mcrouse

Everything posted by mcrouse

  1. Ahh ok, I did not think to check that log and was going off of what was reported to the ESMC. Thanks for the heads up on that.
  2. Yeah, in a prior scan the following was detected and cleaned: file:///C:/eNNzmNj/wLrKvzZ/UQEZPGU.dll
     Edit: It was not in the same folder but related to the initial infection, I believe.
  3. Hey Marcos, it doesn't exist/was deleted. There was also a DLL in that same folder which was deleted, it looks like. That ArtPress task was deleted from the system scheduler. Thank you for taking a look at those logs. Based on the info provided and the fact that scans are no longer detecting anything, do you think the issue has been remediated? Or should I still reimage the machine?
  4. Logs attached. It looks like the infection was caused by a freeware application called ArtPress that the user had downloaded. Checking the task scheduler today, I noticed a task set to run every time the user logged on, which I deleted. My most recent ESET scan showed 0 detections, but hopefully someone can confirm via the logs. (Attachment: ees_logs.zip)
  5. Good point, I checked the scheduled tasks and didn't see anything out of the ordinary. I'll be collecting logs and posting them tomorrow when the user is back in the office. In the meantime, the machine is isolated and off the network. Thanks guys!
  6. I had a workstation which was infected with Trickbot and Kryptik. ESET found and cleaned several items related to this, including a malicious Kryptik DLL and .MGB file. It also remediated malicious svchost and wermgr.exe processes, which is consistent with Trickbot IOCs. However, it is still detecting Trickbot in subsequent scans. It does not detect any malicious DLLs or processes anymore, only a single file:/// from the ERAAgent process. The following is the detection detail:
     Hash:
     Name: Win64/TrickBot.BU
     Uniform Resource Identifier (URI): file:///
     Process name: C:\Program Files\ESET\RemoteAdministrator\Agent\ERAAgent.exe
     Is this just picking up some sort of artifact, or is this a persistent threat that ESET is unable to clean? I'm about to image the machine but thought I'd check and see if this has been seen before. Thanks!