Administrators Marcos 5,286 Posted June 4, 2020 Administrators Share Posted June 4, 2020 Just don't leave Procmon logging for hours or the system will run out of memory and Procmon will crash. Link to comment Share on other sites More sharing options...
Namoh 0 Posted June 4, 2020 Share Posted June 4, 2020 Should I run ProcMon after rebooting, or once the pop-ups start? Currently no pop-ups, so no use of activating ProcMon, right? Link to comment Share on other sites More sharing options...
itman 1,754 Posted June 4, 2020 Share Posted June 4, 2020 6 hours ago, Namoh said: Hope I've added the rule correctly. You didn't post a screen shot for this setting. Verify it is set as previously specified; On the Source Applications screen, select "All Applications" from the drop down box. You didn't set this setting as specified: On the Application operation screen, enable the "Start new application"setting. Correct the above settings. Then on the last screen, mouse click on Finish. Click on the OK tab on any subsequent screen displayed to save your HIPS change. Hopefully therafter, HIPS log entries will start appearing in the Eset HIPS log. Link to comment Share on other sites More sharing options...
Namoh 0 Posted June 4, 2020 Share Posted June 4, 2020 Not quiet sure I understand you correctly. I think I did the first, but you're correct I didn't do the second. See below, or am I on the wrong screen(s). Brontoepassing = Source Application, right? It says/said "Alle toepassing" / "All applications". So that is/was already correct. Toepassingsbewerkingen = Application operation screen, right? I've now enabled the "Nieuwe toepassing starten" setting. Correct me, if I messed up again. Link to comment Share on other sites More sharing options...
itman 1,754 Posted June 4, 2020 Share Posted June 4, 2020 7 hours ago, Namoh said: Just to give all info, I've deleted a file from the folder: C:\Users\sande\AppData\Roaming Everytime I'm starting up my pc it now gives an Windows Script Host message. I've attached this as well. This might be the malware. You are receiving the wscript.exe error message at system startup time because whatever is running the script, can't find it since it has been deleted. Again, verify that no files show in this folder, C:\Users\sande\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ . If files exist, take a screen shot of what is present in that folder. Link to comment Share on other sites More sharing options...
itman 1,754 Posted June 4, 2020 Share Posted June 4, 2020 4 minutes ago, Namoh said: See below, or am I on the wrong screen(s). Yes, everything appears correct now. One of the problems is your Eset version is the Dutch language version and this is an English language forum. Link to comment Share on other sites More sharing options...
Namoh 0 Posted June 4, 2020 Share Posted June 4, 2020 Small steps but we're getting there. This was located in above folder, and it says: C:\WINDOWS\system32\wscript.exe /E:jscript "C:\Users\sande\AppData\Roaming\CC-Library-mul683-x64.zip" wscript.exe/e:key:BVfnB5qsixmIFscLj6DoRCZF Link to comment Share on other sites More sharing options...
Namoh 0 Posted June 4, 2020 Share Posted June 4, 2020 Just now, itman said: Yes, everything appears correct now. One of the problems is your Eset version is the Dutch language version and this is an English language forum. Isn't there somewhere a setting to change it into English, I'm fine with that Link to comment Share on other sites More sharing options...
itman 1,754 Posted June 4, 2020 Share Posted June 4, 2020 2 minutes ago, Namoh said: Isn't there somewhere a setting to change it into English, I'm fine with that I wouldn't worry about it at this point. I believe we are close to resolving at least the startup and running of the malicious script via wscript.exe. 13 minutes ago, Namoh said: This was located in above folder, and it says: C:\WINDOWS\system32\wscript.exe /E:jscript "C:\Users\sande\AppData\Roaming\CC-Library-mul683-x64.zip" wscript.exe/e:key:BVfnB5qsixmIFscLj6DoRCZF Delete that entry. Then reboot your PC. You should not see the previous wscript.exe error message any more. You should also no longer see any Eset HIPS log entries related to the wscript.exe created. Nor should you see anymore Eset alerts for api..... connection. However, there are still other possible issues. Do you use IE11 as your browser? Link to comment Share on other sites More sharing options...
Namoh 0 Posted June 4, 2020 Share Posted June 4, 2020 Yes, I'm using IE11 (11.836.18362.0, update versions: 11.0.190) mostly, but in some cases also Microsoft Edge (?? couldn't quickly find a version number) and Google Chrome (83.0.4103.97). Deleted the file and will restart now. Link to comment Share on other sites More sharing options...
itman 1,754 Posted June 4, 2020 Share Posted June 4, 2020 FYI to all to what I believe is going on with this latest JavaScript incident. This; C:\WINDOWS\system32\wscript.exe /E:jscript "C:\Users\sande\AppData\Roaming\CC-Library-mul683-x64.zip" wscript.exe/e:key:BVfnB5qsixmIFscLj6DoRCZF Appears to be the running of an encrypted archive at boot time. Really something I have never seen before. Also since the archive is encrypted, Eset couldn't scan it when it was dropped on the disk. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,286 Posted June 4, 2020 Administrators Share Posted June 4, 2020 I'd like to get the file for a check. If you still have a copy of the file, please provide it. Link to comment Share on other sites More sharing options...
itman 1,754 Posted June 4, 2020 Share Posted June 4, 2020 (edited) Another possibility is the .zip file is actually a "disguised " encrypted JavaScript file. Believe that is the case here. Note the use of; wscript.exe /E: Quote The //E argument is used to specify the script language rather than the path to the script host executable. But if you use standard file extensions — .js for JScript and .vbs for VBScript — Windows Script Host will automatically detect the script language, and there's no need to use the //E argument Somewhat detailed explanation of the //E parameter is given in this TechNet article:Running Scripts from the Command Line. https://stackoverflow.com/questions/5700431/how-to-use-the-windows-scripting-host-e-command-line-argument Edited June 4, 2020 by itman Link to comment Share on other sites More sharing options...
itman 1,754 Posted June 4, 2020 Share Posted June 4, 2020 (edited) Confirmed. File extension is immaterial when script engine is specifically referenced via the /E parameter. Per the above linked TechNet article: Quote //E:engine Executes the script with the specified script engine. Among other things, this allows you to run scripts that use a custom file name extension. Without the //E argument, you can run only scripts that use registered file name extensions. For example, if you try to run this command: cscript test.admin You will receive this error message: Input Error: There is no script engine for file extension ".admin". To run a script that uses a custom file extension, include the //E argument: cscript //E:vbscript test.admin One advantage of using nonstandard file name extensions is that it guards against accidentally double-clicking a script and thus running something you really did not want to run. This does not create a permanent association between the .admin file name extension and VBScript. Each time you run a script that uses a .admin file name extension, you will need to use the //E argument. Edited June 4, 2020 by itman Link to comment Share on other sites More sharing options...
itman 1,754 Posted June 4, 2020 Share Posted June 4, 2020 I will also add that the prior Javascript based variant of the malware made numerous Win registry changes. Of note were changes to Win internal network settings. It is for practical purposes impossible to determine what registry and possibly other system modification that were performed. Although removing the malware startup references from the %AppData% directory will prevent the Javascript malware from running, you have a possible likelihood to either becoming reinfected with the same malware or other malware because of these system changes. One mitigation would be to restore the registry from a registry backup as shown in this article: https://pureinfotech.com/restore-registry-backup-windows-10/ . The problem is this technique is beyond the average user. There is also a possibility it won't work. It appears later versions of Win 10 no longer backup the registry on a periodic basis as done in prior Win versions. If a registry backup exists, it may be very old. Reapplying that backup could very well bork Win system updates that were applied subsequent to the registry backup. Finally, restoring the registry might not be sufficient to mitigate all non-registry changes made by the malware. You should contact your local in-country Eset technical support on the best way to proceed on restoring your system back to pre-malware infection status. Link to comment Share on other sites More sharing options...
Namoh 0 Posted June 5, 2020 Share Posted June 5, 2020 On 6/4/2020 at 4:29 PM, Marcos said: I'd like to get the file for a check. If you still have a copy of the file, please provide it. I have a copy of the file, but it's a hyperlink (snelkoppeling) of 1kb. Still interested or no need to sent it? Mmmmm, although the file name is: CC-Library-mul683-x64.zip it won't allow me to attach it. Probably because it's a hyperlink and not a real zip-file. All this started after installing a version of Adobe Master Collection via this nzb file (no comments ). You can download it yourself and see if you get the same issue. Would advise to make a copy of your drive upfront (which I forgot). Adobe-Master-Collection-CC-2020-19-05-2020-Multilanguage.rar Link to comment Share on other sites More sharing options...
itman 1,754 Posted June 5, 2020 Share Posted June 5, 2020 48 minutes ago, Namoh said: Mmmmm, although the file name is: CC-Library-mul683-x64.zip it won't allow me to attach it. Refer to the below screen shot. Using Windows Explorer, do the following. Mouse click on the file using the right button. Select "Send to" -> "Compressed (zipped) folder. Attached this newly created zipped folder to your forum reply. Link to comment Share on other sites More sharing options...
itman 1,754 Posted June 5, 2020 Share Posted June 5, 2020 (edited) 1 hour ago, Namoh said: All this started after installing a version of Adobe Master Collection via this nzb file (no comments ). I did research this initially. Abode Creative Cloud component stores its files in a directory that begins with CCLibrary. Note this malicious JavaScript name begins with CC-Library ............. The legit download for Abode Creative Cloud is here: https://www.adobe.com/creativecloud.html . I did notice that there are multiple cracked versions of Adobe Master Collection posted on the web. If you downloaded one of those, that is how you most likely got infected. Ditto for file sharing web sites. Versions available there can't be 100% trusted. Edited June 5, 2020 by itman Link to comment Share on other sites More sharing options...
itman 1,754 Posted June 5, 2020 Share Posted June 5, 2020 (edited) An interesting write-up from this crack web site: Quote Adobe Master Collection CC As I hope you know, Adobe Master Collection CC in nature does not exist, Adobe never released it. But, nevertheless, it is in front of you! I really tried to get this package born. It is a collection of programs of the Creative Cloud line, united by an old good installer with the choice of components and language of the installed programs. It all looks very much like the well-proven Adobe Master Collection CS6 in the past. Is that the current program package includes much more than its namesake Creative Suite 6. And the versions of the programs themselves, mostly fresh. https://crackzsoft.me/adobe-master-collection-cc-win/ Assume that "old good installer" is the source of the malware. -EDIT- Interesting comment from the crack author: Quote CrackzSoft 24th March 2020 at 5:49 pm nothing much to do just install an installer and enjoy it is pre-activated.Don’t forget to disable net connection or antivirus before installing. 😭 Edited June 5, 2020 by itman Link to comment Share on other sites More sharing options...
itman 1,754 Posted June 5, 2020 Share Posted June 5, 2020 (edited) @Namoh, I advise you to read this General Discussion posting I made last February: https://forum.eset.com/topic/22398-pirated-software-is-all-fun-and-games-until-your-data’s-stolen/ Edited June 5, 2020 by itman Link to comment Share on other sites More sharing options...
Namoh 0 Posted June 6, 2020 Share Posted June 6, 2020 16 hours ago, itman said: Refer to the below screen shot. Using Windows Explorer, do the following. Mouse click on the file using the right button. Select "Send to" -> "Compressed (zipped) folder. Attached this newly created zipped folder to your forum reply. Hereby the zip-file with the hyperlink, don't think it will help but you never know CC-Library-mul683-x64.zip.zip Link to comment Share on other sites More sharing options...
Namoh 0 Posted June 6, 2020 Share Posted June 6, 2020 10 hours ago, itman said: @Namoh, I advise you to read this General Discussion posting I made last February: https://forum.eset.com/topic/22398-pirated-software-is-all-fun-and-games-until-your-data’s-stolen/ Ofcourse, I understand the risks of cracks etc, and it's not that I just use cracked software, but I do install cracked software to see if the software is good and usefull for me before I purchase it. The adobe package has a 7 day free trial option. This is for me not enough to see if it's worth the money, because I work full time. The full package costs €60,49 per month!! I'm not going to pay that much money without knowing if I like the software. And maybe a stupid thought but I assumed that my visusscanner would tackle any suspicious behaviour, what else is the reason that I purchased it...? Of course I didn't disable ESET during install but it never gave any sign or pop-ups. Link to comment Share on other sites More sharing options...
itman 1,754 Posted June 6, 2020 Share Posted June 6, 2020 3 hours ago, Namoh said: And maybe a stupid thought but I assumed that my visusscanner would tackle any suspicious behaviour, what else is the reason that I purchased it...? Eset's PUA protection will alert on hack tools that are known to have malicious or suspect behaviors. So the first thing you need to check is that you have enabled Potentially unwanted and unsafe application settings in Eset's GUI real-time file system protection settings. Also note that there are thousands of software crack downloads on the web. As such, Eset would need to have examined one to be able to determine if it is deemed PUA status. Eset protects against botnet activity as evidenced by the blocked connection alerts you were receiving. Link to comment Share on other sites More sharing options...
itman 1,754 Posted June 6, 2020 Share Posted June 6, 2020 A few additional comments of use of cracked software. What the cracker developer is doing is illegal. Anyone who is using his cracked creation is legally considered aiding and abetting his criminal activity. The above noted if the cracked software involves use of an installer, use some "common security sense" and pass on the software. Win installers run with System privileges. This is the highest WIn privilege available. As such, the installer can modify anything it wishes on your Win installation. Additionally, security solutions are likewise restricted in their monitoring activities of the installer due to it privilege status. Link to comment Share on other sites More sharing options...
itman 1,754 Posted June 6, 2020 Share Posted June 6, 2020 5 hours ago, Namoh said: The adobe package has a 7 day free trial option. This is for me not enough to see if it's worth the money, Adobe was offering a free 2 month trial back in March: https://www.techradar.com/news/want-free-adobe-creative-cloud-for-two-months-heres-how-to-get-the-hidden-offer. Don't know if its still in effect but something to check out. Link to comment Share on other sites More sharing options...
Recommended Posts