Anson 0 Posted May 24, 2022 Share Posted May 24, 2022 Hi Brother One day my server 2012 r2 got a virus. After removing the virus, the following message still appears: 時間;掃描器;物件類型;物件;偵測;處理方法;使用者;資訊;雜湊;首次在此顯示 2022/5/24 下午 01:31:00;指令列掃描器;檔案;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE;PowerShell/TrojanDownloader.Agent.CRU 木馬;已利用刪除的方式清除;NT AUTHORITY\SYSTEM;嘗試執行以下命令時發生事件: C:\Windows\system32\svchost.exe -k netsvcs;3A4C39A017272AA6E1838D563275D2E2C6945BA9; efsw_logs.zip Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted May 24, 2022 Administrators Share Posted May 24, 2022 Please run Windows Scheduler and delete the following tasks: MicroSoft\Windows\Le1yO8rdD MicroSoft\Windows\qD1vpNAmE3F\BGXcyLV U4BY2k JcAGy4j G5AJXnFhT IBtrDa74A AN6TZemgI1 ehEj5OMkGcb\7Z1CHS3ho EgrlX27Aqc\vhofcRC8K Link to comment Share on other sites More sharing options...
Anson 0 Posted May 24, 2022 Author Share Posted May 24, 2022 2 hours ago, Marcos said: Please run Windows Scheduler and delete the following tasks: MicroSoft\Windows\Le1yO8rdD MicroSoft\Windows\qD1vpNAmE3F\BGXcyLV U4BY2k JcAGy4j G5AJXnFhT IBtrDa74A AN6TZemgI1 ehEj5OMkGcb\7Z1CHS3ho EgrlX27Aqc\vhofcRC8K Hi Brother I try to delete it, but it prompts: "The user account does not have permission to delete this work folder", the account I use is Domain Admin, Local Admin. Also, I didn't find in Windows Scheduler: U4BY2k JcAGy4j G5AJXnFhT IBtrDa74A AN6TZemgI1 But found t.ouler.cc Link to comment Share on other sites More sharing options...
Administrators Solution Marcos 5,074 Posted May 24, 2022 Administrators Solution Share Posted May 24, 2022 What about deleting these keys in safe mode? HKLM\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{15C01E37-7064-4EC0-B568-CEF52B5FFFDC} HKLM\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2531843A-F7CA-48E8-AB1E-ADCC69AE2011} HKLM\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4ED11524-6898-4FA8-B895-1BC9FDD4C863} HKLM\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{564EA983-F0CF-403C-AC41-164F199DC84A} HKLM\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{718B8362-5FDA-424D-BA8A-FC92201F181D} HKLM\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{71B8CFB7-EB7E-48FB-A20A-1391EDD640E5} HKLM\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8CF18252-8B3C-44E1-A4E9-629C0B3A086A} HKLM\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{953F7783-07C3-4852-9382-33007F6FAB27} HKLM\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FFC9EAFA-6545-4D7B-92BD-ED4CA26CCCF9} Link to comment Share on other sites More sharing options...
Anson 0 Posted May 27, 2022 Author Share Posted May 27, 2022 On 5/24/2022 at 5:18 PM, Marcos said: What about deleting these keys in safe mode? HKLM\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{15C01E37-7064-4EC0-B568-CEF52B5FFFDC} HKLM\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2531843A-F7CA-48E8-AB1E-ADCC69AE2011} HKLM\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4ED11524-6898-4FA8-B895-1BC9FDD4C863} HKLM\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{564EA983-F0CF-403C-AC41-164F199DC84A} HKLM\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{718B8362-5FDA-424D-BA8A-FC92201F181D} HKLM\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{71B8CFB7-EB7E-48FB-A20A-1391EDD640E5} HKLM\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8CF18252-8B3C-44E1-A4E9-629C0B3A086A} HKLM\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{953F7783-07C3-4852-9382-33007F6FAB27} HKLM\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FFC9EAFA-6545-4D7B-92BD-ED4CA26CCCF9} Thanks, after deleting these values, eset has no prompts. Link to comment Share on other sites More sharing options...
Recommended Posts