PowerShell/TrojanDownloader.Agent.CRU

[Paco Ciesta 0]

Good Morning,

In my company we had a Trojan (PowerShell/TrojanDownloader.Agent.CRU) infection long time ago in several of our servers, it was all cleaned and everything is working but the Trojan keeps trying to launch in the servers. ESET finds it and delete it but it keeps coming back and we are unable to find it and get rid of it for good. I have read similar infections in this forums but the answer is deleting some registry keys with no more explanations so I can't find a proper solution for my issue.

Could someone please help?

I'm attaching 2 logs from 2 of our servers

Thank you very much

ESET.zip

[Marcos 5,074]

Please run ELC and select "Threat detection" template prior to collecting files. The generated zip archive will be probably too big to be uploaded here so please upload it to a safe location and drop me a personal message with a download link.

[Paco Ciesta 0]

here it is, Thanks

efsw_logs2.zip

[Paco Ciesta 0]

That is the log from one of our servers, but we have the same Trojan in several of them, would you need a log from every single one?

Thanks

[Marcos 5,074]

Yes, I will need ELC logs from each server / machine. Make sure to select Threat detection profile prior to collecting logs:

[Marcos 5,074]

Again, "Threat detection" profile was not selected in ELC. For instance, the registry export is missing among others. I'd expect the generated archive to be more than 100 MB in size.

[Paco Ciesta 0]

Sorry Marcos, I have sent it to you in a personal message.