# XMRig Miner Virus Problem
I don't even know myself.. That's a really good question
I've used it many times myself to mine monero
Yeah I used it on another computer a while ago too. This time went to a virus thing lol
also the virus faking the svchost.exe in svshost.exe
Did you download it from the correct site? How did you even get this virus
I didn't even try to download it. I haven't used it in years.
Wow damn, someone got a botnet out there using it
I'm very careful about what I download or do on the internet in general, very rare from myself to get infected but this time, maybe I didn't pay enough attention
Are you able to go to the source directory of the .exe files
yeah it redirects me to "C:\Windows"
and the 2 files are there
I can delete it if I use Rkill to kill the process (also detects that these two are malware )
but will come back in a few hours or tomorrow or in 2 days maximum
Another script must be hiding somewhere to load them back in
I guess bc I did a test about it. Once it came back an hour ago, I didn't try to delete them and went to safe mode with networking and it didn't even start. Once I came back to normal mode, it instantly launches
So yeah, something is clearly hiding but what...
Do you know what program you downloaded that might have contained the virus
The only thing I remember downloading was AutoCad and tried a language pack, which worked. But then I deleted it and got the legit version of it. so don't know if it's there bc of it or not. I can't remember...
Do you know how I could check what scripts go on when I start Windows? And which don't if I go to Safe mode?
yes
The thing is a smart virus would disguise itself as a normal process
Yeah.. So here I opened task manager before running powershell and DlHost & svshost wasn't appearing bc it hides when I open it. Now, when closed, I can see them
As I showed when I close the task manager, processhacker tells me that a service was created and it's called WinRing0_1_2_0
Does this work? Get-Process | Select-Object Name, StartTime
Shows the processes in order of which they started
This lists them in alphabetical order
Try this maybe: Get-Process | Sort-Object StartTime | Select-Object Name, StartTime
got some of these and then I guess it worked, it isn't in alphabetical order this time
Coz I'm thinking if you get the start times, delete the viruses in the windows folder, wait for them to start up again you might be able to see the script that starts it up
but some don't have time
if I delete it now, it will not come back until at least tomorrow night or even wednesday
Hmm
now that I closed task manager, it lists me DlHost and svshost (the viruses) at the bottom of the list
so something is still running that means it can make them work, right?
bc in safe mode they didn't even start x)
You could compare the list from safemode and normal mode
the very first thing that launched first is this
svchost, and svshost doesn't even exist, it's like it tries to fake svchost
would you want me to compare right now?
also is there any way to save this list?
Get-Process | Select-Object Name, StartTime >> C:/processes.txt
Or just get-process
Whatever command you are using lol
will bother you again, this time they aren't listed by the first who launched, is it possible to get it?
So now I have my 2 lists
So I can see that DlHost, svshost and one of 6 Discord services clearly starts at the same time : 23:20:02 (for me)
@spiral robin Once I restarted my computer, I went instantly to Processhacker. I saw a Powershell window quickly appearing (couldn't see anything) and instantly closed, then the viruses appeared
is there any way to check what was started?
Hello
Have you removed the malware?
Hey, I did
Has it come back?
not at the moment
I see it still comes back. Does it come back even with a good antivirus such as malwarebytes installed?
idk man
that's why I was here asking for help lol
What antivirus do you have right now?
Was that someone anothergame?
Wondering if you came into contact with him, he's good at this stuff
No, not from this server
Also, why would you keep the normal useless (mind you..TRASH) antivirus? Could you maybe install Kaspersky or Avast to scan your network and keep logs? Feels like a router malware, not sure.
I will in the future
I had a malware keep coming back even when I reset my PC. It was a router infestation.
Now it's gone, the guy who helped me was a pro at it. We went very deep to remove it so I think it should have come back now but it hasn't
Alright good, just curious was his username anothergame?
No, I just told you
i will