B69 - Posted Wednesday at 03:29 PM

Hello, I am not a computer expert, but: I've been experiencing a notification via ESET for the past few months. Win64/Coinminer.afz (Trojan horse), object spoolsv.exe. After the message, the computer shuts down and starts up again. How can I get rid of / fix this?
Marcos (Administrator) - Posted Wednesday at 03:35 PM

Please provide logs collected with ESET Log Collector for a start. Make sure to select "Threat detection" in the ELC menu.
Marcos (Administrator) - Posted Thursday at 06:00 PM

It appears that you have excluded the process C:\Windows\System32\spoolsv.exe, in which the malware was detected. This exclusion must be removed. Is the threat still detected after removing the process exclusion, disconnecting the machine from the network and rebooting the machine?
B69 (Author) - Posted Friday at 12:45 PM

Marcos, we have performed the above; unfortunately this does not have the desired result. The machine keeps seeing the coinminer and restarting. See the log file. We also did a boot with the ESET rescue disk, with a deep scan; it does not find anything at all. What to do?

Attachment: eea_logs.zip
itman - Posted Friday at 02:17 PM

Copy the ESET Detections log entry related to this coin miner detection and post it in your next reply. I, for one, am not convinced the spoolsv.exe process being abused here is the one resident in the C:\Windows\System32\ directory.
itman - Posted Friday at 08:41 PM (edited)

I will also ask if your Windows OS version is fully patched?

Quote:
Hackers Exploiting Recently Reported Windows Print Spooler Vulnerability in the Wild

A security flaw in the Windows Print Spooler component that was patched by Microsoft in February is being actively exploited in the wild, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned. To that end, the agency has added the shortcoming to its Known Exploited Vulnerabilities Catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to address the issues by May 10, 2022. Tracked as CVE-2022-22718 (CVSS score: 7.8), the security vulnerability is one among the four privilege escalation flaws in the Print Spooler that Microsoft resolved as part of its Patch Tuesday updates on February 8, 2022.

https://thehackernews.com/2022/04/hackers-exploiting-recently-reported.html

Edited Friday at 08:42 PM by itman
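The two questions itman raises in the posts above (is the running spoolsv.exe really the one in C:\Windows\System32, and is the host patched past the February 2022 Print Spooler fixes?) can be answered with a few built-in cmdlets. The script below is an added triage example, not code from this thread or from ESET; it assumes it is run in an elevated PowerShell session on the affected machine and only reads state, it does not remove anything.

```powershell
# Added triage example (not from the forum thread or ESET). Run elevated on the affected host.
# Assumption: the only legitimate Print Spooler binary is %SystemRoot%\System32\spoolsv.exe.
$expected = Join-Path $env:SystemRoot 'System32\spoolsv.exe'

# 1. Every running process named spoolsv.exe: image path, parent, command line and Authenticode status.
#    A copy outside System32, an unexpected parent, or a NotSigned/invalid signature is the red flag
#    itman is pointing at; the real spooler is signed by Microsoft and parented by services.exe.
Get-CimInstance Win32_Process -Filter "Name = 'spoolsv.exe'" | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    $sig    = if ($_.ExecutablePath) { Get-AuthenticodeSignature -FilePath $_.ExecutablePath } else { $null }
    [pscustomobject]@{
        PID          = $_.ProcessId
        Path         = $_.ExecutablePath
        IsSystem32   = ($_.ExecutablePath -eq $expected)
        Parent       = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { 'unknown' }
        CommandLine  = $_.CommandLine
        SigStatus    = if ($sig) { $sig.Status } else { 'n/a' }
        Signer       = if ($sig) { $sig.SignerCertificate.Subject } else { 'n/a' }
    }
} | Format-List

# 2. Hash of the on-disk System32 binary, to compare with a known-good copy from another patched host.
Get-FileHash -Algorithm SHA256 -Path $expected

# 3. Persistence locations that reference "spoolsv": scheduled tasks and the Run keys.
#    The genuine spooler is started as a service, not from here, so any hit deserves a look.
Get-ScheduledTask |
    Where-Object { $_.Actions.Execute -match 'spoolsv' } |
    Select-Object TaskName, TaskPath, State

foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Value -is [string] -and $_.Value -match 'spoolsv' } |
            Select-Object @{ n = 'Key'; e = { $key } }, Name, Value
    }
}

# 4. Patch level: updates installed on or after the February 8, 2022 Patch Tuesday quoted above.
#    An empty list means the Print Spooler fixes from that release are very likely missing.
Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge [datetime]'2022-02-08' } |
    Sort-Object InstalledOn |
    Select-Object HotFixID, InstalledOn, Description
```

Paste the output of step 1 alongside the ESET Detections log entry when replying: the path and signer of the detected process settle the System32-or-impostor question, and the hotfix list shows whether the February 2022 spooler patches are present.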