Jump to content

Found a coinminer trojan on my old PC!


Recommended Posts

First time poster here. I have an old PC that I havent used in months. I turned it on last night to transfer my files to an external drive so I can reset it and give it to a relative as a gift. I have had MalwareBytes and Eset installed ever since I bought the computer around 2013. It was a decent computer at the time (i7 processor, 16gb ram)

Last night I logged it on and it was unimaginably slow. It's been sitting overnight and some of the icons in the tray on the bottom right hand corner arent loaded and when I right click them nothing happens or they take over a minute to react. Last night applications kept crashing- basic things like firefox. It seems to be running a bit faster today but still slowly. So last night I had it transferring my C drive to my external harddrive and I decided to let Eset run a scan. When I checked on it today Eset found a coinminer application running. I cleaned it and tried running the scan again and now it has found 2 variants of them this time. Both located in my C drive under program files. The applications are variants of CoinMiner(dot)(the letter J)(the letter Y). The other one has the same name but the last two letters are different and when I tried to google it I couldnt find anything about it. The location of the file is \"MyAccount"\Data\C\Program Files\ethereum\ethminer (2021_01_01 1-_42_21 UTC).exe Eset says the application in question is svchost.exe, specifically C:\Windows\System32\svchost.exe

Here's the kicker my C drive has already finished copying onto the external hard drive by time I caught it. Luckily the hard drive was brand new so there was no data on it from other devices. I deleted the C drive off the external hard drive after I saw the Eset report.

Malwarebytes doesnt find anything.

Now- I feel really stupid because a couple years ago I used to use a website where Eset would pop up and alert me to the same CoinMiner application, except it would say it was running on the website. I figured since Eset was giving me the option to block it, as long as I didnt download anything it would be fine. And I ran malwarebytes which never detected it. So is that where I got it from? It could be a coincidence or not. I don't know. I know that last night the only thing I did online was look up reviews of different software online. One of the websites was blocked from Eset so I closed out of it. After that I began transferring files and disconnected my ethernet cable and let it run along with the Eset scan.

What do I do now guys?

1) What do I do to protect my data? So far I have changed all my main account passwords with very secure passwords but this PC is old and there could be accounts on there that I forgot about or havent used in years.

2) How can I clean my PC?

3) Is my external hard drive now compromised? Can I still backup my data?

Also, the only other thing that stands out when I run a scan is a program called Manycam which I used to use years ago but have had installed forever. It's an application that lets you play videos over your webcam. Malwarebytes or eset  ( I forget which one) used to tell me it was a PUP and that I should consider deleting it. This time when I scanned my computer (I think via Malwarebytes?) it had it listed as malware. I haven't updated the program in years I've had an outdated version forever because the newer versions make you pay for features that used to be free on the version I had.

Link to comment
Share on other sites

  • Most Valued Members
7 hours ago, Jeff1238192398123 said:

First time poster here. I have an old PC that I havent used in months. I turned it on last night to transfer my files to an external drive so I can reset it and give it to a relative as a gift. I have had MalwareBytes and Eset installed ever since I bought the computer around 2013. It was a decent computer at the time (i7 processor, 16gb ram)

Last night I logged it on and it was unimaginably slow. It's been sitting overnight and some of the icons in the tray on the bottom right hand corner arent loaded and when I right click them nothing happens or they take over a minute to react. Last night applications kept crashing- basic things like firefox. It seems to be running a bit faster today but still slowly. So last night I had it transferring my C drive to my external harddrive and I decided to let Eset run a scan. When I checked on it today Eset found a coinminer application running. I cleaned it and tried running the scan again and now it has found 2 variants of them this time. Both located in my C drive under program files. The applications are variants of CoinMiner(dot)(the letter J)(the letter Y). The other one has the same name but the last two letters are different and when I tried to google it I couldnt find anything about it. The location of the file is \"MyAccount"\Data\C\Program Files\ethereum\ethminer (2021_01_01 1-_42_21 UTC).exe Eset says the application in question is svchost.exe, specifically C:\Windows\System32\svchost.exe

Here's the kicker my C drive has already finished copying onto the external hard drive by time I caught it. Luckily the hard drive was brand new so there was no data on it from other devices. I deleted the C drive off the external hard drive after I saw the Eset report.

Malwarebytes doesnt find anything.

Now- I feel really stupid because a couple years ago I used to use a website where Eset would pop up and alert me to the same CoinMiner application, except it would say it was running on the website. I figured since Eset was giving me the option to block it, as long as I didnt download anything it would be fine. And I ran malwarebytes which never detected it. So is that where I got it from? It could be a coincidence or not. I don't know. I know that last night the only thing I did online was look up reviews of different software online. One of the websites was blocked from Eset so I closed out of it. After that I began transferring files and disconnected my ethernet cable and let it run along with the Eset scan.

What do I do now guys?

1) What do I do to protect my data? So far I have changed all my main account passwords with very secure passwords but this PC is old and there could be accounts on there that I forgot about or havent used in years.

2) How can I clean my PC?

3) Is my external hard drive now compromised? Can I still backup my data?

Also, the only other thing that stands out when I run a scan is a program called Manycam which I used to use years ago but have had installed forever. It's an application that lets you play videos over your webcam. Malwarebytes or eset  ( I forget which one) used to tell me it was a PUP and that I should consider deleting it. This time when I scanned my computer (I think via Malwarebytes?) it had it listed as malware. I haven't updated the program in years I've had an outdated version forever because the newer versions make you pay for features that used to be free on the version I had.

Not sure about the actual malware but is malwarebytes running as a real-time AV as well as Eset? This isn't recommended as having two real-time AVs can cause conflicts and slowdowns as both try to do the same thing at the same time. It's recommended if your using another AV like malwarebytes to make sure disable all its real-time protection and use it as a secondary opinion AV

Link to comment
Share on other sites

  • Administrators

If a CoinMiner is detected as a PUA it's likely a legitimate application for mining cryptocurrency. The CoinMiner.Y detection is from 2013 so it could be that you had PUA detection disabled at that time.

Link to comment
Share on other sites

Ethminer is indeed a legit coin miner. However, there are malicious versions of it but it appears this is not the case here. One possibility is you unwittingly installed it as part as other software you installed.

Legit ethminer runs via command line interface. In other words, there is a batch script; i.e. xxxx.bat, starting it; most likely at boot time and possibly as a scheduled task. Another possibility is its running from this registry key; C:\Users\xxxxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup at system startup time.

Some refs. below:

https://github.com/ethereum-mining/ethminer

https://smurfy.github.io/ethminer/

Also copying the old device's drive  C:\* directory contents to an external drive will cause no issues. It is assumed that you will just be copying personal related files and the like to another device. As such, it is advisable to just copy directories related to these files and skip the full Windows boot drive copy. Disconnect Wi-Fi connection or Ethernet cable on old device for added security prior to copy activities.

Reformatting and reinstalling Windows on the old device precludes any need to do any in depth cleaning of this coin miner from the old device.

Once all your personal files have been copied, just ensure you delete the copied C;/* directory from the external drive and also the recycle bin of the current device if present there.

Edited by itman
Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...