Client PC infected with virtual currency malware

jzukerman

I had a client last week e-mail me letting me know his office PC (core i7-2600 w/4GB RAM running 7 Pro) was running really slow, locking up, having to frequently reboot, etc. I took a look at it last Friday and heard loudish system fans. I originally thought it was a hardware issue. I found the Intel HSF wasn't clipped in all the way and fixed that. Ran Prime95 on it just fine. Temps were around 160F when running the tests, back down to 110F without tests running.

Client e-mailed me yesterday saying that he was still having problems. I checked it out today, ran Process Explorer & TCPView and finally caught the issue. It was some type of virtual currency mining malware running on the GPU, based upon the command line of the malware. Mind you, the GPU is integrated Intel graphics. I ended up using Autoruns to disable it from bootup.

I cannot find the attack vector at the moment. I cannot run Combofix in Normal or Safe Mode (the program starts, I can see some of the Combofix apps running, but nothing happens after a few minutes). Rkill seems to just sit there after checking services. TDSSKiller didn't find anything. Running a Windows Defender Offline scan now on my home office bench.

The fan issue appears to be a junker PSU (Cooler Master off-brand TM-420-PMSR). Its fan runs at full throttle. No fan sensor cable either.

This is the first client PC I've seen with virtual currency malware. Kind of interested in how it works. Maybe figure out if I can disrupt their network (i.e., notify the host to shut down the command & control server).
 
That is definitely a new and interesting perspective on mining virtual currency. Wow. Someone actually created malware to infect people's computers and do virtual currency mining. I suppose that is one way to avoid the high energy bills and gain processing power, though definitely illegal. WOW. But if the malware that does that is disassembled, you should be able to find the URL that E.T. uses to phone home. My guess would be that it would transmit a success or failure, and hash values of the virtual coin perhaps. Interesting, very interesting.
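As an added example (not code from either poster), here is a small Python triage script that does offline what the two posts describe: it scores process command lines and TCPView-style connection entries for miner indicators (pool URL, typical miner front-end flags, connections to common stratum ports), and it pulls pool or phone-home URLs out of a binary's printable strings, which is the quick version of "disassemble it and find the URL". Every process, address and byte blob below is constructed; the flag list and port list are assumptions about what open-source miner front-ends usually take on their command line, not facts about the malware on the client's PC.

```python
"""Cryptominer triage: score process/connection listings and extract URLs from a binary.
Added example for this thread; all sample data is constructed, not real captures."""
import re
from dataclasses import dataclass, field

# Assumption: the malware wraps a common miner front-end whose CLI uses flags like
# these. A packed or custom binary may hide them, so treat hits as leads, not proof.
POOL_URL_RE = re.compile(
    r"(?:stratum\+(?:tcp|ssl)|stratum|https?)://[A-Za-z0-9.\-]+(?::\d{2,5})?(?:/[\w./\-]*)?",
    re.IGNORECASE,
)
MINER_FLAGS = {"-o", "--url", "-u", "--user", "-p", "--pass", "-a", "--algo",
               "-t", "--threads", "--opencl", "--cuda", "--donate-level", "--userpass"}
# Ports widely used by stratum pools (heuristic, assumed; legitimate software can use them too).
STRATUM_PORTS = {3333, 3334, 3335, 3336, 4444, 5555, 7777, 9999}
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{8,}")   # what `strings` would print


@dataclass
class Finding:
    pid: int
    image: str
    urls: list = field(default_factory=list)
    flags: list = field(default_factory=list)
    remotes: list = field(default_factory=list)   # (remote_ip, remote_port) from TCPView

    @property
    def score(self) -> int:
        s = 3 * len(self.urls) + len(self.flags)
        s += 2 * sum(1 for _, port in self.remotes if port in STRATUM_PORTS)
        return s

    @property
    def verdict(self) -> str:
        return "likely miner" if self.score >= 4 else "review" if self.score >= 2 else "clean"


def find_pool_urls(text: str) -> list:
    """Return every pool/web URL in a string (command line or extracted string)."""
    return POOL_URL_RE.findall(text)


def miner_flags(cmdline: str) -> list:
    """Whole-token match so '-o' inside an unrelated path is not counted; handles --url=..."""
    return [tok for tok in cmdline.split() if tok.split("=", 1)[0] in MINER_FLAGS]


def triage(processes, connections) -> list:
    """processes: (pid, image, cmdline) as Process Explorer shows them.
    connections: (pid, remote_ip, remote_port) as TCPView shows them.
    Returns findings with a non-zero score, highest score first."""
    by_pid = {}
    for pid, ip, port in connections:
        by_pid.setdefault(pid, []).append((ip, port))
    out = []
    for pid, image, cmdline in processes:
        f = Finding(pid, image, find_pool_urls(cmdline), miner_flags(cmdline), by_pid.get(pid, []))
        if f.score:
            out.append(f)
    return sorted(out, key=lambda f: f.score, reverse=True)


def strings_with_urls(blob: bytes) -> list:
    """Poor man's `strings` over a binary, filtered to URLs (the phone-home/pool step)."""
    hits = []
    for m in PRINTABLE_RE.finditer(blob):
        hits.extend(find_pool_urls(m.group().decode("ascii")))
    return hits


# Constructed sample data modelled on the thread (miner in a user-writable path launched
# at boot, integrated-GPU OpenCL flag). Hosts use .invalid, IPs are RFC 5737 test ranges.
SAMPLE_PROCESSES = [
    (1204, "svchost.exe", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    (2716, "winupd.exe",
     r"C:\Users\owner\AppData\Roaming\winupd.exe -a scrypt -o stratum+tcp://pool.example.invalid:3333 "
     r"-u 1ExampleWalletAddr.worker1 -p x --opencl --threads 4"),
    (3080, "chrome.exe", r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer'),
]
SAMPLE_CONNECTIONS = [
    (2716, "203.0.113.10", 3333),
    (3080, "198.51.100.7", 443),
]
SAMPLE_BLOB = (b"\x4d\x5a\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
               + b"stratum+tcp://pool.example.invalid:3333\x00"
               + b"\x17\x9a\x02" + b"http://c2.example.invalid/report.php\x00"
               + b"\xff" * 8)

if __name__ == "__main__":
    for f in triage(SAMPLE_PROCESSES, SAMPLE_CONNECTIONS):
        print(f"pid {f.pid} {f.image}: {f.verdict} (score {f.score}) "
              f"urls={f.urls} flags={f.flags} remotes={f.remotes}")
    print("URLs in binary:", strings_with_urls(SAMPLE_BLOB))
```

On a real box the two lists would come from Process Explorer's command-line column (or `wmic process get ProcessId,Name,CommandLine`) and TCPView/netstat, and the blob from the file Autoruns pointed at. The score thresholds are arbitrary; what matters is that a pool URL plus an established connection to the same host is strong evidence, while the flag list alone is only a prompt to look closer.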