URL/Urlik.AAR Object - pastebin - virus?


Go to solution Solved by Nataniell,


My best guess at this point is a Win service has been created that auto runs at system startup time. I saw something similar running as:

svchost.exe cmd http:\\some IP address with pastebin.com URL.


1 hour ago, Nataniell said:

Ok so any more ideas what I can do? 

Let's wait till Eset scan completes to see if it found anything.


Something new today. Eset has blacklisted the pastebin.com domain used by this coinminer:

[Screenshot: Eset_Pastebin.png, the blacklisted pastebin.com domain]

As such, you should no longer be receiving any Eset alerts when the coinminer attempts to connect to the pastebin.com domain in question. Rather the connection attempt is silently blocked by Eset HTTP filtering. This can be verified by reviewing Eset filtered web sites log. 

However, the coinminer still exists on your device.


32 minutes ago, Nataniell said:

Ok so I have to format disk? 

Wait till tomorrow to see what @Marcos can come up with. It's the weekend and Eset support personnel are not at work.


  • Administrators

What if you rename procmon.exe to proc.cmd for instance and run it under this name?


50 minutes ago, Nataniell said:

Renaming does not work

Do you mean that Process Monitor would not start when named proc.cmd? If that is the case, rename it to monitor.exe and see if that works.


  • Administrators

Please provide logs from the Autoruns and Gmer tools as well.

Also to rule out a possible active rootkit being on the machine and hiding the malware, I'd recommend starting the system from a clean medium and running a disk scan, e.g. with the ESET Online scanner.


3 hours ago, Marcos said:

Please provide logs from the Autoruns and Gmer tools as well.

Also to rule out a possible active rootkit being on the machine and hiding the malware, I'd recommend starting the system from a clean medium and running a disk scan, e.g. with the ESET Online scanner.

What do you mean by starting the system from a clean medium?

I'm sending logs from Autoruns and Gmer, but I'm not sure if I've collected them correctly with the correct settings.


[Attachment: logs.rar]


I believe we can use HIPS rules to identify which file is executing the command to connect to pastebin.com. Here's how you can do it:

1. Navigate to Settings > HIPS > Rules
2. Click Add
3. Enter a name for the rule
4. For the action, select Block
5. Enable the Application toggle, the Enable toggle, and the Notify user toggle
6. Set the logging severity to Warning
7. In the Source applications window, click Add and enter C:\Windows\System32\cmd.exe
8. On the next page, enable the Start new application toggle
9. Select All applications from the drop-down menu and click Finish

After this, you will be able to see in the HIPS logs which application is executing cmd.exe.


22 minutes ago, Nataniell said:

This one?  @MHRSFI

[Screenshot: HIPS log]

I don't see anything wrong with the log in your picture. Could you try adding another rule similar to the previous one?

For step 5, instead of adding cmd.exe, select All applications. On the next page, enable All application operations. Then, click Add and enter C:\Windows\System32\cmd.exe

If you find these rules unhelpful, you should remove them.


5 minutes ago, MHRSFI said:

I don't see anything wrong with the log in your picture. Could you try adding another rule similar to the previous one?

For step 5, instead of adding cmd.exe, select All applications. On the next page, enable All application operations. Then, click Add and enter C:\Windows\System32\cmd.exe

If you find these rules unhelpful, you should remove them.

Conhost.exe is in that picture... This Conhost uses CMD.exe after reboot.


1 hour ago, MHRSFI said:

7. In the Source applications window, click Add and enter C:\Windows\System32\cmd.exe
8. On the next page, enable the Start new application toggle
9. Select All applications from the drop-down menu

Change the rule to the following;

1. In the Source applications window, delete C:\Windows\System32\cmd.exe. In the top window, select "All applications."

2. In the Applications section, in the top window select "Specific applications." Then add C:\Windows\System32\cmd.exe and C:\Windows\SysWOW64\cmd.exe.

This will show what is running cmd.exe. I suspect it will show svchost.exe, which really tells us nothing since we need to know what service is being used.

Post a screenshot of the Eset alert. I believe that might show the service being used.

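The HIPS rules above (MHRSFI's steps and itman's revised version) record which process launches cmd.exe, and itman notes that an answer of svchost.exe alone does not say which service is responsible. The following PowerShell script is an added example for this thread, not code from the original post or from ESET; it takes the same question to the running system: it maps every running cmd.exe and conhost.exe to its parent process, resolves an svchost.exe parent to the services hosted in that instance, and then lists services and scheduled tasks whose command line references pastebin.com (the domain from the thread; any other value is an assumption you change for your case). It assumes Windows PowerShell 5.1 or later and an elevated prompt so that command lines and service data are readable.

```powershell
# Added example (not from the thread or ESET): attribute cmd.exe/conhost.exe
# launches to their parent process and hosting service, then look for
# persistence that references the suspect domain.
# Requires an elevated PowerShell session; pastebin.com is the domain from the thread.
$suspectDomain = 'pastebin.com'

function Get-CmdParentReport {
    # One snapshot of running processes; a cmd.exe started by a service may be
    # short-lived, so run this right after the HIPS alert or at startup.
    $procs = Get-CimInstance Win32_Process
    $services = Get-CimInstance Win32_Service

    foreach ($p in ($procs | Where-Object { $_.Name -in @('cmd.exe', 'conhost.exe') })) {
        $parent = $procs | Where-Object { $_.ProcessId -eq $p.ParentProcessId }

        # An svchost.exe parent is only useful once it is resolved to the
        # services sharing that PID, which is what itman asks for in the thread.
        $hosted = ''
        if ($parent -and $parent.Name -eq 'svchost.exe') {
            $hosted = ($services | Where-Object { $_.ProcessId -eq $parent.ProcessId }).Name -join ', '
        }

        [pscustomobject]@{
            Child          = "$($p.Name) (PID $($p.ProcessId))"
            ChildCmd       = $p.CommandLine
            Parent         = if ($parent) { "$($parent.Name) (PID $($parent.ProcessId))" } else { '<parent exited>' }
            ParentCmd      = if ($parent) { $parent.CommandLine } else { '' }
            HostedServices = $hosted
        }
    }
}

function Get-ServicesReferencing {
    param([string]$Domain)
    # Services whose image path embeds the domain (the "Win service ... auto runs
    # at system startup" pattern described earlier in the thread).
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -match [regex]::Escape($Domain) } |
        Select-Object Name, State, StartMode, PathName
}

function Get-TasksReferencing {
    param([string]$Domain)
    # Scheduled tasks are the other common autostart location; check each action.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $line = "$($a.Execute) $($a.Arguments)"
            if ($line -match [regex]::Escape($Domain)) {
                [pscustomobject]@{ Task = $task.TaskName; Path = $task.TaskPath; Action = $line }
            }
        }
    }
}

'== cmd.exe / conhost.exe parents =='
Get-CmdParentReport | Format-List
"== services referencing $suspectDomain =="
Get-ServicesReferencing -Domain $suspectDomain | Format-Table -AutoSize
"== scheduled tasks referencing $suspectDomain =="
Get-TasksReferencing -Domain $suspectDomain | Format-Table -AutoSize
```

The first section complements rather than replaces the HIPS rule: HIPS catches the launch as it happens, while this script only sees what is running at the moment it is executed, so run it immediately after an alert. If the service or task lists come back empty, the persistence may live elsewhere (WMI subscriptions, Run keys), which is what the Autoruns log requested earlier in the thread is for.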

5 minutes ago, Nataniell said:

What now? 

Something is wrong with your HIPS rule.

Post a screenshot of the Source applications and Applications sections.


2 minutes ago, Nataniell said:

First source apps

Does the shown wording translate to All Applications?
