Help with Miner.Bitcoinminer Activity [Solved]



#1
weisation

    Member

  • Member
  • 13 posts

I am constantly getting Norton warnings about a bitcoin miner virus for the past 2 days and I have already run Malwarebytes and Norton antivirus scans many times, but I am unable to find anything. I am a complete noob who has downloaded Farbar and run a scan to create some log files, but I am afraid to continue as I have read that many people have destroyed their computers using the tool without knowing how to use it properly. Please help!

Attached Files


  • 0



#2
DR M

    The Grecian Geek

  • Malware Removal
  • 4,096 posts

Hi, weisation.

Welcome to GTF Forums.

I will be assisting you regarding your computer's issues. Here, we will check your computer for malware.

Please adhere to the guidelines below, and then carefully follow all the instructions after them, in the same order:

1. Always ask before acting. Do not continue if you are not sure, or if something unexpected happens!

2. Do not run any tools unless instructed to do so. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.

3. If your computer seems to start working normally, don't abandon the topic. Even if your system is behaving normally, there may still be some malware remnants left over. Additionally, malware can re-infect the computer if some remnants are left. Therefore, please complete all requested steps to make sure any malware is successfully eradicated from your PC.

4. You have to reply to my posts within 3 days. If you need some additional time, just let me know. Otherwise, I will leave the topic due to lack of feedback. If you are able, I would request you to check this thread at least once per day so that we can resolve your issues effectively and efficiently.

5. Logs from malware diagnostic or removal programs can take some time to get analyzed. Also, keep in mind that all the experts here are volunteers and may not be available to assist when you post. Please be patient while I analyze your logs.

 

 

=================================

 

I am currently reviewing your logs and will be back to you as soon as I am ready. :)


  • 0

#3
weisation

    Member

  • Topic Starter
  • Member
  • 13 posts

Thanks for the fast reply!


  • 1

#4
DR M

    The Grecian Geek

  • Malware Removal
  • 4,096 posts

Thanks for the fast reply!

 
You are very welcome.

 

A quick question first: Does this computer belong to a company? If yes, the company's IT Department should take care of its issues.


  • 0

#5
weisation

    Member

  • Topic Starter
  • Member
  • 13 posts

No it is my personal laptop


  • 0

#6
DR M

    The Grecian Geek

  • Malware Removal
  • 4,096 posts

No it is my personal laptop

 

Thanks. I will be back. :)


  • 0

#7
DR M

    The Grecian Geek

  • Malware Removal
  • 4,096 posts

Hi, weisation.

 

I have reviewed the logs, and there are many things to comment.

 

The most important is that there is evidence of potentially illegal software on your computer. Keep in mind that using pirated/cracked software is an easy way to infect your computer. Almost as easy as intentionally downloading malware.

 

I am going to request you completely uninstall all products for which you do not have a valid Product Key, including all "cracked" software and methods which bypass activation. 

 
If you are willing to do that, let me know, so I can give you a complete set of instructions to clean the system.
 
If you prefer to leave the programs on your computer let me know that and I will be closing the Topic.

  • 0

#8
weisation

    Member

  • Topic Starter
  • Member
  • 13 posts

Yes I am willing to do that. Do I need to delete them manually or will the tools remove them for me?


Edited by weisation, 09 January 2022 - 05:34 AM.

  • 0

#9
DR M

    The Grecian Geek

  • Malware Removal
  • 4,096 posts

No, you can do that manually.
 
Since you decided to do so, please also uninstall the following:
 
1. Outdated Java
 
There are very few reasons these days to continue having Java installed on your computer. However, if you do elect to keep Java, it needs to be updated to the latest version. If you need Java, install the latest version at the end of the cleaning procedure. 
 
2. Web Companion
 
It is supposed to be a legitimate program, but it may also have been bundled with third-party software, and it has to be uninstalled if you didn't install it intentionally.
 
3. Questionable program
 
What is this? 孕ませオナホ退魔剣士学園 
 
4. P2P program

You have qBitTorrent installed on your computer. This is a P2P program. P2P programs form a direct conduit onto a computer. They have always been a target of malware writers and are increasingly so of late. P2P security measures are easily circumvented, and if your P2P program is not configured correctly, you may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program. If you don't uninstall it, your computer will probably get infected again as soon as you use it again. But it is your computer and of course your decision.

  • If you decide to keep it, DON'T use it during the cleaning procedure.
  • If you decide to uninstall it, uninstall it along with the unwanted programs.

 

5. Norton

 

You talked about a cryptominer in your initial post. You may read this article about Norton and perhaps consider uninstalling it. If you have concerns about your security, I can assure you that the built-in Windows 10 antivirus, Windows Defender, is good enough to protect you, assuming that you follow the safe computing rules.

 

If you decide to uninstall Norton: Uninstall your Norton device security product on Windows

 

=================================

 

To uninstall programs 1-4:

  • Press the Windows Key + R.
  • Type appwiz.cpl in the Run box and click OK.
  • The Add/Remove Programs list will open. Locate the following programs on the list:
Java 8 Update 271 
Java SE Development Kit 8 Update 261 
Web Companion 
孕ませオナホ退魔剣士学園 
qBittorrent 4.4.0 *
  • Select the above programs, one by one, and click Uninstall.
  • Restart the computer.

 

After uninstalling the programs, please attach fresh FRST logs (Addition and FRST) for me to review.

 

 

In your next reply please post:

  1. Which programs did you uninstall
  2. Fresh FRST logs, Addition and FRST

  • 0

#10
weisation

    Member

  • Topic Starter
  • Member
  • 13 posts

Web Companion
孕ませオナホ退魔剣士学園
qBittorrent 4.4.0 *

 

These are the programs that I have uninstalled. I still need that old version of java for school projects that my lecturer tells us to use for some reason.

For some reason, the 孕ませオナホ退魔剣士学園 program says that it has already been uninstalled when I clicked on it, and only asked if I would like to remove it from the program list.

Attached Files


  • 0



#11
DR M

    The Grecian Geek

  • Malware Removal
  • 4,096 posts

What about Adobe Photoshop and Windscribe? The fixes we will use next will remove the method used for bypassing these programs' activation. 

 

There is no sense in keeping the old Java when the latest version would also work. Keep in mind that Adobe's Reader and Flash and all versions of Java are together responsible for a total of 66 percent of the vulnerabilities in Windows systems exploited by malware. Therefore, it is important to keep them updated. In other words, it's a security risk to keep the old version.

 

As for the Chinese program, yes, remove it from the list if you have the opportunity. 


  • 0

#12
weisation

    Member

  • Topic Starter
  • Member
  • 13 posts

Alright I have removed Photoshop, Windscribe, and both javas and attached my latest logs.

Attached Files


  • 0

#13
DR M

    The Grecian Geek

  • Malware Removal
  • 4,096 posts

Thanks. Good job.  :thumbsup:

 

I'll be back to you in a couple of hours. 


  • 0

#14
DR M

    The Grecian Geek

  • Malware Removal
  • 4,096 posts

My comments/next instructions regarding your logs:
 
 
1. Chrome Remote Desktop Host
 
Did you intentionally install it? If not, please uninstall it.
 
In that case, also uninstall the two related Chrome extensions: Chrome Remote Desktop

  • Open Chrome.
  • At the top right choose More (the three vertical dots) > More Tools > Extensions.
  • Find Chrome Remote Desktop and remove it by clicking Remove.
  • Confirm the action by clicking Remove once again.

 

2. FRST fix

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Please select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Start::
CreateRestorePoint:
CloseProcesses:
Shortcut: C:\Users\seezo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MinGW-W64 project\x86_64-8.1.0-posix-seh-rt_v6-rev0\Run terminal.lnk -> C:\Program Files\mingw-w64\mingw-w64.bat ()
AlternateDataStreams: C:\Users\seezo\Application Data:28e6fcdf43004128d29f013a87360b4a [394]
AlternateDataStreams: C:\Users\seezo\Application Data:374c9b336db4fa9522b72c58dcd0c3f9 [394]
AlternateDataStreams: C:\Users\seezo\AppData\Roaming:28e6fcdf43004128d29f013a87360b4a [394]
AlternateDataStreams: C:\Users\seezo\AppData\Roaming:374c9b336db4fa9522b72c58dcd0c3f9 [394]
IE trusted site: HKU\.DEFAULT\...\webcompanion.com -> hxxp://webcompanion.com
IE trusted site: HKU\S-1-5-21-1333255723-3266158280-2740484146-1001\...\webcompanion.com -> hxxp://webcompanion.com
HKU\S-1-5-21-1333255723-3266158280-2740484146-1001\...\StartupApproved\Run: => "AnyTransToolHelper"
FirewallRules: [{78E4F936-D3C3-4426-83BD-697675E11B96}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe => No File
FirewallRules: [{6B6DF8BD-7132-4E9F-A960-377F8DDC762C}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe => No File
FirewallRules: [TCP Query User{211A8EDC-AAB3-42F6-8E3B-8FE6522F7CF9}C:\program files (x86)\steam\steamapps\common\tera\client\binaries\tera.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\tera\client\binaries\tera.exe => No File
FirewallRules: [UDP Query User{2F1F378E-D6D7-48A3-8BCC-B0A0EE164652}C:\program files (x86)\steam\steamapps\common\tera\client\binaries\tera.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\tera\client\binaries\tera.exe => No File
FirewallRules: [{A9253A66-FFDB-41B4-A5CD-5C750EDAC6D2}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Tera\launcher.exe => No File
FirewallRules: [{ED8C03F4-115D-4F60-B198-2F427B5AE172}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Tera\launcher.exe => No File
FirewallRules: [{65DF5E37-5AA1-4A4F-9DB0-327724323A93}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Tera\launcher.exe => No File
FirewallRules: [{2F9BA7EA-FA86-41D6-B005-2997CD5E51CA}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Tera\launcher.exe => No File
FirewallRules: [{19EA6926-BD72-4B70-8842-EA9238D10680}] => (Allow) C:\Users\seezo\AppData\Roaming\BitTorrent Web\btweb.exe => No File
FirewallRules: [{27585A5B-975B-4A3C-8116-47B7ADB520FB}] => (Allow) C:\Users\seezo\AppData\Roaming\BitTorrent Web\btweb.exe => No File
FirewallRules: [{35FE1E1B-30EA-459C-BE8B-9A84BEFC128E}] => (Allow) C:\Program Files (x86)\iMobie\AnyTrans\xldownload\download\MiniThunderPlatform.exe => No File
FirewallRules: [{44BF3DA1-1E5F-48E6-8540-24A95C66BF85}] => (Allow) C:\Program Files (x86)\iMobie\AnyTrans\xldownload\download\MiniThunderPlatform.exe => No File
FirewallRules: [{14E2AB96-761F-4B34-A38D-9D8DDA9D8D3C}] => (Allow) C:\Program Files (x86)\iMobie\AnyTrans\AnyTrans.exe => No File
FirewallRules: [TCP Query User{6A763A4D-559B-4D20-814C-621457CC5FBE}C:\program files (x86)\imobie\anytrans\airbackuphelper.exe] => (Block) C:\program files (x86)\imobie\anytrans\airbackuphelper.exe => No File
FirewallRules: [UDP Query User{324C728D-E6F8-4280-B563-BD5616EE02C9}C:\program files (x86)\imobie\anytrans\airbackuphelper.exe] => (Block) C:\program files (x86)\imobie\anytrans\airbackuphelper.exe => No File
FirewallRules: [TCP Query User{9AAE5470-2CBB-49DC-AAF2-4337BBDEC4D9}C:\program files (x86)\imobie\anytrans\airbackuphelper.exe] => (Block) C:\program files (x86)\imobie\anytrans\airbackuphelper.exe => No File
FirewallRules: [UDP Query User{34D16A7A-B7F2-4259-98DF-24692BF081D3}C:\program files (x86)\imobie\anytrans\airbackuphelper.exe] => (Block) C:\program files (x86)\imobie\anytrans\airbackuphelper.exe => No File
FirewallRules: [{AD19B712-D652-46C2-8FAE-92861901594C}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Don't Starve Together\bin\dontstarve_steam.exe => No File
FirewallRules: [{6BBDE282-4589-4FEF-AC60-633CD6C5C9BA}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Don't Starve Together\bin\dontstarve_steam.exe => No File
FirewallRules: [{313C58EE-6DD1-4A1C-9340-3C432C1DF167}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Don't Starve Together\bin\dontstarve_steam.exe => No File
FirewallRules: [{48E385C7-64D0-4187-B6F6-87F99D7D66ED}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Don't Starve Together\bin\dontstarve_steam.exe => No File
HKU\S-1-5-21-1333255723-3266158280-2740484146-1001\...\Run: [AnyTransToolHelper] => C:\Program Files (x86)\iMobie\AnyTrans\AnyTransToolHelper.exe (No File)
HKU\S-1-5-21-1333255723-3266158280-2740484146-1001\...\Run: [btweb] => "C:\Users\seezo\AppData\Roaming\BitTorrent Web\btweb.exe" /MINIMIZED (No File)
Task: {DABC0B83-F36C-4B3A-B371-98ED4F40639F} - System32\Tasks\unityhub => C:\Users\seezo\AppData\Roaming\Microsoft\unityhub.exe [1383718400 2021-11-17] (Unity Hub) [File not signed] <==== ATTENTION
Edge Extension: (No Name) -> AutoFormFill_5ED10D46BD7E47DEB1F3685D2C0FCE08 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\AutoFormFill [not found]
Edge Extension: (No Name) -> BookReader_B171F20233094AC88D05A8EF7B9763E8 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\BookViewer [not found]
Edge Extension: (No Name) -> LearningTools_7706F933-971C-41D1-9899-8A026EB5D824 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\LearningTools [not found]
Edge Extension: (No Name) -> PinJSAPI_EC01B57063BE468FAB6DB7EBFC3BF368 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\PinJSAPI [not found]
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
CHR DefaultSearchURL: Default -> hxxps://ssl.gstatic.com/chromoting/chromoting_logo_512.png
CHR HKLM-x32\...\Chrome\Extension: [mfhcmdonhekjhfbjmeacdjbhlfgpjabp]
S3 tapwindscribe0901; C:\WINDOWS\System32\drivers\tapwindscribe0901.sys [57768 2021-12-19] (Windscribe Limited -> The OpenVPN Project)
S3 windtun420; C:\WINDOWS\System32\drivers\windtun420.sys [47544 2021-12-19] (Windscribe Limited -> WireGuard LLC)
C:\WINDOWS\system32\Tasks\unityhub
C:\Users\seezo\AppData\Local\NPE
C:\WINDOWS\system32\unityhub.exe
C:\Users\seezo\Downloads\qbittorrent_4.4.0_x64_setup.exe
C:\Users\seezo\Desktop\Photoshop.exe - Shortcut.lnk
C:\Users\seezo\AppData\LocalLow\Adobe
C:\Users\seezo\Documents\Adobe
C:\ProgramData\regid.1986-12.com.adobe
C:\Program Files\Common Files\Adobe
C:\ProgramData\Adobe
C:\Users\seezo\AppData\Local\Adobe
C:\Users\seezo\Downloads\Windscribe.exe
C:\Users\seezo\AppData\Local\Windscribe
C:\Users\seezo\AppData\Roaming\Microsoft\unityhub.exe
C:\Program Files\mingw-w64\mingw-w64.bat 
C:\WINDOWS\System32\drivers\tapwindscribe0901.sys
C:\WINDOWS\System32\drivers\windtun420.sys
Hosts:
EmptyTemp: 
End::
  • Please right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Please post the log in your next reply.

 

3. Run AdwCleaner (scan only)

Download AdwCleaner and save it to your desktop.

  • Double click AdwCleaner.exe to run it.
  • Click Scan Now.
    • When the scan has finished, a Scan Results window will open.
    • Click Cancel (at this point do not attempt to Quarantine anything that is found)
  • Now click the Log Files tab.
    • Double click on the latest scan log (Scan logs have a [S0*] suffix, where * is replaced by a number. The latest scan will have the largest number)
    • A Notepad file will open containing the results of the scan.
    • Please post the contents of the file in your next reply.

 

4. Run Malwarebytes (scan only)
 
I know you said that you already ran Malwarebytes. Let's run it once more with these specific settings enabled:

  • Open Malwarebytes.
  • Click the little gear on the top right (Settings) and when it opens, click the Security tab and make sure about the following:
    Under the title Scan Options, all the options are checked.
    Under the title Windows Security Center (Premium only) the option is NOT checked.
    Under the title Potentially unwanted items all options are set to Always.
  • Click on the little gear to return to the main menu and select Scan. The program will start scanning your computer. This may take about 10 minutes, but in some cases it may take longer.
  • When finished, you will see the Threat Scan Summary window open.
  • If threats are not found, click View Report and proceed to the last two steps below.

    If threats are found, make sure that no threats are selected, close the program and proceed to the next steps below.
    • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
    • Find the report with the most recent date and double click on it.
    • Click on Export and then Copy to Clipboard.
    • Paste its content here, in your next reply.

 

In your next reply please post:

  1. What did you do with Chrome Remote Desktop and extensions
  2. The fixlog.txt
  3. The AdwCleaner[S0*].txt
  4. The Malwarebytes report

  • 0
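The FRST fix in the post above removes a few recognisable kinds of stale persistence and trust entries: Run keys whose executable is gone ("(No File)"), firewall rules whose program no longer exists ("=> No File"), a scheduled task launching an unsigned binary from AppData\Roaming, and hash-named alternate data streams on the profile folder. As an added example that is not part of this thread or of the FRST tool, the PowerShell below enumerates those same categories on the local machine, read-only, so a defender can review what FRST would be cleaning; it assumes Windows 10/11 with the built-in NetSecurity and ScheduledTasks modules and an elevated session, and the Run-key path extraction is a labelled heuristic.

```powershell
# Added example (not from the thread or FRST): read-only audit of the persistence
# locations the FRST fix above cleans. Reports only, removes nothing. Assumes
# Windows 10/11 with the built-in NetSecurity and ScheduledTasks modules.
function Get-StaleRunEntries {
    # Run keys whose target executable no longer exists (FRST: "(No File)").
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $keys | Where-Object { Test-Path $_ }) {
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # registry provider metadata
            # Heuristic: quoted path, or unquoted path up to the first " /" switch.
            $exe = ($p.Value -replace '^"([^"]+)".*$', '$1') -replace '\s+/.*$', ''
            if (-not (Test-Path -LiteralPath $exe)) {
                [pscustomobject]@{ Key = $k; Name = $p.Name; Target = $exe }
            }
        }
    }
}

function Get-StaleFirewallRules {
    # Allow/Block rules whose program path no longer exists (FRST: "=> No File").
    $filters = Get-NetFirewallApplicationFilter |
        Where-Object { $_.Program -and $_.Program -notin 'Any', 'System' }
    foreach ($f in $filters) {
        $path = [Environment]::ExpandEnvironmentVariables($f.Program)
        if (Test-Path -LiteralPath $path) { continue }
        $rule = $f | Get-NetFirewallRule
        [pscustomobject]@{ Rule = $rule.DisplayName; Action = $rule.Action; Program = $path }
    }
}

function Get-UnsignedTaskBinaries {
    # Tasks that launch a binary without a valid Authenticode signature
    # (FRST flagged unityhub.exe under AppData\Roaming as "[File not signed]").
    foreach ($task in Get-ScheduledTask) {
        foreach ($a in $task.Actions) {
            if (-not $a.Execute) { continue }       # COM-handler actions have no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($a.Execute.Trim('"'))
            if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }
            $sig = Get-AuthenticodeSignature -LiteralPath $exe
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{ Task = $task.TaskName; Path = $exe; Signature = $sig.Status }
            }
        }
    }
}

function Get-ProfileDataStreams {
    # Alternate data streams on profile folders (FRST listed hash-named streams on
    # AppData\Roaming). Directories have no :$DATA stream, so any hit is an ADS.
    foreach ($dir in $env:USERPROFILE, $env:APPDATA, $env:LOCALAPPDATA) {
        Get-Item -LiteralPath $dir -Stream * -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Path = $dir; Stream = $_.Stream; Bytes = $_.Length } }
    }
}

Get-StaleRunEntries      | Format-Table -AutoSize
Get-StaleFirewallRules   | Format-Table -AutoSize
Get-UnsignedTaskBinaries | Format-Table -AutoSize
Get-ProfileDataStreams   | Format-Table -AutoSize
```

A stale firewall rule or orphaned Run entry is not malicious by itself (most here point at uninstalled games and tools), which is why the script only lists them and leaves the decision to whoever is reviewing the logs.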

#15
weisation

    Member

  • Topic Starter
  • Member
  • 13 posts

Hi, sorry for the late reply,

 

I have decided to keep the Chrome extensions.

 

Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 1/10/22
Scan Time: 5:18 PM
Log File: 51263c5a-71f6-11ec-847e-80fa5b86c078.json
 
-Software Information-
Version: 4.5.0.152
Components Version: 1.0.1538
Update Package Version: 1.0.49612
License: Trial
 
-System Information-
OS: Windows 10 (Build 19042.1415)
CPU: x64
File System: NTFS
User: DESKTOP-F0CH9P5\seezo
 
-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 366467
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 5 min, 6 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 0
(No malicious items detected)
 
Registry Value: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 0
(No malicious items detected)
 
File: 0
(No malicious items detected)
 
Physical Sector: 0
(No malicious items detected)
 
WMI: 0
(No malicious items detected)
 
 
(end)

Attached Files


  • 0





