Hijacked/Virus

camexalted

New Member
Jan 22, 2015
2
0
1
Hello, I am familiar with litecoin and doge mining. I haven't mined in a year or so because I haven't had a stable ISP. I have no idea what it was that I downloaded, all I can think it could have been was from a Skyrim mod from Nexusmods.

My Windows 8.1 PC started beeping every 45 seconds. It was the Windows Asterisk sound. I tore my hair out for two hours trying to figure it out, going through all the processes I was familiar with. Booting into safe-mode, I noticed a hidden instance in Startup, called Background Worker.exe. The folder was C:\ProgramData\Digger. It had a .bin file named "darkcoin-modIntel(R) HD Graphics 4600gw256l4ku0". I have quarantined the files, and now I'm trying to figure out where it came from. Obviously it was installed as a trojan. I have quad R9 290X cards and onboard graphics for my CPU are disabled. I'm not sure if you guys are aware of this practice with darkcoin, but it is unethical and also illegal. If anyone knows how to trace back where this virus came from, I would appreciate the help. I have also used this time to look at Darkcoin mining, and I am interested again as the latest forks in Litecoin have diminished my returns heavily. Thanks for reading.
 

oblox

Well-known Member
Aug 6, 2014
1,032
537
183
You do realize anyone can create a virus or trojan and name it whatever the fuck they want. If you actually downloaded it and hashed it from the official website (darkcoin.io) or built from source, you wouldn't have had this problem.
 

Propulsion

The buck stops here.
Feb 26, 2014
1,008
468
183
Dash Address
XerHCGryyfZttUc6mnuRY3FNJzU1Jm9u5L
I didn't read this part

The folder was C:\ProgramData\Digger. It had a .bin file named "darkcoin-modIntel(R) HD Graphics 4600gw256l4ku0"
Someone's made a darkcoin miner trojan? camexalted which pool is the trojan using?
 

camexalted

New Member
Jan 22, 2015
2
0
1
No. I never knew about darkcoin until I found the virus. It is a trojan, installed with something else so that my computer will be used to mine Darkcoin for another person without my knowledge or consent.

I also haven't had any mining related software installed on this PC in almost a year. It has a fresh install of Windows on it, and like I said, the virus either came from a Skyrim mod or something. I need to find out if anyone knows how to parse the .bin file to find out what IP and pool is being used by the miner. Why? Because the virus is deeper than I thought, and is re-installed every time I restart my computer/windows. Please help!

I didn't read this part

Someone's made a darkcoin miner trojan? camexalted which pool is the trojan using?
You replied while I was typing that up above. Yeah, it is a pretty scary one, at least to me, considering a month ago this was a fresh install of Windows and all I've really done is play Skyrim and some older Steam games because I haven't had internet in a month. I got it back today, and bam, this thing reinstalls itself every time I reboot my PC. The BIN file will not open as readable text in Notepad++ or a hex editor. If someone knows how to parse these files to find out what pool/IP is being used I can go straight to the source and call them out.
 

Scriptiee

Member
Apr 24, 2014
44
20
48
Out of this world
Have a look at things like malwarebytes and see if that can find it and remove it.

You don't need to "parse the bin file"; all you need to do is check your active connections, find what port that process is using, and then locate the established connection using the netstat command.

Google "process explorer"; that is a great process visualisation tool.

Have fun, shizzle like this is exciting and might teach you a thing or two about your OS and some of its workings.
 
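The approach above (correlate the process with its established connections instead of reverse-engineering the .bin) as an added, runnable example that is not part of this thread. It parses constructed `netstat -ano` and `tasklist /fo csv /nh` output; the process name comes from the first post, while the PIDs and the pool address 203.0.113.45:3333 are made-up sample values.

```python
import csv
import io

# Constructed sample of `netstat -ano` output on Windows; not a real capture.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       804
  TCP    192.168.1.20:49712     203.0.113.45:3333      ESTABLISHED     4120
  TCP    192.168.1.20:49720     198.51.100.7:443       ESTABLISHED     2288
  UDP    0.0.0.0:5355           *:*                                    1104
"""

# Constructed sample of `tasklist /fo csv /nh` output; PIDs match the netstat sample.
TASKLIST_SAMPLE = """\
"svchost.exe","804","Services","0","12,000 K"
"Background Worker.exe","4120","Console","1","48,300 K"
"chrome.exe","2288","Console","1","210,448 K"
"svchost.exe","1104","Services","0","9,800 K"
"""


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    pid_to_name = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            pid_to_name[int(row[1])] = row[0]
    return pid_to_name


def parse_netstat(text):
    """Return (proto, remote_host, remote_port, state, pid) per `netstat -ano` line.
    UDP lines have no State column, so they are parsed with one field fewer."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line or section title
        if parts[0] == "TCP":
            proto, _local, foreign, state, pid = parts[:5]
        else:
            proto, _local, foreign, pid = parts[:4]
            state = ""
        host, _, port = foreign.rpartition(":")  # rpartition keeps IPv6 literals intact
        conns.append((proto, host, port, state, int(pid)))
    return conns


def remote_endpoints(netstat_text, tasklist_text, process_name):
    """Sorted remote host:port pairs that the named process has ESTABLISHED."""
    names = parse_tasklist(tasklist_text)
    targets = {pid for pid, name in names.items() if name.lower() == process_name.lower()}
    return sorted(
        f"{host}:{port}"
        for _proto, host, port, state, pid in parse_netstat(netstat_text)
        if pid in targets and state == "ESTABLISHED"
    )
```

On the real machine, capture both commands from an elevated prompt while the process is running and feed the text in; the returned endpoint is what you would block at the firewall or include in a report to the pool operator.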

stan.distortion

Well-known Member
Oct 30, 2014
918
531
163
Tried blocking everything on your firewall and seeing what wants out? Not sure how it works with antivirus reporting but it could be worth submitting a report, would help others and then keep killing it until they release something to block it and clean up.
 

TanteStefana

Grizzled Member
Foundation Member
Mar 9, 2014
2,871
1,863
1,283
I'm going to second malwarebytes. You don't need the paid version. I simply run it at least 1X a week or any time my computer seems to be working when it shouldn't be (but that can sometimes be my antivirus/system mechanic doing scanning, etc.). Nothing is 100%, but malwarebytes plus at least one more, such as emsisoft emergency kit, are a good thing to use and use often (just turn them on when you go to bed at night). Let us know if they manage to clean things out.
 

Rux

Member
Mar 9, 2014
69
32
58
If you say this virus reinstalls itself every time you format the PC... then it has to be somewhere where you keep your backup files, or someone is messing with you... someone who you know and has access to your PC.

Like others said... run malwarebytes and try to find that pesky miner-virus.

Just let us know if you need any help.
 

Sub-Ether

Well-known Member
Mar 31, 2014
1,516
1,256
183
I got a virus one time from an sgminer mining file download site, it was something like sgminer.net but I can't remember the exact name because I'd had a drink. I thought I was safe because I knew better than to do any wallet transfers when drunk, all I did was click on the sgminer.exe and the (unencrypted) bitcoin wallet emptied itself, never did work it out exactly because I only saw it the next day and had gotten a few miner programs the day before. Had 3 trojans on the machine and ended up wiping and re-installing, because no matter how good the virus scanner you can never be sure if you've got it all.
Warning: DO NOT turn back your Windows registry to an earlier time, viruses love to stay in reg backups/boot partitions and you will multiply them, it's a classic error and expected by any 'good' trojan. Deleting from areas like this can be very tricky because they'll keep coming back on startup, safe mode may do it (but may not).
 

Rux

Member
Mar 9, 2014
69
32
58
:) Well sir, it's your fault you downloaded "sgminer" from some unknown source... I totally understand you, but you must understand that this has nothing to do with Darkcoin itself... or the darkcoin dev team, or darkcoin fan boys like myself ;D

I never use registry backups, dual boots, or things like that.
 

Sub-Ether

Well-known Member
Mar 31, 2014
1,516
1,256
183
:) Well sir, it's your fault you downloaded "sgminer" from some unknown source... I totally understand you, but you must understand that this has nothing to do with Darkcoin itself... or the darkcoin dev team, or darkcoin fan boys like myself ;D

I never use registry backups, dual boots, or things like that.
Sgminer is a mining program for darkcoin, so yes it is relevant, and I posted this as a warning for others to be careful when they are searching for more efficient mining programs as there are many sources.
 

Rux

Member
Mar 9, 2014
69
32
58
Sgminer is a mining program for darkcoin, so yes it is relevant, and I posted this as a warning for others to be careful when they are searching for more efficient mining programs as there are many sources.
Yes, it's a mining program for darkcoin, but bro, the problem is FROM WHERE DID YOU DOWNLOAD IT!!!!!!!!!

Anyone can take a normal non-virus sgminer, put a virus in it and spread the download link with (FASTER MINER JUST TAKE IT) :(