The virus (backdoor) DoublePulsar and miner (WINSec.exe/msiexev.exe)

rambling
I have the same trouble I was,but helped me finding the process Manager (must be very fast to have time to click on the process and go to his location,until he was gone) and easy removal (but after the removal of only one thing can begin to emerge and others but have less loading system.I had them in the same way,but in the other locations and almost with the same name).

JUnnAmmED

What was your process? I'm more and more convinced that this Winsec.exe. As I wrote, eating 75% percent, plus no FileDescription or CompanyName, and Microsoft usually signs their files.

UPDATE: Stopped process - from 75% fell to 0. File Modified: Today, April 29, 2017, 2 hours ago. Quite strange, because I do not think that this component of Windows is so often modificeres. And even with a disabled AutoUpdates.
By the way, after the stop process has restarted...

Read here https://www.bleepingcomputer.com/startups/Winsec.exe-18481.html
the campaign is a virus of some sort.

net Windows there is no such file

rambling
Try the Kaspersky Virus Removal Tool clean computer, free utility with off site companies, at me too such problem was, constantly under video card load was utilitly went and found the miner, safely removed, more problems.

zuuc

Thanks, that's helpful. Unless the discrepancy is that the description file is located in %System%, and I have in WindowsSecurity. But apparently any sluchae virus.

Now did the install.your wim image Windows, so there is generally no WINSec of the file itself. It seems that the file didn't come from the installation.

zuuc wrote:
net Windows there is no such file
Yeah, just noticed it.

PS who deleted the file immediately recovered. Process Explorer shows that daddy he C:\Windows\Prefetch\secscan.exe.

A separate post - it. Removed the dad, and then the file itself. Nothing is restored, everything is fine. But I am very concerned that the virus somewhere in my files, given that it survived the format. Nothing to do, going to dig. Thank you all.

rambling
I have tried a wood from NV to disguise themselves.The home was called,I think nvscp32.exe now I can't remember exactly.Lay it in its own folder (for example Temp183) and folders, MS and NV.Full path - C-users-username-appdata-roaming.It was a month and a half ago.No reinstalling Windows,no antivirus (Kasper,Web,Avast) did not clean it until the end,after a reboot it reappeared.Moreover,after removal of the tool through the Web he might have come up even without a reboot.Percent loaded under 100% (i5-2320).By the way,appeared exactly the same,literally from nothing.

rambling
He may not be in the files, such as a website infected with this shit, you walked in and he immediately pulled you in. and it is prescribed in startup. And then you need to clean the registry, or after you reboot or next time you turn on the computer, he again can get into your system

zuuc wrote:
He may not be in the files, such as a website infected with this shit, you walked in and he immediately pulled you in.
Oh, I didn't think about that. This is very, very likely. I have been through hell what's left mirror I go to Pirate Bay. There's a whole bunch of crap in the opening pages, banners, and other crap. I suspect that from there. Again'd get along, I will look to appear or not. In the case lubiam already knew how to remove it and are going to formatted.
In the registry there is no mention of these files.

JUnnAmmED wrote:
Full path - C-users-username-appdata-roaming
Now I remember - Yes, also take caught and removed early. Fortunately not surfaced.

rambling
try to find him and here HKEY_LOCAL_MACHINE \SOFTWARE \Microsoft \Windows \CurrentVersion \Run
and here HKEY_CURRENT_USER\SOFTWARE \Microsoft \Windows \CurrentVersion \Run

zuuc
No. That is quite strange, because he restarted the computer (why?). I'm generally not concerned about his startup'om, because it is still going formatnut. I'm more concerned about where it came from. So now trying to restore the order of action since last format (the day before) and the monitor Prefetch\Temp.
But left mirror Bay definitely go not anymore.

rambling
Good luck

zuuc
Thank you, and thank you for your help.

Hi, comrades.
Got the same miner a few days ago apparently. First, the services found DHSWIQU, in the process found a fake wininit.exe. Very good option is to run a search of the files on the CD ( datasonde:26.04.2017 .. 01.05.2017 ) - or the date when someone noticed activity/picked up. Continue to sort by type and see what exe-shnik, and bat-Niki appeared during this time and what new files are created in windows. To see what folders are suspiciously updated for the date. So it was possible to identify most of the left of files and changes. At the root of windows I found start.bat, which creates
%windir%\db.sdb
%windir%\Prefetch\secscan.exe
%windir%\security\WINSec.exe
accordingly, it is necessary to remove/cut. Still looking, found in the root Windows csrss.exe (the original should live in system32), un.exe, winsxslog.rar (which actually is the miner) and winsxslog the folder with the files from which it's run. And in the temporary files browser 1[1].exe, which probably was the source of this garbage. winsxslog.rar Kaspersky catches as a miner (RiskTool.Win64.BitCoinMiner), drweb caught nothing (there was a version from 29.04, when first found, may day is already all catches).
Inside the archive winsxslog.rar SystemIISSec.exe, SystemIIS.exe that may still be somewhere to pop up in temporary files.
In WindowsTemp new file format s1kk.exe and so. In the registry found secscan.exe in the services.
After the sudden wrong restarting, noticed a suspicious process secscan.exe using Process Explorer, which immediately closed, if you open the task Manager. And thanks to this topic began to look for, thanks.

For winsxslog miner in a search engine is searched for article
odminblog.EN/cpu-miner-exploit-windows/

update
Fresh CureIT catches secscan.exe 1[1].exe as virus.Spy.422,
and WINSec.exe Tool.BtcMine.948

oscarbin

The continued intrigue. These are all purely from my experience with this miner.

1) the miner is going through a format.
2) it's Not like he's in any of my files because I have modified them for a long time and nothing (absolutely nothing) is not pumping.
3) miner disguised as a Windows service And renames itself. I used to have secscan.exe (process-dad) and WINSec.exe. After the format was wuaupdate.exe process-dad; called something like that, can't remember exactly) and msiexev.exe. Although miner and dad are exactly the same.
4) This miner is disabled when you call up task manager'and to avoid detection. But if the task manager remains open, about five minutes into the process his dad close and restart the miner. But process explorer is not the case.
5) the Process-dad, why it restarts the computer after half an hour of absence of the user at the computer. Very rarely it can reboot the computer while working. In this case, it appears a critical error stating that the computer will restart in a minute.

And now the main intrigue. I dug up all your files and virus do not obnaruzhil, although he survived as much as two formats. But as soon as resetнул router for 24 hours did not recover any file of the process-the Pope, nor the miner. From which I conclude that as an option, something snuck into the router and forwarded it to download this miner.
This is supported by the fact that the files are on my desktop computer and on the laptop is absolutely identical, including absolutely all the installed programs and games. But on the laptop the virus is. And the laptop is connected via Wi-Fi (don't know has this attitude to jump miner or not).

And the last one. I have Overwatch constantly crashes with various error codes (only), even after reformatting, even on older versions of fire wood. And takes off in the time intervals from several minutes to several seconds. A couple of days ago, this was not. This is not a problem of the game (since no one with such a frequency of crashes) and drivers. Anyway, it seems this also applies to the virus. Just can't imagine why he launched a paw in Overwatch. Maybe the process-dad is rocking some kind of virus. It is difficult to say. This is the best after the removal of the miner and of the process of the Pope.

oscarbin wrote:
start.bat
db.sdb
csrss.exe
un.exe
winsxslog.rar
winsxslog
I only have it there... And there.

By the way recently very actual miner. From what I dug up in Google, many caught it in the last few days.

Scan the computer with this program - Malwarebytes Anti-Malware.
I have two of their systems, after verification, was surprised to find a dozen miners, although antiviruses remained stubbornly silent. And their presence is indicated to other things.

ExxErr

Already scanned with different programs including Malwarebytes. Miner-then it catches, but its source remains unknown. Miner appears after the format almost immediately, within a couple of hours. Given that I literally didn't fix anything and does not even run, the source of the miner are hard to find. And no, he's definitely not on the drive with Windows. I formatnul and altered with image Windows 2016 year.
So as I wrote in a previous post, the suspicion falls on the router.

Is it possible to connect to the network bypassing the router? This would confirm your theory, if the miner again will light up so that's not it(the router)

Wabmig.exe hiding folders in Windows Mail which are formed themselves in User/Appdata/Roaming disguised as games folder. Kill complete removal of this stuff (using Unlocker) and removing the entry from startup / scheduled tasks (with help of CCleaner).
This is exactly the kind of Maini Chinese, ship my vidyahi and warm, was killed so after some recent Repack. I hope the information will be useful to someone...