Jump to content
Ian Ng

Warning about "https://list-cloud.com"

Recommended Posts

Today I keep received warning from ESET antivirus that an internet address is blocked, as the image below, eventhough my browsers closed. I am using Windows 10 and Chrome, Am I infected by malware or something??  Please help! Thank you.


Untitled-2.jpg.7c74385e0bf1ba3154e8e0ffd826c73b.jpg

Share this post


Link to post
Share on other sites

I am experiencing the same issue. First alert came about 8 hours ago, and alerts have kept coming regularly through the day even when browsers are all off. Using Windows 10.

Share this post


Link to post
Share on other sites

Currently we don't know what is accessing the site.  Unfortunately, there's no info about the registrant available:

Registrant Organization: Privacy Protect

Please provide me with ELC logs for perusal.

Share this post


Link to post
Share on other sites

Hi Macros,

Can you teach me how to get ESET Log Collector logs? 

 

Thank you.

Share this post


Link to post
Share on other sites
6 minutes ago, Ian Ng said:

Can you teach me how to get ESET Log Collector logs? 

Click on the "How do I use ESET Log Collector?" link shown in the FAQ section at the bottom of @Marcos's reply.

Edited by itman

Share this post


Link to post
Share on other sites

Marcos,

Here attached the log files. I wish it can help to solve the problem.

thank you.

eav_logs.zip

Share this post


Link to post
Share on other sites
9 minutes ago, Ian Ng said:

Here attached the log files. I wish it can help to solve the problem.

In your case the url was accessed by C:\Windows\SysWOW64\Microsoft\Protect\S-1-96-82\RB_1.4.42.60.exe  and Chome. Do you known what the application RB_1.4.42.60.exe is? If you don't use Chrome but another browser ideally without extensions, is the url still blocked?

 

Share this post


Link to post
Share on other sites

Oh, is that what it is? This is a game product that I installed recently. I will be sure to remove it. Thank you for your help!

Cheers,

Kevin

Share this post


Link to post
Share on other sites

I have no idea what is RB_1.4.42.60.exe, I didn't install game on chrome and my computer. I just add and app extension on chrome, I forgot its name, last week.

Share this post


Link to post
Share on other sites

I removed the programs mentioned and did a reboot. I thought I was in the clear, but I just received another warning a few minutes ago. I guess it must be something else. Please advise.

Thanks,

Kevin

Share this post


Link to post
Share on other sites

As far as this directory goes, C:\Windows\SysWOW64\Microsoft\Protect\S-1-96-82, I don't believe is a valid directory. There is a C:\Windows\System32\Microsoft\Protect\S-1-96-82 directory that is used for:

Quote

The Preferred file stores the Preferred Master Key GUID and a lifetime for that Master Key. When the lifetime expires a new Master Key is created and set to be Preferred. The old master key is retained in order to decrypt old data.

 

The Preferred Master Key is used by DPAPI as key material when generating symmetric keys that will be used to encrypt data. Any call to CryptProtectData or CryptUnprotectData will result in an access to this file.

 

For further understanding of the process please refer to the following article. Although it does not detail the storage locations, it describes the process for the OS.

 

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/windataprotection-dpapi.asp

https://social.technet.microsoft.com/Forums/windowsserver/en-US/2502aac1-0ba1-4a45-b1e4-aecb9191e64e/what-causes-the-cwindowssystem32microsoftprotects1518preferred-file-to-change?forum=winserversecurity

The above also might only apply to server OSes. I checked the System32 located directory on my PC and it is empty.

Edited by itman

Share this post


Link to post
Share on other sites

you guys are correct! the folder mentioned C:\Windows\SysWOW64\Microsoft\Protect is empty.

I believed I had infected by an unknown virus!

 

Share this post


Link to post
Share on other sites

I have the same issue since yesterday. XD

Share this post


Link to post
Share on other sites
12 hours ago, Ian Ng said:

you guys are correct! the folder mentioned C:\Windows\SysWOW64\Microsoft\Protect is empty.

To double verify this is the case, in Windows Explorer make sure it is set to display hidden files. Also, temporarily uncheck the option to hide OS system files.

Share this post


Link to post
Share on other sites

I always show hidden folders and files, as well as system files. So I am pretty sure the folder "C:\Windows\SysWOW64\Microsoft\Protect" is empty.

Share this post


Link to post
Share on other sites
6 hours ago, Ian Ng said:

I always show hidden folders and files, as well as system files. So I am pretty sure the folder "C:\Windows\SysWOW64\Microsoft\Protect" is empty.

The fact the directory is empty is in itself does not mean the malware is creating an executable there, running it, and then deleting it after execution.

What I advise is you create a HIPS User rule to monitor process startup in the "C:\Windows\SysWOW64\Microsoft\Protect\*" directory. 

Do the following:

1. Enter "User rule: xxxxxxxxxxxxxxxxxxxxx" in the Rule Name field where xxxxxxxxxxxxxxxxx is some name you chose .

2. In the "Operations affecting" section, select "Applications." 

2.  Set the "Action" field to "Ask" option.

3. Also enable the "Notify User" option setting.

4. Set "Logging Severity" option to "Warning." 

5. Click on the "Next" button.

6. In the Source Applications screen select "All applications."

7. Click on the "Next" button.

8. In the Application operations screen, select "Start new application."

9. Click on the "Next" button.

10. In the Applications screen, ensure "Specific applications" is shown. Then click on the "Add" button. Then enter the following:

                      C:\Windows\SysWOW64\Microsoft\Protect\*

Click on the "OK" button.

11. Click on the "Finish" button.

12. Important! Click on each "OK" button shown to save your HIPS rule.

13. Reenter the HIPS rules section and verify that that the rule was created.

This will generate an Eset HIPS alert if anything is attempting to execute from C:\Windows\SysWOW64\Microsoft\Protect\ or any subordinate directory.

Again, I don't believe this is a legitimate Windows directory but not 100% of that. The alert will show what process is trying to execute and what process is attempting to execute it. Make note of that. Also the activity will be show in the Eset log file. Then, I would respond "Allow" to the Eset alert lest we block by mistake some legit Win system activity. Finally if and when any alert activity occurs, post back with your findings along with a screen shot of the related Eset HIPS log entry.

Edited by itman

Share this post


Link to post
Share on other sites

Thank you itman, I had set up HIPS ruler and waiting for results.

BTW, A new warning was shown. Something was trying to connect to an address "https://list-cloud.icu"

Share this post


Link to post
Share on other sites
45 minutes ago, Ian Ng said:

Thank you itman, I had set up HIPS ruler and waiting for results.

BTW, A new warning was shown. Something was trying to connect to an address "https://list-cloud.icu"

Same here. The URL switched to *.icu starting just recently after some hours of limited activity the previous day.

Share this post


Link to post
Share on other sites

I followed itmen's instructions set up a new HIPS, and just minutes ago, a warning is shown. Antivirus intersected and activity of "C:\Windows\SysWOW64\Microsoft\Protect\S-1-96-82\RB_1.4.42.60.exe". I had a new log file and post here. 

eav_logs.zip

Share this post


Link to post
Share on other sites
4 hours ago, Ian Ng said:

Thank you itman, I had set up HIPS ruler and waiting for results.

BTW, A new warning was shown. Something was trying to connect to an address "https://list-cloud.icu"

same here... XD still cant found the culprit. :D

Share this post


Link to post
Share on other sites
15 hours ago, Ian Ng said:

Thank you itman, I had set up HIPS ruler and waiting for results.

BTW, A new warning was shown. Something was trying to connect to an address "https://list-cloud.icu"

 

13 hours ago, Ian Ng said:

I followed itmen's instructions set up a new HIPS, and just minutes ago, a warning is shown. Antivirus intersected and activity of "C:\Windows\SysWOW64\Microsoft\Protect\S-1-96-82\RB_1.4.42.60.exe". I had a new log file and post here. 

eav_logs.zip

This is a bit puzzling. Appears a connection was attempted and blocked and no HIPS alert was generated prior to this activity? Then 2 hours latter, the HIPS alert was generated when RB_1.4.42.60.exe attempted to execute. Is this correct?

To begin with please post a screen shot of the HIPS event log entry so we can see what is starting the .exe. Only Eset moderators can read posting attachments.

At this point, it appears that the execution of RB_1.4.42.60.exe and Eset URL web site blocking are not directly related. If the RB_1.4.42.60.exe file still exists, I would submit it to VirusTotal, https://www.virustotal.com/#/home/upload , for a scan. If there are not multiple AV solution detections for the file, it can be assumed the creation of this file is not the cause for the Eset URL blocking.

Edited by itman

Share this post


Link to post
Share on other sites

To add to the mystery, I just submitted list-cloud.com to Quttera for a malware scan and it came back 100% clean; not even any suspicious files there.

Appears perhaps this domain name was inadvertently added to Eset's botnet blacklist perhaps?

Share this post


Link to post
Share on other sites
21 minutes ago, itman said:

To add to the mystery, I just submitted list-cloud.com to Quttera for a malware scan and it came back 100% clean; not even any suspicious files there.

Appears perhaps this domain name was inadvertently added to Eset's botnet blacklist perhaps?

CyRadar & Forcepoint ThreatSeeker reports the domain as Malicious , scanned through virustotal

Share this post


Link to post
Share on other sites
1 hour ago, Rami said:

CyRadar & Forcepoint ThreatSeeker reports the domain as Malicious , scanned through virustotal

2 of 70 detections would be 'chalked up" as a false positive. Also of note is NOD32 on VT does not detect it as malicious.  

Edited by itman

Share this post


Link to post
Share on other sites

Indeed ESET states it as CLEAR

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×