
virus removal coinminer .aaztrojan high cpu usage

This topic is locked
8 replies to this topic

#1 devarchana (New Member, 4 posts)

Posted 02 July 2020 - 07:58 AM

My system is getting high CPU usage, reaching 100%. When I check the Task Manager, a process named winloder.exe is using 97% of the CPU.
I opened the file location and it's in the Public folder. I stopped the process and then everything went back to normal.
There are so many folders which are generated automatically in the Public folder, along with two text files.

I am using ESET Endpoint File Security, which identified a trojan as a variant of CoinMiner/64.AAZ, first found in wsscript.exe.

But the thing is, it has not stopped the system from high CPU usage. Every time I have to go to Task Manager and close the process.

I also deleted the folders and the files which were created automatically in the Public folder, but they come back after some time.
Please find the logs I created with FRST, and please help me to sort this out.

Attached Files




#2 Juliet (SuperHelper, MVP, Retired Classroom Teacher, 7,501 posts)

Posted 02 July 2020 - 05:06 PM

You've run many tools; I would like to see the log reports on:

Rogue Killer - search for RKreport.txt

NEXT
Open AdwCleaner, View Log File; please attach the content of the log to your next reply

NEXT
Malwarebytes Anti-Malware, click on the Reports tab
  • double-click on the most recent Scan Report
  • click on Export, then Copy to Clipboard and post in your next reply
~~~~~

Start Farbar Recovery Scan Tool with Administrator privileges
(Right click on the FRST icon and select Run as administrator)

Highlight the text below and select Copy,
beginning with Start:: and finishing with End::
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Highlight the entire content of the quote box below and select Copy.


Start::
CloseProcesses:
CreateRestorePoint:
GroupPolicy: Restriction ? <==== ATTENTION
S1 epp; \??\C:\EEK\bin64\epp.sys [X]
EmptyTemp:
C:\Windows\Temp\*.*
End::




Start FRST (FRST64) with Administrator privileges
Press the Fix button. FRST will process the lines copied above from the clipboard.
When finished, a log file Fixlog.txt will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sometimes the angels fly close enough to you that you can hear the flutter of their wings...


MS - MVP Consumer Security 2009 - 2016, WI-MVP 2016-17
Antivirus Scanners Online Scanners Firewalls Slow Computer??

#3 devarchana (New Member, 4 posts)

Posted 03 July 2020 - 03:27 AM

Attached File  Fixlog.txt   2KB   18 downloads

Thank you for your reply.

Yes, I have scanned with AdwCleaner and RogueKiller on my system; you can check the reports that I attached.

Please check the attached log file of ESET Security and the Task Manager image along with this; you can also see the folders and files auto-generated in the Public folder.

The two files along with winloder.exe: you can see a file named "dad" and "ghjjjkkjkj" in the attachment. I tried deleting the files, but it says that the file is open in winloder.exe, so I end that process and then I deleted those files, but after some time this repeats.

I have attached the fixlog from FRST.

Attached Files



#4 Juliet (SuperHelper, MVP, Retired Classroom Teacher, 7,501 posts)

Posted 03 July 2020 - 05:43 AM

Is this a company computer?
Is this computer connected to a server?
Did you install any software recently?

~~

Please go to one of the below sites to scan the following files:
Virus Total (Recommended)
jotti.org
VirScan


Open your Eset scan, from there pick a file to have scanned,
click on Browse, and upload the following file for analysis:

Then click Submit. Allow the file to be scanned, and then please copy and paste the results link (for Virus Total) here for me to see.
If it says already scanned -- click "reanalyze now"
Please post the results in your next reply.
 
****

You will probably have to temporarily disable your antivirus security to download and run the below scanner.



Follow the instructions in the thread below. Make sure to download the MBAR version linked in it. Let me know if you're not able to launch it and run a scan.

https://forums.malwa...t-malwarebytes/

If you manage to run a scan, delete everything it finds, and then copy/paste the content of the mbar-log-DATE-(TIME).txt log that is located in the MBAR folder here after.

******

Emsisoft Emergency Kit - Fix Mode
Follow the instructions below to run a scan using the Emsisoft Emergency Kit.

  • Download the Emsisoft Emergency Kit and execute it. From there, click on the Install button to extract the program in the EEK folder;
  • Once the extraction is complete, the EEK folder will open. Right-click on start emergency kit scanner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • EEK will suggest that you run an online update before using the program. Click on Yes to launch it.
  • After the update, click on Malware Scan under 2. Scan and accept to let EEK detect PUPs (click on Yes).
  • Once the scan is complete, make sure that every item in the list is checked, and click on the Quarantine selected button;
  • If it asks you for a reboot to delete some items, click on Ok to reboot automatically;
  • After the restart, open EEK again (in the C:\EEK folder);
  • This time, click on Logs;
  • From there, go under the Quarantine Log tab, and click on the Export button;
  • Save the log on your desktop, then open it, and copy/paste its content in your next reply;
    Please post the log when finished. Is the computer running any better?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Zemana AntiMalware
Download it from here:

  • Double-click on the file named "Zemana.AntiMalware.Setup.exe" to start the installation of Zemana AntiMalware. In most cases, downloaded files are saved to the Downloads folder.
  • You may be presented with a User Account Control dialog asking you if you want to run this file. If this happens, you should click "Yes" to continue with the installation.
  • Click on the "Next" button to install Zemana AntiMalware on your PC. Follow the on-screen prompts to complete the install process.
  • When you reach the "Select Additional Tasks" screen, you need to opt out of the "Enable Real Time Protection" option, then click on the "Next" button.
  • When Zemana AntiMalware starts, click on the "Scan" button to perform a system scan.
  • Zemana AntiMalware will now scan your PC for malicious files. This process can take a few minutes.
  • When Zemana AntiMalware has finished, it will display a list of all the malware that the program found. Click on the "Next" button to remove the malicious files from your computer.
  • Note: If a restart is required to finish the cleaning process, you should click Reboot. If a reboot isn't required, please restart your computer manually.
  • Open Zemana AntiMalware again and locate the latest report;
  • please paste the contents into your reply.

Can you please copy and paste these logs when finished.
I know it looks like a lot to do, and deep down I'm thinking they might come back clear like the ones we've run previously, but we'll check anyway.


#5 devarchana (New Member, 4 posts)

Posted 03 July 2020 - 07:27 AM

This is about the server I am talking about: it's running Windows Server 2008 R2.

Please see the URLs below for the files scanned in Jotti and VirusTotal:

https://virusscan.jo...njob/yst844dzj8

https://virusscan.jo...njob/s1idmsir1m

https://www.virustot...772ff/detection

https://www.virustot...3b900/detection

Also find the attached reports as told above.

Attached Files



#6 Juliet (SuperHelper, MVP, Retired Classroom Teacher, 7,501 posts)

Posted 03 July 2020 - 08:12 AM

Research shows me that everything we've tried has said it removes it. It would linger on because the app or download remains or, if connected to a server, it's coming in from another computer that's also connected to the same.

I did find:
On January 14, 2020, Microsoft will end all support for Windows Server 2008 R2.
That means you're vulnerable without Microsoft updates.

It can come in through software that is distributed bundled together with other components or programs.

~~~

Please perform a scan with the free version of Dr.Web and let me know the outcome.


 



#7 devarchana (New Member, 4 posts)

Posted 06 July 2020 - 12:36 AM

Sorry for the late reply.

I did the Dr.Web scan; it didn't find anything in the initial scan. Then I did a selected scan and mapped the C:\Users\Public folder where the folders are generated automatically, and it found those files as a trojan BTC miner.

I have attached the report of that. It showed the virus has been neutralized, but it's not: after some time the same file came back in the same folder.
Please help me out with this.

C:\Users\Public\desktop.ini - Ok - 2ms, 174 bytes
C:\Users\Public\ghjjjkkjkj - Ok - 0ms, 0 bytes
>C:\Users\Public\dad.txt - packed by XOREXE
C:\Users\MSSQLSERVER\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\64b1[8].cab - Ok - 606ms, 1212519 bytes
C:\Users\Public\20207517556\dwmer.exe - Ok - 25ms, 34304 bytes
>C:\Users\Public\20207517556\x.txt - packed by XOREXE
C:\Users\MSSQLSERVER\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\64b1[9].cab - Ok - 547ms, 1212519 bytes
C:\Users\Public\winloder.exe - Ok - 181ms, 473600 bytes
C:\Users\Public\20207521533\dwmer.exe - Ok - 31ms, 34304 bytes
C:\Users\Public\20207522545\dwmer.exe - Ok - 32ms, 34304 bytes
>C:\Users\Public\20207521533\x.txt - packed by XOREXE
>C:\Users\Public\20207522545\x.txt - packed by XOREXE
C:\Users\Public\20207517556\x.txt - infected with Trojan.BtcMine.3442
C:\Users\Public\20207517556\x.txt - infected - 467ms, 2539008 bytes
C:\Users\Public\20207523557\dwmer.exe - Ok - 34ms, 34304 bytes
>C:\Users\Public\20207523557\x.txt - packed by XOREXE
C:\Users\Public\20207522545\x.txt - infected with Trojan.BtcMine.3442
C:\Users\Public\20207521533\x.txt - infected with Trojan.BtcMine.3442
C:\Users\Public\20207522545\x.txt - infected - 428ms, 2539008 bytes
C:\Users\Public\20207521533\x.txt - infected - 491ms, 2539008 bytes
>C:\Users\Public\202076169\x.txt - packed by XOREXE
C:\Users\Public\202076169\dwmer.exe - Ok - 34ms, 34304 bytes
C:\Users\Public\dad.txt - infected with Trojan.BtcMine.3442
C:\Users\Public\dad.txt - infected - 793ms, 2539008 bytes
C:\Users\Public\2020762621\dwmer.exe - Ok - 35ms, 34304 bytes
C:\Users\Public\2020765658\dwmer.exe - Ok - 40ms, 34304 bytes
>C:\Users\Public\2020765658\x.txt - packed by XOREXE
>C:\Users\Public\2020762621\x.txt - packed by XOREXE
C:\Users\Public\20207523557\x.txt - infected with Trojan.BtcMine.3442
C:\Users\Public\20207523557\x.txt - infected - 428ms, 2539008 bytes
C:\Users\Public\2020767610\dwmer.exe - Ok - 35ms, 34304 bytes
>C:\Users\Public\2020767610\x.txt - packed by XOREXE
C:\Users\Public\202076169\x.txt - infected with Trojan.BtcMine.3442
C:\Users\Public\2020765658\x.txt - infected with Trojan.BtcMine.3442
C:\Users\Public\202076169\x.txt - infected - 470ms, 2539008 bytes
C:\Users\Public\2020765658\x.txt - infected - 385ms, 2539008 bytes
C:\Users\Public\2020768622\dwmer.exe - Ok - 31ms, 34304 bytes
>C:\Users\Public\2020768622\64b1.cab is CAB archive
C:\Users\Public\2020768622\64b1.cab - Ok
C:\Users\Public\2020768622\64b1.cab - archive - 65ms, 884722 bytes
C:\Users\Public\Desktop\desktop.ini - Ok - 2ms, 174 bytes
>C:\Users\Public\2020768622\x.txt - packed by XOREXE
C:\Users\Public\2020767610\x.txt - infected with Trojan.BtcMine.3442
C:\Users\Public\2020767610\x.txt - infected - 388ms, 2539008 bytes
C:\Users\Public\2020768622\x.txt - infected with Trojan.BtcMine.3442
C:\Users\Public\2020768622\x.txt - infected - 395ms, 2539008 bytes
C:\Users\Public\2020762621\x.txt - infected with Trojan.BtcMine.3442
C:\Users\Public\2020762621\x.txt - infected - 933ms, 2539008 bytes

#8 Juliet (SuperHelper, MVP, Retired Classroom Teacher, 7,501 posts)

Posted 06 July 2020 - 05:52 AM

Everything I tend to find about this infection points to an info/password stealer.
Do not use or do anything on this computer that would use or connect to anything sensitive, as in banking and other related tasks. Also, it can connect to other computers through servers connected to this one.
If you run the risk of losing material and/or delicate information, the best solution from here, if we can't locate the infection, would be to have this computer reformatted. Honestly, that's the best and safest thing to do.

We can remove those items found and run another tool in an attempt to locate where this is hidden, but I don't think we can find it, due to the design of the trojan.

All that was found to be infected was located in the C:\Users\Public folder.
I'm finding articles that say this can be deleted and other articles saying it's not a good idea, so I'm not sure what the best solution is for that.

Let's try a couple of things.

Start Farbar Recovery Scan Tool with Administrator privileges
(Right click on the FRST icon and select Run as administrator)

Highlight the text below and select Copy,
beginning with Start:: and finishing with End::
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Highlight the entire content of the quote box below and select Copy.

 

Start::
CloseProcesses:
CreateRestorePoint:
C:\Users\Public\ghjjjkkjkj
C:\Users\Public\dad.txt
C:\Users\MSSQLSERVER\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\64b1[8].cab
C:\Users\Public\20207517556\x.txt
C:\Users\MSSQLSERVER\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\64b1[9].cab
C:\Users\Public\20207521533\x.txt
C:\Users\Public\20207522545\x.txt
C:\Users\Public\20207517556\x.txt
C:\Users\Public\20207517556\x.txt
C:\Users\Public\20207523557\x.txt
C:\Users\Public\20207522545\x.txt
C:\Users\Public\20207521533\x.txt
C:\Users\Public\20207522545\x.txt
C:\Users\Public\20207521533\x.txt
C:\Users\Public\202076169\x.txt
C:\Users\Public\dad.txt
C:\Users\Public\dad.txt
C:\Users\Public\2020765658\x.txt
C:\Users\Public\2020762621\x.txt
C:\Users\Public\20207523557\x.txt
C:\Users\Public\20207523557\x.txt
C:\Users\Public\2020767610\x.txt
C:\Users\Public\202076169\x.txt
C:\Users\Public\2020765658\x.txt
C:\Users\Public\202076169\x.txt
C:\Users\Public\2020768622\x.txt
C:\Users\Public\2020767610\x.txt
C:\Users\Public\2020767610\x.txt
C:\Users\Public\2020768622\x.txt
C:\Users\Public\2020768622\x.txt
C:\Users\Public\2020762621\x.txt
C:\Users\Public\2020762621\x.txt
C:\Windows\Temp\*.*
EmptyTemp:

End::

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Start FRST (FRST64) with Administrator privileges
Press the Fix button. FRST will process the lines copied above from the clipboard.
When finished, a log file Fixlog.txt will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Download the latest version of TDSSKiller from http://www.bleepingc...dsskiller/dl/4/
  • Doubleclick on TDSSKiller.exe to run the application
  • Then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects , then click OK.
  • Click the Start Scan button.

  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Get the report by selecting Reports
  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • Please copy and paste its contents on your next reply.
Please post these logs when finished.
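The fixlist above was assembled by hand from the Dr.Web report in the previous post, which is why several paths appear two or three times (Dr.Web prints each infected file once with the detection name and once with the scan timing). The following is an added example, not code from the thread or from any of the tools it uses, that does the same bookkeeping mechanically: it parses lines in the Dr.Web report format shown in post #7, deduplicates the infected paths, spots the all-digit folders under C:\Users\Public that each hold a dwmer.exe next to an x.txt (the pattern visible in the report), and emits a fixlist in the Start::/End:: form used in this thread. The sample log is a constructed excerpt in that format, and the rule that a numbered folder with both files counts as a dropper folder is an assumption drawn from the posted report, not something Dr.Web or FRST report themselves.

```python
import ntpath
import re
from collections import OrderedDict, defaultdict

# Constructed sample in the Dr.Web report format posted in the thread
# (a short excerpt, not the full log).
SAMPLE_LOG = """\
C:\\Users\\Public\\desktop.ini - Ok - 2ms, 174 bytes
C:\\Users\\Public\\ghjjjkkjkj - Ok - 0ms, 0 bytes
>C:\\Users\\Public\\dad.txt - packed by XOREXE
C:\\Users\\Public\\20207517556\\dwmer.exe - Ok - 25ms, 34304 bytes
>C:\\Users\\Public\\20207517556\\x.txt - packed by XOREXE
C:\\Users\\Public\\20207517556\\x.txt - infected with Trojan.BtcMine.3442
C:\\Users\\Public\\20207517556\\x.txt - infected - 467ms, 2539008 bytes
C:\\Users\\Public\\dad.txt - infected with Trojan.BtcMine.3442
C:\\Users\\Public\\dad.txt - infected - 793ms, 2539008 bytes
C:\\Users\\Public\\20207521533\\dwmer.exe - Ok - 31ms, 34304 bytes
>C:\\Users\\Public\\20207521533\\x.txt - packed by XOREXE
C:\\Users\\Public\\20207521533\\x.txt - infected with Trojan.BtcMine.3442
"""

# One report line: optional '>' (Dr.Web's packer/archive sub-record marker),
# a drive-letter path, ' - ', then the verdict text.
LINE_RE = re.compile(r"^>?(?P<path>[A-Za-z]:\\.*?) - (?P<verdict>.+)$")


def parse_drweb_log(text):
    """Return (path, verdict) pairs; verdict is everything after the first ' - '."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            records.append((m.group("path"), m.group("verdict")))
    return records


def infected_paths(text):
    """Unique paths with an 'infected' verdict, in first-seen order.
    Dr.Web reports each detection twice, so the hand-made list had duplicates."""
    seen = OrderedDict()
    for path, verdict in parse_drweb_log(text):
        if verdict.startswith("infected"):
            seen.setdefault(path, verdict)
    return list(seen)


def packed_not_flagged(text):
    """Paths Dr.Web noted as packed but never flagged: a packer note on a .txt
    file is odd on its own, so these deserve a manual look."""
    records = parse_drweb_log(text)
    infected = {p for p, v in records if v.startswith("infected")}
    packed = OrderedDict((p, None) for p, v in records if v.startswith("packed by"))
    return [p for p in packed if p not in infected]


def numbered_dropper_dirs(text, root="C:\\Users\\Public"):
    """Assumed pattern from the posted report: folders directly under `root`
    whose name is all digits and which contain both dwmer.exe and x.txt."""
    members = defaultdict(set)
    for path, _ in parse_drweb_log(text):
        parent = ntpath.dirname(path)
        if ntpath.dirname(parent).lower() == root.lower() and ntpath.basename(parent).isdigit():
            members[parent].add(ntpath.basename(path).lower())
    return sorted(d for d, names in members.items() if {"dwmer.exe", "x.txt"} <= names)


def build_frst_fixlist(text):
    """FRST fixlist in the Start::/End:: form used in the thread: infected files,
    then the whole numbered folders so the dwmer.exe beside each x.txt goes too."""
    lines = ["Start::", "CloseProcesses:", "CreateRestorePoint:"]
    lines += infected_paths(text)
    lines += numbered_dropper_dirs(text)
    lines += ["EmptyTemp:", "End::"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_frst_fixlist(SAMPLE_LOG))
    print("packed but not flagged:", packed_not_flagged(SAMPLE_LOG))
```

Listing the numbered folders rather than only the x.txt inside them is the point of the helper: the scan flags the packed payload, but the loader beside it (dwmer.exe, reported "Ok") is what recreates the payload, which matches the recurrence described in the thread.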

#9 Juliet (SuperHelper, MVP, Retired Classroom Teacher, 7,501 posts)

Posted 13 July 2020 - 05:09 AM

Glad we could help.
Since this issue appears resolved ... this Topic is closed.

