amityservice (ESET Insiders), posted October 10, 2016:
Dear Team, there is a continuous popup: Win32/TrojanDownloader.Waucho detected in memory, even after scanning with the online scanner in safe mode and also with ESET SysRescue Live. The problem is the same. Screenshot attached. How do we clean this infection? Kindly help us. Thanks and regards, Harshad Mistry
Gonzalo Alvarez (ESET Staff), posted October 10, 2016:
Hi @amityservice, in this case you should contact Support in your country. If your installed ESET can't find that malware, then it is possible ESET was damaged and can't "see" properly. Create an ESET SysInspector report and send it to support; they will find a way to help you. Sorry, I'm not in a mood to play technical support today.
itman, posted October 10, 2016 (edited):
Also, you might want to be careful and not use your PC till this is resolved. There is a strong possibility this is ransomware related. See this posting: hxxp://www.bleepingcomputer.com/forums/t/577246/locker-ransomware-support-and-help-topic/page-10 . You might want to check if your files have already been encrypted.
-EDIT- Also, it appears to me that there is a strong possibility the malware has installed a backdoor or rootkit on your PC. As such, it will keep downloading the Trojan after ESET removes it. So you need some professional malware assistance on this one.
Edited October 10, 2016 by itman
itman, posted October 10, 2016:
Also see this posting: https://forum.eset.com/topic/9323-poweeshell-as-virus-after-update/ As an interim solution, you might want to create a HIPS "ask" rule to monitor the startup of powershell.exe in both the C:\Windows\System32\WindowsPowershell and C:\Windows\SysWOW64\WindowsPowershell folders. Make sure you enable "log the event" and that you select deny when the alert appears. This should point you to the malware process most likely running a PowerShell script.
Marcos (Administrators), posted October 11, 2016:
I reckon this is a fileless infection and the entire malicious code is located in the registry. Generate a SysInspector log and check the Run keys for suspicious values, probably containing an encrypted script, and remove it.
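The Run-key check Marcos describes, and the powershell.exe startup that itman's HIPS rule watches for, can be triaged from an elevated PowerShell prompt. The script below is an added example for this thread, not ESET's or any poster's code: it reads the usual Run/RunOnce keys, flags values that launch PowerShell or carry a long base64 blob, and decodes an -EncodedCommand payload for inspection. It is read-only; the key list and indicator list are assumptions, not a complete catalogue of autorun locations.

```powershell
# Added example (not from the thread). Read-only: prints findings, removes nothing.
# Assumed set of autorun keys commonly abused by registry-resident loaders.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Test-SuspiciousAutorun {
    param([string]$Command)
    # Heuristic indicators (assumed list): script hosts, hidden/encoded PowerShell, in-memory decoding.
    $patterns = @('powershell', '-enc', '-encodedcommand', '-nop', '-w hidden',
                  'iex', 'frombase64string', 'mshta', 'wscript', 'regsvr32')
    foreach ($p in $patterns) {
        if ($Command -match [regex]::Escape($p)) { return $true }   # -match is case-insensitive
    }
    # A long unbroken base64 run in an autorun value is itself worth a look.
    return ($Command -match '[A-Za-z0-9+/]{100,}={0,2}')
}

function Get-DecodedPayload {
    param([string]$Command)
    # -EncodedCommand takes base64 of UTF-16LE text; -e and -enc are accepted abbreviations.
    $m = [regex]::Match($Command, '(?i)-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{20,})')
    if (-not $m.Success) { return $null }
    try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[1].Value)) }
    catch { return $null }   # not valid base64: leave it for manual review
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Skip the PSPath/PSParentPath/... metadata properties that Get-ItemProperty adds.
    $names = $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | Select-Object -ExpandProperty Name
    foreach ($name in $names) {
        $value = [string]$props.$name
        if (Test-SuspiciousAutorun $value) {
            Write-Output "[SUSPECT] $key\$name"
            Write-Output "  value:   $($value.Substring(0, [Math]::Min(200, $value.Length)))"
            $decoded = Get-DecodedPayload $value
            if ($decoded) { Write-Output "  decoded: $($decoded.Substring(0, [Math]::Min(200, $decoded.Length)))" }
        }
    }
}
```

A flagged value is a lead, not a verdict; compare it against the SysInspector log before deleting anything, and export the key first so the evidence survives the cleanup.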
amityservice (ESET Insiders, author), posted October 13, 2016:
Here is the SysInspector log; I found some registry entries with PowerShell in startup (screenshot and registry entries attached). Logs.rar
Gonzalo Alvarez (ESET Staff), posted October 13, 2016:
Hi @amityservice, this is what I found/see...
HIPS and anti-stealth are OK; version 9.0.397.1 > upgrade available, 9.0.402.x.
Windows is not updated > install all security updates (if you worry about the legal thing, use manual selection). You need to do it!
This error shows a lot, take a look: "Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied. This is often caused by incorrect security settings in either the writer or requestor process."
Just in case that is a terminal in a medical facility, my suggestion is that your company (or whatever) migrate to ESET Endpoint Security and use ESET Remote Administrator 6.4x. You have a lot of shared resources; if a ransomware hits you, that will not be good at all.
After checking what I know and digging into the log, I can't find anything suspicious. The screenshot you sent is Nero. If you don't want it, remove it. ESET Staff should tell you better than me if it is something.
Please take care and do the upgrades (both) that I mention, and furthermore make some network scans with a fully upgraded/updated ESET. I remember some infections from the past where the origin was a network terminal far away and it popped up on another. Hope others can bring more light on your problem.
itman, posted October 13, 2016:
"Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied. This is often caused by incorrect security settings in either the writer or requestor process."
This is why I suspect this incident is ransomware related. The malware will disable this service so it can delete the shadow volume copies that could possibly be used to restore the encrypted files. If I were the OP, I would be copying all my personal files to off-line storage and keeping that storage device disconnected from the infected PC/network until this matter is resolved.
Gonzalo Alvarez (ESET Staff), posted October 13, 2016:
Did ESET Support reply to you?
amityservice (ESET Insiders, author), posted October 14, 2016:
Thanks Gonzalo Alvarez. I will do all the things you mentioned and then reply. No, ESET support does not reply.