JS/Coinminer.BF Keeps Poping up

[rharesh 1]

Eset keeps blocking JS/Coinminer.BF for every website i visit, even gmail, msn etc once it will popup if i hit enter again it will work

It does same for IDM, Adobe or any internet based software, done full system scan, used eset rescue disk, checked with tech support etc not sure what is the source is it from my pc or isp ?

[Marcos 5,074]

To fix this, perform a factory reset of your router and install the latest version of firmware. It appears that your router was hacked. Are you using Mikrotik? What model?

[rharesh 1]

I have a TP-Link wifi router which i configured with connection from fiber channel provider OptiLink device

[rharesh 1]

My isp has mikrotik router.. I gave direct connection to my system bypassing my tplink router same issue... Looks like issue from isp side...

[itman 1,659]

TP-Link routers have had numerous vulnerabilities recently disclosed. For example, a number of models are vulnerable to VPNFilter: https://www.tp-link.com/cz/faq-2213.html

[rharesh 1]

Its not my router i reset it aswell.. i guess its from isp or its coming from some other pc which is going through the same gateway

[itman 1,659]

1 hour ago, rharesh said:

Its not my router i reset it aswell

If your router is one of the vulnerable TP-Link ones, a reset is not enough. You will have to apply a firmware update if one is available from TP-Link to the router . 

[Marcos 5,074]

If you have an opportunity to try a router of a different brand, please do so and let us know if the issue goes away. I'd also suggest trying SysRescue and the browser included with it to see if the alert is still triggered to rule out a local system infection.

[HSW 9]

Hi,

we have many of this infection notifications since friday, could there be a bug? Different mashines and different routers. (private home office and different business locations)

[Marcos 5,074]

21 minutes ago, HSW said:

we have many of this infection notifications since friday, could there be a bug? Different mashines and different routers. (private home office and different business locations)

I'd suggest creating a SysRescue medium, booting from it and opening a website through the built-in browser. If the threat is detected, it's likely either the router or ISP that was compromised.

[HSW 9]

It is a homepage not the clients. Eset reacts to the http of this side https is all fine. Its our own hp.

[HSW 9]

@marcos i send you private the link.

 

[HSW 9]

We found out, its a router problem (https://www.zdnet.com/article/mikrotik-routers-enslaved-in-massive-coinhive-cryptojacking-campaign/)

tricky monday

[urbmend26 0]

I solve the problem, with Mikrotik Router.

[Hasan Halim 0]

On 9/5/2018 at 1:10 PM, urbmend26 said:

I solve the problem, with Mikrotik Router.

How did you solve it with Mikrotik router? Can you please explain it? Today I start getting this annoying popup JS/Coinminer.AH not BF

I am thinking to reformat my Windows, please help.

[Marcos 5,074]

12 minutes ago, Hasan Halim said:

How did you solve it with Mikrotik router? Can you please explain it? Today I start getting this annoying popup JS/Coinminer.AH not BF

I am thinking to reformat my Windows, please help.

Install the latest firmware available for your Mikrotik router and reset it to factory settings. Reinstalling Windows won't help since it's router that serves a CoinMiner script.

[Hasan Halim 0]

Hi Marcos, your reply is really helpful, it solves my problem. I was so stressed of annoying popup JS/Coinminer.AH

It was really unexpected that the cause would be MikroTik router and yes when I check my MikroTik settings, the Firewall rules and NAT had been changed.

Again, thank you.