Jump to content

Frequently receiving notification of blocked website

Moneesh

By Moneesh
in Malware Finding and Cleaning

 Share

Recommended Posts

Moneesh

Moneesh 0

Posted
Posted

Hi,

i am frequently receiving notification from  eset  of a website that it is blocking. I don't know what application in my PC is trying to access this website. Please help. I have attached a screenshot of this.

image.png

Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted
2 hours ago, Moneesh said:

I don't know what application in my PC is trying to access this website.

If you expand the "Application" column in the log, it will show you the full path name for the source app Eset is detecting.

Eset also shows the source app in the desktop alert generated if you click on the "Details" section in the alert.

Link to comment
Share on other sites
Moneesh

Moneesh 0

Posted
  • Author
Posted
14 hours ago, itman said:

If you expand the "Application" column in the log, it will show you the full path name for the source app Eset is detecting.

Eset also shows the source app in the desktop alert generated if you click on the "Details" section in the alert.

The application column shows the following:

C:\Windows\SysWOW64\dllhost.exe

Now, what action do you suggest i follow ? should i delete the file ? i don't have any experience regarding system files.

Link to comment
Share on other sites
Moneesh

Moneesh 0

Posted
  • Author
Posted
14 hours ago, Marcos said:

Please create another Procmon log but from a boot. The instructions are available at https://support.eset.com/kb6308 - section Gather boot log files.

@Marcos, here is the boot log file. But eset is not showing notifications today. I have done nothing to stop this. Will it start again in future ? 

 

Link to comment
Share on other sites
  • Administrators
Marcos

Marcos 5,072

Posted
  • Administrators
Posted

The Procmon log was corrupt, most likely it was not closed properly. Try to generate it again and open it in Procmon then as well to make sure that it was saved alright before you supply it to me.

Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted

This is interesting. The IP address, 51.15.90.178, associated with the URL blacklisted is in Paris, France and appears to be associated with a gov. web site; UK Government Department for Work and Pensions. A UK gov. web site hosted in France?

In any case, a web connection from C:\Windows\SysWOW64\dllhost.exe definitely is not normal. For the time being, you could create an firewall rule to block all TCP/UDP traffic inbound/outbound for IP address 51.15.90.178. Once it is determined what is causing the dllhost.exe traffic, you can delete the firewall rule.

Link to comment
Share on other sites
Moneesh

Moneesh 0

Posted
  • Author
Posted

@itman i don't from where did u get all that but i'm certainly going to block that ip address just incase. Those were some scary lines i just read. Thank you for the concern. Now i just i have figure out how to block "all TCP/UDP traffic inbound/outbound for IP address 51.15.90.178".

Link to comment
Share on other sites
  • Administrators
Marcos

Marcos 5,072

Posted
  • Administrators
Posted

I would suggest temporarily uninstalling EAV and installing ESET Internet Security while we are trying to find the root cause. It could be that the machine is not fully patched and the computer is getting re-infected from a remote machine . Since EAV doesn't include Network attack protection, it cannot detect and block possible exploitation of vulnerabilities in network protocols. Also please provide me with the logs generated by this tool.

According to the logs there was TinukeBot trojan detected in memory as well as Win32/Kryptik.GOUM, Win64/CoinMiner.MN and PowerShell/Kryptik.H trojan  detected on the disk and cleaned.

Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted

I did a bit of research yesterday in dllhost.exe usage. It is associated with COM processing. Malicious browser extensions will employ COM. So I would be suspect of any recent Chrome extensions installed or the like.

Link to comment
Share on other sites
Moneesh

Moneesh 0

Posted
  • Author
Posted (edited)

@Marcos Link to the tool you mentioned, it does not work. And btw, i have created a firewall rule to block anything inbound/outbound related to the IP address 51.15.90.178.

Edited by Moneesh
Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted
9 hours ago, Moneesh said:

i have created a firewall rule to block anything inbound/outbound related to the IP address 51.15.90.178.

Did that stop the Eset alerts you were receiving?

Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted

As far as the TinukeBot trojan, Symantec has a write up on it dating to 2017. It is a backdoor and probably what is establishing the remote C&C connection. That variant was run via:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"" = "%AppData%\[RANDOM NUMBERS FOLDER NAME]\[RANDOM NUMBERS FILE NAME].exe"

So it might be worth a look at the registry run keys; especially the HKEY_CURRENT_USER ones.

Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted (edited)

Pretty sure this is the bugger: https://www.virusradar.com/en/Win32_Tinukebot.B/description since its using dllhost.exe:

Quote

The trojan creates and runs a new thread with its own program code within the following processes:

%system%\­dllhost.exe

And again, starts from:

Quote

In order to be executed on every system start, the trojan sets the following Registry entry:

[HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]

"%variable1%" = "%appdata%\­%variable1%\­%variable1%.exe"

 

Edited by itman
Link to comment
Share on other sites
Moneesh

Moneesh 0

Posted
  • Author
Posted
On 1/24/2019 at 8:25 PM, itman said:

Did that stop the Eset alerts you were receiving?

@itman Notifications from eset halted even before i created the firewall rules. maybe eset took care of the virus. About the registry, i cud not find anything of that sort of entry. Here's the screenshot.

image.thumb.png.61573ee98dee78961055ad0fb42e6313.png

Link to comment
Share on other sites
Moneesh

Moneesh 0

Posted
  • Author
Posted (edited)

@Marcos link is broken. Upon clicking the link, a .exe file was downloaded but the file does not run while trying to open it. 

 

But i searched for Eset Vulnerability Checker and ran the application and i got this,

 

image.thumb.png.62a528570b59314a0d55a880c9cc5bb5.jpg

Edited by Moneesh
Link to comment
Share on other sites
  • Administrators
Marcos

Marcos 5,072

Posted
  • Administrators
Posted

I can download the tool from the links above. The tool you run is a different one - ESET EternalBlue Vulnerability Checker. Obviously your computer is vulnerable to EternalBlue exploits.

Please install all important and critical patches for the OS, especially this one: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010

 

Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted
6 hours ago, Moneesh said:

But i searched for Eset Vulnerability Checker and ran the application and i got this,

As posted above, here's the download link: ftp://ftp.nod.sk/samples/svchecker/ESETSysVulnCheck.exe

Right click on the downloaded file and run it as administrator. It will create a zipped file in your Downloads folder. Attach that to your reply.

After seeing you are still vulnerable to the EternalBlue exploit, I am "bowing out" from any further replies.

Link to comment
Share on other sites
Moneesh

Moneesh 0

Posted
  • Author
Posted
3 hours ago, Marcos said:

I can download the tool from the links above. 

@Marcos  even i can download the file but when i open the file, it does nothing. A cmd window opens for half a second and nothing else happens.

Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...