
Address has been blocked



I have Internet Security version; every 3 minutes or less the dialog pops up saying "Address has been blocked".

With different websites but the same IP address:

185.170.213.96


  • Administrators
22 minutes ago, vilant101 said:

I am getting these every 3 sec-3 min. I have run multiple scans and tools to resolve this issue; nothing has worked. See attached log and screenshot.

I've identified several tasks that run PowerShell, which loads the payload from certain registry values. We'll add a detection shortly; ESET should be able to clean it automatically.


  • Administrators

Detected as @Trojan.REG/Agent.BH. Please reboot the machine so that an update is run, followed by a startup scan, which should clean the malicious tasks.


Ok, I have restarted and updated ESET and have run a few scans. No detections were encountered.

I have cleared the logs and will let my system run for a while to see if the error still occurs.

Thanks


After a few days ESET detects and cleans by deleting, but the Trojan still pops up. So is it fully removing the Trojan? See attached logs and screenshot.

eav_logs.zip

Screenshot 2022-07-23 131425.png


14 hours ago, vilant101 said:

After a few days ESET detects and cleans by deleting, but the Trojan still pops up. So is it fully removing the Trojan? See attached logs and screenshot.

It appears malware is starting cmd.exe at system startup and trying to inject code into it. This implies crud still exists in Win registry startup areas.


  • Administrators

Please run Windows Scheduler and delete these tasks, or wait until tomorrow, when we'll be able to clean it automatically:

Microsoft\Windows\Management\Provisioning\4H2gX
Microsoft\Windows\Management\Provisioning\7ieOr
Microsoft\Windows\Management\Provisioning\CKtVy3
Microsoft\Windows\Management\Provisioning\dNd67B963
Microsoft\Windows\Management\Provisioning\eZYNV
Microsoft\Windows\Management\Provisioning\F7GUQr
Microsoft\Windows\Management\Provisioning\gyUsr
Microsoft\Windows\Management\Provisioning\ibfn1s
Microsoft\Windows\Management\Provisioning\jXP92
Microsoft\Windows\Management\Provisioning\KPOtdabL
Microsoft\Windows\Management\Provisioning\MMxWPy
Microsoft\Windows\Management\Provisioning\neHdvs
Microsoft\Windows\Management\Provisioning\SHuoRNQ
Microsoft\Windows\Management\Provisioning\U7WbH
Microsoft\Windows\Management\Provisioning\UTSxRkds
Microsoft\Windows\Management\Provisioning\XeyW7U
Microsoft\Windows\Management\Provisioning\zy3c0


Ok, I checked the detection logs and ESET did remove these tasks. It seems they were removed this AM into quarantine, yet my log shows there were a few detections a couple of hours later. See attached log etc.

Screenshot 2022-07-25 115229.png

eav_logs.zip


  • Administrators

I'd expect a detection like this:

7/25/2022 3:00:24 PM;Startup scanner;file;%TaskName%;REG/Agent.BH trojan;cleaned by deleting;;;5E320B3BBAD53D04513FAC74D76B3CE012408FFF;

where %TaskName% would be the name of the malicious task.

Is the same command-line scanner detection triggered even after a reboot? Or is the threat no longer detected after a reboot?


There is no detection after reboot. I checked the Task folder and do not see any commands to trigger it. Again, I will clear the detection logs and see if it appears again.


4 hours ago, vilant101 said:

Ok, I checked the detection logs and ESET did remove these tasks. It seems they were removed this AM into quarantine, yet my log shows there were a few detections a couple of hours later. See attached log etc.

Here's my take on what is going on.

Yes, Eset now detects and removes the malicious scheduled tasks that run at system startup time. However, there is still malware on the system that is recreating these scheduled tasks after system startup time. My best guess is there is something hidden in the registry that is recreating these scheduled tasks for persistence purposes.

Open this folder, C:\ProgramData\Microsoft\Provisioning, and see if the nonsense-like names shown in the above posting (https://forum.eset.com/topic/33092-address-has-been-blocked/?do=findComment&comment=153970) exist in this folder.


I have checked this folder and do not see these names. The threats happen 17 hits at a time and can happen hours apart.

It looks like it keeps attacking cmd.exe and svchost.exe:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
07/25/22 3:57:02 PM;Command line scanner;file;C:\Windows\system32\cmd.exe;REG/Agent.BH trojan;cleaned by deleting;
Event occurred while attempting to run the following command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule;893ED6E5814EC94BCFE08FC9C024E318BED74E63;


It is also possible this malware has created a malicious Win service and is using it to re-create the scheduled tasks it is using.

The bottom line here is Eset doesn't monitor scheduled task creation activities.


  • Administrators

Please provide ELC logs but with "Threat detection" selected as a template in the ELC menu.

Is the threat detected after a reboot when the machine is disconnected from the network?


3 hours ago, Marcos said:

Please provide ESET Log Collector logs but with "Threat detection" selected as a template in the ESET Log Collector menu.

Is the threat detected after a reboot when the machine is disconnected from the network?

Attached is the log using the template you recommended. I will disconnect the machine from the network and let it run overnight. The last instance of the threat was 4 hrs ago.

eav_logs.zip


  • Administrators

Please copy the following to a batch file (e.g. clean.bat) and run it as an administrator. You will be prompted before removing each of the tasks:

schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\KPOtdabL\9991AAFE-12CB-44AD-B11B-D917E4ACAE15"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\eZYNV\1712E1C7-1160-4F98-AD30-004E2C27D264"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\ibfn1s\6D339F37-6F6D-4852-B2CE-8966C1C6BE73"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\XeyW7U\F3235FFB-E530-4AA8-8381-561C54B4B908"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\F7GUQr\E8A9B254-95C3-425F-947D-AE3486BCB600"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\gyUsr\166C9BE2-0A20-4032-BE4F-E87211A1A313"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\jXP92\AD2A1980-C45F-4987-A74D-AD927B8E6F11"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\dNd67B963\05CA9AA6-D213-4A40-8258-0C2CBFA19185"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\SHuoRNQ\CBB0E6E2-5FF3-42E8-BD4C-2D91FAF27FC1"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\neHdvs\FF41EB1A-AAC6-4B83-99B7-3DA67A77BC0B"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\UTSxRkds\4FF30699-4754-4242-B9A9-8DF2E5C1045D"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\7ieOr\A97F5542-6DF5-42D6-A9FD-A82234CEF56C"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\zy3c0\164AA25D-0435-4B8F-82F7-A705FD00E64E"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\MMxWPy\6AADE004-A7FC-42ED-A945-444B07CCAD92"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\4H2gX\E960ACD9-68B9-4079-8760-8462834D776D"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\CKtVy3\38C168B4-398E-44A3-B201-A90BA709F89D"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\U7WbH\535EEFFA-1B00-44F5-9D32-B26B3EB12FFF"

UPDATE: Automatic cleaning will require an update of the Cleaner module, which is preliminarily planned to take place next week.


10 hours ago, Marcos said:

Please copy the following to a batch file (e.g. clean.bat) and run it as an administrator. You will be prompted before removing each of the tasks:

I would also check the RunOnReboot task shown in the below screenshot to ensure it is disabled (default) and hasn't been altered. It would be an ideal way to repopulate scheduled tasks, which is what is occurring here.

Eset_Scheduler.thumb.png.bcef94354c5cad902bf053f983e48cd6.png

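The cleanup batch file above deletes the seventeen known task names, and the follow-up posts point out that something keeps registering new ones, that ESET does not watch task creation, and that the stock RunOnReboot task should be checked rather than deleted. The script below is an added triage example for that workflow; it is not ESET tooling and was not posted in the thread. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session with the built-in ScheduledTasks module. The script-host list, the argument patterns, the evidence directory and the event-log lookups are the editor's own choices; the thread's task folder is used only as the default path filter.

```powershell
#Requires -RunAsAdministrator
# Added triage script, not ESET tooling. The heuristics and names below are
# the editor's assumptions; review every hit before removing anything.
param(
    [string]$PathFilter = '\Microsoft\Windows\Management\Provisioning\*',
    [int]$Hours = 24,
    [switch]$Remove
)

# Script hosts the thread shows being abused (PowerShell, cmd) plus common LOLBins.
$ScriptHosts = 'powershell|pwsh|cmd|mshta|wscript|cscript|regsvr32|rundll32'
# Argument patterns typical of a payload read from the registry and run in memory.
$ArgPatterns = @(
    '(^|\s)-(e|ec|en|enc|encodedcommand)\s',                         # -EncodedCommand
    'Get-ItemProperty|GetValue\(|reg(\.exe)?\s+query|HK(CU|LM|EY_)',  # registry read
    'FromBase64String|Invoke-Expression|\biex\b|DownloadString',      # decode / execute
    '-(w|win|windowstyle)\s+hidden|-nop\b|-noni\b'                    # hidden, no profile
)

function Test-SuspiciousAction {
    param($Action)
    $exe = ([string]$Action.Execute).Trim('"', ' ')
    if ($exe -notmatch "(^|\\)($ScriptHosts)(\.exe)?$") { return $false }  # not a script host
    $argStr = [string]$Action.Arguments
    foreach ($p in $ArgPatterns) { if ($argStr -match $p) { return $true } }
    return $false
}

function Get-SuspiciousTask {
    param([string]$Filter = $PathFilter)
    Get-ScheduledTask | Where-Object { $_.TaskPath -like $Filter } | ForEach-Object {
        $task = $_
        $hits = @($task.Actions | Where-Object { Test-SuspiciousAction $_ })
        if ($hits.Count -eq 0) { return }
        $info = $task | Get-ScheduledTaskInfo
        # Registry paths named on the command line, so the payload value can be inspected too.
        $regRefs = [regex]::Matches([string]$hits[0].Arguments, 'HK(LM|CU|EY_[A-Z_]+)[^\s''"]*') |
            ForEach-Object { $_.Value }
        [pscustomobject]@{
            TaskPath  = $task.TaskPath
            TaskName  = $task.TaskName
            RunAs     = $task.Principal.UserId
            Triggers  = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ','
            LastRun   = $info.LastRunTime
            Execute   = $hits[0].Execute
            Arguments = $hits[0].Arguments
            Registry  = $regRefs -join ' '
        }
    }
}

function Remove-SuspiciousTask {
    param(
        [Parameter(ValueFromPipeline)]$Finding,
        [string]$EvidenceDir = "$env:ProgramData\task-triage"   # assumed location
    )
    process {
        New-Item -ItemType Directory -Force -Path $EvidenceDir | Out-Null
        # Keep the task XML (action, triggers, principal) before unregistering it.
        $xml  = Export-ScheduledTask -TaskName $Finding.TaskName -TaskPath $Finding.TaskPath
        $file = Join-Path $EvidenceDir ((($Finding.TaskPath + $Finding.TaskName) -replace '[\\:]', '_') + '.xml')
        Set-Content -Path $file -Value $xml -Encoding UTF8
        Unregister-ScheduledTask -TaskName $Finding.TaskName -TaskPath $Finding.TaskPath -Confirm:$false
        $file
    }
}

function Get-TaskRegistrationEvent {
    param([string]$Filter = $PathFilter, [int]$Since = 24)
    $start = (Get-Date).AddHours(-$Since)
    # Security 4698 needs "Audit Other Object Access Events"; the TaskScheduler
    # Operational log needs task history enabled. Missing logs are skipped silently.
    $queries = @(
        @{ LogName = 'Security'; Id = 4698; StartTime = $start },
        @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106; StartTime = $start }
    )
    foreach ($q in $queries) {
        Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue | ForEach-Object {
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { if ($_.Name) { $data[$_.Name] = $_.'#text' } }
            if ($data.TaskName -notlike $Filter) { return }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Id        = $_.Id
                TaskName  = $data.TaskName
                User      = $(if ($data.SubjectUserName) { $data.SubjectUserName } else { $data.UserContext })
                ClientPid = $data.ClientProcessId   # present in 4698 on recent Windows 10/11 only
            }
        }
    }
}

$findings = @(Get-SuspiciousTask)
$findings | Format-Table TaskPath, TaskName, RunAs, Triggers, LastRun, Arguments -AutoSize -Wrap
if ($Remove) { $findings | Remove-SuspiciousTask }
# Registrations after cleanup point at the real persistence: the registering process.
Get-TaskRegistrationEvent -Since $Hours | Sort-Object Time | Format-Table -AutoSize
```

Run it without switches first to see what it would flag; pass -Remove only after reading each task's action and the registry value it references. Because a task is only flagged when its action is a script host, the stock Provisioning tasks (Cellular, Logon, RunOnReboot), which launch ProvTool.exe, are listed by neither the default run nor -Remove, which matches the advice above to check RunOnReboot rather than delete it. If the registration events show the same task paths being registered again after removal, the ClientProcessId in 4698 (or the user in 106) identifies the service, logon item or task outside the filtered folder that is doing it; rerun with -PathFilter '\*' to widen the hunt, since the thread notes ESET itself does not monitor task creation.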
