rambling 04.04.20 01:26 am

The DoublePulsar backdoor and the miner (WINSec.exe/msiexev.exe)

First, the important information I found out after a detailed study of the problem. The miner is just a symptom. It gets onto a computer through the DOUBLEPULSAR backdoor. DOUBLEPULSAR appeared online on 12 April 2017, when the network hacking utilities used by the National Security Agency of the United States were leaked. These utilities immediately got into the hands of all and sundry, and by 15 April there were 1,951,075 servers infected with the DOUBLEPULSAR backdoor. The miner discussed in this thread uses this backdoor. But anything at all can appear on the computer through the backdoor, so I am waiting for further developments.
My virus survived formatting the hard disk, removing the hard disk partitions, re-flashing the BIOS and the router, formatting the flash drive with Windows, and trying to install Windows from another image - all to no avail. Still, 2 weeks later, no one has found the source of this backdoor's appearance on the computer. So if you have the miner described in this thread, a backdoor through which this miner is downloaded has more than likely appeared as well.

At the moment there is only one solution: urgently update Windows with the latest updates, and close port 445. Microsoft wrote that the ETERNALBLUE exploit used by this backdoor was removed in a recent update. It knocks on the backdoor via port 445.

And please note: the latest version of the miner downloads its files marked as system files. So to see them, don't forget to enable viewing of system files in Folder Options.

Here is a link to one of the sources I used:
http://www.theregister.co.uk/2017/04/21/windows_hacked_nsa_shadow_brokers/
The Russian version is there, but I gave all the important info above.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Here you can check whether you are infected with the backdoor:
www.binaryedge.io/doublepulsar.html
(thanks to Embrace Futility)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

It is not yet known whether this walks (initially a server thing) across the servers of Internet service providers, or simply roams the network in search of victims.

----------------------------

The situation is this: if I leave the computer for, let's say, 10 minutes, the load (Core i5 3570 @4.2 GHz) goes up to 90% on all cores. But as soon as I open Task Manager or Process Explorer, the load magically drops to zero (the miner notices and stops?).

The computer spontaneously rebooted when I was away for about 30 minutes. There is no overheating, for sure. Even when the load is at 90% (the temperature rises to 65, but that is still very far from actual overheating).

And I just noticed that the open (minimized) Task Manager suddenly shut down on its own.

--------------

The bottom line: yes, I think by all indications it is a very smart-ass miner. But here's the problem - I formatted just yesterday. The problem appeared right after that. And I haven't installed any software, games or updates for a month. And I haven't downloaded anything new. So how it got in is unclear.

Any suggestions on catching this marvel?

UPDATE:
Now found this:

C:\Windows\Security\WINSec.exe

Eating 70-75% of the CPU. Never seen it before in my life. I'll Google it now. But I suspect that's where the "happiness" is.

UPDATE 2:
VirusTotal scan of the file:

https://www.virustotal.com/en/file/450cb5593d2431d00455cabfecc4d28d42585789d84c25d25cdc5505189b4f9f/analysis/1493461158/

PS If anyone can find clear info on this creature, I'd appreciate it. Google only has some vague bits and pieces.
236 Comments
Evermus 04.04.20

I tried to apply the security updates, but the computer started rebooting; through System Restore I rolled everything back. As for Windows 10 with the new update, I'm too lazy to install it)

avi_alex 04.04.20

Hi Comrade!
Sharing my battles on the subject of WinSec.
I also picked up this crap on 01.05, treated it by removing winsec.exe with all possible antiviruses.
A few days passed, everything was OK.
And then a new wave came. Now it restarts out of nowhere, with high CPU load.
Now I found the daddy of this infection, secscan.exe; noticed it downloading and disappearing.
Killed both these files and created empty files with the same names in the same places, with rights restricted to the limit.
The process stopped appearing, and the system has stabilized, but this is only treating the consequence,
shamanism with a tambourine.
As for the cause and how to treat it, let's wait; maybe someone clever will find it and give it to all the victims.
Happy Victory Day over all infection!!!!

avi_alex 04.04.20

OK, now for the first time I've set up a firewall rule to block the winsec.exe program
for both outgoing and incoming traffic.
At its next appearance it was no longer able to transfer anything over the network and switched off.
Also applied the updates, but they didn't help.

avi_alex 04.04.20

And one more thing.
Using regedit, I found the string referencing secscan.exe and added a dot after the "exe",
so that the service does not run, but is considered to be present.

MaxMayen 04.04.20

Downloaded Comodo, the activity immediately disappeared.
Secscan flew into the local quarantine, called the sandbox.
So far the program pleases me.

MaxMayen 04.04.20

There were backdoor files too, although I only had the bitcoin miner.

kvanch 04.04.20

Mayenikus
in more detail, please: where is the backdoor file located, and what is it called?

kvanch 04.04.20

avi_alex
there's no need for all this shamanism with the renaming. I just deleted the Prefetch folder and Windows\Security, cleared Temp and the browser cache, and also searched in regedit for the word secscan and deleted the entire folder where it was. A week has passed - everything is OK. But the question of how to close the hole on 7 and 10 by installing the update is, alas, still open..

rambling 04.04.20

kvanch wrote:
there's no need for all this shamanism with the renaming. I just deleted the Prefetch folder and Windows\Security, cleared Temp and the browser cache, and also searched in regedit for the word secscan and deleted the entire folder where it was. A week has passed - all OK.
Let's see if you say the same after formatting the hard drive. Given that we got it at around the same time, most likely we picked up the same release. If mine survives a format, it is logical to assume yours will too.

After removal it can't be restored. But after a format, yes. Although it is possible to remove it. But will you be pleased to know that a virus sits on your computer?

I *think* it's found. It seems to sit in the Windows disk image. But with this come two "delights".
First - I know the layout of my Windows disk, and I found no viruses.
Second - I made this image a year ago. I used it for a year, formatting often (I need it for work), and all year no virus popped up. So I continue to suspect it's something on a timer.

The paralysis was temporary. I probably shouldn't have retyped it. The mobility of my hands is being restored. Hard and long, but recovering.

MaxMayen 04.04.20

kvanch
it's called backdoor.Spy.422
it was in C:\System32\Config\systemprofile\appdata\local\microsoft\windows\temporary internet files\content.IE5
Well, as I understand it, it was the browser that brought it in after all, it's just unclear how

rambling 04.04.20

Mayenikus wrote:
it's called backdoor.Spy.422
it was in C:\System32\Config\systemprofile\appdata\local\microsoft\windows\temporary internet files\content.IE5
Well, as I understand it, it was the browser that brought it in after all, it's just unclear how
Mine was many times tougher. In this case a service was registered in Windows that downloaded the daddy and the miners. No batch file, nothing in the Run registry key. Only a service. When you run Task Manager, the virus and even its daddy process switch off. Only services.exe remained, which is logical (it's the Windows service manager itself).
So nothing was found in Windows. There was nothing. Apart from the new service.

MaxMayen 04.04.20

Here it was periodic; now it is constant after cleaning

Bombardirovschik 04.04.20

rambling
so do you keep playing games and programming? did the paralysis disappear?

Bombardirovschik 04.04.20

Mayenikus
Playing Divinity OS?

MaxMayen 04.04.20

Bomber
Yes)

ExxErr 04.04.20

dihlofos2009 wrote:
Are there any other ways of detection?
I join the question

rambling 04.04.20

Bomber wrote:
so do you keep playing games and programming? did the paralysis disappear?
It will. "Disappears" isn't the word. With procedures, injections and exercises it retreats. At first I could only poke with one finger, then slowly hold a glass and mastered WASD, and now I can even poke Shift + Alt. But it comes very hard, because the muscles tire almost instantly.

Bomber wrote:
Playing Divinity OS?
Suggesting there's a virus in one of the repacks of this game?

User85 04.04.20

If everything is working normally), what is the best way to test your system to detect this shit?

WOR4UN 04.04.20

rambling
Read the thread like a detective story, until it became so sad and serious. From my heart I wish you a speedy recovery.

rambling 04.04.20

User85 wrote:
what is the best way to test your system to detect this shit?
It very much depends on where you picked it up. Mine was sitting in the Windows image, someone grabbed it through the browser, someone from a repack.

Important: there should be an .EXE in the Windows\Prefetch or Windows\Security folder. Often hidden as system files, so take that into account. They are created either by batch files (usually in the Windows folder), or by a service like a Windows Security Service (sometimes it sits under other names; now it's hard to remember what it was).

It's hard for me now to write out everything I found out in the end, since we found many varieties, both server and user ones. But most of the information from the thread should be enough. If you have this miner and you really can't cut it out, you can write to me privately; I've got my hand in at dealing with it and will most likely be able to cut it out instantly and permanently (unless it is rooted deep in the Windows image you installed, as it was with me).

Why did I write about cutting it out manually? Because with so many methods the miner uses to hide, cutting it out fully automatically probably won't work - even if the software finds and cuts out the miner, it most likely won't touch the batch file or the service.

Oh, and if you have everything working normally, this is clearly not a miner, because mining primarily drives the coolers, i.e. under this load the computer becomes much noisier than usual. Actually that's why I got suspicious, when I realized the fans were spinning for no reason.)

ziborov.s wrote:
From my heart I wish you a speedy recovery.
Thank you so much, very grateful. Very nice to hear from strangers what you often won't hear from friends.

------------------

PS The intrigue in the first post is generally written correctly - but it applies to server equipment.
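As an added example (not code from the thread or any of its posters), a read-only PowerShell triage that checks the indicators described in the first post and in the post above: hidden/system .exe files in Windows\Security and Windows\Prefetch, batch files in the Windows folder, services and processes tied to the named executables, and whether SMB on port 445 is still exposed. The file names come from the thread; matching services on the display name "Windows Security Service" and the SMBv1 check are assumptions.

```powershell
# Added example, not from the thread: read-only triage for the indicators the
# posts describe. File names are the ones the posters quoted; matching services
# on the display name "Windows Security Service" is an assumption.
$names  = @('winsec.exe', 'secscan.exe', 'msiexev.exe')
$regex  = ($names | ForEach-Object { [regex]::Escape($_) }) -join '|'
$report = [System.Collections.Generic.List[object]]::new()

# 1. Hidden/system .exe files in the two folders the posts name. -Force lists
#    files flagged Hidden+System, which Explorer hides by default.
foreach ($dir in @("$env:SystemRoot\Security", "$env:SystemRoot\Prefetch")) {
    Get-ChildItem -Path $dir -Filter *.exe -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $report.Add([pscustomobject]@{
                Check = 'file'; Item = $_.FullName
                Detail = "$($_.Attributes); sha256=$((Get-FileHash $_.FullName).Hash)"
            })
        }
}

# 2. Batch files directly in the Windows folder (one launcher the posts mention).
Get-ChildItem -Path $env:SystemRoot -Filter *.bat -Force -ErrorAction SilentlyContinue |
    ForEach-Object { $report.Add([pscustomobject]@{ Check = 'bat'; Item = $_.FullName; Detail = $_.LastWriteTime }) }

# 3. Services whose binary path names one of the executables, or whose display
#    name resembles the "Windows Security Service" the thread mentions.
Get-CimInstance Win32_Service | Where-Object {
    $_.PathName -match $regex -or $_.DisplayName -like '*Windows Security Service*'
} | ForEach-Object {
    $report.Add([pscustomobject]@{ Check = 'service'; Item = $_.Name; Detail = "$($_.State)/$($_.StartMode) $($_.PathName)" })
}

# 4. Processes currently running under those names. The posts say the miner
#    stops as soon as Task Manager opens, so a scheduled run catches more than
#    an interactive one.
Get-Process | Where-Object { $_.Path -match $regex } |
    ForEach-Object { $report.Add([pscustomobject]@{ Check = 'process'; Item = $_.ProcessName; Detail = "pid=$($_.Id) $($_.Path)" }) }

# 5. Exposure: is SMB listening on 445, and is SMBv1 (the ETERNALBLUE target)
#    still enabled? The first post's advice is to patch and close 445.
$listen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
$smb1   = (Get-SmbServerConfiguration -ErrorAction SilentlyContinue).EnableSMB1Protocol
$report.Add([pscustomobject]@{ Check = 'smb'; Item = 'port 445'; Detail = "listening=$([bool]$listen) smb1=$smb1" })

$report | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so the hidden system files and service paths are readable; an empty report is not proof of a clean machine, only that none of these specific indicators were present at that moment.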