�� esetnod32.ru [��: �� MSIL/CoinMiner.BGJ]

�� MSIL/CoinMiner.BGJ

Mon, 21 Dec 2020 01:11:44 +0300

�� MSIL/CoinMiner.BGJ � �� .

====quote====
�� :
��...�� , �� Asus � � ��
=============

� �� : DESKTOP-UOATVLS_2020-12-18_22-05-47_v4.11.7z (925.06 ��)

� ��:
https://forum.esetnod32.ru/messages/forum6/topic16253/message111387/?result=reply#message111387

DESKTOP-UOATVLS_2020-12-18_22-05-47_v4.11.7z (925.06 ��)
----------
�� PC
�� .
�� : 28,5GB
�� .�.
�� .

----------
�� .
21.12.2020 01:11:44, RP55 RP55.

�� MSIL/CoinMiner.BGJ

Mon, 21 Dec 2020 00:47:31 +0300

�� MSIL/CoinMiner.BGJ � �� .
��...�� , �� Asus � � ��
� �� , �� , �� .
��
21.12.2020 00:47:31, �� .

�� MSIL/CoinMiner.BGJ

Mon, 21 Dec 2020 00:14:48 +0300

�� MSIL/CoinMiner.BGJ � �� .

====quote====
�� :
%SystemDrive%\USERS\��\
=============
�� - �� \��.
�� :
�� uVS � �� : ��.
�� uVS: https://forum.esetnod32.ru/forum8/topic15785/
21.12.2020 00:14:48, RP55 RP55.

�� MSIL/CoinMiner.BGJ

Mon, 21 Dec 2020 00:08:08 +0300

�� MSIL/CoinMiner.BGJ � �� .
�� ?
https://forum.esetnod32.ru/messages/forum6/topic16253/message111387/?result=reply#message111387
�� .
21.12.2020 00:08:08, RP55 RP55.

�� MSIL/CoinMiner.BGJ

Mon, 21 Dec 2020 00:07:50 +0300

�� MSIL/CoinMiner.BGJ � �� .
%SystemDrive%\USERS\��\
�� ?
21.12.2020 00:07:50, �� .

�� MSIL/CoinMiner.BGJ

Sun, 20 Dec 2020 23:55:09 +0300

�� MSIL/CoinMiner.BGJ � �� .

====quote====
�� :
�� :
=============

��.
��.

�� - � �� .
uVS: start.exe, �� , ��, �� - �� .
�� , �� !
�� : �� !

====code====

;uVS v4.11 [http://dsrt.dyndns.org:8888]
;Target OS: NTv10.0
v400c
OFFSGNSAVE
restart
;---------command-block---------
delall %SystemDrive%\USERS\�������\APPDATA\ROAMING\MICROSOFT\ADMODNETW4B8\ADNEKMOD8B4.DLL
apply

=============

-------------------------------------

�� C:\USERS\��\APPDATA\ROAMING\MICROSOFT\ADMODNETW4B8\ADNEKMOD8B4.DLL
�� ADNEKMOD8B4.DLL
��. �� ?��? ��

www.virustotal.com �� . 2020-12-20

��
��
File_Id 5FDC35A8C000
Linker 11.0
�� 12800 ��
�� 18.12.2020 � 16:17:58
�� 18.12.2020 � 16:17:58

TimeStamp 18.12.2020 � 04:52:56
EntryPoint +
OS Version 0.0
Subsystem Windows character-mode user interface (CUI) subsystem
IMAGE_FILE_DLL +
IMAGE_FILE_EXECUTABLE_IMAGE +
�� 64-� ��
��. ��

�� AdNetwork.dll
�� 1.0.0.0
�� AdNetwork
��
��

��. ��
�� C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
CmdLine C:\USERS\��\APPDATA\ROAMING\MICROSOFT\ADMODNETW4B8\ADNEKMOD8B4.DLL,AMIGOUPDATER
SHA1 0CBA96ADD40FC610017EF4A2BA8F4220694A1018
MD5 B5BF285378916D5119D87C08917FE872

��
�� C:\WINDOWS\SYSTEM32\TASKS\ZAMIGOBROWSERUPDATE

�� HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{920AEC27-3C26-4A74-8434-613D4DEF9913}\Actions
Actions "rundll32.exe" C:\Users\��\AppData\Roaming\Microsoft\AdModNetW4b8\adnekmod8b4.dll,AmigoUpdater

�� HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{920AEC27-3C26-4A74-8434-613D4DEF9913}\
20.12.2020 23:55:09, RP55 RP55.

�� MSIL/CoinMiner.BGJ

Sun, 20 Dec 2020 23:42:44 +0300

�� MSIL/CoinMiner.BGJ � �� .
�� , �� .��!
�� :
====code====

C:\Users\Asus\AppData\Roaming\Microsoft\AdModNetW4b8\adnekmod8b4.dll,AmigoUpdater

============= ?
Fixlog.txt
20.12.2020 23:42:44, �� .

�� MSIL/CoinMiner.BGJ

Sun, 20 Dec 2020 23:27:08 +0300

�� MSIL/CoinMiner.BGJ � �� .
�� fixlist.txt � �� Farbar Recovery Scan Tool:
...
�� FRST � �� Fix � ��.

====code====

  

FirewallRules: [{8D453E32-A0AE-418F-9361-2F4B12FF6C65}] => (Allow) D:\Games\Red Dead Redemption 2\RDR2.exe => No File
FirewallRules: [{653996F3-7596-415A-82DE-CEAF69D6BECD}] => (Allow) D:\Games\Red Dead Redemption 2\RDR2.exe => No File
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\Users\��� ������������\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Edge: Restriction <==== ATTENTION
Task: {077333D6-06BA-4EA4-BDF4-1CD1439558F2} - \Microsoft\Windows\BrokerInfrastructure\BgTaskRegistrationMaintenanceTask -> No File <==== ATTENTION
Task: {A2597AD3-0B94-4803-9A30-94B39BD37E0E} - System32\Tasks\zAmigoBrowserUpdate => rundll32.exe C:\Users\Asus\AppData\Roaming\Microsoft\AdModNetW4b8\adnekmod8b4.dll,AmigoUpdater


EmptyTemp:
Reboot:

=============
�� FRST �� -�� (Fixlog.txt). ��, �� !
20.12.2020 23:27:08, RP55 RP55.

�� MSIL/CoinMiner.BGJ

Sun, 20 Dec 2020 23:15:15 +0300

�� MSIL/CoinMiner.BGJ � �� .
1) � Malwarebytes - �� .
2) �� AdwCleaner
��:

��
# ------------------------------- # Malwarebytes AdwCleaner 8.0.8.0 # ------------------------------- # Build: 10-08-2020 # Database: 2020-09-29.1 (Local) # Support: https://www.malwarebytes.com/support # # ------------------------------- # Mode: Scan # ------------------------------- # Start: 12-20-2020 # Duration: 00:00:35 # OS: Windows 10 Home # Scanned: 31837 # Detected: 14 *** [ Services ] * No malicious services found. * [ Folders ] * No malicious folders found. * [ Files ] * No malicious files found. * [ DLL ] * No malicious DLLs found. * [ WMI ] * No malicious WMI found. * [ Shortcuts ] * No malicious shortcuts found. * [ Tasks ] * No malicious tasks found. * [ Registry ] * No malicious registry entries found. * [ Chromium (and derivatives) ] * No malicious Chromium entries found. * [ Chromium URLs ] * No malicious Chromium URLs found. * [ Firefox (and derivatives) ] * No malicious Firefox entries found. * [ Firefox URLs ] * No malicious Firefox URLs found. * [ Hosts File Entries ] * No malicious hosts file entries found. * [ Preinstalled Software ] *** Preinstalled.ASUSDeviceActivation Folder C:\Program Files (x86)\ASUS\ASUS DEVICE ACTIVATION Preinstalled.ASUSDeviceActivation Registry HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\{9C4B0706-9F9A-47BF-B417-0A111FC52B04} Preinstalled.ASUSLiveUpdate Folder C:\Program Files (x86)\ASUS\ASUS LIVE UPDATE Preinstalled.ASUSLiveUpdate Folder C:\ProgramData\ASUS\ASUS LIVE UPDATE Preinstalled.ASUSLiveUpdate Registry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5E315991-0334-4D2E-BA92-52628B468DAC} Preinstalled.ASUSLiveUpdate Registry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Update Checker Preinstalled.ASUSLiveUpdate Registry HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\{FA540E67-095C-4A1B-97BA-4D547DEC9AF4} Preinstalled.ASUSLiveUpdate Task C:\Windows\System32\Tasks\UPDATE CHECKER Preinstalled.ASUSSmartGesture Folder C:\Program Files (x86)\ASUS\ASUS SMART GESTURE Preinstalled.ASUSSmartGesture Registry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D15BEACB-6D7A-4787-8AC1-085D334178F2} Preinstalled.ASUSSmartGesture Registry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ASUS Smart Gesture Launcher Preinstalled.ASUSSmartGesture Registry HKLM\Software\Classes\CLSID\{F31B5912-07D6-4895-B4BA-5486CF3B18B1} Preinstalled.ASUSSmartGesture Registry HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\{4D3286A6-F6AB-498A-82A4-E4F040529F3D} Preinstalled.ASUSSmartGesture Task C:\Windows\System32\Tasks\ASUS SMART GESTURE LAUNCHER ########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S00].txt ##########

��

# -------------------------------
# Malwarebytes AdwCleaner 8.0.8.0
# -------------------------------
# Build: 10-08-2020
# Database: 2020-09-29.1 (Local)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start: 12-20-2020
# Duration: 00:00:35
# OS: Windows 10 Home
# Scanned: 31837
# Detected: 14

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

No malicious registry entries found.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries found.

***** [ Chromium URLs ] *****

No malicious Chromium URLs found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.

***** [ Hosts File Entries ] *****

No malicious hosts file entries found.

***** [ Preinstalled Software ] *****

Preinstalled.ASUSDeviceActivation Folder C:\Program Files (x86)\ASUS\ASUS DEVICE ACTIVATION
Preinstalled.ASUSDeviceActivation Registry HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\{9C4B0706-9F9A-47BF-B417-0A111FC52B04}
Preinstalled.ASUSLiveUpdate Folder C:\Program Files (x86)\ASUS\ASUS LIVE UPDATE
Preinstalled.ASUSLiveUpdate Folder C:\ProgramData\ASUS\ASUS LIVE UPDATE
Preinstalled.ASUSLiveUpdate Registry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5E315991-0334-4D2E-BA92-52628B468DAC}
Preinstalled.ASUSLiveUpdate Registry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Update Checker
Preinstalled.ASUSLiveUpdate Registry HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\{FA540E67-095C-4A1B-97BA-4D547DEC9AF4}
Preinstalled.ASUSLiveUpdate Task C:\Windows\System32\Tasks\UPDATE CHECKER
Preinstalled.ASUSSmartGesture Folder C:\Program Files (x86)\ASUS\ASUS SMART GESTURE
Preinstalled.ASUSSmartGesture Registry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D15BEACB-6D7A-4787-8AC1-085D334178F2}
Preinstalled.ASUSSmartGesture Registry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ASUS Smart Gesture Launcher
Preinstalled.ASUSSmartGesture Registry HKLM\Software\Classes\CLSID\{F31B5912-07D6-4895-B4BA-5486CF3B18B1}
Preinstalled.ASUSSmartGesture Registry HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\{4D3286A6-F6AB-498A-82A4-E4F040529F3D}
Preinstalled.ASUSSmartGesture Task C:\Windows\System32\Tasks\ASUS SMART GESTURE LAUNCHER

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S00].txt ##########

Addition.txt
FRST.txt
20.12.2020 23:15:15, �� .

�� MSIL/CoinMiner.BGJ

Sun, 20 Dec 2020 23:01:10 +0300

�� MSIL/CoinMiner.BGJ � �� .
1) �� Malwarebytes - �� ( �� )

2) �� AdwCleaner
http://forum.esetnod32.ru/forum9/topic7084/

�� :
�� Mail.Ru � Yandex �� ( �� )
�� :
�� (Folders) �� Mail.Ru � Yandex �� [V]

�� AdwCleaner �� (Clean), ��
� ��

3) �� FRST: http://forum.esetnod32.ru/forum9/topic2798/
20.12.2020 23:01:10, RP55 RP55.

�� MSIL/CoinMiner.BGJ

Sun, 20 Dec 2020 22:55:47 +0300

�� MSIL/CoinMiner.BGJ � �� .
� �� .

nod.txt
20.12.2020 22:55:47, �� .

�� MSIL/CoinMiner.BGJ

Sun, 20 Dec 2020 22:33:53 +0300

�� MSIL/CoinMiner.BGJ � �� .
�� - � �� .
uVS: start.exe, �� , ��, �� - �� .
�� , �� !
�� : �� !

====code====


;uVS v4.11 [http://dsrt.dyndns.org:8888]
;Target OS: NTv10.0
v400c

deltmp
delnfr
restart

=============

+
�� (�� ) �� Malwarebytes
http://forum.esetnod32.ru/forum9/topic10688/

�� : �� .
�� ( � �� ).
�� .txt ( �� )
20.12.2020 22:33:53, RP55 RP55.

�� MSIL/CoinMiner.BGJ

Sun, 20 Dec 2020 14:30:28 +0300

�� MSIL/CoinMiner.BGJ � �� .
�� :
DESKTOP-UOATVLS_2020-12-18_22-05-47_v4.11.7z
20.12.2020 14:30:28, �� .

�� MSIL/CoinMiner.BGJ

Sun, 20 Dec 2020 14:20:27 +0300

�� MSIL/CoinMiner.BGJ � �� .
��, �� :

��
20.12.2020 11:37:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��; 20.12.2020 11:38:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��; 20.12.2020 11:39:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��; 20.12.2020 11:40:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��; 20.12.2020 11:41:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��; 20.12.2020 11:42:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��; 20.12.2020 11:43:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��; 20.12.2020 11:44:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��; 20.12.2020 11:45:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��; 20.12.2020 11:46:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��; 20.12.2020 11:47:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��; 20.12.2020 11:48:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��; 20.12.2020 11:49:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��; 20.12.2020 11:50:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��; 20.12.2020 11:51:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��; 20.12.2020 11:52:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��; 20.12.2020 11:53:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��; 20.12.2020 11:54:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��; 20.12.2020 11:55:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��; 20.12.2020 11:56:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��; 20.12.2020 11:57:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��; 20.12.2020 11:58:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��; 20.12.2020 11:59:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��;

��

20.12.2020 11:37:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��;
20.12.2020 11:38:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��;
20.12.2020 11:39:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��;
20.12.2020 11:40:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��;
20.12.2020 11:41:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��;
20.12.2020 11:42:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��;
20.12.2020 11:43:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��;
20.12.2020 11:44:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��;
20.12.2020 11:45:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��;
20.12.2020 11:46:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��;
20.12.2020 11:47:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��;
20.12.2020 11:48:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��;
20.12.2020 11:49:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��;
20.12.2020 11:50:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��;
20.12.2020 11:51:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��;
20.12.2020 11:52:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��;
20.12.2020 11:53:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��;
20.12.2020 11:54:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��;
20.12.2020 11:55:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��;
20.12.2020 11:56:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��;
20.12.2020 11:57:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��;
20.12.2020 11:58:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��;
20.12.2020 11:59:00;�� AMSI;��;script;�� MSIL/CoinMiner.BGJ �� ;��;

� �� , �� ?
20.12.2020 14:20:27, �� .

����� esetnod32.ru [����: ���������������� MSIL/CoinMiner.BGJ]

���������������� MSIL/CoinMiner.BGJ

���������������� MSIL/CoinMiner.BGJ

���������������� MSIL/CoinMiner.BGJ

���������������� MSIL/CoinMiner.BGJ

���������������� MSIL/CoinMiner.BGJ

���������������� MSIL/CoinMiner.BGJ

���������������� MSIL/CoinMiner.BGJ

���������������� MSIL/CoinMiner.BGJ

���������������� MSIL/CoinMiner.BGJ

���������������� MSIL/CoinMiner.BGJ

���������������� MSIL/CoinMiner.BGJ

���������������� MSIL/CoinMiner.BGJ

���������������� MSIL/CoinMiner.BGJ

���������������� MSIL/CoinMiner.BGJ

�� esetnod32.ru [��: �� MSIL/CoinMiner.BGJ]

�� MSIL/CoinMiner.BGJ

�� MSIL/CoinMiner.BGJ

�� MSIL/CoinMiner.BGJ

�� MSIL/CoinMiner.BGJ

�� MSIL/CoinMiner.BGJ

�� MSIL/CoinMiner.BGJ

�� MSIL/CoinMiner.BGJ

�� MSIL/CoinMiner.BGJ

�� MSIL/CoinMiner.BGJ

�� MSIL/CoinMiner.BGJ

�� MSIL/CoinMiner.BGJ

�� MSIL/CoinMiner.BGJ

�� MSIL/CoinMiner.BGJ

�� MSIL/CoinMiner.BGJ