ESET I.S. Aggressively blocking URL, can't find app


Hi!

I have the same problem from today:

hxxp://api.backend-app.com:8880; Bloqué par la liste noire interne; C:\Windows\System32\wscript.exe;PC-GAMER\Cyril;172.64.173.30;542C46C652DDEFC87414213A8BEA0C65DD0377A9.

I did the HIPS rules, the popup stopped, but I think it's not resolved [screenshot attached].

It seems like explorer.exe uses wscript.exe.

I hope you can help me

 

 


  • Administrators
7 hours ago, Vince said:

Hi!
I have the same problem from today:

hxxp://api.backend-app.com:8880; Bloqué par la liste noire interne; C:\Windows\System32\wscript.exe;PC-GAMER\Cyril;172.64.173.30;542C46C652DDEFC87414213A8BEA0C65DD0377A9

Please provide logs collected with ESET Log Collector. Most likely you have a malicious lnk file in the startup folder.


Same issue with me! :(

Now I can't get into Windows. Last message was "System detected an overrun of a stack-based buffer in this application" - restarted and my PC is now flashing black and white at boot, with a black desktop and a black/white flashing taskbar - I can see the clock time and the start/magnifying glass/Task View button, but it's flickering.

Had hundreds of requests to that site mentioned with the port number.


2 hours ago, Marcos said:

Please provide logs collected with ESET Log Collector. Most likely you have a malicious lnk file in the startup folder.

Sent to you!


  • Most Valued Members
9 minutes ago, Vince said:

Sent to you!

Did you run a deep full system scan?


Hi!

I'm having a problem with the pop-up hxxp://api.backend-app.com:8880

I created a new HIPS rule!
Looks like the pop-ups have stopped.

I found:
C:\Users\xxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updatewins.lnk

updatewins.lnk -> Target: C:\WINDOWS\system32\wscript.exe  /E:jscript "C:\Users\xxx\AppData\Roaming\updatewins" wscript.exe/e:key:przSlksUf6ucMA

Question.
Can updatewins.lnk file be deleted?

Thank you!

 

Edited by Jozef76

  • Most Valued Members
15 minutes ago, Vince said:

yes , found nothing

Give HitmanPro a try, it can find some bad stuff.


  • Most Valued Members
5 minutes ago, Vince said:

same, nothing

Download https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

And run it as Administrator and see if there are suspicious startup programs/scripts, then you can see its location, and see for yourself if it's malicious or not, upload it to VT.

Malicious reg mostly can be found here: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\

Edited by Nightowl

  • Administrators
2 hours ago, Jozef76 said:

I found:

C:\Users\xxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updatewins.lnk

updatewins.lnk -> Target: C:\WINDOWS\system32\wscript.exe  /E:jscript "C:\Users\Joe\AppData\Roaming\updatewins" wscript.exe/e:key:przSlksUf6ucMA

Question.
Can updatewins.lnk file be deleted?

Please do not delete any files without keeping a copy of them. Move the file to a new folder, reboot the machine and upload the file here along with logs collected with ESET Log Collector.


3 hours ago, Nightowl said:

Download https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

And run it as Administrator and see if there are suspicious startup programs/scripts, then you can see its location, and see for yourself if it's malicious or not, upload it to VT.

Malicious reg mostly can be found here: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\

[screenshot attached]


  • Most Valued Members

Can you please try to remove this software from your PC:

[screenshot attached]

If you see some suspicious applications in the Startup category (or if you press Logon at the top), also try to unselect it, and remove it from Windows through Add or Remove.

----

In ESET settings, set it to detect Possibly Unwanted Programs & Unsafe Programs, and scan again and see if it will detect threats; probably these blocks are coming from one of these dodgy softwares, IDMan or Free Download Manager.

 

Here is an example of your problem :

https://any.run/report/8d33d5c74a877dc2030ec36b79db8630e20dc476e3374d24b65dee6222d7d498/934cb24f-6b03-4d87-9f32-a038caa1790b

Do you have this here ? :

C:\Users\admin\AppData\Roaming\update-win.js

 

Edited by Nightowl

7 minutes ago, Nightowl said:

Can you please try to remove this software from your PC:

[screenshot attached]

If you see some suspicious applications in the Startup category (or if you press Logon at the top), also try to unselect it, and remove it from Windows through Add or Remove.

----

In ESET settings, set it to detect Possibly Unwanted Programs & Unsafe Programs, and scan again and see if it will detect threats; probably these blocks are coming from one of these dodgy softwares, IDMan or Free Download Manager.

I think FDM is not the likely source of it. It's a malware/adware free trusted app used by many people. 


  • Most Valued Members
10 minutes ago, Nightowl said:

Can you please try to remove this software from your PC:

[screenshot attached]

If you see some suspicious applications in the Startup category (or if you press Logon at the top), also try to unselect it, and remove it from Windows through Add or Remove.

----

In ESET settings, set it to detect Possibly Unwanted Programs & Unsafe Programs, and scan again and see if it will detect threats; probably these blocks are coming from one of these dodgy softwares, IDMan or Free Download Manager.

 

Here is an example of your problem :

https://any.run/report/8d33d5c74a877dc2030ec36b79db8630e20dc476e3374d24b65dee6222d7d498/934cb24f-6b03-4d87-9f32-a038caa1790b

Do you have this here ? :

C:\Users\admin\AppData\Roaming\update-win.js

 

I'll add I use Free Download Manager and have had no issues.


  • Most Valued Members
1 minute ago, SeriousHoax said:

I think FDM is not the likely source of it. It's a malware/adware free trusted app used by many people. 

Yeah, could be. Never heard of it and it's using a simple name and not verified, so I thought it should be gone, but it could be good, I don't know. I never used it and don't use managers.

It could also be in the Startup part in Autoruns, there can be some dodgy software there.

The malicious JavaScript should be in %AppData% with the name update-win.js in the Roaming folder.


32 minutes ago, Vince said:

[screenshot attached]

Scroll down and post more pictures here. Your startup folder is not fully visible here. Also, before sharing, enable it from Options > Scan Option > Check VirusTotal.com.


4 minutes ago, Nightowl said:

Yeah, could be. Never heard of it and it's using a simple name and not verified, so I thought it should be gone, but it could be good, I don't know. I never used it and don't use managers.

It could also be in the Startup part in Autoruns, there can be some dodgy software there.

The malicious JavaScript should be in %AppData% with the name update-win.js in the Roaming folder.

I used it before. It's also available on Linux. If he downloaded from the original source then it's safe. He got the malicious script from a cracked Adobe installer.

Right, I also think there may be something in the Startup directory.

Edited by SeriousHoax

  • Most Valued Members
2 minutes ago, SeriousHoax said:

I used it before. It's also available on Linux. If he downloaded from the original source then it's safe. He got the malicious script from a cracked Adobe installer.

Right, I also think there may be something in the Startup directory.

Argh, I missed the part about cracked Adobe. It could be, yeah; I am not correct about what I've said about the download managers. I lack experience with them because I don't use them, but I remember them from Windows XP days, they used to make some trouble.

It's different then if there is a script from a cracked Adobe download, which can be malicious or a fake crack.


11 minutes ago, SeriousHoax said:

Scroll down and post more pictures here. Your startup folder is not fully visible here. Also, before sharing, enable it from Options > Scan Option > Check VirusTotal.com.

[screenshots attached: esetscroll1 to esetscroll4]

Edited by Vince

  • Most Valued Members

UpdateWins.LNK - Unselect this.

It probably points to C:\Users\%USERPROFILE%\AppData\Roaming\update-win.js

Check your Roaming AppData folder if there are malicious files over there.

 

Can you please run a deep full system scan with Unwanted Programs and Unsafe Programs options enabled?

So it could pickup Adobe crack also.

Edited by Nightowl

7 minutes ago, Nightowl said:

UpdateWins.LNK - Unselect this.

It probably points to C:\Users\%USERPROFILE%\AppData\Roaming\update-win.js

Yes, it's there, C:\Users\%USERPROFILE%\AppData\Roaming, but with a different name [screenshot attached].


  • Most Valued Members
10 minutes ago, Vince said:

Yes, it's there, C:\Users\%USERPROFILE%\AppData\Roaming, but with a different name [screenshot attached].

Please upload it to VirusTotal to see the results; you can also try the Hybrid Analysis website and the any.run app.

You can manually put it in Quarantine in ESET to see if the blocks stop or not; most probably, if you change the extension to .bak or something irrelevant, it should stop working as a script.

It's probably a Trojan Downloader, but I can't know what Trojan it is trying to get.

The Startup shortcut calls this script and probably this script calls another infected EXE on your PC so it can continue its job.

---

Try a deep scan with PUA and Unsafe Applications enabled.

Edited by Nightowl
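The checks suggested in this thread (Startup folder shortcuts, the Run keys, the .lnk that hands a script under AppData to wscript.exe) can be collected in one read-only pass. The script below is an added example written for this thread, not ESET's or any poster's code; it assumes an elevated Windows PowerShell 5.1 or later session on the affected machine and changes nothing, printing SHA256 hashes so suspect files can be looked up on VirusTotal rather than deleted.

```powershell
# Added example: inventory Startup folders and Run keys, flag entries shaped like updatewins.lnk.
$scriptHosts = 'wscript\.exe|cscript\.exe|mshta\.exe|powershell\.exe|rundll32\.exe'
$shell = New-Object -ComObject WScript.Shell

function Test-SuspiciousCommand([string]$cmd) {
    # Either a script host or a payload living under AppData is worth a closer look.
    return ($cmd -match $scriptHosts) -or ($cmd -match '\\AppData\\')
}

function Get-PayloadHash([string]$argString) {
    # The thread's shortcut passed the script as a quoted argument to wscript.exe;
    # hash that file (if it exists) rather than the shortcut or the script host.
    if ($argString -match '"([^"]+)"' -and (Test-Path -LiteralPath $Matches[1])) {
        return (Get-FileHash -LiteralPath $Matches[1] -Algorithm SHA256).Hash
    }
    return ''
}

# Per-user and all-users Startup folders (the per-user one held updatewins.lnk above)
$startupDirs = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
$report = @(foreach ($dir in $startupDirs) {
    Get-ChildItem -LiteralPath $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)      # resolves the .lnk target and arguments
        $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
        [PSCustomObject]@{
            Source     = $_.FullName
            Command    = $cmd
            Suspicious = Test-SuspiciousCommand $cmd
            SHA256     = Get-PayloadHash $lnk.Arguments
        }
    }
})

# The HKLM Run key named in the thread plus the per-user HKCU equivalent
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$report += @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    # Drop the PSPath/PSProvider bookkeeping properties that Get-ItemProperty adds
    (Get-ItemProperty -Path $key).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object {
            [PSCustomObject]@{
                Source     = "$key\$($_.Name)"
                Command    = [string]$_.Value
                Suspicious = Test-SuspiciousCommand ([string]$_.Value)
                SHA256     = Get-PayloadHash ([string]$_.Value)
            }
        }
})

$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Flagged rows are candidates for the move-and-upload step Marcos asked for, not automatic verdicts; legitimate updaters also live under AppData.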
