gluca-88, Posted October 11, 2021

Hello, I have an Exchange Windows server with ESET Mail Security installed. Every few hours it detects a Powershell/TrojanDownloader.Agent.CRU trojan horse event and ESET cleans it every time, but this detection event keeps coming back regularly after 3 to 6 hours. How can I remove this malware once and for all? Thank you

Marcos (Administrators), Posted October 11, 2021

Please provide logs collected with ESET Log Collector. Use the template "Threat detection" in ELC.

gluca-88 (Author), Posted October 11, 2021

7 minutes ago, Marcos said:
> Please provide logs collected with ESET Log Collector. Use the template "Threat detection" in ESET Log Collector.

Here you can find the logs you requested. Thank you

emsx_logs.zip

Marcos (Administrators), Posted October 11, 2021

Delete the following registry keys in safe mode please:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{017BE0C6-5CD2-4095-A15E-35C4A9EED7A0}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{46EAA988-CF7F-4D36-8759-127A14389D11}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6ACD282A-F6F8-4385-AC36-1D7910B9DEFA}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{774D6847-E406-4023-8A4C-CE86D4F4045F}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7951902F-E30F-4FC1-9B60-5A95EA4FBD53}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{825A3202-C79B-43AA-8FFF-05A52FC198DD}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{82AE92E7-C842-4355-98E6-D977E1A3419F}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B4D645A4-4E05-416E-B03A-F9615D420A37}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B6EF8B13-5F13-48DE-A4A9-B5D0444E75C6}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C09CFFE3-E222-4AE5-ADD3-02173E39A2FE}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F2E9597D-6482-41B8-8951-B3D854032BEF}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F6CE8E10-F653-45FB-987D-D5BCAE1CD222}
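
A read-only check that can precede the deletion described in the post above, added here as an example and not part of the original thread: it shows which scheduled task each TaskCache GUID belongs to, pulls the readable command line out of the binary `Actions` value, and saves a `.reg` backup of each key. The function names and the backup folder are assumptions made for this example; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread. Triage of TaskCache entries before removal.
# Nothing here deletes or modifies a registry key.
$TaskCacheRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
$RegExeRoot    = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
$BackupDir     = 'C:\IR\taskcache-backup'   # assumption: any writable evidence folder

function Get-TaskCacheEntry {
    param([Parameter(Mandatory)][string[]]$Guid)
    foreach ($g in $Guid) {
        $keyPath = Join-Path $TaskCacheRoot $g
        if (-not (Test-Path -LiteralPath $keyPath)) {
            [pscustomobject]@{ Guid = $g; Present = $false; TaskPath = $null; ActionText = $null }
            continue
        }
        $props = Get-ItemProperty -LiteralPath $keyPath
        # 'Actions' is a binary value; the command and its arguments sit inside it
        # as UTF-16LE text, so decode it and keep only the printable runs.
        $actionText = $null
        if ($props.Actions) {
            $decoded    = [System.Text.Encoding]::Unicode.GetString([byte[]]$props.Actions)
            $actionText = ([regex]::Matches($decoded, '[\x20-\x7E]{4,}') | ForEach-Object { $_.Value }) -join ' | '
        }
        [pscustomobject]@{ Guid = $g; Present = $true; TaskPath = $props.Path; ActionText = $actionText }
    }
}

function Export-TaskCacheEntry {
    param([Parameter(Mandatory)][string[]]$Guid)
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($g in $Guid) {
        if (-not (Test-Path -LiteralPath (Join-Path $TaskCacheRoot $g))) { continue }
        $file = Join-Path $BackupDir ('{0}.reg' -f $g.Trim('{}'))
        & reg.exe export "$RegExeRoot\$g" $file /y | Out-Null
    }
}

# Two of the GUIDs listed in the post above; extend the array with the rest.
$guids = @('{017BE0C6-5CD2-4095-A15E-35C4A9EED7A0}', '{46EAA988-CF7F-4D36-8759-127A14389D11}')
Export-TaskCacheEntry -Guid $guids
Get-TaskCacheEntry -Guid $guids | Format-List
```

The `TaskPath` column gives the task name to look for in Task Scheduler, and `ActionText` shows what the task launches, which helps confirm that a key belongs to the recurring detection before it is removed.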

gluca-88 (Author), Posted October 12, 2021

I deleted those keys from the registry as you suggested. I'll keep checking if Mail Security will find any other threats and keep you updated. Thank you again!