matand317, posted January 3, 2019

I noticed I am getting the same pop-up from my antivirus (NOD32 12.0) every 30 seconds or so... I am afraid for my new computer; can you please help me get rid of the virus? When I try to activate a scan, the scan just does nothing to help and the pop-up keeps showing...

Marcos (Administrator), posted January 3, 2019

To start off, please provide logs gathered by ESET Log Collector.

itman, posted January 3, 2019

What file is ESET detecting the coin miner in? Click on the "file" word shown in blue in the ESET alert to determine this.

matand317 (author), posted January 3, 2019

File location is: C:\Users\user\AppData\Roaming\wow64_microsoft-windows-wow64-legacy_31bf3856ad364e35_10.0.16299.15_none_18ff2b39790378ca

matand317 (author), posted January 3, 2019

> 2 hours ago, Marcos said:
> To start off, please provide logs gathered by ESET Log Collector.

logs.rar (attachment)

Marcos (Administrator), posted January 3, 2019

Please read https://support.eset.com/kb3466 for instructions on how to gather logs with ESET Log Collector.

matand317 (author), posted January 3, 2019

Sorry for my misinterpretation of "logs". I exported the logs using the guide and added them below.

eav_logs.zip (attachment)

itman, posted January 3, 2019 (edited January 3, 2019 by itman)

> 5 hours ago, matand317 said:
> File location is: C:\Users\user\AppData\Roaming\wow64_microsoft-windows-wow64-legacy_31bf3856ad364e35_10.0.16299.15_none_18ff2b39790378ca

Suspect the other file shown in your alert that begins in Russian? and ends in Microsoft Passport is also bogus and part of the coin miner attack. If the file physically exists on your hard drive, you can submit it to VirusTotal and see what the scanners there detect.

For the time being, until @Marcos gets back to you, you can create a HIPS rule to block startup of anything in "C:\Users\user\AppData\Roaming\*.*". When you create the rule, eliminate the previously shown quote marks. Make sure you set the logging level to warning, so a log entry is created. If the HIPS log entries created become excessive, you can subsequently set the logging level to none. Make sure to post a screenshot of at least one HIPS log page of entries created by the rule. You can then clear the HIPS log if you wish.

As far as I am aware, there are no executables in C:\Users\user\AppData\Roaming\ sub-directories that run on a normal basis. If in fact you do use Microsoft Passport, make sure there is not a sub-directory created for it in C:\Users\user\AppData\Roaming\. If so and it contains executable files, then don't create the HIPS rule mentioned above.
itman, posted January 3, 2019 (edited January 3, 2019 by itman)

Also, per VirusTotal: https://www.virustotal.com/en/file/1d6965edad78dbaa59f02a24b98e4bb6ad3fafbd8b51aaaeee43c1dd8f8c7315/analysis/1534723852/ , this appears to be the XRIG Monero coin miner based on the ESET malware detection. This coin miner is known to exploit vulnerable Windows OS versions. Is your system fully up to date, OS update-wise?

matand317 (author), posted January 4, 2019

> 13 hours ago, itman said:
> Suspect the other file shown in your alert that begins in Russian? and ends in Microsoft Passport is also bogus and part of the coin miner attack. If the file physically exists on your hard drive, you can submit it to VirusTotal and see what the scanners there detect. For the time being, until @Marcos gets back to you, you can create a HIPS rule to block startup of anything in "C:\Users\user\AppData\Roaming\*.*". When you create the rule, eliminate the previously shown quote marks. Make sure you set the logging level to warning, so a log entry is created. If the HIPS log entries created become excessive, you can subsequently set the logging level to none. Make sure to post a screenshot of at least one HIPS log page of entries created by the rule. You can then clear the HIPS log if you wish. As far as I am aware, there are no executables in C:\Users\user\AppData\Roaming\ sub-directories that run on a normal basis. If in fact you do use Microsoft Passport, make sure there is not a sub-directory created for it in C:\Users\user\AppData\Roaming\. If so and it contains executable files, then don't create the HIPS rule mentioned above.

I tried creating that "HIPS" rule but I am having trouble finding how to make it... Can you help me do that?

P.S. Thank you for your help so far.

matand317 (author), posted January 4, 2019

Now a new threat is appearing, named logs.exe in "C:\ProgramData\SmartGuard\Logs", saying that it's associated with https://www.virusradar.com/en/BAT_CoinMiner.AJN/description, and a new message from Windows Script Host that keeps showing (messages in screenshots 8-9). Please help me; my computer is hard to use with endless notifications and messages.

matand317 (author), posted January 4, 2019

> 15 minutes ago, matand317 said:
> Now a new threat is appearing, named logs.exe in "C:\ProgramData\SmartGuard\Logs", saying that it's associated with https://www.virusradar.com/en/BAT_CoinMiner.AJN/description, and a new message from Windows Script Host that keeps showing (messages in screenshots 8-9). Please help me; my computer is hard to use with endless notifications and messages.

Now the same error leads to a different file location: "This PC"

itman, posted January 4, 2019

It appears the attacker is infecting your PC at will with new coin miner variants. Suggest you contact your in-country ESET support contact for malware removal assistance.

Marcos (Administrator), posted January 5, 2019

I'd suggest running a full disk scan with current modules, rebooting the machine afterwards and eventually running another scan to make sure no threat is found.
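As an added, read-only triage example (not from itman, Marcos or ESET) covering both itman's point that nothing under AppData\Roaming should normally be executable and the later logs.exe / Windows Script Host report under ProgramData: the script inventories executable and script files under those two roots, reports any that lack a valid Authenticode signature, and flags folder names that imitate the WinSxS component naming the detected path uses. The root list, the extension list and the naming regex are assumptions chosen for this thread, not ESET settings.

```powershell
# Added example: inventory executable content under %APPDATA% and %ProgramData%
# and flag (1) folders whose name mimics a WinSxS component directory
#     (<arch>_<name>_<publicKeyToken>_<version>_<culture>_<hash>) but sit outside
#     C:\Windows\WinSxS, and (2) executables/scripts without a valid signature.
# Read-only: it deletes nothing. Run from an elevated PowerShell prompt.

$Roots      = @($env:APPDATA, $env:ProgramData)      # assumption: locations named in the thread
$Extensions = @('*.exe', '*.dll', '*.bat', '*.cmd', '*.vbs', '*.js', '*.ps1')

# Heuristic for WinSxS-style names, e.g.
# wow64_microsoft-windows-wow64-legacy_31bf3856ad364e35_10.0.16299.15_none_18ff2b39790378ca
$WinSxSLike = '^(x86|amd64|wow64|msil)_[a-z0-9.\-]+_[0-9a-f]{16}_\d+\.\d+\.\d+\.\d+_[a-z\-]+_[0-9a-f]{16}$'

$findings = foreach ($root in $Roots) {
    if (-not (Test-Path -Path $root)) { continue }

    # (1) directories that look like side-by-side assembly folders in the wrong place
    Get-ChildItem -Path $root -Directory -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $WinSxSLike } |
        ForEach-Object {
            [pscustomobject]@{
                Finding = 'WinSxS-style folder name outside C:\Windows\WinSxS'
                Path    = $_.FullName
                Signer  = ''
            }
        }

    # (2) executable or script files whose signature is missing or not valid
    Get-ChildItem -Path $root -File -Recurse -Include $Extensions -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Finding = "Signature status: $($sig.Status)"
                    Path    = $_.FullName
                    Signer  = $sig.SignerCertificate.Subject
                }
            }
        }
}

# Review the list before acting on it: unsigned batch or script files are common
# for legitimate software, so the signature finding alone is not proof of malware.
$findings | Sort-Object Finding, Path | Format-Table -AutoSize -Wrap
```

The folder-name check is a heuristic: a legitimate program has no reason to create a WinSxS-style directory under a user profile, which is why the path in the first post stands out.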