VBS/TrojanDownloader.Banload.FA trojan - error while cleaning

[wpsullivan 0]

ESET Internet Security is reporting that it's found VBS/TrojanDownloader.Banload.FA with the following message:

Log C:\Windows\SysWOW64\slmgr.vbs - VBS/TrojanDownloader.Banload.FA trojan - error while cleaning

Microsoft Windows Malicious Software Removal Tool doesn't seem to be able to see the trojan, even though it's been able to detect Banload since 2015, as far as I've been able to determine. That said, it looks like ESET might have interrupted MSRT; it's hard to tell.

I tried to get ESET to delete the file, since that seemed to be the only available option once cleaning had failed but it said "Error while deleting" and couldn't. It keeps trying to delete the file in the background, so now I get an "error while deleting" message every few minutes. (I'm guessing that deleting is failing because slmgr.vbs is a core system file, and Windows 10 won't allow it to be deleted.

The options for "Copy to Quarantine" and "Submit for analysis" are checked, so I'm guessing you should be getting -- or maybe already have -- a copy of the file.

What should I do at this poInt?

I have ESET Internet Security with Version of detection engine: 22262 (20201104)

My system is Windows 10 Pro, version 1909

Any information you can provide will be much appreciated.
 

Edited November 4, 2020 by wpsullivan

[Marcos 5,074]

Yes, that was a false positive. Updates were already stopped a while ago and a fix is being prepared. It should be available within a few minutes.

We apologize for the inconvenience.

[wpsullivan 0]

I forgot to mention: I had MSRT work specifically on the SysWOW64 folder, but it's not clear that it worked. The results screen didn't show the SysWOW path, and I didn't see the slmgr.vbs file in the results, so it's not at all clear that MSRT was able to see the file or do anything with it.

[wpsullivan 0]

Just now, Marcos said:

Yes, that was a false positive. Updates were already stopped a while ago and a fix is being prepared. It should be available within a few minutes.

We apologize for the inconvenience.

Ah, OK. Thank you very much for responding so quickly.

[wpsullivan 0]

6 minutes ago, Marcos said:

Yes, that was a false positive. Updates were already stopped a while ago and a fix is being prepared. It should be available within a few minutes.

We apologize for the inconvenience.

Ah, OK. Thank you very much for responding so quickly.

[wpsullivan 0]

Actually, looking at the log file, I just discovered that ESET Internet Security said that it found four infected files and deleted two of them. The two it deleted were

Log
C:\Windows\WinSxS\amd64_microsoft-windows-security-spp-tools_31bf3856ad364e35_10.0.18362.1_none_17f6b61a3c58cd26\slmgr.vbs - VBS/TrojanDownloader.Banload.FA trojan - cleaned by deleting [1]

Log
C:\Windows\WinSxS\wow64_microsoft-windows-security-spp-tools_31bf3856ad364e35_10.0.18362.1_none_224b606c70b98f21\slmgr.vbs - VBS/TrojanDownloader.Banload.FA trojan - cleaned by deleting [1]

The log note says that the files contained only the virus body, so it was cleaned by deleting. Is this going to cause problems? Do I need to figure out a way to get those files back?

If I'm understanding what the following page says, ESET may have just wiped out my Windows 10 license:
https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-security-spp

 

[Inwsb 0]

We're also having this across 130 machines... ERA email alerts are battering us at the moment.

 

Is this confirmed as a false positive from ESET?

[Marcos 5,074]

Yes, it's 100% false positive. It was one of @VBS/TrojanDownloader.Banload.FA detections that detected also the clean vbs files. A fixed update is currently available on update servers.

You can safely restore the files from quarantine.

[Steven1980 0]

Dear Marcos,

Your latest message that there is "a fixed update is currently available on update servers".
I just checked the website (https://www.eset.com/int/business/endpoint-security-windows/download/) but I still see the Version 7.3.2044.0. Is this the correct version with the solution or is there a newer version ready but not yet visable or something?

 

Kind regards

[gustlik102 0]

It can't be easy to restored, because the owner this file is TrustedInstaller... So when you try to restore this file via ESMC, you got information that restored process was failed...

[VlP 0]

Hi.

Same problem here...

[Marcos 5,074]

20 minutes ago, Steven1980 said:

 Version 7.3.2044.0. Is this the correct version with the solution

That is the version of Endpoint. The FP was addressed via an automatic module update,however.

[Marcos 5,074]

8 minutes ago, gustlik102 said:

It can't be easy to restored, because the owner this file is TrustedInstaller... So when you try to restore this file via ESMC, you got information that restored process was failed...

I wil check it out. Restoring via ESMC to system folders should theoretically work since it's performed in the local system account.

[GST 0]

 

58 minutes ago, Marcos said:

Yes, it's 100% false positive. It was one of @VBS/TrojanDownloader.Banload.FA detections that detected also the clean vbs files. A fixed update is currently available on update servers.

You can safely restore the files from quarantine.

Hi Marcos,

Will the patch be available to signature updates or we need to update Endpoint and File Security Agents?

Kind regards,

[GST 0]

 

1 hour ago, Marcos said:

Yes, it's 100% false positive. It was one of @VBS/TrojanDownloader.Banload.FA detections that detected also the clean vbs files. A fixed update is currently available on update servers.

You can safely restore the files from quarantine.

Hi Marcos,

Is this issue only on Endpoint Client or File Security Client as well?

Kind regards,

[Steven1980 0]

7 minutes ago, Marcos said:

That is the version of Endpoint. The FP was addressed via an automatic module update,however.

Thank you, my apology I am not awake as it seems, after a module update the problem seems belonging to the past indeed. 

[gustlik102 0]

13 minutes ago, Marcos said:

I wil check it out. Restoring via ESMC to system folders should theoretically work since it's performed in the local system account.

Yes, but as far as I can see, Windows try to restore this file from WinSxS after delete from SysWOW64. When ESET try to replace this file after restore from Windows repository, you got access denied information, because TrustedInstaller is above SYSTEM user (SYSTEM have read only permission to this file). It is no problem when ESET didn't clean this file also in WinSxS. If ESET clean also this file in this folder, Windows will restore empty VBS file and ESET cannot replace it to correct file.

Edited November 4, 2020 by gustlik102

[Genkinger 1]

Hallo zusammen, nur das ich das richtig verstehe: Userseits ist nichts zu unternehmen weil ihr das Update bzw den Fix automatisch an eure Kunden verteilt. Oder was muss Unternehmensseitig getan werden. Vorab, vielen Dank für ein verständlich Info

 

Machine translation:

Hello everyone, just that I understand correctly: There is nothing to be done by the user because you are automatically distributing the update or fix to your customers. Or what needs to be done on the company side. First of all, thank you very much for an understandable info

Edited November 4, 2020 by Marcos
Machine translation added

[Ravenia 0]

Hello, I also had a similair detection just now while scanning my laptop but it was for the file c:\OEM\FIVT\Tools\OA3Check\slmgr.vbs

Is this also a false positive since it is also one of those slmgr files?

I was already surprised, since I scan my laptop everyday, and hadn't downloaded new files except for windows updates and a driver update offered through windows.

Can I restore it?

[Genkinger 1]

Hello everyone, only that I understand correctly: Nothing needs to be done on the company side because you automatically apply the fix to your customers. Or? Otherwise, I would be happy to receive understandable instructions on what exactly has to be done. Many thanks

[Ravenia 0]

Hello,

 

I just had a similar issue but with a slightly different file: C:\OEM\FIVT\OA3Check\slmgr.vbs

Is this also a false positive, considering it is also a slmgr.vbs file? From what I understand from google it's a pretty important file and I'm not sure what to do now.

I was already surprised when it detected something considering I scan my computer every day and I hadn't downloaded anything other than windows updates and a driver update windows pushed.

[Marcos 5,074]

The fix is distributed via a module update to all clients regardless of what ESET security product you use. The update is fully automatic but you can enforce update manually or by restarting Windows.

The vbs files should not be detected after the update any more and you can safely restore them, if possible. If the file has already been restored and exists on the disk, restoration from quarantine will fail (which is not an issue since the same file aready exists).

[FrenchItDirector 1]

Same here - spent one hour battling with a remote user before discovering this thread - thanks eset (and google).

[ihatemalware 0]

Quote

The vbs files should not be detected after the update any more and you can safely restore them, if possible.

ESET deleted my files - how do I get them back?

[Marcos 5,074]

23 minutes ago, ihatemalware said:

ESET deleted my files - how do I get them back?

Please collect logs with ESET Log Collector and upload the generated archive here. Basically whenever an operation is performed with files, the files are first quarantined (ie. a backup copy is created in encrypted form) and only then files are cleaned or deleted. The ELC logs should shed more light.