Nightowl
Most Valued Members
Posts: 1,857
Days Won: 17
Everything posted by Nightowl
I believe they are normal versions of the EXE; the .dlls are just hijacked. The fake Firefox that came with it had an icon from older versions of Firefox, you can notice it's an old version of Firefox. VLC also looked like the real one, but the .dlls are hijacked. This is why scanners aren't picking them up: python.exe, firefox.exe, vlc.exe, because I think they are legit, just the .dlls are messed up. I believe python.exe is needed to be able to run the Python script that is hidden somewhere, since there is no Python installed on the PC. If they were edited or messed up, then I would have got an indicator that the exes aren't signed properly, tampered or edited.

Edit: I didn't read properly. Yes, what you have said could explain it, and it could be that those aren't real executables and were just made by the script. I sent ESET the whole packs of the fake stuff, but I actually removed the python.exe, and I don't think I can get it back, because at that time ESET picked up its python39.dll, and I still believe somehow that the python.exe is a normal one. I believe the fake stuff, Firefox, VLC, Python, were all real but versions that have vulnerabilities and can be changed/modified; that's why they all came packed with hijacked DLLs and weird file types that would just change after execution.
-
This is what runs the malicious Python in Adobe in Scheduler: And this is what runs the malicious VLC in Scheduler:
-
It should be received from another endpoint. No, I don't think there is a bug, because I sent examples from 2 endpoints, one without email, one with email. I will send in PM.
-
I worked with HIPS to see who reads and writes, but once I wasn't able to stop it, remove it or archive it, I thought it's better to block the whole place. I blocked and restarted the PC, and I removed it. I believe when you run the malicious exe that is hidden as pif, it asks for admin? I don't know, I didn't ask. I also saved the XMLs for the Schedulers. And the PC doesn't have anything belonging to Adobe, but I believe the virus will gain admin somewhere with VLC and CMD.
-
Hello Peter, I have attached the whole folder of fake VLC and fake Firefox, put them in a 7z archive passworded with "malware", and sent it through the ESET GUI with my email address. I have confirmed that they have reached you through the Events logs, but I kept a backup in case they didn't reach. I was having trouble cleaning the python39.dll because it kept telling me it's running somewhere; something held it but I didn't catch it. I restarted, and what held it stopped. I tried to archive it, but ESET got it; it seems that it received updates, so I didn't pack the .dll because ESET already knows it. I think what held it is Task Scheduler somewhere; I made sure it didn't come back in Task Scheduler. What I noticed, having hands on 2 infections, one with W10 and one with W11: the only difference I saw was that in W10 it was able to make a startup entry, in W11 it didn't. I will double check to make sure. Thanks to all also, it's my pleasure.
-
I sent 2 more remnants that aren't detected but looked suspicious. I cleaned the system scheduler; it had VLC and Python commands to run at startup and at 7PM. The remnants are here:
https://www.virustotal.com/gui/file/e9262441ef8e401acce28d13100c63e90e3de2ffb0ec6763611eebdc1aa60dbd/detection/f-e9262441ef8e401acce28d13100c63e90e3de2ffb0ec6763611eebdc1aa60dbd-1679390226
https://www.virustotal.com/gui/file/e7754d8e4c33b35b85d85554488069fe731190201fa9e42d1b53f38c843025a3/detection/f-e7754d8e4c33b35b85d85554488069fe731190201fa9e42d1b53f38c843025a3-1679390159
Unsigned files for Python and VLC; they looked suspicious to scanners.
This is a remnant also not detected, but I wasn't able to send it, I deleted it by mistake:
https://www.virustotal.com/gui/file/65327e1555994dacee595d5da9c9b98967d1ea91ccb20e8ae4195cd0372e05a0
ssl3.dll
Size . . . . . . . : 132,712 bytes
Age . . . . . . . : 4.9 days (2023-03-17 12:42:24)
Entropy . . . . . : 6.1
SHA-256 . . . . . : 65327E1555994DACEE595D5DA9C9B98967D1EA91CCB20E8AE4195CD0372E05A0
Product . . . . . : Network Security Services
Publisher . . . . : Mozilla Foundation
Description . . . : NSS SSL Library
Version . . . . . : 3.11.5
RSA Key Size . . . : 2048
LanguageID . . . . : 1033
Authenticode . . . : Invalid
> SurfRight . . . . : Mal/Generic-S
Fuzzy . . . . . . : 122.0
Scheduler: I made a restart now; I will check if it comes back. I believe the Scheduler is what revived it and ESET kept removing it as Spy Agent in Advanced Memory Scanner. I sent the 2 examples to ESET the same way I did for the first post: Right click > ESET > Submit for Analysis.
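Added example (editor-supplied PowerShell, not code from Nightowl's post or from ESET): a triage pass over every scheduled task that resolves the task's command line, notes whether the executable sits in a user-writable location, and checks the Authenticode status of the DLLs lying next to it. That is the pattern the posts above describe: a legitimately signed vlc.exe, firefox.exe or python.exe launched by a task at logon or at a fixed time, surrounded by unsigned or invalid DLLs. The list of user-writable roots, the evidence folder and the output column names are assumptions for illustration; run it in an elevated PowerShell on the affected host, and treat a hit as something to look at rather than a verdict, since third-party software legitimately ships unsigned DLLs too.

```powershell
# Added example, not from the forum post or from ESET. Assumptions: run elevated on the
# affected Windows host; the "user-writable" root list and the evidence folder are
# illustrative choices, adjust them for the environment.

$userWritableRoots = @(
    [Environment]::GetFolderPath('LocalApplicationData'),   # %LOCALAPPDATA%
    [Environment]::GetFolderPath('ApplicationData'),        # %APPDATA%
    $env:TEMP,
    $env:ProgramData,
    "$env:SystemDrive\Users"
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Test-UserWritablePath {
    param([string]$Path)
    foreach ($root in $userWritableRoots) {
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Per-directory cache: many tasks share a directory, and signature checks are slow.
$script:dllCache = @{}
function Get-BadDllsBeside {
    param([string]$Dir)
    if ($script:dllCache.ContainsKey($Dir)) { return $script:dllCache[$Dir] }
    $bad = @()
    # Windows' own directories hold thousands of catalog-signed DLLs; leave those to sfc/DISM.
    $isWindows = $Dir.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)
    if (-not $isWindows -and (Test-Path -LiteralPath $Dir)) {
        $bad = @(Get-ChildItem -LiteralPath $Dir -Filter '*.dll' -File -ErrorAction SilentlyContinue |
            ForEach-Object { Get-AuthenticodeSignature -LiteralPath $_.FullName } |
            Where-Object { $_.Status -ne 'Valid' } |
            ForEach-Object { '{0} ({1})' -f (Split-Path -Leaf $_.Path), $_.Status })
    }
    $script:dllCache[$Dir] = $bad
    return $bad
}

function Get-TaskPersistenceFindings {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only Exec actions carry a command; COM-handler actions have no Execute property.
            if (-not $action.Execute) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            if (-not [IO.Path]::IsPathRooted($exe)) { continue }   # bare names resolve via PATH
            $dir = Split-Path -Parent $exe

            $exeStatus = if (Test-Path -LiteralPath $exe) {
                (Get-AuthenticodeSignature -LiteralPath $exe).Status.ToString()
            } else { 'Missing' }
            $badDlls = Get-BadDllsBeside $dir

            # Trigger summary such as "Logon Daily@2023-03-17T19:00:00"
            $triggers = @($task.Triggers | ForEach-Object {
                $kind = $_.CimClass.CimClassName -replace '^MSFT_Task', '' -replace 'Trigger$', ''
                if ($_.StartBoundary) { "$kind@$($_.StartBoundary)" } else { $kind }
            }) -join ' '

            [pscustomobject]@{
                TaskPath     = $task.TaskPath
                TaskName     = $task.TaskName
                State        = $task.State
                Triggers     = $triggers
                Command      = "$exe $($action.Arguments)".Trim()
                ExeSignature = $exeStatus
                BadDlls      = ($badDlls -join ', ')
                Suspicious   = (Test-UserWritablePath $dir) -or ($exeStatus -ne 'Valid') -or ($badDlls.Count -gt 0)
            }
        }
    }
}

$findings = Get-TaskPersistenceFindings
$findings | Where-Object Suspicious | Sort-Object TaskPath, TaskName |
    Format-Table TaskPath, TaskName, State, Triggers, Command, ExeSignature, BadDlls -AutoSize -Wrap

# Keep the task definitions as evidence before unregistering anything.
$evidenceDir = Join-Path $env:USERPROFILE 'task-evidence'   # assumed location
New-Item -ItemType Directory -Path $evidenceDir -Force | Out-Null
foreach ($f in ($findings | Where-Object Suspicious)) {
    $name = ((($f.TaskPath + $f.TaskName).Trim('\')) -replace '\\', '_') + '.xml'
    Export-ScheduledTask -TaskName $f.TaskName -TaskPath $f.TaskPath |
        Set-Content -LiteralPath (Join-Path $evidenceDir $name) -Encoding Unicode
}
```

Once the XML is saved, the task can be removed with Unregister-ScheduledTask -TaskName/-TaskPath, and the directory named in Command is where the sideloaded DLLs should be collected from before deletion.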
-
Thank you Marcos, ITMAN. It isn't my business account; I just worked to clean the PC because I was asked to, and ESET was there for my luck. I will inform you if I am asked about LiveGuard.
-
I didn't notice that, I sent manually. The product on the PC is ESET Endpoint Security; I think Endpoint Security doesn't have LiveGuard yet, it's only available on Smart Security. And the file came through Skype to the affected machine.
-
Yeah, I noticed that now when I got into the any.run link.
-
Yes, it's targeting financial areas; it will come as a financial file for you. It isn't me, I worked to clean the person's PC. The shortcut isn't detected, so it's made new also. The shortcut is what got uploaded to VirusTotal, but VirusTotal takes you to truecrypt.exe; I believe the 1.5 shortcut is something hidden, it will just become something else. You can see it here also:
https://any.run/report/b1afbce51ad052f936b989214964d56e2290a7fb5548763273c1fc4382cd5c1c/f26fd95b-3cc1-4578-abf1-17289380ebe5
-
https://www.virustotal.com/gui/file/b1afbce51ad052f936b989214964d56e2290a7fb5548763273c1fc4382cd5c1c
This is not being detected by ESET, but ESET is picking it up through Advanced Memory Scanner after being run, because it came through Skype as a 1.5mb shortcut pif. I kept a copy of it inside a passworded archive. I sent the shortcut also for analysis through right click and Submit for Analysis.
a variant of Win32/Spy.Agent.QGW trojan C7552D69B8A7257A489BCDC31BAD099F5C2D67EA
a variant of Win32/Rescoms.B trojan D00E62B42CEE99EFF56C604CF7190E2F68B3F86E
Those are files that the dropper drops, but the ESET memory scanner and startup scanner pick .dlls from Appdata\local\temp\threat.dll
-
for those who thinking Windows7 and Nod32 is safe
Nightowl replied to spacesnow's topic in ESET NOD32 Antivirus
Firewalling the RDP port to specific IP addresses, password protecting ESET, and account auto-lock on failures for RDP will limit the attack surface for RDP attacks. -
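Added example (editor-supplied PowerShell, not from the post): the firewall and lockout part of that advice as commands. Scoping the built-in "Remote Desktop" rule group to an allow-list is preferable to adding a second rule, because the stock rules would otherwise still accept connections from any address. The source address list is an assumption; replace it with the management hosts or VPN subnet that actually need RDP. Run elevated.

```powershell
# Added example, not from the forum post. Assumption: the addresses below are the
# only places RDP should be reachable from; adjust for the real environment.
$allowedRdpSources = @('10.0.0.0/24', '192.168.1.50')

# Narrow every rule in the stock "Remote Desktop" group (TCP, UDP and shadow rules)
# from RemoteAddress=Any to the allow-list.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -RemoteAddress $allowedRdpSources

# Verify: each enabled rule in the group should now show only the allowed sources.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Where-Object { $_.Enabled -eq 'True' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', ')
        }
    } | Format-Table -AutoSize

# Lock a local account for 15 minutes after 5 failed logons within 15 minutes.
# Domain accounts get the equivalent values from the domain's Group Policy instead.
net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15
net accounts
```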
for those who thinking Windows7 and Nod32 is safe
Nightowl replied to spacesnow's topic in ESET NOD32 Antivirus
If someone can log into RDP and disable ESET, then ESET is not capable of defending anything. Still, it is not recommended to be using Windows 7 at all, since if ESET missed the threat, which can happen with any AV available on the market, then there is no way of defending against that malware. Since Microsoft doesn't fix anything with 7 and 8 anymore, you are better off with 10 and 11, or even Linux if you are against using those two systems, but not 7 and 8. -
Both sites are official, I bet. See, here you get the blue skin: http://www.videolan.org/index.en_GB.html And here you will get the orange skin: http://www.videolan.org/vlc/#download
-
Locking idle devices via command
Nightowl replied to Jure_SGS's topic in ESET PROTECT On-prem (Remote Management)
I am not sure about it since I don't work for ESET, but I believe ESET Protect will see the computer as idle once the screensaver kicks in. Just from my thoughts, I could be totally wrong. Try to set that policy for one computer, leave that computer and see when it kicked in, and check at the same time the screensaver setting for that computer. And also, if you have Domain Controllers, you can use Group Policy to modify when the PC will be idle/locked. -
ESET Server Security for Linux supported OS
Nightowl replied to obee's topic in ESET Products for Linux Servers
You are welcome my brother. -
ESET Server Security for Linux supported OS
Nightowl replied to obee's topic in ESET Products for Linux Servers
I think the help page in your second screenshot has more accurate information. https://help.eset.com/essl/91/en-US/?system_requirements.html -
ESET delete file even if I the threat
Nightowl replied to kapi9913's topic in ESET Endpoint Products
If someone said something earlier than you, we say your life is longer than mine, so it's that way Marcos. I wanted to actually say the same: are the endpoint users knowledgeable enough to decide if it's really a threat or a false positive? It is not recommended to do so, because on purpose they are not working in the I.T. department, so they shouldn't have this decision. -
Try to install ESET Smart Security or ESET Internet Security
- Run it as a trial for 30 days; after that you will have to buy a license to continue using it.
- Run a deep scan of your system
- Update your router to the latest firmware available from the manufacturer
- Reset your router admin password, reset your WIFI password
If your router is no longer maintained and updated by the manufacturer, I highly recommend getting one that is supported; your Internet Service Provider can provide you one if you don't want to bother yourself getting one from a shop.
-
Just a suggestion: since you blocked the Polish language version of Facebook, it might just redirect to some other domain or to the English language version. Try blocking *.facebook.com
-
Microsoft Defender question.
Nightowl replied to VanBuran's topic in ESET Internet Security & ESET Smart Security Premium
Indeed I was wrong, I double checked and they do stop. I remember seeing them for a while even when I had ESET installed. -
Microsoft Defender question.
Nightowl replied to VanBuran's topic in ESET Internet Security & ESET Smart Security Premium
You cannot stop Defender from updating; those updates are received along with Windows Update files, from the Windows Update Service. I believe it keeps updating because it can be used as a secondary scanner with ESET, not real-time, but as an on-demand scanner. I don't think it harms; let it update, and you can even schedule it to run at a different time, or once per certain period, to scan and give you a second opinion alongside ESET. -
autodiscover.365e.live blocked by NOD32
Nightowl replied to OnSite's topic in Malware Finding and Cleaning
It's weird; I thought it might be a crack that is trying to communicate with a weird website like this one here. Assuming you have scanned your computer and no threat is detected, and assuming that this domain wasn't suddenly bought by Microsoft, I believe there is something wrong if 365 is trying to communicate there. Doing a whois search for Microsoft.com will show you that the domain is registered to Microsoft. Doing a whois for the domain 365e.live shows it's privacy hidden, registered through a different registrar, and doesn't belong to Microsoft.