oscarr

Members
  • Posts: 3
  • Rank: Newbie
  • Location: Netherlands

Posts by oscarr
  1. @Marcos Using Win 11 with all the latest updates here as well, and I have them as well. @itman That's quite a list. I googled how to exclude the programs on that list from execution but already got tired of all the steps; or is there an easy way as well? For now I just rely on NOD32, it has never let me down.
  2. Interesting! Don't know if it's of any use, but this was the PowerShell script I found in that pNYnr7eT1 directory. Like I said, I think it's just a thing to help hide the execution of something from the user. Since I don't get a nervous ESET anymore, I think renaming the directory this thing was in helped. Or something else got changed. The file I dropped on VirusTotal is still there in its original place, but I don't get a popup anymore from ESET and I don't see it back in the Event Log. So I do have the feeling it is connected. I might have uninstalled some programs, but it would be odd if uninstalling a program with a virus also removed the virus. Anyway, I'm happy it seems gone, and if someone needs a file to examine I'm happy to help.
     Attachment: ABDA11A9-426A-4502-AD21-CF4E4B5F6D59.txt
  3. Hello! I had the same nasty bugger every time I started my PC. The problem is a bit that ESET does say it found it and removed the threat, but it doesn't give you any clue of where to look. I looked at some other places and found a simple PowerShell script which is (I think) used to suppress the output/errors from the execution of the 'coin stealer'. I think it's even a legit Microsoft script, but it's located in an obscure directory. In my case it was windows/system32/pNYnr7eT1 and its name was 'ABDA11A9-426A-4502-AD21-CF4E4B5F6D59'.
     Instead of looking in all logs I just started Event Viewer, looked under Applications and Services Logs > Windows PowerShell and checked the executions against the times the coin stealer was detected (see attachment). That points me directly to the location of the virus/trojan itself, which is C:\Windows\System32\drivers\DfTph\D13FD5F3-3DBE-4FF7-BEFA-932CA6538238.sys (a file of 4147kB). I renamed that first directory where the normal script is located and I think it prevented the virus from getting active, since ESET didn't say anything after restart and the Event Viewer is also not showing the activity.
     Nasty thing is that ESET itself doesn't recognize the .sys as a virus. But none did at VirusTotal: VirusTotal - File - bbbd57acdae11e57235a1270e6663b3ea9c7c80080aac07d2711dc4c3f08b098. If I can make someone happy with the .sys file, let me know. But I wanted to react since it's way easier to just check Event Viewer for weird PowerShell access.
     Kind regards, Oscar
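As an added example (not from Oscar's post or from ESET), a PowerShell script that does the Event Viewer correlation he describes by hand: it pulls engine-start events from the classic Windows PowerShell log, keeps those within a few minutes of the detection times you supply, and flags command lines that hide their window or start a script from an unexpected System32 subfolder. The detection timestamps, the time window and the "odd path" heuristic are constructed placeholders, not values from the post.

```powershell
# Added example, not from the post: correlate PowerShell engine starts with
# AV detection times, as the post describes doing manually in Event Viewer.
# Assumptions: the classic 'Windows PowerShell' log exists (default on Windows)
# and its engine-start events (Id 400) carry a 'HostApplication=' line.

# Constructed placeholder: paste the detection timestamps from the AV log here.
$detectionTimes = @(
    [datetime]'2022-01-15 09:03:10',
    [datetime]'2022-01-16 08:57:42'
)
$window = [timespan]::FromMinutes(3)   # how close an engine start must be to count

# Switches commonly used to keep a script invisible to the logged-on user.
$hidingFlags = '(?i)-WindowStyle\s+Hidden|-w\s+hidden|-NonInteractive|-NoProfile|-ExecutionPolicy\s+Bypass'

# Heuristic (assumption): a command line referencing a System32 subfolder other
# than WindowsPowerShell itself is unusual and worth a manual look.
$oddSystem32 = '(?i)\\System32\\(?!WindowsPowerShell\\)[^\\" ]+\\'

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Nearest detection time to this engine start; skip if outside the window.
    $nearest = $detectionTimes |
        Sort-Object { [math]::Abs(($e.TimeCreated - $_).TotalSeconds) } |
        Select-Object -First 1
    if ([math]::Abs(($e.TimeCreated - $nearest).TotalSeconds) -gt $window.TotalSeconds) { continue }

    # The HostApplication= line holds the full command line that started the engine.
    $hostApp = ($e.Message -split "`r?`n" |
        Where-Object { $_ -match '^\s*HostApplication=' } |
        Select-Object -First 1) -replace '^\s*HostApplication=', ''

    [pscustomobject]@{
        Time            = $e.TimeCreated
        NearDetection   = $nearest
        HostApplication = $hostApp
        HidingFlags     = [bool]($hostApp -match $hidingFlags)
        OddSystem32Path = [bool]($hostApp -match $oddSystem32)
    }
}

# Rows with HidingFlags or OddSystem32Path set are the ones to inspect first.
$hits | Sort-Object Time | Format-Table -AutoSize
```

If script block logging is enabled, the Microsoft-Windows-PowerShell/Operational log (event 4104) additionally records the script content itself, which saves opening the file on disk.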