Hey! Recently I caught something; I'm not exactly sure where it came from, but one of the following days my Malwarebytes did a scan and I got a few detections that looked like this:
Detections showing I have been infected with what appears to be called Trojan.VBS.TaskExecution and Trojan.BitCoinStealer in different locations of my system.
I've had them quarantined; however, seeing that this is a task-scheduling virus that tried infecting areas of my system that have to do with boot, I am sure just getting these files quarantined is not enough; this virus is bound to return the next time I restart my PC.
I booted my system into safe mode and scanned my PC with various antiviruses, without luck; I couldn't really find much of anything. HOWEVER, ESET, on the other hand, detected that there's a PowerShell execution virus in my Google Chrome cache folder!
I had the virus deleted, scanned my computer a few more times, and couldn't find anything.
Launching Chrome again or restarting my PC (while remaining in safe mode) doesn't seem to bring the ransom/malware back.
However, since Defender just plain crashes when I try launching it in safe mode (Win11, btw), I booted my operating system normally and accessed Defender to do an offline scan, which returned no results.
I went back to safe mode and did a quick scan with ESET, and nothing came up. I ran another scan, however, this time a custom scan targeting the Chrome folder, and the PowerShell/Agent.GZ trojan came back!
And when I try to do a quick scan with my Malwarebytes, the scan ends within seconds, as soon as it starts scanning files after scanning memory and all the stuff it does in the beginning; however, the scan works whenever I do a custom scan. Obviously no results.
When researching the virus I stumbled upon this GitHub topic, and the behavior of my virus and the virus discussed in the thread are similar; it seems like my virus is using different directories and places to hide in.
https://gist.github.com/infernoboy/cf114fda56ff3706478e0d1e6a1a1b27?permalink_comment_id=4140687#gistcomment-4140687
I also found this thread on the Malwarebytes forums; this person is facing a virus under the same name:
https://forums.malwarebytes.com/topic/286641-was-trojanvbstaskexecution/?do=findComment&comment=1515706
However, it seems that the virus's infected directories are more similar to that GitHub thread I linked,
BUT! The user on the Malwarebytes topic mentions the virus runs a PowerShell execution from this location:
%localappdata%\Google\Chrome\User Data\Default\Extensions
However, for me it runs from:
%localappdata%\Google\Chrome\User Data\Default\Cache\Cache_Data, which makes me assume I am facing a slightly altered version of the same virus.
I also ran the infected cache file through VirusTotal, which suggests more information about what this virus could be, like how Kaspersky instead named it "HEUR:Trojan-Banker.PowerShell.ClipBanker.gen" while ESET names it "PowerShell/Agent.GZ".
https://www.virustotal.com/gui/file/3cd4d63a2f17e72f725aaa0d5babbf645f2947ca129f08b5f7c4f67cbb04973a?nocache=1
Help putting up a fight against this thing would be really appreciated, thanks!
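The post names two things worth checking by hand rather than by AV signature alone: a "task execution" persistence mechanism, and a PowerShell payload that lives under the Chrome profile (Extensions or Cache_Data). The script below is an added example and is not part of the original post or from any of the linked threads. It enumerates the usual persistence points (scheduled tasks, Run/RunOnce keys, Startup folders) and flags any entry that launches a script interpreter with loader-style flags or references the profile/temp paths mentioned above. It assumes an elevated Windows PowerShell 5.1 session on the affected machine (the ScheduledTasks module); the path and flag patterns are heuristics I chose for this example, not indicators published by any vendor, so extend them with whatever your AV logs actually show.

```powershell
# Added example, not from the original post. Enumerate persistence points that a
# task-based PowerShell loader would typically use and flag suspicious entries.
# Assumptions: elevated Windows PowerShell 5.1; patterns below are illustrative.

$Interpreters = 'powershell', 'pwsh', 'wscript', 'cscript', 'mshta', 'rundll32', 'regsvr32', 'cmd'
# Paths from the post (Chrome profile folders) plus common drop locations. Regex form.
$PathPatterns = 'Google\\Chrome\\User Data', 'Cache_Data', '\\Extensions\\', 'AppData\\Local\\Temp', '\\ProgramData\\'
# Flags/idioms typical of a hidden, policy-bypassing or encoded PowerShell loader.
$LoaderFlags  = '-w(indowstyle)?\s+h', '-e(nc|ncodedcommand)?\s', '-nop', 'bypass', '\biex\b', 'invoke-expression', 'downloadstring', 'frombase64string'

function Test-SuspiciousCommand {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    # -match is case-insensitive in PowerShell, so no lower-casing is needed.
    $usesInterpreter = [bool]($Interpreters | Where-Object { $Command -match "\b$_(\.exe)?\b" })
    $hitsPath        = [bool]($PathPatterns | Where-Object { $Command -match $_ })
    $hitsLoaderFlag  = [bool]($LoaderFlags  | Where-Object { $Command -match $_ })
    # A script host started with hidden/bypass/encoded flags, or anything at all
    # executing out of a browser profile or temp folder, deserves a manual look.
    return ($usesInterpreter -and $hitsLoaderFlag) -or $hitsPath
}

function Get-PersistenceFindings {
    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. Scheduled tasks: inspect every action's executable plus its arguments.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            $cmd = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
            if (Test-SuspiciousCommand $cmd) {
                $info = $task | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
                $findings.Add([pscustomobject]@{
                    Source  = 'ScheduledTask'
                    Name    = $task.TaskPath + $task.TaskName
                    # Trigger CIM class names look like MSFT_TaskBootTrigger / MSFT_TaskLogonTrigger.
                    Trigger = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ','
                    LastRun = $info.LastRunTime
                    Command = $cmd
                })
            }
        }
    }

    # 2. Run / RunOnce keys for the current user and the machine (64- and 32-bit views).
    $runKeys = foreach ($hive in 'HKCU:', 'HKLM:') {
        foreach ($sub in 'Software\Microsoft\Windows\CurrentVersion\Run',
                         'Software\Microsoft\Windows\CurrentVersion\RunOnce',
                         'Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run') {
            "$hive\$sub"
        }
    }
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath/PSParentPath/... are provider metadata, not values
            if (Test-SuspiciousCommand ([string]$p.Value)) {
                $findings.Add([pscustomobject]@{
                    Source = 'RunKey'; Name = "$key\$($p.Name)"; Trigger = 'Logon'; LastRun = $null; Command = $p.Value
                })
            }
        }
    }

    # 3. Startup folders: a dropped .lnk/.vbs/.ps1 here is the low-tech equivalent of a logon task,
    #    so list everything and let the reviewer decide.
    $startupDirs = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                   "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path $dir)) { continue }
        foreach ($f in Get-ChildItem -Path $dir -File -Force) {
            $findings.Add([pscustomobject]@{
                Source = 'StartupFolder'; Name = $f.FullName; Trigger = 'Logon'; LastRun = $f.LastWriteTime; Command = $f.Name
            })
        }
    }
    return $findings
}

$results = Get-PersistenceFindings
if ($results.Count -eq 0) { 'No persistence entries matched the patterns.' }
else { $results | Sort-Object Source, Name | Format-Table -AutoSize -Wrap }
```

Before removing anything a match points at, keep a copy for reference: `Export-ScheduledTask -TaskName <name> -TaskPath <path>` writes the task definition as XML, and the file the task's arguments reference can be copied out of the cache folder with its hash recorded (`Get-FileHash`). A task can then be removed with `Unregister-ScheduledTask -TaskName <name> -TaskPath <path> -Confirm:$false`, and a Run-key value with `Remove-ItemProperty`. Nothing legitimate is launched by a scheduled task from Chrome's Cache_Data directory, so any task whose action references that path is a direct lead regardless of what the AV products name the file.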