CLARITY Is Needed For Writing Script to Add to Farbar's Fixlog.txt

Bitcoin Miner Trojan Virus Removal Farbar Directive Script Help

  • This topic is locked

#1
tedrico

    New Member

  • Member
  • 7 posts

Was alerted by Malwarebytes Anti-Rootkit of the existence of a Bitcoin Miner Trojan in my Dell Inspiron N5050 Win10 64-bit Home v1909 OS laptop. Disconnected the Dell from the other 5 computers, 2 phones and PS3, as well as the WD Cloud, so as not to be on the network. USB ports blew 3 years ago. SD card reader blew last year. So I still ran Farbar, which I downloaded from Cloud before breaking shared access with the cloud. Can't figure out whether to search and destroy most of Farbar's output in FRST.txt within REGEDIT or try to use directives to form a script to populate Fixlog.txt with. Am in need of help.



#2
DR M

    The Grecian Geek

  • Malware Removal
  • 4,053 posts

Hi, tedrico.

 

Welcome to Geeks to Go Forums. :)

 

I will be assisting you with your computer's issues. I am still in training and my fixes have to be approved by my instructor, so there may be a slight delay in my replies. Look at it as a good thing though, since you will have two people looking at your problem.

Please, adhere to the guidelines below, and then carefully follow, with the same order, all the instructions after:

1. Always ask before you act! Do not continue if you are not sure, or if something unexpected happens!

2. Do not run any tools unless instructed to do so. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.

3. Please, copy all the content of the required logs and paste it inside your post. Do not attach any log or other file, unless directed otherwise.

 

4. If your computer seems to start working normally, please don't abandon the topic. Even if your system is behaving normally, there may still be some malware remnants left over. Additionally, malware can re-infect the computer if some remnants are left. Therefore, please complete all requested steps to make sure any malware is successfully eradicated from your PC.

5. Logs from malware diagnostic or removal programs can take some time to get analyzed. Also, have in mind that all the experts here are volunteers and may not be available to assist when you post. Please, be patient, while I analyze your logs. I will be with you, as far as I can.

 

========================================================

 

I am currently reviewing your logs and will be back to you as soon as I can.



#3
tedrico

    New Member

  • Topic Starter
  • Member
  • 7 posts

Hi, tedrico.

 

Welcome to Geeks to Go Forums. :)

 

I will be assisting you with your computer's issues. I am still in training and my fixes have to be approved by my instructor, so there may be a slight delay in my replies. Look at it as a good thing though, since you will have two people looking at your problem.

Please, adhere to the guidelines below, and then carefully follow, with the same order, all the instructions after:

1. Always ask before you act! Do not continue if you are not sure, or if something unexpected happens!

2. Do not run any tools unless instructed to do so. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.

3. Please, copy all the content of the required logs and paste it inside your post. Do not attach any log or other file, unless directed otherwise.

 

4. If your computer seems to start working normally, please don't abandon the topic. Even if your system is behaving normally, there may still be some malware remnants left over. Additionally, malware can re-infect the computer if some remnants are left. Therefore, please complete all requested steps to make sure any malware is successfully eradicated from your PC.

5. Logs from malware diagnostic or removal programs can take some time to get analyzed. Also, have in mind that all the experts here are volunteers and may not be available to assist when you post. Please, be patient, while I analyze your logs. I will be with you, as far as I can.

 

========================================================

 

I am currently reviewing your logs and will be back to you as soon as I can.

 

==================================================================================================================================

Thank you sir! :) I will let you instruct, Wise Sensei, and learn how to use this tool.



#4
tedrico

    New Member

  • Topic Starter
  • Member
  • 7 posts

Oops, you can tell I am rusty using forum chat platforms, LOL! Thank you sir! :) I will let you instruct, Wise Sensei, and learn how to use this tool.



#5
DR M

    The Grecian Geek

  • Malware Removal
  • 4,053 posts

Hi, tedrico.

I don't see any malware sign in the existing logs.

Was the warning from Malwarebytes you have already installed in your computer? If yes, can you please find the report and post it in your next reply?

To do so, open Malwarebytes, click on Scanner and then on the Report tab. Find the report with the trojan warning, double click on it and then click on Export. Choose Copy to clipboard. Finally, prepare your next reply, right click on an empty space and choose paste. The content of the report will be pasted there.


1. FRST fix

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

Start::
CreateRestorePoint:
CloseProcesses:
C:\ProgramData\EsgInstallerResumeAction_7e211bafacdb964f2938233e4756906d.exe
ExportKey: HKLM\SOFTWARE\Policies\Microsoft\MRT
Exportkey: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
Exportkey: HKLM\SOFTWARE\Policies\Mozilla\Firefox
Exportkey: HKLM\SOFTWARE\Policies\Google
CMD: type C:\Windows\system32\GroupPolicy\Machine\registry.pol
EmptyTemp:
End::
  • Please select the entire contents of the code box above, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
  • Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Post the log in your next reply.

 

2. Run Malwarebytes (Scan mode)

  • Open Malwarebytes you have already installed on your computer.
  • Click the little gear on the top right (Settings) and when it opens, click the Security tab and make sure about the following:
    Under the title Scan Options, all the options are checked.
    Under the title Windows Security Center (Premium only) is unchecked.
    Under the title Potentially unwanted items are set to Always.
  • Click on the little gear to return to the main menu and select Scan. The program will start scanning your computer. This may take about 10 minutes, but in some cases it may take longer.
  • When finished, you will see the Threat Scan Summary window open.
  • If threats are not found, click View Report and proceed to the two last steps below.
  • If threats are found, make sure that all threats are not selected, close the program and proceed to the next steps below.
  • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
  • Find the report with the most recent date and double click on it.
  • Click on Export and then Copy to Clipboard.
  • Paste its content here, in your next reply.

 

3. Run AdwCleaner

Download AdwCleaner and save it to your desktop.

  • Double click AdwCleaner.exe to run it.
  • Click Scan Now.
    • When the scan has finished, a Scan Results window will open.
    • Click Cancel (at this point do not attempt to Quarantine anything that is found)
  • Now click the Log Files tab.
    • Double click on the latest scan log (Scan logs have a [S0*] suffix, where * is replaced by a number. The latest scan will have the largest number)
    • A Notepad file will open containing the results of the scan.
    • Please post the contents of the file in your next reply.

 

In your next reply, please make sure to post:

  • The Fixlog.txt content
  • The MBAM report
  • AdwCleaner[S0*].txt


#6
tedrico

    New Member

  • Topic Starter
  • Member
  • 7 posts

I am at work .... will be off in 3 hours. No, I only had AVAST and Windows Defender on this machine. When I installed Malwarebytes Root Kit and ran it, that is when it told me I had a BitcoinMiner Trojan, and that is when I made the account here at Geeks to Go and posted this topic that you answered, sir. I patiently waited for your response as you instructed, but in the 36 hours that followed after your response .... it got UGLY. PowerShell started launching all over the screen and Admin CMD windows started launching and closing to the point where one cannot Move, Size, Maximize nor Minimize. I panicked and started running Malwarebytes Consumer Premium 14-day trial, Malwarebytes Root Kit, TSA Adware Removal Tool, AdwCleaner 8, Kaspersky TDSSKiller and Emsisoft Emergency Kit at the same time, and when the viruses started making my OneDrive files rename themselves from (whatever).(whatever extension) to random alphanumeric / punctuation characters.(whatever extension), I looked up all of the following scanner combined detection log items:

 


B] -- Fake Microsoft Sync Emulation Trojan Dropper virus called:
 
Trojan-Dropper:W32/esSync
 
C] -- PE32 GUI Executable Hack Tool Agent virus called:
 
ProxyEmu [amtemu.v0.9.1-painter.exe]
 
D] -- PE32 GUI Ransomware File Encrypter Dynamic Link Library virus called:
 
Trojan.Crypt.Heur
 
E] -- User Privilege Elevator and Windows Service Controller virus called:
 
IEETWcollector SVCHost
 
F] -- MS One Drive Emulator virus called: 
 
Win32/Floxif.H
 
G] -- BHO CryptoToken & Crypto Currency Wallet Browser Hijacker called:
 
Trojan-Downloader:W32/CryptoToken
 
 
Everything seemed to point to me losing my machine until I load Walmart Money Cards up and send payment and hope they relinquish control, all while they vampire-drain my Dell machine's CPU, disk and memory dry and profit from the DarkWeb and crypto currency world. Since the viruses had already unhidden my Recovery Partition and turned it into a Bulk Emailer for AliExpress remote CRON job ONLY partition .... I knew I had to do something quick, so I only knew 2 things to do:
 
[a] Launch an all out assault against my attackers with COMBOFIX
[b] Reset Win 10 Keeping Files
 
I chose [b] because I am sure you know COMBOFIX unleashed is like X-Men's Phoenix having to be calmed down and turned off by Professor Xavier, and the damage and outcome of using COMBOFIX is unpredictable; sometimes it beats the viruses but leaves you in a BSOD situation or worse.
 
This all occurred around 4am EST and then I fell asleep around 6AM and woke 3 hours ago. I ran both Malwarebytes and they detected 0 presence of viruses. However, Emsisoft has been running for 5 hours now, 16 viruses detected (1 in trash ... the rest in windows.old) and they are all akin to:
 

H] -- Web Traffic Redirector and Windows Applications Manipulator Trojan Virus called:
 
Trojan.Win32/EIHB Agent.B
 
I] -- Fake Amazon Customer Service Center Orders Dept. Call Center Dialer / Emailer Ransomware Trojan Virus called:
 
JS:Trojan:Cryxos.2657 Ransomware
 
 
 
Emsisoft is at 97% now and I am so tired of sitting here waiting for its 5-hour straight scan of files and archives and .CABs to end so I can delete Windows.old after I get my videos and client folder out of there via Bluetooth, since USB ports and SD card slot and CD are broken. But I will empty trash 1st. Once I've done all of that I should be fine ...... yes?
 
PLEASE ADVISE sir!!


#7
DR M

    The Grecian Geek

  • Malware Removal
  • 4,053 posts

I patiently waited for your response as you instructed, but in the 36 hours that followed after your response .... it got UGLY. PowerShell started launching all over the screen and Admin CMD windows started launching and closing to the point where one cannot Move, Size, Maximize nor Minimize. I panicked and started running Malwarebytes Consumer Premium 14-day trial, Malwarebytes Root Kit, TSA Adware Removal Tool, AdwCleaner 8, Kaspersky TDSSKiller and Emsisoft Emergency Kit at the same time

 

Hi, tedrico.

 

This is what I posted in my first post to you 35 hours earlier from now:

 

1. Always ask before you act! Do not continue if you are not sure, or if something unexpected happens!

 

2. Do not run any tools unless instructed to do so. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.

 

5. Logs from malware diagnostic or removal programs can take some time to get analyzed. Also, have in mind that all the experts here are volunteers and may not be available to assist when you post. Please, be patient, while I analyze your logs. I will be with you, as far as I can.

 

 

I remind you this again, otherwise I will stop providing any assistance to you. I understand how frustrating it can be, but things can be worse when you do not follow the instructions given.

 

Do you have the Emsisoft report? If yes, please post it in your  next reply.

 



#8
tedrico

    New Member

  • Topic Starter
  • Member
  • 7 posts

Emsisoft Emergency Kit - Version 2020.5
Last update: 11/28/2017 7:59:49 AM
My own DELLSPACE9\Tedricospage
 DELLSPACE9
 Windows 10x64 
 
Scan settings:
 
Scan type: Custom Scan
Objects: Rootkits, Memory, Traces, C:\
 
Detect PUPs: ON
Scan archives: ON
Scan mail archives: ON
ADS Scan: ON
Direct disk access: OFF
 
Scan start: 10/25/2020 7:17:16 PM
C:\$RECYCLE.BIN\S-1-5-21-2238509832-1734413598-1206191706-1001\$RD9CRJ7\msimg32.dll detected: Trojan.Agent.EIHB (B) [krnl.xmd]
C:\Users\Tedricospage\Documents\TPWEB\Downloads\FileZilla_3.28.0_win64-setup_bundled.exe -> (NSIS o) -> $PLUGINSDIR\Fusion.dll detected: Application.Bundler.FusionCore.AX (B) [krnl.xmd]
C:\Users\Tedricospage\Documents\Vuze Downloads\MAGIX VEGAS Pro 15.0.0.387 (x64) + Patch [CracksMind]\Patch.zip -> vegas.pro.15.0.0.x.[x64]-MPT.exe detected: Gen:Trojan.Heur.nuW@!VX@WPh (B) [krnl.xmd]
C:\Users\Tedricospage\Documents\Vuze Downloads\MAGIX VEGAS Pro 15.0.0.387 (x64) + Patch [CracksMind]\vegas.pro.15.0.0.x.[x64]-MPT.exe detected: Gen:Trojan.Heur.nuW@!VX@WPh (B) [krnl.xmd]
C:\Users\Tedricospage\Pictures\Teddy Crocker 2\Food\Jeff Adam Visual C FIx Project\Adobe Acrobat XI Pro 11.0.20 + Crack [Tech-Tools.ME]\Adobe Acrobat XI Pro 11.0.20 + Crack [Tech-Tools.ME]\Crack\amtemu.v0.9.1-painter.exe detected: Application.Hacktool.YM (B) [krnl.xmd]
C:\Windows.old\Users\Tedricospage\AppData\Local\Google\Chrome\User Data\Default.old\Extensions\aiimdkdngfcipjohbjenkahhlhccpdbc\31.2.4_0\js\background.js detected: Trojan.GenericKD.42934320 (B) [krnl.xmd]
C:\Windows.old\Users\Tedricospage\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Files\S0\1107\Attachments637374938691730000\Amazon Costumer Service #110799[5950].docx -> word/_rels/settings.xml.rels detected: Trojan.DOC.Agent.AEE (B) [krnl.xmd]
C:\Windows.old\Users\Tedricospage\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Files\S0\1107\Attachments637374938691730000\Amazon-Service-Center[5864].docx -> word/_rels/settings.xml.rels detected: Trojan.DOC.Agent.AEE (B) [krnl.xmd]
C:\Windows.old\Users\Tedricospage\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Files\S0\1107\Attachments637374938691730000\Amazon-Service-Center[5901].docx -> word/_rels/settings.xml.rels detected: Trojan.DOC.Agent.AEE (B) [krnl.xmd]
C:\Windows.old\Users\Tedricospage\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Files\S0\1107\Attachments637374938691730000\Orders Requirement[7745].htm -> (INFECTED_JS) detected: JS:Trojan.Cryxos.2657 (B) [krnl.xmd]
C:\Windows.old\Users\Tedricospage\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Files\S0\1107\Attachments637374938691730000\PAID-USD-093421-087[7697].html -> (JAVASCRIPT-COMPILATION) detected: Trojan.Agent.EIKK (B) [krnl.xmd]
C:\Windows.old\Users\Tedricospage\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Files\S0\1107\Attachments\Amazon Costumer Service #110799[10041].docx -> word/_rels/settings.xml.rels detected: Trojan.DOC.Agent.AEE (B) [krnl.xmd]
C:\Windows.old\Users\Tedricospage\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Files\S0\1107\Attachments\Amazon-Service-Center[9955].docx -> word/_rels/settings.xml.rels detected: Trojan.DOC.Agent.AEE (B) [krnl.xmd]
C:\Windows.old\Users\Tedricospage\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Files\S0\1107\Attachments\Amazon-Service-Center[9992].docx -> word/_rels/settings.xml.rels detected: Trojan.DOC.Agent.AEE (B) [krnl.xmd]
C:\Windows.old\Users\Tedricospage\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Files\S0\1107\Attachments\Orders Requirement[8722].htm -> (INFECTED_JS) detected: JS:Trojan.Cryxos.2657 (B) [krnl.xmd]
C:\Windows.old\Users\Tedricospage\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Files\S0\1107\Attachments\PAID-USD-093421-087[8769].html -> (JAVASCRIPT-COMPILATION) detected: Trojan.Agent.EIKK (B) [krnl.xmd]
 
Scanned 460111
Found 16
 
Scan end: 10/25/2020 10:40:57 PM
Scan time: 3:23:41
 
C:\Users\Tedricospage\Pictures\Teddy Crocker 2\Food\Jeff Adam Visual C FIx Project\Adobe Acrobat XI Pro 11.0.20 + Crack [Tech-Tools.ME]\Adobe Acrobat XI Pro 11.0.20 + Crack [Tech-Tools.ME]\Crack\amtemu.v0.9.1-painter.exe Application.Hacktool.YM (B)
C:\Users\Tedricospage\Documents\Vuze Downloads\MAGIX VEGAS Pro 15.0.0.387 (x64) + Patch [CracksMind]\vegas.pro.15.0.0.x.[x64]-MPT.exe Gen:Trojan.Heur.nuW@!VX@WPh (B)
C:\Users\Tedricospage\Documents\Vuze Downloads\MAGIX VEGAS Pro 15.0.0.387 (x64) + Patch [CracksMind]\Patch.zip Gen:Trojan.Heur.nuW@!VX@WPh (B)
C:\Users\Tedricospage\Documents\TPWEB\Downloads\FileZilla_3.28.0_win64-setup_bundled.exe Application.Bundler.FusionCore.AX (B)
C:\$RECYCLE.BIN\S-1-5-21-2238509832-1734413598-1206191706-1001\$RD9CRJ7\msimg32.dll Trojan.Agent.EIHB (B)
 
Deleted 5

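Every hit in the Emsisoft log above has the same shape: the scanned object (with `->` stages for archive members and unpacker output), the word `detected:`, the signature name, an engine letter in parentheses and the signature file in brackets. Grouping those hits by where the file lives (live profile, leftover Windows.old, Recycle Bin, cracked or bundled software) is what a helper does first when reading such a log. The script below is an added example, not Emsisoft's or the thread's own code; the sample lines are constructed in that layout with invented paths, and the bucket names and the `CRACK_WORDS` list are my own triage assumptions, not Emsisoft categories.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Emsisoft Emergency Kit scan-log layout
# (user, folder and file names are invented; only the line format is real).
SAMPLE_LOG = r"""
Scan start: 10/25/2020 7:17:16 PM
C:\$RECYCLE.BIN\S-1-5-21-1111111111-2222222222-3333333333-1001\$RD9CRJ7\msimg32.dll detected: Trojan.Agent.EIHB (B) [krnl.xmd]
C:\Users\alice\Downloads\FileZilla_setup_bundled.exe -> (NSIS o) -> $PLUGINSDIR\Fusion.dll detected: Application.Bundler.FusionCore.AX (B) [krnl.xmd]
C:\Users\alice\Documents\Torrents\Video Editor + Patch [CracksMind]\Patch.zip -> patch.exe detected: Gen:Trojan.Heur.nuW@!VX@WPh (B) [krnl.xmd]
C:\Users\alice\Pictures\Crack\amtemu.v0.9.1-painter.exe detected: Application.Hacktool.YM (B) [krnl.xmd]
C:\Windows.old\Users\alice\AppData\Local\Mail\Attachments\Amazon Costumer Service #1[5950].docx -> word/_rels/settings.xml.rels detected: Trojan.DOC.Agent.AEE (B) [krnl.xmd]
C:\Windows.old\Users\alice\AppData\Local\Mail\Attachments\Orders Requirement[7745].htm -> (INFECTED_JS) detected: JS:Trojan.Cryxos.2657 (B) [krnl.xmd]
C:\Users\alice\AppData\Roaming\svc\updater.exe detected: Trojan.GenericKD.12345678 (B) [krnl.xmd]
Scanned 460111
Found 7
"""

# object chain, "detected:", signature name, engine letter, optional signature file
DETECTION = re.compile(
    r"^(?P<obj>.+?) detected: (?P<name>\S+) \((?P<eng>[A-Z])\)(?: \[(?P<sig>[^\]]+)\])?\s*$"
)

# Assumed path markers for pirated software; a triage heuristic, not an Emsisoft rule.
CRACK_WORDS = ("crack", "patch", "keygen", "amtemu")

# Buckets in the order a helper would look at them (most urgent first); assumed names.
PRIORITY = ["live-location", "cracked-software", "bundled-installer",
            "previous-install", "recycle-bin"]


def parse_line(line):
    """Return a dict for one 'detected:' line, or None for header/summary lines."""
    m = DETECTION.match(line.strip())
    if not m:
        return None
    chain = [part.strip() for part in m.group("obj").split(" -> ")]
    return {
        "path": chain[0],      # the on-disk file Emsisoft actually opened
        "inner": chain[1:],    # archive members / unpacker stages, if any
        "name": m.group("name"),
        "engine": m.group("eng"),
    }


def classify(det):
    """Bucket a detection by where the file sits and what it is; order matters."""
    path = det["path"].lower()
    name = det["name"].lower()
    if path.startswith(r"c:\$recycle.bin"):
        return "recycle-bin"           # already deleted by the user, just empty the bin
    if path.startswith(r"c:\windows.old"):
        return "previous-install"      # left behind by the Windows reset, not running
    if "hacktool" in name or any(word in path for word in CRACK_WORDS):
        return "cracked-software"      # uninstall the pirated program, do not just clean it
    if "bundler" in name:
        return "bundled-installer"     # adware wrapper around a downloaded installer
    return "live-location"             # in the active profile or system path: look here first


def triage(text):
    """Parse a whole log and group its detections by bucket."""
    buckets = defaultdict(list)
    for line in text.splitlines():
        det = parse_line(line)
        if det:
            buckets[classify(det)].append(det)
    return dict(buckets)


if __name__ == "__main__":
    groups = triage(SAMPLE_LOG)
    for bucket in PRIORITY:
        for det in groups.get(bucket, []):
            inner = " -> ".join(det["inner"]) or "-"
            print(f"[{bucket:18}] {det['name']:38} {det['path']}  (inner: {inner})")
```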

#9
tedrico

    New Member

  • Topic Starter
  • Member
  • 7 posts

There is the Emsisoft report you asked about, and forgive me sir .... but the machine is ever changing ... so don't take too long ... because this will occur next and it's out of my hands.

 

Windows 10 Feature Update version 2004 in 16 min.

 

and

 

2020-10 Cumulative Update Preview for .NET Framework 3.5 and 4.8 for Windows 10 Version 1909 for x64 (KB4580980)



#10
DR M

    The Grecian Geek

  • Malware Removal
  • 4,053 posts

Hi, tedrico.
 
The Emsisoft log detected several items, mostly temporary files, bundled installers and cracked software. Using pirated/cracked software is an easy way to infect your computer, almost as easy as intentionally downloading malware. Therefore, no surprise your computer has problems now. Have in mind that after the Emsisoft deletions, some of your pirated programs may not work properly. I recommend you to uninstall all pirated/cracked programs before continuing.
 
After that, run Emsisoft Emergency Kit once more:
  • Run the tool as you did before. Allow updates if needed.
  • When update is complete, click Malware Scan. When asked if you want the scanner to scan for Potentially Unwanted Programs, click Yes. Emsisoft Emergency Kit will start scanning.
  • When the scan is completed click Quarantine selected objects. Note, this option is only available if malicious objects were detected during the scan.
  • When the threats have been quarantined, click the View report button in the lower-right corner, and the scan log will be opened in Notepad.
  • Please save the log in Notepad on your desktop and post the contents in your next reply.
  • When you close Emsisoft Emergency Kit, it will give you an option to sign up for a newsletter. This is optional, and is not necessary for the malware removal process.


#11
tedrico

    New Member

  • Topic Starter
  • Member
  • 7 posts

Windows update left me with only 4 things showing in Control Panel Programs and Features. Lost nearly 170 installs. You've been terrific ... sir, and I thank you. But the Microsoft Win 10 2004 update that I could not stop from occurring removed windows.old and flushed the Recycle Bin. And now there are no viruses reported in Kaspersky Security Cloud, TDSSKiller, all 3 Malwarebytes, Emsisoft and Spybot. You are the best, sir, and thanks for your voluntary efforts.



#12
DR M

    The Grecian Geek

  • Malware Removal
  • 4,053 posts

Hi.
 
I will remind you again, what I wrote in my first post to you:
 
4. If your computer seems to start working normally, please don't abandon the topic. Even if your system is behaving normally, there may still be some malware remnants left over. Additionally, malware can re-infect the computer if some remnants are left. Therefore, please complete all requested steps to make sure any malware is successfully eradicated from your PC.
 
So, having in mind that, please proceed with the new Emsisoft scan, as instructed here.
 
Then, provide fresh FRST logs:
  • Double-click on the FRST icon to run it, as you did before. When the tool opens click Yes to disclaimer.
  • Press Scan button and wait for a while.
  • The scanner will produce two logs on your Desktop: FRST.txt and Addition.txt.
  • Please copy and paste the content of these two logs in your next reply.


#13
DR M

    The Grecian Geek

  • Malware Removal
  • 4,053 posts

Hello, tedrico.

 

Do you still need assistance?



#14
iMacg3

    GeekU PowerPC G3

  • GeekU Moderator
  • 1,921 posts

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

