Page 1 of 2 |
Posted: Sat, 16th Feb 2013 06:46 Post subject: iehighutil.exe - What the fuck is this?
Noticed a process running the other day - iehighutil.exe.
Open file location on the process throws me to C:\Temporary inside which is an empty folder named Bitstreams and the file poclbm121016GeForce GTX 460gv1w256l4.bin. The file name seems to say it's video card related, but I've never seen it before.
The whole reason I spotted it was because my 460's seemed to be stuck in 100% utilization on the desktop for some damned reason, and I think whatever this thing is is the cause, as when I kill it they go back to normal.
Google yields no results aside from this is some new process. Anti-virus and TDSSKiller show up clean, but it still concerns me as I don't know how the fuck it got there. Any ideas?
I can never be free, because the shackles I wear can't be touched or be seen.
i9-9900k, MSI MPG-Z390 Gaming Pro Carbon, 32GB DDR4 @ 3000, eVGA GTX 1080 DT, Samsung 970 EVO Plus nVME 1TB
Frant
King's Bounty
Posts: 24446
Location: Your Mom
Posted: Sat, 16th Feb 2013 07:12
poclbm121016GeForce GTX 460gv1w256l4.bin unless it's a trojan using poclbm. I'll check my temp-folder to see if I have the equivalent for my 7950: nope, didn't find such a file. You may use a different client, I use Guiminer. Other clients may give different results. If you've never mined for bitcoins you should become a little worried. Someone may have installed a bitcoin miner without your knowing about it, making bitcoins from your PC and 460 working 100%. You'd better check your startup folder, services and run-subfolder in the registry.
poclbm = OpenCL working engine for bitcoin mining, using the shaders to work on hashes to find bitcoins (online money/currency).
Regarding iehighutil, are you running Win8?
Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn!
"Thank you to God for making me an Atheist" - Ricky Gervais
Posted: Sat, 16th Feb 2013 07:17
I'm running Windows 7, and I've never mined for bit-coins.
I killed the process via msconfig, and it doesn't seem to restart itself. Strange that neither AVG, Kaspersky's TDSS Killer, or Malware Bytes pick this up.
I've scanned that .bin file directly several times and it shows clean. I also ran it through Virustotal, which showed clean as well. I don't see any strange entries under Services in msconfig. I checked Windows/CurrentVers/Run via Regedit and don't see anything out of place there either.
Not sure how I should go about combating it if nothing can pick it up and I can't find where to start. Any ideas?
I can never be free, because the shackles I wear can't be touched or be seen.
i9-9900k, MSI MPG-Z390 Gaming Pro Carbon, 32GB DDR4 @ 3000, eVGA GTX 1080 DT, Samsung 970 EVO Plus nVME 1TB
Posted: Sat, 16th Feb 2013 18:51
Google tells me the only information on this file is in the first search result, which happens to be this website lol 
Posted: Sat, 16th Feb 2013 19:43
As Frant said, there are viruses out there which use your GPU for bitcoin mining while your computer is not under load; sometimes they don't even utilize the GPU 100%, so as not to make it so apparent that something is using the GPU. I'm not saying that this is the case here, but you should check for viruses and monitor whether this process starts again.
Posted: Sun, 17th Feb 2013 01:20
Send the file to all the AV's so they can look at it.
Frant
King's Bounty
Posts: 24446
Location: Your Mom
Posted: Sun, 17th Feb 2013 02:25
Immunity wrote: | I'm running Windows 7, and I've never mined for bit-coins.
I killed the process via msconfig, and it doesn't seem to restart itself. Strange that neither AVG, Kaspersky's TDSS Killer, or Malware Bytes pick this up.
I've scanned that .bin file directly several times and it shows clean. I also ran it through Virustotal, which showed clean as well. I don't see any strange entries under Services in msconfig. I checked Windows/CurrentVers/Run via Regedit and don't see anything out of place there either.
Not sure how I should go about combating it if nothing can pick it up and I can't find where to start. Any ideas? |
No bitcoin files would ever fail an antivirus test since it's legit software. The question is who put it there and how. It could be a one-time virus/trojan installing the client, setting it to start, then deleting itself to avoid detection, and there you are, stuck with bitmining for someone else, i.e. you've made money for someone else. How much is impossible to tell unless you know fairly how long it's been running and the average time/speed your GPU has calculated the hashes, an impossible thing to find out now (and not particularly interesting).
Clever people out there though, abusing other people's computers to generate bitcoins "legally" in a sense, except for the subterfuge of getting it into your system to begin with.
Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn!
"Thank you to God for making me an Atheist" - Ricky Gervais
Posted: Sun, 17th Feb 2013 02:56
Frant wrote: | Immunity wrote: | I'm running Windows 7, and I've never mined for bit-coins.
I killed the process via msconfig, and it doesn't seem to restart itself. Strange that neither AVG, Kaspersky's TDSS Killer, or Malware Bytes pick this up.
I've scanned that .bin file directly several times and it shows clean. I also ran it through Virustotal, which showed clean as well. I don't see any strange entries under Services in msconfig. I checked Windows/CurrentVers/Run via Regedit and don't see anything out of place there either.
Not sure how I should go about combating it if nothing can pick it up and I can't find where to start. Any ideas? |
No bitcoin files would ever fail an antivirus test since it's legit software. The question is who put it there and how. It could be a one-time virus/trojan installing the client, setting it to start, then deleting itself to avoid detection, and there you are, stuck with bitmining for someone else, i.e. you've made money for someone else. How much is impossible to tell unless you know fairly how long it's been running and the average time/speed your GPU has calculated the hashes, an impossible thing to find out now (and not particularly interesting).
Clever people out there though, abusing other people's computers to generate bitcoins "legally" in a sense, except for the subterfuge of getting it into your system to begin with. |
The temp dir it was in was created on February 12th, so it was only a couple of days max. And the actual time running had to be minimal at best - I run with an open case so notice when my fans spin up when they're not supposed to.
Anyway, guess I got it sorted more or less. I'm overdue for a format anyway so no big deal. Crafty little fuckers though being able to slip it through in the first place. Fair play to them I suppose.
Anyway, thanks for the help all.
I can never be free, because the shackles I wear can't be touched or be seen.
i9-9900k, MSI MPG-Z390 Gaming Pro Carbon, 32GB DDR4 @ 3000, eVGA GTX 1080 DT, Samsung 970 EVO Plus nVME 1TB
Posted: Sun, 17th Feb 2013 11:09 Post subject: I have left.
Frant
King's Bounty
Posts: 24446
Location: Your Mom
Posted: Mon, 18th Feb 2013 01:06
Uninstall Java. It's a new virus/trojan using Java exploits to run bitcoin miners on your computers. If this thing has spread someone is making a shitload of bitcoins (cash) on thousands of PCs with Java installed, something that installed itself or through some page (free porn probably) you visited.
Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn!
"Thank you to God for making me an Atheist" - Ricky Gervais
Posted: Mon, 18th Feb 2013 03:55
Frant wrote: | Uninstall Java. It's a new virus/trojan using Java exploits to run bitcoin miners on your computers. If this thing has spread someone is making a shitload of bitcoins (cash) on thousands of PCs with Java installed, something that installed itself or through some page (free porn probably) you visited. |
Is it Java or Javascript that's the issue?
Under Java I've got the "Enable Java Content in Browser" unchecked.
If I disable Javascript itself via Firefox a lot of pages that use it are fucked (Newegg, YT embeds on this site etc. etc.).
I tend to use JDownloader a lot as well, so uninstalling the 32bit Java itself isn't really an option.
Just reformatted, so if I fucking snag this thing again I'm going to be PISSED. 
I can never be free, because the shackles I wear can't be touched or be seen.
i9-9900k, MSI MPG-Z390 Gaming Pro Carbon, 32GB DDR4 @ 3000, eVGA GTX 1080 DT, Samsung 970 EVO Plus nVME 1TB
Frant
King's Bounty
Posts: 24446
Location: Your Mom
Posted: Mon, 18th Feb 2013 04:18
It's Java, not JavaScript.
Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn!
"Thank you to God for making me an Atheist" - Ricky Gervais
Grale
Banned
Posts: 3321
Location: Invert
Posted: Sat, 23rd Feb 2013 18:18
How do I get rid of this thing? It keeps coming back. I don't have Java installed. Every reboot I get the Temporary folder as Jones above!
Found a program 'setupfolder 1' under programs so uninstalled that, see what happens now.
EDIT: It's Reloaded's Crysis 3 installer. It fails to install and instead installs this crap every time. Has no one else come across this?
VonMisk
Posts: 9421
Location: Hatredland
Posted: Sat, 23rd Feb 2013 20:26
Grale wrote: | How do I get rid of this thing? It keeps coming back. I don't have Java installed. Every reboot I get the Temporary folder as Jones above!
Found a program 'setupfolder 1' under programs so uninstalled that, see what happens now.
EDIT: It's Reloaded's Crysis 3 installer. It fails to install and instead installs this crap every time. Has no one else come across this? |
Kill the process in task manager, delete temporary folder on C:\. Restart computer.
Also delete any related registry keys ig.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
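The places Frant and VonMisk point at (the Run keys, the startup folder, services) plus scheduled tasks and the dropped folder itself, walked by one script. This is an added triage script written for this thread, not something anyone in it posted. It assumes only the indicators the posts name (iehighutil.exe, C:\Temporary, a poclbm*.bin kernel) and PowerShell 3.0 or later; it reports and deletes nothing, so every hit can be reviewed before it is removed.

```powershell
# Added triage script for this thread (not code posted by anyone in it).
# Assumptions: the indicators named in the posts (iehighutil.exe, C:\Temporary,
# a poclbm*.bin kernel) and PowerShell 3.0 or later. It only reports; nothing
# is killed or deleted, so each hit can be checked before acting on it.
$IndicatorProcess = 'iehighutil.exe'
$IndicatorStrings = @('C:\Temporary', 'iehighutil', 'poclbm')

function Test-Indicator([string]$Text) {
    # True when the text mentions any indicator string (-like is case-insensitive)
    foreach ($s in $IndicatorStrings) { if ($Text -like "*$s*") { return $true } }
    return $false
}

function Write-Hit([string]$Check, [string]$Location, [string]$Value) {
    [pscustomobject]@{ Check = $Check; Location = $Location; Value = $Value }
}

# 1. Is the miner running now, and which process launched it? The parent name is
#    the first clue to the dropper (an installer, a browser, a Java process ...).
foreach ($p in (Get-CimInstance Win32_Process -Filter "Name = '$IndicatorProcess'")) {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    Write-Hit 'Running process' "PID $($p.ProcessId), parent: $($parent.Name)" "$($p.ExecutablePath) $($p.CommandLine)"
}

# 2. Run / RunOnce keys for the current user and the machine (the key VonMisk
#    names, plus the HKLM and RunOnce variants that msconfig's view can miss).
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSParentPath entries
        if (Test-Indicator $prop.Value) { Write-Hit 'Run key' "$key\$($prop.Name)" $prop.Value }
    }
}

# 3. Startup folders (per-user and all-users): list everything, any file here is worth a look.
foreach ($folder in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($folder)
    foreach ($f in (Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue)) {
        Write-Hit 'Startup folder' $f.FullName "created $($f.CreationTime)"
    }
}

# 4. Services whose binary path points at the indicators.
foreach ($svc in (Get-CimInstance Win32_Service)) {
    if (Test-Indicator $svc.PathName) { Write-Hit 'Service' $svc.Name $svc.PathName }
}

# 5. Scheduled tasks. schtasks.exe also works on Windows 7, where Get-ScheduledTask
#    is not available; the verbose CSV carries the command in its "Task To Run" column.
foreach ($task in (schtasks.exe /query /v /fo CSV | ConvertFrom-Csv)) {
    if (Test-Indicator $task.'Task To Run') { Write-Hit 'Scheduled task' $task.TaskName $task.'Task To Run' }
}

# 6. The dropped folder itself. Its creation time dates the infection, which is how
#    the original poster bounded how long the miner could have been running.
if (Test-Path 'C:\Temporary') {
    foreach ($f in (Get-ChildItem 'C:\Temporary' -Recurse -Force)) {
        Write-Hit 'Dropped file' $f.FullName "created $($f.CreationTime), $($f.Length) bytes"
    }
}
```

Run it from an elevated PowerShell prompt so the HKLM keys, all-user startup folder and every user's tasks are readable. A hit only means an entry mentions one of the strings from this thread; the parent process and the creation timestamps are what tell you where it came from and how long it has been there.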
Posted: Sat, 23rd Feb 2013 21:35
Grale wrote: | EDIT: It's Reloaded's Crysis 3 installer. It fails to install and instead installs this crap every time. Has no one else come across this? |
Well, it's not specifically RLD's fault. It's become a practice to put the bitcoin 'virus' within various game releases. Someone along the distributive line to your preferred place of download has put it in there.
Use Malwarebytes to clean it up. It will detect all folders that it's spread into, including memory processes and start-up entries.
Grale
Banned
Posts: 3321
Location: Invert
Posted: Sat, 23rd Feb 2013 22:02
No it's my fault for downloading it from a newbin pro search. Never downloaded a major release this way and never will again! Just bought newbin pro and was trying out the search system.
Malwarebytes never picked anything up with this one, just had to manually remove all traces of the fucker.
MSI X570 Tomahawk |Corsair Vengeance LPX 32gb 3600mhz | Ryzen 5800X3D | EKWB Watercooling | Seasonic Focus GX 850 Gold PSU | 4090 Founders | Predator X34P UW curved monitor | Window Pro 10 x64
Posted: Mon, 25th Feb 2013 21:05
Just out of curiosity, does anyone know whether the latest Java Update 15 fixed this exploit?
I can never be free, because the shackles I wear can't be touched or be seen.
i9-9900k, MSI MPG-Z390 Gaming Pro Carbon, 32GB DDR4 @ 3000, eVGA GTX 1080 DT, Samsung 970 EVO Plus nVME 1TB
[sYn]
[Moderator] Elitist
Posts: 8374
Posted: Tue, 26th Feb 2013 20:55
The Java exploit and the infected installers are two separate methods of spreading this "malware". Java update 15 has patched the 0day that has been rampant since December. As for tainted processes, be careful what you install and if in doubt run the exe within a sandbox such as Sandboxie (this won't work for installers which are used to bootstrap the real install process, but will for keygens etc.).
Posted: Tue, 26th Feb 2013 21:00
Double-=V=- wrote: | Always upload downloads from untrusted/unknown sources to Virustotal. For games it's better to use a nzb download site with comments /sig posters, instead a random searching on binsearch. |
Well, I used to use nzbs.org but that was recently taken down, and also nzbsrus but that went VIP only, and I rarely download much anymore, hence why I just quickly searched binsearch, but yeah, won't be using that anymore.
[sYn]
[Moderator] Elitist
Posts: 8374
Posted: Wed, 27th Feb 2013 00:16
"I started the install - didn't work" <-- Infected. Never trust installers these days. This is why I no longer pirate games, not worth the hassle.
[sYn]
[Moderator] Elitist
Posts: 8374
Posted: Wed, 27th Feb 2013 00:57
You don't need to remove Java, just keep it updated and stop applets loading within browsers.