Question: JS/Miner

My latest virus scan found and quarantined a trojan called JS/Miner. Does anyone know how to remove this? Or what it does?

iMac, OS X El Capitan (10.11.6)

Question marked as Solved

Dec 7, 2017 12:29 PM in response to memecrafter2

I had the same issue. After poking around the file itself, it seems that your antivirus and mine detect the JavaScript of Coinhive, a script embedded in webpages using the power of your computer to mine Monero crypto money (a cousin of Bitcoin) for the owner of the website.
I would suggest installing an ad-blocker on your web browser to rid yourself of these kinds of scripts and ads.
[Edit : bad spelling, veri bad speeling :/ ]

Reply Helpful (1)

Dec 11, 2017 7:39 AM in response to Sobekx

I have just had the same issue, flagged up by my Intego VirusBarrier. It is the first time I have ever had malware discovered on my Mac. Most of the websites I have visited today are well-known names that I have visited many times before without problems; and I have made no downloads.


The malware file was shown as: Home ▸ Library ▸ Caches ▸ com.apple.Safari ▸ WebKitCache ▸ Version 11 ▸ Records ▸ A96A6E93C6D1D95967F4D4D86A725C47D7F5BF95 ▸ Resource ▸ 8BF1E1E0EFB2836AA4A4A06B2B3445DA51449878-blob.


VirusBarrier was unable to repair the file and I was initially unable to locate it. I ran a full scan and this time it showed up as: Home ▸ Library ▸ Caches ▸ com.apple.Safari ▸ WebKitCache ▸ Version 11 ▸ Blobs ▸ 5DA700392AA09717087380102B0823FF27E3C359


I transferred the file to Quarantine and when Intego could not repair the file, I deleted it. I ran a further full scan which showed my Mac as clear of all malware.


I have since located and searched the Library caches and the malware file is not present in the location indicated.


Has the malware really been removed and is the Mac now safe again?

Reply Helpful
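
A way to check the cache location named in the post above for leftover Coinhive script text, as an added example that is not part of the thread. The marker strings are assumptions taken from Coinhive's public loader script, and the gzip branch assumes a cached body may be stored still compressed.

```python
import gzip
import tempfile
import zlib
from pathlib import Path

# Assumed markers: strings from Coinhive's public loader script (not from the thread).
MARKERS = (b"coinhive.min.js", b"CoinHive.Anonymous", b"coinhive.com")
# Cache root from the post above; the "Version 11" level varies by Safari release.
SAFARI_CACHE = Path.home() / "Library/Caches/com.apple.Safari/WebKitCache"
MAX_BYTES = 5 * 1024 * 1024  # cap on bytes read, and on bytes inflated, per file

def _inflate(data):
    """Bounded gzip decode; returns b"" when the body is not valid gzip."""
    try:
        return zlib.decompressobj(wbits=31).decompress(data, MAX_BYTES)
    except zlib.error:
        return b""

def scan_cache(root):
    """Return {relative path: [markers found]} for regular files under root."""
    root, hits = Path(root), {}
    if not root.is_dir():
        return hits
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            with path.open("rb") as fh:
                data = fh.read(MAX_BYTES)
        except OSError:
            continue  # unreadable entry: skip it rather than abort the scan
        if data[:2] == b"\x1f\x8b":  # gzip magic: also search the decoded body
            data += _inflate(data)
        found = [m.decode() for m in MARKERS if m.lower() in data.lower()]
        if found:
            hits[path.relative_to(root).as_posix()] = found
    return hits

def demo():  # constructed sample cache: one clean blob, one plain hit, one gzip hit
    with tempfile.TemporaryDirectory() as tmp:
        blobs = Path(tmp, "Version 11", "Blobs")
        blobs.mkdir(parents=True)
        (blobs / "AAAA").write_bytes(b"function ok(){return 1}")
        (blobs / "BBBB").write_bytes(b"var m = new CoinHive.Anonymous('KEY');")
        (blobs / "CCCC").write_bytes(gzip.compress(b"//coinhive.com/lib/coinhive.min.js"))
        return scan_cache(tmp)

if __name__ == "__main__":
    print(scan_cache(SAFARI_CACHE) or "no Coinhive markers found")
```

An empty result after the cache has been cleared means no cached page resource still contains the script text.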

Dec 11, 2017 8:11 AM in response to RBSB60

After doing a little research, my understanding is that the JS/Miner trojan is actually part of a botnet that steals processing time from you (and others) in order to mine for a version of Bitcoin called Monero. It doesn't damage your files, but slows your computer because it's using your CPU as an element in a networked "supercomputer" to find and create coin.


That being said, get rid of it.


PS: If you don't need them, delete the Time Machine backups from around the same time. If you ever restore from one of those backups, I'm told you might restore JS/Miner.

Reply Helpful (1)

Dec 11, 2017 9:11 AM in response to memecrafter2

Thanks for both replies. They are helpful and, to an extent, reassuring. I have run further scans on both Mac and Time Machine Back-Up Disk and no malware has been identified. My Mac also seems to be operating at normal speed.


I too have read that there is a Mac version of the malware which tries to use the power of PC or Mac to mine cyber coins. I am a little disturbed that it might have come from a website that I visit often since it might imply that one of these well-known sites has been targeted.


Thank you again. Again, further comments would be very welcome.

Reply Helpful

Dec 11, 2017 9:47 AM in response to Eric Root

I am puzzled how a trojan arrived on my Mac when I made no downloads and, as far as I recall, gave no permission for anything to be loaded into my Mac. Yet I read that trojans can only gain access to a Mac if given permission.


I also read that there are no viruses that enter a Mac uninvited.

Reply Helpful

Dec 11, 2017 12:36 PM in response to RBSB60

Well, to my understanding, it's not really a virus; it's a bit of JavaScript (hence the JS). Lots of pages inject JavaScript as sub programming to help their design and structure, but not all of it is benign. If you look in your Safari preferences in the security section, you will find the ability to disable JavaScript. In Chrome, it's in the context settings. Miner never goes deeper than your browser, but if it's embedded, every time your browser is on, it will force your CPU to handle its calculations.


If you go to any site and look at the source code of any nice page, near the top, you will see a call for "somethingorother.js". These are calls for JavaScript files that your browser happily loads if allowed. JS/Miner is a Trojan not in the sense that it's carrying a hidden load, but more in the sense that it's pretending to be something it's not.


So, if your preferences say "Enable javascript", you've given it permission.

Reply Helpful

Dec 11, 2017 1:42 PM in response to memecrafter2

Thank you. These comments are very helpful. JavaScript is enabled on my Mac. I was going to switch it off but I have now read elsewhere that this will adversely affect the performance of many web sites. If that is true, maybe I have to leave JavaScript enabled but trust my malware checker to identify it should it settle in my Mac. It seems I am damned if I do and damned if I don't!

Reply Helpful

Dec 11, 2017 11:42 PM in response to RBSB60

Actually, in order to block these kinds of nefarious scripts and all the dubious tracking scripts, people tend to use navigator extensions to prevent unneeded scripts from running.

The simple choice is an adblocker (at least two of them have added this script to the list of things blocked), but more powerful combos exist.

Reply Helpful
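
What a blocking extension does with the script calls described in the posts above, as an added example that is not part of the thread: it lists every script a page source loads and flags those whose host is on a blocklist. The blocklist entry, the inline marker and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed entries for illustration; real filter lists are far longer.
BLOCKED_HOSTS = {"coinhive.com"}
INLINE_MARKERS = ("coinhive.anonymous",)  # matched against lower-cased script text

class ScriptAudit(HTMLParser):  # collects external script URLs and inline bodies
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.in_inline = page_url, False
        self.external, self.inline = [], []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:  # resolve relative and scheme-relative (//host/x.js) forms
                self.external.append(urljoin(self.page_url, src.strip()))
            else:
                self.in_inline = True
                self.inline.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_inline = False
    def handle_data(self, data):
        if self.in_inline:
            self.inline[-1] += data

def host_blocked(url):
    """True for a blocked host or its subdomains, not for look-alike suffixes."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in BLOCKED_HOSTS)

def audit(html, page_url):
    parser = ScriptAudit(page_url)
    parser.feed(html)
    parser.close()
    return {"blocked": [u for u in parser.external if host_blocked(u)],
            "allowed": [u for u in parser.external if not host_blocked(u)],
            "inline_hits": sum(any(m in s.lower() for m in INLINE_MARKERS)
                               for s in parser.inline)}

# Constructed page source, not taken from any real site.
SAMPLE = """<html><head>
<script src="/static/site.js"></script>
<script src="//Coinhive.com/lib/coinhive.min.js"></script>
<script src="https://cdn.notcoinhive.com/app.js"></script>
<script>var m = new CoinHive.Anonymous('KEY');</script></head></html>"""

if __name__ == "__main__":
    print(audit(SAMPLE, "https://news.example/story"))
```

The look-alike host `cdn.notcoinhive.com` stays in the allowed list because matching is done on whole domain labels, not on a bare string suffix.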

Dec 12, 2017 10:01 AM in response to Sobekx

Thank you. I will ponder the various adblockers available. I hope they do not conflict with Intego. There seem to be many adblockers that work with Mac but no consensus as to the best.


I read that using Safari Preference Website Reader is a help in reducing the javascript risk so I am using it for now.


I also note that Safari 'Develop' provides an option to clear caches. I am not sure if it clears all Safari caches but I clicked the button and Safari seems to work just the same. 'Develop' also gives various options to monitor javascript but, as an active Mac novice, it is over my head.

Reply Helpful