The DoublePulsar virus (backdoor) and the miner (WINSec.exe/msiexev.exe)
The first important piece of information I found after studying the problem in detail: the miner is just a symptom. It gets onto the computer through the DOUBLEPULSAR backdoor. DOUBLEPULSAR appeared online on 12 April 2017, when the network hacking utilities used by the National Security Agency of the United States leaked. These utilities immediately fell into everyone's hands, and by 15 April there were 1,951,075 servers infected with the DOUBLEPULSAR backdoor. The miner discussed in this thread uses this backdoor. But anything at all can appear on the computer through the backdoor, so I'm waiting for further developments. In my case the virus survived formatting the hard disk, deleting the hard disk partitions, reflashing the BIOS and the router, formatting the USB stick with Windows, and trying to install Windows from another image - all to no avail. Two weeks later, still nobody has found the source of this backdoor's appearance on the computer. So if you have the miner described in this thread, more than likely a backdoor has appeared through which this miner is downloaded.
At the moment there is only one solution: urgently update Windows with the latest updates, and close port 445. Microsoft wrote that the ETERNALBLUE exploit used by this backdoor was removed in a recent update. It knocks on the backdoor via port 445.
And please note - the latest version of the miner downloads its files marked as system. So to see them, don't forget to enable viewing of system files in Folder Options.
Here is a link to one of the sources I used:
http://www.theregister.co.uk/2017/04/21/windows_hacked_nsa_shadow_brokers/
There is a Russian version there, but I gave all the important info above.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Here you can check whether you are infected with the backdoor:
www.binaryedge.io/doublepulsar.html
(thanks to Embrace Futility)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
It is not yet known whether this is spreading through (initially server) systems of Internet service providers' servers, or simply roams the network looking for victims.
----------------------------
The situation is this: if I leave the computer for, say, 10 minutes, the CPU load (Core i5 3570 @ 4.2 GHz) goes up to 90% on all cores. But as soon as I open Task Manager or Process Explorer, the load magically drops to zero (the miner notices and stops?).
The computer rebooted spontaneously when I was away for about 30 minutes. There is definitely no overheating. Even under 90% load the temperature rises to 65, which is still very far from actual overheating.
And I just noticed that the open (minimized) Task Manager suddenly shut down on its own.
--------------
Bottom line: yes, by all indications I think it is a very sneaky miner. But here's the problem - I reformatted only yesterday. The problem was there both before and after. And I've had no new software, no games, no updates for a month. And I didn't download anything new. So how it could have gotten in is unclear.
Any suggestions on catching this marvel?
UPDATE:
Now I've found this:
C:\Windows\Security\WINSec.exe
Eating 70-75% of the CPU. Never seen it in my life. I'll Google it now. But I suspect that's the culprit.
UPDATE 2:
VirusTotal scan of the file:
https://www.virustotal.com/en/file/450cb5593d2431d00455cabfecc4d28d42585789d84c25d25cdc5505189b4f9f/analysis/1493461158/
PS If anyone can find clear info on this joy, I'd appreciate it. In Google there are only vague bits and pieces.
All In White
Will do so if it appears again. After resetting the router, for 24 hours nothing appeared and the miner file didn't reboot the computer, even in my absence. Typically the files appear again within the next hour or two. But I'll still have to format, because I'm nearly certain the malware is also responsible for the crashes in Overwatch. Presumably a downloader virus has settled in with me. Again, if the crashes continue after the reformatting, I'll bite it in the ass and keep looking.
But in general, if the router was redirecting the virus download, the reset should have fixed it.
PS Has anyone found the source of the virus/miner? Do you know where it came from? Any bit of information about the source would help me, to at least roughly know where to dig. Repacks are ruled out, because the computer was literally clean after the reformatting.
Yesterday my PC also rebooted with the error, and the WINSec.exe and secscan.exe processes together load the CPU. Avira antivirus caught and removed a miner today, but the process still hangs; scanning with Dr.Web CureIt and the Kaspersky removal tool had no effect, Malwarebytes also found nothing. I'll try Zemana AntiMalware; what else to do and how to remove the enemy I don't know :( And is Avira to blame for missing it? The Internet is via cable directly, I didn't download any new files, apart from the friGate CDN extension from the Chrome extensions, since the old app (without friGate CDN) had stopped working.
--Ran the system through Zemana AntiMalware and Malwarebytes and removed what they found, deleted the Security folder in the Windows folder, as it was the location of the process, and rebooted the computer; for now the miner isn't visible. Scanning once more with the new utility from Dr.Web and the Kaspersky utility, and I'm thinking of switching the antivirus to Avast, since I packed the Security folder into an archive and threw it on VirusTotal: it shows the file winsec.EXE, which was not visible in Explorer, and of all the antivirus engines Avast and a few others identified it as malware.
Well, in fairness I want to note that my miner didn't mine. No CPU load; it rebooted the computer once and I moved on. I have a router, I'm on it over a wire. I haven't noticed any signs of self-healing yet. I sent all my suspicious files to Dr.Web. Updated the system, since I hadn't for a long time. Perhaps some of us have different versions, hence a different set of files. But in any case it should be clear which files have been created over the last couple of days (the browser cache can be removed beforehand).
Evermus
Look for files by creation date - it helps a lot. Note what gets created. Nothing new should be created among the key Windows files. And that's where it often disguises itself. Look at the folders that were changed on May 1st. See what happens in the Temp folder; in my case new .exe files were constantly being created, and this was directly noticeable in real time. In the root of Windows there may be running processes (hidden as system) that should live in system32.
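A script version of the advice above (sort by creation date, watch the Windows root and Temp, and don't rely on Explorer showing hidden/system files). This is an added example written for this thread, not a tool any of the posters used. It walks a directory with os.walk, which lists hidden and system files regardless of Folder Options, keeps files with executable-type extensions created after a cutoff, and reports the Windows hidden/system attribute bits. The extension list, the 48-hour default and the files in the demo are constructed assumptions; on non-Windows systems the attributes are simply reported as not set so the script still runs.

```python
"""Triage helper: list recently created executables under a directory.

Added example for this thread, not a tool the posters used. It does what
Evermus describes: walks a directory, keeps files with executable-type
extensions whose creation time is newer than a cutoff, and reports the
hidden/system attributes the later miner variant used to hide. On Windows the
attributes and creation time come from the file's stat; elsewhere the
attributes are reported as not set so the script still runs. The demo at the
bottom uses constructed files in a temporary directory.
"""
import os
import stat
import sys
import tempfile
import time
from dataclasses import dataclass
from typing import List, Tuple

# Extensions worth a second look when they appear fresh in C:\Windows or Temp (assumed list)
SUSPECT_EXT = {".exe", ".bat", ".cmd", ".dll", ".scr", ".vbs", ".ps1"}

# Windows attribute bits; the stat module carries them, with literal fallbacks just in case
ATTR_HIDDEN = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)
ATTR_SYSTEM = getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0x4)


@dataclass
class Finding:
    path: str
    created: float   # epoch seconds
    hidden: bool
    system: bool


def file_attributes(st: os.stat_result) -> Tuple[bool, bool]:
    """Return (hidden, system) from Windows file attributes; (False, False) elsewhere."""
    attrs = getattr(st, "st_file_attributes", None)
    if attrs is None:
        return False, False
    return bool(attrs & ATTR_HIDDEN), bool(attrs & ATTR_SYSTEM)


def creation_time(st: os.stat_result) -> float:
    """Creation time: st_birthtime where available, otherwise st_ctime (creation time on Windows)."""
    return getattr(st, "st_birthtime", st.st_ctime)


def find_recent_executables(root: str, since: float, exts=SUSPECT_EXT) -> List[Finding]:
    """Walk root and return executables created at or after `since`, newest first.

    os.walk lists hidden and system files regardless of Explorer's Folder Options,
    so this catches files that stay invisible in the GUI.
    """
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in exts:
                continue
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:
                continue  # vanished or access denied; keep going
            created = creation_time(st)
            if created < since:
                continue
            hidden, system = file_attributes(st)
            findings.append(Finding(full, created, hidden, system))
    findings.sort(key=lambda f: f.created, reverse=True)
    return findings


def demo_in_tempdir() -> List[str]:
    """Constructed demo: three files in a temp dir, two of them executables; returns the hits."""
    root = tempfile.mkdtemp(prefix="triage_demo_")
    for name in ("WINSec.exe", "secscan.exe", "notes.txt"):
        with open(os.path.join(root, name), "wb"):
            pass
    found = find_recent_executables(root, since=time.time() - 3600)
    return sorted(os.path.basename(f.path) for f in found)


if __name__ == "__main__":
    # Usage: python triage.py C:\Windows 48   (directory, hours back)
    root = sys.argv[1] if len(sys.argv) > 1 else tempfile.gettempdir()
    hours = float(sys.argv[2]) if len(sys.argv) > 2 else 48.0
    for f in find_recent_executables(root, time.time() - hours * 3600):
        flags = ("H" if f.hidden else "-") + ("S" if f.system else "-")
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(f.created))
        print(f"{stamp} {flags} {f.path}")
```

Run it against C:\Windows and C:\Windows\Temp with a window that covers the last reboot; anything flagged H or S under the Windows root that is not in system32 is exactly the kind of file the thread is describing.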
oscarbin
I searched the files in the Windows folder, sorted by creation, but there are a lot of files, they tell me nothing, I'm a noob with these files, what is needed and what is unnecessary, which ones are from the miner I don't understand, but I removed the miner log files; they are called s4hk.7_Miner_.log, with the number changing where I have a seven, and the beginning of the file looks like this:
[2017-05-02 09:50:59] Using JSON-RPC 2.0
[2017-05-02 09:50:59] Starting Stratum on stratum+tcp://xmr.crypto-pool.fr:443
[2017-05-02 09:50:59] 1 miner threads started, using 'cryptonight' algorithm.
[2017-05-02 09:50:59] Pool set diff to 18000
[2017-05-02 09:50:59] Stratum detected new block
[2017-05-02 09:51:22] Stratum detected new block
[2017-05-02 09:53:22] Stratum connection timed out
[2017-05-02 09:53:22] Stratum connection interrupted
[2017-05-02 09:53:22] Stratum detected new block
[2017-05-02 09:55:14] accepted: 1/1 (100.00%), 65.84 H/s at diff 18000 (yay!!!)
[2017-05-02 09:56:26] accepted: 2/2 (100.00%), 63.44 H/s at diff 18000 (yay!!!)
[2017-05-02 09:58:21] Stratum detected new block
[2017-05-02 09:59:53] Stratum detected new block
and the file ends with the following:
[2017-05-02 10:54:42] Stratum connection timed out
[2017-05-02 10:54:42] Stratum connection interrupted
[2017-05-02 10:54:42] Stratum detected new block
[2017-05-02 10:54:53] Stratum detected new block
[2017-05-02 10:56:03] Stratum detected new block
[2017-05-02 10:56:26] accepted: 13/13 (100.00%), 66.50 H/s at diff 18000 (yay!!!)
there's nothing else in the log; at this point Avira deleted some miner files, I cleaned with Malwarebytes and Zemana, Zemana found some kind of change of the proxy server to 127.0.0.1:8888, which was also removed, I just don't particularly understand it, then rebooted and ran the Dr.Web and Kaspersky utilities, they found nothing, silent until now, neither the process nor the CPU load.
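The log quoted above has the "[timestamp] message" layout of cpuminer-style miners, and the lines a responder actually needs are in it: the pool endpoint (the network indicator to block and hunt for), the algorithm, thread count, accepted shares, hash rate and the window during which the machine mined. The parser below is an added example written for this thread, not code from the posters or from the miner. SAMPLE_LOG is constructed from the lines posted above with most of the "detected new block" lines dropped; the regexes and the summary fields are my assumptions about this log format.

```python
"""Summarise a cpuminer-style Stratum log such as s4hk.7_Miner_.log.

Added example for this thread, not code from the posters or from the miner.
The quoted log has the "[timestamp] message" layout used by cpuminer forks.
A responder wants the pool endpoint (the real indicator), the algorithm,
thread count, share counts, hash rate and the time window in which the
machine mined. SAMPLE_LOG below is constructed from the lines posted in the
thread, with most "detected new block" lines dropped for brevity.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_LOG = """\
[2017-05-02 09:50:59] Using JSON-RPC 2.0
[2017-05-02 09:50:59] Starting Stratum on stratum+tcp://xmr.crypto-pool.fr:443
[2017-05-02 09:50:59] 1 miner threads started, using 'cryptonight' algorithm.
[2017-05-02 09:50:59] Pool set diff to 18000
[2017-05-02 09:50:59] Stratum detected new block
[2017-05-02 09:53:22] Stratum connection timed out
[2017-05-02 09:53:22] Stratum connection interrupted
[2017-05-02 09:55:14] accepted: 1/1 (100.00%), 65.84 H/s at diff 18000 (yay!!!)
[2017-05-02 09:56:26] accepted: 2/2 (100.00%), 63.44 H/s at diff 18000 (yay!!!)
[2017-05-02 10:54:42] Stratum connection timed out
[2017-05-02 10:54:42] Stratum connection interrupted
[2017-05-02 10:56:26] accepted: 13/13 (100.00%), 66.50 H/s at diff 18000 (yay!!!)
"""

LINE_RE = re.compile(r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] (?P<msg>.*)$")
POOL_RE = re.compile(r"Starting Stratum on (?P<url>\S+)")
THREADS_RE = re.compile(r"(?P<n>\d+) miner threads? started, using '(?P<algo>[^']+)'")
ACCEPT_RE = re.compile(
    r"accepted: (?P<ok>\d+)/(?P<total>\d+) .*?(?P<rate>\d+(?:\.\d+)?) H/s at diff (?P<diff>\d+)")


@dataclass
class MinerSummary:
    pool_url: Optional[str] = None
    pool_host: Optional[str] = None
    pool_port: Optional[int] = None
    algorithm: Optional[str] = None
    threads: Optional[int] = None
    difficulty: Optional[int] = None
    accepted: int = 0          # shares accepted by the pool (last reported)
    submitted: int = 0         # shares submitted (last reported)
    hash_rates: List[float] = field(default_factory=list)
    timeouts: int = 0          # pool connection drops
    first_seen: Optional[str] = None
    last_seen: Optional[str] = None

    @property
    def avg_hash_rate(self) -> float:
        return sum(self.hash_rates) / len(self.hash_rates) if self.hash_rates else 0.0


def parse_miner_log(text: str) -> MinerSummary:
    """Extract mining indicators from log text; lines that don't match are ignored."""
    s = MinerSummary()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        s.first_seen = s.first_seen or ts
        s.last_seen = ts
        pool = POOL_RE.search(msg)
        threads = THREADS_RE.search(msg)
        acc = ACCEPT_RE.search(msg)
        if pool:
            s.pool_url = pool.group("url")
            # stratum+tcp://host:port -> host and port (the network indicator to block and hunt)
            hostport = s.pool_url.split("://", 1)[-1]
            host, _, port = hostport.rpartition(":")
            s.pool_host, s.pool_port = host, int(port)
        elif threads:
            s.threads = int(threads.group("n"))
            s.algorithm = threads.group("algo")
        elif acc:
            s.accepted = int(acc.group("ok"))
            s.submitted = int(acc.group("total"))
            s.difficulty = int(acc.group("diff"))
            s.hash_rates.append(float(acc.group("rate")))
        elif "connection timed out" in msg:
            s.timeouts += 1
    return s


def looks_like_miner_log(text: str) -> bool:
    """True when the text shows a Stratum pool connection or submitted shares."""
    s = parse_miner_log(text)
    return s.pool_url is not None or s.submitted > 0


if __name__ == "__main__":
    summary = parse_miner_log(SAMPLE_LOG)
    print(f"pool: {summary.pool_host}:{summary.pool_port}  algo: {summary.algorithm}")
    print(f"shares: {summary.accepted}/{summary.submitted}  avg {summary.avg_hash_rate:.2f} H/s")
    print(f"mined from {summary.first_seen} to {summary.last_seen}, {summary.timeouts} timeouts")
```

The pool host and port are the piece worth keeping: port 443 to a non-web host is how this traffic slips past "only HTTPS allowed" firewall rules, so a DNS or proxy log search for the pool host is a quicker way to find other infected machines than searching disks for the executable.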
Evermus wrote:
what else to do and how to remove the enemy does not know
As written in the thread - first kill the process secscan.exe and delete:
C:\Windows\Prefetch\secscan.exe
Then:
C:\Windows\security\WINSec.exe
WINSec.exe creates the file secscan.exe. After removal things seemed to go back to normal for me. But the source of the problem was never found. I formatted again, and again a downloader virus called qqss77889900.exe appeared on the C: drive.
I'm already climbing the walls because I can't find the source of this shit.
I've got secscan.exe and WINSec.exe back - but this time in the form of hidden system files. So it downloaded a new version where the files are marked as system? Then this confirms my suspicion that the virus is very new and someone is working on it.
Yesterday I also fought with this nonsense. And I also don't understand where I managed to pick it up. I was just sitting in the browser on YouTube and VK, flipping through a harmless forum that I visit almost every day (lingvoforum.net). Suddenly a window pops up with roughly the text "critical error, the computer will restart". I immediately realized it was fishy; Windows or the browser don't normally give such errors. And then NOD32 gave a message about a Trojan: file C:\Windows\start.bat Win32/VB.OEA is a Trojan horse program, cleanup impossible; event occurred in a new file created by the following application: C:\Windows\Temp\s2q8.1_.exe
Before the computer had time to reboot, I immediately deleted the batch file and the executable. Booted into safe mode. Found, via a search for new files with the .exe extension: WINSec.exe, secscan.exe. Deleted them. I found a bit of information about the virus here:
http://remove-spyware-tech.com/post/Remove-Win32TrojanDropper.VB.OEA-Are-You-in-Need-of-a-Win32TrojanDropper.VB.OEA-Removal-_7_232458.html
But no such records were found in the registry; startup is completely empty, I also checked in msconfig-startup. A registry search found one entry with the word secscan.exe (something like Windows Security Scan Services WINSS). It got nuked too.
Now everything works in normal mode, knock on wood. Either fully removed or hidden. But fresh executables don't seem to appear, and no suspicious processes are running either.
About the source: I read the NOD32 logs. The very first entry:
02.05.2017 19:11:56 HTTP Filter file http: play*best01011*com/445*exe Win32/VB.OEA is a Trojan horse program cleanup impossible threat Detected while trying to access the Internet the following application: C:\Windows\Prefetch\secscan.exe.
What this damned site is, I have no idea. I wouldn't deliberately go there. And, if I understand this entry correctly, the executable tried to connect to this address, but going to that address wasn't the root cause. Where this file came from on the computer, and when it happened - that's the question.
dihlofos2009 wrote:
Suddenly a window pops up with roughly the text "critical error, the computer will restart".
Yes! I have the same thing, and after the reboot the miner files appear.
dihlofos2009 wrote:
Either fully removed or hidden. But fresh executables don't seem to appear
They don't appear for me either. But some time after formatting the drive with Windows (within 24 hours) there is again a critical error, the computer reboots, and I see the miner files.
Guys, I'm afraid that, as with me, for all of you the virus will pop up after the format. And it's unclear how. I reflashed the BIOS, reset the router, checked all programs and formatted the USB stick with Windows - all to no avail. This bitch is EXTREMELY tenacious.
dihlofos2009 wrote:
I found a bit of information about the virus here
I'm afraid all this is useless, because the source of the virus hides so well that neither God nor the Devil will find it. I don't care about removing it - I can always reformat. But it survives the format.
The point I want to emphasize: I very much doubt that we all caught the virus at the same time. I'm more inclined to think that it has been with us for a long time, waiting for a certain activation date. I'll try to download another Windows image.
rambling
Stop browsing every site with giveaways, freebies and free repacks. Fools still think those are especially good people doing a good deed from the heart. In our world you have to pay for everything.
GG4
Don't tell me how to live, I'm a 32-year-old programmer. I don't download any repacks at all and take releases only from very reliable sources. The fool here is you, thinking that everyone around you is stupid and you are smart. Nerd, do you really think that all of us got the virus problems at strictly the same time? Sorry to disappoint - most likely it was something with a timer.
dihlofos2009
At your link there is mention that the virus can attach itself to Windows files (then why does it create WINSec.exe/msiexev.exe?). I suspect the Windows image file may have been infected with a timer-activated virus. Especially considering that it appears on a completely clean system, but is in neither the BIOS nor the router.
I still can't understand why it doesn't appear on my laptop. Does it shun dual-core processors?
rambling
I use a lifetime license and have never, for any reason, caught any virus. Strange, perhaps?
GG4
Not catching a virus is very easy when you don't really use the computer for work and only buy things on Steam. I have to use dozens of tools. And if you had read the link that dihlofos2009 posted before the debate, you would have been surprised to discover that in most cases the miner is on software sites hosting licensed programs. Yes, the sites where people like you cover themselves with licenses.
And given that you use a lifetime license, I guess you're from a very poor family. If so, then it's not for you to lecture me.
rambling
Hi, it's been over 24 hours since I ran the scanners and Avira; so far the miner hasn't made itself felt, either gone or hidden. Try it too, it won't make things worse in any case: both scanners (Malwarebytes 3.0 and Zemana AntiMalware) and the antivirus (I had Avira Free) were running at the time of mining, so it may also work to get rid of it.
Evermus
All right. After removing the miner it doesn't come back; I have the same thing. But I cringe at the thought that after a format it will appear again (it has already appeared after four formats). I want to find the source.
You have just as much interest, as there is a high probability that the miner will pop up for you too after a format. If you find the source (and I don't intend to give up), be sure to post about it in this thread.
GG4 wrote:
Install to another hard disk with the same Windows and see what happens.
My other hard drive is busy with important projects. Installed it on the laptop - the virus isn't apparent.
BattleEffect wrote:
Is there uTorrent? That software installs a miner as a bonus.
Doesn't hold. The miner appears after the format, before uTorrent is installed. Plus, my uTorrent version is very old (I think at least a couple of years). And I install it in silent mode, which automatically disables the installation of any bonus software.
Bomber wrote:
A tenacious bitch you've caught
That's an understatement. I think I'll have to format the hard disk with a utility like Webroot, which wipes everything. Cache and so on. Everything.
Having read you all here, my paranoia immediately demanded a general check-up.
Sorry for the offtopic.
rambling
You should still scan with Dr.Web CureIt. Go to AppData - Roaming - uTorrent and remove the traces of torrents. And the Temp and Prefetch folders should be cleaned regularly (I have shortcuts to those folders on the desktop).
And protection against things like this should generally be on the PC, in addition to the antiviruses.