
HELP "Trojan:Win32/Tiggre!plock" "Trojan:Win32/CoinMiner.C!rfn"



I have 3 computers at home, all with ESET Internet Security, and even so I was infected by these files: Trojan:Win32/CoinMiner.C!rfn, Trojan:Win32/Tiggre!plock

I have already formatted, and after 2 weeks it always appears again on one of the computers.


  • Marcos changed the title to HELP "Trojan:Win32/Tiggre!plock" "Trojan:Win32/CoinMiner.C!rfn"
  • Administrators

Those are not ESET's detection names. Do you actually have ESET installed? Do you have detection of potentially unwanted and unsafe applications enabled?

Link to comment
Share on other sites

ESET does not detect a threat. And the threat removes ESET, Windows Update and the Security Center.
After losing the Windows Security Center, I used the Microsoft Support Emergency Response Tool program, which detected the threats.
Windows Update and the Security Center no longer worked after detection and removal.
I had to reinstall Windows again.

Edited by edu34

  • Administrators
24 minutes ago, edu34 said:

Windows Update and the Security Center no longer worked after detection and removal.
I had to reinstall Windows again.

I assume the issue has been sorted then. Unfortunately, without logs and checking your ESET configuration we cannot help. CoinMiners are often detected as potentially unwanted applications, which most users have disabled.


  • Most Valued Members
9 hours ago, edu34 said:

I have 3 computers at home, all with ESET Internet Security, and even so I was infected by these files: Trojan:Win32/CoinMiner.C!rfn, Trojan:Win32/Tiggre!plock

I have already formatted, and after 2 weeks it always appears again on one of the computers.

Do you mean it keeps reappearing after fully formatting Windows?

If this is the case, are you connected to a network? It sounds like another device is connected and constantly reinfecting this computer.


I have a fourth old computer that only has the standard Windows antivirus, and this one nevertheless presented this problem.
I am testing another antivirus; I am curious how my home network is being attacked every week.
In the ESET log, the threat removes ESET from the system entirely.
On the network the computers are not infected at the same time; yesterday, when it happened again with one, the other 2 continued to function normally.
Yesterday the infected computer reached the Windows login screen and quickly restarted. I even thought it was a memory failure, but when it came back it was already without ESET, and the Windows Security Center and Update were disabled.


  • Most Valued Members
27 minutes ago, edu34 said:

I have a fourth old computer that only has the standard Windows antivirus, and this one nevertheless presented this problem.
I am testing another antivirus; I am curious how my home network is being attacked every week.
In the ESET log, the threat removes ESET from the system entirely.
On the network the computers are not infected at the same time; yesterday, when it happened again with one, the other 2 continued to function normally.
Yesterday the infected computer reached the Windows login screen and quickly restarted. I even thought it was a memory failure, but when it came back it was already without ESET, and the Windows Security Center and Update were disabled.

If you have an infected PC on the network, it will keep trying to spread to other computers on the network.

You need to disconnect the infected PC and isolate it where you can fix it without being on a LAN, which can lead to the malware spreading to other places.

Also check your router/firewall to see if it needs to be updated, in case it's somehow compromised.


Here's a Microsoft TechNet posting on this coin miner: https://answers.microsoft.com/en-us/protect/forum/all/rundll-errors-after-reinstalling-windows/88c4f099-d4d4-402f-ba0d-2121c73666b6 .

It is a nasty one indeed, since it is also attempting to disable Microsoft Defender. It also has Windows startup elements, Rundll entries, that have to be manually removed using Sysinternals Autoruns, for example.

Note: Only the later versions of Microsoft Defender on Win 10 have full tamper protection. This would account for this "old" device being infected.

-EDIT- There is also a scheduled task element to this coin miner which also has to be removed: https://www.itexperience.net/easy-fix-for-winscomrssrv-dll-there-was-a-problem-starting-winscomrssrv-dll/

Edited by itman
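The post above points at two persistence locations for this miner, rundll32 entries among the Windows startup items and a scheduled task, plus its attempt to switch off Defender. The following PowerShell triage script is an added example, not code from the thread or from any linked page. It enumerates the Run/RunOnce keys and every scheduled task action, flags any that invoke rundll32 with a DLL outside the Windows or Program Files trees, and prints Defender's protection state. The "untrusted path" heuristic, the registry key list and the sample names are my assumptions; run it elevated on the suspect machine and review the output before deleting anything.

```powershell
# Added example (not from the thread): triage for rundll32-based persistence
# in the Run keys and scheduled tasks, and a Defender state check.
# Report only; nothing is removed. Run from an elevated PowerShell 5.1 prompt.

# Autostart registry locations that commonly carry rundll32 entries (assumption: these
# are the ones worth checking first; Autoruns covers many more).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# A DLL loaded from outside these trees is what we want to look at.
# Heuristic, not a rule: malware can also drop into Program Files.
$trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

function Test-SuspiciousCommand {
    param([string]$CommandLine)
    if ($CommandLine -notmatch 'rundll32') { return $false }
    # Pull the first .dll path (quoted or bare) out of the command line.
    if ($CommandLine -match '"?([^"\s]+\.dll)"?') {
        $dll = $Matches[1]
        foreach ($root in $trustedRoots) {
            if ($root.Length -gt 1 -and
                $dll.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                return $false
            }
        }
    }
    # rundll32 with no resolvable DLL path, or a DLL from an untrusted path.
    return $true
}

Write-Host '== Run/RunOnce entries invoking rundll32 from an untrusted path =='
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        if (Test-SuspiciousCommand -CommandLine ([string]$p.Value)) {
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value } | Format-List
        }
    }
}

Write-Host '== Scheduled tasks whose action runs rundll32 from an untrusted path =='
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        # Only exec actions carry Execute/Arguments; other action types yield empty strings.
        $cmd = "$($a.Execute) $($a.Arguments)"
        if (Test-SuspiciousCommand -CommandLine $cmd) {
            [pscustomobject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                State    = $task.State
                Command  = $cmd
            } | Format-List
        }
    }
}

Write-Host '== Defender state (disabled real-time or tamper protection is a red flag) =='
Get-MpComputerStatus |
    Select-Object AMServiceEnabled, RealTimeProtectionEnabled, IsTamperProtected,
                  AntivirusSignatureLastUpdated
```

Anything the script flags should be cross-checked in Autoruns before removal; a scheduled task is removed with Unregister-ScheduledTask, a Run entry with Remove-ItemProperty, and the DLL itself only after the process that loaded it has been stopped, otherwise the file is recreated on the next boot.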

1 hour ago, edu34 said:

On the eset log the threat removes eset from the system entirely.

Post this log entry.

What you stated makes no sense. If ESET was removed from the system, it would not be logging events.


I can side with the original poster with respect to this trojan removing the ESET Internet Security software on the computer that is infected.

Just to break this down a little: we found that our laptop was crashing for no apparent reason late at night (NZ time), to the point that the power light was flashing quickly but it would not come out of sleep, so to speak, so we held the power button down for 10 seconds and rebooted as normal...

We then thought, heck, let's go and do a virus scan in case we have some bug hidden in there... Looked in the Start menu for ESET; yes, it's there.... Click.... oh sorry, that application doesn't exist.

Looked in the main system / Program Files folder... Hmmmm, the ESET Internet Security folder is there but no files inside it.

OK, downloaded the Microsoft Safety Scanner from https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

and ran it, which found 7 infected files with the following bugs:

  • Trojan:Win32/CoinMiner.C!rfn
  • Trojan:Win32/Tiggre!plock
  • VirTool:Win32/DefenderTamperingRestore

In the process of removing these as we speak...


  • Administrators

Since ESET was removed, you should have reinstalled it and most likely it would have detected and removed the threats.

Alternatively you could run a scan with ESET Online Scanner or ESET SysRescue.

In order to protect ESET from being removed, we recommend:
- setting a password to protect ESET's settings and to prevent it from being uninstalled
- enabling detection of potentially unsafe applications
- enforcing default real-time and HIPS settings via a policy to lock them on clients.


That's exactly what we have done on other computers (password protection); just this one slipped through the cracks... Tisk tisk tisk

"enabling detection of potentially unsafe applications" - this was turned on in our case

"scan with ESET Online Scanner or ESET SysRescue" - good to know for future issues

In our case we had to run the ESET AV Removal Tool and then reinstall for ESET to actually install again, as it kept prompting us to suggest it was still installed.


As far as ESET directory files being deleted on Win 10 Home in the default setup, it should not occur. If you or an attacker tried to do so, the following would be the result:

[screenshot: Eset_Admin.png]

Note that the default Win 10 account created at installation time is a limited admin one that does not have full admin privileges. Also note that, in regard to the displayed screenshot, no UAC prompt is displayed even if UAC is set to the max level.

Now if one has manually created a fully privileged Administrator account on Win 10 Home and, worse, didn't password protect that account, an attacker could log on to that account and delete ESET directory files. Even if the full admin account had been previously disabled, an attacker could enable it by running a cmd script using the following command:

net user administrator /active:yes

Now in the case of Win 10 Pro+ versions, I believe the default account created does have full admin privileges. As such, a limited admin account needs to be created for daily normal use, and the fully privileged admin account properly secured.

Edited by itman
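The post above turns on the state of the built-in Administrator account (the one "net user administrator /active:yes" re-enables) and on admin accounts with no password. The following PowerShell audit is an added example, not code from the thread. It finds the built-in account by its RID 500 rather than by name, lists every other member of the local Administrators group with its enabled and password-required state, warns on the two conditions the post describes, and can optionally disable the built-in account. It assumes Windows 10 with the Microsoft.PowerShell.LocalAccounts module (present in PowerShell 5.1) and must be run elevated.

```powershell
# Added example (not from the thread): audit local administrator accounts.
# Reports the built-in Administrator (RID 500), all other Administrators group
# members, and flags enabled accounts with no password requirement.
# The only change it makes is behind -DisableBuiltinAdmin. Run elevated.
param([switch]$DisableBuiltinAdmin)

$findings = @()

# The built-in Administrator always has RID 500, whatever it has been renamed to.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin) {
    $findings += [pscustomobject]@{
        Account          = $builtin.Name
        Role             = 'Built-in Administrator (RID 500)'
        Enabled          = $builtin.Enabled
        PasswordRequired = $builtin.PasswordRequired
        LastLogon        = $builtin.LastLogon
    }
}

# Every other member of the local Administrators group. Local users are resolved
# with Get-LocalUser; domain or Microsoft-account members are listed as-is,
# because their password state is not held on this machine.
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    if ($builtin -and $m.SID -eq $builtin.SID) { continue }
    $u = $null
    if ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'Local') {
        $u = Get-LocalUser -SID $m.SID -ErrorAction SilentlyContinue
    }
    $enabled   = 'n/a'; $pwdReq = 'n/a'; $lastLogon = 'n/a'
    if ($u) { $enabled = $u.Enabled; $pwdReq = $u.PasswordRequired; $lastLogon = $u.LastLogon }
    $findings += [pscustomobject]@{
        Account          = $m.Name
        Role             = "Administrators member ($($m.PrincipalSource))"
        Enabled          = $enabled
        PasswordRequired = $pwdReq
        LastLogon        = $lastLogon
    }
}

$findings | Format-Table -AutoSize

# The two conditions from the post: an enabled RID-500 account, and any enabled
# admin account that does not require a password.
foreach ($f in $findings) {
    if ($f.Enabled -eq $true -and $f.Role -like 'Built-in*') {
        Write-Warning "Built-in Administrator '$($f.Account)' is enabled; disable it unless you need it."
    }
    if ($f.Enabled -eq $true -and $f.PasswordRequired -eq $false) {
        Write-Warning "Admin account '$($f.Account)' is enabled and does not require a password."
    }
}

if ($DisableBuiltinAdmin -and $builtin -and $builtin.Enabled) {
    # Same effect as "net user administrator /active:no".
    Disable-LocalUser -SID $builtin.SID
    Write-Host "Disabled built-in Administrator '$($builtin.Name)'."
}
```

Disabling the account is the right default for a home machine, but it only holds while the attacker lacks admin rights: anyone already running elevated can re-enable it exactly as the post shows, so the audit is a check on the current state, not a control by itself.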

This topic is now closed to further replies.