SRSRoot is a Trojan Miner Monero Miner Bot - Here is how you remove it

in #bluehat, 6 years ago

This program promises to Root your Android device, but cannot if your device has the proper security updates. Which is good.

But if you downloaded this program and ran it, you are now infected with a monero mining bot! Congrats!! ... Sorry,

Ok so you run your favorite malware removal program and it gets rid of the Monero Miner... but magically, after a reboot, it's back.

So you run your favorite malware removal program AGAIN. This time you have a plan! I am only going over the highlights here; for specifics, Google will get you there. :)
Presumably, you are running some flavor of Windows 10.
So you create a new user for your computer. But you don't log out of the one you are in; you simply switch users, leaving your account that has Administrative access logged in.
The new account should be a standard (non-administrator) account. This prevents SRSRoot from doing a reach-around and making you think you got rid of it.
In your newly created user account, click on the Start button and type Task Manager, then right-click on the result with the subtitle "Desktop App" and select Run as administrator:

Grant the Program Administrative rights by using credentials from your other account:

and switch to the Details tab and look for the following programs:

controller.exe
getconfig.exe
nssm.exe (This program rocks by the way)

When you find them, you can end the task, and just wait a second or two... It will come right back!

"Foul!" you say?! Indeed. These applications restart because they are embedded into Windows 10 as a system service.
In fact, NSSM.exe actually stands for "Non-Sucking Service Manager" (I love it), and it is used to quickly and quietly add a system service to your PC when called from an application that you have installed and granted Administrative rights to run. (Remember, you were trying to root your phone? lol Well, you RootKit.Infected your PC! Good job.)

In fact, if you browse to C:\Program Files (x86)\SRSRoot you will find these files residing there, and NOT in C:\Windows\ or C:\Windows\System32.
Although you may find the files "System32.exe" and "System64.exe" in C:\Windows, which is where the workhorse gets put. Those are the renamed copies of the encapsulated Monero Miner, completely equipped with a conf.json file and everything! Yes, I found the payment address that this critter was paying to...

This part was fun to find - the config file is aptly named "conf4444.json" and here are the contents of the file!!!

{
  "av": 0,
  "background": true,
  "colors": true,
  "cpu-affinity": null,
  "cpu-priority": 1,
  "donate-level": 1,
  "log-file": null,
  "max-cpu-usage": 90,
  "print-time": 60,
  "retries": 3,
  "retry-pause": 5,
  "safe": false,
  "syslog": false,
  "threads": null,
  "pools": [
    {
      "url": "stratum+tcp://srs4444.123unlock.nl:4444",
      "user": "srsv5",
      "pass": "x",
      "keepalive": true,
      "nicehash": true,
      "keephash": true
    },
    {
      "url": "stratum+tcp://xmr-eu1.nanopool.org:14444",
      "user": "46eJw9phHi5ACj5oGMvPHS5eeBKc4HhWQHuRG6CFPyDbT5SHrFcMU22MXMpVnYSStyV25jLADKeo2Hi9QrDN5gmbNg4Jech.srsroot2/[email protected]",
      "pass": "x",
      "keepalive": true,
      "nicehash": true,
      "keephash": true
    },
    {
      "url": "stratum+tcp://xmr-eu2.nanopool.org:14444",
      "user": "46eJw9phHi5ACj5oGMvPHS5eeBKc4HhWQHuRG6CFPyDbT5SHrFcMU22MXMpVnYSStyV25jLADKeo2Hi9QrDN5gmbNg4Jech.srsroot2/[email protected]",
      "pass": "x",
      "keepalive": true,
      "nicehash": true,
      "keephash": true
    }
  ]
}

By now the author of this little guy is pissing his pants, because yes... I caught you, MotherF&&Ker! And guess where this little guy talks to???

soft.srsroot.com

Yup. Busted!

Okay, enough of that. Here is how you remove this bugger.

In your newly created user account, click on the Start button and type Task Manager, then right-click on the result with the subtitle "Desktop App" and select Run as administrator.
Grant the program Administrative rights by using credentials from your other account:

Then click on File\Run New Task.
Type in CMD, place a check next to "run as administrator" and click OK.
In the Command window, type in:

cd C:\Program Files (x86)\SRSRoot

and Press enter
Check the Folder contents by typing this:

dir

and Press enter

You should see some files in here, and one of them will be nssm.exe.
Okay. Keep this window open; you will come back to it. We now need to use the nssm.exe file to remove the system services that were installed. On my system they were called zm and zmu.

Go back to Task Manager and then click on File\Run New Task.
Type in "services.msc" without the quotes. In this window, sort the services by status ("Running"), then look at the end of the services list for items that begin with "Z", as this is likely where they will be listed. They will have no description, and if you look at the command line in the service properties, it will reflect the location the app is loading from as well as the executable it runs.

Note the name of the service, then go back to your Command prompt and run the following commands:

nssm stop zm
nssm stop zmu
nssm remove zm (Click on the OK button that pops up, this program has a GUI)
nssm remove zmu (Click on the Ok button again)

Okay. Now go to the Task Manager and end the processes in the Details tab labeled "Controller.exe" and "getconfig.exe".

Now you can have some fun!

Go back to the Command prompt and enter these commands:

ren *.exe *.ohHellNO
cd C:\Windows
ren controller.exe controller.ohHellNO
ren getconfig.exe getconfig.ohHellNO

and you will now have effectively disabled this Miner Bot.
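The indicator hunting above (the process names in the Details tab, the nssm-registered services, the dropped files in C:\Windows, and the pool list in conf4444.json) gathered into one read-only PowerShell triage script. This is an added example, not part of the original post; the paths and names are the ones the post reports, and because the service names zm/zmu were what this author's machine happened to get, the service check keys on the binary path (nssm.exe or the SRSRoot folder) rather than on those names.

```powershell
# Added triage script (not from the original post). Read-only: it reports
# SRSRoot indicators, it does not stop services or delete anything.
# Assumes Windows PowerShell 5.1+ (Get-CimInstance, ConvertFrom-Json available).

$srsDir    = 'C:\Program Files (x86)\SRSRoot'
$procNames = @('controller', 'getconfig', 'nssm', 'System32', 'System64')
$filePaths = @(
    "$srsDir\nssm.exe", "$srsDir\controller.exe", "$srsDir\getconfig.exe",
    'C:\Windows\System32.exe', 'C:\Windows\System64.exe',
    'C:\Windows\controller.exe', 'C:\Windows\getconfig.exe'
)
$findings = @()

# 1. Running processes with the names the post lists in the Details tab.
foreach ($p in Get-Process -Name $procNames -ErrorAction SilentlyContinue) {
    $findings += "PROCESS  pid=$($p.Id) name=$($p.ProcessName) path=$($p.Path)"
}

# 2. Services whose command line points at nssm.exe or into the SRSRoot folder
#    (this is the 'Path to executable' shown in the services.msc properties).
foreach ($s in Get-CimInstance -ClassName Win32_Service) {
    if ($s.PathName -match 'nssm\.exe' -or $s.PathName -like "*$srsDir*") {
        $findings += "SERVICE  name=$($s.Name) state=$($s.State) path=$($s.PathName)"
    }
}

# 3. Dropped files, including the renamed miner copies in C:\Windows.
foreach ($f in $filePaths) {
    if (Test-Path -LiteralPath $f) { $findings += "FILE     $f" }
}

# 4. Miner config: list the pools and accounts it would connect to
#    (conf4444.json in the post; any conf*.json in the two folders is checked).
foreach ($cfg in Get-ChildItem -Path $srsDir, 'C:\Windows' -Filter 'conf*.json' -ErrorAction SilentlyContinue) {
    try {
        $json = Get-Content -LiteralPath $cfg.FullName -Raw | ConvertFrom-Json
        foreach ($pool in $json.pools) {
            $findings += "POOL     $($cfg.FullName) -> $($pool.url) user=$($pool.user)"
        }
    } catch {
        $findings += "CONFIG   $($cfg.FullName) (could not parse: $_)"
    }
}

if ($findings.Count -eq 0) { 'No SRSRoot indicators found.' } else { $findings }
```

Run it from an elevated PowerShell (the same File\Run New Task trick works with "powershell" instead of CMD) before and after the removal steps, so you can confirm the services and files are really gone after the reboot.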

If you liked this, Share it, Post it, Tweet it, Caffeine me.... That was fun, lets do it again some time....(BlueHat)
