
Posted

I have Internet Security; every 3 minutes or less the dialog pops up saying the address has been blocked.

With different web sites but the same IP address:

185.170.213.96

Posted

I am getting these every 3 sec to 3 min. I have run multiple scans and tools to resolve this issue; nothing has worked. See attached log and screenshot.

Screenshot 2022-07-20 134413.png

eav_logs.zip

  • Administrators
Posted
22 minutes ago, vilant101 said:

I am getting these every 3 sec to 3 min. I have run multiple scans and tools to resolve this issue; nothing has worked. See attached log and screenshot.

I've identified several tasks that run PowerShell, which loads the payload from certain registry values. We'll add a detection shortly; ESET should be able to clean it automatically.

  • Administrators
Posted

Detected as @Trojan.REG/Agent.BH. Please reboot the machine so that an update is run followed by a startup scan which should clean the malicious tasks.

Posted

OK, I have restarted and updated ESET and have run a few scans. No detections were encountered.

I have cleared the logs and will let my system run for a while to see if the error still occurs.

Thanks

  • Administrators
Posted

Please try now, reboot the machine and see if the threat is removed. I've tested it and it worked like a charm:

image.png

Posted

Thanks, just checked and now it has removed the trojan. Will check again within the next 24 hr to see if all is resolved.

Posted (edited)

After a few days ESET detects and cleans by deleting. But the Trojan still pops up. So is it fully removing the Trojan? See attached logs and screenshot.

eav_logs.zip

Screenshot 2022-07-23 131425.png

Edited by vilant101
  • Administrators
Posted

We'll check it out and let you know.

Posted
14 hours ago, vilant101 said:

After a few days ESET detects and cleans by deleting. But the Trojan still pops up. So is it fully removing the Trojan? See attached logs and screenshot.

It appears malware is starting cmd.exe at system startup and trying to inject code into it. This implies crud still exists in Win registry startup areas.

  • Administrators
Posted

Please run Windows Scheduler and delete these tasks, or wait until tomorrow; we'll be able to clean it automatically:

Microsoft\Windows\Management\Provisioning\4H2gX
Microsoft\Windows\Management\Provisioning\7ieOr
Microsoft\Windows\Management\Provisioning\CKtVy3
Microsoft\Windows\Management\Provisioning\dNd67B963
Microsoft\Windows\Management\Provisioning\eZYNV
Microsoft\Windows\Management\Provisioning\F7GUQr
Microsoft\Windows\Management\Provisioning\gyUsr
Microsoft\Windows\Management\Provisioning\ibfn1s
Microsoft\Windows\Management\Provisioning\jXP92
Microsoft\Windows\Management\Provisioning\KPOtdabL
Microsoft\Windows\Management\Provisioning\MMxWPy
Microsoft\Windows\Management\Provisioning\neHdvs
Microsoft\Windows\Management\Provisioning\SHuoRNQ
Microsoft\Windows\Management\Provisioning\U7WbH
Microsoft\Windows\Management\Provisioning\UTSxRkds
Microsoft\Windows\Management\Provisioning\XeyW7U
Microsoft\Windows\Management\Provisioning\zy3c0

Posted

I was unable to find these tasks in Task Scheduler. Any updates on ESET removing these automatically?

  • Administrators
Posted

Check the Detections log, most likely the tasks have already been removed automatically.

Posted

OK, I checked the detection logs and ESET did remove these tasks. It seems they were removed this AM into quarantine. Yet my log shows there were a few detections a couple of hours later. See attached log etc.

Screenshot 2022-07-25 115131.png

Screenshot 2022-07-25 115229.png

eav_logs.zip

  • Administrators
Posted

I'd expect a detection like this:

7/25/2022 3:00:24 PM;Startup scanner;file;%TaskName%;REG/Agent.BH trojan;cleaned by deleting;;;5E320B3BBAD53D04513FAC74D76B3CE012408FFF;

where %TaskName% would be the name of the malicious task.

Is the same command-line scanner detection triggered even after a reboot? Or is the threat no longer detected after a reboot?

Posted (edited)

There is no detection after reboot. I checked the Tasks folder and do not see any commands to trigger it. Again, I will clear the detection logs and see if it appears again.

Edited by vilant101
Posted
4 hours ago, vilant101 said:

OK, I checked the detection logs and ESET did remove these tasks. It seems they were removed this AM into quarantine. Yet my log shows there were a few detections a couple of hours later. See attached log etc.

Here's my take on what is going on.

Yes, Eset now detects and removes the malicious scheduled tasks that run at system startup time. However, there is still malware on the system that is recreating these scheduled tasks after system startup time. My best guess is there is something hidden in the registry that is recreating these scheduled tasks for persistence purposes.

Open this folder, C:\ProgramData\Microsoft\Provisioning, and see if the nonsense-like names that were shown in the above posting: https://forum.eset.com/topic/33092-address-has-been-blocked/?do=findComment&comment=153970 exist in this folder.

Posted

I have checked this folder and do not see these names. The threats happen in 17 hits at a time and can happen hours apart.

It looks like it keeps attacking cmd.exe and svchost.exe.

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
07/25/22 3:57:02 PM;Command line scanner;file;C:\Windows\system32\cmd.exe;REG/Agent.BH trojan;cleaned by deleting;;Event occurred while attempting to run the following command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule;893ED6E5814EC94BCFE08FC9C024E318BED74E63;

Posted (edited)

It is also possible this malware has created a malicious Win service and is using it to re-create the scheduled tasks it is using.

The bottom line here is Eset doesn't monitor scheduled task creation activities.

Edited by itman
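The post above points out that ESET does not watch scheduled task creation. Windows itself does record it, in Security event 4698 and in the Task Scheduler operational log, and that is the record that answers the thread's open question of what keeps re-registering the tasks. The script below is an added example written for this page; it is not code from the thread or from ESET. It pulls task registrations under the Provisioning folder from both logs and names the account and, on Windows builds that log it, the client process behind each one. The $Days window is an assumption; set it to your log retention.

```powershell
# Added example (not from the thread or ESET): list who registered tasks under the
# \Microsoft\Windows\Management\Provisioning\ folder, from the two Windows logs that
# record task creation. Run from an elevated PowerShell 5.1 or later session.
param(
    [string]$TaskPath = '\Microsoft\Windows\Management\Provisioning\',
    [int]$Days = 7                      # assumption: adjust to your log retention
)
$since = (Get-Date).AddDays(-$Days)

function Get-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    # Turn <EventData><Data Name="...">value</Data> into a name -> value hashtable.
    $d = @{}
    $x = [xml]$Event.ToXml()
    foreach ($item in @($x.Event.EventData.Data)) { $d[$item.Name] = $item.'#text' }
    return $d
}

function Get-TaskRegistrations {
    $hits = @()

    # Security 4698 "A scheduled task was created". Logged only when the
    # "Other Object Access Events" audit subcategory is enabled for success. It carries
    # the full task XML; ClientProcessId is present only on newer Windows 10/11 builds.
    $sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698; StartTime = $since } `
                        -ErrorAction SilentlyContinue
    foreach ($e in @($sec)) {
        $d = Get-EventData $e
        $actions = @()
        if ($d['TaskContent']) {
            $taskXml = [xml]$d['TaskContent']
            $actions = @($taskXml.Task.Actions.Exec |
                ForEach-Object { ("{0} {1}" -f $_.Command, $_.Arguments).Trim() })
        }
        $hits += [pscustomobject]@{
            Time      = $e.TimeCreated
            Source    = 'Security/4698'
            Task      = $d['TaskName']
            Account   = "{0}\{1}" -f $d['SubjectDomainName'], $d['SubjectUserName']
            ProcessId = $d['ClientProcessId']
            Actions   = $actions -join '; '
        }
    }

    # Microsoft-Windows-TaskScheduler/Operational 106 "Task registered". This log is
    # disabled by default on client Windows; it only helps once it has been enabled.
    $ops = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106; StartTime = $since } `
                        -ErrorAction SilentlyContinue
    foreach ($e in @($ops)) {
        $d = Get-EventData $e
        $hits += [pscustomobject]@{
            Time = $e.TimeCreated; Source = 'TaskScheduler/106'; Task = $d['TaskName']
            Account = $d['UserContext']; ProcessId = $null; Actions = ''
        }
    }

    return $hits | Where-Object { $_.Task -like "$TaskPath*" } | Sort-Object Time
}

$hits = @(Get-TaskRegistrations)
foreach ($h in $hits) {
    $who = $h.Account
    if ($h.ProcessId) {
        # PIDs are reused, so the lookup is only meaningful while the creator still runs.
        $p = Get-Process -Id ([int]$h.ProcessId) -ErrorAction SilentlyContinue
        $suffix = if ($p) { " via PID $($h.ProcessId) ($($p.Path))" }
                  else    { " via PID $($h.ProcessId), already exited" }
        $who += $suffix
    }
    Write-Host ("{0:yyyy-MM-dd HH:mm:ss} {1,-18} {2} by {3}" -f $h.Time, $h.Source, $h.Task, $who)
    if ($h.Actions) { Write-Host "    action: $($h.Actions)" }
}
if ($hits.Count -eq 0) {
    Write-Host "No task registrations under $TaskPath in the last $Days day(s)."
    Write-Host "Check that 4698 auditing and the TaskScheduler/Operational log are enabled."
}
```

Both sources are off by default on a home machine, so enable them first and wait for the next wave of detections: `auditpol /set /subcategory:"Other Object Access Events" /success:enable` for 4698, and `wevtutil sl Microsoft-Windows-TaskScheduler/Operational /e:true` for event 106. Whatever account and process the 4698 records name is the component that is re-creating the tasks; that is the thing to remove, since deleting the tasks alone (as the thread shows) only buys time until the next registration.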
  • Administrators
Posted

Please provide ELC logs but with "Threat detection" selected as a template in the ELC menu.

Is the threat detected after a reboot when the machine is disconnected from the network?

Posted
3 hours ago, Marcos said:

Please provide ESET Log Collector logs but with "Threat detection" selected as a template in the ESET Log Collector menu.

Is the threat detected after a reboot when the machine is disconnected from the network?

Attached is the log using your recommended template. I will disconnect the machine from the network and will let it run overnight. The last instance of the threat was 4 hrs ago.

eav_logs.zip

  • Administrators
Posted

Please copy the following to a batch file (e.g. clean.bat) and run it as an administrator. You will be prompted before removing each of the tasks:

schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\KPOtdabL\9991AAFE-12CB-44AD-B11B-D917E4ACAE15"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\eZYNV\1712E1C7-1160-4F98-AD30-004E2C27D264"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\ibfn1s\6D339F37-6F6D-4852-B2CE-8966C1C6BE73"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\XeyW7U\F3235FFB-E530-4AA8-8381-561C54B4B908"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\F7GUQr\E8A9B254-95C3-425F-947D-AE3486BCB600"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\gyUsr\166C9BE2-0A20-4032-BE4F-E87211A1A313"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\jXP92\AD2A1980-C45F-4987-A74D-AD927B8E6F11"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\dNd67B963\05CA9AA6-D213-4A40-8258-0C2CBFA19185"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\SHuoRNQ\CBB0E6E2-5FF3-42E8-BD4C-2D91FAF27FC1"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\neHdvs\FF41EB1A-AAC6-4B83-99B7-3DA67A77BC0B"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\UTSxRkds\4FF30699-4754-4242-B9A9-8DF2E5C1045D"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\7ieOr\A97F5542-6DF5-42D6-A9FD-A82234CEF56C"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\zy3c0\164AA25D-0435-4B8F-82F7-A705FD00E64E"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\MMxWPy\6AADE004-A7FC-42ED-A945-444B07CCAD92"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\4H2gX\E960ACD9-68B9-4079-8760-8462834D776D"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\CKtVy3\38C168B4-398E-44A3-B201-A90BA709F89D"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\U7WbH\535EEFFA-1B00-44F5-9D32-B26B3EB12FFF"

UPDATE: Automatic cleaning will require an update of the Cleaner module, which is preliminarily planned to take place next week.
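The batch file above deletes seventeen tasks by their exact folder and GUID names, which only works for that one machine and only until the tasks are re-registered under new random names. The script below is an added example written for this page, not code from the thread or from ESET. It generalises the cleanup: it enumerates whatever currently sits under the Provisioning folder, prints what each task would execute (decoding a PowerShell -EncodedCommand if one is present), saves every task definition as XML before touching it, cross-checks the Task Scheduler registry cache for entries the API no longer returns, and deletes only when run with -Remove. The $ExportDir location and the loader pattern are assumptions.

```powershell
# Added example (not from the thread or ESET): inspect, export and optionally remove every
# task under the \Microsoft\Windows\Management\Provisioning\ folder. Dry run by default;
# pass -Remove to delete. Run from an elevated PowerShell 5.1 or later session.
param(
    [string]$TaskPath  = '\Microsoft\Windows\Management\Provisioning\',
    [string]$ExportDir = (Join-Path $env:TEMP 'task-evidence'),   # assumption: any writable folder
    [switch]$Remove
)

# Registry cache kept by the Task Scheduler service; each GUID key's Path value is the
# full task name.
$tasksKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'

function ConvertFrom-EncodedCommand([string]$Arguments) {
    # powershell.exe -e / -ec / -enc / -EncodedCommand takes Base64 of UTF-16LE text.
    if ($Arguments -match '(?i)-e(c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2])) }
        catch { return $null }
    }
    return $null
}

# Assumption: what a script- or registry-based loader typically looks like in a task action.
$loaderPattern = '(?i)powershell|pwsh|cmd\.exe|rundll32|mshta|regsvr32|wscript|cscript|HKLM|HKCU|Registry::|Get-ItemProperty|-e(c|nc)?\s'

# Get-ScheduledTask accepts * in -TaskPath, so the random-named subfolders are included.
$tasks = @(Get-ScheduledTask -TaskPath "$TaskPath*" -ErrorAction SilentlyContinue)
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

foreach ($t in $tasks) {
    $fullName = $t.TaskPath + $t.TaskName
    Write-Host $fullName
    foreach ($a in $t.Actions) {
        $cmd = ("{0} {1}" -f $a.Execute, $a.Arguments).Trim()
        Write-Host "  runs:     $cmd"
        $decoded = ConvertFrom-EncodedCommand $a.Arguments
        if ($decoded) { Write-Host "  decoded:  $decoded" }
        if ($cmd -match $loaderPattern) { Write-Host "  [!] action matches a script/registry loader pattern" }
    }
    $triggers = @($t.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ', '
    Write-Host "  triggers: $triggers"

    # Keep the full definition as evidence before changing anything.
    $file = Join-Path $ExportDir (($fullName.Trim('\') -replace '[\\/:*?"<>|]', '_') + '.xml')
    Export-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath | Set-Content -Path $file -Encoding Unicode

    if ($Remove) {
        # Unregister-ScheduledTask prompts per task by default, like the batch file above.
        Unregister-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath
    }
}
Write-Host ("{0} task(s) found under {1}; definitions saved to {2}" -f $tasks.Count, $TaskPath, $ExportDir)

# Cross-check: a task cached in the registry that Get-ScheduledTask no longer returns
# deserves a manual look rather than being assumed gone.
if (Test-Path $tasksKey) {
    $apiNames = @($tasks | ForEach-Object { $_.TaskPath + $_.TaskName })
    Get-ChildItem -Path $tasksKey |
        ForEach-Object { $_.GetValue('Path') } |
        Where-Object { $_ -like "$TaskPath*" -and ($apiNames -notcontains $_) } |
        ForEach-Object { Write-Host "[!] cached in TaskCache\Tasks but not returned by Get-ScheduledTask: $_" }
}
```

Run it once without -Remove and read the "runs:" lines: that is where the PowerShell command that loads the payload from the registry will show, and the decoded form is what to search the registry for. The exported XML files are what to attach to a support thread like this one instead of screenshots, since they contain the exact action, trigger and principal of every task.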

Posted (edited)
10 hours ago, Marcos said:

Please copy the following to a batch file (e.g. clean.bat) and run it as an administrator. You will be prompted before removing each of the tasks:

I would also check the RunOnReboot task shown in the below screenshot to ensure it is disabled (default) and hasn't been altered. It would be an ideal way to repopulate scheduled tasks, which is what is occurring here.

Eset_Scheduler.png

Edited by itman
This topic is now closed to further replies.