CSRSS.EXE – Trojan CoinMiner

I recommend you UnHackMe - Ultimate Malware Killer for fast malware removal:

Free Download
Fully Functional 30-day Trial. No credit card is required.
Reviews
. EULA. Privacy Policy. Uninstall.

CSRSS.EXE – Trojan CoinMiner removal

FileMD5Virus Alias
CSRSS.EXE 7a137203072d840851930f1ec6696d51 Trojan CoinMiner
CSRSS.EXE 7a137203072d840851930f1ec6696d51 Trojan Bitcoin
CSRSS.EXE 7a137203072d840851930f1ec6696d51 Trojan SuspiciousFile
CSRSS.EXE 7a137203072d840851930f1ec6696d51 Trojan Generic

CSRSS.EXE size: 228485 bytes
CSRSS.EXE hash: 7A137203072D840851930F1EC6696D51

Created files:

%TEMP%\IXP000.TMP\CoolPDFReader.exe
%TEMP%\IXP000.TMP\pdf.exe
%TEMP%\_MEI24842\bin\csrss.exe
%TEMP%\_MEI24842\bin\diablo130302.cl
%TEMP%\_MEI24842\bin\diakgcn121016.cl
%TEMP%\_MEI24842\bin\explorer.exe
%TEMP%\_MEI24842\bin\libcurl.dll
%TEMP%\_MEI24842\bin\libeay32.dll
%TEMP%\_MEI24842\bin\libidn-11.dll
%TEMP%\_MEI24842\bin\minerd.dll
%TEMP%\_MEI24842\bin\OpenCL.dll
%TEMP%\_MEI24842\bin\phatk121016.cl
%TEMP%\_MEI24842\bin\poclbm130302.cl
%TEMP%\_MEI24842\bin\pthreadGC2.dll
%TEMP%\_MEI24842\bin\scrypt130511.cl
%TEMP%\_MEI24842\bin\ssleay32.dll
%TEMP%\_MEI24842\bin\winlogon.exe
%TEMP%\_MEI24842\bin\zlib1.dll
%TEMP%\_MEI24842\bz2.pyd
%TEMP%\_MEI24842\eggs\msgpack_python-0.3.0-py2.7-win32.egg
%TEMP%\_MEI24842\eggs\psutil-1.0.1-py2.7-win32.egg
%TEMP%\_MEI24842\eggs\wmi-1.4.9-py2.7-win32.egg
%TEMP%\_MEI24842\mfc90.dll
%TEMP%\_MEI24842\mfc90u.dll
%TEMP%\_MEI24842\mfcm90.dll
%TEMP%\_MEI24842\mfcm90u.dll
%TEMP%\_MEI24842\msgpack._packer.pyd
%TEMP%\_MEI24842\msgpack._unpacker.pyd
%TEMP%\_MEI24842\msvcm90.dll
%TEMP%\_MEI24842\msvcp90.dll
%TEMP%\_MEI24842\msvcr90.dll
%TEMP%\_MEI24842\pyexpat.pyd
%TEMP%\_MEI24842\pyHook._cpyHook.pyd
%TEMP%\_MEI24842\python27.dll
%TEMP%\_MEI24842\pythoncom27.dll
%TEMP%\_MEI24842\pywintypes27.dll
%TEMP%\_MEI24842\select.pyd
%TEMP%\_MEI24842\unicodedata.pyd
%TEMP%\_MEI24842\win32api.pyd
%TEMP%\_MEI24842\win32com.shell.shell.pyd
%TEMP%\_MEI24842\win32file.pyd
%TEMP%\_MEI24842\win32gui.pyd
%TEMP%\_MEI24842\win32pipe.pyd
%TEMP%\_MEI24842\win32trace.pyd
%TEMP%\_MEI24842\win32ui.pyd
%TEMP%\_MEI24842\_ctypes.pyd
%TEMP%\_MEI24842\_hashlib.pyd
%TEMP%\_MEI24842\_multiprocessing.pyd
%TEMP%\_MEI24842\_psutil_mswindows.pyd
%TEMP%\_MEI24842\_socket.pyd
%TEMP%\_MEI24842\_ssl.pyd
%TEMP%\_MEI24842\_win32sysloader.pyd

Autostart registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0: rundll32.exe %WinDir%\System32\advpack.dll,DelNodeRunDLL32 “%TEMP%\IXP000.TMP\”

Detected by UnHackMe:

CSRSS.EXE
Default location: %TEMP%\_MEI24842\BIN\CSRSS.EXE

Dropper information:
MD5: 125d357fea7d532c2bb474ecc3efd90b
File size: 8565760 bytes

Leave a Reply