Arik 5 Posted January 6, 2018
Hello! I'm a guy whose systems running ESET products are mostly generally clean. But I suspect that on my main machine, which I do gaming etc. on, I got a little bitcoin miner virus that every time I boot up my computer is running and taking ALL the CPU usage, by the process called "Attribute Utility". I know where the file is and I cannot delete it. I've tried to perform a full scan with EIS 11 a couple of times, but it doesn't manage to detect any threats. Please, anyone who can help me solve this problem, it will mean a lot to me! This only happened recently when I downloaded something for a game, and let's say it was my fault getting this thing.
itman 1,786 Posted January 6, 2018 (edited)
As far as Attribute Utility goes: https://www.file.net/process/attrib.exe.html
Also you are not alone on this issue: https://www.reddit.com/r/Windows10/comments/6bhmgk/high_cpu_usage_from_attribute_utility_process_and/
Looks like it might be Minergate related: https://linustechtips.com/main/topic/831791-what-is-attribexe-and-why-is-it-running-in-the-background/ . Note that deleting attrib.exe will have adverse effects on your system, as noted in this linked article. I would submit it to VirusTotal and see if anything is found there before doing anything drastic with it. Make sure Eset's PUA detection is enabled and run a full Eset scan in admin mode.
Edited January 6, 2018 by itman
Arik 5 Posted January 6, 2018 Author
13 minutes ago, itman said: As far as Attribute Utility goes: https://www.file.net/process/attrib.exe.html Also you are not alone on this issue: https://www.reddit.com/r/Windows10/comments/6bhmgk/high_cpu_usage_from_attribute_utility_process_and/ Looks like it might be Minergate related: https://linustechtips.com/main/topic/831791-what-is-attribexe-and-why-is-it-running-in-the-background/ . Note that deleting attrib.exe will have adverse effects on your system, as noted in this linked article. I would submit it to VirusTotal and see if anything is found there before doing anything drastic with it. Make sure Eset's PUA detection is enabled and run a full Eset scan in admin mode.
Yes, Eset's PUA detection is enabled and I'm currently running a full ESET scan in admin mode. I'm hoping for this to be removed.
itman 1,786 Posted January 6, 2018
If Eset's scan doesn't find anything, run the following from an admin level command prompt window:
sfc /scannow
This will verify that all your Win system files are correct and haven't been tampered with.
Arik 5 Posted January 6, 2018 Author
1 minute ago, itman said: If Eset's scan doesn't find anything, run the following from an admin level command prompt window: sfc /scannow This will verify that all your Win system files are correct and haven't been tampered with.
Thank you for your help! I will update you if Eset's scan finds something, and if not I will do as you requested.
Arik 5 Posted January 7, 2018 Author
I did the steps you told me. Nothing helps, as after I boot up my PC Attribute Utility is on again.
Administrators Marcos 5,394 Posted January 7, 2018
Please locate the executable "Attribute Utility.exe" and upload it to www.virustotal.com to find out if some other vendors detect it.
Arik 5 Posted January 7, 2018 Author
Just now, Marcos said: Please locate the executable "Attribute Utility.exe" and upload it to www.virustotal.com to find out if some other vendors detect it.
Yes, I have done that already, and for some reason no other vendors detected it. I don't know what to do now.
itman 1,786 Posted January 7, 2018 (edited)
Do the following. First, create an Eset firewall rule to block outbound traffic from C:\Windows\System32\attrib.exe. Set the rule to alert and log - diagnostic level. There should be no reason why this process should need outbound network access.
Next, create a HIPS rule to monitor all startup activity of C:\Windows\System32\attrib.exe. Make it an "ask" rule and again, set the rule to alert and log - diagnostic level. Source Applications needs to be set to "All Applications." This rule will inform you what process is running attrib.exe at startup time. Note that legit Windows/System32 directory processes such as defrag and disk cleanup use attrib.exe, so you don't want to block those. However, those processes don't run at boot time.
You will probably have to review the HIPS logs after boot time to determine what is running attrib.exe. This is due to the fact that the HIPS will default allow your "Ask" rule for timeout response reasons prior to the desktop initializing. Note that if svchost.exe is starting attrib.exe at boot time, this indicates bigger problems in that the malware has installed a service to do so. It is also possible the malware has either created a scheduled task or modified either the Windows startup directory or one of the registry "run" keys to run attrib.exe at boot time.
Oh, one more thing. Make sure you determine if C:\Windows\System32\attrib.exe is actually running at boot time. It could be the malware has installed its own version of it in another directory.
Edited January 7, 2018 by itman
itman 1,786 Posted January 7, 2018 (edited)
I came across this article on how coin miner Trojans use attrib.exe to hide their presence: https://blog.gridinsoft.com/trojan-coinminer-csrss-exe/ . So you also want to open up File Explorer -> View -> Advanced Settings and enable "Show hidden files, folders, and drives" to assist in locating where this malware is hiding.
Edited January 7, 2018 by itman
Most Valued Members peteyt 396 Posted January 7, 2018
Interestingly, I read the latest version of the Opera browser comes with an option to block coin miners.
itman 1,786 Posted January 7, 2018
1 minute ago, peteyt said: Interestingly, I read the latest version of the Opera browser comes with an option to block coin miners.
Yeah, I also just recently read about it. Unfortunately, this won't help the OP since his coin miner is a Trojan that has been locally installed.
Arik 5 Posted January 9, 2018 Author
On 7.1.2018 at 4:23 PM, itman said: Do the following. First, create an Eset firewall rule to block outbound traffic from C:\Windows\System32\attrib.exe. Set the rule to alert and log - diagnostic level. There should be no reason why this process should need outbound network access. Next, create a HIPS rule to monitor all startup activity of C:\Windows\System32\attrib.exe. Make it an "ask" rule and again, set the rule to alert and log - diagnostic level. Source Applications needs to be set to "All Applications." This rule will inform you what process is running attrib.exe at startup time. Note that legit Windows/System32 directory processes such as defrag and disk cleanup use attrib.exe, so you don't want to block those. However, those processes don't run at boot time. You will probably have to review the HIPS logs after boot time to determine what is running attrib.exe. This is due to the fact that the HIPS will default allow your "Ask" rule for timeout response reasons prior to the desktop initializing. Note that if svchost.exe is starting attrib.exe at boot time, this indicates bigger problems in that the malware has installed a service to do so. It is also possible the malware has either created a scheduled task or modified either the Windows startup directory or one of the registry "run" keys to run attrib.exe at boot time. Oh, one more thing. Make sure you determine if C:\Windows\System32\attrib.exe is actually running at boot time. It could be the malware has installed its own version of it in another directory.
Okay, I've done everything you've told me. Really, thanks for the help! For now it does not run in the background, but that is before I restarted my computer. So, when I do that I will update you if I see something in the HIPS logs. I just don't know how to check the HIPS logs because I still have the problem that ESET does not show up in the system tray.
itman 1,786 Posted January 9, 2018
3 hours ago, Arik said: I just don't know how to check the HIPS logs because I still have the problem that ESET does not show up in the system tray.
Open the Eset GUI from the Win Start Menu then.
Arik 5 Posted January 9, 2018 Author
33 minutes ago, itman said: Open the Eset GUI from the Win Start Menu then.
Did it, now I can see the ESET icon, thanks, but almost every boot up it disappears. I will look at the HIPS logs after I restart my PC and then update you with the info.
Arik 5 Posted January 10, 2018 Author
17 hours ago, itman said: Open the Eset GUI from the Win Start Menu then.
Well, after booting up my computer, I can see that attrib.exe is still running after boot BUT it doesn't take any CPU usage because it's blocked by ESET, and after looking at my HIPS logs I can see I have so many HIPS logs, like 110K logs, it's crazy, so I looked at the recent one and it is saying this:
Time, application, action, target, action, rule, and more
10/01/2018 10:58:28; C:\Windows\System32\csrss.exe; Access another application; C:\Program Files\ESET\ESET Security\egui.exe; Ekrn and egui processes; termination / termination of another application
This HIPS log above is taken after the first time I booted my computer up after doing all your steps to block this miner.
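A small parser for HIPS log lines in the semicolon-separated shape posted above, added here as an example (not ESET's tooling and not code from anyone in this thread), to do the review itman's earlier post describes: find which process starts attrib.exe, and flag launches by svchost.exe or of an attrib.exe copy outside System32. The field order, the "Start new application" operation text, the parent allowlist (defrag and disk cleanup, as named in the thread) and the sample lines are assumptions constructed for the demo.

```python
from collections import Counter

FIELDS = ("time", "application", "operation", "target", "action", "rule", "details")
SYSTEM32 = "c:\\windows\\system32\\"
KNOWN_GOOD_PARENTS = {"defrag.exe", "cleanmgr.exe"}  # legit System32 users of attrib.exe per the thread

# Constructed sample export (not a real log): time;application;operation;target;action;rule;details
SAMPLE_HIPS_LOG = """\
10/01/2018 10:58:28;C:\\Windows\\System32\\csrss.exe;Access another application;C:\\Program Files\\ESET\\ESET Security\\egui.exe;Blocked;Ekrn and egui processes;termination of another application
10/01/2018 10:58:31;C:\\Windows\\System32\\svchost.exe;Start new application;C:\\Windows\\System32\\attrib.exe;Allowed;Monitor attrib.exe startup;ask rule timed out
10/01/2018 10:58:40;C:\\Users\\user1\\AppData\\Roaming\\updater.exe;Start new application;C:\\Users\\user1\\AppData\\Roaming\\attrib.exe;Allowed;Monitor attrib.exe startup;ask rule timed out
10/01/2018 11:02:05;C:\\Windows\\System32\\cleanmgr.exe;Start new application;C:\\Windows\\System32\\attrib.exe;Allowed;Monitor attrib.exe startup;ask rule timed out
"""

def parse_hips_log(text):
    """Split each line on ';' into the seven named fields; skip short or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(";")]
        if len(parts) >= len(FIELDS):
            events.append(dict(zip(FIELDS, parts)))
    return events

def attrib_launches(events):
    """Only events where some process starts a file named attrib.exe."""
    return [e for e in events
            if e["operation"].lower().startswith("start")
            and e["target"].lower().endswith("\\attrib.exe")]

def parents_of_attrib(events):
    """Count launches per parent process: the answer to 'what is running attrib.exe?'."""
    return Counter(e["application"] for e in attrib_launches(events))

def suspicious_launches(events):
    """Flag the conditions the thread warns about; returns (time, parent, target, reasons)."""
    findings = []
    for e in attrib_launches(events):
        parent, target = e["application"].lower(), e["target"].lower()
        parent_name = parent.rsplit("\\", 1)[-1]
        reasons = []
        if not target.startswith(SYSTEM32):
            reasons.append("attrib.exe copy outside System32")
        if parent_name == "svchost.exe":
            reasons.append("started by svchost.exe: a service may have been installed")
        elif parent_name not in KNOWN_GOOD_PARENTS or not parent.startswith(SYSTEM32):
            reasons.append("parent is not a known System32 user of attrib.exe")
        if reasons:
            findings.append((e["time"], e["application"], e["target"], reasons))
    return findings
```

Run `parents_of_attrib(parse_hips_log(text))` over a real export to get the per-parent counts without reading 110K lines by hand; `suspicious_launches` then narrows that to the entries worth looking at.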
Administrators Marcos 5,394 Posted January 10, 2018
First of all, it doesn't necessarily have to be a coinminer or other malware that is causing the heavy CPU load. In the past, the standard svchost.exe process also used to cause this when Windows Update was running. Please drop me a private message with the archive generated by ESET Log Collector attached.
itman 1,786 Posted January 10, 2018
4 hours ago, Arik said: I can see that attrib.exe is still running after boot BUT it doesn't take any CPU usage because it's blocked by ESET
Did you ever submit it to VirusTotal for a scan and resultant determination?
Arik 5 Posted January 10, 2018 Author
1 minute ago, itman said: Did you ever submit it to VirusTotal for a scan and resultant determination?
Yes.. I did.
itman 1,786 Posted January 10, 2018
Just now, Arik said: Yes.. I did.
And were there any detections for it?
Arik 5 Posted January 10, 2018 Author
2 minutes ago, itman said: And were there any detections for it?
Nope - https://www.virustotal.com/#/file/e17685417ff4d982d9fd1ddbbcb2f4aadb3c6e8b4865ecbf786113feb8d96c1d/detection
itman 1,786 Posted January 10, 2018
Also, I can't see your log file, if you posted an extract of it or the like. So what process does it show that is attempting to start attrib.exe at boot time?
Arik 5 Posted January 10, 2018 Author
1 minute ago, itman said: Also, I can't see your log file, if you posted an extract of it or the like. So what process does it show that is attempting to start attrib.exe at boot time?
I'll just send it to you in a private message.
itman 1,786 Posted January 11, 2018
I will also repost this link referenced above: https://blog.gridinsoft.com/trojan-coinminer-csrss-exe/ . What has recently been posted by the OP bears a lot of similarity to this coin miner. Eset has a signature for the original one, so this might be a new variant of it.
Arik 5 Posted January 14, 2018 Author
On 10.1.2018 at 2:16 PM, Marcos said: First of all, it doesn't necessarily have to be a coinminer or other malware that is causing the heavy CPU load. In the past, the standard svchost.exe process also used to cause this when Windows Update was running. Please drop me a private message with the archive generated by ESET Log Collector attached.
I did send you a private message that contains the ESET logs generated by ESET's Log Collector.