ESET Staff
  • Content count

  • Joined

  • Last visited

  • Days Won


JamesR last won the day on October 30 2014

JamesR had the most liked content!

About JamesR

  • Rank
    ESET North America

Profile Information

  • Gender
    Not Telling
  1. Popup blocked

    Using your sysinspector, I found the following info: 1. Both mrwdaasmd64.exe and pdrws.exe are copies of wscript.exe (this will prevent the HIPS rule ITMAN mentioned from stopping this infection) 2. You have a shortcut in your User's startup folder which is pointing to the pdrws.exe To remove this infection from your computer, please do the following: 1. Run the command taskkill /im emfnsqkj\mrwdaasmd64.exe /f & taskkill /im pdrws.exe 2. Rename the folder "c:\users\fakhriatulyaya\appdata\roaming\emfnsqkj" to "emfnsqkj_vir" 3. Move the shortcut file located in "c:\users\fakhriatulyaya\appdata\roaming\microsoft\windows\start menu\programs\startup\" into the "emfnsqkj_vir" folder (you might need to turn on viewing of "Hidden" and "System" files to see the shortcuts). Check the "Properties" of any shortcuts to find the wone that is loading the "pdrws.exe" 4. Reboot your computer and verify detection stops occurring. 5. If all is well, generate an ESET Log Collector ( https://download.eset.com/com/eset/tools/diagnosis/log_collector/latest/esetlogcollector_enu.exe ) and place the generated .zip in the "emfnsqkj_vir" folder, then zip up and password protect the "c:\users\fakhriatulyaya\appdata\roaming\emfnsqkj_vir" folder. Use the password "infected" without quotes, and submit the sample to samples@eset.com Let me know if this helps.
  2. Here are some PowerShell commands to remove the WMI infections. 1. First open PowerShell as admin 2. Run the commands 3. Reboot and rerun the vbs script I provided. If its a one line text file, then you are clean on that server. 4. Verify servers and workstations are patched for EternalBlue using this tool https://help.eset.com/eset_tools/ESETEternalBlueChecker.exe (full instructions for use here: https://support.eset.com/kb6481/ ) 5. Close port 3389 on your router (this is likely open and needs to be closed while you reset all passwords for all users) To prevent an RDP brute force, you can enforce password policies to log out after a handful of attempts. Also implementing 2FA will prevent a password from being used, if it is compromised. ESET does have a 2FA product. Let us know if you are interested in that. Get-WMIObject -Namespace root\Subscription -Class __EventFilter -filter "Name= 'SCM Event Filter'" |remOVe-WMIObject -Verbose Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='SCM Event Consumer'" | Remove-WMIObject -Verbose Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%SCM Event Consumer%'" | REmOVE-WMIObject -Verbose ([WmiClass]'root\default:Win32_TaskService') | Remove-WMIObject -Verbose Get-WMIObject -Namespace root\Subscription -Class ActiveScriptEventConsumer -Filter "Name='SCM Event Consumer'" | Remove-WMIObject -Verbose This last command ins't needed for your environment. But run it just in case my logging didn't find any ActiveScriptEventConsumer items.
  3. Just messaged you a link to upload the files to. Its a secure location that only I have access to. You can also use WinRar if needed.
  4. Sounds like you have malware using WMI for persistence. Its likely using your server for bitcoin mining and might be trying to spread using EternalBlue. This type of infection is typically the result of a Brute Force RDP attack that succeeded in guessing administrative credentials. I highly recommend getting an expert on your system to assist with cleaning. I'm going to try and provide some steps here for remediation. 1. Save the attached file and rename it to have an extension of .vbs (I will supply this in a PM directly to you. This VBS will log any non-expected scripting in the WMI database) 2. from an administrative command prompt, change directories to where you saved the .vbs file and run the command: cscript //nologo WMILister_20.vbs > DumpedScrpts.txt 3. Zip up and password protect the .txt file and attach it to a reply on this thread. (I will PM you the password to use. 7zip is a good tool to zip and password protect.) I will use this log to help remediate the issue. If you are running the script on multiple servers, just add the name of each server to the logs. Some more info on what I believe you have been infected by can be found here (use google translate as needed): http://www.freebuf.com/column/149286.html
  5. From the log you provided, only the E: drive appears to be affected. This is likely a drive that is hosting shares to the network. If this is true, then it is not the Server itself which is infected and there is another computer on your network which is infected and likely not protected by a security product. These can be tricky to resolve, but if you examine the Threat Logs in the ESET Security product installed on the server, instead of ERA, then you should see a column indicating a user name which is generating the threat alert. As long as it shows an actual username (not "NT Authority/System") you will now have the user account which is creating the malicious .lnk files and you simply need to identify which computer that user is logged in from. If the above doesn't work, you can try and isolate which computers are not protected by an ESET Product in ERA and then install ESET on those computers. However, this isn't fool proof as a computer which is on your network, but not in Active Directory wont show in ERA. Attached screen shows where to go in ERA to sort your lists to find computers which don't have ESET Security products installed. In short, your server is protected but you have at least 1 or more computers on your network, which are not protected by ESET. Once you find these computers, you will be able to remedy your situation.
  6. 555-555-0199@example.com