itman (Posted October 27, 2018)
1 hour ago, koolholio said: That's strange, my OS install date is about a month and a half after the malware!
How did you check install date: https://www.isumsoft.com/it/check-windows-10-installation-date/
koolholio (Posted October 27, 2018)
Creation of eventvwr files gave me a quick indication of when I had a corrupted config registry hive... systeminfo confirms the eventvwr dates match...
Edited October 27, 2018 by koolholio
itman (Posted October 27, 2018)
Did you perform a Win 10 1809 upgrade prior to it being pulled from the update servers?
-EDIT- Also a Win 10 reset install will change the installation date. Also I found out that a reset install doesn't touch anything in the AppData directories. I found that one out after I ran SFC after a Win 10 reset.
Edited October 27, 2018 by itman
koolholio (Posted October 27, 2018)
1 minute ago, itman said: Did you perform a Win 10 1809 upgrade prior to it being pulled from the update servers?
We're talking about events that apparently took place between 11/04/2018 (file date of the malware) and 05/2018 (OS install month)... this is almost dating back to the Creators update... Haven't even touched the 1809 update! (for its delete bug...)
itman (Posted October 27, 2018)
Most of my system files, for example for 1803, show a date of 4/11/2018.
koolholio (Posted October 27, 2018)
Look for files modified at the same time as the malware file dates... include the time and that narrows it a little...
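A way to do the timestamp pivot koolholio describes, as an added example that is not part of the thread: it reads the OS install date from the registry (the same value systeminfo reports), takes a suspect file's creation and modification times, and lists other files under a few user-writable folders whose timestamps fall within a small window of them. The suspect path, the folder list and the window size are assumptions to adjust.

```powershell
# Added example (not from the thread): pivot on a suspect file's timestamps and
# list other files created or modified within a window around them.
# $Suspect, $Roots and $WindowMinutes are placeholders; adjust to your case.
$Suspect       = "$env:APPDATA\appleversions.dll"        # placeholder path
$Roots         = @("$env:APPDATA", "$env:LOCALAPPDATA", "$env:ProgramData", "$env:TEMP")
$WindowMinutes = 10

# Original OS install date (Unix epoch seconds) as stored in the registry;
# this is what systeminfo shows as "Original Install Date".
$installEpoch = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallDate
$installDate  = [DateTimeOffset]::FromUnixTimeSeconds($installEpoch).LocalDateTime
"OS install date : $installDate"

$ref = Get-Item -LiteralPath $Suspect -Force
"Suspect created : $($ref.CreationTime)   modified: $($ref.LastWriteTime)"
if ($ref.CreationTime -lt $installDate) {
    "Note: suspect file predates the OS install date; a copied or altered timestamp is possible."
}

# Keep files whose CreationTime or LastWriteTime lies within +/- $WindowMinutes
# of the suspect's CreationTime or LastWriteTime.
$anchors = @($ref.CreationTime, $ref.LastWriteTime)
$hits = foreach ($root in $Roots) {
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $f    = $_
            $near = $false
            foreach ($a in $anchors) {
                foreach ($t in @($f.CreationTime, $f.LastWriteTime)) {
                    if ([math]::Abs(($t - $a).TotalMinutes) -le $WindowMinutes) { $near = $true }
                }
            }
            $near -and ($f.FullName -ne $ref.FullName)
        }
}

$hits |
    Sort-Object CreationTime |
    Select-Object FullName, CreationTime, LastWriteTime, Length |
    Format-Table -AutoSize

# Save the list so it can be compared against Event Log and Task Scheduler history later.
$hits | Select-Object FullName, CreationTime, LastWriteTime, Length |
    Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\Desktop\timeline_pivot.csv"
```

Widen $WindowMinutes or add folders such as the Task Scheduler directory if the first pass finds nothing; NTFS timestamps can be altered, so treat the output as a lead rather than proof.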
itman (Posted October 27, 2018)
I finally found another posting related to this on the Malwarebytes forum. Activity is almost an exact match to what is posted here to date. It is most definitely Bitcoin miner related. OP posted it on the MBAM forum on 8/27/2018. As such, it is highly unlikely it was related to the recent Task Manager vulnerability. But who knows? The pen tester who found it could have been selling the vulnerability on the dark web sometime before deciding to get some "glory" by publicly posting it. Or as he discovered it, so did others. Most interesting, it appears the MBAM poster was using Norton, which detected the bitcoin mining activity. In any case, at this point I don't see a 100% positive correlation between the Task Scheduler vulnerability and this bitcoin miner.
https://forums.malwarebytes.com/topic/235808-system-infected-bitcoinminer-activity-7-and-9/
koolholio (Posted October 27, 2018)
On 10/27/2018 at 9:01 PM, itman said: In any case at this point, I don't see a 100% positive correlation between the Task Scheduler vulnerability and this bitcoin miner.
This is where the codebase usually comes into detection: it's detected as a software bundler malware family: Unwaders.C ... Occamy.C for the appleversions.dll, and it goes by a few other names... We'll have to wait and see I guess!
Edited October 30, 2018 by koolholio
riang23 (Posted October 30, 2018)
Guys... my problem has been gone for several days now. Up to this time, there is no notification anymore. My problem went away after I uninstalled the pirat*d game.
itman (Posted October 30, 2018)
4 hours ago, riang23 said: my problem is gone after I uninstalled pirat*d game.
Easiest way to get infected is to install cracked/pirated software. Amazing how so few realize this.
riang23 (Posted October 31, 2018)
ikr. That's why I mention it. Maybe Ian Ng, as thread starter, had installed pirated/cracked software, so it may have caused the problem. ^^