Roman_Broadway (0) - Posted March 28, 2022

Hi all

The message "A potentially unwanted program (Win32 / CoinMiner.BF) has been detected in the file on your computer. File: attrib.exe (4976)" appears. Antivirus scanning does not help. How do I remove CoinMiner.BF?
Marcos (Administrators, 4,909) - Posted March 28, 2022

Please provide logs collected with ESET Log Collector. Is the PUA detected after a computer restart?
itman (1,627) - Posted March 28, 2022 (edited March 28, 2022 by itman)

Here's an article on what I suspect is going on, for reference: https://www.bleepingcomputer.com/news/security/cryptocurrency-miner-plays-hide-and-seek-with-popular-games-and-tools/

A malware process is injecting attrib.exe, a legit Win process, to run the coinminer. The process injection can be done via the method noted in the bleepingcomputer.com article or by other methods.

Post the logs @Marcos requested.
Roman_Broadway (0, Author) - Posted April 2, 2022 (edited April 2, 2022 by Roman_Broadway)

Quoting Marcos (3/29/2022 at 12:55 AM): Please provide logs collected with ESET Log Collector. Is the PUA detected after a computer restart?

Hi. Here are. Summon @itman

Attachment: eis_logs.zip
itman (1,627) - Posted April 2, 2022

Quoting Roman_Broadway (3 hours ago): Hi. Here are. Summon @itman

Only Eset moderators can access forum posting attachments. You will have to wait till @Marcos analyzes it.
Marcos (Administrators, 4,909) - Posted April 3, 2022

Is the PUA detected shortly after a reboot? If so, please carry on as follows:
- create a Procmon boot log
- after a reboot, stop logging only after the PUA has been detected and save the log (unfiltered)
- collect fresh logs with ELC and provide both logs for perusal.
itman (1,627) - Posted April 3, 2022

My solution to this is to create an Eset HIPS rule to detect any process modification to C:\Windows\System32\attrib.exe and C:\Windows\SysWOW64\attrib.exe. Make it an Ask rule and set the rule logging level to Warning. When the Eset HIPS rule triggers, respond by allowing the activity. Then post in the forum the HIPS log entries associated with this HIPS rule.
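Added example (not code from the forum posters or from ESET): once the Procmon boot log Marcos asked for has been saved as CSV, this script picks out the Process Create events for attrib.exe and reports the ones launched by a parent that is not a normal interactive shell, which is the launch itman's HIPS rule is meant to catch. The CSV sample, the parent allowlist and the parent process name updater.exe are constructed for the example.

```python
import csv
import io
import re

# Constructed sample of a Procmon "Save as CSV" export (not a real capture).
# The Detail column of a Process Create event carries the child PID and command line.
SAMPLE_PROCMON_CSV = """Time of Day,Process Name,PID,Operation,Path,Result,Detail
9:01:02.1,cmd.exe,1200,Process Create,C:\\Windows\\System32\\attrib.exe,SUCCESS,"PID: 4100, Command line: attrib +h notes.txt"
9:01:05.7,svchost.exe,900,Process Create,C:\\Windows\\System32\\svchost.exe,SUCCESS,"PID: 910, Command line: svchost.exe -k netsvcs"
9:01:09.3,updater.exe,3300,Process Create,C:\\Windows\\SysWOW64\\attrib.exe,SUCCESS,"PID: 4976, Command line: attrib.exe"
9:01:11.0,explorer.exe,1500,Process Create,C:\\Windows\\System32\\notepad.exe,SUCCESS,"PID: 5000, Command line: notepad.exe"
"""

# Assumed allowlist of parents that legitimately start attrib.exe on a workstation;
# tune it to the environment being investigated.
EXPECTED_PARENTS = {"cmd.exe", "explorer.exe", "powershell.exe"}

DETAIL_RE = re.compile(r"PID: (\d+), Command line: (.*)")


def find_suspicious_attrib_launches(csv_text, expected_parents=EXPECTED_PARENTS):
    """Return (parent name, child PID, command line) for every attrib.exe
    Process Create event whose parent is not in the allowlist."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "Process Create":
            continue
        # Both the System32 and SysWOW64 copies of attrib.exe are of interest.
        if not row["Path"].lower().endswith("\\attrib.exe"):
            continue
        parent = row["Process Name"]
        if parent.lower() in expected_parents:
            continue
        match = DETAIL_RE.match(row["Detail"])
        if match is None:
            continue  # unexpected Detail layout; skip rather than guess
        hits.append((parent, int(match.group(1)), match.group(2)))
    return hits


if __name__ == "__main__":
    for parent, pid, cmdline in find_suspicious_attrib_launches(SAMPLE_PROCMON_CSV):
        print(f"attrib.exe PID {pid} started by {parent}: {cmdline}")
```

Each reported parent is a candidate for the injecting process; its image path and the HIPS log entries for the matching rule are what to include with the ELC logs.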