A new virus?! (Eset + Microsoft defender and Windows updates are gone)

Hi! I am having a weird issue I haven't seen before... After a week my Windows updates get corrupted and Windows Defender goes missing on the machine. No big deal, I restore my machine from a backup, stop Windows updates for a month and buy Eset ISP to have better protection. One week passes by and my VPN wouldn't connect to our domain. I noticed that the Eset splash screen was not showing up, so I did a search for Eset and it said nothing was found. Sure enough Eset, Windows Defender and Windows updates are gone AGAIN. Did anyone have this issue or virus, whatever it is? It's really annoying.


  • Administrators

It's unlikely that malware would "corrupt" Windows updates. If there's an issue with them, it'd be rather caused by a hardware failure than by malware. Or an attacker is able to connect via RDP and uninstalls AVs and Windows updates on a regular basis. Did you check the system event logs for possible errors? Do you have RDP disabled?


9 minutes ago, Marcos said:

It's unlikely that malware would "corrupt" Windows updates. If there's an issue with them, it'd be rather caused by a hardware failure than by malware. Or an attacker is able to connect via RDP and uninstalls AVs and Windows updates on a regular basis. Did you check the system event logs for possible errors? Do you have RDP disabled?

It is a brand new machine, Windows 10 Pro, RDP disabled... The weird thing is this started to happen on my old laptop too, just before the 2004 update, so I thought it was the update. But now on the new machine the same thing is happening. If I open Microsoft Defender > blank screen in the app (executables gone), ESET was gone (all the executables) and Windows Update gives an error (also cannot connect to the Microsoft Store). The internet connection is fine though.


46 minutes ago, Marcos said:

Please upload logs collected with ESET Log Collector here.

Okay, tried a different AM SW and it found a trojan:

Quote

Kľúč databázy Registry: 3
Trojan.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Microsoft\Windows\Application Experience\STARTUPCHECKLIBRARY, Bez zásahu používateľa, 502, 735770, , , , , , 
Trojan.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{B6F1D2B9-A39A-4018-829B-77263AED2DBE}, Bez zásahu používateľa, 502, 735770, , , , , , 
Trojan.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{B6F1D2B9-A39A-4018-829B-77263AED2DBE}, Bez zásahu používateľa, 502, 735770, , , , , , 

Hodnota databázy Registry: 1
Trojan.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{B6F1D2B9-A39A-4018-829B-77263AED2DBE}|PATH, Bez zásahu používateľa, 502, 782993, 1.0.32740, , ame, , , 

Údaje databázy Registry: 0
(Nezistili sa nijaké škodlivé položky)

Prúd údajov: 0
(Nezistili sa nijaké škodlivé položky)

Priečinok: 0
(Nezistili sa nijaké škodlivé položky)

Súbor: 1
Trojan.Agent, C:\WINDOWS\SYSTEM32\TASKS\MICROSOFT\WINDOWS\APPLICATION EXPERIENCE\STARTUPCHECKLIBRARY, Bez zásahu používateľa, 502, 735770, 1.0.32740, , ame, , CD52F0B617A68EDC4533DE2EEDCF1AC8, A67A9367AEA4DD499A8EC3D7B92849C845DBC1DFBAFD7B7F4BBC3279F56B146A

So I manually removed the keys from the registry, deleted the file from the Windows folder and did a reboot. I did another scan and now it says everything is clean, so let's see. It is funny how ESET did not find this though...


  • Administrators

Unfortunately, without getting the file for perusal it's impossible to tell if it was actual malware or just an FP triggered by the software you used to scan the machine. The detection name is too generic (Trojan.Agent) and it was a scheduled task which was detected, i.e. not the actual file (clean or malware) that the task would run.


This might be legit malware.

Someone over at TechNet last July reported almost the same behavior noted in this posting: https://answers.microsoft.com/en-us/windows/forum/windows_10-security/some-virus-keeps-removing-or-breaking-antivirus/56437d7a-5f56-4294-ad11-8f7a2da5653b . Same registry keys were used.


  • Most Valued Members

If both computers have had the same issue, I'm wondering if somehow the old one has infected the new one. I don't know a lot about networking but it's maybe worth a look to see if the laptop is the origin.


7 hours ago, ProblemNeedsSolution said:

It is a brand new machine, Windows 10 Pro, RDP disabled... The weird thing is this started to happen on my old laptop too, just before the 2004 update, so I thought it was the update. But now on the new machine the same thing is happening.

I would say that whatever VPN you are using might be the source of this malware activity. If you get infected again, I would definitely switch to a new VPN provider.

Also re-reading the TechNet posting, I noticed this:

Quote

One pattern I did notice, right before the virus comes back, right before I notice that my antivirus disappears: when I start up the computer, for just a brief moment, it will look like it's about to boot up into safe mode. Then it will restart again a second time and it will boot up in the normal mode. Right after this happens is when I notice that the virus is back and my antivirus is broken. I guess this thing has special UAC access in order to be able to do that.

If the malware was forcing a boot into safe mode, especially one with minimal drivers only enabled, it would explain how Eset could be uninstalled and WD disabled.


20 hours ago, itman said:

I would say that whatever VPN you are using might be the source of this malware activity. If you get infected again, I would definitely switch to a new VPN provider.

Also re-reading the TechNet posting, I noticed this:

If the malware was forcing a boot into safe mode, especially one with minimal drivers only enabled, it would explain how Eset could be uninstalled and WD disabled.

 

I am sorry, but I only use a VPN client from Cisco to connect to our company domain and I was not forced to safe boot at all. It is really strange, but I did find some posts even on different AV SW forums with the same problem, so whatever this is, it is out there but maybe not that common.


22 hours ago, peteyt said:

If both computers have had the same issue, I'm wondering if somehow the old one has infected the new one. I don't know a lot about networking but it's maybe worth a look to see if the laptop is the origin.

The old lappy was sent back for a warranty repair (backlight LEDs got loose and I could see a row close to the display LOL). I got the new machine up and running on the weekend; the other was sent away on Friday, so they were not in "contact".


  • Most Valued Members
2 hours ago, ProblemNeedsSolution said:

The old lappy was sent back for a warranty repair (backlight LEDs got loose and I could see a row close to the display LOL). I got the new machine up and running on the weekend; the other was sent away on Friday, so they were not in "contact".

The only other possibility could be something router based. Just strange that both devices have the same issue.


Here's another posting from TechNet involving the same registry keys: https://answers.microsoft.com/en-us/windows/forum/windows_10-security/malware-removes-windows-defender/d7a0d2be-7468-425c-88e3-5929832c68a9 .

Of note in this instance is:

Quote

Registry Data: 3

PUM.Optional.DisabledSecurityCenter, HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|ANTIVIRUSDISABLENOTIFY, Zastąpiono, 13646, 293294, 1.0.23708, , ame, 

PUM.Optional.DisabledSecurityCenter, HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|FIREWALLDISABLENOTIFY, Zastąpiono, 13646, 293295, 1.0.23708, , ame, 

PUM.Optional.DisabledSecurityCenter, HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|UPDATESDISABLENOTIFY, Zastąpiono, 13646, 293296, 1.0.23708, , ame,

Ref.: https://blog.malwarebytes.com/detections/pum-optional-disabledsecuritycenter/

In other words, it appears this instance might be using a variant of one of these apps specifically designed to disable WSC notifications. Then it proceeds to fully disable them.

Also in this instance, it was a coin miner that was installed.

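An added PowerShell check (not from this thread, ESET or Malwarebytes) that surfaces the two things the scan outputs above only name: what the StartupCheckLibrary scheduled task from the first scan actually runs, and the three Security Center notification values from the quote in this post, so both can be reviewed by hand instead of judged by a generic detection name. Task and key names are taken from the thread; the output layout and the "1 means suppressed" reading of the values are assumptions.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Indicators come from the scan outputs quoted in this thread; nothing here
# removes anything, it only reports for manual review.

$taskPath     = '\Microsoft\Windows\Application Experience\'
$taskName     = 'StartupCheckLibrary'
$scKey        = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$notifyValues = 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify'

# 1. The scheduled task. As Marcos notes, the scan flagged the task entry, not the
#    file it runs, so the action (program, arguments or COM handler) is what to look at.
$task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction SilentlyContinue
if ($task) {
    "Task ${taskPath}${taskName}: state=$($task.State), author=$($task.Author)"
    $task.Actions | Format-List *      # prints Execute/Arguments or ClassId, per action type

    # The XML under System32\Tasks is what the TaskCache registry entries were built from;
    # its hash can be compared against the one reported by the scanner.
    $xmlFile = Join-Path $env:SystemRoot "System32\Tasks${taskPath}${taskName}"
    if (Test-Path $xmlFile) {
        Get-FileHash -Algorithm SHA256 -Path $xmlFile | Select-Object Hash, Path
    }
} else {
    "Task ${taskPath}${taskName} is not registered."
}

# 2. Security Center notification suppression (PUM.Optional.DisabledSecurityCenter).
#    Assumption: a value of 1 silences the matching warning; absent or 0 is the default.
$props = Get-ItemProperty -Path $scKey -ErrorAction SilentlyContinue
foreach ($v in $notifyValues) {
    $val   = if ($props) { $props.$v } else { $null }
    $state = if ($null -eq $val) { 'not set' } elseif ($val -eq 1) { 'SUPPRESSED' } else { "value=$val" }
    '{0,-24} {1}' -f $v, $state
}
```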

Well, it happened again... Yesterday everything was fine, but this morning I saw the Windows Update screen when I turned on my machine and Eset was gone (no splash screen), and when I try to reinstall it, it says it is installed. I am so confused right now and really out of ideas at this point.

I did download the log collector and made a log for you...

eis_logs.zip


7 hours ago, ProblemNeedsSolution said:

Well, it happened again... Yesterday everything was fine, but this morning I saw the Windows Update screen when I turned on my machine and Eset was gone (no splash screen), and when I try to reinstall it, it says it is installed. I am so confused right now and really out of ideas at this point.

Next time this happens, make sure you check Windows Security Center to determine what the actual status is in regards to the Eset firewall and real-time protection.

I have twice had Windows Defender "mysteriously" activate itself since upgrading to Win 20H2. In my case however, this happened sometime after initial system startup.

Also you need to clarify what you mean by "I saw the windows update screen" at system startup. Are you referring to the display given via Win 10 Settings option? You should never see this display unless you manually selected it via Win 10 Start menu -> Settings -> Update & Security.


  • Administrators

Looks like ekrn was forcibly removed and thus could not be started: "Spustenie služby ekrn zlyhalo kvôli nasledujúcej chybe: The system cannot find the file specified." 18/11/2020 06:54:57. Normally it's not possible to remove it while self-defense is active. Did you have password protection and detection of potentially unsafe applications enabled?


1 hour ago, Marcos said:

Looks like ekrn was forcibly removed and thus could not be started: "Spustenie služby ekrn zlyhalo kvôli nasledujúcej chybe: The system cannot find the file specified." 18/11/2020 06:54:57. Normally it's not possible to remove it while self-defense is active. Did you have password protection and detection of potentially unsafe applications enabled?

 

I did not tamper with the settings as far as I know, and since last time I raised the UAC settings to the maximum. I could only reinstall Eset by booting into Safe Mode and using the uninstall tool, but my Windows Updates and Windows Defender are still destroyed at this point, so the only option is to do a full restore; otherwise the posture check from Cisco's VPN client fails and I cannot gain access to our company's domain.

 

@itman When this happens the Windows Security screen is completely empty: no small icons with checkmarks, and if I open it, it is a completely blank page. By the Windows Update screen I mean the blue screen when you reboot your machine, but this happens when I turn on the machine, and yesterday I have not noticed any updates.

 

The weird thing is that it happens periodically, exactly one week apart, sort of a time bomb (so an update on the 25th, I guess).


2 hours ago, Marcos said:

Looks like ekrn was forcibly removed and thus could not be started: "Spustenie služby ekrn zlyhalo kvôli nasledujúcej chybe: The system cannot find the file specified." 18/11/2020 06:54:57. Normally it's not possible to remove it while self-defense is active. Did you have password protection and detection of potentially unsafe applications enabled?

Another possibility is some malware installed a malicious device driver. Those would load prior to Eset's ELAM driver and could intercept its loading.

A malicious device driver is rare, but they do exist. They are normally reserved for high-value targeted attacks, though.

@ProblemNeedsSolution, do you have Win 10 Secure Boot enabled on this device?


  • Administrators

I'd reinstall v14.0 and after installation enable password protection as well as detection of potentially unsafe applications. Let us know if ekrn is still being removed then.


  • Most Valued Members
4 hours ago, itman said:

There is also the rootkit possibility. Microsoft has a nice diagram on how those load and can bypass/disable anti-virus:

Windows 8.1 boot process

Could this also be router based? I mentioned it above, the key thing being two devices have the same issue. If the router was involved it would explain how the issue kept coming back and how it had appeared on two devices.

The only other thing I can think of is that it's related to something software-wise that both devices have. It seems a strange virus, but what's even stranger is that two devices have had the same issue.

Interestingly, as itman mentioned, some of the registry keys on Google seemed to talk about coin mining malware. Google does seem to show coin mining malware has infected routers in the past, but I'm not sure of the best way to check routers for this kind of infection.


10 hours ago, Marcos said:

I'd reinstall v14.0 and after installation enable password protection as well as detection of potentially unsafe applications. Let us know if ekrn is still being removed then.

Thanks, I did password protect the settings. I will post an update... if it comes to that again.


5 hours ago, peteyt said:

Could this also be router based? I mentioned it above, the key thing being two devices have the same issue. If the router was involved it would explain how the issue kept coming back and how it had appeared on two devices.

The only other thing I can think of is that it's related to something software-wise that both devices have. It seems a strange virus, but what's even stranger is that two devices have had the same issue.

Interestingly, as itman mentioned, some of the registry keys on Google seemed to talk about coin mining malware. Google does seem to show coin mining malware has infected routers in the past, but I'm not sure of the best way to check routers for this kind of infection.

At home there is another laptop connected to the main router and it does not have this issue. My laptop is connected to a Wi-Fi extender all of the time.
