Malware Hunter 0 Posted July 4, 2023
Hello! I demonstrated and tested ESET. The first things:
1) Eset does not know how to install on the system when the miner is running on a charged machine.
2) DisallowRun branch - the registry blocks Eset.
3) Does not know how to unlock folder permissions.
4) Can't install if the Eset antivirus is blocking the miner.
5) Setup Eset cannot generate a random name, i.e. Eset cannot install names because of the miner.
Malware Hunter 0 (Author) Posted July 4, 2023
Eset does not provide complete protection against the Miner; the Miner is stronger than Eset. Unfortunately, Eset remains a problematic installer, because there is no generated filename that is bypassing restrictions.
Administrators Marcos 5,394 Posted July 5, 2023
1. If malware is already running it could prevent any antivirus or program from running, so it may be necessary to clean the machine first. However, honestly I haven't heard about any such real case for a long time, if ever.
2. I don't think malware could misuse DisallowRun to block the crucial process ekrn.exe, especially not if ESET is installed and protecting the machine. More info would be needed on if and how you managed to block ekrn, if at all.
3. An antivirus is not supposed to modify permissions on existing files or folders.
4. See point 1. In certain cases it may be necessary to clean malware first, e.g. by running an online scanner or an offline scan after booting from a clean disk.
5. See points 4 and 1.
6. What Miner are you referring to? Any hash, sample or a link to VirusTotal? Without more information, we can't tell if it's really: a) subject to detection, b) undetected by ESET even upon execution and with PUA/PUsA enabled.
Malware Hunter 0 (Author) Posted July 5, 2023
Hello Marcos! I regret that Eset is not qualified enough. The problem: the Miner knows how to disable any Eset installer. Group policy is banned because of the Miner's action in DisallowRun, where Explorer is spelled out. Eset does not generate files bypassing the Eset installer. Reason: the Miner kills the Eset install and disables the process for active. Eset will not be able to execute in safe mode. This scanner function is very old, as safe startup does not work. This vulnerable Eset without a GUI interface will not work in safe mode - another failure.
itman 1,786 Posted July 5, 2023
14 hours ago, Malware Hunter said:
I demonstrated and tested ESET.
We need a proof of concept write-up here.
1. Current device configuration; OS and version installed; any other security software installed other than Microsoft Defender, etc.
2. Proof a coin miner is installed and running prior to attempted Eset installation. As noted previously, we need specifically to identify what coin miner is installed.
3. Proof the coin miner is what prevented Eset from being installed.
Malware Hunter 0 (Author) Posted July 5, 2023
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Ограничение <==== ВНИМАНИЕ
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Ограничение <==== ВНИМАНИЕ
HKLM\SOFTWARE\Policies\Microsoft\MRT: Ограничение <==== ВНИМАНИЕ
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center: Ограничение <==== ВНИМАНИЕ
GroupPolicy: Ограничение ? <==== ВНИМАНИЕ
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun Ограничение <==== ВНИМАНИЕ
Policies: C:\ProgramData\NTUSER.pol: Ограничение <==== ВНИМАНИЕ
Policies: D:\ProgramData\NTUSER.pol: Ограничение <==== ВНИМАНИЕ
Policies: F:\ProgramData\NTUSER.pol: Ограничение <==== ВНИМАНИЕ
Policies: %ProgramData%\NTUSER.pol: Ограничение <==== ВНИМАНИЕ
IFEO\CompatTelRunner.exe: [Debugger] C:\Windows\system32\systray.exe
C:\ProgramData\Windows Tasks Service\winserv.exe
C:\Windows\SysWow64\unsecapp.exe
C:\ProgramData\ReaItekHD\taskhost.exe
C:\ProgramData\ReaItekHD\taskhostw.exe
C:\ProgramData\WindowsTask\MicrosoftHost.exe
C:\ProgramData\WindowsTask\audiodg.exe
C:\ProgramData\WindowsTask\AppModule.exe
C:\ProgramData\WindowsTask\AMD.exe
C:\Program Files\RDP Wrapper
The folders that block and disable the install.
It is a list of the miner's blocks of the Eset install and more. Run them on Windows Hyper-V.
1) Install Eset - without database updates.
2) Run the Malware Miner.
3) Run base updates - most likely the malware will not give Eset and will disable ekrn and Eset.
4) Observe it. Unfortunately your Eset won't be able to handle it.
Administrators Marcos 5,394 Posted July 6, 2023
No antivirus program can clean a machine before it's actually run or installed. Moreover, I hardly remember a real case when there was a problem installing ESET on an already infected machine. I recollect there were some cases in the past when activation was prevented by malware; however, the user must clean the machine first in such a case. Still, we'd be interested in getting a hash or the sample of the miner which prevented installation of ESET.
itman 1,786 Posted July 6, 2023
Is AMD.exe your coin miner: https://www.greatis.com/appdata/d/_/_common appdata__windowstask_amd.exe.htm ?
As far as RDP Wrapper use goes: https://www.ncomputing.com/blog-post/rdp-wrapper-safe .
-EDIT- Use of RDP Wrapper also "doesn't play nicely" with Windows Update. Assume the same is true for AV installer update processing. Uninstall it since its use is illegal anyway. Then retest.
Edited July 6, 2023 by itman
itman 1,786 Posted July 6, 2023
18 hours ago, Malware Hunter said:
Install Eset - without database updates.
No. You install Eset as designed. Part of the installation process is to immediately run a full system scan. Did Eset detect your coin miner during the scan processing?
Edited July 6, 2023 by itman
itman 1,786 Posted July 6, 2023
5 hours ago, itman said:
You install Eset as designed.
Let's elaborate a bit. You shouldn't use an AV web-based installer on a PC with known malware. Instead, use the Eset offline installer to install the product of your choice: https://support.eset.com/en/kb2885-download-and-install-eset-offline-or-install-older-versions-of-eset-products . Prior to saving the installer to your PC, name the installer download something else. Better yet, do the above download on a PC known to be malware free. Copy the download to external media. On the infected PC, copy the download saved on external media to the infected PC and run it.
On 7/5/2023 at 3:01 PM, Malware Hunter said:
Run Malware Miner.
Err ........ You don't manually start a coin miner. Most run at system startup time via a registry run key option or via a scheduled task. Therefore, this coin miner should be running prior to running the Eset offline installer.
Malware Hunter 0 (Author) Posted July 6, 2023
Itman, unfortunately Eset cannot generate a random number, i.e. names cannot be generated randomly, i.e. the Miner kills eset_installer.exe and other classifications associated with Eset. The Miner self-destructs the Eset installer and blocks access to them during the first installation. So, the Eset packer is not enough to install and bypass the Miner and cannot destroy it, i.e. the Miner 2023 is aggressive. Eset is not comprehensive; there is no complete base. Miner blocks Eset...
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [1] = eav_trial_rus.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [2] = avast_free_antivirus_setup_online.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [3] = eis_trial_rus.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [4] = essf_trial_rus.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [5] = hitmanpro_x64.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [6] = ESETOnlineScanner_UKR.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [7] = ESETOnlineScanner_RUS.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [8] = HitmanPro.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [9] = 360TS_Setup_Mini.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [10] = Cezurity_Scanner_Pro_Free.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [11] = Cube.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [12] = AVbr.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [13] = AV_br.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [14] = KVRT.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [15] = cureit.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [16] = FRST64.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [17] = eset_internet_security_live_installer.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [18] = esetonlinescanner.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [19] = eset_nod32_antivirus_live_installer.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [20] = MBSetup.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [21] = PANDAFREEAV.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [22] = bitdefender_avfree.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [23] = drweb-12.0-ss-win.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [24] = Cureit.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [25] = TDSSKiller.exe
O7 - Policy: HKLM\Software\Microsoft\Windows Defender: [DisableAntiSpyware] = 1
O7 - Policy: HKLM\Software\Microsoft\Windows Defender: [DisableAntiVirus] = 1
O7 - Taskbar policy: HKCU\..\Policies\Explorer: [DisallowRun] = 1
Malware Hunter 0 (Author) Posted July 6, 2023
I took CollectionLogs - you can look at it complete; it is a special Logger based on AutoLogger. CollectionLog-2023.07.04-22.45.zip
Malware Hunter 0 (Author) Posted July 6, 2023
And look, see FRST.txt and Addition.txt
Malware Hunter 0 (Author) Posted July 6, 2023
Look, see, @Marcos: make your special disinfection signature with Eset's clean; this is AVZ Script based and a good clean miner, and removes the policy and more, removes John. Look at the code: Miner Removal Script on the Based AVZ Script..txt
Malware Hunter 0 (Author) Posted July 6, 2023
Example: removed and unlocked the port, and more, etc. AV_block_remove_2023.07.06-12.22.log
itman 1,786 Posted July 6, 2023
28 minutes ago, Malware Hunter said:
Itman, unfortunately Eset cannot generate a random number, i.e. names cannot be generated randomly, i.e.
I stated you rename the Eset installer .exe prior to downloading it. You do this by setting your browser to prompt you where to save downloads to.
Finally, your whole scenario is ludicrous. What you're stating is you downloaded a coin miner without knowing it was malicious, I assume. Then you just happened to manually start this coin miner while Eset was installing.
Edited July 6, 2023 by itman
Malware Hunter 0 (Author) Posted July 6, 2023
You need to first look for a game, for example, a torrent miner, let's say ru torrent or some kind of it. You need to run it as an exe - waiting for it to maliciously attack the system, then wait for the malware to finish. And then, last, install Eset - test it... Eset isn't 100% installed. The process has been disabled with Eset... Because the Live USB Eset removes the miner, after which the miner is back on the restart on the TCP port... Because the miner calls the computer and the miner is back...
Edited July 6, 2023 by Malware Hunter
itman 1,786 Posted July 6, 2023
Since you mentioned AVZ, it can be downloaded from Kaspersky's web site: https://support.norton.com/sp/en/us/home/current/solutions/kb20100824120155EN. It requires malware detection expertise to use the tool effectively. Another more friendly alternative is Norton's Power Eraser: https://support.norton.com/sp/en/us/home/current/solutions/kb20100824120155EN . Tools like this have the potential to do more harm than good in unskilled hands.
The bottom line is the longer undetected malware exists on a device, the more harm will be done. One would be better off in the long run just wiping the hard drive and reinstalling Windows.
Malware Hunter 0 (Author) Posted July 7, 2023
This script is specially made for cleaning and unlocking after a charged virus. However, this script is specially made by regist specialists, which is made to clean up viruses that are not installed by Eset and the scanner. Kaspersky developers have already added a signature database for cleaning and unlocking all types of anti-miners and anti-John. You can take AVBR - it collects the current version for cleaning up after unsuccessful installations of antiviruses. Try testing this file yourself, @Marcos @itman AVbr.zip
Malware Hunter 0 (Author) Posted July 7, 2023
@Marcos It pops up every day with a new threat. AVBR starts in safe mode with or without networking for complete disinfection of viruses. https://avbr.safezone.cc/AVbr.zip - Every update has actual bases and cleaning.
AV block remover, or AVbr for short, is a utility designed to remove a specific miner, including its blocking of the installation of antivirus software and of access to AV company sites and forums with cures. It can also be used in other cases with similar anti-virus blocking methods.
Symptoms of this miner: The virus does not allow you to download antivirus, blocks sites, closes the task manager and gpedit.msc, closes your browser when you try to find or download cureit and other antivirus utilities, and the installed antivirus "disappears". By the way, in addition to mining and anti-virus blocking, this virus installs RMS. So your data could also be stolen.
AV_block_remove_date-time.log - utility log.
quarantine.zip - standard AVZ archive with quarantine of deleted files.
Backup - the folder with the backup copy of some settings changed during the treatment.
The utility removes the miner itself and its derivatives. Removes bans on installation of antivirus software. This includes deleting folders from anti-virus software if they are empty, and if they are not empty, restoring the standard access rights to them. Restores the "Software shadow copy provider (Microsoft)" service. If the user agrees, it deletes the "John" account that the miner creates, which is not visible in Account Management. If the Hosts file does not exist, it creates one. If it exists and does not pass the check (changed), depending on the user's choice, it resets it to the default state or opens it for manual editing.
Edited July 7, 2023 by Malware Hunter
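The thread's logs above show a consistent set of AV-blocking artifacts (the Explorer DisallowRun policy, Defender policy values set to 1, an IFEO Debugger redirect, and hidden+system folders pre-created under the install roots), and the AVbr description lists what it resets. The following is an added, read-only audit that reports those same indicators; it is not the thread's code and not part of AVbr, and it assumes an elevated PowerShell session on the suspect machine.

```powershell
# Added example: report-only audit for the AV-blocking artifacts described in
# the thread. Nothing is modified; findings are returned as objects.
# Assumption: run elevated so HKLM and the Program Files roots are readable.

function Get-AvBlockIndicators {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding($Kind, $Location, $Detail) {
        $findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Location; Detail = $Detail })
    }

    # 1) Explorer DisallowRun policy (per-user and per-machine). The thread's
    #    log shows it set to 1 with a list of AV installer names beneath it.
    foreach ($hive in 'HKCU', 'HKLM') {
        $pol = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $dr  = Get-ItemProperty -Path $pol -Name DisallowRun -ErrorAction SilentlyContinue
        if ($dr -and $dr.DisallowRun -eq 1) {
            Add-Finding 'DisallowRun' $pol 'DisallowRun = 1'
            $list = Get-Item -Path "$pol\DisallowRun" -ErrorAction SilentlyContinue
            if ($list) {
                foreach ($name in $list.GetValueNames()) {
                    Add-Finding 'DisallowRun' "$pol\DisallowRun" ("[{0}] = {1}" -f $name, $list.GetValue($name))
                }
            }
        }
    }

    # 2) Defender policy values that switch the built-in AV off.
    $defPol = 'HKLM:\Software\Policies\Microsoft\Windows Defender'
    foreach ($v in 'DisableAntiSpyware', 'DisableAntiVirus') {
        $p = Get-ItemProperty -Path $defPol -Name $v -ErrorAction SilentlyContinue
        if ($p -and $p.$v -eq 1) { Add-Finding 'DefenderPolicy' $defPol "$v = 1" }
    }

    # 3) Image File Execution Options "Debugger" values: each launch of the named
    #    program is redirected to the listed executable instead.
    $ifeo = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { Add-Finding 'IFEO' $_.PSChildName "Debugger = $dbg" }
    }

    # 4) Hidden+System directories under the install roots (the __SHD entries in
    #    the FRST listing), which block a normal installer from creating them.
    $hidden = [System.IO.FileAttributes]::Hidden
    $system = [System.IO.FileAttributes]::System
    foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData)) {
        if (-not $root) { continue }
        Get-ChildItem -Path $root -Directory -Force -ErrorAction SilentlyContinue |
            Where-Object { ($_.Attributes -band $hidden) -and ($_.Attributes -band $system) } |
            ForEach-Object { Add-Finding 'HiddenSystemDir' $_.FullName $_.Attributes.ToString() }
    }

    # 5) Items the AVbr description says it restores: the shadow copy provider
    #    service (swprv) and the hidden local account named John.
    $svc = Get-Service -Name swprv -ErrorAction SilentlyContinue
    if (-not $svc) { Add-Finding 'Service' 'swprv' 'Software Shadow Copy Provider service missing' }
    $john = Get-LocalUser -ErrorAction SilentlyContinue | Where-Object { $_.Name -eq 'John' }
    if ($john) { Add-Finding 'LocalAccount' 'John' ('Enabled = ' + $john.Enabled) }

    return $findings
}

Get-AvBlockIndicators | Format-Table -AutoSize
```

A machine with none of these artifacts returns an empty list; any hit is something to confirm by hand before an offline scan or cleanup, since legitimate software can also use IFEO or hidden folders.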
Malware Hunter 0 (Author) Posted July 7, 2023
History:
1) Existence of Hosts file check was added.
a) Tool will create a clean Hosts file if it does not exist.
b) Tool will reset Hosts file attributes to default if it exists.
c) Tool will offer to edit, create a new Hosts file or ignore changes if the Hosts file differs from the etalon, same behavior as it was in the previous version.
2) Check for existence of hidden account John is added. You will be prompted to delete this account only if it exists.
3) Version actuality check is changed. File "Date.ini" is not used anymore.
4) Windows version check is improved.
5) Firewall backup file now contains date and time at the start of the file name.
6) Logging is improved.
7) Path length check is added. If it exceeds 200 symbols then there will be a warning and a proposal to run the tool from a different place.
=============================
1) Added AppLocker policy check and reset if policies are detected.
2) Added resetting Windows Defender settings to defaults if changes made by a mining tool are detected.
3) Improved resetting of the rights for antivirus folders.
4) Improved logging.
5) Various minor improvements and refinements related to the Miner update.
===============================================================
1) Added removal of anti-virus launch blocking added by CertLock type viruses by adding their signatures to untrusted.
Edited July 7, 2023 by Malware Hunter
itman 1,786 Posted July 7, 2023
1 hour ago, Malware Hunter said:
You can take AVBR - it collects the current version for cleaning up after unsuccessful installations of antiviruses.
Something doesn't appear right here. This coin miner will also block AVBR per your posted screen shot:
Policy: HKCU\..\Policies\Explorer\DisallowRun: [12] = AVbr.exe
I have to assume this coin miner is also running in Safe mode.
Again referring to the above screen shot of file names of security products this coin miner monitors for, none of the Eset off-line consumer product installer file names:
essp_nt64.exe
eis_nt64.exe
eav_nt64.exe
are referenced. As such, I still see no proof these installers would not run successfully with the coin miner installed.
Edited July 7, 2023 by itman
Malware Hunter 0 (Author) Posted July 7, 2023
@itman Download, unzip and run AV block remover in safe mode with network support (as an administrator). If it does not start, rename it (for example, to AV_b_r.exe) or use a version with a random file name. When all the procedures are done, the system will reboot. Attach the AV_block_remove.log created by the utility to the next message.
Edited July 7, 2023 by Malware Hunter
SeriousHoax 87 Posted July 7, 2023
At what location does ESET Online Scanner install? I don't know that. Can you install that and run a scan?
itman 1,786 Posted July 7, 2023
41 minutes ago, SeriousHoax said:
At what location does ESET Online Scanner install?
The coin miner blocks it regardless of where it's installed:
23 hours ago, Malware Hunter said:
Policy: HKCU\..\Policies\Explorer\DisallowRun: [18] = esetonlinescanner.exe
On the other hand, renaming it prior to execution might work. Also, the malware might be checking the PE header, which would defeat all file renaming activities.
Edited July 7, 2023 by itman