Avast WEBforum

Other => Viruses and worms => Topic started by: tomas.denver on December 05, 2018, 09:50:46 PM

Title: Miner Trojan detected..... CPU Max out, nothing is helping.
Post by: tomas.denver on December 05, 2018, 09:50:46 PM
Hi,

I am having trouble with my PC. About two months ago, my CPU started to max out while I was browsing the internet (same problem in Chrome, Explorer, Opera). Avast scan before Windows boot detected miner BV:Miner-T (TRJ), JS:CryptoNightMiner-A (TRJ), JS:Miner-AI (PUP). Avast tried to remove it, but without success. Issues continued, so I installed Kaspersky; the program gave me a warning every time I tried to load/connect to an HTTP web page, but at least stopped the attack (my CPU would not get to 100% while browsing). Scanning and removing did not help either. HTTPS webpages are fine. I am currently using Malwarebytes, which is giving me a warning and stopping the alert, and I am able to use Avast with it, but Malwarebytes also failed to remove those problems completely.

I attached the logs from the manual and also the Malwarebytes pop-up warning while connecting to HTTP.

I hope, that you will be able to help me guys.

Much appreciated
Title: Re: Miner Trojan detected..... CPU Max out, nothing is helping.
Post by: Sass Drake on December 05, 2018, 10:32:25 PM
Open Extension Manager in Chrome and remove:

Platby Internetového obchodu Chrome


Report status after that.
Title: Re: Miner Trojan detected..... CPU Max out, nothing is helping.
Post by: tomas.denver on December 05, 2018, 11:37:03 PM
Open Extension Manager in Chrome and remove:

Platby Internetového obchodu Chrome


Report status after that.

Sorry for being stupid, but I have no idea how I should open the extension manager and remove that. Three dots -> More tools -> Extensions, and then?

Thanks for the reply
Title: Re: Miner Trojan detected..... CPU Max out, nothing is helping.
Post by: DavidR on December 06, 2018, 12:15:06 AM
I don't use Chrome, but the three vertical dots are now pretty commonly used as the icon to access the Menu/Settings for a program, including Chrome.

I have found an image online that shows what I believe to be the three dots Sass Drake is talking about. Clicking them should start to give you the other menu options.

Whilst this image might be old and show different options, it should at least get you into the three-dots options.
Title: Re: Miner Trojan detected..... CPU Max out, nothing is helping.
Post by: tomas.denver on December 06, 2018, 12:25:18 AM
Open Extension Manager in Chrome and remove:

Platby Internetového obchodu Chrome


Report status after that.

Sorry for being stupid, but I have no idea how I should open the extension manager and remove that. Three dots -> More tools -> Extensions, and then?

Thanks for the reply



I wrote the reply with the three dots :D, not Sass Drake.
I don't know what to do in the extension menu/manager, if that's the right extension manager that Drake mentioned.
I currently do not have any extensions.
Title: Re: Miner Trojan detected..... CPU Max out, nothing is helping.
Post by: DavidR on December 06, 2018, 12:45:54 AM
<snip quotes>
I wrote the reply with the three dots :D, not Sass Drake.
I don't know what to do in the extension menu/manager, if that's the right extension manager that Drake mentioned.
I currently do not have any extensions.

I'm aware of that; my post, being directly below yours, was directed to you (on the information Sass Drake gave you).

Sorry if there was any confusion, I thought you couldn't find the three dots information.

EDIT: Sass Drake saw the extension (Platby Internetového obchodu Chrome) in your FRST.txt log that you attached. Since you can't find it, we will have to wait for Sass Drake to get back to the topic.
Title: Re: Miner Trojan detected..... CPU Max out, nothing is helping.
Post by: Sass Drake on December 06, 2018, 08:50:55 PM

I wrote the reply with the three dots :D, not Sass Drake.
I don't know what to do in the extension menu/manager, if that's the right extension manager that Drake mentioned.
I currently do not have any extensions.

https://support.google.com/chrome_webstore/answer/2664769?hl=en&ref_topic=6238977

Click on the three dots sign -> More tools -> Extensions. Make a screenshot of the opened page and attach it to your message.
Title: Re: Miner Trojan detected..... CPU Max out, nothing is helping.
Post by: tomas.denver on December 07, 2018, 08:06:53 PM
Here is the print screen of my extensions.
Title: Re: Miner Trojan detected..... CPU Max out, nothing is helping.
Post by: tomas.denver on December 07, 2018, 08:13:11 PM
Maybe this could help as well. I attached the log from Kaspersky; the first time I did the scan, it found this.
Title: Re: Miner Trojan detected..... CPU Max out, nothing is helping.
Post by: Sass Drake on December 09, 2018, 01:24:09 PM
Do you have a Mikrotik router?
Title: Re: Miner Trojan detected..... CPU Max out, nothing is helping.
Post by: tomas.denver on December 09, 2018, 06:36:21 PM
No, I do not.
Title: Re: Miner Trojan detected..... CPU Max out, nothing is helping.
Post by: Sass Drake on December 09, 2018, 11:48:15 PM
Try to factory reset your router, because the problem is not your PC as far as I can tell from the logs.
Title: Re: Miner Trojan detected..... CPU Max out, nothing is helping.
Post by: tomas.denver on December 11, 2018, 12:11:56 AM
Hi again,

I restarted the router, set up the new password and login etc.
I also did the scans again; the logs are attached together with the pop-up alert, which is still showing up in every browser. The file where the threat is detected depends on the browser I am currently using.

Any suggestions, which could help?
Can you please look at the logs again?
If you do not find anything, what would you suggest?
Windows reinstall? Should I try local IT shop for "virus, malware cleaning"?
Anything else?

Thanks for the reply
Title: Re: Miner Trojan detected..... CPU Max out, nothing is helping.
Post by: Jiří Šembera on December 11, 2018, 10:55:39 AM
Hi Tomas,

it really looks like the problem is not on your computer but somewhere on the network. As mentioned above, the symptoms really resemble an infected Mikrotik router. What ISP (Internet Service Provider) do you have? Maybe their router got infected. You can tell this is the case by looking at the Network tab in Developer Settings in Chrome (shortcut F12). If there is a request with 403 in the "Status" column and (after selecting the request) you see "Mikrotik HttpProxy" (see attached images), then there is an infected Mikrotik router between you and the websites you're visiting.

You can also try to change your DNS server IPs to 8.8.8.8/8.8.4.4 (Google) to see whether there is a problem with your DNS settings (either on PC or on your router). Guide here: https://www.lifewire.com/how-to-change-dns-servers-in-windows-2626242

I would also recommend installing at least some adblocker (uBlock Origin works great for me); they are quite successful in blocking miners. I am also using the ScriptSafe plugin, which prevents websites from running JavaScript unless I explicitly let them, so unless a trusted website gets hacked, there is no cryptomining on my computer. However, this approach is a bit painful because you need to build your list of trusted websites first.

Jiri

EDIT: It turned out we did not have good coverage of the omine.org miner mentioned in your screenshots, so I've added a couple of new detections that should at least prevent the miner from loading.
Title: Re: Miner Trojan detected..... CPU Max out, nothing is helping.
Post by: tomas.denver on December 11, 2018, 03:31:42 PM
Hello,
judging by the name, I assume it is no longer necessary to keep chatting in English.

From the attachments you can see that you were right about the Mikrotik; it is a "local" provider, I will try to ask them about it.
What is interesting, though, is that today I tried connecting to another wifi network (a different provider) and the pop-up alert appeared just the same.
I will also try setting different DNS; I do not know whether it is still necessary at this point, but I will anyway.
Right now I am dealing with a single problem: the only two programs that have so far managed to detect all the threats without trouble are Malwarebytes and Kaspersky, and both are paid. I have tried plugins such as adblockers etc.; unfortunately, they were successful only about 50% of the time. Is there no other solution, if a complete cleaning of the computer is not the solution, e.g. blocking the given IP address/domain (see second attachment) directly in the wifi router or in Avast?

Thanks for the reply.
Title: Re: Miner Trojan detected..... CPU Max out, nothing is helping.
Post by: Jiří Šembera on December 11, 2018, 05:10:43 PM
It is possible that after connecting to the other wifi, Chrome pulled the page from its cache, which is why the miner loaded. The malware works so that the compromised router occasionally bundles cryptocurrency-mining code with a legitimate page. My colleagues covered the issue in more detail in a blog post: https://blog.avast.com/mikrotik-routers-targeted-by-cryptomining-campaign-avast In short - your ISP should update the firmware on its routers as soon as possible.

Changing the DNS server settings unfortunately will not work in this case, because the router attacks the HTTP connection itself. A temporary solution may be to use a VPN.

As for protection, no protection is perfect, which is why it is good to have security on multiple levels (by that I definitely do not mean running multiple antivirus solutions at once, because they tend to fight each other and in the extreme case it can even lead to system instability). Perfect protection cannot exist, if only because attackers are able to install antivirus solutions themselves and keep modifying their malware for as long as it is detected.

Avast started blocking the URL with the miner roughly five minutes after I read your report and created the detection. Alternatively, you can redirect the given domain to your own computer by adding the line "127.0.0.1       xmr.omine.org" to the end of the file C:\Windows\system32\drivers\etc\hosts.
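The two checks Jiří describes in this thread, the Network-tab tell-tale (a 403 response carrying "Mikrotik HttpProxy") and the hosts-file redirect of the miner domain, as an added Python example. This is editor-added code, not from the forum thread, Avast, or any of the posters. It assumes the "Mikrotik HttpProxy" marker appears in the HTTP `Server` response header (the thread only says it is visible in the request details), and the two HTTP responses below are constructed samples; only the xmr.omine.org domain comes from the thread, the script path on it is made up.

```python
import re
from typing import Dict, List, Tuple

# Marker quoted in the thread; assumed here to live in the Server header.
MIKROTIK_PROXY_MARKER = "mikrotik httpproxy"

# Constructed sample: what a response injected by a compromised router is
# assumed to look like (403 + proxy marker + foreign <script> in the body).
INJECTED_RESPONSE = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Server: Mikrotik HttpProxy\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>original page text"
    '<script src="http://xmr.omine.org/constructed.js"></script>'  # path is constructed
    "</body></html>"
)

# Constructed sample: an ordinary, untouched response.
CLEAN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)


def parse_http_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.x response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_code = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_code, headers, body


def looks_like_mikrotik_injection(raw: str) -> bool:
    """The thread's tell-tale: HTTP 403 plus the MikroTik proxy marker."""
    status, headers, _ = parse_http_response(raw)
    return status == 403 and MIKROTIK_PROXY_MARKER in headers.get("server", "").lower()


SCRIPT_SRC_RE = re.compile(r'<script[^>]+src=["\']https?://([^/"\']+)', re.IGNORECASE)


def external_script_hosts(raw: str) -> List[str]:
    """Hostnames of external <script src=...> tags in the body, in order, de-duplicated."""
    _, _, body = parse_http_response(raw)
    seen: List[str] = []
    for host in SCRIPT_SRC_RE.findall(body):
        host = host.lower()
        if host not in seen:
            seen.append(host)
    return seen


def hosts_file_sinkhole(existing: str, domains: List[str]) -> str:
    """Return hosts-file text with a 127.0.0.1 entry appended for each domain
    not already mapped; re-running with the same domains changes nothing."""
    present = set()
    for line in existing.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, then tokenize
        present.update(h.lower() for h in fields[1:])  # hostnames follow the IP
    out = existing.rstrip("\n")
    to_add = [d for d in domains if d.lower() not in present]
    if to_add:
        if out:
            out += "\n"
        out += "\n".join(f"127.0.0.1       {d}" for d in to_add)
    return out + "\n"


def triage(raw: str) -> Dict[str, object]:
    """One-shot summary for a captured response: injected? which hosts to sinkhole?"""
    injected = looks_like_mikrotik_injection(raw)
    return {"injected": injected, "script_hosts": external_script_hosts(raw) if injected else []}


if __name__ == "__main__":
    for label, sample in (("injected", INJECTED_RESPONSE), ("clean", CLEAN_RESPONSE)):
        print(label, triage(sample))
    print(hosts_file_sinkhole("127.0.0.1 localhost\n", triage(INJECTED_RESPONSE)["script_hosts"]))
```

Two points match the thread's advice: the check keys on the response the router returns, not on DNS, which is why changing DNS servers does not help, and the hosts-file entry only neuters the one miner domain already seen; the actual fix is the ISP updating the router firmware.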