Archived

This topic is now archived and is closed to further replies.

mandrix

ESET I.S. aggressively blocking URL, can't find app

Hi!

I have the same problem from today:

hxxp://api.backend-app.com:8880; Bloqué par la liste noire interne; C:\Windows\System32\wscript.exe;PC-GAMER\Cyril;172.64.173.30;542C46C652DDEFC87414213A8BEA0C65DD0377A9.

I did the HIPS rules and the popup stopped, but I think it's not resolved: (screenshot attached)

It seems like explorer.exe uses wscript.exe.

I hope you can help me.

7 hours ago, Vince said:

Hi!
I have the same problem from today:

hxxp://api.backend-app.com:8880; Bloqué par la liste noire interne; C:\Windows\System32\wscript.exe;PC-GAMER\Cyril;172.64.173.30;542C46C652DDEFC87414213A8BEA0C65DD0377A9

Please provide logs collected with ESET Log Collector. Most likely you have a malicious lnk file in the startup folder.


Same issue with me! :(

Now I can't get into Windows. Last message was "System detected an overrun of a stack-based buffer in this application" - restarted and my PC is now flashing black and white at boot, with a black desktop and a black/white flashing taskbar - I can see the clock time and the start/magnifying glass/Task View button, but it's flickering.

Had hundreds of requests to that site mentioned with the port number.

2 hours ago, Marcos said:

Please provide logs collected with ESET Log Collector. Most likely you have a malicious lnk file in the startup folder.

Sent to you!

9 minutes ago, Vince said:

Sent to you!

Did you run a deep full system scan?


Hi!

I'm having a problem with the pop-up hxxp://api.backend-app.com:8880

I created a new HIPS rule!
Looks like the pop-ups have stopped.

I found:
C:\Users\xxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updatewins.lnk

updatewins.lnk -> Target: C:\WINDOWS\system32\wscript.exe  /E:jscript "C:\Users\xxx\AppData\Roaming\updatewins" wscript.exe/e:key:przSlksUf6ucMA

Question.
Can the updatewins.lnk file be deleted?

Thank you!

18 minutes ago, Nightowl said:

Did you run a deep full system scan?

Yes, found nothing.

15 minutes ago, Vince said:

Yes, found nothing.

Give HitmanPro a try, it can find some bad stuff.

8 minutes ago, Nightowl said:

Give HitmanPro a try, it can find some bad stuff.

Same, nothing.

5 minutes ago, Vince said:

Same, nothing.

Download https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

And run it as Administrator and see if there are suspicious startup programs/scripts, then you can see its location, and see for yourself if it's malicious or not, upload it to VT.

Malicious registry entries can mostly be found here: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\

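The two persistence locations discussed in this thread (a .lnk in the Startup folder that launches wscript.exe /E:jscript against a file under %AppData%\Roaming, and the Run registry keys) can be enumerated and triaged in one pass. The script below is an added example, not code from the thread, ESET or Sysinternals; the detection heuristic (script host name or script-engine switch / AppData path in the arguments) is an assumption chosen to match the updatewins.lnk pattern above. It is read-only and modifies nothing.

```powershell
# Added example: report Startup-folder shortcuts and Run-key entries, flagging
# those that start a script host from a user-writable path, as updatewins.lnk does.
$scriptHosts = @('wscript.exe', 'cscript.exe', 'mshta.exe', 'powershell.exe', 'cmd.exe')

function Test-SuspiciousLaunch {
    param([string]$Target, [string]$Arguments)
    $exe = [System.IO.Path]::GetFileName($Target).ToLowerInvariant()
    $hostHit = $scriptHosts -contains $exe
    # Script-engine switch or a script living under AppData (heuristic, assumed here)
    $argHit  = $Arguments -match '(?i)/E:(jscript|vbscript)|\\AppData\\|\.(js|jse|vbs|wsf)\b'
    return [bool]($hostHit -or $argHit)
}

function Get-StartupLaunchers {
    $shell = New-Object -ComObject WScript.Shell
    # 1. Per-user and all-users Startup folders: resolve each .lnk to its real target
    foreach ($dir in @([Environment]::GetFolderPath('Startup'),
                       [Environment]::GetFolderPath('CommonStartup'))) {
        Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            [pscustomobject]@{
                Source     = $_.FullName
                Target     = $lnk.TargetPath
                Arguments  = $lnk.Arguments
                Suspicious = Test-SuspiciousLaunch $lnk.TargetPath $lnk.Arguments
            }
        }
    }
    # 2. Run keys for the machine and the current user
    foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
            $cmd = [string]$p.Value
            # First token (quoted or bare) is the executable; the remainder is its arguments
            $exe  = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+', 2)[0] }
            $rest = $cmd -replace '^("[^"]+"|\S+)\s*', ''
            [pscustomobject]@{
                Source     = "$key\$($p.Name)"
                Target     = $exe
                Arguments  = $rest
                Suspicious = Test-SuspiciousLaunch $exe $rest
            }
        }
    }
}

Get-StartupLaunchers | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell so the HKLM key is readable; flagged rows are candidates to preserve (copy, not delete) and submit for analysis, as Marcos advises below.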
2 hours ago, Jozef76 said:

I found:

C:\Users\xxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updatewins.lnk

updatewins.lnk -> Target: C:\WINDOWS\system32\wscript.exe  /E:jscript "C:\Users\Joe\AppData\Roaming\updatewins" wscript.exe/e:key:przSlksUf6ucMA

Question.
Can the updatewins.lnk file be deleted?

Please do not delete any files without keeping a copy of them. Move the file to a new folder, reboot the machine and upload the file here along with logs collected with ESET Log Collector.

3 hours ago, Nightowl said:

Download https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

And run it as Administrator and see if there are suspicious startup programs/scripts, then you can see its location, and see for yourself if it's malicious or not, upload it to VT.

Malicious registry entries can mostly be found here: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\

(screenshot of the Autoruns list attached)


Can you please try to remove this software from your PC: (screenshot attached)

If you see some suspicious applications in the Startup category (or if you press Logon at the top), also try to unselect it, and remove it from Windows through Add or Remove.

----

In ESET Settings, set it to detect Possibly Unwanted Programs & Unsafe Programs, and scan again and see if it will detect threats; probably these blocks are coming from one of these dodgy programs, IDMan or Free Download Manager.

Here is an example of your problem:

https://any.run/report/8d33d5c74a877dc2030ec36b79db8630e20dc476e3374d24b65dee6222d7d498/934cb24f-6b03-4d87-9f32-a038caa1790b

Do you have this here?:

C:\Users\admin\AppData\Roaming\update-win.js

7 minutes ago, Nightowl said:

Can you please try to remove this software from your PC: (screenshot attached)

If you see some suspicious applications in the Startup category (or if you press Logon at the top), also try to unselect it, and remove it from Windows through Add or Remove.

----

In ESET Settings, set it to detect Possibly Unwanted Programs & Unsafe Programs, and scan again and see if it will detect threats; probably these blocks are coming from one of these dodgy programs, IDMan or Free Download Manager.

I think FDM is not the likely source of it. It's a malware/adware-free trusted app used by many people.

10 minutes ago, Nightowl said:

Can you please try to remove this software from your PC: (screenshot attached)

If you see some suspicious applications in the Startup category (or if you press Logon at the top), also try to unselect it, and remove it from Windows through Add or Remove.

----

In ESET Settings, set it to detect Possibly Unwanted Programs & Unsafe Programs, and scan again and see if it will detect threats; probably these blocks are coming from one of these dodgy programs, IDMan or Free Download Manager.

Here is an example of your problem:

https://any.run/report/8d33d5c74a877dc2030ec36b79db8630e20dc476e3374d24b65dee6222d7d498/934cb24f-6b03-4d87-9f32-a038caa1790b

Do you have this here?:

C:\Users\admin\AppData\Roaming\update-win.js

I'll add I use Free Download Manager and have had no issues.

1 minute ago, SeriousHoax said:

I think FDM is not the likely source of it. It's a malware/adware-free trusted app used by many people.

Yeah, could be; never heard of it, and it's using a simple name and is not verified, so I thought it should be gone, but it could be good, I don't know. I never used it and don't use download managers.

It could also be in the Startup part in Autoruns; there can be some dodgy software there.

The malicious JavaScript should be in %AppData% with the name update-win.js in the Roaming folder.

32 minutes ago, Vince said:

(screenshot of the Autoruns list attached)

Scroll down and post more pictures here. Your startup folder is not fully visible here. Also, before sharing, enable Options > Scan Options > Check VirusTotal.com.


Try also to clear all your browsers' cookies.

4 minutes ago, Nightowl said:

Yeah, could be; never heard of it, and it's using a simple name and is not verified, so I thought it should be gone, but it could be good, I don't know. I never used it and don't use download managers.

It could also be in the Startup part in Autoruns; there can be some dodgy software there.

The malicious JavaScript should be in %AppData% with the name update-win.js in the Roaming folder.

I used it before. It's also available on Linux. If he downloaded it from the original source then it's safe. He got the malicious script from a cracked Adobe installer.

Right, I also think there may be something in the Startup directory.

2 minutes ago, SeriousHoax said:

I used it before. It's also available on Linux. If he downloaded it from the original source then it's safe. He got the malicious script from a cracked Adobe installer.

Right, I also think there may be something in the Startup directory.

Argh, I missed the part about cracked Adobe. It could be, yeah; I am not correct about what I've said about the download managers. I lack experience with them because I don't use them, but I remember them from Windows XP days, they used to make some trouble.

It's different then if there is a script from a cracked Adobe download, which can be malicious or a fake crack.

11 minutes ago, SeriousHoax said:

Scroll down and post more pictures here. Your startup folder is not fully visible here. Also, before sharing, enable Options > Scan Options > Check VirusTotal.com.

(four screenshots of the scrolled Autoruns list attached)


UpdateWins.LNK - unselect this.

It probably points to C:\Users\%USERPROFILE%\AppData\Roaming\update-win.js

Check your Roaming AppData folder to see if there are malicious files in there.

Can you please run a deep full system scan with the Unwanted Programs and Unsafe Programs options enabled?

So it could pick up the Adobe crack also.

7 minutes ago, Nightowl said:

UpdateWins.LNK - unselect this.

It probably points to C:\Users\%USERPROFILE%\AppData\Roaming\update-win.js

Yes, it's there in C:\Users\%USERPROFILE%\AppData\Roaming, but with a different name. (screenshot attached)

10 minutes ago, Vince said:

Yes, it's there in C:\Users\%USERPROFILE%\AppData\Roaming, but with a different name. (screenshot attached)

Upload it please to VirusTotal to see the results; you can also try the Hybrid Analysis website and the ANY.RUN app.

You can manually put it in Quarantine in ESET to see if the blocks stop or not. Most probably, if you change the extension to .bak or something irrelevant, it should stop working as a script.

It's probably a Trojan downloader, but I can't know what Trojan it is trying to get.

The Startup shortcut calls this script, and probably this script calls another infected EXE on your PC so it can continue its job.

---

Try a deep scan with PUA and Unsafe Applications enabled.
