
Question on HEUR:Trojan.Script.Miner.gen


Solved by Berny


Hi everybody

I hope I'm in the right part of the forum to ask my question, this is my first time on this forum after several years of using Kaspersky.

Here is my situation: I have Windows 10 Professional + Kaspersky Total Security.

Recently I was informed by Kaspersky that there was a problem with a trojan called: HEUR:Trojan.Script.Miner.gen

It was indicated by Kaspersky that the Trojan could not be deleted. I went to see a lot of websites or videos to solve this, but everything seemed very complicated to me (it must be said that I am a complete zero in computers).

I saw that Kaspersky offered me in a drop-down menu to access the file of the trojan. I saw indeed this file but I didn't dare to do anything because it seemed extremely difficult to delete it, and I couldn't believe that it would be enough to select everything and simply do "delete".

In desperation, that's what I did anyway and surprise: Kaspersky turned green again, saying that everything is fine.

It seems too good to be true, so I wonder if I did it right, or if I made a mistake, despite appearances. Maybe I believe the Trojan is deleted, Kaspersky also believes it because of my manual intervention, but it is not the case? I have also heard that this malware duplicates or hides a copy of itself. This is all creepy!

Would you say that my fears are justified or that everything is fine, as it seems?

Thank you very much for your opinion anyway!


1 hour ago, Nathan D said:

Windows 10 Professional, Kaspersky Total Security.

Kaspersky detection: trojan called: HEUR:Trojan.Script.Miner.gen. It was indicated by Kaspersky that the Trojan could not be deleted.


Hello @Nathan D
Welcome!

✳️ Do not worry, by selecting Delete -> you've taken the correct action; you've done well ✳️

  • In the future, IF you ever have any concerns, do the following
  1. Manage the original event (as you've done) then proceed to the next steps: 
  2. Look in Kaspersky Reports, open Kaspersky GUI, select More Tools, select Reports, select Web Anti-Virus. Look for any similar events. 
  3. Run a manual Kaspersky Database update - allow it to update. 
  4. Check the Windows Updates -> make sure there's no outstanding patches & all existing patches have a 'successfully applied' status. 
  5. Run a Kaspersky Full Scan - allow it to complete. 
  6. At the end of the Full scan, shutdown the computer, using Shutdown, not Restart, power on by pressing the power button, login, continue using the computer. 
  7. IF (you) ever have a Kaspersky detection that persistently pops up on the screen & cannot be deleted, use this guide prepared by Kaspersky - Kaspersky application blocks my website or application. What should I do?
  • Generic Kaspersky information, regarding: Trojan.Script.Miner: "This family includes programs that are malicious scripts used for mining crypto currency without the knowledge of the user. The results of the mining go directly into the wallets of criminals." 

Many people knowingly use crypto currency software; Kaspersky sends detections - in part - to inform their users the crypto currency software is being downloaded or has been downloaded - in case the user ***is NOT aware***; Kaspersky is trying to protect the user, to say: 'hey, do you know this software has the potential to do harm?'

  • Simplified - HEUR (Heuristic), is as follows:

A problem-solving strategy or method that's not guaranteed to find the optimal solution but is designed to find a satisfactory solution in a reasonable amount of time. Antivirus software often uses heuristic rules for detecting viruses and other forms of malware. Heuristic scanning looks for code and/or behavioral patterns common to a class or family of viruses, with different sets of rules for different viruses. If a file or executing process is found to contain matching code patterns and/or to be performing that set of activities, then the scanner infers that the file is infected. The most advanced part of behavior-based heuristic scanning is that it can work against highly randomized self-modifying/mutating (polymorphic) viruses that cannot be easily detected by simpler string scanning methods. Heuristic scanning has the potential to detect future viruses without requiring the virus to be first detected somewhere else, submitted to the virus scanner developer, analyzed, and a detection update for the scanner provided to the scanner's users.

****************

Nearly finished, LOL, when raising a topic in the Community, always share with us, 1 & 2 from the guide prepared by Danila T. Read before you create a new topic! & full screen, screen prints of the error help the Community hugely, as well.

Any questions or ongoing problems, please do not hesitate to post back.

Thank you
Flood + Flood's wife


Thank you very much for your reassuring answer, I'm happy!

Thanks a lot also for this detailed and very interesting answer, I will study it in detail to be sure I understand well (given my complete nullity for these things)

For now everything is fine, I'll let you know if it changes but everything seems ok! Not only Kaspersky stayed green but also the computer is no longer heating (yesterday it was hotter than the radiator in the house! Mining crypto I guess...) (I turned it off right away)

Thanks again!!


Just one thing to be sure that there is no mistake about what I did: I specify that Kaspersky did not offer me to click on a "delete" button.


In fact, Kaspersky gave me the possibility to access the file (I don't remember what was written in the dropdown menu but it was something like "get access to the file")


It was after accessing this place on the pc where the virus was that I took the initiative to select and delete everything (there were something like 800 files, I deleted them all and emptied the trash like I'm closing the door to hell)


Either way, I hope that doesn't change your conclusion that I did the right thing!


@Nathan D

3 hours ago, Nathan D said:

Kaspersky stayed green

The detected "HEUR:Trojan.Script.Miner.gen" object is categorized as JavaScript; can you please check your Kaspersky reports and post a screenshot? Also, a Kaspersky scan without detection means that your system is clean.


Thank you for your reply! Alas I tried in vain to find the report on this trojan. I've followed the online help but I can't find it (when I told you I sucked, it wasn't false modesty!)

On the other hand I did a full (long) scan and the result is good: no threat detected.

We can therefore conclude that it is enough to say that the virus is no longer there if I follow you correctly; no risk of having a virus hidden somewhere that Kaspersky wouldn't see, right?

 


12 hours ago, Nathan D said:

For now everything is fine, I'll let you know if it changes but everything seems ok! Not only Kaspersky stayed green but also the computer is no longer heating (yesterday it was hotter than the radiator in the house! Mining crypto I guess...) (I turned it off right away)

7 hours ago, Nathan D said:

Thank you for your reply! Alas I tried in vain to find the report on this trojan. I've followed the online help but I can't find it (when I told you I sucked, it wasn't false modesty!)

On the other hand I did a full (long) scan and the result is good: no threat detected.

We can therefore conclude that it is enough to say that the virus is no longer there if I follow you correctly; no risk of having a virus hidden somewhere that Kaspersky wouldn't see, right?

Hello @Nathan D

You're most welcome!

  • 1. Sorry we did not get back to you quickly enough - *sigh*
  • Don't be overwhelmed by scary alerts, you've handled this very well (as far as we can determine). 
  1. Let's try again... Golden rule, when a problem happens - screen-print everything - that way, when you tell anyone about the problem, you don't have to try to remember the error - you'll have the information - from the system - Danila T. Read before you create a new topic! wrote the guide for users to help users - use it
  2. Kaspersky offering for (you) to "get access to the file" doesn't ring any bells whatsoever, IF you've said Resolve, rather than Delete, that would make sense, but not "get access to the file", anyway; moving right along; it's not important & here's why:

▶️ IF you've done all of the steps we asked you to do (in our first reply), then your system is clean; also, the machine no longer overheating *is a very good sign*. Our conclusion would *only* change IF we discovered you'd not followed the steps precisely as they're set out.

  • Re the Reports, we did give guidance in our first reply, before it went off the rails.... 

1. Let's go thru the Reports, they're a very important resource; they will help you whenever you need information about the Kaspersky app, we've created an image to assist - note (our image is from Kaspersky v21.9 - so the Report name: (1) Safe browsing is different, your Report name will show Web Anti-Virus, other than that, the Report functionality is the same)...

2. Period = Calendar - can be filtered (dropdown)
3. *Freeform* Search field, very useful - we typed in HEUR & it displayed the event you can see in the screen-print. 
4. Event data - shows information about a collection of events or specific event depending on the filters selected. 
4 & 5. Event data, horizontal column *filter* is important; it's like a spreadsheet, rightclick anywhere in the Event data - horizontal column, select the important columns. 
6. Selecting an *actual* event in the Report, will populate the extended data below, in the lower portion of the report window - this information can be copied & pasted to (your) Community topic. 
7. The Save report is very useful; it saves as a text file; this text file can then be shared with the Community, by (you) uploading to any cloud service of your choice: OneDrive, GoogleDrive, MegaDrive, etc., & posting the sharelink
8.? wherever (you) see a question mark in Kaspersky software it represents 'Help', selecting the ? redirects to the Online Help for the resource that matches that particular GUI window; here's the available documentation: How to view the application operation report & Reports window

[image: the Reports window, items 1 to 8 marked]

The other thing about this stuff is: now you have the machine back to normal, you can take your time, getting to know the Kaspersky app, the Reports module & Kaspersky documentation. 

Also, Kaspersky have released their new software range, eventually KTS will no longer exist: you may wish to start thinking about the transition - IF (your) existing KTS license has a reasonable length of time before it expires, you can convert to Kaspersky Plus for Free, with that you'd get: 

  • Kaspersky Plus
  • Kaspersky Premium Password Manager
  • Kaspersky Premium Safe Kids - 1 year subscription. 
  • Kaspersky VPN, Standard/Free -> not Unlimited. 

Read: Kaspersky: Basic, Standard, Plus, Premium - info & FAQ

IF (you) were to wait for (your) existing KTS license to expire & purchase a new Kaspersky Plus subscription, (you'd) get:

  • Kaspersky Plus
  • Kaspersky Premium Password Manager
  • Kaspersky VPN Unlimited, for the Subscriber account, if there are other User accounts associated with the subscription, they get: Kaspersky VPN, Standard/Free -> not Unlimited. 

*Note: the end date for KAV, KIS, KTS & KSC is unknown, in our opinion Kaspersky will give plenty of, at least we hope they do.*

There you go, enough information, we need a coffee.

Thank you
Flood + Flood's wife


Thank you very much Flood and Flood's wife for this detailed answer!

Yes I should have made a screenshot at the time, foolishly I did not think about it (maybe the panic, people on the internet were almost saying “the explosion of your computer is imminent”…), that will serve as a lesson to me!

I followed the steps you kindly gave me (thank you so much again!).

Alas, I'm afraid I haven't found anything interesting in the headings on the left, I don't know why...

I mean I pasted "HEUR:Trojan.Script.Miner.gen" into the search bar (the only thing I had the presence of mind to exactly copy at the time of the alert) and hit "enter" in each of the headings on the left. Each time, it gives no result, except a single one: the "Analyse" (Analysis) section.

Here is the screenshot:

[screenshot]

In the bottom box it says roughly the same thing in all 5 recorded events, with the difference that:

  • In some boxes (those corresponding to events 1, 2 and 4), there is: “Evénement : désinfection impossible” (Event: Disinfection impossible) and “Résultat: Non traité” (Result: Not treated) (in the screenshot above, you have the case of event 5 with the corresponding box at the bottom)
  • In other boxes (those corresponding to events 3 and 5), there is: “Evénement: Un objet malveillant a été détecté” (Event: A malicious object has been detected) and “Résultat: Détecté” (Result: Detected)

And here are the reports for each of the 5 events (I guess an analysis report is not of much interest, but here it is anyway, just in case) (“cheval de troie” means “trojan”) :

  • Hier, 19/03/2023 01:20:07 | C:\Users\PC\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000270\f_000270 | Non traité | Désinfection impossible | HEUR:Trojan.Script.Miner.gen | Ignoré | Fichier | C:\Users\PC\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000270// | f_000270 | Non traité | Cheval de Troie | Élevé | Analyse heuristique | DESKTOP-R8M79J9\PC | Utilisateur actif
  • Hier, 19/03/2023 00:45:30 | C:\Users\PC\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000270\f_000270 | Non traité | Désinfection impossible | HEUR:Trojan.Script.Miner.gen | Reporté | Fichier | C:\Users\PC\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000270// | f_000270 | Non traité | Cheval de Troie | Élevé | Analyse heuristique | DESKTOP-R8M79J9\PC | Utilisateur actif
  • Hier, 19/03/2023 00:45:30 | C:\Users\PC\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000270\f_000270 | Détecté | Un objet malveillant a été détecté | HEUR:Trojan.Script.Miner.gen | Analyse des experts | Fichier | C:\Users\PC\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000270// | f_000270 | Détecté | Cheval de Troie | Élevé | Analyse heuristique | DESKTOP-R8M79J9\PC | Utilisateur actif
  • 18/03/2023 18:01:55 | C:\Users\PC\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000270\f_000270 | Non traité | Désinfection impossible | HEUR:Trojan.Script.Miner.gen | Reporté | Fichier | C:\Users\PC\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000270// | f_000270 | Non traité | Cheval de Troie | Élevé | Analyse heuristique | DESKTOP-R8M79J9\PC | Utilisateur actif
  • 18/03/2023 18:01:55 | C:\Users\PC\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000270\f_000270 | Détecté | Un objet malveillant a été détecté | HEUR:Trojan.Script.Miner.gen | Analyse des experts | Fichier | C:\Users\PC\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000270// | f_000270 | Détecté | Cheval de Troie | Élevé | Analyse heuristique | DESKTOP-R8M79J9\PC | Utilisateur actif

 

Thanks again for all the help, I feel like things are ok (still no overheating), that's the main thing!

It may be naive but I tell myself that after all, if this trojan had remained, there is a good chance that Kaspersky saw it in the full analysis of yesterday, since it already saw it the first time...

In any case I will let you know if something happens, if you have nothing to add thank you all again for your help! ☺️


Thank you very much Berny and Flood and Flood's wife! It's very kind of you!

Your advice seems very knowledgeable (obviously) and effective, but it's also maybe a little above my skills, I mean for the procedure you listed dear Flood and Flood's wife.

Before trying it anyway, I was wondering: wouldn't we get the same result by uninstalling Google Chrome? Normally, unless I'm mistaken, uninstalling a program means removing all of its components and (I imagine) the cache is one of them, right?

Regarding a more generic search, I put simply "HEURT" and I get the 4 events you can see on the screenshot below (but no events with PDM, PUA or PUP). Apparently another trojan that I had not seen before (now it's on Firefox as it seems, and if I understand correctly, there are problems in events 1 and 3, but not 2 and 4.):

[screenshot]

The report (I'm not sure if it's four different things or four times the same thing) :

  • 13/03/2023 17:48:27 | C:\Users\PC\AppData\Local\Mozilla\Firefox\Profiles\suo6a5cz.default-release-1670380309982\cache2\entries\E51B9E1167DFE7245029D49EF078470842A2B6F0 | E51B9E1167DFE7245029D49EF078470842A2B6F0 | C:\Users\PC\AppData\Local\Mozilla\Firefox\Profiles\suo6a5cz.default-release-1670380309982\cache2\entries | Fichier | Non traité | Désinfection impossible | Non traité | not-a-virus:HEUR:RiskTool.JS.Miner.gen | Programme légitime pouvant être exploité par un individu mal intentionné afin de nuire à l'ordinateur ou aux données de l'utilisateur | Faible | Analyse heuristique | Firefox | firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox | 11900 | DESKTOP-R8M79J9\PC | Utilisateur actif | Ignoré
  • 13/03/2023 17:48:27 | C:\Users\PC\AppData\Local\Mozilla\Firefox\Profiles\suo6a5cz.default-release-1670380309982\cache2\entries\E51B9E1167DFE7245029D49EF078470842A2B6F0 | E51B9E1167DFE7245029D49EF078470842A2B6F0 | C:\Users\PC\AppData\Local\Mozilla\Firefox\Profiles\suo6a5cz.default-release-1670380309982\cache2\entries | Fichier | Détecté | Un programme légitime pouvant être utilisé par des individus malintentionnés afin de nuire à l'ordinateur ou aux données de l'utilisateur a été détecté | Détecté | not-a-virus:HEUR:RiskTool.JS.Miner.gen | Programme légitime pouvant être exploité par un individu mal intentionné afin de nuire à l'ordinateur ou aux données de l'utilisateur | Faible | Analyse heuristique | Firefox | firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox | 11900 | DESKTOP-R8M79J9\PC | Utilisateur actif | Analyse des experts
  • 13/03/2023 17:47:42 | C:\Users\PC\AppData\Local\Mozilla\Firefox\Profiles\suo6a5cz.default-release-1670380309982\cache2\entries\562EDA8CD4276B647B5E243DFFE08E8C4B389B83 | 562EDA8CD4276B647B5E243DFFE08E8C4B389B83 | C:\Users\PC\AppData\Local\Mozilla\Firefox\Profiles\suo6a5cz.default-release-1670380309982\cache2\entries | Fichier | Non traité | Désinfection impossible | Non traité | not-a-virus:HEUR:RiskTool.JS.Miner.gen | Programme légitime pouvant être exploité par un individu mal intentionné afin de nuire à l'ordinateur ou aux données de l'utilisateur | Faible | Analyse heuristique | Firefox | firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox | 11900 | DESKTOP-R8M79J9\PC | Utilisateur actif | Ignoré
  • 13/03/2023 17:47:42 | C:\Users\PC\AppData\Local\Mozilla\Firefox\Profiles\suo6a5cz.default-release-1670380309982\cache2\entries\562EDA8CD4276B647B5E243DFFE08E8C4B389B83 | 562EDA8CD4276B647B5E243DFFE08E8C4B389B83 | C:\Users\PC\AppData\Local\Mozilla\Firefox\Profiles\suo6a5cz.default-release-1670380309982\cache2\entries | Fichier | Détecté | Un programme légitime pouvant être utilisé par des individus malintentionnés afin de nuire à l'ordinateur ou aux données de l'utilisateur a été détecté | Détecté | not-a-virus:HEUR:RiskTool.JS.Miner.gen | Programme légitime pouvant être exploité par un individu mal intentionné afin de nuire à l'ordinateur ou aux données de l'utilisateur | Faible | Analyse heuristique | Firefox | firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox | 11900 | DESKTOP-R8M79J9\PC | Utilisateur actif | Analyse des experts

In the box at the bottom which corresponds to the first event, here is what is written:

  • Événement: Désinfection impossible
  • Utilisateur: DESKTOP-R8M79J9\PC
  • Type d'utilisateur: Utilisateur actif
  • Nom de l'application: firefox.exe
  • Chemin d'accès à l'application: C:\Program Files\Mozilla Firefox
  • Module: Antivirus fichiers
  • Résultat de description: Non traité
  • Type: Programme légitime pouvant être exploité par un individu mal intentionné afin de nuire à l'ordinateur ou aux données de l'utilisateur
  • Nom: not-a-virus:HEUR:RiskTool.JS.Miner.gen
  • Exactitude: Analyse heuristique

In the box at the bottom which corresponds to the second event, here is what is written:

  • Événement: Un programme légitime pouvant être utilisé par des individus malintentionnés afin de nuire à l'ordinateur ou aux données de l'utilisateur a été détecté
  • Utilisateur: DESKTOP-R8M79J9\PC
  • Type d'utilisateur: Utilisateur actif
  • Nom de l'application: firefox.exe
  • Chemin d'accès à l'application: C:\Program Files\Mozilla Firefox
  • Module: Antivirus fichiers
  • Résultat de description: Détecté
  • Type: Programme légitime pouvant être exploité par un individu mal intentionné afin de nuire à l'ordinateur ou aux données de l'utilisateur
  • Nom: not-a-virus:HEUR:RiskTool.JS.Miner.gen
  • Exactitude: Analyse heuristique

In the box at the bottom which corresponds to the third event, here is what is written:

  • Événement: Désinfection impossible
  • Utilisateur: DESKTOP-R8M79J9\PC
  • Type d'utilisateur: Utilisateur actif
  • Nom de l'application: firefox.exe
  • Chemin d'accès à l'application: C:\Program Files\Mozilla Firefox
  • Module: Antivirus fichiers
  • Résultat de description: Non traité
  • Type: Programme légitime pouvant être exploité par un individu mal intentionné afin de nuire à l'ordinateur ou aux données de l'utilisateur
  • Nom: not-a-virus:HEUR:RiskTool.JS.Miner.gen
  • Exactitude: Analyse heuristique

In the box at the bottom which corresponds to the fourth event, here is what is written:

  • Événement: Un programme légitime pouvant être utilisé par des individus malintentionnés afin de nuire à l'ordinateur ou aux données de l'utilisateur a été détecté
  • Utilisateur: DESKTOP-R8M79J9\PC
  • Type d'utilisateur: Utilisateur actif
  • Nom de l'application: firefox.exe
  • Chemin d'accès à l'application: C:\Program Files\Mozilla Firefox
  • Module: Antivirus fichiers
  • Résultat de description: Détecté
  • Type: Programme légitime pouvant être exploité par un individu mal intentionné afin de nuire à l'ordinateur ou aux données de l'utilisateur
  • Nom: not-a-virus:HEUR:RiskTool.JS.Miner.gen
  • Exactitude: Analyse heuristique

Again, I would ask the same question as for the other trojan on Google Chrome: can't one just "radically" uninstall Firefox (in a way that leaves no part of the program on the computer) and then reinstall it?

 

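The rows pasted in the post above are a flattened text export of the Reports window, which makes it hard to tell whether four rows are four different things or two objects each logged twice (detected, then "disinfection impossible"). The following added example, which is not Kaspersky's code and was not posted in this thread, parses rows in that layout and groups them by object; it assumes fields are separated by tabs (or, as pasted here, runs of spaces) and uses constructed sample rows modelled on the Chrome and Firefox entries in the thread.

```python
"""Group rows of a Kaspersky 'Save report' text export by detected object.
Added example, not Kaspersky's own code. Assumes one event per line, fields
separated by tabs (or runs of spaces once pasted into a post); since column
order differs between report types, fields are recognised by value."""
import re
from collections import defaultdict

# French report vocabulary as it appears in this thread, mapped to English keys.
RESULTS = {"Détecté": "detected", "Non traité": "untreated"}
SEVERITY = {"Faible": "low", "Moyen": "medium", "Élevé": "high"}
ACTIONS = {"Ignoré": "skipped", "Reporté": "postponed",
           "Analyse des experts": "expert analysis"}
TIMESTAMP_RE = re.compile(r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Kaspersky verdict syntax: optional 'not-a-virus:' prefix, then Family:Name.
VERDICT_RE = re.compile(r"^(not-a-virus:)?[A-Za-z]+:[\w.\-]+$")

# Constructed sample rows modelled on the Chrome and Firefox cache events in the thread.
CHROME = ("C:\\Users\\PC\\AppData\\Local\\Google\\Chrome\\User Data\\Default"
          "\\Cache\\Cache_Data\\f_000270\\f_000270")
FF_DIR = ("C:\\Users\\PC\\AppData\\Local\\Mozilla\\Firefox\\Profiles"
          "\\suo6a5cz.default-release-1670380309982\\cache2\\entries")
FF_A = "E51B9E1167DFE7245029D49EF078470842A2B6F0"
FF_B = "562EDA8CD4276B647B5E243DFFE08E8C4B389B83"
RISK = "not-a-virus:HEUR:RiskTool.JS.Miner.gen"
TAIL = "Analyse heuristique\tDESKTOP-R8M79J9\\PC\tUtilisateur actif"
SAMPLE_ROWS = [
    f"Hier, 19/03/2023 00:45:30\t{CHROME}\tNon traité\tDésinfection impossible"
    f"\tHEUR:Trojan.Script.Miner.gen\tReporté\tFichier\tCheval de Troie\tÉlevé\t{TAIL}",
    f"Hier, 19/03/2023 00:45:30\t{CHROME}\tDétecté\tUn objet malveillant a été détecté"
    f"\tHEUR:Trojan.Script.Miner.gen\tAnalyse des experts\tFichier\tCheval de Troie\tÉlevé\t{TAIL}",
]
for _ts, _entry in [("13/03/2023 17:48:27", FF_A), ("13/03/2023 17:47:42", FF_B)]:
    SAMPLE_ROWS += [
        f"{_ts}\t{FF_DIR}\\{_entry}\t{_entry}\t{FF_DIR}\tFichier\tNon traité"
        f"\tDésinfection impossible\tNon traité\t{RISK}\tFaible\t{TAIL}\tIgnoré",
        f"{_ts}\t{FF_DIR}\\{_entry}\t{_entry}\t{FF_DIR}\tFichier\tDétecté"
        f"\tUn programme légitime a été détecté\tDétecté\t{RISK}\tFaible\t{TAIL}\tAnalyse des experts",
    ]


def parse_row(line):
    """Parse one report row into the fields that matter for triage."""
    fields = [f.strip() for f in re.split(r"\t|\s{2,}", line) if f.strip()]
    row = dict.fromkeys(("timestamp", "object", "result", "severity", "action", "verdict"))
    for f in fields:
        m = TIMESTAMP_RE.search(f)
        if m and row["timestamp"] is None:
            row["timestamp"] = m.group(1)
        elif PATH_RE.match(f) and row["object"] is None:
            row["object"] = f              # first path field is the scanned object
        elif f in RESULTS and row["result"] is None:
            row["result"] = RESULTS[f]     # later result columns only repeat it
        elif f in SEVERITY:
            row["severity"] = SEVERITY[f]
        elif f in ACTIONS:
            row["action"] = ACTIONS[f]
        elif VERDICT_RE.match(f):
            row["verdict"] = f
    return row


def summarize(lines):
    """Group parsed rows by object: one record per object answers 'same or different?'."""
    by_object = defaultdict(list)
    for line in lines:
        row = parse_row(line)
        if row["object"] and row["timestamp"]:
            by_object[row["object"]].append(row)
    summary = {}
    for obj, rows in by_object.items():
        verdict = next((r["verdict"] for r in rows if r["verdict"]), None)
        summary[obj] = {
            "verdict": verdict,
            # 'not-a-virus:' marks riskware (legitimate code that can be abused), rated below HEUR:Trojan.
            "riskware": bool(verdict and verdict.startswith("not-a-virus:")),
            "severity": next((r["severity"] for r in rows if r["severity"]), None),
            "events": len(rows),
            "actions": sorted({r["action"] for r in rows if r["action"]}),
            # Any 'Non traité' row means Kaspersky could not disinfect the file itself.
            "untreated": any(r["result"] == "untreated" for r in rows),
        }
    return summary
```

Run on the sample rows it yields three objects: the Chrome cache file with the high-severity HEUR:Trojan verdict, and two distinct Firefox cache entries with the low-severity not-a-virus verdict, each logged twice.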

Thank you Berny for this new idea!

I just did it (by installing the program or something like that, I don't know how to run it like ADMIN).

Apparently the program does not detect anything. It says "Aucun élément n'a été détecté sur votre système" (Nothing was detected on your system). Here is the screenshot :

[screenshot]

I don't know what to think, on the one hand, Kaspersky does not detect any trojan, nor this AdwCleaner program apparently, and the behavior of the computer seems quite normal; on the other hand, I have the feeling that there are worrying elements on the reports...


Thank you for this clarification, I redid another scan as administrator, this launches the program the same way I did just by double clicking on it and the result is the same: "Aucun élément n'a été détecté sur votre système" (Nothing was detected on your system)

I relaunched too a full scan via Kaspersky: no threat detected either.

Should we conclude that there is nothing to worry about, anything in the above reports that needs going any further?

(regarding CCleaner, I'll have to do without it: with regard to my case, the interesting functions of this software are in the professional version...)


  • Solution

@Nathan D You are welcome.

1 minute ago, Nathan D said:

I relaunched too a full scan via Kaspersky: no threat detected either.

Kaspersky blocked the malicious script before it reached your browser and a second opinion with AdwCleaner doesn't detect other unwanted objects, which means that you are safe. If any problem shows up again, please come back.
