4 Replies Latest reply on Jul 25, 2013 7:44 AM by Hayton

    timeserver.exe*32 and windowstime.exe*32

      Found both these running on my PC, and they were both in the C:\ProgramData\Microsoft\time folder. Turns out they are malware of the bitcoinminer type. It seems they were installed 5 days ago, and yet McAfee AntiVirus Plus did not detect them, and it's only by mistake I saw them when I was doing a routine process check. What makes this worse is that it did not even detect them when I did a scan, and so I had to go elsewhere to find out how to manually remove the folder etc.

       

      Now my subscription for McAfee is due in a few days, but I'm going to consider other options due to the failure of this not being detected when it first appeared on my PC.

        • 1. Re: timeserver.exe*32 and windowstime.exe*32
          Peter M

          No antivirus, no matter what brand, is 100% guaranteed to stop everything there is out there. That's why we Moderators recommend various 3rd party tools to supplement any antivirus/firewall software.

           

          See the last link in my signature below for hints and suggested tools.

           

          That said, McAfee does detect many Bitcoin Miner-type entities; maybe this was a new one not yet on the books. That happens with any software.

           

          Glad you got rid of it and good luck.

           

           


           

          Message was edited by: Ex_Brit on 25/07/13 5:18:17 EDT AM
          • 2. Re: timeserver.exe*32 and windowstime.exe*32

            The McAfee software I have claims to have a firewall as well as anti-spyware etc., so are you saying an all-round McAfee package is not enough and one needs to buy a separate firewall and anti-malware? I think not. To the best of my knowledge an all-round package should mean all round and not just selective.

             

            I might as well not bother renewing my subscription, but get a free virus killer, use Microsoft Security Essentials and Malwarebytes Anti-Malware, which will cost me zero.

            • 3. Re: timeserver.exe*32 and windowstime.exe*32
              Peter M

              That's not what I'm saying at all. I am saying that no antivirus software is perfect. What you choose to use is up to you of course.

               

              I would however point out this extract from a statement by one of the lead developers of Malwarebytes (Bruce Harrison) :

              ...

              As far as why MBAM is very good at dealing with (this) infection, that is simple. MBAM is designed to be very good at dealing with malware that the AV's seem to be having problems with. I do not spend my time making MBAM detect millions of infections that any decent AV already detects as MBAM is DESIGNED to work alongside antivirus software, not replace it.  A huge chunk of the research that goes into MBAM revolves around what we see making it into HJT threads as the vast majority of these threads involve antivirus software that was in some way bypassed.

              ...

              Let's settle this now and avoid any further misinformation. MBAM is now a very good backup to any antivirus software and will only get better in the future. MBAM will NEVER add antivirus abilities to its core app and is always advised to be used WITH antivirus software. We actually get this question a lot in the forums and I assure you that we always say :

              "No, MBAM can't replace your existing antivirus software and is not designed to."

              I always keep MBAM and one or two other tools handy and updated, just in case.   A lot of security has to do with you, the user.  Care needs to be taken with surfing, downloading etc., and always keep the OS completely up to date, including any parts you may not use, Internet Explorer for example if you use another browser.

              • 4. Re: timeserver.exe*32 and windowstime.exe*32
                Hayton

                You're concentrating on the presence of those files in that location without wondering how they got there.

                 

                If you have a bitcoin-mining program running you'll notice constant high cpu and/or gpu usage. That's a definite clue. But the bitcoin-mining processes may not be the only signs of infection to look for. Something had to put them on your system.

                 

                McAfee firewall is only effective against malware threats up to a point. If you allow a program to download and run, you bypass the firewall checks. If you use IRC, uTorrent or P2P you bypass the firewall. And if you've got an out-of-date version of Java or Reader (among other favourite attack vectors) then an exploit kit can infect you despite having an AV program running. Of course, the first thing serious malware does is to cripple your antivirus protection (yes, there are ways to do it).

                 

                Your PC may have malware running that co-opts you into a botnet. In which case if you just clean the visible symptoms of bitcoin mining today you could be re-infected tomorrow. You may have a rootkit - ZeroAccess is sometimes used for bitcoin mining.

                 

                I would advise running something a bit stronger than MSE or Malwarebytes to check your system. Rootkit Remover, Stinger, GMER for a start. If you have a serious infection you may need specialist help from one of the specialist forums.

                 

                Of course, you may be lucky. Maybe you're not a part of a botnet, maybe you've not been pwned. But I wouldn't count on it.

                 

                https://krebsonsecurity.com/2013/07/botcoin-bitcoin-mining-by-botnet/

                 

                http://uga-group.com/forum/t.Timeserver-exe-Bitcoin-Miner

                 

                http://www.bleepingcomputer.com/startups/windowstime.exe-21282.html

                 

                https://secure2.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Dloadr-AQV/detailed-analysis.aspx
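
Added example, not part of any post in this thread: a PowerShell version of the routine process check described in the first post, combined with the CPU-usage clue from the last reply. It lists running processes whose executable sits under %ProgramData% (the thread's files were in C:\ProgramData\Microsoft\time) together with accumulated CPU time, file creation date and Authenticode signature status. The output column names are this example's own choices.

```powershell
# Added example: list running processes whose image file is under %ProgramData%.
# Legitimate software also runs from there, so the signature status and file
# creation date are shown to help decide which entries deserve a closer look.
# Output column names are choices made for this example.
$root = $env:ProgramData.TrimEnd('\') + '\'

Get-CimInstance -ClassName Win32_Process |
    Where-Object {
        # ExecutablePath is empty for processes the current user cannot query
        $_.ExecutablePath -and
        $_.ExecutablePath.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)
    } |
    ForEach-Object {
        $file = Get-Item -LiteralPath $_.ExecutablePath -Force -ErrorAction SilentlyContinue
        $sig  = Get-AuthenticodeSignature -LiteralPath $_.ExecutablePath -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name        = $_.Name
            PID         = $_.ProcessId
            # KernelModeTime and UserModeTime are in 100-nanosecond units
            CpuSeconds  = [math]::Round(($_.KernelModeTime + $_.UserModeTime) / 1e7, 1)
            Started     = $_.CreationDate
            FileCreated = if ($file) { $file.CreationTime } else { $null }
            Signature   = if ($sig) { $sig.Status } else { 'Unknown' }
            Path        = $_.ExecutablePath
        }
    } |
    Sort-Object CpuSeconds -Descending |
    Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt so that ExecutablePath is populated for as many processes as possible. An unsigned executable with a recent FileCreated date and high CpuSeconds is the pattern this thread describes, and how it got there is the next question, as the last reply points out.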