
I think I have infection


  • Please log in to reply
5 replies to this topic

#1 YrrehcTiurf

Posted 19 November 2015 - 01:24 AM

I have a process of SVCHOST.exe running from my C:\Windows\Temp directory and it starts on bootup every time I reboot. It uses close to 90% CPU. The file it creates is a txt file that contains "Claymore CryptoNote CPU Miner  v3.3 Beta" somewhere in the first several lines.

What do I do? I can't clean it with Malwarebytes, McAfee, SpyHunter.

Please help.

Thanks.


#2 Aura

Posted 19 November 2015 - 07:54 AM

Hi YrrehcTiurf :)

My name is Aura and I'll be assisting you with your issue. Follow the instructions below please.

Autoruns - Start-up Entries
Follow the instructions below to give me an Autoruns log containing your start-up entries:
  • Download Autoruns.zip from the Sysinternals Suite webpage;
  • Extract the content of the Autoruns.zip folder where you want, then go into the folder, right-click on Autoruns.exe and select Run as Administrator;
  • Accept the EULA on opening, then wait for all the entries to load;
  • Click on File then Save and save the file to a location easily accessible as a .arn (Autoruns) file;
  • Upload the file on Dropbox, Google Drive or OneDrive and post the download URL for it here;

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 YrrehcTiurf

Posted 19 November 2015 - 08:53 AM

Here is the autoruns file.


https://www.dropbox.com/s/ozzn9jxwv1nq8sk/TWE-PC.arn?dl=0



#4 Aura

Posted 19 November 2015 - 09:13 AM

Good :) Before proceeding, can you upload that svchost.exe file to VirusTotal and post the URL here?

Upload a file on VirusTotal
  • Open your favorite web browser, and go to virustotal.com;
  • From there, click on the Select a file button and wait for Windows Explorer to open;
  • Browse to C:\Windows\Temp, select svchost.exe and click on Open;
  • Once it's done, click on the Analyze button;
  • If you get a message that the file was already analyzed, click on the Re-analyze button;
  • Once done, copy and paste the VirusTotal report URL in your next reply;
Also, it seems that you are using a pirated copy of Windows.


Before proceeding, I'll ask you to remove AutoKMS (and any other illegal loaders you have) on your system, since BleepingComputer doesn't support piracy.

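A PowerShell first-pass triage, added here as an example and not part of Aura's instructions, that covers the two requests above in one run: it flags any process carrying a Windows system binary name (svchost.exe from this thread plus a few assumed names) whose image lives outside System32/SysWOW64, hashes that image so its VirusTotal report can be looked up by SHA-256 without uploading anything, and lists the Temp-based start-up entries, services and scheduled tasks that Autoruns would surface. Assumes an elevated PowerShell 5.1 prompt on Windows 8 / Server 2012 or later; the function names are the example's own.

```powershell
# Added example, not from the thread: first-pass triage for a process that
# masquerades as a Windows system binary, as svchost.exe did here from
# C:\Windows\Temp. Assumes an elevated PowerShell 5.1 prompt on Windows 8+.

$systemDirs   = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
# Names worth checking; svchost.exe is from this thread, the others are assumed.
$watchedNames = @('svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe')

function Get-MasqueradingProcess {
    Get-CimInstance Win32_Process |
        Where-Object { $_.ExecutablePath -and ($watchedNames -contains $_.Name) } |
        ForEach-Object {
            $proc = $_
            $dir  = Split-Path $proc.ExecutablePath -Parent
            # -eq is case-insensitive in PowerShell, so path casing does not matter.
            $inSystemDir = $systemDirs | Where-Object { $dir -eq $_ }
            if (-not $inSystemDir) {
                $hash = (Get-FileHash -Path $proc.ExecutablePath -Algorithm SHA256).Hash
                [pscustomobject]@{
                    Pid        = $proc.ProcessId
                    Name       = $proc.Name
                    Path       = $proc.ExecutablePath
                    Sha256     = $hash
                    # Hash lookup: the existing report is readable without uploading the file.
                    VirusTotal = "https://www.virustotal.com/gui/file/$($hash.ToLower())"
                }
            }
        }
}

function Get-PersistenceFromTemp {
    # The locations Autoruns would show for a Temp-based start-up entry:
    # Run keys / Startup folder, services, and scheduled tasks.
    $temp = "$env:SystemRoot\Temp"
    Get-CimInstance Win32_StartupCommand |
        Where-Object { $_.Command -like "*$temp*" } |
        Select-Object @{n='Type';e={'Startup'}}, Name, @{n='Command';e={$_.Command}}
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -like "*$temp*" } |
        Select-Object @{n='Type';e={'Service'}}, Name, @{n='Command';e={$_.PathName}}
    Get-ScheduledTask |
        Where-Object { $_.Actions.Execute -like "*$temp*" } |
        Select-Object @{n='Type';e={'Task'}}, @{n='Name';e={$_.TaskName}},
                      @{n='Command';e={$_.Actions.Execute -join ' '}}
}

Get-MasqueradingProcess | Format-List
Get-PersistenceFromTemp | Format-Table -AutoSize
```

A legitimate svchost.exe is only ever loaded from the system directories, so any hit from the first function is worth hashing and checking before the Malwarebytes cleanup step.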


#5 YrrehcTiurf

Posted 19 November 2015 - 09:36 AM

https://www.virustotal.com/en/file/d0326f0ddce4c00f93682e3a6f55a3125f6387e959e9ed6c5e5584e78e737078/analysis/1447943460/


The AutoKMS is from the Microsoft Toolkit that Microsoft support had me use because my copy of Visio would not activate when they deleted my key and reissued me one. They told me someone used a keygen and created my key or something. I don't remember as it was a year or so ago.

My Windows is legit, as is my Office, and Visio.



#6 Aura

Posted 19 November 2015 - 09:52 AM

Alright :) According to the VirusTotal report you gave me, Malwarebytes is supposed to detect that file and delete it. Please update the database and run a new Malwarebytes scan.

Malwarebytes Anti-Malware - Clean Mode
  • Download and install the free version of Malwarebytes Anti-Malware
    Note: It's your choice if you want to enable the free trial of Malwarebytes Premium or not. Enabling it will give you real-time protection from the program, as well as access to all the Premium features.
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point;
  • Once Malwarebytes is installed, launch it and let it update its database. You might have to click on the Update Now button;
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan;
  • Let the scan run; the time required to complete the scan depends on your system and computer specs;
  • Once the scan is complete, make sure that the checkbox by Threat is checked (it means that every item detected is checked), then click on the Remove Selected button;
  • Click on Save Results after the deletion (in the bottom-right corner) and select Copy to clipboard. Paste the content in your next reply;
