-
Clémence Navarro
No, this is not a joke. My computer was clearly taken over and used for crypto XMR mining after I opened up and uncompressed the archive file. Windows Defender gave a warning when I uncompressed the archive, but it was not able to fix the issue and my computer was clearly compromised (couldn't install Malwarebytes, CPU was going at 100% and power consumption was ~400-500 watts). I don't necessarily think throwawaydox put anything in the zip file. I am not a cybersecurity expert. I just wanted to actually clean my computer and not delete everything and start from scratch, so I decided to research how I can remove this virus.
-
Clémence Navarro
You would have noticed if it was activated (installed?). CPU was running at 100% (but sneakily the crypto-miner would stop working when you opened Task Manager), using a lot of electricity and generating a lot of heat. It blocks installation of Malwarebytes (or running it if it is already installed) and several other third-party malware tools (e.g. ESET Online Scanner) and various Windows services (System Restore etc.). It would even try and shut down the browser when I was on the page for the tool that I used to remove it. I suspect the crypto-miner only activates for IPs in Eastern Europe, as I was only able to find info about it from resources in that region (luckily I speak some of the local languages). This may be a method to avoid quick detection. That being said, the virus payload also includes a remote-access trojan, so even if the crypto-miner is not running, it could be used to steal your data.

I did find that it adds Windows Defender exclusions for the following path: C:\ProgramData\WindowsTasks\apphost.exe. There are several other excluded exes for that path. "WindowsTasks" is not a real Windows folder, and that wasn't the real apphost.exe. I was not able to actually navigate to it via File Explorer while the computer was infected. It also disabled the Windows Security Centre.

I found a solution via this thread in a seemingly legit-looking Russian-language forum. Two caveats, however:

1. The crypto-miner remover actually triggers Windows Defender (this is mentioned in the thread). It seems that this is a generic ML-based identification. Without going into details, if you write your own program (not a virus) and it does certain things, Windows Defender will label it as the exact same "virus" (unless you submit it to MS for whitelisting). USE AT YOUR OWN RISK.
2. The tool has a horrible UI and isn't very clear about its findings. You do get a log file that shows corrections if the virus was identified, but it may be that this is a generic log file (that you get even when no cleaning was done).

URL to the tool: https://www.safezone.cc/resources/av-block-remover-avbr.224/ Click the "For english-speaking users" spoiler button for a guide. I went with [5] straight away, rebooted into "Safe Mode with Networking", ran the tool and it did remove the virus (in my case it did create a quarantine folder; maybe if you're not infected it won't). I got the infection as soon as I decompressed the archive with a licensed, fully updated copy of WinRAR. Windows Defender did pop up, but it said it had failed to clean the virus.
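The post above lists the observable side effects of the infection: a Defender exclusion for a path under a folder that is not a real Windows folder, and disabled security services. The following PowerShell audit is an added example, not something from the thread or from the AVBR tool, that checks a machine for those traces using only built-in cmdlets. The path C:\ProgramData\WindowsTasks comes from the post; the other "suspicious root" directories, and the idea of treating any exclusion under a user-writable location as worth a look, are assumptions of this example.

```powershell
# Added example (not from the forum thread or the AVBR tool): audit Microsoft
# Defender exclusions and protection state for the traces described in the post.
# Run in an elevated PowerShell session on Windows 10/11 (Defender module present).
# C:\ProgramData\WindowsTasks is the indicator quoted in the post; the other
# roots are an assumption: legitimate software rarely needs exclusions there.

$suspiciousRoots = @(
    'C:\ProgramData\WindowsTasks',   # path named in the post
    'C:\ProgramData',                # assumption: user-writable locations
    $env:TEMP,
    $env:APPDATA,
    $env:LOCALAPPDATA
)

function Test-SuspiciousExclusion {
    param([string]$Path)
    foreach ($root in $suspiciousRoots) {
        if ($root -and $Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

$pref = Get-MpPreference

Write-Host "== Defender exclusions =="
foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    foreach ($entry in @($pref.$kind)) {
        if (-not $entry) { continue }
        $flag = if (Test-SuspiciousExclusion $entry) { 'SUSPICIOUS' } else { 'ok' }
        Write-Host ("{0,-18} {1,-10} {2}" -f $kind, $flag, $entry)
    }
}

# For every suspicious path/process exclusion that exists on disk, show file
# metadata so the timestamps can be compared with when the archive was opened.
Write-Host "`n== Files referenced by suspicious exclusions =="
foreach ($entry in @($pref.ExclusionPath) + @($pref.ExclusionProcess)) {
    if ($entry -and (Test-SuspiciousExclusion $entry) -and (Test-Path -LiteralPath $entry)) {
        Get-Item -LiteralPath $entry -Force |
            Select-Object FullName, Length, CreationTime, LastWriteTime
    }
}

# Real-time protection and signature age: the post says Defender could not
# clean the infection, so confirm it is actually enabled and current.
Write-Host "`n== Protection state =="
$status = Get-MpComputerStatus
[pscustomobject]@{
    RealTimeProtection = $status.RealTimeProtectionEnabled
    AntivirusEnabled   = $status.AntivirusEnabled
    SignatureAgeDays   = $status.AntivirusSignatureAge
    DisableRealtimeMon = $pref.DisableRealtimeMonitoring
} | Format-List

# Security Center (wscsvc), Defender itself, and Volume Shadow Copy (used by
# System Restore) are the services the post reports as being disabled.
Write-Host "== Services the post says were disabled =="
Get-Service -Name wscsvc, WinDefend, VSS -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType | Format-Table -AutoSize
```

Any row flagged SUSPICIOUS deserves a look before it is trusted; an exclusion pointing into ProgramData or a user profile is unusual for legitimate software. Once an entry is confirmed to be bogus, `Remove-MpPreference -ExclusionPath <path>` (or `-ExclusionProcess`) removes it, after which a full scan can actually inspect that location. If the machine behaves as the post describes, running this from "Safe Mode with Networking" avoids the miner interfering with the session.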
-
Clémence Navarro
Archive seems to contain a crypto-miner (XMR) that is rather difficult to get rid of. It automatically installs once you decompress the archive. The built-in Windows anti-virus does not remove the virus/trojan/miner. The virus also blocks installation of tools such as Malwarebytes. It seems to enable the XMR miner at different times (when the computer is in standby). Considering the relative sophistication of the virus, I wouldn't be surprised if it gets enabled only for powerful CPUs. Proceed at your own risk!
-
solarpilot started following Maria Baungaard
-
Taylor Howard
Cheers!
-
Taylor Howard
Kindly re-up if anyone has the OG file.