Showing results for tags 'powershell'.
We need some help removing the same PowerShell infection that was reported last year, where the CPU runs at 100%. We have followed the instructions provided by JamesR with no success. Article here: https://forum.eset.com/topic/14821-malicious-powershell-script-wmi-for-persistance/ The WMILister_30.vbs does find and remove some entries, but they keep coming back. PowerShell at 99%. Attached are the ESET Log Collector logs as well as the logs from the WMILister_30.vbs. Please assist!
Attachments: ELC_logs.zip, WMILister_30 logs.zip
8 replies. Tagged with: powershell, eternalblue (and 1 more).

Hello guys, we have a new customer that moved from Hauri to ESET Secure Business. They're installing EES on 180 computers, and there are at least 4 PCs that are infected by Win64/Agent.IV malware that persists upon restart. The problem is that the on-demand scan shows the computers as clean; however, upon restart ESET warns again about the same malware, and so on. I think it's a fileless infection. A PowerShell process is always in RAM, and in the firewall log we can see there are a lot of SMB/EternalBlue detections coming from private and public IPs. There are also some Win32/Emotet and PowerShell/Agent detections on some computers. What we tried so far:
- Two or more on-demand analyses of the computers, without success.
- Installation of all Microsoft patches, including the one mentioned in the article httpsx://support.eset.com/kb6481/.
- Anti-ransomware policies applied using HIPS through ERA.
I think we need @JamesR's expertise. All ELC files can be downloaded from here: httpsx://we.tl/S5mP6afOQY Thank you all.