ESET I.S. Agressively blocking URL, can't find app

[Marcos 5,074]

Just don't leave Procmon logging for hours or the system will run out of memory and Procmon will crash.

[Namoh 0]

Should I run ProcMon after rebooting, or once the pop-ups start?

Currently no pop-ups, so no use of activating ProcMon, right?

[itman 1,659]

6 hours ago, Namoh said:

Hope I've added the rule correctly.

You didn't post a screen shot for this setting. Verify it is set as previously specified;

On the Source Applications screen, select "All Applications" from the drop down box.

You didn't set this setting as specified:

On the Application operation screen, enable the "Start new application"setting.

Correct the above settings. Then on the last screen, mouse click on Finish. Click on the OK tab on any subsequent screen displayed to save your HIPS change.

Hopefully therafter, HIPS log entries will start appearing in the Eset HIPS log.

[Namoh 0]

Not quiet sure I understand you correctly.

I think I did the first, but you're correct I didn't do the second.

See below, or am I on the wrong screen(s).

Brontoepassing = Source Application, right? It says/said "Alle toepassing" / "All applications". So that is/was already correct.

Toepassingsbewerkingen = Application operation screen, right? I've now enabled the "Nieuwe toepassing starten" setting.

Correct me, if I messed up again.

[itman 1,659]

7 hours ago, Namoh said:

Just to give all info, I've deleted a file from the folder: C:\Users\sande\AppData\Roaming

Everytime I'm starting up my pc it now gives an Windows Script Host message.

I've attached this as well.

This might be the malware. You are receiving the wscript.exe error message at system startup time because whatever is running the script, can't find it since it has been deleted.

Again, verify that no files show in this folder,

C:\Users\sande\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .

If files exist, take a screen shot of what is present in that folder.

[itman 1,659]

4 minutes ago, Namoh said:

See below, or am I on the wrong screen(s).

Yes, everything appears correct now.

One of the problems is your Eset version is the Dutch language version and this is an English language forum.

[Namoh 0]

Small steps but we're getting there.

This was located in above folder, and it says: C:\WINDOWS\system32\wscript.exe  /E:jscript "C:\Users\sande\AppData\Roaming\CC-Library-mul683-x64.zip" wscript.exe/e:key:BVfnB5qsixmIFscLj6DoRCZF

 

[Namoh 0]

Just now, itman said:

Yes, everything appears correct now.

One of the problems is your Eset version is the Dutch language version and this is an English language forum.

Isn't there somewhere a setting to change it into English, I'm fine with that

[itman 1,659]

2 minutes ago, Namoh said:

Isn't there somewhere a setting to change it into English, I'm fine with that

I wouldn't worry about it at this point. I believe we are close to resolving at least the startup and running of the malicious script via wscript.exe.

13 minutes ago, Namoh said:

This was located in above folder, and it says: C:\WINDOWS\system32\wscript.exe  /E:jscript "C:\Users\sande\AppData\Roaming\CC-Library-mul683-x64.zip" wscript.exe/e:key:BVfnB5qsixmIFscLj6DoRCZF

Delete that entry.

Then reboot your PC. You should not see the previous wscript.exe error message any more. You should also no longer see any Eset HIPS log entries related to the wscript.exe created. Nor should you see anymore Eset alerts for api..... connection.

However, there are still other possible issues. Do you use IE11 as your browser?

[Namoh 0]

Yes, I'm using IE11 (11.836.18362.0, update versions: 11.0.190) mostly, but in some cases also Microsoft Edge (?? couldn't quickly find a version number) and Google Chrome (83.0.4103.97).

Deleted the file and will restart now.

[itman 1,659]

FYI to all to what I believe is going on with this latest JavaScript incident.

This;

C:\WINDOWS\system32\wscript.exe  /E:jscript "C:\Users\sande\AppData\Roaming\CC-Library-mul683-x64.zip" wscript.exe/e:key:BVfnB5qsixmIFscLj6DoRCZF

Appears to be the running of an encrypted archive at boot time. Really something I have never seen before. Also since the archive is encrypted, Eset couldn't scan it when it was dropped on the disk.

[Marcos 5,074]

I'd like to get the file for a check. If you still have a copy of the file, please provide it.

 

[itman 1,659]

Another possibility is the .zip file is actually a "disguised " encrypted JavaScript file. Believe that is the case here. Note the use of; wscript.exe  /E:

Quote

The //E argument is used to specify the script language rather than the path to the script host executable. But if you use standard file extensions — .js for JScript and .vbs for VBScript — Windows Script Host will automatically detect the script language, and there's no need to use the //E argument

Somewhat detailed explanation of the //E parameter is given in this TechNet article:
Running Scripts from the Command Line.

https://stackoverflow.com/questions/5700431/how-to-use-the-windows-scripting-host-e-command-line-argument

Edited June 4, 2020 by itman

[itman 1,659]

Confirmed. File extension is immaterial when script engine is specifically referenced via the /E parameter. Per the above linked TechNet article:

Quote

//E:engine

Executes the script with the specified script engine. Among other things, this allows you to run scripts that use a custom file name extension. Without the //E argument, you can run only scripts that use registered file name extensions. For example, if you try to run this command:

cscript test.admin

You will receive this error message:

Input Error: There is no script engine for file extension ".admin".

To run a script that uses a custom file extension, include the //E argument:

cscript //E:vbscript test.admin

One advantage of using nonstandard file name extensions is that it guards against accidentally double-clicking a script and thus running something you really did not want to run.

This does not create a permanent association between the .admin file name extension and VBScript. Each time you run a script that uses a .admin file name extension, you will need to use the //E argument.

 

Edited June 4, 2020 by itman

[itman 1,659]

I will also add that the prior Javascript based variant of the malware made numerous Win registry changes. Of note were changes to Win internal network settings. It is for practical purposes impossible to determine what registry and possibly other system modification that were performed.

Although removing the malware startup references from the %AppData% directory will prevent the Javascript malware from running, you have a possible likelihood to either becoming reinfected with the same malware or other malware because of these system changes. One mitigation would be to restore the registry from a registry backup as shown in this article: https://pureinfotech.com/restore-registry-backup-windows-10/ . The problem is this technique is beyond the average user. There is also a possibility it won't work. It appears later versions of Win 10 no longer backup the registry on a periodic basis as done in prior Win versions. If a registry backup exists, it may be very old. Reapplying that backup could very well bork Win system updates that were applied subsequent to the registry backup. Finally, restoring the registry might not be sufficient to mitigate all non-registry changes made by the malware.

You should contact your local in-country Eset technical support on the best way to proceed on restoring your system back to pre-malware infection status.

[Namoh 0]

On ‎6‎/‎4‎/‎2020 at 4:29 PM, Marcos said:

I'd like to get the file for a check. If you still have a copy of the file, please provide it.

 

I have a copy of the file, but it's a hyperlink (snelkoppeling) of 1kb.

Still interested or no need to sent it?

Mmmmm, although the file name is: CC-Library-mul683-x64.zip it won't allow me to attach it.

Probably because it's a hyperlink and not a real zip-file.

All this started after installing a version of Adobe Master Collection via this nzb file (no comments  ).

You can download it yourself and see if you get the same issue.

Would advise to make a copy of your drive upfront (which I forgot).

Adobe-Master-Collection-CC-2020-19-05-2020-Multilanguage.rar

[itman 1,659]

48 minutes ago, Namoh said:

Mmmmm, although the file name is: CC-Library-mul683-x64.zip it won't allow me to attach it.

Refer to the below screen shot.

Using Windows Explorer, do the following. Mouse click on the file using the right button. Select "Send to" -> "Compressed (zipped) folder. Attached this newly created zipped folder to your forum reply.

[itman 1,659]

1 hour ago, Namoh said:

All this started after installing a version of Adobe Master Collection via this nzb file (no comments  ).

I did research this initially. Abode Creative Cloud component stores its files in a directory that begins with CCLibrary. Note this malicious JavaScript name begins with CC-Library .............

The legit download for Abode Creative Cloud is here: https://www.adobe.com/creativecloud.html . I did notice that there are multiple cracked versions of Adobe Master Collection posted on the web. If you downloaded one of those, that is how you most likely got infected. Ditto for file sharing web sites. Versions available there can't be 100% trusted.

 

Edited June 5, 2020 by itman

[itman 1,659]

An interesting write-up from this crack web site:

Quote

Adobe Master Collection CC

As I hope you know, Adobe Master Collection CC  in nature does not exist, Adobe never released it. But, nevertheless, it is in front of you! I really tried to get this package born. It is a collection of programs of the Creative Cloud line, united by an old good installer with the choice of components and language of the installed programs. It all looks very much like the well-proven Adobe Master Collection CS6 in the past. Is that the current program package includes much more than its namesake Creative Suite 6. And the versions of the programs themselves, mostly fresh.

https://crackzsoft.me/adobe-master-collection-cc-win/

Assume that "old good installer" is the source of the malware.

-EDIT- Interesting comment from the crack author:

• Quote

  CrackzSoft

  24th March 2020 at 5:49 pm

  nothing much to do just install an installer and enjoy it is pre-activated.
  Don’t forget to disable net connection or antivirus before installing.

  😭

Edited June 5, 2020 by itman

[itman 1,659]

@Namoh, I advise you to read this General Discussion posting I made last February: https://forum.eset.com/topic/22398-pirated-software-is-all-fun-and-games-until-your-data’s-stolen/

Edited June 5, 2020 by itman

[Namoh 0]

16 hours ago, itman said:

Refer to the below screen shot.

Using Windows Explorer, do the following. Mouse click on the file using the right button. Select "Send to" -> "Compressed (zipped) folder. Attached this newly created zipped folder to your forum reply.

Hereby the zip-file with the hyperlink, don't think it will help but you never know

CC-Library-mul683-x64.zip.zip

[Namoh 0]

10 hours ago, itman said:

@Namoh, I advise you to read this General Discussion posting I made last February: https://forum.eset.com/topic/22398-pirated-software-is-all-fun-and-games-until-your-data’s-stolen/

Ofcourse, I understand the risks of cracks etc, and it's not that I just use cracked software, but I do install cracked software to see if the software is good and usefull for me before I purchase it.

The adobe package has a 7 day free trial option. This is for me not enough to see if it's worth the money, because I work full time.

The full package costs €60,49 per month!!

I'm not going to pay that much money without knowing if I like the software.

And maybe a stupid thought but I assumed that my visusscanner would tackle any suspicious behaviour, what else is the reason that I purchased it...? Of course I didn't disable ESET during install but it never gave any sign or pop-ups.

[itman 1,659]

3 hours ago, Namoh said:

And maybe a stupid thought but I assumed that my visusscanner would tackle any suspicious behaviour, what else is the reason that I purchased it...?

Eset's PUA protection will alert on hack tools that are known to have malicious or suspect behaviors. So the first thing you need to check is that you have enabled Potentially unwanted and unsafe application settings in Eset's GUI real-time file system protection settings.

Also note that there are thousands of software crack downloads on the web. As such, Eset would need to have examined one to be able to determine if it is deemed PUA status.

Eset protects against botnet activity as evidenced by the blocked connection alerts you were receiving.

 

[itman 1,659]

A few additional comments of use of cracked software.

What the cracker developer is doing is illegal. Anyone who is using his cracked creation is legally considered aiding and abetting his criminal activity.

The above noted if the cracked software involves use of an installer, use some "common security sense" and pass on the software. Win installers run with System privileges. This is the highest WIn privilege available. As such, the installer can modify anything it wishes on your Win installation. Additionally, security solutions are likewise restricted in their monitoring activities of the installer due to it privilege status.

[itman 1,659]

5 hours ago, Namoh said:

The adobe package has a 7 day free trial option. This is for me not enough to see if it's worth the money,

Adobe was offering a free 2 month trial back in March: https://www.techradar.com/news/want-free-adobe-creative-cloud-for-two-months-heres-how-to-get-the-hidden-offer. Don't know if its still in effect but something to check out.