Avast WEBforum
Other => Viruses and worms => Topic started by: TheOwner on April 16, 2018, 05:26:01 PM
-
Hello,
Avast blocks one site and marks it as JS:Miner-S. Although I know there is a coinhive miner on that site, I use uBlock Origin to block it. So why does Avast detect it? Is it some new version that uBlock does not block?
Before that it was Miner C, now it is S; what is the difference?
Thank you.
-
Hi,
Yes, detection JS:Miner-S blocks new coinhive scripts.
Lukas
-
Avast blocks one site and marks it as JS:Miner-S. Although I know there is a coinhive miner on that site, I use uBlock Origin to block it. So why does Avast detect it? Is it some new version that uBlock does not block?
Maybe, or the Avast Web Shield reads the HTML code before uBlock.
Before that it was Miner C, now it is S; what is the difference?
Just like cars, there are many variations and they don't all come from the same factory ;)
https://www.fortinet.com/blog/threat-research/the-growing-trend-of-coin-miner-javascript-infection.html
-
So I found that Avast detects the miner when I visit that site and tells me a miner was found. The strange thing is that when I look at what file was blocked, it does not block a single JavaScript file; it blocks the URL of that page, not a file.
Also, the coinhive script is blocked by uBlock Origin; if I disable it, Avast detects Miner C.
So I don't understand what version S means. It does not block any single file. It seems Avast is trying to block known mining sites, but that site works even though Avast tried to block it.
https://urlquery.net/report/1fef71de-7294-4882-b5d0-5af3dda68faa
-
They may also add a URL block... double protection.
What URL is it? Post it non-clickable.
-
Sucuri >> https://sitecheck.sucuri.net/results/primeassteens.com
Malware entry: malware.cryptominer.3 >> http://labs.sucuri.net/db/malware/malware.cryptominer.3
HTML_sample scan >> https://www.virustotal.com/#/file/7da3ba6dd20d61ccb18bfb9785b5280890db417770401efd596fa0103b556d1a/detection
-
Sample.txt? I still don't understand what triggers this popup.
-
Sample.txt? I still don't understand what triggers this popup.
The website is infected with a miner script... what is strange?
Post a screenshot of the popup.
-
I know that! coinhive.com/lib/coinhive.min.js is Miner C. But where did you find the S version? In which file?
-
I know that! coinhive.com/lib/coinhive.min.js is Miner C. But where did you find the S version? In which file?
primeassteens.com >> HTML code
-
OK, I removed coinhive.com/lib/coinhive.min.js from that HTML code, tried VirusTotal again and now it is clean. So it is just two detections of that same file.
-
The .js file at that location changes; you can find many previous versions (different MD5) by searching VT.
-
Yes, it is possible, but if I go to that site without uBlock, Avast reports 2 detections: one C version that marks the .js file and an S version that marks the HTML code. But when I block that .js file with uBlock, Avast still reports the S version to me even though the miner cannot work without that .js.
I found that the S version is triggered by this script:
(script)
var miner = new C o i n H i v e. A n o n y m o u s('XXXXXXXXXXXXXXXXXXXXXXXXX', {
// threads: X,
throttle: X,
});
miner.start();
(/script)
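
An added example (not part of the original posts, and not Avast's or uBlock's detection logic): a static check of a saved page that reports the external coinhive library reference and the inline `CoinHive.Anonymous` start-up code as separate findings, showing why the page HTML can still match after the .js reference is gone. The patterns, finding names and sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Illustrative patterns (assumptions for this example, not Avast signatures).
LIB_SRC = re.compile(r"coinhive\.com/lib/\S*\.js", re.I)
INLINE_INIT = re.compile(r"new\s+CoinHive\s*\.\s*Anonymous\s*\(", re.I)

class MinerScan(HTMLParser):
    """Collects miner indicators from <script> tags only."""
    def __init__(self):
        super().__init__()
        self.buf = None          # text of the <script> being read, else None
        self.findings = set()

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.buf = []
            if LIB_SRC.search(dict(attrs).get("src") or ""):
                self.findings.add("external-library")

    def handle_data(self, data):
        if self.buf is not None:
            self.buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self.buf is not None:
            if INLINE_INIT.search("".join(self.buf)):
                self.findings.add("inline-init")
            self.buf = None

def scan(html):
    """Return the sorted list of indicator names found in the page."""
    parser = MinerScan()
    parser.feed(html)
    parser.close()
    return sorted(parser.findings)

# Constructed sample page; the site key is a placeholder.
PAGE = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.5});
miner.start();
</script>
</head><body>hello</body></html>"""

# The same page with only the external library reference taken out.
STRIPPED = re.sub(r"<script src=[^>]*></script>\n", "", PAGE)

if __name__ == "__main__":
    print(scan(PAGE), scan(STRIPPED))
```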
-
Today I no longer see the JS:Miner-S detection on that site although that code is still present. I saved the HTML code to a .txt file and sent it to VirusTotal, and also right-clicked that file -> scan by Avast. Both detect JS:Miner-S but the Web Shield does not. When I copied that code here, Avast detected it too. Does that mean this code is whitelisted on that site?
-
Hello.
Script is contaminated by all links from primeassteens, not only homepage.
https://www.virustotal.com/#/file/b1a6d6d809bb0ed2c98c286cbc8b36fa0366b2a051cbb384e179685415dbea51/detection
Avast detected JS:Miner-S blocked is all, if this is not for, the address will connect to the server coinhive as authedmine unnoticed by the user and download i.e. 2 variants.
worker-asmjs.min.js
https://www.virustotal.com/#/file/ee374ae08f22d91a92cfcf6b9d8b4cccfd0d57016e9d8fd3af9fbdbd36781b38/detection
coinhive.min[1].js
https://www.virustotal.com/#/file/5d514880ad502302dd4bf0ef8da5d38356385d1c43689f6739f6771ed7a4ef73/detection
JS Miner-C contained the known code Cryptojacking that used, it was modified with a new variant in the site of the coinhive, it is detected as BV:Miner-T [Trj] algorithm new CryptoNight.
-
Hello all!
I have this virus for a month or two and it connects on a site when I start firefox. Avast blocks this attempt but he doesn't show where the virus is located, or perhaps it is in firefox. Can somebody help me locate it?
https://ibb.co/gau3Ud
-
Miner script is found on this website scanning tool: http://urlquery.net/report/22b5edd4-362f-4845-b05d-af6c5286fd78
Please follow instructions here: https://forum.avast.com/index.php?topic=194892.0
Sass Drake will be notified once you post the logs.
-
I removed 51 threats but JS:Miner-S [Trj] is still there.
-
Logs from the Farbar Recovery Scan Tool.
-
Good job.
Sass Drake has been notified.
-
Hello all!
I have this virus for a month or two and it connects on a site when I start firefox. Avast blocks this attempt but he doesn't show where the virus is located, or perhaps it is in firefox. Can somebody help me locate it?
https://ibb.co/gau3Ud
Yes "he" does
The JS:Miner-S [Trj] is detected on the website (-http://siska.tv/ = a porn site) and not in your computer; however, you have something trying to connect to that URL. Have you tried clearing your browser's surf history/cache?
URL Blacklist check
https://www.virustotal.com/#/url/a160501d6ea44e2d7ebba72ccc184c5507f90a3916823132f11e59e3574cf9ec/detection
HTML scan
https://www.virustotal.com/#/file/599d2d25b1dceac8e4a8a385001b59cea6d9d92896f08be04fbb61e1cba21cd0/detection
https://sitecheck.sucuri.net/results/siska.tv
-
Open this URL in Firefox.
about:serviceworkers
And remove/unregister everything it lists.
Report status after that.
-
Hello all!
I have this virus for a month or two and it connects on a site when I start firefox. Avast blocks this attempt but he doesn't show where the virus is located, or perhaps it is in firefox. Can somebody help me locate it?
https://ibb.co/gau3Ud
Yes "he" does
The JS:Miner-S [Trj] is detected on the website (-http://siska.tv/ = a porn site) and not in your computer; however, you have something trying to connect to that URL. Have you tried clearing your browser's surf history/cache?
URL Blacklist check
https://www.virustotal.com/#/url/a160501d6ea44e2d7ebba72ccc184c5507f90a3916823132f11e59e3574cf9ec/detection
HTML scan
https://www.virustotal.com/#/file/599d2d25b1dceac8e4a8a385001b59cea6d9d92896f08be04fbb61e1cba21cd0/detection
https://sitecheck.sucuri.net/results/siska.tv
Sure, I have done all cleanings and a new installation of firefox but nothing changed.
-
Open this URL in Firefox.
about:serviceworkers
And remove/unregister everything it lists.
Report status after that.
I did, still there.
-
Try to refresh Firefox. Go to:
about:support
and click on Refresh Firefox on the right.
-
Try to refresh Firefox. Go to:
about:support
and click on Refresh Firefox on the right.
I found on the right side the option for cleaning up firefox, I used it and no change, the miner is still present.
Also Malwarebytes alarms me about additional connections to diverse sites from malware that it can not find.
-
Let's check if the router is the one to blame. Set Google DNS on your PC. Instructions -> https://www.windowscentral.com/how-change-your-pcs-dns-settings-windows-10
Restart your PC after this and check if notifications will appear again.
-
Let's check if the router is the one to blame. Set Google DNS on your PC. Instructions -> https://www.windowscentral.com/how-change-your-pcs-dns-settings-windows-10
Restart your PC after this and check if notifications will appear again.
The problem continues. :-\
-
Please post new FRST.txt and Addition.txt.
-
Please post new FRST.txt and Addition.txt.
Suddenly Avast stopped alarming about the threat.
-
Rename FRST64 to uninstall and run it. FRST should be uninstalled.
-
...