A new virus?! (Eset + Microsoft defender and Windows updates are gone)



11 hours ago, itman said:

Another possibility is some malware installed a malicious device driver. Those would load prior to Eset's ELAM driver and could intercept its loading.

A malicious device driver is rare, but they do exist. They are normally reserved for high-value targeted attacks though.

@ProblemNeedsSolution, do you have Win 10 Secure Boot enabled on this device?

No, it is not enabled. If the issue comes back though, I will try it.

  • Administrators
36 minutes ago, ProblemNeedsSolution said:

Thanks, I did password protect the settings. I will post an update... if it comes to that again.

Also enable detection of potentially unsafe applications to protect ESET from being forcibly removed by 3rd party tools leveraging a kernel driver.

  • Most Valued Members
3 hours ago, ProblemNeedsSolution said:

At home there is another laptop connected to the main router and it does not have this issue. My laptop is connected to a wifi extender all of the time.

Is there anything software-wise you can think of that is installed on both of the devices that have had the issue but not on the one that seems fine? Just trying to see if we can find something common on both.

7 hours ago, ProblemNeedsSolution said:

At home there is another laptop connected to the main router and it does not have this issue. My laptop is connected to a wifi extender all of the time.

TP-Link Wi-Fi extenders have a vulnerability that can allow a hacker to completely control a targeted system (see https://www.cnet.com/news/these-wi-fi-extenders-had-vulnerabilities-that-gave-hackers-complete-control/).

Also note this:

Quote

Range extender security

Now, the fact that your extender isn’t giving you access to actually set up security concerns me. I don’t believe it’s common and to be honest, I’m really surprised that it’s not there. I can’t believe LinkSys would make a range extender that doesn’t include security, so my first suggestion is to turn to the documentation for that specific model.

Without security, you’re effectively setting up an open WiFi hotspot and anyone or anything that came into range could connect to it. They won’t necessarily see the traffic in your home, but anything that’s going over that open WiFi hotspot will be snoopable.

https://askleo.com/does-a-wireless-range-extender-compromise-my-security/

Additionally if you are using a Tenda PA6 Wi-Fi Powerline extender, version 1.0.1.21, note this:

Quote

Multiple vulnerabilities have been found in Tenda PA6 Wi-Fi Powerline extender, version 1.0.1.21. This device is part of Tenda’s PH5 Powerline Extender Kit and extends the wireless network through the home’s existing electrical circuitry.

https://securityintelligence.com/posts/vulnerable-powerline-extenders-underline-lax-iot-security/

Edited by itman

I also believe this is a rootkit.

You can try MBAM's Anti-Rootkit tool here: https://www.malwarebytes.com/antirootkit/

Note: If the tool detects anything and cleans it, the tool must be run again to verify everything is removed. This must be done repeatedly until the tool states you're clean.


Here's a posting from Nov.14 with a lot of similar behavior to what is occurring on the OP's device: https://answers.microsoft.com/en-us/windows/forum/all/cant-run-windows-update-windows-security-or/44ca6d86-5742-48ca-bd47-8038651bd433

Whatever this bugger is, it appears "to be flying under the radar" of anti-virus solutions.


Since the OP is using Cisco VPN, this is worth "a read."

Quote

Cisco has announced that its VPN is currently experiencing a major security flaw, and there's no fix yet.

https://tech.co/news/cisco-vpn-security-bug-without-fix

Ref.: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK

Edited by itman
18 hours ago, itman said:

I also believe this is a rootkit.

You can try MBAM's Anti-Rootkit tool here: https://www.malwarebytes.com/antirootkit/

Note: If the tool detects anything and cleans it, the tool must be run again to verify everything is removed. This must be done repeatedly until the tool states you're clean.

Well, it found 3 things.

shite.png

shite2.jpg


I am sorry for posting this here, but could this be the same thing as here: https://forums.malwarebytes.com/topic/255632-winlogui-keeps-coming-back/

It looks like it is using browser sync to reinfect the machine. Does anyone have any idea what the fix file could be?

4 hours ago, ProblemNeedsSolution said:

I am sorry for posting this here, but could this be the same thing as here: https://forums.malwarebytes.com/topic/255632-winlogui-keeps-coming-back/

Can't tell anything from what is posted in that thread.

What is fairly obvious by now is that this is a coin miner using a rootkit or rootkit-like behavior. The one most widely deployed in this category is ZeroAccess:

Quote

ZeroAccess (discovered in 2011) – another Trojan horse with rootkit attributes. It infects the master boot record (MBR) as well as a random system driver and then deactivates the Windows Security Center, Windows Defender and the firewall. Once this has occurred, the computer is used for a bot net operated for Bitcoin mining and click fraud.

My best guess is what is infecting you is a new variant that Eset is not detecting.

Eset has a tool to remove ZeroAccess, but I don't know if it will detect this new variant:

Quote

STEP 1: Use ESETSirefefCleaner tool to remove ZeroAccess rootkit

In this first step, we will use the ESETSirefefCleaner tool to remove the ZeroAccess rootkit from your computer.

Unable to download “ESETSirefefCleaner.exe contained a virus and was deleted”.

More recent variants of Sirefef might prevent you from downloading this removal tool. If you cannot download the tool, follow the steps below:

1. Click Start → Computer → Local Disk (C:) → Program Files.

2. Right-click the Windows Defender folder and select Rename from the context menu.

3. Add a unique variation to the filename, such as .old (for example, Windows Defender.old).

4. Click the link above to download the ESETSirefefCleaner tool. When the download is complete, make sure to rename the Windows Defender folder back to its original filename before running the ESET SirefefCleaner tool.

You can download ESETSirefefCleaner from the below link.

ESETSIREFEFCLEANER DOWNLOAD LINK (This link will automatically download ESETSirefefCleaner on your computer.)

Double-click on ESETSirefefCleaner.exe to start this utility. You may be presented with a User Account Control pop-up asking if you want to allow this to make changes to your device. If this happens, you should click “Yes” to continue.

The message “Win32/Sirefef.EV found in your system” will be displayed if an infection is found. To remove ZeroAccess rootkit from your computer, press the Y key on your keyboard.

Once the tool has run, you will be prompted to restore system services after you restart your computer. Press Y on your keyboard to restore system services and restart your computer.

Once your computer has restarted, if you are presented with a security notification click Yes or Allow, and then continue with the next step.

https://malwaretips.com/blogs/remove-zeroaccess-rootkit/

Edited by itman
  • Administrators

Is that a notebook that you roam with? It seems you log into a domain of a Slovak IT company; if the machine is a notebook and you take it home, would it be possible not to connect via RDP to the office for some time to rule out a domain policy removing ESET?

21 minutes ago, Marcos said:

Is that a notebook that you roam with? It seems you log into a domain of a Slovak IT company; if the machine is a notebook and you take it home, would it be possible not to connect via RDP to the office for some time to rule out a domain policy removing ESET?

Interesting observation. Didn't know that was possible.

However, OP already posted he is not using RDP but Cisco VPN client. I don't believe that has RDP-like two-way capability.


I also again make reference to this posting, the link to which I posted previously: https://answers.microsoft.com/en-us/windows/forum/windows_10-security/some-virus-keeps-removing-or-breaking-antivirus/56437d7a-5f56-4294-ad11-8f7a2da5653b , which relates malware behavior almost identical to what the OP is experiencing.

In this posting, it appears two .vbs scripts were the main culprits:

Quote

Norton Power Eraser found StartupCheckLibrary.vbs and Maintenance.vbs. (I thought I had already removed these with Malwarebytes a long time ago.) I had NPE delete these .vbs files and now they are apparently gone. Upon startup, I got two error boxes that say that each of these files are missing. Fine. I know how to quit that script. No big deal. I will do that later.

So, next, I also downloaded the Malwarebytes Anti-Rootkit Tool (beta) and it listed 3 infected items:

Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{C21485C7-D40A-460F-B0D9-2024D9D1A07B}|Path --> [Trojan.Agent]

Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{C21485C7-D40A-460F-B0D9-2024D9D1A07B} --> [Trojan.Agent]

Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\MICROSOFT\WINDOWS\APPLICATION EXPERIENCE\StartupCheckLibrary --> [Trojan.Agent]

Notice how the last one says StartupCheckLibrary. Well I guess that is the rest of the virus that goes along with the .vbs file Norton found and deleted. Fine. I had the MBMAT remove these infections. Now everything seems fine. Now when I restart my computer, I don't get the error box that says StartupCheckLibrary.vbs is not found, but I DO still get the one for maintenance.vbs. I think this means part of the virus is still on my computer, but I am not sure.

-EDIT- It appears that maintenance.vbs is associated with WinSAT which would make it an ideal target for an attacker to hijack: https://www.file.net/process/maintenance.vbs.html

Ref.: https://en.wikipedia.org/wiki/Windows_System_Assessment_Tool

Edited by itman
40 minutes ago, Marcos said:

Is that a notebook that you roam with? It seems you log into a domain of a Slovak IT company; if the machine is a notebook and you take it home, would it be possible not to connect via RDP to the office for some time to rule out a domain policy removing ESET?

I do not use RDP and it is disabled. I only use Cisco AnyConnect Mobile Security VPN, which also checks if there is an active and up-to-date AV SW installed. If it does not find any AV SW it will fail the posture check, thus it will not grant access to the domain. So it is a requirement to have AV SW.

1 hour ago, itman said:

Can't tell anything from what is posted in that thread.

What is fairly obvious by now is that this is a coin miner using a rootkit or rootkit-like behavior. The one most widely deployed in this category is ZeroAccess:

My best guess is what is infecting you is a new variant that Eset is not detecting.

Eset has a tool to remove ZeroAccess, but I don't know if it will detect this new variant:

https://malwaretips.com/blogs/remove-zeroaccess-rootkit/

It did not find anything.

9 minutes ago, ProblemNeedsSolution said:

It did not find anything.

Scan the entire drive where Win 10 is installed and determine if either of these files exist: StartupCheckLibrary.vbs and Maintenance.vbs.

2 minutes ago, itman said:

Scan the entire drive where Win 10 is installed and determine if either of these files exist: StartupCheckLibrary.vbs and Maintenance.vbs.

Actually, I already did this. I only found StartupCheck.vbs and Maintenance.vbs, but just to be sure I searched the whole Windows folder for scripts and deleted anything after September. After reboot the machine was giving me an error because of the Maintenance.vbs, but I modified it to just this: Wscript.Quit :) Problem solved. I changed the extension of the two above-mentioned scripts to txt (attached below).

PLS DO NOT CHANGE THE EXTENSION TO SCRIPT AND RUN THESE!!!

Maintenance.txt StartupCheck.txt


So after finding this:

Quote
  1. Reads a file named updatesettings.dbf in the Windows\System32 directory.
  2. Converts the text/number stored in updatesettings.dbf to an integer.
  3. If the integer value is greater than 9, then the script does the following actions:
    • Installs a program by running its installer file ServiceInstaller.msi in silent mode, then deletes the installer automatically.
    • Configures Safe mode boot as the default using the BCDEDIT command-line.
    • Deletes updatesettings.dbf.
    • Deletes Maintenance.vbs.
    • Then, it deletes the InstallWinSAT task.
  4. If the integer value is less than 9, then the script increments the number inside updatesettings.dbf by 1, and saves the file.

It is clear how it works. So I deleted all tasks which involved Maintenance.vbs using Autoruns and deleted the ServiceInstaller.msi too. I hope I am over it, but let's see. I checked msconfig too because the counter in updatesettings was on 10, but it still did not switch it to Safe boot. I hope this will help you out to figure out something for detecting this PoS thing :) I do not want to say it too early, but I think this time I got this mofo for good.

1 hour ago, ProblemNeedsSolution said:

So after finding this:

It is clear how it works. So I deleted all tasks which involved Maintenance.vbs using Autoruns and deleted the ServiceInstaller.msi too. I hope I am over it, but let's see. I checked msconfig too because the counter in updatesettings was on 10, but it still did not switch it to Safe boot. I hope this will help you out to figure out something for detecting this PoS thing :) I do not want to say it too early, but I think this time I got this mofo for good.

It appears this is the reference for the excerpt you posted above (https://www.winhelponline.com/blog/script-error-maintenance-vbs-at-startup/). You didn't post the most significant text in that posting:

Quote

Note that the InstallWinSAT task is not seen in a clean Windows 10 setup.

Also, the ServiceInstaller.msi and the maintenance.vbs files are not part of the Windows 10 ISO or DVD. It’s highly likely that the task and the related VBScript file were added by an undesirable program. If I find any further information about this task, I shall update this article.

To begin, it should be noted that winsat.exe is legit: it is located in the System32 directory, and in fact there is a legit WinSAT task that runs it once a week. It can also be run from the command prompt or using PowerShell (see https://www.techrepublic.com/article/how-to-use-the-windows-10-assessment-tool-to-measure-system-performance/).

One possible source for this bogus and obviously malicious InstallWinSAT task, related processes, and files is this Win Store app (https://www.microsoft.com/en-us/p/experience-index-system-assessment-tool/9mt9h8ptp897?activetab=pivot:overviewtab). @Marcos, Eset needs to check out this app.

Then there is the question of how the Win Store app could be installed w/o a user knowing so.

Edited by itman
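To turn the mechanism quoted earlier (the counter in updatesettings.dbf, the InstallWinSAT task, the bcdedit Safe Mode change) and the point just made about the legit weekly WinSAT task versus the bogus InstallWinSAT task into something a responder can actually run, here is an added triage script; it is not code from this thread, from ESET or from the winhelponline article. It assumes the column names of `schtasks /Query /FO CSV /V` output and the key names printed by `bcdedit /enum {current}`; the sample outputs embedded at the bottom are constructed.

```python
# Added triage helper, not code from the thread or from ESET. Assumes the column
# names of `schtasks /Query /FO CSV /V` and the key names of `bcdedit /enum {current}`.
import csv
import io
import re

# Indicators named in the thread, matched case-insensitively.
SUSPECT_TASK_NAMES = {"installwinsat"}  # not present on a clean Windows 10 setup
SUSPECT_FILE_NAMES = {"maintenance.vbs", "startupchecklibrary.vbs", "startupcheck.vbs",
                      "updatesettings.dbf", "serviceinstaller.msi"}

def suspicious_tasks(schtasks_csv: str) -> list:
    """Return (task name, action, run-as user) for each task whose leaf name or
    action matches an indicator. The legitimate weekly WinSAT task launches
    winsat.exe rather than a VBScript, so it does not match."""
    hits = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        name = row.get("TaskName", "")
        action = row.get("Task To Run", "")
        leaf = name.rsplit("\\", 1)[-1].lower()
        if leaf in SUSPECT_TASK_NAMES or any(f in action.lower() for f in SUSPECT_FILE_NAMES):
            hits.append((name, action, row.get("Run As User", "")))
    return hits

def counter_state(counter_text: str) -> str:
    """Model the updatesettings.dbf counter exactly as the quoted write-up states
    it: a value above 9 runs the installer, a value below 9 is raised by one, and
    a value of exactly 9 falls in neither branch (reported as 'stalls')."""
    try:
        value = int(counter_text.strip())
    except ValueError:
        return "unparsable"
    if value > 9:
        return "fires"        # next run installs ServiceInstaller.msi and sets safeboot
    if value < 9:
        return "increments"   # still in the delay phase; the payload has not run yet
    return "stalls"

def safeboot_forced(bcdedit_output: str) -> bool:
    """True when the {current} boot entry carries a safeboot value, which the
    script sets through bcdedit to make Safe Mode the default boot."""
    return re.search(r"^\s*safeboot\s+\S+", bcdedit_output, re.M | re.I) is not None

# Constructed samples, trimmed to the columns and keys the functions read.
SAMPLE_SCHTASKS = r'''"HostName","TaskName","Task To Run","Run As User"
"LAPTOP","\Microsoft\Windows\Maintenance\WinSAT","%windir%\system32\winsat.exe formal","SYSTEM"
"LAPTOP","\InstallWinSAT","wscript.exe C:\Windows\Maintenance.vbs","SYSTEM"
"LAPTOP","\Microsoft\Windows\Application Experience\StartupCheckLibrary","wscript.exe C:\Windows\StartupCheckLibrary.vbs","SYSTEM"
'''
SAMPLE_BCDEDIT = "identifier              {current}\ndescription             Windows 10\nsafeboot                Minimal\n"

if __name__ == "__main__":
    print(suspicious_tasks(SAMPLE_SCHTASKS), counter_state("10"), safeboot_forced(SAMPLE_BCDEDIT))
```

On a live machine, feed the real outputs of `schtasks /Query /FO CSV /V` and `bcdedit /enum {current}` and the contents of the updatesettings.dbf file from System32 to the three functions; any hit from suspicious_tasks, a counter close to the threshold, or a forced safeboot entry is worth preserving before cleanup.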

One last item to cover. How to get this installer, ServiceInstaller.msi, to run "under the radar."

First, we need to employ a few registry changes described here (https://www.howtogeek.com/178826/how-to-force-an-msi-package-to-install-using-administrator-mode/). Then we employ one of the numerous UAC bypasses out there, running the installer in hidden mode.

However, in this instance, assume that the InstallWinSAT task was set up to run with "highest privileges", allowing the installer to run unimpeded:

Quote

Installs a program by running its installer file ServiceInstaller.msi in silent mode, then deletes the installer automatically.

 

Edited by itman
5 minutes ago, SeriousHoax said:

@itman Is it going to help if he reinstalls Windows from an ISO and, while installing, removes the C drive partition along with the recovery and EFI partitions? Then Windows will re-format EFI at the start of the Windows installation process.

Hard to say what went on in this device in the week or so since this malware was detected. From MBAM's findings to date, it appears to be coin mining related. But who knows if a backdoor or more malware, spyware, etc. were also installed in the interim?

If it were my device, I would indeed reformat and reinstall Win 10 20H2.

