Mickyb, posted February 27, 2020:

Hi All, newbie here - first-time poster. Apologies if this is in the wrong section; however, I have been searching all over the web to try and find any info on two files that have very suspicious activity, and have been unable to locate anything whatsoever.

Over the past couple of days I've seen some serious issues with one of my PCs. This evening I finally managed to take a further look. As I'm not sure if this is the correct thread to raise the topic, I'll keep it short.

Somehow a file (or files) has managed to install itself on the system, create a startup item, and trigger another file to load; the process sits in the process list hammering the CPU usage. It also appears to drive network bandwidth up. Upon reset, the process repeats. (You can see the file loads a command window, but it has a black/blank screen.)

The file(s) is/are hidden file(s), only located via CMD by searching for the process name and seeking hidden files across the whole drive. Attributes are marked as system, archived and hidden (hence unable to be seen by File Explorer in Windows). Changing the attributes from CMD (as admin) makes the files appear. 500+ MB (each) in size. NFI what they are doing...

"solicitation.cgb & thermometer.exe" - location: hiding out in C:\Users\All Users\*user name* and C:\ProgramData\*user name*

Only remedy I have found so far: search for and manually remove the listing via regedit, disable it in Startup, and make the changes noted above via CMD (admin) for visibility.

Does anyone have any idea what the file(s) is/are all about...? Happy to compress and upload, but I don't think 500 MB will get under 100 MB. Keen to hear thoughts, and happy to be called out as crazy on this one...
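The triage the poster did by hand (attrib from CMD, regedit, the Startup tab) can be done in one pass from an elevated PowerShell prompt. The script below is an added example, not code from the thread or from ESET: it lists large files carrying the Hidden+System attributes under ProgramData and the user profile, hashes them (a SHA-256 can be looked up or sent to a vendor without uploading a 500 MB binary), dumps the Run/RunOnce keys, scheduled tasks and top CPU consumers so the autorun entry can be tied to the process, and offers a small quarantine step that mirrors the poster's attrib/remove remedy. The 100 MB threshold, the quarantine folder and the path patterns are assumptions. Note that on modern Windows C:\Users\All Users is a junction to C:\ProgramData, so the two locations named in the post are the same directory; the script only walks ProgramData once for that reason.

```powershell
# Added triage example (not from the original post). Run as Administrator.
# Assumptions: 100 MB size threshold, C:\Quarantine as the holding folder.
$roots   = @($env:ProgramData, $env:USERPROFILE)   # C:\Users\All Users is a junction to C:\ProgramData
$minSize = 100MB

# -Force returns Hidden and System entries that Explorer hides by default (what "attrib" exposed in the post).
$suspects = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object {
            (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
            (($_.Attributes -band [IO.FileAttributes]::System) -ne 0) -and
            ($_.Length -ge $minSize)
        }
}

"=== Large Hidden+System files ==="
foreach ($f in $suspects) {
    [PSCustomObject]@{
        Path       = $f.FullName
        SizeMB     = [math]::Round($f.Length / 1MB, 1)
        Attributes = $f.Attributes
        Signature  = (Get-AuthenticodeSignature -FilePath $f.FullName).Status   # NotSigned is a red flag for a 500 MB exe
        SHA256     = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash    # look this up instead of uploading the file
    }
}

"=== Registry autorun entries ==="
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k | Select-Object -Property * -ExcludeProperty PS*
    foreach ($p in $props.PSObject.Properties) {
        [PSCustomObject]@{ Key = $k; Name = $p.Name; Command = $p.Value }
    }
}

"=== Scheduled tasks launching from ProgramData or a user profile ==="
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $task.Actions | Where-Object { $_.Execute -match 'ProgramData|\\Users\\' } | ForEach-Object {
        [PSCustomObject]@{ Task = $task.TaskPath + $task.TaskName; Execute = $_.Execute; Arguments = $_.Arguments }
    }
}

"=== Top CPU consumers (match against the blank console window in Task Manager) ==="
Get-Process | Where-Object { $_.Path } |
    Sort-Object -Property CPU -Descending |
    Select-Object -First 10 -Property Name, Id, CPU, Path

# Containment once a file is confirmed bad: kill the process, drop the autorun value,
# clear Hidden/System (the attrib -s -h step from the post) and move the file aside
# rather than deleting it, so it can still be submitted to the vendor.
function Invoke-Quarantine {
    param(
        [Parameter(Mandatory)] [string] $FilePath,
        [string] $RunKey,                       # e.g. HKCU:\...\Run (assumed; taken from the listing above)
        [string] $RunValueName,
        [string] $QuarantineDir = 'C:\Quarantine'
    )
    Get-Process | Where-Object { $_.Path -eq $FilePath } | Stop-Process -Force -ErrorAction SilentlyContinue
    if ($RunKey -and $RunValueName) {
        Remove-ItemProperty -Path $RunKey -Name $RunValueName -ErrorAction SilentlyContinue
    }
    New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null
    $item = Get-Item -LiteralPath $FilePath -Force
    $item.Attributes = [IO.FileAttributes]::Archive   # strips Hidden and System in one assignment
    Move-Item -LiteralPath $FilePath -Destination (Join-Path $QuarantineDir ($item.Name + '.quarantined'))
}
```

Run the enumeration first and only call Invoke-Quarantine on a path you have matched to both a Run/RunOnce value (or task) and a running process; the hash and the Authenticode status are what to hand to a vendor, since a 500 MB sample will not fit a typical upload limit.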
Marcos (Administrator), posted February 27, 2020:

Please compress the file, upload it to a safe location (OneDrive, Dropbox, etc.) and drop me a private message with a download link. It's unusual for malware to be that big, but we'll see.
itman, posted February 27, 2020:

Mickyb said: "solicitation.cgb"

The .cgb extension is associated with Gameboy: https://filext.com/file-extension/CGB Do you have a Windows-based Gameboy emulator installed?
Marcos (Administrator), posted March 3, 2020:

It's been detected as Win64/CoinMiner.PO, a potentially unwanted application, since Aug 2019. Most likely you have detection of potentially unsafe applications disabled.
Mickyb (author), posted March 8, 2020:

Marcos said (on 3/4/2020 at 2:10 AM): "It's been detected as Win64/CoinMiner.PO, a potentially unwanted application, since Aug 2019. Most likely you have detection of potentially unsafe applications disabled."

Hi Marcos, was this detected using ESET? With respect, I have scanned a few times and it was not found, nor was anything cleaned.
Nightowl (Most Valued Member), posted March 8, 2020:

Mickyb said: "Hi Marcos, was this detected using ESET? With respect, I have scanned a few times and it was not found, nor was anything cleaned."

Check if you have detection of potentially unsafe applications enabled.