Moneesh

Frequently receiving notification of blocked website


Hi,

I am frequently receiving notifications from ESET about a website that it is blocking. I don't know what application on my PC is trying to access this website. Please help. I have attached a screenshot of this.


Please provide logs gathered with ESET Log Collector to start off.


Hey @Marcos, thanks for the response. I was not sure which kind of activity logs I should be posting, so I ticked all the boxes.

eav_logs.zip

2 hours ago, Moneesh said:

I don't know what application in my PC is trying to access this website.

If you expand the "Application" column in the log, it will show you the full path name for the source app Eset is detecting.

Eset also shows the source app in the desktop alert generated if you click on the "Details" section in the alert.

14 hours ago, itman said:

If you expand the "Application" column in the log, it will show you the full path name for the source app Eset is detecting.

Eset also shows the source app in the desktop alert generated if you click on the "Details" section in the alert.

The application column shows the following:

C:\Windows\SysWOW64\dllhost.exe

Now, what action do you suggest I follow? Should I delete the file? I don't have any experience regarding system files.

14 hours ago, Marcos said:

Please create another Procmon log but from a boot. The instructions are available at https://support.eset.com/kb6308 - section Gather boot log files.

@Marcos, here is the boot log file. But ESET is not showing notifications today. I have done nothing to stop this. Will it start again in future?


The Procmon log was corrupt, most likely it was not closed properly. Try to generate it again and open it in Procmon then as well to make sure that it was saved alright before you supply it to me.


This is interesting. The IP address, 51.15.90.178, associated with the URL blacklisted is in Paris, France and appears to be associated with a gov. web site; UK Government Department for Work and Pensions. A UK gov. web site hosted in France?

In any case, a web connection from C:\Windows\SysWOW64\dllhost.exe definitely is not normal. For the time being, you could create a firewall rule to block all TCP/UDP traffic inbound/outbound for IP address 51.15.90.178. Once it is determined what is causing the dllhost.exe traffic, you can delete the firewall rule.


@itman I don't know where you got all that, but I'm certainly going to block that IP address just in case. Those were some scary lines I just read. Thank you for the concern. Now I just have to figure out how to block "all TCP/UDP traffic inbound/outbound for IP address 51.15.90.178".


I would suggest temporarily uninstalling EAV and installing ESET Internet Security while we are trying to find the root cause. It could be that the machine is not fully patched and the computer is getting re-infected from a remote machine. Since EAV doesn't include Network attack protection, it cannot detect and block possible exploitation of vulnerabilities in network protocols. Also please provide me with the logs generated by this tool.

According to the logs, a TinukeBot trojan was detected in memory, and Win32/Kryptik.GOUM, Win64/CoinMiner.MN and PowerShell/Kryptik.H trojans were detected on the disk and cleaned.


I did a bit of research yesterday in dllhost.exe usage. It is associated with COM processing. Malicious browser extensions will employ COM. So I would be suspect of any recent Chrome extensions installed or the like.


@Marcos since this activity appears to be COM based, check the logs for any WMI consumer or command event existence/activity.

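One way to do the WMI check itman suggests, as an added example that is not code posted in the thread or anything from ESET: it enumerates the permanent event subscriptions under root\subscription, which is where a persistent WMI consumer would have to be registered. Assumes Windows PowerShell 5 or later from an elevated prompt.

```powershell
# Added example, not from the thread: list permanent WMI event subscriptions,
# which is where a persistent WMI consumer would be registered.
# Run from an elevated PowerShell prompt; a clean workstation usually has none.
$ns = 'root\subscription'

# Filters define the trigger, usually a WQL query on a timer or process start.
Write-Output "== Event filters =="
Get-CimInstance -Namespace $ns -ClassName __EventFilter |
    Format-List Name, Query

# Consumers define the action; these two types run a command or a script.
Write-Output "== Command-line consumers =="
Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer |
    Format-List Name, ExecutablePath, CommandLineTemplate

Write-Output "== Script consumers =="
Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer |
    Format-List Name, ScriptingEngine, ScriptFileName, ScriptText

# A binding is what makes a filter fire a consumer; each one should be explainable.
Write-Output "== Filter-to-consumer bindings =="
Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
    ForEach-Object {
        [pscustomobject]@{ Filter = $_.Filter.Name; Consumer = $_.Consumer.Name }
    } | Format-Table -AutoSize
```

Any binding whose filter or consumer you cannot tie to a known product (backup agents and some management tools do use this mechanism) is worth attaching to the thread along with the other logs.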

@Marcos The link to the tool you mentioned does not work. And by the way, I have created a firewall rule to block anything inbound/outbound related to the IP address 51.15.90.178.

9 hours ago, Moneesh said:

I have created a firewall rule to block anything inbound/outbound related to the IP address 51.15.90.178.

Did that stop the Eset alerts you were receiving?


As far as the TinukeBot trojan, Symantec has a write up on it dating to 2017. It is a backdoor and probably what is establishing the remote C&C connection. That variant was run via:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"" = "%AppData%\[RANDOM NUMBERS FOLDER NAME]\[RANDOM NUMBERS FILE NAME].exe"

So it might be worth a look at the registry run keys; especially the HKEY_CURRENT_USER ones.


Pretty sure this is the bugger: https://www.virusradar.com/en/Win32_Tinukebot.B/description since it's using dllhost.exe:

Quote

The trojan creates and runs a new thread with its own program code within the following processes:

%system%\dllhost.exe

And again, starts from:

Quote

In order to be executed on every system start, the trojan sets the following Registry entry:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

"%variable1%" = "%appdata%\%variable1%\%variable1%.exe"

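Putting itman's two suggestions into one script, as an added example that is not code from the thread or from ESET: it adds the inbound/outbound TCP and UDP block for 51.15.90.178 and then lists the Run and RunOnce values, flagging anything that fits the %AppData%\<digits>\<digits>.exe launch path quoted above. Assumes Windows PowerShell 5 or later with the NetSecurity module (Windows 8 and up) and an elevated prompt.

```powershell
# Added example, not from the thread: block the IP itman named and inspect the
# Run keys the Tinukebot write-ups point at. Run from an elevated prompt.
$SuspectIp = '51.15.90.178'   # IP quoted in the thread

# 1. Block all TCP and UDP traffic to and from the IP, inbound and outbound.
foreach ($dir in 'Inbound', 'Outbound') {
    foreach ($proto in 'TCP', 'UDP') {
        $name = "Block $SuspectIp $dir $proto"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction $dir -Protocol $proto `
                -RemoteAddress $SuspectIp -Action Block -Profile Any | Out-Null
        }
    }
}

# 2. Walk the Run/RunOnce keys and flag the %AppData%\<digits>\<digits>.exe
#    pattern from the Tinukebot descriptions, plus anything else launched from AppData.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$appData = [regex]::Escape($env:APPDATA)   # expanded Roaming path for this user
$tinukebotRe = "(?i)(%appdata%|$appData)\\\d+\\\d+\.exe"

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($meta -contains $p.Name) { continue }   # provider metadata, not Run values
        $value = [string]$p.Value
        $verdict = if ($value -match $tinukebotRe) { 'MATCHES TINUKEBOT PATTERN' }
                   elseif ($value -match '(?i)(%appdata%|appdata\\roaming)') { 'runs from AppData, review' }
                   else { 'ok' }
        [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $value; Verdict = $verdict }
    }
}
$findings | Format-Table -AutoSize -Wrap
```

Remove the four firewall rules again once the cause of the dllhost.exe traffic is found, as itman says; they are named "Block 51.15.90.178 ..." so Get-NetFirewallRule can find them.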
On 1/24/2019 at 8:25 PM, itman said:

Did that stop the Eset alerts you were receiving?

@itman Notifications from ESET halted even before I created the firewall rules. Maybe ESET took care of the virus. About the registry, I could not find anything of that sort of entry. Here's the screenshot.


@Moneesh, still waiting for logs from the ESET System Vulnerability Checker tool so that I can provide you with further instructions.


@Marcos The link is broken. Upon clicking the link, a .exe file was downloaded, but the file does not run when I try to open it.


But I searched for ESET Vulnerability Checker and ran the application and I got this:


I can download the tool from the links above. The tool you run is a different one - ESET EternalBlue Vulnerability Checker. Obviously your computer is vulnerable to EternalBlue exploits.

Please install all important and critical patches for the OS, especially this one: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010

6 hours ago, Moneesh said:

But i searched for Eset Vulnerability Checker and ran the application and i got this,

As posted above, here's the download link: ftp://ftp.nod.sk/samples/svchecker/ESETSysVulnCheck.exe

Right click on the downloaded file and run it as administrator. It will create a zipped file in your Downloads folder. Attach that to your reply.

After seeing you are still vulnerable to the EternalBlue exploit, I am "bowing out" from any further replies.

3 hours ago, Marcos said:

I can download the tool from the links above. 

@Marcos Even I can download the file, but when I open the file, it does nothing. A cmd window opens for half a second and nothing else happens.
