B69, posted May 11, 2022:
Hello, I am not a computer expert, but I've been experiencing a notification via ESET for the past few months: Win64/Coinminer.afz (Trojan horse), object spoolsv.exe. After the message, the computer shuts down and starts up again. How can I get rid of / fix this?
Marcos (Administrator), posted May 11, 2022:
Please provide logs collected with ESET Log Collector for a start. Make sure to select "Threat detection" in the ELC menu.
Marcos (Administrator), posted May 12, 2022:
It appears that you have excluded the process C:\Windows\System32\spoolsv.exe in which the malware was detected. This exclusion must be removed. Is the threat still detected after removing the process exclusion, disconnecting the machine from the network and rebooting the machine?
B69 (author), posted May 13, 2022:
Marcos, we have performed the above; unfortunately this does not have the desired result. The machine keeps seeing the coinminer and restarting. See the log file. We also did a boot with the ESET rescue disk, with a deep scan. It does not find anything at all. What to do?
Attachment: eea_logs.zip
itman, posted May 13, 2022:
Copy the Eset Detections log entry related to this coin miner detection and post it in your next reply. I, for one, am not convinced the spoolsv.exe process being abused here is the one resident in the C:\Windows\System32\ directory.
itman, posted May 13, 2022 (edited May 13, 2022 by itman):
I will also ask if your Windows OS version is fully patched?
Quote: "Hackers Exploiting Recently Reported Windows Print Spooler Vulnerability in the Wild. A security flaw in the Windows Print Spooler component that was patched by Microsoft in February is being actively exploited in the wild, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned. To that end, the agency has added the shortcoming to its Known Exploited Vulnerabilities Catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to address the issues by May 10, 2022. Tracked as CVE-2022-22718 (CVSS score: 7.8), the security vulnerability is one among the four privilege escalation flaws in the Print Spooler that Microsoft resolved as part of its Patch Tuesday updates on February 8, 2022."
https://thehackernews.com/2022/04/hackers-exploiting-recently-reported.html
B69 (author), posted May 17, 2022:
Machine fully patched. CVE-2022-22718 also processed. Machine continues to report. Anyone else have a suggestion?
itman, posted May 17, 2022:
Quoting B69 (54 minutes ago): "Anyone else have a suggestion?"
You never posted the Eset Detections log entry I previously requested.
B69 (author), posted May 30, 2022:
Attachment: ESVC_PC11_20220524115438.zip
itman, posted May 30, 2022:
Quoting itman (5/17/2022 at 12:12 PM): "You never posted the Eset Detections log entry I previously requested."
You need to copy and paste the log entry in your forum reply. Only Eset moderators can access a forum attachment.
B69 (author), posted June 1, 2022:
Attachment: ESVC_PC11_20220524115438.zip
itman, posted June 1, 2022:
Quoting itman (5/30/2022 at 9:02 AM): "You need to copy and paste the log entry in your forum reply. Only Eset moderators can access a forum attachment."
Do not post the Detection log entry as an attachment. Copy and paste it into your forum reply. To copy an Eset log entry, right-click on the entry and select Copy. Then create a forum reply. Finally, right-click in the reply window and select Paste.
B69 (author), posted June 13, 2022:
Attachment: ESVC_PC11_20220524115438.zip
Nightowl (Most Valued Member), posted June 13, 2022 (edited June 13, 2022 by Nightowl):
Quoting B69 (29 minutes ago): "ESVC_PC11_20220524115438.zip"
What itman means is that you copy and paste what occurred to you in the detection logs, because the attachments cannot be opened by normal users, only by ESET staff. You can copy and paste the text that appeared in the logs, or just simply take a screenshot of it. You can right-click the detection of the CoinMiner and press Copy, and after that you can paste it to the forum here.
B69 (author), posted June 29, 2022:
Tijd;Scanner;Objecttype;Object;Detectie;Actie;Gebruiker;Informatie;Hash;Eerst gezien hier
29-6-2022 7:59:27;Geavanceerde geheugenscanner;bestand;Werkgeheugen » spoolsv.exe(1544);een variant van Win64/CoinMiner.AFZ trojaans paard;bevatte geïnfecteerde bestanden (na de volgende keer opnieuw opstarten);;;B6D31B120E905B753109CB0985C1F7818D10A40E;
Marcos (Administrator), posted June 29, 2022:
Quoting B69 (7 minutes ago):
Tijd;Scanner;Objecttype;Object;Detectie;Actie;Gebruiker;Informatie;Hash;Eerst gezien hier
29-6-2022 7:59:27;Geavanceerde geheugenscanner;bestand;Werkgeheugen » spoolsv.exe(1544);een variant van Win64/CoinMiner.AFZ trojaans paard;bevatte geïnfecteerde bestanden (na de volgende keer opnieuw opstarten);;;B6D31B120E905B753109CB0985C1F7818D10A40E;
Please provide logs collected with ESET Log Collector, with the "Threat detection" template selected in ELC.
itman, posted June 29, 2022:
BTW - the log entry translated yields:
Time;Scanner;ObjectType;Object;Detection;Action;User;Information;Hash;First seen here
6/29/2022 7:59:27;Advanced memory scanner;file;Memory memory » spoolsv.exe(1544);a variant of Win64/CoinMiner.AFZ trojan horse;contains infected files (after next reboot);;;B6D31B120E905B753109CB0985C1F7818D10A40E;
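As an added example (not code from the thread or from ESET), a small Python parser for the semicolon-separated Detections export pasted above: it pulls the injected image name, PID and hash out of the Object column and flags hits from the memory scanner, which is the reason a rescue-disk scan of the on-disk spoolsv.exe comes back clean. The English scanner name in MEMORY_SCANNERS is an assumption; the sample row is the one from the thread.

```python
import csv
import io
import re

# Constructed sample: one Detections entry copied from the ESET GUI, in the
# same Dutch, semicolon-separated layout that was pasted in this thread.
SAMPLE_EXPORT = (
    "Tijd;Scanner;Objecttype;Object;Detectie;Actie;Gebruiker;Informatie;Hash;Eerst gezien hier\n"
    "29-6-2022 7:59:27;Geavanceerde geheugenscanner;bestand;Werkgeheugen » spoolsv.exe(1544);"
    "een variant van Win64/CoinMiner.AFZ trojaans paard;"
    "bevatte geïnfecteerde bestanden (na de volgende keer opnieuw opstarten);;;"
    "B6D31B120E905B753109CB0985C1F7818D10A40E;\n"
)

# Scanner names that mean the detection was made in process memory, not on a
# file on disk. Dutch string is from the thread; the English one is assumed.
MEMORY_SCANNERS = {"geavanceerde geheugenscanner", "advanced memory scanner"}

# "Werkgeheugen » spoolsv.exe(1544)" or "C:\...\spoolsv.exe(1544)" -> image, pid
OBJECT_RE = re.compile(r"(?P<image>[^\\»]+?\.exe)\((?P<pid>\d+)\)\s*$")


def parse_detections(text):
    """Parse an ESET Detections export into dicts, using column positions so
    the header language (Dutch, English, ...) does not matter."""
    rows = list(csv.reader(io.StringIO(text), delimiter=";"))
    records = []
    for row in rows[1:]:                      # skip the header row
        if len(row) < 9 or not row[0].strip():
            continue
        obj = row[3]
        m = OBJECT_RE.search(obj)
        records.append({
            "time": row[0],
            "scanner": row[1],
            "object": obj,
            "image": m.group("image").strip() if m else None,
            "pid": int(m.group("pid")) if m else None,
            "detection": row[4],
            "action": row[5],
            "hash": row[8].strip().upper(),
            "in_memory": row[1].strip().lower() in MEMORY_SCANNERS,
        })
    return records


def triage(record):
    """Say what the entry implies: an in-memory hit on a Windows system process
    means code was injected into it, so the on-disk binary will scan clean."""
    if record["in_memory"] and record["image"]:
        return (f"{record['detection']} in memory of {record['image']} "
                f"(PID {record['pid']}): hunt the injecting parent or scheduled "
                f"task, not the on-disk binary")
    return f"{record['detection']} on {record['object']}"
```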
B69 (author), posted July 6, 2022:
itman, posted July 6, 2022:
Very odd that you're receiving the Eset detection activity once a month on the same date, the seventh. Must be a scheduled task set up to run monthly. Also, whatever the source malware is, it is injecting spoolsv.exe. You could try to create an Eset HIPS rule to monitor any process modification of C:\Windows\System32\spoolsvc.exe. Make sure you set the logging level to warning. If this rule is triggered by a non-legit Windows process, block it when the alert presents. However, this process runs as a Windows service, i.e. svchost.exe. It is possible the malware is starting svchost.exe in suspended mode and performing a process hollowing routine against spoolsv.exe to inject the malware.