Jump to content

Annoying PowerShell/Agent.AEW, on each start.. Need assitence


Go to solution Solved by Marcos,

Recommended Posts

  • Administrators

Unfortunately ELC logs were collected using the default template. Please select "Threat detection" from the drop-down menu in ELC prior to collecting logs.

Is there any reason why you have ESET Internet Security installed instead of ESET Endpoint Security given that you have a trial license for 50 seats?

Also you have a lot of cracks and folders with cracks excluded from scanning. If it's a work computer, using cracks is not recommended for security reasons.

Link to comment
Share on other sites

2 hours ago, Marcos said:

Unfortunately ESET Log Collector logs were collected using the default template. Please select "Threat detection" from the drop-down menu in ESET Log Collector prior to collecting logs.

Is there any reason why you have ESET Internet Security installed instead of ESET Endpoint Security given that you have a trial license for 50 seats?

Also you have a lot of cracks and folders with cracks excluded from scanning. If it's a work computer, using cracks is not recommended for security reasons.

Reason is TESTING.

Cracks are clean and tested few times on virus total too, This PowerShell/Agent.AEW start appear 1-2 week ago , it was not present before while cracks was present. Hear it log as you request . Deleted that directory windows\tasks\xxxxx few times it will reaper mostly after reboot , not every time but it will 

eis_logs.zip

Edited by formingus
Corrected few words
Link to comment
Share on other sites

4 hours ago, Marcos said:

Run Windows Scheduler and delete the task:
Microsoft\Windows\NetService\Network\NetServices

If you didnt pay attention, deleted few times, task will be recreated . Thanks for advice, any other solution?

Link to comment
Share on other sites

12 hours ago, itman said:

Review this posting: https://forum.eset.com/topic/32255-powershellgentaew-trojan-keeps-coming-back-after-cleaning-and-reboot/?do=findComment&comment=150540 .

Perhaps @Marcos can consult with @JamesR to determine what additional scheduled tasks have to be removed.

Thanks, will try there in same time will follow this thread...

Link to comment
Share on other sites

  • Administrators

I'd suggest at least temporarily disabling admin shares in case that the task is being re-created remotely from another infected machine in the network. Or you can try disconnecting the machine from the network for some time to see if the task is re-created.

Link to comment
Share on other sites

12 minutes ago, Marcos said:

I'd suggest at least temporarily disabling admin shares in case that the task is being re-created remotely from another infected machine in the network. Or you can try disconnecting the machine from the network for some time to see if the task is re-created.

So, removing LAN Cable will be enough and then to check? I just got message again... but task is not there!!!!


Other PC is connected but not turned ON. So you are suggesting to disconnect LAN Cable and check will it appear tomorow ?

 

Threat.jpg

No there.jpg

Edited by formingus
Link to comment
Share on other sites

  • 2 weeks later...

Nothing against this gr8 Antivirus, but for those who want to get rid or this annoying task use Kaspersky standalone virus scanner, He did gr8 job, He found start up shell command hidden that cause to recreate that task. Use KVRT.exe with last updates...

Link to comment
Share on other sites

No one in the security field is currently recommending any use of Kaspersky software or for that matter, any software where the developers reside within Russia. That includes AdGuard as far as I am concerned:

Quote

Kaspersky Anti-Virus has enjoyed two decades of robust competition in the cybersecurity space. It might be quite user-friendly, and it might be quite popular. However, the reputation and the security ties of the company are much more important than bells and whistles of an antivirus app. Let's not beat around the bush here – Kaspersky is in bad company.

The Russian-owned company has been reported to be in communication with Russia’s Federal Security Service (FSB) and is responsible for providing them with real-time intelligence and identifying data of customers’ computers. Plus, the domain of the Russian Ministry of Defense is hosted in Kaspersky's infrastructure, and Eugene Kaspersky, the owner of the company, has recently refused to condemn the Russian army's cruel and unlawful military actions in Ukraine.

With that in mind, many users might have a serious problem using any products with such a connection – let alone a personal cybersecurity product.

https://cybernews.com/best-antivirus-software/kaspersky-antivirus-review/

The above said, KVRT does an excellent job of removing entrenched malware. The question is what did KVRT additionally install on your device?

Another such reference: https://www.komando.com/security-privacy/kaspersky-antivirus-dangers/830542/ among the many that currently exist on the web.

Edited by itman
Link to comment
Share on other sites

12 hours ago, itman said:

No one in the security field is currently recommending any use of Kaspersky software or for that matter, any software where the developers reside within Russia. That includes AdGuard as far as I am concerned:

https://cybernews.com/best-antivirus-software/kaspersky-antivirus-review/

The above said, KVRT does an excellent job of removing entrenched malware. The question is what did KVRT additionally install on your device?

Another such reference: https://www.komando.com/security-privacy/kaspersky-antivirus-dangers/830542/ among the many that currently exist on the web.

What they recommend i dont know and is not my business. All i know is that i ask for help and ESET wasn't able to solve it (i am not saying disrespectfully ) What KVRT did is found that annoying TASK that ESET quarantine on each startup. Now, after use KVRT i am free of that annoying stuff. AS I MENTION BEFORE i am not Kaspersky user or recommending Kaspersky but for this problem Kaspersky will solve it 100% 

Link to comment
Share on other sites

12 hours ago, itman said:

No one in the security field is currently recommending any use of Kaspersky software or for that matter, any software where the developers reside within Russia. That includes AdGuard as far as I am concerned:

https://cybernews.com/best-antivirus-software/kaspersky-antivirus-review/

The above said, KVRT does an excellent job of removing entrenched malware. The question is what did KVRT additionally install on your device?

Another such reference: https://www.komando.com/security-privacy/kaspersky-antivirus-dangers/830542/ among the many that currently exist on the web.

BTW you are believing a site that has world ranking  20,585, you can find 100 russian sites that says dont use ESET, dont believe everything that you red on internet. I use Kaspersky long time ago and its gr8 , quite, excellent antivirus. There are 2 Antiviruses that worth all others are joke.

ESET and Kaspersky 

Link to comment
Share on other sites

  • Most Valued Members

About Kaspersky and Russia that applies to every country and software , the question is to where or which place you want your data to be looked at, NSA was developing tools to hack Windows and still , Kaspersky detected them and uploaded them to their cloud as the program is programmed to do so

Yet people were sad that Kaspersky did it's job , but weren't sad that NSA were trying to develope tools to hack people's privacy or whatever the reason was which obviously would have been said to be for defense reasons

Doesn't Microsoft gather all data it can about your usage in Windows?

There is no evidence that Kaspersky work with Russian government , yet they moved their headquarters to Switzerland, and anyway a security company that big would assist the government , as would any AV company / security company would assist and work with the government specially if the gov asked for their assistance.

So if that was Norton or ESET , and automatically it detected the tools and uploaded them to their cloud not knowing this was a government employee since Office cracks were inside that folder uploaded per the story , and then Norton/ESET/TrendMicro whatever other company detected and flagged those tools as malicious

So then ESET and Norton or Trend Micro should be distrusted? or well done to that AV , it did it's job to detect an unknown sample.

Per the logic here , that for example X person is malicious software developer , he develops one , by mistake he forgets he have an AV running , the AV is programmed smart , picks up the samples because it's set to do so , sends it to the cloud AI , cloud AI decides it's malicious

The developer is sad and mad now , and wants to boycott the AV program he installed because it has done it's job.

Per the political view , it's also a bad view , since technology shouldn't be mixed with politics , and other countries has done attacks on other countries , but yet we only see news about 1 country, there is a side of media brainwash we shouldn't fall into.

Edited by Nightowl
Link to comment
Share on other sites

27 minutes ago, Nightowl said:

About Kaspersky and Russia that applies to every country and software , the question is to where or which place you want your data to be looked at, NSA was developing tools to hack Windows and still , Kaspersky detected them and uploaded them to their cloud as the program is programmed to do so

Yet people were sad that Kaspersky did it's job , but weren't sad that NSA were trying to develope tools to hack people's privacy or whatever the reason was which obviously would have been said to be for defense reasons

Doesn't Microsoft gather all data it can about your usage in Windows?

There is no evidence that Kaspersky work with Russian government , yet they moved their headquarters to Switzerland, and anyway a security company that big would assist the government , as would any AV company / security company would assist and work with the government specially if the gov asked for their assistance.

So if that was Norton or ESET , and automatically it detected the tools and uploaded them to their cloud not knowing this was a government employee since Office cracks were inside that folder uploaded per the story , and then Norton/ESET/TrendMicro whatever other company detected and flagged those tools as malicious

So then ESET and Norton or Trend Micro should be distrusted? or well done to that AV , it did it's job to detect an unknown sample.

Per the logic here , that for example X person is malicious software developer , he develops one , by mistake he forgets he have an AV running , the AV is programmed smart , picks up the samples because it's set to do so , sends it to the cloud AI , cloud AI decides it's malicious

The developer is sad and mad now , and wants to boycott the AV program he installed because it has done it's job.

Per the political view , it's also a bad view , since technology shouldn't be mixed with politics , and other countries has done attacks on other countries , but yet we only see news about 1 country, there is a side of media brainwash we shouldn't fall into.

Why members should mass , politics, war and some other strange things .

guy's, i open thread to get help, they didnt solve mine problem. What i did was user Kaspersky and it solve mine problem!!!

Why is so hard for someone to understood that KASPERSKY solved mine problem, do you understood. It solved mine problem and i dont care about Russia politics and what ever. Who want to get rid of annoying problem that i have need to use that tool, thats all and is simply. When members have some trouble there are no REPLAY at all, when need to arguing for some stupid politics thigs they will come. Dude, i dont need politics lessons, what i need was help to get rid from that task and for last time Kaspersky did it,(and i post to help others not to make Kaspersky better) i like and use ESET. Understoooood!!!!!!!

Link to comment
Share on other sites

20 hours ago, safety said:

@formingus,

Can you show what exactly KVRT found and removed to solve this problem?

Actually i made video of it but i cant find it.... As far i remember there was some text file (script of half page) inside c:\Windows\System32\xxxxx\ some non usually name like OcgXsfG folder. I Believe its random created so what ever was its name it will be different in your case. But 100% is for sure that this kind of problem it will be solve 

Link to comment
Share on other sites

4 hours ago, formingus said:

Actually i made video of it but i cant find it.... As far i remember there was some text file (script of half page) inside c:\Windows\System32\xxxxx\ some non usually name like OcgXsfG folder. I Believe its random created so what ever was its name it will be different in your case. But 100% is for sure that this kind of problem it will be solve 

Please check if a file with the following name has been saved on the disk:

report_2022.06.23_18.10.58.klr.enc1

Link to comment
Share on other sites

3 hours ago, safety said:

Please check if a file with the following name has been saved on the disk:

report_2022.06.23_18.10.58.klr.enc1

I dont have that file , but i found which file was. I Know that i have saved some where.

This was folder name... C:\Windows\System32\rMZ0nIulz9

Script is inside the rar

Script was on system32 not partition D on partition D i saved only to help others

Clipboard Image (1).jpg

Clipboard Image.jpg

rMZ0nIulz9.rar

Edited by formingus
Added text
Link to comment
Share on other sites

  • Administrators
  • Solution
50 minutes ago, formingus said:

I dont have that file , but i found which file was. I Know that i have saved some where.

This was folder name... C:\Windows\System32\rMZ0nIulz9

Script is inside the rar

It's virtually same as the legitimate system file C:\Windows\System32\SyncAppvPublishingServer.vbs which is often misused by malware, virtually the only difference is that it doesn't run the script with the RemoteSigned execution policy. The system script file is not detected by any vendor:

https://www.virustotal.com/gui/file/b8a5c42bf6f7a14ba73660be29f5c061d30b41c6d14e42b880a4ea522f43ce66

We've added a detection for the slightly modified file.

Link to comment
Share on other sites

28 minutes ago, Marcos said:

It's virtually same as the legitimate system file C:\Windows\System32\SyncAppvPublishingServer.vbs which is often misused by malware, virtually the only difference is that it doesn't run the script with the RemoteSigned execution policy. The system script file is not detected by any vendor:

https://www.virustotal.com/gui/file/b8a5c42bf6f7a14ba73660be29f5c061d30b41c6d14e42b880a4ea522f43ce66

We've added a detection for the slightly modified file.

Dunno, but until it was removed i got ESET warring almost at each start, even i delete task as i was advised hear. Thanks for assistance... 👍 

Link to comment
Share on other sites

  • 4 weeks later...

I had the same issue. Using ESET Endpoint. 

Always came back every reboot. 

KVRT.exe cleaned it up immediately. Thanks Formingus. I was about to do a fresh install of windows. 

 

Edited by Marcos
Redacted
Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...