matand317

Think I have a virus that won't go away plz help


I noticed I am getting the same pop-up from my antivirus (nod32 12.0) every 30 seconds or so...

I am afraid for my new computer can you please help me get rid of the virus?

When I try to run a scan, the scan does nothing to help and the pop-up keeps showing...

Screenshot_4.jpg


To start off, please provide logs gathered by ESET Log Collector.


What file is Eset detecting the coin miner in? Click on the "file" word shown in blue in the Eset alert to determine this.


File location is:

C:\Users\user\AppData\Roaming\wow64_microsoft-windows-wow64-legacy_31bf3856ad364e35_10.0.16299.15_none_18ff2b39790378ca

2 hours ago, Marcos said:

To start off, please provide logs gathered by ESET Log Collector.

logs.rar


Sorry for my misinterpretation of "logs".

I exported the logs using the guide and added them below.

eav_logs.zip

Posted (edited)
5 hours ago, matand317 said:

file location is:

C:\Users\user\AppData\Roaming\wow64_microsoft-windows-wow64-legacy_31bf3856ad364e35_10.0.16299.15_none_18ff2b39790378ca

I suspect the other file shown in your alert, which begins in Russian(?) and ends in Microsoft Passport, is also bogus and part of the coin miner attack. If the file physically exists on your hard drive, you can submit it to Virus Total and see what the scanners there detect.

For the time being, until @Marcos gets back to you, you can create a HIPS rule to block startup of anything in "C:\Users\user\AppData\Roaming\*.*". When you create the rule, eliminate the previously shown quote marks. Make sure you set the logging level to warning, so a log entry is created. If the HIPS log entries created become excessive, you can subsequently set the logging level to none. Make sure to post a screenshot of at least one HIPS log page of entries created by the rule. You can then clear the HIPS log if you wish.

As far as I am aware, there are no executables in C:\Users\user\AppData\Roaming\ sub-directories that run on a normal basis. If in fact you do use Microsoft Passport, make sure there is not a sub-directory created for it in C:\Users\user\AppData\Roaming\. If so, and it contains executable files, then don't create the above-mentioned HIPS rule.

Edited by itman

Posted (edited)

Also, per Virus Total: https://www.virustotal.com/en/file/1d6965edad78dbaa59f02a24b98e4bb6ad3fafbd8b51aaaeee43c1dd8f8c7315/analysis/1534723852/ , this appears to be the XRIG Monero coin miner based on the Eset malware detection. This coin miner is known to exploit vulnerable Win OS versions. Is your system fully up to date OS-update-wise?

Edited by itman

13 hours ago, itman said:

I suspect the other file shown in your alert, which begins in Russian(?) and ends in Microsoft Passport, is also bogus and part of the coin miner attack. If the file physically exists on your hard drive, you can submit it to Virus Total and see what the scanners there detect.

For the time being, until @Marcos gets back to you, you can create a HIPS rule to block startup of anything in "C:\Users\user\AppData\Roaming\*.*". When you create the rule, eliminate the previously shown quote marks. Make sure you set the logging level to warning, so a log entry is created. If the HIPS log entries created become excessive, you can subsequently set the logging level to none. Make sure to post a screenshot of at least one HIPS log page of entries created by the rule. You can then clear the HIPS log if you wish.

As far as I am aware, there are no executables in C:\Users\user\AppData\Roaming\ sub-directories that run on a normal basis. If in fact you do use Microsoft Passport, make sure there is not a sub-directory created for it in C:\Users\user\AppData\Roaming\. If so, and it contains executable files, then don't create the above-mentioned HIPS rule.

I tried creating that "HIPS" rule, but I am having trouble finding out how to make it...

Can you help me do that?

P.S. Thank you for your help so far.


Now a new threat is appearing, named logs.exe, in: "C:\ProgramData\SmartGuard\Logs"

saying that it's associated with https://www.virusradar.com/en/BAT_CoinMiner.AJN/description

and a new message from Windows Script Host keeps showing (messages in screenshots 8-9).

Please help me; my computer is hard to use with endless notifications and messages.

Screenshot_5.jpg

Screenshot_6.jpg

Screenshot_7.jpg

Screenshot_8.jpg

Screenshot_9.jpg

15 minutes ago, matand317 said:

Now a new threat is appearing, named logs.exe, in: "C:\ProgramData\SmartGuard\Logs"

saying that it's associated with https://www.virusradar.com/en/BAT_CoinMiner.AJN/description

and a new message from Windows Script Host keeps showing (messages in screenshots 8-9).

Please help me; my computer is hard to use with endless notifications and messages.

Screenshot_5.jpg

Screenshot_6.jpg

Screenshot_7.jpg

Screenshot_8.jpg

Screenshot_9.jpg

Now the same error leads to a different file location: "This PC"

Screenshot_10.jpg

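A read-only triage script to go with the HIPS advice above (block startup from AppData\Roaming) and the later logs.exe and Windows Script Host alerts; this is an added example, not part of the thread or an ESET tool. It assumes the stock $env:APPDATA and $env:ProgramData locations for the logged-in user and the SmartGuard folder name quoted by the poster; it hashes files so they can be checked on Virus Total and lists autostart entries that point into those folders, without deleting or blocking anything.

```powershell
# Folders named in the thread: the Roaming profile and the SmartGuard ProgramData folder
$roots = @(
    $env:APPDATA,                                # C:\Users\<user>\AppData\Roaming (assumed stock path)
    (Join-Path $env:ProgramData 'SmartGuard')    # folder from the logs.exe alert
)
# Script types cover the Windows Script Host messages the poster saw (.vbs/.js)
$exts = '*.exe','*.dll','*.bat','*.cmd','*.vbs','*.js','*.ps1'
$pathPattern = 'AppData\\Roaming|ProgramData'   # regex for autostart entries pointing into those folders

foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Write-Host "== Executable content under $root =="
    Get-ChildItem -Path $root -Recurse -File -Include $exts -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName
                Size   = $_.Length
                Signed = (Get-AuthenticodeSignature $_.FullName).Status   # Valid / NotSigned / HashMismatch ...
                SHA256 = (Get-FileHash $_.FullName -Algorithm SHA256).Hash # look this up on Virus Total
            }
        } | Format-Table -AutoSize
}

# Run keys whose command line launches from those folders (the persistence a HIPS startup rule would stop)
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
Write-Host "== Run keys referencing AppData\Roaming or ProgramData =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match $pathPattern } |
        ForEach-Object { "$key\$($_.Name) = $($_.Value)" }
}

# Scheduled tasks are the other common way a miner gets re-launched after a scan removes it
Write-Host "== Scheduled tasks launching from those folders =="
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $task.Actions |
        Where-Object { "$($_.Execute) $($_.Arguments)" -match $pathPattern } |
        ForEach-Object { "$($task.TaskPath)$($task.TaskName): $($_.Execute) $($_.Arguments)" }
}
```

Run it from an elevated PowerShell so the HKLM key and all task folders are readable; anything it lists that you do not recognise is what to send to support along with the ESET Log Collector output.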

It appears the attacker is infecting your PC at will with new coin miner variants.

Suggest you contact your in-country Eset support contact for malware removal assistance.


I'd suggest running a full disk scan with current modules, rebooting the machine afterwards and eventually running another scan to make sure no threat is found.
