New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. itachi Sempai

    itachi Sempai Registered Member

    Joined:
    Dec 30, 2017
    Posts:
    6
    Location:
    Georgia
    @novirusthanks

    hello could you tell when the public beta will be available?
     
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    ERP may have just saved me from an exploit!! I visited a website earlier, and as soon as the page loaded ERP blocked Powershell from executing. I have Powershell on my blacklist. The command line from the attempted execution is below.

    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden "& C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Client"

    My concern is that it is still attempting to execute now even after I have closed my browser down. That would indicate I'm still infected, and ERP is mitigating the damage that was done. I don't have the expertise yet to investigate this fully. It could be a false positive, but seeing that it's related to SMB (with the recent prevalence of SMB exploits), and that it attempted to execute as soon as I visited the site, makes it seem very suspicious at the least. The site I visited was a tech site. I'm going to send the URL to pbust and other exploit experts to investigate. I received no warning from MBAE, which I have set to default mitigation settings.
     
    Last edited: Jan 31, 2018
  3. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    What browser, and what OS?
    Would you mind sharing the URL in some form?
     
  4. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    I was informed by an expert tester that this is a false positive and has already been reported on the OSArmor thread. It has been replicated on Windows 10.
    So not to worry, it seems to be a Windows task.
     
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Microsoft has lost their mind launching powershell in order to launch SMBShare. If it's a false positive then it makes no sense why it did not start doing this until late this evening. It's been 2 weeks since I installed any Microsoft updates on this machine. This has never attempted to run until now.

    Edit: 2/1/18 @ 2:55
    It looks like the command line may be disabling shares for security purposes. I still think this is super suspicious behavior because this is normally what one would see with an exploit.
     
    Last edited: Feb 1, 2018
  6. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    I bet it is from a Windows Store app. They sometimes do installs/updates by powershell.
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Possibly, but I have almost everything you could possibly disable disabled that is related to Apps, and Microsoft Store.
     
  8. JoWazzoo

    JoWazzoo Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    241
    Location:
    Ether
    Pop Up for new version. o_O

    Have had installed for some time. Installed version is v 3.1.0.0 Build 1-24062015. [And at this point I am not sure where I DLed it.]

    I keep getting pop-ups that say

    'A new version v 3.0.0.0 is available for download...'

    There is a link that indicates

    'Read how to update the program >>'

    When I click it - nothing happens.

    o_O

    I have not seen this reported anywhere.

    Love this soft - like many of your apps!
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Go to File>Settings>general and make sure Box Notify of Updates is unticked. That will stop the pop ups.
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    According to this: https://www.reddit.com/r/Windows10/comments/7azvqs/i_tracked_down_a_powershell_script/, it appears to be a non-Win 10 1709 SMBv1 exploit mitigation that runs as a scheduled task. In Win 10 1709, MS removed the SMBv1 protocol. I checked that directory on my Win 10 1709 build and the script doesn't exist.

    I would imagine one, if not already done so, could remove SMBv1 protocol via Uninstall Win features. Then disable/delete the scheduled task. Also the scheduled task might not run at all if SMBv1 protocol was removed.
     
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Yeah, I found that same post a few days ago. I was going to follow up my post, but I have been too busy due to school and work. Thanks though!
     
  12. rs11

    rs11 Registered Member

    Joined:
    Jun 23, 2009
    Posts:
    52
    I use Chromium and Vivaldi, and every time I start either program NVTEXE asks to allow/deny process CMD.EXE. Is there a setting I can use so the program remembers my choice?
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I'm not sure why CMD.exe would be trying to execute when you open your browser. What is the command line from the prompt when you get prompted? Copy, and paste it in this thread. You could whitelist the command line from the drop down menu on the prompt, but I would not do that until you know if the instance of cmd.exe is safe or malicious. Sometimes infections inject into your browser to bypass firewalls.
     
  14. rs11

    rs11 Registered Member

    Joined:
    Jun 23, 2009
    Posts:
    52
    It's the Sticky Password extension:
    C:\Windows\system32\cmd.exe /d /c "C:\Program Files (x86)\Sticky Password\spNMHost.exe" chrome-extension:

    Can this be fixed, or is something fishy? Firefox does not have this issue.
     
    Last edited: Feb 16, 2018
  15. guest

    guest Guest

    There are several choices to whitelist the command-line.
    The numbers might change with each execution, so the first one shouldn't work.
    But the last and penultimate should definitely work (try one of these below):
    Code:
    C:\Windows\system32\cmd.exe /d /c "C:\Program Files (x86)\Sticky Password\spNMHost.exe" chrome-extension://bnfdmghkeppfadphbnkjcicejfepnbfe/ --parent-window=0 < \\.\pipe\chrome.nativeMessaging.in.e99071503148e286 > \\.\pipe\chrome.nativeMessaging.out.e99071503148e286
    *"C:\Program Files (x86)\Sticky Password\spNMHost.exe" chrome-extension://bnfdmghkeppfadphbnkjcicejfepnbfe/ --parent-window=0 < \\.\pipe\chrome.nativeMessaging.in.e99071503148e286 > \\.\pipe\chrome.nativeMessaging.out.e99071503148e286
    *"C:\Program Files (x86)\Sticky Password\spNMHost.exe" chrome-extension://bnfdmghkeppfadphbnkjcicejfepnbfe/ --parent-window=0 < \\.\pipe\chrome.nativeMessaging.in.*> \\.\pipe\chrome.nativeMessaging.out.*
    *"C:\Program Files (x86)\Sticky Password\spNMHost.exe" chrome-extension://bnfdmghkeppfadphbnkjcicejfepnbfe/*<*\\.\pipe\chrome.nativeMessaging.in.*>*\\.\pipe\chrome.nativeMessaging.out.*
    *"C:\Program Files (x86)\Sticky Password\spNMHost.exe"*<*\\.\pipe\chrome.nativeMessaging.in.*>*\\.\pipe\chrome.nativeMessaging.out.*
    *"C:\Program Files (x86)\Sticky Password\spNMHost.exe"*\chrome*
    
     
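To see which of the six patterns above still accept the command line once the pipe IDs change, here is a small matcher written as an added example; it is not part of the post or of ERP, and it assumes ERP treats `*` as the only wildcard and compares case-insensitively. The second command line, with new pipe IDs, is constructed for illustration.

```python
import re

# The six whitelist entries exactly as posted, in order. PATTERNS[0] is also the
# literal command line that ERP prompted for on the first run.
PATTERNS = [
    r'C:\Windows\system32\cmd.exe /d /c "C:\Program Files (x86)\Sticky Password\spNMHost.exe" chrome-extension://bnfdmghkeppfadphbnkjcicejfepnbfe/ --parent-window=0 < \\.\pipe\chrome.nativeMessaging.in.e99071503148e286 > \\.\pipe\chrome.nativeMessaging.out.e99071503148e286',
    r'*"C:\Program Files (x86)\Sticky Password\spNMHost.exe" chrome-extension://bnfdmghkeppfadphbnkjcicejfepnbfe/ --parent-window=0 < \\.\pipe\chrome.nativeMessaging.in.e99071503148e286 > \\.\pipe\chrome.nativeMessaging.out.e99071503148e286',
    r'*"C:\Program Files (x86)\Sticky Password\spNMHost.exe" chrome-extension://bnfdmghkeppfadphbnkjcicejfepnbfe/ --parent-window=0 < \\.\pipe\chrome.nativeMessaging.in.*> \\.\pipe\chrome.nativeMessaging.out.*',
    r'*"C:\Program Files (x86)\Sticky Password\spNMHost.exe" chrome-extension://bnfdmghkeppfadphbnkjcicejfepnbfe/*<*\\.\pipe\chrome.nativeMessaging.in.*>*\\.\pipe\chrome.nativeMessaging.out.*',
    r'*"C:\Program Files (x86)\Sticky Password\spNMHost.exe"*<*\\.\pipe\chrome.nativeMessaging.in.*>*\\.\pipe\chrome.nativeMessaging.out.*',
    r'*"C:\Program Files (x86)\Sticky Password\spNMHost.exe"*\chrome*',
]

FIRST_RUN = PATTERNS[0]
# Constructed: the same launch on a later browser start, with Chrome picking new
# native-messaging pipe names. Only the hex IDs differ.
SECOND_RUN = FIRST_RUN.replace("e99071503148e286", "0000aaaa1111bbbb")


def glob_to_regex(pattern):
    """Translate a '*'-only wildcard into an anchored, case-insensitive regex.
    Every other character (backslashes, quotes, '<', '>') is matched literally,
    so the user never has to escape anything in the command line."""
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile(".*".join(parts), re.IGNORECASE)


def matches(pattern, command_line):
    return glob_to_regex(pattern).fullmatch(command_line) is not None


def whitelist_hits(command_line, patterns=PATTERNS):
    """Return the 1-based numbers of the patterns that accept command_line."""
    return [i for i, p in enumerate(patterns, 1) if matches(p, command_line)]


if __name__ == "__main__":
    for label, cl in (("first run", FIRST_RUN), ("second run", SECOND_RUN)):
        print(label, "accepted by patterns", whitelist_hits(cl))
```

Pattern 6 still pins the full, quoted spNMHost.exe path, so a binary of the same name in another directory does not match it.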
  16. rs11

    rs11 Registered Member

    Joined:
    Jun 23, 2009
    Posts:
    52
    The last one worked. Awesome!!
    Thanks
     
  17. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Seems like I've seen this addressed before, but don't have the time to wade through 250 pages looking for it -- and I didn't really find it by doing a Search.

    Anyway, I've been using NVT ERP and NVT DRP for a long time now -- never had an issue. All of a sudden, I'm getting a FAILED TO RETRIEVE DRIVER HANDLE notice when it's trying to load. How do you correct that? Depending on which app loads first, the first one usually loads OK, but it's always the second one where I'm getting the Driver Handle issue.
     
  18. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,803
    Location:
    .
    No need to wade through...

    Paste into your favorite search engine:
    Code:
    FAILED TO RETRIEVE DRIVER HANDLE site:https://www.wilderssecurity.com/threads/new-antiexecutable-novirusthanks-exe-radar-pro.300552
    
     
  19. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Thanks for the link. That takes me to the thread alright, but I'm still not finding an answer to the Driver Handle issue.
     
  20. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Can someone help me figure out the log?
    I have a block event like this:
    [Date/Time: 23 02 2018 12:57:39] [Action: Blocked [Block Once]] [Bitness: 64] [Process: [3636]C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe] [MD5 Hash: FF59EF73460173ABDB10EDE1A0BC9CE6] [Publisher: Microsoft Corporation] [Parent: [1228]c:\windows\system32\svchost.exe] [Command-Line: C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden "& C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Server"]

    What I do understand is that svchost with PID 1228 spawned powershell and tried to run a script.
    What I don't understand is how to know which process spawned this instance of svchost.
    I don't find PID 1228 listed anywhere as a child.
    I see it several times as a parent, it spawned googleupdate and dropboxupdate, so I am pretty confident that it is legit. But why doesn't it appear anywhere as a child?
    Perhaps because it was spawned early in the boot sequence, before ERP started logging events?
     
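Reading the ERP log as data, as an added example that is not part of the post or of the NVT product: the first log line is the block event quoted above; the two "Allowed" lines, their PIDs, paths and placeholder hashes are constructed for illustration, and the field layout (and the word "Allowed") is assumed from that single quoted line. Walking Process to Parent upward shows exactly what the poster observed: PID 1228 is a parent several times but never a child, so the chain stops there.

```python
import re

# Constructed sample log (one event per line). Line 1 is the real block event from
# the post; lines 2 and 3 are made up so the svchost PID 1228 has other children.
SAMPLE_LOG = r"""
[Date/Time: 23 02 2018 12:57:39] [Action: Blocked [Block Once]] [Bitness: 64] [Process: [3636]C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe] [MD5 Hash: FF59EF73460173ABDB10EDE1A0BC9CE6] [Publisher: Microsoft Corporation] [Parent: [1228]c:\windows\system32\svchost.exe] [Command-Line: C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden "& C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Server"]
[Date/Time: 23 02 2018 12:40:02] [Action: Allowed] [Bitness: 32] [Process: [4000]C:\Program Files (x86)\Google\Update\GoogleUpdate.exe] [MD5 Hash: CONSTRUCTED_HASH_1] [Publisher: Google Inc] [Parent: [1228]c:\windows\system32\svchost.exe] [Command-Line: "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua]
[Date/Time: 23 02 2018 12:41:10] [Action: Allowed] [Bitness: 32] [Process: [4100]C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe] [MD5 Hash: CONSTRUCTED_HASH_2] [Publisher: Dropbox, Inc] [Parent: [1228]c:\windows\system32\svchost.exe] [Command-Line: "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /ua]
"""

KEYS = ("Date/Time", "Action", "Bitness", "Process", "MD5 Hash",
        "Publisher", "Parent", "Command-Line")
KEY_RE = re.compile(r"\[(" + "|".join(re.escape(k) for k in KEYS) + r"): ")
PID_RE = re.compile(r"^\[(\d+)\](.*)$")


def parse_event(line):
    """Split one ERP log line into a dict. Values can contain brackets themselves
    ("Blocked [Block Once]", "[3636]C:\\..."), so we locate the known field headers
    and take the text between two headers, dropping that field's closing bracket."""
    matches = list(KEY_RE.finditer(line))
    event = {}
    for m, nxt in zip(matches, matches[1:] + [None]):
        end = nxt.start() if nxt else len(line)
        value = line[m.end():end].rstrip()
        if value.endswith("]"):
            value = value[:-1]
        event[m.group(1)] = value
    for field in ("Process", "Parent"):          # "[pid]path" -> structured
        pid, path = PID_RE.match(event[field]).groups()
        event[field] = {"pid": int(pid), "path": path}
    return event


def parse_log(text):
    return [parse_event(l) for l in text.strip().splitlines() if l.strip()]


def children(events, pid):
    """Image names of every process the log shows being spawned by pid."""
    return sorted(e["Process"]["path"].rsplit("\\", 1)[-1]
                  for e in events if e["Parent"]["pid"] == pid)


def ancestry(events, pid):
    """Follow Process -> Parent links upward. Returns (chain, top_unlogged):
    top_unlogged is True when the last PID in the chain never appears as a child,
    which is what a process started before ERP began logging looks like."""
    parent_of = {e["Process"]["pid"]: e["Parent"]["pid"] for e in events}
    chain = [pid]
    while chain[-1] in parent_of and parent_of[chain[-1]] not in chain:
        chain.append(parent_of[chain[-1]])
    return chain, chain[-1] not in parent_of
```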
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    It's a scheduled task that Windows runs to remove older Legacy versions of vulnerable SMB software. If Windows detects that the user has not used the Legacy software for a specific period of time then Windows removes the software for the user.

    I got caught off guard with this myself when it attempted to run on my machine, and thought it might be an exploit since SMB is being exploited in the wild. I had visited a website I had never visited before, and it attempted to run at the exact time the webpage loaded. It made me think the website might have an exploit on it lol. It seems like they could find a better way of removing Legacy SMB software without having to use Powershell. Seeing Powershell trying to execute SMB would alarm any security-conscious person at first glance.
     
  22. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Great explanation.
    I think that SpyShelter would have told me right in the prompt who was the granddaddy of this event.
     
  23. JoWazzoo

    JoWazzoo Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    241
    Location:
    Ether
    What were you doing & apps running to make this determination? Very sleuthy indeed.
     
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I was looking for information for a Networking Protocol assignment I was doing at the time. I found 3 different web pages that said it was a script that ran to remove Legacy SMB protocols. Itman also posted about it in this thread when I first thought it might be an exploit. Here is the one page about it. It's not an IT worthy source, but it says about the same thing the other sources said. https://www.reddit.com/r/Windows10/comments/7azvqs/i_tracked_down_a_powershell_script/
     
  25. JoWazzoo

    JoWazzoo Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    241
    Location:
    Ether