ccminer cryptonight infection

chuky53

Estimable
Oct 30, 2014
9
0
4,510
Somehow yesterday a trojan got installed on my computer, which keeps installing and running ccminer-cryptonight (which gets installed in multiple folders, each ending in a different numeral: RarSFX0, RarSFX1, RarSFX2, etc., in this location: c:\users\\appdata\local\temp\RarSFX0).

The strange thing is that I did not install anything to provoke this. I haven't installed anything for weeks, no new software, games or anything. Last night I was just watching some videos on YouTube and all of a sudden 2 dialogs popped up one after the other asking if I wanted to allow the installation of a certain numbered .exe (example: 54656.exe). Of course I declined both of the install requests.
I did a scan with Spybot and Malwarebytes, both came up clean, and seeing as it was late at night I just ignored what happened and moved on. Now today when I started my computer, 2 prompt windows popped up running mining software. So, instantly reminded of what happened last night, I went on the hunt to find what and where it was coming from and found the folders listed above.

Manually deleting the folders doesn't work, and Spybot and Malwarebytes don't register it.

These items are inside the RarSFX folders:

- a folder named ccminer-cryptonight with the miner software inside.
- an application named starter_0.03a.exe
- a notepad file named starter_config.

text inside the config file:
Show miner window (0-no, 1-yes)
1
Show icon in tray (0-no, 1-yes)
1
Delay before mining starts, in seconds
5
Folder containing the miner (enter only its name)
ccminer-cryptonight
Miner executable to launch (file name with extension)
ccminer.exe
Parameter string (with a leading space!). Syntax depends on the chosen miner. Must not begin with the miner's file name! If the pool provided a string with the miner's name, remove it from the string.
-a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560 -u xdem777@gmail.com -p x -l 8x32
Operating mode (0 - while the user is inactive, 1 - in parallel with the user)
1

Please help me get rid of this. Don't feel like helping someone mine cryptocurrency on my dime.
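
Added example, not part of the original post: the description lines in starter_config are Windows-1251 Russian that was displayed as Windows-1252. This Python sketch reverses that mis-decoding, pairs each description with its value, and pulls the pool and account out of the argument line so they can be blocked or reported; the function names are hypothetical.

```python
import re

# starter_config as posted: Windows-1251 text rendered as Windows-1252.
POSTED = """\
Ïîêàçûâàòü îêíî ìàéíåðà (0-íåò, 1-äà)
1
Ïîêàçûâàòü çíà÷îê â òðåå (0-íåò, 1-äà)
1
Çàäåðæêà ïåðåä âêëþ÷åíèåì ìàéíèíãà â ñåêóíäàõ
5
Ïàïêà, â êîòîðîé íàõîäèòñÿ ìàéíåð (ââîäèòü òîëüêî åå íàçâàíèå)
ccminer-cryptonight
Çàïóñêàåìûé ôàéë ìàéíåðà (èìÿ ôàéëà ñ ðàñøèðåíèåì)
ccminer.exe
Ñòðîêà ïàðàìåòðîâ (ñ ïðîáåëîì â íà÷àëå!). Ñèíòàêñèñ çàâèñèò îò âûáðàííîãî ìàéíåðà. Íå äîëæíà íà÷èíàòüñÿ ñ èìåíè ôàéëà ìàéíåðà! Åñëè ïóë ïðåäîñòàâèë ñòðîêó ñ èìåíåì ìàéíåðà, óäàëèòå åãî èç ñòðîêè.
-a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560 -u xdem777@gmail.com -p x -l 8x32
Ðåæèì ðàáîòû (0 - âî âðåìÿ íåàêòèâíîñòè ïîëüçîâàòåëÿ, 1 - ïàðàëëåëüíî ñ ïîëüçîâàòåëåì)
1
"""

def repair(text):
    """Undo cp1251-read-as-cp1252 mojibake; return the text unchanged if it does not fit."""
    try:
        return text.encode("cp1252").decode("cp1251")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return text  # already readable, or damaged some other way

def parse_config(text):
    """The file alternates a description line and a value line; pair them up."""
    lines = [repair(line) for line in text.splitlines() if line.strip()]
    return list(zip(lines[0::2], lines[1::2]))

# Pool URL after -o and account after -u in the miner argument line.
STRATUM = re.compile(r"-o\s+(stratum\+tcp://([^\s:/]+):(\d+)).*?-u\s+(\S+)")

def indicators(pairs):
    """Return pool URL, host, port and account from the first matching value line."""
    for _description, value in pairs:
        m = STRATUM.search(value)
        if m:
            return {"url": m.group(1), "host": m.group(2),
                    "port": int(m.group(3)), "account": m.group(4)}
    return None

if __name__ == "__main__":
    for description, value in parse_config(POSTED):
        print(f"{value!r:<24} {description}")
    print(indicators(parse_config(POSTED)))
```

The pool host and port it returns are what a firewall or DNS block would target, and the account string is what a pool's abuse contact would need.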
 
Avast-Team

Estimable
Mar 3, 2017
225
1
5,165
Hm, I'm passing this information on directly to our threat labs so they can have a look. It sounds like this could have come through the browser. Also, have you checked your browser extensions/addons to make sure nothing questionable is in there? (Possible malware could have been delivered through a malicious extension)

You might want to try running a boot time scan with your AV of choice (here's how to do it with Avast Free: https://www.avast.com/en-us/faq.php?article=AVKB132) after disconnecting the computer from the net. This may help to catch the malware if it's self-propagating.

If you are able, you can submit samples directly to us: https://www.avast.com/faq.php?article=AVKB258
 

chuky53


That was my first concern so I did check my plugins and extensions right away last night, there are no plugins nor extensions listed that I didn't install myself. I have always had remote assistance and remote desktop options disabled in Windows. This is right there at position #1 as THE weirdest thing I have had happen.

Normally it's partly your own fault, you know... clicked something you shouldn't have kinda thing... but this... I was in the middle of watching a YouTube video, hands nowhere near a keyboard or mouse, and *poof* there it is.
 

chuky53


Deleting the RarSFX folders alone manually didn't work as I said before, they just kept respawning, but I think I just found a crude, I mean very crude solution. I just rudely and crudely deleted every single item from the specific temp folder that Windows allowed me to delete. Rebooted and so far the folders have not come back yet, nor have I seen the starter app or any of the other related processes in task manager since. Will still do a boot time scan and see if I get any results.
 

JoshRoss

Estimable
Jul 11, 2017
228
0
5,260
Thorough solution time. Since you tried all of the conventional methods, see if these help you:

1. Restart your PC in “Safe mode with networking.”
2. Install and run RKill to kill malicious processes and services
3. Check your Programs and features and see if there are any new recently installed programs that you don’t recognize. If there are, remove them.
4. Check your task manager for any suspicious processes, if found, identify folders and try to remove them manually. Or just "Win key + R" and type %appdata%. Afterward, delete potentially malicious folders.
5. Do a full scan with anti-virus software of your choice or use Windows Defender to clean up initial infections.
6. Scan your PC with Hitman Pro, Malwarebytes, and AdwCleaner. Multiple anti-malware solutions will confirm that the threat was removed.
7. Clean up your Registry and Cached files with CCleaner
8. Restart your PC in normal mode and do an additional scan to confirm that the malware is gone.

After that, your malware should be gone! Let me know how it goes!
 