twingall1 Posted November 14, 2022

Every reboot >> 30 seconds >> ESET notification pops up: "Threat (BH/GenKryptic.1) found in file that powershell tried to access". I click DELETE, but get the error message shown at the bottom of the screenshot attached. ESET does not tell me WHAT file is the infected one. But by checking Event Viewer PowerShell logs, it looks like the problem file was Microsoft_Framework.js(?) However, on scanning Microsoft_Framework.js and Powershell.exe individually via ESET, they come up clean.

I'm at a loss here; I need to get through two steps:
1: finding the infected file (making ESET notifications more verbose or some such??)
2: getting permissions to delete/restore the infected file

Any advice would be greatly appreciated. Thanks, T
Marcos (Administrator) Posted November 14, 2022

Please provide:
1. Microsoft_Framework.js
2. Logs collected with ESET Log Collector (select Threat detection from the menu)

Also move Microsoft_Framework.js to a separate folder (e.g. c:\eset), reboot the machine and see if the detection continues. Do not delete any suspicious files until we instruct you.
twingall1 (Author) Posted November 14, 2022

I managed to turn on Log Collector just moments before the threat pop-up appeared (it happens very soon after reboot). I've given links to the eis_logs.zip and the Microsoft_Framework.js (the former is too big to attach here, the latter is not a permitted file extension).

Google Drive links:
eis_logs.zip: https://drive.google.com/file/d/1miFz5wVnTkvasMc9YvAO3LBbsZV3aYoT/view?usp=sharing
Microsoft_Framework.js: https://drive.google.com/file/d/1ctXsbLYoaKMSFmtavNe7oGars1BUU_zD/view?usp=sharing

... After this, I moved Microsoft_Framework.js to C:\eset as instructed and this worked: no threat message pop-up, yay, progress!

Please advise what I should do now; is there an easy way to replace Microsoft_Framework.js with a non-infected version? I am on Windows 10 Home: Version 10.0.19043 Build 19043.

Thanks for your speedy response and advice, T
twingall1 (Author) Posted November 14, 2022

7 hours ago, twingall1 said: "... After this, I moved Microsoft_Framework.js to C:\eset as instructed and this worked: no threat message pop-up, yay, progress!"

*no threat message pop-up after reboot
Marcos (Administrator) Posted November 14, 2022

Delete also HKCU\SOFTWARE\Microsoft\Mircosoft. It's just a benign blob that the PowerShell script reads, decrypts and loads. After decryption, it's detected as @Backdoor.MSIL/Agent.DAK, most likely with the detection added in 2016.
twingall1 (Author) Posted November 14, 2022

Hmm, HKCU\SOFTWARE\Microsoft\Mircosoft doesn't seem to exist.
twingall1 (Author) Posted November 14, 2022

Probably removed by ESET or Malwarebytes already (I just installed both in the last couple of days). Can I live without Microsoft_Framework.js in its original folder?
Marcos (Administrator) Posted November 14, 2022 (marked as Solution)

You can delete it. The file is benign unless decrypted and run; however, it would be detected at this point. We are also going to add a detection for the PowerShell script that reads data from the file and runs the code after decryption.
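A triage script for the two artefacts named in this thread (the blob file the poster found through the PowerShell event log, and the registry key Marcos asked to have deleted). This is an added example, not code from the thread or from ESET; the default paths are placeholders taken from the posts, and it assumes PowerShell script block logging (event 4104) is enabled and that it is run as the affected user, since the key lives under HKCU.

```powershell
# Added triage helper (not from the thread or ESET). Run as the affected user.
param(
    [string]$BlobName = 'Microsoft_Framework.js',
    # Spelled exactly as given in the thread ("Mircosoft"), not the real Microsoft key
    [string]$RegKey   = 'HKCU:\SOFTWARE\Microsoft\Mircosoft',
    [int]$Hours       = 24
)

# 1. Which PowerShell script blocks referenced the blob recently?
#    Event 4104 (script block logging) is the log the poster read in Event Viewer;
#    it records the script text, so the real path of the file shows up here.
$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since
} -ErrorAction SilentlyContinue

$hits = $events | Where-Object { $_.Message -match [regex]::Escape($BlobName) }
foreach ($e in $hits) {
    "{0}  RecordId={1}" -f $e.TimeCreated, $e.RecordId
    # Pull every drive-letter path out of the script block so the file location is visible
    [regex]::Matches($e.Message, '[A-Za-z]:\\[^\s"'']+') |
        ForEach-Object { $_.Value } | Select-Object -Unique |
        ForEach-Object { "    path: $_" }
}
if (-not $hits) {
    "No 4104 script blocks referencing $BlobName in the last $Hours h (script block logging may be off)."
}

# 2. Is the registry blob still present? (Thread: it may already have been removed by AV.)
if (Test-Path $RegKey) {
    "Registry key present: $RegKey"
    Get-ItemProperty -Path $RegKey | Format-List *
} else {
    "Registry key absent: $RegKey"
}

# 3. Hash any copy of the blob found on the system drive, so the sample can be
#    referenced unambiguously when submitting it to the vendor.
Get-ChildItem -Path "$env:SystemDrive\" -Filter $BlobName -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $h = Get-FileHash -Path $_.FullName -Algorithm SHA256
        "{0}  SHA256={1}  size={2}" -f $_.FullName, $h.Hash, $_.Length
    }
```

Step 1 prints nothing if script block logging is disabled; enable it under Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell and reboot once to capture the block that runs at startup.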
twingall1 (Author) Posted November 14, 2022

OK, I will delete Microsoft_Framework.js completely. Thank you so much for your help. Problem solved from my perspective. All the best, T