Descloix
-
Posts
35 -
Joined
-
Last visited
Posts posted by Descloix
-
-
On 9/26/2019 at 9:34 AM, Marcos said:
As long as the dll was recognized, the whole exe would be detected. Maybe you ran it before the detection was added at ~`2:20, maybe you have an older product that doesn't support streamed updates, maybe you had LiveGrid not working... The case and your cfg would need to be investigated in order to tell. What can we say 100% that after 2:10-2:30 users with streamed updates and LG enabled and working were 100% protected.
This is how the detection would have looked like at that time:
Log
Scanned disks, folders and files: C:\test2\documento.exe
C:\test2\documento.exe - Suspicious Object
Number of scanned objects: 1
Number of detections: 1And here is how ESET reacted with 2-month old modules:
The malware was executed. When the injection itself was performed, AMSI scanner detected a malicious script...
Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
7/28/2019 4:06:06 PM;AMSI scanner;file;script;MSIL/Bladabindi.BC trojan;blocked;DESKTOP-5JIJ6V4\Admin;;AB122C106AC5DFA34C8168069E847F7F6DDDF550;
And the malicious process was terminated:
AMSI has been supported since Windows 8.1 so on older systems it's possible that the malware would have run with outdated modules.
-
You must be ashamed. I will send a copy of the black screen to office ESET but asking me to pay for decrypting my computer files. This happened after launch DOCUMENTO.EXE (documento.exe) This virus completely destroyed all the disks on the computer. All information was encrypted. And for the decryption they asked for 734 dollars.
Tomorrow I will remove ESET from my computer and install an antivirus that is looking for something in file firefox.exe, nightly.exe, and opera installer. I will put an antivirus with a powerful cloud service, which will remove or place any suspicious file in the sandbox.
Kaspersky, Norton, Malwarebytes, Zemana,
-
adelantado.dll - a variant of Win32 / Injector.EHZT trojan was inside the archive along with other files that were in different directories and even in the registry. the virus was in file "Documento.exe" - he infected memory and changed registry keys, he was in directories Roaming, Temp, Windows > Tasks, Roaming > Microsoft > Cripto. That is why he infected the computer's memory and files from various directories.
-
Once again.
https://imageban.ru/show/2019/09/26/e137d33ae8e08e0aedcb3e5a9327e298/png
Again Microsoft, McAfee, AVG, Avast, Sophos, Fortinet - W32/Generic.AC.4231A6, McAfee - Artemis!BDF54634DDA8, Microsoft - Trojan:Win32/FuerboosC!cl
Shame not to include files in extensions .exe
-
Tell me please when file "Documento.exe" will be detected as a virus.
Kaspersky, Microsoft, McAfee a day ago they gave a detection. And many more antiviruses recognized the Trojan in it.
This is a real Trojan.
ESET is silent when unpacking a file. Norton delete immediately this file.
-
hxxp://forum.byw.ru
content and resourse are must be blocked for visiting
-
This module collects information about web addresses and their owners. Also this module collects and sells web addresses. Disable antispam. Sent to ESET. My mail should not be read by anyone, only the addressee. This is an article of the Criminal Code on owny countries. It is forbidden you know ESET. Read your license agreement .............
-
2 minutes ago, J.D. said:
Showing the interactive window to the end-user is not very good idea, because users often click "allow" and then get "infected". The decision should be in hands of administrator (e.g. through ERA console) who should add exclusions for potentially harmful tools he wants to use. Additionally when users clicked "allow" without adding an exclusion, the tool was detected again and again (by on-demand or on-access scanners). More information here:
It's just incredible. It's just incredible. My 11-year-old sister knows that ask.com it is rare muck. One must be an idiot to allow to install this toolbar.
By the way, virustotal............................................................
-
37 minutes ago, Marcos said:
The detection is correct. Process Hacker is not detected as malware but as a potentially unsafe application. This detection covers legitimate tools that can be misused in the wrong hands for malicious purposes. It is disabled by default and users enable it at their discretion. Tools like this have been seen to be misused by hackers for killing security solutions after breaching into networks which enabled them to run ransomware and subsequently extort money from the victim.
If you want to use the tool while keeping detection of pot. unsafe application enabled, exclude it from detection.
In that case, you need to make the module, as it is implemented in Comodo. The program writes that it considers this application potentially dangerous. And this application has helped me many times and has never harmed the system. The problem is that if you have a detect, then there not a choice. The file is immediately quarantined. It would be useful to isolate the file and write Win32 / ProcessHacker.A, then give the user a choice like on the screenshot in the attachment. But only for potentially unwanted or dangerous programs. This does not apply to viruses. The virus must be deleted. I do not have time to unzip and install the program. You immediately delete it. I return it from quarantine, but again I do not have time to add it to the exceptions. It is just necessary to turn off the antivirus.
-
https://wj32.org/processhacker/forums/viewforum.php?f=5
A legitimate program that has been used by different people for many years to accurately remove processes, rootkits, to track processes and their actions in the system. Absolutely safe. ESET Endpoint Security 7.0.2053.0 delete file kprocesshacker.sys and remove from Program Files program folder.
-
-
8 hours ago, itman said:
As far as this IP: 132.148.197.187 goes, per Robtex;
Here's a report I ran on the domain, www.xyzhosting.net, associated with it: https://www.virustotal.com/#/domain/www.xyzhosting.netIt appears that anything named QTX.exe that references it could very well be malicious. You referenced QTXWPF.exe.
1) ip-132-148-197-187.ip.secureserver.net - Are you sure that behind this IP is not a maniac killer or a hacker who collects information? I do not know. It's just numbers and letters. People are behind them. What people? You know? Did you see them? Do you know them? Did you analyze the outbound traffic from computer when an application QTXWPF.exe. is connected to the Internet?
2) QTXWPF.exe - it's just letters. But and I gave you a link(!!!) with a modified file, which is a medium-level threat according to the antivirus company Symantec. Also 24 (!!!) AV company: McAfee, Kaspersky, BitDefender, Avira, Comodo etc. classify this file as a trojan.
https://www.virustotal.com/#/domain/www.xyzhosting.net - I saw this link and I can tell you one thing: if 25-30 out of 60 antivirus companies say the virus file, then it is. 30 AV companies correctly identified the virus. At somebody this file is classified as a trojan, and someone considers it adware or malware. In any case, it's a virus. Today, the virus is more and more classified according to behavioral analysis and reputation. This is correct. Because it makes it clear what harm to the person sitting at the computer is doing this or that application or file.
Now almost the middle of the 21st century, stealing a password is nonsense. 1 minute - and I'm on the phone recovering the password. The collapse of the system is not a catastrophe. 20-30 minutes - and I completely reinstalled the system. The same amount of time it takes to scan for viruses. All files and programs that harm the system should be considered a threat and the most dangerous ones must be immediately removed from the computer. The remaining medium-risk files should be isolate by means of the antivirus and give the user a choice, warning him.
For example P.S. https://www.upload.ee/files/8450398/Network_Booster_1.1.rar.html
Symantec delete this file, ESET only block at startup. File connect to internet and It creates traffic. Done.
-
1 hour ago, itman said:
As far as SciLexer.dll goes:
https://github.com/jacobslusser/ScintillaNET/issues/330
So if the CIA can do it, most certainly the Russians can. Which leads to the issue of downloading a game hack from a Russian web site.
In any case, one shouldn't be installing apps that are not validily signed.
If the program leaves files of incomprehensible content in various system directories, registers itself in startup and changes the browser's start page, then this is a HARMFUL program. It also creates empty folders and connects to the Internet. In your opinion, is this normal? A person is going to defend his doctoral dissertation, and in it are unclear files, when launching which appear game windows, windows crashes in the system and all those windows and files that I and other people have posted above.
Symantec, Kaspersky and F-Secure have detect of this virus or malware. At the top of the Norton Internet Security window written: the file contains a medium-level threat. Name: WS.Reputation.1 It is also written: the threat is eliminated. If an antivirus is not listed in the virustotal, it does not mean that it does not recognize the threat in this file.
-
This window appeared after the rules of HIPS, which prohibit the creation, launch and modification of any other files and system parameters
-
1 hour ago, Marcos said:
Correct. Sometimes even > 40 AVs in VT report even perfectly benign files as malware. That is also the reason why VirustTotal has the following listed among best practices:
The data generated by VirusTotal should not be used automatically as the unique means to blacklist/produce signatures for files. i.e. Antivirus vendors should not copy the signatures generated by other vendors without any other scrutinizing on their side.
By the way, here is how the game hack tool looks like when run:
The creation, modification and launch of the file is prohibited without my permission by the HIPS module. Try to prevent HIPS from accessing all files to the QTXWPF.exe on computer. You will see a completely different image. This is called MODIFICATION AND CREATION OF NEW APPLICATION. You are very active in antispam, which is usually a supplement to the main program. You have a rootkit detection module of 2017 and a module nettoyage spéciale 2016 in the 7th version of ESET Endpoint Security 7.0.2053.0. This is the version of 2018 !!!!!! Analyze the traffic of the program and look at its activity: the .exe file creates a .ini file and runs that window with buttons.
-
5 minutes ago, Marcos said:
We are not going to detect a file as malware based on what a user says if it's not malicious. Detection is always added based on thorough analysis of the code.
The OP was also referring to a dll which is benign and is included with many legitimate software.
OK, then just detect this application as you want. But do not miss dangerous or even potentially dangerous programs. You still do not have this application detection were. "Potentially unsafe" for example. And once again, study the detection of antivirus companies that already detect this seemingly ordinary program as Trojan. These companies are many, and there are also no fools working and define the file as malicious. Regards.
-
1 hour ago, Marcos said:
Not malware but a game tool. We'll add detection as a potentially unsafe application. The application doesn't pose any security risk.
This "game tool" is installed without my permission, configures folders and files in different directories ( Temp: ScintillaNET 3.5.10 and SciLexer.dll) and connects to the Internet. Without a license agreement and without notifications. AppData > Roaming: rbx_hook, SLX.wmp.dll, slx_version. Do you really think this is a "game tool"? No, I do not know what kind of information about me and my system transmits the application. Confidentiality of my information may be used for fraudulent purposes. BitDefender, Avira, Comodo, McAfee, TrendMicro much closer to the truth than ESET. This is W32.Trojan.Gen the least.
-
This file create new folders, files in Temp and Roaming and application connect to internet to IP 132.148.197.187. This file also create new program and tries to connect to the system file werfault.exe (system 32 Win 7 SP 1)
-
RANSOMWARE - ESET Endpoint Security does not detect this virus
-
-
-
Tell me please, Peter, beta-version of THIS product It is necessary to put on a clean system or can be on top of ESET Endpoint Security 6.6
-
Please send me link EES 7 beta
-
Hi Peter - Please sign me up for this as well. I so long awaited this version of ESET Security 7 beta, I really want to test. Do not refuse me, please. I will help you - you'll see. Do not look at me as a . I tested a lot of antivirus software from 2000 year. I like yours ESET the longest. Despite the fact that I am a novice. Please. I buy Eset Endpoint Security in febraury. I have almost a year ahead.
Thanks,
Kind Regards,
cincerelly
In any case, one shouldn't be installing apps that are not validily signed.
Virus not detected
in Malware Finding and Cleaning
Posted · Edited by Descloix
Let someone run the file documento.exe on their computer, and honestly write what happened.
documento.exe - not Suspicious Objekt, this is totally Trojan.Ransom.
I am absolutely sure that this cipher, to extort money from ignorant people. And the business version of the antivirus did not see it.It’s just a huge shame for the reputation of the company that puts advertising banners in Germany at the Bundesliga matches. Specifically - at the matches of Borussia Dortmund.
BitDefender