edu34 0 Posted May 31, 2021 Share Posted May 31, 2021 I have 3 computers at home all with eset internet security and even so I was contaminated by these files. Trojan: Win32 / CoinMiner.C! Rfn Trojan: Win32 / Tiggre! Plock already formatted and after 2 weeks it always appears on one of the computers Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted May 31, 2021 Administrators Share Posted May 31, 2021 Those are not ESET's detection names. Do you actually have ESET installed? Do you have detection of potentially unwanted and unsafe applications enabled? Link to comment Share on other sites More sharing options...
edu34 0 Posted May 31, 2021 Author Share Posted May 31, 2021 (edited) Eset does not detect a threat. And the threat removes Eset, windows update and central security. After losing the windows security center, I used this Microsoft Support Emergency Response Tool program that detected the threats. Windows update and the security center no longer worked after detection and removal. I had to re-install the windows again. Edited May 31, 2021 by edu34 Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted May 31, 2021 Administrators Share Posted May 31, 2021 24 minutes ago, edu34 said: Windows update and the security center no longer worked after detection and removal. I had to re-install the windows again. I assume the issue has been sorted then. Unfortunately without logs and checking your ESET configuration we cannot help. CoinMiners are often detected as potentially unwanted applications which most users have disabled. Link to comment Share on other sites More sharing options...
Most Valued Members peteyt 393 Posted May 31, 2021 Most Valued Members Share Posted May 31, 2021 9 hours ago, edu34 said: I have 3 computers at home all with eset internet security and even so I was contaminated by these files. Trojan: Win32 / CoinMiner.C! Rfn Trojan: Win32 / Tiggre! Plock already formatted and after 2 weeks it always appears on one of the computers Do you mean it keeps reappearing after fully formating windows? If this is the case are you connected to a network as it sounds like another device is connected and constantly reinfecting this computer. Link to comment Share on other sites More sharing options...
edu34 0 Posted May 31, 2021 Author Share Posted May 31, 2021 I have a fourth old computer that only has the standard antivirus for windows and this one nevertheless presented this problem. I am testing another antivirus, I am curious how my home network is being attacked every week. On the eset log the threat removes eset from the system entirely. on the network the computers are not infected at the same time, yesterday when it happened again with one the other 2 will continue to function normally. the infected computer yesterday he entered the windows login screen and quickly restarted, I even thought it was a memory failure, but when he returned he was already without eset, windows security center and update disable. Link to comment Share on other sites More sharing options...
Most Valued Members Nightowl 202 Posted May 31, 2021 Most Valued Members Share Posted May 31, 2021 27 minutes ago, edu34 said: I have a fourth old computer that only has the standard antivirus for windows and this one nevertheless presented this problem. I am testing another antivirus, I am curious how my home network is being attacked every week. On the eset log the threat removes eset from the system entirely. on the network the computers are not infected at the same time, yesterday when it happened again with one the other 2 will continue to function normally. the infected computer yesterday he entered the windows login screen and quickly restarted, I even thought it was a memory failure, but when he returned he was already without eset, windows security center and update disable. If you have an infected PC in the network it will keep trying to spread to other computers in the Network You need to disconnect the infected PC and isolate it where you can fix it without being in a LAN that can lead to spreading of the malware to other places Check also your router/firewall if it needs to be updated if it's somehow compromised. Link to comment Share on other sites More sharing options...
itman 1,659 Posted May 31, 2021 Share Posted May 31, 2021 (edited) Here's a Microsoft TechNet posting on this coin miner: https://answers.microsoft.com/en-us/protect/forum/all/rundll-errors-after-reinstalling-windows/88c4f099-d4d4-402f-ba0d-2121c73666b6 . It is a nasty one indeed since it is attempting to also disable Microsoft Defender. It's also has a Win startup elements; Rundll enries, that have to be manually removed using SysInternals Autoruns for example. Note: Only the later versions of Microsoft Defender on Win 10 have full tamper protection. This would account for this "old" device being infected. -EDIT- There is also a scheduled task element to this coin miner which also has to be removed: https://www.itexperience.net/easy-fix-for-winscomrssrv-dll-there-was-a-problem-starting-winscomrssrv-dll/ Edited May 31, 2021 by itman Link to comment Share on other sites More sharing options...
itman 1,659 Posted May 31, 2021 Share Posted May 31, 2021 1 hour ago, edu34 said: On the eset log the threat removes eset from the system entirely. Post this log entry. What you stated makes no sense. If Eset was removed from the system, it would not be logging events. Link to comment Share on other sites More sharing options...
MobileIT 0 Posted June 1, 2021 Share Posted June 1, 2021 I can side with the original poster in respect of this trojan removing the eSet Internet Security Software on the computer that is infected. Just to break this down a little; We found that we had our laptop crashing for no apparent reason late at night (NZ Time) to the point that the power light was flashing quickly but would not (Come out of sleep, as per say) so we held the power button down for 10 seconds and rebooted as normal... We have then thought heck lets go and do a virus scan in case we have some bug hidden in there... Looked in the Start menu for eSet, yes its there.... Click.... oh sorry that application doesn't exist. Look in the main system / Program Files Folder... Hmmmm the eSet Internet Security Folder is there but no files inside it. Ok, downloaded the Microsoft Security Scanner @ https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download and ran this to find 7 infected files with the following bugs: Trojan:Win32/CoinMiner.C!rfn Trojan:Win32/Tiggre!plock VirTool:Win32/DefenderTamperingRestore In the process of removing these as we speak... Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted June 1, 2021 Administrators Share Posted June 1, 2021 Since ESET was removed, you should have reinstalled it and most likely it would have detected and removed the threats. Alternatively you could run a scan with ESET Online Scanner or ESET SysRescue. In order to protect ESET from being removed, we recommend: - setting a password to protect ESET's settings and to prevent it from being uninstalled - enabling detection of potentially unsafe applications - enforcing default real-time and HIPS settings via a policy to lock them on clients. Link to comment Share on other sites More sharing options...
MobileIT 0 Posted June 1, 2021 Share Posted June 1, 2021 That's exactly what we have done on other computers (Password Protection) just this one slipped through the cracks... Tisk Tisk Tisk "enabling detection of potentially unsafe applications" - this was turned on in our case "scan with ESET Online Scanner or ESET SysRescue" - Good to know for future issues In our case we had to run the eSet AV Removal Tool then re-install for eSet to actually install again as it kept prompting us to suggest it was still installed. Link to comment Share on other sites More sharing options...
itman 1,659 Posted June 1, 2021 Share Posted June 1, 2021 (edited) As far as Eset directory files being deleted on Win 10 Home in default setup, it should not occur. If you or an attacker tried to do so, the following will be the result: Note that the default Win 10 account created at installation time is a limited admin one that does not have full admin privileges. Also note that in to regards to the displayed screen shot, no UAC prompt is displayed even if UAC is set to max. level. Now if one has manually created a full privileged Administrator account on Win 10 Home version and worse, didn't password protect that account, an attacker could log on to that account and delete Eset directory files. Even if the full admin account had been previous disabled, an attacker could enable it running a cmd script by using the following command: net user administrator /active:yes Now in the case of Win 10 Pro+ versions, I believe the default account created does have full admin privileges. As such, a limited admin account needs to be created for daily normal use and the full admin privileged account properly secured. Edited June 1, 2021 by itman Link to comment Share on other sites More sharing options...
Recommended Posts