
During a regular RidNacs check I was clearing space on my SSD, and I discovered a large bitcoin folder of 8 gigs or more, while I have never had Bitcoin. This is apparently a rogue miner on my system that flew under the AV (ESET NOD32) and Malwarebytes.

I have had a rogue miner before, about 2 years ago: MDM.exe (Slaveware, which hid itself in the cache folders of another application). It also went undetected; I was only able to find it in Process Monitor after 2 weeks of bad performance. But this one I am completely unable to detect, as there is no bad performance. For now I am going to wait and see if the bitcoin folder starts to build itself back up again, and I would like suggestions on where else to look and what to look for.

System42
  • What's "RidNacs"? You sure this isn't from that original infection? If you delete the data, does it come back? You can use Autoruns to determine what's creating it if so – Ramhound Oct 30 '16 at 05:11
  • RidNacs is a free space analyst. At first I was thinking the 8 gigs were left from the original infection, but the only tool I had to check is to wait and see if the folder gets filled again, which could take a long time to happen. I am looking around in Autoruns and don't see anything familiar. – System42 Oct 30 '16 at 17:47
  • If you find that the rogue process is running again, you can use [Process Hacker](http://processhacker.sourceforge.net/), run it as an administrator, and then go to the Disk tab to see what process is writing to that Bitcoin folder. –  Nov 10 '17 at 09:20

0 Answers
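The comments suggest two manual checks: wait to see whether the folder refills, and look through Autoruns for whatever creates it. The script below is an added example (not from the thread, and not from any of the tools mentioned) that automates both from a defender's standpoint: it records a size snapshot of the folder so a later run shows whether it is growing, and it searches the common autostart locations (Run keys, scheduled tasks, services) and the currently running processes for anything referencing the folder. The folder path `$env:LOCALAPPDATA\Bitcoin` and the snapshot file name are assumptions; adjust them to the location found on the disk.

```powershell
# Added example: check whether a suspicious folder is being refilled and
# whether anything that starts automatically references it.
# $Folder and $StateFile are assumed placeholders, not values from the thread.
param(
    [string]$Folder    = "$env:LOCALAPPDATA\Bitcoin",
    [string]$StateFile = "$env:USERPROFILE\folder-watch.json"
)

function Get-FolderSnapshot {
    # Size, file count and newest write time of the folder (recursive).
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $files = @(Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue)
    $sum   = ($files | Measure-Object -Property Length -Sum).Sum
    [pscustomobject]@{
        Taken     = Get-Date
        FileCount = $files.Count
        SizeMB    = [math]::Round(($sum / 1MB), 1)
        Newest    = ($files | Sort-Object LastWriteTime -Descending | Select-Object -First 1).LastWriteTime
    }
}

function Get-AutostartReferences {
    # Return autostart entries and processes whose command line or image
    # path matches $Pattern (a regex; -match is case-insensitive).
    param([string]$Pattern)
    $hits = @()
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # skip PSPath, PSParentPath, ...
            if ("$($p.Value)" -match $Pattern) {
                $hits += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match $Pattern) {
                $hits += [pscustomobject]@{ Source = "Task $($task.TaskPath)"; Name = $task.TaskName; Command = $cmd }
            }
        }
    }
    foreach ($svc in (Get-CimInstance -ClassName Win32_Service)) {
        if ("$($svc.PathName)" -match $Pattern) {
            $hits += [pscustomobject]@{ Source = 'Service'; Name = $svc.Name; Command = $svc.PathName }
        }
    }
    foreach ($proc in (Get-Process -ErrorAction SilentlyContinue)) {
        if ($proc.Path -and ($proc.Path -match $Pattern)) {
            $hits += [pscustomobject]@{ Source = "Process PID $($proc.Id)"; Name = $proc.ProcessName; Command = $proc.Path }
        }
    }
    return $hits
}

# 1. Compare the current folder size with the last recorded snapshot.
$now = Get-FolderSnapshot -Path $Folder
if ($null -eq $now) {
    Write-Host "Folder not present: $Folder (nothing has recreated it yet)"
} else {
    if (Test-Path -LiteralPath $StateFile) {
        $prev = Get-Content -LiteralPath $StateFile -Raw | ConvertFrom-Json
        Write-Host ("Previous: {0} files, {1} MB at {2}" -f $prev.FileCount, $prev.SizeMB, $prev.Taken)
        if ($now.SizeMB -gt $prev.SizeMB) { Write-Warning "Folder has grown since the last run" }
    }
    Write-Host ("Current:  {0} files, {1} MB, newest write {2}" -f $now.FileCount, $now.SizeMB, $now.Newest)
    $now | ConvertTo-Json | Set-Content -LiteralPath $StateFile
}

# 2. Look for anything that starts automatically and points at the folder,
#    by full path or by the folder's leaf name.
$leaf    = Split-Path -Path $Folder -Leaf
$pattern = '(' + [regex]::Escape($Folder) + '|\\' + [regex]::Escape($leaf) + '\\)'
$refs    = Get-AutostartReferences -Pattern $pattern
if ($refs.Count -eq 0) {
    Write-Host "No autostart entry, service or running process references '$leaf'"
} else {
    $refs | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell once, then again after a day or so; the warning on the second run tells you whether something is still writing into the folder. A hit in the autostart list gives you the entry to examine (and the file to submit to the AV vendor); no hit does not prove the machine is clean, since a miner can also persist through WMI subscriptions, startup folder shortcuts or other locations that Autoruns covers and this script does not.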