The virus (backdoor) DoublePulsar and miner (WINSec.exe/msiexev.exe)
The first important piece of information I found after a detailed study of the problem: the miner is just a symptom. It gets into the computer through the DOUBLEPULSAR backdoor. DOUBLEPULSAR appeared online on 12 April 2017, when the network hacking utilities used by the National Security Agency of the United States were leaked. These utilities immediately fell into the hands of all and sundry, and by 15 April there were 1,951,075 servers infected with the DOUBLEPULSAR backdoor. The miner discussed in this thread uses this backdoor. But anything can get onto the computer through the backdoor, so I am waiting for further developments. My virus survived formatting the hard disk, removing the hard disk partitions, re-flashing the BIOS and the router, formatting the flash drive with Windows, and trying to install Windows from another image: all to no avail. Still, 2 weeks later, no one has found the source of this backdoor's appearance on the computer. So if you have the miner described in this thread, a backdoor through which this miner is downloaded has more than likely appeared on your machine.
At the moment there is only one solution: urgently update Windows with the latest updates, and close port 445. Microsoft wrote that the ETERNALBLUE exploit used by this backdoor was fixed in a recent update. The backdoor knocks in via port 445.
And please note: the latest version of the miner downloads files marked as system files. So to see them, don't forget to enable viewing of system files in Folder Options.
Here is a link to one of the sources I used:
http://www.theregister.co.uk/2017/04/21/windows_hacked_nsa_shadow_brokers/
There is a Russian version there, but I gave all the important info above.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Here you can check whether you are infected with the backdoor:
www.binaryedge.io/doublepulsar.html
(thanks to Embrace Futility)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
It is not yet known whether this is spreading through (initially server) systems at Internet service providers, or is simply roaming the network in search of victims.
----------------------------
The situation is this: if I leave the computer for, let's say, 10 minutes, the load (Core i5 3570 @4.2 GHz) goes up to 90% on all cores. But as soon as I open Task Manager or Process Explorer, the load magically drops to zero (the miner notices and stops?).
The computer spontaneously rebooted when I was away for about 30 minutes. There is no overheating, for sure. Even when the load is at 90% the temperature rises to 65, but that is very far from actual overheating.
And I just noticed that the open (minimized) Task Manager suddenly shut down by itself.
--------------
The bottom line: yes, I think by all indications it is a very smart-ass miner. But here's the problem: I formatted just yesterday. The problem was there before that and after. And I have installed no software, no games and no updates for a month. And nothing new was downloaded. So how it could have got in is unclear.
Any suggestions on catching this miracle?
UPDATE:
Now found this:
C:\Windows\Security\WINSec.exe
Eating 70-75% of the CPU. Never seen it in my life. I will Google it now. But I suspect that's where the happiness is.
UPDATE 2:
VirusTotal scan of the file:
https://www.virustotal.com/en/file/450cb5593d2431d00455cabfecc4d28d42585789d84c25d25cdc5505189b4f9f/analysis/1493461158/
PS If anyone can find clear info on this thing, I'd appreciate it. In Google there are only some vague bits and pieces.
falsepilot
Not the same. It only masquerades as Windows services and files; it has nothing to do with them.
The Reddit post I cited above, I recommend reading to any sufferer. You will find little new information in it, but it is generally interesting and informative.
dihlofos2009
dihlofos2009 wrote:
Thanks for the link. It told me that doublepulsar was not found. I wonder whether this website shows the correct result if port 445 is closed?
Most likely yes. They carried out the scans at the end of April. I put the date of the intrusion at April 27; then my port was still open, and later I closed it.
Thanks rambling for starting the topic and describing everything in detail.
Since 19.04.2017 I have had this stuff, and for 3 weeks I have been fighting on all fronts. Regarding the files considered infected, one of them which the antivirus didn't catch will now be detected and treated: "The file you sent will be added to the ESET signature database as the Win64/BitCoinMiner.U application."
Thanks for the help in dealing with viruses!
Also these: Win64/BitCoinMiner.U (this new campaign) is not found in Microsoft's messages, but there is info on A and D.
Just yesterday this reptile struck again from who knows where. The server went down; I rebooted in safe mode, ran along the known paths, and there this thing sits. Removed it, everything is OK, waiting again.
Today another trouble; sorry, the file name didn't get copied, but I will do it tomorrow. The virus was modified and simply killed almost all services on the server: DNS, domain, RDP, etc. all fail and nothing works. Rolled back to April 20, restored the database. Checked and rechecked all the directories, etc. Silence; waiting for what happens now.
The website showed the server lit up on 27.04.2017. So I am thinking of opening 445 to check whether it lights up or not.
On one of the machines I turned off the Windows Modules Installer service (TrustedInstaller). I think it may be working with the help of this service.
Found out how much licensed software will cost: around 400 thousand rubles, and that is far from the final price :(
3 days ago, something started loading the system (CPU 100%). Open Task Manager, look at the processes: all is good and even the CPU dropped to a normal level. I started to blame the HDD (thought a bad sector had crept in and the system was lagging). Although when you open the Manager, it goes away. So Windows started to die (two years old). I thought I had to reinstall. But I decided first to check the system with Malwarebytes. It found this crap: http://prnt.sc/f6brup. I saw the process secscan.exe and realized that we had found each other. This is the miner (I just remembered the story with the first Watch Dogs and Mechanics) and that's bad.
Having googled the situation I found this thread (thank you once again playground.ru for the help). I read it and was a little scared. But something needs to be done. The first thing is to delete these keys (in the screenshot). The second is to rummage through the folders on the C drive.
On C I found nothing. The keys were removed. Just in case, I launched HitmanPro and scanned the system. Found nothing (except a couple of cracks for games, already a couple of months old). Opened the Manager and saw HIM, http://prnt.sc/f6bwkj (WINSec.exe). Earlier it wasn't there. Probably removing the keys from the registry helped. Yes, and the CPU usage continued at 100%. I killed the process, re-scanned the system and cleaned the C drive. Nothing suspicious there. Rebooted. There is no problem.
All is well (though still not certain), and I hope there will be no more problems.
fbrua
You did the main thing: nailed the reg key WINSS, which is the service responsible for running the miner. In Services it appears as Windows Security Service. If the miner pops up again, the first thing you should do is disable the service and reboot. That should cure it immediately.
According to the link above my computer is infected, but I have not found any processes or other things like the other users on my system. What to do?!)
ExxErr wrote:
What to do?!)
Install the latest Windows updates. It helped me, although I am still infected. It will remain in the background, but nothing more crawls in through it.
Reminder: users of pirated Windows with poor activators (which don't allow updating) are in deep shit.
rambling posted: Reminder: users of pirated Windows with poor activators (which don't allow updating) are in deep shit.
Seriously? I am a user of pirated Windows 7. First, I did get the miner described in the thread. Second, by the link, the pulsar was not detected. The Pope was not located. The system is already four years old.
Yesterday, thanks to the advice, I removed the exe.
How did I even find out what kind of creature was sitting in the system? When I started Task Manager (to see CPU usage), it quickly disappeared, so I couldn't see it properly. It helped to hit PrintScreen and then load the screenshot into Photoshop. And I learned the name of the bastard!
And then to Google, from Google to here, and thanks again for the tips! I don't want to wipe the system because there is a lot of work on it, not to be reinstalled :)
A day has passed; Task Manager no longer closes by itself.
Actually, it all began in April (I don't remember the exact date): I left the computer a couple of times, and a couple of times it rebooted by itself, sometimes with a blue screen of death. Then I blamed Evernote. I decided to upgrade it. Updated it; surprisingly, the reboots went away. :-\
But the CPU was constantly loaded. I worked in Photoshop and listened to music in the browser (online radio), and while working in Photoshop I felt the screen with layers lagging and the music freezing for a couple of seconds. I got tired of it and found the vile thing through the print screen. The system is no longer overloaded.
Cleaned up the registry and the other folders described in the topic; well, there was shit there!!!
I hope the system will last some time yet. I regularly make important backups on several hard drives and flash drives, and burn them to DVD-R.
Thanks again for raising the topic and describing what to do with this infection!
ExxErr wrote:
According to the link above my computer is infected, but I have not found any processes or other things like the other users on my system. What to do?!)
rambling wrote:
Install the latest Windows updates. It helped me, although I am still infected. It will remain in the background, but nothing more crawls in through it.
Actually, I've read that the backdoor is killed by a simple reboot. The problem is that while it was open, anything could have been stuffed onto the computer. In my case the system was not beyond repair; most likely a virus was installed that infected system files and periodically pulled in new viruses. I failed to cure it, so I reinstalled Windows, and that kind of helped.
What to do? Yes, install the update so it doesn't get in again, and close RDP and port 445 on the computer just in case.
Three days ago this miner appeared; I spent 2 hours, as described, finding the exe... now, after 3 days, it appeared again, loading the computer so badly that even Task Manager was hard to access..... it encrypted all the files of my ward (including the diploma, which is to be defended in a month). I barely managed to kill the process just to use the computer; a lot of new files appeared, and a decryptor that demands money to decrypt the files... But I had wanted to upload everything to the cloud right after the removal))))
Now these exes are gone (but the second time the service was started and there were already other executables); I think I nailed the service, we shall see....... I wonder how it got in again.... A left-field application had been installed for mining, with .NET Framework.... That may have been the reason...... But with the files, of course, it didn't really work out....
Avalanche161
Besides deleting the executables, it is necessary to close the ports (port triggering in place) and at least clean the registry.
By the way, CureIt catches this junk, my friends; the same thing happened to me. Didn't even do anything, just cleaned with CureIt, a week has passed.
Avalanche161 wrote:
I think I nailed the service, we shall see
Mayenikus wrote:
it is necessary to close the ports (port triggering in place) and at least clean the registry
The service is what you need to clean in the registry. The leftover service is easy to find in the registry, because it is what starts your exe. Accordingly, find the service in the registry named after your virus's EXE.
Overall, just disabling this service is enough. But it's better to also close the ports, as Mayenikus advised.
http://avfor.ru/obsuzhdenie-antivirusov-i-faiervolov/5426-firewall-zakrytie-portov-135-i-445-vruchnuyu.html if you don't want to install anything extra, this is possible
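The checks the thread keeps coming back to (a leftover service that starts the miner exe, and port 445 still open) as one added triage script. This is an added example, not code from the thread; it assumes an elevated PowerShell on Windows 8 / Server 2012 or newer, and the `-Fix` switch, the rule name and the indicator lists are my own, built from the names posted above (WINSec.exe, msiexev.exe, secscan.exe, service WINSS / "Windows Security Service").

```powershell
# Added triage script (not from the thread). Run in an elevated PowerShell.
# Assumes Windows 8 / Server 2012 or newer (Get-NetTCPConnection, New-NetFirewallRule).
param([switch]$Fix)   # without -Fix the script only reports

# Indicators named in the thread: miner binaries and the service that starts them.
$badFiles   = @('WINSec.exe', 'msiexev.exe', 'secscan.exe')
$badService = @('WINSS', 'Windows Security Service')

# 1. Services whose binary path or name matches the indicators (the same data as the
#    keys under HKLM\SYSTEM\CurrentControlSet\Services that the thread says to delete).
$suspect = Get-CimInstance Win32_Service | Where-Object {
    $svc = $_
    ($badFiles   | Where-Object { $svc.PathName -like "*$_*" }) -or
    ($badService | Where-Object { $svc.Name -eq $_ -or $svc.DisplayName -eq $_ })
}
foreach ($s in $suspect) {
    Write-Warning ("Suspicious service {0} ('{1}') state={2} path={3}" -f `
        $s.Name, $s.DisplayName, $s.State, $s.PathName)
    if ($Fix) {
        # The thread's advice: disable the service, reboot, then remove the executable.
        Stop-Service -Name $s.Name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $s.Name -StartupType Disabled
    }
}
if (-not $suspect) { Write-Host 'No service matches the thread indicators.' }

# 2. Is SMB still reachable? Anything listening on TCP 445 is exposed to MS17-010 if unpatched.
$smb = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
if ($smb) {
    Write-Warning 'TCP 445 is listening.'
    $ruleName = 'Block inbound SMB 445'   # hypothetical rule name chosen for this example
    if ($Fix -and -not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Action Block | Out-Null
    }
}

# 3. Look in the drop folder from the first post even when files are marked hidden+system.
Get-ChildItem "$env:SystemRoot\Security" -Force -ErrorAction SilentlyContinue |
    Where-Object { $badFiles -contains $_.Name } |
    ForEach-Object { Write-Warning "Indicator file present: $($_.FullName)" }
```

Run it once without `-Fix` to see what it would touch; a disabled service still needs the reboot the thread describes before the process is actually gone.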
Oh, here is the continuation of the banquet:
http://varlamov.ru/2370148.html?utm_source=&utm_medium=&utm_campaign=smi-zayavili-o-krupnoy-virusnoy-atake-vnu
Did everyone have to update and close port 445?
https://hi-news.ru/technology/kompyutery-mnogix-stran-podverglis-atakam-virusa-vymogatelya.html
The Interior Ministry and company also respect pirated software)
Today at 21:19
The specialists of Kaspersky Lab found that the actively spreading WannaCry Trojan uses a well-known Windows network vulnerability, closed by Microsoft engineers in March. This is stated in a statement submitted to the editorial board of Mediazona.
"The analysis showed that the attack occurred through the well-known network vulnerability Microsoft Security Bulletin MS17-010. Then something was installed on the infected computer, using which the attackers ran an encryptor program," the document says.
"At the moment, Kaspersky Lab has recorded about 45,000 attacks in 74 countries around the world. The greatest number of infection attempts is observed in Russia," the company noted.
Today at 21:27
The hackers who attacked medical institutions in Great Britain and the Spanish telecommunications company Telefónica on Friday used modified malware from the US National Security Agency (NSA), the Financial Times writes, citing cybersecurity analysts.
According to experts, the US intelligence tool known as Eternal Blue ("rich blue") was combined with the WannaCry ransomware.
The program developed by the NSA allows the virus to spread via file-sharing protocols installed on computers in many organizations.
Several officials in the security agencies of Western countries agree with that assessment, the newspaper said.
Our old friend the backdoor, in short)
It also got out today))) as if at the same time) I didn't even bother to change the picture:)))
That's why I have all the important information backed up on an external hard drive. And even what is on the computer (a copy) is kept on a separate hard drive. Disconnected, and let it wash over.
But the fact that our people from the Interior Ministry allowed this amazes me.
Embrace the Futility wrote:
Oh, here is the continuation of the banquet:
Heh, they finally got itchy when the message came out on the screen. Advanced journalists, straight up. In general, nothing new. The main thing, as we understand, is the hole. And there will be many more months of joy through it. The miner is just the beginning.
Evermus wrote:
The analysis showed that the attack occurred through the well-known network vulnerability Microsoft Security Bulletin MS17-010
And our DoublePulsar is gaining popularity. :)
Evermus wrote:
According to experts, the US intelligence tool known as Eternal Blue
How much crazy nonsense the journalist crammed into one sentence... I'd be hyped, but I still find it hard to type. DV and what, indeed, is the difference.
Embrace The Futility
Added a note about closing port 445 to the first post. Thank you for writing back.
I'm still sitting with open ports, testing the patch. After the update I still have DoublePulsar, but nothing gets through it.
rambling wrote:
After the update I still have DoublePulsar, but nothing gets through it.
It dies from a reboot, because it lives solely in memory. If something is left, then that's something else that got into the system while the backdoor was open.