Jump to content

Recommended Posts

Posted

Hi All,

 

Newbie here - first time poster.  Apologises if in the wrong section, however I have been searching all over the web to try and find info out any two files that have very suspicious activity, and have been unable to locate anything whatsoever.

Over the past couple of days I've seen some serious issues with one of my PC's.

This evening finally managed to take a further look.

As I'm not sure if this is the correct thread to raise the topic, ill keep it short.

Somehow a file(s) has managed to install itself on the system.

Create a startup item.

Trigger another file to load and the process sits within the process list hammering the CPU usage.  It also appears to hit the network bandwidth up.

Upon reset, the process repeats. (You can see the file loads a command screen, but it has a black/blank screen).

File(s) is/are hidden flie(s).  Only located via the CMD and searching for the process name and seeking hidden files across the whole drive.

Attributes are marked as - system, archived and hidden.  (Hence unable to be seen by File Exp in Windows).

Changing attrib from CMD (as admin) and files appear.

500+ meg (each) in size.

NFI what they are doing...

"solicitation.cgb & thermometer.exe" - location hiding out in C:\Users\All Users\*user name* and C:\ProgramData\*user name* 

Only remedy I have found so far; search and manually remove listing via reg edit.  Disable in startup, and make changes noted above via CMD (admin) for visibility.

Does anyone have any idea what the file(s) is/are all about...?

Happy to compress and upload, but dont think 500meg will get under 100meg.

Keen to hear thoughts, and happy to be called out as crazy on this one...

  • Administrators
Posted

Please compress the file, upload it to a safe location (OneDrive, Dropbox, etc.) and drop me a private message with a download link. It's unusual for malware to be that big but we'll see.

  • Administrators
Posted

It's been detected as Win64/CoinMiner.PO potentially unwanted application since Aug 2019. Most likely you have detection of potentially unsafe applications disabled.

Posted
On 3/4/2020 at 2:10 AM, Marcos said:

It's been detected as Win64/CoinMiner.PO potentially unwanted application since Aug 2019. Most likely you have detection of potentially unsafe applications disabled.

Hi Marco, 

Was this detected using eset?
With respect, I have scanned a few times and it was not found, nor cleaned anything.

 

  • Most Valued Members
Posted
21 minutes ago, Mickyb said:

Hi Marco, 

Was this detected using eset?
With respect, I have scanned a few times and it was not found, nor cleaned anything.

 

Check if you have detection of potentially unsafe applications enabled

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...