
Bitcoin mining virus reboots server when terminated


This topic is locked
12 replies to this topic

#1 zatcham (Members, 6 posts)

Posted 01 February 2018 - 03:03 PM

As written in the title, this is a Windows Server 2012 R2 installation that has received a virus. I have tried hard to remove this, but every time I end one of its processes, the system reboots. Attached are the FRST logs. If you could please help me combat this virus, I would be grateful.

 

Thanks,

Zach

 

Attached file: Addition.txt (27.69KB)

 

Attached file: FRST.txt (48.91KB)




 


#2 JSntgRvr (Master Surgeon General, Malware Response Team, 11,448 posts, Puerto Rico)

Posted 01 February 2018 - 04:31 PM

Hi

Welcome :)

I'll be helping you with your computer.

Please read this post completely before beginning. If there's anything that you do not understand, please don't hesitate to ask before proceeding.

Please take note of the guidelines for this fix:
  • Please note that I am a volunteer. I do have a family, a career, and other endeavors that may prevent immediate responses that meet your schedule. Do note that the differences in time zones could present a problem as well. Your patience and understanding will be greatly appreciated.
  • First of all, the procedures we are about to perform are specific to your problem and should only be used on this specific computer.
  • Do not make any changes to your computer that include installing/uninstalling programs, deleting files, modifying the registry, nor running scanners or tools of any kind unless specifically requested by me.
  • Please read ALL instructions carefully and perform the steps fully and in the order they are written.
  • If things appear to be better, let me know. Just because the symptoms no longer exist as before, does not mean that you are clean.
  • Continue to read and follow my instructions until I tell you that your machine is clean.
  • If you have any questions at all, please do not hesitate to ask before performing the task that I ask of you, and please wait for my reply before you proceed.
  • Scanning with programs and reading the logs do take a fair amount of time. Again, your patience will be necessary. :)
Let's begin... :)

Open FRST as you did before.

Type the following in the edit box on FRST, after "Search:".

wininit.exe

It then should look like:

Search: wininit.exe

Click the Search Files button and post the log (Search.txt) it makes in the same location FRST64 was run from in your next reply.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
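The wininit.exe search above is worth pairing with a check of which binary is actually running under that name. What follows is an added example for this thread, not FRST output and not the helper's instructions. It assumes an elevated PowerShell on the affected server and that the only legitimate copy is %SystemRoot%\System32\wininit.exe, Microsoft-signed. Terminating the genuine wininit.exe is itself a guaranteed reboot (Windows treats it as a critical process and bugchecks), so the first thing to settle is whether the process being killed is that one or a copy living somewhere else.

```powershell
# Added example for this thread (not FRST output, not the helper's script).
# Run in an elevated PowerShell on the affected server. Assumption: the only
# legitimate wininit.exe is %SystemRoot%\System32\wininit.exe, signed by
# Microsoft. Killing that genuine process bugchecks Windows, so identify the
# binary before terminating anything by that name.

function Get-WininitFiles {
    # Every file named wininit.exe on the system drive, with signature and hash,
    # flagged when it sits anywhere other than the expected System32 path.
    param([string]$Root = "$env:SystemDrive\")
    $expected = Join-Path $env:SystemRoot 'System32\wininit.exe'
    Get-ChildItem -Path $Root -Filter 'wininit.exe' -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path         = $_.FullName
                ExpectedPath = ($_.FullName -ieq $expected)
                SizeBytes    = $_.Length
                Created      = $_.CreationTime
                SigStatus    = $sig.Status
                Signer       = $sig.SignerCertificate.Subject
                SHA256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

function Get-WininitProcesses {
    # Every running process named wininit.exe: image path, command line, owner
    # and parent. The genuine one runs once, as SYSTEM, and its parent (smss.exe)
    # has already exited; a second instance, one started from another path, or one
    # with a live parent is the one to investigate.
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'wininit.exe'" |
        ForEach-Object {
            $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
            $owner  = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
            $ownerName  = if ($owner.User) { "$($owner.Domain)\$($owner.User)" } else { 'n/a' }
            $parentName = if ($parent) { "$($parent.Name) (PID $($parent.ProcessId))" } else { 'exited' }
            [pscustomobject]@{
                PID         = $_.ProcessId
                Path        = $_.ExecutablePath
                CommandLine = $_.CommandLine
                Owner       = $ownerName
                Parent      = $parentName
                Started     = $_.CreationDate
            }
        }
}

Get-WininitFiles     | Format-Table -AutoSize
Get-WininitProcesses | Format-List
```

A copy of wininit.exe outside System32, an unsigned or badly-signed one, or a second running instance with a parent that is still alive is the process to hand to the FRST fix; a single SYSTEM instance at the expected path with an exited parent is the real thing and should be left alone.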


#3 zatcham (Topic Starter, Members, 6 posts)

Posted 03 February 2018 - 07:00 AM

Hi there, I have done that and here is the Search file.

 

Attached file: Search.txt (1.1KB)

 

Thanks,

Zach



#4 JSntgRvr (Master Surgeon General, Malware Response Team, 11,448 posts, Puerto Rico)

Posted 03 February 2018 - 09:43 AM

  • Highlight the entire content of the quote box below.

Start::  
FirewallRules: [{13B6B5FE-2D61-4DE4-910B-FF21C23E4F9D}] => (Allow) LPort=6602
FirewallRules: [{50D105C9-4B23-4E0D-88EE-538BE2762BDC}] => (Allow) LPort=8912
FirewallRules: [{97B9D506-9B77-4AAD-8925-278961C2DD51}] => (Allow) LPort=8912
FirewallRules: [{C02A00B2-77B9-4E24-8025-049507265E68}] => (Allow) LPort=65520
FirewallRules: [{3804A3FA-4B12-4227-98B3-F39AB82E7B4B}] => (Allow) LPort=8530
FirewallRules: [{7ACC90EB-3D7E-48DA-A9E5-BD75037D7E5E}] => (Allow) LPort=8531
FirewallRules: [NPS-NPSSvc-In-UDP-1645] => (Allow) LPort=1645
FirewallRules: [NPS-NPSSvc-In-UDP-1646] => (Allow) LPort=1646
FirewallRules: [NPS-NPSSvc-In-UDP-1812] => (Allow) LPort=1812
FirewallRules: [NPS-NPSSvc-In-UDP-1813] => (Allow) LPort=1813
FirewallRules: [{DCA33C4E-6C26-4257-9D24-E0D6B1F46E99}] => (Block) LPort=445
FirewallRules: [{2DA4986D-4968-4A96-8354-3F83F70CEF2D}] => (Block) LPort=445
FirewallRules: [{5642F258-021D-460E-AF58-FF3389FEE43E}] => (Block) LPort=445
FirewallRules: [{A151B159-E580-42B7-B8F4-4A4CE86B1FB2}] => (Block) LPort=445
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
URLSearchHook: [S-1-5-21-1903974420-74860015-956047711-1116] ATTENTION => Default URLSearchHook is missing
URLSearchHook: [S-1-5-80-1184457765-4068085190-3456807688-2200952327-3769537534] ATTENTION => Default URLSearchHook is missing
HKU\.DEFAULT\Software\Classes\exefile: "%1" %* <==== ATTENTION
HKU\.DEFAULT\Software\Classes\.exe: exefile => "%1" %* <==== ATTENTION
HKU\S-1-5-21-1903974420-74860015-956047711-1116\Software\Classes\exefile: "%1" %* <==== ATTENTION
HKU\S-1-5-21-1903974420-74860015-956047711-1116\Software\Classes\.exe: exefile => "%1" %* <==== ATTENTION
HKU\S-1-5-21-1903974420-74860015-956047711-1117\Software\Classes\exefile: "%1" %* <==== ATTENTION
HKU\S-1-5-21-1903974420-74860015-956047711-1117\Software\Classes\.exe: exefile => "%1" %* <==== ATTENTION
HKU\S-1-5-21-1903974420-74860015-956047711-500\Software\Classes\exefile: "%1" %* <==== ATTENTION
HKU\S-1-5-21-1903974420-74860015-956047711-500\Software\Classes\.exe: exefile => "%1" %* <==== ATTENTION
HKU\S-1-5-80-1184457765-4068085190-3456807688-2200952327-3769537534\Software\Classes\exefile: "%1" %* <==== ATTENTION
HKU\S-1-5-80-1184457765-4068085190-3456807688-2200952327-3769537534\Software\Classes\.exe: exefile => "%1" %* <==== ATTENTION
BHO: Webroot Vault -> {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} -> C:\ProgramData\WRData\pkg\LPBar64.dll => No File
BHO-x32: Webroot Vault -> {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} -> C:\ProgramData\WRData\pkg\LPBar.dll => No File
Toolbar: HKLM - Webroot Toolbar - {97ab88ef-346b-4179-a0b1-7445896547a5} - C:\ProgramData\WRData\pkg\LPBar64.dll No File
Toolbar: HKLM-x32 - Webroot Toolbar - {97ab88ef-346b-4179-a0b1-7445896547a5} - C:\ProgramData\WRData\pkg\LPBar.dll No File
2016-08-17 08:08 - 2016-08-17 08:08 - 000938032 _____ (Webroot) C:\Users\Administrator\AppData\Local\Temp\WRupdate80424203.exe
2018-01-31 17:30 - 2016-08-13 07:40 - 001737080 _____ (Microsoft Corporation) C:\Users\peter\AppData\Local\Temp\dllnt_dump.dll
2018-01-31 18:54 - 2018-01-31 18:54 - 000000000 ____H C:\BIT36B2.tmp
2018-01-31 18:00 - 2018-01-31 18:00 - 000000000 ____H C:\BIT47BB.tmp
2018-01-31 17:23 - 2018-01-31 17:23 - 000000000 ____H C:\BIT5554.tmp
2018-01-28 14:52 - 2018-01-28 14:52 - 000000000 ____H C:\BIT789D.tmp
2018-01-27 07:19 - 2018-01-27 07:19 - 000000000 ____H C:\BIT6380.tmp
2018-01-27 07:14 - 2018-01-27 07:14 - 000231936 ____H C:\Windows\system32\tmp68E.tmp
2018-01-27 06:16 - 2018-01-27 06:16 - 000000000 ____H C:\BITA441.tmp
2018-01-27 06:10 - 2018-01-27 06:10 - 000231936 ____H C:\Windows\system32\tmp3A21.tmp
2018-01-25 18:53 - 2018-01-25 18:53 - 000000000 ____H C:\BIT6D41.tmp
2018-01-25 18:47 - 2018-01-25 18:47 - 000231936 ____H C:\Windows\system32\tmp3A5F.tmp
2018-01-24 20:47 - 2018-01-24 20:47 - 000000000 ____H C:\BIT459.tmp
2018-01-24 20:42 - 2018-01-24 20:42 - 000231936 ____H C:\Windows\system32\tmpE385.tmp
2018-01-23 06:51 - 2018-01-23 06:51 - 000000000 ____H C:\BIT690C.tmp
2018-01-23 06:45 - 2018-01-23 06:45 - 000231936 ____H C:\Windows\system32\tmp18BE.tmp
2018-01-22 07:05 - 2018-01-22 07:05 - 000000000 ____H C:\BIT66C9.tmp
2018-01-22 06:59 - 2018-01-22 06:59 - 000231936 ____H C:\Windows\system32\tmp2CC3.tmp
2018-01-20 15:47 - 2018-01-20 15:47 - 000000000 ____H C:\BIT45B3.tmp
2018-01-20 15:41 - 2018-01-20 15:41 - 000231936 ____H C:\Windows\system32\tmp20CC.tmp
2018-01-17 11:39 - 2018-01-17 11:39 - 000000000 ____H C:\BIT3BF2.tmp
2018-01-17 11:34 - 2018-01-17 11:34 - 000231936 ____H C:\Windows\system32\tmpC4A.tmp
2018-01-16 16:35 - 2018-01-16 16:35 - 000000000 ____H C:\BIT5044.tmp
2018-01-16 16:30 - 2018-01-16 16:30 - 000231936 ____H C:\Windows\system32\tmp302E.tmp
2018-01-16 13:49 - 2018-01-16 13:49 - 000000000 ____H C:\BIT6A08.tmp
2018-01-16 13:44 - 2018-01-16 13:44 - 000231936 ____H C:\Windows\system32\tmp3C92.tmp
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
CMD: fltmc instances
Folder: C:\Windows\System32\Drivers
Reg: Reg query "HKLM\SYSTEM\Select"
HOSTS:
CMD: Removeproxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset C:\resettcpip.txt
CMD: FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i"
CMD: Bitsadmin /Reset /Allusers
EMPTYTEMP:
Reboot:
End::

  • Right click on the highlighted text and select Copy.
  • Start FRST (FRST64) with Administrator privileges
  • Press the Fix button. FRST will process the lines copied above from the clipboard.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.

Download AdwCleaner from here. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

  • XP users: Double click the AdwCleaner icon to start the program.
  • Vista/7/8/10 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
    You will see the following console:



  • Click the Scan button and wait for the scan to finish.
  • After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.
  • Click the Clean button.
  • Everything checked will be moved to Quarantine.
  • When the program has finished cleaning, a report appears. Once done it will ask to reboot; allow this.



  • On reboot a log will be produced please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C0].txt

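The fix above removes GUID-named inbound allow rules, repairs the exefile association in every loaded user hive, deletes a run of C:\BIT*.tmp and System32\tmp*.tmp files, resets BITS for all users, and clears every event log. The following is an added example for this thread, not the FRST fix and not FRST output: an elevated PowerShell triage of those same four items on Windows Server 2012 R2 or later (the NetSecurity and BitsTransfer modules are in-box there; C:\IR\evtx is an assumed export folder). It exports the event logs first, because `wevtutil cl` on every log erases the timeline of how the miner got in.

```powershell
# Added example for this thread (not the FRST fix above, not FRST output).
# Elevated PowerShell on Windows Server 2012 R2 or later. $ExportDir is an
# assumed destination folder. Run this BEFORE a fix that clears event logs
# or resets BITS, since both destroy evidence this script collects.

Import-Module NetSecurity
Import-Module BitsTransfer

$ExportDir = 'C:\IR\evtx'

function Export-AllEventLogs {
    # Save every event log as .evtx before anything clears it.
    param([string]$Destination = $ExportDir)
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    foreach ($log in (wevtutil el)) {
        $file = Join-Path $Destination (($log -replace '[\\/]', '_') + '.evtx')
        wevtutil epl "$log" "$file" 2>$null
    }
    Get-ChildItem -Path $Destination -Filter '*.evtx' | Measure-Object -Property Length -Sum
}

function Get-InboundAllowRules {
    # Enabled inbound Allow rules that open specific local ports, with the program
    # each is bound to. GUID-named rules with no program, like the 6602/8912/65520
    # ones the fix removes, are the ones that need an explanation.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $app  = $_ | Get-NetFirewallApplicationFilter
            if ($port.LocalPort -ne 'Any') {
                [pscustomobject]@{
                    Name      = $_.Name
                    Profile   = $_.Profile
                    Protocol  = $port.Protocol
                    LocalPort = ($port.LocalPort -join ',')
                    Program   = $app.Program
                }
            }
        }
}

function Test-ExeFileAssociation {
    # HKCR\exefile must launch "%1" %* directly. Per-user Software\Classes\exefile
    # keys normally do not exist at all; their presence (which is what FRST flagged
    # with ATTENTION) lets a per-user override sit in front of every .exe launch.
    $hkcr = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
    $cmd  = (Get-ItemProperty -Path $hkcr).'(default)'
    [pscustomobject]@{ Key = $hkcr; Command = $cmd; Suspicious = ($cmd -ne '"%1" %*') }
    Get-ChildItem -Path 'Registry::HKEY_USERS' | ForEach-Object {
        $k = "Registry::$($_.Name)\Software\Classes\exefile"
        if (Test-Path -Path $k) {
            $c = (Get-ItemProperty -Path "$k\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{ Key = $k; Command = $c; Suspicious = $true }
        }
    }
}

function Get-AllBitsJobs {
    # BITS jobs of every user. The C:\BIT*.tmp files in the fix are BITS temporary
    # downloads; the job that created them shows the remote URL and the owner
    # account, which "Bitsadmin /Reset /Allusers" will erase.
    Get-BitsTransfer -AllUsers | ForEach-Object {
        [pscustomobject]@{
            Job     = $_.DisplayName
            State   = $_.JobState
            Owner   = $_.OwnerAccount
            Created = $_.CreationTime
            Files   = (($_.FileList | ForEach-Object { "$($_.RemoteName) -> $($_.LocalName)" }) -join '; ')
        }
    }
}

Export-AllEventLogs     | Format-List
Get-InboundAllowRules   | Format-Table -AutoSize
Test-ExeFileAssociation | Format-Table -AutoSize
Get-AllBitsJobs         | Format-List
```

The exported .evtx files can be opened later in Event Viewer or queried with Get-WinEvent -Path; the Security log around the first tmp*.tmp timestamp (16 January 2018 in the list above) is where the initial logon or service-install event will be.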


#5 zatcham (Topic Starter, Members, 6 posts)

Posted 03 February 2018 - 06:07 PM

Here is the FRST fix log:

 

Attached file: Fixlog.txt (89.64KB)

 

Thanks,

Zach



#6 JSntgRvr (Master Surgeon General, Malware Response Team, 11,448 posts, Puerto Rico)

Posted 03 February 2018 - 06:14 PM

Did you run AdwCleaner?




#7 zatcham (Topic Starter, Members, 6 posts)

Posted 04 February 2018 - 03:19 PM

I have now.

Here is the log you wanted:

Attached file: AdwCleanerS1.txt (1.01KB)



#8 JSntgRvr (Master Surgeon General, Malware Response Team, 11,448 posts, Puerto Rico)

Posted 04 February 2018 - 03:52 PM

Seems clear. How is the computer doing?




#9 zatcham (Topic Starter, Members, 6 posts)

Posted 04 February 2018 - 03:58 PM

The server's CPU isn't at 100 percent all the time now and there are no odd processes running. I found some accounts on the AD that I hadn't made, so deleted those.

#10 JSntgRvr (Master Surgeon General, Malware Response Team, 11,448 posts, Puerto Rico)

Posted 04 February 2018 - 04:10 PM

The server's CPU isn't at 100 percent all the time now and there are no odd processes running. I found some accounts on the AD that I hadn't made, so deleted those.

What is AD standing for?




#11 zatcham (Topic Starter, Members, 6 posts)

Posted 04 February 2018 - 05:00 PM

AD is Active Directory, basically the network domain. As this is the AD server, it doesn't have any local users, just domain ones, and I found a bunch of weird admin accounts, so I deleted them. I have now installed Avast Business Pro Trial. What do you recommend other than that? Malwarebytes?
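The unknown admin accounts are the most important finding in this thread: the infected machine is the domain controller, so whoever planted the miner also created domain accounts. The following is an added example, not part of the original posts, that enumerates what the poster found by eye as queries on the DC. It assumes the ActiveDirectory module (in-box on a domain controller), a 30-day lookback as the assumed window (the tmp*.tmp files in the FRST list begin mid-January 2018), and that the AD Recycle Bin or ordinary tombstones still hold the accounts that were already deleted.

```powershell
# Added example for this thread, not the poster's steps. Run on the domain
# controller. Assumptions: ActiveDirectory module available; $Since is an
# assumed lookback window; deleted accounts are still present as tombstones
# or Recycle Bin objects.

Import-Module ActiveDirectory

function Get-RecentlyCreatedAccounts {
    # Users, computers and groups created inside the window, newest first.
    param([datetime]$Since = (Get-Date).AddDays(-30))
    Get-ADObject -Filter 'whenCreated -ge $Since' -Properties whenCreated, sAMAccountName, description |
        Where-Object { $_.objectClass -in 'user', 'computer', 'group' } |
        Sort-Object whenCreated -Descending |
        Select-Object whenCreated, objectClass, sAMAccountName, description, DistinguishedName
}

function Get-DeletedAccounts {
    # Accounts already deleted (like the ones in the post above) keep their name,
    # creation time and original container in the tombstone; this recovers who
    # they were and when they appeared.
    param([datetime]$Since = (Get-Date).AddDays(-30))
    Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user"' -IncludeDeletedObjects `
                 -Properties whenCreated, whenChanged, sAMAccountName, lastKnownParent |
        Where-Object { $_.whenCreated -ge $Since } |
        Select-Object whenCreated, whenChanged, sAMAccountName, lastKnownParent
}

function Get-PrivilegedGroupMembers {
    # Effective membership of the groups that matter. Enterprise/Schema Admins
    # exist only in the forest root, so groups that are absent are skipped.
    $groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
              'Account Operators', 'Backup Operators', 'Server Operators', 'DnsAdmins'
    foreach ($g in $groups) {
        if (-not (Get-ADGroup -Filter 'Name -eq $g')) { continue }
        Get-ADGroupMember -Identity $g -Recursive | ForEach-Object {
            $o = Get-ADObject -Identity $_.distinguishedName -Properties whenCreated, lastLogonTimestamp
            $last = if ($o.lastLogonTimestamp) { [datetime]::FromFileTime($o.lastLogonTimestamp) } else { $null }
            [pscustomobject]@{
                Group     = $g
                Member    = $_.SamAccountName
                Class     = $_.objectClass
                Created   = $o.whenCreated
                LastLogon = $last
            }
        }
    }
}

function Get-AdminCountOrphans {
    # adminCount=1 is stamped by SDProp on anything that was ever in a protected
    # group and is never cleared, so an account that carries it but is no longer
    # a member was privileged at some point: a cheap signal for names you never made.
    $protected = Get-PrivilegedGroupMembers | Select-Object -ExpandProperty Member -Unique
    Get-ADUser -Filter 'adminCount -eq 1' -Properties adminCount, whenCreated |
        Where-Object { $protected -notcontains $_.SamAccountName } |
        Select-Object SamAccountName, whenCreated, Enabled, DistinguishedName
}

Get-RecentlyCreatedAccounts | Format-Table -AutoSize
Get-DeletedAccounts         | Format-Table -AutoSize
Get-PrivilegedGroupMembers  | Format-Table -AutoSize
Get-AdminCountOrphans       | Format-Table -AutoSize
```

Deleting the rogue accounts removes the attacker's foothold but not the credentials they already captured on a compromised DC (every domain password hash, and the krbtgt key that signs Kerberos tickets). Microsoft's standing guidance for a compromised domain controller is to reset the krbtgt account password twice, reset every privileged account's password, and strongly consider rebuilding the DC rather than cleaning it in place.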

#12 JSntgRvr (Master Surgeon General, Malware Response Team, 11,448 posts, Puerto Rico)

Posted 04 February 2018 - 08:40 PM

Thank you.

 

Yes, the combination of AVAST and Malwarebytes Antimalware Pro is the right one.

 

Use the following application to remove quarantined items.

 

Please download DelFix by Xplode and save to your Desktop.

  • Double-click on delfix.exe to run the tool.
    Vista/Windows 7/8/10 users right-click and select Run As Administrator.
  • Put a check mark next to these items:
    - Remove disinfection tools
    - Create registry backup
  • Click the "Run" button.
  • When the tool has finished, it will create and open a log report (DelFix.txt)

 

Always keep your security active and updated.

 

Best regards. :)




#13 JSntgRvr (Master Surgeon General, Malware Response Team, 11,448 posts, Puerto Rico)

Posted 06 February 2018 - 07:12 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





