
PowerShell/Agent.dy


GBPAN65

When I turn on the computer I get an alarm from Eset: PowerShell/Agent.dy
Eset did not find the virus/ virus location.
How do I remove this virus?

Thanks

eset.jpg


Procmon generated 7 files for a total of more than 2 GB. I attach the Bootlog.pml file (the first two) and the file generated by Autoruns.
If you also need the other 6 Procmon files, I will have to make more posts.
Thanks
 

Autoruns.zip


  • Administrators

Looks like Procmon logging was stopped too early, before a detection was triggered; there was no record of Powershell.exe being run in the log.

As for Autoruns, you've provided its binaries, not a log created by the Autoruns application.


  • Administrators

Please provide the content of the C:\Users\gb\AppData\Roaming\EciYLzJxA folder. The folder should contain LfxFKWgd.ps1, hFQTJJ.exe (probably clean, renamed wscript.exe) and LfxFKWgd.txt.

Do not delete the folder/files unless I confirm receipt.


Great "real-world" example of malware renaming Windows script executables to bypass AV HIPS rules and the like.

Time Eset offered a PE header name option in the HIPS to prevent a bypass like this.


16 minutes ago, Marcos said:

I don't think it renames the system executable but rather drops or copies it under a different name.

Yes. I suspect this is the case. But in any event, the internal PE header name would remain the same as the source process.



  • Administrators

A changed name of a script interpreter cannot fool our products; we perform deep script scanning regardless of the file name of the interpreter.


14 minutes ago, Marcos said:

A changed name of a script interpreter cannot fool our products; we perform deep script scanning regardless of the file name of the interpreter.

Hopefully that is the case. But not the issue. The issue is I want to block/monitor script execution period:


Ref.: https://docs.microsoft.com/en-us/windows/win32/debug/pe-format

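The two exchanges above (a dropped copy of wscript.exe under a random name, and the suggestion that a HIPS rule should key on the "PE header name" rather than the on-disk file name) can be checked from the defender's side with a small script. The following is an added example for this thread, not ESET's code and not anything the posters ran: it reads the OriginalFilename string from each file's VS_VERSIONINFO resource (the version resource described in the PE format documentation linked above), and flags files or running processes whose on-disk name differs from that original name when the original name is a known script interpreter. The interpreter list, the folder used in the usage line and the output fields are the example's own assumptions.

```powershell
# Added example (not from the thread): find script interpreters that were copied
# under another name by comparing the on-disk name with the OriginalFilename
# stored in the PE version resource. The interpreter list below is an assumption
# for illustration, not an ESET or Microsoft list.
$ScriptHosts = @('wscript.exe', 'cscript.exe', 'powershell.exe', 'pwsh.exe', 'mshta.exe', 'cmd.exe')

function Get-RenamedScriptHost {
    <#
    .SYNOPSIS
    Returns files under -Path whose version-resource OriginalFilename is a script
    interpreter but whose file name does not match it.
    #>
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $KnownHosts = $ScriptHosts
    )

    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $info = $null
            try {
                $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($_.FullName)
            } catch { return }   # not a readable PE file: skip this item

            $original = $info.OriginalFilename
            if ([string]::IsNullOrWhiteSpace($original)) { return }

            # Compare case-insensitively: e.g. powershell.exe stores "PowerShell.EXE".
            if ($KnownHosts -contains $original.ToLower() -and
                $_.Name.ToLower() -ne $original.ToLower()) {
                [pscustomobject]@{
                    Path             = $_.FullName
                    OnDiskName       = $_.Name
                    OriginalFilename = $original
                    SHA256           = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

function Get-RunningRenamedScriptHost {
    <#
    .SYNOPSIS
    Same check against running processes: a copied interpreter still reports its
    original name through the main module's version info.
    #>
    param([string[]] $KnownHosts = $ScriptHosts)

    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path } |
        ForEach-Object {
            $original = $null
            try { $original = $_.MainModule.FileVersionInfo.OriginalFilename }
            catch { return }     # access denied or bitness mismatch: skip

            if ($original -and $KnownHosts -contains $original.ToLower() -and
                ([IO.Path]::GetFileName($_.Path)).ToLower() -ne $original.ToLower()) {
                [pscustomobject]@{
                    PID              = $_.Id
                    Path             = $_.Path
                    OriginalFilename = $original
                    CommandLine      = (Get-CimInstance Win32_Process -Filter "ProcessId = $($_.Id)").CommandLine
                }
            }
        }
}

# Usage (constructed; the thread's sample lived under %APPDATA%, so start there):
# Get-RenamedScriptHost -Path $env:APPDATA | Format-Table -AutoSize
# Get-RunningRenamedScriptHost | Format-Table -AutoSize
```

Two caveats a defender should keep in mind: the version resource is attacker-controlled data, so a stripped or edited OriginalFilename makes a copy pass this check, and a match only says "this is a renamed interpreter", not what the script it runs does. It is a triage aid that complements interpreter-independent script scanning of the kind Marcos describes, not a replacement for it. The same OriginalFilename value is also recorded in Sysmon's process-creation event (Event ID 1), which gives the same comparison at detection time rather than on a later scan.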

  • Administrators
1 hour ago, Nicktopa said:

I have the same problem, same warning PowerShell/Agent.dy message from Eset every 3 minutes.

Would you like the logs as you requested before?

Yes, please provide both Autoruns and logs collected with ESET Log Collector. A Procmon boot log may be needed later as well.

