
A possible bitcoin mining trojan and I can't seem to remove it.


So my Core i5 is OCed to 4 GHz; as you can see, the maximum speed seems to be at 1.99 GHz and usually stays at 1.97 GHz (this has only been happening recently). I ran Malwarebytes, Avira, RogueKiller and HitmanPro. They found a bitcoin miner and a few other PUPs; however, even after deleting them nothing has changed. Any advice? Or is the only hope to fully reinstall Windows?


8 minutes ago, TheCyborgSlayer said:

So my Core i5 is OCed to 4 GHz; as you can see, the maximum speed seems to be at 1.99 GHz and usually stays at 1.97 GHz (this has only been happening recently). I ran Malwarebytes, Avira, RogueKiller and HitmanPro. They found a bitcoin miner and a few other PUPs; however, even after deleting them nothing has changed. Any advice? Or is the only hope to fully reinstall Windows?

A lot of new malware doesn't show up as an installed program.

A lot of it seems to hide an .exe and then set itself a Task to execute. Go into Task Scheduler and see if any tasks are there that you don't know about. If one is unfamiliar, you can always disable it before you delete it. Grab the file path of the destination file and delete it manually.

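As an added example (not code from the thread or from any of the posters): a PowerShell script that does the Task Scheduler triage described above in bulk, listing every non-Microsoft task with the executable its action runs, whether that file exists, whether it is Authenticode-signed, and whether it lives in a user-writable location. The "Chrome updater" task name in the trailing comments comes from later in the thread; its task path is an assumption.

```powershell
# Added example, not from the thread: bulk triage of scheduled tasks.
# Run in an elevated PowerShell on Windows 8/10 (Get-ScheduledTask needs the ScheduledTasks module).

# Task actions store cmd.exe-style variables such as %ProgramFiles%; expand them and strip quotes.
function Resolve-TaskPath([string]$Path) {
    if (-not $Path) { return $null }
    return [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
}

# Locations a legitimate updater rarely runs from but droppers commonly use.
$suspiciousDirs = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:PUBLIC)

$report = foreach ($task in Get-ScheduledTask) {
    # Skip the built-in Microsoft task tree; third-party and dropped tasks live outside it.
    if ($task.TaskPath -like '\Microsoft\*') { continue }
    foreach ($action in $task.Actions) {
        $exe = Resolve-TaskPath $action.Execute
        if (-not $exe) { continue }                      # COM-handler actions have no Execute
        $exists = Test-Path -LiteralPath $exe
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'MISSING' }
        $inSuspiciousDir = $false
        foreach ($d in $suspiciousDirs) {
            if ($d -and $exe.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) { $inSuspiciousDir = $true }
        }
        [pscustomobject]@{
            Task      = $task.TaskPath + $task.TaskName
            State     = $task.State
            Author    = if ($task.Author) { $task.Author } else { '<blank>' }  # a blank author was the tell in the thread
            RunAs     = $task.Principal.UserId
            Execute   = $exe
            Arguments = $action.Arguments
            Signature = $sig
            # Flag anything unsigned, missing, authorless, or running from a scratch directory.
            Suspect   = ($inSuspiciousDir -or -not $exists -or $sig -ne 'Valid' -or -not $task.Author)
        }
    }
}

$report | Sort-Object Suspect -Descending | Format-Table -AutoSize -Wrap

# Once a task is confirmed bogus, disable it first, then remove it.
# The task path '\' is an assumption; use the Task column from the report.
# Disable-ScheduledTask    -TaskPath '\' -TaskName 'Chrome updater'
# Unregister-ScheduledTask -TaskPath '\' -TaskName 'Chrome updater' -Confirm:$false
```

A task whose action points into the real Chrome folder but is unsigned or has no author is worth checking against the Chrome updater task Google itself installs under the GoogleUpdate name.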

Try this...

  1. disable your internet adapter
  2. shut down all programs
  3. shut down the PC
  4. take out the RAM, wait about a minute
  5. put the RAM back in
  6. boot the system, load Task Manager and look for any apps running that use excessive CPU resources; right-click one and hit "Open file location". If that is the trojan, delete the folder or uninstall any program associated with it and see if that helps.

A water-cooled mid-tier gaming PC.


Just now, Ryujin2003 said:

A lot of new malware doesn't show up as an installed program.

A lot of it seems to hide an .exe and then set itself a Task to execute. Go into Task Scheduler and see if any tasks are there that you don't know about. If one is unfamiliar, you can always disable it before you delete it. Grab the file path of the destination file and delete it manually.

I've done so; the only strange thing I could find was a "Chrome updater" task, which only presented itself under that name but whose author was unknown. It had a strange string, with "coinmachine" in the oddly space-less title, but it still linked to the actual Chrome folder. Regardless, the scheduled task has been removed.


1 minute ago, Leonard said:

Try this...

  1. disable your internet adapter
  2. shut down all programs
  3. shut down the PC
  4. take out the RAM, wait about a minute
  5. put the RAM back in
  6. boot the system, load Task Manager and look for any apps running that use excessive CPU resources; right-click one and hit "Open file location". If that is the trojan, delete the folder or uninstall any program associated with it and see if that helps.

I'll wait till the 2nd set of scans finishes and will try that, thank you.

I remember that in the past both Avast and Bitdefender used to have specific .exe files to remove bitcoin-mining trojans; sadly I can no longer find them. They used to shut down your PC and boot into a terminal for scans.


3 minutes ago, TheCyborgSlayer said:

I've done so; the only strange thing I could find was a "Chrome updater" task, which only presented itself under that name but whose author was unknown. It had a strange string, with "coinmachine" in the oddly space-less title, but it still linked to the actual Chrome folder. Regardless, the scheduled task has been removed.

Maybe it's a bad Chrome extension? You can always force Chrome to reset to factory settings.

 


2 minutes ago, Ryujin2003 said:

Maybe it's a bad Chrome extension? You can always force Chrome to reset to factory settings.

Have done so. What would you guys recommend for antivirus software, Kaspersky or Bitdefender?


1 minute ago, TheCyborgSlayer said:

I'll wait till the 2nd set of scans finishes and will try that, thank you.

I remember that in the past both Avast and Bitdefender used to have specific .exe files to remove bitcoin-mining trojans; sadly I can no longer find them. They used to shut down your PC and boot into a terminal for scans.

That's because they have changed the nature of malware in P2P/SSL/HTTP for it to be "light" and no longer need a .exe; .bat/.dll are now widely used. Malware companies have to catch up now, which brings me to one of the reasons why a robust network firewall with active stateful inspection is needed for all who use a PC.

A water-cooled mid-tier gaming PC.


Try Malwarebytes, and also check your CPU temperatures; you may have thermal throttling. If all else fails, back up important files and reinstall Windows.

I edit my posts a lot.


1 minute ago, Leonard said:

That's because they have changed the nature of malware in P2P/SSL/HTTP for it to be "light" and no longer need a .exe; .bat/.dll are now widely used. Malware companies have to catch up now, which brings me to one of the reasons why a robust network firewall with active stateful inspection is needed for all who use a PC.

Ah, fair enough, that makes sense now. I guess I was too careless and thought Malwarebytes/Avira would keep it all away.


1 minute ago, MrDrWho13 said:

Try Malwarebytes, and also check your CPU temperatures; you may have thermal throttling. If all else fails, back up important files and reinstall Windows.

After detecting the first mining trojan there are no more threats shown by Malwarebytes; the CPU temp fluctuates between 38 °C and 40 °C in a 13/16 °C ambient room.

Though oddly enough, Speccy does show the core speed fluctuating between 3998.5 and 4002 MHz; however, Task Manager is still showing only 1.99 GHz as the maximum speed.


4 minutes ago, TheCyborgSlayer said:

Ah, fair enough, that makes sense now. I guess I was too careless and thought Malwarebytes/Avira would keep it all away.

The real frightening thing is that they can install these types of malware in, say, the GPU and system RAM, as well as in firmware chips like the BIOS or any other chip that has updateable firmware. Now when that happens (the firmware malware, I mean) you are somewhat fucked, because it is almost impossible to remove them.

 

Best of luck.

A water-cooled mid-tier gaming PC.


1 minute ago, TheCyborgSlayer said:

After detecting the first mining trojan there are no more threats shown by Malwarebytes; the CPU temp fluctuates between 38 °C and 40 °C in a 13/16 °C ambient room.

Though oddly enough, Speccy does show the core speed fluctuating between 3998.5 and 4002 MHz; however, Task Manager is still showing only 1.99 GHz as the maximum speed.

Sounds really weird. Personally I would do the old "boot and nuke" method - reinstalling Windows to ensure you no longer have problems.

I edit my posts a lot.


1 minute ago, Leonard said:

The real frightening thing is that they can install these types of malware in, say, the GPU and system RAM, as well as in firmware chips like the BIOS or any other chip that has updateable firmware. Now when that happens (the firmware malware, I mean) you are somewhat fucked, because it is almost impossible to remove them.

Best of luck.

Thank you. I remember them being around ages ago, but not as popular though. Hopefully it's nothing like that; possibly the bitcoin trojan has been removed but it might have fucked up the core speed readings for Task Manager, so reinstalling Windows seems like it might be a requirement at this stage.

1 minute ago, MrDrWho13 said:

Sounds really weird. Personally I would do the old "boot and nuke" method - reinstalling Windows to ensure you no longer have problems.

Agreed

8 minutes ago, Ryujin2003 said:

I use Kaspersky and Malwarebytes.

Kaspersky is the only one I have never tried in my whole computer-having life; I'll try it now, thanks for the suggestion.

Overall, guys, you have been amazing and very patient, thank you for your help!

 


Just now, TheCyborgSlayer said:

Thank you. I remember them being around ages ago, but not as popular though. Hopefully it's nothing like that; possibly the bitcoin trojan has been removed but it might have fucked up the core speed readings for Task Manager, so reinstalling Windows seems like it might be a requirement at this stage.

Agreed

Kaspersky is the only one I have never tried in my whole computer-having life; I'll try it now, thanks for the suggestion.

Overall, guys, you have been amazing and very patient, thank you for your help!

I think they have a free version now. You can check that out. I've been a paid subscriber for a while.


Just now, TheCyborgSlayer said:

Thank you. I remember them being around ages ago, but not as popular though. Hopefully it's nothing like that; possibly the bitcoin trojan has been removed but it might have fucked up the core speed readings for Task Manager, so reinstalling Windows seems like it might be a requirement at this stage.

Agreed

You're welcome.

You can open Run and then type msconfig, then click on Advanced options and configure your CPU cores there: just enter the number of cores your CPU has and the cores will run at what you set them to in the BIOS. Now you will have to do this with all programs closed, and you will be prompted to restart the PC.

 

A water-cooled mid-tier gaming PC.


8 minutes ago, Leonard said:

You're welcome.

You can open Run and then type msconfig, then click on Advanced options and configure your CPU cores there: just enter the number of cores your CPU has and the cores will run at what you set them to in the BIOS. Now you will have to do this with all programs closed, and you will be prompted to restart the PC.

Thank you, have done so! It boots up much faster, and from what I understand the only issue that stayed is the maximum speed being locked at 1.97 and 1.99 in Task Manager.


1 minute ago, TheCyborgSlayer said:

Thank you, have done so! It boots up much faster, and from what I understand the only issue that stayed is the maximum speed being locked at 1.97 and 1.99 in Task Manager.

So the CPU is still at 1.99 GHz? Did you take out the RAM? Go into the BIOS and ensure the CPU speed is 4 GHz, save changes and reboot.

A water-cooled mid-tier gaming PC.


7 minutes ago, Leonard said:

So the CPU is still at 1.99 GHz? Did you take out the RAM? Go into the BIOS and ensure the CPU speed is 4 GHz, save changes and reboot.

Yup, and I've followed your steps twice now, just in case I missed something last time, and nothing ran the CPU excessively.

I'm not sure if miners are complex enough to lock half of your CPU speed away and prioritise it for themselves, leaving you only with the remainder, with that remainder being what Task Manager shows and tracks...

But that's crazy talk


13 minutes ago, Leonard said:

So the CPU is still at 1.99 GHz? Did you take out the RAM? Go into the BIOS and ensure the CPU speed is 4 GHz, save changes and reboot.

OK, PROGRESS

CPU-Z is ALSO showing just 1992.03

But not before showing this error message:

[bInitDriver] path = C:\WINDOWS\temp
[bInitDriver] GetCurrentDirectory = C:\Program Files\CPUID\CPU-Z
[bInitDriver] GetModuleFileName = C:\Program Files\CPUID\CPU-Z\cpuz.exe
[vGetOSVersion] m_iOSVersion = 2 (10.0)
[vGetOSVersion] m_bIsAMD64 = 0
[bInitDriver] Extract dir = C:\WINDOWS\temp\cpuz143\
[bInitDriver] m_szPath_2=C:\WINDOWS\temp\cpuz143\, m_szFilename=cpuz143_x64.sys
[WinNT_hCreateServiceHandle] CreateFile cpuz143 returned 2 (0x2)
[WinNT_bInstallDriver] szMachineName = DESKTOP-SFBEPH6
[bDeleteFile] DeleteFile C:\WINDOWS\temp\cpuz143\cpuz143_x64.sys failed (error = 3)
[bDeleteFile] RemoveDirectory C:\WINDOWS\temp\cpuz143\ failed (error = 2)
[dwExtract_SYS] Extract C:\WINDOWS\temp\cpuz143\cpuz143_x64.sys
[WinNT_bCreateService] szDestName = C:\WINDOWS\temp\cpuz143\cpuz143_x64.sys
[WinNT_bCreateService] CreateService failed, error code = 1072
[bInitDriver] bInitDriver returned 1072
[WinNT_dwStopService] ControlService[SERVICE_CONTROL_INTERROGATE] failed, errorcode = 1062
[WinNT_dwDeleteService] Openservice failed, errorcode = 1060
[bDeleteFile] DeleteFile C:\WINDOWS\temp\cpuz143\cpuz143_x64.sys succeeded
[bDeleteFile] RemoveDirectory C:\WINDOWS\temp\cpuz143\ succeeded
[vCloseDriver] CloseHandle(mutex) = 1

 


 

This is becoming like a game now


1 minute ago, TheCyborgSlayer said:

Yup, and I've followed your steps twice now, just in case I missed something last time, and nothing ran the CPU excessively.

I'm not sure if miners are complex enough to lock half of your CPU speed away and prioritise it for themselves, leaving you only with the remainder, with that remainder being what Task Manager shows and tracks...

But that's crazy talk

I don't think so either, but I do know some hacks do that. You may really need to do a fresh install to see if that will fix the issue.

Just thought of this: did you check the power plan settings and make sure that the Maximum Processor State is at 100% under Processor Power Management? If not, do a quick check.

 

A water-cooled mid-tier gaming PC.


3 minutes ago, Leonard said:

I don't think so either, but I do know some hacks do that. You may really need to do a fresh install to see if that will fix the issue.

Just thought of this: did you check the power plan settings and make sure that the Maximum Processor State is at 100% under Processor Power Management? If not, do a quick check.

So far it seems that only Speccy shows the full details of the processor; as shown in the post previously, not even CPU-Z is handling it... Also just noticed max freq is set to 0... whut

Edit: Changed it to 4000, did nothing..


1 minute ago, TheCyborgSlayer said:

So far it seems that only Speccy shows the full details of the processor; as shown in the post previously, not even CPU-Z is handling it... Also just noticed max freq is set to 0... whut

The MAX processor frequency at 0% is normal, so that the CPU can toggle the frequency up and down as needed. You only checked the High performance plan, and yes, I see it is active, but check the others if you have them, like Balanced and any others; if they all have a Maximum Processor State of 100% then a clean install is probably needed.

A water-cooled mid-tier gaming PC.

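As an added example (not code from the thread or from any of the posters): a PowerShell script that reads the Maximum Processor State of every power plan at once, which is the check suggested in the last two posts, instead of clicking through each plan in the Control Panel. It assumes the standard powercfg aliases SUB_PROCESSOR and PROCTHROTTLEMAX (listed by `powercfg /aliases` on Windows 7 and later).

```powershell
# Added example, not from the thread: report Maximum Processor State for every power plan.

function Get-PlanList {
    # powercfg /list prints lines like:
    #   Power Scheme GUID: 381b4222-f694-41f0-9685-ff5bb260df2e  (Balanced) *
    # The trailing "*" marks the active plan.
    foreach ($line in (powercfg /list)) {
        if ($line -match 'GUID:\s*([0-9a-f-]{36})\s+\((.+?)\)\s*(\*)?') {
            [pscustomobject]@{ Guid = $Matches[1]; Name = $Matches[2]; Active = [bool]$Matches[3] }
        }
    }
}

function Get-SettingIndex([string[]]$QueryOutput, [string]$Source) {
    # powercfg reports the value in hex, e.g. "Current AC Power Setting Index: 0x00000064" (= 100 %).
    $m = $QueryOutput | Select-String "Current $Source Power Setting Index:\s*0x([0-9a-f]+)"
    if (-not $m) { return $null }                     # line absent (unexpected); report as unknown
    return [Convert]::ToInt32($m.Matches[0].Groups[1].Value, 16)
}

function Get-MaxProcessorState([string]$Guid) {
    $out = powercfg /query $Guid SUB_PROCESSOR PROCTHROTTLEMAX
    [pscustomobject]@{ AC = Get-SettingIndex $out 'AC'; DC = Get-SettingIndex $out 'DC' }
}

$results = foreach ($plan in Get-PlanList) {
    $state = Get-MaxProcessorState $plan.Guid
    [pscustomobject]@{
        Plan             = $plan.Name
        Active           = $plan.Active
        'Max state AC %' = $state.AC
        'Max state DC %' = $state.DC
        # A plan capped below 100 % would explain a CPU that never leaves a low clock.
        Capped           = (($state.AC -ne $null -and $state.AC -lt 100) -or ($state.DC -ne $null -and $state.DC -lt 100))
    }
}
$results | Format-Table -AutoSize

# To lift the cap on a plan (take the GUID from "powercfg /list"), then make it active:
# powercfg /setacvalueindex <GUID> SUB_PROCESSOR PROCTHROTTLEMAX 100
# powercfg /setdcvalueindex <GUID> SUB_PROCESSOR PROCTHROTTLEMAX 100
# powercfg /setactive <GUID>
```

If every plan already reports 100 % and the clock is still held down, the cap is coming from the firmware or from a driver, not from the power plan, which is why the thread ends up at a clean install.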
