vladimireth (Author) Posted October 28, 2023 ID:1597148

The message above is a reference to a pop-up that shows very frequently. I couldn't include it in the post for some reason, as it kept flagging it as spam.
Maurice Naggar Posted October 28, 2023 ID:1597154

I am aware that there have been and are displays of Block notices by Malwarebytes. No need for you to grab the image & paste it here on this thread. We get that data from the Malwarebytes logs themselves.
I also want to request that you only just ATTACH each report as we go along. I prefer that you do that, rather than copying and pasting the entire content in-line in the main reply body. OK? Please do that for me, and for the benefit of each potential reader of this thread.

By the way, the Blocks mean that Malwarebytes is keeping the machine out of harm. It STOPS the potential "booger" from that IP address.

This next tool ought to take something in the range of 15 - 25 minutes tops, depending on hardware speed.
Get & run the Malwarebytes MBAR anti-rootkit tool to do 1 run with it. Disregard the title subject of the topic. Run the MBAR tool as listed here https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes
When done, I need the MBAR logs. Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created. Both files can be found in the extracted MBAR folder on your Desktop. Please attach both files in your next reply.
Vladimireth (Author) Posted October 30, 2023 ID:1597259

Here are the two files.

Attachments: mbar-log-2023-10-30 (01-22-57).txt, system-log.txt
Maurice Naggar Posted October 30, 2023 ID:1597418

Hello. Thank you. The MBAR report shows it removed Trojan.FakeChrome. It needed the system to be restarted to effect that fix. Make sure the system was restarted one time since that run.

I would like a report set for review. This is a report only.
Please download the Malwarebytes MBST Support Tool. Once you start it, click Advanced >>> then Gather Logs. Have patience till the run has finished. Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.
Please attach mbst-grab-results.zip to your reply, like displayed here. To send (upload) attachments please click the "ADD Files" link. Then browse to where your file is located, select it and click the Open button.
The set of data from the report will provide much needed information. Be aware there is more cleanup to do. Please always attach reports as we go along. Cheers.
Maurice Naggar Posted November 2, 2023 ID:1597990

Hello @Vladimireth How are you progressing as far as getting mbst-grab-results.zip?
Vladimireth (Author) Posted November 2, 2023 ID:1598007

Hello. Apologies for the delay, I had thought that I uploaded the attachment here yesterday but I must have been mistaken. Here is the mbst-grab-results.zip.

Attachment: mbst-grab-results.zip
Maurice Naggar Posted November 2, 2023 (marked as Solution) ID:1598031

There are multiple issues on this machine. Please run the following custom script. Read all of this before you start. The meaning of the "Fix button" operation here is just to run a custom script just for this particular machine.

NOTE-1: This custom fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. There is a rogue scheduled task that needs to be removed. Two Windows services are corrupted. It will attempt to run some scans with Microsoft Defender antivirus. It will attempt to clear cache files of web browsers. It will attempt to clear temporary file areas. It rebuilds the Winsock. Depending on the speed of your computer this fix may take 50-55 minutes or more. Please close all open work before you actually do begin this run.

FRSTENGLISH.exe program location: Downloads folder. The tool is already on the system. That is what we will use.

Please download the attached fixlist.txt file and save it to Downloads.
Attachment: Fixlist.txt

NOTE. It's important that both files, FRSTENGLISH and fixlist.txt, are in the same location or the fix will not work.

Right-click with your mouse on FRSTENGLISH and select "Run as Administrator", reply Yes and allow it to proceed when prompted. That is important.
Next, press the Fix button just once and wait. You will see a green-color scroll display while FRST is running.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log in the Downloads folder (Fixlog.txt). Please attach or post it to your next reply.
Note: If the tool warned you about an outdated version please download and run the updated version.
The system will be rebooted after the fix has run. Attach FIXLOG.txt with your next reply.
NOTICE: For potential outside readers, this script was written specifically for this user, for use on this particular machine. Running this on another machine may cause harm.
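The fixlist.txt itself is not reproduced on the page, and per the notice above it must not be reused on another machine. What an outside reader can safely take from the post is the list of things the fix targets, and those can be checked without changing anything. The following is an added example, not the thread's script and not FRST output: read-only PowerShell checks for the rogue task, the two services the later post names (BITS and DoSvc), the Winsock catalog and the system-file state, to run elevated before and after a fix of this kind. It assumes that on a stock Windows 11 install both services are hosted by %SystemRoot%\System32\svchost.exe (an assumption, marked in the code).

```powershell
# Added example, not the thread's fixlist.txt (that script is not reproduced on the page).
# Read-only checks for the items the fix targets; run elevated, before and after the fix.
# Assumption: on a stock Windows 11 install BITS and DoSvc are hosted by
# %SystemRoot%\System32\svchost.exe; any other image path is treated as tampering.

# 1. The rogue scheduled task from the scan logs: still registered? task file still on disk?
$rogue = Get-ScheduledTask -TaskName 'GoogleUpdateTaskMachineQC' -ErrorAction SilentlyContinue
if ($rogue) { "Rogue task still registered: $($rogue.TaskPath)$($rogue.TaskName) -> $($rogue.Actions.Execute)" }
else        { 'Rogue task GoogleUpdateTaskMachineQC: not registered' }
"Task file present: $(Test-Path -LiteralPath 'C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC')"

# 2. The two services the fix repairs: present, hosted by the real svchost, start mode, state.
#    A service whose PathName points anywhere else has been hijacked or corrupted.
$expectedHost = Join-Path $env:SystemRoot 'System32\svchost.exe'
foreach ($name in 'BITS', 'DoSvc') {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    if (-not $svc) { "$name : MISSING from the service database"; continue }
    $image = ($svc.PathName -split ' -k ')[0].Trim('"')   # drop the "-k <group> -p" suffix
    [pscustomobject]@{
        Service   = $name
        State     = $svc.State
        StartMode = $svc.StartMode
        HostOk    = ($image -ieq $expectedHost)
        PathName  = $svc.PathName
    }
}

# 3. Winsock: the fix resets the catalog. Before that, see whether any provider DLL lives
#    outside System32, the classic home of a network-hijacking Layered Service Provider.
netsh.exe winsock show catalog |
    Select-String -Pattern '^\s*Provider Path:\s*(.+)$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() } |
    Sort-Object -Unique |
    ForEach-Object { [pscustomobject]@{ ProviderPath = $_; InSystem32 = ($_ -like '*\system32\*') } }

# 4. System files: verification only here; the fix's repair pass is what rewrites them.
sfc.exe /verifyonly
```

Run before the fix, this records what is wrong (a missing service, a foreign provider path, a task that is still registered); run after the reboot, every row should read not registered / False / HostOk True / InSystem32 True, and sfc should report no integrity violations, which is the same outcome the thread's later "Windows Resource Protection found corrupt files and successfully repaired them" confirms.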
Vladimireth (Author) Posted November 6, 2023 ID:1598480

Hello again, I have completed all the steps and got the file here.

Attachment: Fixlog.txt
Maurice Naggar Posted November 6, 2023 ID:1598497

Hello. Thanks for the log-report. The custom-run is good. The Windows System File Checker has made some corrections. Windows Resource Protection found corrupt files and successfully repaired them. This last run has completed what was originally intended. The custom fix run included getting 2 Windows services, BITS + DoSvc, to the normal standard. This should be a tremendous regaining of the ability to do Microsoft Windows Update.

Curious to know whether today there was a Block notice citing stratum-eurplant(.)xyz?

In any event, I am listing below several steps. I need you to do all of them.

( 1 ) Launch Malwarebytes. Next click the blue button marked Scan. When the scan phase is done, be real sure you review and have all detected line items check-marked on each line on the left. That too is very critical.
>>>>>> 👉 You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected). <<<<
💢 Please double verify you have that TOP check-box tick-marked, and that then all lines have a tick-mark.
Then click on the Quarantine button.
Then locate the scan run report, export out a copy, and attach it with your reply. See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

( 2 ) Temporarily disable Microsoft SmartScreen to download the next software below.
Download Farbar's Service Scanner utility and save it to your Desktop.
Right-click on fss.exe and select Run As Administrator. Answer Yes to ok when prompted. If your firewall then puts out a prompt, again, allow it to run.
Once FSS is on-screen, be sure the following items are check-marked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other services
Click on "Scan". It will create a log (FSS.txt) in the same directory the tool is run from. Please attach that file.

( 3 ) I would recommend getting a readout report as to the update status of some key apps.
Download SecurityCheck by glax24 from here and save the tool on the desktop.
If Windows's SmartScreen blocks that with a message window, then click on the MORE INFO spot and over-ride that and allow it to proceed. This tool is safe. SmartScreen is overly sensitive.
Right-click with your mouse on SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply. You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt
When all done, you may go back to turn ON the Edge SmartScreen protection.
Vladimireth (Author) Posted November 10, 2023 ID:1599039

Hello, I have completed the steps and have attached all the files.

Attachments: report.txt, FSS.txt, SecurityCheck.txt
Maurice Naggar Posted November 10, 2023 ID:1599117

Thank you. The Malwarebytes scan report is all excellent. The FSS report is normal and good.

Here are the applications that need your attention, as reported by SecurityCheck.

Malwarebytes version 4.6.5.293 v.4.6.5.293 Warning! Download Update
Notepad++ (64-bit x64) v.8.5.7 Warning! Download Update
NVIDIA GeForce Experience 3.27.0.112 v.3.27.0.112 Warning! Download Update
Discord v.1.0.9016 Warning! Download Update
Windscribe v.2.6.14 Warning! Download Update
Google Chrome v.119.0.6045.107 Warning! Download Update
Microsoft Edge v.119.0.2151.44
Wondershare Helper Compact 2.6.0 v.2.6.0 Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended. Possible you became a victim of fraud or social engineering.

Now then, I believe your system is good-to-go. Advise me: Has the Block notice(s) about "stratum-eurplant" gone away?
Maurice Naggar Posted November 16, 2023 ID:1600234

Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy: Tips to help protect from infection

Thank you
Maurice Naggar Posted November 28, 2023 ID:1602118

Topic has been reopened per request. You indicated to me that the Microsoft Defender antivirus is flagging a threat classified by MS as Trojan:Win32/Wacatc.B!ml. Re-opening this thread only for Vladimireth, and this is limited to that one threat. Thanks
Maurice Naggar Posted November 28, 2023 ID:1602119

Hello @Vladimireth
You indicated to me that the Microsoft Defender antivirus is flagging a threat classified by MS as Trojan:Win32/Wacatc.B!ml. The executable file it flags is in the user-level sub-folder c:\users\asus\appdata\python

I suggested that you first of all uninstall Python. Now then, since Python is likely not listed as an installed application, you can skip that part.
And second, get, save, & run the Microsoft Safety Scanner. Be sure you relay to me the report log c:\Windows\debug\msert.log

After that, do the following:
Open an elevated PowerShell window, i.e. run the PowerShell prompt as an administrator. On the Taskbar Search box, type in powershell.exe and click the line for "Run as administrator".
It is best to use the Windows copy (CTRL+C) and paste (CTRL+V) for the whole line, as-is. On that prompt window, copy & paste this command:

Remove-Item -Path "C:\Users\Asus\AppData\Roaming\Python" -force -recurse

Press the Enter key on the keyboard and watch & write down the result (if possible). Close the PowerShell window.

One other scan here. TrendMicro HouseCall scan from this Link.
First, download & save to your Downloads folder the appropriate HouseCallLauncher.
Once the download is complete, go to where the HouseCallLauncher is saved & double-click it to start it. The program will check with TrendMicro & do an update run.
Next it will show the Disclosure window. Click Next to proceed.
The end user license agreement is presented. Click the Accept radio button & click Next to proceed.
I suggest a CUSTOM scan on the C drive. If you wish a Full scan or a Custom scan, first click on the Settings; then you can select which drives you want to include in the scan. The default is a Quick scan.
Click Scan now when ready. The scan progress will then be displayed. Monitor the progress or just leave it alone until it finishes this phase.
When the scan phase has completed, if any items are tagged, you will see a list showing the file & its location, the classification of the threat, the type, risk, and Action option. If you see an item that you know is safe, you can click the Action and select Ignore.
When all done & ready, click the Fix now button. The "Summary" at the end at "Review Results" is what matters.
Providing that TrendMicro has dealt with any trojan or virus, or real threat, then we are done with the usage of TrendMicro HouseCall.
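The one-line Remove-Item above deletes the folder blind. What a practitioner would want around it is the evidence and the persistence check, for two reasons: %APPDATA%\Python is also where "pip install --user" places per-user packages and scripts, so the path alone does not prove the contents are malicious, and a file Defender keeps re-flagging is often re-dropped by a Run key or a scheduled task that will survive the deletion. The following is an added example, not part of the thread: it reads Defender's own detection record for that path, looks for Run-key or task references to it, inventories the files with hashes and signature status, and only then removes the folder and confirms it is gone. It assumes the path from the command above and runs from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell prompt.
# Assumption: the flagged folder is the one the thread's Remove-Item command names.
# Caveat: %APPDATA%\Python is also where "pip install --user" puts per-user packages,
# so the inventory in step 3 matters more than the path does.
$target = 'C:\Users\Asus\AppData\Roaming\Python'

# 1. Defender's own record: which detections name that path, and under which threat name
$hits = Get-MpThreatDetection | Where-Object { $_.Resources -like "*$target*" }
$hits | Select-Object InitialDetectionTime, ThreatID, ActionSuccess,
        @{ n = 'Resources'; e = { $_.Resources -join '; ' } } | Format-List
Get-MpThreat | Where-Object { $_.ThreatID -in @($hits.ThreatID) } |
    Select-Object ThreatID, ThreatName, SeverityID

# 2. Anything still pointing into the folder? Run keys (HKCU is the elevated user's hive)
#    and scheduled-task actions. A reference here means deleting the files is not enough.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -like "*$target*") {
            "Run-key reference: $key\$($p.Name) = $($p.Value)"
        }
    }
}
Get-ScheduledTask | ForEach-Object {
    $t = $_
    foreach ($a in $t.Actions) {
        if ("$($a.Execute) $($a.Arguments)" -like "*$target*") {
            "Task reference: $($t.TaskPath)$($t.TaskName) -> $($a.Execute) $($a.Arguments)"
        }
    }
}

# 3. Inventory (hash + signature) so the evidence survives, then remove, then confirm.
if (Test-Path -LiteralPath $target) {
    Get-ChildItem -LiteralPath $target -Recurse -File -Force | ForEach-Object {
        [pscustomobject]@{
            File   = $_.FullName
            Bytes  = $_.Length
            SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Signed = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
        }
    } | Format-Table -AutoSize
    Remove-Item -LiteralPath $target -Recurse -Force
    "Removed: $(-not (Test-Path -LiteralPath $target))"
} else {
    "$target is not present (Defender or an earlier step may already have removed it)"
}
```

If step 2 prints any reference, remove that Run value or unregister that task as well, otherwise the folder will be recreated on the next logon and Defender will flag it again. In this thread the later FRST search found no remaining appdata\roaming\python entries, which is the outcome the final "Removed: True" line and an empty step 2 correspond to.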
Vladimireth (Author) Posted December 2, 2023 ID:1602893

I have attached the msert.log. Strangely enough, as you mentioned, I do not recall downloading or having Python. I went to try and uninstall it but nothing showed up. I have installed HouseCall and did a scan and found no threats, along with 6 GB of junk files that it gave me the option to remove.

Attachment: msert.log
Maurice Naggar Posted December 3, 2023 ID:1602977

Get and SAVE the tool "FRST64" to either the Desktop or else to the Downloads folder.
Download & save a new copy of the tool FRST64.exe from this link https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Find & then start FRST64.
Type the following (better yet, use COPY then Paste) into the search box exactly as shown:

SearchAll: python

Then press the Search Files button.
Please wait while the program searches for all entries relating to this; when done, a Search.txt log will be saved to the desktop. Please attach this log to your next reply.
Vladimireth (Author) Posted December 8, 2023 ID:1603943

Attachment: Search.txt
Maurice Naggar Posted December 8, 2023 ID:1603951

I have reviewed the contents of the Search report. Most of the lines reported that contain "python related" elements are contained in "Wondershare Filmora". To what useful purpose does having "Wondershare Filmora" serve? Is creating videos a key use of this PC? Just wondering.

Now then, this search did not show a mention of appdata\roaming\python, such that we can say that that sub-folder is no longer present. And that we can close this particular hunt.

Question: Are you ready to wrap up this case? Is there some other outstanding issue?
Vladimireth (Author) Posted December 8, 2023 ID:1604049

Thank you. I can remove Filmora from my PC if it is necessary as a last step, since I don't really use it often anymore. Can I confirm that it is also safe to use apps such as Discord, etc., as you have mentioned?
Maurice Naggar Posted December 8, 2023 ID:1604051

It is up to you what to do about Filmora.
As to Discord, just make sure it is the very latest release. Be careful using Discord, since we have often read where other users fell into following "lured messages"..... messages that lead to exploits. 👌💢

Temporarily disable Microsoft SmartScreen to download the next software below.
Let's go ahead and do some clean-up work and remove the tools and logs we've run.
Please download KpRm by kernel-panik and save it to your desktop.
Right-click kprm_2-15.exe and select Run as Administrator.
Read and accept the disclaimer.
When the tool opens, ensure all boxes under Actions are checked.
Under Delete Quarantines select Delete Now, then click Run.
Once complete, click OK.
A log will open in Notepad titled kprm-(date).txt. You may attach that file to your next reply (not compulsory).

Your system is good-to-go. Sincerely.
Maurice Naggar Posted December 8, 2023 ID:1604052

Since this issue is resolved the topic will now be closed to prevent others from posting here. If you need assistance please start your own new topic and someone will be happy to assist you. Thanks