
Remove CoinMiner worm

Hi All,

My server has been infected with CoinMiner "fuckyoumm_consumer and fuckyoumm2_consumer". I have tried all the suggestions in the following links:

https://support.sophos.com/support/s/article/KB-000037977?language=en_US

https://support.sophos.com/support/s/article/KB-000038535?language=en_US&c__displayLanguage=en_US

It was easy to remove all the worms, but the result wasn't as expected. After a server restart, all the "fuckyoumm" entries came back again, even when I tried in safe mode.

Can anyone help me to completely clear these worms?

Best regards,
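The "_consumer" suffix in the names above matches the naming of WMI permanent event consumers, which survive reboots because they live in the WMI repository rather than on disk. The script below is an added example, not from this thread or from Sophos, that lists every filter-to-consumer binding in root\subscription and flags the ones whose names or command lines match a pattern (default: fuckyoumm); it assumes the miner persists as such a subscription and only removes anything when -Remove is given.

```powershell
# Added example: audit WMI permanent event subscriptions for the consumers named
# in the post. Assumes persistence via root\subscription (labelled assumption).
# Read-only by default; run from an elevated prompt. -Remove deletes flagged chains.
param(
    [string[]]$Pattern = @('fuckyoumm'),
    [switch]$Remove
)

$ns        = 'root\subscription'
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

function Test-Suspicious([string]$Text) {
    foreach ($p in $Pattern) {
        if ($Text -and $Text -match [regex]::Escape($p)) { return $true }
    }
    return $false
}

# Resolve a binding's Filter/Consumer reference to a Name, whether the CIM
# cmdlets hand back an object or a path string such as __EventFilter.Name="x".
function Get-RefName($Ref) {
    if ($Ref -is [string]) { return ($Ref -replace '.*Name="([^"]+)".*', '$1') }
    return $Ref.Name
}

foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $f = $filters   | Where-Object Name -eq $fName
    $c = $consumers | Where-Object Name -eq $cName
    $cmd  = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
    $flag = (Test-Suspicious $fName) -or (Test-Suspicious $cName) -or (Test-Suspicious $cmd)

    [pscustomobject]@{
        Suspicious = $flag
        Filter     = $fName
        Query      = $f.Query            # the WQL trigger, e.g. a timer or process event
        Consumer   = $cName
        Type       = $c.CimClass.CimClassName
        Command    = $cmd
    } | Format-List

    if ($flag -and $Remove) {
        # Remove the binding first so the consumer cannot fire while being deleted.
        $b | Remove-CimInstance
        if ($c) { $c | Remove-CimInstance }
        if ($f) { $f | Remove-CimInstance }
    }
}
```

Review the full listing before using -Remove: legitimate software (and Windows itself, e.g. SCM event consumers) also registers subscriptions here, so only chains whose Query or Command you cannot account for belong in the pattern list.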

  • Hello a b15,

    this isn't an XG Firewall question, is it? Could you please tell us which Sophos product (on-premise SESC, Central/Intercept X) you are using and the server's OS version? Is this the only machine affected? Do you still get alerts from Sophos? If so, please provide the SAV.txt log.

    But as the threat persisted, it's better to raise a Support Case as mentioned in the Recommended Actions.

    Christian

  • Hello QC,

    I am sorry about posting in the wrong thread. I am using Sophos Endpoint Agent and Malwarebytes. Sophos has no alert, even after a full scan, but when I scan with Malwarebytes, it shows worms, and then I quarantine all of them with Malwarebytes. I have also deleted the worm from Autorun. But after restarting the server, all came back again.

  • Hello a b15,

    as said, you should raise a case with Support, did you already do so?
    Sophos Endpoint Agent suggests Central/Intercept X, but you didn't specify. Anyway, without details it's impossible to suggest a solution. If neither Sophos nor Malwarebytes nor both together can get rid of it and you've carried out all the steps in the articles, an in-depth analysis is necessary.

    Christian