notimportant

ESET Support
  • Posts: 23
  • Joined
  • Last visited
  • Days Won: 1

Kudos

  1. Upvote
    notimportant gave kudos to Aryeh Goretsky in The Guardian article   
    Hello,

    ESET is a private business.  It is not an agency of the Slovak Republic, or any other government for that matter.

    Since the unwarranted invasion of Ukraine and illegal annexation of Ukrainian territory by Russia, ESET has worked steadfastly to help its neighboring country, ranging from donating hundreds of thousands of euros to charities involved in relief efforts, to providing additional security software and services, which includes numerous investigations into and blocking of attacks on Ukraine's critical infrastructure.
    For more information on ESET's support of Ukraine, see the following:
    ESET Response Center - Ukrainian Crisis
    ESET WeLiveSecurity blog - #Ukraine tagged articles
    As you enjoy reading The Guardian, here is another, more recent article from their website you might find of interest: https://www.theguardian.com/world/2024/mar/30/slovakia-brain-drain-populist-leader-robert-fico. Please carefully read the entire article, especially the last sentence.
    Although my last name is Ukrainian, I am one of ESET's American employees.  Like my Slovak colleagues, I have been working tirelessly to help Ukraine where I can, and I hope this answers your questions about ESET's commitment to Ukraine.
    Regards,

    Aryeh Goretsky
     
  2. Upvote
    notimportant gave kudos to Marcos in Detection of possible ransomware, no option to clean   
    The detection is from Sept 2023 plus we'd been monitoring it for several months before.
  3. Upvote
    notimportant gave kudos to Marcos in HTML/ScrInject.B trojan   
    Correct, JS/Adware.Agent.CY and JS/PopunderJS.H PUA are detected on alphabetlayout.com while browsing the site. Plus there are many links to blocked sites, such as hoaxbasesalad.com,  poshhateful.com,  jetordinarilysouvenirs.com, etc. All in all, these are very good reasons to block the website in question completely if the above issues are not fixed soon.
  4. Upvote
    notimportant gave kudos to SeriousHoax in HTML/ScrInject.B trojan   
    Not Marcos, but I see that there are still many more rubbish popups on the website which open up if no adblocker is installed. Tested in a VM with Avast multiple times before and after you removed the suggested domain, and Avast still blocks many more as malvertisement and blacklisted URLs.

    Having ads on your website is fine, but don't add popup ads that lead to potential malware or adware.
  5. Upvote
    notimportant gave kudos to Peter Randziak in Trojan Dropper Remcos   
    Hello @Nightowl,
    thank you for the submissions.
     
    PNG files are encrypted blobs; they can't be executed without a loader decrypting them.
    This is multi-component malware; there is a chain of files used.
    Our detection breaks the chain, making the undetected component useless, and that is our goal here.

    BTW, the VBS script is already detected.
    Peter
  6. Upvote
    notimportant gave kudos to Marcos in Crypto miner and random files recreating itself   
    Provide also a Procmon boot log. After enabling boot logging and restarting the machine, stop logging only after the threat has been detected and save the log unfiltered.  Before you upload the log, compress it.
    Also it would help if you generated new logs with ELC then.
    I suspect Virtual Desktop to be involved since d:\programy\virtual desktop streamer\virtualdesktop.injector32.dll is injected in dialer.exe which continually creates the detected file. While being a legit application, it's not very popular according to LiveGrid and might be vulnerable. The Procmon log should shed more light.
  7. Upvote
    notimportant gave kudos to JamesR in PowerShell/TrojanDownloader.Agent.DV trojan horse   
    @Mauro Tre
    Thank you for gathering these final logs. This helped me to confirm my suspicions. There is no sign of any malicious scripts or executables being executed on your system. The on demand scans you are running are scanning the WMI database, and the specific location in the WMI causing detections is the "Windows PowerShell" event log. There are no infections living inside of the WMI database; it's just a coincidence that one can access event logs via WMI, which means that ESET can access and scan the event logs via WMI.
    I am not finding any way to delete specific entries inside of an event log. It looks like Microsoft only allows for all entries to be cleared from an event log. What this means is that in order to stop the On Demand scan from triggering detections, you need to clear the "Windows PowerShell" event logs.
    Before clearing out the "Windows PowerShell" Event Viewer logs, definitely back them up first. Technically, you already backed them up with the second command I provided previously. Here are the steps to first back up, then clear the "Windows PowerShell" event logs:
    Backup "Windows PowerShell" logs:
    Copy-Item -Path "$($env:SystemRoot)\System32\Winevt\Logs\Windows PowerShell.evtx" -Destination "$($env:USERPROFILE)\Desktop\ForESET_Windows_PowerShell.evtx"
    Clear "Windows PowerShell" logs:
    Clear-EventLog "Windows PowerShell"
    After this, you should no longer receive detections when running a scan with ESET.
     
    Summary of findings from all the logs we gathered:
      • "Windows PowerShell" event viewer logs show logging of multiple PowerShell commands being executed as far back as 2021
      • ESET installed sometime in 2022 and immediately cleaned up multiple WebShells related to CVE-2021-26855
      • The above shows that it is very likely that CVE-2021-26855 was used to remotely plant and execute the WebShells which were executing PowerShell commands that were then logged in the "Windows PowerShell" event logs
    -Edited- to add one picture showing the link between the ESET scan logs and the Event Viewer log containing the malicious PowerShell command.

  8. Upvote
    notimportant gave kudos to JamesR in PowerShell/TrojanDownloader.Agent.DV trojan horse   
    @Mauro Tre I have 2 more logs I would like to gather from your computer. This will require you to manually run the 2 PowerShell commands.

    First, open PowerShell as Admin. Next, run the following 2 commands:
    Get-WmiObject -ComputerName "." -Query "SELECT * FROM Win32_NTLogEvent WHERE Logfile='Windows PowerShell' AND (RecordNumber=4363 OR RecordNumber=4362 OR RecordNumber=4361 OR RecordNumber=4360 OR RecordNumber=4359 OR RecordNumber=4358 OR RecordNumber=4357 OR RecordNumber=4356 OR RecordNumber=4355 OR RecordNumber=4354 OR RecordNumber=4353 OR RecordNumber=4352 OR RecordNumber=4351 OR RecordNumber=4350 OR RecordNumber=4349 OR RecordNumber=4348 OR RecordNumber=4347 OR RecordNumber=4346 OR RecordNumber=4345 OR RecordNumber=4344 OR RecordNumber=4343 OR RecordNumber=4342 OR RecordNumber=4321 OR RecordNumber=4320 OR RecordNumber=4319 OR RecordNumber=4318 OR RecordNumber=4317 OR RecordNumber=4316 OR RecordNumber=4315 OR RecordNumber=4314 OR RecordNumber=4313 OR RecordNumber=4312 OR RecordNumber=4311 OR RecordNumber=4310 OR RecordNumber=4309 OR RecordNumber=4308 OR RecordNumber=4307 OR RecordNumber=4306)" | ConvertTo-Csv -NoTypeInformation | Set-Content -Path "$($env:USERPROFILE)\Desktop\ForESET_PwshWmiQEventLog.csv"
    Copy-Item -Path "$($env:SystemRoot)\System32\Winevt\Logs\Windows PowerShell.evtx" -Destination "$($env:USERPROFILE)\Desktop\ForESET_Windows_PowerShell.evtx"
    This will save 2 files to your desktop:
      • ForESET_PwshWmiQEventLog.csv
      • ForESET_Windows_PowerShell.evtx
    Please run the commands, then zip up the 2 logs on the desktop and provide them here.

    My theory is that there is no active infection or backdoor, and that sometime in the past, you had malicious PowerShell commands executed on your system, and these were logged to a Windows Event log. Gathering the above logs will help me to verify this and to form a plan to stop ESET from detecting these old event logs.
  9. Upvote
    notimportant gave kudos to Marcos in Website Blocked Incorrectly   
    The redirector is very similar to malicious redirectors. I've asked the author of the detection to make an exception for this particular case.
  10. Upvote
    notimportant gave kudos to Nevermind in abcdin.cl;JS/Spy.Banker.KJ   
    Look for 'Ly9yZWd0ZWNoLnNicw' in the source code of the main page. You will find the malicious part.
  11. Upvote
    notimportant gave kudos to Marcos in ESET will not catch a memory malwares or trojans !!!   
    Without getting the files and analyzing them it's impossible to tell if they are subject to detection, if they are malware or PUA/PUsA or simply false positives by the said scanner. Please provide the files or files from quarantine for perusal. I'd recommend emailing them to samples[at]eset.com in an archive encrypted with the password "infected" and a link to this topic enclosed.
    1. The uninstall executables marked as High risk - probably false alarms.
    2. The apk file - an application for Android, doesn't run on Windows.
    3. KMSAuto - Windows activator, should be detected by ESET with PUsA detection enabled.
    4. GenAutorun task - sounds like a Scheduler task that was detected. The name doesn't tell anything about the task, could be FP.
  12. Upvote
    notimportant gave kudos to JamesR in Eset keep warning detected and cleaned the malware   
    @3D Joe Ng
    While hardening your SQL Server is a very good idea, there is a good chance that persistence was already added to the SQL server and that detections by ESET will continue until the persistence is removed.  In my last DM to you, I provided a simple way to log SQL persistence.
    Were you able to run the final batch file I provided? If yes, can you please supply the zip file generated?
    There are many types of SQL Persistence, and if your MS SQL is hosting more than one instance, each instance will need to be checked.  There are the following types of MS SQL persistence:
    Stored Procedures
      • At start of the MS SQL service, a procedure will start and execute every certain amount of seconds/minutes/hours
      • A stored procedure can be "encrypted" to hide its definition from being easily seen
      • More info on Stored Procedures here: https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/
    Triggers
      • DDL Triggers - Data Definition Language Triggers
        Server based triggers which can be set to execute when specific queries like CREATE, ALTER, or DROP are used
        These triggers can be "encrypted" to hide the definition from being easily seen
      • DML Triggers - Data Manipulation Language Triggers
        Database based triggers which can be set to execute on specific queries like INSERT, UPDATE, or DELETE
        Untested if these can be "encrypted" but it should be assumed that they can be encrypted as well
      • Logon Triggers
        As their name implies, these are triggers which execute queries whenever a user logs in to MS SQL, and can theoretically prevent a user from logging in.
        Untested if these can be "encrypted" but it should be assumed that they can be encrypted as well
      • More info on Triggers here: https://blog.netspi.com/maintaining-persistence-via-sql-server-part-2-triggers/
    Other notes
      • In order to allow MS SQL to execute external applications, the use of advanced options is needed. You will want to check and disable these settings (ensure you make note of what you changed, and monitor your SQL server for any issues afterwards; your SQL server may have legitimately been using these settings):
        "show advanced options" - Allows the following settings to be used
        "xp_cmdshell" - Allows MS SQL to directly execute external applications like Ping.exe or any other executables on disk.
        "Ole Automation Procedures" - Allows MS SQL to execute Windows Script Host and VBScript macros, which allows wscript.shell to execute other executables on the computer's disk, without the use of xp_cmdshell.
        "clr enabled" - Allows you to store .NET code inside of SQL which can be executed by a stored procedure. This is one of the more powerful ways of providing code execution to SQL. But these should easily be spotted when reviewing all stored procedures on a server.
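    A read-only audit script for the persistence points listed in the post above, added here as an example: it is not JamesR's batch file and not ESET tooling. It assumes a login with sysadmin-level rights (needed to read every database) and relies on the undocumented but long-standing sp_MSforeachdb procedure to walk all databases on the instance:

```sql
-- Added audit script (not from the forum thread or ESET): enumerates the
-- MS SQL persistence spots named in the post so each can be reviewed.
-- Assumes sysadmin-level rights; uses the undocumented sp_MSforeachdb.
USE master;
SET NOCOUNT ON;

-- 1. Server options that open the door to external code execution.
--    sys.configurations lists them even while 'show advanced options' is 0,
--    so nothing has to be changed just to look.
SELECT name,
       CAST(value_in_use AS int) AS value_in_use,
       CASE WHEN CAST(value_in_use AS int) = 1 THEN 'REVIEW' ELSE 'ok' END AS status
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell',
               'Ole Automation Procedures', 'clr enabled');

-- 2. Startup stored procedures in master (run automatically at service start).
--    An "encrypted" procedure has a NULL definition in sys.sql_modules.
SELECT p.name,
       p.create_date,
       p.modify_date,
       CASE WHEN m.definition IS NULL THEN 'yes' ELSE 'no' END AS encrypted
FROM sys.procedures AS p
LEFT JOIN sys.sql_modules AS m ON m.object_id = p.object_id
WHERE OBJECTPROPERTY(p.object_id, 'ExecIsStartup') = 1;

-- 3. Server-scoped triggers: DDL triggers (CREATE/ALTER/DROP ...) and LOGON
--    triggers both live in sys.server_triggers; the event table tells them apart.
SELECT t.name,
       e.type_desc AS fires_on,
       t.is_disabled,
       t.modify_date,
       CASE WHEN m.definition IS NULL THEN 'yes' ELSE 'no' END AS encrypted
FROM sys.server_triggers AS t
JOIN sys.server_trigger_events AS e ON e.object_id = t.object_id
LEFT JOIN sys.server_sql_modules AS m ON m.object_id = t.object_id
ORDER BY t.name;

-- 4. Database-scoped triggers (DDL: parent_class_desc = DATABASE,
--    DML: parent_class_desc = OBJECT_OR_COLUMN) and user-loaded CLR
--    assemblies, collected from every database on the instance.
IF OBJECT_ID('tempdb..#db_triggers') IS NOT NULL DROP TABLE #db_triggers;
IF OBJECT_ID('tempdb..#clr') IS NOT NULL DROP TABLE #clr;
CREATE TABLE #db_triggers (db sysname, trigger_name sysname, parent_class nvarchar(60),
                           is_disabled bit, encrypted nvarchar(3), modify_date datetime);
CREATE TABLE #clr (db sysname, assembly_name sysname, permission_set nvarchar(60),
                   create_date datetime);

EXEC sp_MSforeachdb N'
USE [?];
INSERT INTO #db_triggers
SELECT DB_NAME(), t.name, t.parent_class_desc, t.is_disabled,
       CASE WHEN m.definition IS NULL THEN ''yes'' ELSE ''no'' END, t.modify_date
FROM sys.triggers AS t
LEFT JOIN sys.sql_modules AS m ON m.object_id = t.object_id
WHERE t.is_ms_shipped = 0;
INSERT INTO #clr
SELECT DB_NAME(), name, permission_set_desc, create_date
FROM sys.assemblies
WHERE is_user_defined = 1;';

SELECT * FROM #db_triggers ORDER BY db, trigger_name;
SELECT * FROM #clr         ORDER BY db, assembly_name;
```

    Run it in SSMS or sqlcmd against each instance separately, since the post notes that every instance must be checked on its own. Anything flagged REVIEW in the first result set is switched off with sp_configure once you have confirmed nothing legitimate depends on it, for example EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE; and an "encrypted = yes" row in any of the other result sets deserves a close look at its modify_date and at who created it.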
  13. Upvote
    notimportant gave kudos to JamesR in BingWallpaperApp.exe (MSIL/Microsoft.Bing.A) multiple warnings   
    For those managing multiple computers via ESET Protect, and would like a more streamlined way of removing this software from all computers, this can be done for the installed software, but not for the browser plugins. Browser plugins are managed by the individual browsers, and not directly by the OS.
     
    These steps are not working 100% for the Bing Software mentioned in this thread.  If I can improve upon this, I will post later.
     
    Here are the steps to use ESET Protect to uninstall 3rd party software which can be seen by ESET:
    This will guide you through the following:
      • Ensure ESET Protect can see installed non-ESET Applications
      • Create a dynamic group to group all computers with unwanted applications
      • Create tasks that will run...
        ...anytime a computer has the undesired software installed and shows up in the dynamic group (thus uninstalling the unwanted software anytime a new computer joins this group)
        ...one time run of the tasks on computers that already joined the group while you created the tasks (to uninstall the unwanted software from computers that had already joined this group)
    I. Setup ESET Management Agent to report non-ESET Applications (only needed if not already configured)
    1. In ESET Protect, navigate to "Policies > New Policy"
    2. Name the policy "Report Non-ESET Applications"
    3. In "Settings" ensure you select "ESET Management Agent" from the drop-down at the top
    4. Expand "Advanced Settings" and locate and turn on "Report non-ESET-installed applications"
    5. Assign to either the "All" group, or to specific groups/computers of desire.
    6. Continue and finish creating the policy
    At this point, it may take a bit for the non-ESET software to be reported to ESET Protect. Your endpoints will need to check in once to get the policy, then check in again to supply the new info, then ESET Protect will need to parse and put the info into the database. Default check in times are 10 minutes. So you should start seeing the non-ESET applications in about 30 minutes in the following area:
    II. Check to see if ESET Protect sees the 3rd party applications:
    1. In ESET Protect, open the details of an individual computer, then click on "Installed Applications"
    2. If you can see Non-ESET applications, your settings are applied and working.
    3. You can also check to see if your undesired software is visible and has a "Yes" in the column "Agent supports uninstall", which means ESET can attempt to uninstall this software
    III. Create a dynamic group to group all computers with undesired software (this will help you see how many computers you have with the unwanted software, and allow for a quick way to uninstall the software)
    1. In ESET Protect, click on Computers on the left, locate "Windows Computers" in the list of Groups. Click on the gear to the right of this, and select "New Dynamic Group"
    2. Name the group "Has Unwanted Software"
    3. In the "Template" section, choose "New" and set the following:
       Name: Unwanted Software
       Expression: Operation: AND (All conditions have to be true)
       Click Add Rule and choose: "Installed Software > Application Name", and click OK
       Click Add Rule and choose: "Installed Software > Application Vendor", and click OK
       For Application Name, set to "is one of" and fill in the name "Microsoft Bing Service"
       In the Application Name section, click "Add" and then fill in the name "Bing Wallpaper"
       For Application Vendor, set to "is one of", and fill in "Microsoft Corporation"
       Should look like this:
    4. Click Finish
    Over a short time, you will see computers start to appear here. Next we will make a task to remove the undesired software.
    IV. Create a task to start uninstalling unwanted software
    1. In ESET Protect, click on Computers on the left, then locate your newly made dynamic group named "Has Unwanted Software"
    2. Click the gear next to the group name and click "Tasks > New Task..."
    3. Name the task "Uninstall unwanted software - Microsoft Bing Service" and in the "Task" drop down, select "Software Uninstall" and click "Continue"
    4. In this Settings section, click on "<Select package to uninstall>" and select the first piece of software to uninstall "Microsoft Bing Service"
    5. You may desire to click on "Uninstall all versions of package" to ensure any version gets removed.
    6. Click "Continue" to get to the targets and ensure your desired target group "Has Unwanted Software" is showing in the list and then click "Continue"
    7. In the "Trigger section" set the trigger type to "Joined Dynamic Group Trigger" (this will run this task on any computer as it gets added to our dynamic group, but not on computers already in this group. We will remedy this shortly.)
    8. Continue and finish.
    9. On your group "Has Unwanted Software" click the gear and choose "Tasks > Run Tasks"
    10. Click on "Add Tasks" and find and checkmark your "Uninstall unwanted software - Microsoft Bing Service" and click OK
    11. For the "Trigger" section, ensure trigger type is "As Soon As Possible" and click finish.
    Repeat steps 1 through 11 but: in step 4 select "Bing Wallpaper"; in steps 3 and 10 use the task name "Uninstall unwanted software - Bing Wallpaper"
  14. Upvote
    notimportant gave kudos to Nevermind in Edge opened by itself
    Edge + Bing rather suggests that you clicked (or at least Windows thinks you clicked) on the "I like this" link about the background images while the PC is locked. It may not be that, but in any case, unless an ad or something along those lines opens, I wouldn't look for malware in this.
  15. Upvote
    notimportant gave kudos to Nevermind in ESET can't detect threats from archives   
    You failed to mention that it is like 10 archives inside each other. By default the context menu scan scans only X levels of archive. The maximum is 20, so if you set it to 20 in settings, it will detect it.
    Not to mention the real-time scan; it would be a waste of time unpacking so many levels of archive in real time.
  16. Upvote
    notimportant received kudos from itman in False positive detection (obfuscated file)   
    That doesn't mean it is not capable of dropping malicious files later.
    https://www.hybrid-analysis.com/sample/09430fa20aac3815ba456f4644f41b41073d4994e538797c172c10a19f825b35?environmentId=120
    MITRE ATT&CK™ Techniques Detection: This report has 10 indicators that were mapped to 11 attack techniques and 3 tactics
  17. Upvote
    notimportant gave kudos to SeriousHoax in False positive detection (obfuscated file)   
    It must be malicious. Kaspersky wasn't detecting it. Then I submitted it to them an hour ago and got a reply within 20 minutes stating that it's malware and detection will be added.
    "Hello, New malicious software was found in the requested file. Its detection with verdict Trojan.Win64.Agentb.ktqd will be included in the next update. Thank you for your help. Best regards, Alexander Kryazhev, Malware Analyst"
    So, if you still want to use this file even after detections from all these top AV vendors, then that's your choice. Use at your own risk.
  18. Upvote
    notimportant gave kudos to Marcos in Annoying PowerShell/Agent.AEW, on each start.. Need assistance
    It's virtually the same as the legitimate system file C:\Windows\System32\SyncAppvPublishingServer.vbs which is often misused by malware; virtually the only difference is that it doesn't run the script with the RemoteSigned execution policy. The system script file is not detected by any vendor:
    https://www.virustotal.com/gui/file/b8a5c42bf6f7a14ba73660be29f5c061d30b41c6d14e42b880a4ea522f43ce66
    We've added a detection for the slightly modified file.
  19. Upvote
    notimportant gave kudos to Marcos in Eset and Task manager conflict or bug?   
    We are working on a fix which will also restore counter settings automatically. We apologize for the inconvenience and thank you for your patience.
  20. Upvote
    notimportant gave kudos to Marcos in Web access protection Issue   
    I'm not angry about you reporting it. Quite the contrary, we are happy if you report possible malicious samples or URLs to us.
    I just wanted to point you in the right direction, i.e. to report stuff directly to samples[at]eset.com according to the KB if you want the submission to receive better attention.
    Also I wanted to point out that even if a particular website is not blocked (i.e. it may be a completely legitimate one with just somebody posting links to cracks), the point is to detect the possible threat in the end no matter how it is achieved, i.e. by blocking access to the malicious website or by detecting the malware upon download or execution at the latest.
  21. Upvote
    notimportant gave kudos to Marcos in Urgent: XMR coin miner malware   
    Is it the same machine / case as this one?
    https://forum.eset.com/topic/29656-server-100-cpu-performance/
    Detection for XblGameUpdateTask.exe will be added in the next update, then ESET should be able to detect and clean it.
  22. Upvote
    notimportant gave kudos to Marcos in Eset Online scanner detected 3 PUPs, are they false positive?   
    Basically, potentially unwanted applications are never false positives, since they detect exactly those applications that had already been carefully analyzed by ESET and turned out to meet the criteria for PUA detection.
  23. Upvote
    notimportant gave kudos to Marcos in Website is clean now   
    This forum is not intended for disputing blocks or detections. Since the malware has been removed, the website was unblocked but the applications will continue to be detected.
    Having said that, we'll draw this topic to a close.
  24. Upvote
    notimportant gave kudos to Marcos in DotNet MSIL / Injector.VGR   
    We've nailed it down. A legit tool was backdoored and loads a malicious dll with zero detection at VT which loads the following encrypted payload:

    I expect the detection to be available momentarily via streamed/pico updates.
    Also please confirm that you have enabled the LiveGrid Feedback system for maximum protection.
  25. Upvote
    notimportant gave kudos to itman in HTML/ScrInject.B trojan but No issue in website   
    Note: It is not Eset's responsibility to help web site owners remove malware from their web sites. Recently, @Marcos has far exceeded what is required as an Eset moderator in assisting web site owners identify malware on their web sites.