1.) nod32 was uninstalled 2.) won't reinstall

[mtdog 0]

I just noticed that eset nod32 was uninstalled from my PC.  I did not do this.  I then tried to reinstall nod32 but I got a message that told me my internet connection was bad.  This is not true.  I was even able to download the installer from Eset.  Is my machine completely taken over by malicious hackers?  I don't use a proxy server, just a wireless access point and router from the phone company. 

[Marcos 5,074]

It happens that attackers get access to user's pc by performing a bruteforce RDP attack and uninstall or disable AV. We'd recommend securing RDP and using ESET Internet Security or ESET Smart Security Premium which can protect from bruteforce attacks.

Please collect logs with ESET Log Collector and provide the generated archive for perusal.

[mtdog 0]

My version doesn't support remote desktop

[itman 1,659]

2 hours ago, mtdog said:

My version doesn't support remote desktop

The Win 10 Home versions do not support inbound RDP capability. But by default, it supports outbound RDP capability. In other words, you can use RDP to connect to another remote device:

If a hacker could establish a presence on you device, he could have used multiple methods to establish a remote connection to his C&C server. Once that is done, he can do as he wishes to your device remotely.  Additionally your router might be compromised allowing the attacker to gain access to your device/internal network. This list of compromise methods goes on and on.

Edited March 13, 2020 by itman

[mtdog 0]

Does that mean that I should wipe the system disk and start over? 

Would the other two windows 10 systems on my LAN also be compromised even if they still have NOD32 installed?  There are file server connections originating on all and going to the other two.   Should I wipe those disks and start over as well? 

Would data disks also be a threat?  Those would be impossible to discard.

What would I do about my router?  Factory reset it and change the passwords?

 

[itman 1,659]

9 minutes ago, mtdog said:

Does that mean that I should wipe the system disk and start over? 

Would the other two windows 10 systems on my LAN also be compromised even if they still have NOD32 installed?  There are file server connections originating on all and going to the other two.   Should I wipe those disks and start over as well? 

Would data disks also be a threat?  Those would be impossible to discard.

All the above a bit too extreme at this point.

Since it appears you have Internet connectivity on the device which NOD32 was uninstalled, perform a scan with Eset's Online Scanner: https://www.eset.com/us/home/online-scanner/

Once that scan completes and assuming it has found and removed malware, try to reinstall NOD32 again.

15 minutes ago, mtdog said:

What would I do about my router?  Factory reset it and change the passwords?

This I would recommend.

 

[itman 1,659]

One other point.

Did you physically verify that NOD32 was actually uninstalled? For example, are Eset folders missing from the C:\Program Files, C:\ProgramData, etc. directories.

What does Windows Security Center show? Is Windows Defender the current active anti-virus solution? It should be if NOD32 was actually uninstalled. Windows Defender should have "kicked in" immediately as your real-time anti-virus solution.

Edited March 13, 2020 by itman

[Marcos 5,074]

Please provide ELC logs as I requested above.

[mtdog 0]

Attached are the collected logs from the node, GUNTHER, that had ESET NOD32 disappear.  I used the online scan and it found nothing but it only checked the C:, system, drive and not the other two drives, D and E.  I did do a factory reset on the router and then reconfigured with new passwords.  After the reconfigure of the router,  the NOD32 installation program worked and I was able to install NODE32.  There was an initial scan and I implemented a second scan in which I tried to get NOD32 to scan the other two drives, D and E, but I was not convinced that these drives were scanned because the scan was over so quickly.  Perhaps you can ally my fears that  drives D and E have been scanned.

One other unusual aspect on this and my other Windows 10 system, REMY, is the fact that I have a request icon to upgrade Windows Media Center, WMC, in the lower right corner in a pop up window (that also has icons for ESET, Windows Defender, and some other icons.)  Both of these systems have WMC downloaded and installed from a French site for people who refused to give up WMC after MS discontinued it in Windows 10.  Seems a little strange to have an update since WMC is a discontinued product so why would MS have created an update?   On the other hand, MS has deliberately inserted into Windows Updates commands that delete WMC such that it needs to be reinstalled after the Windows update.  In any case I have not selected to installed the update and I've disabled the update until I can figure out from where it comes. 

eav_logs.zip

[itman 1,659]

1 hour ago, mtdog said:

There was an initial scan and I implemented a second scan in which I tried to get NOD32 to scan the other two drives, D and E, but I was not convinced that these drives were scanned because the scan was over so quickly.  Perhaps you can ally my fears that  drives D and E have been scanned.

Appears recent versions of Eset only scan the boot drive on the initial scan after installation. As far as scanning the other two drives, open the Eset GUI and select;

Computer scan -> Advanced scans -> Custom Scan

Then select the two drives to be scanned. You can even scan with Admin privileges if you desire a more thorough scanning.

1 hour ago, mtdog said:

Seems a little strange to have an update since WMC is a discontinued product so why would MS have created an update?  

Based on this : https://www.howtogeek.com/258695/HOW-TO-INSTALL-WINDOWS-MEDIA-CENTER-ON-WINDOWS-10/ , it appears WMC is still supported for Win 8.1. So I suspect if WMC is installed on Win 10, the update request is legit. More so if WMC has a separate updater and not updated via Win 10 Win updates. -EDIT- Appears WMC has its own updater named mcupdate.exe: https://www.file.net/process/mcupdate.exe.html

BTW - you never answered my question as to whether you physically verified that NOD32 components were removed that the device.

Edited March 14, 2020 by itman

[mtdog 0]

I could not find any ESET items before I installed again.  Seems like there should have been some ESET folders under C:\Windows, etc. 

On another system, UMI, I have a NOD32 error message that I can't figure out how to eliminate.  All my systems are configure the same so I don't understand why I have this message on this system and not on the others.  The message is, Email protection by client plugins is non-functional.  I use Thunderbird on all systems and it has automatic update. 

I have also attached the logs from this system.

eav_logs.zip

[itman 1,659]

15 minutes ago, mtdog said:

Email protection by client plugins is non-functional.  I use Thunderbird on all systems and it has automatic update. 

Strange. I use T-Bird e-mail and never had an issue with leaving the plug-in setting enabled. Try disabling the setting per the below screen shot and see if that removes the Eset alert.

Note that Eset doesn't officially support T-Bird e-mail so plug-in use would be N/A. Eset will still scan incoming T-Bird e-mail but its done at the network level using the SSL/TLS protocol filtering feature.

Are you sure you're not also using another e-mail client such as Windows Live Mail?

 

Edited March 14, 2020 by itman

[mtdog 0]

One other security issue that is probably a Windows 10 "user friendly feature"  is this message below which comes up on all the systems when I try to shut them down.  Of course, there is no user(s) that I know of on the system when I request a shutdown.  So is this just a stupid attempt by MS to protect people who might shutdown a Windows 10 system while someone else is using it?  Or is there really a process that is remote that could represent another user?  It really irritates me because every time I see this message I think of some unauthorized process on my system. 

[mtdog 0]

that fixed the email error. Thank you.  I don't use any other email client but one never knows when MS might to "do something for me" by automatically activating some other client. 

[itman 1,659]

11 minutes ago, mtdog said:

One other security issue that is probably a Windows 10 "user friendly feature"  is this message below which comes up on all the systems when I try to shut them down. 

Never saw a message like that before from Windows.

Appears to me that Windows is telling you multiple users are logged onto the same device which I thought was impossible. Well, maybe not. Maybe a remote user is logged on? Something you need to check out in light of this Eset uninstall incident.

[itman 1,659]

As far as the message about another user logged on to that PC, one possibility is the attacker has set a Win user account on that device. So you need to check out what user accounts exist on this PC.

You also need to apply all available Win 10 updates to all you devices. Especially the latest one which is a patch for a SMBv3 protocol vulnerability.

I would also reset your Win 10 firewall to default settings. If the Public profile is not set by default after the reset, I would switch to the Public profile on that device. Note this will prevent any file or device sharing on that device.

Edited March 14, 2020 by itman

[mtdog 0]

Now that I have disabled remote access I notice that that warning about other users on the system is no longer coming up when I try to shutdown.  Just like Microsoft to leave a big gaping hole like remote access and while implying that it is disabled or not available for the Home version. 

All my systems have two accounts, POWELL and DUCK.  The user management interface is so dumbed down that it is not possible to find how other processes might be created that would be interpreted as other users.  Typically any OS will have two or more user accounts that run the system but MS hides those from the users so I can say that if there was an extra account created by a hacker I would not know where to find it.  But, what would keep a hacker from harvesting passwords and using my own accounts? 

Also, it may not be possible for the suspected hacker to start a new process since I reprogrammed the router.  Problem is the router is from a telephone company, Centurylink, and they probably have a back door on it. 

[itman 1,659]

For additional security, I have disabled all services related to remote desktop:

[itman 1,659]

Also verify that no remote access like software has been mysteriously installed on your device: https://answers.microsoft.com/en-us/windows/forum/windows_10-security/why-did-team-viewer-show-up-on-my-computer/c8642c6c-dfd1-44c2-84f8-3fd741618f56 .

Note that Teamviewer is a favorite for being installed via phishing methods: https://www.bleepingcomputer.com/virus-removal/remove-backdoor.teamviewer-trojan .

Edited March 15, 2020 by itman

[itman 1,659]

14 hours ago, mtdog said:

Now that I have disabled remote access I notice that that warning about other users on the system is no longer coming up when I try to shutdown.  Just like Microsoft to leave a big gaping hole like remote access and while implying that it is disabled or not available for the Home version. 

If you are referring to the two Remote Access services, those need to be set to Manual startup. Win 10 uses those services. Also ditto for the Win Remote Management service; it needs to remain at Manual startup setting. -EDIT- The OS starts these services as needed and returns them to the Manual startup mode as needed. If these services remain in the started status for an extended period of time, it would indicative of suspicious remote connection activity using them.

What should be disabled and only enabled when needed is the Remote Assistance feature:

Additionally, Microsoft starting with Win 10 1803 added a new remote assistance like feature called "Quick Assist." This is also a potential remote access vulnerability but is  much harder to abuse. It can be either uninstalled if not needed via Win Start menu Settings Optional Features option or its use monitored as follows:

Quote

For those who wish to block it on a computer level rather than network wide, as Quick Assist is an executable located at C:\Windows\System32\quickassist.exe, it is also possible to block the executable itself via the Windows Firewall or using AppLocker.

https://www.bleepingcomputer.com/news/microsoft/intro-to-quick-assist-window-10s-built-in-teamviewer-like-remote-help-tool/

Edited March 15, 2020 by itman

[itman 1,659]

15 hours ago, mtdog said:

All my systems have two accounts, POWELL and DUCK.  The user management interface is so dumbed down that it is not possible to find how other processes might be created that would be interpreted as other users. 

You need to check for suspicious user account creation by opening Windows Explorer. Ensure that the show hidden files option is enabled. Navigate to this directory, C:\Users. Shown should be folders for Default, Public, plus Powell and Duck; your local admin and standard user accounts. Any other folders there are suspect.

[mtdog 0]

The directories are a good place to look but, they they are just directories.  For example there is an entity called SYSTEM.  But, it doesn't have a directory.  And there maybe a /USER directory that is suspicious but how do I find the account linked to it.  MS hides the important details of the OS.   For example, on one system I have  /User  directories called ALL USERS, DEFAULT, DEFAULT USER, PUBLIC, and USER.  That's in addition to DUCK AND POWELL.  Where are the details on these accounts in Windows 10?  As I said I only see DUCK and POWELL in the user management section. 

Regarding the MSERT.exe scan, it found the same problem on all three nodes.  I have attached the logs. 

Start 'remove' for regkeyvalue://hklm\software\microsoft\windows defender\\DisableAntiSpyware
Operation succeeded !

msert.log

msert.log msert.log

[itman 1,659]

1 hour ago, mtdog said:

For example, on one system I have  /User  directories called ALL USERS, DEFAULT, DEFAULT USER, PUBLIC, and USER.  That's in addition to DUCK AND POWELL. 

Is this an upgrade to Win 10 from Win 7 installation? My fresh Win 10 installation only has the user accounts for Default, Public, and my local admin account.

-EDIT- You must have also disabled the Win Explorer option to hide OS files. When done so, I show shortcut entries for All Users and Default User. No Users folder exists on my Win 10 installation, but that might be a "hold over" from Win 7 if you upgraded to Win 10. At this point, I would say you're OK as far as user account setup goes. Make sure you enable the option to to hide OS files in Win Explorer.

Edited March 15, 2020 by itman

[itman 1,659]

1 hour ago, mtdog said:

Regarding the MSERT.exe scan, it found the same problem on all three nodes.  I have attached the logs. 

Start 'remove' for regkeyvalue://hklm\software\microsoft\windows defender\\DisableAntiSpyware
Operation succeeded !

Hum ........... Looks like this is/was an attempt to disabled Windows Defender. Would not have succeeded if WD self-protection was enabled.

Problem is in upgraded Win 10 versions, WD self-protection for some unknown reason is not enabled.🙄 This can be corrected by opening up Windows Security Center -> Virus and Threat Protection -> Windows Defender Anti-virus options. Then temporarily enable the Periodic scanning option. Once this is done, additional WD options will be shown. One of them is self-protection. Make sure it is enabled. You can then disable the Periodic scanning option if you wish. Note that if you keep Periodic scanning enabled, WD will load each time you boot eating up available memory.

[mtdog 0]

Would that self protection options be called Tamper Protection?  I enabled that. 

As for the accounts on that particular system I now recall that the system was imaged by the builder, US Micro.  I don't know why they would build a Windows 10 system with those left over accounts.  I'm tempted to re-image the disk to make it match the other two Window 10 systems but I have a difficulty with the Microsoft account.  It tries to insert itself into my install and then starts making decisions for me without my consent.   I miss the days when a distribution and a license key were all that one needed to build an OS.