Jump to content

Threat Found after reboot (BH/GenKryptic.1); in unknown file that powershell tried to access: CANNOT DELETE!


Go to solution Solved by Marcos,

Recommended Posts

Every reboot >> 30seconds >> ESET notification pops up: "Threat (BH/GenKryptic.1) found in file that powershell tried to access"

..i click DELETE, but get the error message shown at the bottom of the screenshot attatched.

ESET does not tell me WHAT file is the infected one. But by checking EventViewer Powershell logs, looks like the file problem file was Microsoft_Framework.js(?) 

However, on scanning Microsoft_Framework.js, and Powershell.exe, individually via ESET; they come up clean. 

I'm at a loss here; need to get through two steps:

1: finding the infected file (making ESET notifs more verbose or some such??)

2: getting permissions to delete/restore the infected file

 

Any advice would be greatly appreciated,

Thanks,

T

Screenshot 2022-11-14 024756.png

Link to comment
Share on other sites

  • Administrators

Please provide:

1, Microsoft_Framework.js
2, Logs collected with ESET Log Collector (select Threat detection from the menu)

Also move Microsoft_Framework.js to a separate folder (e.g. c:\eset), reboot the machine and see if the detection continues. Do not delete any suspicious files until we instruct you.

Link to comment
Share on other sites

I managed to turn on Log collector just moments before the threat pop-up appeared (happens v soon after reboot)

I've given links the eis_logs.zip and the Microsoft_Framework.js (former too big too attach here, latter not permitted file extension)

Google drive links:

eis_logs.zip  https://drive.google.com/file/d/1miFz5wVnTkvasMc9YvAO3LBbsZV3aYoT/view?usp=sharing

Microsoft_Framework.js https://drive.google.com/file/d/1ctXsbLYoaKMSFmtavNe7oGars1BUU_zD/view?usp=sharing

 

... After this, i moved Microsoft_Framework.js to C:\eset as instructed and this worked: No threat message pop-up, yay, progress!

Please advise what i should do now; is there an easy way to replace Microsoft_Framework.js with non-infected version?

I am Windows 10 Home: Version 10.0.19043 Build 19043

Thanks for your speedy response and advice,

T

Link to comment
Share on other sites

7 hours ago, twingall1 said:

... After this, i moved Microsoft_Framework.js to C:\eset as instructed and this worked: No threat message pop-up, yay, progress!

*no threat message pop-up after reboot

Link to comment
Share on other sites

  • Administrators

Delete also HKCU\SOFTWARE\Microsoft\Mircosoft. It's just a benign blob that the PowerShell script reads, decrypts and loads. After decryption, it's detected as @Backdoor.MSIL/Agent.DAK, most likely with the detection added in 2016.

Link to comment
Share on other sites

probably removed by ESET or malwarebytes already (just installed both in last couple days)

Can i live without Microsoft_Framework.js in it's original folder?

Link to comment
Share on other sites

  • Administrators
  • Solution

You can delete it. The file is benign unless decrypted and run, however, it would be detected at this point. We are also going to add a detection for the PowerShell script that reads data from the file and runs the code after decryption.

Link to comment
Share on other sites

Ok, I will delete Microsoft_Framework.js completely.

Thank you so much for your help, Problem solved from my perspective.

All best,

T

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...