OP 09 February, 2020 - 04:26 PM
(This post was last modified: 09 February, 2020 - 04:27 PM by PizzaPie410. Edit Reason: Add pic)
Alright, so short story. I was messing around with some free checkers I got either here or on n.to.
This installed some sort of BTC clipper that I haven't encountered before.
The persistence is insane; typically I can get rid of these in like 5 mins.
But this one, I can't find the root program.
The BTC address is 1EerXUTe8HVCiur4fCyoqBpGJJvKP2Dpu4. I didn't fall victim, but I see some people are.
So let's begin...
1) I'll provide some pics. But the program in the processes is ApiSetHost.AppExecutionAlias (32 bit).
2) It will only have one open at once (not like previous BTC clippers I've encountered). However, to keep it up, this auto-launches every 60 seconds or so.
3) The location says it's in C:\Users\User\AppData\Roaming\Microsoft Drivers
4) But the folder is empty and there are no hidden files.
5) When searching for it in C:, I find the same name in System32, and it's a DLL/Application Extension program.
6) I can't find the parent. I tried opening the .dll in .NET Reflector, but this isn't .NET so it won't open. I kinda opened it in Visual Basic? But I'm not sure how to work it.
7) At first when inspecting, I thought Google Chrome was launching it, so I deleted and reinstalled, but that didn't work.
8) I'm not sure what is auto-relaunching it. I can't find it in Task Scheduler or Windows Startup. But with this .dll in System32, does that mean that's auto-starting it?
9) How can I find this root program? I'm on the edge of reinstalling my Windows.
Any help would be appreciated; I've hit a dead end after hours of looking around.

![[Image: SqOXZBe.png]](https://i.imgur.com/SqOXZBe.png)
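As an added example (not part of the original post), this PowerShell script checks the places a defender would look for a process that keeps relaunching on a timer: the live parent-process chain, the Run/RunOnce registry keys, scheduled task actions, services and WMI permanent event subscriptions. It assumes an elevated PowerShell session; the search strings are the process name and folder reported in the post, so adjust `$Needle` if the artefact on your machine is named differently.

```powershell
# Added triage script, not from the original post. Run as administrator.
# $Needle matches the strings reported above (assumption: the same names are used on your host).
$Needle = 'ApiSetHost|Microsoft Drivers'

# 1. Parent of the running instance (point 6 in the post). The parent PID is recorded
#    at launch, so catch the process while it is alive.
Get-CimInstance Win32_Process | Where-Object { $_.Name -match 'ApiSetHost' } | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    [pscustomobject]@{
        Pid = $_.ProcessId; Path = $_.ExecutablePath; CommandLine = $_.CommandLine
        ParentPid = $_.ParentProcessId; Parent = $parent.Name; ParentPath = $parent.ExecutablePath
    }
} | Format-List

# 2. Run/RunOnce keys in both hives, including the WOW6432Node view a 32-bit dropper may use.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    (Get-ItemProperty $k).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match $Needle } |
        ForEach-Object { "[Run key] $k : $($_.Name) = $($_.Value)" }
}

# 3. Scheduled task actions. A task with a 1-minute repetition trigger reproduces the
#    "relaunches every 60 seconds" symptom and can sit in a folder the UI tree hides.
Get-ScheduledTask | ForEach-Object {
    $t = $_
    $t.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -match $Needle } |
        ForEach-Object { "[Task] $($t.TaskPath)$($t.TaskName) : $($_.Execute) $($_.Arguments)" }
}

# 4. Services whose image path points at the artefact.
Get-CimInstance Win32_Service | Where-Object { $_.PathName -match $Needle } |
    ForEach-Object { "[Service] $($_.Name) : $($_.PathName)" }

# 5. WMI permanent event consumers (root\subscription). Neither Task Scheduler nor the
#    Startup tab shows these, and a timer-driven filter bound to a consumer relaunches on schedule.
Get-CimInstance -Namespace root\subscription -ClassName __EventConsumer |
    Where-Object { "$($_.CommandLineTemplate)$($_.ScriptText)" -match $Needle } |
    ForEach-Object { "[WMI consumer] $($_.Name)" }
```

Anything the script reports is a lead to inspect and remove; if the folder in AppData\Roaming is genuinely empty, look at the parent path from step 1 and the task or consumer that points at it rather than at the folder itself.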