Today was a special day. I -finally- upgraded to Windows 10 1709: the Fall Creators Update has reached ITExperience! Woohoo! 😉 With that update I also received the latest Windows Defender Security Center, with lots of improvements. And it was this update that notified me of a nasty coinminer virus:
Trojan:HTML/Brocoiner!rfn
Windows Defender pointed me to the exact location. But although it reported that it had cleaned the file, the Brocoiner virus kept returning. The cause? I’m using UE-V, and because of that Windows Defender kept cleaning the UE-V redirect location, but never the original location. Sigh…
So, to solve this recurring issue, I had to determine the mapping of a PKGDAT file to its source file. In my case: 45A93803-F314-43C5-9D08-4EA8BDE5775F.pkgdat
Also note the UE-V application name in the folder path in the screenshot above: Google-chrome-v-0.pkgx.Current.1284.2
In PowerShell I executed the following command (note the backtick in "`n": it splits the exported text on newlines, not on the letter n):
(Export-UevPackage -Path C:\Users\%username%\AppData\Local\Temp\Google-Chrome-chrome-v-0.pkgx.Current.1284.2\Google-Chrome-chrome-v-0.pkgx).Split("`n") |
    Select-String VT_FILE | Select-String -Pattern "45A93803-F314-43C5-9D08-4EA8BDE5775F.pkgdat"
This command exports the contents of the pkgx package, including every child file it tracks. By filtering with Select-String -Pattern, only the line for the relevant pkgdat file is shown, together with the file it redirects.
This returned one line, which pointed me to the original infected file:
<Setting Type="VT_FILE" Name="file://%SystemDrive%\Users\%username%\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000371" Action="Create">45A93803-F314-43C5-9D08-4EA8BDE5775F.pkgdat</Setting>
In the case above you can see the location %SystemDrive%\Users\%username%\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000371
Navigating to that location indeed triggered a new Trojan warning. I could now easily remove the threat by running a folder scan with Windows Defender.
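A more robust way to do that lookup, added here as an example and not code from the original post: it parses the exported package as XML instead of matching text lines, so a pkgdat name maps directly to its expanded source path. Get-UevPkgdatSource, its parameters and the sample XML (including its root element and the second GUID) are constructed for this example; Export-UevPackage -Path and Start-MpScan are the real cmdlets.

```powershell
# Added example (not from the original post): map a UE-V .pkgdat name back to
# the source file it mirrors by parsing the XML that Export-UevPackage emits.
# Get-UevPkgdatSource and the sample XML below are constructed for this
# example; Export-UevPackage -Path is the real UE-V cmdlet used in the post.
function Get-UevPkgdatSource {
    [CmdletBinding(DefaultParameterSetName = 'FromPackage')]
    param(
        [Parameter(ParameterSetName = 'FromPackage', Mandatory)]
        [string]$PackagePath,                  # path to the .pkgx file
        [Parameter(ParameterSetName = 'FromXml', Mandatory)]
        [string]$XmlText,                      # already-exported package XML
        [Parameter(Mandatory)]
        [string]$PkgdatName                    # e.g. '45A9....pkgdat'
    )
    if ($PSCmdlet.ParameterSetName -eq 'FromPackage') {
        $XmlText = Export-UevPackage -Path $PackagePath
    }
    [xml]$doc = $XmlText
    # Only VT_FILE settings point at files; other setting types are not paths.
    foreach ($s in $doc.SelectNodes("//Setting[@Type='VT_FILE']")) {
        if ($s.InnerText.Trim() -ine $PkgdatName) { continue }
        # Name looks like 'file://%SystemDrive%\Users\%username%\...': drop the
        # scheme and expand the environment variables so the path is scannable.
        $raw = $s.GetAttribute('Name') -replace '^file://', ''
        [pscustomobject]@{
            Pkgdat     = $PkgdatName
            Action     = $s.GetAttribute('Action')
            SourcePath = [Environment]::ExpandEnvironmentVariables($raw)
        }
    }
}

# Constructed sample of the relevant part of an exported package (the root
# element name and the second GUID are made up for this example).
$sampleXml = @'
<Package>
  <Setting Type="VT_FILE" Name="file://%SystemDrive%\Users\%username%\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000371" Action="Create">45A93803-F314-43C5-9D08-4EA8BDE5775F.pkgdat</Setting>
  <Setting Type="VT_FILE" Name="file://%SystemDrive%\Users\%username%\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000372" Action="Create">0B8C4D5E-EXAMPLE-0000-0000-000000000000.pkgdat</Setting>
</Package>
'@

$hit = Get-UevPkgdatSource -XmlText $sampleXml -PkgdatName '45A93803-F314-43C5-9D08-4EA8BDE5775F.pkgdat'
$hit | Format-List
# Then scan only the folder holding the original file, as the post does:
# Start-MpScan -ScanType CustomScan -ScanPath (Split-Path $hit.SourcePath)
```

With a real package, call it as Get-UevPkgdatSource -PackagePath <path to the .pkgx> -PkgdatName <name>; SourcePath is the file Windows Defender needs to scan, not the copy in the UE-V storage location.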
Thanks and credits go to Description of UE-V Files stored in the Settings Storage Path for background information on UE-V and PowerShell.
Hi Christian,
Windows Defender alerted me with the same issue. My threat was located in or was:
C:\Users\%username%\AppData\Local\Mozilla\Firefox\Profiles\k2ajkgn0.default\cache2\entries\CE94BF5164C04AE312403C4CA6A85F4F3B1133A2
I’m not sure if deleting this file would solve the issue.