How do I find a task I believe is related to coinminer malware?

Page 1 of 2 12 LastLast

  1. Posts : 113
    Win 10 Home
       #1

    How do I find a task I believe is related to coinminer malware?


    I am having an odd problem that I think may be related to malware.

    A few days ago Windows Defender stopped working. I also use Comodo AV. Comodo AV was disabled from the system tray but it was apparently still able to run. It ran a scheduled scan and discovered a miner.

    For some time I had noticed that every time I boot C:\Windows\Temp\signtool.exe wants to connect to the web.

    However no such file exists on my machine.

    This got me to thinking that there must be a task somewhere that is running signtool.exe from the temp folder. And then deleting that file.

    I started logging tasks with Task Scheduler.

    I have identified two tasks I think are suspicious. Signtool.exe attempted to connect to the web 2 mins after one of these tasks ran.


    How do I find a task I believe is related to coinminer malware?-image.png


    However I can't interact with the task at all because Task Scheduler doesn't allow you to open tasks from the Task Status box. How can I find out more information about this task?



    I am not sure but I think this is the first stage of the malware process. Signtool will connect to the internet, and then download the payload, and then the miner will start again. The miner will disable Microsoft Security Center, will disable updates, and then start doing the mining.


    Or maybe I am being paranoid and signtool.exe is a legitimate process and I am being paranoid. However, I use the same programs on multiple machines and never seen this signtool.exe on any other machine.

    I will also note that startupchecklibrary.dll has returned to my machine, although I deleted this file as part of malware removal efforts.

    Any help, any information is appreciated.

    At this point I am trying to determine

    1. If I am overreacting and signtool.exe is legitimate
    2. Why signtool.exe seeks to the connect to the internet at boot, and then at scheduled intervals
    3. What these strange tasks are and how I can find them
      My Computers


  2. Posts : 5,478
    2004
       #2

    It may not be a task. There are various ways to start a process - it could be a registry run setting or a service etc.

    Download autoruns from Microsoft (here), run as administrator, click on the "Everything" tab and search (ctrl+F as normal) for signtool

    How do I find a task I believe is related to coinminer malware?-capture.png

    The signtool program is not necessarily malicious - it is part of visual studio (see here) but that doesn't mean you didn't at one time have malware with the same name.
      My Computer


  3. Posts : 113
    Win 10 Home
    Thread Starter
       #3

    Thanks lx07. I searched Autoruns previously.
    Was part of my malware remediation process.

    Uploaded all suspicious entries to VirusTotal.

    There is nothing I can identify in autoruns that would be calling signtool.exe

    There is nothing suspicious in my autoruns, or anything I an unfamiliar with.

    This is why I started checking tasks. Because there is nothing suspicious in any of the startup locations, nothing that appears to be calling signtool.exe, and signtool.exe does not appear anywhere in any startup location.
      My Computers


  4. Posts : 113
    Win 10 Home
    Thread Starter
       #4

    Bump
      My Computers


  5. Posts : 3,105
    W10 Pro + W10 Preview
       #5

    A useful free program which might turn up a suspect installation.
    https://www.voidtools.com/Everything....x64-Setup.exe
      My Computers


  6. Posts : 113
    Win 10 Home
    Thread Starter
       #6

    Thank you dencal.
    So here's the thing. Signtool.exe is only available for about 2 seconds during boot. It is in the temp directory. And then it disappears. Can't find it afterwards.
      My Computers


  7. Posts : 3,105
    W10 Pro + W10 Preview
       #7

    PlatypusKnight said:
    Thank you dencal.
    So here's the thing. Signtool.exe is only available for about 2 seconds during boot. It is in the temp directory. And then it disappears. Can't find it afterwards.
    Have you tried looking for Signtool.exe in Safe Mode?
      My Computers


  8. Posts : 16,782
    Windows 10 Home x64 Version 22H2 Build 19045.4170
       #8

    I also suffer from an unknown task, as did @RaveBlack
    Unknown tasks running - e9e87558-3d46-49e9-bde6-f8b84dace1c6
    What is "JD_TaskSchedulerSchedule"?

    I have never got anywhere with sorting my problem out but I believe it started after I installed Intel's update assistant. RaveBlack found that Trillian was the culprit

    Denis
      My Computer


  9. Posts : 34
    Windows 10
       #9

    PlatypusKnight said:
    However I can't interact with the task at all because Task Scheduler doesn't allow you to open tasks from the Task Status box. How can I find out more information about this task?
    As Try3 has posted, I did have to deal with something like this a few years back. The only way I was able to find out more about what it was trying to do was to go into the operational log of the Task Scheduler via the Event Viewer.

    I'd think back as to what you've recently installed. In my case, I was able to link my problem to Trillian because that was the odd program out. I'd remembered that I didn't have the issue the night I reset, and that it only started occurring again after I reinstalled Trillian the next day. Uninstalling it didn't make the problem go away, I needed another reset. I've avoided reinstalling Trillian and haven't had it happen since then.
      My Computer

  10.   My Computer


 

  Related Discussions
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 10:11.
Find Us




Windows 10 Forums