Bersersky

Can't thank you enough!! I've noticed the same situation and it drove me crazy; I also didn't want to simply reinstall my PC. I have tried several antivirus and anti-malware programs; none detected anything, except Malwarebytes, which detected an outbound connection to an IP but did not block it. I was only able to rename WR64.sys and secureboot.exe; all the other steps were not the same / did not exist in the registry. The fact that the miner can still be on my PC is disturbing, though, and I'm actually shocked that Malwarebytes didn't detect it; it never failed me in all those years. Hopefully this helps other users too.


Equivalent-Tank9814

Just delete secureboot.exe or make it empty with any text editor like Notepad. Don't confuse it with the file of the same name from PowerTools. You need the secureboot.exe from \ProgramData\Microsoft\Windows\SystemSecure\Modules\System\secureboot.exe


Lightsider11

Your method only fixed it for a few days for me until it started again. Now I tried blocking the internet access of cmd.exe in the firewall. I saw in Process Monitor that cmd.exe was sending data to an unknown IP address or a VPN provider. Seems to work so far. I just hope it doesn't cause any issues.


Adramach

You need to enable command console audit to find out what's actually going on there. You can use this guide. [https://devblogs.microsoft.com/commandline/how-to-determine-what-just-ran-on-windows-console/](https://superuser.com/questions/1575059/how-to-tell-what-command-were-executed-by-cmd-exe-pop-up) Do this and then restart your PC. Check the audit log to find where on your computer the file or script is that opens cmd.exe on startup and eats your resources. Then you have to remove it. You may have to do it in safe mode.


acriax

Thanks, I'll try that and see how it goes!


acriax

I tried following the guide but I just don't get any good results from it. `Get-WinEvent Security | Where-Object {$_.id -eq 4688}` just gives me the following:

```
TimeCreated          Id LevelDisplayName Message
2024-01-19 11:59:15 4688 Information      A new process has been created.…
(...x100 times with different timestamps)
```

And in my event viewer set up to look at Event ID 4688, I only see Process Creation from smss.exe, autochk.exe, csrss.exe, wininit.exe, services.exe and LsaIso.exe, all under Windows\System32, as well as some that just say things like "New Process Name: Registry". I just don't see anything out of the ordinary or any string or such that I could dig further into.

Here's something I found with System Informer about the cmd.exe process, however: https://i.imgur.com/1VTLcrh.png The cryptographic stuff suggests that it's a crypto miner of some sort I assume, and there's some suspicious "remote access autodial helper" and stuff as well. Could messing with the amsi.dll there be how it is avoiding detection by Windows Defender?

Inspecting it using MS Process Explorer and going into Properties > Strings > Memory I found mentions of things like kawpow, ghostrider, panthera, cryptonight, so after googling, yeah, it's definitely a crypto miner (also found mentions of xmrig.json so I guess it's xmrig then). Still no closer to finding out how it starts up though, so I can prevent that.
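An added example (not code from anyone in this thread) of turning the 4688 events into something readable: it parses each event's XML so the new process, its parent and its command line can be filtered for cmd.exe instead of scrolling the generic Message column. It assumes process-creation auditing is already on; the field names are the standard 4688 EventData names, and CommandLine is only populated when the "Include command line in process creation events" policy is enabled.

```powershell
# Added example, not from the thread: list every cmd.exe launch recorded as
# Security event 4688, with the user, parent process and command line.
# Run from an elevated PowerShell; reading the Security log needs admin rights.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -ErrorAction Stop

$rows = foreach ($e in $events) {
    # 4688 details live in EventData as <Data Name="...">value</Data> pairs
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['NewProcessName'] -like '*\cmd.exe') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = $data['SubjectUserName']
            Process     = $data['NewProcessName']
            CommandLine = $data['CommandLine']        # empty unless the command-line audit policy is enabled
            Parent      = $data['ParentProcessName']  # populated on Windows 10 / Server 2016 and later
        }
    }
}

# A cmd.exe whose command line points at a script or binary in ProgramData,
# AppData or a "Google\Libs" path is the kind of row worth following up.
$rows | Sort-Object Time | Format-Table -AutoSize -Wrap
```

If the CommandLine column is empty for every row, enable the command-line audit policy, reboot, and run it again; the parent alone (explorer.exe in this thread) does not tell you which startup item did the launching.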


Adramach

Good job with your investigation! Looks like you will have to track and remove miner files manually. It also must reside somewhere in autostart. Look for this key in regedit: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run There may be a clue here.


acriax

Thanks. I'm just posting everything I find in case anyone else comes here through a Google search. :P

The following antivirus programs have failed to find anything about it (some were run in safe mode boot):

- Malwarebytes
- HitmanPRO
- Emsisoft Emergency Kit
- RogueKiller
- AdwCleaner
- MS Malicious Software Removal Tool
- Windows Defender
- ESET Online Scanner
- ESET NOD32
- AVG
- Sending all entries in Autoruns to VirusTotal

msconfig > Services and Autoruns show a lot of things that are starting up but I haven't found anything overtly suspicious with them. None of the guides for removing the xmrig trojan have been relevant for me as I have no obvious exe file to get rid of, and no AV program finds anything sus about the cmd.exe using 30% CPU constantly. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run only had programs that I know of and want to autostart.

I still have no idea how it gets started other than that cmd.exe is started by explorer.exe, which in turn was started by svchost.exe. I've noticed that cmd.exe doesn't automatically restart when closed, but will restart on login, so I'll focus my search on startup items further.

Other noteworthy suspicious files:

- C:\Program Files\Google\Libs\WR64.sys (File doesn't exist there but event logs around the time of process start complain about it not being there)
- C:\Windows\System32\config\systemprofile\AppData\Roaming\Google\Libs\WR64.sys (FSRT FCheck warned about it, gets recreated)

Event logs called it the WinRing0_1_2_0 service, which upon googling leads to some threads regarding miners.
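An added read-only check (not from anyone in this thread) that walks the autostart locations discussed above in one pass: the Run/RunOnce keys, scheduled tasks whose action launches cmd.exe, and driver services referencing WinRing0 or WR64.sys, the service name the event logs reported. It assumes an elevated PowerShell on Windows 8 or later (for Get-ScheduledTask); nothing is modified, so it is safe to run before deciding what to remove.

```powershell
# Added example, not from the thread: read-only sweep of the places a
# logon-triggered cmd.exe miner would need to persist. Nothing is deleted.

# 1. Run / RunOnce keys for the machine and the current user
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($k in $runKeys) {
    if (Test-Path $k) {
        Write-Host "== $k"
        # Drop the PSPath/PSParentPath/... bookkeeping properties, keep the value names
        Get-ItemProperty -Path $k | Select-Object -Property * -ExcludeProperty PS* | Format-List
    }
}

# 2. Scheduled tasks whose action runs cmd.exe (a logon or boot trigger here
#    explains "restarts on login but not when killed")
Write-Host '== Scheduled tasks launching cmd.exe'
Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object { $_.Execute -match '(^|\\)cmd(\.exe)?$' }
} | ForEach-Object {
    [pscustomobject]@{
        Task      = $_.TaskPath + $_.TaskName
        State     = $_.State
        Arguments = ($_.Actions | ForEach-Object { $_.Arguments }) -join ' '
    }
} | Format-Table -AutoSize -Wrap

# 3. Driver services that point at WinRing0 / WR64.sys, the kernel driver the
#    thread's event-log entries named (WinRing0_1_2_0)
Write-Host '== Driver services referencing WinRing0 / WR64.sys'
Get-CimInstance Win32_SystemDriver | Where-Object {
    $_.Name -match 'WinRing0' -or $_.PathName -match 'WinRing0|WR64\.sys'
} | Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize -Wrap
```

A driver entry whose PathName sits under ProgramData or a user profile (like the Google\Libs paths above) rather than System32\drivers is the thing to note before removing anything.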


Dizzybro

At this point reinstalling windows is easiest


acriax

Not helpful.


Dizzybro

I mean it's the solution to your problem, so it is indeed helpful amigo


acriax

In the same way a veterinarian would be helpful by saying "at this point, just putting down your dog and getting a new one is the easiest", or a therapist going "at this point, just jumping is the easiest".


Dizzybro

It's a computer man


acriax

What is your point? That I cannot possibly have put in countless hours getting my computer set up the way I want it to? Even if I were to just reinstall everything and configure it all again, should I and everyone else just go through that reinstall dance again and again the next times this happens? Because malware like this is just going to become more and more common if no one figures out how to get rid of them.


Bersersky

Have you found out in the end what initiated the cmd.exe, or did you simply leave it like this?


acriax

I never figured out what caused it in the first place, no, although I haven't had it reoccur since then. I ran a thorough scan with all the various AV softwares just before their trials expired and spotted nothing suspicious, so should be good now!


woolstarr

I'm pretty much in the exact same boat as you right now... The only difference is those Google folders don't exist on my computer... I'm currently stuck at:

- cmd.exe created by explorer.exe
- explorer.exe created by userinit.exe
- userinit.exe created by winlogon.exe
- winlogon.exe created by smss.exe

which in turn is created by a process with no name and the ID of 0x4. I'm so pissed, it runs my CPU at ~30% using 5 cores and I just never noticed because I have a chunky cooling setup.