Malzuko

Members
  • Content Count: 18

About Malzuko
  • Rank: New Member


  1. Sorry, I was busy yesterday. It seems the problem is still resolved; the old server must have been the only other machine that was infected. Everything is running smoothly, thanks again for your help!
  2. I have been working on this a little today. I discovered that our old server, which we just use for very old database information, was not patched for EternalBlue. I isolated that machine, went through our above process, then repeated that on our active server, and everything seems to be holding for the moment at least. Here is the file you asked for: WMILister_23.txt
  3. What would be the best way to determine if a machine is infected?
  4. It has returned. I ended the task on it, then deleted the SCM Event Logs Consumer WMI entry like we did yesterday - as it seemed that held it off the best. I ran WMILister 23 again - DumptedScripts.txt. This is leading me to believe there must be more machines on the network that are infected. I can go through all the machines here at my location; the thing is, everyone who logs in to this machine with Remote Desktop is from our other 4 shop locations - that will take me some time to coordinate with those individuals, and I will likely have to do everything for them with TeamViewer.
  5. Again, Yoan - thanks a lot - you have provided an awesome experience.
  6. Ok, I've done that and ran WMI again and it looks clear. Thanks again for all of your help. It's good to know that there are some good people left in the world. DumptedScripts.txt
  7. Alright, I ran those - I marked the one that returned yellow with the orange text. I also ran WMILister again, DumptedScripts.txt

      PS C:\Users\Administrator> Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%SCM Event Logs Consumer%'" | Remove-WMIObject -Verbose
      VERBOSE: Performing the operation "Remove-WmiObject" on target "\\WIN-K9REC7QI4JS\ROOT\Subscription:__FilterToConsumerBinding.Consumer="CommandLineEventConsumer.Name=\"SCM Event Logs Consumer\"",Filter="__EventFilter.Name=\"SCM Event Logs Filter\""".
      PS C:\Users\Administrator> Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='SCM Event Logs Consumer'" | Remove-WMIObject -Verbose
      PS C:\Users\Administrator> Get-WMIObject -Namespace root\DEFAULT -Class Office_Updater | Remove-WMIObject -Verbose ([WmiClass]'root\DEFAULT:Office_Updater') | Remove-WMIObject -Verbose
      PS C:\Users\Administrator>
  8. I patched EternalBlue sometime last week, ran it again today and it still says I'm ok.
  9. We are still looking good here, there has been no recurrence. Do you have any idea what this malware was doing?
  10. Ok, I was able to restart the server. Since I deleted the SCM Event Logs Consumer entry, PowerShell has not opened. I will be monitoring it periodically throughout the night.
  11. I will have to wait till after business hours to restart the server. I will do so as soon as I can.
  12. Yoan, first I would like to thank you for your help so far, it has been encouraging. I've been poking around in Sysinternals and discovered some more information that may or may not help. A lot of the scheduled task entries and the PowerShell entry share the same 10/28/2014 timestamp. Are these the scheduled tasks I need to delete?
  13. Still no luck. Does it matter if the script is running? Because I have ended it, till it appears again.

      PS C:\Users\Administrator> Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='SCM Event Logs Filter'" | Remove-WMIObject -Verbose ([WmiClass]'root\default:Office_Updater') | Remove-WMIObject -Verbose
      Remove-WMIObject : The input object cannot be bound to any parameters for the command either because the command does not take pipeline input or the input and its properties do not match any of the parameters that take pipeline input.
      At line:1 char:106
      + ... ogs Filter'" | Remove-WMIObject -Verbose ([WmiClass]'root\default:Office_Updater ...
      +                                              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : InvalidArgument: (\\WIN-K9REC7QI4...nt Logs Filter":PSObject) [Remove-WmiObject], ParameterBindingException
          + FullyQualifiedErrorId : InputObjectNotBound,Microsoft.PowerShell.Commands.RemoveWmiObject
      PS C:\Users\Administrator>
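A defender-side check for the two persistence locations these posts deal with, added here as an example (it is not code from the thread, from Malzuko or from Yoan): it lists every permanent WMI event subscription with its filter query and consumer payload, lists the non-system classes in root\default where the Office_Updater class lived, and removes a named subscription one statement at a time. The names in $KnownBad are the ones quoted in the posts; the function names and the flagging logic are assumptions.

```powershell
# Added example, not from the thread: inventory permanent WMI event
# subscriptions (root\subscription) and custom classes in root\default,
# the two places the posts above found "SCM Event Logs Consumer" and
# "Office_Updater". Run from an elevated Windows PowerShell prompt.
$KnownBad = @('SCM Event Logs Filter', 'SCM Event Logs Consumer', 'Office_Updater')

function Get-WmiSubscriptionReport {
    $ns        = 'root\subscription'
    $filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
    $consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer
    $bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding
    foreach ($b in $bindings) {
        # A binding stores reference strings such as __EventFilter.Name="X", which
        # equal the __RELPATH of the filter and consumer it joins.
        $f = $filters   | Where-Object { $_.__RELPATH -eq $b.Filter }
        $c = $consumers | Where-Object { $_.__RELPATH -eq $b.Consumer }
        # Consumers that run commands or scripts are the ones to look at; the stock
        # Windows "SCM Event Log Filter" pair uses an NTEventLogEventConsumer.
        $runsCode = $c.__CLASS -in @('CommandLineEventConsumer', 'ActiveScriptEventConsumer')
        [pscustomobject]@{
            Filter     = $f.Name
            Query      = $f.Query
            Consumer   = $c.Name
            Type       = $c.__CLASS
            Payload    = $(if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText })
            Suspicious = $runsCode -or ($f.Name -in $KnownBad) -or ($c.Name -in $KnownBad)
        }
    }
}

function Get-CustomDefaultClasses {
    # The thread's Office_Updater class lived in root\default; system classes start
    # with "__" and StdRegProv is stock, anything else there deserves a look.
    Get-WmiObject -Namespace root\default -List |
        Where-Object { $_.Name -notlike '__*' -and $_.Name -ne 'StdRegProv' } |
        Select-Object Name, @{ n = 'Suspicious'; e = { $_.Name -in $KnownBad } }
}

function Remove-WmiSubscription {
    # Binding first, then consumer, then filter, each as its own statement: the error
    # in post 13 came from two removals on one line, so the second expression was
    # bound as a parameter of the first Remove-WmiObject instead of running on its own.
    param([string]$FilterName, [string]$ConsumerName)
    $ns = 'root\subscription'
    Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
        Where-Object { $_.Filter -eq "__EventFilter.Name=`"$FilterName`"" } | Remove-WmiObject -Verbose
    Get-WmiObject -Namespace $ns -Class __EventConsumer -Filter "Name='$ConsumerName'" | Remove-WmiObject -Verbose
    Get-WmiObject -Namespace $ns -Class __EventFilter -Filter "Name='$FilterName'" | Remove-WmiObject -Verbose
}

Get-WmiSubscriptionReport | Where-Object Suspicious | Format-List
Get-CustomDefaultClasses
```

A class found in root\default can be deleted on its own line with `([WmiClass]'root\default:Office_Updater').Delete()`, which avoids the pipeline-binding error shown in post 13.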