There's a "service.exe" virus that for some reason managed to add an "exception" in Windows Defender

orangpelupa

I don't know how. I checked the files and folders; turns out it's been there since 2020 (can "Date Created" be faked?). Not detected by Windows Defender, because it turns out it adds

"Appdata/roaming" as "Exception" folder.

Fortunately it was blocked by the TinyWall firewall. But I don't know what kind of data it has exfiltrated (someone on Reddit says it talks to a Telegram chatbot), as I have only used the TinyWall firewall since 2021.

So to be safe, go check your antivirus exception list and make sure it only lists folders that you know you've added as exceptions.

Also check %USERPROFILE%\AppData\Roaming\d_temp
and %USERPROFILE%\AppData\Roaming\

to clean up.

I'm also not sure how to completely remove this thing, as according to right-click > Properties, this thing keeps getting opened/called/run every few minutes.

EDIT:
It is also able to silently add the "exclusion folder" again in Windows Defender without a UAC prompt!

I think I would need to nuke this Windows...
 
To see what's launching it, try Task Scheduler and Process Explorer.
If you can't delete it, make a bootable Linux USB thumb drive and delete it from Linux.
 
It can be deleted; it's just curious that it was only detected by 3 antivirus programs according to VirusTotal.
 
I've uploaded your archive to VirusTotal and it's detected as Trojan/Malware/Riskware miner by 36 antivirus programs out of 63, including Windows Defender antivirus (detected as PUA:Win64/CoinMiner).

https://www.virustotal.com/gui/file...e2e51b1a92029fc32b497f44412b9cb93d7/detection

It's the service.exe file that's only detected by 3 antivirus programs. It's the one that keeps auto-running again and again even after being killed.

https://www.virustotal.com/gui/file...01649013780d3f9528b5c87fd9ba256f35da8/summary

Dunno if it's also the one silently adding the Windows Defender exception, or other modules (the other files inside the zip are just txt files and zip files).
 
Well, unfortunately malware can be hard to remove even manually. You need to launch the Task Manager Details tab or SysInternals Process Explorer and check for suspicious processes which are running from unusual locations. They are typically launched by Task Scheduler tasks, shortcuts in the Startup folder (MsConfig and the Task Manager Startup tab), and Run/RunOnce keys in the registry. Advanced trojans install themselves into system services or the Winlogon/Userinit processes - these can successfully circumvent all attempts to remove them.

I suggest you ask for help on enthusiast forums like Bleeping Computer. Typically you will need to run their preferred diagnostic/removal tool (such as FRST64, AVZ, AdAware etc.) and attach the logs to your forum post; then you will be given further instructions or a script file to remove your specific infection.

https://www.bleepingcomputer.com/fo...ng-malware-removal-tools-and-requesting-help/
https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/
https://www.malwareremoval.com/forum/viewtopic.php?t=47959
etc.
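The two checks recommended in this thread, auditing the Defender exclusion list (from the first post) and walking the persistence locations listed in the reply above (Task Scheduler, Startup folder, Run/RunOnce keys, Winlogon), can be scripted. The following is an added example written for this thread, not code posted by anyone here. It uses only the built-in Defender cmdlets (Get-MpPreference, Remove-MpPreference) and standard PowerShell; $KnownGoodExclusions is an assumed placeholder list that you fill with paths you added yourself. Defender's exclusion list is ordinary configuration that any process already running as administrator can change, so the absence of a UAC prompt is expected; the Defender operational log records each such change as event 5007, which is what the second function reads to find when an exclusion appeared. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not code from the thread. Audits Windows Defender exclusions
# and the persistence locations named in the replies. Run elevated on a
# machine where Defender is the active antivirus.

# Assumption: paths YOU deliberately excluded. Anything else is suspect.
$KnownGoodExclusions = @('C:\Dev\MyProject')   # placeholder, adjust to your own

function Get-SuspectDefenderExclusions {
    param([string[]]$KnownGood)
    $pref = Get-MpPreference
    # Every configured path/process/extension exclusion, minus the expected ones.
    @($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension) |
        Where-Object { $_ -and ($KnownGood -notcontains $_) }
}

function Get-DefenderExclusionChanges {
    # Event 5007 is logged whenever the antimalware configuration changes; its
    # message carries the old and new value, so it shows when an exclusion was added.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions' } |
        Select-Object TimeCreated, Message
}

function Get-PersistenceEntries {
    $results = @()

    # 1. Scheduled tasks (any action, so you see where each one runs from).
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if ($action.Execute) {
                $results += [PSCustomObject]@{
                    Source  = "Task:$($task.TaskPath)$($task.TaskName)"
                    Command = "$($action.Execute) $($action.Arguments)"
                }
            }
        }
    }

    # 2. Run / RunOnce keys for the machine and the current user.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object {
                $results += [PSCustomObject]@{ Source = "Registry:$key\$($_.Name)"; Command = $_.Value }
            }
    }

    # 3. Startup folders (per-user and all-users).
    foreach ($folder in @([Environment]::GetFolderPath('Startup'),
                          [Environment]::GetFolderPath('CommonStartup'))) {
        Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue | ForEach-Object {
            $results += [PSCustomObject]@{ Source = "Startup:$folder"; Command = $_.FullName }
        }
    }

    # 4. Winlogon Shell/Userinit values, which the reply above notes trojans hijack.
    $winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $results += [PSCustomObject]@{ Source = 'Winlogon:Shell';    Command = $winlogon.Shell }
    $results += [PSCustomObject]@{ Source = 'Winlogon:Userinit'; Command = $winlogon.Userinit }

    # 5. Processes currently running from the roaming AppData folder.
    Get-Process | Where-Object { $_.Path -like "$env:APPDATA\*" } | ForEach-Object {
        $results += [PSCustomObject]@{ Source = "Process:$($_.Id)"; Command = $_.Path }
    }

    $results
}

"== Defender exclusions not in your known-good list =="
Get-SuspectDefenderExclusions -KnownGood $KnownGoodExclusions
"== Defender configuration changes touching exclusions (event 5007) =="
Get-DefenderExclusionChanges | Format-List
"== Persistence entries and AppData processes to review =="
Get-PersistenceEntries | Format-Table -AutoSize

# Remove an exclusion only after confirming it is not one of yours, e.g.:
# Remove-MpPreference -ExclusionPath "$env:APPDATA"
```

Anything the first section prints that you did not add yourself is the kind of entry the original poster found; the event 5007 timestamps tell you whether it was added before or after the firewall was installed, which bounds the window in which data could have left the machine. The persistence table is for manual review, since legitimate software also lives in Run keys and scheduled tasks; the entries to chase are those whose command points into a user-writable folder such as AppData\Roaming, and a process that comes back minutes after being killed will have a matching task or key in that table.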
 
If you've got an Nvidia card it will be linking into CUDA. Also, the work file is a PK; it's a zipped EXE file which contains AMD GPU-specific code and a large amount of plain old C, which itself appears to be the source to the coin miner. Enjoy :)
 

Attachments

  • coin_miner.txt (297.5 KB)