itman

Posts posted by itman

  1. 8 minutes ago, sypticle said:

    With a behavior analysis score of 89/100 which is one point below the high confidence level, I would say this bugger is malicious. Especially so using the MITRE indicators noted.

    Did AdwCleaner get rid of the Search Service.exe in the C:\Windows directory?

  2. 2 hours ago, 0x55 said:

    I did notice that Eset had changed the sites' favicons in Chrome, but that has reverted back in the past few days. I can manually open the secure browser, and that seems fine.

    The sites are definitely set to use secure browser in Advanced Setup. I've also tried variants like adding www or the index.html landing page, with no success.

    Also, as discussed in a recent similar thread on this subject, Eset doesn't support HTTPS/2 yet. So any such web site will not cause the opening of the BP&P secure browser, regardless of the source browser used.

  3. 1 hour ago, pronto said:

    The actual question is whether it is enough to set up the directories in the 'Detection Engine - Exclusions' dialog to exclude them both in the Real Time Scan

    As far as I am aware, process and file exclusions entered for the detection engine apply to any Eset options subordinate to it. This would include any of the manual or scheduled malware scanning options.

  4. Another suggestion is to submit Search Service.exe for a scan on the Hybrid Analysis web site here: https://www.hybrid-analysis.com/ . As best as I can determine, the file hash you submitted to Virus Total has not been previously scanned at Hybrid Analysis. If you do this, copy the link for the scan and post it. I will take a look at the sandbox analysis performed.

  5. 41 minutes ago, Bordonbert said:

    Can anyone envisage a way it is possible for an email to create a brand new folder in this way? 

    I use ThunderBird and have the latest version 63 installed.

    I just opened it up and have no "Black Friday" folder being shown. I also have no Thunderbird spam settings enabled other than the default ones.

    I would direct your concerns to the Mozilla Thunderbird forum.

  6. 11 hours ago, sypticle said:

    Do you know if it's supposed to open on startup?
    edit: I just checked and my version of searchservice.exe has a space.

    What I do know is this.

    Many of the detections for it on VT were for Gen:Variant.Mikey.24795. Gen:Variant.Mikey is a generic detection for adware/browser hijacker/etc..

    Malwaretips.com has a few cleaning guides for earlier versions of it. Here's one: https://malwaretips.com/blogs/gen-variant-adware-mikey-10000-removal/ . Since AdwCleaner was recommended for removal of it, I would give it a shot on getting rid of this variant. You can download it here: https://www.bleepingcomputer.com/download/adwcleaner/ .

    What I will say about Search Service.exe is that it is located in the Windows directory. As far as I am aware, this is not a Windows system process or utility and has no business being in that directory. Additionally, the fact that it is located in a Windows directory significantly ups the probability that the process is dangerous.

    Below are link references to the "This App Can't Run On Your PC" alert. There are many more on the web.

    https://www.ghacks.net/2017/10/30/fix-this-app-cant-run-on-your-pc-on-windows/

    https://www.easeus.com/todo-backup-resource/this-app-cant-run-on-your-pc-in-windows-10.html

    The fact that the alert window is being displayed in red leads me to suspect that Win 10 native SmartScreen is the source of the alert. You can try to temporarily disable it by setting it to "Off" as shown in the below screen shot. If the problem goes away with SmartScreen disabled, you have found the source of the issue.

    Also, corrupted files can cause this alert in regards to the software publisher: https://www.overclockers.com/forums/showthread.php/722938-Corrupted-files-are-the-cause-of-Windows-8-quot-This-app-can-t-run-on-your-PC-quot-error

    [Screenshot: Eset_SmartScreen.png - Windows Defender SmartScreen setting switched to "Off"]

  8. I use T-Bird e-mail on version 12.0.27 to access my AOL e-mail which is in essence now Yahoo e-mail. I don't have any issues. However, I don't use the POP/S protocol but the IMAP/S protocol.

    For starters, you should verify that Eset's Windows root CA store certificate is installed in T-Bird's root CA certificate store. If it is installed, then you might as a test try switching to the IMAP/S protocol in T-Bird and see if e-mail can be retrieved. Note: Yahoo might use a different URL for their IMAP/S servers.


  9. I am not so sure that the search service.exe is a benign process. Here is a write up on the legit version: https://www.file.net/process/searchservice.exe.html .

    The important point to note is that the legit version is named searchservice.exe. Note there is no space between "search" and "service" in the process name. If the running process doesn't point back to this directory, C:\Program Files\Ticno\, I would be doubly suspicious.
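As an added illustration of the two checks made in posts 6 and 9 above (a space smuggled into a well-known file name, and a known name running from somewhere other than its install directory), here is a small Python triage helper. It is not itman's code and not anything shipped by Eset; the Ticno directory is the one given in the file.net write-up linked above, while the list of binaries allowed directly in C:\Windows, the function names and the sample process paths are constructed assumptions for the example.

```python
"""Triage helper for the 'Search Service.exe' question above: flag image paths
whose name or location looks wrong. Added example, not code from the forum;
the allowlists and the sample process list are constructed for illustration."""
import ntpath
import re

SYSTEMROOT = r"C:\Windows"

# Expected install directory for look-alike-prone legitimate names (lower-cased).
# The Ticno path is the one given in the file.net write-up cited in the thread;
# the mapping itself is an assumption to be extended per environment.
KNOWN_GOOD_DIRS = {
    "searchservice.exe": r"C:\Program Files\Ticno",
}

# Binaries that legitimately sit directly in %SystemRoot% (assumed, partial list;
# a real deployment would build this from a clean reference image).
SYSTEMROOT_RESIDENTS = {
    "explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "write.exe",
    "winhlp32.exe", "bfsvc.exe", "splwow64.exe", "helppane.exe",
}


def _norm_dir(path):
    """Case-fold and normalise a Windows directory path (ntpath works on any host)."""
    return ntpath.normcase(ntpath.normpath(path))


def canonical_name(filename):
    """Strip whitespace and case so 'Search Service.exe' collapses to 'searchservice.exe'."""
    return re.sub(r"\s+", "", filename).lower()


def triage(image_path):
    """Return the reasons an image path deserves a closer look (empty list: nothing odd)."""
    base = ntpath.basename(image_path)
    directory = _norm_dir(ntpath.dirname(image_path))
    canon = canonical_name(base)
    reasons = []

    # 1. Whitespace inserted into a well-known name is a classic look-alike trick.
    if canon != base.lower():
        reasons.append("whitespace in name (look-alike of %s?)" % canon)

    # 2. Third-party executables have no business directly in C:\Windows.
    if directory == _norm_dir(SYSTEMROOT) and base.lower() not in SYSTEMROOT_RESIDENTS:
        reasons.append("non-system executable directly in the Windows directory")

    # 3. A known name running from somewhere other than its install directory.
    expected = KNOWN_GOOD_DIRS.get(canon)
    if expected is not None and directory != _norm_dir(expected):
        reasons.append("%s expected under %s, found in %s"
                       % (canon, expected, ntpath.dirname(image_path)))

    return reasons


def triage_all(image_paths):
    """Map each suspicious path to its reasons; clean paths are omitted."""
    flagged = {}
    for path in image_paths:
        reasons = triage(path)
        if reasons:
            flagged[path] = reasons
    return flagged


# Constructed sample of running images, modelled on the thread's scenario.
SAMPLE_PROCESSES = [
    r"C:\Windows\Search Service.exe",                      # the case discussed above
    r"C:\Program Files\Ticno\searchservice.exe",           # legitimate location per file.net
    r"C:\Users\bob\AppData\Local\Temp\SearchService.exe",  # right name, wrong place
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\svchost.exe",
]

if __name__ == "__main__":
    for path, reasons in triage_all(SAMPLE_PROCESSES).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

On a live system the input list would be the `Path` property of each `Get-Process` result, or the image paths from a process-creation log export; the third check only fires for names present in the allowlist, so the more look-alike-prone legitimate binaries you record there, the more it catches.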

  10. 10 hours ago, Veremo said:

    VT says 1fa45104b40630d08b83513cd2424ab72d79b0e1 was signed by Dexon Software.
    Additionally, this file contains a timestamp countersignature which proves it is not "recent".

    Date signed: 11:53 PM 11/30/2005

    I figured we would get around to this.

    Here is an AV vendor that found it to be "clean": https://www.reasoncoresecurity.com/agent.exe-0eced01089ae9cba59f2e6b94173cd7dd495b9c8.aspx . Well, sort of. It did find two variants that it classified as PUAs. For the heck of it, I submitted the following "clean" variant to VT:

    Agent.exe  5,1,3,648  06db69c21a367a7df46f24d70a8cf7734306b904

    Interestingly, Microsoft indicated this one was clean although many other vendors did not including Eset. Do note that VT does indicate that its code signing cert. has expired.

    Which gets us to just what the hell is this bugger? Well, it turns out it is part of a legit trusted installer software. You can read about it here: https://www.neuber.com/taskmanager/process/agent.exe.html . This makes its use an ideal target for malware, adware, you name it to abuse.

    The bottom line is that this bugger does not "mysteriously" appear on your PC. It relies on some user unwittingly installing it via what appears to be a legit software installation.

    So for those Eset users that insist on overriding Eset's PUA alert and installing some software that they "know" to be safe, you have been warned.

  11. I will say it appears Dexon has a way of "worming", pun intended, its way onto networks.

    Here's an interesting Sophos posting from an endpoint installation wondering how it could be infected a second time with "not a beep" from Sophos when it had detected it in the first infection episode: https://community.sophos.com/products/endpoint-security-control/f/sophos-enterprise-console/88576/sophos-doesnt-detect-a-virus-that-was-previusly-detected.

    My take on this is some backdoor remained in place on some device. The old rule of complete OS drive wiping, reformatting, and OS reinstallation comes to mind in the case of a backdoor infection. Or for corps., might just be cheaper to replace the drives.

    -EDIT- Forgot to mention Sophos also initially detected the bugger as a PUA. I am starting to see a pattern forming...

  12. 16 minutes ago, Wistblade said:

    I tried to both reinstall Logitech SetPoint and Logitech Unifying itself, also reinstalling the drivers themselves did not help

    Are the mouse and keyboard connected to a USB 1.1/2 port or to USB 3.0 ports? On my Gigabyte motherboard, I have many USB 1.1/2 ports and only a few USB 3.0 ports. I see no reason why a mouse and keyboard would need to be attached to a high speed USB 3.0 port. The norm is to use USB 3.0 ports for drives.

  13. 1 hour ago, Wistblade said:

    After update ESET Smart Security from 11.2.49.0 to 12.0.27 my USB 3.0 driver crash.

    You need to provide more detail on the USB 3.0 driver crash. Does this happen immediately after boot time? Is a USB drive installed on the port when the driver crash occurs at boot time? Does the USB 3.0 driver crash occur when you connect the cable to the port? Etc., etc.

  14. Here are what appear to be recent variants of the worm:

    https://totalhash.cymru.com/analysis/?1fa45104b40630d08b83513cd2424ab72d79b0e1

    https://totalhash.cymru.com/analysis/?c14be28193a1e2abc6069a2bc057c41b5e38f855

    -EDIT- Eset detects both of these as PUAs. Don't know if that is appropriate or not for anything with worm capability.

    Also the worm aspect is secondary in concern. The primary concern is this bugger installs a backdoor on every device it infects. In my book, anything that can install a backdoor is definitely not a PUA.

  15. Researching this a bit further confirmed my suspicion that there is a worm version of Dexon. When it surfaced in 2016, Microsoft was the only major AV vendor that detected it: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Spraxeth.A

    This led me to the OPSWAT site that yielded the following file hash:

    DCAB729A04D58C0B1D4971A75F9A2410BCBEE117F8346DB25AEE0794BEBC1611

    https://metadefender.opswat.com/results#!/file/e34f6c0712ca497582bd47adb92b9639/regular/overview

    Submitting that file hash to VirusTotal yields that Eset does not detect it there: https://www.virustotal.com/#/file/dcab729a04d58c0b1d4971a75f9a2410bcbee117f8346db25aee0794bebc1611/detection

    Something for Eset to check out if the OP can submit a sample of it.

  16. On 11/6/2018 at 5:06 PM, CSA cucuta said:

    I tried to delete it manually by removing the root folder, but it comes back. The only solution I found was to install Malwarebytes and have it scan; it detects it and finishes, but when removing or stopping Malwarebytes this virus comes back.

    Hopefully you still have your MBAM logs? If so, check if MBAM recorded the hash value for agent.exe in the log file. If this hash exists, please post it in a forum reply. We can then check out what MBAM is actually detecting.

  17. 19 hours ago, TomFace said:

    Well changing the task to the logon/dial up setting did not make any changes:(.

    Short of Eset adding a trigger event to the Scheduler to detect establishment of a broadband network connection, which I honestly don't believe is going to happen, what you could do is the following. Once you establish your broadband network connection after boot time, log off and then log on again to Windows. This should trigger the existing Eset scheduler rule to check for updates at logon time.

  18. Assuming this malware was a result of an endpoint user download and installation, I will state this.

    Regardless of how the user responded to the Eset PUA alert, in corporate environments users need to be prevented from installing software, directly or indirectly, via appropriate Windows software restriction policies.
