
Nightowl

Most Valued Members
  • Posts: 1,857
  • Joined
  • Days Won: 17

Everything posted by Nightowl

  1. I believe they are normal versions of the EXE; the .dlls are just hijacked. The fake Firefox that came with it had an icon from older versions of Firefox; you can notice it's an old version of Firefox. VLC also looked like the real one, but the .dlls are hijacked. This is why scanners aren't picking them up: python.exe, firefox.exe, vlc.exe, because I think they are legit, just the .dlls are messed up. I believe python.exe is needed to be able to run the Python script that is hidden somewhere, since there is no Python installed on the PC. If they were edited or messed up, then I would have got an indicator that the exes aren't signed properly, tampered or edited. Edit: I didn't read properly. Yes, it could explain what you have said, and it could be that those aren't real executables and were just made by the script. I sent ESET the whole pack of the fake stuff, but I actually removed the python.exe, and I don't think I can get it back, because at that time ESET picked up its python39.dll, and I still believe somehow that the python.exe is a normal one. I believe the fake stuff, Firefox, VLC and Python, were all real, but versions that have vulnerabilities and can be changed or modified; that's why they all came packed with hijacked DLLs and weird file types that would just change after execution.
  2. This is what runs the malicious Python in Adobe in the Scheduler: And this is what runs the malicious VLC in the Scheduler:
  3. It should be received from another endpoint. No, I don't think there is a bug, because I sent examples from 2 endpoints, one without email, one with email. I will send in PM.
  4. I worked with HIPS to see who reads and writes, but once I wasn't able to stop it, remove it or archive it, I thought it was better to block the whole place. I blocked it and restarted the PC, and I removed it. I believe when you run the malicious exe that is hidden as a pif, it asks for admin? I don't know, I didn't ask. I also saved the XMLs for the Scheduler tasks. And the PC doesn't have anything that belongs to Adobe, but I believe the virus will gain admin somewhere with VLC and CMD.
  5. Hello Peter, I have attached the whole folder of the fake VLC and fake Firefox, put them in a 7z archive and password-protected them with "malware". I sent them through the ESET GUI, with my email address; I have confirmed through the Events logs that they went through, but I kept a backup in case they didn't. I was having trouble cleaning the python39.dll because it kept telling me it's running somewhere; something held it but I didn't catch it. I restarted, what held it stopped, I tried to archive it, but ESET got it; it seems that it received updates. So I didn't pack the .dll because ESET already knows it. I think what held it is Task Scheduler somewhere; I made sure it didn't come back in Task Scheduler. What I noticed: I had hands on 2 infections, one with W10 and one with W11. The only difference I saw was that in W10 it was able to make a startup entry, in W11 it didn't. I will double check to make sure. Thanks to all also, it's my pleasure.
  6. I sent 2 more remnants that aren't detected, but looked suspicious. I cleaned the system scheduler; it had VLC and Python commands to run at startup and at 7PM. The remnants are here: https://www.virustotal.com/gui/file/e9262441ef8e401acce28d13100c63e90e3de2ffb0ec6763611eebdc1aa60dbd/detection/f-e9262441ef8e401acce28d13100c63e90e3de2ffb0ec6763611eebdc1aa60dbd-1679390226 https://www.virustotal.com/gui/file/e7754d8e4c33b35b85d85554488069fe731190201fa9e42d1b53f38c843025a3/detection/f-e7754d8e4c33b35b85d85554488069fe731190201fa9e42d1b53f38c843025a3-1679390159 Unsigned files for Python and VLC; they looked suspicious to scanners. This is also a remnant that is not detected, but I wasn't able to send it, I deleted it by mistake: https://www.virustotal.com/gui/file/65327e1555994dacee595d5da9c9b98967d1ea91ccb20e8ae4195cd0372e05a0
     ssl3.dll
     Size . . . . . . . : 132,712 bytes
     Age . . . . . . . : 4.9 days (2023-03-17 12:42:24)
     Entropy . . . . . : 6.1
     SHA-256 . . . . . : 65327E1555994DACEE595D5DA9C9B98967D1EA91CCB20E8AE4195CD0372E05A0
     Product . . . . . : Network Security Services
     Publisher . . . . : Mozilla Foundation
     Description . . . : NSS SSL Library
     Version . . . . . : 3.11.5
     RSA Key Size . . . : 2048
     LanguageID . . . . : 1033
     Authenticode . . . : Invalid
     > SurfRight . . . . : Mal/Generic-S
     Fuzzy . . . . . . : 122.0
     Scheduler: I made a restart now; I will check if it comes back. I believe the Scheduler is what revived it and ESET kept removing it as Spy.Agent in Advanced Memory Scanner. I sent the 2 examples to ESET the same way I did for the first post: Right click > ESET > Submit for Analysis.
  7. Thank you Marcos, ITMAN. It isn't my business account; I just worked to clean the PC because I was asked to, and ESET was there, to my luck. I will inform you if I am asked about LiveGuard.
  8. I didn't notice that, I sent it manually. The product on the PC is ESET Endpoint Security. I think Endpoint Security doesn't have LiveGuard yet; it's only available on Smart Security. And the file came through Skype to the affected machine.
  9. Yeah, I noticed that now when I got into the any.run link.
  10. Yes, it's targeting financial areas; it will come as a financial file for you. It isn't me, I worked to clean the person's PC. The shortcut isn't detected, so it's newly made also. The shortcut is what got uploaded to VirusTotal, but VirusTotal takes you to truecrypt.exe; I believe the 1.5 shortcut is something hidden, it will just become something else. You can see it here also: https://any.run/report/b1afbce51ad052f936b989214964d56e2290a7fb5548763273c1fc4382cd5c1c/f26fd95b-3cc1-4578-abf1-17289380ebe5
  11. https://www.virustotal.com/gui/file/b1afbce51ad052f936b989214964d56e2290a7fb5548763273c1fc4382cd5c1c This is not being detected by ESET, but ESET is picking it up through Advanced Memory Scanner after it has been run, because it came through Skype as a 1.5MB shortcut pif. I kept a copy of it inside a password-protected archive. I also sent the shortcut for analysis through right click and Submit for Analysis.
     a variant of Win32/Spy.Agent.QGW trojan C7552D69B8A7257A489BCDC31BAD099F5C2D67EA
     a variant of Win32/Rescoms.B trojan D00E62B42CEE99EFF56C604CF7190E2F68B3F86E
     Those are files that the dropper drops, but the ESET memory scanner and startup scanner pick up .dlls from Appdata\local\temp\threat.dll
  12. https://support-valorant.riotgames.com/hc/en-us/articles/4406555340179-How-to-Enable-Exploit-Protection-and-Prevent-Error-Code-VAN9002
  13. Firewalling the RDP port to specific IP addresses, password-protecting ESET, and account auto-lock on failed RDP logins will limit the attack surface for RDP attacks.
  14. If someone can log into RDP and disable ESET, then ESET is not capable of defending anything. Still, it is not recommended to be using Windows 7 at all, since if ESET misses the threat, which can happen with any AV available on the market, then there is no way of defending against that malware, since Microsoft doesn't fix anything in 7 and 8 anymore. You are better off with 10 and 11, or even Linux if you are against using those two systems, but not 7 and 8.
  15. Both sites are official, I bet. See, here you get the blue skin: http://www.videolan.org/index.en_GB.html And here you will get the orange skin: http://www.videolan.org/vlc/#download
  16. I am not sure about it since I don't work for ESET, but I believe ESET Protect will see the computer as idle once the screensaver kicks in. Just from my thoughts, I could be totally wrong. Try to set that policy for one computer, leave that computer alone and see when it kicked in, and at the same time check the screensaver setting for that computer. And also, if you have Domain Controllers, you can use Group Policy to modify when the PC will be idle/locked.
  17. I think the help page in your second screenshot has more accurate information. https://help.eset.com/essl/91/en-US/?system_requirements.html
  18. If someone said something earlier than you, we say your life is longer than mine, so it's that way, Marcos. I actually wanted to say the same: are the endpoint users knowledgeable enough to decide if it's really a threat or a false positive? It is not recommended to do so, because it is on purpose that they are not working in the I.T. department, so they shouldn't have this decision.
  19. Try to install ESET Smart Security or ESET Internet Security.
     - Run it as a trial for 30 days; after that you will have to buy a license to continue using it.
     - Run a deep scan of your system.
     - Update your router to the latest firmware available from the manufacturer.
     - Reset your router admin password, reset your WiFi password.
     If your router is no longer maintained and updated by the manufacturer, I highly recommend getting one that is supported; your Internet Service Provider can provide you one if you don't want to bother getting one from a shop.
  20. Just a suggestion: since you blocked the Polish-language Facebook, it might just redirect to some other domain or to the English-language one. Try blocking *.facebook.com
  21. Indeed I was wrong; I double checked and they do stop. I remember seeing them for a while even when I had ESET installed.
  22. You cannot stop Defender from updating; those updates will be received along with Windows Update files, and from the Windows Update Service. I believe it keeps updating because it can be used as a secondary scanner alongside ESET, not real-time, but as an on-demand scanner. I don't think it does any harm; let it update, and you can even schedule it to run at a different time, or once every so often, to scan and give you a second opinion alongside ESET.
  23. It's weird; I thought it might be a crack that is trying to communicate with a weird website like this one here. Assuming you have scanned your computer and no threat is detected, and assuming that this domain wasn't suddenly bought by Microsoft, I believe there is something wrong if 365 is trying to communicate there. Doing a whois search for Microsoft.com will show you that the domain is registered to Microsoft. Doing a whois for the domain 365e.live shows it's privacy-hidden, registered through a different registrar, and doesn't belong to Microsoft.
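The Task Scheduler persistence discussed in posts 2, 4 and 6 above (a VLC and a Python command set to run at startup and at 7PM, with the task XMLs saved for later) can be triaged from the exported task XML rather than by eye. The script below is an added example, not code from this thread, from Nightowl or from ESET; the two sample tasks it parses are constructed for the example, and their task names, paths and times are assumptions, not indicators taken from the thread. It flags executables launched from user-writable directories, interpreters or players living outside Program Files, script-like arguments, hidden tasks and elevated run levels, the combination that the thread's fake python.exe / vlc.exe tasks would exhibit.

```python
"""Triage exported Windows Task Scheduler XML for suspicious persistence.

Added example, not part of the original thread. Feed it the XML produced by
`schtasks /Query /TN "<task>" /XML` or by Task Scheduler's Export (real
exports are UTF-16 with a BOM; ET.parse() on the file handles that). The two
sample tasks below are constructed for this example; their paths, names and
times are assumptions, not indicators taken from the thread.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a standard user can write to. A "python.exe" or "vlc.exe" launched
# from here instead of Program Files is the pattern the thread ran into.
USER_WRITABLE = re.compile(
    r"\\AppData\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\|%TEMP%|%APPDATA%|%LOCALAPPDATA%",
    re.IGNORECASE,
)
# Interpreters/players that are harmless in their install directory but are
# convenient loaders when copied next to hijacked DLLs.
RELOCATABLE_BIN = re.compile(
    r"(python\w*|vlc|cmd|powershell|wscript|cscript|rundll32|regsvr32)\.exe$",
    re.IGNORECASE,
)
SCRIPT_ARG = re.compile(r"\.(py|pyw|pif|lnk|vbs|js|dll)\b", re.IGNORECASE)


def parse_task(xml_text):
    """Return the fields that matter for triage: triggers, exec actions, run level, hidden flag."""
    root = ET.fromstring(xml_text)
    triggers = []
    for trig in root.iterfind("t:Triggers/*", NS):
        kind = trig.tag.split("}", 1)[1]  # strip the XML namespace
        start = trig.findtext("t:StartBoundary", default="", namespaces=NS)
        triggers.append((kind, start))
    actions = [
        (ex.findtext("t:Command", default="", namespaces=NS),
         ex.findtext("t:Arguments", default="", namespaces=NS))
        for ex in root.iterfind("t:Actions/t:Exec", NS)
    ]
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel",
                              default="LeastPrivilege", namespaces=NS)
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS)
    return {"triggers": triggers, "actions": actions,
            "run_level": run_level, "hidden": hidden.lower() == "true"}


def assess(task):
    """List the reasons a task deserves a second look; an empty list means nothing odd."""
    reasons = []
    for cmd, args in task["actions"]:
        if USER_WRITABLE.search(cmd):
            reasons.append(f"executable in user-writable path: {cmd}")
        if RELOCATABLE_BIN.search(cmd) and not re.search(r"\\Program Files", cmd, re.IGNORECASE):
            reasons.append(f"interpreter/player outside Program Files: {cmd}")
        if SCRIPT_ARG.search(args):
            reasons.append(f"script or shortcut passed as argument: {args}")
    if task["hidden"]:
        reasons.append("task is hidden from the Task Scheduler UI")
    if task["run_level"] == "HighestAvailable":
        reasons.append("runs with highest available privileges")
    # Logon/boot triggers are common on legitimate tasks, so only count them
    # once something else already looks wrong.
    if reasons and any(k in ("LogonTrigger", "BootTrigger") for k, _ in task["triggers"]):
        reasons.append("also fires at logon/boot")
    return reasons


# Constructed sample: roughly what an export of a task like the thread's
# "Adobe" python.exe task could look like (hypothetical path and time).
SUSPICIOUS_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <CalendarTrigger>
      <StartBoundary>2023-03-17T19:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\user\AppData\Roaming\Adobe\python.exe</Command>
      <Arguments>-u update.py</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: a benign task running the real VLC from its install path.
BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2023-01-01T03:00:00</StartBoundary>
      <ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek>
    </CalendarTrigger>
  </Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\VideoLAN\VLC\vlc.exe</Command>
      <Arguments>--version</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        task = parse_task(xml_text)
        print(label, task["triggers"], task["actions"])
        for reason in assess(task) or ["no findings"]:
            print("  -", reason)
```

On a live machine you would run `parse_task` over every file under `C:\Windows\System32\Tasks` (each task is stored there as XML) and act only on tasks that return at least one reason; the point of the "only count logon/boot if something else is off" rule is to keep legitimate updater tasks from drowning the one that launches a python.exe out of AppData at 7PM.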