Bitcoin miner

[Arik 5]

Hello!

I'm a guy that my systems who are running ESET products are mostly generaly clean.

But, I suspect that on my main machine which I do gaming etc I got an bitcoin miner little virus

That everytime I open boot up my computer It's running and taking ALL the CPU usage.

By the proccss called "Attribuite Utillty"

I know where the file Is at and I cannot delete It.

I've tried to perform a full scan with EIS 11 couple of times.

But It doesn't manage to detect any threats

Please from anyone who can help me solve this problem, It will mean alot to me!

This only happend recently when I downloaded something for a game and let's say It was my fault getting this thing.

 

[itman 1,659]

As far as Attribute Utility goes: https://www.file.net/process/attrib.exe.html

Also you are not alone on this issue: https://www.reddit.com/r/Windows10/comments/6bhmgk/high_cpu_usage_from_attribute_utility_process_and/

Looks like it might be Minergate related: https://linustechtips.com/main/topic/831791-what-is-attribexe-and-why-is-it-running-in-the-background/ . Note deleting attrib.exe will have adverse effects on your system as noted in this linked article. I would submit it to VirusTotal and see if anything found there before doing anything drastic with it.

Make sure Eset's PUA detection is enabled and run a full Eset scan in admin mode. 

Edited January 6, 2018 by itman

[Arik 5]

13 minutes ago, itman said:

As far as Attribute Utility goes: https://www.file.net/process/attrib.exe.html

Also you are not alone on this issue: https://www.reddit.com/r/Windows10/comments/6bhmgk/high_cpu_usage_from_attribute_utility_process_and/

Looks like it might be Minergate related: https://linustechtips.com/main/topic/831791-what-is-attribexe-and-why-is-it-running-in-the-background/ . Note deleting attrib.exe will have adverse effects on your system as noted in this linked article. I would submit it to VirusTotal and see if anything found there before doing anything drastic with it.

Make sure Eset's PUA detection is enabled and run a full Eset scan in admin mode. 

Yes, Eset's PUA detection Is enabled and I'm currently running a full ESET scan In admin mode.

I'm hoping for this to be removed

[itman 1,659]

If Eset's scan doesn't find anything, run the following from an admin level command prompt window;

sfc /scannow

This will verify that all your Win system files are correct and haven't been tampered with.

[Arik 5]

1 minute ago, itman said:

If Eset's scan doesn't find anything, run the following from an admin level command prompt window;

sfc /scannow

This will verify that all your Win system files are correct and haven't been tampered with.

Thank you for your help!

I will update you If eset's scan finds something and If not I will do as you requested.

[Arik 5]

I did the steps you have told me.

Nothing helps as after I boot up my PC attribuite utillty Is on again.

[Marcos 5,070]

Please locate the executable "Attribuite Utillty.exe" and upload it to www.virustotal.com to find out if some other vendors detect it.

[Arik 5]

Just now, Marcos said:

Please locate the executable "Attribuite Utillty.exe" and upload it to www.virustotal.com to find out if some other vendors detect it.

Yes, I have done that already and for some reason no other vendors detected It.

I don't know what to do now

[itman 1,659]

Do the following.

First, create an Eset firewall rule to block outbound traffic from C:\Windows\System32\attrib.exe. Set the rule to alert and log - diagnostic level. There should be no reason why this process should need outbound network access.

Next, create a HIPS rule to monitor all startup activity of C:\Windows\System32\attrib.exe. Make it an "ask" rule and again, set the rule to alert and log - diagnostic level. Source Applications needs to be set to "All Applications." This rule will inform you what process is running attrib.exe at startup time. Note that legit Windows/System32 directory processes use attrib.exe such as defrag and disk cleanup use it so you don't want to block those. However, those processes don't run at boot time.

You will probably have to review the HIPS logs after boot time to determine what is running attrib.exe. This is due to the fact the HIPS will default allow your "Ask" rule for time out response reasons prior to the desktop initializing. Note that if svchost.exe is starting attrib.exe at boot time, this indicates bigger problems in that the malware has installed a service to do so. It is also possible the malware has either created a scheduled task or modified either the Windows startup directory or one of the registry "run" keys to run attrib.exe at boot time.

Oh, one more thing. Make sure you determine if C:\Windows\System32\attrib.exe is actually running at boot time. It could be the malware has installed its own version of it in another directory.

Edited January 7, 2018 by itman

[itman 1,659]

I came across this article on how coin miner Trojans use attrib.exe to hide their presence: https://blog.gridinsoft.com/trojan-coinminer-csrss-exe/ .

So you also want to open up File Explorer  - > View - > Advanced Settings and enable "Show hidden files, folders, and drives" to assist in locating where this malware is hiding.

Edited January 7, 2018 by itman

[peteyt 393]

Interestingly I read the latest version of the Opera browser comes with an option to block coin miners

[itman 1,659]

1 minute ago, peteyt said:

Interestingly I read the latest version of the Opera browser comes with an option to block coin miners

Yeah, I just also recently read about it. Unfortunately, this won't help the OP since his coin miner is a Trojan that has been locally installed.

[Arik 5]

On 7.1.2018 at 4:23 PM, itman said:

Do the following.

First, create an Eset firewall rule to block outbound traffic from C:\Windows\System32\attrib.exe. Set the rule to alert and log - diagnostic level. There should be no reason why this process should need outbound network access.

Next, create a HIPS rule to monitor all startup activity of C:\Windows\System32\attrib.exe. Make it an "ask" rule and again, set the rule to alert and log - diagnostic level. Source Applications needs to be set to "All Applications." This rule will inform you what process is running attrib.exe at startup time. Note that legit Windows/System32 directory processes use attrib.exe such as defrag and disk cleanup use it so you don't want to block those. However, those processes don't run at boot time.

You will probably have to review the HIPS logs after boot time to determine what is running attrib.exe. This is due to the fact the HIPS will default allow your "Ask" rule for time out response reasons prior to the desktop initializing. Note that if svchost.exe is starting attrib.exe at boot time, this indicates bigger problems in that the malware has installed a service to do so. It is also possible the malware has either created a scheduled task or modified either the Windows startup directory or one of the registry "run" keys to run attrib.exe at boot time.

Oh, one more thing. Make sure you determine if C:\Windows\System32\attrib.exe is actually running at boot time. It could be the malware has installed its own version of it in another directory.

Okay, I've done everything you've told me.

Really thanks for the help!

For now It does not run In the background

but that Is before I restarted my computer

So, when I do that I will update you If I see something In the HIPS logs.

I Just don't know how to check the HIPS logs because I still have the problem of ESET does not show up In the system tray.

 

[itman 1,659]

3 hours ago, Arik said:

I Just don't know how to check the HIPS logs because I still have the problem of ESET does not show up In the system tray.

Open Eset GUI from the Win Start Menu then.

[Arik 5]

33 minutes ago, itman said:

Open Eset GUI from the Win Start Menu then.

Did It, now I can see ESET Icon thanks but almost every boot up It dissapers.

I will look at the HIPS logs after I restart my PC and then update you with the Info.

[Arik 5]

17 hours ago, itman said:

Open Eset GUI from the Win Start Menu then.

Well, after booting up my computer.

I can see that attrib.exe still running after boot BUT It doesn't take any CPU usage because It's blocked by ESET

and after looking at my HIPS logs I can see I have so many HIPS logs like 110K Logs It's crazy

so I looked at the recent one and It saying this - Time, application, action, target, action, rule, and more 10/01/2018 10: 58: 28; C: \ Windows \ System32 \ csrss.exe; Access another application; C: \ Program Files \ ESET \ ESET Security \ egui.exe; Ekrn and egui processes; termination / termination of another application

 

This HIPS log above ^

Is taken after the first time I booted my computer up after doing all your steps to block this miner.

 

 

[Marcos 5,070]

First of all, it doesn't have to be necessarily a coinminer or other malware that is causing the heavy cpu load. In the past also the standard svchost.exe process used to cause this when Windows update was running.

Please drop me a private message with the archive generated by ESET Log Collector attached.

[itman 1,659]

4 hours ago, Arik said:

I can see that attrib.exe still running after boot BUT It doesn't take any CPU usage because It's blocked by ESET

Did you ever submit it to Virus Total for a scan and resultant determination?

[Arik 5]

1 minute ago, itman said:

Did you ever submit it to Virus Total for a scan and resultant determination?

Yes.. I did

[itman 1,659]

Just now, Arik said:

Yes.. I did

And were there any detections for it?

[Arik 5]

2 minutes ago, itman said:

And were there any detections for it?

Nope - https://www.virustotal.com/#/file/e17685417ff4d982d9fd1ddbbcb2f4aadb3c6e8b4865ecbf786113feb8d96c1d/detection

[itman 1,659]

Also I can't see your log file if you posted an extract of it or the like. So what process does it show that is attempting to start attrib.exe at boot time?

[Arik 5]

1 minute ago, itman said:

Also I can't see your log file if you posted an extract of it or the like. So what process does it show that is attempting to start attrib.exe at boot time?

I'll Just send you In a private message.

[itman 1,659]

I will also repost this link referenced above: https://blog.gridinsoft.com/trojan-coinminer-csrss-exe/ . What has recently been posted by the OP bears a lot of similarity to this coin miner. Eset has a signature for the original one, so this might be a new variant of it.

[Arik 5]

On 10.1.2018 at 2:16 PM, Marcos said:

First of all, it doesn't have to be necessarily a coinminer or other malware that is causing the heavy cpu load. In the past also the standard svchost.exe process used to cause this when Windows update was running.

Please drop me a private message with the archive generated by ESET Log Collector attached.

I did send you a private message that contains the ESET Logs generated by ESET's log collector.