Thailand News and Discussion Forum | ASEANNOW


Bitcoin Miner/TVF/Bitdefender/Attack?


Yesterday my desktop was logged on to TVF, nothing else was running - I use TOT fibre.

 

Bitdefender Internet Security flashes a message to say it's blocked a malicious website which it shows as https://api.aalbbh84.info/lib/main.js (which looks very much like an api).

 

Over the next ten minutes I get the same message several times so I come out of TVF and the messages stop. I scan for virus and malware, clean temporary files and reboot, after an hour nothing unusual has happened. I start up TVF again and after 45 minutes the attacks start again, they appear to be a bitcoin data miner!

 

Anyone, TVF is this your api that shows a false positive or something else entirely?

  • Author

Twenty-one minutes after posting it seems that TVF has started doing it again, here's the message from Bitdefender: "This webpage https://api.aalbbh84.info/lib/main.js is identified as infected with malware. Virus name: Trojan.CoinMiner.I. The webpage has been successfully blocked by Antimalware filter and your PC is now safe".

 

Whatever are you doing?

  • Author

I just checked, my wife's laptop is delivering the same message and I'm now getting them from the only site that is running, TVF, about every six minutes or so.

It's a virus/redirect trying to get to, download from that website. Try connecting to other sites and see if the same message, use a different browser etc. If it's coming from Thaivisa site the reports would say thaivisa.com etc. Whois on the domain shows it as being in Russia, registered 2 weeks ago.

Task manager to see if anything using resources in the background, look for weird additions to startups in msconfig etc.

Is the other computer also running bitdefender ?

 

  • Author
1 minute ago, Peterw42 said:

It's a virus trying to get to, download from that website. Try connecting to other sites and see if the same message, use a different browser etc. If it's coming from Thaivisa site the reports would say thaivisa.com etc. Whois on the domain shows it as being in Russia, registered 2 weeks ago.

Task manager to see if anything using resources in the background, look for weird additions to startups in msconfig etc.

Is the other computer also running bitdefender ?

No problem with any other sites both in country and internationally.

 

Same results using Chrome or Firefox.

 

Laptop is also using same version of (paid for) Bitdefender.

 

Task Manager/resource utilisation looks normal.

 

Am looking at startups etc currently.

 

 

Maybe Malwarebytes, HitmanPro etc. My way of thinking, Bitdefender is letting a process run so it thinks it's ok, but blocking what the process is trying to do.

  • Author
7 minutes ago, Peterw42 said:

Maybe Malwarebytes, HitmanPro etc. My way of thinking, Bitdefender is letting a process run so it thinks it's ok, but blocking what the process is trying to do.

MSCONFIG and startup look fine, ZoneAlarm logs are clean, not running Admin account... perhaps it's God's way of telling me I'm spending too much time on TVF. :shock1:

 

Thanks for your input, appreciated.

Go to the root of that site and it says it's a javascript miner, so need to get to the bottom of who is dishing it up. Possibly only pops up on sites with Java etc, not so much the Thaivisa site, rather than something TV sends is triggering it.

 

api.aalbbh84.info

  • Author
6 minutes ago, Peterw42 said:

Go to the root of that site and it says it's a javascript miner, so need to get to the bottom of who is dishing it up. Possibly only pops up on sites with Java etc, not so much the Thaivisa site, rather than something TV sends is triggering it.

 

api.aalbbh84.info

Now that's interesting, it seems CoinHave is the name to look for, I wonder who. I think I'll try disabling Java and see what that does.

6 minutes ago, simoh1490 said:

Now that's interesting, it seems CoinHave is the name to look for, I wonder who. I think I'll try disabling Java and see what that does.

It even gives a sample of the code to add to a website, <script src="SITE_LINK"></script>, if you can find what's adding that code. So Thaivisa site loads then something puts that script in and it tries to load etc but Bitdefender blocks etc.

 

The thing that throws me is 2 computers doing it, anything that's recent and common across both, a browser extension etc.
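
One way to settle the question raised in this post, whether the site's own HTML carries the miner `<script>` tag or something adds it after the page loads, is to compare the page as served with the rendered DOM. This is an added example, not code from the thread; the hosts, HTML samples and function names are constructed.

```javascript
"use strict";
// Added example. Hosts and HTML below are constructed; function names are hypothetical.

// Collect the src of every <script src=...> tag in an HTML string.
function scriptSources(html) {
  const re = /<script\b[^>]*?\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1] ?? m[2] ?? m[3]);
  return out;
}

// Resolve relative and protocol-relative srcs against the page URL.
function resolve(src, pageUrl) {
  try { return new URL(src, pageUrl); } catch { return null; }
}

function isFirstParty(host, allowedDomains) {
  return allowedDomains.some(d => host === d || host.endsWith("." + d));
}

// servedHtml: the page as the server sent it (view-source or a saved fetch).
// renderedHtml: the live DOM saved from the browser after the page has run.
// Returns third-party scripts, marking whether the site's own HTML carried the tag
// or it appeared only after load (added by another script or a browser extension).
function auditScripts(pageUrl, servedHtml, renderedHtml, allowedDomains) {
  const urls = html => scriptSources(html).map(s => resolve(s, pageUrl)).filter(Boolean);
  const served = new Set(urls(servedHtml).map(u => u.href));
  return urls(renderedHtml)
    .filter(u => !isFirstParty(u.hostname, allowedDomains))
    .map(u => ({
      url: u.href,
      host: u.hostname,
      origin: served.has(u.href) ? "served-by-site" : "added-after-load",
    }));
}

// Constructed sample: a forum page with one ad tag in its HTML and one tag injected later.
const PAGE = "https://forum.example/topic/1";
const SERVED = `<head><script src="/js/app.js"></script>
<script async src='//cdn.forum.example/lib.js'></script>
<script src="https://tags.adnetwork.example/tag.js"></script></head>`;
const RENDERED = SERVED + `<script src="https://api.miner.example/lib/main.js"></script>`;

const findings = auditScripts(PAGE, SERVED, RENDERED, ["forum.example"]);
for (const f of findings) console.log(f.origin.padEnd(17), f.host, f.url);
```

A tag reported as "added-after-load" on two unrelated machines points at a script the site already loads (an ad or analytics tag) rather than at something installed on either computer.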

  • Author

No, nothing, the laptop hasn't been used in over a month!

 

I just switched to Explorer to see what happens plus I turned off Java.

2 minutes ago, simoh1490 said:

No, nothing, the laptop hasn't been used in over a month!

 

I just switched to Explorer to see what happens plus I turned off Java.

And ?????, don't leave me hanging, lol

 

  • Author
13 minutes ago, Peterw42 said:

And ?????, don't leave me hanging, lol

 

Nature called :)

 

No more Bitdefender messages so I'm now switching back to see what happens next.
