Moneesh, posted January 21, 2019:
Hi, I am frequently receiving a notification from ESET about a website that it is blocking. I don't know what application on my PC is trying to access this website. Please help. I have attached a screenshot of this.
Marcos (Administrator), posted January 21, 2019:
Please provide logs gathered with ESET Log Collector to start off.
Moneesh, posted January 21, 2019:
Hey @Marcos, thanks for the response. I was not sure which kind of activity logs I should be posting, so I ticked all the boxes.
Attachment: eav_logs.zip
itman, posted January 21, 2019:
> Moneesh said (2 hours ago): I don't know what application in my PC is trying to access this website.
If you expand the "Application" column in the log, it will show you the full path name of the source app ESET is detecting. ESET also shows the source app in the desktop alert if you click on the "Details" section of the alert.
Marcos (Administrator), posted January 21, 2019:
Please create another Procmon log, but from a boot. The instructions are available at https://support.eset.com/kb6308, section "Gather boot log files".
Moneesh, posted January 22, 2019:
> itman said (14 hours ago): If you expand the "Application" column in the log, it will show you the full path name of the source app ESET is detecting. ESET also shows the source app in the desktop alert if you click on the "Details" section of the alert.
The Application column shows the following: C:\Windows\SysWOW64\dllhost.exe. Now, what action do you suggest I take? Should I delete the file? I don't have any experience with system files.
Moneesh, posted January 22, 2019:
> Marcos said (14 hours ago): Please create another Procmon log, but from a boot. The instructions are available at https://support.eset.com/kb6308, section "Gather boot log files".
@Marcos, here is the boot log file. But ESET is not showing notifications today. I have done nothing to stop this. Will it start again in the future?
Marcos (Administrator), posted January 22, 2019:
The Procmon log was corrupt; most likely it was not closed properly. Try to generate it again, and open it in Procmon as well to make sure that it was saved correctly before you supply it to me.
Moneesh, posted January 22, 2019:
@Marcos, here is the file again.
Attachment: Bootlog-1.zip
itman, posted January 22, 2019:
This is interesting. The IP address associated with the blacklisted URL, 51.15.90.178, is in Paris, France and appears to be associated with a government web site: the UK Government Department for Work and Pensions. A UK government web site hosted in France? In any case, a web connection from C:\Windows\SysWOW64\dllhost.exe is definitely not normal. For the time being, you could create a firewall rule to block all TCP/UDP traffic inbound/outbound for IP address 51.15.90.178. Once it is determined what is causing the dllhost.exe traffic, you can delete the firewall rule.
Moneesh, posted January 23, 2019:
@itman, I don't know where you got all that from, but I'm certainly going to block that IP address just in case. Those were some scary lines I just read. Thank you for the concern. Now I just have to figure out how to block "all TCP/UDP traffic inbound/outbound for IP address 51.15.90.178".
Marcos (Administrator), posted January 23, 2019:
I would suggest temporarily uninstalling EAV and installing ESET Internet Security while we are trying to find the root cause. It could be that the machine is not fully patched and the computer is getting re-infected from a remote machine. Since EAV doesn't include Network attack protection, it cannot detect and block possible exploitation of vulnerabilities in network protocols. Also, please provide me with the logs generated by this tool. According to the logs, a TinukeBot trojan was detected in memory, and Win32/Kryptik.GOUM, Win64/CoinMiner.MN and PowerShell/Kryptik.H trojans were detected on the disk and cleaned.
itman, posted January 23, 2019:
I did a bit of research yesterday on dllhost.exe usage. It is associated with COM processing. Malicious browser extensions will employ COM. So I would be suspicious of any recently installed Chrome extensions or the like.
itman, posted January 23, 2019:
@Marcos, since this activity appears to be COM based, check the logs for the existence/activity of any WMI consumer or command event.
Moneesh, posted January 24, 2019 (edited January 24, 2019 by Moneesh):
@Marcos, the link to the tool you mentioned does not work. And by the way, I have created a firewall rule to block anything inbound/outbound related to the IP address 51.15.90.178.
stackz (ESET Insider), posted January 24, 2019:
Here's the fixed link to the tool: ftp://ftp.nod.sk/samples/svchecker/ESETSysVulnCheck.exe
itman, posted January 24, 2019:
> Moneesh said (9 hours ago): I have created a firewall rule to block anything inbound/outbound related to the IP address 51.15.90.178.
Did that stop the ESET alerts you were receiving?
itman, posted January 24, 2019:
As for the TinukeBot trojan, Symantec has a write-up on it dating to 2017. It is a backdoor and probably what is establishing the remote C&C connection. That variant was run via:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"" = "%AppData%\[RANDOM NUMBERS FOLDER NAME]\[RANDOM NUMBERS FILE NAME].exe"
So it might be worth a look at the registry Run keys, especially the HKEY_CURRENT_USER ones.
itman, posted January 25, 2019 (edited January 25, 2019 by itman):
Pretty sure this is the bugger: https://www.virusradar.com/en/Win32_Tinukebot.B/description, since it's using dllhost.exe:
> The trojan creates and runs a new thread with its own program code within the following processes: %system%\dllhost.exe
And again, it starts from:
> In order to be executed on every system start, the trojan sets the following Registry entry: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "%variable1%" = "%appdata%\%variable1%\%variable1%.exe"
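A triage script for the two indicators discussed in this thread, added here as an example and not code from itman, ESET or the virusradar write-up: it lists established TCP connections owned by dllhost.exe (with the process path, so a SysWOW64 instance is visible) and Run/RunOnce entries whose command resolves into %AppData%, the persistence location quoted above. It assumes Windows PowerShell 5.1 or later with the built-in NetTCPIP module, and should be run from an elevated prompt so that process paths are readable.

```powershell
# Added example (not from the thread): triage for the dllhost.exe connection and the
# HKCU Run-key persistence pattern described above. Assumes Windows PowerShell 5.1+.

# 1. Established TCP connections whose owning process is dllhost.exe.
function Get-DllhostConnections {
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            if ($proc -and $proc.ProcessName -eq 'dllhost') {
                [pscustomobject]@{
                    Pid           = $_.OwningProcess
                    Path          = $proc.Path          # e.g. C:\Windows\SysWOW64\dllhost.exe
                    RemoteAddress = $_.RemoteAddress
                    RemotePort    = $_.RemotePort
                }
            }
        }
}

# 2. Run/RunOnce values whose command, after expanding %VARS%, points into %AppData%.
function Get-SuspiciousRunEntries {
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Properties PowerShell adds to every Get-ItemProperty result; not registry values.
    $psMeta  = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    $appData = [Environment]::GetFolderPath('ApplicationData')   # the Roaming %AppData% folder
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($psMeta -contains $prop.Name) { continue }
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$prop.Value)
            if ($cmd -like "$appData*" -or $cmd -like '*\AppData\Roaming\*') {
                [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = $cmd }
            }
        }
    }
}

Get-DllhostConnections   | Format-Table -AutoSize
Get-SuspiciousRunEntries | Format-Table -AutoSize
```

An empty second table is what Moneesh's screenshot would correspond to; a hit there should be compared with the quoted "%appdata%\%variable1%\%variable1%.exe" pattern before anything is deleted.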
Moneesh, posted January 27, 2019:
> itman said (on 1/24/2019 at 8:25 PM): Did that stop the ESET alerts you were receiving?
@itman, notifications from ESET halted even before I created the firewall rules. Maybe ESET took care of the virus. About the registry, I could not find any entry of that sort. Here's the screenshot.
Marcos (Administrator), posted January 27, 2019:
@Moneesh, I am still waiting for logs from the ESET System Vulnerability Checker tool so that I can provide you with further instructions.
Moneesh, posted January 27, 2019 (edited January 27, 2019 by Moneesh):
@Marcos, the link is broken. Upon clicking the link, a .exe file was downloaded, but the file does not run when I try to open it. But I searched for ESET Vulnerability Checker and ran the application, and I got this:
Marcos (Administrator), posted January 27, 2019:
I can download the tool from the links above. The tool you ran is a different one: ESET EternalBlue Vulnerability Checker. Obviously your computer is vulnerable to EternalBlue exploits. Please install all important and critical patches for the OS, especially this one: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010
itman, posted January 27, 2019:
> Moneesh said (6 hours ago): But I searched for ESET Vulnerability Checker and ran the application, and I got this:
As posted above, here's the download link: ftp://ftp.nod.sk/samples/svchecker/ESETSysVulnCheck.exe
Right-click on the downloaded file and run it as administrator. It will create a zipped file in your Downloads folder. Attach that to your reply. After seeing you are still vulnerable to the EternalBlue exploit, I am "bowing out" from any further replies.
Moneesh, posted January 27, 2019:
> Marcos said (3 hours ago): I can download the tool from the links above.
@Marcos, I can download the file too, but when I open the file, it does nothing. A cmd window opens for half a second and nothing else happens.