Author Topic: aron  (Read 3306 times)


REDACTED

  • Guest
aron
« on: November 18, 2017, 01:07:59 AM »
I found a directory in my Windows user account that seemed odd:

C:\Users\Troy\AppData\Local\aron\ which contained several files, one of which was named "windows.exe" and was running as a service that I could not locate in services.
Another file was named 1.cmd, which I opened in a text editor, and it had the following command:

"svchost -a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560 -u andalousy8@gmail.com -p x"

Avast never caught anything but when I ran the suggested scans using Malwarebytes, it did pick it up.

I've attached the suggested log files.  Thank you for any help and suggestions
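
As an added example (not code from the original thread or from any tool mentioned in it), the following Python script shows how the two indicators described in the post can be turned into a triage check: a batch line whose arguments match a miner launch (the `-a cryptonight` flag or a `stratum+tcp://` pool URL, generalised here to `stratum+ssl` and `stratum+tls` as well), and an executable with a system-sounding name such as `svchost.exe` or `windows.exe` running outside a Windows system directory. The pool host and algorithm are the ones quoted in the post; the login value, the process IDs and the process snapshot are constructed placeholders.

```python
"""Triage helper for the cryptominer indicators described in the post.
Added example, not code from the thread or from any tool it mentions.
The .cmd text and process snapshot below are constructed for illustration."""
import re
import shlex
from dataclasses import dataclass
from typing import Any, Dict, List

# Indicators grounded in the post: the CryptoNight algorithm flag, a stratum pool
# URL on the command line, and executables named to look like part of Windows.
KNOWN_MINER_ALGOS = {"cryptonight"}
POOL_URL = re.compile(r"^stratum\+(tcp|ssl|tls)://([^:/]+):(\d+)$", re.IGNORECASE)
SUSPECT_NAMES = {"svchost.exe", "windows.exe"}
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")


@dataclass
class Finding:
    pid: int
    reason: str
    detail: str


def unwrap_quotes(cmd: str) -> str:
    """The 1.cmd in the post wrapped the whole command in one pair of double
    quotes; strip them so the arguments can be tokenised individually."""
    cmd = cmd.strip()
    if len(cmd) >= 2 and cmd[0] == cmd[-1] == '"' and cmd.count('"') == 2:
        return cmd[1:-1]
    return cmd


def parse_miner_cmdline(cmd: str) -> Dict[str, Any]:
    """Extract miner-style arguments (-a algo, -o pool, -u login) and decide whether
    the line looks like a miner launch. posix=False keeps Windows backslashes intact."""
    tokens = [t.strip('"') for t in shlex.split(unwrap_quotes(cmd), posix=False)]
    info: Dict[str, Any] = {"exe": tokens[0] if tokens else None,
                            "algo": None, "pool": None, "login": None}
    flag_names = {"-a": "algo", "-o": "pool", "-u": "login"}
    for i, tok in enumerate(tokens):
        key = flag_names.get(tok.lower())
        if key and i + 1 < len(tokens):
            info[key] = tokens[i + 1]
    match = POOL_URL.match(info["pool"] or "")
    info["pool_host"] = match.group(2) if match else None
    info["pool_port"] = int(match.group(3)) if match else None
    info["is_miner"] = bool(match) or (info["algo"] or "").lower() in KNOWN_MINER_ALGOS
    return info


def scan_cmd_text(text: str) -> List[Dict[str, Any]]:
    """Parse each non-empty line of a batch file and return the miner launches."""
    hits = [parse_miner_cmdline(line) for line in text.splitlines() if line.strip()]
    return [h for h in hits if h["is_miner"]]


def classify_process(pid: int, image_path: str, cmdline: str) -> List[Finding]:
    """Two checks: a system-sounding image name living outside a Windows system
    directory (masquerade), and a miner-style command line."""
    findings: List[Finding] = []
    path_l = image_path.lower()
    name = path_l.rsplit("\\", 1)[-1]
    if name in SUSPECT_NAMES and not any(d in path_l for d in SYSTEM_DIRS):
        findings.append(Finding(pid, "masquerade", f"{name} running from {image_path}"))
    parsed = parse_miner_cmdline(cmdline)
    if parsed["is_miner"]:
        findings.append(Finding(pid, "miner-cmdline",
                                f"algo={parsed['algo']} pool={parsed['pool_host']}:{parsed['pool_port']}"))
    return findings


def triage(processes: List[Dict[str, Any]]) -> List[Finding]:
    """Run both checks over a process snapshot (pid, image_path, cmdline per entry)."""
    out: List[Finding] = []
    for p in processes:
        out.extend(classify_process(p["pid"], p["image_path"], p["cmdline"]))
    return out


# Constructed sample data: pool host and algorithm are the ones quoted in the post;
# the login is a placeholder, and the pids and the clean svchost entry are made up.
SAMPLE_CMD_TEXT = ('"svchost -a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560 '
                   '-u LOGIN_PLACEHOLDER -p x"\n')
SAMPLE_PROCESSES = [
    {"pid": 1234, "image_path": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 4321, "image_path": r"C:\Users\Troy\AppData\Local\aron\windows.exe",
     "cmdline": r'"C:\Users\Troy\AppData\Local\aron\windows.exe"'},
    {"pid": 5555, "image_path": r"C:\Users\Troy\AppData\Local\aron\svchost.exe",
     "cmdline": SAMPLE_CMD_TEXT.strip()},
]

if __name__ == "__main__":
    for hit in scan_cmd_text(SAMPLE_CMD_TEXT):
        print("miner launch:", hit["exe"], hit["algo"], hit["pool_host"], hit["pool_port"])
    for f in triage(SAMPLE_PROCESSES):
        print(f"pid {f.pid}: {f.reason}: {f.detail}")
```

On a real machine the snapshot would come from a process listing that includes the image path and full command line; the masquerade check is the one that catches a `windows.exe` even when its command line carries no miner arguments, which matches how the binary in the post was found.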

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: aron
« Reply #1 on: November 20, 2017, 05:02:11 PM »
LOL, that would be a BTC mining trojan/malware. Yes, that sucks. No, it's not bad. It can just kill your hardware really fast. (Is your CPU or GPU always at 100%?)

OK, so let's start with the basics before I say or continue anything else.

1) I like you, epic job on posting some dude's Gmail account he's using for BTC mining. (I really hope that isn't yours.. because that'd suck..)

2) Do you bitcoin mine by chance? The code you posted there goes to a pool for bitcoin mining; that's his (your? I hope not..) username. (I don't suppose you have the password too.... because "x" doesn't work.) You're Australian, right? If you are, send that email to the AFP (Australian Federal Police) and report it as cyber crime. If not, send it to your country's version of the FBI (RCMP (CDN), FBI (US), AFP (AU), NCA (UK), to name a couple).

3) If you don't mine: ZIP all those files (including the one you've already deleted via MBAM) and attach them with that email to the AFP. Also, send them to a Dropbox or something. I'd like to see if someone signed them.

4) I've notified the malware team to come see you.
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

REDACTED

  • Guest
Re: aron
« Reply #2 on: November 20, 2017, 11:13:01 PM »
Sorry for the late reply - I'm on the road right now.

- I don't bitcoin, and no, that isn't my email lol
- I have no idea what the password is....I tried a few myself ;)
- I did save and zip up all the files! I'll post them when I get home later this week.

I think I'll shoot an email off to our RCMP as well.....they may be interested. I'd really like to know how they got on my computer though.

I'm from Canada :)

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: aron
« Reply #3 on: November 20, 2017, 11:43:15 PM »
Yes, courtesy of a moderator here.. I found that out. (Mods can see your IP address, so if you misbehave they just ban the IP.)

You and I are both Canadian. The reason I asked if you were Aussie is because one of your Windows update files has -au... short for Australia.

The RCMP here usually deal more with child porn than financial stuff, but I'm sure they'll enjoy the break. I will also send them a tip on that email. (I actually seriously considered dropping Computer Science to go out to "The Depot" in Sask to train for general policing and then go into [Investigative] Cyber Security.)

As for how it got on... a couple of ways. Anything from an email attachment, to a trojan horse, to a hacked website. There are so many ways you can be infected that it's impossible to list them all.

Ideally, dbrise (or someone else, like Magna or Twin) will be with you sometime today or tomorrow. (dbrise is also Canadian. I want to say he's in BC, but I'm not sure.) They'll be the ones who actually help remove the files.

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: aron
« Reply #4 on: November 20, 2017, 11:53:53 PM »
Quote from: REDACTED on November 20, 2017, 11:13:01 PM
    Sorry for the late reply - I'm on the road right now.

    - I don't bitcoin, and no, that isn't my email lol
    - I have no idea what the password is....I tried a few myself ;)
    - I did save and zip up all the files! I'll post them when I get home later this week.

    I think I'll shoot an email off to our RCMP as well.....they may be interested. I'd really like to know how they got on my computer though.

    I'm from Canada :)

Ay,

Went to their [RCMP] website to get their email: http://www.rcmp-grc.gc.ca/cont/index-eng.htm

In short, you can't actually email them to report a crime (... really? How irritating!)

Find the detachment closest to you: --> http://www.rcmp-grc.gc.ca/detach/en/find/ON#l

I'll see about giving J Division a call tomorrow and letting them know (If that's alright with you that is.).

Since you've zipped the files, you can remove the other ones to stop the mining. They'll kill your hardware. (If you do delete those files before someone comes to see you, just post a fresh FRST log. Saves them from asking.)

Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 820
Re: aron
« Reply #5 on: November 21, 2017, 12:12:40 PM »
  • Open Notepad (click Start button -> type notepad.exe -> press Enter)
  • Copy the text from the code block below and paste it into Notepad
Code:
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Windows Sound.lnk [2017-07-31]
C:\Users\Troy\AppData\Local\aron
2014-06-15 08:08 - 2017-11-17 09:26 - 000015360 _____ () C:\Users\Troy\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-04-15 10:42 - 2017-11-17 05:29 - 000007598 _____ () C:\Users\Troy\AppData\Local\resmon.resmoncfg
2016-11-02 15:32 - 2016-11-02 15:33 - 025397336 _____ (One Click Root) C:\Users\Troy\AppData\Local\TempOneClickRoot.exe
EmptyTemp:
  • Go to File -> Save As
  • Make sure that UTF-8 is selected as Encoding (left side of the Save button)
  • Save it as fixlist.txt on the Desktop
  • Open FRST again and click on the Fix button
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.

REDACTED

  • Guest
Re: aron
« Reply #6 on: November 21, 2017, 04:04:04 PM »
I think Malwarebytes removed all those when I ran it. I will check when I get home Fri.

REDACTED

  • Guest
Re: aron
« Reply #7 on: November 24, 2017, 09:07:00 PM »
Finally home! 

Ran FRST with fixlist and attached the results

I also uploaded the files:  https://www.dropbox.com/s/ei7x9jx550w4vvb/aron.zip?dl=0

My system is feeling really sluggish :(

Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 820
Re: aron
« Reply #8 on: November 25, 2017, 11:06:22 AM »
Dropbox link is not working. Please post fresh FRST logs.

REDACTED

  • Guest
Re: aron
« Reply #9 on: November 25, 2017, 12:40:34 PM »
That's really odd - it says my Dropbox has reached its transfer limit. Pretty sure I haven't used 20 GB lol.

I uploaded it to my webserver

www.chudzik.ca/aron.zip

Here are the new logs. Had a quick look and it seems "windows" is still trying to start in the registry

Task: {47B938EE-B6A7-4BC0-8D24-0E331274A478} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION

Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 820
Re: aron
« Reply #10 on: November 25, 2017, 04:01:08 PM »
I don't see traces of the miner in the logs, so I can say you are now clean. As for GWX, it is a leftover from the Windows 7/8.1 to 10 upgrade application and you can safely delete them.

Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 820
Re: aron
« Reply #11 on: November 25, 2017, 04:15:22 PM »
The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.
Run the tool and check the following boxes:
Remove disinfection tools
Create registry backup
Purge System Restore

Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

REDACTED

  • Guest
Re: aron
« Reply #12 on: November 26, 2017, 12:09:35 AM »
All done - thank you for all the help.


Did those files hold any signatures or information that was useful?

Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 820
Re: aron
« Reply #13 on: November 26, 2017, 01:56:32 PM »
Yes. Malicious files in the archive are now detected by more antivirus applications.  ;)