Mickyb

solicitation.cgb & thermometer.exe


Hi All,

Newbie here - first-time poster. Apologies if this is in the wrong section, however I have been searching all over the web to try and find out any info on two files that have very suspicious activity, and have been unable to locate anything whatsoever.

Over the past couple of days I've seen some serious issues with one of my PCs.

This evening I finally managed to take a further look.

As I'm not sure if this is the correct thread to raise the topic, I'll keep it short.

Somehow a file(s) has managed to install itself on the system.

Create a startup item.

Trigger another file to load and the process sits within the process list hammering the CPU usage.  It also appears to hit the network bandwidth up.

Upon reset, the process repeats. (You can see the file loads a command screen, but it has a black/blank screen).

File(s) is/are hidden file(s). Only located via the CMD and searching for the process name and seeking hidden files across the whole drive.

Attributes are marked as - system, archived and hidden.  (Hence unable to be seen by File Exp in Windows).

Changing attrib from CMD (as admin) and files appear.

500+ meg (each) in size.

NFI what they are doing...

"solicitation.cgb & thermometer.exe" - location hiding out in C:\Users\All Users\*user name* and C:\ProgramData\*user name* 

Only remedy I have found so far; search and manually remove listing via reg edit.  Disable in startup, and make changes noted above via CMD (admin) for visibility.

Does anyone have any idea what the file(s) is/are all about...?

Happy to compress and upload, but don't think 500 meg will get under 100 meg.

Keen to hear thoughts, and happy to be called out as crazy on this one...

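The manual steps in the post above (finding files carrying the System+Hidden attributes under ProgramData, then checking what starts them) can be done in one pass from an elevated PowerShell prompt. This is an added triage script, not code from the thread or from ESET; the search roots, the 100 MB size floor and the list of Run keys are assumptions chosen to fit what the poster describes (on modern Windows `C:\Users\All Users` is a junction to `C:\ProgramData`, so one root covers both paths he names). It only reads and reports; it changes no attributes and deletes nothing.

```powershell
# Added example: hunt for large System+Hidden files under ProgramData/LocalAppData and
# cross-reference them with the standard autorun registry keys. Run as Administrator.
$Roots     = @("$env:ProgramData", "$env:LOCALAPPDATA")   # assumed search roots
$MinSizeMB = 100                                           # poster's files were 500+ MB

# Files that File Explorer hides by default: both Hidden and System attribute bits set
$suspects = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
            ($_.Attributes -band [IO.FileAttributes]::System) -and
            ($_.Length -gt ($MinSizeMB * 1MB))
        }
}

# Persistence: the usual startup-item locations (assumed list, extend as needed)
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$runEntries = foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' })) {
            [pscustomobject]@{ Key = $key; Name = $name; Command = $props.$name }
        }
    }
}

# One report row per suspect file: path, size, attributes, SHA-256 and any Run entry
# whose command line mentions the file name. Hashing 500 MB files takes a moment.
foreach ($f in $suspects) {
    $hash    = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    $persist = $runEntries | Where-Object { $_.Command -like "*$($f.Name)*" }
    [pscustomobject]@{
        Path       = $f.FullName
        SizeMB     = [math]::Round($f.Length / 1MB, 1)
        Attributes = $f.Attributes.ToString()
        SHA256     = $hash
        RunEntry   = if ($persist) { ($persist | ForEach-Object { "$($_.Key)\$($_.Name)" }) -join '; ' }
                     else { '(none in Run/RunOnce)' }
    }
}
```

The SHA-256 column is what to submit to the vendor alongside the sample, since a hash identifies the file without uploading 500 MB; a file with no Run entry may still be started by a scheduled task or service, which this script does not enumerate.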

Please compress the file, upload it to a safe location (OneDrive, Dropbox, etc.) and drop me a private message with a download link. It's unusual for malware to be that big but we'll see.


It's been detected as Win64/CoinMiner.PO potentially unwanted application since Aug 2019. Most likely you have detection of potentially unsafe applications disabled.

On 3/4/2020 at 2:10 AM, Marcos said:

It's been detected as Win64/CoinMiner.PO potentially unwanted application since Aug 2019. Most likely you have detection of potentially unsafe applications disabled.

Hi Marco, 

Was this detected using eset?
With respect, I have scanned a few times and it was not found, nor cleaned anything.

21 minutes ago, Mickyb said:

Hi Marco, 

Was this detected using eset?
With respect, I have scanned a few times and it was not found, nor cleaned anything.


Check if you have detection of potentially unsafe applications enabled.
