Anson
Posted May 24

Hi Brother

One day my Server 2012 R2 got a virus. After removing the virus, the following message still appears:

時間;掃描器;物件類型;物件;偵測;處理方法;使用者;資訊;雜湊;首次在此顯示
2022/5/24 下午 01:31:00;指令列掃描器;檔案;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE;PowerShell/TrojanDownloader.Agent.CRU 木馬;已利用刪除的方式清除;NT AUTHORITY\SYSTEM;嘗試執行以下命令時發生事件: C:\Windows\system32\svchost.exe -k netsvcs;3A4C39A017272AA6E1838D563275D2E2C6945BA9;

Attachment: efsw_logs.zip
Marcos (Administrator)
Posted May 24

Please run Windows Scheduler and delete the following tasks:

MicroSoft\Windows\Le1yO8rdD
MicroSoft\Windows\qD1vpNAmE3F\BGXcyLV
U4BY2k
JcAGy4j
G5AJXnFhT
IBtrDa74A
AN6TZemgI1
ehEj5OMkGcb\7Z1CHS3ho
EgrlX27Aqc\vhofcRC8K
Anson (Author)
Posted May 24

2 hours ago, Marcos said:
    Please run Windows Scheduler and delete the following tasks:
    MicroSoft\Windows\Le1yO8rdD
    MicroSoft\Windows\qD1vpNAmE3F\BGXcyLV
    U4BY2k
    JcAGy4j
    G5AJXnFhT
    IBtrDa74A
    AN6TZemgI1
    ehEj5OMkGcb\7Z1CHS3ho
    EgrlX27Aqc\vhofcRC8K

Hi Brother

I tried to delete it, but it prompts: "The user account does not have permission to delete this work folder". The account I use is Domain Admin, Local Admin.

Also, I didn't find these in Windows Scheduler:

U4BY2k
JcAGy4j
G5AJXnFhT
IBtrDa74A
AN6TZemgI1

But I found t.ouler.cc
Marcos (Administrator) - Solution
Posted May 24

What about deleting these keys in safe mode?

HKLM\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{15C01E37-7064-4EC0-B568-CEF52B5FFFDC}
HKLM\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2531843A-F7CA-48E8-AB1E-ADCC69AE2011}
HKLM\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4ED11524-6898-4FA8-B895-1BC9FDD4C863}
HKLM\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{564EA983-F0CF-403C-AC41-164F199DC84A}
HKLM\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{718B8362-5FDA-424D-BA8A-FC92201F181D}
HKLM\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{71B8CFB7-EB7E-48FB-A20A-1391EDD640E5}
HKLM\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8CF18252-8B3C-44E1-A4E9-629C0B3A086A}
HKLM\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{953F7783-07C3-4852-9382-33007F6FAB27}
HKLM\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FFC9EAFA-6545-4D7B-92BD-ED4CA26CCCF9}
Anson (Author)
Posted May 27

On 5/24/2022 at 5:18 PM, Marcos said:
    What about deleting these keys in safe mode?
    HKLM\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{15C01E37-7064-4EC0-B568-CEF52B5FFFDC}
    HKLM\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2531843A-F7CA-48E8-AB1E-ADCC69AE2011}
    HKLM\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4ED11524-6898-4FA8-B895-1BC9FDD4C863}
    HKLM\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{564EA983-F0CF-403C-AC41-164F199DC84A}
    HKLM\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{718B8362-5FDA-424D-BA8A-FC92201F181D}
    HKLM\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{71B8CFB7-EB7E-48FB-A20A-1391EDD640E5}
    HKLM\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8CF18252-8B3C-44E1-A4E9-629C0B3A086A}
    HKLM\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{953F7783-07C3-4852-9382-33007F6FAB27}
    HKLM\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FFC9EAFA-6545-4D7B-92BD-ED4CA26CCCF9}

Thanks, after deleting these values, ESET has no prompts.
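The thread above shows two things a defender runs into with scheduled-task persistence: the Task Scheduler UI may refuse to delete a task (or not show it at all), and the authoritative record of every registered task lives in the registry under the TaskCache key, where a Tree entry maps the task's folder path to a GUID key under Tasks. The script below is an added example written for this page, not code from the thread, from ESET or from Microsoft. It reads that cache directly, decodes each task's Actions blob to show what command it launches, flags entries that start powershell.exe (the detection ESET reported), and offers a WhatIf-capable removal that mirrors Marcos's advice. Note that the full registry path includes the SOFTWARE hive, which Marcos's list omits. Function names are mine; the observation that the Actions value embeds its command line as UTF-16LE text is an assumption you should confirm on a known task before relying on it. Run it from an elevated PowerShell prompt; it changes nothing unless you call Remove-TaskCacheEntry without -WhatIf.

```powershell
# Added example (not from the thread): enumerate scheduled tasks straight from the
# TaskCache registry key and flag the ones whose action launches PowerShell.
# Read-only unless Remove-TaskCacheEntry is invoked; run from an elevated prompt.

$TaskCache = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'

function Get-TaskCacheEntry {
    # Every key under TaskCache\Tree that carries an 'Id' value is a registered
    # task; the Id is the GUID of its record under TaskCache\Tasks, which is the
    # key Marcos's list above points at. Reading the registry sidesteps a UI
    # that hides or refuses to delete a task.
    Get-ChildItem -Path "$TaskCache\Tree" -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $tree = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if (-not $tree.Id) { return }

        # Task path relative to the Tree root, e.g. \Microsoft\Windows\Foo
        $marker   = '\TaskCache\Tree'
        $taskPath = $_.Name.Substring($_.Name.IndexOf($marker) + $marker.Length)

        $taskKey = "$TaskCache\Tasks\$($tree.Id)"
        $task    = Get-ItemProperty -Path $taskKey -ErrorAction SilentlyContinue

        # 'Actions' is REG_BINARY; the executable and arguments are embedded as
        # UTF-16LE text (assumption, verify on a known task), so decoding the
        # bytes and keeping the printable run exposes the command line.
        $actions = ''
        if ($task -and $task.Actions) {
            $raw     = [System.Text.Encoding]::Unicode.GetString([byte[]]$task.Actions)
            $actions = (($raw -replace '[^\x20-\x7E]', ' ') -replace '\s{2,}', ' ').Trim()
        }

        [pscustomobject]@{
            TaskPath = $taskPath
            Id       = $tree.Id
            TreeKey  = $_.PSPath      # provider path, usable with Test-Path/Remove-Item
            TaskKey  = $taskKey
            Author   = $task.Author
            Actions  = $actions
        }
    }
}

function Find-PowerShellTask {
    # Surface tasks whose action runs PowerShell or passes an encoded command.
    # Some legitimate admin tasks use PowerShell too, so review rather than
    # bulk-delete the output.
    param([string[]]$Pattern = @('powershell', 'pwsh', '-enc'))
    Get-TaskCacheEntry | Where-Object {
        $a = $_.Actions
        foreach ($p in $Pattern) {
            if ($a -match [regex]::Escape($p)) { return $true }
        }
        $false
    }
}

function Remove-TaskCacheEntry {
    # Unregister a task the way Marcos described when the scheduler refuses:
    # delete the Tree key, the Tasks\{GUID} key and the task XML file under
    # System32\Tasks. Run with -WhatIf first; if the Schedule service still
    # holds the keys, boot into safe mode as the thread suggests.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Entry)
    process {
        $taskFile = Join-Path $env:SystemRoot "System32\Tasks$($Entry.TaskPath)"
        foreach ($target in @($Entry.TreeKey, $Entry.TaskKey, $taskFile)) {
            if (Test-Path -LiteralPath $target) {
                if ($PSCmdlet.ShouldProcess($target, 'Remove')) {
                    Remove-Item -LiteralPath $target -Recurse -Force
                }
            }
        }
    }
}

# Usage: inventory everything, then look only at PowerShell launchers.
Get-TaskCacheEntry | Format-Table TaskPath, Id, Author, Actions -AutoSize
Find-PowerShellTask | Format-List TaskPath, Id, TaskKey, Actions

# Dry run of removing one flagged entry (task path from Marcos's list above):
# Find-PowerShellTask |
#     Where-Object TaskPath -eq '\Microsoft\Windows\Le1yO8rdD' |
#     Remove-TaskCacheEntry -WhatIf
```

Keep the inventory output from a clean machine alongside the one from the infected server: diffing the two is the quickest way to spot task names like the random strings in this thread, which have no counterpart in a stock Windows install. Remove-TaskCacheEntry deletes all three artifacts (Tree key, Tasks key, XML file) because leaving any one of them behind lets the Schedule service re-import the task or keeps the security scanner reporting it.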