
Bitcoin Miner on Server 2008 R2 Datacenter

Question: Bitcoin Miner on Server 2008 R2 Datacenter

Hello Fellow Bleepers,
I recently discovered a Bitcoin Miner on a server hosting a website. I went through the Preparation Guide but, unfortunately, DDS will not run on Server 2008 R2 Datacenter so I am just pleading for help without it. I have tried a few things but this bugger is persistent and keeps coming back and filling up the hard drive with cached files. 
 
Any help would be much appreciated!
 
Thank you


Answer: Bitcoin Miner on Server 2008 R2 Datacenter

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
***************************************************
In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.
CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/522387 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************
If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:
If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post. Please do this even if you have previously posted logs for us. If you were unable to produce the logs originally please try once more. If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system. If you are unsure about any of these characteristics just post what you can and we will guide you.
Please tell us if you have your original Windows CD/DVD available.
Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.
Thank you for your patience, and again sorry for the delay.
***************************************************
We need to see some information about what is happening in your machine. Please perform the following scan again:
Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop. DDS.com Download Link
Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Follow the instructions that pop up for posting the results. Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control can be found HERE.
As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!


Going on my 11th hour of trying to get this to work. This is x64 by the way. Needs to be 64 bit.

I've tried the Sun Installation Assistant, I've tried right from the Server 2008 DVD, and Server 2008 R2 DVD, nothing works.

Most common point of failure: Copying, Expanding and Installing features/updates completes, server restarts, immediately after restart I get the "Clock Interrupt was not received on a secondary processor within the allocated time interval" BSOD.

Before this error the Server would simply lock up before it finished expanding files so I updated the BIOS and ILOM to the latest versions and now I'm stuck again with the above error.

Am I missing something? I have tried loading RAID drivers from my updated Tools and Drivers CD and from a floppy even though it only finds the LSI RAID card that isn't even in use. My RAID config is Adaptec mirrored 2x 73Gb SAS drives. According to all documentation, no drivers are even NEEDED for Server 2008.

Called Sun support but they can't get back to me until tomorrow morning. I kind of need this fixed now though.

Thanks in advance!
 


Greetings,

We have a 2008 R2 Citrix server that shows -6 GMT (correct) when we RDP into the server on the same administrator account. We have been having problems with the server rebooting at the wrong time. When the datacenter techs login into the same administrator account, for them it shows that the timezone is set to -5 GMT (incorrect).

Same user account, same server, different timezones. Could someone explain this?
 

Answer: 2008 R2 server in datacenter has different timezones for the same logon

Is this a VDI deployment? If so, a VDI container could have a different time zone, I believe.
 


Hi,
I have a KMS server with a Server 2012 KMS key, which is hosted on Windows Server 2012 R2.

We need to update the KMS server's 2K12 key to a 2K16 KMS key. Is there any way to get the details of which OS versions the key will activate?



Hello and thanks for looking in to this.

I recently bought a new computer to use for all sorts of hosting. Specs are following:
Intel Quad 2.99 GHz
6gb RAM
1 tb harddrive
Windows 7 Home premium 64 bit
fibre/ethernet cable

So after using it for hosting for a while, I realized that I could need Remote Desktop Connection (RDC) for other people using it. I couldn't get it to work, so I looked it up. Apparently the version of Windows I had doesn't support it, so I decided to try the evaluation version of Windows Server 2008 Datacenter 64-bit.

I managed to dual boot it along with 7 just fine, but problems started revealing themselves quickly upon startup.
The first thing I saw in the "initial configuration tasks" was: "Network adapters: None detected".
I tried reconnecting my cable to the computer, with no success. I also tried "add new hardware" through Control Panel to add network adapters, with no success. The adapters show up as faulty, due to being unable to load drivers.

Out of my arena of knowledge, I can't do so much more about this issue. But I need windows server 2008 datacenter up and running.

My question is, can anyone help me, or guide me step by step for setting up any network connection at all? I'm available through MSN, phone, Skype or these forums, although Skype or phone is preferred.

Thank you ever so much!

-Adrian
 

Answer: Windows server 2008 Datacenter 64-bit network issues


I am trying to use the Win Server 2008 R2 Datacenter OS. It's the first time I've ever used it and I was wondering if there are any good tutorials. It is really modular and I have no idea what I need to install and what works on it.

I am using it for my SnapRAID NAS and a couple of other things and could use a tutorial that teaches me what it can and can't do as an OS.

Thanks

EDIT: I also need one for 2012 datacenter. I have that version too.
 


Hi All,
 
I have an issue with a Windows Server 2008 64 bit that was infected with a crypto miner.
I ran Malwarebytes, Kaspersky, AVG to scan the server and some files were removed.
Now I have an issue where, at startup, it seems the virus is trying to re-install itself.
I noticed the following:
 
At startup, the Windows hosts file is replaced with one which blocks access to popular antivirus websites. Deleting the hosts file does not help since at next restart the hosts file will be replaced again.
At startup, IFEO entries are added to the registry to block execution of antivirus.
The virus creates a file at C:Windows\Rdpinst
The virus creates a file at C:\Windows\Temp:1
Windows Update has been disabled and cannot update the OS
 
Deleting the registry entries and files does not help because they are being recreated at startup. I tried to find the origin service or program of the files and registry hijack but was unsuccessful. Please, I would be grateful if anyone can help.
 
Thanks
 
FRST Log below : 
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:10-01-2015 01
Ran by administrator (administrator) on MEA-HV1 (18-01-2016 09:25:25)
Running from C:\Users\Administrator\Desktop
Loaded Profiles: administrator & MsDtsServer110 & ReportServer (Available Profiles: wing & polly & updater & ta.operator & administrator & MsDtsServer110 & MSSQLServerOLAPService & ReportServer & MSSQLFDLauncher & SQLSER... Read more

Answer: Windows Server 2008 infected with malware - crypto miner

Greetings virtuoso and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum. My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary. If you would allow me to call you by your first name I would prefer to do that.
===================================================
Ground Rules:
First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problem... Read more

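For the server post above (and the Server 2008 R2 thread at the top of the page, where DDS would not run), an added PowerShell triage script. It is not from the thread or from any of the tools mentioned in it. It checks, read-only, the persistence points the poster listed (hosts file, IFEO Debugger values, the Rdpinst and Temp paths, the Windows Update service) and then the places a startup re-creator usually lives (services, Run keys, scheduled tasks, WMI event consumers). The vendor substrings and the path regex are my assumptions; the path C:\Windows\Temp:1 has the form of an NTFS alternate data stream named "1" on the Temp directory, which is why a stream listing is included. Written for the PowerShell 2.0 that ships with 2008 R2 (no ScheduledTasks module, no Get-Item -Stream); run it from an elevated prompt.

```powershell
# Added triage script for the post above; not from the thread. Read-only: it reports,
# it does not delete. Run in an elevated PowerShell 2.0+ prompt on the affected host.
$findings = New-Object System.Collections.ArrayList
function Add-Finding([string]$Type, [string]$Item) {
    [void]$findings.Add((New-Object PSObject -Property @{ Type = $Type; Item = $Item }))
}

# 1. Hosts file: the "blocks access to popular antivirus websites" symptom is a line
#    that maps a vendor or update host to loopback or a bogus address. The substrings
#    are an assumption; extend them for the products actually installed.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$vendorHints = 'kaspersky','malwarebytes','avg','eset','avast','symantec','mcafee','sophos','windowsupdate','microsoft'
foreach ($line in (Get-Content $hostsPath -ErrorAction SilentlyContinue)) {
    if ($line -notmatch '^\s*[0-9a-fA-F:.]+\s+\S') { continue }          # comments, blanks
    $fields = $line.Trim() -split '\s+'
    foreach ($name in $fields[1..($fields.Count - 1)]) {
        foreach ($hint in $vendorHints) {
            if ($name -like "*$hint*") { Add-Finding 'Hosts' "$($fields[0]) $name" }
        }
    }
}
$hostsItem = Get-Item $hostsPath -Force -ErrorAction SilentlyContinue
if ($hostsItem -and (([int]$hostsItem.Attributes -band [int][IO.FileAttributes]::ReadOnly) -ne 0)) {
    Add-Finding 'Hosts' 'hosts file is marked read-only'
}

# 2. IFEO: a Debugger value under an image name makes Windows start that "debugger"
#    instead of the program. A value pointing at the miner, or at a path that does not
#    exist, is how "IFEO entries ... block execution of antivirus" works.
$ifeoRoots = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($root in $ifeoRoots) {
    foreach ($key in (Get-ChildItem $root -ErrorAction SilentlyContinue)) {
        $dbg = (Get-ItemProperty $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { Add-Finding 'IFEO' "$($key.PSChildName) -> $dbg" }
    }
}

# 3. The paths the post names. "C:\Windows\Temp:1" has the form of an NTFS alternate
#    data stream named "1" on the Temp directory; "dir /r" is the stream listing that
#    exists on PowerShell 2.0 (Get-Item -Stream needs 3.0).
foreach ($p in "$env:SystemRoot\Rdpinst", "$env:SystemRoot\Temp") {
    if (Test-Path $p) { Add-Finding 'Path' "$p exists" }
}
cmd /c dir /r /a $env:SystemRoot 2>$null | Where-Object { $_ -match ':\S+:\$DATA' } |
    ForEach-Object { Add-Finding 'ADS' $_.Trim() }

# 4. Windows Update service, which the post says has been disabled.
$wu = Get-WmiObject Win32_Service -Filter "Name='wuauserv'"
if ($wu -and $wu.StartMode -eq 'Disabled') { Add-Finding 'Service' "wuauserv is $($wu.StartMode)" }

# 5. What re-creates all of the above at boot. Look for commands living in writable or
#    temporary directories (the regex is an assumption) in each autostart location.
$suspectPath = '(?i)\\(Temp|ProgramData|AppData|Rdpinst)\\'
Get-WmiObject Win32_Service | Where-Object { $_.PathName -match $suspectPath } |
    ForEach-Object { Add-Finding 'Service' "$($_.Name): $($_.PathName)" }

$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($run in $runKeys) {
    $props = Get-ItemProperty $run -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($v in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        if ("$($v.Value)" -match $suspectPath) { Add-Finding 'Run' "$($v.Name) = $($v.Value)" }
    }
}

# schtasks is used because 2008 R2 has no ScheduledTasks module.
schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv |
    Where-Object { $_.'Task To Run' -match $suspectPath } |
    ForEach-Object { Add-Finding 'Task' "$($_.TaskName): $($_.'Task To Run')" }

# Permanent WMI event subscriptions survive reboots and are rarely legitimate on a web server.
Get-WmiObject -Namespace root\subscription -Class CommandLineEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'WMI' "$($_.Name): $($_.CommandLineTemplate)" }

$findings | Format-Table Type, Item -AutoSize -Wrap
```

Read the output as a map rather than a cleanup list. A Debugger value for a vendor's EXE and a hosts line for its update host are symptoms; the service, task or WMI consumer whose command lives under Temp or ProgramData is what re-creates them at boot, and that is the piece the poster could not find. Deleting the symptoms while that re-creator is still registered gives the same state back after the next restart, which is exactly what the post describes.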
Question: Bitcoin Miner

Malwarebytes Anti-Malware is reporting 6 instances of a bitcoin miner. I have tried 4 times to quarantine and delete, but on every reboot they return. Any help would be appreciated.

Answer:Bitcoin Miner

Hi there, can you please post up the log file from Malwarebytes that shows what exactly has been found. And run a FRST scan:
Please download Farbar Recovery Scan Tool and save it to your Desktop. (If you are not sure which version (32-/64-bit) applies to your system, download and try to start both of them as just the right one will run.)
Start FRST with administrator privileges.
Make sure the option Addition.txt is checked and press the Scan button.
When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
Please copy and paste these logs in your next reply.

Question: Bitcoin Miner Help

Hello, I think I have a Bitcoin miner because my system is running a lot slower. It happened before, about 1-2 months ago, but I only found out that bitcoin miners exist one week ago. I am really asking you for help because my PC is running very slow and the red light under the Turn On button on the case is blinking and sometimes stays on completely. Also I find svchost.exe taking a lot of resources.
 

Answer:Bitcoin Miner Help

Hello,

My name is Argus and I will be helping you with your computer problems.

Before we begin, please note the following:

I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
The logs can take some time to research, so please be patient with me.
Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
Instructions that I give are for your system only!
Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not be able to help you if you do not follow my instructions.


Rules and policies

We won't support any piracy.
That being said, if any evidence of an illegal OS, software, cracks/keygens or any other is revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!
The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled befor... Read more


Hi guys, I am new here and didn't understand the forum exactly, anyway. I have the coinminer.mg trojan virus in c:/zec\myxmr.bat; it shows in the cmd and svchost.exe. NOD32 deletes it but every time I restart it shows itself again. I am not at the computer; if you can help me it would be awesome.
 


I have a problem when loading my regular windows everything slows. My computer only works in Safe Mode with Networking please help.

Answer:Possible Bitcoin Miner Virus Please Help!!!!

Hello, Welcome to BleepingComputer. I'm nasdaq and will be helping you. If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
--RogueKiller--
Download & SAVE to your Desktop RogueKiller for 32bit or RogueKiller for 64bit.
Quit all programs that you may have started.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7, right-click and select "Run as Administrator" to start. For Windows XP, double-click to start.
Wait until Prescan has finished... Then click on the "Scan" button.
Wait until the Status box shows "Scan Finished". Click on "delete".
Wait until the Status box shows "Deleting Finished".
Click on "Report" and copy/paste the content of the Notepad into your next reply. The log should be found in RKreport[1].txt on your Desktop.
Exit/Close RogueKiller.
===
Please download AdwCleaner by Xplode onto your Desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click the Scan button and wait for the process to complete.
Click the Report button and the report will open in Notepad.
IMPORTANT: If you click the Clean button all items listed in the report will be removed. If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click the Scan button and wait for t... Read more


I look at other threads, and I saw bleeping computer help those with this issue...
I tried to copy the process they post on other threads, but doesn't seem to work.
Please help
I have the fake lsm problem that shows in the appdata folder and a random-number exe that takes up 97% of my CPU usage.
I have no idea what to do... please help

Answer:I am new, but please help, bitcoin miner 100% cpu usage

Ah, sorry I wasn't very clear on the issue. So I have a virus that is taking up 100% CPU usage, and I don't know what it is. I deleted it from the processes, I went into my appdata/roaming folder and deleted it as well... but it still keeps coming back. Any idea on how to fix it?


Hi,
 
Few hours ago I got infected with the Timeserver Bitcoin miner and I need some help getting my PC back to normal again.
 
Because I was 100% sure I was infected with it (C:\ProgramData\Microsoft\Windows\Time, it was all there) I tried some things to get rid of it. This included using ComboFix and running the CFScript with it.
 
The folder is no longer there and both my GPU and CPU-usage are fairly low, but when I try to watch a movie, play games or even do small things in windows I notice my computer has trouble loading things at a normal speed. Is there something I missed? Is the virus still out there? It has to be something with my GPU.
 
Thanks a lot!
 
 
Edit: Reinstalling the newest display driver helped the problem. It probably bugged out after the removal attempt. So everything is fine now as far as I can see. But is there a way, like a last scan I can do to be 100% sure there are no more remaining files of the Bitcoin miner?

Answer:TimeServer Bitcoin Miner

Hello, Welcome to BleepingComputer. I'm nasdaq and will be helping you. If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
Let's start with these scans.
Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.
Please download AdwCleaner by Xplode onto your Desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click the Scan button and wait for the process to complete.
Click the Report button and the report will open in Notepad.
IMPORTANT: If you click the Clean button all items listed in the report will be removed. If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click the Scan button and wait for the process to complete.
Check off the element(s) you wish to keep.
Click on the Clean button and follow the prompts.
A log file will automatically open after the scan has finished. Please post the content of that log file with your next answer. You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
Please download Junkware Removal Tool to your Desktop.
Please close your security software to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
The tool will open and... Read more


My notebook is infected with a trojan bitcoin miner. I need help to remove it.

Answer:trojan bitcoin miner

Hello and Welcome.

We want all our members to perform the steps outlined in the link I'll give you below, before posting for assistance. There's a sticky at the top of this forum, and a "Spyware 1st Steps" link at the top of each page.

---------------------------------------------------------------------------------------------

Please follow our pre-posting process outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help - Tech Support Forum

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please note that the Virus/Trojan/Spyware Help forum is extremely busy, and it may take a while to receive a reply.


Hello, I have a rather persistent bit of software that runs as 'macromedia.exe' with the description 'coin-miner' that uses 50% of my CPU at all times. I can change affinity and set it to only use one core but obviously I'd like it gone.
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 10.0.9200.16576  BrowserJavaVersion: 10.21.2
Run by Steven at 22:48:33 on 2013-06-11
#Option Extended Search is enabled.
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.2.1033.18.16367.12775 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Program Files\Tablet\Pen\WTabletServiceCon.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system... Read more

Answer:Macromedia.exe bitcoin miner

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

--RogueKiller--
Download & SAVE to your Desktop RogueKiller for 32bit or RogueKiller for 64bit.
Quit all programs that you may have started.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7, right-click and select "Run as Administrator" to start. For Windows XP, double-click to start.
Wait until Prescan has finished... Then click on the "Scan" button.
Wait until the Status box shows "Scan Finished". Click on "delete".
Wait until the Status box shows "Deleting Finished".
Click on "Report" and copy/paste the content of the Notepad into your next reply. The log should be found in RKreport[1].txt on your Desktop.
Exit/Close RogueKiller.
===

Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on the Delete tab and follow the prompts.
A log file will automatically open after the scan has finished. Please post the content of that log file with your next answer. You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
===

Please download
Junkware Removal Tool to your Desktop.
Please close your security software to avoid potential co... Read more


There are several different applications that just won't be removed even after I delete it. One is called lsm.exe *32 (this is NOT the local session manager service) and other(s) is just a random string of numbers that keep popping up in my AppData\Local\Temp folder. Both have 100% CPU usage, and no matter how many times I delete them, they keep coming back; lsm.exe *32 every time I restart my computer and the random string of numbers every several hours as a different set of numbers. Malwarebytes doesn't seem to detect them. I know I downloaded something stupid and got infected, but I don't know why they keep coming back. I haven't downloaded anything since.

Answer:100% CPU usage. I think there's a bitcoin miner.

Welcome aboard.
Download Security Check from here or here and save it to your Desktop.
Double-click SecurityCheck.exe. Follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.
NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.
Please download Farbar Service Scanner (FSS) and run it on the computer with the issue. Make sure the following options are checked: Internet Services, Windows Firewall, System Restore, Security Center/Action Center, Windows Update, Windows Defender, Other Services.
Press "Scan". It will create a log (FSS.txt) in the same directory the tool is run. Please copy and paste the log to your reply.
Please download MiniToolBox and run it. Checkmark the following boxes: Report IE Proxy Settings, Report FF Proxy Settings, List content of Hosts, List IP configuration, List Winsock Entries, List last 10 Event Viewer log, List Installed Programs, List Devices (do NOT change any settings here), List Users, Partitions and Memory size. Click Go and post the result.
Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Up... Read more


Hello everyone,
As the title says, i have a little problem with svchost.exe (which could also be the bitcoin miner).
 
Kaspersky found something in C:\Windows\temp\svchost.exe around one month ago. I tried to fix it but it came back after every restart. As it did nothing to my PC and as it was called svchost.exe, I thought that it was a mistake by Kaspersky.
 
My GPU is at 100% while idling. As I had a bitcoin mining virus before, I remembered the same symptom and did some things:
 
ComboFix: I ran it once and it seemed to fix my problem until I restarted.
 
Kaspersky: Was unable to do anything but recognise the virus. I tried the secure disc but it couldn't get rid of the virus.
 
Malwarebytes: It found two svchost.exe and two lsass.exe. But because it needs a restart and my PC was unable to shut down, nothing happened. I ran it again later in secure mode and the restart was possible. It seems like it solved the problem but Kaspersky still tells me there is svchost.exe in my temp folder.
 
RogueKiller, HitmanPro and ESETPoweliksClean... didn't work.
 
When I run ComboFix my GPU usage goes down and everything seems to be normal, but I have no internet connection and when I restart it's like I never ran ComboFix.
 
 
 
Could anyone please help me to fix this problem so that it doesn't start again in a month.

Answer:svchost.exe bitcoin miner

Crossposting:
https://forums.malwarebytes.org/index.php?/topic/168405-svchostexe-bitcoin-miner/


Hello. I've been trying to get rid of this virus for a while now. My AVG anti virus (free) sends me a warning every time I start my PC.
 
Threat: IDP.program.D1B0A5C0
object name: c:\windows\temp\svchost.exe
 
I click on "Protect me" and it deletes the files but it keeps coming back at bootup. I have Malwarebytes Anti-Malware. I scan, and if I don't click on the AVG anti virus "Protect me" option the scan results in 6 finds, and when I click on remove, Malwarebytes says I have to restart but the svchost.exe will appear again. If I click the "Protect me" option then Malwarebytes only finds 5 threats. I remove all and I even delete in the quarantine tab, but it always comes back. This is what Malwarebytes says.
 
C:\Users\DisPak\Downloads\New_Super_Mario_Forever.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Windows\temp\phatk121016.cl (Trojan.BitcoinMiner) -> Quarantined and deleted successfully.
C:\Windows\temp\scrypt130511.cl (Trojan.BitcoinMiner) -> Quarantined and deleted successfully.
C:\Windows\temp\diablo130302.cl (Trojan.BitcoinMiner) -> Quarantined and deleted successfully.
C:\Windows\temp\poclbm130302.cl (Trojan.BitcoinMiner) -> Quarantined and deleted successfully.
C:\Windows\temp\diakgcn121016.cl (Trojan.BitcoinMiner) -> Quarantined and deleted successfully
 
this is my DDS
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16750
Run by DisPak at 17:45:58 on 2014-01-24
Microsoft Windows 7 Professional   6.1.7601.1... Read more

Answer:SVCHOST, BITCOIN MINER

Hello and welcome.  Please follow these guidelines while we work on your PC:Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.”  Absence of symptoms does not mean your machine is clean!Please do not run any scans or install/uninstall any applications without being directed to do so.Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.   Please download Farbar Recovery Scan Tool and save it to your desktop.Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.Double-click to run it. When the tool opens click Yes to disclaimer.Press Scan button.It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

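The three posts above (lsm.exe *32 and a random-number .exe under AppData\Local\Temp; a svchost.exe under C:\Windows\temp that Kaspersky keeps flagging; AVG's c:\windows\temp\svchost.exe alongside the .cl files Malwarebytes quarantined) share one pattern: a binary borrowing a Windows system process name while running from a user-writable directory. The following is an added PowerShell example, not from any of the threads or the tools they mention. It lists such processes with their CPU time and the parent that launched them, and sweeps the temp directories for miner-style artifacts. The system-name list, the directory regex and the 30-day window are my assumptions; the phatk/poclbm/diablo/diakgcn .cl files in the Malwarebytes log above are the OpenCL kernels that GPU miners ship, which is why .cl is in the sweep. PowerShell 2.0 compatible; run elevated.

```powershell
# Added example for the posts above; not from the threads or the tools they mention.
# Lists processes that use a Windows system binary's name but run from outside the
# Windows directories, and anything executing out of Temp/AppData/ProgramData, with
# CPU time and the parent that started it. PowerShell 2.0 compatible; run elevated.
$systemNames = 'svchost.exe','lsm.exe','lsass.exe','csrss.exe','winlogon.exe',
               'services.exe','wininit.exe','explorer.exe','conhost.exe','dwm.exe'   # assumption: extend as needed
$legitDirs   = @(@($env:SystemRoot, "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") |
               ForEach-Object { $_.ToLower() })
$suspectDir  = '(?i)\\(Temp|AppData|ProgramData)\\'                                   # assumption

function Get-SuspectProcess {
    $procs = @(Get-WmiObject Win32_Process)
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
    foreach ($p in $procs) {
        $path = $p.ExecutablePath
        if (-not $path) { continue }                 # System/Idle and protected processes expose none
        $dir = [IO.Path]::GetDirectoryName($path).ToLower()
        $nameClash = ($systemNames -contains $p.Name.ToLower()) -and ($legitDirs -notcontains $dir)
        $tempRun   = $path -match $suspectDir
        if (-not ($nameClash -or $tempRun)) { continue }
        $parent = $byPid[[int]$p.ParentProcessId]
        # Kernel/user times are in 100 ns units; a miner pinning a core accrues seconds fast.
        $cpuSec = [math]::Round(([double]$p.KernelModeTime + [double]$p.UserModeTime) / 1e7, 1)
        New-Object PSObject -Property @{
            Pid         = $p.ProcessId
            Name        = $p.Name
            Reason      = $(if ($nameClash) { 'system name outside Windows dirs' } else { 'runs from temp/appdata' })
            CpuSeconds  = $cpuSec
            Parent      = $(if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { "exited ($($p.ParentProcessId))" })
            Path        = $path
            CommandLine = $p.CommandLine
        }
    }
}

# GPU miners keep their OpenCL kernels as .cl files next to the binary; recently written
# .cl/.bat/.exe files under the temp directories are worth listing together.
function Get-MinerArtifact([int]$Days = 30) {
    $roots = "$env:SystemRoot\Temp", "$env:LOCALAPPDATA\Temp", $env:ProgramData
    Get-ChildItem $roots -Recurse -Force -Include *.cl,*.bat,*.exe -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -gt (Get-Date).AddDays(-$Days) } |
        Select-Object FullName, Length, LastWriteTime
}

Get-SuspectProcess | Sort-Object CpuSeconds -Descending |
    Format-Table Pid, Name, Reason, CpuSeconds, Parent, Path -AutoSize -Wrap
Get-MinerArtifact | Format-Table -AutoSize
```

The Parent column is the useful part. On Windows 7 and Server 2008 R2 a child of services.exe was started by a service, a child of taskeng.exe by a scheduled task, and a child of explorer.exe or a user-profile binary by a Run key or a startup folder; that is the entry to remove. Killing the child or deleting the file in Temp, which is what each of these posters had already tried, leaves the launcher in place for the next boot.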

Hi. Apparently I ran into a malware program and it's been removed, mostly, but what's left is a bitcoin miner. It produces two files called winvnc86.exe and rpcminer-cpu.exe in the system; these reproduce at each restart since my AV removes them right away. I have no idea how to eradicate it but I really need to put this thing out of its misery.

Here are the logs and files that are required. Each post will contain a log of a different program that you requested.
 

Answer: bitcoin miner infected on my PC


Hope you can help as you appear to have helped another. Here's the previous post describing issue, very similar to mine, that I found from a Google Search:
Bitcoin Miner, possible SVC infection, missing files, DDS won't run
http://www.bleepingcomputer.com/forums/t/499741/bitcoin-miner-possible-svc-infection-missing-files-dds-wont-run/
 

 
Every time I reboot, I get a Malwarebytes notification stating the above "vendor" trojan.bitcoinminer, "item" c:\\windows\syswow64\winvnc86.exe has been quarantined.
 
Following your "Preparation Guide", below is a copy paste of the DDS.txt file.
I've also attached the txt and zipped versions of the attach.txt file.
 
Thanks in advance for instructions how to correct this issue if indeed it is one.
Lars
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16635  BrowserJavaVersion: 10.25.2
Run by Lars at 0:43:54 on 2013-08-04
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.5879.1813 [GMT -6:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C... Read more

Answer: Bitcoin.Miner Trojan?

Hello and welcome to Bleeping Computer, please do the following:
Refer to the ComboFix User's Guide
Download ComboFix from the following location: Link
* IMPORTANT !!! Place ComboFix.exe on your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix. You can get help on disabling your protection programs here
Double click on ComboFix.exe & follow the prompts.
Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
When finished, it shall produce a log for you. Post that log in your next reply
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
---------------------------------------------------------------------------------------------
Ensure your AntiVirus and AntiSpyware applications are re-enabled.
---------------------------------------------------------------------------------------------
NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.


Hello community,
So it was brought to attention that one of the senior ITs at my company (whose name I cannot disclose) might be using a Bitcoin miner on our network without the knowledge of management. Another IT found it under the senior IT's profile and it is called Quarkcpu_Miner. We also found it located in his desktop folder on 35 other employee machines.

The question is how can we see if they are running on the machines, and is there a way to monitor the network traffic on the company network and output to a log so we could catch the person using this app? Does Bitcoin mining pose a threat to the security of the network as a whole? If you have any information or input I would appreciate it. Thanks.

Answer: Bitcoin miner on the network? Need help, please!

Originally Posted by DMGrier


Hello community,
So it was brought to attention that one of the senior ITs at my company (whose name I cannot disclose) might be using a Bitcoin miner on our network without the knowledge of management. Another IT found it under the senior IT's profile and it is called Quarkcpu_Miner. We also found it located in his desktop folder on 35 other employee machines.

The question is how can we see if they are running on the machines, and is there a way to monitor the network traffic on the company network and output to a log so we could catch the person using this app? Does Bitcoin mining pose a threat to the security of the network as a whole? If you have any information or input I would appreciate it. Thanks.



I would leave that for your IT director/CIO/Security Officer to handle


Hello,

I suspect a possible very crafty Bitcoin miner. When I view videos on YouTube, after a few minutes of not moving my mouse the video starts to lag, and when I move my mouse it fixes itself in a bit.

I've tried both with the latest Firefox version, 45.0.2, with the HTML5 player and on IE 10 with Flash Player. When I have Task Manager open in the background this doesn't happen.

If I leave my PC idle for a few minutes and then immediately check temps with Speccy, I see that my CPU is running a bit hot and especially my GPU was under load, but as soon as I've moved my mouse to open Speccy the temps begin to go down to idle ones. I have a GTX 960 and normally it idles at ~40 degrees C with fans turned off; they turn on only under load, and I think I hear them turn on when my PC should be idle.

This issue appeared a few days ago, after I was trying to install a program and got a message: "operation did not complete successfully because the file contains a virus or potentially unwanted software". After some googling I took it as a false positive and turned off Windows Defender, but the .exe appeared corrupted so I just deleted it and found it from another source. I suspect this could be the source of the infection.

I suspect it's some very stealthy bitcoin miner that only turns itself on when the PC is idle and immediately shuts off when any mouse or keyboard input is detected, additionally it detects when Task Manager is open and doesn't turn itself on to avoid dete... Read more


Hello! Recently I'm getting these notifications from Avast saying that a trojan horse was blocked. I ran a full system scan yesterday and deleted all detected files; I also downloaded Malwarebytes Anti-Malware and ran a scan and deleted all the detected files. Still, when I turned on my PC today I get the same notification saying a trojan was detected. How do I remove it?

Answer: BitCoin miner removal issue please help!

bump*  plz help


I recently downloaded a game to try before purchasing and ended up getting a bad torrent with a bitcoin miner in it. I've since removed the game itself, but the miner is still around. I found a similar topic on these forums and decided to make a post since that guy got his removed pretty easily. The file shows up as svchost.exe in my task manager, and when I open the file location it's in the temp folder of C:\Windows. It also has a file called lsass.exe in there as well that seems associated with it.
 
There are a couple of log files from this program in there as well, and it seems to be called Claymore CryptoNote CPU Miner v3.3 Beta.
 
Any help removing this would be appreciated.
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:13-07-2015
Ran by FloppyDesktop (administrator) on FLOPPYDINGOPC on 14-07-2015 18:00:19
Running from C:\Users\FloppyDesktop\Desktop
Loaded Profiles: FloppyDesktop (Available Profiles: FloppyDesktop & HollyFish)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\W... Read more

Answer: svchost.exe (bitcoin miner?) runs 90%+ CPU

I seem to have smote the beast. A search on Google for the name I found in those log files led me to Reddit, where they noted that people who had this problem found a script that was running from appdata local and appdata roaming (as well as C:\ProgramData) from folders labeled Origin. I deleted all three Origin folders, ran some clean up, and it doesn't seem to have returned.
 
I'd still like to clean up my PC if anyone doesn't mind, if there's other stuff on it. I learned a harsh lesson about torrents today (my friend said they were a safe way to try games, seems not). If I need a new FRST log and Addition.txt let me know.


Fixed my issue, do not know how to delete post.

Answer: GPU Fan Spins Nonstop, Possible Bitcoin Miner.

You should have posted how you fixed it, instead of deleting your old post.


Greeting Bleeping Computer!
 
Just a few minutes ago while searching on Google, it suddenly jumped to the "https://ipv4.google.com/sorry/" page. After researching this, Google seemed to detect unusual activity from my network. Furthermore, many people have said it could be caused by a piece of malware on my host that is doing that to me. My laptop currently runs fine, but I'm afraid I could be infected! I would appreciate it if anyone could help me check if there's anything suspicious on my device.
 
To start off, I did the FRST scan and my logs are attached.
 
Thanks again.

Answer: Bitcoin Miner/Botnet - Need to make sure

Hi, CloseToHome,
My name is Zach, and, though I generally go by Sasschary, you may call me whatever you want. I will be helping you get your computer working again. Please give me a little bit to look over the logs you posted, and I will post back here again as soon as I can.
Also, please be aware that I am currently in training, so all of my posts need to be reviewed before you can see them. As such, it may take a day or two for me to post my replies.
Sincerely,
Sasschary


Hello,

I suspect a possible very crafty Bitcoin miner. When I view videos on YouTube, after a few minutes of not moving my mouse the video starts to lag, and when I move my mouse it fixes itself in a bit.

I've tried both with the latest Firefox version, 45.0.2, with the HTML5 player and on IE 10 with Flash Player. When I have Task Manager open in the background this doesn't happen.

If I leave my PC idle for a few minutes and then immediately check temps with Speccy, I see that my CPU is running a bit hot and especially my GPU was under load, but as soon as I've moved my mouse to open Speccy the temps begin to go down to idle ones. I have a GTX 960 and normally it idles at ~40 degrees C with fans turned off; they turn on only under load, and I think I hear them turn on when my PC should be idle.

This issue appeared a few days ago, after I was trying to install a program and got a message: "operation did not complete successfully because the file contains a virus or potentially unwanted software". After some googling I took it as a false positive and turned off Windows Defender, but the .exe appeared corrupted so I just deleted it and found it from another source. I suspect this could be the source of the infection.

I suspect it's some very stealthy bitcoin miner that only turns itself on when the PC is idle and immediately shuts off when any mouse or keyboard input is detected, additionally it detects when Task Manager is open and doesn't turn itself on to avoid dete... Read more

Answer: Suspected Bitcoin miner virus

Hello nddcndndd,

We need to see some information about what is happening in your machine. Therefore, we want all our members to perform the steps outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help - Tech Support Forum

After running through all the steps, you shall have a proper set of logs. Please post/attach the logs in your next reply.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.


Hi, I'm on Windows 7, and in an effort to download something, I clicked the wrong link, and downloaded the wrong file.
 
Without thinking, I ran it, and as a result I believe my system is infected.
 
When I ran the file, firefox crashed, and then when I reopened it, address bar searches were directing to "foxsearch.me" before google.
 
I am also getting random popups when clicking, but only on firefox (I also have chrome installed, and I haven't had any random popups using it).
 
After running this program, I updated Malwarebytes to 3.2.2, or whatever the latest version is as of 2 hours ago, and the GUI will not launch. I have mbam.exe, mbamtray.exe, and MBAMservice.exe running in the Processes tab of the Task Manager, but regardless of what I do, the GUI will not pop up, and I suspect this may be due to an infection.
 
In searching for a solution to that, I was directed to a program linked in this post on the malwarebytes forums: https://forums.malwarebytes.com/topic/209359-malwarebytes-3-wont-start/?page=2
 
I am currently running mbar.exe, which has found 4 pieces of malware; one listed as Adware.YoBrowser, one as RiskWare.BitCoinMiner, and two as Trojan.Agent.
 
I just now uploaded the file I downloaded originally (which mbar is identifying as Adware.YoBrowser) to virustotal, and got these results: https://www.virustotal.com/#/file/ed1ea75dd62295487a3d34c75155ddd14a0e577bbb442b6cccc610d60031b409/detection
 
I hope someone c... Read more

Answer: Bitcoin miner or trojan infection?

Did you allow MBAR to delete/ quarantine what it found? If you did, run a scan using Malwarebytes.
 
Once you have done the above...run the programs below.
 
Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the
Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of Google Chrome and Avast.
After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.
CCleaner - PC Optimization and Cleaning - Free Download
 
Download AdwCleaner by Xplode onto your desktop. (compatible with Windows 7, 8 and 10)
Close all open programs and internet browsers.
Double click on adwcleaner.exe to run the tool.
Click on Scan button.
When the scan has finished click on Clean button.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the contents of that logfile with your next reply.
You can find the logfile at C:\AdwCleaner[S1].txt as well.
 
Download and run the FREE online scanner from Free Virus Scan | Online Virus Scan from ESET | ESET
Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
Select Enable detection of potentially unwanted applications.
Click Advanced Settings, then place a checkmark in the following:
Remove found threats
Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology

... Read more


Hello, a fellow new member here.
 
A few days ago I had been installing heaps of stuff on my computer. Games, videos etc.
 
The next day I log on to my computer, and a new cmd window pops up. I've added the photo for you guys to check it out. My computer's CPU fan began to go crazy and when I checked my processes, it says that "vshost" was using all the CPU, even though the new window shows as "svchost". I've checked previous posts about svchost but no one seems to have the process named vshost. Whenever I kill the process from the Task Manager, it restarts again trying to get back up to 100%. The only way to kill it seems to be closing it from the cmd window, but I'm still concerned.

I've used ComboFix, RogueKiller, CCleaner and TDSS Killer but the window still pops up.
 
Please help ._.
Extra, probably useful help:
1) The miner can't mine on my GPU because my computer's language is Turkish, which changes the GPU's main name(?)
2) I notice a sound of trying to press something when it shows "Welcome". This is the same sound as when pressing any letter on the keyboard while waiting for "Welcome". I guess that this shows it opens as user status(?)

Answer: svchost/vshost BitCoin Miner Virus

Since you ran ComboFix... Please follow the instructions in THIS GUIDE starting at Step 6. If you cannot complete a step, skip it and continue.
Once the proper logs are created, then make a NEW TOPIC and post it HERE. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.
If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.
It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.
If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.


It appears as though I have a Bitcoin miner on my system, and I can't seem to get rid of it. It shows up as "jusched.exe" in the Task Manager, and it consistently uses around 30% of my CPU resources. It also utilizes an unknown amount of my GPU resources, as games are very laggy when it's running.
 
I would attach a DDS file, but it seems as though it's incompatible with my OS, Windows 8.1. MalwareBytes didn't find anything, but I'm 100% sure it's still on my system, as I've found the folder it's hiding in. I reran the scan, only searching in that particular folder, and allowed for scanning for rootkits. It seems to have found it, and I've attached the log file.
 
Any suggestions on what I can do? Thanks

Answer: Bitcoin Miner masquerading as Java Updater won't go away

Hi llamas612, my name is Valinorum and I will be the acolyte today. Before we proceed, please acknowledge the following:
Please do not create any new threads on this while we are working on your system as it wastes another volunteer's time. If you are being helped/have solved the issue/no longer wish to continue, notify me in your reply and I will quickly close this thread. Failing to comply will result in denial of future assistance.
Please do not install any new software while we are working on this system as it may hinder our process.
Malware removal is a complicated process so don't stop following the steps even if the symptoms are not found. Keep up with me until I declare you clean.
Please do not try to fix anything without being asked.
Please do not attach your logs or put them inside code/quote tags. Do a Copy/Paste of the entire contents of the log file and submit it inside your post unless directed otherwise.
Please print or save the instructions I give you for quick reference. We may be using Safe Mode which will cut you off from the internet and you will not always be able to access this thread.
Back up your data. I will not knowingly suggest any course that might damage your system but sometimes malware infections are so severe that the only option we have is to re-format and re-install the operating system.
If you are confused about any instruction, stop and ask. Do not keep on going.
Do not repeat the steps if you face any problems.
I am not omniscient. There... Read more


I actually feel pretty ashamed that I couldn't solve this on my own, being a software developer and having some previous experience in topics like these, this one is still kinda tricky.
 
So there is a virus that infected my PC (Win7 64bit Ultimate) that keeps installing a bitcoin miner, more specifically a TR/BitCoinMiner.Gen (as noted by Avira) every time I connect to the internet. (So basically every time I start my PC.)
It creates a hidden folder in my Windows folder that looks like this: C:\Windows\init\spoolv\ and starts a process called init.exe (twice) that resides in this folder and takes up a lot of cpu power before I (obviously notice, then) close it from the task manager.
Interestingly, previously it created an (also hidden) folder called spoolv where it installed a (possibly modified version of a) mIRC client, that I could only remove booting my Windows up in safe mode.
 
Whenever I start my PC, Avira also notes that it has blocked the registry to prevent something from editing it. (I don't know why in God's name it doesn't display what tried to edit it..)
So this is a good notification to check whether the virus has made the directory again and put itself to autostart in the registry, which I then delete.. both.. and then start again the next day.
 
I scanned my PC with Malwarebytes's Anti-malware whatever, RogueKiller, some other random anti-malware software and of course Avira's full system scan.
None of them finds anything remotely useful.
... Read more

Answer: Help finding a virus that keeps installing a bitcoin miner

Welcome aboard
Download Security Check from here or here and save it to your Desktop.
Double-click SecurityCheck.exe
Follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.
NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access to the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.
NOTE 3. If you receive UNSUPPORTED OPERATING SYSTEM! ABORTED! message restart computer and Security Check should run

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
Make sure the following options are checked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other Services
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

Please download MiniToolBox and run it.
Checkmark following boxes:
Report IE Proxy Settings
Report FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Devices (do NOT change any settings here)
List Users, Partitions and Memory size
List Restore Points
Click Go and post the result.

Please download Malwarebytes Anti-Malware to your desktop.
NOTE. If you already have MBAM 2.0 installed scroll dow... Read more


Hello everyone
First and foremost, thanks for your time. I appreciate your good will to help.

Background information :

1) SSD has been formatted 1 week ago or less (can't remember); the second drive (1TB) remained as backup.

2) each time I open Skype /Certain games/ Battle.net EVEN Google Chrome.
my GPU temp jumps from 30 idle to 50 and the GPU uses its full functions (Clock speed jumps to max, etc)

3) My computer's clock time is not stable, keeps on changing (has been like that for more than a year, even though I formatted 2 times since the problem arose). I suspect this problem is due to having a burnt motherboard battery, although it may be a virus in the BIOS (my assumptions). I never tried to replace a motherboard battery; I currently have an Asus Z97 motherboard.
PC scanned with - Rogue-killer, Anti-malware bytes and Hitman PRO.

SSD Has been formatted 2 times in the last 3 years and a half

from win 8.1 to win10, and from win10 to win7. (SINCE THE FIRST FORMAT THE CLOCK STARTED BUGGING.)

since then I have had the problem with time.

*bitcoin miner : New problem that I have just noticed recently, which is taking all my attention to cure my GPU.

*Note: Currently If I don't run the apps I mentioned above my GPU temp is OK. therefore the main problems are Clock time changes, and Temp jumps super high for no reason while running certain applications.

I used Process Explorer to try and track which applications cause GPU traffic,
that's how I know when the bitcoi... Read more


Hello! I have a bitcoin miner that Malwarebytes can't get rid of. I can stop the process in Task Manager and it doesn't come back while I have the computer on, but it comes back on reboot. I have Bufferzone installed and some of the infected files seem to have been INSIDE the buffer zone, with a .virtual suffix. However, they got out somehow and are loose on the OS drive. I deleted the virtual files I found but it has not helped. I also got some kind of drive-by download of WebCake and a load of other crap which I was able to uninstall. Should I go ahead and empty Bufferzone or wait for instructions? Also, on reboot a cmd prompt window flashes and then I get a pop up that says failed installation. I tried to run DDS, and it says it won't run on my OS. I tried running viruclean.exe and it stopped working about 80% of the way through the scan. It did this twice. I didn't click on it while it was scanning. I have HijackThis installed and it does work. I ran a scan earlier and there were a lot of 'missing' files the registry pointed to, some of which look important.
Thank you so much for your help.

Answer: Bitcoin Miner, possible SVC infection, missing files, DDS won't run

Hi there, my name is Marius and I will be assisting you with your malware related problems.
Before we move on, please read the following points carefully.
First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or Add/Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Please download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (If not sure: Start --> Computer (right click) --> properties)
Run FRST. Don't change one of the checkboxes and hit Scan. Logfiles are created on your desktop. Post the FR... Read more


Hello.
 
I am new to this site, so please pardon me if I speak out of protocol.
 
I recently found out that I had a Bitcoin Miner on my computer (Dell Inspiron N7010 Laptop). I hadn't known immediately, but I noticed a significant drop in my computer's performance. It began running ever slower, and games that it could usually handle began crashing and coming down to as low as 4 FPS. Also, error messages involving programs by the names of "mswaqrus.exe" and "Atk0yR7.exe" began coming up, saying they generated exceptions which could not be handled and to click "OK" to terminate the program or "Cancel" to debug the program. I only ever clicked "OK". The only reason I even know it's a Bitcoin Miner is because a few days ago, a window came up (black background, gray text) saying something about starting a Bitcoin Miner. Unfortunately, the window disappeared before I could screenshot it. Without further ado, here are the DDS logs. Thank you.
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16635  BrowserJavaVersion: 10.25.2
Run by Gudz at 12:23:37 on 2013-07-17
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.2933.803 [GMT -4:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enab... Read more

Answer: Infected with Bitcoin Miner and Slow Computer

Hello AllergicToCats, I would like to welcome you to the Malware Removal section of the forum.
Around here they call me Gringo and I will be glad to help you with your malware problems.
Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!
Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the... Read more


My boss' computer seems to have a serious infection. AVG and MalwareBytes will not remove the files because they are system files. My boss says that the computer seems to be running fine, however since I've been on here there's been a few popups and redirects to adware(?) sites. Thank you in advance for taking time to check this out. Here's the log from MWB so you can see what we're dealing with:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.16.10

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Brown :: BROWN-PC [administrator]

8/16/2012 3:57:47 PM
mbam-log-2012-08-16 (16-26-14).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 340368
Time elapsed: 23 minute(s), 38 second(s)

Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> 3592 -> No action taken.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 6
C:\Users\Brown\AppData\LocalLow\FE9E.tmp (Rootkit.ZeroAccess) -> No action taken.
C:\Users\Brown\AppData\LocalLow... Read more

Answer: RootKit ZeroAccess and Trojan Bitcoin Miner

Greetings and Welcome to The Forums!!
My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.
Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At... Read more


Hello, my PC has been infected with a Trojan.
 
These two files (svchost.exe and lsass.exe) in C:\Windows\TEMP are recreated at startup if I try to delete them, and there are log files in that same folder that appear to be from something called "Claymore CryptoNote CPU Miner v3.3 Beta".
If I disable the network connection the GPU returns to normal usage. I have tried to run several malware removal programs and they delete the files, but they keep reappearing once I restart the PC.
I'm running Windows 10 so I can't use ComboFix.
Here are the FRST logs (I'm not a native English speaker so I'm sorry if this is difficult to understand).
 
FRST log.
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:05-03-2016
Ran by Servatis (administrator) on ANDRES (05-03-2016 11:40:01)
Running from E:\Downloads
Loaded Profiles: Servatis (Available Profiles: Servatis)
Platform: Windows 10 Pro (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(PACE Anti-Piracy, Inc.) C:\Program Files (x86)\... Read more

Answer:GPU at 99% usage idle. Posible Bitcoin Miner

Hello Servatis and Welcome to the BleepingComputer.
My name is Yılmaz and I'll help you with the cleanup of malware from your computer.
Before we move on, please read the following points carefully.
Please complete all steps in the specified order.
Even if tools don't find malware, I want you to post the logfiles anyway.
Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
Don't install or uninstall software during the cleanup unless you are told to do so.
If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I am assuming that you don't need help anymore and your topic will be closed.
I can not guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
Please reply to this thread. Do not start a new topic.
As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
Please open the computer as administrator. How do I open the computer as administrator?
Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do... Read more

4 more replies

Greetings,
 
I've recently somehow acquired a virus that possibly uses my computer as a bitcoin miner. Googling around, that's my conclusion anyway. Any attempts so far to get rid of this thing have been fruitless.
 
I come to you for help because I'm at the end of my own knowledge limits.
 
Could someone here help me with removing this?

Answer:Conhost.exe spiking GPU to 100% -> bitcoin miner virus?

Welcome aboard

Download Security Check from here or here and save it to your Desktop.
Double-click SecurityCheck.exe
Follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.
NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
Make sure the following options are checked:
- Internet Services
- Windows Firewall
- System Restore
- Security Center/Action Center
- Windows Update
- Windows Defender
- Other Services
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

Please download MiniToolBox and run it.
Checkmark following boxes:
- Report IE Proxy Settings
- Report FF Proxy Settings
- List content of Hosts
- List IP configuration
- List Winsock Entries
- List last 10 Event Viewer log
- List Installed Programs
- List Devices (do NOT change any settings here)
- List Users, Partitions and Memory size
Click Go and post the result.

Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Up... Read more

25 more replies

It appears as though I have a Bitcoin Miner on my system, and I can't seem to get rid of it. It shows up as "jusched.exe" in the Task Manager, and it consistently uses around 30% of my CPU resources. It also utilizes an unknown amount of my GPU resources, as games are very laggy when it's running.
 
I would attach a DDS file, but it seems as though it's incompatible with my OS, Windows 8.1. MalwareBytes didn't find anything, but I'm 100% sure it's still on my system, as I've found the folder it's hiding in. I reran the scan, only searching in that particular folder, and allowed for scanning for rootkits. It seems to have found it, and I've attached the log file.
 
Any suggestions on what I can do? Thanks

Answer:Bitcoin Miner Masquerading as Java Update Manager

Hi & welcome to Bleeping Computer Forums!

My name is Jürgen and I will be assisting you with your Malware related problems. Before we move on, please read the following points carefully:

My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or Add/Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.
If I don't reply within 24 hours please PM me!
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.

Step 1
Please run a FRST scan. This will help us diagnose your problem.
Please download Farbar Recovery Scan Tool and save it to your Desktop.
(If you are not sure which version (32-/64-bit) applies to your system, ... Read more

10 more replies

My Toshiba Satellite was infected with a virus one day when I noticed my CPU usage was really high; every time I opened Task Manager my CPU immediately went up to 100%. I searched on the internet thinking it was a bug, but I read many forums and people have claimed it is not a bug. Most people stated hackers have found a way to take control of other computers and use them for Bitcoin mining and send the data back to the hacker. This is really slowing down my laptop. I have tried many antivirus programs, even Malwarebytes, but none of them have worked. I also tried resetting everything on my laptop back to factory settings and deleted every program, but the virus stayed. Even when I boot into safe mode the virus is there also. If I turn off all my antivirus protection the virus takes over my computer and I can't open Task Manager and all my programs will stop working, but I can still use browsers. The virus may also be a worm because 2 days after my laptop got infected it also infected my other PC. I think it was passed from my emails because both of the computers were logged into the same email. Please help, this problem is really getting harder for me, I am out of options. Thank you!
 

More replies

Hi. Recently I believe that my computer has become enslaved as a bitcoin miner, as it has become SUPER unusually slow all of a sudden. It started 3 days ago when I was simply watching youtube videos and then typing up stuff. All of a sudden my computer would get so slow that minimizing a window took forever, and moving the mouse was virtually impossible. This has never happened before, and my computer is quite powerful so I doubt that it is because of my hardware.
 
Games that I've played without problems in the past are also now unplayable even in lowest settings, as the FPS drops to 2. My computer wakes itself up from sleep often now, and on start up GPU usage immediately spikes as well as temperature, leading to very loud fan noise. I was recently infected by ZeroAccess rootkit, and although I "fixed" it with the help of this forum, many say that it is impossible to completely remove ZeroAccess, and I believe this is just ZeroAccess coming back (but my computer knowledge is limited).
 
Attach.txt is attached, and the following is my DDS log:
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16635  BrowserJavaVersion: 10.25.2
Run by Eric at 3:33:05 on 2013-08-14
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.4094.768 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft S... Read more

Answer:Have a BitCoin miner virus making my computer unuseable

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
--RogueKiller--
Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
Quit all programs that you may have started.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7, right-click and select "Run as Administrator" to start
For Windows XP, double-click to start.
Wait until Prescan has finished ...
Then Click on "Scan" button
Wait until the Status box shows "Scan Finished"
Click on "Delete"
Wait until the Status box shows "Deleting Finished"
Click on "Report" and copy/paste the content of the Notepad into your next reply.
The log should be found in RKreport[1].txt on your Desktop
Exit/Close RogueKiller+
===
Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.
Please download AdwCleaner by Xplode onto your Desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Delete tab follow the prompts.
A log file will automatically open after the scan has finished.
Please post the content of that log file with your next answer.
You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
===
Please download Junkware Removal Tool to your Desktop.
Please close your security software to avoid potential ... Read more

1 more replies

So my laptop seemed a little more sluggish and slow to start up recently. I decided to run SuperAntiSpyware and Mbam to see if there was any crap on it. 
 
SAS found some cookies and I deleted them
 
Mbam found minerd in my user folder.
 
I googled and also asked some friends about this before I did anything.
 
I saw an exe with a weird name in my task manager. Something like tn_23_RN_lled dkcap something or other. I ended the process.
 
I checked it with Norton and it says it's fine. Then I used the Norton Rootkit and Spyware scanner and restarted, and sure enough this popped up. Also something about users nt 32bit. I deleted the files in the scan.
 
minerd is still in my users folder though.
 
Using Trend Micro's Housecall now also and then MBAM again on recommendation.
 
What is this exactly and what does it do? How did I get it and please help me fully remove it from my laptop. Could any of my passwords or Internet banking be compromised already?
 
Thanks
 
Logs after following post on here.
 
 

Answer:Minerd Bitcoin Miner found with Mbam. Am I safe?

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
--RogueKiller--
Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
Quit all programs that you may have started.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7, right-click and select "Run as Administrator" to start
For Windows XP, double-click to start.
Wait until Prescan has finished ...
Then Click on "Scan" button
Wait until the Status box shows "Scan Finished"
Click on "Delete"
Wait until the Status box shows "Deleting Finished"
Click on "Report" and copy/paste the content of the Notepad into your next reply.
The log should be found in RKreport[1].txt on your Desktop
Exit/Close RogueKiller+
==============
Please download AdwCleaner by Xplode onto your Desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click the Scan button and wait for the process to complete.
Click the Report button and the report will open in Notepad.
IMPORTANT
If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click the Scan button and... Read more

35 more replies

So my laptop seemed a little more sluggish and slow to start up recently. I decided to run SuperAntiSpyware and Mbam to see if there was any crap on it. 
 
SAS found some cookies and I deleted them
 
Mbam found minerd in my user folder.
 
I googled and also asked some friends about this before I did anything.
 
I saw an exe with a weird name in my task manager. Something like tn_23_RN_lled dkcap something or other. I ended the process.
 
I checked it with Norton and it says it's fine. Then I used the Norton Rootkit and Spyware scanner and restarted, and sure enough this popped up. Also something about users nt 32bit. I deleted the files in the scan.
 
minerd is still in my users folder though.
 
Using Trend Micro's Housecall now also and then MBAM again on recommendation.
 
What is this exactly and what does it do? How did I get it and please help me fully remove it from my laptop. Could any of my passwords or Internet banking be compromised already?
 
Thanks

Answer:Minerd Bitcoin Miner found with Mbam. How to delete?

Please follow the instructions in THIS GUIDE starting at Step 6. If you cannot complete a step, skip it and continue.Once the proper logs are created, then make a NEW TOPIC and post it HERE. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

3 more replies

Warning: EpicScale "riskware" silently installed with latest uTorrent
One more reason to not use torrent software.
Credits to Malware Study Hall Sophomore iangcarroll for sharing this with me.
Edit: Apparently users can opt out as per Malware Study Hall Admin Elise's post in #3 down below - it's the users that are not looking.
Still, I do not approve of bundling anything in with legitimate software ever.
Alex

Answer:uTorrent installs Bitcoin miner on customers' machines

Well, time to change torrent client, this is just not acceptable. Also, I made a member uninstall that program from their computer yesterday, I'll try to find the thread.

29 more replies

My GPU is running at about 90% load at around 75 degrees C. This sudden change did not seem to accompany the download of any external software as it occurred while my computer ran overnight. Uninstalling and updating/reverting drivers seems to have no effect. The hardware itself seems to be working correctly, no problems with the fan or dust buildup and no previous issues, leaving malicious software as the only possible culprit. I have Malwarebytes and AVG both installed and have run scans with them, each failing to locate any malware. I attempted to locate the process causing the high load with Process Explorer, but found that no processes other than the Desktop Window Manager are using my GPU. Advice from others leads me to believe that this could possibly be a bitcoin virus, using my GPU to mine for bitcoins. I am running Windows 7 64-Bit. Is this a hardware/driver issue or is it indeed caused by malware?

Answer:GPU idles at 90% load, search results suggest a bitcoin miner.

Welcome aboard

Download Security Check from here or here and save it to your Desktop.
Double-click SecurityCheck.exe
Follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.
NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
Make sure the following options are checked:
- Internet Services
- Windows Firewall
- System Restore
- Security Center/Action Center
- Windows Update
- Windows Defender
- Other Services
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

Please download MiniToolBox and run it.
Checkmark following boxes:
- Report IE Proxy Settings
- Report FF Proxy Settings
- List content of Hosts
- List IP configuration
- List Winsock Entries
- List last 10 Event Viewer log
- List Installed Programs
- List Devices (do NOT change any settings here)
- List Users, Partitions and Memory size
Click Go and post the result.

Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Up... Read more

15 more replies

Hi, I am having some trouble with the video card GTX660 or the NVidia driver but I really don't know for sure which one is not working properly. So, in normal mode the video card parameters are: GPU load 0%, clock: 324 MHz / 324 MHz @ 0.90v, fan at 1140 rpm, temp: 31 and memory load: 109mb / 2048mb. EVERY TIME I restart my computer all these parameters go high and never come back to normal until I reinstall the NVidia driver v. 320.49. Abnormal parameters are: GPU load: 98%, clock 1110 MHz / 3005 MHz @ 0.98v, fan 1500 rpm, temp: 51 and memory load 210 / 2048mb. It looks like the card is overclocking itself after PC restart but I NEVER overclocked it.
Also the Realtek network adapter driver is causing me trouble, meaning I have to disable/enable it a few times a week to get full internet speed (I have 125 mb broadband speed when it works, and when it's not working I get only a few mbs before disabling/enabling the network adaptor).
All these started after I got PUP.BitCoinMiner and Trojan.Win32.BitMin.x from a game I tried to install, even if I managed, I think, to erase them with Kaspersky Internet Security 2013.
OS: windows 7 ultimate x64, all the drivers are the newest ones.
I would appreciate some help because it is so annoying to reinstall the windows with everything else. Thank you !
 

Answer:bitcoin miner and trojan.win32.bitmin.x removed but still got problems

Hello bogdanuk

Run these next please.

Please download Malwarebytes Anti-Malware and save it to your desktop.
Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Double-click on the renamed file to install, then follow these instructions for doing a Quick Scan in normal mode.
Don't forget to check for database definition updates through the program's interface (preferable method) before scanning.
If you cannot update Malwarebytes or use the Internet to download any files to the infected computer, manually update the database by following the instructions in FAQ Section A: 4. Issues
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
After completing the scan, a log report will open in Notepad.
The log is automatically saved and can be viewed by clicking the Logs tab.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. F... Read more

3 more replies

So recently I noticed that my GPU utilization was at a constant 100%, so I ran HitmanPro, which informed me of two exe files in Windows\Temp that were Trojans, lsass.exe and svchost.exe. How do I remove them and prevent them from reappearing when I boot up my PC?
 

Answer:Bitcoin miner Trojans reappear when rebooting every time I remove them

Preliminary instructions: http://www.techspot.com/community/t...lware-removal-preliminary-instructions.58138/
 

25 more replies

Hello, my PC has been infected by this Trojan. It appears to be using my CPU and GPU for Bitcoin mining. I noticed this because the PC ran slowly and task manager showed svchost.exe increasing CPU to 100%. Below is information I've been able to gather about this infection, hopefully it can assist you.

Behavior:
The svchost.exe is recreated if the process is ended from task manager.
It is only visible in task manager if "Show processes from all users" is checked.
It is located in C:\Windows\Temp.
A file called lsass.exe is also located in C:\Windows\Temp.
In C:\Windows\Temp there are also several log files with the earliest one being created on 3/29/15. These log files seem to be configuration logs for "Claymore CryptoNote GPU Miner v9.2 Beta" which suggests 3/29/15 as the infection date. I can upload a log file here if it will help.
On first booting the PC, the C:\Windows\Temp folder has all the log files but svchost.exe and lsass.exe are not there and CPU usage is normal.
After approx. 1 minute, svchost.exe appears in this folder followed shortly by lsass.exe and CPU usage spikes to 100%.
Disconnecting the network cable returns CPU usage to normal level after approx. 1 minute. svchost.exe and lsass.exe remain in the folder.
Reconnecting the network cable returns the CPU usage to 100% after approx. 1 minute.
If the PC is booted up with the network cable disconnected, both svchost.exe and lsass.exe are not created in C:\Windows\Temp and CPU usage is normal.
Once the ... Read more

Answer:Trojan.Agent.Mnr (Bitcoin Miner) running fake svchost.exe and lsass.exe

Greetings Alex2K and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.
If you would allow me to call you by your first name I would prefer to do that.
===================================================
Ground Rules:

First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.

Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.

Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.

Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems... Read more

20 more replies
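The two threads above describe the same pattern: a miner dropped as svchost.exe and lsass.exe in C:\Windows\Temp, recreated after every reboot by something that is still persisted, and idle whenever the network (and so the mining pool) is unreachable. The triage below is an added example, not code from any of the posts or from the tools the helpers use. It parses constructed, abbreviated samples in the shape of `schtasks /Query /FO CSV /V` and `wmic process get Name,ExecutablePath,CommandLine /FORMAT:CSV` output and flags the three things a practitioner would otherwise check by hand: a Windows system binary name outside System32, a binary in a user-writable directory, and mining-pool arguments on the command line. The host name, user name, task names, pool URL and wallet placeholder are invented, and the stratum URL pattern is an assumption about how Claymore-style miners are launched, since the threads show the miner's log files but not its command line.

```python
"""Triage of a planted miner that comes back after reboot.

Added example (not from the forum posts). Flags autostart entries and running
processes that (a) reuse a Windows system binary name outside System32,
(b) run from a user-writable directory, or (c) carry mining-pool arguments.
Inputs are constructed samples shaped like the output of
  schtasks /Query /FO CSV /V
  wmic process get Name,ExecutablePath,CommandLine /FORMAT:CSV
"""
import csv
import io
import re
from pathlib import PureWindowsPath

# Names that legitimately run only from these two directories.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "conhost.exe", "csrss.exe",
                   "services.exe", "winlogon.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}

# Drop locations seen in the threads (lower-cased substrings of a full path).
USER_WRITABLE = ("c:\\windows\\temp\\", "\\appdata\\", "\\programdata\\",
                 "\\users\\public\\")

# Assumption: stratum miners (Claymore, minerd, xmrig) take a pool URL on the
# command line; the threads show the miner's logs, not its arguments.
MINER_PATTERNS = (re.compile(r"stratum\+(tcp|ssl)://", re.I),
                  re.compile(r"\bminerd\b|claymore|cryptonight|xmrig", re.I))


def expand(path: str) -> str:
    """Lower-case and expand the variables stock tasks use (assumes C:\\Windows)."""
    low = path.lower()
    return low.replace("%windir%", "c:\\windows").replace("%systemroot%", "c:\\windows")


def executable_of(command: str) -> str:
    """First token of a 'Task To Run' string, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def classify(exe: str, command_line: str = "") -> list:
    """Reasons this binary looks planted; an empty list means nothing tripped."""
    path = PureWindowsPath(expand(exe))
    reasons = []
    if path.name in SYSTEM_BINARIES and str(path.parent) not in SYSTEM_DIRS:
        reasons.append("system-binary name outside System32")
    if any(marker in str(path) for marker in USER_WRITABLE):
        reasons.append("runs from user-writable directory")
    if any(p.search(command_line or exe) for p in MINER_PATTERNS):
        reasons.append("mining-pool arguments on command line")
    return reasons


def suspicious_tasks(schtasks_csv: str) -> list:
    """(TaskName, reasons) for every scheduled task that trips a heuristic."""
    hits = []
    for row in csv.DictReader(io.StringIO(schtasks_csv.strip())):
        action = row["Task To Run"]
        reasons = classify(executable_of(action), action)
        if reasons:
            hits.append((row["TaskName"], reasons))
    return hits


def suspicious_processes(wmic_csv: str) -> list:
    """(ExecutablePath, reasons) for every running process that trips a heuristic."""
    hits = []
    for row in csv.DictReader(io.StringIO(wmic_csv.strip())):
        reasons = classify(row["ExecutablePath"], row["CommandLine"])
        if reasons:
            hits.append((row["ExecutablePath"], reasons))
    return hits


# Constructed sample: two stock tasks, then the planted ones (names invented).
SCHTASKS_CSV = r"""
"HostName","TaskName","Task To Run","Run As User","Scheduled Task State"
"WEBSRV01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -k -g -$","SYSTEM","Enabled"
"WEBSRV01","\Microsoft\Windows\WindowsUpdate\Scheduled Start","C:\Windows\system32\sc.exe start wuauserv","SYSTEM","Enabled"
"WEBSRV01","\WindowsUpdateCheck","C:\Windows\TEMP\svchost.exe -o stratum+tcp://pool.example:3333 -u WALLET -p x","SYSTEM","Enabled"
"WEBSRV01","\JavaUpdate","C:\Users\admin\AppData\LocalLow\jusched.exe","admin","Enabled"
"""

# Constructed sample: the real svchost/lsass next to the copies in TEMP, plus a
# legitimate jusched.exe to show that the name alone is not the tell.
WMIC_CSV = r"""
Node,CommandLine,ExecutablePath,Name
WEBSRV01,C:\Windows\system32\svchost.exe -k netsvcs,C:\Windows\system32\svchost.exe,svchost.exe
WEBSRV01,C:\Windows\system32\lsass.exe,C:\Windows\system32\lsass.exe,lsass.exe
WEBSRV01,C:\Windows\TEMP\svchost.exe -o stratum+tcp://pool.example:3333 -u WALLET -p x,C:\Windows\TEMP\svchost.exe,svchost.exe
WEBSRV01,C:\Windows\TEMP\lsass.exe,C:\Windows\TEMP\lsass.exe,lsass.exe
WEBSRV01,C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe,C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe,jusched.exe
"""

if __name__ == "__main__":
    for name, why in suspicious_tasks(SCHTASKS_CSV):
        print(f"task {name}: {', '.join(why)}")
    for exe, why in suspicious_processes(WMIC_CSV):
        print(f"process {exe}: {', '.join(why)}")
```

The order matters for the "keeps coming back" symptom: deleting the two files in Temp only removes what the persisted entry re-fetches, so the task (or service, Run key or WMI subscription, which the same `classify` heuristics apply to) has to be found and removed first, and the check re-run after the next reboot. The legitimate jusched.exe in the sample trips nothing, which is the point of checking the path rather than the name; a hash or signature check on the flagged files is the natural next step before anything is deleted.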

Hi, I need help removing these 2 viruses that keep reappearing after I tried to clean them with Malwarebytes.
 
Here is my dds.txt below, I have also attached the attach.txt from dds scan.
 
 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 9.0.8112.16502  BrowserJavaVersion: 10.25.2
Run by HM at 0:33:02 on 2013-10-26
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.8162.5929 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
AV: Avira Desktop *Enabled/Outdated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Outdated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\Sy... Read more

Answer:Need help removing Trojan.Agent.Gen and Trojan.Bitcoin.Miner

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
--RogueKiller--
Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
Quit all programs that you may have started.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7, right-click and select "Run as Administrator" to start
For Windows XP, double-click to start.
Wait until Prescan has finished ...
Then Click on "Scan" button
Wait until the Status box shows "Scan Finished"
Click on "Delete"
Wait until the Status box shows "Deleting Finished"
Click on "Report" and copy/paste the content of the Notepad into your next reply.
The log should be found in RKreport[1].txt on your Desktop
Exit/Close RogueKiller+
===
Please download AdwCleaner by Xplode onto your Desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click the Scan button and wait for the process to complete.
Click the Report button and the report will open in Notepad.
IMPORTANT
If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click the Scan button and wait for t... Read more

8 more replies

Hi, and thanks for your time.
 
I need assistance in getting rid of Trojan.Agent.Gen and Trojan.Bitcoin.Miner that keeps coming back after cleaning by MalwareBytes.
 
 
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 8.0.7601.17514  BrowserJavaVersion: 10.7.2
Run by Vagrant at 19:55:57 on 2013-08-14
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.8173.5400 [GMT 8:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Program Files\Tablet\Pen\WTabletServiceCon.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\ASUS\AXSP\1.00.14\atkexComSvc.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\ASUS\AI Suite II\AsRoutineController.exe
C:\Program Files (x86)\ASUS\AAHM\1.0... Read more

Answer:Trojan.Agent.Gen and Trojan.Bitcoin.Miner

Hello aelwyd

I would like to welcome you to the Malware Removal section of the forum. Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", ... Read more

20 more replies

OK, I know little about FTP servers, but I would like to set up my rig as an FTP server... I want to set it up as an FTP server so I can download or upload files when I am away from home. In case you need my system specs, they can be found in the document below. I need to know how I can set this thing up as a simple FTP file server, so I can upload or download documents, images, music files, etc., while I am at school, work, or wherever I may need a file. Since the My Documents of my school laptop synchronizes to a server, files sometimes go missing, so I will back them up on here.

I am going to upgrade to 512 MB of RAM, and put a Linksys 10/100 EtherFast card in here; I seem to have them lying around everywhere, and I can't get the onboard LAN to work. I will pull out the D-Link wireless adapter when I get a LAN line run to my room, which will be some time after the 20th, which is when I get paid. I am also going to fit two 120mm fans to the front of the case; the case is a Gateway 2000 P5-133. I removed the plate that covered the fan vents; with a little sawing of plastic and some drilling, it will fit nicely. I am also putting in a hard drive cooler that takes up 3 5.25" bays and has a 120mm fan to cool the hard drives, although I will have to swap the fan; I don't want one with blue LEDs in my server, which may have to run at times while I am sleeping. It will be set up at the foot of my bed, so a bright blue light isn't a good idea. I can stand the noise though. I will... Read more

Answer: How do I set up W2K Datacenter Server for FTP?

Acquire an FTP server, punch a hole in your firewall and watch the leeches come out to play...

6 more replies

Hi All, I need to install Windows Server 2012 Datacenter with Hyper-V features installed to a ThinkPad laptop, as it is more durable compared to others, and I'm planning to buy a Lenovo ThinkPad T61 with the specs below:

CPU Processor: Intel Core 2 Duo T7100 (1.80 GHz)
Memory: 2 GB
HDD: 80 GB SATA
Optical drive: DVD drive
Network: Wireless + Gigabit LAN

My questions are:
1. Is it a good idea?
2. If it's not a good idea, how to make it work on this series?

Thank you in advance.

Answer: T61 - Windows Server 2012 Datacenter

Hello,
 
From looking at the system requirements here on Microsoft's web site, it looks like the T61 meets the requirements for running Windows Server 2012, but that's largely because Microsoft doesn't seem to differentiate between requirements for the Foundation, Essentials, Standard and Datacenter editions.
 
Personally, I'd suggest going with the biggest, fastest 2012-vintage (or newer) laptop that I could find, such as a W520 or W530.
 
Regards,
 
Aryeh Goretsky
 

3 more replies

Starting a migration from SBS 2011 to Server 2012 R2 Datacenter.

The migration doc says to "run the Migration Preparation Tool on the Source Server". I've found one link online stating that when going from SBS 2011 to Server 2012 R2 this step isn't necessary - but I've yet to find any other proof of this.

If I am supposed to run the prep tool, where the heck is it??? Because it's not in the listed location on the ISO from MS:
2. Open Windows Explorer, browse to the \support\tools folder of the DVD, and then double-click the sourcetool.msi file.

Ideas?
Thx
 

Answer: Migrate SBS 2011 to Server 2012 R2 (Datacenter)

What on the server are you migrating? "Everything" is not what I'm looking for
 

3 more replies

Can you please tell me how to club Windows 7 64-bit, Windows Server 2008 R2 (64-bit) and SQL Server 2008 in a single DVD?
Please reply how. Give me details.

Answer: How to club Windows 7, Windows Server 2008 and SQL Server 2008 in a single DVD

Hi, welcome.
I beg your pardon, what do you mean by "club Windows 7, Windows 2008 in a single DVD"?
Can you please use a synonym?
Thank you

6 more replies

This is my home server I use for DLNA, backup, main storage, and streaming:
Windows server 2008 R2
Intel Core i5 3570k
asus P8z77-i Deluxe
4x Samsung f4 2tb
LSI megaraid 9260-4i
8gb Samsung 30nm ddr3
40gb Intel 320 SSD(boot)
60gb Corsair Force GT(windows server 8)
500gb Seagate Momentus(temp install files)

Originally the server had x4 635 amd processor etc and I had a perc 5i card in there and my server worked great, I had no issues at all nor when I upgraded again to i7 2600k server and threw down a megaraid lsi card in there. I was able to transfer with ease and got extremely high copy rates etc. and of course streaming was flawless.

Now that I've upgraded my system (just a week ago) I've been stressing on trying to get my system to what I had before. I CANNOT copy ANY files from or to the server through mapped drives, which I mainly use to access the server itself: streaming, storage, etc. I'll get a copy popup and it'll transfer at 16 kB/s, and even though the file was only 1 meg, it simply freezes.

Accessing the mapped drive has been a nightmare, requiring me to wait minutes before being able to enter folders, and even opening files is worse; I cannot even stream a 7 MB MP3 at all. Before, I streamed my entire library of music directly off the server and had no issues at all.

I've tried: swapping routers(wndr3700-r6300) both gigabit, cat 5e/6 cable swaps, disabled netsh autotuninglevel etc, reinstalling windows server, and updating all hardware etc.

Thing to note:
... Read more

Answer: Windows Server 2008 R2 Datacenter; slow transfers

Arkuatic, welcome to the Windows 7 forums.

Something leads me to question....

"I had to force install gigabit drivers as Intel decided not to have the 82579V 2008 R2 driver support. (This is my biggest concern.)"

It could be the drivers not working properly. Did you try a gigabit ethernet card and disable the on-board one?

Rich

6 more replies

Hello everyone, this is my first post and I count on your support.
I am currently trying to install Windows Server 2016 Datacenter Edition using Windows Deployment Services on two 136.12 GB disks in RAID 1, but it will not let me because it says I need at least 150 GB of HDD to proceed with the installation. The same method applied to virtualized machines in Hyper-V and Proxmox does not throw any error. (See attached image.)
The server details are as follows:
Dell PowerEdge R610, 128 GB RAM, Intel Xeon 2.67 GHz 6-core
4 HDDs in RAID 0, each independent: HDD 931 GB, HDD 931 GB, SSD 446.42 GB, HDD 1862.50 GB
2 HDDs, both in RAID 1: HDD 136.12 GB, HDD 136.12 GB
I count on your support.
Thankful in advance.
Best regards.

More replies

Hi All,
 
I tried to run the DDS program but it would not work because the problem is on my server running Windows 2003. I believe it is infected. I'm seeing CPU usage of 100% with ltc-miner.exe running. I have located two folders, C:\Windows\ltc-miner and C:\Windows\tanechka. I have isolated these programs to a new folder.
 
Please advise what I should do? My antivirus program is out of date. Any suggestions at this point would be most appreciated and helpful. I've run the Malwarebytes Anti-Malware and have detected two viruses.
 
Thank you all.
 
Mongooseba

Answer: Server 2003 ltc-miner

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
***************************************************
In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.
CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/512694 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************
If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of t... Read more

2 more replies

I plan on doing a straightforward upgrade from Win 2008 Server (x64) to Win 2008 Server R2 on my work computer Monday. I assume the process will be painless but wanted to know if there may be any surprises. I'd like to keep any time to fix upgrade errors to a minimum since this is my work computer. Thoughts? Thanks.
 

Answer: Windows 2008 Server R2 upgrade from 2008 Server?

Done it many times, works fine.
 

1 more replies

Maybe worth a heads up to some on Vista, as application compatibility is high on the agenda for many Vista users and this update should be filtering through now on WU.



INTRODUCTION

This article describes the May 2008 Windows Vista and Windows Server 2008 Application Compatibility Update. This update is a package of software updates that address common application compatibility issues that occur in Windows Vista.


This update is cumulative. Therefore, it contains all fixes that were included in previous application compatibility updates. These fixes improve application compatibility in Windows Vista for the following applications:

- Absolute Poker Version 5.7
- ACDSee 8
- Adobe Creative Suite CS2
- Adobe Acrobat Reader 7.0 - 7.07
- Adobe Photoshop 7.0.1
- Adobe Photoshop CS 8.0
- Adobe Photoshop Elements Version 4.0
- Adobe Premiere Elements 3
- AOL 9.0 - x64
- AOL Safety and Security Center 2.5.4.1
- ArcSoft PhotoImpression 5
- Auslogics Disk Defrag 1.0.3
- AVG Anti-Spyware 7.5.0.47
- Azureus 1.0
- Battlefield 2 Deluxe

and many more but see link below for full list and manual download if you have not been offered it yet on Windows Update ( WU )



http://support.microsoft.com/kb/947562
 

More replies

Will Visual Studio 2008, SQL Server 2008 support .NET version 4.5 or higher?

More replies

Hello,
In the DISA Security Technical Implementation Guides (STIGs) there is a test for event tracing (#V31026).
The STIG indicates that if you are running Win 2008 the absence of etwenable = false is not a 'finding' because event tracing is enabled by default (on 2008 servers) and it should be enabled and running.
Is this the same for windows 2008 R2 Enterprise Server?
I cannot find the element etwenable in my 2008 R2 Enterprise server test system, it does not exist.
Does that mean the requirement for the STIG is met, and event tracing IS enabled by default on Win 2008 R2 Enterprise Servers?  No further action is required to enable? 

Is there an easy way to verify it actually is enabled?  Check registry value, run script?

Excerpt from the STIG:
Microsoft Dot Net Framework 4.0 STIG
Rule Title:  Event tracing for Windows (ETW) for Common Language Runtime events must be enabled.
STIG ID: APPNET0067  Rule ID: SV-41075r1_rule 
Vuln ID: V-31026
Severity: CAT II Class: Unclass
NOTE:
Beginning with Windows Vista and Windows Server 2008, ETW Tracing is enabled by default and the "etwEnable" setting is not required in order for Event Tracing to be enabled. 
An etwEnable setting of "true" IS required in earlier versions of Windows as ETW is disabled by default.
Thank you,
V/R
Bill
William C. "BC" Davis PMP, CISSP, IASO
Lead Infosec Engineer/Scientist
Comm:   781.271.5221
DSN: ... Read more

More replies

I am going to be moving all the shared folders on my Server 2003 file server to my new Server 2008 VM and want to do it in a way that will allow my clients to be able to access them as if nothing happened. I have been reading about the Windows FSMT (File Server Migration Toolkit) http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=10268 and it will copy over all the permissions and everything, but I am not sure how to go about making sure the clients will still be able to access the shares, especially if they have mapped any of them. If I change the IP and host name of the new machine to the old one after the migration is complete and then shut down the old server, will everything run smoothly? What is the best way to go about doing this?
 

Answer: Migrate Server 2003 file server shares to new machine (Server 2008)

You can do this, or you can change DNS so that the old server name points to the new server IP. You need to turn off StrictNameChecking:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"DisableStrictNameChecking"=dword:00000001

This means that you can name the server whatever you want, but if you go to the old host name it will also take you to the new server.

Don't forget this needs to be completed and rolled out after the users log off but before they log back in.

As old users move on and new users join, make sure that you link them to the share via the new host name so eventually the old host name is phased out and you can remove the above reg key.
 

26 more replies

How can I remove all my old computer programs from my new HP Slimline desktop 260-po26? Microsoft keeps loading all my old computer stuff every time I hook up my AT&T internet connection.

Answer: How to remove Windows Server 2008, 2008 SP1, SP2, Vista, SP1, SP2, ...

chuck5014 wrote: "How can I remove all my old computer programs from my new HP Slimline desktop 260-po26? Microsoft keeps loading all my old computer stuff every time I hook up my AT&T internet connection."

Could you clarify what you're having a problem with? Post a screenshot if possible.

1 more replies

Is this possible? I've got my free copy of server 08 and a 'older' spare PC that I'd like to install it on (I hope). Putting system requirements aside, is this attainable? The main thing that attracts me is the advertisement that server 08 can run php and asp.net side by side.

I've searched and looked around, but I haven't really found anything useful. That might be a sign...
 

Answer: Server 2008 as a Web Server/File Server/Print Server

I tested Server 2008 on an old HP Compaq nx9600 laptop (P4 3 GHz, 512 MB RAM, ATI Radeon Mobility X300) I had lying around in my cabinet, in an attempt to practice migrating and upgrading WSS 2.0 from a 2003 server to WSS 3.0 on the 2008 server on the laptop. It ran slow as shit when the WMSDE database was running lol... but without it, it was as smooth as Win2003.

I say give it a try.
 

10 more replies

Hey guys, I have two domain controllers running Server 2008 x64, and I want to move them both to R2. What do I need to do to make this migration happen? Is there any type of in place upgrade solution? Do I need to do anything with the FSMO roles for this? The servers also take care of DNS and DHCP for my users. And one of them is also a print server. Any kind of basic checklist for this sort of thing would be great. Thanks!
 

Answer: Server 2008 x64 to Server 2008 R2 migration for DCs.

You can do an in-place upgrade, as long as the current DCs are x64 (which you've already stated).

Here's my list:

- Very important: Take a system state backup of one of the DCs.
- Verify replication topology
- Verify that replication is healthy between both DCs
- Check event logs for anything weird
- Run adprep /forestprep and domainprep on the schema master to prep the domain for R2 DCs
- Move the FSMO roles off of the server that you're going to upgrade first
- Verify that the roles have actually moved and that the change replicated
- Check the location of primary/secondary DNS for each DC
- Upgrade

If you had three DCs, what you could also do is completely take down one of the DCs until the upgrade was successful on the other two. That leaves you with a completely intact, untouched DC that you could use to perform an authoritative restore on the other two should things get really FUBAR.

DNS shouldn't be a concern since users will hopefully hit the other DC. DHCP will be a problem as users won't be able to get an IP while the DHCP box is down. I can't say for sure about printers as I avoid print servers like the plague.

I think that's everything. I'll post more if I remember something else.
 

9 more replies

Hello everyone. I am a new member and I have read the how to and tried to run the scanning tools as recommended. The first scan from Roguekiller produced some scary results and I am not sure how to proceed, but as the forum states, I will attach the log from the scan here for the geniuses to guide me to a safe removal of any malware or viruses.
 

Answer: Server 2008 and Server 2008 R2 Malware

I have attached the log from Roguekiller.

4 more replies

So right now I'm running a Windows 2003 server at the house. It was one of my first forays into real server technologies - the AD is a disaster, and my DNS is less than optimal. Additionally, the system needs some new hardware. So, over the summer, I want to upgrade the CPU, and I want to replace my aging RAID5 array of 6x400GB array with a larger and more reliable 3x1TB. (Yes, this is a true hard RAID5 board that runs like a bat out of hell and cost a minor fortune.)

Anyway, I get all sorts of free MS software through school, so I can put pretty much anything I want on here. I want to run my own Exchange server as well. I installed and run SBS2008 at work, and very much like the tight integration and nice management tools. So the question is, do I just run SBS 2008, or do I set up Server 2008 R2, and manually set up Exchange 2007, SQL 2008, etc.? I want the integration of SBS, but I kind of like the idea of using a server OS based on Win7 instead of Vista.
 

Answer: Home: Server 2008 R2 or SBS 2008?

Server 2008 is Vista-based.

Personally, if I had both, I'd just use Server 2008, especially if you're used to 2003.
 

3 more replies

While I'm still stabilising the overclock on my PC, can I ask if anyone has installed Visual Studio 2008 & SQL Server 2008 on Windows 7 x64 7600? If you do get any hiccups during install but manage to install it, does it run alright? Any problems? I'm interested in C# and ASP.NET development only. Thanks.

Answer: VS 2008 & SQL Server 2008 compatibility

Get the service packs. They run just fine.

1 more replies

Please help! I have installed Server 2008 x64 and as soon as I install the motherboard Initial Configuration Tasks stops working.

These are the errors I get:

Description:
Stopped working

Problem signature:
Problem Event Name: CLR20r3
Problem Signature 01: oobe.exe
Problem Signature 02: 6.0.6001.18000
Problem Signature 03: 47917945
Problem Signature 04: Microsoft.Windows.ServerManager
Problem Signature 05: 6.0.0.0
Problem Signature 06: 4791ad96
Problem Signature 07: 1f26
Problem Signature 08: 1e
Problem Signature 09: System.NullReferenceException
OS Version: 6.0.6001.2.1.0.256.1
Locale ID: 2057

I have no idea what it means and I can't find the .exe that opens Initial Configuration Tasks to try and start it again without restarting. I have tried going into msconfig and disabling all startup programs to see if that helped; it didn't.

Someone please, please, tell me this has happened to you and you have fixed it?
 

Answer: Server 2008 x64 Windows Server Initial Configuration Tasks has stopped working

I got the same problem after installing my motherboard drivers.

I'll let you know if I find something !
 

5 more replies

Hi,

I'm not sure if this is the correct place to ask for a helping hand here, but I'm having trouble tracking down the source of a problem. My dedicated server provider has informed me that one of my servers has been sending SYN flood attacks to another one of my servers connected to the same router and has unplugged the network cable on it for now as a precaution.

I can still remote desktop to the machine to work on it though.

Here is what they sent me:
This was a flood of traffic between the following two IPs 174.*.*.218,
174.*.*.219 Mainly traffic from 174.*.*.218 to the 174.*.*.219. All
4096 packets, that are the limit for a capture on the router, were strictly
traffic to and from these two IPs, and mainly traffic from 174.*.*.218 to the
.219 IP. This traffic was causing the CPU on the router to spike, thus causing
packetloss on the device.

It would appear that the 174.*.*.218 server was
performing a syn attack to the server 174.*.*.219. As this traffic was
originating from a host on this router to another host on this router. Cisco
Guard would not have mitigated this issue.

---

Now I have done some tests with netstat -o to try and find any rogue applications but everything seems normal to me. I have done a scan with Avast Server Edition and also Malwarebytes to see if anything could be picked up but both came back clean.

Has anyone got any advice?

Paul
 

Answer: Dedicated Server - Windows Server 2008 Standard. Been told it is sending syn floods

Welcome to Major Geeks!

Please read ALL of this message including the notes before doing anything.

Please follow the instructions in the below link:

READ & RUN ME FIRST. Malware Removal Guide


and attach the requested logs when you finish these instructions.

**** If something does not run, write down the info to explain to us later but keep on going. ****
Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.


After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
Helpful Notes:


If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

Starting your computer in Safe mode

If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections c... Read more

6 more replies

I have installed the Administration Tools Pack on Windows 7 and enabled remote connections on my Server 2008 box. When I try to connect with my Windows 7 Server Manager it does not work.

I see stuff on Google about enabling a trusted host with WinRM but can't find a way to do this.

This seems more difficult than it should be?

This is what I keep getting:
 

Answer: Can't connect to Server 2008 via Windows 7 Administration tools/Server Manager

Check Technet for the WinRM reference and or make sure that WinRM is enabled on the servers you are trying to access.

Use group policy to enable it if you need to do a bunch of machines at once. I'm using this with no problems.
 

1 more replies

I have received a new windows 7 pro computer to replace my old windows xp computer. I have used the Windows easy transfer tool to move the files from my old computer to the new one. The old computer is still connected for the time being. I named the computer the same name and have the same password. I did an update from xp to windows 7 on another computer and it seemed to work fine using the same process. It connected to the server automatically. I would really like to have it where the computer is just a workstation on the network and anyone can sign in with any name and password. How do I do it?

More replies

I have 2 servers, Windows 2000 & Windows 2008. I can always access them via XP but my Windows 7 Home system can't authenticate. It appears to add the domain name as a preamble to my user name in the authentication... does this make sense?


Thanks
-Jeff

More replies

Heroes Happen {Here} is what Microsoft calls the promotional tour for three of its 2008 products, which will come to many cities in the United States this year. Users who attend a launch event will get a promotional kit of the three Microsoft products: the Windows Server 2008 operating system, Microsoft SQL Server 2008, and Microsoft Visual Studio 2008.
Not everyone can just walk in though and grab the copies, you need to register to be able to attend an event and even then kits will only be given out as long as supplies last. Events will also take place in other countries. A quick check revealed one event in Germany where attendees have to pay a fee to be able to attend the event. They still get the software kit with the newest versions of the applications though.
News Source: http://www.ghacks.net/2008/01/22/free-copies-of-windows-server-sql-server-and-visual-studio-2008/
You have to give a company name and job title during registration. It is unclear if Microsoft will reject applications if they do not meet certain criteria. The first event is on February 27th in Los Angeles, the last on May 22nd in Reston.

Free Copies of Windows Server, SQL Server and Visual Studio 2008 : Welcome To Tech-Dump

More replies

We have a requirement to get the Windows services from one of our remote servers. We already have a group with admin rights on that machine and users added to it. But while fetching the services with those details we get the error below.
We are using C#.net to fetch the services.
Error:
InvalidOperationException Was caught
Cannot open Service Control Manager on computer :"". This operation might require other privileges.

More replies

I'm experimenting with implementing this and am having a few issues.

When I install a print device and deploy with GPO, it works great.

When I update the driver on the server to a newer version using the 'new driver' button, I have issues. It prompts the user saying they need to install the driver. If you choose to install, it prompts for administrator credentials, which obviously negates the whole point of centralized management.

If I remove the printer from deployment, delete it and the driver, then add it again with an older version driver, and redeploy, the clients are still using the newer driver (sometimes I have reasons to roll back print drivers).

One thing I did notice is the driver is not listed as a package, where the default stuff by Microsoft is. I don't know if that makes a difference. If it is, how can I create the package? Do I have to use WDS or something similar?

So, what am I doing wrong when I'm changing the drivers that it won't automatically deploy the new driver without user intervention? Also, if there is no way to force the change, is there a way to force client stations to delete the old driver without getting into a bunch of scripting (I don't care for it).
 

More replies

I have an Access 2000 database residing on one server and an installation of SQL Server 2008 residing on another. Both servers are running Windows Server 2003. I created a linked server using the code below. When I run EXEC sp_tables_ex 'PropCont' I get the following:
"OLE DB error trace [OLE/DB Provider 'Microsoft.Jet.OLEDB.4.0' IDBInitialize::Initialize returned 0x80004005: The provider did not give any information about the error.].
Msg 7399, Level 16, State 1, Procedure sp_tables_ex, Line 13
OLE DB provider 'Microsoft.Jet.OLEDB.4.0' reported an error. The provider did not give any information about the error."

I tried changing the code to specify my account information, which has Administrative privileges on the domain and I get,
"OLE DB error trace [OLE/DB Provider 'Microsoft.Jet.OLEDB.4.0' IDBInitialize::Initialize returned 0x80040e4d: Authentication failed.].
Msg 7399, Level 16, State 1, Procedure sp_tables_ex, Line 13
OLE DB provider 'Microsoft.Jet.OLEDB.4.0' reported an error. Authentication failed."

Originally I was getting an error that said, "The workgroup information file is missing or opened exclusively by another user". I found an article online that suggested I do the following:
"1. Open SSMS
2. Expand Server Objects, Linked Servers, Providers
3. Double click the provider (Microsoft.Jet.OLEDB.4.0)
4. UNTICK the "Allow inprocess" option"
I did this and I stopped ... Read more

Answer: Linked Server from SQL Server 2008 to Access 2000 db gives error

7 more replies

Hi, I am going to install Windows 2008 Server on the IBM server x3650 7979 and couldn't get the supportive RAID Serv, as I currently have the IBM ServerGuide Setup and Installation CD version 7.4.17 for the Adaptec RAID controller 8k but it does not have a Windows 2008 Server option. Do assist me in this regard. Thanks
 

More replies

My Server 2008 Enterprise key from the Academic Alliance won't work on my new server; it says its activation limit has been reached. What can I do to work around this? What do you do when you run into this problem with home lab environments?
 

Answer: Server 2008 key won't activate on new server build

Call Microsoft and tell them you had to reinstall. They should give you a new key if it's a Retail key.
 

2 more replies

As my final project for the year I am setting up a server that we will eventually move all our computers on to. I am using a PowerEdge 2900 as a server with Windows Server 2008 installed. As of now I have 2 computers connected to the domain which they can log on to.

- What I need help with:
- How do I give all users access to programs?
- Each student needs to have access to her own drive through the server, not locally.
The client computers are connected to a switch using dhcp.
Any help would be greatly appreciated.

Answer: Setting up a server for school, help (Windows Server 2008)

I'm quite sure your instructor/teacher did not intend for anybody but you to do the final project for the year and nobody else.

9 more replies

I have installed the Administration Tools Pack on Windows 7 and enabled remote connections on my Server 2008 box. When I try to connect with my Windows 7 Server Manager it does not work.

I see stuff on Google about enabling a trusted host with WinRM but can't find a way to do this.

This seems more difficult than it should be?

This is what I keep getting:
 

Answer: Can't connect to Server 2008 via Server Manager on Windows 7?

Edit: I was wrong. HTTPS requires a non-self-signed cert.
Do the following in PowerShell. This is for PowerShell remoting but it does the WinRM stuff as well:

On the server:

Code:
# Configures the WinRM service and listener and opens the firewall for it
Enable-PSRemoting -Force

On the client:

Code:
# LocalAccountTokenFilterPolicy=1 disables UAC remote restrictions for local accounts
Start-Service WinRM
Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LocalAccountTokenFilterPolicy -Value 1 -Type DWord
# TrustedHosts skips host authentication for the named server (replace <ServerName>)
Set-Item WSMan:\localhost\Client\TrustedHosts -Value <ServerName> -Force -Concatenate

Be warned that this is very insecure.
 

18 more replies

I'm about to pull my hair out

C:\Users\Administrator>dcdiag /fix

Directory Server Diagnosis

Performing initial setup:
Trying to find home server...
Home Server = dc
* Identified AD Forest.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\DC
Starting test: Connectivity
The host 661bcd5c-ba25-4e96-81b3-64c2db98a63b._msdcs.cwmg.local could
not be resolved to an IP address. Check the DNS server, DHCP, server
name, etc.
Got error while checking LDAP and RPC connectivity. Please check your
firewall settings.
......................... DC failed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\DC
Skipping all tests, because server DC is not responding to directory
service requests.


Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation

Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation

Runnin... Read more

Answer: AD and DNS server roles not playing nicely in Server 2008

How many DCs?
 

22 more replies

I'm running into issues with a Terminal Server I set up. We migrated from a Terminal Server running on Server 2003 to a new server running Server 2008. All of our applications are running just fine in the new 64-bit OS; however, my users want to use Firefox on it, but we are having a lot of issues with it. Firefox installs fine, and you can browse web sites with it, but any time you try to browse the filesystem on the server it freezes. If I try to just do a file open, once it brings up the filesystem the browser freezes. This is important, as we need to import SSL certificates into it for our users to be able to access certain resources. Has anyone seen this, or have any suggestions on how to fix it? I have tried to uninstall and reinstall different versions; they all seem to be doing it.
 

More replies
Relevance 53.71%

Why? Because I need proper codec and audio support, and no-brainer stuff that just does not work. I have Windows 7 Professional x64 set up on dual-boot to Server 2008 and intend to use it for video encoding and related.

I am looking for suggestions similar to http://www.win2008workstation.com/ -- except the other way around and starting with Windows 7.
 

Answer:Converting Windows 7 for server use (or Server 2008 clone)?

It probably depends on what aspects of Server 2008 you want. What server roles do you want to be able to perform with Windows 7?
 

31 more replies
Relevance 53.71%

Hey guys,

I'm trying to boot from a USB memory stick to install 2008 SP2 (non-R2) on a Quad-Xeon ECC-RAM Supermicro server from around 2002 that has only a CD-ROM drive.

Fortunately,
The USB memory stick shows up as a hard drive boot device in the CMOS, but after following some instructions to format the thumb drive to FAT32 and run the following command: xcopy d:\*.* /s/e/f e:\ --- the drive will not boot to the installation; it simply boots to a black screen which says "Operating System Not Found".

The thread I originally came across discussed how to do this (through diskpart).
But diskpart doesn't list the USB removable memory stick as a device, so I can't follow the instructions, which were:

1) diskpart
2) list disk
3) select disk 1
4) clean
5) create partition primary
6) select partition 1
7) active
8) format fs=fat32
9) assign
10) exit

Anyway,
I think I'm missing a step.
I'm also sure there's a utility out there that would handle this.
Can someone point me in the right direction?
 

Answer:Booting from USB to install Server 2008 on an old Supermicro Server.

The diskpart instructions can be completed through Explorer. Right click the drive and select format.

Next, you are missing the bootsect.exe step. On the original Server 2008 installation media there should be a folder named boot. Inside you will find bootsect.exe.

You will need to run the following command against the USB drive and make sure you are running the command prompt in elevated mode (admin rights).

As an example, if your USB drive is E: then type:
Code:
bootsect.exe /nt60 e:

 

1 more replies
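The full procedure from the question and answer (diskpart preparation, file copy, then the missing bootsect step) as one script, added here as an example and not code from the thread. It assumes the install media is at D:, that the stick should become E:, and that exactly one USB disk is attached; it must run from an elevated PowerShell prompt.

```powershell
# Added example: prepares a USB stick for Server 2008 setup. D: and E: are
# assumed drive letters; change them to match your machine.
$mediaDrive = "D:"
$usbLetter  = "E"

# Pick the USB disk by interface type instead of guessing "disk 1":
# "clean" wipes whatever disk is selected, so the index has to be right.
$usb = Get-WmiObject Win32_DiskDrive | Where-Object { $_.InterfaceType -eq "USB" }
if (@($usb).Count -ne 1) { throw "Expected exactly one USB disk, found $(@($usb).Count)" }
"Using disk $($usb.Index): $($usb.Model) ($([math]::Round($usb.Size / 1GB, 1)) GB)"

# Same steps as the diskpart list in the question, fed to diskpart /s so
# the disk number is never typed by hand.
$script = @"
select disk $($usb.Index)
clean
create partition primary
select partition 1
active
format fs=fat32 quick
assign letter=$usbLetter
exit
"@
$script | Set-Content "$env:TEMP\usb-prep.txt" -Encoding ASCII
diskpart /s "$env:TEMP\usb-prep.txt"

# Copy the installation files (the xcopy from the question), then write an
# NT 6.x (BOOTMGR) boot sector; without it the BIOS reports
# "Operating System Not Found" exactly as described.
xcopy "$mediaDrive\*.*" "${usbLetter}:\" /s /e /f
& "$mediaDrive\boot\bootsect.exe" /nt60 "${usbLetter}:"
```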
Relevance 53.71%

Since Enterprise is discontinued, what version can 2008 R2 Ent be upgraded to?
 

Answer:server 2008 R2 Enterprise to Server 2012 ...... what version

I went with Datacenter since I wasn't sure.

Here's what I found though
If you are upgrading from Standard Edition or Enterprise Edition you can upgrade to Windows Server 2012 Standard Edition or Datacenter Edition. If you are upgrading from Datacenter Edition, you can only upgrade to Windows Server 2012 Datacenter Edition.

Source: http://technet.microsoft.com/en-us/library/hh994618.aspx#BKMK_UpgradePaths
 

6 more replies
Relevance 53.71%

Hey guys,

We are running an MSSQL 2005 Server with a client's database on it. The client uses a developer in India who is using SQL 2008 Server Management Studio. When he tries to connect to our 2005 Server, he gets an error. We have downloaded and reproduced the error and it appears to be a problem with 2008 Studio trying to connect to a 2005 server. I have asked the developer to move to a different version of Studio, but for the future I was wondering if anyone here knew of any kind of fix for this at all?
 

Answer:SQL 2008 Server Management Studio and SQL 2005 Server

They expect everyone to upgrade their entire infrastructure and clients to the new version the very second they come out simultaneously; that's why.
 

2 more replies
Relevance 53.71%

We had:

1) 1 Windows Server 2003 running Active Directory services to manage logon and permissions for file sharing.
2) 15 workstations.

We now want to have:

1) 1 Windows Server 2008 R2 server running Active Directory services to manage logon and permissions for file sharing.
2) 15 same workstations, with their same user profiles.

So I joined the 2008 R2 server to the domain, and then used the dcpromo tool to make it a domain controller.

Problem is, whenever I take the old server (the 2003 one) offline, everything flips out: logons are slow, and the 2008 server gives people trying to access shared files weird errors, such as that the server that authenticated them cannot be contacted, and asks them to log in again with their username and password before accessing shared files on the server.

What did I do wrong? I must be forgetting something.
 

Answer:Replacing a Windows 2003 AD DS server with a 2008 R2 AD DS server

1. Transfer all FSMO roles to your 2008 R2 server
2. Uninstall AD on 2003 server
3. You can now permanently take 2003 server offline
 

13 more replies
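Step 1 of the answer, with a verification step added: this is an added example, not the answerer's own commands, and it goes slightly beyond the answer by also checking that the new DC is a Global Catalog. It assumes the 2008 R2 DC is named NEWDC, that the Active Directory module (Server 2008 R2 RSAT) is installed, and that the account is in Domain, Enterprise and Schema Admins.

```powershell
# Added example: show, transfer and verify the five FSMO roles before
# uninstalling AD on the 2003 server. "NEWDC" is an assumed name.
Import-Module ActiveDirectory

$newDc = "NEWDC"

function Show-FsmoHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    "SchemaMaster         : $($forest.SchemaMaster)"
    "DomainNamingMaster   : $($forest.DomainNamingMaster)"
    "PDCEmulator          : $($domain.PDCEmulator)"
    "RIDMaster            : $($domain.RIDMaster)"
    "InfrastructureMaster : $($domain.InfrastructureMaster)"
}

"Role holders before transfer:"
Show-FsmoHolders

# Transfer, not seize: the 2003 DC must still be online so the roles hand
# over cleanly. -Force (seizure) is only for a DC that is gone for good.
Move-ADDirectoryServerOperationMasterRole -Identity $newDc -Confirm:$false `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

"Role holders after transfer:"
Show-FsmoHolders

# Logons need a reachable Global Catalog. If only the 2003 DC is a GC,
# taking it offline is a common cause of the slow logons and re-prompts
# described in the question, even with every FSMO role moved.
$dc = Get-ADDomainController -Identity $newDc
if (-not $dc.IsGlobalCatalog) {
    Write-Warning "$newDc is not a Global Catalog; enable it (AD Sites and Services > NTDS Settings) before demoting the 2003 server."
}
```

Clients also need a DNS server that stays online; if their DNS setting points only at the 2003 box, update DHCP or the client configuration before step 3.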
Relevance 53.71%

My migration from Server 2003 to Server 2008 was going great until I just shut down the last Server 2003 box that still had DNS running. Apparently DNS on my new Server 2008 DC was not really working and was forwarding requests to the old 2003 server. Once I shut it down, outside requests and the entire internet stopped working until I turned that server back on again. Do I need to set up DNS forwarders with the IP of my ISP's DNS server for this to work, or simply remove all forwarder IPs? I noticed on the old 2003 box it had no forwarders set up, so that means it was using the root hints all along? Internal host lookups work fine.
 

Answer:Server 2003 to Server 2008 migration DNS trouble

Yes, remove the forwarders, and let the server use the Root Hints to get what it needs. You might make sure your Root Hints are up to date, just in case.
 

4 more replies
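The answer's change (drop the forwarders, rely on root hints) with a check that the server can actually recurse afterwards, added here as an example rather than the answerer's own commands. It assumes it is run elevated on the 2008 DC holding the DNS role and uses the DNS WMI provider plus dnscmd, both present on Server 2008 (the DnsServer PowerShell module only exists from Server 2012).

```powershell
# Added example: inspect forwarders, clear them, confirm root-hint resolution.
$ns  = "root\MicrosoftDNS"
$dns = Get-WmiObject -Namespace $ns -Class MicrosoftDNS_Server

"Forwarders before : $($dns.Forwarders -join ', ')"
"Forward-only      : $($dns.IsSlave)"

# A forward-only ("slave") server never falls back to root hints, so the
# approach in the answer cannot work while this is set.
if ($dns.IsSlave) {
    Write-Warning "Server is forward-only; tick 'Use root hints if no forwarders are available' on the Forwarders tab."
}

# Remove every forwarder (the old 2003 server's address in the question);
# dnscmd /ResetForwarders with no addresses clears the list.
dnscmd /ResetForwarders

$dns = Get-WmiObject -Namespace $ns -Class MicrosoftDNS_Server
"Forwarders after  : '$($dns.Forwarders -join ', ')'"

# Query this server only. With no forwarders left, an answer here means the
# root hints are usable and outbound DNS (UDP/TCP 53) is allowed.
$out = nslookup www.example.com 127.0.0.1 2>&1
if ($out -match '^Name:') {
    "External resolution via root hints: OK"
} else {
    Write-Warning "External lookup failed; check the Root Hints tab in DNS Manager and outbound port 53."
}
```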
Relevance 53.71%

Ok so here's the deal:

2008 domain
GPP extension on all clients

Old server:
2003 32bit
has ~150 network printers
old name

New server:
2008 x64
cannot have same name as old server

My questions:

Since I can't use Print Migrator 3.1 (from 2003 to 2008 x64) can I install the new printers on the new server without conflicting with the old printers/server? If so I should just be able to roll the new printers out via GPP to each respective OU, right? Any advice on removing the old printers from the clients? It's 4-500 clients so I can't touch each one physically. I'm aware I will need x64 drivers when installing on the server then will need to manually add the 32bit drivers during each install (on the server).

Any advice would be appreciated. I've migrated 20-30 printers but never 150 off one server before.
 

Answer:Advice for print server cutover? (Server 2008 x64)

From my experience you can add the printers on any server without conflict. They are basically just "there" and people can connect to them if they want to. So you should be able to set up the printers on the new server without issue.

I don't know much about removing the existing printers from the client machines, especially with GPP. I have to brush up on my GPP skills as well as upgrade my functional domain level.

I was researching a script to delete all printers when the clients logged in and got it working, but never used it other than testing.
Thread here: http://hardforum.com/showthread.php?t=1566408
 

3 more replies
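For the "removing the old printers from the clients" question, a per-user logon script that deletes only the connections pointing at the old 2003 print server, leaving the GPP-deployed printers on the new server untouched. This is an added example, not the script from the linked thread; OLDPRINT and the log share are assumed names.

```powershell
# Added example: remove a user's printer connections to the old server.
$oldServer = "\\OLDPRINT"                          # assumed old server name
$logFile   = "\\fileserver\printlogs\cutover.log"  # assumed share, optional

function Remove-OldPrinterConnections {
    param([string]$ServerName, [switch]$DryRun)
    # Run in the user's context, Win32_Printer lists that user's
    # connections; ServerName is "\\host" or "\\host.fqdn" for network ones.
    $targets = Get-WmiObject Win32_Printer | Where-Object {
        $_.Network -and ($_.ServerName -eq $ServerName -or $_.ServerName -like "$ServerName.*")
    }
    $removed = @()
    foreach ($p in $targets) {
        if (-not $DryRun) { $p.Delete() }
        $removed += $p.Name
    }
    return $removed
}

# Use -DryRun on a pilot OU first, then deploy without it.
$gone = Remove-OldPrinterConnections -ServerName $oldServer
$line = "{0} {1}\{2} on {3}: removed {4}" -f (Get-Date -Format s), `
    $env:USERDOMAIN, $env:USERNAME, $env:COMPUTERNAME, ($gone -join "; ")
try { Add-Content -Path $logFile -Value $line } catch { Write-Warning $line }
```

The log line per user gives a record of which connections were removed and where, so the cutover across several hundred clients can be audited without visiting each machine.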
Relevance 53.71%

Hi guys,
 
What free Antivirus software for servers?
What free anti-malware would NOT be a good idea?
 
Info:
My friend has purchased a Poweredge server to act as a fileserver for a private network not connected to the internet. He uses 2 laptops at the most to access files on the server.
 
However, at some points he will update Windows Server 2008 plus odd bits by temporarily hooking up to the Internet, and obviously leave himself open to malware etc. for a short time.
 
The cost of server Antivirus is very high and usually effective for 10 workstations upwards, and obviously he would appreciate keeping costs down.
 
 
Questions:
I would appreciate thoughts on ideas for avoiding a costly solution.
 
Also, if he got Malware on it (e.g. Rootkit or Delta) would current Bleeping Computer tools (e.g. Rkill, RogueKiller etc) still work on the server - or does it require another approach? 
 
I am asking for advice BEFORE he gets started while options are open.
 
 
Thanks in advance guys

Answer:Free Server Antivirus ? e.g. for Windows Server 2008

The answer is fairly simple. Just read the details on the site -
Microsoft Security Essentials is available for small businesses with up to 10 PCs.
 
• Microsoft Security Essentials:
Microsoft updated its free anti-virus solution at the end of 2010 to support Windows 2008/R2.
This is easily one of the better free offerings, as Microsoft has updated this solution to compete directly with some of the biggest solutions, such as McAfee and Symantec paid versions.

When downloading, simply choose Windows Vista / Windows 7, as Microsoft has yet to update the website. http://www.microsoft.com/security_essentials/
 
Regards -

6 more replies
Relevance 53.71%

I am going to be upgrading a Server 2003 domain and Exchange server 2003 to Server 2008 and Exchange server 2010. We have one main DC and one backup DC along with another Server 2003 machine running Exchange.

Can anyone point me to some good how-to's or instructions for doing this? This is a small organization, about 40-50 clients total.

Any help would be appreciated.
 

Answer:How to migrate Server/Exchange 2003 to Server 2008

I'm in the same boat at work. I have about 120 clients and I'm taking the approach of building a new AD domain and installing Exchange as a new organization in the new domain. From there I plan on exporting the mailboxes and importing them to the new Exchange server. At this point I haven't decided how I'm going to export the mailboxes; probably have to exmerge the mail store to PSTs or use PowerShell if I can extract the old mail store from the new Exchange server.
 

2 more replies