mayowa, posted May 24, 2018

Hello All,

A customer was infiltrated with a coin miner malware virus. ESET File Security on the server was used to scan with ThreatSense parameters of in-depth scan and strict cleaning. We are still experiencing pop-ups about the presence of the coin miner on the server, as detected by ESET every minute.

Does anyone have any idea how to deal with this situation?

For your perusal, kindly find attached the log collected from the File Security installed on the server.

Attachment: eset log.rar
Marcos (Administrator), posted May 24, 2018

Does temporarily disconnecting the server from the network stop the malware from being created / detected?

Please gather logs with ESET Log Collector and provide me with the generated archive.
mayowa, posted May 24, 2018 (edited)

    1 hour ago, Marcos said: Does temporarily disconnecting the server from the network stop the malware from being created / detected? Please gather logs with ESET Log Collector and provide me with the generated archive.

Thanks Marcos for your swift response. Kindly check the FTP support server for the log as requested, with the name Egbin efsw_logs.zip. I await your feedback for a resolution.

Thanks in anticipation.

Best Regards

Edited May 24, 2018 by mayowa
mayowa, posted May 28, 2018

    On 5/24/2018 at 4:18 PM, mayowa said: Thanks Marcos for your swift response. Kindly check the FTP support server for the log as requested, with the name Egbin efsw_logs.zip. I await your feedback for a resolution. Thanks in anticipation. Best Regards

Hello Marcos, I would like to follow up on the subject matter as reported earlier.
mayowa, posted May 30, 2018

    On 5/28/2018 at 1:43 PM, mayowa said: Hello Marcos, I would like to follow up on the subject matter as reported earlier.

Hello All, kindly help with the above subject caption. We need immediate remediation, because the client is running out of patience as it keeps coming back after ESET detects and deletes it.

Actually, we thought of isolating the server, but it has spread to other servers and workstations.
itman, posted May 30, 2018

Post screenshots of what ESET is detecting. For example, the actual alert popup and entries from the log file.
mayowa, posted May 30, 2018

    15 minutes ago, itman said: Post screenshots of what ESET is detecting. For example, the actual alert popup and entries from the log file.

Thanks itman for your response. As requested, please find attached a screenshot of what ESET is detecting, with entries from the log file. Kindly check the FTP support server for the log as requested, with the name Egbin efsw_logs.zip. I await your response in anticipation of a quick resolution.

Regards
itman, posted May 30, 2018

Since it sounds like it is pretty well entrenched in your network, I would start with the servers and then proceed to the endpoints.

Download Sysinternals Autoruns: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns. Run it as Admin. Under the Options setting, the only thing "hidden" should be empty locations. Under Scan Options in this section, checkmark VirusTotal. Look for anything suspicious in any auto-start locations such as registry Run keys, etc., and Task Scheduler entries. Also, under the WMI tab, look for suspicious events.

The best way to remove items is to "uncheck" them in Autoruns. This way they are not permanently deleted and can be restored by re-checkmarking them if anything gets "borked."
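The Autoruns review itman describes, as an added example that is not part of his post and is not ESET or Sysinternals code: a PowerShell script that lists the same three autostart locations (registry Run keys, scheduled tasks, WMI event subscriptions) on one host and sorts them for review. It assumes an elevated Windows PowerShell 5.1 session on the affected host; the $suspicious pattern is an assumed triage heuristic, not an ESET or Autoruns rule.

```powershell
# Added example (not from the thread): one review list of the autostart locations
# itman names, so each server/workstation can be checked before deciding what to
# uncheck in Autoruns. Assumes elevated Windows PowerShell 5.1 on the affected host.
# $suspicious is an assumed triage heuristic (user-writable folders, script hosts).

$suspicious = '\\(Temp|AppData|ProgramData|Public|Downloads)\\|wscript|cscript|mshta|-enc'
$findings   = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Source, $Name, $Command) {
    $findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = "$Command" })
}

# 1. Registry Run/RunOnce values (machine hive, 32-bit view and current user hive)
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in ($runKeys | Where-Object { Test-Path $_ })) {
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |          # drop provider metadata
        ForEach-Object { Add-Finding "Run:$key" $_.Name $_.Value }
}

# 2. Scheduled tasks: every action of every task that is not disabled
foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
    foreach ($action in $task.Actions) {
        $cmd = ($action.Execute + ' ' + $action.Arguments).Trim()
        Add-Finding ('Task:' + $task.TaskPath + $task.TaskName) $task.Principal.UserId $cmd
    }
}

# 3. Permanent WMI subscriptions: consumers hold the command, bindings tie them to a filter
$ns = 'root\subscription'
foreach ($c in Get-WmiObject -Namespace $ns -Class CommandLineEventConsumer) {
    Add-Finding 'WMI:CommandLineEventConsumer' $c.Name $c.CommandLineTemplate
}
foreach ($c in Get-WmiObject -Namespace $ns -Class ActiveScriptEventConsumer) {
    Add-Finding 'WMI:ActiveScriptEventConsumer' $c.Name ($c.ScriptingEngine + ' ' + $c.ScriptText)
}
foreach ($b in Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding) {
    # Filter and Consumer are WMI object paths, e.g. __EventFilter.Name="..."
    Add-Finding 'WMI:Binding' $b.Filter $b.Consumer
}

# 4. Flag commands matching the heuristic and show them first for review
$findings |
    Select-Object Source, Name, Command,
        @{ n = 'Flag'; e = { if ($_.Command -match $suspicious) { 'REVIEW' } else { '' } } } |
    Sort-Object Flag -Descending | Format-Table -AutoSize -Wrap
```

Run it on the servers first and then the workstations, as the post suggests; Autoruns also covers services, drivers and Winlogon entries, which this list does not.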