Rkill didn't work on "Acnom.exe and Acnon.exe Monero Miner"


#1 NewsTech


Posted 08 December 2017 - 10:23 AM

I have a VPS (Win 2008 R2) that became extremely slow after the host moved the server to a new IP. They disabled the firewall to test it (since I had it set to refuse all IP connections except those coming from my own), and I believe that's when someone managed to install the malware.

Following this page:

https://www.bleepingcomputer.com/virus-removal/remove-the-acnom.exe-acnon.exe-monero-miners

The infected VPS has SysData, with control.exe, kill.exe, install.exe, acnon.exe, and acnom.exe.

Task Manager shows Control.exe *32 running.

When I followed that page's instructions and ran Rkill.exe as iExplore.exe, it completed but did not find anything.

I was able to end task on control.exe.

I will try to follow that page's instructions on running Emsisoft Anti-Malware, AdwCleaner, and Hitman Pro, in that order. But I'm not sure if it's going to work since Rkill didn't work.

(Incidentally, I have Windows Defender running and that's not detecting it either.)

Here are the CRC32s I have and rkill.txt; however, if there's a rootkit involved, who knows what's actually going on.

acnom.exe    725C0F4D
acnon.exe    0AD4006B
control.exe  A327A885
install.exe  1B5A5AC2
kill.exe     FC19BFBC
Rkill 2.9.1 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 12/08/2017 09:34:32 AM in x64 mode.
Windows Version: Windows Server 2008 R2 Standard Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Searching for Missing Digital Signatures: 

 * No issues found.

Checking HOSTS File: 

 * HOSTS file entries found: 


  20 out of 15633 HOSTS entries shown.
  Please review HOSTS file for further entries.

Program finished at: 12/08/2017 09:48:19 AM
Execution time: 0 hours(s), 13 minute(s), and 47 seconds(s)

(All of the HOSTS entries are from Spybot's Innoculate.)
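An added example (not code from the poster or from BleepingComputer) for re-checking the indicators listed in the post above: it computes CRC32 values in the same uppercase 8-hex-digit form as the list and reports, for each listed file name, whether a file by that name exists in a given folder and whether its checksum matches. The folder path and the placeholder file in the demo are constructed assumptions; on a real system you would point it at the SysData folder.

```python
import os
import tempfile
import zlib

# File names and CRC32 values exactly as listed in the post above.
KNOWN_CRC32 = {
    "acnom.exe": "725C0F4D",
    "acnon.exe": "0AD4006B",
    "control.exe": "A327A885",
    "install.exe": "1B5A5AC2",
    "kill.exe": "FC19BFBC",
}


def crc32_hex(data: bytes) -> str:
    """CRC32 of a byte string in the same uppercase 8-hex-digit form as the list."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08X}"


def crc32_of_file(path: str) -> str:
    """CRC32 of a file, read in 1 MiB chunks so large binaries are not loaded whole."""
    crc = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            crc = zlib.crc32(chunk, crc)
    return f"{crc & 0xFFFFFFFF:08X}"


def check_folder(folder: str, known: dict = KNOWN_CRC32) -> dict:
    """Return {name: status} for every name in `known`.

    status is 'missing' (no such file), 'match' (name and CRC32 both agree with
    the list) or 'name-only' (same name, different checksum, e.g. a newer build).
    """
    result = {}
    for name, expected in known.items():
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            result[name] = "missing"
        elif crc32_of_file(path) == expected.upper():
            result[name] = "match"
        else:
            result[name] = "name-only"
    return result


if __name__ == "__main__":
    # Constructed demo: a temporary folder holding a placeholder 'kill.exe'.
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "kill.exe"), "wb") as fh:
            fh.write(b"placeholder bytes, not the real binary")
        for name, status in check_folder(tmp).items():
            print(f"{name:12} {status}")
```

A 'name-only' result still deserves attention, since the poster's checksums describe one build and a different checksum only means the file is not that exact copy.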


#2 JohnC_21


Posted 08 December 2017 - 11:03 AM

I don't know if it will work, but can you kill the processes with Process Explorer?

https://www.howtogeek.com/school/sysinternals-pro/lesson2/

https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer