- Download FixList.txt
- Save FixList.txt in the same folder where FRST64.exe is.
- Close all program windows.
- Launch the Farbar Scanner tool and click "Fix".
- Upload the output log file (FixLog.txt) to your OneDrive.
How can I delete this CoinMiner Malware that keeps reinstalling after removal?
Windows Defender alerts on malware CoinMiner.I on reboot, stating it has been deleted. I am assuming it's reinstalling from another process and have been trying to track it down. This is the alert that I am getting.
Detected: Behavior:Win32/CoinMiner.I
Status: Removed
A threat or app was removed from this device.
Date: 10/10/2023 5:02 AM
Details: This program is dangerous and executes commands from an attacker.
Affected items:
behavior: process: C:\Windows\explorer.exe, pid:31584:120617923854497
process: pid:31584,ProcessStart:133414021413529505
After doing some Google searching, I've installed Sysmon, Autoruns and Farbar Recovery Scan Tool to look for malicious processes.
My logs are here: FRST Logs
I looked up the terminated process ID above in Sysmon. The info follows.
Process Create:
RuleName: -
UtcTime: 2023-10-10 09:02:21.352
ProcessGuid: {acbf227a-131d-6525-da01-000000000d00}
ProcessId: 31584
Image: C:\Windows\explorer.exe
FileVersion: 10.0.22621.2361 (WinBuild.160101.0800)
Description: Windows Explorer
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: EXPLORER.EXE
CommandLine: C:\WINDOWS\explorer.exe oaiwgjimtkhew0 6E3sjfZq2rJQaxvLPmXgsEwWTFCy3QOzHJaQOQ3/NEUE+I3bbyzjNI/1t5Yu7Sup8Rog9vQ+Ti3UCDf+NiXvhd3YQ2VEwoL2DsYUUjm29tpOtDCok8LlwxkP6h9eCpmL0+k8DrZqrBNYfISW2IvXi1utDC0t3M9xin2uk3s/dZw7AAMwn8yCx265sVLxL6lSb9AhWduReVVk7b2XhQMKdj31UJzOvlrJ55cz9X70Uq/Qnhdq62TnsonYHADA1JaM4ckfz4EAbJViQn9ZsOL1ZUdZqsEjpQAs4BRRAly7Jg5s264pdSlWlQRRqifrQNI7oaOkQh0JLo/5K9fkg/i1btTa1GKcoI05+E90fv0R240jMhz93FZeeF/hYYaca1xTag3azKv+KDuZ8zqQkKqdQTD1BQlXi7sAjhrrEqV6Lk/mnvenBCrNFz0TC/fsStyXrKBJCRv3Gr8+s82klS39iYBKV3Yg8cM1lOmqnzjdX3w=
CurrentDirectory: C:\WINDOWS\
User: NT AUTHORITY\SYSTEM
LogonGuid: {acbf227a-12c1-6525-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=0B25D56BD2B4D8A6DF45BEFF7BE165117FBF7BA6BA2C07744F039143866335E4
ParentProcessGuid: {acbf227a-12c7-6525-f700-000000000d00}
ParentProcessId: 9608
ParentImage: C:\Program Files\WindowsMalwareProtection\config\systemreset.exe
ParentCommandLine: "C:\Program Files\WindowsMalwareProtection\config\systemreset.exe"
ParentUser: NT AUTHORITY\SYSTEM
This was followed by the termination of systemreset.exe:
Process terminated:
RuleName: -
UtcTime: 2023-10-10 09:02:22.209
ProcessGuid: {acbf227a-12c7-6525-f700-000000000d00}
ProcessId: 9608
Image: C:\Program Files\WindowsMalwareProtection\config\systemreset.exe
User: NT AUTHORITY\SYSTEM
Since it shows systemreset.exe is the parent of the explorer.exe process with a large command line addition, I assume this is my problem file? From the googling I have done, systemreset.exe appears to be an actual system file, since it's 1.4GB in size as well. I'm unsure of where to go from here. Should I just delete that file?
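As an added example (not part of the original question or of the accepted answer), the following Python script applies the checks a responder would run over the Sysmon record quoted above, and shows how the PID in Defender's "Affected items" line is matched to Sysmon's ProcessId. It flags three things the record exhibits: a parent named like a Windows binary (the real systemreset.exe lives in C:\Windows\System32) that runs from an unrelated directory under Program Files; explorer.exe, the user's shell, running as NT AUTHORITY\SYSTEM rather than as the logged-on user; and a long base64-looking argument on a binary that normally only takes paths. The allowlist of binary homes is a minimal illustration, and the benign control event (host, user and parent) is constructed for the example.

```python
import re
from typing import Optional

# Sysmon Event ID 1 record copied from the question above.
SAMPLE_EVENT = r"""Process Create:
RuleName: -
UtcTime: 2023-10-10 09:02:21.352
ProcessId: 31584
Image: C:\Windows\explorer.exe
OriginalFileName: EXPLORER.EXE
CommandLine: C:\WINDOWS\explorer.exe oaiwgjimtkhew0 6E3sjfZq2rJQaxvLPmXgsEwWTFCy3QOzHJaQOQ3/NEUE+I3bbyzjNI/1t5Yu7Sup8Rog9vQ+Ti3UCDf+NiXvhd3YQ2VEwoL2DsYUUjm29tpOtDCok8LlwxkP6h9eCpmL0+k8DrZqrBNYfISW2IvXi1utDC0t3M9xin2uk3s/dZw7AAMwn8yCx265sVLxL6lSb9AhWduReVVk7b2XhQMKdj31UJzOvlrJ55cz9X70Uq/Qnhdq62TnsonYHADA1JaM4ckfz4EAbJViQn9ZsOL1ZUdZqsEjpQAs4BRRAly7Jg5s264pdSlWlQRRqifrQNI7oaOkQh0JLo/5K9fkg/i1btTa1GKcoI05+E90fv0R240jMhz93FZeeF/hYYaca1xTag3azKv+KDuZ8zqQkKqdQTD1BQlXi7sAjhrrEqV6Lk/mnvenBCrNFz0TC/fsStyXrKBJCRv3Gr8+s82klS39iYBKV3Yg8cM1lOmqnzjdX3w=
User: NT AUTHORITY\SYSTEM
IntegrityLevel: System
ParentProcessId: 9608
ParentImage: C:\Program Files\WindowsMalwareProtection\config\systemreset.exe
ParentUser: NT AUTHORITY\SYSTEM
"""

# Constructed control record: a normal shell start for an interactive user.
BENIGN_EVENT = r"""Process Create:
ProcessId: 4321
Image: C:\Windows\explorer.exe
CommandLine: C:\WINDOWS\Explorer.EXE
User: CORP\alice
IntegrityLevel: Medium
ParentImage: C:\Windows\System32\userinit.exe
"""

# The Defender "Affected items" line from the question above.
DEFENDER_AFFECTED_ITEM = r"behavior: process: C:\Windows\explorer.exe, pid:31584:120617923854497"

# Minimal allowlist (illustrative, not exhaustive): the directories in which
# these Windows binaries legitimately live, lower-cased.
KNOWN_BINARY_HOMES = {
    "systemreset.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

# A bare base64 alphabet token of 40+ characters; explorer.exe never needs one.
BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


def parse_sysmon_event(text: str) -> dict:
    """Turn the 'Key: value' lines of a Sysmon record into a dict."""
    fields = {}
    for line in text.splitlines():
        if ": " in line:
            key, value = line.split(": ", 1)
            fields[key.strip()] = value.strip()
    return fields


def defender_pid(affected_item: str) -> Optional[int]:
    """Extract the PID from a Defender 'pid:NNNN:...' affected-item string."""
    m = re.search(r"\bpid:(\d+)", affected_item)
    return int(m.group(1)) if m else None


def find_process(events, pid: int) -> Optional[dict]:
    """Locate the Sysmon Process Create record for a given PID."""
    for ev in events:
        if ev.get("ProcessId") == str(pid):
            return ev
    return None


def is_opaque_blob(token: str) -> bool:
    return bool(BLOB_RE.match(token))


def triage(ev: dict) -> list:
    """Return (code, detail) findings for a parsed Process Create record."""
    findings = []
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    parent_dir, _, parent_name = parent.rpartition("\\")
    # 1. A well-known Windows binary name running from an unexpected directory.
    if parent_name in KNOWN_BINARY_HOMES and parent_dir not in KNOWN_BINARY_HOMES[parent_name]:
        findings.append(("masquerading_parent", f"{parent_name} launched from {parent_dir}"))
    # 2. The user shell running as SYSTEM / System integrity instead of as the user.
    if image.endswith("\\explorer.exe") and (
        ev.get("User", "").upper() == "NT AUTHORITY\\SYSTEM"
        or ev.get("IntegrityLevel", "").lower() == "system"
    ):
        findings.append(("explorer_as_system", f"User={ev.get('User')} IntegrityLevel={ev.get('IntegrityLevel')}"))
    # 3. An opaque base64-looking argument handed to a binary that takes paths.
    args = ev.get("CommandLine", "").split()[1:]
    blobs = [a for a in args if is_opaque_blob(a)]
    if blobs:
        findings.append(("opaque_argument", f"{len(blobs[0])}-char base64-like argument"))
    return findings


if __name__ == "__main__":
    events = [parse_sysmon_event(SAMPLE_EVENT), parse_sysmon_event(BENIGN_EVENT)]
    pid = defender_pid(DEFENDER_AFFECTED_ITEM)
    ev = find_process(events, pid)
    print(f"Defender PID {pid} -> Sysmon ProcessGuid parent {ev.get('ParentImage')}")
    for code, detail in triage(ev):
        print(f"  [{code}] {detail}")
    print("benign control findings:", triage(events[1]))
```

Run against the two records, the sample from the question yields all three findings and the constructed benign shell start yields none; the parent path it prints is the file to preserve as evidence and hand to the FRST fix, not merely to delete.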
Answer accepted by question author: Ramesh (Volunteer Moderator, 176.1K reputation points), 2023-10-10T11:08:33+00:00
2 additional answers
Ramesh (Volunteer Moderator, 176.1K reputation points), 2023-10-10T17:13:44+00:00: You're most welcome.
Regards,