
[Latest KB's] How to remove WMI based JavaScript CoinMiners

Hi Community,

Sophos Anti-Virus logs may show a detection on a legitimate Microsoft executable that is trying to contact a known malicious C2 (Command and Control) server:

20180701 091519 File "C:\windows\system32\wbem\scrcons.exe" belongs to virus/spyware 'HPmal/HPWMIJS-A': Process killed.
20180701 091524 File "C:\Windows\System32\wbem\scrcons.exe" belongs to virus/spyware 'C2/Generic-B'.
20180701 091524 Virus/spyware 'C2/Generic-B' is not removable.
20180701 091524 Item 'HPmal/HPWMIJS-A' could not be redetected.

This means that the Behavior Protection (HIPS) component has successfully killed the process, which was trying to download additional malware from the URL embedded in the WMI database.
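The script that scrcons.exe runs lives in the ActiveScriptEventConsumer instances of the root\subscription namespace, so listing those consumers and their bound filters shows where such an embedded URL sits. The following read-only PowerShell is an added example (not code from this post or the KBA); the URL heuristic is a constructed assumption to tune per environment.

```powershell
# Added example, not code from the Sophos post or its KBA. Lists the permanent WMI
# event subscriptions in root\subscription that scrcons.exe executes and flags
# ActiveScriptEventConsumer entries whose script body embeds an http(s) URL.
# Read-only: nothing is removed. Run in an elevated PowerShell session.

$ns = 'root\subscription'
$consumers = Get-WmiObject -Namespace $ns -Class ActiveScriptEventConsumer
$filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
$bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding

# Constructed heuristic: any URL inside the script text is worth a look.
$urlRegex = 'https?://[^\s''"]+'

$report = foreach ($c in $consumers) {
    # Binding.Consumer is a relative path such as ActiveScriptEventConsumer.Name="X".
    $escaped = [regex]::Escape($c.Name)
    $bound   = $bindings | Where-Object { $_.Consumer -match "Name=`"$escaped`"" }

    # Resolve each bound __EventFilter to the WQL query that triggers the script.
    $queries = foreach ($b in $bound) {
        if ($b.Filter -match 'Name="([^"]+)"') {
            $fname = $Matches[1]
            ($filters | Where-Object { $_.Name -eq $fname }).Query
        }
    }

    $urls = [regex]::Matches($c.ScriptText, $urlRegex) | ForEach-Object { $_.Value }

    [pscustomobject]@{
        Consumer   = $c.Name
        Engine     = $c.ScriptingEngine
        Suspicious = ($urls.Count -gt 0)
        Urls       = ($urls -join ', ')
        Triggers   = ($queries -join ' | ')
    }
}

$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

A clean workstation normally has no ActiveScriptEventConsumer instances at all, so any row here, with or without a URL, deserves review against the KBA before removal.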

Please visit this KBA for more information.

