Jump to content

Bitcoin miner


Arik
 Share

Recommended Posts

Hello!

I'm a guy that my systems who are running ESET products are mostly generaly clean.

But, I suspect that on my main machine which I do gaming etc I got an bitcoin miner little virus

That everytime I open boot up my computer It's running and taking ALL the CPU usage.

By the proccss called "Attribuite Utillty"

I know where the file Is at and I cannot delete It.

I've tried to perform a full scan with EIS 11 couple of times.

But It doesn't manage to detect any threats

Please from anyone who can help me solve this problem, It will mean alot to me!

This only happend recently when I downloaded something for a game and let's say It was my fault getting this thing.

 

Link to comment
Share on other sites

As far as Attribute Utility goes: https://www.file.net/process/attrib.exe.html

Also you are not alone on this issue: https://www.reddit.com/r/Windows10/comments/6bhmgk/high_cpu_usage_from_attribute_utility_process_and/

Looks like it might be Minergate related: https://linustechtips.com/main/topic/831791-what-is-attribexe-and-why-is-it-running-in-the-background/ . Note deleting attrib.exe will have adverse effects on your system as noted in this linked article. I would submit it to VirusTotal and see if anything found there before doing anything drastic with it.

Make sure Eset's PUA detection is enabled and run a full Eset scan in admin mode. 

Edited by itman
Link to comment
Share on other sites

13 minutes ago, itman said:

As far as Attribute Utility goes: https://www.file.net/process/attrib.exe.html

Also you are not alone on this issue: https://www.reddit.com/r/Windows10/comments/6bhmgk/high_cpu_usage_from_attribute_utility_process_and/

Looks like it might be Minergate related: https://linustechtips.com/main/topic/831791-what-is-attribexe-and-why-is-it-running-in-the-background/ . Note deleting attrib.exe will have adverse effects on your system as noted in this linked article. I would submit it to VirusTotal and see if anything found there before doing anything drastic with it.

Make sure Eset's PUA detection is enabled and run a full Eset scan in admin mode. 

Yes, Eset's PUA detection Is enabled and I'm currently running a full ESET scan In admin mode.

I'm hoping for this to be removed :(

Link to comment
Share on other sites

If Eset's scan doesn't find anything, run the following from an admin level command prompt window;

sfc /scannow

This will verify that all your Win system files are correct and haven't been tampered with.

Link to comment
Share on other sites

1 minute ago, itman said:

If Eset's scan doesn't find anything, run the following from an admin level command prompt window;

sfc /scannow

This will verify that all your Win system files are correct and haven't been tampered with.

Thank you for your help!

I will update you If eset's scan finds something and If not I will do as you requested.

Link to comment
Share on other sites

  • Administrators

Please locate the executable "Attribuite Utillty.exe" and upload it to www.virustotal.com to find out if some other vendors detect it.

Link to comment
Share on other sites

Just now, Marcos said:

Please locate the executable "Attribuite Utillty.exe" and upload it to www.virustotal.com to find out if some other vendors detect it.

Yes, I have done that already and for some reason no other vendors detected It.

I don't know what to do now :(

Link to comment
Share on other sites

Do the following.

First, create an Eset firewall rule to block outbound traffic from C:\Windows\System32\attrib.exe. Set the rule to alert and log - diagnostic level. There should be no reason why this process should need outbound network access.

Next, create a HIPS rule to monitor all startup activity of C:\Windows\System32\attrib.exe. Make it an "ask" rule and again, set the rule to alert and log - diagnostic level. Source Applications needs to be set to "All Applications." This rule will inform you what process is running attrib.exe at startup time. Note that legit Windows/System32 directory processes use attrib.exe such as defrag and disk cleanup use it so you don't want to block those. However, those processes don't run at boot time.

You will probably have to review the HIPS logs after boot time to determine what is running attrib.exe. This is due to the fact the HIPS will default allow your "Ask" rule for time out response reasons prior to the desktop initializing. Note that if svchost.exe is starting attrib.exe at boot time, this indicates bigger problems in that the malware has installed a service to do so. It is also possible the malware has either created a scheduled task or modified either the Windows startup directory or one of the registry "run" keys to run attrib.exe at boot time.

Oh, one more thing. Make sure you determine if C:\Windows\System32\attrib.exe is actually running at boot time. It could be the malware has installed its own version of it in another directory.

Edited by itman
Link to comment
Share on other sites

I came across this article on how coin miner Trojans use attrib.exe to hide their presence: https://blog.gridinsoft.com/trojan-coinminer-csrss-exe/ .

So you also want to open up File Explorer  - > View - > Advanced Settings and enable "Show hidden files, folders, and drives" to assist in locating where this malware is hiding.

Edited by itman
Link to comment
Share on other sites

  • Most Valued Members

Interestingly I read the latest version of the Opera browser comes with an option to block coin miners

Link to comment
Share on other sites

1 minute ago, peteyt said:

Interestingly I read the latest version of the Opera browser comes with an option to block coin miners

Yeah, I just also recently read about it. Unfortunately, this won't help the OP since his coin miner is a Trojan that has been locally installed.

Link to comment
Share on other sites

On 7.1.2018 at 4:23 PM, itman said:

Do the following.

First, create an Eset firewall rule to block outbound traffic from C:\Windows\System32\attrib.exe. Set the rule to alert and log - diagnostic level. There should be no reason why this process should need outbound network access.

Next, create a HIPS rule to monitor all startup activity of C:\Windows\System32\attrib.exe. Make it an "ask" rule and again, set the rule to alert and log - diagnostic level. Source Applications needs to be set to "All Applications." This rule will inform you what process is running attrib.exe at startup time. Note that legit Windows/System32 directory processes use attrib.exe such as defrag and disk cleanup use it so you don't want to block those. However, those processes don't run at boot time.

You will probably have to review the HIPS logs after boot time to determine what is running attrib.exe. This is due to the fact the HIPS will default allow your "Ask" rule for time out response reasons prior to the desktop initializing. Note that if svchost.exe is starting attrib.exe at boot time, this indicates bigger problems in that the malware has installed a service to do so. It is also possible the malware has either created a scheduled task or modified either the Windows startup directory or one of the registry "run" keys to run attrib.exe at boot time.

Oh, one more thing. Make sure you determine if C:\Windows\System32\attrib.exe is actually running at boot time. It could be the malware has installed its own version of it in another directory.

Okay, I've done everything you've told me.

Really thanks for the help!

For now It does not run In the background

but that Is before I restarted my computer

So, when I do that I will update you If I see something In the HIPS logs.

I Just don't know how to check the HIPS logs because I still have the problem of ESET does not show up In the system tray.

 

Link to comment
Share on other sites

3 hours ago, Arik said:

I Just don't know how to check the HIPS logs because I still have the problem of ESET does not show up In the system tray.

Open Eset GUI from the Win Start Menu then.

Link to comment
Share on other sites

33 minutes ago, itman said:

Open Eset GUI from the Win Start Menu then.

Did It, now I can see ESET Icon thanks but almost every boot up It dissapers.

I will look at the HIPS logs after I restart my PC and then update you with the Info.

Link to comment
Share on other sites

17 hours ago, itman said:

Open Eset GUI from the Win Start Menu then.

Well, after booting up my computer.

I can see that attrib.exe still running after boot BUT It doesn't take any CPU usage because It's blocked by ESET :)

and after looking at my HIPS logs I can see I have so many HIPS logs like 110K Logs It's crazy

so I looked at the recent one and It saying this - Time, application, action, target, action, rule, and more 10/01/2018 10: 58: 28; C: \ Windows \ System32 \ csrss.exe; Access another application; C: \ Program Files \ ESET \ ESET Security \ egui.exe; Ekrn and egui processes; termination / termination of another application

 

This HIPS log above ^

Is taken after the first time I booted my computer up after doing all your steps to block this miner.

 

 

Link to comment
Share on other sites

  • Administrators

First of all, it doesn't have to be necessarily a coinminer or other malware that is causing the heavy cpu load. In the past also the standard svchost.exe process used to cause this when Windows update was running.

Please drop me a private message with the archive generated by ESET Log Collector attached.

Link to comment
Share on other sites

4 hours ago, Arik said:

I can see that attrib.exe still running after boot BUT It doesn't take any CPU usage because It's blocked by ESET

Did you ever submit it to Virus Total for a scan and resultant determination?

Link to comment
Share on other sites

1 minute ago, itman said:

Did you ever submit it to Virus Total for a scan and resultant determination?

Yes.. I did

Link to comment
Share on other sites

Also I can't see your log file if you posted an extract of it or the like. So what process does it show that is attempting to start attrib.exe at boot time?

Link to comment
Share on other sites

1 minute ago, itman said:

Also I can't see your log file if you posted an extract of it or the like. So what process does it show that is attempting to start attrib.exe at boot time?

I'll Just send you In a private message.

Link to comment
Share on other sites

I will also repost this link referenced above: https://blog.gridinsoft.com/trojan-coinminer-csrss-exe/ . What has recently been posted by the OP bears a lot of similarity to this coin miner. Eset has a signature for the original one, so this might be a new variant of it.

Link to comment
Share on other sites

On 10.1.2018 at 2:16 PM, Marcos said:

First of all, it doesn't have to be necessarily a coinminer or other malware that is causing the heavy cpu load. In the past also the standard svchost.exe process used to cause this when Windows update was running.

Please drop me a private message with the archive generated by ESET Log Collector attached.

I did send you a private message that contains the ESET Logs generated by ESET's log collector.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...