Jump to content

Address has been blocked


Recommended Posts

I have internet security version every 3 minutes or less the dialog pop up say address has been blocked.

With different web sites but same IP address 

185.170.213.96

Link to comment
Share on other sites

  • Administrators
22 minutes ago, vilant101 said:

I am getting these every 3sec-3min,. I have run multiple scans and tool to resolve this issue nothing has worked. see attached log and screenshot.

I've identified several tasks that run PowerShell that loads the payload from certain registry values. We'll add a detection shortly, ESET should be able to clean it automatically.

Link to comment
Share on other sites

  • Administrators

Detected as @Trojan.REG/Agent.BH. Please reboot the machine so that an update is run followed by a startup scan which should clean the malicious tasks.

Link to comment
Share on other sites

Ok I have resarted and updated eset and have run a few scans. No detections were encountered.

I have cleared the logs and will let my system run for awhile to see if the error still occurs.

Thanks

Link to comment
Share on other sites

thanks just checked and now it has remove the trojan. will check again within the next 24hr to see if all is resolved

Link to comment
Share on other sites

After a few days ESET detects and cleans by deleting. But the Trojan still pops up. So is it fully removing the Trojan?  See attached logs and screen shot

eav_logs.zip

Screenshot 2022-07-23 131425.png

Edited by vilant101
Link to comment
Share on other sites

14 hours ago, vilant101 said:

After a few days ESET detects and cleans by deleting. But the Trojan still pops up. So is it fully removing the Trojan?  See attached logs and screen shot

Appears malware is starting cmd.exe at system startup and trying to inject code into it. This implies crud still exists in Win registry startup areas.

Link to comment
Share on other sites

  • Administrators

Please run Windows Scheduler and delete these tasks or wait until tomorrow, we'll be able to clean it automatically:

Microsoft\Windows\Management\Provisioning\4H2gX
Microsoft\Windows\Management\Provisioning\7ieOr
Microsoft\Windows\Management\Provisioning\CKtVy3
Microsoft\Windows\Management\Provisioning\dNd67B963
Microsoft\Windows\Management\Provisioning\eZYNV
Microsoft\Windows\Management\Provisioning\F7GUQr
Microsoft\Windows\Management\Provisioning\gyUsr
Microsoft\Windows\Management\Provisioning\ibfn1s
Microsoft\Windows\Management\Provisioning\jXP92
Microsoft\Windows\Management\Provisioning\KPOtdabL
Microsoft\Windows\Management\Provisioning\MMxWPy
Microsoft\Windows\Management\Provisioning\neHdvs
Microsoft\Windows\Management\Provisioning\SHuoRNQ
Microsoft\Windows\Management\Provisioning\U7WbH
Microsoft\Windows\Management\Provisioning\UTSxRkds
Microsoft\Windows\Management\Provisioning\XeyW7U
Microsoft\Windows\Management\Provisioning\zy3c0

Link to comment
Share on other sites

  • Administrators

Check the Detections log, most likely the tasks have already been removed automatically.

Link to comment
Share on other sites

Ok I checked the detection logs and ESET did remove these tasks. It seems they were removed this AM into quarantine. Yet my log shows the there was a few detection a couple of hours later. See attached log etc. 580990696_Screenshot2022-07-25115131.thumb.png.c3b2d872d3e549c9ad9a500ebb3bc416.png

Screenshot 2022-07-25 115229.png

eav_logs.zip

Link to comment
Share on other sites

  • Administrators

I'd expect a detection like this:

7/25/2022 3:00:24 PM;Startup scanner;file;%TaskName%;REG/Agent.BH trojan;cleaned by deleting;;;5E320B3BBAD53D04513FAC74D76B3CE012408FFF;

where %TaskName% would be the name of the malicious task.

Is the same command-line scanner detection triggered even after a reboot? Or the threat is no longer detected after a reboot?

Link to comment
Share on other sites

There is no detection after reboot. Checked the Task folder and do not see any commands to trigger it. Again will clear the detection logs and see if it appears again.

Edited by vilant101
Link to comment
Share on other sites

4 hours ago, vilant101 said:

Ok I checked the detection logs and ESET did remove these tasks. It seems they were removed this AM into quarantine. Yet my log shows the there was a few detection a couple of hours later. See attached log etc.

Here's my take on what is going on.

Yes, Eset now detects and removes the malicious scheduled tasks that run at system startup time. However, there is still malware on the system that is recreating these scheduled tasks after system startup time. My best guess is there is something hidden in the registry that is recreating these scheduled tasks for persistence purposes.

Open this folder, C:\ProgramData\Microsoft\Provisioning, and see if the nonsense like names that were shown in the above posting: https://forum.eset.com/topic/33092-address-has-been-blocked/?do=findComment&comment=153970 exist in this folder.

Link to comment
Share on other sites

I have checked this folder and do not see these names. The threats happen 17 hits at a time and can happen hours apart.

It looks to keep attacking cmd.exe and svchost.exe

 

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
07/25/22 3:57:02 PM;Command line scanner;file;C:\Windows\system32\cmd.exe;REG/Agent.BH trojan;cleaned by deleting

Event occurred while attempting to run the following command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule;893ED6E5814EC94BCFE08FC9C024E318BED74E63;

 

Link to comment
Share on other sites

It is also possible this malware has created a malicious Win service and is using it to re-create the scheduled tasks it is using.

The bottom line here is Eset doesn't monitor scheduled task creation activities.

Edited by itman
Link to comment
Share on other sites

  • Administrators

Please provide ELC logs but with "Threat detection" selected as a template in the ELC menu.

Is the threat detected after a reboot when the machine is disconnected from the network?

Link to comment
Share on other sites

3 hours ago, Marcos said:

Please provide ESET Log Collector logs but with "Threat detection" selected as a template in the ESET Log Collector menu.

Is the threat detected after a reboot when the machine is disconnected from the network?

Attached is the log using you recommend template. I will disconnect the machine from the network and will let it run overnight. The last instance of the threat was 4hrs ago.

eav_logs.zip

Link to comment
Share on other sites

  • Administrators

Please copy the following to a batch file (e.g. clean.bat) and run it as an administrator. You will be prompted before removing each of the tasks:

schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\KPOtdabL\9991AAFE-12CB-44AD-B11B-D917E4ACAE15"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\eZYNV\1712E1C7-1160-4F98-AD30-004E2C27D264"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\ibfn1s\6D339F37-6F6D-4852-B2CE-8966C1C6BE73"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\XeyW7U\F3235FFB-E530-4AA8-8381-561C54B4B908"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\F7GUQr\E8A9B254-95C3-425F-947D-AE3486BCB600"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\gyUsr\166C9BE2-0A20-4032-BE4F-E87211A1A313"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\jXP92\AD2A1980-C45F-4987-A74D-AD927B8E6F11"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\dNd67B963\05CA9AA6-D213-4A40-8258-0C2CBFA19185"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\SHuoRNQ\CBB0E6E2-5FF3-42E8-BD4C-2D91FAF27FC1"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\neHdvs\FF41EB1A-AAC6-4B83-99B7-3DA67A77BC0B"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\UTSxRkds\4FF30699-4754-4242-B9A9-8DF2E5C1045D"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\7ieOr\A97F5542-6DF5-42D6-A9FD-A82234CEF56C"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\zy3c0\164AA25D-0435-4B8F-82F7-A705FD00E64E"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\MMxWPy\6AADE004-A7FC-42ED-A945-444B07CCAD92"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\4H2gX\E960ACD9-68B9-4079-8760-8462834D776D"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\CKtVy3\38C168B4-398E-44A3-B201-A90BA709F89D"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\U7WbH\535EEFFA-1B00-44F5-9D32-B26B3EB12FFF"

UPDATE: Automatic cleaning will require an update of the Cleaner module which is preliminary planned to take place next week.

Link to comment
Share on other sites

10 hours ago, Marcos said:

Please copy the following to a batch file (e.g. clean.bat) and run it as an administrator. You will be prompted before removing each of the tasks:

I would also check the RunOnReboot task shown in the below screen shot to ensure it is disabled (default) and hasn't been altered. It would be an ideal way to repopulate scheduled tasks which is occurring here.

Eset_Scheduler.thumb.png.bcef94354c5cad902bf053f983e48cd6.png

Edited by itman
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...