B69 (May 11, 2022): Hello, I am not a computer expert, but I've been experiencing a notification via ESET for the past few months: Win64/Coinminer.afz (Trojan horse), object spoolsv.exe. After the message, the computer shuts down and starts up again. How can I get rid of / fix this?
Marcos (Administrators, May 11, 2022): Please provide logs collected with ESET Log Collector for a start. Make sure to select "Threat detection" in the ELC menu.
Marcos (Administrators, May 12, 2022): It appears that you have excluded the process C:\Windows\System32\spoolsv.exe in which the malware was detected. This exclusion must be removed. Is the threat detected after removing the process exclusion, disconnecting the machine from the network and rebooting the machine?
B69 (Author, May 13, 2022): Marcos, we have performed the above; unfortunately this does not have the desired result. The machine keeps seeing the coinminer and restarting. See the log file. Also we did a boot with the Eset rescue disk, with deep scan; it does not find anything at all. What to do? (Attachment: eea_logs.zip)
itman (May 13, 2022): Copy the Eset Detections log entry related to this coin miner detection and post it in your next reply. I, for one, am not convinced the spoolsv.exe process being abused here is the one resident in the C:\Windows\System32\ directory.
itman (May 13, 2022): I will also ask if your Win OS version is fully patched?

Quote: "Hackers Exploiting Recently Reported Windows Print Spooler Vulnerability in the Wild. A security flaw in the Windows Print Spooler component that was patched by Microsoft in February is being actively exploited in the wild, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned. To that end, the agency has added the shortcoming to its Known Exploited Vulnerabilities Catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to address the issues by May 10, 2022. Tracked as CVE-2022-22718 (CVSS score: 7.8), the security vulnerability is one among the four privilege escalation flaws in the Print Spooler that Microsoft resolved as part of its Patch Tuesday updates on February 8, 2022." https://thehackernews.com/2022/04/hackers-exploiting-recently-reported.html
B69 (Author, May 17, 2022): Machine fully patched. CVE-2022-22718 also processed. Machine continues to report. Anyone else have a suggestion?
itman (May 17, 2022): Quoting B69 (54 minutes ago): "Anyone else have a suggestion?" You never posted the Eset Detections log entry I previously requested.
itman (May 30, 2022): Quoting itman (5/17/2022 at 12:12 PM): "You never posted the Eset Detections log entry I previously requested." You need to copy and paste the log entry in your forum reply. Only Eset moderators can access a forum attachment.
itman (June 1, 2022): Quoting itman (5/30/2022 at 9:02 AM): "You need to copy and paste the log entry in your forum reply. Only Eset moderators can access a forum attachment." Do not post the Detection log entry as an attachment. Copy and paste it into your forum reply. To copy an Eset log entry, right button mouse click on the entry and select Copy. Then create a forum reply. Finally, right button mouse click in the reply window and select Paste.
Nightowl (Most Valued Members, June 13, 2022): Quoting B69 (29 minutes ago): "ESVC_PC11_20220524115438.zip" What itman means is that you copy and paste what occurred to you in the detection logs, because the attachments cannot be opened by normal users, only by Eset staff. You can copy and paste the text that appeared in the logs or just simply take a screenshot of it. You can right-click the detection of the CoinMiner and press Copy, and then you can after that paste it to the forum here.
B69 (Author, June 29, 2022):
Tijd;Scanner;Objecttype;Object;Detectie;Actie;Gebruiker;Informatie;Hash;Eerst gezien hier
29-6-2022 7:59:27;Geavanceerde geheugenscanner;bestand;Werkgeheugen » spoolsv.exe(1544);een variant van Win64/CoinMiner.AFZ trojaans paard;bevatte geïnfecteerde bestanden (na de volgende keer opnieuw opstarten);;;B6D31B120E905B753109CB0985C1F7818D10A40E;
Marcos (Administrators, June 29, 2022): Quoting B69 (7 minutes ago):
Tijd;Scanner;Objecttype;Object;Detectie;Actie;Gebruiker;Informatie;Hash;Eerst gezien hier
29-6-2022 7:59:27;Geavanceerde geheugenscanner;bestand;Werkgeheugen » spoolsv.exe(1544);een variant van Win64/CoinMiner.AFZ trojaans paard;bevatte geïnfecteerde bestanden (na de volgende keer opnieuw opstarten);;;B6D31B120E905B753109CB0985C1F7818D10A40E;
Please provide logs collected with ESET Log Collector and the "Threat detection" template selected in ELC.
itman (June 29, 2022): BTW, the log entry translated yields:
Time;Scanner;ObjectType;Object;Detection;Action;User;Information;Hash;First seen here
6/29-2022 7:59:27;Advanced memory scanner;file;Memory memory » spoolsv.exe(1544);a variant of Win64/CoinMiner.AFZ trojan horse;contains infected files (after next reboot);;;B6D31B120E905B753109CB0985C1F7818D10A40E;
itman (July 6, 2022): Very odd that you're receiving the Eset detection activity once a month on the same date, the seventh. Must be a scheduled task set up to run monthly. Also, whatever the source malware is, it is injecting spoolsv.exe. You could try to create an Eset HIPS rule to monitor any process modification of C:\Windows\System32\spoolsv.exe. Make sure you set the logging level to warning. If this rule is triggered by a non-legit Windows process, block it when the alert presents. However, this process runs as a Windows service; i.e. svchost.exe. It is possible the malware is starting svchost.exe in suspended mode and performing a process hollowing routine against spoolsv.exe to inject the malware.
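As an added triage example (not from this thread, and not ESET's own tooling), the PowerShell below checks the two things raised above: whether each running spoolsv.exe is the genuine System32 binary started by services.exe with a valid signature, and which scheduled tasks fire on a monthly trigger. It assumes an elevated PowerShell 5.1+ session on Windows 10/11 and that MSFT_TaskMonthlyTrigger is the ScheduledTasks CIM class name for monthly triggers.

```powershell
# Added example, not from the thread or ESET. Assumes elevated PowerShell 5.1+ on Windows 10/11.
$expectedPath = Join-Path $env:SystemRoot 'System32\spoolsv.exe'

# 1. Every running spoolsv.exe: image path, parent process and Authenticode signature.
#    The spooler service is started by services.exe; a different parent or path is suspicious.
Get-CimInstance Win32_Process -Filter "Name = 'spoolsv.exe'" | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    $sig    = if ($_.ExecutablePath) { Get-AuthenticodeSignature -FilePath $_.ExecutablePath }
    [pscustomobject]@{
        PID              = $_.ProcessId
        Path             = $_.ExecutablePath
        PathIsSystem32   = ($_.ExecutablePath -ieq $expectedPath)
        Parent           = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { 'n/a' }
        ParentIsServices = ($parent.Name -ieq 'services.exe')
        SigStatus        = if ($sig) { $sig.Status } else { 'unknown' }
        Signer           = if ($sig) { $sig.SignerCertificate.Subject } else { 'unknown' }
    }
} | Format-List

# 2. SHA1 of the on-disk binary, for comparison with the hash in the ESET detections log.
#    A memory-scanner detection means the file on disk may well be clean; a clean hash here
#    does not rule out injection into the running process.
Get-FileHash -Algorithm SHA1 -Path $expectedPath | Format-List

# 3. Scheduled tasks with a monthly trigger, matching the "same day each month" pattern.
#    Assumption: MSFT_TaskMonthlyTrigger is the CIM class for monthly triggers.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($t in $task.Triggers) {
        if ($t.CimClass.CimClassName -eq 'MSFT_TaskMonthlyTrigger') {
            [pscustomobject]@{
                Task   = "$($task.TaskPath)$($task.TaskName)"
                Days   = ($t.DaysOfMonth -join ',')
                Action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            }
        }
    }
} | Format-Table -AutoSize
```

Any spoolsv.exe whose PathIsSystem32 or ParentIsServices is False, or whose signature status is not Valid, and any monthly task whose action points outside the expected Windows or vendor locations, is what to report back with the ELC logs.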