ProblemNeedsSolution (Members, 23 posts)

Posts posted by ProblemNeedsSolution

  1. Hello,

     this morning, out of nowhere, EIS started reporting "Address has been blocked", and until I turned off display of the notification it happened about 35 times.

     There is some address I did not visit, from various countries (HU/SK and mostly PL). I ran a system scan with EIS and it found no threat; then I also tried MB Anti-Rootkit, but it found nothing either. I only had Chrome open, and in Chrome I had my bookmarks open and two pages from work. Could you help me with this? Thank you.

    eset_threat.png

    system_check.png

  2. On 11/23/2020 at 4:27 PM, itman said:

    It is impossible to determine what the malware did when you started the PC in normal mode and all security protection was disabled.

    At a minimum, you should change all your passwords; especially those pertaining to financial web sites. If you used e-mail when all security protection was disabled, your passwords there should be changed.

    You should also run a full Eset custom scan at Admin level and see if Eset can find any residual malware.

    I did checks with Eset at admin level and with MB too, and it has stayed clean since the day I discovered Maintenance.vbs. They should really work this into an update at Eset so that they could be the first useful AV SW against this :) Anyway, thanks for the help people, my issue is solved.

  3. 17 hours ago, itman said:

    Good point.

    Repeated infections after a drive reformat and OS installation would most definitely point to a network security issue external to the device being reinfected. The problem is one has to go through this process to confirm it is the source of repeated infections.

    Additionally, the above is not the only source of residual malware. The malware may be firmware based, residing on a device attached to the PC or on a component of the motherboard. There have also been instances where malware has persisted through a normal drive reformat. This is why it is recommended to perform an industrial grade software based wipe of the hard drive, or replace the drive entirely if the same malware persists.

    In my case I believe the thing was present in the backup itself, so that is why it kept coming back. Just to be sure I disabled Google sync on my machine and deleted all the extensions and cookies. I keep doing checks with the anti-rootkit tool from MB and I also keep an eye on the Windows\System32 folders, and so far everything seems to be clean.

  4. So after finding this:

    Quote
    1. Reads a file named updatesettings.dbf in the Windows\System32 directory.
    2. Converts the text/number stored in updatesettings.dbf to an integer.
    3. If the integer value is greater than 9, then the script does the following actions:
      • Installs a program by running its installer file ServiceInstaller.msi in silent mode, then deletes the installer automatically.
      • Configures Safe mode boot as the default using the BCDEDIT command-line.
      • Deletes updatesettings.dbf.
      • Deletes Maintenance.vbs.
      • Then, it deletes the InstallWinSAT task.
    4. If the integer value is less than 9, then the script increments the number inside updatesettings.dbf by 1, and saves the file.

    It is clear how it works. So I deleted all tasks which involved Maintenance.vbs using Autoruns and deleted the ServiceInstaller.msi too. I hope I am over it, but we'll see. I checked msconfig too, because the counter in updatesettings was on 10, but it still did not switch it to Safe boot. I hope this will help you figure out something for detecting this PoS thing :) I do not want to say it too early, but I think this time I got this mofo for good.

  5. 2 minutes ago, itman said:

    Scan the entire drive where Win 10 is installed and determine if either of these files exist; StartupCheckLibrary.vbs and Maintenance.vbs.

     

    Actually I already did this. I only found StartupCheck.vbs and Maintenance.vbs, but just to be sure I searched the whole Windows folder for scripts and deleted anything dated after September. After reboot the machine was giving me an error because of Maintenance.vbs, but I modified it to just this: Wscript.Quit :) Problem solved. I changed the extension of the two scripts mentioned above to txt (attached below).

     

    PLS DO NOT CHANGE THE EXTENSION TO SCRIPT AND RUN THESE!!!

    Maintenance.txt StartupCheck.txt

  6. 1 hour ago, itman said:

    Can't tell anything from what is posted in that thread.

    What is fairly obvious by now is this is a coin miner using a rootkit or, like rootkit behavior. The one most widely deployed in this category is ZeroAccess:

    My best guess is what is infecting you is a new variant that Eset is not detecting.

    Eset has a tool to remove ZeroAccess but don't know if it will detect this new variant:

    https://malwaretips.com/blogs/remove-zeroaccess-rootkit/

    It did not find anything

  7. 40 minutes ago, Marcos said:

    Is that a notebook that you roam with? It seems you log into a domain of a Slovak IT company; if the machine is a notebook and you take it home, would it be possible not to connect via RDP to the office for some time to rule out a domain policy removing ESET?

    I do not use RDP and it is disabled. I only use the Cisco AnyConnect Mobile Security VPN, which also checks whether there is an active and up-to-date AV SW installed. If it does not find any AV SW it will fail the posture check and thus will not grant access to the domain. So it is a requirement to have an AV SW.

  8. 11 hours ago, itman said:

    Another possibility is some malware installed a malicious device driver. Those would load prior to Eset's ELAM driver and could intercept its loading.

    A malicious device driver is rare, but they do exist. They are normally reserved for high-value targeted attacks though.

    @ProblemNeedsSolution, do you have Win 10 Secure Boot enabled on this device?

    No, it is not enabled. If the issue comes back, though, I will try it.

  9. 5 hours ago, peteyt said:

    Could this also be router based? I mentioned it above, the key thing being two devices have the same issue. If the router was involved it would explain how the issue kept coming back and how it had appeared on two devices.

    Only other thing I can think is its related to something software wise that both devices have. It seems a strange virus but what's even stranger is two devices have had the same issue.

    Interestingly, as itman mentioned, some of the registry keys on Google seemed to talk about coin mining malware. Google does seem to show coin mining malware has infected routers in the past, but I'm not sure of the best way to check routers for this kind of infection.

    At home there is another laptop connected to the main router and it does not have this issue. My laptop is connected to a wifi extender all of the time.

  10. 1 hour ago, Marcos said:

    Looks like ekrn was forcibly removed and thus could not be started: "Starting the ekrn service failed due to the following error: The system cannot find the file specified." 18/11/2020 06:54:57. Normally it's not possible to remove it while self-defense is active. Did you have password protection and detection of potentially unsafe applications enabled?

     

    I did not tamper with the settings as far as I know, and since last time I raised the UAC settings to the maximum. I could only reinstall Eset by booting into Safe mode and using the uninstall tool, but my Windows Updates and Windows Defender are still destroyed at this point, so the only option is to do a full restore - otherwise the posture check from Cisco's VPN client fails and I cannot gain access to our company's domain.

     

    @itman When this happens the Windows Security screen is completely empty - no small icons with checkmarks, and if I open it, it is a completely blank page. By the Windows Update screen I mean the blue screen when you reboot your machine, but this happens when I turn on the machine, and yesterday I did not notice any updates.

     

    The weird thing is that it happens periodically - exactly one week apart - sort of a time bomb (so an update on the 25th, I guess).

  11. 22 hours ago, peteyt said:

    If both computers have had the same issue, I'm wondering if somehow the old one has infected the new one. I don't know a lot about networking, but it's maybe worth a look to see if the laptop is the origin.

    The old lappy was sent back for a warranty repair (backlight LEDs got loose and I could see a row close to the display LOL). I got the new machine up and running on the weekend; the other was sent away on Friday, so they were not in "contact".

  12. 20 hours ago, itman said:

    I would say that whatever VPN you are using might be the source of this malware activity. If you get infected again, I would definitely switch to a new VPN provider.

    Also re-reading the TechNet posting, I noticed this:

    If the malware was forcing a boot into safe mode; especially one w/minimal drivers only enabled, it would explain how Eset could be uninstalled and WD disabled.

     

    I am sorry, but I only use a VPN client from Cisco to connect to our company domain, and I was not forced into safe boot at all. It is really strange, but I did find some posts even on different AV SW forums with the same problem, so whatever this is, it is out there, but maybe not that common.

  13. 46 minutes ago, Marcos said:

    Please upload logs collected with ESET Log Collector here.

    Okay, tried a different AM SW and it found a trojan:

    Quote

    Registry key: 3
    Trojan.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Microsoft\Windows\Application Experience\STARTUPCHECKLIBRARY, No action by user, 502, 735770, , , , , , 
    Trojan.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{B6F1D2B9-A39A-4018-829B-77263AED2DBE}, No action by user, 502, 735770, , , , , , 
    Trojan.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{B6F1D2B9-A39A-4018-829B-77263AED2DBE}, No action by user, 502, 735770, , , , , , 

    Registry value: 1
    Trojan.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{B6F1D2B9-A39A-4018-829B-77263AED2DBE}|PATH, No action by user, 502, 782993, 1.0.32740, , ame, , , 

    Registry data: 0
    (No malicious items detected)

    Data stream: 0
    (No malicious items detected)

    Folder: 0
    (No malicious items detected)

    File: 1
    Trojan.Agent, C:\WINDOWS\SYSTEM32\TASKS\MICROSOFT\WINDOWS\APPLICATION EXPERIENCE\STARTUPCHECKLIBRARY, No action by user, 502, 735770, 1.0.32740, , ame, , CD52F0B617A68EDC4533DE2EEDCF1AC8, A67A9367AEA4DD499A8EC3D7B92849C845DBC1DFBAFD7B7F4BBC3279F56B146A

    So I manually removed the keys from the registry, deleted the file from the Windows folder as well, and did a reboot. I did another scan and now it says everything is clean, so let's see. It is funny how ESET did not find this though...
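    The following is an added example, not code posted in this thread and not a tool from ESET or Malwarebytes. It is a read-only triage script for the persistence described in the Maintenance.vbs write-up quoted in post 4 (counter file updatesettings.dbf, ServiceInstaller.msi, BCDEDIT safeboot, the InstallWinSAT task) and for the Task Scheduler cache entries flagged in the scan output in post 13 (the STARTUPCHECKLIBRARY task under TaskCache\Tree and its Tasks\{GUID} entry). The file and task names are the ones the posts mention; the script structure, the variable names and the output format are my own construction. It assumes Windows 10 with Windows PowerShell run as Administrator (bcdedit and the TaskCache hive need it) and deletes nothing.

```powershell
# Added example: read-only triage for the scheduled-task persistence discussed in the thread.
# Indicator names come from the posts; everything else here is an assumption for illustration.
$indicatorNames = @('Maintenance.vbs', 'StartupCheckLibrary.vbs', 'StartupCheck.vbs',
                    'updatesettings.dbf', 'ServiceInstaller.msi')
$taskNames = @('StartupCheckLibrary', 'InstallWinSAT')
$sys32 = Join-Path $env:SystemRoot 'System32'

# 1. Dropped files in System32: the run counter and the silently installed MSI
foreach ($name in $indicatorNames) {
    $p = Join-Path $sys32 $name
    if (Test-Path -LiteralPath $p) {
        $item = Get-Item -LiteralPath $p
        Write-Output ("FILE  {0}  size={1}  mtime={2}" -f $p, $item.Length, $item.LastWriteTime)
        if ($name -eq 'updatesettings.dbf') {
            # Per the quoted write-up the script bumps this once per run and fires when it exceeds 9,
            # so the value tells you how many boots you have left before the payload stage.
            $counter = (Get-Content -LiteralPath $p -Raw).Trim()
            Write-Output ("      counter value: '{0}'" -f $counter)
        }
    }
}

# 2. Scheduled tasks whose action line references one of the scripts, or that carry a suspicious name
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $hits = $task.Actions | Where-Object {
        $cmd = "$($_.Execute) $($_.Arguments)"
        ($indicatorNames | Where-Object { $cmd -like "*$_*" }).Count -gt 0
    }
    if ($hits -or ($taskNames -contains $task.TaskName)) {
        foreach ($a in $task.Actions) {
            Write-Output ("TASK  {0}{1}  ->  {2} {3}" -f $task.TaskPath, $task.TaskName, $a.Execute, $a.Arguments)
        }
    }
}

# 3. The TaskCache registry view the scanner in post 13 flagged: Tasks\{GUID} entries whose Path
#    value ends in one of the task names (Tree\... and Logon\{GUID} point at the same GUID).
$cache = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'
Get-ChildItem -Path "$cache\Tasks" -ErrorAction SilentlyContinue | ForEach-Object {
    $path = (Get-ItemProperty -Path $_.PSPath -Name Path -ErrorAction SilentlyContinue).Path
    foreach ($t in $taskNames) {
        if ($path -like "*\$t") {
            Write-Output ("REG   Tasks\{0}  Path={1}" -f $_.PSChildName, $path)
        }
    }
}

# 4. Boot configuration: the write-up says the script makes Safe mode the default via BCDEDIT.
#    A clean machine has no 'safeboot' element on the {default} entry.
$bcd = & bcdedit /enum '{default}' 2>&1
if ($bcd -match 'safeboot') {
    Write-Output "BCD   safeboot element present on {default}:"
    $bcd | Where-Object { $_ -match 'safeboot' } | ForEach-Object { Write-Output "      $_" }
} else {
    Write-Output "BCD   no safeboot element on {default}"
}
```

    Run it before cleaning anything and keep the output: a counter value, a task action line and a bcdedit safeboot element together are exactly the evidence the thread lacked when the reinstalls kept reoccurring. If the task enumeration shows a hit but the TaskCache walk does not (or vice versa), that mismatch itself is worth noting, since the scanner log above flagged the registry side while the user only found the script files by hand.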

  14. 9 minutes ago, Marcos said:

    It's unlikely that malware would "corrupt" Windows updates. If there's an issue with them, it'd be rather caused by a hardware failure than by malware. Or an attacker is able to connect via RDP and uninstalls AVs and Windows updates on a regular basis. Did you check the system event logs for possible errors? Do you have RDP disabled?

    It is a brand new machine, Windows 10 Pro, RDP disabled... The weird thing is this started to happen on my old laptop too, just before the 2004 update, so I thought it was the update. But now on the new machine the same thing is happening. If I open Microsoft Defender > blank screen in the app (executables gone), ESET was gone (all the executables), and Windows Update gives an error (also cannot connect to the Microsoft Store). The internet connection is fine though.

  15. Hi! I am having a weird issue I haven't seen before... after a week my Windows updates get corrupted and Windows Defender goes missing on the machine. No big deal: I restore my machine from a backup, stop Windows updates for a month and buy Eset ISP to have better protection. One week passes by and my VPN wouldn't connect to our domain. I noticed that the Eset splash screen was not showing up, so I did a search for Eset and it said nothing was found. Sure enough Eset, Windows Defender and Windows updates are gone AGAIN. Did anyone have this issue or virus, whatever it is? It's really annoying.
