Threat Found after reboot (BH/GenKryptic.1); in unknown file that powershell tried to access: CANNOT DELETE!

[twingall1 0]

Every reboot >> 30seconds >> ESET notification pops up: "Threat (BH/GenKryptic.1) found in file that powershell tried to access"

..i click DELETE, but get the error message shown at the bottom of the screenshot attatched.

ESET does not tell me WHAT file is the infected one. But by checking EventViewer Powershell logs, looks like the file problem file was Microsoft_Framework.js(?) 

However, on scanning Microsoft_Framework.js, and Powershell.exe, individually via ESET; they come up clean. 

I'm at a loss here; need to get through two steps:

1: finding the infected file (making ESET notifs more verbose or some such??)

2: getting permissions to delete/restore the infected file

 

Any advice would be greatly appreciated,

Thanks,

T

[Marcos 4,707]

Please provide:

1, Microsoft_Framework.js
2, Logs collected with ESET Log Collector (select Threat detection from the menu)

Also move Microsoft_Framework.js to a separate folder (e.g. c:\eset), reboot the machine and see if the detection continues. Do not delete any suspicious files until we instruct you.

[twingall1 0]

I managed to turn on Log collector just moments before the threat pop-up appeared (happens v soon after reboot)

I've given links the eis_logs.zip and the Microsoft_Framework.js (former too big too attach here, latter not permitted file extension)

Google drive links:

eis_logs.zip  https://drive.google.com/file/d/1miFz5wVnTkvasMc9YvAO3LBbsZV3aYoT/view?usp=sharing

Microsoft_Framework.js https://drive.google.com/file/d/1ctXsbLYoaKMSFmtavNe7oGars1BUU_zD/view?usp=sharing

 

... After this, i moved Microsoft_Framework.js to C:\eset as instructed and this worked: No threat message pop-up, yay, progress!

Please advise what i should do now; is there an easy way to replace Microsoft_Framework.js with non-infected version?

I am Windows 10 Home: Version 10.0.19043 Build 19043

Thanks for your speedy response and advice,

T

[twingall1 0]

7 hours ago, twingall1 said:

... After this, i moved Microsoft_Framework.js to C:\eset as instructed and this worked: No threat message pop-up, yay, progress!

*no threat message pop-up after reboot

[Marcos 4,707]

Delete also HKCU\SOFTWARE\Microsoft\Mircosoft. It's just a benign blob that the PowerShell script reads, decrypts and loads. After decryption, it's detected as @Backdoor.MSIL/Agent.DAK, most likely with the detection added in 2016.

[twingall1 0]

hmm, HKCU\SOFTWARE\Microsoft\Mircosoft doesn't seem to exist:

[twingall1 0]

probably removed by ESET or malwarebytes already (just installed both in last couple days)

Can i live without Microsoft_Framework.js in it's original folder?

[Marcos 4,707]

You can delete it. The file is benign unless decrypted and run, however, it would be detected at this point. We are also going to add a detection for the PowerShell script that reads data from the file and runs the code after decryption.

[twingall1 0]

Ok, I will delete Microsoft_Framework.js completely.

Thank you so much for your help, Problem solved from my perspective.

All best,

T