[SOLVED] malicious miner I can't get rid of

Status
Not open for further replies.

TroyTyranitar

Honorable
Feb 4, 2016
10
0
10,510
So I started to notice lag spikes; these spikes will last maybe 2-5 seconds, spaced out at intervals of a few minutes, probably between 3 - 15 mins (ballparking it). Doesn't matter if I am playing a game or just browsing Chrome, everything slows down extremely for a few seconds, returning to normal after. These lag spikes will occur a few hours into booting my PC (I run my PC basically 24/7) and if I restart my PC the issue will stop for a few hours but ALWAYS return. (I do this before I play an intensive game.) I am fairly tech savvy, I have built multiple custom PCs, and already suspected it to be a miner. I installed AVG free and did a deep scan, and I did find something in sys32 (screenshot included) and in another screen that I did not screenshot, it was labelled a miner. So I thought I fixed my problem. It DID seem to work for maybe a day. So I uninstalled AVG... but eventually the SAME lag spikes came back. So I reinstalled AVG free, another deep scan... Nothing... but I DEFINITELY still have the same lag spikes as before the first scan. The only other thing I could add is if I am in the Windows File Explorer it will scroll up to the top of whatever folder I am in every once in a while (probably the same lag spike but of course it is much less noticeable there). I know I can fresh install and fix the issue, I'd prefer not to.

Ryzen 2700x
ROG strix x470-f gaming
ROG strix 1080
860 evo 500gb
5tb HDD
16 gb ddr4 (patriot 3200 I think)
750w RGB thermaltake PSU

Win 10 64 bit


hopefully this screenshot posted correctly
 
Solution
First, make sure that AVG/AVAST has not installed any browser extension...
https://thehackernews.com/2019/12/avast-and-avg-browser-plugins.html

Second, download Malwarebytes and run(as Admin.) a deep scan.

Third, keep your TASK Manager open and see what processes are running during these spikes. Look out for any weird process behaviour like sudden jump in CPU Time. CPU Time can be activated from "View > Select Columns". Set it in descending order to see maximum process consumption. Also check for any process appearing suddenly during a spike, for seconds maybe.

Fourth, check your System Logs in Event Viewer to find any anomalies during the spikes.

Fifth, run this software as Admin., and see if you find anything interesting...
https://www.resplendence.com/whysoslow

Do all of the above and let us know and we can proceed from there. Please reply to each step individually in your response.
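The following PowerShell script is an added example for steps 3 and 4 above; it is not from this thread, and the interval, top-N count and two-minute event window are assumed defaults rather than anything the poster recommended. Task Manager only shows a momentary reading, so the script instead samples Get-Process every few seconds, reports which processes consumed the most CPU time inside each window, lists processes that appeared or exited between samples (a short-lived loader that launches a miner is gone before the Task Manager list refreshes), and offers a helper that pulls System and Application log entries around the time of a spike.

```powershell
# Added example (not from the thread): a sampler for steps 3 and 4 of the advice
# above. It polls Get-Process every few seconds, reports which processes consumed
# the most CPU time in that window, lists processes that appeared or vanished
# between samples (a short-lived loader is gone before Task Manager shows it),
# and can pull Event Viewer entries around a spike. Run from an elevated prompt
# so the image Path of SYSTEM-owned processes is visible. Interval and Top are
# assumed defaults; tune them to the length of the spikes you see.

param(
    [int]$IntervalSeconds = 5,
    [int]$Top = 5,
    [int]$Rounds = 0              # 0 = keep sampling until Ctrl+C
)

function Get-CpuSnapshot {
    # CPU is total processor seconds used by the process since it started.
    # [double]$null is 0, which covers processes whose counters are not readable.
    $snap = @{}
    foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
        $snap[$p.Id] = [pscustomobject]@{
            Id   = $p.Id
            Name = $p.ProcessName
            Path = $p.Path
            Cpu  = [double]$p.CPU
        }
    }
    return $snap
}

function Compare-CpuSnapshot ([hashtable]$Before, [hashtable]$After, [int]$Seconds, [int]$Count) {
    $cores = [Environment]::ProcessorCount
    $rows = foreach ($id in $After.Keys) {
        if (-not $Before.ContainsKey($id)) { continue }
        $delta = $After[$id].Cpu - $Before[$id].Cpu
        [pscustomobject]@{
            Id          = $id
            Name        = $After[$id].Name
            CpuSeconds  = [math]::Round($delta, 2)
            # share of the whole machine over the window (100 = every core busy)
            PctAllCores = [math]::Round(100 * $delta / ($Seconds * $cores), 1)
            Path        = $After[$id].Path
        }
    }
    $rows | Sort-Object CpuSeconds -Descending | Select-Object -First $Count
}

function Get-EventsAround ([datetime]$When, [int]$Minutes = 2) {
    # Step 4: System and Application log entries in a window around a spike.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'System', 'Application'
        StartTime = $When.AddMinutes(-$Minutes)
        EndTime   = $When.AddMinutes($Minutes)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName, Message
}

$prev  = Get-CpuSnapshot
$round = 0
while ($Rounds -eq 0 -or $round -lt $Rounds) {
    Start-Sleep -Seconds $IntervalSeconds
    $cur   = Get-CpuSnapshot
    $stamp = Get-Date -Format 'HH:mm:ss'
    Write-Host "`n=== $stamp  top $Top CPU consumers over the last $IntervalSeconds s ==="
    Compare-CpuSnapshot $prev $cur $IntervalSeconds $Top | Format-Table -AutoSize | Out-String | Write-Host

    # Anything that started or exited inside the window is worth a second look
    foreach ($id in $cur.Keys)  { if (-not $prev.ContainsKey($id)) { $p = $cur[$id];  Write-Host ("  NEW   {0,-6} {1}  {2}" -f $p.Id, $p.Name, $p.Path) -ForegroundColor Yellow } }
    foreach ($id in $prev.Keys) { if (-not $cur.ContainsKey($id))  { $p = $prev[$id]; Write-Host ("  GONE  {0,-6} {1}  {2}" -f $p.Id, $p.Name, $p.Path) -ForegroundColor DarkGray } }

    $prev = $cur
    $round++
}
# After a spike, for example:  Get-EventsAround (Get-Date) 2 | Format-Table -Wrap
```

Save it as a .ps1 and start it from an elevated PowerShell with `.\Watch-Spikes.ps1 -IntervalSeconds 3` (prefix with `powershell -ExecutionPolicy Bypass -File` if script execution is restricted), then leave it running in a window beside your game or browser. When a spike hits, the window that overlaps it shows the culprit at the top of the table with its image path, and a NEW/GONE pair inside one window is the signature of a task or service that launches a payload, runs it briefly and exits.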
 

TroyTyranitar

Honorable
Feb 4, 2016
10
0
10,510
Definitely not perfect, but I am at least smart enough to check any advanced options when I install anything, and I did not install any browser extensions. I checked anyway and did not find anything. I am sort of surprised; I haven't used AVG or really any other antivirus since 2012 and I remember it being reliable (at least with my circle of teen tech-savvy friends), but after installing Malwarebytes, running it as admin and running a full scan: 19 threats. Here are the results. I left the notifications off because I am fairly sure I did that myself, and uhm.. I ACCIDENTALLY left the last 2 for obvious reasons.. hopefully not judged harshly on those. I'll let you know if this works.

-Scan Summary-
Scan Type: Custom Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 623778
Threats Detected: 19
Threats Quarantined: 14
Time Elapsed: 2 hr, 3 min, 41 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Warn

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 9
Trojan.FakeMS, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Microsoft\Windows\Application Experience\StartupCheckLibrary, Delete-on-Reboot, 3109, 676733, , , ,
Trojan.FakeMS, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{8D0BAE8B-B751-4189-9B98-C9A5ECE7DBA6}, Delete-on-Reboot, 3109, 676733, , , ,
Trojan.FakeMS, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{8D0BAE8B-B751-4189-9B98-C9A5ECE7DBA6}, Delete-on-Reboot, 3109, 676733, , , ,
Trojan.FakeMS.TskLnk, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Application Experience\StartupCheckLibrary, Delete-on-Reboot, 4095, -1, 0.0.0, , action,
Trojan.FakeMS.TskLnk, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8D0BAE8B-B751-4189-9B98-C9A5ECE7DBA6}, Delete-on-Reboot, 4095, -1, 0.0.0, , action,
Trojan.FakeMS.TskLnk, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{8D0BAE8B-B751-4189-9B98-C9A5ECE7DBA6}, Delete-on-Reboot, 4095, -1, 0.0.0, , action,
Backdoor.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Microsoft\Windows\WDI\SrvHost, Delete-on-Reboot, 3583, 653658, , , ,
Backdoor.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{1399F039-D490-4C72-B45D-F29F1141E4DC}, Delete-on-Reboot, 3583, 653658, , , ,
Backdoor.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{1399F039-D490-4C72-B45D-F29F1141E4DC}, Delete-on-Reboot, 3583, 653658, , , ,

Registry Value: 0
(No malicious items detected)

Registry Data: 3
PUM.Optional.DisabledSecurityCenter, HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|ANTIVIRUSDISABLENOTIFY, No Action By User, 13371, 293294, 1.0.15708, , ame,
PUM.Optional.DisabledSecurityCenter, HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|FIREWALLDISABLENOTIFY, No Action By User, 13371, 293295, 1.0.15708, , ame,
PUM.Optional.DisabledSecurityCenter, HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|UPDATESDISABLENOTIFY, No Action By User, 13371, 293296, 1.0.15708, , ame,

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 7
Trojan.FakeMS, C:\WINDOWS\SYSTEM32\TASKS\Microsoft\Windows\Application Experience\StartupCheckLibrary, Delete-on-Reboot, 3109, 676733, 1.0.15708, , ame,
Trojan.FakeMS.TskLnk, C:\WINDOWS\SYSTEM32\STARTUPCHECKLIBRARY.DLL, Delete-on-Reboot, 4095, 676770, 1.0.15708, , ame,
Trojan.FakeMS.TskLnk, C:\WINDOWS\SYSTEM32\TASKS\Microsoft\Windows\Application Experience\StartupCheckLibrary, Delete-on-Reboot, 4095, -1, 0.0.0, , action,
Backdoor.Agent, C:\WINDOWS\SYSTEM32\TASKS\Microsoft\Windows\WDI\SrvHost, Delete-on-Reboot, 3583, 653658, 1.0.15708, , ame,
Backdoor.Agent, C:\WINDOWS\SYSTEM32\WINSCOMRSSRV.DLL, Delete-on-Reboot, 3583, 653659, 1.0.15708, , ame,
CrackTool.SpectraLayers.Keygen, D:\VEGAS\SONY VEGAS PRO 13.0 BUILD 453 (X64) + PATCH DI\KEYGEN & PATCH BY DI\KEYGEN.EXE, No Action By User, 8524, 127005, 1.0.15708, D23167EED5156BFCFBB3FECD, dds, 00485863
CrackTool.SpectraLayers.Keygen, D:\VEGAS\SONY VEGAS PRO 13.0 BUILD 453 (X64) + PATCH DI\KEYGEN & PATCH BY DI\KEYGEN.ZIP, No Action By User, 8524, 127005, 1.0.15708, D23167EED5156BFCFBB3FECD, dds, 00485863

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)
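The log above shows the classic shape of this kind of infection: scheduled tasks registered under the built-in \Microsoft\Windows\ tree (Application Experience\StartupCheckLibrary and WDI\SrvHost, both with logon entries in TaskCache), DLLs dropped into System32 under plausible-looking names, and the Security Center notification switches flipped so the user is not warned that antivirus, firewall or updates are off. The PowerShell below is an added triage example, not part of the thread and not Malwarebytes' own detection logic: it walks every task under \Microsoft\Windows\, resolves what each action really launches (for rundll32/regsvr32 that is the DLL in the arguments), flags targets that are missing or not Microsoft-signed, re-checks the task paths and DLL names copied from the scan log, and reads the three Security Center values the PUM lines refer to. The signing-based rule is a heuristic chosen for this example.

```powershell
# Added example (not from the thread, not Malwarebytes' logic): a triage script
# for the persistence pattern in the scan log above. It lists scheduled tasks
# under the built-in \Microsoft\Windows\ tree whose action runs a binary or DLL
# that is not Microsoft-signed, re-checks the task paths and DLLs named in the
# log, and reads the Security Center notify switches the PUM entries refer to.
# Run as Administrator. The flag rules are heuristics chosen for this example.

$SuspectTasks = @(   # task paths copied from the scan log
    '\Microsoft\Windows\Application Experience\StartupCheckLibrary',
    '\Microsoft\Windows\WDI\SrvHost'
)
$SuspectFiles = @(   # DLLs copied from the scan log
    'C:\WINDOWS\SYSTEM32\STARTUPCHECKLIBRARY.DLL',
    'C:\WINDOWS\SYSTEM32\WINSCOMRSSRV.DLL'
)

function Test-MicrosoftSigned ([string]$Path) {
    # On Windows 10, catalog-signed system files report Status 'Valid' here.
    # A 'NotSigned' result is a reason to look, not proof of infection.
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    return ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Microsoft*')
}

function Resolve-ActionTarget ($Action) {
    # For rundll32/regsvr32 actions the real payload is the DLL in the arguments.
    $exe    = [Environment]::ExpandEnvironmentVariables($Action.Execute.Trim('"'))
    $argStr = [string]$Action.Arguments
    if ($exe -match '\\(rundll32|regsvr32)\.exe$' -and $argStr -match '^\s*"?([^",]+\.dll)') {
        return [Environment]::ExpandEnvironmentVariables($Matches[1])
    }
    return $exe
}

function Get-TaskFindings {
    $tasks = Get-ScheduledTask | Where-Object { $_.TaskPath -like '\Microsoft\Windows\*' }
    foreach ($t in $tasks) {
        $full = $t.TaskPath + $t.TaskName
        foreach ($a in $t.Actions) {
            if (-not $a.Execute) { continue }      # COM-handler actions have no Execute
            $target  = Resolve-ActionTarget $a
            $reasons = @()
            if ($SuspectTasks -contains $full)            { $reasons += 'path listed in scan log' }
            if (-not (Test-Path -LiteralPath $target))    { $reasons += 'target missing' }
            elseif (-not (Test-MicrosoftSigned $target))  { $reasons += 'target not Microsoft-signed' }
            if ($reasons.Count -eq 0) { continue }
            $logon = [bool]($t.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' })
            $info  = Get-ScheduledTaskInfo -InputObject $t -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Task         = $full
                Target       = $target
                LogonTrigger = $logon
                LastRun      = $info.LastRunTime
                Reasons      = $reasons -join '; '
            }
        }
    }
}

function Get-FileFindings {
    foreach ($f in $SuspectFiles) {
        if (Test-Path -LiteralPath $f) {
            $i = Get-Item -LiteralPath $f
            [pscustomobject]@{ File = $f; Bytes = $i.Length; Created = $i.CreationTime; MicrosoftSigned = (Test-MicrosoftSigned $f) }
        }
    }
}

function Get-SecurityCenterFindings {
    # Value names as they appear in the PUM lines of the scan log; 1 = notifications off
    $key = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
        $v = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($v -eq 1) { [pscustomobject]@{ Setting = $name; Value = $v } }
    }
}

Write-Host "== Scheduled tasks under \Microsoft\Windows\ worth a look =="
Get-TaskFindings | Format-Table -AutoSize -Wrap
Write-Host "== Files named in the scan log that still exist =="
Get-FileFindings | Format-Table -AutoSize
Write-Host "== Security Center notifications switched off =="
Get-SecurityCenterFindings | Format-Table -AutoSize
```

Run it once after the Delete-on-Reboot restart and again a day later: the first run confirms the quarantine actually removed the tasks and DLLs, the second catches a dropper that re-creates them, which is the behaviour the original post describes with AVG. Expect a handful of third-party tasks (GPU or OEM utilities) to be listed as not Microsoft-signed; what matters is a task whose name imitates a Windows component while its target lives in System32 under a name no Microsoft package shipped.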
 
D

Deleted member 14196

Guest
Format boot drive and reinstall Windows clean. Then, don't download keygen crackz and illegal stuff like that, and you won't get infected. Also, Avast is horrible, don't use it. Use built-in Windows Defender and Malwarebytes.

"
CrackTool.SpectraLayers.Keygen, D:\VEGAS\SONY VEGAS PRO 13.0 BUILD 453 (X64) + PATCH DI\KEYGEN & PATCH BY DI\KEYGEN.EXE, No Action By User, 8524, 127005, 1.0.15708, D23167EED5156BFCFBB3FECD, dds, 00485863
CrackTool.SpectraLayers.Keygen, D:\VEGAS\SONY VEGAS PRO 13.0 BUILD 453 (X64) + PATCH DI\KEYGEN & PATCH BY DI\KEYGEN.ZIP, No Action By User, 8524, 127005, 1.0.15708, D23167EED5156BFCFBB3FECD, dds, 00485863
"
 

TroyTyranitar

Honorable
Feb 4, 2016
10
0
10,510
These exact files were on my previous build and I did not have this issue, thanks.
 
D

Deleted member 14196

Guest
Given your penchant for using stolen software, I would say your behavior online is enough to get infected.
 
Unfortunately this forum does not condone the usage of pirated OS or Software. It is against the forum rules. You have the results in front of you. We can only troubleshoot further if the foundation is right. Hope you understand.
Cheers...
 
  • Like
Reactions: TroyTyranitar