Coin mining malware

Discussion in 'The Computer Room - Computer Talk' started by Reedone816, Mar 8, 2018.

  1. Reedone816

    Reedone816 Blue Belt

    I have a Windows 10 notebook.
    It was infected with various malware; I cleaned it using Malwarebytes and ESET AV.
    But one remains: the coin-mining malware that attaches itself to explorer.exe.
    ESET is able to stop its process, but after a while the process tries again.
    I tried a full scan but nothing was found.
    Tried multiple live scanners but no result.
    Anyone have advice?

  2. Dirty Dog

    Dirty Dog MT Senior Moderator Staff Member

    Backup data files only. Reformat. Clean install.
    I don't want to start an OS war (though I might), but your best option would be to ditch windoze entirely. It's bloated, slow, unstable, incredibly easy to hack, and massively invasive of your privacy.
    Personally, I'd recommend one of the various flavors of Linux. Linux is free, fast, stable, generally more secure, and because it's open source your privacy is assured. And unlike Windoze, it's a true multi-threaded multi-tasking OS, not a shell running over 1980s-era MS-DOS that emulates multi-threading and multi-tasking (which is a big part of its instability). You will never see the BSOD or the interminable "Updating" screen with Linux.
    Linux Mint is popular with people switching from MicroSloth, because it has a similar 'feel' but Ubuntu (which is what I primarily use) and Arch are also very popular. I also like Kali, but that's more oriented towards security testing and hacking so it's not for everyone.
  3. Xue Sheng

    Xue Sheng All weight is underside

    Panda Cloud Cleaner

    HitMan Pro

    TrendMicro Housecall
     
  4. Buka

    Buka Grandmaster

    I'm with Dirty Dog. Linux rocks.
  5. Xue Sheng

    Xue Sheng All weight is underside

    I too like Linux; I used to run a Linux box for AV and security. But it is not necessarily more secure, it is just not as popular in an enterprise setting; it still should be running antivirus and security software. Also, not all revs of Linux are created equal. For enterprise, always go Red Hat; it is not free and it is more secure. But the freeware version of that is CentOS. That is a rather good version of Linux.
     
  6. JowGaWolf

    JowGaWolf Grandmaster

    This particular pain the
    Not sure if this will help you, but it helped me. In my case it was attached to the Google Chrome browser and would reinstall when Google Chrome was opened. To solve it, save any bookmarks you want to keep and do the following:
    1. Uninstall Google Chrome.
    2. Run your antivirus and your Malwarebytes software. Doing this will get rid of any leftover registry information that was used for Google Chrome.
    3. Reinstall the updated version of Google Chrome.

    This should get rid of it. If you research coin mining and Google, you will come across discussions and articles about this issue. The problem isn't a Windows 10 problem. The problem is a Google Chrome problem. As of January 2018, Google Chrome has fixed the problem, but that new fix is only going to work with new installs, which is why you have to uninstall and then reinstall it.

    Just make sure you run your Malwarebytes software after you uninstall, because if the old registry stuff is still in the system, then you most likely won't get rid of the issue.
     
  7. Martial D

    Martial D Senior Master

    Man, I remember spending like 16 hours trying to set up Red Hat 2.0. When the X system finally booted (after many, many failed compiles and recompiles) I felt like I had just summited Everest.

    I didn't even care that my sound wasn't happening.

    That was of course many moons ago. These days Linux installs (at least most of them) are as easy as taking a piss.
     
  8. Reedone816

    Reedone816 Blue Belt

    Thank you all for the advice.
    As for Linux, I'm in dual mode now; I've been using OracleOS for a while.
    The Windows one is for work purposes.

    As for the scanners, I'd used HitMan and Panda; I'll try the TrendMicro one.

    And for the last one, I'm afraid it's much trickier than that since it's attaching to the explorer.exe process. Can't uninstall that.
    But nonetheless I'll try to uninstall my Chrome first.

    Anyway, somehow after reading the replies, it reminds me of the firewall, so in case I'm unable to clean it, at least I'll prevent it from leaving my computer.

  9. JowGaWolf

    JowGaWolf Grandmaster

    For some reason I want to say that at first look it appears that the issue is with the explorer.exe process, but in reality it's Google Chrome. My wife was able to run Malwarebytes, which would get it, but every time she started her computer it would come back. So what I did was two scans. I cleaned the computer using Malwarebytes, then restarted the computer, and then scanned the computer immediately after the restart (I didn't open any other application). The scan came up clean, so I knew that the issue wasn't with explorer.exe. Next I pretty much followed the next step of what my wife does, which is to open a browser. I opened up Google Chrome, did another scan, and Malwarebytes found the coin miner again.
  10. Dirty Dog

    Dirty Dog MT Senior Moderator Staff Member

    This could be argued forever (and is...). I'll just say this. I am not a professional, but I've been using and coding in Unix since your only options were BSD and SunOS. And I've done more than a little testing of security on various versions. So I'll just say this. If I can social engineer physical access to your unlocked *nix box, it takes all of 12 seconds to have remote shell access on your account, without needing a password. I will get your password, too, of course, but I don't need it to have a shell. I can do the same thing to your Windoze box, but it doesn't even have to be unlocked, or even have anybody logged on. And I'll get not only your user account, I'll get your browser history, including online passwords. I can get a lot more info out of a Windoze box with a lot less time and effort. That's why I think it's less secure.
    Sure, putting in a BEEF hook is the same on either, since they run ported versions of the same browsers.
    And it's super easy to get a Windoze user to sit there and do nothing for as long as you need, while you're installing and running tons of stuff behind it. The first part of your script just calls iexplore to send them HERE, and with the -k option it makes it full screen. Windows users are trained to sit there and let this run. So then your script grabs alllllll kinds of stuff to install in the background, while the user sits.
     
  11. Reedone816

    Reedone816 Blue Belt

    Yup, it seems this works.
    I uninstalled my old Chrome, and the warning popup for coin mining malware no longer appears.
    Thanks a lot...

  12. Xue Sheng

    Xue Sheng All weight is underside

    And I have a Knoppix disk (and flash drive) that will own your PC, or any other, in seconds, don't care what OS you run...that is, unless you secure it properly and most don't, not even Linux users.

    I am not going to argue anything; I know better than to argue security with those committed to Linux or Mac.... but professionally speaking, I stand by my original post.
     
  13. pdg

    pdg Senior Master

    Not to argue... ;)

    Can someone use that disc to 'own' my computer (running whatever OS) here in England while they're sat in their mum's basement in the US?
     
  14. Dirty Dog

    Dirty Dog MT Senior Moderator Staff Member

    No, but there are other ways to do it remotely. It's just easier if you can get physical access for just a few seconds. That's not at all difficult, for most business computers. "I'm here for a meeting, but I forgot to print out some documents I need. Can you print the papers on this USB drive for me?" It takes a LOT longer to print those documents than it does for the script I've also put on the device to run.
    Without physical access, you use things like MitM attacks, BEEF hooks, captive portals, packet sniffers and such. You'll still get there; it just takes more time and effort.
    And I'm on the second floor of my own home, not my mum's basement. :)
     
  15. pdg

    pdg Senior Master

    My point really was that if you have access to insert a disc the security requirements are different.

    Out of the box, with no extra effort to 'secure', *nix beats ios beats doze from a remote access standpoint.

    And, securing a machine against a bootable disc (round or usb) is OS independent.

    If you can socially engineer access (click here for nudes), that's a whole lot easier than brute force entry too...
     
  16. JowGaWolf

    JowGaWolf Grandmaster

    Glad it solved your problem. It's unfortunate that Google caused this problem, as the coin mining malware was part of their browser install. Hopefully in the future they will focus more on security than on being trendy.
     
  17. Xue Sheng

    Xue Sheng All weight is underside

    Got an e-mail address? Do you look at your e-mail on your computer? Then yes. It's called phishing:
    all you need to do is click the link in the e-mail that was socially engineered to get you to open it.

    Do you peruse the web? Do you get surprise popups about viruses or free offers? Do you click yes, or no, or scroll across the popup with your cursor? Then yes.
     
  18. Xue Sheng

    Xue Sheng All weight is underside

    Yes, it is OS independent; it is done in the BIOS, and it can also be a GPO.

    Knoppix is an OS on a disk that is Linux based. And you would need physical access to the box, or remote access rights.
     
  19. Dirty Dog

    Dirty Dog MT Senior Moderator Staff Member

    Agreed. In my experience (which is certainly less extensive than yours), most people's security is what is set out of the box. And 'out of the box', I think Linux (at least the distros I use) is more secure. Those who tweak things (on any OS) can make it harder, but nothing connected is unhackable, given enough time and commitment.
    Even systems that are geared towards security. A buddy at work runs Parrot, which he thought was more secure. I plugged in. Owned. He was able to stop me eventually, but he was doing things that required foreknowledge of exactly how the script worked; i.e. he changed perms on a directory I was using to store a loot file to read only. So I changed to a different directory. Or I had the loot emailed to me at a throw-away gmail account.
    Ultimately, he created a USB whitelist. That works, sure. And it's fine on a single user system. But as an enterprise solution, it's awfully cumbersome; nobody can throw work on a USB drive to take home, unless they come get a special one from you. Which they will inevitably lose anyway. Nor can they look at some PowerPoints from a seminar I went to.
    The tighter your security, the more difficult it becomes to actually use the computer. It's a trade off.
     
    Last edited: Mar 9, 2018
  20. pdg

    pdg Senior Master

    Those aren't really using your Knoppix USB drive to 'own' my PC though ;)

    Although, your message has made me think...

    Is there a possibility that the Nigerian prince who sent me an email asking for help to move his money wasn't genuine?

    What about the one I got that said "we am from you bank council of english in america, needed your password confirm with here clicking" - surely that was genuine?