Abdallah, Posted July 18, 2022: I have Internet Security version. Every 3 minutes or less a dialog pops up saying an address has been blocked, with different web sites but the same IP address 185.170.213.96.
Marcos (Administrators), Posted July 18, 2022: Please provide logs collected with ESET Log Collector for a start.
vilant101, Posted July 20, 2022: I am getting these every 3 sec to 3 min. I have run multiple scans and tools to resolve this issue; nothing has worked. See attached log and screenshot. eav_logs.zip
Marcos (Administrators), Posted July 20, 2022: 22 minutes ago, vilant101 said: "I am getting these every 3 sec to 3 min. I have run multiple scans and tools to resolve this issue; nothing has worked. See attached log and screenshot." I've identified several tasks that run PowerShell, which loads the payload from certain registry values. We'll add a detection shortly; ESET should be able to clean it automatically.
Marcos (Administrators), Posted July 20, 2022: Detected as @Trojan.REG/Agent.BH. Please reboot the machine so that an update is run, followed by a startup scan which should clean the malicious tasks.
vilant101, Posted July 20, 2022: OK, I have restarted and updated ESET and have run a few scans. No detections were encountered. I have cleared the logs and will let my system run for a while to see if the error still occurs. Thanks.
vilant101, Posted July 20, 2022: Still encountering this issue. See new log etc. attached. eav_logs.zip
Marcos (Administrators), Posted July 20, 2022: Please try now: reboot the machine and see if the threat is removed. I've tested it and it worked like a charm.
vilant101, Posted July 21, 2022: Thanks, just checked and now it has removed the trojan. Will check again within the next 24 hr to see if all is resolved.
vilant101, Posted July 24, 2022 (edited): After a few days ESET detects and cleans by deleting, but the Trojan still pops up. So is it fully removing the Trojan? See attached logs and screenshot. eav_logs.zip (Edited July 24, 2022 by vilant101)
Marcos (Administrators), Posted July 24, 2022: We'll check it out and let you know.
itman, Posted July 24, 2022: 14 hours ago, vilant101 said: "After a few days ESET detects and cleans by deleting, but the Trojan still pops up. So is it fully removing the Trojan? See attached logs and screenshot." It appears malware is starting cmd.exe at system startup and trying to inject code into it. This implies crud still exists in Windows registry startup areas.
Marcos (Administrators), Posted July 24, 2022: Please run Windows Scheduler and delete these tasks, or wait until tomorrow, when we'll be able to clean it automatically:
Microsoft\Windows\Management\Provisioning\4H2gX
Microsoft\Windows\Management\Provisioning\7ieOr
Microsoft\Windows\Management\Provisioning\CKtVy3
Microsoft\Windows\Management\Provisioning\dNd67B963
Microsoft\Windows\Management\Provisioning\eZYNV
Microsoft\Windows\Management\Provisioning\F7GUQr
Microsoft\Windows\Management\Provisioning\gyUsr
Microsoft\Windows\Management\Provisioning\ibfn1s
Microsoft\Windows\Management\Provisioning\jXP92
Microsoft\Windows\Management\Provisioning\KPOtdabL
Microsoft\Windows\Management\Provisioning\MMxWPy
Microsoft\Windows\Management\Provisioning\neHdvs
Microsoft\Windows\Management\Provisioning\SHuoRNQ
Microsoft\Windows\Management\Provisioning\U7WbH
Microsoft\Windows\Management\Provisioning\UTSxRkds
Microsoft\Windows\Management\Provisioning\XeyW7U
Microsoft\Windows\Management\Provisioning\zy3c0
vilant101, Posted July 25, 2022: I was unable to find these tasks in Task Scheduler. Any updates on ESET removing these automatically?
Marcos (Administrators), Posted July 25, 2022: Check the Detections log; most likely the tasks have already been removed automatically.
vilant101, Posted July 25, 2022: OK, I checked the Detections log and ESET did remove these tasks. It seems they were removed this AM into quarantine. Yet my log shows there were a few detections a couple of hours later. See attached log etc. eav_logs.zip
Marcos (Administrators), Posted July 25, 2022: I'd expect a detection like this:
7/25/2022 3:00:24 PM;Startup scanner;file;%TaskName%;REG/Agent.BH trojan;cleaned by deleting;;;5E320B3BBAD53D04513FAC74D76B3CE012408FFF;
where %TaskName% would be the name of the malicious task. Is the same command-line scanner detection triggered even after a reboot? Or is the threat no longer detected after a reboot?
vilant101, Posted July 25, 2022 (edited): There is no detection after reboot. Checked the Task folder and do not see any commands to trigger it. Again, will clear the Detections log and see if it appears again. (Edited July 25, 2022 by vilant101)
itman, Posted July 25, 2022: 4 hours ago, vilant101 said: "OK, I checked the Detections log and ESET did remove these tasks. It seems they were removed this AM into quarantine. Yet my log shows there were a few detections a couple of hours later. See attached log etc." Here's my take on what is going on. Yes, ESET now detects and removes the malicious scheduled tasks that run at system startup time. However, there is still malware on the system that is recreating these scheduled tasks after system startup time. My best guess is there is something hidden in the registry that is recreating these scheduled tasks for persistence purposes. Open this folder, C:\ProgramData\Microsoft\Provisioning, and see if the nonsense-like names that were shown in the above posting (https://forum.eset.com/topic/33092-address-has-been-blocked/?do=findComment&comment=153970) exist in this folder.
vilant101, Posted July 25, 2022: I have checked this folder and do not see these names. The threats happen 17 hits at a time and can happen hours apart. It looks to keep attacking cmd.exe and svchost.exe:
Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
07/25/22 3:57:02 PM;Command line scanner;file;C:\Windows\system32\cmd.exe;REG/Agent.BH trojan;cleaned by deleting;;Event occurred while attempting to run the following command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule;893ED6E5814EC94BCFE08FC9C024E318BED74E63;
itman, Posted July 25, 2022 (edited): It is also possible this malware has created a malicious Windows service and is using it to re-create the scheduled tasks it is using. The bottom line here is ESET doesn't monitor scheduled task creation activities. (Edited July 25, 2022 by itman)
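Windows itself can record scheduled-task creation even when the security product does not: with the "Audit Other Object Access Events" subcategory enabled for success, each newly registered task writes Security event 4698, which carries the task name, the creating account and the task's XML definition. The PowerShell below is an added example, not code from this thread or from ESET. It assumes an elevated prompt, that the audit subcategory was enabled before the tasks were recreated, and a seven-day look-back window chosen for illustration; the folder prefix is the one named in the thread. It lists creation events for tasks under that folder together with the creator, the client process ID (recorded only on newer Windows builds) and the task's Exec action.

```powershell
# Added example, not from the thread or from ESET.
# Lists Security event 4698 (scheduled task created) records whose task name
# falls under the Provisioning folder discussed in the thread.
# Prerequisites (assumptions): run elevated; auditing enabled beforehand with
#   auditpol /set /subcategory:"Other Object Access Events" /success:enable

$FolderPrefix = '\Microsoft\Windows\Management\Provisioning\'
$LookBack     = (Get-Date).AddDays(-7)    # window chosen for the example

function Get-ProvisioningTaskCreation {
    param(
        [string]   $Prefix    = $FolderPrefix,
        [datetime] $StartTime = $LookBack
    )

    $filter = @{ LogName = 'Security'; Id = 4698; StartTime = $StartTime }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the EventData fields by name rather than by position
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            if ($data['TaskName'] -like "$Prefix*") {
                # TaskContent is the registered task's XML; extract its Exec action(s)
                $exec = ([xml]$data['TaskContent']).Task.Actions.Exec
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    TaskName  = $data['TaskName']
                    Creator   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                    ClientPid = $data['ClientProcessId']   # present on newer Windows builds only
                    Command   = ($exec.Command   -join ' | ')
                    Arguments = ($exec.Arguments -join ' | ')
                }
            }
        }
}

Get-ProvisioningTaskCreation | Sort-Object Time | Format-Table -AutoSize
```

If the list comes back empty after the tasks have visibly reappeared, auditing was not on at the time; once it is, the ClientPid column can be matched against a process-creation record (Security event 4688 or a Sysmon log) to identify the program, service or script that is re-registering the tasks, which is the piece the detections in the thread do not show.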
Marcos (Administrators), Posted July 25, 2022: Please provide ELC logs, but with "Threat detection" selected as a template in the ELC menu. Is the threat detected after a reboot when the machine is disconnected from the network?
vilant101, Posted July 26, 2022: 3 hours ago, Marcos said: "Please provide ESET Log Collector logs, but with "Threat detection" selected as a template in the ESET Log Collector menu. Is the threat detected after a reboot when the machine is disconnected from the network?" Attached is the log using the template you recommended. I will disconnect the machine from the network and will let it run overnight. The last instance of the threat was 4 hrs ago. eav_logs.zip
Marcos (Administrators), Posted July 26, 2022: Please copy the following to a batch file (e.g. clean.bat) and run it as an administrator. You will be prompted before removing each of the tasks:
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\KPOtdabL\9991AAFE-12CB-44AD-B11B-D917E4ACAE15"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\eZYNV\1712E1C7-1160-4F98-AD30-004E2C27D264"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\ibfn1s\6D339F37-6F6D-4852-B2CE-8966C1C6BE73"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\XeyW7U\F3235FFB-E530-4AA8-8381-561C54B4B908"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\F7GUQr\E8A9B254-95C3-425F-947D-AE3486BCB600"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\gyUsr\166C9BE2-0A20-4032-BE4F-E87211A1A313"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\jXP92\AD2A1980-C45F-4987-A74D-AD927B8E6F11"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\dNd67B963\05CA9AA6-D213-4A40-8258-0C2CBFA19185"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\SHuoRNQ\CBB0E6E2-5FF3-42E8-BD4C-2D91FAF27FC1"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\neHdvs\FF41EB1A-AAC6-4B83-99B7-3DA67A77BC0B"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\UTSxRkds\4FF30699-4754-4242-B9A9-8DF2E5C1045D"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\7ieOr\A97F5542-6DF5-42D6-A9FD-A82234CEF56C"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\zy3c0\164AA25D-0435-4B8F-82F7-A705FD00E64E"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\MMxWPy\6AADE004-A7FC-42ED-A945-444B07CCAD92"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\4H2gX\E960ACD9-68B9-4079-8760-8462834D776D"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\CKtVy3\38C168B4-398E-44A3-B201-A90BA709F89D"
schtasks /delete /tn "\Microsoft\Windows\Management\Provisioning\U7WbH\535EEFFA-1B00-44F5-9D32-B26B3EB12FFF"
UPDATE: Automatic cleaning will require an update of the Cleaner module, which is preliminarily planned to take place next week.
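The batch file above has to be regenerated every time the tasks come back under new random names. A scripted alternative that does not need the names in advance, added here as an example and not code from the thread or from ESET: it enumerates every task under the Provisioning folder, flags any that sit in a nested subfolder (the thread's tasks all do) or whose Exec action runs an interpreter or passes registry or encoded-command arguments (heuristics that are this example's own assumption, modelled on Marcos's description of PowerShell tasks loading a payload from registry values), prints them for review, and only when $Remove is set to $true unregisters each one with a per-task confirmation prompt, matching the behaviour of the batch file. It assumes an elevated PowerShell prompt.

```powershell
# Added example, not from the thread or from ESET.
# Triages tasks under the Provisioning folder named in the thread; removal is
# opt-in and prompts per task, like the schtasks batch file in the thread.
# Run from an elevated PowerShell prompt.

$FolderPrefix = '\Microsoft\Windows\Management\Provisioning\'
$Remove       = $false    # set to $true to unregister the flagged tasks

# Heuristics chosen for this example (assumption): the OS tasks in this folder
# do not sit in subfolders and do not run interpreters or read the registry.
$InterpreterPattern = '\\?(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32)(\.exe)?"?$'
$ArgumentPattern    = '(-enc|encodedcommand|frombase64|hklm|hkcu|registry::|get-itemproperty|invoke-expression|\biex\b)'

function Find-SuspiciousProvisioningTask {
    param([string]$Prefix = $FolderPrefix)

    Get-ScheduledTask |
        Where-Object { $_.TaskPath -like "$Prefix*" } |
        ForEach-Object {
            $task = $_
            foreach ($action in $task.Actions) {
                if (-not $action.Execute) { continue }   # skip non-Exec (COM handler) actions
                $exe       = [string]$action.Execute
                $arguments = [string]$action.Arguments
                $reasons   = @()

                # A subfolder below the OS-owned Provisioning folder is itself unusual
                if ($task.TaskPath.Length -gt $Prefix.Length) { $reasons += 'nested subfolder' }
                if ($exe -match $InterpreterPattern)          { $reasons += "runs $exe" }
                if ($arguments -match $ArgumentPattern)       { $reasons += 'registry or encoded argument' }

                if ($reasons.Count -gt 0) {
                    [pscustomobject]@{
                        TaskPath  = $task.TaskPath
                        TaskName  = $task.TaskName
                        State     = $task.State
                        Execute   = $exe
                        Arguments = $arguments
                        Reasons   = ($reasons -join '; ')
                    }
                }
            }
        }
}

$suspects = @(Find-SuspiciousProvisioningTask)
Write-Host "Flagged $($suspects.Count) task action(s) under $FolderPrefix"
$suspects | Format-List

if ($Remove) {
    # -Confirm keeps the per-task prompt regardless of $ConfirmPreference
    $suspects | Select-Object TaskPath, TaskName -Unique | ForEach-Object {
        Unregister-ScheduledTask -TaskPath $_.TaskPath -TaskName $_.TaskName -Confirm
    }
}
```

Review the flagged list before setting $Remove: the Arguments column shows what each task actually launches, and the legitimate provisioning tasks (ProvTool.exe in the folder root) should not appear. Unregistering the tasks only removes the persistence that has already been planted; if they return, the creator has to be found separately.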
itman, Posted July 26, 2022 (edited): 10 hours ago, Marcos said: "Please copy the following to a batch file (e.g. clean.bat) and run it as an administrator. You will be prompted before removing each of the tasks:" I would also check the RunOnReboot task shown in the screenshot below to ensure it is disabled (default) and hasn't been altered. It would be an ideal way to repopulate scheduled tasks, which is what is occurring here. (Edited July 26, 2022 by itman)