
I keep getting warnings. "IP address blocked."


Solved by Marcos.


Hello;

I have been receiving constant warnings since this morning. "IP address blocked." I closed all applications, scanned the computer. I restarted the computer. But nothing changed. ESET continues to give warnings.

What is the source of the problem? How can I solve it?
Turning off alerts is not a solution. I don't want that.

[Screenshot attached: Ekran görüntüsü 2024-08-08 110029.png]


This is a strange one. The shown IP address is not routable; i.e. won't resolve.

Edited by itman

27 minutes ago, Addwork said:

I am scanning but there doesn't seem to be any problems.

As long as you're not receiving any further Eset detection popups related to the IP address, the problem is resolved.


6 minutes ago, itman said:

As long as you're not receiving any further Eset detection popups related to the IP address, the problem is resolved.

Unfortunately. I'm still getting the warning. Nothing has changed.


1 minute ago, Marcos said:

Could you restart the computer and see if the file is detected?

If this persists, it's possible the legit Windows Task Manager has been replaced with this rogue one. Possibilities include a reg. debugger value, etc.


20 minutes ago, Marcos said:

Could you restart the computer and see if the file is detected?

I restarted the computer. No change. I keep getting the warning.


I just ran an online scan and it found some things. I'll restart the computer and see what happens.

Why can't the ESET software installed on my computer find these viruses?

[Screenshot attached: Ekran görüntüsü 2024-08-08 183909.png]


I restarted my computer. The problem seems to be solved. Why couldn't the ESET application fix the problem? Did I pay for this for nothing?

[Screenshot attached: Ekran görüntüsü 2024-08-08 184504.png]


Administrator (accepted solution)

The other detections are potentially unsafe applications which are disabled by default and they were turned off also in your config:

[Screenshot attached: image.png]

However, this does not explain why the trojan was not detected. It was not registered in run keys for autostart. When testing cleaning on my machine, it was detected in memory and cleaned.

[Screenshot attached: image.png]

[Screenshot attached: image.png]

 


2 hours ago, Marcos said:

However, this does not explain why the trojan was not detected. It was not registered in run keys for autostart. When testing cleaning on my machine, it was detected in memory and cleaned.

Wondered the same thing.

Of interest is OP's online scan log shows a restart was required to remove the rogue task manager. This would imply the .exe was locked from access by Windows.

Your screen shot shows rogue task manager running as a child process of explorer.exe. As such, access to it would not be an issue. Assume some other privileged Win process has started the rogue task manager.

Edited by itman

4 hours ago, Marcos said:

It was not registered in run keys for autostart.

Reviewing a similar detection by Microsoft: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanProxy:Win32/Agent.E yields:

Quote:

The registry is modified to execute this dropped component at each Windows start.

Adds value: {DA1DE019-A6A8-ED40-4B87-248B2A93DE99}
To subkey: HKLM\SOFTWARE\Classes\CLSID\

Adds value: "(default)"
With data: "%windir%\sysocmgr.dll"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{DA1DE019-A6A8-ED40-4B87-248B2A93DE99}\InprocServer32

The dropped file is executed using the Windows system tool RUNDLL32.EXE and it drops another DLL component as the following:

<system folder>\mshta.dll

This also appears to be a DNS poisoning attack. As such, it makes me wonder why Eset removed DNS poisoning from IDS protection?


Administrator
6 minutes ago, ES_ET_Novice said:

What is the Solution?

ESET Online Scanner only?

Is the file undetected by ESET if you scan it? Is it detected when scanned with the command-line scanner "C:\Program Files\ESET\ESET Security\ecls.exe" ?


Yes, undetected by ESET Endpoint Antivirus, installed 1h ago. ESET Online Scanner is running right now and it found some file, then ESET Endpoint Antivirus showed a popup: "detection 'through' ESET Online Scanner, [...] restart to finish." I'll wait for Online Scanner to finish, then restart.


Got these 2 Detections in ESET Endpoint Antivirus:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
09.08.2024 08:53:52;Real-time file system protection;file;C:\Users\USER1~1.BEK\AppData\Local\Temp\nod485F.tmp;Win32/TrojanProxy.Agent.OEY trojan;cleaned by deleting (after the next restart);COMP1\USER1;Event occurred during an attempt to access the file by the application: C:\Windows\System32\Taskmgr.exe (05587415685CDADA02E09AF1394CE61A303D759F).;B2C8FEE980C9E337F8319E703F6835DB267BA10D;09.08.2024 08:45:22
 

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
09.08.2024 08:50:23;Real-time file system protection;file;C:\Users\USER1\AppData\Local\Temp\nod485F.tmp;Win32/TrojanProxy.Agent.OEY trojan;cleaned by deleting (after the next restart);COMP1\USER1;Event occurred during an attempt to access the file by the application: C:\Users\USER1\AppData\Local\ESET\ESETOnlineScanner\ESETOnlineScanner.exe (12F009F222DBA1A57AE2D32BC031CE95C00D6827).;B2C8FEE980C9E337F8319E703F6835DB267BA10D;09.08.2024 08:45:22
 


Just now, Marcos said:

So the file is undetected by ESET if you upload it to https://www.virustotal.com?

I mean I did a Full Scan yesterday with ESET Endpoint Antivirus and it didn't find it.

Online Scanner found it, and 1 min later, through this, Endpoint Antivirus also got the message.

Then it finished and I just pressed Restart, so I guess I can't upload it anymore 😕 ?


6 hours ago, ES_ET_Novice said:

Got these 2 Detections in ESET Endpoint Antivirus:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
09.08.2024 08:53:52;Real-time file system protection;file;C:\Users\USER1~1.BEK\AppData\Local\Temp\nod485F.tmp;Win32/TrojanProxy.Agent.OEY trojan;cleaned by deleting (after the next restart);COMP1\USER1;Event occurred during an attempt to access the file by the application: C:\Windows\System32\Taskmgr.exe (05587415685CDADA02E09AF1394CE61A303D759F).;B2C8FEE980C9E337F8319E703F6835DB267BA10D;09.08.2024 08:45:22

This is the same malware, and the Eset log entry gives more detail on how it is being executed.

In this instance, the rogue task manager was created in multiple C:\Users directories as AppData\Local\Temp\nod485F.tmp and run at system startup time as a scheduled task. The question is whether something else running at system startup time is copying C:\Users\XXXXX\AppData\Local\Packages\Task Manager.exe, the rogue task manager malware, into AppData\Local\Temp\nod485F.tmp, also at system startup time. Also, the rogue task manager malware might not be located at C:\Users\XXXXX\AppData\Local\Packages\Task Manager.exe.

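Added example, not from the thread or from ESET: a small Python parser for the semicolon-separated detection export posted by ES_ET_Novice above, pulling out the accessing process and its SHA-1 that the Information column embeds in prose, so that repeated hits on one object hash, and a Windows system binary touching that object (the point itman's reading of the entry turns on), stand out at a glance. The column names and the two sample rows are taken from the post; the function names and the triage rule are this example's own.

```python
import csv
import re
from collections import defaultdict
from io import StringIO

# Two Endpoint Antivirus entries taken from the thread above: the same object
# (same SHA-1) is reported twice, each time touched by a different process.
SAMPLE_LOG = r"""Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
09.08.2024 08:53:52;Real-time file system protection;file;C:\Users\USER1~1.BEK\AppData\Local\Temp\nod485F.tmp;Win32/TrojanProxy.Agent.OEY trojan;cleaned by deleting (after the next restart);COMP1\USER1;Event occurred during an attempt to access the file by the application: C:\Windows\System32\Taskmgr.exe (05587415685CDADA02E09AF1394CE61A303D759F).;B2C8FEE980C9E337F8319E703F6835DB267BA10D;09.08.2024 08:45:22
09.08.2024 08:50:23;Real-time file system protection;file;C:\Users\USER1\AppData\Local\Temp\nod485F.tmp;Win32/TrojanProxy.Agent.OEY trojan;cleaned by deleting (after the next restart);COMP1\USER1;Event occurred during an attempt to access the file by the application: C:\Users\USER1\AppData\Local\ESET\ESETOnlineScanner\ESETOnlineScanner.exe (12F009F222DBA1A57AE2D32BC031CE95C00D6827).;B2C8FEE980C9E337F8319E703F6835DB267BA10D;09.08.2024 08:45:22
"""

# The Information column embeds the accessing process path and its SHA-1 in prose.
ACCESS_RE = re.compile(r"by the application: (?P<app>.+?) \((?P<sha1>[0-9A-Fa-f]{40})\)\.?$")

def parse_eset_log(text):
    """Parse ESET's semicolon-separated detection export into plain dicts."""
    events = []
    for row in csv.DictReader(StringIO(text), delimiter=";"):
        m = ACCESS_RE.search(row["Information"])
        events.append({
            "time": row["Time"],
            "object": row["Object"],
            "detection": row["Detection"],
            "hash": row["Hash"].upper(),
            "needs_restart": "after the next restart" in row["Action"],
            "accessed_by": m.group("app") if m else None,
            "accessed_by_sha1": m.group("sha1").upper() if m else None,
        })
    return events

def accessors_by_hash(events):
    """Map each detected object's SHA-1 to the set of processes that touched it."""
    out = defaultdict(set)
    for e in events:
        if e["accessed_by"]:
            out[e["hash"]].add(e["accessed_by"])
    return dict(out)

def suspicious_accessors(events):
    """Flag accesses by a binary under the Windows directory that is not an ESET
    component: a system tool touching a detected file hints at how it is launched."""
    flagged = []
    for e in events:
        app = (e["accessed_by"] or "").lower()
        if app.startswith(r"c:\windows") and "eset" not in app:
            flagged.append((e["time"], e["accessed_by"], e["object"]))
    return flagged
```

Run against the real export, the same grouping shows whether one hash keeps reappearing under different user profiles, which is exactly the question raised about nod485F.tmp above.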

Reflecting on above .tmp file detection, it appears it was created by Eset online scanner for detection purposes. Subsequently, the .tmp file got detected by Eset real-time scanning when the on-demand EAS scan ran.

Since the OP's EAS on-demand scan yesterday didn't detect the rogue task manager, there might be multiple variants of it being deployed, some of which are able to avoid detection by Eset real-time/on-demand scanning.

Edited by itman

For what it is worth, Hybrid-Analysis has detailed analysis of this malware for both Win 10 and 11 here: https://www.hybrid-analysis.com/search?query=B2C8FEE980C9E337F8319E703F6835DB267BA10D . Unfortunately, I couldn't find any details from those reports on how this bugger is being run at system startup time and evades real-time detection.

-EDIT- Reanalyzing the VirusTotal details on this malware, appears it's being installed via a fake/hacked Google update; I am assuming Chrome here. Persistence is had by creation of a service to run the update at system startup time.

Also, there appears to be a WMI factor involved; either creation of a consumer or command event.

Edited by itman