ESET I.S. Agressively blocking URL, can't find app

[Vince 0]

Hi !

I have the same problem from today  :

hxxp://api.backend-app.com:8880; Bloqué par la liste noire interne; C:\Windows\System32\wscript.exe;PC-GAMER\Cyril;172.64.173.30;542C46C652DDEFC87414213A8BEA0C65DD0377A9.

I did the HIPS rules the popup stoped but i think it s not resolved :

It seems like explorer.exe use wscript.exe

I hope you can help me

 

 

[Marcos 5,071]

7 hours ago, Vince said:

Hi !
I have the same problem from today  :

hxxp://api.backend-app.com:8880; Bloqué par la liste noire interne; C:\Windows\System32\wscript.exe;PC-GAMER\Cyril;172.64.173.30;542C46C652DDEFC87414213A8BEA0C65DD0377A9

Please provide logs collected with ESET Log Collector. Most likely you have a malicious lnk file in the startup folder.

[sadbhai 0]

Same issue with me!

Now I can't get into Windows. Last message was "System detected an overrun of a stack-based buffer in this application" - restarted and my PC is now flashing black and white at boot, with a black desktop and a black/white flashing taskbar - I can see the clock time and the start/magnifying glass/Task View button, but it's flickering.

Had hundreds of requests to that site mentioned with the port number.

[sadbhai 0]

[Vince 0]

2 hours ago, Marcos said:

Please provide logs collected with ESET Log Collector. Most likely you have a malicious lnk file in the startup folder.

sent to you !

[Nightowl 202]

9 minutes ago, Vince said:

sent to you !

Did you run a deep full system scan?

[Jozef76 0]

Hi!

I having problem with pop up hxxp://api.backend-app.com:8880

I created new HIPS rule!
Looks like the pop-ups has been stopped.

I found:
C:\Users\xxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updatewins.lnk

updatewins.lnk - >Target: C:\WINDOWS\system32\wscript.exe  /E:jscript "C:\Users\xxx\AppData\Roaming\updatewins" wscript.exe/e:key:przSlksUf6ucMA

Question.
Can updatewins.lnk file be deleted?

Thank you!

 

Edited June 7, 2020 by Jozef76

[Vince 0]

18 minutes ago, Nightowl said:

Did you run a deep full system scan?

yes , found nothing

[Nightowl 202]

15 minutes ago, Vince said:

yes , found nothing

Give HitmanPro a try , it can find some bad stuff

[Vince 0]

8 minutes ago, Nightowl said:

Give HitmanPro a try , it can find some bad stuff

same, nothing

[Nightowl 202]

5 minutes ago, Vince said:

same, nothing

Download https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

And run it as Administrator and see if there are suspicious startup programs/scripts , then you can see it's location , and see for yourself if it's malicious or not , upload it to VT

Malicious reg mostly can be found here : HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\

Edited June 7, 2020 by Nightowl

[Marcos 5,071]

2 hours ago, Jozef76 said:

I found:

C:\Users\xxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updatewins.lnk

updatewins.lnk - >Target: C:\WINDOWS\system32\wscript.exe  /E:jscript "C:\Users\Joe\AppData\Roaming\updatewins" wscript.exe/e:key:przSlksUf6ucMA

Question.
Can updatewins.lnk file be deleted?

Please do not delete any files without keeping a copy of them. Move the file to a new folder, reboot the machine and upload the file here along with logs collected with ESET Log Collector.

[Vince 0]

3 hours ago, Nightowl said:

Download https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

And run it as Administrator and see if there are suspicious startup programs/scripts , then you can see it's location , and see for yourself if it's malicious or not , upload it to VT

Malicious reg mostly can be found here : HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\

[Nightowl 202]

Can you please try to remove this software from your PC :

If you see some suspicious applications in Startup category (Or if you press Logon at top) , also try to unselect it , and remove it from windows through add or remove

----

In ESET Settings , Set it to detect Possibly Unwanted Programs & Unsafe Programs , and scan again and see if it will detect threats , probably these blocks are coming from one of these dodgy softwares , IDMan or Free Download Manager

 

Here is an example of your problem :

https://any.run/report/8d33d5c74a877dc2030ec36b79db8630e20dc476e3374d24b65dee6222d7d498/934cb24f-6b03-4d87-9f32-a038caa1790b

Do you have this here ? :

C:\Users\admin\AppData\Roaming\update-win.js

 

Edited June 7, 2020 by Nightowl

[SeriousHoax 83]

7 minutes ago, Nightowl said:

Can you please try to remove this software from your PC :

If you see some suspicious applications in Startup category (Or if you press Logon at top) , also try to unselect it , and remove it from windows through add or remove

----

In ESET Settings , Set it to detect Possibly Unwanted Programs & Unsafe Programs , and scan again and see if it will detect threats , probably these blocks are coming from one of these dodgy softwares , IDMan or Free Download Manager

I think FDM is not the likely source of it. It's a malware/adware free trusted app used by many people. 

[peteyt 393]

10 minutes ago, Nightowl said:

Can you please try to remove this software from your PC :

If you see some suspicious applications in Startup category (Or if you press Logon at top) , also try to unselect it , and remove it from windows through add or remove

----

In ESET Settings , Set it to detect Possibly Unwanted Programs & Unsafe Programs , and scan again and see if it will detect threats , probably these blocks are coming from one of these dodgy softwares , IDMan or Free Download Manager

 

Here is an example of your problem :

https://any.run/report/8d33d5c74a877dc2030ec36b79db8630e20dc476e3374d24b65dee6222d7d498/934cb24f-6b03-4d87-9f32-a038caa1790b

Do you have this here ? :

C:\Users\admin\AppData\Roaming\update-win.js

 

I'll add i use free download manager and have had no issues

[Nightowl 202]

1 minute ago, SeriousHoax said:

I think FDM is not the likely source of it. It's a malware/adware free trusted app used by many people. 

Yea could be , never heard of it and it's using a simple name and not verified , so thought it should be gone , but it could be good I don't know , I never used it and don't use managers

It could be also in Startup part in Autoruns , there can be some dodgy software there

The malicious javascript should be in %AppData% with a name of update-win.js in Roaming Folder

[SeriousHoax 83]

32 minutes ago, Vince said:

Scroll down and post more pictures here. Your startup folder is not fully visible here. Also, beore sharing enable from Options > Scan Option > Check VirusTotal.com. 

[Nightowl 202]

Try also to clear all your browsers cookies.

[SeriousHoax 83]

4 minutes ago, Nightowl said:

Yea could be , never heard of it and it's using a simple name and not verified , so thought it should be gone , but it could be good I don't know , I never used it and don't use managers

It could be also in Startup part in Autoruns , there can be some dodgy software there

The malicious javascript should be in %AppData% with a name of update-win.js in Roaming Folder

I used it before. It's also available on Linux. If he downloaded from the original source then it's safe. He got the malicious script from cracked Adobe installer.

Right, I also think there maybe something in the Startup directory. 

Edited June 7, 2020 by SeriousHoax

[Nightowl 202]

2 minutes ago, SeriousHoax said:

I used it before. It's also available on Linux. If he downloaded from the original source then it's safe. He got the malicious script from cracked Adobe installer.

Right, I also think there maybe something in the Startup directory. 

Argh I missed the part of cracked Adobe , it could be yea I am not correct about what I've said about the download managers , I lack experience with them because I don't use them but I remember them from Windows XP days they used to make some troubles.

It's different then if there is a script from a cracked Adobe download which can be malicious or fake crack.

[Vince 0]

11 minutes ago, SeriousHoax said:

Scroll down and post more pictures here. Your startup folder is not fully visible here. Also, beore sharing enable from Options > Scan Option > Check VirusTotal.com. 

Edited June 7, 2020 by Vince

[Nightowl 202]

UpdateWins.INK - Unselect this ,

It probably points to C:\Users\%USERPROFILE%\AppData\Roaming\update-win.js

check your roaming appdata folder if there are malicious files over there.

 

Can you please run a deep full system scan with Unwanted Programs and Unsafe Programs options enabled?

So it could pickup Adobe crack also.

Edited June 7, 2020 by Nightowl

[Vince 0]

7 minutes ago, Nightowl said:

UpdateWins.INK - Unselect this ,

It probably points to C:\Users\%USERPROFILE%\AppData\Roaming\update-win.js

yes it s there C:\Users\%USERPROFILE%\AppData\Roaming but different name

[Nightowl 202]

10 minutes ago, Vince said:

yes it s there C:\Users\%USERPROFILE%\AppData\Roaming but different name

Upload it please to virustotal to see the results also you can try hybrid analysis web site and app anyrun

You can manually put in Quarantine in ESET to see if the blocks stops or not , most probably if you change the ext to .bak or something un-relevant , it should stop working as a script.

It's probably a Trojan Downloader , but I can't know what Trojan it is trying to get

Startup shortcut calls this script and probably this script calls another infected EXE in your PC so it can continue it's job.

---

Try a deep scan with PUA and Unsafe Applications enabled.

Edited June 7, 2020 by Nightowl