itman

Most Valued Members · Posts: 12,836 · Days Won: 337

Posts posted by itman

  1. Per the Process Explorer screenshot you posted. Click on the Explore tab next to the PowerShell AutoStart Location. Does it point to the WMI consumer event? If not, delete it from wherever it is located. If that doesn't stop the activity, then do the following.

    For the time being, and assuming you don't use PowerShell for anything, just create a HIPS user rule to block startup of C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.

    -EDIT- Also create an Eset firewall rule to block any outbound communication from C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.

  2. 2 hours ago, dandodds said:

    We need some help removing the same powershell infection that has been reported last year where the CPU runs at 100%.

    This is usually indicative of a coin miner.

    You can also try SysInternals Autoruns: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns. Download and unzip the folder; no installation required. Click on the WMI tab and see if anything is shown.
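As an added example (not itman's code, nor anything from ESET or Sysinternals), the Autoruns WMI-tab check and the Process Explorer autostart check from the two posts above can be scripted. This PowerShell snippet lists the permanent WMI event filters, consumers and bindings in the root\subscription namespace, flags any consumer whose command line or script launches powershell.exe, and shows the removal step with -WhatIf so nothing is deleted until you drop that switch. The namespace and class names are standard WMI; the 'powershell' match pattern is an assumption about what the miner's consumer looks like.

```powershell
# Added example: enumerate WMI permanent event subscriptions (the persistence
# mechanism discussed above) and flag consumers that launch powershell.exe.
# Run from an elevated PowerShell prompt on the affected machine.

$ns = 'root\subscription'

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

"=== Event filters (what triggers the consumer) ==="
$filters | Format-Table Name, Query -AutoSize -Wrap

"=== Event consumers (what gets executed) ==="
$consumers | ForEach-Object {
    [PSCustomObject]@{
        Name  = $_.Name
        Class = $_.CimClass.CimClassName
        # CommandLineEventConsumer carries CommandLineTemplate,
        # ActiveScriptEventConsumer carries ScriptText; other classes carry neither.
        Payload = if ($_.CommandLineTemplate) { $_.CommandLineTemplate }
                  elseif ($_.ScriptText)     { $_.ScriptText }
                  else                       { '' }
    }
} | Format-Table -AutoSize -Wrap

"=== Bindings (filter -> consumer) ==="
$bindings | ForEach-Object {
    [PSCustomObject]@{ Filter = $_.Filter.Name; Consumer = $_.Consumer.Name }
} | Format-Table -AutoSize

# Assumption: the miner's consumer references powershell somewhere in its payload.
$suspicious = $consumers | Where-Object {
    ($_.CommandLineTemplate -match 'powershell') -or ($_.ScriptText -match 'powershell')
}

if ($suspicious) {
    "Suspicious consumers found:"
    $suspicious | Select-Object Name | Format-Table -AutoSize

    # Removal order: binding first, then the consumer. -WhatIf only reports what
    # would be removed; drop it once you have confirmed the entries are not yours.
    foreach ($c in $suspicious) {
        $bindings | Where-Object { $_.Consumer.Name -eq $c.Name } | Remove-CimInstance -WhatIf
        $c | Remove-CimInstance -WhatIf
    }
    "Re-run without -WhatIf on the Remove-CimInstance calls to actually delete them."
} else {
    "No PowerShell-launching WMI consumers found."
}
```

The filter a flagged consumer is bound to is usually worth removing as well (it is a separate __EventFilter instance, listed in the first table); the script leaves it in place so you can confirm nothing legitimate shares it.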

  3. On 3/6/2019 at 7:46 PM, Tatiana said:

    I was doing tests because this has happened to us before with some clients. In all the tests I have done, the computers have UEFI. For example, a client has 1000 PCs and this happens on 50 PCs despite having the same configurations; in fact, in my test environment I have machines where I enable Computrace and have strict security options and do not detect it, and on others I do.

    One final comment.

    What you are doing is ill advised to say the least. Refer to the LoJax mitigation section of the Eset .pdf link I posted previously. Re-flashing the UEFI doesn't always remove LoJax in which case, the only alternative is to replace the motherboard.

  4. Continuing my prior posting, I realized I didn't answer your question why Eset is detecting LoJax on some network notebook devices but not others.

    My best guess is:

    1. The attacker entered your network remotely; most likely via RDP.

    2. The attacker dropped an undetected worm into the network.

    In either case, the attacker was able to infect devices currently attached to the network.

    So my assumption as to why some devices were not infected with LoJax is they were not actively connected to the network at the time of the attack. Another possibility is the uninfected devices are newer Lenovo notebooks. Lenovo has patched the UEFI to prevent a LoJax infection although I have no direct knowledge this is the case.

  5. 14 hours ago, Purpleroses said:

    I was just wondering if it is alright for it to do it before the scheduled time? What did you do, itman, to get it to work at the right time?

    Slightly change the existing run time. I changed mine from 6:00:15 PM to 6:00:16 PM, for example. Save your change.

    The Log maintenance scan will immediately start running since its missed scan option is set to run ASAP. Believe this is also a bug but doesn't cause any harm. Thereafter, the scan will run at its scheduled time.

  6. 13 hours ago, mmatthe8667 said:

    Would we know why it's trying to contact those sites, since the exe is from the PowerISO site?

    One benign reason is the software is trying to update itself. It should have an option to change/disable auto updating. Disable auto update and if the outbound connections cease, you have resolved the issue.

    If the outbound connections persist, it could be indicative of malicious or other undesirable activity.

  7. 1 hour ago, Tatiana said:

    The Lenovo machines with which I am testing have the module turned on, and some are detected by ESET and others are not.

    Appears it boils down to what Eset is detecting when it pertains to LoJax: https://www.eset.com/us/about/newsroom/corporate-blog/what-you-need-to-know-about-lojax-the-new-stealthy-malware-from-fancy-bear/.

    In the Lenovo forum link I previously posted, Absolute, the software vendor, discusses how Computrace functions. Without its monitoring service:

    Quote

    The Computrace service is purchased as a separate option and the monitoring Server will enable its agent security module through an interface provided by the BIOS. The Computrace tracking agent can only be used in the US, UK, Canada, and Australia. Computrace(R) and Absolute(R) are registered trademarks of Absolute Software Corporation.

    it appears the code implemented in the UEFI firmware does nothing. Assumed is the code in the firmware will only connect to Absolute's monitoring servers.

    Note that the legit version of Computrace's firmware code is named LoJack. The malicious version is named LoJax. Here's an Eset technical write-up on LoJax: https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf. Bottom line - just because there are settings in a device's UEFI indicating Computrace is installed does not mean that you are infected with the LoJax malware.

  8. 31 minutes ago, mmatthe8667 said:

    www.tivatuddpnoheni.com goes to 95.211.184.67

    Appears the IPs are associated with a domain server - per Robtex:

    Quote

    The IP number is in Netherlands. It is hosted by LEASEWEB.

    That server appears to have one or more malicious domains associated with the domains it is hosting:

    Quote

    We investigated 100 host names that point to 95.211.184.67 . Example: cdneu.dadafarada.com, img.conicono.com, img.yepabonocemm.com and cdneu.appchucklegift.com. We estimate that it is used as ip number by 161 host names.

    Quote

    THREATMINER - threat information such as viruses etc.

    Last Seen            URL
    2016-05-20 02:06:45  http://cdneu.dolphinmemory.com/products/PDF-Reader-v2.cis
    2016-05-07 06:04:22  http://cdneu.tokoholapisa.com/ofr/Solululadul/asgnd.cis
    2016-02-07 10:47:46  http://img.mydivcdn.com/img/CH_logo_new.png
    2016-01-22 07:47:47  http://img.sourceforgecdn.com/img/Rerarapepe/Rerarapepe_b.png

  9. 15 minutes ago, mmatthe8667 said:

    hxxp://www.tivatuddpnoheni.com/ofr/Solululadul/osutils.cis;Blocked by internal IP blacklist;E:\PowerISO\PowerISO7-x64.exe;THE-BREWERY

    hxxp://www.tivatuddpnoheni.com;Blocked by internal IP blacklist;E:\PowerISO\PowerISO7-x64.exe;THE-BREWERY

    hxxp://www.tivatuddpnoheni.com/ofr/Solululadul/icc_v5_8.cis;Blocked by internal IP blacklist;E:\PowerISO\PowerISO7-x64.exe;THE-BREWERY

    You also need to post the IP addresses associated with these alerts. It's possible a redirect is going on.

  10. 16 minutes ago, TomFace said:

    No log entry for my scheduled scan. The only log entry is from a manually requested scan via...

    OK. I just modified my scheduled scan to run today at 11:25 AM. Will report back after the scan runs on whether it created a log entry with details provided.

    A short time ago, I received a modules update. What I now observe when modifying an existing scan run time is it doesn't start running the scan immediately when saving my changes. So it appears Eset fixed that issue.

  11. 13 hours ago, marintaxpro said:

    Every machine purchased in the past 10 years has had the issue, and I've spent a fortune on live, remote and program attempts to fix it.

    What your narrative describes is akin to something out of a malware sci-fi horror movie. Are you stating that every device you have connected to your network in the last 10 years has been affected by what you posted?
