Hijack.BitCoinMiner.WMI attack

[Omarock]

Just made an account to say I had the same exact threats just now after scanning. Coincidentally landed on this thread after googling.

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 6/6/18
Scan Time: 5:43 AM
Log File: 3192437a-6944-11e8-be7d-d8cb8a3e9754.json
Administrator: Yes

-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.365
Update Package Version: 1.0.5374
License: Free

-System Information-
OS: Windows 10 (Build 17134.48)
CPU: x64
File System: NTFS
User: XXXXXXXXXXXXX

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 366574
Threats Detected: 3
Threats Quarantined: 3
Time Elapsed: 2 min, 1 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 3
Hijack.BitCoinMiner.WMI, \\XXXXXXX\ROOT\subscription:__FilterToConsumerBinding.Consumer="CommandLineEventConsumer.Name=\"BVTConsumer\"",Filter="__EventFilter.Name=\"BVTFilter\"", Quarantined, [14221], [528083],1.0.5374
Hijack.BitCoinMiner.WMI, \\XXXXXXX\ROOT\subscription:__EventFilter.Name="BVTFilter", Quarantined, [14221], [528083],1.0.5374
Hijack.BitCoinMiner.WMI, \\XXXXXXX\ROOT\subscription:CommandLineEventConsumer.Name="BVTConsumer", Quarantined, [14221], [528083],1.0.5374

(end)

Edited June 6, 2018 by Omarock
info

[AdvancedSetup]

Hello @Omarock and

Yes, this is a False Positive. Please check for updates and re-scan with Malwarebytes and it should no longer be detected.

The fix for this is in update  1.0.5376 which should be out within the hour.

Thanks

 

 

Edited June 6, 2018 by AdvancedSetup

[OldGreySteve]

I just received this same result scanning with update  1.0.5376

What action should I take now?

[Meathead]

Received a tech support call already regarding this today.  Re-scanning w/1.0.5376 cleared the detection.

It's getting old quick fielding support calls that are completely related to the issues with Malwarebytes. 

Edited June 6, 2018 by Meathead

[Omarock]

5 hours ago, AdvancedSetup said:

Hello @Omarock and

Yes, this is a False Positive. Please check for updates and re-scan with Malwarebytes and it should no longer be detected.

The fix for this is in update  1.0.5376 which should be out within the hour.

Thanks

 

 

Thank you.
Should I restore the items from quarantine before initiating another scan?

[dreamspinner3_kim]

I also had this malware threat show up in my latest Malwarebytes scan.  It is false?  If it is false, should I restore the quarantined items?

Edited June 6, 2018 by dreamspinner3_kim
needed to add question

[OldGreySteve]

These threats showed up on the first scan after updating to 1.0.5376. I selected "ignore once" and upon scanning again, no threats were found.  The log from the first scan showed the old version number, so go figure?

[shadowwar]

This should no longer be detected. This is a leftover wmi entry from microsoft and is not needed at all. Its ok to restore from quarantine if you still have it. It wont do any damage if it was removed.