Vince, posted June 6, 2020

Hi! I have the same problem from today:

hxxp://api.backend-app.com:8880; Bloqué par la liste noire interne; C:\Windows\System32\wscript.exe;PC-GAMER\Cyril;172.64.173.30;542C46C652DDEFC87414213A8BEA0C65DD0377A9

I did the HIPS rules and the popup stopped, but I think it's not resolved: it seems like explorer.exe uses wscript.exe. I hope you can help me.
Marcos (Administrator), posted June 7, 2020

> 7 hours ago, Vince said: Hi! I have the same problem from today: hxxp://api.backend-app.com:8880; Bloqué par la liste noire interne; C:\Windows\System32\wscript.exe;PC-GAMER\Cyril;172.64.173.30;542C46C652DDEFC87414213A8BEA0C65DD0377A9

Please provide logs collected with ESET Log Collector. Most likely you have a malicious lnk file in the startup folder.
sadbhai, posted June 7, 2020

Same issue with me! Now I can't get into Windows. The last message was "System detected an overrun of a stack-based buffer in this application". I restarted and my PC is now flashing black and white at boot, with a black desktop and a black/white flashing taskbar. I can see the clock time and the Start/magnifying glass/Task View buttons, but it's flickering. Had hundreds of requests to that site mentioned with the port number.
Vince, posted June 7, 2020

> 2 hours ago, Marcos said: Please provide logs collected with ESET Log Collector. Most likely you have a malicious lnk file in the startup folder.

Sent to you!
Nightowl (Most Valued Member), posted June 7, 2020

> 9 minutes ago, Vince said: Sent to you!

Did you run a deep full system scan?
Jozef76, posted June 7, 2020 (edited June 7, 2020 by Jozef76)

Hi! I'm having a problem with the pop-up hxxp://api.backend-app.com:8880. I created a new HIPS rule! It looks like the pop-ups have stopped. I found:

C:\Users\xxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updatewins.lnk

updatewins.lnk -> Target: C:\WINDOWS\system32\wscript.exe /E:jscript "C:\Users\xxx\AppData\Roaming\updatewins" wscript.exe/e:key:przSlksUf6ucMA

Question: can the updatewins.lnk file be deleted? Thank you!
Vince, posted June 7, 2020

> 18 minutes ago, Nightowl said: Did you run a deep full system scan?

Yes, found nothing.
Nightowl (Most Valued Member), posted June 7, 2020

> 15 minutes ago, Vince said: Yes, found nothing.

Give HitmanPro a try, it can find some bad stuff.
Vince, posted June 7, 2020

> 8 minutes ago, Nightowl said: Give HitmanPro a try, it can find some bad stuff.

Same, nothing.
Nightowl (Most Valued Member), posted June 7, 2020 (edited June 7, 2020 by Nightowl)

> 5 minutes ago, Vince said: Same, nothing.

Download https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns and run it as Administrator, and see if there are suspicious startup programs/scripts. Then you can see its location and see for yourself if it's malicious or not; upload it to VT.

Malicious reg entries mostly can be found here: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
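The manual checks suggested above (Autoruns over the Startup folder and the Run key, then a VirusTotal lookup) can be scripted for triage. The following PowerShell is an added example, not code from the thread or from ESET: it resolves every .lnk in the per-user and all-users Startup folders, flags those whose target is a script host or whose arguments carry /E:jscript or point into AppData\Roaming (the pattern Jozef76 found with updatewins.lnk), lists the HKLM and HKCU Run keys, and prints each shortcut's SHA1 so it can be looked up before anything is deleted. The script-host list and the regex patterns are assumptions chosen from this thread's findings.

```powershell
# Added example (not from the thread or ESET). Assumptions: the script-host
# list and the regex patterns below are chosen from the thread's findings
# (wscript.exe /E:jscript, a payload under AppData\Roaming), not from ESET.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
$scriptHosts = @('wscript.exe', 'cscript.exe', 'mshta.exe', 'powershell.exe')
$argPattern  = '/E:jscript|/E:vbscript|AppData\\Roaming'
$shell = New-Object -ComObject WScript.Shell

# 1. Resolve every Startup-folder shortcut and flag script-host targets.
$shortcuts = foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($file in Get-ChildItem -LiteralPath $dir -Filter '*.lnk' -File) {
        $lnk = $shell.CreateShortcut($file.FullName)
        $targetExe = ([IO.Path]::GetFileName([string]$lnk.TargetPath)).ToLowerInvariant()
        [PSCustomObject]@{
            Shortcut   = $file.FullName
            Target     = $lnk.TargetPath
            Arguments  = $lnk.Arguments
            Suspicious = ($scriptHosts -contains $targetExe) -or ($lnk.Arguments -match $argPattern)
            # SHA1 of the .lnk itself, for a VirusTotal lookup before deleting anything
            Sha1       = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA1).Hash
        }
    }
}

# 2. List Run-key entries and flag the same indicators.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$runEntries = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $values = Get-ItemProperty -LiteralPath $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's provider metadata
        [PSCustomObject]@{
            Key        = $key
            Name       = $prop.Name
            Command    = [string]$prop.Value
            Suspicious = ([string]$prop.Value -match 'wscript|cscript|mshta|AppData\\Roaming')
        }
    }
}
$shortcuts  | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
$runEntries | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

A flagged entry is a lead, not a verdict: a legitimate updater can also live in the Startup folder, so check the resolved target file itself (and its hash on VirusTotal) before moving it, as Marcos advises below, rather than deleting it.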
Marcos (Administrator), posted June 7, 2020

> 2 hours ago, Jozef76 said: I found: C:\Users\xxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updatewins.lnk updatewins.lnk -> Target: C:\WINDOWS\system32\wscript.exe /E:jscript "C:\Users\Joe\AppData\Roaming\updatewins" wscript.exe/e:key:przSlksUf6ucMA Question: can the updatewins.lnk file be deleted?

Please do not delete any files without keeping a copy of them. Move the file to a new folder, reboot the machine and upload the file here along with logs collected with ESET Log Collector.
Vince, posted June 7, 2020

> 3 hours ago, Nightowl said: Download https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns and run it as Administrator, and see if there are suspicious startup programs/scripts. Then you can see its location and see for yourself if it's malicious or not; upload it to VT. Malicious reg entries mostly can be found here: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
Nightowl (Most Valued Member), posted June 7, 2020 (edited June 7, 2020 by Nightowl)

Can you please try to remove this software from your PC: if you see some suspicious applications in the Startup category (or if you press Logon at the top), also try to unselect them, and remove them from Windows through Add or Remove.

----

In ESET settings, set it to detect Possibly Unwanted Programs & Unsafe Programs, and scan again and see if it will detect threats. Probably these blocks are coming from one of these dodgy softwares, IDMan or Free Download Manager.

Here is an example of your problem: https://any.run/report/8d33d5c74a877dc2030ec36b79db8630e20dc476e3374d24b65dee6222d7d498/934cb24f-6b03-4d87-9f32-a038caa1790b

Do you have this here?: C:\Users\admin\AppData\Roaming\update-win.js
SeriousHoax, posted June 7, 2020

> 7 minutes ago, Nightowl said: Can you please try to remove this software from your PC: if you see some suspicious applications in the Startup category (or if you press Logon at the top), also try to unselect them, and remove them from Windows through Add or Remove. ---- In ESET settings, set it to detect Possibly Unwanted Programs & Unsafe Programs, and scan again and see if it will detect threats. Probably these blocks are coming from one of these dodgy softwares, IDMan or Free Download Manager.

I think FDM is not the likely source of it. It's a malware/adware-free trusted app used by many people.
peteyt (Most Valued Member), posted June 7, 2020

> 10 minutes ago, Nightowl said: Can you please try to remove this software from your PC: if you see some suspicious applications in the Startup category (or if you press Logon at the top), also try to unselect them, and remove them from Windows through Add or Remove. ---- In ESET settings, set it to detect Possibly Unwanted Programs & Unsafe Programs, and scan again and see if it will detect threats. Probably these blocks are coming from one of these dodgy softwares, IDMan or Free Download Manager. Here is an example of your problem: https://any.run/report/8d33d5c74a877dc2030ec36b79db8630e20dc476e3374d24b65dee6222d7d498/934cb24f-6b03-4d87-9f32-a038caa1790b Do you have this here?: C:\Users\admin\AppData\Roaming\update-win.js

I'll add I use Free Download Manager and have had no issues.
Nightowl (Most Valued Member), posted June 7, 2020

> 1 minute ago, SeriousHoax said: I think FDM is not the likely source of it. It's a malware/adware-free trusted app used by many people.

Yea, could be. Never heard of it, and it's using a simple name and not verified, so I thought it should be gone, but it could be good, I don't know; I never used it and don't use managers.

It could also be in the Startup part in Autoruns; there can be some dodgy software there.

The malicious JavaScript should be in %AppData% with the name update-win.js, in the Roaming folder.
SeriousHoax, posted June 7, 2020

> 32 minutes ago, Vince said:

Scroll down and post more pictures here. Your startup folder is not fully visible here. Also, before sharing, enable it from Options > Scan Option > Check VirusTotal.com.
Nightowl (Most Valued Member), posted June 7, 2020

Try also to clear all your browsers' cookies.
SeriousHoax, posted June 7, 2020 (edited June 7, 2020 by SeriousHoax)

> 4 minutes ago, Nightowl said: Yea, could be. Never heard of it, and it's using a simple name and not verified, so I thought it should be gone, but it could be good, I don't know; I never used it and don't use managers. It could also be in the Startup part in Autoruns; there can be some dodgy software there. The malicious JavaScript should be in %AppData% with the name update-win.js, in the Roaming folder.

I used it before. It's also available on Linux. If he downloaded it from the original source then it's safe. He got the malicious script from a cracked Adobe installer. Right, I also think there may be something in the Startup directory.
Nightowl (Most Valued Member), posted June 7, 2020

> 2 minutes ago, SeriousHoax said: I used it before. It's also available on Linux. If he downloaded it from the original source then it's safe. He got the malicious script from a cracked Adobe installer. Right, I also think there may be something in the Startup directory.

Argh, I missed the part about cracked Adobe; it could be, yea. I am not correct about what I've said about the download managers. I lack experience with them because I don't use them, but I remember them from the Windows XP days, when they used to make some troubles.

It's different then if there is a script from a cracked Adobe download, which can be malicious or a fake crack.
Vince, posted June 7, 2020 (edited June 7, 2020 by Vince)

> 11 minutes ago, SeriousHoax said: Scroll down and post more pictures here. Your startup folder is not fully visible here. Also, before sharing, enable it from Options > Scan Option > Check VirusTotal.com.
Nightowl (Most Valued Member), posted June 7, 2020 (edited June 7, 2020 by Nightowl)

UpdateWins.LNK - unselect this. It probably points to C:\Users\%USERPROFILE%\AppData\Roaming\update-win.js. Check your Roaming AppData folder for malicious files over there.

Can you please run a deep full system scan with the Unwanted Programs and Unsafe Programs options enabled? So it could pick up the Adobe crack also.
Vince, posted June 7, 2020

> 7 minutes ago, Nightowl said: UpdateWins.LNK - unselect this. It probably points to C:\Users\%USERPROFILE%\AppData\Roaming\update-win.js.

Yes, it's there in C:\Users\%USERPROFILE%\AppData\Roaming, but with a different name.
Nightowl (Most Valued Member), posted June 7, 2020 (edited June 7, 2020 by Nightowl)

> 10 minutes ago, Vince said: Yes, it's there in C:\Users\%USERPROFILE%\AppData\Roaming, but with a different name.

Upload it please to VirusTotal to see the results; you can also try the Hybrid Analysis web site and the app anyrun.

You can manually put it in Quarantine in ESET to see if the blocks stop or not. Most probably, if you change the extension to .bak or something irrelevant, it should stop working as a script.

It's probably a Trojan Downloader, but I can't know what Trojan it is trying to get. The Startup shortcut calls this script, and probably this script calls another infected EXE on your PC so it can continue its job.

---

Try a deep scan with PUA and Unsafe Applications enabled.