
VBS/TrojanDownloader.Banload.FA trojan - error while cleaning



1 hour ago, gustlik102 said:

Yes, but as far as I can see, Windows tries to restore this file from WinSxS after it is deleted from SysWOW64. When ESET tries to replace this file after it is restored from the Windows repository, you get access denied information, because TrustedInstaller is above the SYSTEM user (SYSTEM has read-only permission to this file). It is no problem when ESET didn't clean this file also in WinSxS. If ESET also cleans this file in this folder, Windows will restore an empty VBS file and ESET cannot replace it with the correct file.

When I restore items from quarantine, the restore item task has failed on every PC.

Link to comment

23 minutes ago, VlP said:

When I restore items from quarantine, the restore item task has failed on every PC.

Same here, luckily only about 30 computers. But the files are fairly important, as they are used to add the Windows 7 extended ESU license each year.
C:\windows\system32\slmgr.vbs
C:\windows\sysWOW64\slmgr.vbs

Task failed error:  CNodcommChannel: Send request failed with 14, Command failed - Make sure that Agent runs with Administrator privileges.

Link to comment

What virus signature version was the culprit and which version fixes this issue?  You made a lot of folks in a healthcare setting very upset with the Ryuk nonsense going on.

Link to comment

21 minutes ago, GregA said:

Same here, luckily only about 30 computers. But the files are fairly important, as they are used to add the Windows 7 extended ESU license each year.
C:\windows\system32\slmgr.vbs
C:\windows\sysWOW64\slmgr.vbs

Task failed error:  CNodcommChannel: Send request failed with 14, Command failed - Make sure that Agent runs with Administrator privileges.

Why are the files on Windows 10 machines?

Link to comment

  • Administrators
3 minutes ago, bigdata said:

I have the same problem with 2 detections of: VBS / Trojan.Banload.fa
I am waiting for the update.

An automatic module update with a fix was released 3 hours ago.

Link to comment

3 minutes ago, Marcos said:

An automatic module update with a fix was released 3 hours ago.

How do you define fix? People are not able to restore these from quarantine. Will the restore work after the fix rolls out?

Link to comment

8 minutes ago, VlP said:

Why are the files on Windows 10 machines?

slmgr.vbs is part of the licensing subsystem for all Windows versions.  If you are in a KMS environment you are pretty familiar with executing that file.  I imagine MS leveraged that file for adding the license to extend your Windows 7 support.

Link to comment

When I restored my file that was affected, it disappeared again from the folder after a while. I then managed to restore it using a restore point from Windows. It's now back in the folder and I hope this means everything is okay now.

Link to comment

42 minutes ago, GregA said:

Same here, luckily only about 30 computers. But the files are fairly important, as they are used to add the Windows 7 extended ESU license each year.
C:\windows\system32\slmgr.vbs
C:\windows\sysWOW64\slmgr.vbs

Task failed error:  CNodcommChannel: Send request failed with 14, Command failed - Make sure that Agent runs with Administrator privileges.

The same here. Unable to restore.

Link to comment

1 minute ago, karlisi said:

The same here. Unable to restore.

Try running the following:

 

C:\> sfc /scannow

 

This is the Windows system file checker; it should identify missing files and replace them.

Link to comment

8 minutes ago, Ravenia said:

I then managed to restore it using a restore point from Windows. It's now back in the folder and I hope this means everything is okay now.

I also believe that running sfc /scannow from an admin command prompt window will restore the file/s.

Link to comment

1 minute ago, rsf71 said:

Try running the following:

 

C:\> sfc /scannow

 

This is the Windows system file checker; it should identify missing files and replace them.

On 30+ computers in 20 remote locations? 

Link to comment

13 minutes ago, karlisi said:

On 30+ computers in 20 remote locations? 

One thing I am wondering is if copying slmgr.vbs from System32 directory to SysWOW32 directory will fix this issue? File sizes are identical and the .vbs script is plain text.

Also, and most important, is the .vbs file missing from the SysWOW32 directory a major issue for anyone running Win 64 bit version? I assume Win will use the .vbs script in System32 directory for any license validations.

Edited by itman
Link to comment

SFC /SCANNOW is not replacing the files. It's unable to repair the files because they're missing, and ESET is saying a restore from quarantine is failing from my ESMC server.

Link to comment

I no longer have detection with the scan (probably because they are in quarantine :))
See the screen (in French!)

I can't restore these files

Edited by bigdata
Link to comment

ESET SMC is showing 500 detections and no actions taken. Will these detections be removed automatically or do I need to clear them manually?

Link to comment

11 minutes ago, bigdata said:

I no longer have detection with the scan (probably because they are in quarantine :))
See the screen (in French!)

I can't restore these files

First, see if the files are available in the system32 or syswow64 location.

I have the same error, but the files are still there :-)

Best regards from Switzerland

David

Link to comment
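
The check suggested in the post above, combined with the WinSxS and permission points raised earlier in the thread, as an added example that is not part of the original posts or of ESET's tooling. `Get-SlmgrState` is a hypothetical helper name; the two file paths are the ones quoted in the thread, and the WinSxS copies are found by searching because their folder names are not given on this page.

```powershell
# Added example (not from the thread). Run in an elevated 64-bit PowerShell:
# in a 32-bit host, System32 is silently redirected to SysWOW64.
$targets = @("$env:windir\System32\slmgr.vbs", "$env:windir\SysWOW64\slmgr.vbs")

# Component-store copies that Windows restores from (located by search).
$store = Get-ChildItem -Path "$env:windir\WinSxS" -Filter 'slmgr.vbs' -Recurse -File -ErrorAction SilentlyContinue
if ($store) { $targets += $store.FullName }

# Get-SlmgrState is a hypothetical helper name chosen for this example.
function Get-SlmgrState {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Status = 'MISSING'; Length = $null
                                  SHA256 = $null; Owner = $null; Writers = $null }
    }
    $item = Get-Item -LiteralPath $Path -Force
    $acl  = Get-Acl -LiteralPath $Path
    # Accounts whose Allow entries include the WriteData bit (Modify, FullControl, ...).
    $writeBit = [int][System.Security.AccessControl.FileSystemRights]::WriteData
    $writers = $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (([int]$_.FileSystemRights -band $writeBit) -ne 0) } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
    # A zero-length file is the "empty VBS file" case described in the thread.
    $status = 'PRESENT'
    if ($item.Length -eq 0) { $status = 'EMPTY' }
    [pscustomobject]@{
        Path    = $Path
        Status  = $status
        Length  = $item.Length
        SHA256  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Owner   = $acl.Owner
        Writers = $writers -join '; '
    }
}

$report = foreach ($t in $targets) { Get-SlmgrState -Path $t }
$report | Format-List

# Flag anything that needs repair, and note differing contents for manual review.
$bad = @($report | Where-Object { $_.Status -ne 'PRESENT' })
if ($bad.Count -gt 0) { Write-Warning ("Missing or empty: " + ($bad.Path -join ', ')) }
$hashes = @($report | Where-Object { $_.SHA256 } | Select-Object -ExpandProperty SHA256 -Unique)
if ($hashes.Count -gt 1) { Write-Warning "Copies differ in content; compare hashes before copying one over another." }
```

Differing hashes are not necessarily a fault, since the component store can hold more than one version of a file. The `Owner` and `Writers` columns show which accounts can write to each copy.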

3 hours ago, Marcos said:

Please collect logs with ESET Log Collector and upload the generated archive here. Basically whenever an operation is performed with files, the files are first quarantined (ie. a backup copy is created in encrypted form) and only then files are cleaned or deleted. The ESET Log Collector logs should shed more light.

Okay, I did that, and the file quar_info.txt indicates that the files are in quarantine in "C:\WINDOWS\system32\config\systemprofile\AppData\Local\ESET\ESET Security\Quarantine\".

How do I get them back?

Link to comment

  • Administrators

You should be able to restore the files unless they were detected in the c:\windows\winsxs folder where only TrustedInstaller has permissions to write.

Link to comment

44 minutes ago, Marcos said:

You should be able to restore the files unless they were detected in the c:\windows\winsxs folder where only TrustedInstaller has permissions to write.

That is not the case however.
Try restore this... file://C:\windows\system32\slmgr.vbs
And get this.... Task failed: CNodcommChannel: Send request failed with 14, Command failed - Make sure that Agent runs with Administrator privileges.
Am I in the wrong forum? Should I be posting this in Remote Management section instead since it's multiple computers?

Link to comment

This topic is now closed to further replies.