Jump to content

Possible bitcoin miner

Recommended Posts

Hey there,

I just finished setting up a new 2012 Cloud server (needed older OS due to age of software I'm using) and Symantic endpoint has detected (but can't seem to remove) 

[SID: 30614] System infected: Miner.BitcoinMiner Activity 9 attack blocked

RKILL log:

Checking for Windows services to stop:

 * Ias Stopped. [PUP/GEN]

1 service stopped!

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * System Restore Disabled

   [HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
   "DisableSR" = dword:00000001

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

 * Reparse Point/Junctions Found (Most likely legitimate)!

     * C:\Windows\SYSVOL\domain\DfsrPrivate => C:\System Volume Information\DFSR\Private\{EE4587EF-E020-4769-B0C8-7131DBFC827A}-{E2C2EB99-1396-4E75-8B85-AB78C9A17184} [Dir]
     * C:\Windows\SYSVOL\staging areas\XXXX.com => C:\Windows\SYSVOL\staging\domain [Dir]
     * C:\Windows\SYSVOL\sysvol\XXXX.com => C:\Windows\SYSVOL\domain [Dir]

Searching for Missing Digital Signatures: 

 * No issues found.

Checking HOSTS File: 

 * No issues found.

Program finished at: 04/30/2021 10:49:18 AM
Execution time: 0 hours(s), 5 minute(s), and 42 seconds(s)



I also ran a FRST scan but I can't post publicly. What would be the next steps after RKILL? 




Link to post
Share on other sites

  • Root Admin

Generally speaking most sites don't help with Server detection and clean up for free. Part of the issue is what you just said, you can't post your logs publicly and tools to clean Servers are often not designed for Servers.

Please go ahead and send me the logs from FRST in a Private Message though and I'll take a look.

Thanks @cdngy20



Link to post
Share on other sites

  • 1 month later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection



Link to post
Share on other sites

This topic is now closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.