Bitcoin Forum

Other => Beginners & Help => Topic started by: tobindax on September 17, 2011, 01:03:01 PM



Title: I think I'm being attacked by unauthorized mining. Please help me identify it.
Post by: tobindax on September 17, 2011, 01:03:01 PM
I get on process explorer, once in a while, even after I kill it, almost 100% CPU time by an iexplore.exe process. Process explorer identifies it (fully) as ""C:\Program Files (x86)\Internet Explorer\bin\iexplore.exe" -a 1 -o http://mining.eligius.st:80 -u 1JLE6hkA8QbD64G8ZknbH6HT9orWQ7dKB3 -p pass"

I will not pretend I know what bitcoin is exactly. I just learned a bit about it 10 minutes ago. I have never used or tried to use bitcoin before finding out about this process.

Please help to identify what is going on or at least remove it from re-running itself. Apparently my antiviruses don't find it.


Title: Re: I think I'm being attacked by unauthorized mining. Please help me identify it.
Post by: MrWizard on September 17, 2011, 01:47:16 PM
> I get on process explorer, once in a while, even after I kill it, almost 100% CPU time by an iexplore.exe process. Process explorer identifies it (fully) as ""C:\Program Files (x86)\Internet Explorer\bin\iexplore.exe" -a 1 -o http://mining.eligius.st:80 -u 1JLE6hkA8QbD64G8ZknbH6HT9orWQ7dKB3 -p pass"
>
> I will not pretend I know what bitcoin is exactly. I just learned a brief about it 10 minutes ago. I have never used or tried to use bitcoin before finding out this process.
>
> Please help to identify what is going on or at least remove it from re-running itself. Apparently my antiviruses don't find it.

You definitely have been hit by a bitcoin virus, botnet, or worm.  There is a chance that the following tool from Kaspersky Labs might help:

http://support.kaspersky.com/viruses/solutions?qid=208280684


Title: Re: I think I'm being attacked by unauthorized mining. Please help me identify it.
Post by: BookLover on September 17, 2011, 02:05:34 PM
I don't know a lot about this kind of thing myself, but unless eligius promotes bot-net use, you should be able to contact the pool owner and tell him to ban the miner from his pool.

P.S. This is just a temporary fix until you can figure out how to get rid of it.  This fix will only render the miner useless until someone changes the setting so it can mine again.


Title: Re: I think I'm being attacked by unauthorized mining. Please help me identify it.
Post by: Gabi on September 17, 2011, 02:10:22 PM
Congratulations, you got a virus...


Title: Re: I think I'm being attacked by unauthorized mining. Please help me identify it.
Post by: casascius on September 17, 2011, 02:14:45 PM
I don't think the real Internet Explorer resides in a folder called "bin". The whole iexplore.exe binary is probably the miner named to look like IE.

We won't necessarily know how to kill it off. The normal legitimate miner doesn't behave like a virus but it is open source, so virus writers are able to include it in their payloads and modify what it does. The whole restarting after you kill it is something definitely added in.
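Added example, not code from this thread or from any of its posters: a small Python triage script that applies the two checks raised above to a process listing. It flags a process whose image name is a well-known system binary (iexplore.exe, svchost.exe) but whose directory is not where that binary is installed, and a command line that carries pool-miner arguments (-o pool URL, -u worker, -p password), noting when the worker name is itself a Bitcoin address. The tab-separated line format, the svchost.exe entries and pool.example are constructed for the example; the flagged iexplore.exe line reproduces the command line from the opening post.

```python
"""Triage a process listing for pool miners hiding behind a system binary's name.

Added example. Input lines are "<pid>\t<image path>\t<command line>", the columns
Process Explorer shows; the sample listing below is constructed, except for the
iexplore.exe command line quoted in the opening post.
"""
import ntpath
import re
from dataclasses import dataclass, field

# Directories where these binaries legitimately live on 64-bit Windows
# (assumption: default install locations; extend per environment).
EXPECTED_DIRS = {
    "iexplore.exe": {
        r"c:\program files\internet explorer",
        r"c:\program files (x86)\internet explorer",
    },
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

# Pool-miner style arguments: -o <pool url>, -u <worker>.  Host captured for reporting.
POOL_URL = re.compile(r"(?:^|\s)-o\s+(?:stratum\+tcp|https?)://([\w.-]+)(?::(\d+))?", re.I)
WORKER = re.compile(r"(?:^|\s)-u\s+(\S+)", re.I)
# Legacy (P2PKH/P2SH) Bitcoin address: base58, 26-35 chars, starts with 1 or 3.
BTC_ADDR = re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$")


@dataclass
class Finding:
    pid: int
    image: str
    reasons: list = field(default_factory=list)
    pool: str = ""
    worker: str = ""


def parse_line(line: str):
    pid, image, cmdline = line.rstrip("\n").split("\t", 2)
    return int(pid), image, cmdline


def triage(line: str) -> Finding:
    """Return a Finding; an empty `reasons` list means nothing suspicious was seen."""
    pid, image, cmdline = parse_line(line)
    f = Finding(pid, image)
    name = ntpath.basename(image).lower()
    parent = ntpath.dirname(image).lower()

    # Check 1: known system binary name, unexpected directory (e.g. an extra "bin\").
    if name in EXPECTED_DIRS and parent not in EXPECTED_DIRS[name]:
        f.reasons.append(f"{name} running from unexpected directory {parent!r}")

    # Check 2: command line looks like a pool miner.
    m = POOL_URL.search(cmdline)
    if m:
        f.pool = m.group(1)
        f.reasons.append(f"pool-miner style -o URL pointing at {f.pool}")
    w = WORKER.search(cmdline)
    if w:
        f.worker = w.group(1)
        if BTC_ADDR.match(f.worker):
            f.reasons.append("worker name is a Bitcoin address (payout goes to whoever planted it)")
    return f


def suspicious(lines):
    return [f for f in map(triage, lines) if f.reasons]


# Constructed listing: two benign processes, two miners.  Line 2 is the opening post's process.
SAMPLE = [
    "4120\tC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\t"
    "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" -nohome",
    "5332\tC:\\Program Files (x86)\\Internet Explorer\\bin\\iexplore.exe\t"
    "\"C:\\Program Files (x86)\\Internet Explorer\\bin\\iexplore.exe\" -a 1 "
    "-o http://mining.eligius.st:80 -u 1JLE6hkA8QbD64G8ZknbH6HT9orWQ7dKB3 -p pass",
    "880\tC:\\Windows\\System32\\svchost.exe\tC:\\Windows\\System32\\svchost.exe -k netsvcs",
    "6012\tC:\\Users\\Public\\svchost.exe\t"
    "svchost.exe -o stratum+tcp://pool.example:3333 -u worker1 -p x",
]

if __name__ == "__main__":
    for f in suspicious(SAMPLE):
        print(f"PID {f.pid}: {f.image}")
        for r in f.reasons:
            print(f"    - {r}")
```

On a live Windows box the same three columns come from `Get-CimInstance Win32_Process | Select-Object ProcessId, ExecutablePath, CommandLine`. Note what these heuristics do not catch: the launcher that respawns the miner after it is killed runs without pool arguments, so once the miner is flagged, look at its parent process and at whatever starts that parent at boot rather than stopping at the miner itself.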


Title: Re: I think I'm being attacked by unauthorized mining. Please help me identify it.
Post by: tobindax on September 17, 2011, 02:29:19 PM
 :) ;)
I identified it with the help of user Red_Wolf_2 in IRC channel of Eligius.

It appears to be a "bitcoin-miner 0.20  Copyright (c) 2011 Ufasoft" in ./bin/iexplore.exe

and something that does not return anything in ./src/iexplore.exe

the 2nd one is probably a launcher. maybe running dormant.


I have a zip file with them if anyone is interested. Send me an email etc.

That user in that IRC channel already has it.


--

Ah, Yahoo email identified an unpassworded zip with them as a virus, but both Avira and Malwarebytes Anti-Malware do not detect them.

--

They required some ninja moves in cmd to make the folders and files visible for copying.

--

I removed those files, and dirs, and I suppose it won't come back. If it does come back, tough, I guess they might have a "parent creator" (rare).

--

If I'm gone and you can't find me for those files, that user I mentioned may have them. Last I heard he identified the ./src file as being in .Net.


Title: Re: I think I'm being attacked by unauthorized mining. Please help me identify it.
Post by: Luke-Jr on September 17, 2011, 04:07:17 PM
Feel free to try to shut down the botnet. I suggest reporting it to your local authorities. In most jurisdictions, computer intrusion is a crime and the operator can go to jail. Please feel free to pass on my email to any authorities with an offer to provide assistance in any way I can.

As for blocking it at Eligius (which I operate), there is not much I can do. I could certainly block the address, but the botnet operator could easily change to another unidentified one. I figure it's better to leave the identified botnet address functional than to have it unidentified. Plus, banning a botnet would be like asking for another DDoS; I have enough of those to deal with already without inviting them.


Title: Re: I think I'm being attacked by unauthorized mining. Please help me identify it.
Post by: Alex Fenner on September 17, 2011, 07:11:31 PM
Good luck to you buddy


Title: Re: I think I'm being attacked by unauthorized mining. Please help me identify it.
Post by: deslok on September 17, 2011, 07:41:07 PM
OK, you could kill the process, rename the .exe to .old and see if it comes back after a reboot. You're on 64-bit Windows from that; are you running XP, Vista or 7?


Title: Re: I think I'm being attacked by unauthorized mining. Please help me identify it.
Post by: Alex Fenner on September 17, 2011, 08:20:08 PM
What OS do you have?


Title: Re: I think I'm being attacked by unauthorized mining. Please help me identify it.
Post by: tobindax on September 18, 2011, 04:02:34 PM
The files were just deleted and they don't appear to come back. Any other serious investigation will probably need someone to investigate the files.


Title: Re: I think I'm being attacked by unauthorized mining. Please help me identify it.
Post by: Luke-Jr on September 18, 2011, 05:14:23 PM
> Did the pool shutdown this virus mining user account?
We don't have user accounts.