I think I have Bitcoin Mining Malware that is posing as a Windows process

JohnnieW18

New Member
Thread author
Jan 4, 2018
5
I checked the Task Manager to see it's because of Windows Process Manager (32 bit). I opened the file location and got an error message saying "C:\Users\John\AppData\Local\niibtve is not accessible. Access is denied."

When I look at it using Process Explorer it shows between 2-5 instances of a process called "sibktpr.exe" which is using all of the CPU. Google searching this .exe shows no results.

I downloaded Malwarebytes after the issues started if that is important too. It doesn't find anything wrong.
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Hello,


Please download Farbar Recovery Scan Tool x64 and save it to a flash drive.
  • Now you should get a window like this where you need to click Troubleshoot.

  • In the next window, click Advanced options and select Command Prompt.
  • Now you should log into your account and after that Command Prompt window.
Access the notepad and identify your USB drive

In the Command Prompt please type in:
Code:
notepad
and press Enter.
  • When the notepad opens, go to File menu.
  • Select Open.
  • Go to Computer and search there for your USB drive letter.
  • Note down the letter and close the notepad.


Scan with Farbar Recovery Scan Tool

Once back in the command prompt window, please do the following:
  • Type in e:\frst64.exe and press Enter.
    You need to replace e with the letter of your USB drive taken from notepad!
  • FRST will start to run. Give it a minute or so to load itself.
  • Click Yes to Disclaimer.
  • In the main console, please click Scan and wait.
  • When finished it will produce a logfile named FRST.txt in the root of your pendrive and display it. Close that logfile.

Transfer it to your clean machine and include it in your next reply.
 

JohnnieW18

New Member
Thread author
Jan 4, 2018
5
Thank you so much for the help! A little bit of an update: RogueKiller actually flags the processes and is able to kill them but not delete the files calling on the processes. They start right back up after 20 minutes or so or after a reboot.

I was unable to download the file and save it to my USB on my own computer, this is what I got:
[Screenshot: upload_2018-1-8_15-4-59.png]

I did download and save the FRST.exe from another computer, here is the .txt file you asked for!
 

Attachments: upload_2018-1-8_15-2-50.png, FRST.txt

JohnnieW18

New Member
Thread author
Jan 4, 2018
5
My computer refuses to boot into advanced startup, I cannot get to recovery mode; I've tried every possible method and it just boots normally every time. Only thing that works is running msconfig and safe boot. What do I do?
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
You'll need to get to recovery, there is no way around it. On that link there is a guide on how to burn a recovery to USB and how to use it to boot on the infected machine. You'll need to have the FRST tool on that USB too so you can run it.
 
