JS:Miner-C

Viruses and worms
1

Avast is constantly sending messages of blocked infection of a trojan called JS:Miner-C. I tried to clean my MAC 3 times with avast and messages continue appearing.

Is my computer infected? What can I do?

Thank you

2

Post screenshot of Avast popup message

3

Mine happens as well. Here’s an screenshoot of it (macOS)

4

Detection seems to be correct

URL blacklist check > traffic.adxprts.com/tpb/na/728x90/m.js
https://www.virustotal.com/#/url/f1ba6b71bb297654de88c95ec9f8b5af3c994343e35b67ebbc07ac38e8cfbcce/detection

Java script file scan > traffic.adxprts.com/tpb/na/728x90/m.js
https://www.virustotal.com/#/file/67c0907af5d865753dfe9d74309005a3f215e5130cfd6d756702fd9a95775354/detection

5

This means that the JS you are trying to download is mining coins. Nothing to be worried about, Avast’s got your back ;). I wouldn’t visit the websites that trigger this popup though!

6

I am constantly getting the same message, but it lists is as JS:Miner-C [Trj] and the url is a google page (I am using Chrome and going to Google.com) hxxps://clients2.googleusercontent[.]com/crx/blobs/QgAAAC6zw0qH2DJtnXe8Z7rUJP0uaFhXpD7ZTt35XjX_R_SGx37EYuHnk_cl6B4R06pCQir8AVQ_bwJM-TETzp53TaEw2owsmx_Pi2j1qz_FZwesAMZSmuU5aJdYisrxGZyoSzyMwg7Uu1d5cQ/extension_4_2_5.crx. I have searched for extension_4_2_5.crx with no luck.

7
I have searched for [b]extension_4_2_5.crx [/b]with no luck.
@foley Detection seems correct https://www.virustotal.com/#/file/c6817811da485aa9cab3f5891da1d4a046dde94b81d6170c94636582f90ac060/detection

OBS: edit your post and make the malicious link unclikable to avoid accidental clicking

8

For future reference, NEVER post live links for any suspected file or website.
Thanks

9

https://blog.avast.com/ladies-and-gentlemen-prepare-your-cpu-web-browser-mining-is-coming

10

Every hour or so I get the attached warning from Avast that JS:Miner-C has been blocked. This happens after I’ve clear all browser history and cookies. I simply open Chrome and this warning comes up. I’m not going to any websites.

I re-downloaded my Chrome Browser Version 62.0.3202.62 (Official Build) (64-bit) on my Mac OSX 10.11.6.

I’m still getting this warning from Avast and this happens before I go to any websites.

How can I find out where this file is on my computer??

thanks

11
How can I find out where this file is on my computer??
What does the popup from avast say? ..... post a screenshot
12

I’ve also been getting this from one particular site and I’m curious about how dangerous it actually is. Avast says that the coinhive site is infected with this Trojan. I’ve found other sites where it’s described as a very serious trojan. Are the people writing for those sites talking bs?
http://quickremovevirus.com/methods-to-remove-jsminer-c-completely/
http://computerfixguide.com/how-to-remove-jsminer-c-effectively-windows-os-and-mac-os/

13

INFO :wink:

Coinhive Is Rapidly Becoming a Favorite Tool Among Malware Devs
https://www.bleepingcomputer.com/news/security/coinhive-is-rapidly-becoming-a-favorite-tool-among-malware-devs/

Drive-by mining and ads: The Wild Wild West
https://blog.malwarebytes.com/threat-analysis/2017/09/drive-by-mining-and-ads-the-wild-wild-west/

Hacked Websites Mine Cryptocurrencies
https://blog.sucuri.net/2017/09/hacked-websites-mine-crypocurrencies.html

14

Thank you. After reading this I wasn’t sure what all the fuss was about.

15

If it is only a mining script (which the name also suggests)… Why is it, that when you google “JS:Miner-C” you get results like:

https://www.fortiguard.com/encyclopedia/virus/7526385
“JS/Miner.C!tr is classified as a trojan.”

http://computerfixguide.com/how-to-remove-jsminer-c-effectively-windows-os-and-mac-os/
“JS:Miner-C is an dangerous Trojan Horse that invades Windows and MAC machines silently and opens backdoor for Adware or PUP.”

http://greatis.com/blog/howto/remove-jsminer-c.htm
“JS:MINER-C causes the great problems for you, such as replacing your browser starting page with malicious one, browser search redirecting, changing security settings and allowing popup advertisements to show up.”

http://quickremovevirus.com/methods-to-remove-jsminer-c-completely/
“JS:Miner-C is a Trojan and its danger index can ranked as severe. you should delete JS:Miner-C as soon as possible, especially before the tragedy happened.”

http://getridofmalware.removemalwares.com/jsminer-c-deletion-effective-way-to-uninstall-jsminer-c-manually
“Somehow, the virus can also encrypt your files if you do not get rid of it immediately. Even, the virus may ask you to pay ransom to anonymous hackers.”

These are sites making different claims. Any explanation for this?

Javascript (assumed that’s what virusscanners refer to by “js”) can only instruct the browser-window that runs the script in a very limited way (for safety purposes). In other words, JS itself can only play by the browser’s rules. AFAIK, when only javascript is involved, only an undiscovered exploit in a browser could lead to problems as big as described by these sites.
So, why would they publish this information?

16

You should learn to avoid sponsored links.
Almost any malware search you will have results that recomend Spyhunter, they have spammed the entire Internet with ads. Only your first link is good

Anyway I am not sure I understand what you think is a problem here?

17

Lol, good information on the first link? “JS/Miner.C!tr is classified as a trojan”.
Look, I know the web is full of crap, but it is not about whether these links are picked out good or not by me, these sites are the first to show up in Google and are not advertisements. It is rather concerning that this incorrect/misleading information is in Google’s top results.

18

Why is it wrong to classify it as a trojan?

19

It’s only an innocent script man. It does not infect your computer, it only uses some extra CPU while the site is open.
A trojan typically infects your computer in order to open a backdoor for a ‘hacker’ in order to gain control/access.

Seems AVG pretty much agrees:
https://www.avg.com/en/signal/what-is-a-trojan

Personally I would be careful with these definitions, but antivirus companies also need to make a living I guess.

20
It's only an innocent script man. It does not infect your computer, it only uses some extra CPU while the site is open.
Innocent or not, if the script say it is one thing but does something else (disguised) then i guess it qualify as a trojan. Some vendors call it riskware

If you dont know, avast and AVG now use same detection name >> https://blog.avast.com/avast-and-avg-become-one

The naming of malware is quite complicated

A New Virus Naming Convention
http://www.caro.org/articles/naming.html

Naming malware
https://www.microsoft.com/en-us/wdsi/help/malware-naming

A Virus by Any Other Name: Virus Naming Practices
https://www.symantec.com/connect/articles/virus-any-other-name-virus-naming-practices

from the last link, scroll down to > Where Do the Names Come From? but i recomend reading it all as it explains lots