itman

Most Valued Members
  • Posts

    13,107
  • Joined

  • Last visited

  • Days Won

    344

itman last won the day on November 17

itman had the most liked content!

About itman

  • Rank
    Newbie

Profile Information

  • Gender
    Male
  • Location
    USA

Recent Profile Visitors

29,837 profile views
  1. After I posted this, I realized you will probably have to stop the service prior to deleting it. As such, the commands to enter are: sc stop AlructisitService and then sc delete AlructisitService. Then restart the PC. Also, I found the video again showing removal in safe mode: https://www.youtube.com/watch?v=XGGNIijDcVc&t=0s . Note the following: finally, this coinminer might be employing self-protection to prevent modification of the service it is using in the registry plus its associated C:\Program Files (x86)\AlructisitApplication\ .exe's. Pay close attention toward the end of the video where he is accessing the %AppData%\Local folder, searching for and removing it. If this is the case, my above manual removal of the service via sc.exe will fail.
  2. Open an admin command prompt window and enter: sc delete AlructisitService and see if it removes the Win service.
  3. My preference is to run all Eset real-time settings at Aggressive level. Are you still receiving Eset detections after a system restart with the PUA setting enabled? If this is the case, it appears from this video (-EDIT- the link I saved no longer directs to the video) that the C:\Program Files (x86)\AlructisitApplication folder has to be manually deleted in Safe mode.
  4. I found a sample of this coinminer installer. If Eset had been installed and PUA detection enabled, it would have been detected upon file creation on the disk;
  5. According to this: https://hackerdose.com/malware/remove-alructisit-app/ , the Alructisit app needs to be uninstalled.
  6. This means: https://stackoverflow.com/questions/32047810/what-does-file-mean-in-a-file-path
  7. @Marcos, please advise on this.
  8. Below is the latest version of amdi2c.sys available for Win 10 from the Win Update Catalog. Notice that this driver is indeed WHQL signed:
  9. If you are referring to this offer: https://www.amazon.com/ESET-Essential-Antivirus-Protection-Ransomware/dp/B0D1SWCSN4?dib=eyJ2IjoiMSJ9.MTmuXw4Oq-eznNOtSLbkdVbtKTE7wZHKCaboQodTNU_svHuTvgDL_9aIHsu5VgbZtsF4-cF9qmYltNLKbk4-BPOwGYWjTwmNPmD_gO387HRwx-A9l4cWzJl1zkHhzvycTR3x840tR0ol3CFSNOpWYbqLh8mtR3lQsCT99jcUf4GqxkT-JmbsJqbUnqWM8RD1sQeoXxC0jGbVb-6QiIZ_s1KXguOAeXspNHw52x_SUMI.t0LPuwhr_4bcT4mCgaDEOVitI03I160sF8Ri-mBQkSQ&dib_tag=se&qid=1733414901&refinements=p_89%3AESET&s=software&sr=1-1&th=1, it is a redirect to the Eset U.S. eStore with the following restriction;
  10. https://www.fortiguard.com/encyclopedia/virus/4926019/w32-peerfrag-a-worm Since the parent process of uu.exe is svchost.exe, it would be an indication that a Win service has been created to load/start the .exe. There are also strong indications the source is an infected USB drive:
  11. Some more details on this amdi2c.sys vulnerable driver: https://www.virustotal.com/gui/file/15e84d040c2756b2d1b6c3f99d5a1079dc8854844d3c24d740fafd8c668e5fb9 . The driver is not Microsoft WHQL certified and signed. The driver is attestation signed; I warned back in 2022 of the dangers posed by attestation signed drivers in a detailed forum posting here: https://forum.eset.com/topic/32841-a-clear-and-present-danger-lurking-in-windows-1011/ . Also, China based developers to date have been the primary source of abusing this kernel driver signing capability. The pathetic part is Microsoft's unwillingness to remove this attestation kernel mode signing capability despite the continual abuse of it.
  12. Forum attachments can only be viewed by Eset moderators.
  13. The only thing I could find in the forum for this error message relates to Eset Full Disk Encryption here: https://forum.eset.com/topic/40105-full-disk-encryption-recovery-password-has-reached-its-usage-limit/
  14. In reference to your Eset Server Security screenshot, the license ID shown is the public ID for the license. You need to enter the full 20 character private license key as shown above.
  15. Based on the high AV vendor detection at VT, my guess is Eset analyzed the stealer within at most 48 hours, and more likely within 24 hours, of it circulating in-the-wild. It gave a safe verdict and whitelisted the file.
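The service removal described in posts 1 and 2 above, written out as an added PowerShell example (not itman's code or anything from the forum thread). It assumes the service name AlructisitService and the C:\Program Files (x86)\AlructisitApplication folder quoted in those posts; it records what the service points at, stops and deletes it, then reports whether the registry entry and folder survived, which is the self-protection symptom the first post warns about.

```powershell
# Added example, not from the forum posts. Names below come from the posts;
# adjust them if the sample on your system uses different ones.
$ServiceName = 'AlructisitService'
$AppDir      = 'C:\Program Files (x86)\AlructisitApplication'
$RegKey      = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"

# sc.exe delete needs an elevated window, so fail early if we are not admin.
$isAdmin = ([Security.Principal.WindowsPrincipal] `
    [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated PowerShell window.' }

# Record the service's start mode and binary path before touching it; this is
# what you would paste into a support ticket, and it shows what was persisting.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if ($null -eq $svc) {
    Write-Host "Service $ServiceName not present; nothing to stop."
} else {
    Write-Host "State: $($svc.State)  Start: $($svc.StartMode)  Path: $($svc.PathName)"
    # Strip quotes/arguments from PathName so the signature of the .exe can be checked.
    $exe = ($svc.PathName -replace '^"([^"]+)".*', '$1') -replace '^(\S+\.exe).*', '$1'
    if (Test-Path $exe) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        Write-Host "Authenticode status of ${exe}: $($sig.Status)"
    }
    # Same sequence as the posts: stop first, then delete.
    if ($svc.State -ne 'Stopped') { sc.exe stop $ServiceName | Out-Null; Start-Sleep 3 }
    sc.exe delete $ServiceName | Out-Null
}

# Try to remove the application folder; a failure here, or a service key that
# is still present after a reboot, is the self-protection symptom from post 1.
$leftovers = @()
if (Test-Path $AppDir) {
    try   { Remove-Item -LiteralPath $AppDir -Recurse -Force -ErrorAction Stop }
    catch { $leftovers += "$AppDir ($($_.Exception.Message))" }
}
if (Test-Path $RegKey) { $leftovers += $RegKey }

if ($leftovers.Count -eq 0) {
    Write-Host 'Service entry and application folder are gone. Reboot and re-scan.'
} else {
    Write-Warning ("Still present: " + ($leftovers -join '; ') +
        " - a deleted service key can linger until reboot; if it or the folder" +
        " survives a reboot, finish the removal from Safe Mode as in the video.")
}
```

Run it after the PC has been restarted once, since a service marked for deletion only disappears from the registry at the next boot.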