aron

system · November 18, 2017, 12:07am

I found a directory in my windows user account that seemed odd:

C:\Users\Troy\AppData\Local\aron\ which contained several files - one of which named “windows.exe” which was running as a service that I could not locate in services
Another file was named 1.cmd which I opened in text and it had the following command:

“svchost -a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560 -u andalousy8@gmail.com -p x”

Avast never caught anything but when I ran the suggested scans using Malwarebytes, it did pick it up.

I’ve attached the suggested log files. Thank you for any help and suggestions

avastuser3796 · November 20, 2017, 4:02pm

LOL, that would be a BTC mining trojan/malware. Yes, that sucks. Not, it’s not bad. It just can kill your hardware really fast. (Is your CPU always at 100% or GPU?)

OK, so let’s start with the basics before I say or continue anything else.

I like you, epic job on posting some dudes gmail account he’s using for BTC mining. (I really hope that isn’t yours… Because, that’d suck…)
Do you bitcoin mine by chance? The code you posted there goes to a pool for bitcoin mining, that’s his (your? I hope not…) username (I don’t suppose you have the password too… because “x” doesn’t work. (You’re Australian right? If you are, send that email to the AFP (Australian Federal Police) and report it as Cyber Crime. )). If not, send it to your countries version of the FBI. (RCMP (CDN), FBI (US), AFP (AU), NCA (UK) to name a couple)/
If you don’t mine: ZIP all those files (including the one you’ve already deleted via MBAM) and attach them with that email to the AFP. Also, send them to a dropbox or something. I’d like to see if someone signed them.
I’ve notified the malware team to come see you.

system · November 20, 2017, 10:13pm

Sorry for the late reply - I’m on tge road right now.

I dont bitcoin, and no that isn’t my email lol
I have no idea what the password is…I tried a few my self
I did save and zip ul all the files! Ill post them when I get home later this week.

I think Ill shoot an email off to our RCMP as well…they may be interested. Id really like to know how they got on my computer though.

I’m from Canada

avastuser3796 · November 20, 2017, 10:43pm

Yes, courtesy of a moderator here… I found that out. (Mod’s can see your IP address so if you misbehave they just ban the IP)

You and I are both Canadian. Reason I asked if you were Aussie is because one of your Windows update files has -au… short for Australia.

The RCMP here usually deal more with Child Porn more then financial stuff, but I’m sure they’ll enjoy the break. I will also send them a tip on that email. (I actually seriously considered dropping Computer Science to go out to “The Depot” in Sask to train for general policing then to go into [Investigative] Cyber Security.)

As for how it got on… Couple ways. Anything from an email attachment, to trojan horse to a hacked website. There are so many ways you can be infected, it’s impossible to list them all.

Ideally, dbrise (or someone else, like Magna or Twin) will be with you sometime today or tomorrow. (dbrise is also Canadian. I want to say he’s in BC, but I’m not sure.) They’ll be the ones who actually help remove the files.

avastuser3796 · November 20, 2017, 10:53pm

Ay,

Went to their [RCMP] website to get their email: http://www.rcmp-grc.gc.ca/cont/index-eng.htm

In short, you can’t actually email them to report a crime (… really? How irritating!)

Find the detachment closest to you: → http://www.rcmp-grc.gc.ca/detach/en/find/ON#l

I’ll see about giving J Division a call tomorrow and letting them know (If that’s alright with you that is.).

Since you’ve zipped the files, you can remove the other ones to stop the mining. They’ll kill your hardware. (If you do delete those files before someone comes to see you, just post a fresh FRST log. Saves them from asking)

SassDrake · November 21, 2017, 11:12am

Open Notepad (click Start button → type notepad.exe → press Enter)
Copy text from code block below and paste it into Notepad

Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Windows Sound.lnk [2017-07-31]
C:\Users\Troy\AppData\Local\aron
2014-06-15 08:08 - 2017-11-17 09:26 - 000015360 _____ () C:\Users\Troy\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-04-15 10:42 - 2017-11-17 05:29 - 000007598 _____ () C:\Users\Troy\AppData\Local\resmon.resmoncfg
2016-11-02 15:32 - 2016-11-02 15:33 - 025397336 _____ (One Click Root) C:\Users\Troy\AppData\Local\TempOneClickRoot.exe
EmptyTemp:

Go to File → Save As
Make sure that UTF-8 is selected as Encoding (left side of Save button)
Save it as fixlist.txt on Desktop
Open again FRST and click on button Fix
Wait until FRST finishes
fixlog.txt should be genereted and opened. Attach it your post and wait further instructions.

system · November 21, 2017, 3:04pm

I think malwarebytes removed all those when I ran it. I will check when I get home Fri

system · November 24, 2017, 8:07pm

Finally home!

Ran FRST with fixlist and attached the results

I also uploaded the files: https://www.dropbox.com/s/ei7x9jx550w4vvb/aron.zip?dl=0

My system is feeling really sluggish

SassDrake · November 25, 2017, 10:06am

Dropbox link is not working. Please post fresh FRST logs.

system · November 25, 2017, 11:40am

That’s really odd - it says my Dropbox has reached transfer limit. Pretty sure I haven’t used 20 Gb lol.

I uploaded it to my webserver

www.chudzik.ca/aron.zip

Here’s the new logs. Had a quick look and it seems “windows” is still trying to start in the registry

Task: {47B938EE-B6A7-4BC0-8D24-0E331274A478} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent → No File <==== ATTENTION

SassDrake · November 25, 2017, 3:01pm

I don’t see traces of miner in logs so I can say you are now clean. As for GWX it is leftover from Windows 7/8.1 to 10 upgrade application and you can safely delete them.

SassDrake · November 25, 2017, 3:15pm

• The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.
Run the tool and check the following boxes below;
[i]
http://www.mcshield.net/personal/magna86/Images/checkmark.png
Remove disinfection tools

http://www.mcshield.net/personal/magna86/Images/checkmark.png
Create registry backup

http://www.mcshield.net/personal/magna86/Images/checkmark.png
Purge System Restore [/i]
Click Run button and wait a few seconds for the programme completes his work.
At this point all the tools we used here should be gone. Tool will create an report for you (C:[b]DelFix.txt[/b])

The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.

system · November 25, 2017, 11:09pm

All done - thank you for all the help.

Did those files hold any signatures or information that was useful?

SassDrake · November 26, 2017, 12:56pm

Yes. Malicious files in archive are now detected by more antivirus applications.

aron

Announcements