
Moneesh

Members
  • Posts: 15

Kudos

  1. Upvote
    Moneesh gave kudos to itman in Frequently receiving notification of blocked website   
    Make sure you create an Eset firewall rule to block outbound C:\Windows\SysWOW64\dllhost.exe traffic as you did for the Win firewall. Set the logging level to warning. Then periodically monitor the Eset Networking log for any entries related to dllhost.exe. If no log entries appear after a few days, then we can safely assume the TinukeBot trojan has been removed.
    You need to create the Eset firewall rule since Eset disables the Win firewall.
  2. Upvote
    Moneesh gave kudos to stackz in Frequently receiving notification of blocked website   
    Here's the fixed link to the tool.
    ftp://ftp.nod.sk/samples/svchecker/ESETSysVulnCheck.exe
  3. Upvote
    Moneesh gave kudos to itman in Frequently receiving notification of blocked website   
    Possible but doubtful. I suspect the attacker switched to a URL not currently blacklisted by Eset.
    Modify the firewall rule you created to block inbound and outbound activity for C:\Windows\SysWOW64\dllhost.exe instead of the previous IP address. As far as I am aware, this process should never perform any Internet activity. Assuming you are using the Win firewall, check its firewall log for blocked dllhost.exe connections.
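The procedure in the two replies above (a Windows firewall rule that blocks C:\Windows\SysWOW64\dllhost.exe in both directions, then watching the log for hits), written out as an added example that is not part of the thread and not itman's or ESET's code. It also covers the address-based interim rule from the reply further down the page. One caveat it handles: the text firewall log (pfirewall.log) records addresses and ports but not the program, so to confirm that a blocked connection really came from dllhost.exe the example enables Windows Filtering Platform failure auditing and reads event ID 5157 from the Security log, which carries an Application field. The rule names, the `-Days` default and the `Add-AddressBlockRule` helper are my own choices; it assumes an elevated PowerShell on Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the forum thread): block SysWOW64 dllhost.exe with the
# Windows firewall and verify hits through WFP audit events. Run as Administrator.
$DllHost = 'C:\Windows\SysWOW64\dllhost.exe'
$RuleTag = 'IR: block SysWOW64 dllhost.exe'   # hypothetical rule name prefix

# 1. Program-based rules, both directions, every profile (idempotent).
foreach ($dir in 'Inbound', 'Outbound') {
    $name = "$RuleTag ($dir)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction $dir -Program $DllHost `
            -Action Block -Profile Any -Enabled True | Out-Null
    }
}

# Interim address-based rule (the earlier step in the thread): block all TCP/UDP
# to and from one remote address while the cause is still unknown.
function Add-AddressBlockRule {
    param([Parameter(Mandatory)][string]$Address)
    foreach ($dir in 'Inbound', 'Outbound') {
        New-NetFirewallRule -DisplayName "IR: block $Address ($dir)" -Direction $dir `
            -RemoteAddress $Address -Protocol Any -Action Block -Profile Any -Enabled True | Out-Null
    }
}

# 2. pfirewall.log has no process column. Failure auditing for "Filtering Platform
#    Connection" writes a Security event 5157 ("WFP has blocked a connection") for
#    every dropped connection, including the Application that attempted it.
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable | Out-Null

# 3. Pull the 5157 events and keep only those attributed to SysWOW64\dllhost.exe.
function Get-BlockedDllhostConnections {
    param([int]$Days = 3)
    $filter = @{ LogName = 'Security'; Id = 5157; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        # Application is a device path, e.g. \device\harddiskvolume2\windows\syswow64\dllhost.exe
        if ($data['Application'] -match '\\syswow64\\dllhost\.exe$') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                # %%14592 = Inbound, %%14593 = Outbound in 5156/5157 events
                Direction   = if ($data['Direction'] -eq '%%14592') { 'Inbound' } else { 'Outbound' }
                Application = $data['Application']
                Remote      = "$($data['DestAddress']):$($data['DestPort'])"
                Protocol    = switch ($data['Protocol']) { '6' { 'TCP' } '17' { 'UDP' } default { $data['Protocol'] } }
                ProcessId   = $data['ProcessID']
            }
        }
    }
}

# Usage: list blocked dllhost.exe connections from the last three days.
Get-BlockedDllhostConnections | Sort-Object Time | Format-Table -AutoSize
```

Run `Get-BlockedDllhostConnections` once a day for a few days, as the reply suggests; an empty result over that period is the "no log entries" condition. Treat the remote addresses in the output as the thing to investigate, not the mere presence of a hit: dllhost.exe is the COM Surrogate and hosts other components, so the destination tells you more than the process name does. When finished, `auditpol /set /subcategory:"Filtering Platform Connection" /failure:disable` stops the (high-volume) auditing and `Get-NetFirewallRule -DisplayName 'IR: block*' | Remove-NetFirewallRule` removes the rules.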
  4. Upvote
    Moneesh gave kudos to itman in Frequently receiving notification of blocked website   
    As posted above, here's the download link: ftp://ftp.nod.sk/samples/svchecker/ESETSysVulnCheck.exe
    Right click on the downloaded file and run it as administrator. It will create a zipped file in your Downloads folder. Attach that to your reply.
    After seeing you are still vulnerable to the EternalBlue exploit, I am "bowing out" from any further replies.
  5. Upvote
    Moneesh gave kudos to itman in Frequently receiving notification of blocked website   
    As far as the TinukeBot trojan, Symantec has a write up on it dating to 2017. It is a backdoor and probably what is establishing the remote C&C connection. That variant was run via:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"" = "%AppData%\[RANDOM NUMBERS FOLDER NAME]\[RANDOM NUMBERS FILE NAME].exe"
    So it might be worth a look at the registry run keys; especially the HKEY_CURRENT_USER ones.
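A read-only check of the Run keys along the lines suggested above, added here as an example; it is not from the thread, Symantec, or ESET. It enumerates the HKCU and HKLM Run/RunOnce keys and flags any command whose target, once %AppData% is expanded, matches the `<random numbers folder>\<random numbers file>.exe` shape in the Symantec write-up. The regular expression is my rendering of that pattern, and the function names are my own; it assumes PowerShell 5.1 or later and needs no elevation for the HKCU keys.

```powershell
# Added example (not from the forum thread): inspect autorun keys for a
# Tinukebot-style entry (%AppData%\<digits>\<digits>.exe). Read-only.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# After %AppData% expands to C:\Users\<user>\AppData\Roaming, the Symantec path
# becomes ...\AppData\Roaming\<digits>\<digits>.exe. -match is case-insensitive.
$SuspiciousPattern = '\\AppData\\Roaming\\\d+\\\d+\.exe(\b|$)'

# Extract the executable path from a Run value ("quoted path" args | path args).
function Get-CommandExePath {
    param([string]$Command)
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^\s*(\S+?\.exe)') { return $Matches[1] }
    return $expanded.Trim()
}

function Test-TinukebotStylePath {
    param([string]$Command)
    return [bool]((Get-CommandExePath $Command) -match $SuspiciousPattern)
}

function Get-AutorunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the metadata properties PowerShell adds to the object.
            if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
            $cmd    = [string]$p.Value
            $exe    = Get-CommandExePath $cmd
            $exists = [bool]($exe -and (Test-Path -LiteralPath $exe -PathType Leaf))
            [pscustomobject]@{
                Key        = $key
                # The write-up shows an empty value name (""); PowerShell reports
                # the key's default value as "(default)".
                ValueName  = $p.Name
                Command    = $cmd
                Executable = $exe
                Exists     = $exists
                Sha256     = if ($exists) { (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash } else { $null }
                Suspicious = Test-TinukebotStylePath $cmd
            }
        }
    }
}

# Usage: show everything, then just the entries that fit the pattern.
Get-AutorunEntries | Format-Table Key, ValueName, Executable, Exists, Suspicious -AutoSize
Get-AutorunEntries | Where-Object Suspicious | Format-List
```

A quick self-check of the matcher on a constructed value: `Test-TinukebotStylePath '%AppData%\4183920\2918374.exe'` returns True, while a normal entry such as `"C:\Program Files\ESET\ESET Security\egui.exe" /hide` returns False. Anything flagged should be treated as a lead to examine (hash, file properties, creation time), not removed blindly; the HKLM keys need an elevated session to read fully on some systems.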
  6. Upvote
    Moneesh gave kudos to itman in Frequently receiving notification of blocked website   
    Pretty sure this is the bugger: https://www.virusradar.com/en/Win32_Tinukebot.B/description since it's using dllhost.exe:
    And again, starts from:
  7. Upvote
    Moneesh gave kudos to itman in Frequently receiving notification of blocked website   
    This is interesting. The IP address, 51.15.90.178, associated with the URL blacklisted is in Paris, France and appears to be associated with a gov. web site; UK Government Department for Work and Pensions. A UK gov. web site hosted in France?
    In any case, a web connection from C:\Windows\SysWOW64\dllhost.exe definitely is not normal. For the time being, you could create a firewall rule to block all TCP/UDP traffic inbound/outbound for IP address 51.15.90.178. Once it is determined what is causing the dllhost.exe traffic, you can delete the firewall rule.