Jump to content

Think I have a virus that won't go away plz help


Recommended Posts

I noticed I am getting the same pop-up from my antivirus (nod32 12.0) every 30 seconds or so...

I am afraid for my new computer can you please help me get rid of the virus?

when I try to activate a scan the scan just does nothing to help and the pop-up keeps showing...

Screenshot_4.jpg

Link to comment
Share on other sites

5 hours ago, matand317 said:

file location is:

C:\Users\user\AppData\Roaming\wow64_microsoft-windows-wow64-legacy_31bf3856ad364e35_10.0.16299.15_none_18ff2b39790378ca

Suspect the other file shown in your alert that begins in Russian? and ends in Microsoft Passport is also bogus and part of the coin miner attack. If the file physically exists on your hard drive, you can submit to Virus Total and see what the scanners their detect.

For the time being until @Marcos gets back to you, you can create a HIPS rule to block startup of anything in "C:\Users\user\AppData\Roaming\*.*". When you create the rule, eliminate the previously shown quote marks. Make you set the logging level to warning, so a log entry is created. If the HIPS log entries created become excessive, you can subsequently set logging level to none. Make sure to post a screen shot of at least one HIPS log page of entries created by the rule. You can then clear the HIPS log if you wish.

As far as I am aware of, there are no executables in C:\Users\user\AppData\Roaming\ sub-directories than run on a normal basis. If in fact you do use Microsoft Passport, make sure there is not a sub-directory created for it in  C:\Users\user\AppData\Roaming\. If so and it contains executable files, then don't create the above HIPS rule mentioned

Edited by itman
Link to comment
Share on other sites

Also per Virus Total: https://www.virustotal.com/en/file/1d6965edad78dbaa59f02a24b98e4bb6ad3fafbd8b51aaaeee43c1dd8f8c7315/analysis/1534723852/ , this appears to be XRIG Monero coin miner based on the Eset malware detection. This coin miner is known to exploit vulnerable Win OS versions. Is your system fully up to date OS update wise?

Edited by itman
Link to comment
Share on other sites

13 hours ago, itman said:

Suspect the other file shown in your alert that begins in Russian? and ends in Microsoft Passport is also bogus and part of the coin miner attack. If the file physically exists on your hard drive, you can submit to Virus Total and see what the scanners their detect.

For the time being until @Marcos gets back to you, you can create a HIPS rule to block startup of anything in "C:\Users\user\AppData\Roaming\*.*". When you create the rule, eliminate the previously shown quote marks. Make you set the logging level to warning, so a log entry is created. If the HIPS log entries created become excessive, you can subsequently set logging level to none. Make sure to post a screen shot of at least one HIPS log page of entries created by the rule. You can then clear the HIPS log if you wish.

As far as I am aware of, there are no executables in C:\Users\user\AppData\Roaming\ sub-directories than run on a normal basis. If in fact you do use Microsoft Passport, make sure there is not a sub-directory created for it in  C:\Users\user\AppData\Roaming\. If so and it contains executable files, then don't create the above HIPS rule mentioned

I tried creating that "HIPS" rule but I am having trouble finding how to make it...

can you help me do that? 

P.S thank you for your help so far.

Link to comment
Share on other sites

Now I a new threat is appearing named logs.exe in: "C:\ProgramData\SmartGuard\Logs"

saying that its associated with  https://www.virusradar.com/en/BAT_CoinMiner.AJN/description

and a new message from Windows Script host that keeps showing. (messages in screenshots 8-9)

please help me my computer is hard to use with endless notification and messages.

Screenshot_5.jpg

Screenshot_6.jpg

Screenshot_7.jpg

Screenshot_8.jpg

Screenshot_9.jpg

Link to comment
Share on other sites

15 minutes ago, matand317 said:

Now I a new threat is appearing named logs.exe in: "C:\ProgramData\SmartGuard\Logs"

saying that its associated with  https://www.virusradar.com/en/BAT_CoinMiner.AJN/description

and a new message from Windows Script host that keeps showing. (messages in screenshots 8-9)

please help me my computer is hard to use with endless notification and messages.

Screenshot_5.jpg

Screenshot_6.jpg

Screenshot_7.jpg

Screenshot_8.jpg

Screenshot_9.jpg

now same error leads to different file location : "This PC"

Screenshot_10.jpg

Link to comment
Share on other sites

Appears the attacker is infecting your PC at will with new coin miner variants.

Suggest you contact your in-country Eset support contact for malware removal assistance.

Link to comment
Share on other sites

  • Administrators

I'd suggest running a full disk scan with current modules, rebooting the machine afterwards and eventually running another scan to make sure no threat is found.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...