
Topic: Am I infected by Trojan Miner? (Read 2351 times)

legendary
Activity: 2618
Merit: 1105
October 28, 2014, 03:33:09 PM
#30
I ran a netstat on my machine and found a certain connection with a foreign address...

pool-108-51-140-90:14905

Does anyone know what this is? Is it a mining pool that I am connected to?

Check your CPU usage; it should be really high, like 60% and above, if someone is mining on your computer..

Who would even still try and mine bitcoins with others' CPUs?

Back in 2012/13 people would spread viruses that mined on their behalf. I heard of someone making a few bits a day from this by infecting work computers. This was when the diff was so much lower, though.
donator
Activity: 1218
Merit: 1015
October 28, 2014, 02:47:47 PM
#29
I didn't know miners can't be infected with a trojan..

Yeah, happens all the time if you download stuff.
Just having unprotected VNC server software is enough. Many GPU miners still use VNC for remote interfacing, and some programs actually restrict password length to as low as 8 characters. Especially when mining on dubious fly-by-night altcoin pools and putting your IP out there as someone who uses crypto, there are a good few risks many don't account for -- like, say, you keep a hot wallet backup on a MS HomeGroup-shared folder and have your mining PCs in the homegroup with read access to the backup. Someone doesn't need to brute force the PC with a wallet on it; they just need to get into one of the mining PCs and search the network for files.
full member
Activity: 226
Merit: 100
October 26, 2014, 05:44:48 PM
#28
I didn't know miners can't be infected with a trojan..

Yeah, happens all the time if you download stuff.
newbie
Activity: 42
Merit: 0
October 26, 2014, 03:27:00 PM
#27
I didn't know miners can't be infected with a trojan..
hero member
Activity: 658
Merit: 500
October 26, 2014, 03:00:53 PM
#26
Save your valuable data on USB, use software (Kill Disk), then make a new Windows installation; after this, check the USB files with a modern AV + antimalware + a second AV program.
cp1
hero member
Activity: 616
Merit: 500
Stop using brainwallets
October 26, 2014, 12:04:27 PM
#25
Use netstat -tulpn to see what process owns it.
full member
Activity: 154
Merit: 100
October 26, 2014, 12:00:25 PM
#24
Be careful, sometimes it's a false positive.
legendary
Activity: 2282
Merit: 1204
The revolution will be digital
August 26, 2014, 04:25:21 AM
#23
I ran a netstat on my machine and found a certain connection with a foreign address...

pool-108-51-140-90:14905

Does anyone know what this is? Is it a mining pool that I am connected to?

Check your CPU usage; it should be really high, like 60% and above, if someone is mining on your computer..

Who would even still try and mine bitcoins with others' CPUs?

People who have an automated script to go and infect multiple machines. They don't need to manually control your machine; they can control herds of machines: a BOTNET.

Although botnets could probably make more money doing something other than mining.

How can a botnet make money except by participating in cyber crimes like DDoS? One I heard of is participating in CERN's grid computing. Do you know anything else?
DrG
legendary
Activity: 2086
Merit: 1035
August 26, 2014, 03:49:42 AM
#22
I ran a netstat on my machine and found a certain connection with a foreign address...

pool-108-51-140-90:14905

Does anyone know what this is? Is it a mining pool that I am connected to?

Check your CPU usage; it should be really high, like 60% and above, if someone is mining on your computer..

Who would even still try and mine bitcoins with others' CPUs?

People who have an automated script to go and infect multiple machines. They don't need to manually control your machine; they can control herds of machines: a BOTNET.

Although botnets could probably make more money doing something other than mining.
member
Activity: 112
Merit: 10
August 26, 2014, 03:48:22 AM
#21
I ran a netstat on my machine and found a certain connection with a foreign address...

pool-108-51-140-90:14905

Does anyone know what this is? Is it a mining pool that I am connected to?

Check your CPU usage; it should be really high, like 60% and above, if someone is mining on your computer..

Who would even still try and mine bitcoins with others' CPUs?

Most trojan miners mine using the CPU instead, because everyone has a CPU and not a GPU....
full member
Activity: 168
Merit: 100
August 26, 2014, 03:38:20 AM
#20
I ran a netstat on my machine and found a certain connection with a foreign address...

pool-108-51-140-90:14905

Does anyone know what this is? Is it a mining pool that I am connected to?

Check your CPU usage; it should be really high, like 60% and above, if someone is mining on your computer..

Who would even still try and mine bitcoins with others' CPUs?
legendary
Activity: 1456
Merit: 1000
August 26, 2014, 02:19:28 AM
#19
I ran a netstat on my machine and found a certain connection with a foreign address...

pool-108-51-140-90:14905

Does anyone know what this is? Is it a mining pool that I am connected to?

Just googling that IP, it looks like Verizon in the Washington area. Do you happen to be in this area? If so, I would be less worried.

If you are not, I would start running a few malware and virus scans.
full member
Activity: 210
Merit: 101
August 25, 2014, 11:15:39 PM
#18
Always wear protection...
hero member
Activity: 504
Merit: 500
sucker got hacked and screwed --Toad
August 25, 2014, 10:59:56 PM
#17
Turn off your internet and see if it's still there.

legendary
Activity: 1218
Merit: 1007
August 25, 2014, 01:59:38 PM
#16
It could also be a silent miner, mate. Best is you scan it with some AV and Hitman.
member
Activity: 61
Merit: 10
August 25, 2014, 08:05:37 AM
#15
This is a sad fact that many fellas use blackhat methods to mine bitcoin; everything has positive and negative aspects. Even though you have antivirus and firewalls on, they bypass them by several methods. Hope you get it removed from your system soon.
newbie
Activity: 11
Merit: 0
August 24, 2014, 01:54:53 PM
#14
I ran a netstat on my machine and found a certain connection with a foreign address...

pool-108-51-140-90:14905

Does anyone know what this is? Is it a mining pool that I am connected to?

Hi bitcoindream, as a greyhat hacker I can help you with this. If the CPU or GPU usage is running hot sometimes, then I would be worried. If you are going to remove this kind of malware, it is most often loaded with an encrypter and a persistence module in the registry, so if you are trying to delete it, it will most often be tough, and if it is well encrypted, virus scans will do you no good because they cannot pick up that it is malware. I did some testing on this subject just to see how the whole process worked, and most often the miners are set to mine at -4 to reduce the chances of being detected, so the CPU or GPU could be using around 20% of its power to mine. Now, if you have a powerful computer you would not notice any changes in performance. Anyway, check Process Explorer for a shady-looking svchost that seems to be taking high resources;
it is most often set to create another process that is named svchost or similar. If you want to remove the malware and it's encrypted, then it is very hard, especially if the miner is covered with a ring3 rootkit that hides the process from Process Explorer so you cannot see it. But you can easily prevent it from connecting to the mining pool, and therefore it will stop mining: if you edit your hosts file in the Windows settings, you can add the desired IP or DNS name at the end of the file and save it. I will show you an example below:

 1. Go to C:\Windows\System32\drivers\etc\
 2. Open hosts with Notepad.
 It should show something like this:

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
#   ::1             localhost


 3. OK, now you want to add to the end of the file like this:

127.0.0.1    hackeripormineripordns    # IP first, then the pool hostname the miner connects to


This will make it so that when the miner tries to connect to the pool, it will, instead of connecting to it, resolve to your local IP 127.0.0.1 and will not be able to get the data from the pool to start mining. Therefore you have disabled the miner: it cannot mine anymore because it cannot connect to the pool, as it automatically redirects to your local IP and cannot get the mining data from there. Problem solved.

This is just a quick, easy way to disable it so it will stop hogging your resources =).

I hope you enjoyed my little input here and it does you good.

Have a nice day.

PS: Sometimes the hosts file is locked, so you actually need to copy it to your desktop first, edit it there, then overwrite the original one with the new one and restart the PC.
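As an added example, not from the post above: a small Python helper that appends sinkhole entries in the hosts file's own IP-first format, skips names that are already present, refuses bare IP addresses (a hosts entry only affects name lookups, so a miner configured with the pool's raw IP is not stopped by it), and replaces the file in one step rather than editing it in place. The pool hostname, IP and file contents below are constructed.

```python
import ipaddress
import os
import tempfile

LOOPBACK = "127.0.0.1"

def parse_hosts(hosts_text):
    """Return the set of hostnames that already have an active (uncommented) entry."""
    names = set()
    for line in hosts_text.splitlines():
        entry = line.split("#", 1)[0].strip()      # drop trailing comments
        if not entry:
            continue
        fields = entry.split()                      # field 0 is the IP, the rest are names
        names.update(h.lower() for h in fields[1:])
    return names

def is_ip_literal(value):
    """True for '192.0.2.10' or '::1'; such values cannot be blocked via hosts."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def add_loopback_entries(hosts_text, pool_hosts):
    """Return (new_text, skipped). Each pool hostname not yet present is mapped to
    127.0.0.1; duplicates and bare IP literals are reported in `skipped`."""
    existing = parse_hosts(hosts_text)
    added, skipped = [], []
    for host in pool_hosts:
        host = host.strip().lower()
        if is_ip_literal(host) or host in existing:
            skipped.append(host)
        else:
            added.append(host)
            existing.add(host)
    if not added:
        return hosts_text, skipped                  # nothing to write, file unchanged
    lines = [f"{LOOPBACK}\t{h}\t# miner pool sinkhole" for h in added]
    sep = "" if (not hosts_text or hosts_text.endswith("\n")) else "\n"
    return hosts_text + sep + "\n".join(lines) + "\n", skipped

def write_hosts_atomically(path, text):
    """Write to a temp file next to `path`, then swap it in with one rename, so a
    reader never sees a half-written hosts file (Windows line endings are kept)."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix="hosts.")
    with os.fdopen(fd, "w", newline="\r\n") as f:
        f.write(text)
    os.replace(tmp, path)

# Constructed sample: a minimal hosts file with the stock commented-out localhost line.
SAMPLE_HOSTS = "# constructed sample hosts file\n#   127.0.0.1       localhost\n127.0.0.1\tlocalhost\n"
```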
newbie
Activity: 27
Merit: 0
August 24, 2014, 11:16:07 AM
#13
Use Process Explorer to search for any weird services and processes.
legendary
Activity: 1218
Merit: 1007
August 24, 2014, 10:37:04 AM
#12
I think this is a RAT/WORM.

Use Hitman Pro to clean your PC.
legendary
Activity: 2282
Merit: 1204
The revolution will be digital
August 24, 2014, 10:36:17 AM
#11

I don't know if it's the same for you; I just did netstat -a and also had this pool thingy. Shutting down the Bitcoin client removed the connection for me.

When I got the address, I was not running any Bitcoin client at all!!!