Bitcoin Miner, system hijacked

August 16, 2012 9:57:10 PM

Hey all, don't know where to start exactly so I start here...

The past few days, I've been hunting down and removing files that are using over 95% of my CPU resources.
The source of the problems appears to be when Firefox launches itself automatically with the webpage yadoo.tv, and simultaneously multiple .tmp/.exe files that are labeled in the Task Manager's description as bitcoin miners; the tmp files are usually described with their filename (i.e. Image Name: example043.tmp, Description: example043), and they all source from my temp folder in the User/AppData folder. I've performed a few virus scans and spyware scans also, both of which cleared numerous files. The CPU problem is somewhat under control and the files are currently not launching as frequently as they were, and when they do, they no longer use my CPU's resources. With that somewhat fixed, I've now noticed the next part of the problem I have here.

My GPU is infected.

In CCC (I'm running ATI), my GPU load is shown at over 95% almost constantly. I can't break down and see what the load is and where it sources from. Now this is not my computer being slow; below, you will see that my specs are those of a powerful system. So whatever the case may be, I'm quite certain that this is a bitcoin mining operation of sorts, because apparently bitcoin processing is far more effective on a GPU. So since I had a bunch of bitcoin miners going at my CPU, then it makes sense that it is also hijacking my GPU!
I have minimal programs open at the moment. 99% load on my GPU is strongly abnormal.

So I have a slight understanding of what problem is infesting my desktop PC. The next stage is how to resolve this problem.

My system:
Windows 7 64-bit
Intel Core i7 2600K
Asus Sabertooth P67
Corsair Force Series 3 120GB
Sapphire ATI Radeon HD 6870 1GB
Corsair 650HX
Kingston 8GB kit KTA-MB1333K2/8GB x2
August 16, 2012 10:04:36 PM

Bitcoin miners can run on your GPU via OpenCL and DirectCompute. It sounds to me like someone used your PC for bitcoin mining, possibly by remote.

The miners may be installed as a system service, they're just programs which use the OpenCL/DirectCompute APIs to access the GPU which is an otherwise legitimate program.
August 16, 2012 10:08:24 PM

Well, you have very little understanding; a GPU can't become "infected". Also, outside of your CPU, your system is quite mid range. I have never Bitcoin mined; however, I do know that if you are Bitcoin mining, it will put a heavy load on your GPU, which is what Bitcoin mining uses to optimize the mining, so to speak.
August 16, 2012 10:09:38 PM

It's hijacked. There's a program using my GPU and CPU without my consent. I want this to stop. I'm not into Bitcoin, I don't understand a bloody thing about them.
August 16, 2012 10:18:06 PM

mael85 said:
It's hijacked. There's a program using my GPU and CPU without my consent. I want this to stop. I'm not into Bitcoin, I don't understand a bloody thing about them.


Your GPU itself isn't hijacked. Someone hijacked your PC and is using it to bitcoin mine for them. Your GPU doesn't care whether or not you're running the bitcoin mining program intentionally or via an infection. Rather than try and hunt down the source of the infection I suggest that you just nuke your OS and start over.
August 16, 2012 10:22:15 PM

You're right about my system being hijacked, I already knew that. As a final test I rebooted without my ethernet cable connected. In CCC all was calm; the second I plugged into the net the GPU load maxed out instantly.
When you say nuke my OS, you mean format the drive where Windows is installed? What if my backup internal drives have been compromised? That's why I'd rather hunt it down before starting from fresh...

-edit-
ahahaha, I think I found it... It could be Flash Player 11 plugin...
August 16, 2012 10:26:00 PM

mael85 said:
You're right about my system being hijacked, I already knew that. As a final test I rebooted without my ethernet cable connected. In CCC all was calm; the second I plugged into the net the GPU load maxed out instantly.
When you say nuke my OS, you mean format the drive where Windows is installed? What if my backup internal drives have been compromised? That's why I'd rather hunt it down before starting from fresh...


You're part of a botnet. Even if you can hunt down whatever's running the OpenCL/DirectCompute programs there's no guarantee that the infection hasn't opened something else up. For all you know your PC could be sending out 1000 penis enlargement emails an hour.

You, your ISP, and others, are all better off if you start fresh.
August 16, 2012 10:48:47 PM

If you're going to get rid of a virus infection, start by using msconfig and turning everything off in startup. Also look for weird patch names and programs (HijackThis log). Most clean startups should be your antivirus, Java, Flash, QuickTime. Also, with viruses, boot into safe mode and run some scans.
August 19, 2012 10:46:30 AM

Hi, I had the same problems. In my case I found out that if I disabled the network adapter, the CPU and GPU load dropped. After some research I found out that the file Rundll32.dll linked to C:\ProgramData\adob was the cause of my GPU and CPU load problems. I disabled it in the task manager and the display driver crashed, but then recovered, and the GPU and CPU load dropped back to normal idle levels. I have now removed the whole C:\ProgramData\adob and all works as it should.
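A defender's triage script for the pattern the thread describes, written here as an added example (it is not code from any poster): it lists running processes whose executable lives under the user's Temp folder or ProgramData, the two locations the posts point at, and any rundll32.exe instance whose DLL argument is outside the Windows directory, as in the C:\ProgramData\adob report above. The folder choices and the rundll32 command-line layout it parses are assumptions based on the paths quoted in the thread.

```powershell
# Added example, not from the thread. Flags (a) processes whose image sits under
# the user's Temp folder or ProgramData, and (b) rundll32.exe instances whose
# DLL argument is outside the Windows directory. A hit is a lead to inspect by
# hand (image path, signer, what it talks to), not proof of infection.
$suspectRoots = @(
    (Join-Path $env:LOCALAPPDATA 'Temp'),   # OP's example043.tmp files ran from here
    $env:ProgramData                         # later poster's C:\ProgramData\adob
)

function Test-SuspectPath {
    param([string]$Path)
    if (-not $Path) { return $false }
    foreach ($root in $suspectRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Pull the DLL path out of a rundll32 command line. Assumed layout:
#   rundll32.exe "C:\ProgramData\adob\x.dll",EntryPoint
function Get-Rundll32Target {
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    $rest = $CommandLine -replace '^\s*"?[^"]*rundll32\.exe"?\s*', ''
    $dll  = ($rest -split ',')[0].Trim('"', ' ')
    if ($dll -match '^[a-zA-Z]:\\') { return $dll } else { return $null }
}

# Win32_Process exposes ExecutablePath and CommandLine; Get-Process on Win7 does not.
$findings = foreach ($p in (Get-WmiObject Win32_Process)) {
    $reason = $null
    if (Test-SuspectPath $p.ExecutablePath) {
        $reason = 'image runs from Temp or ProgramData'
    } elseif ($p.Name -ieq 'rundll32.exe') {
        $dll = Get-Rundll32Target $p.CommandLine
        if ($dll -and -not $dll.StartsWith($env:SystemRoot, [System.StringComparison]::OrdinalIgnoreCase)) {
            $reason = "rundll32 loads non-system DLL: $dll"
        }
    }
    if ($reason) {
        # Total CPU seconds so far; a miner will dwarf everything else on the list.
        $cpu = (Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue).CPU
        New-Object PSObject -Property @{
            PID = $p.ProcessId; Name = $p.Name; CPUSeconds = $cpu
            Path = $p.ExecutablePath; CommandLine = $p.CommandLine; Reason = $reason
        }
    }
}

$findings | Format-List PID, Name, CPUSeconds, Path, CommandLine, Reason
```

Run it from an elevated PowerShell prompt so Win32_Process can read the command line of every process; a legitimate installer running from Temp will also show up, so check each hit rather than killing on sight.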
January 24, 2013 11:19:00 AM

Really? You have been reported!

Sounds like someone needs to freshin' up on the forum rules.

Go HERE for more help!

@OP: The physical GPU itself cannot be hacked, but the driver controlling it surely can, which is what Pinhedd was trying to explain. With the driver being compromised it will appear as if the physical unit is compromised as well.

Most botnets only get worse as time goes by. If you've been compromised via your CPU or GPU for very long then the only true fix is to wipe it out (after backing up of course) and reinstalling. If your backups are on an external device move them to a different computer and run a scan on them to confirm they are not compromised which usually they are not.