Jump to content

New Trojan? cvhost.exe

xiphen

By xiphen
in Resolved Malware Removal Logs

 Share

Recommended Posts

xiphen

xiphen

Posted
Posted

So I started transfering some files from one drive to the other after a fresh reboot on my computer and I was downloading some old files to replaces some others. Not sure what the source was but all of a sudden I started noticing my transfer speed slow down and then look all out of wack, looked like I was starting to get low system memory.

Opened up task manager and sure enough there was a program called cvhost eating 45-79% of my cpu. I thought this was the file transfer but no... so I closed it and kept my eye on my task manager, hours later the program came back and checked into it. 

Location: C:\Windows\System32\winrs

e03553ce87f634e362b3bae2c25776d3.png
https://gyazo.com/e03553ce87f634e362b3bae2c25776d3

I opened the config.txt 

Here the .txt that is in the 

"cpu_threads_conf" virus folder: 
[ 
{"low_power_mode": false, "no_prefetch": true, "affine_to_cpu": 0}, 
{"low_power_mode": false, "no_prefetch": true, " affine_to_cpu ": 1}, 
{" low_power_mode ": false," no_prefetch ": true," affine_to_cpu ": 2}, 
{" low_power_mode ": false," no_prefetch ": true," affine_to_cpu ": 3}, 
], 
" use_slow_memory ":" warn ", 
" nicehash_nonce ": false, 
" aes_override ": null, 



"pool_address": "monerohash.com:80" 
"wallet_address": "43jRngiH5giMCM9Co4fKxsbsM2uA2kDqGSzi7PX2wzYRdmAo63zz7gYcVc477iWDjr26bTSHeSSuoGVFb1MrmMzTNm6DcK9"
"pool_password": "PC NAME HERE" 
"call_timeout": 10, 
"RETRY_TIME": 10, 
"giveup_limit": 0, 
"verbose_level": 3, 
"h_print_time": 60, 
"daemon_mode": false, 
"output_file": "", 
"httpd_port": 0, 
"prefer_ipv4": true,

Now heres the kicker, this is NO WHERE online no flags no nothing until a few hours ago someone else was affected by the same thing

http://www.bringdownie6.com/topic/35111670-virus-cvhost-qui-mine-du-bitcoin-sur-mon-pc-help

Someone somehow injected a bit coin miner into my pc and I have no idea that the source is. I have deleted this file it comes back, I have deleted the folder after hours it comes back. Malwarebytes comes of negative

AVG, negative.

Bitdefender all negative this is something brand new and people need to keep their eye on it.... Also how the crap do I remove this replicating file or find the source?

Link to post
Share on other sites
kevinf80

kevinf80

Posted
Posted
Hello xiphen and welcome to Malwarebytes,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.

Thank you,

Kevin

Link to post
Share on other sites
kevinf80

kevinf80

Posted
Posted

This is the connection url inside winrs\context.txt file "hxxps://monerohash.com/"

winrs is a Microsoft management tool https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/winrs

It allows remote management and execution of programs on your system... If that folder returns after each time you`ve deleted it there must be a hidden tool or protective rootkit making those actions...

Do the following:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Next,

Run FRST one more time:

Type or copy/paste the following as listed into the edit box after "Search:".

Quote

winrs
akumuichinoana

Click Search Registry button and post the log (Search.txt) it makes to your reply.

Next,

Download RogueKiller and save it on your desktop, ensure to download correct version..

RogueKiller (X86)

RogueKiller (x64)
 
  • Exit all running applications.
  • Double-click on RogueKiller.exe to launch the tool. On its first execution, RogueKiller will disply the software license (EULA), click on "Accept" to continue.
  • If RogueKiller is unable to load, do not hesitate to try launching it several times or rename it winlogon.
  • Click "Start Scan" to begin the analysis. This may take some time.
  • Once the scan is complete, click the "Open TXT" button to display the scan report.
  • Copy/Paste it's content in your next reply.
Do not use the Remove Selected option until i`ve had a look at the log..

Let me see those logs in your reply..

Thanks,

Kevin...

 

fixlist.txt

Link to post
Share on other sites
xiphen

xiphen

Posted
  • Author
Posted

I've scanned the file with bitdefender and malwarebytes and they came up negative and I submitted a form to BD as well notifying of this fourm on MB, so perhaps they updated it because now when the file is copied its removed via protection. I will keep my eyes on it to see if it comes back however.

Also that seemed to have worked better. Here are the results.

 

 

SearchReg.txt

Link to post
Share on other sites
kevinf80

kevinf80

Posted
Posted

Run RogueKiller again....

  •   Wait for the scan to complete
  •   On completion, the results will be displayed
  •   Checkmark all found entries then click on the Remove Selected button
  • On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
  • This will open the report in Notepad. Copy/paste its content in your next reply....


Regarding WINRS it would seem the only problem entry was picked up by BitDefender, maybe worthwhile running your system for maybe 24 hours and see if the malicious entry does return...

Link to post
Share on other sites
kevinf80

kevinf80

Posted
Posted

Thanks for the update, clean up as follows:

Delete RogueKiller portable from your Desktop, also delete this folder if present: C:\ProgramData\RogueKiller

Next,

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix either, accept the alert or turn your security off.

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:

 
  • Remove disinfection tools <----- this will remove tools we may have used.
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
  • Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection


Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin... user posted image

 

Link to post
Share on other sites
kevinf80

kevinf80

Posted
Posted

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread.

Thanks

 

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.