opti1

Members, 38 posts
Posts posted by opti1

  1. (I've searched the forum but haven't found an answer to my question . . .)

    I seem to remember that earlier this year ESET NOD32 put up messages to the screen warning that updates to v16 for Windows 7 would end sometime in 2024 (please correct me if I am 'mis-remembering' 🙂).

    I tucked the information away but now I cannot find it.

    Can someone please clarify what is the plan going forward for Windows 7 updates?

    I.e., will virus signature and module updates stop, will ESET NOD32 itself stop working, and if so after what date?

    Thanks!

  2. @itman

    Thanks for replying.

    It seems others who have tried to access or get information about that domain had the same experience after this particular domain was outed as a source of the malware. Presumably the owners killed it and moved to another domain.

    But there was a period of time when VirusTotal was able to find it and scan it with several dozen different anti-virus/anti-malware software packages, the vast majority of which treated it as 'Clean'.

    That's kind of scary . . .

  3. What is ESET's position on this which appears to be the source of a "fake ‘Windows Defender’ scare":

    "Along with a great deal of other information, VirusTotal maintains a separate detection webpage listing the vendors that do and do not perceive a threat in the Dothrakiz domain name shown in Figure 1."


    Do the latest signatures for ESET products still treat this domain as clean, or not perceive it as a threat?

    Thanks!

  4. Hello,

    I am running ESET NOD32 version 13.1.21.0.

    ESET just pushed a big pop-up that asked me to install the latest update.

    I checked this forum to confirm there is an update but I don't see anything.

    Is there a new update to NOD32?

    Thanks!

  5. 39 minutes ago, itman said:

    There is another possibility here and it's an ugly one.

    Eset's detection was memory based. That is, it detected a code signature for Win32/Kryptik.KGY in the memory space used by the Adobe FlashPlayer installer that had loaded and is currently executing. It is possible that there is some other resident malware present that performed the code injection.

    However, there are a couple of problems with this. The first is that installers run with System privileges, the highest available. The malware therefore would require like privileges to perform the code injection. Whereas it's not impossible for malware to acquire System privileges, it is a rare occurrence. Next, if malware is performing memory code injection, it is doubtful it would be doing so for just a single process, especially for one that was just downloaded.

    Therefore, anyone affected by this should submit the FlashPlayer download to Eset under the False Positive category. Include a link to this forum thread in your submission.

    Ugh.

    Unfortunately I no longer have the Flash Player download I ran that caused trouble on the laptop. I asked ESET to delete it.

    I still have the one I downloaded to the desktop, and also the one from last month, but I don't know that they would help since both ran without issues.

    By the way, it seems that I have the current updated version of the Flash Player on the laptop so it appears that the update installer completed its task.

    Thanks again for all of your input into my trying to understand this incident.

  6. 34 minutes ago, itman said:

    Obviously it is impossible to determine what actually happened.

    Review your Eset Detections log for entries related to this incident. It might actually show what file/s were deleted.

    Barring further Eset like malware detection or abnormal PC behavior, I would say this detected threat has been removed.

    My ESET Detections log, shown below, has only four entries, all associated with this incident.

    I assume that is one entry for each of the four times I clicked on the Delete button (instead of the 'Allow to proceed' button) because the window was slow to close.

    I cannot find anywhere that specifically shows which files were deleted, only that Delete was the action taken.

    Thanks again for all of your input into my trying to understand this incident.

    [attached image: eset_log_detections_trojan.JPG]

  7. 7 minutes ago, itman said:

    Excluding the Eset false positive possibility, I really believe whatever Eset detected as Win32/Kryptik.KGY originated from a file associated with the existing Adobe FlashPlayer installation. The downloaded FlashPlayer installer for the new version would be accessing the current version files to update/remove them to the current version equivalents. 

    Note that the Eset alert/log entry only showed the downloaded FlashPlayer installer running in memory as to be expected. This does not imply that the file Eset detected as malware was associated with any new file the installer was creating.

    Thanks again for your response.

    What you say makes sense.

    What do you make of the ESET deep scan I 'ran as Administrator' finding no threats? I.e., no Kryptik variant like it detected when I tried to update the Flash Player nor any other malware?

    When ESET detected the Kryptik variant and presented me with the options to Delete 'the file' or to allow the process to continue, I selected Delete.

    Would you expect that ESET deleted the Kryptik variant, that it is gone, and that is why it wasn't detected on the run as Administrator scan, or that it could still be hiding somewhere?

    Thanks!

  8. 10 minutes ago, itman said:

    This is correct: https://help.eset.com/eis/13/en-US/idh_page_status.html

    If the Cyrillic language popup appeared on the desktop, it most likely was malware related. However, there is no direct evidence at this point that this popup is related to your recent FlashPlayer update.

    Thanks again for your response.

    The Cyrillic language popup did not appear on my desktop, only on my laptop, and only after I attempted to update the Flash Player and ESET detected the Kryptik variant threat.

    As mentioned above, the Cyrillic language popup has not returned to the laptop so far.

    On my desktop the Flash Player update installed without problems, threat notification from ESET, or the Cyrillic language popup, as it always has so far.

    I allow Adobe to notify me that an update is ready for download but I always manually go to their site to download it and install it and I always uncheck the boxes to install McAfee or whatever additional third party software they have offered.

    The file that I manually downloaded was flashplayer32_xa_install.exe which matches what you describe in your response to Nux.

    As best as I can recall this episode on my laptop with ESET detecting the Kryptik variant and then my getting the Cyrillic language popup is the first time I have had any problem installing the Flash Player on any of our PCs.

  9. 14 hours ago, itman said:

    Post if it shows up again. My suspicions are it will reappear after you reboot or perform system startup after a previous system shutdown.

    Thanks again for your response.

    Yesterday, without success, I tried to force the renewal pop up on this laptop by logging off and back on, restarting my laptop, logging off and shutting down and starting up again, launching the ESET GUI, etc. But after all of that I didn't see any renewal pop up, neither the normal English language pop up nor the same unusual non-English language pop up shown in the image in my previous message.

    I also haven't seen any renewal pop up since I started this laptop today.

    It's possible that this laptop never has given me renewal pop ups and only shows the renewal message in the ESET GUI along with the orange border color coding, etc.

    That non-English pop up may be just part of a one-time event associated with running the Flash Player update that ESET detected as a threat.

    It would be interesting to get a translation of what the non-English pop up says.

  10. 56 minutes ago, itman said:

    ... snipped ...

    Although the full Eset scan showed no malware present, the Eset renewal popup in what appears to be a Cyrillic language (e.g. Russian) is not a good sign. It would be indicative of a possible compromised Eset installation. Or the renewal popup you are observing is a fake one being possibly generated by the Kryptik or some other malware.

    I've tried to convert the renewal popup screen shot you posted to a .txt file so I could translate to English what it says. No success on that.

    Open the Eset GUI. Is everything there shown in English language? I assume it is since you haven't commented otherwise.

    Thanks again for your latest response.

    No renewal pop up has popped up again since the one in what appeared to be Russian. I am waiting for the next one, not sure what triggers it.

    Yes, the ESET GUI appears to be normal. I have gone through almost all of the screens and everything is in the English language.

  11. 30 minutes ago, itman said:

    ... snipped ...

    Run a full scan on the device where the Eset alert appeared; i.e. custom scan selecting "This PC" checkbox, which will populate all subordinate settings - operating memory, boot sectors, and all hard drives. Select the "Scan as Administrator" tab. Then review scan results for any Eset detections.

    Thanks for your response.

    I ran the full "Scan as Administrator" as you suggested, results shown below.

    I am still confused as to why ESET didn't also detect the Kryptik variant on my desktop when I ran the Flash installer there. I was updating from the same previous version of Flash to the same current version of Flash.

    I am also still confused as to why ESET is now showing me the renewal pop up message in a language other than English . . .

    [attached image: eset_custom_scan_as_admin.JPG]

  12. So, in addition to this Flash Installer issue I now have this . . .

    My ESET subscription runs out in a few days, 7 I think. I have been getting the appropriate pop up window reminding me to renew, always in English on all three of our Windows PCs.

    Just now on this laptop the following window popped up. I don't know what language it is and I don't understand why it changed from English . . . but it seems strange that it would happen at the same time that I have this issue with the Flash installer . . .

    Thoughts?

    [attached image: eset_renewal_popup_language.JPG]

  13. 6 hours ago, Marcos said:

    Do you have another machine where you installed this update? If so, what OS is installed there and was the detection triggered on that machine?

    Thanks all for your responses.

    @Marcos

    From my original post:

    "About an hour ago I installed this same update to Adobe Flash without any problem on my desktop that has the same versions and updates of Windows, Flash, ESET NOD32, and Malwarebytes Anti-Malware.

    I still have the downloaded C:\install\flashplayer32_xa_install.exe file on my desktop so I scanned it with both ESET and Malwarebytes Anti-Malware and neither found any threats on that one."

    Both the laptop and the desktop have Windows 7 Home Premium SP1 64-bit.

    The detection was not triggered on the desktop.

    And I 'always' manually exclude the McAfee installer although I suppose it's remotely possible that unchecking one of the two check boxes didn't take this time.

  14. So I just downloaded and tried to install the latest update to Adobe Flash, 32.0.0.387, on Win7 Home Premium SP1 64-bit, on my laptop.

    I'm running ESET NOD32 13.1.21.0, with Detection Engine 21489.

    After I entered the Administrator password to the prompt to allow the update to install I got the pop up shown below from ESET NOD 32.

    After some searching to see if I could find anything about this I selected to delete the file C:\install\flashplayer32_xa_install.exe.

    My log file shows ESET detected and deleted this threat four times between 7:19:52 and 7:28:07 PM which probably represents the number of times I clicked on the Delete button before the pop up went away (I saw no other way to get rid of the pop up other than allowing the update to proceed). There's a gap of about eight minutes between the first delete entry and the second through fourth entry which all are within seconds of each other.

    About an hour ago I installed this same update to Adobe Flash without any problem on my desktop that has the same versions and updates of Windows, Flash, ESET NOD32, and Malwarebytes Anti-Malware.

    I still have the downloaded C:\install\flashplayer32_xa_install.exe file on my desktop so I scanned it with both ESET and Malwarebytes Anti-Malware and neither found any threats on that one.

    Thoughts?

    Is this a false positive on the laptop or a missed threat detection on the desktop?

    Should I download the Flash update again to my laptop and allow it to proceed if I also get the ESET pop up with the warning again?

    (I know, I know, uninstall Flash and be done with it . . .)

    Thanks!

    [attached image: eset_adobe_flash_trojan.JPG]
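The post above asks whether the laptop detection is a false positive or the desktop a missed detection. The first check a responder would make is whether the two downloaded copies of the installer are byte-for-byte the same file; if they are, the difference lies with the host, and if they are not, the flagged copy is a different binary. The following is an added example (not code from the original thread or from ESET) that performs that comparison on constructed stand-in files; the file names and the `triage` wording are assumptions.

```python
import hashlib
import os
import tempfile


def sha256_of(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so large installers stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def compare_copies(path_a, path_b):
    """Return (identical, digest_a, digest_b) for two copies of a download."""
    a, b = sha256_of(path_a), sha256_of(path_b)
    return a == b, a, b


def triage(path_flagged, path_clean):
    """Decide what the hash comparison tells us about a one-host detection.

    Identical copies: the detection differs by host, not by file content, so the
    sample is a false-positive candidate (submit it, keep looking at the host).
    Different copies: the flagged copy is a different binary; keep it quarantined.
    """
    identical, a, b = compare_copies(path_flagged, path_clean)
    if identical:
        return "identical copies: verdict differs by host, not by file; FP candidate"
    return "copies differ: flagged copy is a different binary; keep it quarantined"


def write_sample(data, name):
    """Helper: write constructed bytes to a temp file and return its path."""
    path = os.path.join(tempfile.mkdtemp(), name)
    with open(path, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    # Constructed stand-ins for the desktop and laptop downloads (not real installers).
    desktop = write_sample(b"MZ" + b"\x90" * 64, "desktop_copy.exe")
    laptop = write_sample(b"MZ" + b"\x90" * 64, "laptop_copy.exe")
    print(triage(laptop, desktop))
```

On the real files, pass the two paths to `triage` directly; the digests from `compare_copies` are also what a false-positive submission should quote.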

  15. I'm running Windows 7 Home Premium SP1 64-bit and ESET NOD32 AV 13.1.21.0.

    The attached image just popped up on my screen. ESET was not open when this happened.

    Is it legitimate?

    If yes, the buttons are confusing.

    What happens if I click on STAY PROTECTED?

    What happens if I click on POSTPONE? Does the pop up keep coming back?

    What happens if I just 'X' out?

    Thanks!

    [attached image: eset_win7_stay_protected.JPG]

  16. Today I noticed the orange dot on the ESET icon in Win7 system tray. I opened NOD32 and saw 'updates stopped by user'.

    So I checked for updates and version 13.0.22.0 came down and installed, with reboot.

    So far I'm running without issues on two Win7 Home Premium 64-bit PCs. 🙂

  17. I'm running Windows 7 Home Premium SP1 (I know, running out of time) . . .

    After booting up just now I noticed a message waiting for me on the NOD32 notification icon (orange dot). I opened NOD32 and the message said downloads for an update had been stopped at my request (or words to that effect). As far as I know I did not actively stop any downloads, but I checked for updates. Notification of system updates popped up, so I downloaded them and they installed. I got the request to restart, which I did, and now I have NOD32 version 12.2.29.0.

    I haven't been able to find any mention of version 12.2.29.0 anywhere. I assume the release notes are coming?

    This pattern of receiving messages from NOD32 that updates were stopped because I terminated the downloads just started recently on all three of our PCs. I don't recall getting these messages before. I used to get a pop up that let me know the updates were available and ready for download. But now it seems to try to update automatically without notifying me and something prevents the update. Is this a new behavior initiated by ESET or has something else changed on our PCs to cause this?

    Thanks!

  18. The problem with Firefox 58.0.2 (and other versions) no longer loading pages was caused by an update to Malwarebytes Anti-Exploit on March 8. Apparently it affects only some users. Uninstalling MBAE fixes the problem.

    Malwarebytes are aware of the problem and are investigating.
