PUA:Win32/CoinMiner and XMRig cannot get rid of


  1. Posts : 44
    windows 10
       #1



    Hi guys, this has been doing my head in, so I'm after some help if possible.
    I have done a lot of googling and tried most things, but Windows AV keeps showing this.

    OK, so for some reason Win 10 AV keeps finding PUA:Win32/CoinMiner and XMRig as (active)
    I have run Rkill and then Malwarebytes and ESET Online Scanner, and also in Safe Mode with both scanners, under Win 10 2004 (19041.508),
    which have found nothing/nada.
    If these keep saying (Active), does this mean that the programs are actually running?
    Why do two programs not show anything wrong and Windows AV keeps giving me these issues?
    My lappy is LAGGY as heck and usually System interrupts go up to 100% a lot over the last few weeks.
    What else can I try, as I am going grey over this :)
    Thanks guys

    Edit: I cannot find any of the folders these PUAs are running under either.


    Here is my Rkill report:

    Program started at: 10/13/2020 04:49:18 PM in x64 mode.
    Windows Version: Windows 10 Home

    Checking for Windows services to stop:

    * No malware services found to stop.

    Checking for processes to terminate:

    * No malware processes found to kill.

    Checking Registry for malware related settings:

    * No issues found in the Registry.

    Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

    Performing miscellaneous checks:

    * No issues found.

    Searching for Missing Digital Signatures:

    * No issues found.

    Checking HOSTS File:

    * HOSTS file entries found:

    127.0.0.1 localhost
    ::1 localhost

    20 out of 41 HOSTS entries shown.
    Please review HOSTS file for further entries.

    Program finished at: 10/13/2020 04:59:04 PM
    Execution time: 0 hours(s), 9 minute(s), and 45 seconds(s)


  2. Posts : 1,604
    Win 10 home 20H2 19042.1110
       #2

    This may be hidden in your browser. See if HitmanPro can discover it... HitmanPro


  3. Posts : 6,869
    22H2 64 Bit Pro
       #3

    Read carefully:

    https://answers.microsoft.com/en-us/...d-c6059c8e0828

    Note

    Windows Defender by default scans its own "Scans/History", resulting in the discovery of the malware over
    and over again, even though other scanners see no evidence of the malware on the PC. It doesn't exist!


    So try deleting Windows Defender Protection History as described.
      My Computer
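
A way to check the point made in post #3, as an added example that is not from any poster in this thread: it lists every Defender detection and reports whether the flagged file still exists, is gone, or sits inside Defender's own history folder. The history folder path is an assumption (the default location); run it from an elevated PowerShell session.

```powershell
# Added example: classify each Defender detection by whether the flagged
# resource still exists on disk.

# Assumption: default location of Defender's own scan/detection history.
$historyRoot = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Scans\History'

# Map ThreatID -> ThreatName so detections can be shown by name.
$names = @{}
Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }

function Get-ResourceVerdict {
    param([string]$Resource)
    # File resources look like "file:_C:\path\x.exe" or
    # "containerfile:_C:\a.zip->x.exe"; other kinds are not paths.
    if ($Resource -notmatch '^(?:file|containerfile):_(?<path>.+)$') {
        return [pscustomobject]@{ Path = $Resource; Verdict = 'not a file resource' }
    }
    # Keep only the outer file when the hit is inside an archive.
    $path = ($Matches['path'] -split '->')[0]
    $verdict = if ($path.StartsWith($historyRoot, [StringComparison]::OrdinalIgnoreCase)) {
        'inside Defender history (self-detection)'
    } elseif (Test-Path -LiteralPath $path) {
        'present on disk (investigate)'
    } else {
        'missing on disk (stale record)'
    }
    [pscustomobject]@{ Path = $path; Verdict = $verdict }
}

# One output row per flagged resource, oldest detection first.
Get-MpThreatDetection | ForEach-Object {
    $d = $_
    foreach ($r in $d.Resources) {
        $v = Get-ResourceVerdict -Resource $r
        [pscustomobject]@{
            Threat   = $names[$d.ThreatID]
            Detected = $d.InitialDetectionTime
            Process  = $d.ProcessName
            Path     = $v.Path
            Verdict  = $v.Verdict
        }
    }
} | Sort-Object Detected | Format-Table -AutoSize -Wrap
```

Rows marked "present on disk" are the ones worth following up with a second scanner; the other two verdicts point at leftover records rather than a running miner.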


  4. Posts : 44
    windows 10
    Thread Starter
       #4

    Well, I ran TRON, which is nothing short of amazing (though it takes hours)

    Tron v11.1.3 (2020-08-20) // Minor updates; Remove PCHunter due to A/V false positives : TronScript

    Found nothing; this also uses Rkill and all the latest scanners/definitions, which found nothing.


    Callender
    The read might have worked, but finding detection history was kinda hard as it's moved,
    but I finally found the folder and deleted it, so let's see eh! Cheers

    Jacee
    hitman pro site u linked to kept saying there was no file to download! thanks for the reply


  5. Posts : 1,604
    Win 10 home 20H2 19042.1110
       #5

    Jacee
    hitman pro site u linked to kept saying there was no file to download! thanks for the reply
    I see two downloads on that page....one for 64 bit and one for 32 bit



  6. Posts : 44
    windows 10
    Thread Starter
       #6

    yep until u click the links themselves

