mohu, November 11, 2022:
I have the same problem as this person. The other day, after I installed ESET, this popup has been appearing constantly (;_;). Please help me remove the cause.
Attachment: eis_logs.zip
mohu (author), November 11, 2022:
Even after restarting the PC after disinfection, this popup continues forever.
Marcos (Administrator), November 11, 2022:
Please provide me with the file C:\WINDOWS\System32\0y0ppope.gv3. Move it to a separate folder, e.g. create c:\eset, move it there and reboot the machine. Do not delete the file until I confirm receipt.
mohu (author), November 11, 2022:
Attachment: 0y0ppope.zip
mohu (author), November 11, 2022:
I moved the specified file and then restarted my PC. I no longer get the "Current access blocked" message. Until then, every time I started up my PC I would monitor Task Manager, and PowerShell was starting by itself. After moving the specified file, PowerShell does not run by itself. I await your instructions on what to do next.
PS: Thank you very much for your help. I would like to learn to find these things so that I can deal with them myself, but what did you see in the log file I gave you at the beginning that made you suspicious? I would appreciate it if you could let me know.
Translated with www.DeepL.com/Translator (free version)
mohu (author), November 11, 2022:
I have left the PC on for a few hours since then and there are no notifications, but it looks like there are about 8 PowerShell instances running in the background. Is this normal?
itman, November 11, 2022:
Quoting mohu (3 hours ago): "PowerShells seem to be running in the background."
If you use Process Explorer, it should show the parent process these child PowerShell processes are running under. This should narrow down the source of the PowerShell process startups.
mohu (author), November 11, 2022:
Thank you very much. I will take a look. Now I will maturely wait for Marcos' reply.
itman, November 11, 2022:
Here's another thread on this coin stealer: https://forum.eset.com/topic/32298-powershellpswcoinstealerb/ . In this instance, it was a Win scheduled task starting PowerShell. This would also explain the multiple PowerShell instances. The scheduled task keeps repeating until it successfully runs.
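The two suggestions above (find the parent of the stray PowerShell processes, then look for a scheduled task that launches them) can be done from a single elevated PowerShell session without Process Explorer. The following is an added example written for this page; it is not itman's code, not ESET tooling, and not taken from the thread. It assumes Windows 8 / Server 2012 or later (for the ScheduledTasks module) and an administrator session; the function name Get-TaskCacheId is my own. Nothing in it modifies the system.

```powershell
# Added example: read-only triage of PowerShell processes and scheduled tasks.
# Run as administrator so Win32_Process returns command lines for all users.

# 1. Map every running powershell.exe / pwsh.exe to its parent process.
#    A parent of svchost.exe (Schedule service) or taskeng.exe points at Task Scheduler.
$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

$procs |
    Where-Object { $_.Name -match '^(powershell|pwsh)\.exe$' } |
    ForEach-Object {
        $parent = $byPid[[int]$_.ParentProcessId]
        [pscustomobject]@{
            Pid         = $_.ProcessId
            ParentPid   = $_.ParentProcessId
            Parent      = if ($parent) { $parent.Name } else { '<exited>' }
            CommandLine = $_.CommandLine
        }
    } | Format-Table -AutoSize -Wrap

# 2. List scheduled tasks whose action runs a script host. The task definitions
#    live as XML under C:\Windows\System32\Tasks and are mirrored in the registry
#    TaskCache; Get-ScheduledTask reads them through the Task Scheduler service.
$scriptHost = '(?i)\b(powershell|pwsh|wscript|cscript|cmd|mshta)(\.exe)?\b'
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $scriptHost) {
            [pscustomobject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                State    = $task.State
                Command  = $cmd
            }
        }
    }
} | Format-Table -AutoSize -Wrap

# 3. Resolve a task's TaskCache GUID. The Tree key for each task holds an "Id"
#    value; that GUID names the matching key under TaskCache\Tasks, which is what
#    a manual export-and-delete of the task has to touch as well.
function Get-TaskCacheId {
    param(
        [Parameter(Mandatory)][string]$TaskPath,   # e.g. '\Microsoft\Windows\WindowsUpdate\'
        [Parameter(Mandatory)][string]$TaskName
    )
    $rel = ($TaskPath.Trim('\') + '\' + $TaskName).Trim('\')
    $key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\$rel"
    (Get-ItemProperty -Path $key -Name Id -ErrorAction SilentlyContinue).Id
}

# Usage: Get-TaskCacheId -TaskPath '\Microsoft\Windows\WindowsUpdate\' -TaskName 'Scheduled Start'
```

A task that repeats until it succeeds shows up in step 2 with a normal-looking name nested under a Microsoft\Windows folder, so judge the Command column, not the TaskPath. Step 3 is what turns a suspicious task into the {GUID} registry key that needs exporting before removal.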
mohu (author), November 11, 2022:
Thank you itman for your politeness. I will look through that as well. I am very happy that I bought ESET!
Marcos (Administrator), November 11, 2022:
The script is now detected as @Trojan.PowerShell/Runner.AV. If you run a scan or access the script, it should be detected and cleaned. Please provide also these files, if they exist. Move them to c:\eset like the previous ps1 file and reboot the machine.
C:\WINDOWS\System32\367D3749-2C54-4201-8143-349A5D20E5CC.ps1
C:\WINDOWS\System32\0B0C5764-0946-4C57-BB56-FDF5374B8F6D.ps1
mohu (author), November 11, 2022:
Marcos, I have attached the two files you specified. A total of 3 files have been isolated as indicated. I will try to scan and restart my PC to try it out. Waiting for your instructions on what to do next.
Attachment: (2).zip
JamesR (ESET Staff), November 11, 2022 (edited):
@mohu From looking at your logs, I can see 17 scheduled tasks which will start an assortment of wscript or PowerShell commands. To quickly clean this up, and to gather samples of all parts of this (including the .ps1 files Marcos asked for), follow these instructions.
1. Open cmd as admin (in the Windows search, type "CMD", then hold "CTRL + Shift" and tap "Enter" while holding those keys).
2. Paste in the commands at the bottom of this post and press Enter (this will make copies of many files to a folder on your desktop named "findRegistryTaskCache"). To paste into the CMD window, simply right-click into the window. This should paste them.
3. After the commands complete execution (they should complete fairly quickly; ignore any errors), reboot as soon as possible.
4. After reboot, locate the "findRegistryTaskCache" folder on your desktop, right-click, send to zip and attach it in a reply here.

Commands to copy:
MKDIR "%UserProfile%\Desktop\findRegistryTaskCache"
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{236BB709-E2AF-4247-9C7E-57914DEE2329}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_1_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{236BB709-E2AF-4247-9C7E-57914DEE2329}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\zs2trQF69\B717FB2E-1486-499A-AB34-9CFBE6036FED" "%UserProfile%\Desktop\findRegistryTaskCache\ID_1_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\zs2trQF69\B717FB2E-1486-499A-AB34-9CFBE6036FED" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\zs2trQF69\B717FB2E-1486-499A-AB34-9CFBE6036FED" "%UserProfile%\Desktop\findRegistryTaskCache\ID_1_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\zs2trQF69\B717FB2E-1486-499A-AB34-9CFBE6036FED" /f /q
copy /Y /B "C:\Windows\System32\rAQBc8Wsa1\06892F7F-5E7E-46F1-8BE6-EAFC65B2BFBD" "%UserProfile%\Desktop\findRegistryTaskCache\ID_1_TASK_2022.11.11_07.18.41.4500_exe.pwsh"
copy /Y /B "C:\Windows\System32\drivers\VPfvJcrgRY\31510FF6-8D8E-4394-9A40-C44009BC2BFC.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_1_TASK_2022.11.11_07.18.41.4500_sys.Script"
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2EDCA282-2EB6-4AAA-952E-C56A9583A995}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_2_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2EDCA282-2EB6-4AAA-952E-C56A9583A995}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\zs2trQF69\F6280D7D-C236-4422-B339-22DA703CA116" "%UserProfile%\Desktop\findRegistryTaskCache\ID_2_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\zs2trQF69\F6280D7D-C236-4422-B339-22DA703CA116" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\zs2trQF69\F6280D7D-C236-4422-B339-22DA703CA116" "%UserProfile%\Desktop\findRegistryTaskCache\ID_2_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\zs2trQF69\F6280D7D-C236-4422-B339-22DA703CA116" /f /q
copy /Y /B "C:\Windows\System32\rAQBc8Wsa1\D4A3F8CD-4E7A-49AB-9064-1508D4EA5A6A" "%UserProfile%\Desktop\findRegistryTaskCache\ID_2_TASK_2022.11.11_07.18.41.4500_exe.pwsh"
copy /Y /B "C:\Windows\System32\drivers\VPfvJcrgRY\65978E5F-8827-48F0-820A-8EB8709650AF.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_2_TASK_2022.11.11_07.18.41.4500_sys.Script"
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3F725CEF-48E1-4654-8D76-285E86CFE030}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_3_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3F725CEF-48E1-4654-8D76-285E86CFE030}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\ZngJ1z\2ADA3B78-80C2-4186-991B-6624EDB475FA" "%UserProfile%\Desktop\findRegistryTaskCache\ID_3_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\ZngJ1z\2ADA3B78-80C2-4186-991B-6624EDB475FA" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\ZngJ1z\2ADA3B78-80C2-4186-991B-6624EDB475FA" "%UserProfile%\Desktop\findRegistryTaskCache\ID_3_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\ZngJ1z\2ADA3B78-80C2-4186-991B-6624EDB475FA" /f /q
copy /Y /B "C:\Windows\System32\QJTZngJ\3D83AE2B-6318-4D11-BD2D-2E39A341CCC3" "%UserProfile%\Desktop\findRegistryTaskCache\ID_3_TASK_2022.11.11_07.18.41.4500_exe.pwsh"
copy /Y /B "C:\Windows\System32\drivers\zzcSFeCHTT\4515CFF0-D014-44F2-BABD-8EA2C1F816CE.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_3_TASK_2022.11.11_07.18.41.4500_sys.Script"
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6AB6E1CC-84CE-4E81-9A00-873FB08D7DAA}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_4_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6AB6E1CC-84CE-4E81-9A00-873FB08D7DAA}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WindowsUpdate\Scheduled StartjQgByaOl3" "%UserProfile%\Desktop\findRegistryTaskCache\ID_4_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WindowsUpdate\Scheduled StartjQgByaOl3" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\Scheduled StartjQgByaOl3" "%UserProfile%\Desktop\findRegistryTaskCache\ID_4_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\Scheduled StartjQgByaOl3" /f /q
copy /Y /B "C:\WINDOWS\System32\367D3749-2C54-4201-8143-349A5D20E5CC.ps1" "%UserProfile%\Desktop\findRegistryTaskCache\ID_4_TASK_2022.11.11_07.18.41.4500_ps1.pwsh"
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7448EF08-93CA-48A1-83F0-96B6F59F99C8}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_5_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7448EF08-93CA-48A1-83F0-96B6F59F99C8}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\R1hjrhU\34A198CE-4B75-4D02-AC4D-E5A7FF71E0E4" "%UserProfile%\Desktop\findRegistryTaskCache\ID_5_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\R1hjrhU\34A198CE-4B75-4D02-AC4D-E5A7FF71E0E4" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\R1hjrhU\34A198CE-4B75-4D02-AC4D-E5A7FF71E0E4" "%UserProfile%\Desktop\findRegistryTaskCache\ID_5_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\R1hjrhU\34A198CE-4B75-4D02-AC4D-E5A7FF71E0E4" /f /q
copy /Y /B "C:\Windows\System32\wpUR1hjr\80307A32-6C94-463A-9BFD-AC3DE71A2D78" "%UserProfile%\Desktop\findRegistryTaskCache\ID_5_TASK_2022.11.11_07.18.41.4500_exe.pwsh"
copy /Y /B "C:\Windows\System32\drivers\USxC3zQm\7CBD8B3A-B1DB-4932-8A2C-4541F2D4E1A9.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_5_TASK_2022.11.11_07.18.41.4500_sys.Script"
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{83941100-FCF4-47DA-BEFE-0049AC97DE42}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_6_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{83941100-FCF4-47DA-BEFE-0049AC97DE42}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\zs2trQF69\C73681BE-B8AA-43D0-9F49-FE51DF358A49" "%UserProfile%\Desktop\findRegistryTaskCache\ID_6_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\zs2trQF69\C73681BE-B8AA-43D0-9F49-FE51DF358A49" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\zs2trQF69\C73681BE-B8AA-43D0-9F49-FE51DF358A49" "%UserProfile%\Desktop\findRegistryTaskCache\ID_6_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\zs2trQF69\C73681BE-B8AA-43D0-9F49-FE51DF358A49" /f /q
copy /Y /B "C:\Windows\System32\rAQBc8Wsa1\9DB814C8-0DF0-4C12-854E-EAFE3CFD9C7C" "%UserProfile%\Desktop\findRegistryTaskCache\ID_6_TASK_2022.11.11_07.18.41.4500_exe.pwsh"
copy /Y /B "C:\Windows\System32\drivers\VPfvJcrgRY\1A62C9DE-33AF-4706-9D23-E134B115A644.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_6_TASK_2022.11.11_07.18.41.4500_sys.Script"
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{853E2F39-0932-4CA3-A794-C93850DEEE0E}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_7_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{853E2F39-0932-4CA3-A794-C93850DEEE0E}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Customer Experience Improvement Program\UsbCeiprGIAcA1h" "%UserProfile%\Desktop\findRegistryTaskCache\ID_7_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Customer Experience Improvement Program\UsbCeiprGIAcA1h" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\UsbCeiprGIAcA1h" "%UserProfile%\Desktop\findRegistryTaskCache\ID_7_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\UsbCeiprGIAcA1h" /f /q
copy /Y /B "C:\WINDOWS\System32\0B0C5764-0946-4C57-BB56-FDF5374B8F6D.ps1" "%UserProfile%\Desktop\findRegistryTaskCache\ID_7_TASK_2022.11.11_07.18.41.4500_ps1.pwsh"
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{97E480C4-D23C-4064-8EC6-4BC175CD54D1}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_8_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{97E480C4-D23C-4064-8EC6-4BC175CD54D1}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\zs2trQF69\26779417-AFA6-4DAE-AA1A-44AA0FD74A84" "%UserProfile%\Desktop\findRegistryTaskCache\ID_8_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\zs2trQF69\26779417-AFA6-4DAE-AA1A-44AA0FD74A84" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\zs2trQF69\26779417-AFA6-4DAE-AA1A-44AA0FD74A84" "%UserProfile%\Desktop\findRegistryTaskCache\ID_8_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\zs2trQF69\26779417-AFA6-4DAE-AA1A-44AA0FD74A84" /f /q
copy /Y /B "C:\Windows\System32\rAQBc8Wsa1\6DE19372-27A2-4E43-9C1A-65A9C832D499" "%UserProfile%\Desktop\findRegistryTaskCache\ID_8_TASK_2022.11.11_07.18.41.4500_exe.pwsh"
copy /Y /B "C:\Windows\System32\drivers\VPfvJcrgRY\9EF6C255-3AC6-4342-9E31-12BDC6CF6897.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_8_TASK_2022.11.11_07.18.41.4500_sys.Script"
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9A6010F4-0C5D-4B57-978D-975F94E223F1}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_9_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9A6010F4-0C5D-4B57-978D-975F94E223F1}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\zs2trQF69\49F2093E-007D-41BA-BEE9-01B95D44D16C" "%UserProfile%\Desktop\findRegistryTaskCache\ID_9_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\zs2trQF69\49F2093E-007D-41BA-BEE9-01B95D44D16C" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\zs2trQF69\49F2093E-007D-41BA-BEE9-01B95D44D16C" "%UserProfile%\Desktop\findRegistryTaskCache\ID_9_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\zs2trQF69\49F2093E-007D-41BA-BEE9-01B95D44D16C" /f /q
copy /Y /B "C:\Windows\System32\rAQBc8Wsa1\E35D66F9-22B6-49BE-8CB6-117714CE782A" "%UserProfile%\Desktop\findRegistryTaskCache\ID_9_TASK_2022.11.11_07.18.41.4500_exe.pwsh"
copy /Y /B "C:\Windows\System32\drivers\VPfvJcrgRY\70742B98-5E81-4BFC-BF92-3C29CC0F0AA3.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_9_TASK_2022.11.11_07.18.41.4500_sys.Script"
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AE54911A-0034-4FC0-9029-D0429C8B87EF}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_10_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AE54911A-0034-4FC0-9029-D0429C8B87EF}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Plug and Play\Sysprep Generalize Drivers RoNGUDy" "%UserProfile%\Desktop\findRegistryTaskCache\ID_10_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Plug and Play\Sysprep Generalize Drivers RoNGUDy" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Plug and Play\Sysprep Generalize Drivers RoNGUDy" "%UserProfile%\Desktop\findRegistryTaskCache\ID_10_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Plug and Play\Sysprep Generalize Drivers RoNGUDy" /f /q
copy /Y /B "C:\WINDOWS\System32\0y0ppope.gv3" "%UserProfile%\Desktop\findRegistryTaskCache\ID_10_TASK_2022.11.11_07.18.41.4500_gv3.pwsh"
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B83E53D6-349E-4E6B-8442-A8A595BC0A3C}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_11_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B83E53D6-349E-4E6B-8442-A8A595BC0A3C}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\ll5p0b\1DBA922B-EA59-4033-B613-AB25BAB3F5FB" "%UserProfile%\Desktop\findRegistryTaskCache\ID_11_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\ll5p0b\1DBA922B-EA59-4033-B613-AB25BAB3F5FB" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\ll5p0b\1DBA922B-EA59-4033-B613-AB25BAB3F5FB" "%UserProfile%\Desktop\findRegistryTaskCache\ID_11_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\ll5p0b\1DBA922B-EA59-4033-B613-AB25BAB3F5FB" /f /q
copy /Y /B "C:\Windows\System32\3pVll\71900321-1D34-44C1-911F-2BBA328E0C99" "%UserProfile%\Desktop\findRegistryTaskCache\ID_11_TASK_2022.11.11_07.18.41.4500_exe.pwsh"
copy /Y /B "C:\Windows\System32\drivers\p0bTx07Y\219FA918-B3BA-4354-A48D-E82802A4AE4D.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_11_TASK_2022.11.11_07.18.41.4500_sys.Script"
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BA0BA5A1-E541-4F72-89F4-D81A46A737D3}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_12_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BA0BA5A1-E541-4F72-89F4-D81A46A737D3}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\zs2trQF69\6B03865C-9D57-4514-8164-4A866CAFF3B1" "%UserProfile%\Desktop\findRegistryTaskCache\ID_12_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\zs2trQF69\6B03865C-9D57-4514-8164-4A866CAFF3B1" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\zs2trQF69\6B03865C-9D57-4514-8164-4A866CAFF3B1" "%UserProfile%\Desktop\findRegistryTaskCache\ID_12_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\zs2trQF69\6B03865C-9D57-4514-8164-4A866CAFF3B1" /f /q
copy /Y /B "C:\Windows\System32\rAQBc8Wsa1\E184E7F9-EAD9-4967-9A4B-C93407F62B41" "%UserProfile%\Desktop\findRegistryTaskCache\ID_12_TASK_2022.11.11_07.18.41.4500_exe.pwsh"
copy /Y /B "C:\Windows\System32\drivers\VPfvJcrgRY\D8DEA230-186E-47C9-A8B6-07A816746A19.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_12_TASK_2022.11.11_07.18.41.4500_sys.Script"
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CDFB972E-DCC2-49AB-A72A-9EA8C0794823}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_13_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CDFB972E-DCC2-49AB-A72A-9EA8C0794823}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\sszCx\568614B6-D4F7-4CD5-B465-A09FD7BBFA1B" "%UserProfile%\Desktop\findRegistryTaskCache\ID_13_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\sszCx\568614B6-D4F7-4CD5-B465-A09FD7BBFA1B" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\sszCx\568614B6-D4F7-4CD5-B465-A09FD7BBFA1B" "%UserProfile%\Desktop\findRegistryTaskCache\ID_13_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\sszCx\568614B6-D4F7-4CD5-B465-A09FD7BBFA1B" /f /q
copy /Y /B "C:\Windows\System32\aHSss\43A5FAE3-33E7-4982-8684-B8065FCFA006" "%UserProfile%\Desktop\findRegistryTaskCache\ID_13_TASK_2022.11.11_07.18.41.4500_exe.pwsh"
copy /Y /B "C:\Windows\System32\drivers\Cxu3rz\08DF9DFB-F4A3-47FE-992F-8287FCF6BDAF.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_13_TASK_2022.11.11_07.18.41.4500_sys.Script"
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D8464CE5-A81C-4140-9B9B-59B939988C24}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_14_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D8464CE5-A81C-4140-9B9B-59B939988C24}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\FHquEokFN6\AEA353D3-B46C-43D7-880E-40B48A9CAA43" "%UserProfile%\Desktop\findRegistryTaskCache\ID_14_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\FHquEokFN6\AEA353D3-B46C-43D7-880E-40B48A9CAA43" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\FHquEokFN6\AEA353D3-B46C-43D7-880E-40B48A9CAA43" "%UserProfile%\Desktop\findRegistryTaskCache\ID_14_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\FHquEokFN6\AEA353D3-B46C-43D7-880E-40B48A9CAA43" /f /q
copy /Y /B "C:\Windows\System32\RGxFHquE\921B6482-0991-4094-9EB7-ADE85548C4E3" "%UserProfile%\Desktop\findRegistryTaskCache\ID_14_TASK_2022.11.11_07.18.41.4500_exe.pwsh"
copy /Y /B "C:\Windows\System32\drivers\kFN64\6A082BD8-7372-4A26-B6CA-2347EDACF01F.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_14_TASK_2022.11.11_07.18.41.4500_sys.Script"
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E1B38B8D-AF08-45D0-A77F-1DAA99606315}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_15_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E1B38B8D-AF08-45D0-A77F-1DAA99606315}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\O5kUNFdpt6\96D6023F-A7C8-4CDB-85D6-8B3E0DCAE1BD" "%UserProfile%\Desktop\findRegistryTaskCache\ID_15_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\O5kUNFdpt6\96D6023F-A7C8-4CDB-85D6-8B3E0DCAE1BD" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\O5kUNFdpt6\96D6023F-A7C8-4CDB-85D6-8B3E0DCAE1BD" "%UserProfile%\Desktop\findRegistryTaskCache\ID_15_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\O5kUNFdpt6\96D6023F-A7C8-4CDB-85D6-8B3E0DCAE1BD" /f /q
copy /Y /B "C:\Windows\System32\ax7O5kUNFd\60160BA7-3B5C-4B57-A5DF-E1F69A7B7685" "%UserProfile%\Desktop\findRegistryTaskCache\ID_15_TASK_2022.11.11_07.18.41.4500_exe.pwsh"
copy /Y /B "C:\Windows\System32\drivers\t6vhpw\E2B41A56-2C45-458E-957A-B86F057CAF95.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_15_TASK_2022.11.11_07.18.41.4500_sys.Script"
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EA281A96-9880-404A-B496-988804DC23EB}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_16_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EA281A96-9880-404A-B496-988804DC23EB}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\9fksTdrJh\A7B9F301-80AE-4323-BD41-540D693A9615" "%UserProfile%\Desktop\findRegistryTaskCache\ID_16_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\9fksTdrJh\A7B9F301-80AE-4323-BD41-540D693A9615" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\9fksTdrJh\A7B9F301-80AE-4323-BD41-540D693A9615" "%UserProfile%\Desktop\findRegistryTaskCache\ID_16_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\9fksTdrJh\A7B9F301-80AE-4323-BD41-540D693A9615" /f /q
copy /Y /B "C:\Windows\System32\6iE9f\54418D46-F18D-437C-9E28-C5D08A24C95D" "%UserProfile%\Desktop\findRegistryTaskCache\ID_16_TASK_2022.11.11_07.18.41.4500_exe.pwsh"
copy /Y /B "C:\Windows\System32\drivers\sTdrJhGqL\3673DF21-9DB2-4277-A18F-8D8AFE4FD671.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_16_TASK_2022.11.11_07.18.41.4500_sys.Script"
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F42C9D05-58DA-4AD7-8CC6-14C6EC247CD4}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_17_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F42C9D05-58DA-4AD7-8CC6-14C6EC247CD4}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\d0LVX\E35939A6-6C63-4F8A-8621-0106AE97D8CD" "%UserProfile%\Desktop\findRegistryTaskCache\ID_17_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\d0LVX\E35939A6-6C63-4F8A-8621-0106AE97D8CD" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\d0LVX\E35939A6-6C63-4F8A-8621-0106AE97D8CD" "%UserProfile%\Desktop\findRegistryTaskCache\ID_17_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\d0LVX\E35939A6-6C63-4F8A-8621-0106AE97D8CD" /f /q
copy /Y /B "C:\Windows\System32\fP2d0LVXW\0D819F39-E78C-400C-B916-D26D34F7D0B5" "%UserProfile%\Desktop\findRegistryTaskCache\ID_17_TASK_2022.11.11_07.18.41.4500_exe.pwsh"
copy /Y /B "C:\Windows\System32\drivers\uhNaua8twc\82655E2E-718D-49A1-AF54-4256D82E5096.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_17_TASK_2022.11.11_07.18.41.4500_sys.Script"

Edited November 11, 2022 by JamesR: Corrected order of some commands
mohu (author), November 11, 2022:
JamesR, thank you for your kind attention. I have quickly put it together and will attach it.
Attachment: findRegistryTaskCache.zip
Marcos (Administrator), November 11, 2022:
Please delete also
HKLM\SOFTWARE\Act-3DcN5Ol
HKLM\SOFTWARE\MalwarebytesPhOUKMm
and reboot the machine.
mohu (author), November 11, 2022:
Mr. Marcos, I deleted the specified keys and completed the reboot. I will wait for the next instructions. I really appreciate your quick response.
itman, November 11, 2022:
Quoting JamesR (2 hours ago): "I can see 17 scheduled tasks which will start an assortment of wscript or powershell commands."
This just might set the record for malicious scheduled tasks. Also, with so many suspected drivers installed, would not a reformat and reinstall be advisable?
Marcos (Administrator), November 11, 2022:
Please run a full registry scan via the on-demand scanner; we've added some detections in the meantime. Afterwards reboot the machine and collect fresh logs.
mohu (author), November 11, 2022:
Mr. itman, we would like to reinstall the OS as a last resort (;_;). Sorry.
Mr. Marcos, I would appreciate it if you could tell me the procedure for the on-demand scanner.
Marcos (Administrator), November 11, 2022 (marked as solution):
Select these targets and click Scan as administrator:
mohu (author), November 11, 2022:
Inspection has been initiated.
JamesR (ESET Staff), November 11, 2022:
@itman Quoting itman (7 minutes ago): "Also, with so many suspected drivers installed, would not a reformat and reinstall be advisable?"
They were not drivers. They were text files containing PowerShell scripting and saved as .sys files. Just a simple technique to try and hide on a system. I always advise against relying on a file name and/or file path to decide what a file contains or is. In this case, the malware is reading the contents of the .sys files and converting them to UTF8 to get PowerShell code to execute. Here is a snippet of the command being executed to read from the file, prior to executing the contents.
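JamesR's point is that a file's name and path prove nothing about its contents. The check below is an added example for this page, not JamesR's snippet (which was an image), not ESET code, and not taken from the thread. It classifies a file from its first bytes: a genuine kernel driver is a PE image (an "MZ" DOS header whose e_lfanew field at offset 0x3C points at a "PE\0\0" signature), while the fake .sys files described above were UTF-8 text. The function name Get-FileKind and the PowerShell-keyword heuristic are my own; the script only reads files and never executes their contents. It assumes Windows PowerShell 5.1 or later.

```powershell
# Added example: classify a file by content, not by extension. Read-only.

function Get-FileKind {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -eq 0) { return 'empty' }

    # PE check: "MZ" at offset 0, e_lfanew at 0x3C, "PE\0\0" at that offset.
    if ($bytes.Length -ge 0x40 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A) {
        $peOff = [System.BitConverter]::ToInt32($bytes, 0x3C)
        if ($peOff -gt 0 -and ($peOff + 4) -le $bytes.Length -and
            $bytes[$peOff] -eq 0x50 -and $bytes[$peOff + 1] -eq 0x45 -and
            $bytes[$peOff + 2] -eq 0 -and $bytes[$peOff + 3] -eq 0) {
            return 'PE image'
        }
        return 'MZ stub without PE header'
    }

    # Not PE. Decode as text if it looks like text: UTF-16 LE with a BOM, or
    # a first block that is almost entirely printable ASCII / whitespace.
    if ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) {
        $text = [System.Text.Encoding]::Unicode.GetString($bytes)
    } else {
        $n = [Math]::Min($bytes.Length, 4096)
        $printable = 0
        for ($i = 0; $i -lt $n; $i++) {
            $b = $bytes[$i]
            if (($b -ge 0x20 -and $b -lt 0x7F) -or $b -eq 9 -or $b -eq 10 -or $b -eq 13) { $printable++ }
        }
        if (($printable / $n) -lt 0.95) { return 'other binary' }
        # Same decode the malware performs on its own .sys files, minus the execution.
        $text = [System.Text.Encoding]::UTF8.GetString($bytes, 0, $n)
    }

    # Heuristic (my own): common PowerShell constructs. Tune to taste.
    if ($text -match '(?i)(Invoke-Expression|\bIEX\b|FromBase64String|New-Object|\$\w+\s*=)') {
        return 'text, PowerShell-like'
    }
    return 'text'
}

# Sweep: every .sys under System32\drivers that is NOT a PE image deserves a look,
# together with its Authenticode status (a real Microsoft driver is signed).
Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter *.sys -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $kind = Get-FileKind -Path $_.FullName
        if ($kind -ne 'PE image') {
            [pscustomobject]@{
                Path      = $_.FullName
                Kind      = $kind
                Size      = $_.Length
                Written   = $_.LastWriteTime
                Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            }
        }
    } | Format-Table -AutoSize -Wrap
```

Run it as administrator so every subfolder of drivers is readable. On a clean system the sweep prints nothing; any hit is either a broken driver or exactly the kind of scripted payload hiding behind a .sys name that this thread dealt with. The same function applies unchanged to the extension-less files under random System32 subfolders that the task list above referenced.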
mohu (author), November 11, 2022:
What should I do next? Is it likely that the only solution is to reinstall the OS?
JamesR (ESET Staff), November 11, 2022:
"What you should do next" comes down to:
- Are you still seeing new detected threats by ESET?
- Are you still seeing PowerShell processes start?
If the answer is "No" to both of the above, you are all cleaned up, and I would recommend re-running scans for the next few days, just to ensure your computer stays clean. If the answer is "Yes" to any of the above, we will need a fresh set of logs to see how behavior has changed.