
Infected With Cryptonight BitCoin Miner (Trojan?)


26 replies to this topic

#1 Nyasu (Members, 16 posts)
Posted 14 January 2017 - 11:08 AM

Hi,

 

I have been trying to get rid of this BitCoin Miner for quite a while now and I could really need some help from you guys.

 

It seems like it's changing the permissions of the Guest account (even though it's deactivated) to create its own user accounts with higher privileges. The new user accounts then create a task called "ngm"; this task starts every evening at 11:00 PM. The task runs a file called "kit.bat" which is located in the "C:\Windows\Temp\ngmtx" folder. The files are not always in the same folders; sometimes they are located in "C:\Windows\ngmtx" as well. A process called "servies.exe" starts which utilizes 100% of the CPU's capacity. This process used to be called "MSTDC.exe" before it was called "servies.exe". This is a BitCoin Miner which is using the Cryptonight algorithm; the IP addresses that I have seen lead to Germany. The user that is behind all of this is called "bond007.01" and is using the email address "leebond986@gmail.com".

 

The BitCoin Miner is connecting to the following addresses:

 

• xmr.pool.minergate.com

• bcn.pool.minergate.com

• r.pool.minergate.com

• yxmr.pool.minergate.com

• pool.minexmr.com

• mine.moneropool.com

• xmr-usa.dwarfpool.com

• te.com

 

The "ngmtx" folder contains the following files:

 

• bv2.txt
• kit.bat
• libcurl-4.dll
• libeay32.dll
• libffi-6.dll
• libgmp-10.dll
• libgnutls-30.dll
• libhogweed-4-1.dll
• libiconv-2.dll
• libidn-11.dll
• libintl-8.dll
• libjansson-4.dll
• libnettle-6-1.dll
• libp11-kit-0.dll
• librtmp-1.dll
• libssh2-1.dll
• libtasn1-6.dll
• libwinpthread-1.dll
• servies.exe
• ssleay32.dll
• zlib1.dll
 
Applications that I have used to scan the computer with:
 
• AdwCleaner
• AVG
• Emsisoft Anti-Malware
• ESET Online Scanner
• HitmanPro
• Malwarebytes
• MiniToolBox
• Rkill
• SUPERAntiSpyware
• Norton Online Scanner
 
And probably some more applications that I can't remember.
 
Things that I have done to try to remove, block and/or disable the trojan:
 
• I have used all the applications in the list above to scan and analyze the harddrives.
• Deleted all the files and folders that it creates in the Windows\Temp folder. Shift-Delete works, but the .tmp files come back instantly. I have tried to delete them with AVG's "Shred" function as well as putting them in SUPERAntiSpyware's "File Removal" function.
• Blocked %SystemRoot%\Temp\ngmtx\servies.exe in the Windows Firewall (Outbound Rules) This executable file comes with the rest of the trojan-related files automatically.
• Blocked %SystemRoot%\Temp\ex.exe in the Windows Firewall (Outbound Rules) This executable file comes with the rest of the trojan-related files automatically.
• Blocked 243.47.9.176 in the Windows Firewall (Outbound Rules) This IP address was being used by servies.exe (static.243.47.9.176.clients.your-server.de) according to the Resource Manager.
• Disabled the Guest account in the Control Panel.
• Tried to verify that the Guest account was fully disabled by running this code (net user guest | findstr /C:"active") in the Command Prompt. It turned out that the Guest account was still activated.
• Disabled the Guest account by running this code (net user guest /active:no) in the Command Prompt.
• Enabled a password on the Guest account.
• Set the Guest account so that it can't change its own password.
 
And much more, I stopped writing down all the things that I've done unfortunately.
 
No matter what I have done so far, the files keep coming back and the same process keeps starting at 11:00 PM every evening. What should I do next? Reinstalling the computer is not an option since this is one of my server computers, which has many years of undocumented, complicated installations. Any help is greatly appreciated, thanks in advance!
 
Regards, Nyasu

 

Attached Files





#2 Jo* (Malware Response Team, 3,417 posts, Location: Germany)
Posted 14 January 2017 - 12:27 PM

:welcome: to BleepingComputer.

Hi there,

my name is Jo and I will help you with your computer problems.


Please follow these guidelines:
  • Read and follow the instructions in the sequence they are posted.
  • print or copy & save instructions.
  • back up all your private data / music / important files on another (external) drive before using our tools.
  • Do not install / uninstall any applications, unless otherwise instructed.
  • Use only the tools you have been instructed to use.
  • Copy and paste the log files inside your post, unless otherwise instructed.
  • Ask for clarification if you have any questions.
  • Stay with this topic until you get the "all clean" post.
  • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

***


Did you set Group policies?
GroupPolicyScripts\User: Restriction <======= ATTENTION

Did you install Chrome there:
HKU\S-1-5-21-3683815079-3417825062-3341043080-500\...\ChromeHTML: -> C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.) <==== ATTENTION
 

***


:step1: Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    Vista / Windows 7/8 users right-click and select Run As Administrator.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

***


:step2: Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(it takes a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:



createsrpoint;
filesrcm; 
uninstall-list;
iedefaults;
ffdefaults;
chrdefaults;
emptyclsid;
emptyalltemp;
autoclean;
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Copy and paste the log to your next reply please.
 

***


:step3: FRST / FRST64: run it again.
  • Right-click FRST / FRST64, then click "Run as administrator" (XP users: click Run after receipt of the Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Put a check into the box next to Addition.txt and press the Scan button.
  • When finished, it will produce logs called FRST.txt and Addition.txt in the same directory the tool was run from.
  • Please copy and paste both logs in your next reply.

***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#3 Nyasu (Topic Starter, Members, 16 posts)
Posted 15 January 2017 - 05:56 PM

Hi,

 

Thanks for your fast response! I have followed your steps now and I will post the log files in this thread tomorrow.

 

Regards, Nyasu



#4 Jo* (Malware Response Team, 3,417 posts, Location: Germany)
Posted 16 January 2017 - 04:08 AM

OK,

did you create these files:

2017-01-12 23:59 - 2017-01-12 23:18 - 25599371 _____ C:\Users\Administrator\Desktop\servies.zip
2017-01-12 23:59 - 2017-01-12 23:06 - 42765518 _____ C:\Users\Administrator\Desktop\servies.DMP
2017-01-12 23:18 - 2017-01-12 23:18 - 25599371 _____ C:\Users\Administrator\AppData\Local\Temp\servies.zip
2017-01-12 23:05 - 2017-01-12 23:06 - 42765518 _____ C:\Users\Administrator\AppData\Local\Temp\servies.DMP

Edited by Jo*, 16 January 2017 - 04:08 AM.



#5 Nyasu (Topic Starter, Members, 16 posts)
Posted 16 January 2017 - 04:23 AM

Hi, 

 

 

Did you set Group policies?
GroupPolicyScripts\User: Restriction <======= ATTENTION

Did you install Chrome there:
HKU\S-1-5-21-3683815079-3417825062-3341043080-500\...\ChromeHTML: -> C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.) <==== ATTENTION

 

No, I did not set those group policies and I did not install Google Chrome in that location.

 

 

OK,

did you create these files:

2017-01-12 23:59 - 2017-01-12 23:18 - 25599371 _____ C:\Users\Administrator\Desktop\servies.zip
2017-01-12 23:59 - 2017-01-12 23:06 - 42765518 _____ C:\Users\Administrator\Desktop\servies.DMP
2017-01-12 23:18 - 2017-01-12 23:18 - 25599371 _____ C:\Users\Administrator\AppData\Local\Temp\servies.zip
2017-01-12 23:05 - 2017-01-12 23:06 - 42765518 _____ C:\Users\Administrator\AppData\Local\Temp\servies.DMP

 

Yes, I created a dump file of the process "servies.exe" so I could analyze it further. The files that you listed have been created by me.

I will include the log files that you required in a post as soon as I get home from work.

 

Regards, Nyasu



#6 Nyasu (Topic Starter, Members, 16 posts)
Posted 16 January 2017 - 05:14 PM

Hi,

 

I have attached the new log files in this post.

The files are still being recreated at 11:00 PM and then it runs servies.exe like before.

 

Regards, Nyasu

Attached Files



#7 Jo* (Malware Response Team, 3,417 posts, Location: Germany)
Posted 16 January 2017 - 05:34 PM

I need the logs without any edits.

It makes no sense when you make a scan, then remove things and give me a so-called "fixed log".

Please post the ZOEK log without any edits too.

Thanks.

EDIT:
The attached logs are 2 days old !!!
Ran by Administrator (administrator) on WIN-COD93430P79 (15-01-2017 23:42:44)


Edited by Jo*, 16 January 2017 - 06:28 PM.



#8 Nyasu (Topic Starter, Members, 16 posts)
Posted 17 January 2017 - 02:16 AM

Hi,

 

I spoke to Nasdaq before opening this thread regarding the edits; I'll send you a PM with the information. The rows that I have removed are irrelevant to this issue.

Yes, the scans were made at that time. What about it?

 

Regards, Nyasu



#9 Jo* (Malware Response Team, 3,417 posts, Location: Germany)
Posted 17 January 2017 - 06:41 AM

Hi,
 
I spoke to Nasdaq before opening this thread regarding the edits; I'll send you a PM with the information. The rows that I have removed are irrelevant to this issue.
Yes, the scans were made at that time. What about it?
 
Regards, Nyasu

 
I cannot work with fake logs where a lot of processes, services and other things are missing.
The rest of the logs show some unusual lines, but not the root of the "Cryptonight BitCoin Miner" Problem.

Because you do not follow my instructions, I'm out here now.

Perhaps you find another helper who wants to take over this topic under your bad conditions.

Thanks and good luck.



#10 Nyasu (Topic Starter, Members, 16 posts)
Posted 17 January 2017 - 06:55 AM

Hi,

 

There is nothing fake about my logs, I explained to you in a PM that I have removed sensitive information about my organization (like Nasdaq instructed me to do). However, I would like to thank you for your help so far and I hope that someone else will be interested in helping me with this issue instead.

 

Regards, Nyasu



#11 nasdaq (Malware Response Team, 39,559 posts, Location: Montreal, QC, Canada)
Posted 17 January 2017 - 08:12 AM

Nyasu

We need the information that you marked as Removed.

On your logs, replace only the personal information with the word Removed.

Personal names or company names are not required, but all the operating settings we must see.

Do this for both your logs and post them for my review.

Nasdaq

#12 Nyasu (Topic Starter, Members, 16 posts)
Posted 17 January 2017 - 08:30 AM

Nyasu

We need the information that you marked as Removed.

On your logs, replace only the personal information with the word Removed.

Personal names or company names are not required, but all the operating settings we must see.

Do this for both your logs and post them for my review.

Nasdaq

 

Hi Nasdaq,

 

Okay, I understand. I will post the log files again when I get back from work. Thanks a lot!

 

Regards, Nyasu



#13 Nyasu (Topic Starter, Members, 16 posts)
Posted 17 January 2017 - 01:09 PM

Hi,

 

Here are the log files that you requested. I have only replaced a few words with "Removed", hope that's okay.

 

Regards, Nyasu

Attached Files



#14 nasdaq (Malware Response Team, 39,559 posts, Location: Montreal, QC, Canada)
Posted 17 January 2017 - 02:10 PM

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

ShellIconOverlayIdentifiers-x32: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers-x32: ["DropboxExt2"] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers-x32: ["DropboxExt3"] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers-x32: ["DropboxExt4"] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers-x32: ["DropboxExt5"] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers-x32: ["DropboxExt6"] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers-x32: ["DropboxExt7"] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers-x32: ["DropboxExt8"] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
FF Plugin-x32: @videolan.org/vlc,version=2.0.1 -> D:\Program\x86\VideoLAN\VLC\npvlc.dll [No File]
FF Plugin HKU\S-1-5-21-3683815079-3417825062-3341043080-500: wacom.com/WacomTabletPlugin -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll [No File]
S3 IntcAzAudAddService; system32\drivers\RTKVHD64.sys [X]
S3 NAVENG; \??\C:\Program Files (x86)\Norton Security\NortonData\22.8.0.50\Definitions\SDSDefs\20160915.023\ENG64.SYS [X]
S3 NAVEX15; \??\C:\Program Files (x86)\Norton Security\NortonData\22.8.0.50\Definitions\SDSDefs\20160915.023\EX64.SYS [X]
CustomCLSID: HKU\S-1-5-21-3683815079-3417825062-3341043080-500_Classes\CLSID\{092dfa86-5807-5a94-bf3b-5a53ba9e5308}\InprocServer32 -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll => No File
CustomCLSID: HKU\S-1-5-21-3683815079-3417825062-3341043080-500_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Administrator\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3683815079-3417825062-3341043080-500_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Administrator\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3683815079-3417825062-3341043080-500_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\Administrator\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3683815079-3417825062-3341043080-500_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\Administrator\AppData\Local\Google\Update\1.3.30.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3683815079-3417825062-3341043080-500_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\Administrator\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3683815079-3417825062-3341043080-500_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\Administrator\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3683815079-3417825062-3341043080-500_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\Administrator\AppData\Local\Google\Update\1.3.29.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3683815079-3417825062-3341043080-500_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Administrator\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3683815079-3417825062-3341043080-500_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Administrator\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3683815079-3417825062-3341043080-500_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\Administrator\AppData\Local\Google\Update\1.3.29.2\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3683815079-3417825062-3341043080-500_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Administrator\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3683815079-3417825062-3341043080-500_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\Administrator\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3683815079-3417825062-3341043080-500_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\Administrator\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll => No File
Task: {B7554023-7F84-4B6A-906D-FEC6F6EBBEC3} - System32\Tasks\ngm => C:\Windows\ngmtx\kit.bat [Argument = -s] <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:11DB9E5E [135]
AlternateDataStreams: C:\ProgramData\TEMP:B6418BC9 [205]
C:\Windows\ngmtx\kit.bat

Hosts:
Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

===

These versions are outdated. Not sure if these can be updated on Windows Server 2008.
Adobe Flash Player 12 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 12.0.0.43 - Adobe Systems Incorporated)
Java™ 7 Update 5 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86417005FF}) (Version: 7.0.50 - Oracle)

Please let me know what problem persists with this computer.
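The indicators named in the first post (the "ngm" task, the ngmtx folders, servies.exe/MSTDC.exe, the re-enabled Guest account, the pool hostnames) are the same items the fixlist above removes, so one read-only triage script covers both: run it before the fix to confirm the infection and after the fix to confirm nothing came back at 11:00 PM. This is an added example written for this thread; it is not code from the thread, from BleepingComputer, or from the FRST or Zoek tools. It assumes an elevated PowerShell 2.0 or later console (so it works on the Windows Server 2008 host described here), English-language `net user` output, and the names and paths quoted in the posts above; `schtasks`, `netstat` and `dir /r` are used instead of newer cmdlets that do not exist on Server 2008.

```powershell
# Added triage script for the indicators in this thread (not the thread's or any tool's code).
# Read-only: it reports findings and changes nothing. Assumes elevated PowerShell 2.0+.

$TaskName  = 'ngm'                                   # task name from the first post
$Paths     = @("$env:SystemRoot\Temp\ngmtx",         # folders/files from the first post
               "$env:SystemRoot\ngmtx",
               "$env:SystemRoot\Temp\ex.exe")
$ProcNames = @('servies', 'MSTDC')                   # current and former miner process names
$PoolHosts = @('xmr.pool.minergate.com', 'bcn.pool.minergate.com',
               'pool.minexmr.com', 'mine.moneropool.com', 'xmr-usa.dwarfpool.com')

$findings = @()
function Add-Finding([string]$Indicator, [string]$Detail) {
    $script:findings += New-Object PSObject -Property @{ Indicator = $Indicator; Detail = $Detail }
}

# 1. The scheduled task that re-launches kit.bat every evening.
#    schtasks exists on Server 2008, Get-ScheduledTask does not.
$task = schtasks /query /tn $TaskName /fo LIST /v 2>$null
if ($LASTEXITCODE -eq 0) {
    $run = ($task | Select-String '^Task To Run:') -replace '^Task To Run:\s*', ''
    Add-Finding 'Scheduled task' "$TaskName -> $run"
}

# 2. Dropper folders and loose binaries named in the thread.
foreach ($p in $Paths) {
    if (Test-Path -LiteralPath $p) { Add-Finding 'File/folder present' $p }
}

# 3. Miner processes, with PID and image path.
foreach ($proc in @(Get-Process -Name $ProcNames -ErrorAction SilentlyContinue)) {
    $path = '(path unavailable)'
    try { $path = $proc.Path } catch { }
    Add-Finding 'Running process' "$($proc.Name) PID $($proc.Id) $path"
}

# 4. Guest account state, checked two ways because the thread shows the
#    Control Panel toggle did not actually disable it.
try {
    $guest = [ADSI]"WinNT://$env:COMPUTERNAME/Guest,user"
    if (-not $guest.AccountDisabled) { Add-Finding 'Guest account' 'enabled (ADSI)' }
} catch { Add-Finding 'Guest account' "could not query: $($_.Exception.Message)" }
$netLine = net user guest | Select-String '^Account active'
if ($netLine -and ($netLine.ToString() -match 'Yes')) { Add-Finding 'Guest account' 'enabled (net user)' }

# 5. Local Administrators membership, so any account the miner added stands out.
$admins = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$names  = @($admins.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
Add-Finding 'Administrators group' ($names -join ', ')

# 6. Pool hostnames pinned in the hosts file, and live connections owned by miner PIDs.
$hosts = Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" -ErrorAction SilentlyContinue
foreach ($h in $PoolHosts) {
    if ($hosts | Select-String -SimpleMatch $h) { Add-Finding 'hosts file entry' $h }
}
$minerPids = @(Get-Process -Name $ProcNames -ErrorAction SilentlyContinue | ForEach-Object { $_.Id })
if ($minerPids.Count -gt 0) {
    netstat -ano | Select-String 'ESTABLISHED' | ForEach-Object {
        $cols = $_.ToString().Trim() -split '\s+'          # Proto Local Remote State PID
        if ($minerPids -contains [int]$cols[-1]) { Add-Finding 'Outbound connection' ($cols -join ' ') }
    }
}

# 7. Alternate data streams under ProgramData, as listed in the fixlist above.
cmd /c dir /r "$env:ProgramData" 2>$null | Select-String 'TEMP:.*\$DATA' | ForEach-Object {
    Add-Finding 'Alternate data stream' $_.ToString().Trim()
}

if ($findings.Count -eq 0) { 'No thread indicators found.' }
else { $findings | Format-Table Indicator, Detail -AutoSize }
```

Every check is a report, not a removal, so the output can be pasted into a reply without the "fixed log" problem raised earlier in the thread. The Guest account is queried both through the WinNT ADSI provider and through `net user` because the two disagreed for the original poster; if the account has been renamed the ADSI bind fails and the script says so instead of silently reporting it disabled. A clean run after the fix should print "No thread indicators found." apart from the Administrators group line, which is always listed for review.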

#15 Nyasu (Topic Starter, Members, 16 posts)
Posted 17 January 2017 - 04:20 PM

Hi,

 

Thanks, I have done what you said and here is the fixlog.

 

Regards, Nyasu

Attached Files





