How do I find a task I believe is related to coinminer malware? Solved

  1.    #1

    How do I find a task I believe is related to coinminer malware?


    I am having an odd problem that I think may be related to malware.

    A few days ago Windows Defender stopped working. I also use Comodo AV. Comodo AV was disabled from the system tray but it was apparently still able to run. It ran a scheduled scan and discovered a miner.

    For some time I had noticed that every time I boot C:\Windows\Temp\signtool.exe wants to connect to the web.

    However no such file exists on my machine.

    This got me to thinking that there must be a task somewhere that is running signtool.exe from the temp folder. And then deleting that file.

    I started logging tasks with Task Scheduler.

    I have identified two tasks I think are suspicious. Signtool.exe attempted to connect to the web 2 mins after one of these tasks ran.


    [attached image: image.png, screenshot of the Task Scheduler status list]


    However I can't interact with the task at all because Task Scheduler doesn't allow you to open tasks from the Task Status box. How can I find out more information about this task?



    I am not sure but I think this is the first stage of the malware process. Signtool will connect to the internet, and then download the payload, and then the miner will start again. The miner will disable Microsoft Security Center, will disable updates, and then start doing the mining.


    Or maybe I am being paranoid and signtool.exe is a legitimate process. However, I use the same programs on multiple machines and have never seen this signtool.exe on any other machine.

    I will also note that startupchecklibrary.dll has returned to my machine, although I deleted this file as part of malware removal efforts.

    Any help, any information is appreciated.

    At this point I am trying to determine

    1. If I am overreacting and signtool.exe is legitimate
    2. Why signtool.exe seeks to connect to the internet at boot, and then at scheduled intervals
    3. What these strange tasks are and how I can find them

  2.    #2

    It may not be a task. There are various ways to start a process - it could be a registry run setting or a service etc.

    Download autoruns from Microsoft (here), run as administrator, click on the "Everything" tab and search (ctrl+F as normal) for signtool

    [attached image: Capture.PNG, screenshot of Autoruns with the "Everything" tab selected]

    The signtool program is not necessarily malicious - it is part of Visual Studio (see here) but that doesn't mean you didn't at one time have malware with the same name.

  3.    #3

    Thanks lx07. I searched Autoruns previously.
    Was part of my malware remediation process.

    Uploaded all suspicious entries to VirusTotal.

    There is nothing I can identify in autoruns that would be calling signtool.exe

    There is nothing suspicious in my autoruns, or anything I am unfamiliar with.

    This is why I started checking tasks. Because there is nothing suspicious in any of the startup locations, nothing that appears to be calling signtool.exe, and signtool.exe does not appear anywhere in any startup location.

  4.    #4

    Bump

  5.    #5 (dencal, Posts: 2,920, W10 Pro + W10 Preview)

    A useful free program which might turn up a suspect installation.
    https://www.voidtools.com/Everything....x64-Setup.exe

  6.    #6

    Thank you dencal.
    So here's the thing. Signtool.exe is only available for about 2 seconds during boot. It is in the temp directory. And then it disappears. Can't find it afterwards.

  7.    #7 (dencal, Posts: 2,920, W10 Pro + W10 Preview)

    PlatypusKnight said:
        Thank you dencal.
        So here's the thing. Signtool.exe is only available for about 2 seconds during boot. It is in the temp directory. And then it disappears. Can't find it afterwards.
    Have you tried looking for Signtool.exe in Safe Mode?

  8.    #8 (Try3, Posts: 1,748, Windows 10 Home x64 and Pro x86)

    I also suffer from an unknown task, as did @RaveBlack
    Unknown tasks running - e9e87558-3d46-49e9-bde6-f8b84dace1c6
    What is "JD_TaskSchedulerSchedule"?

    I have never got anywhere with sorting my problem out but I believe it started after I installed Intel's update assistant. RaveBlack found that Trillian was the culprit

    Denis

  9.    #9

    PlatypusKnight said:
        However I can't interact with the task at all because Task Scheduler doesn't allow you to open tasks from the Task Status box. How can I find out more information about this task?
    As Try3 has posted, I did have to deal with something like this a few years back. The only way I was able to find out more about what it was trying to do was to go into the operational log of the Task Scheduler via the Event Viewer.

    I'd think back as to what you've recently installed. In my case, I was able to link my problem to Trillian because that was the odd program out. I'd remembered that I didn't have the issue the night I reset, and that it only started occurring again after I reinstalled Trillian the next day. Uninstalling it didn't make the problem go away, I needed another reset. I've avoided reinstalling Trillian and haven't had it happen since then.
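Added example, not posted by anyone in this thread: the two approaches suggested above (post #2's search of every launch point for the binary name, and post #9's use of the Task Scheduler operational log) can be scripted from an elevated PowerShell prompt so that a task which only exists for a couple of seconds at boot still leaves a record. The search pattern and the choice of "last boot" as the time window are assumptions; everything else uses standard Windows cmdlets and the real log name Microsoft-Windows-TaskScheduler/Operational.

```powershell
# Added example (defensive triage), not code from this thread.
# Run from an elevated PowerShell prompt.
# Assumptions: the binary name to look for is signtool.exe (as reported
# in the thread) and the interesting window is the most recent boot.

$pattern = 'signtool\.exe'   # regex; change to whatever name you are chasing

# 1. Inspect the *actions* of every registered task, not just task names.
#    Task Scheduler's status box only shows names; the action is what
#    reveals a binary launched from a Temp folder.
$hits = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $pattern -or $cmd -match '\\Temp\\') {
            [pscustomobject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                Command  = $cmd
                Author   = $task.Author
                State    = $task.State
            }
        }
    }
}
"=== Registered tasks whose action mentions the pattern or a Temp path ==="
$hits | Format-Table -AutoSize

# 2. Cross-check the on-disk XML definitions under System32\Tasks.
#    Get-Content -Raw honours the byte-order mark, so the UTF-16 task
#    files are searched correctly.
"=== Task definition files on disk that mention the pattern ==="
Get-ChildItem "$env:SystemRoot\System32\Tasks" -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = Get-Content -LiteralPath $_.FullName -Raw -ErrorAction SilentlyContinue
        if ($xml -match $pattern) { $_.FullName }
    }

# 3. The operational log is disabled by default. Enable it now so the
#    next boot is recorded; this is a one-time setting.
wevtutil sl Microsoft-Windows-TaskScheduler/Operational /e:true

# 4. After a reboot, pull "Task Started" (ID 100) and "Action Started"
#    (ID 200) events since that boot. Event 200 carries the task name and
#    the action (executable) that was launched, which is the detail the
#    Task Status box hides.
$lastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
"=== Task Scheduler operational events since last boot ($lastBoot) ==="
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-TaskScheduler/Operational'
    Id        = 100, 200
    StartTime = $lastBoot
} -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            Task   = $_.Properties[0].Value          # TaskName for both IDs
            Detail = ($_.Properties | ForEach-Object { $_.Value }) -join ' | '
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

Read the step 4 output next to the firewall timestamp: a task whose ID 200 event lands a minute or two before the outbound connection attempt is the one to examine, and its TaskPath from step 1 is the path to open in Task Scheduler's library tree, which, unlike the status box, allows the task to be opened, exported or disabled.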