Sneaxi 0 Posted November 27, 2020 Hi everyone, when I start my PC, the ESET program deletes Win32/Packed.Themida.HFL. Can someone help me fix it?
Administrators Marcos 5,444 Posted November 28, 2020 What program is detected with that name? Do you consider it legitimate, malicious or grey (crack, keygen, etc.)? Please provide the whole record pertaining to the detection from the Detection log.
Sneaxi 0 Posted November 28, 2020 Author Hi Marcos, thanks for your answer. It's not a program, it's a file. I think it's some kind of trojan. You can see it in the following pictures. Here is the detection log (translated from German):
Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
28.11.2020 11:19:16;Real-time file system protection;File;C:\WINDOWS\TEMP\ec4b3ab6-14a3-3a24-522c-23f67832b6d1\e4afb5cd-2616-2ade-b688-275bb99d0281.exe;a variant of Win32/Packed.Themida.HFL trojan;cleaned by deleting;NT AUTHORITY\SYSTEM;Event occurred on a new file created by the application: C:\Program Files (x86)\nodejs\node.exe (D4D4F25931EE30DE1BA81BEB67E0D2CE41BF7A2E).;2AFFEEDAEF525BC9FA609710DEB24AF5477E3D9A;27.11.2020 19:44:43
I'm sorry that it is all written in German. And that happens every time I start my PC.
Most Valued Members peteyt 396 Posted November 28, 2020 11 hours ago, Sneaxi said: Hi everyone, when I start my PC, the ESET program deletes Win32/Packed.Themida.HFL. Can someone help me fix it? Found this old post https://www.wilderssecurity.com/threads/win32-packed-themida.184840/
Administrators Marcos 5,444 Posted November 28, 2020 The detection seems to be correct and it appears that malware was detected and cleaned.
Sneaxi 0 Posted November 28, 2020 Author @peteyt it already deleted the file, so I can't send it to the email address. What should I do?
Sneaxi 0 Posted November 28, 2020 Author And now @Marcos? The threat is still here. What should I do?
Administrators Marcos 5,444 Posted November 28, 2020 Is the file continually being re-created and detected? In the post above you wrote that you had deleted the file, so I assume the malware was detected and cleaned and therefore the case is solved.
Sneaxi 0 Posted November 28, 2020 Author No, every time I start/restart my PC the file is there again, but each time it creates a new file name.
itman 1,800 Posted November 28, 2020 (edited) The first question is: did you purposely install Node.js? Or does any software you have installed use Node.js? Ref.: https://www.geeksforgeeks.org/installation-of-node-js-on-windows/ Per the linked reference, Node.js is installed on your device, as evidenced by the creation of this directory, C:\Program Files (x86)\nodejs. However, a malware-based install of Node.js can be evidenced by the creation of this Windows environment variable:
Quote: If you use any other format for installing node.js on your PC, you should put the system variable path for node.js as follows: PATH : C:\Users\[username]\AppData\Roaming\npm C:\Program Files\nodejs (Path to the nodejs folder)
Also, ESET's detection appears to be for this file, C:\WINDOWS\TEMP\ec4b3ab6-14a3-3a24-522c-23f67832b6d1\e4afb5cd-2616-2ade-b688-275bb99d0281.exe. One possibility is something running at system startup via a startup entry or scheduled task using Node.js to create the C:\WINDOWS\TEMP\ file. Edited November 28, 2020 by itman
Sneaxi 0 Posted November 28, 2020 Author First of all, thank you for your answer @itman! How can I check if a program uses Node.js? The path C:\Users\[username]\AppData\Roaming\npm is empty. But in C:\Program Files\nodejs there are many files, documents, etc. Should I delete the Node.js folder, or what should I do?
Administrators Marcos 5,444 Posted November 28, 2020 Please provide logs collected with ESET Log Collector.
itman 1,800 Posted November 28, 2020 The legitimate installation path for Node.js is C:\Program Files\nodejs. However, on your device Node.js is installed in C:\Program Files (x86)\nodejs. This is highly suspicious. Also, it is not easy to dump a file into the C:\WINDOWS\TEMP\ directory in Win 10. You don't even have read access to that directory if running under the default limited admin account. As such, I believe a scheduled task was created to run with highest privileges, running at system startup time. This task is creating the .exe in the C:\WINDOWS\TEMP\ directory that ESET is detecting. One possibility is that the scheduled task is using Node.js to remotely connect to the attacker's C&C server to download this .exe.
Sneaxi 0 Posted November 28, 2020 Author Ok, thanks @itman. So what should I do next to fix this problem?
itman 1,800 Posted November 28, 2020 2 minutes ago, Sneaxi said: Ok, thanks @itman. So what should I do next to fix this problem?
1. Upload in your next posting the logs @Marcos requested.
2. You can also use Win Task Manager to review task startup history related to Win startup times for suspicious task startup entries. Or you can use Sysinternals Autoruns: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns to do the same, which will scan all Win startup tasks. This tool can also be configured to use VirusTotal to scan all startup entries.
Warning! Do not remove anything anywhere unless you know what you are doing and you have provided a recovery method to restore whatever you removed, in case you bork your system due to this removal.
Sneaxi 0 Posted November 28, 2020 Author Now I have downloaded the ESET Log Collector, @Marcos. What should I do next?
Administrators Marcos 5,444 Posted November 28, 2020 Node.js is not among installed applications. There are 2 tasks that launch node.exe:
<NODE NAME="Task" TR="N=5601" VALUE="c:\windows\system32\tasks\MicrosoftApp-VAppvStrm" EVAL="5">
  <NODE NAME="Command line" TR="N=5602" VALUE="c:\program files (x86)\nodejs\node.exe C:\WINDOWS\Installer\{408F648F-8DE2-46A2-A438-6BFE439FD553}\{84EFCD6A-635D-4ABD-8E6F-35C7E83DEA26}" EVAL="5" LINK="1038" MLINK="1035,1038" />
</NODE>
<NODE NAME="Task" TR="N=5601" VALUE="c:\windows\system32\tasks\Remotezugriff-IP-ARP-Treiber RPC-Endpunktzuordnung Windows-Sofortverbindung" EVAL="5">
  <NODE NAME="Command line" TR="N=5602" VALUE=""c:\program files (x86)\nodejs\node.exe" "C:\ProgramData\Package Cache\{163F3977-9019-44B0-99E1-BDDB91800A25}\{1E1869BF-A5D2-4B51-9FAB-3060C2E68ACE}"" EVAL="5" LINK="1064" MLINK="1035,1064" />
</NODE>
Does the detection continue after disabling these 2 tasks? If not, please provide the 2 files that node.exe opens. Also, it appears that you have v. 6.10.3 while the latest one is 15.3.0. I'd suggest downloading and installing the latest version from https://nodejs.org/en/ and then uninstalling it. Last but not least, I'd strongly recommend enabling the LiveGrid Feedback system, which will also improve the detection and cleaning capabilities of the ESET product. Since you have a trial version installed, if you decide to purchase a license I'd recommend that you choose ESET Internet Security (or ESET Smart Security Premium if you'd also like to get the Password manager and Disk encryption features). Unlike EAV, EIS and ESSP also protect you from RDP brute-force attacks, which are a common infection vector through which attackers gain access to a victim's system and run ransomware, steal data or do whatever they want.
Sneaxi 0 Posted November 28, 2020 Author (edited) @Marcos where can I remove these tasks? And can you tell me what Node.js should be used for? Because my friends don't have Node.js in Program Files. Edited November 28, 2020 by Sneaxi
Administrators Marcos 5,444 Posted November 28, 2020 If you run Task Scheduler via the Start menu, you should see them among the active tasks. Node.js is a JavaScript runtime, an alternative to the system wscript.exe.
Sneaxi 0 Posted November 28, 2020 Author (edited) Hey @Marcos, in the picture you can see the Node.js tasks. What should I do next? Edited November 28, 2020 by Sneaxi
Administrators Solution Marcos 5,444 Posted November 28, 2020 Disable these 2 tasks, e.g. via Autoruns.
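The same triage from PowerShell, as an added example that is not part of this thread and not ESET's or itman's tooling. It answers itman's first question (is Node.js a registered program, is node.exe on PATH, is the binary signed), enumerates every scheduled task whose action launches node.exe (the two tasks Marcos pulled out of the Log Collector output), hashes and copies the script each task hands to node.exe so the files can be submitted for analysis, and exports each task definition before disabling it, which keeps the recovery path itman's warning asks for. Assumptions: an elevated PowerShell 5.1 or later session on Windows 10 (the tasks run as SYSTEM), and a backup folder on the desktop whose location is arbitrary; task names, paths and hashes come from whatever the machine actually contains.

```powershell
# Added example, not from the thread: find, preserve and disable scheduled tasks that run node.exe.
# Run in an elevated PowerShell session. Nothing is deleted: task XML and the scripts the tasks
# execute are copied to $BackupDir first. $BackupDir is an assumed location; change as needed.
$BackupDir = Join-Path $env:USERPROFILE 'Desktop\task-backup'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Is Node.js a registered program, is node.exe on PATH, and what is sitting in the two install paths?
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$registered = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
              Where-Object { $_.DisplayName -like 'Node.js*' }
"Node.js listed under installed programs: $([bool]$registered)"
"node.exe found on PATH: $((Get-Command node.exe -ErrorAction SilentlyContinue).Source)"
$candidates = "$env:ProgramFiles\nodejs\node.exe", "${env:ProgramFiles(x86)}\nodejs\node.exe"
foreach ($exe in $candidates) {
    if (-not (Test-Path -LiteralPath $exe)) { continue }
    $version = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
    $sha1    = (Get-FileHash -LiteralPath $exe -Algorithm SHA1).Hash
    $sig     = Get-AuthenticodeSignature -FilePath $exe
    '{0}  version={1}  sha1={2}  signature={3} ({4})' -f $exe, $version, $sha1, $sig.Status, $sig.SignerCertificate.Subject
}

# 2. Every scheduled task with an Exec action whose command is node.exe (quoted or not).
$nodeTasks = Get-ScheduledTask | Where-Object {
    @($_.Actions | Where-Object {
        $_.Execute -and ($_.Execute.Trim('"') -match '(?i)(^|[\\/])node(\.exe)?$')
    }).Count -gt 0
}

foreach ($task in $nodeTasks) {
    $full     = $task.TaskPath + $task.TaskName
    $triggers = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ','
    "`n[$full] state=$($task.State) user=$($task.Principal.UserId) runlevel=$($task.Principal.RunLevel) triggers=$triggers author=$($task.Author)"

    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }
        "  exec: $($action.Execute) $($action.Arguments)"
        # The first argument is the script node.exe runs, i.e. the file Marcos asked for.
        # Hash and copy it before anything else touches it.
        $script = if ($action.Arguments -match '^"([^"]+)"') { $Matches[1] } else { ($action.Arguments -split '\s+')[0] }
        if ($script -and (Test-Path -LiteralPath $script)) {
            $h = Get-FileHash -LiteralPath $script -Algorithm SHA1
            "  payload: $script  size=$((Get-Item -LiteralPath $script).Length)  sha1=$($h.Hash)"
            Copy-Item -LiteralPath $script -Destination $BackupDir -Force
        } else {
            "  payload: $script (not found)"
        }
    }

    # Back up the task definition, then disable rather than delete; Register-ScheduledTask -Xml restores it.
    $xmlFile = Join-Path $BackupDir (($full.TrimStart('\') -replace '[\\/:*?"<>| ]', '_') + '.xml')
    Export-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath |
        Set-Content -LiteralPath $xmlFile -Encoding Unicode
    Disable-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath | Out-Null
    "  exported to $xmlFile and disabled"
}
```

Compare the printed exec lines with the two command lines in the Log Collector output, then reboot and check whether the C:\WINDOWS\TEMP\ detection recurs; if it does, something other than these tasks is re-creating the file and the hunt has to widen to Run keys, services and WMI subscriptions. A task that turns out to be needed is restored with Register-ScheduledTask -Xml (Get-Content <file> -Raw) -TaskName <name>. The copied payload scripts and their SHA1 values are what to submit to ESET.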
Sneaxi 0 Posted November 28, 2020 Author @Marcos it worked, so ESET no longer detects a threat after starting the computer. Thank you! ❤️ And @itman, thanks also for all your support! If there is another problem or something similar, I will get back to you here in this post.
itman 1,800 Posted November 28, 2020 (edited) We can also assume this Node.js-based crud was created prior to the ESET trial version installation. Do yourself a favor and purchase an ESET license. -EDIT- Also heed @Marcos's advice about getting rid of Node.js. Its presence opens you up to ransomware attacks that deploy components of it. Ref.: https://soanvig.github.io/node-ransomware/ Edited November 28, 2020 by itman