CLARITY Is Needed For Writing Script to Add to Farbar's Fixlog.txt

Tags: Bitcoin Miner Trojan, Virus Removal, Farbar Directive Script Help


#1
tedrico

    New Member

  • Member
  • 4 posts

Was alerted by Malwarebytes Anti-Root Kit of existence of Bitcoin Miner Trojan in my Dell Inspiron N5050 win10 64bit Home v1909 OS Laptop. Disconnected Dell from other 5 Computers,2 Phones and PS3, as well as, WD Cloud. so as not to be on the network. USB Ports blew 3 years ago. SD Card Reader blew last year. So I still ran Farbar that I downloaded from Cloud before breaking shared access with cloud. Can't figure out whether to search and destroy most of Farbar's Output in FIRST.txt within REGEDIT or try to use directives to form script to populate  Fixlog.txt with. Am in need of help.

Attached Files



#2
DR M

    GeekU Senior

  • 2,245 posts

Hi, tedrico.

 

Welcome to Geeks to Go Forums. :)

 

I will be assisting you with your computer's issues. I am still in training and my fixes have to be approved by my instructor, so there may be a slight delay in my replies. Look at it as a good thing though, since you will have two people looking at your problem.

Please adhere to the guidelines below, and then carefully follow, in the same order, all the instructions after:

1. Always ask before acting! Do not continue if you are not sure, or if something unexpected happens!

2. Do not run any tools unless instructed to do so. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.

3. Please, copy all the content of the required logs and paste it inside your post. Do not attach any log or other file, unless directed otherwise.

 

4. If your computer seems to start working normally, please don't abandon the topic. Even if your system is behaving normally, there may still be some malware remnants left over. Additionally, malware can re-infect the computer if some remnants are left. Therefore, please complete all requested steps to make sure any malware is successfully eradicated from your PC.

5. Logs from malware diagnostic or removal programs can take some time to get analyzed. Also, keep in mind that all the experts here are volunteers and may not be available to assist when you post. Please be patient while I analyze your logs. I will be with you as far as I can.

 

========================================================

 

I am currently reviewing your logs and will be back to you as soon as I can.



#3
tedrico

    New Member

  • Topic Starter
  • Member
  • 4 posts

Thank you sir! :) I will let you instruct, Wise Sensei, and learn how to use this tool.



#4
tedrico

    New Member

  • Topic Starter
  • Member
  • 4 posts

Ooops, you can tell I am rusty using forum chat platforms LOL! Thank you sir! :) I will let you instruct, Wise Sensei, and learn how to use this tool.



#5
DR M

    GeekU Senior

  • 2,245 posts

Hi, tedrico.

I don't see any malware sign in the existing logs.

Was the warning from the Malwarebytes you have already installed on your computer? If yes, can you please find the report and post it in your next reply?

To do so, open Malwarebytes, click on Scanner and then on the Report tab. Find the report with the trojan warning, double click on it and then click on Export. Choose Copy to clipboard. Finally, prepare your next reply, right click on an empty space and choose paste. The content of the report will be pasted there.


1. FRST fix

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

Start::
CreateRestorePoint:
CloseProcesses:
C:\ProgramData\EsgInstallerResumeAction_7e211bafacdb964f2938233e4756906d.exe
ExportKey: HKLM\SOFTWARE\Policies\Microsoft\MRT
ExportKey: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
ExportKey: HKLM\SOFTWARE\Policies\Mozilla\Firefox
ExportKey: HKLM\SOFTWARE\Policies\Google
CMD: type C:\Windows\system32\GroupPolicy\Machine\registry.pol
EmptyTemp:
End::
  • Please select the entire contents of the code box above, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
  • Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Post the log in your next reply.

 

2. Run Malwarebytes (Scan mode)

  • Open Malwarebytes you have already installed on your computer.
  • Click the little gear on the top right (Settings) and when it opens, click the Security tab and make sure about the following:
    Under the title Scan Options, all the options are checked.
    Under the title Windows Security Center (Premium only) is unchecked.
    Under the title Potentially unwanted items are set to Always.
  • Click on the little gear to return to the main menu and select Scan. The program will start scanning your computer. This may take about 10 minutes, but in some cases it may take longer.
  • When finished, you will see the Threat Scan Summary window open.
  • If threats are not found, click View Report and proceed to the two last steps below.
  • If threats are found, make sure that all threats are not selected, close the program and proceed to the next steps below.
  • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
  • Find the report with the most recent date and double click on it.
  • Click on Export and then Copy to Clipboard.
  • Paste its content here, in your next reply.

 

3. Run AdwCleaner

Download AdwCleaner and save it to your desktop.

  • Double click AdwCleaner.exe to run it.
  • Click Scan Now.
    • When the scan has finished, a Scan Results window will open.
    • Click Cancel (at this point do not attempt to Quarantine anything that is found)
  • Now click the Log Files tab.
    • Double click on the latest scan log (Scan logs have a [S0*] suffix, where * is replaced by a number. The latest scan will have the largest number)
    • A Notepad file will open containing the results of the scan.
    • Please post the contents of the file in your next reply.

 

In your next reply, please make sure to post:

  • The Fixlog.txt content
  • The MBAM report
  • AdwCleaner[S0*].txt

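The CMD: type line in the fix above dumps C:\Windows\system32\GroupPolicy\Machine\registry.pol, a binary "PReg" file that comes out as unreadable text in Fixlog.txt; the Policies keys it exports are where a Defender-off policy would live. As an added example (not part of this thread or of FRST), this Python parser decodes that format and flags the policy values that switch Windows Defender off. The sample blob is constructed inline, and the Defender value names are real Windows policy names, not values taken from this thread.

```python
import struct
REG_SZ, REG_DWORD = 1, 4  # registry value types seen in policy files

def _utf16z(blob, pos):
    """Null-terminated UTF-16LE string at pos -> (text, position after the terminator)."""
    end = pos
    while blob[end:end + 2] != b"\x00\x00":
        end += 2
    return blob[pos:end].decode("utf-16-le"), end + 2

def parse_registry_pol(blob):
    """Decode a PReg v1 registry.pol: records are [key;value;type;size;data], punctuation in UTF-16LE."""
    if blob[:4] != b"PReg" or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("not a version-1 PReg file")
    pos, entries = 8, []
    while pos < len(blob):
        key, pos = _utf16z(blob, pos + 2)                      # skip '['
        value, pos = _utf16z(blob, pos + 2)                    # skip ';'
        vtype = struct.unpack_from("<I", blob, pos + 2)[0]     # ';' then type DWORD
        size = struct.unpack_from("<I", blob, pos + 8)[0]      # ';' then size DWORD
        pos += 14                                              # ...then ';' before data
        raw, pos = blob[pos:pos + size], pos + size + 2        # data, then ']'
        if vtype == REG_DWORD and size == 4:
            data = struct.unpack("<I", raw)[0]
        elif vtype == REG_SZ:
            data = raw.decode("utf-16-le").rstrip("\x00")
        else:
            data = raw.hex()
        entries.append({"key": key, "value": value, "type": vtype, "data": data})
    return entries

DEFENDER_OFF_SWITCHES = {  # real Defender policy value names; the list itself is ours, not FRST's
    (r"software\policies\microsoft\windows defender", "disableantispyware"),
    (r"software\policies\microsoft\windows defender\real-time protection", "disablerealtimemonitoring"),
}

def defender_disabled_by_policy(entries):
    """Return the decoded entries that set a Defender kill switch to 1."""
    return [e for e in entries
            if (e["key"].lower(), e["value"].lower()) in DEFENDER_OFF_SWITCHES and e["data"] == 1]

def _entry(key, value, vtype, data):
    u, sep = (lambda s: s.encode("utf-16-le") + b"\x00\x00"), ";".encode("utf-16-le")
    return ("[".encode("utf-16-le") + u(key) + sep + u(value) + sep + struct.pack("<I", vtype)
            + sep + struct.pack("<I", len(data)) + sep + data + "]".encode("utf-16-le"))

# Constructed sample (built with _entry): one Defender kill switch plus an unrelated Firefox policy.
SAMPLE_POL = (b"PReg" + struct.pack("<I", 1)
              + _entry(r"Software\Policies\Microsoft\Windows Defender", "DisableAntiSpyware", REG_DWORD, struct.pack("<I", 1))
              + _entry(r"Software\Policies\Mozilla\Firefox", "DisableAppUpdate", REG_DWORD, struct.pack("<I", 0)))
```

To inspect a real machine's file, read registry.pol in binary mode and pass the bytes to parse_registry_pol; anything returned by defender_disabled_by_policy is a policy worth asking the helper about before the key is deleted.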

#6
tedrico

    New Member

  • Topic Starter
  • Member
  • 4 posts

I am at work .... will be off in 3 hours. No, I only had AVAST and Windows Defender on this machine. When I installed Malwarebytes Root Kit and ran it, that is when it told me I had a Bitcoinminer Trojan, and that is when I made the account here at Geekstogo and posted this topic that you answered, sir. I patiently waited for your response as you instructed, but in the 36 hours that followed after your response .... it got UGLY. PowerShell started launching all over the screen and Admin CMD windows started launching and closing to the point where one cannot Move, Size, Maximize nor Minimize. I panicked and started running Malwarebytes Consumer Premium 14 day trial, Malwarebytes Root Kit, TSA Adware Removal Tool, AdwCleaner 8, Kaspersky TDSSKiller and Emsisoft Emergency Kit at the same time, and when the viruses started making my OneDrive files rename themselves from (whatever).(whatever extension) to random alphanumeric / punctuation characters.(whatever extension), I looked up all of the following scanner combined detection log items:

B] -- Fake Microsoft Sync Emulation Trojan Dropper virus called:

Trojan-Dropper:W32/esSync

C] -- PE32 GUI Executable Hack Tool Agent virus called:

ProxyEmu [amtemu.v0.9.1-painter.exe]

D] -- PE32 GUI Ransomware File Encrypter Dynamic Link Library virus called:

Trojan.Crypt.Heur

E] -- User Privilege Elevator and Windows Service Controller virus called:

IEETWcollector SVCHost

F] -- MS One Drive Emulator virus called:

Win32/Floxif.H

G] -- BHO CryptoToken & Crypto Currency Wallet Browser Hijacker called:

Trojan-Downloader:W32/CryptoToken

Everything seemed to point to me losing my machine until I load Walmart Money Cards up and send payment and hope they relinquish control, all while they vampire-drain my Dell machine's CPU, disk and memory dry and profit from the DarkWeb and cryptocurrency world. Since the viruses had already unhidden my Recovery Partition and turned it into a bulk emailer for AliExpress remote CRON job ONLY partition .... I knew I had to do something quick, so I only knew 2 things to do:

[a] Launch an all out assault against my attackers with COMBOFIX
[b] Reset Win 10 keeping files

I chose [b] because I am sure you know COMBOFIX unleashed is like X-Men's Phoenix having to be calmed down and turned off by Professor Xavier, and the damage and outcome of using COMBOFIX is unpredictable; sometimes it beats the viruses but leaves you in a BSOD situation or worse.

This all occurred around 4am EST, and then I fell asleep around 6AM and woke 3 hours ago. I ran both Malwarebytes and they detected 0 presence of viruses. However, Emsisoft has been running for 5 hours now, 16 viruses detected (1 in trash ... the rest in windows.old) and they are all akin to:

H] -- Web Traffic Redirector and Windows Applications Manipulator Trojan Virus called:

Trojan.Win32/EIHB Agent.B

I] -- Fake Amazon Customer Service Center Orders Dept. Call Center Dialer / Emailer Ransomware Trojan Virus called:

JS:Trojan:Cryxos.2657 Ransomware

Emsisoft is at 97% now and I am so tired of sitting here waiting for its 5-hour straight scan of files and archives and .CABs to end so I can delete Windows.old after I get my videos and client folder out of there via Bluetooth, since the USB ports and SD card slot and CD are broken. But I will empty trash 1st. Once I've done all of that I should be fine ...... yes?

PLEASE ADVISE sir!!






