How do I find a task I believe is related to coinminer malware?
I am having an odd problem that I think may be related to malware.
A few days ago Windows Defender stopped working. I also use Comodo AV. Comodo AV was disabled from the system tray but it was apparently still able to run. It ran a scheduled scan and discovered a miner.
For some time I had noticed that every time I boot, C:\Windows\Temp\signtool.exe wants to connect to the web.
However, no such file exists on my machine.
This got me to thinking that there must be a task somewhere that is running signtool.exe from the temp folder and then deleting that file.
I started logging tasks with Task Scheduler.
I have identified two tasks I think are suspicious. Signtool.exe attempted to connect to the web 2 mins after one of these tasks ran.
However I can't interact with the task at all because Task Scheduler doesn't allow you to open tasks from the Task Status box. How can I find out more information about this task?
I am not sure but I think this is the first stage of the malware process. Signtool will connect to the internet, and then download the payload, and then the miner will start again. The miner will disable Microsoft Security Center, will disable updates, and then start doing the mining.
Or maybe I am being paranoid and signtool.exe is a legitimate process. However, I use the same programs on multiple machines and have never seen this signtool.exe on any other machine.
I will also note that startupchecklibrary.dll has returned to my machine, although I deleted this file as part of malware removal efforts.
Any help, any information is appreciated.
At this point I am trying to determine:
1. If I am overreacting and signtool.exe is legitimate
2. Why signtool.exe seeks to connect to the internet at boot, and then at scheduled intervals
3. What these strange tasks are and how I can find them
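One way to get at the task details the Task Scheduler GUI does not expose from the Task Status pane is to enumerate every registered task with PowerShell and filter on what its actions actually execute. The script below is an added example, not part of the original post; it assumes an elevated PowerShell session on the affected machine and that `signtool` is the substring you want to match (the `$Pattern` variable is an assumption you can change). It prints the path, author, run-as account, state, last/next run times, actions and trigger types of every matching task, saves each task definition as XML for later analysis, and cross-checks the on-disk task store under `C:\Windows\System32\Tasks` in case a task does not show up through the API.

```powershell
# Added example (not from the original post): find scheduled tasks whose actions
# reference a given executable and dump the details hidden in the GUI.
# Assumptions: elevated PowerShell on the affected machine; $Pattern is the
# substring to search for in task actions.

$Pattern = 'signtool'
$OutDir  = Join-Path $env:USERPROFILE 'Desktop\task-export'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Query the Task Scheduler service for every registered task and keep the
#    ones whose Execute target or Arguments mention the pattern.
$hits = Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object {
        ($_.Execute   -and $_.Execute   -match $Pattern) -or
        ($_.Arguments -and $_.Arguments -match $Pattern)
    }
}

foreach ($task in $hits) {
    $info = $task | Get-ScheduledTaskInfo

    [PSCustomObject]@{
        TaskPath    = $task.TaskPath
        TaskName    = $task.TaskName
        Author      = $task.Author
        RunAs       = $task.Principal.UserId
        State       = $task.State
        LastRunTime = $info.LastRunTime
        NextRunTime = $info.NextRunTime
        # Full command line(s) the task runs
        Actions     = ($task.Actions  | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        # Trigger class names, e.g. MSFT_TaskBootTrigger, MSFT_TaskDailyTrigger
        Triggers    = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ', '
    } | Format-List

    # Preserve the complete task definition (XML) before disabling or deleting it,
    # so the triggers, principal and settings can be reviewed offline.
    $safeName = ($task.TaskPath + $task.TaskName) -replace '[\\/:*?"<>|]', '_'
    Export-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath |
        Out-File -FilePath (Join-Path $OutDir "$safeName.xml") -Encoding utf8
}

# 2. Cross-check the on-disk task store. Each registered task has an XML file here;
#    a task that the API does not list (for example because of a tampered ACL)
#    may still be visible as a file.
Get-ChildItem -Path "$env:SystemRoot\System32\Tasks" -Recurse -File |
    Select-String -Pattern $Pattern -List |
    Select-Object -ExpandProperty Path

# 3. Optional: the Task Scheduler operational log records when tasks are
#    registered (ID 106), updated (140) and deleted (141), which helps date
#    when the task first appeared. This log may be disabled by default.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-TaskScheduler/Operational'
    Id      = 106, 140, 141
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $Pattern -or $_.Message -match '\\Temp' } |
    Select-Object TimeCreated, Id, Message
```

Run the script before disabling anything: the exported XML keeps the evidence of what the task ran, under which account and on which triggers, even after the task is removed. A task whose action points at a file that is absent between runs, as described above, is the kind of entry this filter is meant to surface, and the operational log (step 3) lets you compare the task's registration time against the date the problems began.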