formingus Posted June 9, 2022: Annoying PowerShell/Agent.AEW on each start. Need assistance. I uploaded all the info that I read about on the forum for such cases: SysInspector-UNLOCKER-220609-102619.zip, eis_logs.zip
Marcos (Administrator) Posted June 9, 2022: Unfortunately ELC logs were collected using the default template. Please select "Threat detection" from the drop-down menu in ELC prior to collecting logs. Is there any reason why you have ESET Internet Security installed instead of ESET Endpoint Security given that you have a trial license for 50 seats? Also you have a lot of cracks and folders with cracks excluded from scanning. If it's a work computer, using cracks is not recommended for security reasons.
formingus Posted June 9, 2022 (edited): 2 hours ago, Marcos said: Unfortunately ESET Log Collector logs were collected using the default template. Please select "Threat detection" from the drop-down menu in ESET Log Collector prior to collecting logs. Is there any reason why you have ESET Internet Security installed instead of ESET Endpoint Security given that you have a trial license for 50 seats? Also you have a lot of cracks and folders with cracks excluded from scanning. If it's a work computer, using cracks is not recommended for security reasons. -- The reason is TESTING. The cracks are clean and were tested a few times on VirusTotal too. This PowerShell/Agent.AEW started appearing 1-2 weeks ago; it was not present before, while the cracks were present. Here is the log as you requested. I deleted that directory windows\tasks\xxxxx a few times; it will reappear, mostly after reboot, not every time, but it will. eis_logs.zip
Marcos (Administrator) Posted June 9, 2022: Run Windows Task Scheduler and delete the task: Microsoft\Windows\NetService\Network\NetServices
formingus Posted June 9, 2022: 4 hours ago, Marcos said: Run Windows Scheduler and delete the task: Microsoft\Windows\NetService\Network\NetServices -- If you didn't pay attention: I deleted it a few times, the task will be recreated. Thanks for the advice; any other solution?
formingus Posted June 9, 2022: 4 hours ago, Marcos said: Run Windows Scheduler and delete the task: Microsoft\Windows\NetService\Network\NetServices -- 111.mp4 (video attachment)
itman Posted June 9, 2022: Review this posting: https://forum.eset.com/topic/32255-powershellgentaew-trojan-keeps-coming-back-after-cleaning-and-reboot/?do=findComment&comment=150540 . Perhaps @Marcos can consult with @JamesR to determine what additional scheduled tasks have to be removed.
formingus Posted June 10, 2022: 12 hours ago, itman said: Review this posting: https://forum.eset.com/topic/32255-powershellgentaew-trojan-keeps-coming-back-after-cleaning-and-reboot/?do=findComment&comment=150540 . Perhaps @Marcos can consult with @JamesR to determine what additional scheduled tasks have to be removed. -- Thanks, I will try there and at the same time will follow this thread...
Marcos (Administrator) Posted June 10, 2022: I'd suggest at least temporarily disabling admin shares in case the task is being re-created remotely from another infected machine in the network. Or you can try disconnecting the machine from the network for some time to see if the task is re-created.
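One way to answer Marcos's question (is the task being registered by a remote logon, or by something local?) without unplugging the cable is to read the Security log. This is an added example, not code from the thread or from ESET. It assumes the task name Marcos quoted (NetServices), that "Audit Other Object Access Events" success auditing is enabled so that event 4698 ("A scheduled task was created") is actually written, and an elevated PowerShell 5.1+ session; the 14-day look-back and the field selection are illustrative choices.

```powershell
# Added example, not from the thread: attribute scheduled-task creation to a logon.
# Needs event 4698 in the Security log (requires "Audit Other Object Access Events").
# Assumptions: task name pattern 'NetServices' (from the thread), 14-day window.

function ConvertTo-EventDataTable {
    # Flatten the <EventData><Data Name=...> elements of an event into a hashtable.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $table = @{}
    foreach ($node in $xml.Event.EventData.Data) { $table[$node.Name] = $node.'#text' }
    return $table
}

function Get-TaskCreationEvents {
    # Every 4698 whose TaskName matches the pattern, with the creator's account and
    # logon ID. TaskContent is the registered task XML, so it records what the task ran
    # even after the task itself has been deleted. A SubjectLogonId of 0x3e7 is the
    # SYSTEM logon, i.e. a local service or an existing SYSTEM task created it.
    param([string]$TaskNamePattern = 'NetServices', [int]$Days = 14)
    $filter = @{ LogName = 'Security'; Id = 4698; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertTo-EventDataTable -Event $_
        if ($d['TaskName'] -match $TaskNamePattern) {
            [pscustomobject]@{
                Time            = $_.TimeCreated
                TaskName        = $d['TaskName']
                Account         = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                LogonId         = $d['SubjectLogonId']
                ClientProcessId = $d['ClientProcessId']  # only on newer Windows builds; else $null
                TaskContent     = $d['TaskContent']
            }
        }
    }
}

function Get-LogonForId {
    # Match a logon ID to its 4624 event. LogonType 3 with a non-local IpAddress means
    # the task was registered through a network logon (admin shares, remote scheduling).
    param([Parameter(Mandatory)][string]$LogonId, [int]$Days = 14)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertTo-EventDataTable -Event $_
        if ($d['TargetLogonId'] -eq $LogonId) {
            [pscustomobject]@{
                LogonType   = $d['LogonType']
                IpAddress   = $d['IpAddress']
                Workstation = $d['WorkstationName']
                Process     = $d['ProcessName']
            }
        }
    } | Select-Object -First 1
}

# Driver: one row per task creation, joined to the logon that performed it, plus the
# command the registered task would execute (pulled from the stored task XML).
Get-TaskCreationEvents | ForEach-Object {
    $logon = Get-LogonForId -LogonId $_.LogonId
    $taskXml = [xml]$_.TaskContent
    [pscustomobject]@{
        Time      = $_.Time
        Account   = $_.Account
        LogonType = $logon.LogonType
        Source    = $logon.IpAddress
        Command   = $taskXml.Task.Actions.Exec.Command
        Arguments = $taskXml.Task.Actions.Exec.Arguments
    }
} | Format-Table -AutoSize -Wrap
```

If the query returns nothing, auditing was not enabled when the task was created; turn it on (Advanced Audit Policy, Object Access, Other Object Access Events) and wait for the next recreation. A LogonType of 3 from another host's address confirms the remote theory; SYSTEM or an interactive logon with no source address points at a local persistence mechanism instead.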
formingus Posted June 10, 2022 (edited): 12 minutes ago, Marcos said: I'd suggest at least temporarily disabling admin shares in case that the task is being re-created remotely from another infected machine in the network. Or you can try disconnecting the machine from the network for some time to see if the task is re-created. -- So, removing the LAN cable will be enough, and then check? I just got the message again... but the task is not there!!!! The other PC is connected but not turned ON. So you are suggesting disconnecting the LAN cable and checking whether it appears tomorrow?
formingus Posted June 10, 2022: But the service folder is not there!!!
formingus Posted June 21, 2022: Nothing against this great antivirus, but for those who want to get rid of this annoying task, use the Kaspersky standalone virus scanner. It did a great job; it found a hidden startup shell command that caused that task to be recreated. Use KVRT.exe with the latest updates...
itman Posted June 21, 2022 (edited): No one in the security field is currently recommending any use of Kaspersky software or, for that matter, any software where the developers reside within Russia. That includes AdGuard as far as I am concerned:

Quote: "Kaspersky Anti-Virus has enjoyed two decades of robust competition in the cybersecurity space. It might be quite user-friendly, and it might be quite popular. However, the reputation and the security ties of the company are much more important than bells and whistles of an antivirus app. Let's not beat around the bush here – Kaspersky is in bad company. The Russian-owned company has been reported to be in communication with Russia's Federal Security Service (FSB) and is responsible for providing them with real-time intelligence and identifying data of customers' computers. Plus, the domain of the Russian Ministry of Defense is hosted in Kaspersky's infrastructure, and Eugene Kaspersky, the owner of the company, has recently refused to condemn the Russian army's cruel and unlawful military actions in Ukraine. With that in mind, many users might have a serious problem using any products with such a connection – let alone a personal cybersecurity product." https://cybernews.com/best-antivirus-software/kaspersky-antivirus-review/

The above said, KVRT does an excellent job of removing entrenched malware. The question is what did KVRT additionally install on your device? Another such reference: https://www.komando.com/security-privacy/kaspersky-antivirus-dangers/830542/ among the many that currently exist on the web.
formingus Posted June 22, 2022: 12 hours ago, itman said: No one in the security field is currently recommending any use of Kaspersky software or for that matter, any software where the developers reside within Russia. That includes AdGuard as far as I am concerned: https://cybernews.com/best-antivirus-software/kaspersky-antivirus-review/ The above said, KVRT does an excellent job of removing entrenched malware. The question is what did KVRT additionally install on your device? Another such reference: https://www.komando.com/security-privacy/kaspersky-antivirus-dangers/830542/ among the many that currently exist on the web. -- What they recommend I don't know, and it is not my business. All I know is that I asked for help and ESET wasn't able to solve it (I am not saying this disrespectfully). What KVRT did is find that annoying TASK that ESET quarantined on each startup. Now, after using KVRT, I am free of that annoying stuff. AS I MENTIONED BEFORE, I am not a Kaspersky user, nor am I recommending Kaspersky, but for this problem Kaspersky will solve it 100%.
formingus Posted June 22, 2022: 12 hours ago, itman said: No one in the security field is currently recommending any use of Kaspersky software or for that matter, any software where the developers reside within Russia. That includes AdGuard as far as I am concerned: https://cybernews.com/best-antivirus-software/kaspersky-antivirus-review/ The above said, KVRT does an excellent job of removing entrenched malware. The question is what did KVRT additionally install on your device? Another such reference: https://www.komando.com/security-privacy/kaspersky-antivirus-dangers/830542/ among the many that currently exist on the web. -- BTW, you are believing a site that has a world ranking of 20,585; you can find 100 Russian sites that say don't use ESET. Don't believe everything that you read on the internet. I used Kaspersky a long time ago and it's a great, quiet, excellent antivirus. There are 2 antiviruses that are worth it; all the others are a joke: ESET and Kaspersky.
Nightowl (Most Valued Member) Posted June 23, 2022 (edited): About Kaspersky and Russia, that applies to every country and software; the question is where, or by whom, you want your data to be looked at. The NSA was developing tools to hack Windows and still, Kaspersky detected them and uploaded them to their cloud, as the program is programmed to do so. Yet people were sad that Kaspersky did its job, but weren't sad that the NSA was trying to develop tools to hack people's privacy, or whatever the reason was, which obviously would have been said to be for defense reasons.

Doesn't Microsoft gather all the data it can about your usage in Windows? There is no evidence that Kaspersky works with the Russian government; yet they moved their headquarters to Switzerland, and anyway a security company that big would assist the government, as any AV company / security company would assist and work with the government, especially if the government asked for their assistance.

So if that was Norton or ESET, and it automatically detected the tools and uploaded them to their cloud, not knowing this was a government employee, since Office cracks were inside that folder uploaded per the story, and then Norton/ESET/Trend Micro or whatever other company detected and flagged those tools as malicious: should ESET and Norton or Trend Micro then be distrusted? Or well done to that AV, it did its job to detect an unknown sample.

Per the logic here, for example person X is a malicious software developer; he develops one, by mistake he forgets he has an AV running, the AV is programmed smart, picks up the samples because it's set to do so, sends them to the cloud AI, the cloud AI decides it's malicious. The developer is sad and mad now, and wants to boycott the AV program he installed because it has done its job.

Per the political view, it's also a bad view, since technology shouldn't be mixed with politics, and other countries have done attacks on other countries, but yet we only see news about 1 country; there is a side of media brainwash we shouldn't fall into.
formingus Posted June 23, 2022: 27 minutes ago, Nightowl said: About Kaspersky and Russia that applies to every country and software, the question is to where or which place you want your data to be looked at [...] there is a side of media brainwash we shouldn't fall into. -- Why should members mix in politics, war and some other strange things? Guys, I opened this thread to get help; they didn't solve my problem. What I did was use Kaspersky and it solved my problem!!! Why is it so hard for someone to understand that KASPERSKY solved my problem, do you understand? It solved my problem and I don't care about Russia, politics and whatever. Whoever wants to get rid of the annoying problem that I had needs to use that tool, that's all, and it is simple. When members have some trouble there is no REPLY at all; when they need to argue about some stupid politics things they will come. Dude, I don't need politics lessons; what I needed was help to get rid of that task, and for the last time, Kaspersky did it (and I posted to help others, not to make Kaspersky better). I like and use ESET. Understood!!!
safety Posted June 23, 2022 (edited): @formingus, can you show what exactly KVRT found and removed to solve this problem?
formingus Posted June 24, 2022: 20 hours ago, safety said: @formingus, Can you show what exactly KVRT found and removed to solve this problem? -- Actually I made a video of it but I can't find it.... As far as I remember there was some text file (a script of half a page) inside c:\Windows\System32\xxxxx\, some unusual name like an OcgXsfG folder. I believe it's randomly created, so whatever its name was, it will be different in your case. But 100% for sure, this kind of problem will be solved.
safety Posted June 24, 2022: 4 hours ago, formingus said: Actually i made video of it but i cant find it.... As far i remember there was some text file (script of half page) inside c:\Windows\System32\xxxxx\ some non usually name like OcgXsfG folder. I Believe its random created so what ever was its name it will be different in your case. But 100% is for sure that this kind of problem it will be solve -- Please check if a file with the following name has been saved on the disk: report_2022.06.23_18.10.58.klr.enc1
formingus Posted June 24, 2022 (edited): 3 hours ago, safety said: Please check if a file with the following name has been saved on the disk: report_2022.06.23_18.10.58.klr.enc1 -- I don't have that file, but I found which file it was. I knew that I had saved it somewhere. This was the folder name... C:\Windows\System32\rMZ0nIulz9 The script is inside the rar. The script was in System32, not on partition D; on partition D I saved it only to help others. rMZ0nIulz9.rar
Marcos (Administrator) Posted June 24, 2022 (marked as Solution): 50 minutes ago, formingus said: I dont have that file , but i found which file was. I Know that i have saved some where. This was folder name... C:\Windows\System32\rMZ0nIulz9 Script is inside the rar -- It's virtually the same as the legitimate system file C:\Windows\System32\SyncAppvPublishingServer.vbs, which is often misused by malware; virtually the only difference is that it doesn't run the script with the RemoteSigned execution policy. The system script file is not detected by any vendor: https://www.virustotal.com/gui/file/b8a5c42bf6f7a14ba73660be29f5c061d30b41c6d14e42b880a4ea522f43ce66 We've added a detection for the slightly modified file.
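The two artefacts the thread converged on are a scheduled task that launches a .vbs (Marcos named \Microsoft\Windows\NetService\Network\NetServices) and a near-copy of SyncAppvPublishingServer.vbs in a randomly named System32 subfolder that drops the "-ExecutionPolicy RemoteSigned" switch. The script below is an added example for hunting both on a Windows host; it is not from the thread, from ESET or from Kaspersky. It assumes an elevated PowerShell 5.1+ session, and it keys the content check on the Sync-AppvPublishingServer cmdlet call that the genuine script makes; the exact text of either file is not on the page, so treat that pattern as an assumption and review every hit by hand before removing anything.

```powershell
# Added example, not from the thread: hunt for (1) scheduled tasks whose action runs a
# .vbs and (2) modified copies of SyncAppvPublishingServer.vbs under System32 that lack
# "-ExecutionPolicy RemoteSigned". Run elevated, PowerShell 5.1+.
# Assumption: the genuine script text contains a Sync-AppvPublishingServer call.

$Canonical = Join-Path $env:SystemRoot 'System32\SyncAppvPublishingServer.vbs'

function Test-SuspiciousVbsContent {
    # $true when the text calls Sync-AppvPublishingServer but never sets RemoteSigned,
    # i.e. the one difference Marcos describes between the system script and the copy.
    param([Parameter(Mandatory)][string]$Text)
    $callsSync    = $Text -match 'Sync-AppvPublishingServer'
    $remoteSigned = $Text -match '(?i)-ExecutionPolicy\s+RemoteSigned'
    return ($callsSync -and -not $remoteSigned)
}

function Get-VbsLaunchingTasks {
    # Every registered task whose Exec action references a .vbs file, directly or as an
    # argument to wscript/cscript/powershell. ComHandler actions have no Execute/Arguments
    # and produce an empty string, so they never match.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            if ($cmd -match '(?i)\.vbs\b') {
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    Author   = $task.Author
                    State    = $task.State
                    Command  = $cmd
                }
            }
        }
    }
}

function Find-ModifiedSyncScripts {
    # .vbs files anywhere under System32 other than the canonical path whose content
    # trips Test-SuspiciousVbsContent. SHA256 is reported so a hit can be compared with
    # the VirusTotal entry for the genuine file and with the canonical copy on this host.
    param([string]$Root = (Join-Path $env:SystemRoot 'System32'))
    $canonicalHash = if (Test-Path $Canonical) { (Get-FileHash -Algorithm SHA256 -Path $Canonical).Hash } else { $null }
    Get-ChildItem -Path $Root -Filter *.vbs -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -ne $Canonical } |
        ForEach-Object {
            $text = Get-Content -Raw -Path $_.FullName -ErrorAction SilentlyContinue
            if ($text -and (Test-SuspiciousVbsContent -Text $text)) {
                $hash = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
                [pscustomobject]@{
                    Path            = $_.FullName
                    SHA256          = $hash
                    SameAsCanonical = ($hash -eq $canonicalHash)
                    LastWrite       = $_.LastWriteTime
                }
            }
        }
}

# Constructed sample texts (not real file contents) so the classifier's decision is visible.
$genuineLike  = 'powershell.exe -ExecutionPolicy RemoteSigned -NoProfile -Command "Sync-AppvPublishingServer"'
$modifiedLike = 'powershell.exe -NoProfile -Command "Sync-AppvPublishingServer"'
"genuine-like sample flagged:  $(Test-SuspiciousVbsContent -Text $genuineLike)"
"modified-like sample flagged: $(Test-SuspiciousVbsContent -Text $modifiedLike)"

# Live hunt. Remove confirmed hits with Unregister-ScheduledTask and Remove-Item only
# after reviewing the task XML and the file; then reboot and re-run to confirm.
Get-VbsLaunchingTasks    | Format-Table -AutoSize -Wrap
Find-ModifiedSyncScripts | Format-Table -AutoSize -Wrap
```

Order matters for the cleanup: remove the script copy first, then unregister the task, then reboot and re-run the hunt. The thread shows that deleting only the task leaves whatever launches the modified script in place, and the task comes back.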
formingus Posted June 24, 2022: 28 minutes ago, Marcos said: It's virtually same as the legitimate system file C:\Windows\System32\SyncAppvPublishingServer.vbs which is often misused by malware, virtually the only difference is that it doesn't run the script with the RemoteSigned execution policy. The system script file is not detected by any vendor: https://www.virustotal.com/gui/file/b8a5c42bf6f7a14ba73660be29f5c061d30b41c6d14e42b880a4ea522f43ce66 We've added a detection for the slightly modified file. -- Dunno, but until it was removed I got an ESET warning at almost every start, even though I deleted the task as I was advised here. Thanks for the assistance... 👍
PewPew Posted July 19, 2022 (edited by Marcos: redacted): I had the same issue, using ESET Endpoint. It always came back every reboot. KVRT.exe cleaned it up immediately. Thanks Formingus. I was about to do a fresh install of Windows.