JS:Miner-S

Hello,
Avast blocks one site and marks it as JS:Miner-S. Although I know there is a Coinhive miner on that site, I use uBlock Origin to block it. So why does Avast detect it? Is it some new version that uBlock does not block?
Before that it was Miner C, now it is S; what is the difference?
Thank you.

Hi,
Yes, detection JS:Miner-S blocks new coinhive scripts.

Lukas

Avast blocks one site and marks it as JS:Miner-S. Although I know there is a Coinhive miner on that site, I use uBlock Origin to block it. So why does Avast detect it? Is it some new version that uBlock does not block?
Maybe, or the Avast Web Shield reads the HTML code before uBlock.
Before that it was Miner C, now it is S; what is the difference?
Just like cars, there are many variations and they don't all come from the same factory ;)

https://www.fortinet.com/blog/threat-research/the-growing-trend-of-coin-miner-javascript-infection.html

So I found that Avast detects the miner when I visit that site and tells me a miner was found. The strange thing is that when I look at what file was blocked, it does not block one JavaScript file; it blocks the URL of that page, not a file.
Also, the Coinhive script is blocked by uBlock Origin; if I disable it, Avast detects Miner C.
So I don't understand what version S means. It does not block any single file. It seems Avast is trying to block known mining sites, but that site works even though Avast tried to block it.

https://urlquery.net/report/1fef71de-7294-4882-b5d0-5af3dda68faa

They may also add a URL block … double protection

What URL is it? Post it non-clickable.

Sucuri >> https://sitecheck.sucuri.net/results/primeassteens.com

Malware entry: malware.cryptominer.3 >> http://labs.sucuri.net/db/malware/malware.cryptominer.3

HTML_sample scan >> https://www.virustotal.com/#/file/7da3ba6dd20d61ccb18bfb9785b5280890db417770401efd596fa0103b556d1a/detection

Sample.txt? I still don't understand what triggers this popup.

Website is infected with miner script … what is strange?

Post a screenshot of the popup.

I know that! coinhive.com/lib/coinhive.min.js is Miner C. But where did you find the S version? In which file?

primeassteens.com >> HTML code

OK, I removed coinhive.com/lib/coinhive.min.js from that HTML code, tried VirusTotal again and now it is clean. So it is just two detections of that same file.

The .js file at that location changes; you can find many previous versions (different MD5) by searching VT.

Yes, it is possible, but if I go to that site without uBlock, Avast reports 2 detections: one C version, which marked the .js file, and one S version, which marked the HTML code. But when I block that .js file with uBlock, Avast still reports the S version to me, even though the miner cannot work without that .js.

I found that this script triggers the S version:
(script)
var miner = new C o i n H i v e. A n o n y m o u s(‘XXXXXXXXXXXXXXXXXXXXXXXXX’, {
// threads: X,
throttle: X,
});
miner.start();
(/script)

Today I no longer see the JS:Miner-S detection on that site, although that code is still present. I saved the HTML code to a .txt file and sent it to VirusTotal, and also right-clicked that file → scan by Avast. Both detect JS:Miner-S, but the Web Shield does not. When I copied that code here, Avast detected it too. Does that mean this code is whitelisted on that site?
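The two triggers discussed in the posts above (the external library file and the inline loader in the page HTML), shown as an added example that is not part of the original thread and is not Avast's signature logic. The regexes, the `scan` helper, the `blocked_hosts` model of a content blocker and the sample page are all assumptions made for illustration:

```python
import re
from html.parser import HTMLParser

# Constructed sample modelled on the snippet quoted in the thread; the key is a placeholder.
SAMPLE_HTML = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
</head><body>
<script>
var miner = new CoinHive.Anonymous('PLACEHOLDER_SITE_KEY', {throttle: 0.5});
miner.start();
</script>
</body></html>"""

LIB_RE = re.compile(r"coinhive(\.min)?\.js", re.I)  # external library URL
INLINE_RE = re.compile(r"new\s+CoinHive\s*\.\s*(Anonymous|User)\s*\(")  # inline loader

class MinerScan(HTMLParser):
    """Collects (kind, detail) findings from <script> tags (hypothetical helper)."""
    def __init__(self):
        super().__init__()
        self.findings, self._buf, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script, self._buf = True, []
            src = dict(attrs).get("src") or ""
            if LIB_RE.search(src):
                self.findings.append(("external-library", src))

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            if INLINE_RE.search("".join(self._buf)):
                self.findings.append(("inline-loader", "page HTML"))

def scan(html, blocked_hosts=()):
    """Return finding kinds; blocked_hosts models a content blocker's host list."""
    parser = MinerScan()
    parser.feed(html)
    parser.close()
    # A blocked request means the library is never fetched; findings in the page's own HTML remain.
    return [k for k, d in parser.findings
            if not (k == "external-library" and any(h in d for h in blocked_hosts))]
```

With `blocked_hosts=("coinhive.com",)` only the inline loader is still reported, which matches the behaviour described in the thread: blocking the library request does not remove the loader from the HTML that a web scanner inspects.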

Hello.

Script is contaminated by all links from primeassteens, not only homepage.

https://www.virustotal.com/#/file/b1a6d6d809bb0ed2c98c286cbc8b36fa0366b2a051cbb384e179685415dbea51/detection

Avast detected JS:Miner-S blocked is all, if this is not for, the address will connect to the server coinhive as authedmine unnoticed by the user and download i.e. 2 variants.

worker-asmjs.min.js

https://www.virustotal.com/#/file/ee374ae08f22d91a92cfcf6b9d8b4cccfd0d57016e9d8fd3af9fbdbd36781b38/detection

coinhive.min[1].js

https://www.virustotal.com/#/file/5d514880ad502302dd4bf0ef8da5d38356385d1c43689f6739f6771ed7a4ef73/detection

JS Miner-C contained the known code Cryptojacking that used, it was modified with a new variant in the site of the coinhive, it is detected as BV:Miner-T [Trj] algorithm new CryptoNight.

Hello all!

I have had this virus for a month or two, and it connects to a site when I start Firefox. Avast blocks this attempt but doesn’t show where the virus is located, or perhaps it is in Firefox. Can somebody help me locate it?

https://ibb.co/gau3Ud


Miner script is found on this website scanning tool: http://urlquery.net/report/22b5edd4-362f-4845-b05d-af6c5286fd78

Please follow instructions here: https://forum.avast.com/index.php?topic=194892.0

Sass Drake will be notified once you post the logs.

I removed 51 threats but JS:Miner-S [Trj] is still there.

Logs from the Farbar Recovery Scan Tool.

Good job.

Sass Drake has been notified.