Security concerns after Malwarebytes scan

Discussion in 'malware problems & news' started by Peter4667, Feb 21, 2018.

  1. Peter4667

    Peter4667 Registered Member

    Joined:
    May 31, 2013
    Posts:
    47
    I installed Malwarebytes and after I ran a scan on my Windows 7 OS I got these results:

    Trojan.BitCoinMiner.E, C:\PROGRAMDATA\MICROSOFT WINDOWS STARTUP\WININIT.EXE, No Action By User, [209], [489316],1.0.4032
    Trojan.BitCoinMiner.E, C:\PROGRAMDATA\MICROSOFT WINDOWS INIT\WININIT.EXE, No Action By User, [209], [489317],1.0.4032
    Trojan.BitCoinMiner, C:\PROGRAMDATA\MICROSOFT WINDOWS\SYSTEM\WUAUCLT.EхE, No Action By User, [68], [487172],1.0.4032
    Trojan.BitCoinMiner, C:\PROGRAMDATA\MICROSOFT WINDOWS NT\SERVICE\SPPSVC.EхE, No Action By User, [68], [487172],1.0.4032
    Trojan.BitCoinMiner, C:\USERS\ANON\APPDATA\ROAMING\MICROSOFT\NETWORK\SYSTEM\WMIPRVSE.EхE, No Action By User, [68], [487172],1.0.4032
    Trojan.MalPack, C:\USERS\ANON\APPDATA\ROAMING\MICROSOFT\SYSTEMCERTIFICATES\WININIT.EXE, No Action By User, [32], [487828],1.0.4032
    Trojan.BitCoinMiner, C:\USERS\ANON\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\WINLOGON.EхE, No Action By User, [68], [487228],1.0.4032
    Trojan.BitCoinMiner, C:\USERS\ANON\APPDATA\LOCAL\MICROSOFT\WINDOWS\EXPLORER\TASKMGR.EхE, No Action By User, [68], [487172],1.0.4032
    Trojan.BitCoinMiner.E, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|WindowsSystem, No Action By User, [209], [489316],1.0.4032
    Trojan.BitCoinMiner.E, HKU\S-1-5-21-3769621780-3217232507-1090172942-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Windows Startup, No Action By User, [209], [489317],1.0.4032

    I don't have any idea how these malware files got on my PC. Did I download them through the browser, or did they get installed through other programs? Do I have to change my passwords for important online accounts? Is it possible that these malware files have sent sensitive information to a hacker? I will reinstall my Windows to be safe, but I want to find out how these files got on my PC.
     
  2. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Definitely change your passwords after any kind of malware detection; bitcoin miners might not be expected to steal passwords, but you can never be too careful.
     
  3. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    9,659
    Location:
    Lloegyr
    Before you get too carried away I'd check the MBAM forums. These may be false positives. I've seen MBAM totally hose computers after finding and removing 'malware' that turned out to be falsely labelled. I ran MBAM for years and all it ever found were my own system drivers. It is renowned for false positives IMO. Check with an online scan or your own antivirus program. If it detects no malware, I'd wait until MBAM fixes their signature updates, then run it again to compare.

    https://forums.malwarebytes.com/forum/122-false-positives/
     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,449
    Location:
    Slovenia
    If the location of those files is indeed as reported, then it's most likely malware. Legitimate system files are not located in those locations, and malware often uses those locations and system file names to hide from malware protection software. I would also try to scan with some other on-demand scanners to find out if there are any other active infections.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    http://blogs.quickheal.com/detect-remove-bitcoin-miner-malware/
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    Persistence is done from the following reg. keys to start the coin miner at boot time:

    Trojan.BitCoinMiner.E, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|WindowsSystem, No Action By User, [209], [489316],1.0.4032
    Trojan.BitCoinMiner.E, HKU\S-1-5-21-3769621780-3217232507-1090172942-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Windows Startup, No Action By User,
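    As an added example (not from this thread, Malwarebytes or any poster), a small Python triage script that applies the checks from posts 4 and 6 to the scan lines quoted in post 1: a well-known system binary name sitting outside System32/SysWOW64, a non-ASCII character in the file name (the "EхE" entries), and an entry under a Run key. The list of impersonated binaries and the directory prefixes are assumptions chosen for these lines.

```python
from typing import Dict, List

# Constructed sample input: four of the Malwarebytes lines quoted in post 1.
SCAN_LINES = r"""
Trojan.BitCoinMiner.E, C:\PROGRAMDATA\MICROSOFT WINDOWS STARTUP\WININIT.EXE, No Action By User, [209], [489316],1.0.4032
Trojan.BitCoinMiner, C:\PROGRAMDATA\MICROSOFT WINDOWS\SYSTEM\WUAUCLT.EхE, No Action By User, [68], [487172],1.0.4032
Trojan.BitCoinMiner, C:\USERS\ANON\APPDATA\ROAMING\MICROSOFT\NETWORK\SYSTEM\WMIPRVSE.EхE, No Action By User, [68], [487172],1.0.4032
Trojan.BitCoinMiner.E, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|WindowsSystem, No Action By User, [209], [489316],1.0.4032
""".strip().splitlines()

# Assumed list: real Windows binaries whose names the dropped files borrow.
SYSTEM_STEMS = {"wininit", "winlogon", "wuauclt", "sppsvc", "wmiprvse", "taskmgr"}
# Assumed prefixes where those binaries legitimately live (wmiprvse.exe is in System32\wbem).
WINDOWS_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
AUTORUN_KEY = r"\software\microsoft\windows\currentversion\run"

def parse_line(line: str) -> Dict[str, str]:
    """Split one 'Detection, Target, Action, ...' scan line into named fields."""
    parts = [p.strip() for p in line.split(",")]
    return {"detection": parts[0], "target": parts[1], "action": parts[2]}

def assess(target: str) -> List[str]:
    """Return the reasons a target looks like real malware rather than a false positive."""
    reasons = []
    lower = target.lower()
    if "|" in target:                      # registry value written as KEY|ValueName
        key = target.split("|", 1)[0].lower()
        if AUTORUN_KEY in key:
            reasons.append("autorun Run key (persistence at logon)")
        return reasons
    name = lower.rsplit("\\", 1)[-1]       # file name component of the path
    if any(ord(c) > 127 for c in name):
        reasons.append("non-ASCII character in file name (possible homoglyph)")
    stem = name.split(".", 1)[0]
    if stem in SYSTEM_STEMS and not lower.startswith(WINDOWS_DIRS):
        reasons.append(f"system binary name '{stem}' outside System32/SysWOW64")
    return reasons

def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Annotate every scan line with the reasons it should be treated as genuine."""
    out = []
    for line in lines:
        rec = parse_line(line)
        rec["reasons"] = assess(rec["target"])
        out.append(rec)
    return out

if __name__ == "__main__":
    for rec in triage(SCAN_LINES):
        print(rec["detection"], "->", "; ".join(rec["reasons"]) or "no flag")
```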
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    Of note is that what appears to be a legit software download can contain a coin miner. Way back in 2013 this outfit was doing just that. And it was for all purposes legal since it disclosed it was installing a coin miner in the EULA:
    https://www.pcworld.com/article/206...ing-zombie-and-owns-up-to-it-in-the-eula.html
     
  8. Peter4667

    Peter4667 Registered Member

    Joined:
    May 31, 2013
    Posts:
    47
    I reinstalled my Windows 7, so I hope everything on my hard drive is malware-free now. By the way, what are the best on-demand online scanners and how good are they?
     
  9. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,449
    Location:
    Slovenia
    For on-demand scanning I use Emsisoft Emergency Kit, Avira PC-Cleaner, HitmanPro and Kaspersky Virus Removal Tool. They help when cleaning infected systems, but none of them finds all. So I usually use more than one when cleaning.
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    Kaspersky has a great article on this issue. Appears "cracked" software downloading is the primary method; just like it is for adware and other pest-ware:
    https://www.kaspersky.com/blog/hidden-miners-botnet-threat/18488/
     
  11. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,519
    Location:
    Paris
    I really love this particular malware as it is exceptionally insidious. The blurb by Kaspersky does not do it near enough justice. In addition to dropping a couple of hidden system files, it will play in a most clever way with Windows Services: it will start a Service which will create another one (not readily apparent), then delete the initial one, leaving a system that only SEEMS pristine.

    The cool thing is that the miner itself is quite compact and can be just piggybacked onto (instead of woven into) stuff like Cracks, Keygens, and even legit applications; Ophelia can do it in less than 30 seconds and she is only a two-paw typist.

    (ps- Thanks for your posts, ITMan! You are always a first read for me!)
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    You're welcome, CS.

    For those who want more details on the particular coin miner referred to by Kaspersky, here's the link: https://securelist.com/miners-on-the-rise/81706/
     
  13. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,519
    Location:
    Paris
    Not that I would EVER think to correct Kaspersky (but I will anyway)...

    For the most prevalent type of this miner a Service (DhcF) will be initially created. This will install and setup the malware for persistence by creating a false Security Accounts Manager service. The original DhcF service will then delete itself on reboot, giving way to the new service. The files that are dropped into the Windows directory are Hidden System files and are not readily apparent.

    Personally I would throttle down the miner to about 40% of CPU use instead of the 90% that it currently uses, but that's just me (being a kind and gentle person).
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,653
    Location:
    USA
    What real-time Security Software are you using on your machine? It looks like it's time to make some improvements. If you got the infection from a crack, keygen, or any trojan hiding in legitimate software then it can be hard for Security Softs to stop that. Prevention is always better than the cure.

    edited: 2/22 @ 3:52 pm
     
  15. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,519
    Location:
    Paris
    CE- As I use CF the malware would just be blown off, whether woven into code or piggybacked onto it. But for those using traditional protection (AV), a zero-day sample (which is what I analyzed this morning, it being a few hours since release) would infect the system.

    M
     