Clinton Babi 0 Posted September 24, 2017

Dears,

I am always getting this notification. Tried scanning and removing items using AdwCleaner; it cleans, but when I restart it's the same situation. ESET couldn't find any threats so far. I am using the ESET Endpoint Security solution in my entity. Requesting your support.

Thanks and Regards,
Clinton
itman 1,746 Posted September 24, 2017 (edited)

That IP address is associated with this network provider, CHINANET jiangsu province network, China Telecom, A12 Xin-Jie-Kou-Wai Street, Beijing 100088, and the following domains:

17yuetuan.com
bthte.com
lohaoshop.com
ctj.33ysw.com
down.9vh.net
down.w7q.net

Believe what you have is a bit more than adware. You state that the Eset alert appears when you restart. I assume that means when the device is booted w/o any browser connection established?

For the time being, I would create a firewall rule to block any inbound/outbound traffic to that IP address. Make sure you specify logging in the firewall rule since that will indicate what process is dialing out. If you keep getting alerts from IP addresses in the same range, change the IP address in the firewall rule to 222.186.60.0/24, which is the range assigned to the network provider. Post back with a screenshot of the firewall log showing the detail of the blocked IP address event. If the source process is different, also post those events.

-EDIT- Eset's log files should also currently have event entries for the alerts you have been receiving. Those will tell you the process that is causing the alerts to be generated.

Edited September 24, 2017 by itman
Clinton Babi 0 Posted September 25, 2017 (Author)

Dear ITman,

Thanks a lot for the response. Please check the alert details below. Could you please guide me on how to get rid of this?

Best Regards,
Clinton
itman 1,746 Posted September 25, 2017 (edited)

-EDIT- I forgot to ask this. Are you running CCleaner on the affected device? If so, are you aware of the recent malware incident involving it? If so, did you have the infected vers. installed on the device?

You can try a scan with the free ver. of Malwarebytes Anti-Malware. If it doesn't detect anything or doesn't resolve the issue, download Autoruns from here: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns . While on the web page you can read Microsoft's write-up on it. Autoruns does not need to be installed; just unzipped.

Note: It is strongly advised to create a registry backup prior to performing any Autoruns modifications. If not done, see the note below.

Run Autoruns.exe as admin. Once it is open, do the following:

1. Click on the Options tab and ensure the only thing checkmarked is "Hide Empty Locations."
2. With the Options tab still open, scroll down to "Scan Options", checkmark "Check Virustotal.com" and click on the rescan tab. What this does is verify all that is shown by Autoruns using the scan engines at VirusTotal.

Autoruns flags suspicious entries by highlighting them in red. For these, the VirusTotal scan detection score is helpful in determining malicious status. Note that low detection scores are usually indicative of a false positive.

The first few registry entries shown by Autoruns pertain to what is run at system startup time: Startup/Winlogon/Run keys. So you want to closely examine those. Next you want to examine any registry key entries with "Explorer" contained within them, since it appears the malware is running from an Explorer shell. Also closely examine the entries shown in the Task Scheduler section.

Note: The recommended procedure for dealing with suspect items using Autoruns is to only "uncheck" the registry key. This will deactivate it but leave the key still in place in the registry. This way, if something gets "borked," you can always re-check the item to activate it again. Also make sure you keep a log of what you are changing so you have a reference to reverse changes. It is also advisable to perform changes in increments to minimize any adverse effects from those changes. Remember you need to reboot for the registry changes to take effect.

Finally, if you still can't identify the malware source, create an Eset firewall rule to block all inbound and outbound activity for C:\Windows\explorer.exe for the IP address shown in the Eset log or the entire China network provider IP range I posted previously. You also need to clean out your "Filtered web site" log since it contains over 10,000 entries.

Edited September 26, 2017 by itman
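The two itman posts above describe the same triage step twice: log the blocked traffic to the provider range 222.186.60.0/24 and read the log to see which local process is dialing out (and, as the thread later notes, on which ports). The script below is an added example, not code from the thread or from ESET; it applies that analysis to a few constructed log lines in a hypothetical generic layout ("timestamp; direction; process; remote_ip:port; action"), which is not ESET's real log format. The process paths and addresses in the sample are constructed except for the /24 range quoted in the thread.

```python
import ipaddress
from collections import defaultdict

# Provider range quoted in the thread (CHINANET Jiangsu); the single alerting IP sits inside it.
PROVIDER_RANGE = ipaddress.ip_network("222.186.60.0/24")

# Constructed sample firewall log lines (hypothetical layout, NOT ESET's real format):
#   timestamp; direction; local process; remote_ip:port; action
SAMPLE_LOG = """\
2017-09-25 09:12:01; out; C:\\Windows\\explorer.exe; 222.186.60.61:8080; blocked
2017-09-25 09:12:05; out; C:\\Program Files\\Mozilla Firefox\\firefox.exe; 93.184.216.34:443; allowed
2017-09-25 09:12:09; out; C:\\Windows\\explorer.exe; 222.186.60.61:443; blocked
2017-09-25 09:13:41; out; C:\\Users\\user\\AppData\\Roaming\\upd\\svc.exe; 222.186.60.9:80; blocked
2017-09-25 09:14:00; in;  C:\\Windows\\System32\\svchost.exe; 10.0.0.5:137; allowed
"""


def parse_line(line):
    """Split one log line into its fields; returns None for blank or malformed lines."""
    parts = [p.strip() for p in line.split(";")]
    if len(parts) != 5:
        return None
    timestamp, direction, process, remote, action = parts
    host, _, port = remote.rpartition(":")
    if not host or not port.isdigit():
        return None
    return {
        "timestamp": timestamp,
        "direction": direction,
        "process": process,
        "remote_ip": host,
        "remote_port": int(port),
        "action": action,
    }


def in_range(ip, network=PROVIDER_RANGE):
    """True when the address lies inside the provider range; unparsable strings are False."""
    try:
        return ipaddress.ip_address(ip) in network
    except ValueError:
        return False


def summarize_by_process(log_text, network=PROVIDER_RANGE):
    """Group every hit against the range by local process: hit count, remote ports, directions.

    The process with the most hits is the one "dialing out"; several distinct ports
    for one process is the pattern the thread later remarks on.
    """
    summary = defaultdict(lambda: {"hits": 0, "ports": set(), "directions": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not in_range(rec["remote_ip"], network):
            continue
        entry = summary[rec["process"]]
        entry["hits"] += 1
        entry["ports"].add(rec["remote_port"])
        entry["directions"].add(rec["direction"])
    # Sorted lists give stable, comparable output.
    return {
        proc: {
            "hits": e["hits"],
            "ports": sorted(e["ports"]),
            "directions": sorted(e["directions"]),
        }
        for proc, e in summary.items()
    }


if __name__ == "__main__":
    report = summarize_by_process(SAMPLE_LOG)
    for proc, info in sorted(report.items(), key=lambda kv: -kv[1]["hits"]):
        print(f"{info['hits']:3d} hits  ports={info['ports']}  {proc}")
```

Run it against an exported log with the same five-field layout (or adapt `parse_line` to the real column order) and the process at the top of the report is the one to look for in Autoruns; a user-profile path such as the constructed `svc.exe` entry deserves more suspicion than a signed system binary like explorer.exe, which may merely be hosting a malicious shell extension.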
Clinton Babi 0 Posted September 27, 2017 (Author, edited)

Dear ITman,

Thanks again. I was waiting to get maximum details to share with you. I haven't installed CCleaner. Here are the results.

Scanned with the free version of Malwarebytes and got the following results. Cleaned it and got rid of a few things but not all. Now Malwarebytes shows a clean report.

Please find the alerts below from ESET and Malwarebytes. Malwarebytes gives more accurate information, it seems. Why are they showing different IPs? It kept coming. Then I worked with Autoruns and unchecked every red-marked entry, but I am still getting the alerts.

1. Why is ESET unable to find these malwares like Malwarebytes does?
2. I would like to know whether the hacker succeeded in getting data from my PC.

Requesting your quick support, thanks in advance.

Best Regards,
Clinton

Edited September 27, 2017 by Clinton Babi
itman 1,746 Posted September 27, 2017

After making the Autoruns changes, did you reboot? Also, depending on your OS version, some reg changes will not take effect until the first subsequent cold boot.

As far as the different IP addresses being detected by MBAM and Eset, it could be MBAM is detecting something ESET is not. Each vendor maintains their own database of blacklisted IP addresses.
Clinton Babi 0 Posted September 27, 2017 (Author)

Thanks for the response, ITman. Hope you have noticed it is trying to access different ports. FYI, the OS is Windows 10 Pro and I did a normal restart. ESET clearly failed to detect many of them. Could you please help me further?
itman 1,746 Posted September 27, 2017

At this point, I recommend you contact Eset tech support for additional assistance. Post the URL for this thread in your request so they can use it for reference.
Clinton Babi 0 Posted September 27, 2017 (Author)

Okay, will do that. Thanks for all the support. Good day!
itman 1,746 Posted September 27, 2017 (edited)

Here is also a self-help guide from malwaretips.com on how to manually remove Chinese-based adware, aka the Chinad detection you received from MBAM: https://malwaretips.com/blogs/remove-adware-chinad/. Since you are a paid Eset customer, I would use their tech support first. Also, please be careful when installing software and do pay attention to PUA-type alerts from Eset.

Edited September 27, 2017 by itman