OPSWAT metadefender detects Heim.D


7 replies to this topic

#1 jcart1283

jcart1283

  • Members
  • 4 posts
  • OFFLINE
  • Local time:11:04 AM

Posted 07 March 2018 - 02:53 AM

Hi,

I'm using a Win 10 insider build, had a Cryptojacker that Windows Defender detected, quarantined and removed, but ever since I have had several random command line console windows pop up and then quickly close a short time after starting any browser. Windows Defender detects nothing, so I downloaded OPSWAT metadefender, which detects Heim.D as part of its comparison to AVG's database. But AVG doesn't detect it. Haven't tried Malwarebytes yet but I will soon.




#2 buddy215

buddy215

  • Moderator
  • 13,317 posts
  • ONLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:01:04 PM

Posted 07 March 2018 - 07:42 AM

Welcome to BC....

 

Have you noticed your computer's processor running at max speed or close to that when it shouldn't be?

 

Use the programs below to clean, remove adware and remove malware.

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of Google Chrome and Avast.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

Malwarebytes - Clean Mode

  • Download and install the free version of Malwarebytes
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point
  • Once Malwarebytes is installed, launch it and let it update its database. You might have to click on the little arrow by Scan Status in the middle right pane for it to do so
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan
  • Let the scan run, the time required to complete the scan depends on your system and computer specs
  • Once the scan is complete, make sure that the first checkbox at the top is checked (which will automatically check every detected item), then click on the Quarantine Selected button
    • If it asks you to restart your computer to complete the removal, do so
  • Click on Export Summary after the deletion (in the bottom-left corner) and select Copy to Clipboard. Paste the content in your next reply

Download Malwarebytes Anti-Rootkit (MBAR) to your desktop.

  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Double click on downloaded file. OK self extracting prompt.
  • MBAR will start. Click "Next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder located on your Desktop and paste the content of the following files in your next reply:
  • "mbar-log-{date} (xx-xx-xx).txt"

 

Download AdwCleaner by Xplode onto your desktop. (compatible with Windows 7, 8 and 10)

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

 

Download and run the FREE online scanner from Free Virus Scan | Online Virus Scan from ESET | ESET

  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 jcart1283

jcart1283
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:11:04 AM

Posted 07 March 2018 - 06:32 PM

The processor usage rarely goes over 2% when idle, but starts to turn unresponsive around 50%, then gets more responsive if I run enough programs to go over 65% usage.
Logs:

Malwarebytes: found nothing
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/7/18
Scan Time: 1:36 PM
Log File: 8beba208-224f-11e8-a1a0-985fd35b7ff0.json
Administrator: Yes

-Software Information-
Version: 3.4.4.2398
Components Version: 1.0.322
Update Package Version: 1.0.4250
License: Trial

-System Information-
OS: Windows 10 (Build 16299.248)
CPU: x64
File System: NTFS
User: DESKTOP-1TLO84I\*snip*

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 347412
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 1 min, 45 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)

MBAR: found nothing and generated no logs.

AdwCleaner: found nothing


# AdwCleaner 7.0.8.0 - Logfile created on Wed Mar 07 22:06:03 2018
# Updated on 2018/08/02 by Malwarebytes
# Database: 2018-03-07.2
# Running on Windows 10 Pro (X64)
# Mode: scan
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

No malicious registry entries found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries.

*************************



########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt ##########


ESET: Found 3

C:\Users\*snip*\AppData\Local\Mozilla\Firefox\Profiles\ll2kj0hh.default\cache2\entries\43415ACF7DF0004208F1D56406203F15B17FFAE9    Win32/Bundled.Toolbar.Google.D potentially unsafe application    cleaned by deleting
C:\Users\*snip*\Downloads\ccsetup540(1).exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    cleaned by deleting
C:\Users\*snip*\Downloads\ccsetup540.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    cleaned by deleting
 


Edited by jcart1283, 07 March 2018 - 06:47 PM.


#4 buddy215

buddy215

  • Moderator
  • 13,317 posts
  • ONLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:01:04 PM

Posted 07 March 2018 - 07:34 PM

Post the three lists mentioned below using CCleaner.

Open CCleaner and click on Tools. Choose Startups. On that page you will see a list of Windows Startups and at the top tabs for each browser and Scheduled Tasks.

At the bottom right of that page you will see a button when clicked will allow you to Copy and Paste the list of Windows Startups and Scheduled Tasks into your next post. Please do that.

 

Open CCleaner and click on Tools. Choose Uninstall. On that page you will see a list of programs installed on your computer and at the bottom right of that page you will see a button when clicked will allow you to Copy and Paste that list in your next post. Please do that.



#5 jcart1283

jcart1283
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:11:04 AM

Posted 07 March 2018 - 08:24 PM

Startup:

No    HKCU:Run    CCleaner Monitoring    Piriform Ltd    "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
Yes    HKCU:Run    OneDrive    Microsoft Corporation    "C:\Users\*snip*\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
No    HKCU:Run    Skype    Skype Technologies S.A.    "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
Yes    HKCU:Run    Speech Recognition    Microsoft Corporation    "C:\windows\Speech\Common\sapisvr.exe" -SpeechUX -Startup
No    HKCU:Run    Steam    Valve Corporation    "C:\Program Files (x86)\Steam\steam.exe" -silent
Yes    HKCU:RunOnce    Uninstall 18.025.0204.0007        C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\*snip*\AppData\Local\Microsoft\OneDrive\18.025.0204.0007"
Yes    HKCU:RunOnce    Uninstall 18.025.0204.0007\amd64        C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\*snip*\AppData\Local\Microsoft\OneDrive\18.025.0204.0007\amd64"
Yes    HKLM:Run    SecurityHealth    Microsoft Corporation    %ProgramFiles%\Windows Defender\MSASCuiL.exe
Yes    HKLM:Run    SunJavaUpdateSched    Oracle Corporation    "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

Scheduled tasks:

Yes    Task    GoogleUpdateTaskMachineCore    Google Inc.    C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c
Yes    Task    GoogleUpdateTaskMachineUA    Google Inc.    C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler
Yes    Task    OneDrive Standalone Update Task-S-1-5-21-3501860178-630503674-4163059733-1001    Microsoft Corporation    %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
Yes    Task    Run Metadefender on log on    OPSWAT    "C:\Users\*snip*\AppData\Roaming\Metadefender-Local\MetadefenderApp.exe"


Installed:

3D Builder    Microsoft Corporation    12/15/2017        15.1.3342.0
Alarms & Clock    Microsoft Corporation    2/27/2018        10.1802.451.0
AmScope AmScope 3.7    AmScope    10/29/2017    100 MB    3.7
Anki        10/29/2017        
App connector    Microsoft Corporation    4/1/2017        1.3.3.0
App Installer    Microsoft Corporation    12/15/2017        1.0.12894.0
Arduino    Arduino LLC    10/29/2017    395 MB    1.6.9
Audacity 2.2.1    Audacity Team    1/23/2018    56.9 MB    2.2.1
Blender    Blender Foundation    1/23/2018    313 MB    2.79.0
Calculator    Microsoft Corporation    2/22/2018        10.1802.311.0
Camera    Microsoft Corporation    1/16/2018        2017.1117.10.0
Car Mechanic Simulator 2015    Red Dot Games    10/29/2017    2.18 GB    
CCleaner    Piriform    3/7/2018        5.40
Cisco WebEx Meetings    Cisco WebEx LLC    10/29/2017        
Drawboard PDF    Drawboard    3/7/2018        5.2.60.0
Feedback Hub    Microsoft Corporation    1/16/2018        1.1711.3412.0
Flipboard    Flipboard    7/16/2017        2.1.3.0
Fresh Paint    Microsoft Corporation    7/17/2017        3.1.10383.0
Get Help    Microsoft Corporation    1/16/2018        10.1706.3471.0
GIMP 2.8.22    The GIMP Team    12/14/2017    291 MB    2.8.22
Google Chrome    Google Inc.    3/6/2018        65.0.3325.146
Groove Music    Microsoft Corporation    2/9/2018        10.18011.13411.0
Gtk# for .Net 2.12.26    Xamarin, Inc.    4/1/2017    24.4 MB    2.12.26
HEVC Video Extension    Microsoft Corporation    1/16/2018        1.0.10084.0
Influent    Rob Howland    10/29/2017    595 MB    
Intel® Processor Graphics    Intel Corporation    10/29/2017        20.19.15.4409
Java 8 Update 161    Oracle Corporation    1/30/2018    100 MB    8.0.1610.12
Learn Japanese To Survive - Hiragana Battle    Sleepy Duck    10/29/2017    743 MB    
Mail and Calendar    Microsoft Corporation    3/3/2018        17.9029.21675.0
Malwarebytes version 3.4.4.2398    Malwarebytes    3/6/2018    177 MB    3.4.4.2398
Maps    Microsoft Corporation    3/3/2018        5.1711.10477.0
Messaging    Microsoft Corporation    2/2/2018        3.37.23004.0
Microsoft IT Showcase    Microsoft Corporation    6/7/2017        2.5.0.0
Microsoft OneDrive    Microsoft Corporation    3/6/2018    102 MB    18.025.0204.0009
Microsoft Pay    Microsoft Corporation    2/22/2018        2.2.18047.0
Microsoft Sticky Notes    Microsoft Corporation    12/15/2017        2.0.5.0
Microsoft Store    Microsoft Corporation    2/7/2018        11801.1001.6.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161    Microsoft Corporation    12/25/2016    3.23 MB    9.0.30729.6161
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219    Microsoft Corporation    3/28/2017    18.4 MB    10.0.40219
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219    Microsoft Corporation    3/28/2017    17.4 MB    10.0.40219
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030    Microsoft Corporation    10/29/2017    20.5 MB    11.0.61030.0
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030    Microsoft Corporation    10/29/2017    17.3 MB    11.0.61030.0
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501    Microsoft Corporation    10/29/2017    20.5 MB    12.0.30501.0
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501    Microsoft Corporation    10/29/2017    17.1 MB    12.0.30501.0
Microsoft Visual C++ 2017 Redistributable (x64) - 14.10.25008    Microsoft Corporation    1/23/2018    23.4 MB    14.10.25008.0
Microsoft Visual C++ 2017 Redistributable (x86) - 14.10.25008    Microsoft Corporation    1/23/2018    19.5 MB    14.10.25008.0
Microsoft Visual Studio 2017    Microsoft Corporation    10/29/2017    148 MB    1.5.30308.1
Microsoft Wi-Fi    Microsoft Corporation    4/1/2017        1.1604.4.0
Mixed Reality Viewer    Microsoft Corporation    3/7/2018        3.1802.26012.0
Mobile Plans    Microsoft Corporation    12/15/2017        3.1710.3044.0
Movies & TV    Microsoft Corporation    2/22/2018        10.17122.16211.0
Mozilla Firefox 58.0.2 (x64 en-US)    Mozilla    2/9/2018    144 MB    58.0.2
Mozilla Maintenance Service    Mozilla    1/31/2018    278 KB    58.0.1
Nex Machina    Housemarque    1/22/2018        
Nmap 7.40        10/29/2017        7.40
Npcap 0.78 r5    Nmap Project    10/29/2017        0.78 r5
OneNote    Microsoft Corporation    2/23/2018        17.9029.20991.0
Paint 3D    Microsoft Corporation    3/3/2018        4.1802.21027.0
People    Microsoft Corporation    12/23/2017        10.3.3472.0
Phone    Microsoft Corporation    12/15/2017        3.34.12002.0
Photos    Microsoft Corporation    3/3/2018        2018.18021.12420.0
Portal    Valve    10/29/2017    3.83 GB    
Print 3D    Microsoft Corporation    1/16/2018        2.0.3621.0
Programming Tutorials    Benny Neugebauer    4/1/2017        1.1.0.42
Pythagoria    Vladimir Maslov    10/29/2017    78.4 MB    
Rocksmith® 2014 Edition - Remastered    Ubisoft - San Francisco    10/29/2017    6.59 GB    
SHENZHEN I/O    Zachtronics    10/29/2017    357 MB    
Skype    Skype    3/3/2018        12.1807.264.0
Skype Meetings App    Microsoft Corporation    9/7/2017    30.6 MB    16.2.0.194
Skype™ 7.36    Skype Technologies S.A.    6/7/2017    171 MB    7.36.101
Sokobond    Alan Hazelden    10/29/2017    65.6 MB    
Songs2See Game    Songquito UG    10/29/2017    433 MB    
Steam    Valve Corporation    10/29/2017        2.10.91.91
Store Experience Host    Microsoft Corporation    2/2/2018        11801.1801.19001.0
Surface    Microsoft Corporation    1/16/2018        27.603.136.0
Sway    Microsoft Corporation    12/15/2017        18.1711.50601.0
TeamSpeak 3 Client    TeamSpeak Systems GmbH    10/29/2017    64.2 MB    3.0.19
Tips    Microsoft Corporation    1/18/2018        6.7.3462.0
Unity    Unity Technologies ApS    1/23/2018        2017.3.0f3
VLC media player    VideoLAN    10/29/2017    120 MB    2.2.4
Voice Recorder    Microsoft Corporation    2/27/2018        10.1802.452.0
Windows 10 Upgrade Assistant    Microsoft Corporation    10/29/2017    5.00 MB    1.4.9200.22175
XCOM 2    Firaxis    10/29/2017    36.4 GB  



#6 buddy215

buddy215

  • Moderator
  • 13,317 posts
  • ONLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:01:04 PM

Posted 07 March 2018 - 08:57 PM

Suggest Disabling these Startups: Use CCleaner by clicking on each item and choosing Disable on the right.

Yes    HKCU:Run    OneDrive    Microsoft Corporation    "C:\Users\*snip*\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background

Yes    HKCU:RunOnce    Uninstall 18.025.0204.0007        C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\*snip*\AppData\Local\Microsoft\OneDrive\18.025.0204.0007"
Yes    HKCU:RunOnce    Uninstall 18.025.0204.0007\amd64        C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\*snip*\AppData\Local\Microsoft\OneDrive\18.025.0204.0007\amd64"

Yes    HKLM:Run    SunJavaUpdateSched    Oracle Corporation    "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

 

Disable these Tasks: Use CCleaner by clicking on each item and choosing Disable on the right.

Yes    Task    GoogleUpdateTaskMachineUA    Google Inc.    C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler
Yes    Task    OneDrive Standalone Update Task-S-1-5-21-3501860178-630503674-4163059733-1001    Microsoft Corporation    %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
Yes    Task    Run Metadefender on log on    OPSWAT    "C:\Users\*snip*\AppData\Roaming\Metadefender-Local\MetadefenderApp.exe"
 

You recently installed Java 8......unless you have a specific reason for having it installed I suggest you uninstall as most users don't need it.

 

Please let me know after completing the above and rebooting if the same problem still exists.


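The startup and scheduled-task lists in this thread come from CCleaner's Startups tab. As an added example that is not part of the thread or of any tool named in it, the PowerShell below reads the same Run/RunOnce registry keys and the non-Microsoft scheduled tasks directly and flags two patterns a defender checks first: commands that launch a console interpreter such as cmd.exe (the shape of the two RunOnce entries listed above) and binaries under user-writable profile directories such as AppData (where the Metadefender task and the OneDrive entries above live). The flag names, the key list and the column layout are this example's own choices; it only lists and changes nothing.

```powershell
# Added example, not from the thread: inventory autostart locations and
# flag the entries worth a second look. Read-only; nothing is disabled.

# Run/RunOnce keys, labelled the way CCleaner's Startups tab shows them.
# (The Wow6432Node key holds 32-bit Run entries on 64-bit Windows.)
$runKeys = [ordered]@{
    'HKCU:Run'       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:RunOnce'   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:Run'       = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:RunOnce'   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:Run(x86)'  = 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
}

# Heuristics chosen for this example: a console/script interpreter in the
# command line, or a binary living under a user-writable profile directory.
$interpreterPattern = '(?i)\\(cmd|powershell|pwsh|wscript|cscript|mshta)\.exe'
$userPathPattern    = '(?i)\\(AppData|Temp|Downloads|Users\\Public)\\'

function Get-Flags([string]$CommandLine) {
    $flags = @()
    if ($CommandLine -match $interpreterPattern) { $flags += 'interpreter' }
    if ($CommandLine -match $userPathPattern)    { $flags += 'user-writable-path' }
    if ($flags.Count -eq 0) { '-' } else { $flags -join ',' }
}

# Registry autostarts: one row per value, with its expanded command line.
$results = @(foreach ($label in $runKeys.Keys) {
    $path = $runKeys[$label]
    if (-not (Test-Path $path)) { continue }
    $item = Get-Item $path
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)
        [pscustomobject]@{
            Source  = $label
            Name    = $name
            Command = $cmd
            Flags   = Get-Flags $cmd
        }
    }
})

# Scheduled tasks outside the \Microsoft\Windows\ tree, which is where
# third-party installers (Google Update, OneDrive, Metadefender above) register.
$results += @(Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\Windows\*' } |
    ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # skip COM-handler actions
            $cmd = ('{0} {1}' -f $action.Execute, $action.Arguments).Trim()
            [pscustomobject]@{
                Source  = 'Task (' + $task.State + ')'
                Name    = $task.TaskName
                Command = $cmd
                Flags   = Get-Flags $cmd
            }
        }
    })

# Flagged rows first, so the entries to review sit at the top of the output.
$results | Sort-Object { $_.Flags -eq '-' }, Source | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell so the HKLM keys and every task are readable. Applied to the lists posted above, the two RunOnce `cmd.exe /q /c rmdir` entries come out flagged `interpreter,user-writable-path` and the Metadefender and OneDrive entries `user-writable-path`; signed vendor binaries under Program Files show `-`. A flag is a reason to look, not a verdict: RunOnce cleanup commands written by an installer are a legitimate use of the key, which is why the script reports rather than removes.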

#7 jcart1283

jcart1283
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:11:04 AM

Posted 11 March 2018 - 12:40 AM

This seems to have fixed the unexplained console windows that were popping up. And it looks like it might be a false positive for the Metadefender client. Thank you.



#8 buddy215

buddy215

  • Moderator
  • 13,317 posts
  • ONLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:01:04 PM

Posted 11 March 2018 - 06:17 AM

You're welcome...happy surfin'

