win64/coinminer.afz


B69
Hello,

I am not a computer expert, but:

I've been experiencing a notification via ESET for the past few months.

Win64/Coinminer.afz (Trojan horse), object: spoolsv.exe.

After the message the computer shuts down and starts up again. How can I get rid of / fix this?


  • Administrators

It appears that you have excluded the process C:\Windows\System32\spoolsv.exe in which the malware was detected. This exclusion must be removed.

Is the threat detected after removing the process exclusion, disconnecting the machine from network and rebooting the machine?


Marcos,

We have performed the above; unfortunately this does not have the desired result.

The machine keeps seeing the coinminer and restarting.

See the log file.

We also booted from the ESET rescue disk and ran a deep scan.

It does not find anything at all.

What to do?


eea_logs.zip


Copy the ESET Detections log entry related to this coin miner detection and post it in your next reply.

I, for one, am not convinced that the spoolsv.exe process being abused here is the one resident in the C:\Windows\System32\ directory.


I will also ask: is your Windows OS version fully patched?

Quote:

Hackers Exploiting Recently Reported Windows Print Spooler Vulnerability in the Wild

A security flaw in the Windows Print Spooler component that was patched by Microsoft in February is being actively exploited in the wild, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned.

To that end, the agency has added the shortcoming to its Known Exploited Vulnerabilities Catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to address the issues by May 10, 2022.

Tracked as CVE-2022-22718 (CVSS score: 7.8), the security vulnerability is one among the four privilege escalation flaws in the Print Spooler that Microsoft resolved as part of its Patch Tuesday updates on February 8, 2022.

https://thehackernews.com/2022/04/hackers-exploiting-recently-reported.html

Edited by itman
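Added example, not part of this thread and not ESET's tooling: a PowerShell triage script that puts itman's two questions to the machine directly. It reports every running spoolsv.exe with its on-disk path, Authenticode status, parent process and command line (a legitimate spooler is launched from services.exe with no arguments and lives in C:\Windows\System32), lists any module loaded into those processes that does not carry a valid signature (print processors and port monitors are the usual way a third-party DLL ends up inside the spooler), looks for scheduled tasks that would relaunch anything named spoolsv, and prints the OS build, UBR and the most recently installed updates so the patch level can be compared against Microsoft's February 2022 release notes. It does not map KB numbers to CVE-2022-22718; that comparison is left to the reader. Run it in an elevated session, otherwise process paths and module lists come back empty.

```powershell
# Added triage example (not from the forum thread). Run as Administrator.

$expected = Join-Path $env:SystemRoot 'System32\spoolsv.exe'

# 1. Every running spoolsv.exe: where it was loaded from and whether it is signed.
$procs = Get-Process -Name spoolsv -ErrorAction SilentlyContinue
foreach ($p in $procs) {
    $path = $p.Path                       # $null when not elevated
    $sig  = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
    $wmi  = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.Id)"
    [pscustomobject]@{
        PID         = $p.Id
        ParentPID   = $wmi.ParentProcessId
        ParentName  = (Get-Process -Id $wmi.ParentProcessId -ErrorAction SilentlyContinue).Name
        CommandLine = $wmi.CommandLine
        Path        = $path
        InSystem32  = ($path -eq $expected)   # $false means itman's suspicion is right
        Signature   = if ($sig) { $sig.Status } else { 'unknown' }
        Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SHA256      = if ($path) { (Get-FileHash -Path $path -Algorithm SHA256).Hash } else { '' }
    } | Format-List

    # 2. Modules inside this spooler that are not validly signed. The genuine
    #    spoolsv.exe can still be "abused" by a malicious DLL loaded into it.
    $p.Modules | ForEach-Object {
        $m = $_
        $ms = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
        if (-not $ms -or $ms.Status -ne 'Valid') {
            [pscustomobject]@{ PID = $p.Id; Module = $m.FileName; Status = if ($ms) { $ms.Status } else { 'error' } }
        }
    } | Format-Table -AutoSize
}
if (-not $procs) { 'No spoolsv.exe process is running right now.' }

# 3. Persistence that could keep relaunching a miner under the spooler's name.
Get-ScheduledTask | Where-Object {
    ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -match 'spoolsv'
} | Select-Object TaskName, TaskPath, State | Format-Table -AutoSize

# 4. Patch level: build number, UBR and the five most recent installed updates.
$os  = Get-CimInstance Win32_OperatingSystem
$ubr = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
"OS: $($os.Caption) build $($os.BuildNumber).$ubr"
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn | Format-Table -AutoSize
```

Read the output this way: a spoolsv.exe whose path is outside System32, whose signature is not Valid from a Microsoft Windows signer, or whose parent is not services.exe is a masquerading binary and the file should go to ESET as a sample. If every process checks out but an unsigned module appears in step 2, the genuine spooler is hosting someone else's DLL, and the detection ESET raises on spoolsv.exe is about that module, not the executable. Step 4 only tells you when the last update landed; whether that build includes the February 2022 spooler fixes has to be read off Microsoft's release notes for your Windows version.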
