I installed Malwarebytes, and after I ran a scan on my Windows 7 OS I got these results:
Trojan.BitCoinMiner.E, C:\PROGRAMDATA\MICROSOFT WINDOWS STARTUP\WININIT.EXE, No Action By User, [209], [489316],1.0.4032
Trojan.BitCoinMiner.E, C:\PROGRAMDATA\MICROSOFT WINDOWS INIT\WININIT.EXE, No Action By User, [209], [489317],1.0.4032
Trojan.BitCoinMiner, C:\PROGRAMDATA\MICROSOFT WINDOWS\SYSTEM\WUAUCLT.EхE, No Action By User, [68], [487172],1.0.4032
Trojan.BitCoinMiner, C:\PROGRAMDATA\MICROSOFT WINDOWS NT\SERVICE\SPPSVC.EхE, No Action By User, [68], [487172],1.0.4032
Trojan.BitCoinMiner, C:\USERS\ANON\APPDATA\ROAMING\MICROSOFT\NETWORK\SYSTEM\WMIPRVSE.EхE, No Action By User, [68], [487172],1.0.4032
Trojan.MalPack, C:\USERS\ANON\APPDATA\ROAMING\MICROSOFT\SYSTEMCERTIFICATES\WININIT.EXE, No Action By User, [32], [487828],1.0.4032
Trojan.BitCoinMiner, C:\USERS\ANON\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\WINLOGON.EхE, No Action By User, [68], [487228],1.0.4032
Trojan.BitCoinMiner, C:\USERS\ANON\APPDATA\LOCAL\MICROSOFT\WINDOWS\EXPLORER\TASKMGR.EхE, No Action By User, [68], [487172],1.0.4032
Trojan.BitCoinMiner.E, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|WindowsSystem, No Action By User, [209], [489316],1.0.4032
Trojan.BitCoinMiner.E, HKU\S-1-5-21-3769621780-3217232507-1090172942-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Windows Startup, No Action By User, [209], [489317],1.0.4032
I have no idea how these malware files got on my PC. Did I download them through the browser, or did they get installed through other programs? Do I have to change my passwords for important online accounts? Is it possible that these malware files have sent sensitive information to a hacker? I will reinstall my Windows to be safe, but I want to find out how these files got on my PC.
Definitely change your passwords after any kind of malware detection; bitcoin miners might not be expected to steal passwords, but you can never be too careful.
Before you get too carried away, I'd check the MBAM forums. These may be false positives. I've seen MBAM totally hose computers after finding and removing 'malware' that turned out to be falsely labelled. I ran MBAM for years and all it ever found were my own system drivers. It is renowned for false positives, IMO. Check with an online scan or your own antivirus program. If it detects no malware, I'd wait until MBAM fixes their signature updates, then run it again to compare. https://forums.malwarebytes.com/forum/122-false-positives/
If the location of those files is indeed as reported, then it's most likely malware. Legit system files are not located in those locations, and malware often uses those locations and system file names to hide from malware protection software. I would also try to scan with some other on-demand scanners to find out if there are any other active infections.
Persistence is done from the following reg. keys to start the coin miner at boot time:
Trojan.BitCoinMiner.E, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|WindowsSystem, No Action By User, [209], [489316],1.0.4032
Trojan.BitCoinMiner.E, HKU\S-1-5-21-3769621780-3217232507-1090172942-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Windows Startup, No Action By User,
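Added example, not code from the thread or from Malwarebytes: a small Python check that applies the two points made above (system-file names sitting in the wrong directories, and Run-key persistence pointing at them) to constructed data modelled on the scan results. The Run-key command strings are assumptions, since the log shows only the value names.

```python
"""Flag well-known system-binary names living outside their legitimate Windows
directories, plus Run-key values that launch such binaries (constructed data)."""
import ntpath
# Windows binaries whose names the miner in the thread borrowed.
SYSTEM_BINARIES = {"wininit.exe", "wuauclt.exe", "sppsvc.exe",
                   "wmiprvse.exe", "winlogon.exe", "taskmgr.exe"}
# Legitimate homes on Windows 7; the prefix test also covers System32\wbem.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def is_masquerading(path):
    """True if a system-binary name sits outside TRUSTED_DIRS, or if the file
    name hides non-ASCII look-alike letters (e.g. a Cyrillic x in '.exe')."""
    p = path.lower()
    name = ntpath.basename(p)
    if not name.isascii():
        return True
    if name not in SYSTEM_BINARIES:
        return False
    return not p.startswith(TRUSTED_DIRS)

def flagged_paths(log_lines):
    """Paths from 'Threat, Path, Action, ...' scan lines that masquerade."""
    paths = [line.split(",")[1].strip() for line in log_lines]
    return [p for p in paths if is_masquerading(p)]

def _exe_from_command(command):
    """Executable from a Run-key command; an unquoted path may contain spaces,
    so cut at the first '.exe' rather than at the first space."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    low = cmd.lower()
    return cmd[:low.index(".exe") + 4] if ".exe" in low else cmd.split(" ", 1)[0]

def suspicious_run_values(run_values):
    """Value names whose command launches a masquerading binary."""
    return [n for n, c in run_values.items() if is_masquerading(_exe_from_command(c))]

# Constructed samples: two scan lines from the thread (the second keeps the
# Cyrillic x of the original listing) and Run values modelled on the two
# registry hits; the command strings are assumptions (the log shows only names).
SAMPLE_LOG = [
    r"Trojan.BitCoinMiner.E, C:\PROGRAMDATA\MICROSOFT WINDOWS STARTUP\WININIT.EXE, No Action By User, [209], [489316],1.0.4032",
    "Trojan.BitCoinMiner, C:\\PROGRAMDATA\\MICROSOFT WINDOWS\\SYSTEM\\WUAUCLT.E\u0445E, No Action By User, [68], [487172],1.0.4032",
]
SAMPLE_RUN_VALUES = {
    "WindowsSystem": r'"C:\ProgramData\Microsoft Windows Startup\wininit.exe"',
    "Windows Startup": r"C:\ProgramData\Microsoft Windows Init\wininit.exe",
    "TaskMgr": r"C:\Windows\System32\taskmgr.exe /7",  # legitimate, not flagged
}
if __name__ == "__main__":
    print(flagged_paths(SAMPLE_LOG), suspicious_run_values(SAMPLE_RUN_VALUES))
```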
Of note is that what appears to be a legit software download can contain a coin miner. Way back in 2013 this outfit was doing just that, and it was for all purposes legal, since it disclosed it was installing a coin miner in the EULA: https://www.pcworld.com/article/206...ing-zombie-and-owns-up-to-it-in-the-eula.html
I reinstalled my Windows 7, so I hope everything on my hard drive is malware-free now. By the way, what are the best on-demand online scanners, and how good are they?
For on-demand scanning I use Emsisoft Emergency Kit, Avira PC-Cleaner, HitmanPro and Kaspersky Virus Removal Tool. They help when cleaning infected systems, but none of them finds everything. So I usually use more than one when cleaning.
Kaspersky has a great article on this issue. It appears "cracked" software downloading is the primary method, just like it is for adware and other pest-ware: https://www.kaspersky.com/blog/hidden-miners-botnet-threat/18488/
I really love this particular malware, as it is exceptionally insidious. The blurb by Kaspersky does not do it nearly enough justice. In addition to dropping a couple of hidden system files, it will play in a most clever way with Windows Services: it will start a Service which will create another one (not readily apparent), then delete the initial one, leaving a system that only SEEMS pristine. The cool thing is that the miner itself is quite compact and can be just piggybacked onto (instead of woven into) stuff like Cracks, Keygens, and even legit applications; Ophelia can do it in less than 30 seconds, and she is only a two-paw typist. (PS: Thanks for your posts, ITMan! You are always a first read for me!)
You're welcome, CS. For those who want more details on the particular coin miner referred to by Kaspersky, here's the link: https://securelist.com/miners-on-the-rise/81706/
Not that I would EVER think to correct Kaspersky (but I will anyway)... For the most prevalent type of this miner, a Service (DhcF) will initially be created. This will install and set up the malware for persistence by creating a false Security Accounts Manager service. The original DhcF service will then delete itself on reboot, giving way to the new service. The files that are dropped into the Windows directory are Hidden System files and are not readily apparent. Personally, I would throttle down the miner to about 40% of CPU use instead of the 90% that it currently uses, but that's just me (being a kind and gentle person).
What real-time Security Software are you using on your machine? It looks like it's time to make some improvements. If you got the infection from a crack, keygen, or any trojan hiding in legitimate software, then it can be hard for Security Softs to stop that. Prevention is always better than the cure. edited: 2/22 @ 3:52 pm
CE: As I use CF, the malware would just be blown off, whether woven into code or piggybacked onto it. But for those using traditional protection (AV), a zero-day sample (which is what I analyzed this morning, it being a few hours since release) would infect the system. M