No replies to this topic

[Metallica]

Content is republished with permission from Malwarebytes.

What is GoogleCrashHandlerws?

The Malwarebytes research team has determined that GoogleCrashHandlerws is a Monero miner. These miners are designed to earn cryptocurrency by using system resources.
This one joins the MinerCircle Monero Pool on behalf of someone else then the owner of the system.

How do I know if my computer is affected by GoogleCrashHandlerws?

You may see this level of CPU use by the miner:



and this type of vbs file in your list of programs to run at startup:



How did GoogleCrashHandlerws get on my computer?

Trojans use different methods for distributing themselves. This particular one was installed by a trojan.

How do I remove GoogleCrashHandlerws?

Our program Malwarebytes can detect and remove this miner.

• Please download Malwarebytes to your desktop.
• Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
• Then click Finish.
• Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
• If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
• When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
• Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of GoogleCrashHandlerws?

• After the reboot you can remove the vbs file that belonged to the Trojan from your list of startup programs.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this trojan.

As you can see below the full version of Malwarebytes would have protected you against the GoogleCrashHandlerws miner. It would have warned you before the trojan could install it, giving you a chance to stop it before it became too late.

Technical details for experts

Possible signs in FRST logs:

 () C:\Users\{username}\AppData\Local\Temp\chrome.exe
 HKCU\...\Run: [GoogleCrashHandlerws] => "%SystemRoot%\System32\WScript.exe" "C:\Users\{username}\AppData\Roaming\GoogleCrashHandler local files\start.vbs" "%1" %*
 Startup: C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleCrashHandlerws.vbs [2017-07-31] ()
 C:\Users\{username}\AppData\Roaming\GoogleCrashHandler local files

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
    Adds the folder C:\Users\{username}\AppData\Roaming\GoogleCrashHandler local files
       Adds the file GoogleCrashHandler.exe"="7/31/2017 8:41 AM, 4679368 bytes, A
       Adds the file readme.xml2.txt"="7/31/2017 10:51 AM, 19 bytes, A
       Adds the file readme.xml3.txt"="7/31/2017 10:51 AM, 22 bytes, A
       Adds the file start.vbs"="7/31/2017 10:51 AM, 444 bytes, A
    In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
       Adds the file GoogleCrashHandlerws.vbs"="7/31/2017 10:51 AM, 444 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
       "GoogleCrashHandlerws"="REG_EXPAND_SZ, ""%SystemRoot%\System32\WScript.exe" "C:\Users\{username}\AppData\Roaming\GoogleCrashHandler local files\start.vbs" "%1" %*"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 7/31/17
Scan Time: 11:03 AM
Log File: mbamBitcoinMinerTemp.txt
Administrator: Yes

-Software Information-
Version: 3.1.2.1733
Components Version: 1.0.160
Update Package Version: 1.0.2472
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 319808
Threats Detected: 4
Threats Quarantined: 4
Time Elapsed: 3 min, 37 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 1
PUP.Optional.BitCoinMiner, C:\USERS\{username}\APPDATA\LOCAL\TEMP\CHROME.EXE, Quarantined, [173], [421339],1.0.2472

Module: 1
PUP.Optional.BitCoinMiner, C:\USERS\{username}\APPDATA\LOCAL\TEMP\CHROME.EXE, Quarantined, [173], [421339],1.0.2472

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 2
PUP.Optional.BitCoinMiner, C:\USERS\{username}\APPDATA\LOCAL\TEMP\CHROME.EXE, Delete-on-Reboot, [173], [421339],1.0.2472
PUP.Optional.BitCoinMiner, C:\USERS\{username}\APPDATA\ROAMING\GOOGLECRASHHANDLER LOCAL FILES\GOOGLECRASHHANDLER.EXE, Delete-on-Reboot, [173], [421339],1.0.2472

Physical Sector: 0
(No malicious items detected)


(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):

• Dynamically Blocks Malware Sites & Servers
• Malware Execution Prevention

Save yourself the hassle and get protected.