formingus, posted June 9: Annoying PowerShell/Agent.AEW on each start. Need assistance. I uploaded all the info that I read on the forum is needed in these cases: SysInspector-UNLOCKER-220609-102619.zip, eis_logs.zip
Marcos (Administrator), posted June 9: Unfortunately the ELC logs were collected using the default template. Please select "Threat detection" from the drop-down menu in ELC prior to collecting logs. Is there any reason why you have ESET Internet Security installed instead of ESET Endpoint Security, given that you have a trial license for 50 seats? Also, you have a lot of cracks and folders with cracks excluded from scanning. If it's a work computer, using cracks is not recommended for security reasons.
formingus (author), posted June 9 (edited): Quoting Marcos (2 hours ago): "Unfortunately ESET Log Collector logs were collected using the default template. Please select "Threat detection" from the drop-down menu in ESET Log Collector prior to collecting logs. Is there any reason why you have ESET Internet Security installed instead of ESET Endpoint Security given that you have a trial license for 50 seats? Also you have a lot of cracks and folders with cracks excluded from scanning. If it's a work computer, using cracks is not recommended for security reasons." The reason is TESTING. The cracks are clean and were tested a few times on VirusTotal too. This PowerShell/Agent.AEW started appearing 1-2 weeks ago; it was not present before, while the cracks were present. Here is the log as you requested. I deleted that directory windows\tasks\xxxxx a few times; it reappears mostly after a reboot, not every time, but it does. eis_logs.zip (Edited June 9 by formingus: corrected a few words)
Marcos (Administrator), posted June 9: Run Windows Scheduler and delete the task: Microsoft\Windows\NetService\Network\NetServices
formingus (author), posted June 9: Quoting Marcos (4 hours ago): "Run Windows Scheduler and delete the task: Microsoft\Windows\NetService\Network\NetServices" If you didn't pay attention: I deleted it a few times, and the task gets recreated. Thanks for the advice; any other solution?
formingus (author), posted June 9: Quoting Marcos (4 hours ago): "Run Windows Scheduler and delete the task: Microsoft\Windows\NetService\Network\NetServices" (attached video: 111.mp4)
itman, posted June 9: Review this posting: https://forum.eset.com/topic/32255-powershellgentaew-trojan-keeps-coming-back-after-cleaning-and-reboot/?do=findComment&comment=150540 . Perhaps @Marcos can consult with @JamesR to determine what additional scheduled tasks have to be removed.
formingus (author), posted June 10: Quoting itman (12 hours ago): "Review this posting: https://forum.eset.com/topic/32255-powershellgentaew-trojan-keeps-coming-back-after-cleaning-and-reboot/?do=findComment&comment=150540 . Perhaps @Marcos can consult with @JamesR to determine what additional scheduled tasks have to be removed." Thanks, I will try there and at the same time will follow this thread...
Marcos (Administrator), posted June 10: I'd suggest at least temporarily disabling admin shares in case the task is being re-created remotely from another infected machine in the network. Or you can try disconnecting the machine from the network for some time to see if the task is re-created.
formingus (author), posted June 10 (edited): Quoting Marcos (12 minutes ago): "I'd suggest at least temporarily disabling admin shares in case that the task is being re-created remotely from another infected machine in the network. Or you can try disconnecting the machine from the network for some time to see if the task is re-created." So, removing the LAN cable will be enough, and then check? I just got the message again... but the task is not there!!!! The other PC is connected but not turned ON. So you are suggesting disconnecting the LAN cable and checking whether it appears tomorrow? (Edited June 10 by formingus)
formingus (author), posted June 10: But the service folder is not there!!!
formingus (author), posted June 21: Nothing against this gr8 antivirus, but for those who want to get rid of this annoying task, use the Kaspersky standalone virus scanner. It did a gr8 job; it found the hidden startup shell command that caused that task to be recreated. Use KVRT.exe with the latest updates...
itman, posted June 21 (edited): No one in the security field is currently recommending any use of Kaspersky software or, for that matter, any software where the developers reside within Russia. That includes AdGuard as far as I am concerned: Quote: "Kaspersky Anti-Virus has enjoyed two decades of robust competition in the cybersecurity space. It might be quite user-friendly, and it might be quite popular. However, the reputation and the security ties of the company are much more important than bells and whistles of an antivirus app. Let's not beat around the bush here – Kaspersky is in bad company. The Russian-owned company has been reported to be in communication with Russia's Federal Security Service (FSB) and is responsible for providing them with real-time intelligence and identifying data of customers' computers. Plus, the domain of the Russian Ministry of Defense is hosted in Kaspersky's infrastructure, and Eugene Kaspersky, the owner of the company, has recently refused to condemn the Russian army's cruel and unlawful military actions in Ukraine. With that in mind, many users might have a serious problem using any products with such a connection – let alone a personal cybersecurity product." https://cybernews.com/best-antivirus-software/kaspersky-antivirus-review/ The above said, KVRT does an excellent job of removing entrenched malware. The question is what did KVRT additionally install on your device? Another such reference: https://www.komando.com/security-privacy/kaspersky-antivirus-dangers/830542/ among the many that currently exist on the web. (Edited June 21 by itman)
formingus (author), posted June 22: Quoting itman (12 hours ago): "No one in the security field is currently recommending any use of Kaspersky software or for that matter, any software where the developers reside within Russia. That includes AdGuard as far as I am concerned: https://cybernews.com/best-antivirus-software/kaspersky-antivirus-review/ The above said, KVRT does an excellent job of removing entrenched malware. The question is what did KVRT additionally install on your device? Another such reference: https://www.komando.com/security-privacy/kaspersky-antivirus-dangers/830542/ among the many that currently exist on the web." What they recommend I don't know, and it is not my business. All I know is that I asked for help and ESET wasn't able to solve it (I am not saying this disrespectfully). What KVRT did is find that annoying TASK that ESET quarantined on each startup. Now, after using KVRT, I am free of that annoying stuff. AS I MENTIONED BEFORE, I am not a Kaspersky user and am not recommending Kaspersky, but for this problem Kaspersky will solve it 100%.
formingus (author), posted June 22: Quoting itman (12 hours ago): "No one in the security field is currently recommending any use of Kaspersky software or for that matter, any software where the developers reside within Russia. That includes AdGuard as far as I am concerned: https://cybernews.com/best-antivirus-software/kaspersky-antivirus-review/ The above said, KVRT does an excellent job of removing entrenched malware. The question is what did KVRT additionally install on your device? Another such reference: https://www.komando.com/security-privacy/kaspersky-antivirus-dangers/830542/ among the many that currently exist on the web." BTW, you are believing a site that has a world ranking of 20,585; you can find 100 Russian sites that say don't use ESET. Don't believe everything that you read on the internet. I used Kaspersky a long time ago and it's gr8: quiet, excellent antivirus. There are 2 antiviruses that are worth it; all others are a joke: ESET and Kaspersky.
Nightowl (Most Valued Member), posted June 23 (edited): About Kaspersky and Russia: that applies to every country and software; the question is where, or by which place, you want your data to be looked at. The NSA was developing tools to hack Windows and still, Kaspersky detected them and uploaded them to their cloud, as the program is programmed to do so. Yet people were sad that Kaspersky did its job, but weren't sad that the NSA was trying to develop tools to hack people's privacy, or whatever the reason was, which obviously would have been said to be for defense reasons. Doesn't Microsoft gather all the data it can about your usage in Windows? There is no evidence that Kaspersky works with the Russian government, yet they moved their headquarters to Switzerland, and anyway a security company that big would assist the government, as any AV company / security company would assist and work with the government, especially if the government asked for their assistance. So if that was Norton or ESET, and it automatically detected the tools and uploaded them to their cloud, not knowing this was a government employee, since Office cracks were inside that folder uploaded per the story, and then Norton/ESET/TrendMicro or whatever other company detected and flagged those tools as malicious, should ESET and Norton or Trend Micro then be distrusted? Or well done to that AV; it did its job to detect an unknown sample. Per the logic here, for example, X person is a malicious software developer; he develops one; by mistake he forgets he has an AV running; the AV is programmed smart, picks up the samples because it's set to do so, sends them to the cloud AI, and the cloud AI decides it's malicious. The developer is sad and mad now, and wants to boycott the AV program he installed because it has done its job.
Per the political view, it's also a bad view, since technology shouldn't be mixed with politics, and other countries have done attacks on other countries, but yet we only see news about 1 country; there is a side of media brainwash we shouldn't fall into. (Edited June 23 by Nightowl)
formingus (author), posted June 23, replying to Nightowl (27 minutes ago): Why should members mix in politics, war and some other strange things? Guys, I opened this thread to get help; they didn't solve my problem. What I did was use Kaspersky, and it solved my problem!!! Why is it so hard for someone to understand that KASPERSKY solved my problem, do you understand? It solved my problem and I don't care about Russian politics and whatever. Whoever wants to get rid of the annoying problem that I had needs to use that tool; that's all, and it is simple. When members have some trouble there is no REPLY at all; when there is a need to argue about some stupid political things, they will come. Dude, I don't need politics lessons; what I needed was help to get rid of that task, and in the end Kaspersky did it (and I posted to help others, not to make Kaspersky better). I like and use ESET. Understoooood!!!!!!!
safety, posted June 23 (edited): @formingus, can you show what exactly KVRT found and removed to solve this problem? (Edited June 23 by safety)
formingus (author), posted June 24: Quoting safety (20 hours ago): "@formingus, Can you show what exactly KVRT found and removed to solve this problem?" Actually I made a video of it but I can't find it.... As far as I remember there was some text file (a script of half a page) inside c:\Windows\System32\xxxxx\, a folder with some unusual name like OcgXsfG. I believe it's randomly created, so whatever its name was, it will be different in your case. But it is 100% for sure that this kind of problem will be solved.
safety, posted June 24: Quoting formingus (4 hours ago): "Actually i made video of it but i cant find it.... As far i remember there was some text file (script of half page) inside c:\Windows\System32\xxxxx\ some non usually name like OcgXsfG folder. I Believe its random created so what ever was its name it will be different in your case. But 100% is for sure that this kind of problem it will be solve" Please check if a file with the following name has been saved on the disk: report_2022.06.23_18.10.58.klr.enc1
formingus (author), posted June 24 (edited): Quoting safety (3 hours ago): "Please check if a file with the following name has been saved on the disk: report_2022.06.23_18.10.58.klr.enc1" I don't have that file, but I found which file it was. I knew that I had saved it somewhere. This was the folder name... C:\Windows\System32\rMZ0nIulz9 The script is inside the rar. The script was in System32, not on partition D; on partition D I saved it only to help others. rMZ0nIulz9.rar (Edited June 24 by formingus: added text)
Marcos (Administrator), posted June 24 (marked as Solution): Quoting formingus (50 minutes ago): "I dont have that file , but i found which file was. I Know that i have saved some where. This was folder name... C:\Windows\System32\rMZ0nIulz9 Script is inside the rar" It's virtually the same as the legitimate system file C:\Windows\System32\SyncAppvPublishingServer.vbs, which is often misused by malware; virtually the only difference is that it doesn't run the script with the RemoteSigned execution policy. The system script file is not detected by any vendor: https://www.virustotal.com/gui/file/b8a5c42bf6f7a14ba73660be29f5c061d30b41c6d14e42b880a4ea522f43ce66 We've added a detection for the slightly modified file.
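A defender-side check for the persistence pattern described in this thread (a scheduled task under the NetService path and a near-copy of SyncAppvPublishingServer.vbs dropped into a randomly named System32 subfolder), added here as an example and not code from the thread or from ESET. It assumes the task path and script location quoted above; the 'Appv' and 'RemoteSigned' content matches are assumptions about the script's text, and any output should be reviewed by hand before anything is removed.

```powershell
# Added example: hunt for the NetServices task and stray copies of
# SyncAppvPublishingServer.vbs one level below System32. Run as Administrator.

$legit = 'C:\Windows\System32\SyncAppvPublishingServer.vbs'
$legitHash = $null
if (Test-Path $legit) {
    $legitHash = (Get-FileHash -Path $legit -Algorithm SHA256).Hash
}

# 1. Scheduled tasks under the path named in the thread, plus any task whose
#    action launches a script host or PowerShell (the usual carrier for this).
Write-Host '== Suspicious scheduled tasks =='
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $execActions = $task.Actions | Where-Object { $_.Execute -ne $null }
    $runsScriptHost = $execActions | Where-Object {
        $_.Execute -match 'wscript|cscript|powershell|cmd'
    }
    if ($task.TaskPath -like '\Microsoft\Windows\NetService\*' -or $runsScriptHost) {
        [pscustomobject]@{
            TaskPath = $task.TaskPath
            TaskName = $task.TaskName
            State    = $task.State
            Command  = ($execActions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        }
    }
} | Format-Table -AutoSize

# 2. .vbs files in System32 subfolders that look like the Appv publishing script.
#    The legitimate file lives directly in System32 and runs PowerShell with
#    -ExecutionPolicy RemoteSigned; per the thread, the dropped copy does not.
Write-Host '== Appv-like scripts below System32 =='
Get-ChildItem -Path 'C:\Windows\System32\*\*.vbs' -File -ErrorAction SilentlyContinue |
ForEach-Object {
    $content = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
    # Assumed markers: the script invokes PowerShell and references Appv.
    if ($content -and $content -match 'powershell' -and $content -match 'Appv') {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        [pscustomobject]@{
            Path            = $_.FullName
            SHA256          = $hash
            SameAsLegit     = ($legitHash -ne $null -and $hash -eq $legitHash)
            HasRemoteSigned = [bool]($content -match 'RemoteSigned')
            LastWrite       = $_.LastWriteTimeUtc
        }
    }
} | Format-Table -AutoSize
```

A hit with HasRemoteSigned = False and SameAsLegit = False in a folder such as C:\Windows\System32\rMZ0nIulz9 matches the file the thread ended on; check the task it is launched from before deleting either, since the thread shows the task alone being recreated.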
formingus (author), posted June 24: Quoting Marcos (28 minutes ago): "It's virtually same as the legitimate system file C:\Windows\System32\SyncAppvPublishingServer.vbs which is often misused by malware, virtually the only difference is that it doesn't run the script with the RemoteSigned execution policy. The system script file is not detected by any vendor: https://www.virustotal.com/gui/file/b8a5c42bf6f7a14ba73660be29f5c061d30b41c6d14e42b880a4ea522f43ce66 We've added a detection for the slightly modified file." Dunno, but until it was removed I got the ESET warning almost at each start, even though I deleted the task as I was advised here. Thanks for the assistance... 👍