
moeetee

Members
  • Posts: 56

Posts posted by moeetee

  1. 17 minutes ago, itman said:

    Proceed with creation of the Eset HIPS rule I posted. Once that is created; BTW verify that the rule was indeed created properly by re-opening Eset HIPS rules and verifying the rule exists, reboot and see if Eset detects whatever is running cmd.exe on your device.

    Got it.

     

    How's this?

    https://screencast-o-matic.com/watch/crivouViNDE

  2. 1 hour ago, itman said:

    First, note that only Eset moderators can view forum attachments.

    How do you start Chrome? Via desktop toolbar shortcut icon or from desktop shortcut icon? In either case, it appears something has hijacked normal Chrome startup and instead appears to be running a .bat script. 

    To start diagnosis, type "Chrome" less the quote marks into the Win 10 desktop toolbar Search box. Then select Open from the Chrome app display window. Do you see cmd.exe and multiple Chrome instances running as you described above?

    Chrome is clicked through a desktop icon. I typed it in and clicked on Chrome and still see it.

  3. Hey guys,

    I need help. My computer has been SUPER laggy, to a point of where my mouse lags and when I type and the computer is becoming unusable. 

    I took a look at my Task Manager and I see cmd.exe, conhost.exe and (27) chrome.exe files start running as soon as I run Chrome. But, when I close all Chrome.exe files, the computer is still super laggy. 

    Here is an iCloud video I took of my Task Manager showing the excessive power usage.

    https://share.icloud.com/photos/0eTUFKpQcbgh3Y0t9SyYn5dfg 

    I did a few scans from different applications.

    - ESET Regular Scan: Nothing.

    - ESET Online Scanner: Nothing.

    - Malwarebytes: Nothing.

    - Malwarebytes AdwCleaner: Nothing.

    - Junkware Removal Tool (JRT) by Malwarebytes: A few things found, I attached the log file.

    - RogueKiller Anti-Malware V15.0.8.0: A few things found, I attached the log file.

    - Rkill 2.9.1: Nothing found.

    - TDSSKiller: Nothing found.

    - Norton Power Eraser: Nothing found.

    - Combo Cleaner: A few things found; after I deleted them, the problem still continues.

    I don't know what's going on, but several days ago my website was infected (it would be redirected elsewhere), and whenever users visited the website it redirected to a random site. I'm not too sure if that has any connection.

    Every time I terminate the additional chrome.exe processes and cmd.exe and conhost.exe, Chrome itself crashes along with the installed extensions.

    I also made a 1 min video showcasing it: https://screencast-o-matic.com/watch/criUVXViKLY

    I also attached both files from Farbar Recovery Scan Tool.

    Attachments: Combo Cleaner Results.PNG, Addition.txt, FRST.txt, JRT_.txt, RogueKiller Results.txt
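The triage itman asks for in his replies (what is launching cmd.exe, and whether the Chrome shortcut has been hijacked) can be done from a PowerShell prompt. The script below is an added example, not something posted in the thread and not an ESET or Google tool; the shortcut directories and the patterns it uses to flag an entry as suspicious are this example's own assumptions.

```powershell
# Added example, not from the thread: triage what is actually launching cmd.exe alongside
# Chrome. Run in an elevated PowerShell prompt on the affected Windows 10 machine.
# Paths and the regexes used to flag entries as suspicious are this example's assumptions.

# 1. Inspect every Chrome shortcut a user would click (desktop, Start menu, pinned taskbar).
#    A hijacked shortcut typically points at a .bat/.cmd/.vbs wrapper or appends extra
#    arguments (for example a URL) after the real chrome.exe path.
function Get-ChromeShortcuts {
    $shell = New-Object -ComObject WScript.Shell
    $dirs = @(
        "$env:USERPROFILE\Desktop",
        "$env:PUBLIC\Desktop",
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
        "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
    ) | Where-Object { Test-Path $_ }
    Get-ChildItem -Path $dirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match 'chrome' } |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            [pscustomobject]@{
                Shortcut   = $_.FullName
                Target     = $lnk.TargetPath
                Arguments  = $lnk.Arguments
                Suspicious = ($lnk.TargetPath -notmatch '\\chrome\.exe$') -or
                             ($lnk.Arguments -match '\.(bat|cmd|vbs|js|ps1)\b|https?://')
            }
        }
}

# 2. For each cmd.exe / conhost.exe, resolve the parent process and both command lines.
#    conhost.exe is normally a child of the console app (here cmd.exe); the interesting
#    question is who the parent of cmd.exe is: chrome.exe, explorer.exe, a scheduled task...
function Get-ConsoleProcessTree {
    $procs = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
    $procs | Where-Object { $_.Name -in @('cmd.exe', 'conhost.exe') } | ForEach-Object {
        $parent = $byPid[[int]$_.ParentProcessId]
        [pscustomobject]@{
            PID               = $_.ProcessId
            Name              = $_.Name
            CommandLine       = $_.CommandLine
            ParentPID         = $_.ParentProcessId
            Parent            = if ($parent) { $parent.Name } else { '<exited>' }
            ParentCommandLine = if ($parent) { $parent.CommandLine } else { $null }
        }
    }
}

# 3. Many chrome.exe processes are normal (one per tab, extension and GPU helper); what
#    matters is whether they all run from the same, legitimate install path.
function Get-ChromeInstances {
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'chrome.exe'" |
        Group-Object -Property ExecutablePath |
        Select-Object Count, @{ n = 'ExecutablePath'; e = { $_.Name } }
}

Get-ChromeShortcuts    | Format-List
Get-ConsoleProcessTree | Format-List
Get-ChromeInstances    | Format-Table -AutoSize
```

Read the output with the parent in mind: if cmd.exe's parent is explorer.exe and the shortcut arguments name a .bat file, the shortcut itself is the likely hijack; if the parent is chrome.exe, the next places to look are the installed extensions and any enterprise policies Chrome is loading. A high chrome.exe count on its own is not evidence of anything.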

  4. Just now, itman said:

    As your screen shot shows, this was an auto-renewal.

    As @Marcos previously replied, the license was cancelled over payment issues. Perhaps the credit card you originally used to purchase Eset and was stored on file is no longer valid? You need to contact Eset N.A.: https://www.eset.com/us/about/contact/ , to straighten out the payment issue.

    Can I do it online, by chat or through my online account, or must it be through telephone?

  5. 2 minutes ago, itman said:

    First, check in your UEFI/BIOS settings as to what version is currently installed. Asus might have some auto update utility for this running on your system but doubt that is the case.

    That is the latest UEFI/BIOS available for your motherboard. Applying that will include all currently available UEFI/BIOS updates from ASUS.

    The specific update I was referring to is shown later in that same section:

    [Screenshot attachment: Asus_Update.png]

    Again if you don't know what you are doing here, get some professional help.

    How do I check my version in the settings? No one is actually willing to help because of the COVID-19 situation right now, plus a lot of the people around me will find a way to upcharge me.

     

    So since you know about this and it seems like a widespread issue, my having this detection was not directly from my paranoia about the remote session I had, especially since files cannot be installed with my permission, but rather this is a worldwide problem? What will this update do for me, and should I now have to spend the time to back up everything right now before I do it?
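The installed UEFI/BIOS version can be read from Windows without rebooting into Setup, which answers the "how do I check my version" question above. This is an added example, not code from the thread, ASUS or ESET; it reads the SMBIOS data Windows exposes and the Secure Boot state, and the version number it prints is the one to compare against the ASUS download page.

```powershell
# Added example, not from the thread or from ASUS/ESET: read the installed UEFI/BIOS
# version from Windows so it can be compared with the version on the ASUS download page.
# Run from an elevated prompt; Confirm-SecureBootUEFI needs admin rights and throws on
# legacy-BIOS systems, which the try/catch turns into a readable value.
function Get-FirmwareSummary {
    $bios  = Get-CimInstance -ClassName Win32_BIOS
    $board = Get-CimInstance -ClassName Win32_BaseBoard
    $secureBoot = try { Confirm-SecureBootUEFI } catch { 'unknown (legacy BIOS or not elevated)' }
    [pscustomobject]@{
        BiosVendor        = $bios.Manufacturer
        BoardManufacturer = $board.Manufacturer
        BoardProduct      = $board.Product          # model string to look up on the vendor site
        BiosVersion       = $bios.SMBIOSBIOSVersion # same number UEFI Setup shows on its main page
        BiosReleaseDate   = $bios.ReleaseDate       # compare against the date of the latest download
        FirmwareType      = $env:firmware_type      # 'UEFI' or 'Legacy', set by Windows at boot
        SecureBoot        = $secureBoot
    }
}

Get-FirmwareSummary | Format-List
```

BiosVersion is what to match against the BIOS list on the ASUS support page linked earlier in the thread. Before flashing, back up your data: a firmware update resets UEFI settings to defaults, and a failed flash can leave the board unbootable, so use the update method the vendor documents rather than a third-party tool.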

  6. 7 minutes ago, itman said:

    Looks like this previous Asus ME noted vulnerability is much more serious than I originally thought:

    If you never updated your motherboard UEFI/BIOS against this, I most definitely would do so ASAP. Appears this is a UEFI/BIOS update and if any rootkits do exist there, this update will eliminate them. The update is hard to find. Go to Asus web site here: https://www.asus.com/us/Motherboards/ROG-STRIX-B250I-GAMING/HelpDesk_Download/ . Select "Driver& Tools" and then your OS version. Scroll down to the BIOS section and select "All Downloads." Or alternatively, just update your UEFI/BIOS to the latest version available.

    Note: I take no personal responsibility in regards to the impact that any ASUS provided software/firmware might have on your current device.

    I don't think I have.

    Is this what you mean?

    [Screenshot attachment]

  7. 1 minute ago, itman said:

    There was a fairly recent Asus vulnerability noted here: https://pokde.net/system/security/asus-releases-update-to-patch-asus-live-update-vunerability-also-created-a-new-diagnostic-tool-to-check-if-you-are-affected/ . Of note was that initially, and at the time of discovery, only 600 devices were targeted.

    You might want to run Asus's diagnostic tool to see if it finds anything:

     

    I just did and I got this. I have this motherboard in a desktop PC, and the remaining parts of this desktop PC are custom built; it's not a notebook.

    [Screenshot attachment]

  8. 1 minute ago, itman said:

    Thinking more about the Asus MEUpdateTool update to patch the ME Intel vulnerability, I suspect that was to patch Intel Spectre/Meltdown CPU vulnerabilities. In any case if not so done previously, this UEFI/BIOS update should be applied.

    At this point I would say that the Eset Advanced Scan Computrace detection is a false positive and ignore it. I state this for the following reason. Eset at startup time by default scans the UEFI/BIOS. As I recollect, every forum posting about CompuTrace Lojax detection shortly after Eset introduced the protection was occurring at boot time. Since you have not been receiving any alerts from Eset at startup time about CompuTrace Lojax, I would say at this time you are not infected with it.

    So you think it was a coincidence that I may have been paranoid from the remote session I had with someone and then did the custom scan the same day?

  9. 2 hours ago, itman said:

    @Marcos  to begin, this device is a gaming desktop. I went through the BIOS setup info here: https://dlcdnets.asus.com/pub/ASUS/mb/LGA1151/STRIX_B250I_GAMING/E12478_STRIX_B250I_GAMING_UM_WEB.pdf and there is no reference to CompuTrace. This makes sense since it is only installed on laptops/notebooks for theft protection.

    This leads to the following conclusions. Eset's CompuTrace UEFI detection is a false positive. Or, Eset is detecting the presence of the Lojax rootkit in the UEFI regardless of how it was placed there.

    Of note is this device's UEFI/BIOS did have a vulnerability advisor from Asus:

    https://www.asus.com/us/Motherboards/ROG-STRIX-B250I-GAMING/HelpDesk_Download/

    I had someone do a FixMe.IT session, and I didn't know it would automatically give the person full mouse control, or how easy it was for them to install things on my computer without any large visual consent request or popup. I mean, after I installed that software and tried to remote into my laptop to see how it worked, I wasn't able to install programs on the computer on the other side of the session without a popup consent, but I was able to literally install a FixMe.It Client Session.exe by simply clicking the install button on my end as the "technician". But I'm not too sure if this can be derived from that, or whether this Lojax was just so happy to be in my computer? And I did the scan and it picked up on it?

  10. 15 minutes ago, Marcos said:

    1, CompuTrace is classified as a potentially unsafe application. This detection is disabled by default so it's likely that you have enabled it just recently.

    2, UEFI is not scanned during each automatic startup scan. However, it can be scanned on demand if selected among the targets. Maybe you didn't have it selected before.

    It was the maker of your motherboard and they added it as an optional Anti-Theft feature that you can pay for.

    When you say 1. "...[t]his detection is disabled by default so it's likely that you have enabled it just recently." What do you mean, I would have enabled it recently? I haven't disabled or re-enabled my protection setups. I just did a custom scan because someone had me do a FixMe.IT session and I didn't know it would automatically give full mouse control to the other person on the other side, so I got scared and did the scan the same day.

    2. UEFI is not scanned during each automatic startup scan. However, it can be scanned on demand if selected among the targets. Maybe you didn't have it selected before. 

    - Can you show me what you mean by on-demand if selected? Would you please show me how to check whether it was or wasn't selected?

     

    Thank you for your responses.

  11. 1 hour ago, itman said:

    I don't see that listed on the Absolute web site, so it wouldn't have been something installed by default. So let's get into the detail on this.

    CompuTrace is an anti-theft feature built into the UEFI/BIOS by the computer manufacturer. Think of it as a hardware equivalent to Eset's Anti-Theft protection. The Absolute software is an optional feature also many times installed by the PC manufacture that serves two purposes. The first is to auto re-enable the CompuTrace feature if the thief tried to disable it. The second purpose is to be able to location track where the stolen device is.

    The problem is this. The Absolute software was mysteriously showing up on devices where CompuTrace was installed. And the versions of the Absolute software installed were malicious. You can read all about this here: https://securelist.com/absolute-computrace-revisited/58278/  . The malicious versions allowed the hacker to install a UEFI based rootkit; i.e. Lojax,  which is what Eset is detecting.

    The problem is this in a nutshell. Once the Absolute software gets installed, the only concern that can remove/deactivate it is Absolute. This is by design. And they can only do so for their legit versions of the software.

    Your best solution here is to contact ASUSTek and see if they have a UEFI/BIOS firmware upgrade for your PC/Laptop that does not include CompuTrace.

    Why did ESET out of the blue detect this now? I did a custom scan and not a regular scan?

    When you said the malicious versions allowed the "hacker" - what hacker? Who installed this Absolute software or someone who did recently on my computer?

    If you meant a hacker with regards to the manufacturer, then what is harmful or could potentially be harmful?

  12. 2 hours ago, itman said:

    https://security.stackexchange.com/questions/53698/detecting-and-removing-absolute-persistence-technology

    It might be possible to remove Computrace by accessing your UEFI settings at boot time and disabling it from there: https://forum.eset.com/topic/16830-detection-of-computrace-variants-in-uefi-and-pre-loaded-software/?do=findComment&comment=84392 . Note this only applies to the non-malware based versions of it. Also this option appears to only work for select OEM manufacturers.

    https://support.eset.com/en/kb6567-you-receive-an-eset-uefi-detection

    Possibly. Is this a fresh install of Eset on the device? If so, assume Computrace is OEM manufacturer related.

    If this detection occurred on a device where Eset had been installed for some time, assume it's malware related. One possibility is a manufacturer-initiated UEFI/BIOS upgrade where the firmware update was compromised.

    No, this device already had Eset. Where did this come from and what can it do? Better yet, why wasn't ESET able to detect/prevent it?

  13. 6 minutes ago, Marcos said:

    \\Uefi Partition » UEFI » uefi:\\Volume 5\Application {057AD6B7-3525-40C8-9D21-552642894E3A} - a variant of EFI/CompuTrace.A potentially unsafe application - unable to clean

    UEFI detections cannot be cleaned. You can try installing the latest version of the UEFI firmware and if it doesn't help, exclude the PUA from detection. For more information please read https://support.eset.com/en/kb6567-you-receive-an-eset-uefi-detection

    What is a CompuTrace though? Why can't it be cleaned? Is it a virus?
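The detection quoted above is in the UEFI volume, which, as Marcos says, ESET cannot clean. What can be checked from Windows is whether the Absolute/Computrace agent that the firmware module installs (described in itman's reply further up and in the Securelist article he links) is actually present and running. The script below is an added example, not from the thread and not an ESET or Absolute tool; the service and file names rpcnetp/rpcnet are the ones documented in that Securelist article, and the System32 location is an assumption taken from it.

```powershell
# Added example, not from the thread or from ESET/Absolute: check whether the Windows-side
# Absolute/Computrace agent is present and active. The UEFI detection itself cannot be
# cleaned; this only tells you whether the agent the firmware module would install exists.
# Service/file names (rpcnetp, rpcnet) are those documented in the Securelist article
# linked earlier in the thread; the System32 location is assumed from the same source.
function Get-ComputraceArtifacts {
    $names = @('rpcnetp', 'rpcnet')

    # Services registered under the agent names, or whose binary path mentions them.
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { ($names -contains $_.Name) -or ($_.PathName -match 'rpcnetp?\.exe') } |
        Select-Object Name, State, StartMode, PathName

    # Agent executables in System32, with their Authenticode status.
    $files = foreach ($n in $names) {
        $path = Join-Path $env:SystemRoot "System32\$n.exe"
        if (Test-Path $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{
                Path          = $path
                SizeBytes     = (Get-Item $path).Length
                LastWriteTime = (Get-Item $path).LastWriteTime
                Signature     = $sig.Status
                Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
    }

    # Running instances, if any.
    $processes = Get-Process -Name $names -ErrorAction SilentlyContinue |
        Select-Object Id, ProcessName, Path

    [pscustomobject]@{
        Services    = @($services)
        Files       = @($files)
        Processes   = @($processes)
        AgentActive = (@($services).Count -gt 0) -or (@($processes).Count -gt 0)
    }
}

$result = Get-ComputraceArtifacts
$result | Format-List
if (-not $result.AgentActive) {
    "No Computrace agent found in Windows; only the UEFI module remains, which per the ESET KB can only be addressed by a firmware update or an exclusion."
}
```

If the agent is present, the signer on the binaries is the detail to record before deciding anything: an unsigned or oddly signed agent is the case the Securelist article is about, while a signed Absolute binary on a board whose manual never mentions Computrace is still worth a question to ASUS. Either way the UEFI entry stays until the firmware is updated, which is the only remedy the KB offers short of excluding the PUA.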

  14. Just now, peteyt said:

    I believe some products may flag keygens up because they are illegal rather than dangerous although I'm not 100 percent sure on that one. However the problem with using keygens and cracks apart from the legality side is you never know what you are getting - there is always a risk.

    Definitely understood. Other than scanning via ESET, what can I do to ensure that there is nothing other than the intent of the .exe? Do you suggest any other deep scanning to make sure there was no backdooring?

    I downloaded the above-mentioned file with a program to get it cracked. Malwarebytes picked this up when I opened the file, and deleted it. Why didn't ESET pick it up?

     

    I disabled the Malwarebytes to get the keys from the keygen and then re-enabled MWB and it detected it and deleted it.

     

    Including my first question and doing a full scan with ESET and find nothing, what can I do to ensure there was no backdoor of this keygen that is undetectable?
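Beyond re-scanning, the practical check after running an untrusted keygen is to record what the file was (hash, signature, mark-of-the-web) and to look for persistence that appeared after it ran: autostart registry entries, scheduled tasks and services with new binaries. The script below is an added example, not from the thread and not an ESET or Malwarebytes tool; the Run/RunOnce keys are the standard autostart locations chosen for this example, and the date is a placeholder to replace with the day the keygen was run.

```powershell
# Added example, not from the thread: checks to run after executing an untrusted keygen,
# beyond a signature scan. $Since should be the time the keygen was run (entered by hand);
# the registry paths below are the standard autostart keys and are this example's choice.
function Get-FileTriage {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path            = $Path
        SHA256          = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        SignatureStatus = $sig.Status               # NotSigned is typical for keygens
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        MarkOfTheWeb    = try { (Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction Stop) -join ' ' } catch { $null }
    }
}

function Get-RecentPersistence {
    param([datetime]$Since)
    # Run/RunOnce keys carry no timestamp, so every entry is listed for manual review.
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $run = foreach ($k in $runKeys) {
        if (Test-Path $k) {
            (Get-ItemProperty -Path $k).PSObject.Properties |
                Where-Object { $_.Name -notmatch '^PS' } |
                ForEach-Object { [pscustomobject]@{ Type = 'RunKey'; Where = $k; Name = $_.Name; Value = $_.Value } }
        }
    }
    # Scheduled tasks registered on or after $Since (Date comes from the task's RegistrationInfo).
    $tasks = Get-ScheduledTask | Where-Object { $_.Date -and ([datetime]$_.Date) -ge $Since } |
        ForEach-Object {
            $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
            [pscustomobject]@{ Type = 'Task'; Where = $_.TaskPath; Name = $_.TaskName; Value = $actions }
        }
    # Services whose binary was written on or after $Since.
    $services = Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        # Strip quotes and arguments from PathName; unquoted paths containing spaces are not handled.
        $exe = $_.PathName -replace '^"([^"]+)".*$', '$1' -replace '^(\S+\.exe).*$', '$1'
        if ($exe -and (Test-Path -LiteralPath $exe) -and ((Get-Item -LiteralPath $exe).LastWriteTime -ge $Since)) {
            [pscustomobject]@{ Type = 'Service'; Where = $_.Name; Name = $_.DisplayName; Value = $_.PathName }
        }
    }
    @($run) + @($tasks) + @($services)
}

# Usage: point $Since at the day the keygen was run. Call Get-FileTriage on the keygen only
# if you restore it from Malwarebytes quarantine into an isolated folder.
$since = Get-Date '2020-04-01'   # placeholder date, replace with the real one
Get-RecentPersistence -Since $since | Format-Table -AutoSize
```

An empty result is not proof of a clean system (a backdoor can persist in places this does not cover, such as WMI subscriptions or browser extensions), but anything it does list with a path under the user's Temp or AppData folders, or a task whose action runs a script interpreter, is worth investigating before trusting the machine again.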

  16. 3 hours ago, itman said:

    A few other e-mail security comments.

    Clicking on any client e-mail link is "risky business." For maximum security, one should always copy the link to a browser and open it there.

    For anti-phishing testing, I use this web site, which I consider the best source of phishing domains on the web: https://phishbank.org/#/ . My experience is that whatever Eset doesn't detect there (and by the way it scores quite well), the uBlock extension for Firefox and Chrome using its standard protection lists will detect.

    I mean, I don't think it's phishing, because I can recognize that some of the emails are fraudulent. It's more that I'm scared of opening an email, just by simply opening it; I'm afraid of getting tracked geographically (I use an email tracker too) or just getting infected by opening the email.

    Also, for uBlock - I have a ad blocker but I use the actual program Outlook.
