
DeepHour
Veteran

Joined: 1 Jun 2014
Gender: Male
Posts: 35,718
Location: United Kingdom

01 Jul 2018, 1:13 pm

I'm wondering whether anyone here has any experience or knowledge of the above.

I scan my main laptop with Malwarebytes once a week or so, and in recent months it has always revealed the presence of one or two bitcoin mining malware items. It's difficult to pin down how they get into the system - I don't use this machine to visit any obviously dubious or fringy sites, and Malwarebytes doesn't specify their origin.

Also Malwarebytes doesn't seem to give the full location of the mining malware (see screenshot - magnification needed).

On the most recent scan, the number of mining malware items shot up to nine. This came on the same day I installed 'Secure File Deleter 6', so perhaps that ought to be a suspect?

Any views most welcome. :)

[Screenshot: Malwarebytes scan results]


_________________
On a mountain range
I'm Doctor Strange


B19
Forum Moderator

Joined: 11 Jan 2013
Gender: Female
Posts: 9,448
Location: New Zealand

01 Jul 2018, 7:42 pm

Earlier this year, Windows Defender found something that was highly suspicious during a check on my computer and put it into quarantine. I sent HitmanPro the coded description of the quarantined material and asked them to identify and explain what it actually was. They said that it was similar to what they had recently started to see in relation to Bitcoin malware, though at that stage they could not say for sure, as it was different to what they usually see.

Like you, I am fairly prudent in not visiting Bitcoin, adult or other sites that are known as likely malware propagators.

In the past I have run the HMP scan about once a week though I think I will change this to every day. I have also developed the habit recently of more frequently shutting down and restarting my computer.



DeepHour
Veteran

Joined: 1 Jun 2014
Gender: Male
Posts: 35,718
Location: United Kingdom

02 Jul 2018, 4:39 pm

Thanks, I might give Hitman Pro a try sometime!

Just looking at the Malwarebytes scan report, it does in fact give the exact locations of the malware it found, though it doesn't really mean a lot to me. The mention of the Registry being involved seems a bit sinister though, and I also wonder what is meant by the repeatedly used phrase 'No Action By User'. Here are the 'highlights':


Process: 1
RiskWare.BitCoinMiner, C:\PROGRAM FILES (X86)\BRTSVC\BRTSVC.EXE, No Action By User, [918], [535269],1.0.5715

Module: 1
RiskWare.BitCoinMiner, C:\PROGRAM FILES (X86)\BRTSVC\BRTSVC.EXE, No Action By User, [918], [535269],1.0.5715

Registry Key: 3
RiskWare.BitCoinMiner, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\BlockchainResearchToolsSvc, No Action By User, [918], [535269],1.0.5715
RiskWare.BitCoinMiner, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{C845E661-8839-471E-9419-4EB68DE83990}, No Action By User, [918], [535269],1.0.5715
RiskWare.BitCoinMiner, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\BOOT\{C845E661-8839-471E-9419-4EB68DE83990}, No Action By User, [918], [535269],1.0.5715

File: 4
RiskWare.BitCoinMiner, C:\WINDOWS\SYSTEM32\TASKS\BlockchainResearchToolsSvc, No Action By User, [918], [535269],1.0.5715
RiskWare.BitCoinMiner, C:\PROGRAM FILES (X86)\BRTSVC\BRTSVC.EXE, No Action By User, [918], [535269],1.0.5715
RiskWare.BitCoinMiner, C:\WINDOWS\TEMP\TMP98B1.TMP.EXE, No Action By User, [918], [508940],1.0.5715
RiskWare.BitCoinMiner, C:\WINDOWS\TEMP\TMPE402.TMP.EXE, No Action By User, [918], [508940],1.0.5715

Maybe someone here understands what this stuff means, and could explain it to me?


It seems to me that if this issue keeps returning, there are two main options:

a) Keep doing regular scans, and remove any malware 'as and when'. Possibly experiment with other antivirus and anti-malware programs as well.

b) A more radical solution would be a 'factory reset' or even a full, clean reinstall of Windows 8.1. A real issue here seems to be that if I used some sort of 'system image' to restore my files and programs, some of the dodgy malware could well be hiding in there and still be a problem. The only real option then would be a clean reinstall, then adding files and programs from scratch, not to mention all the updates - doing it that way would be a real pain, and it would take weeks or even months to get the system back to its full previous working state.

Think I'll stick with the first option for now.....

Oh, I almost forgot, Google Chrome has a couple of apparently well regarded extensions which are supposed to be able to block crypto mining malware. I've tried both of them ('Miner Block' and 'No Coin'), but they have appeared to be completely ineffective.


_________________
On a mountain range
I'm Doctor Strange
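An added example (editor's code, not from the thread or from Malwarebytes) that parses lines in the report layout quoted above and separates the Task Scheduler entries (the TaskCache registry keys and the System32\Tasks file, which is how a scheduled task re-launches a binary without anyone clicking it) from the copies dropped in the temp folder. The sample lines, and the assumption that the action column reads "Quarantined" when an item was actually removed, are constructed for the example.

```python
import re

# Constructed sample in the layout of the Malwarebytes report quoted above (not the poster's full log).
SAMPLE_REPORT = r"""
Process: 1
RiskWare.BitCoinMiner, C:\PROGRAM FILES (X86)\BRTSVC\BRTSVC.EXE, No Action By User, [918], [535269],1.0.5715

Registry Key: 2
RiskWare.BitCoinMiner, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\BlockchainResearchToolsSvc, No Action By User, [918], [535269],1.0.5715
RiskWare.BitCoinMiner, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{C845E661-8839-471E-9419-4EB68DE83990}, No Action By User, [918], [535269],1.0.5715

File: 3
RiskWare.BitCoinMiner, C:\WINDOWS\SYSTEM32\TASKS\BlockchainResearchToolsSvc, Quarantined, [918], [535269],1.0.5715
RiskWare.BitCoinMiner, C:\WINDOWS\TEMP\TMP98B1.TMP.EXE, No Action By User, [918], [508940],1.0.5715
RiskWare.BitCoinMiner, C:\WINDOWS\TEMP\TMPE402.TMP.EXE, No Action By User, [918], [508940],1.0.5715
"""

HEADER_RE = re.compile(r"^(?P<category>[A-Za-z ]+): (?P<count>\d+)$")
ENTRY_RE = re.compile(
    r"^(?P<threat>[^,]+), (?P<location>.+?), (?P<action>[^,]+), "
    r"\[(?P<det_id>\d+)\], \[(?P<sig_id>\d+)\],(?P<version>\S+)$")
# Paths that hold Task Scheduler definitions: a task there re-runs the binary on its trigger
TASK_MARKERS = ("\\SCHEDULE\\TASKCACHE\\", "\\SYSTEM32\\TASKS\\")

def parse_report(text):
    """Split the report into entry dicts, each tagged with the category header above it."""
    entries, category = [], None
    for line in text.splitlines():
        line = line.strip()
        if (h := HEADER_RE.match(line)):
            category = h.group("category")
        elif (m := ENTRY_RE.match(line)):
            entries.append({"category": category, **m.groupdict()})
    return entries

def is_scheduled_task(entry):
    return any(marker in entry["location"].upper() for marker in TASK_MARKERS)

def summarize(entries):
    """Count what the scan did not quarantine, and list the persistence and drop artifacts."""
    unhandled = [e for e in entries if e["action"] != "Quarantined"]  # assumed action wording
    tasks = sorted({e["location"].rsplit("\\", 1)[-1] for e in entries if is_scheduled_task(e)})
    temp_drops = sorted(e["location"] for e in entries if "\\TEMP\\" in e["location"].upper())
    return {"total": len(entries), "unhandled": len(unhandled),
            "task_artifacts": tasks, "temp_drops": temp_drops,
            "persistence_left": any(is_scheduled_task(e) for e in unhandled)}

if __name__ == "__main__":
    print(summarize(parse_report(SAMPLE_REPORT)))
```

If `persistence_left` is true after a scan, the task definition that restarts the miner is still registered, which is worth checking before concluding the machine was reinfected from outside.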


Benfold
Butterfly

Joined: 5 Aug 2018
Posts: 11
Location: Italy

08 Feb 2019, 6:17 am

How do you get the updates at different cryptos at a time? I have been using a tool to get all the latest news and updates. I don't need to visit every single website right now. I can get them all in one place. H



Last edited by B19 on 14 Nov 2019, 8:36 pm, edited 1 time in total.: spammer