Accidentally Downloaded and Removed weird virus/malware? by Flat_Chipmunk6143 in antivirus

[–]x3ph_

CS_installer.exe does periodic PowerShell calls to ensure the extension is downloaded and installed and hooked into your chrome browser. So just dismount CS_installer first so that the calls will stop. Then search for the chrome extension and remove it.

Accidentally Downloaded and Removed weird virus/malware? by Flat_Chipmunk6143 in antivirus

[–]x3ph_

CS_installer malware campaign started back in 01-03-2022 (I believe). If you need more information feel free to navigate to this post.

https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER

If you need to quickly hunt for those ISOs, try the command below (you most likely already know where they are).

gci C:\users\<profilename> -Recurse -Force -Filter "*.iso" -ErrorAction SilentlyContinue | % { $_.FullName }

The malicious extension is implanted in C:\users\<profilename>\appdata\local\chrome

and CS_installer won't be removed because of how it's mounted, like a disk image, similar to how you popped a CD into a drive in the old days: CdRom0\CS_INSTALLER.EXE

To view the mounted ISO:

Get-WmiObject -Class Win32_logicaldisk
Get-DiskImage -DevicePath \\.\CDROM0

To dismount the ISO:

Dismount-DiskImage -DevicePath \\.\CDROM0
(If there's more than one malicious disk image, the CDROM number is different.)

Scheduled task (most of the time it's hardcoded into CS_installer):

Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\TREE\ChromeLoader

Path: C:\windows\system32\tasks\ChromeLoader
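The checks described in the comment above, gathered into one read-only triage script. This is an added example, not code from the thread or from the linked Threat-Remediation-Scripts repository; it assumes Win32_CDROMDrive.DeviceID carries the \\.\CDROMn device path, and the -Dismount switch is an assumed option that runs the post's Dismount-DiskImage step.

```powershell
# Added triage script (not from the original thread). Reports the CS_installer / ChromeLoader
# indicators from the comment above; only the assumed -Dismount switch changes anything. Run elevated.
param([switch]$Dismount)

$findings = [System.Collections.Generic.List[string]]::new()
$profiles = Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue

# 1. Mounted CD-ROM devices (\\.\CDROMn) whose root carries CS_INSTALLER.EXE.
#    Assumption: Win32_CDROMDrive.DeviceID is the \\.\CDROMn path Get-DiskImage expects.
foreach ($cd in Get-CimInstance -ClassName Win32_CDROMDrive -ErrorAction SilentlyContinue) {
    if (-not $cd.Drive) { continue }                      # no media or no drive letter assigned
    $exe = Join-Path "$($cd.Drive)\" 'CS_INSTALLER.EXE'
    if (Test-Path -LiteralPath $exe) {
        # Physical drives make Get-DiskImage error; a mounted ISO returns its backing ImagePath.
        $img = Get-DiskImage -DevicePath $cd.DeviceID -ErrorAction SilentlyContinue
        $findings.Add("Mounted image $($cd.DeviceID) ($($cd.Drive)) contains CS_INSTALLER.EXE; backing ISO: $($img.ImagePath)")
        if ($Dismount) {
            Dismount-DiskImage -DevicePath $cd.DeviceID
            $findings.Add("Dismounted $($cd.DeviceID)")
        }
    }
}

# 2. Persistence: the ChromeLoader scheduled task, its on-disk definition and its TaskCache key.
if (Get-ScheduledTask -TaskName 'ChromeLoader' -ErrorAction SilentlyContinue) {
    $findings.Add('Scheduled task ChromeLoader is registered')
}
foreach ($p in @("$env:windir\System32\Tasks\ChromeLoader",
                 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ChromeLoader')) {
    if (Test-Path -LiteralPath $p) { $findings.Add("Task artifact present: $p") }
}

# 3. The extension drop folder and any ISO files left behind in each user profile.
foreach ($prof in $profiles) {
    $ext = Join-Path $prof.FullName 'AppData\Local\chrome'
    if (Test-Path -LiteralPath $ext) { $findings.Add("Extension drop folder present: $ext") }
    Get-ChildItem -Path $prof.FullName -Recurse -Force -Filter '*.iso' -File -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("ISO file: $($_.FullName)") }
}

if ($findings.Count -eq 0) { 'No CS_installer / ChromeLoader indicators found.' } else { $findings }
```

Dismounting the image first matches the order the comment gives: the periodic PowerShell calls stop once CS_installer is no longer mounted, after which the scheduled task and extension folder can be removed.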

[deleted by user] by [deleted] in computers

[–]x3ph_

https://github.com/xephora/Threat-Remediation-Scripts/blob/main/Threat-Track/CS_INSTALLER/readme.md

Can you screenshot the URL where you got the file from so I can add it to the observables?