Addwork (Posted August 8): Hello; I have been receiving constant warnings since this morning: "IP address blocked." I closed all applications, scanned the computer. I restarted the computer. But nothing changed. ESET continues to give warnings. What is the source of the problem? How can I solve it? Turning off alerts is not a solution. I don't want that.
Marcos (Administrators, Posted August 8): Please provide logs collected with ESET Log Collector.
Addwork (Author, Posted August 8): I am sending it as an attachment. eis_logs.zip
itman (Posted August 8, edited): This is a strange one. The shown IP address is not routable; i.e. it won't resolve. Edited August 8 by itman
Addwork (Author, Posted August 8): I saw someone else having the same problem: https://slo-tech.com/forum/t832046 I don't know why I keep getting this warning.
Marcos (Administrators, Posted August 8): The URL was accessed by C:\Users\fXXXh\AppData\Local\Packages\Task Manager.exe; it should be detected now: @Trojan.Win32/TrojanProxy.Agent.OEY https://www.virustotal.com/gui/file/f184639093ad944e0a3e37aff7808b4ab86274317881946f5e4bef368a956516
Addwork (Author, Posted August 8): I am scanning but there doesn't seem to be any problems. What should I do?
itman (Posted August 8): 27 minutes ago, Addwork said: "I am scanning but there doesn't seem to be any problems." As long as you're not receiving any further Eset detection popups related to the IP address, the problem is resolved.
Addwork (Author, Posted August 8): 6 minutes ago, itman said: "As long as you're not receiving any further Eset detection popups related to the IP address, the problem is resolved." Unfortunately, I'm still getting the warning. Nothing has changed.
Marcos (Administrators, Posted August 8): Could you restart the computer and see if the file is detected?
itman (Posted August 8): 1 minute ago, Marcos said: "Could you restart the computer and see if the file is detected?" If this persists, it's possible the legit Win Task Manager has been replaced with this rogue one. Possibilities include a reg. debugger value, etc.
Addwork (Author, Posted August 8): 20 minutes ago, Marcos said: "Could you restart the computer and see if the file is detected?" I restarted the computer. No change. I keep getting the warning.
Addwork (Author, Posted August 8): I just ran an online scan and it found some things. I'll restart the computer and see what happens. Why can't the ESET software installed on my computer find these viruses?
Addwork (Author, Posted August 8): I restarted my computer. The problem seems to be solved. Why couldn't the ESET application fix the problem? Did I pay for this for nothing?
Marcos (Administrators, Posted August 8, marked as Solution): The other detections are potentially unsafe applications, which are disabled by default and were also turned off in your config: However, this does not explain why the trojan was not detected. It was not registered in run keys for autostart. When testing cleaning on my machine, it was detected in memory and cleaned.
itman (Posted August 8, edited): 2 hours ago, Marcos said: "However, this does not explain why the trojan was not detected. It was not registered in run keys for autostart. When testing cleaning on my machine, it was detected in memory and cleaned." Wondered the same thing. Of interest is that OP's online scan log shows a restart was required to remove the rogue task manager. This would imply the .exe was locked from access by Windows. Your screenshot shows the rogue task manager running as a child process of explorer.exe. As such, access to it would not be an issue. Assume some other privileged Win process has started the rogue task manager. Edited August 8 by itman
itman (Posted August 8): 4 hours ago, Marcos said: "It was not registered in run keys for autostart." Reviewing a similar detection by Microsoft: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanProxy:Win32/Agent.E yields:

"The registry is modified to execute this dropped component at each Windows start.
Adds value: {DA1DE019-A6A8-ED40-4B87-248B2A93DE99}
To subkey: HKLM\SOFTWARE\Classes\CLSID\
Adds value: "(default)"
With data: "%windir%\sysocmgr.dll"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{DA1DE019-A6A8-ED40-4B87-248B2A93DE99}\InprocServer32
The dropped file is executed using the Windows system tool RUNDLL32.EXE and it drops another DLL component as the following: <system folder>\mshta.dll"

This also appears to be a DNS poisoning attack. As such, it makes me wonder why Eset removed DNS poisoning from IDS protection?
ES_ET_Novice (Posted August 9): What is the solution? ESET Online Scanner only?
Marcos (Administrators, Posted August 9): 6 minutes ago, ES_ET_Novice said: "What is the solution? ESET Online Scanner only?" Is the file undetected by ESET if you scan it? Is it detected when scanned with the command-line scanner "C:\Program Files\ESET\ESET Security\ecls.exe"?
ES_ET_Novice (Posted August 9): Yes, undetected by ESET Endpoint Antivirus, installed 1 h ago. ESET Online Scanner is running right now and it found some file; then ESET Endpoint Antivirus showed a popup: "detection 'through' ESET Online Scanner, [...] restart to finish." I'll wait for Online Scanner to finish, then restart. Got these 2 detections in ESET Endpoint Antivirus:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
09.08.2024 08:53:52;Real-time file system protection;file;C:\Users\USER1~1.BEK\AppData\Local\Temp\nod485F.tmp;Win32/TrojanProxy.Agent.OEY trojan;cleaned by deleting (after the next restart);COMP1\USER1;Event occurred during an attempt to access the file by the application: C:\Windows\System32\Taskmgr.exe (05587415685CDADA02E09AF1394CE61A303D759F).;B2C8FEE980C9E337F8319E703F6835DB267BA10D;09.08.2024 08:45:22

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
09.08.2024 08:50:23;Real-time file system protection;file;C:\Users\USER1\AppData\Local\Temp\nod485F.tmp;Win32/TrojanProxy.Agent.OEY trojan;cleaned by deleting (after the next restart);COMP1\USER1;Event occurred during an attempt to access the file by the application: C:\Users\USER1\AppData\Local\ESET\ESETOnlineScanner\ESETOnlineScanner.exe (12F009F222DBA1A57AE2D32BC031CE95C00D6827).;B2C8FEE980C9E337F8319E703F6835DB267BA10D;09.08.2024 08:45:22
Marcos (Administrators, Posted August 9): So the file is undetected by ESET if you upload it to https://www.virustotal.com?
ES_ET_Novice (Posted August 9): Just now, Marcos said: "So the file is undetected by ESET if you upload it to https://www.virustotal.com?" I mean I did a full scan yesterday with ESET Endpoint Antivirus and it didn't find it. Online Scanner found it, and 1 min later, through this, Endpoint Antivirus also got the message. Then it finished and I just pressed Restart, so I guess I can't upload it anymore 😕 ?
itman (Posted August 9): 6 hours ago, ES_ET_Novice said: "Got these 2 detections in ESET Endpoint Antivirus:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
09.08.2024 08:53:52;Real-time file system protection;file;C:\Users\USER1~1.BEK\AppData\Local\Temp\nod485F.tmp;Win32/TrojanProxy.Agent.OEY trojan;cleaned by deleting (after the next restart);COMP1\USER1;Event occurred during an attempt to access the file by the application: C:\Windows\System32\Taskmgr.exe (05587415685CDADA02E09AF1394CE61A303D759F).;B2C8FEE980C9E337F8319E703F6835DB267BA10D;09.08.2024 08:45:22"

This is the same malware, and the Eset log entry gives more detail on how it is being executed. In this instance, the rogue task manager was created in multiple C:\Users directories as AppData\Local\Temp\nod485F.tmp and run at system startup time as a scheduled task. The question is whether something else running at system startup time is copying C:\Users\XXXXX\AppData\Local\Packages\Task Manager.exe, the rogue task manager malware, into AppData\Local\Temp\nod485F.tmp, also at system startup time. Also, the rogue task manager malware might not be located at C:\Users\XXXXX\AppData\Local\Packages\Task Manager.exe.
itman (Posted August 9, edited): Reflecting on the above .tmp file detection, it appears it was created by Eset Online Scanner for detection purposes. Subsequently, the .tmp file got detected by Eset real-time scanning when the on-demand EAS scan ran. Since the OP's EAS on-demand scan yesterday didn't detect the rogue task manager, there might be multiple variants of it being deployed, some of these variants being able to avoid detection by Eset real-time/on-demand scanning. Edited August 9 by itman
itman (Posted August 11, edited): For what it is worth, Hybrid-Analysis has a detailed analysis of this malware for both Win 10 and 11 here: https://www.hybrid-analysis.com/search?query=B2C8FEE980C9E337F8319E703F6835DB267BA10D . Unfortunately, I couldn't find any details in those reports on how this bugger is being run at system startup time and evading real-time detection. -EDIT- Reanalyzing the VirusTotal details on this malware, it appears it's being installed via a fake/hacked Google update; I am assuming Chrome here. Persistence is had by creation of a service to run the update at system startup time. Also, there appears to be a WMI factor involved; either creation of a consumer or command event. Edited August 11 by itman
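An added example, not code from the thread, from ESET or from any of the posters: a read-only PowerShell check for the hijack and persistence points raised above (itman's IFEO "debugger value", the CLSID from the quoted Microsoft write-up, the Task Manager.exe path from Marcos' post, and the scheduled-task, service and WMI-consumer persistence discussed in the later posts). It assumes an elevated session on Windows 10/11 with only built-in cmdlets; the SHA1 it prints is for comparison with the hash column in the ESET log lines quoted above.

```powershell
# Added example, not from the thread: read-only checks for the Task Manager
# hijack/persistence points the posters mention. Run in an elevated PowerShell.
$findings = @()

# (1) IFEO "Debugger" value for taskmgr.exe (itman's "reg. debugger value")
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe'
if (Test-Path $ifeo) {
    $dbg = (Get-ItemProperty -Path $ifeo -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $findings += "IFEO Debugger for taskmgr.exe -> $dbg" }
}

# (2) The CLSID named in the Microsoft write-up itman quoted (Agent.E variant)
$clsid = 'HKLM:\SOFTWARE\Classes\CLSID\{DA1DE019-A6A8-ED40-4B87-248B2A93DE99}\InprocServer32'
if (Test-Path $clsid) {
    $findings += "CLSID InprocServer32 present -> $((Get-ItemProperty $clsid).'(default)')"
}

# (3) "Task Manager.exe" under any profile's AppData\Local\Packages (path from Marcos' post)
Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Join-Path $_.FullName 'AppData\Local\Packages\Task Manager.exe'
    if (Test-Path $p) {
        $sig  = Get-AuthenticodeSignature -FilePath $p
        $sha1 = (Get-FileHash -Path $p -Algorithm SHA1).Hash   # compare with the ESET log hash column
        $findings += "Suspicious $p (signature: $($sig.Status), sha1: $sha1)"
    }
}

# (4) The real binary should still carry a valid Microsoft signature
$real = Join-Path $env:SystemRoot 'System32\Taskmgr.exe'
$sig  = Get-AuthenticodeSignature -FilePath $real
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    $findings += "$real signature is $($sig.Status), signer: $($sig.SignerCertificate.Subject)"
}

# (5) Scheduled tasks and services launching from a user profile (startup persistence)
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($a in $_.Actions) {
        if ($a.Execute -match '\\Users\\.*\\AppData\\') {
            $findings += "Task '$($_.TaskName)' runs $($a.Execute) $($a.Arguments)"
        }
    }
}
Get-CimInstance Win32_Service | Where-Object { $_.PathName -match '\\Users\\.*\\AppData\\' } |
    ForEach-Object { $findings += "Service '$($_.Name)' runs $($_.PathName)" }

# (6) WMI permanent event consumers (the "WMI factor" in itman's last post)
Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "WMI consumer '$($_.Name)': $($_.CommandLineTemplate)" }
if ($findings.Count) { $findings } else { 'No Task Manager hijack indicators found.' }
```

A hit in (1), (2) or (3) is worth submitting to ESET as Marcos asked; hits in (5) and (6) need a manual look, since legitimate per-user installers also run from AppData.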