OrionsBelt (Members, 5 posts)
Hello. I fear my laptop has been infected. I'm quite unsure of how deep into the system the malware has reached, but I suspect it may have managed to read many of the basic systems through access to my laptop's Microsoft account, and maybe even read my laptop's ESET licence. Not sure if this should go in some other sub-forum; I apologize if I placed it wrong. The main issue is the malware threat, and the system being vulnerable because apparently I didn't understand how to configure Anti-Theft with Windows and an active Microsoft account.

Trying to shorten the details of a long story:
- ESET warns me of a strange device using my wifi. (I've changed the router name and the wifi network's name and password. I still haven't discovered how to block another device.)
- I find a strange user in the files of my system. (I remove the strange user, supposedly.)
- My phone starts showing small but very suspicious sudden issues. (My smartphone's main email is the same as my laptop's Microsoft account. Dumb, I realize now. I plan on changing that if I can.)
- On my laptop, MyEset starts warning me my Anti-Theft feature isn't optimized for Windows/Microsoft. (Why didn't it warn me before?) I don't, as I'm not sure if it might make things worse. Yeah, probably another bad move.
- A full deep scan with ESET Internet Security reveals 9 suspicious files. Unfortunately, I didn't see the note at the end of the detection details that advised me to wait for the scan to complete before taking an action. Another ESET window opened during the scan, offering to erase the first 6 (I think), and I did. But once the scan ended, it didn't let me erase the last 3 suspicious files. And a later scan finds no detections, which makes me fear the system has already accepted and integrated those 3 files.
- I restart my laptop in Safe Mode and scan with ESET SysInspector. And it finds many, many suspicious files.
- I completely disconnect my laptop from the internet.
- MyEset registers strange logins from "my phone" in cities I've never been to. (Bug? Or more serious?)
After much, I seem to have recovered control of my phone. But I'm not sure how much that will change once I reconnect my laptop, and it reconnects to my Microsoft account. Now, I do have a month-old Windows system backup ("Copia de Seguridad de Windows"; I have no idea what the technical name is in English) on an external USB drive, from before I activated Anti-Theft. I'm not sure if I should just use that, and skip restarting my laptop as it is now, or if it would just activate the Anti-Theft feature as it is now, without optimization, leaving my Microsoft account exposed anyway. I'll greatly appreciate any information and advice on my next options. Especially regarding:
- any insight into the potential danger of the files detected and my general situation as described;
- my options for managing the Anti-Theft feature;
- how to check and make sure no one else has access to my laptop's ESET licence.
I know it's a lot. Thank you seriously in advance for any and all assistance.

SUSPICIOUS FILES DETECTED:
c:\windows\system32\driverstore\filerepository\capsule.inf_amd64_4fcb7dad6b5872d4\systemfirmware.bin = UEFI = uefi:\\Volume 1\Raw volume {C9C9C056-98EC-4026-BDE9-5C8C950250EC}\Unnamed partition\Volume 1\Firmware Volume Image {9E21FD93-9C72-4C15-8C4B-E77F1DB2D792}\Volume 1\Application {6F1C17F3-0D88-4775-BF36-07140931376A} - a variant of EFI/CompuTrace.A potentially unsafe application - action selection postponed until the scan finishes
c:\windows\system32\driverstore\filerepository\capsule.inf_amd64_4fcb7dad6b5872d4\systemfirmware.bin = UEFI = uefi:\\Volume 1\Raw volume {881EC7F2-82EE-477C-A829-78518783EC1F}\Unnamed partition\Volume 1\Firmware Volume Image {9E21FD93-9C72-4C15-8C4B-E77F1DB2D792}\Volume 1\Application {6F1C17F3-0D88-4775-BF36-07140931376A} - a variant of EFI/CompuTrace.A potentially unsafe application - action selection postponed until the scan finishes
c:\windows\system32\driverstore\filerepository\capsule.inf_amd64_4fcb7dad6b5872d4\systemfirmware.bin = UEFI = uefi:\\Volume 1\Raw volume {F6D787F3-D9C5-4E45-9C81-DA2D83628EE3}\Unnamed partition\Volume 1\Firmware Volume Image {9E21FD93-9C72-4C15-8C4B-E77F1DB2D792}\Volume 1\Application {6F1C17F3-0D88-4775-BF36-07140931376A} - a variant of EFI/CompuTrace.A potentially unsafe application - action selection postponed until the scan finishes
c:\windows\system32\driverstore\filerepository\capsule.inf_amd64_4fcb7dad6b5872d4\systemfirmware.bin = UEFI = uefi:\\Volume 1\Raw volume {C9C9C056-98EC-4026-BDE9-5C8C950250EC}\Unnamed partition\Volume 1\Firmware Volume Image {9E21FD93-9C72-4C15-8C4B-E77F1DB2D792}\Volume 1\Application {6F1C17F3-0D88-4775-BF36-07140931376A} - a variant of EFI/CompuTrace.A potentially unsafe application - action selection postponed until the scan finishes
c:\windows\system32\driverstore\filerepository\capsule.inf_amd64_4fcb7dad6b5872d4\systemfirmware.bin = UEFI = uefi:\\Volume 1\Raw volume {881EC7F2-82EE-477C-A829-78518783EC1F}\Unnamed partition\Volume 1\Firmware Volume Image {9E21FD93-9C72-4C15-8C4B-E77F1DB2D792}\Volume 1\Application {6F1C17F3-0D88-4775-BF36-07140931376A} - a variant of EFI/CompuTrace.A potentially unsafe application - action selection postponed until the scan finishes
c:\windows\system32\driverstore\filerepository\capsule.inf_amd64_4fcb7dad6b5872d4\systemfirmware.bin = UEFI = uefi:\\Volume 1\Raw volume {F6D787F3-D9C5-4E45-9C81-DA2D83628EE3}\Unnamed partition\Volume 1\Firmware Volume Image {9E21FD93-9C72-4C15-8C4B-E77F1DB2D792}\Volume 1\Application {6F1C17F3-0D88-4775-BF36-07140931376A} - a variant of EFI/CompuTrace.A potentially unsafe application - action selection postponed until the scan finishes
C:\Windows\Firmware\SystemFirmware.bin = UEFI = uefi:\\Volume 1\Raw volume {C9C9C056-98EC-4026-BDE9-5C8C950250EC}\Unnamed partition\Volume 1\Firmware Volume Image {9E21FD93-9C72-4C15-8C4B-E77F1DB2D792}\Volume 1\Application {6F1C17F3-0D88-4775-BF36-07140931376A} - a variant of EFI/CompuTrace.A potentially unsafe application - action selection postponed until the scan finishes
C:\Windows\Firmware\SystemFirmware.bin = UEFI = uefi:\\Volume 1\Raw volume {881EC7F2-82EE-477C-A829-78518783EC1F}\Unnamed partition\Volume 1\Firmware Volume Image {9E21FD93-9C72-4C15-8C4B-E77F1DB2D792}\Volume 1\Application {6F1C17F3-0D88-4775-BF36-07140931376A} - a variant of EFI/CompuTrace.A potentially unsafe application - action selection postponed until the scan finishes
C:\Windows\Firmware\SystemFirmware.bin = UEFI = uefi:\\Volume 1\Raw volume {F6D787F3-D9C5-4E45-9C81-DA2D83628EE3}\Unnamed partition\Volume 1\Firmware Volume Image {9E21FD93-9C72-4C15-8C4B-E77F1DB2D792}\Volume 1\Application {6F1C17F3-0D88-4775-BF36-07140931376A} - a variant of EFI/CompuTrace.A potentially unsafe application - action selection postponed until the scan finishes

--------------------
FULL SCAN REGISTRY:
Log
Scan log
Detection engine version: 23983 (20210918)
Date: 18-09-2021 Time: 12:46:51
Scanned disks, folders and files: Operating memory;Boot sectors/UEFI;WMI database;System registry;C:\Boot sectors/UEFI;C:\;D:\Boot sectors/UEFI;D:\
\Device\HarddiskVolume3\EFI\Microsoft\Boot\BCD - cannot be opened [4]
\Device\HarddiskVolume3\EFI\Microsoft\Boot\BCD.LOG - cannot be opened [4]
Operating memory = C:\Windows\explorer.exe - is OK
Operating memory = C:\Windows\System32\dllhost.exe - is OK
c:\windows\notepad.exe - cannot be opened [4]
c:\windows\system32\notepad.exe - cannot be opened [4]
c:\windows\syswow64\notepad.exe - cannot be opened [4]
c:\windows\notepad.exe - cannot be opened [4]
c:\windows\system32\notepad.exe - cannot be opened [4]
c:\windows\syswow64\notepad.exe - cannot be opened [4]
c:\windows\system32\windowspowershell\v1.0\powershell.exe - cannot be opened [4]
...
c:\windows\system32\driverstore\filerepository\capsule.inf_amd64_4fcb7dad6b5872d4\systemfirmware.bin = UEFI = uefi:\\Volume 1\Raw volume {C9C9C056-98EC-4026-BDE9-5C8C950250EC}\Unnamed partition\Volume 1\Firmware Volume Image {9E21FD93-9C72-4C15-8C4B-E77F1DB2D792}\Volume 1\Application {6F1C17F3-0D88-4775-BF36-07140931376A} - a variant of EFI/CompuTrace.A potentially unsafe application - deleted
c:\windows\system32\driverstore\filerepository\capsule.inf_amd64_4fcb7dad6b5872d4\systemfirmware.bin = UEFI = uefi:\\Volume 1\Raw volume {881EC7F2-82EE-477C-A829-78518783EC1F}\Unnamed partition\Volume 1\Firmware Volume Image {9E21FD93-9C72-4C15-8C4B-E77F1DB2D792}\Volume 1\Application {6F1C17F3-0D88-4775-BF36-07140931376A} - a variant of EFI/CompuTrace.A potentially unsafe application - deleted
c:\windows\system32\driverstore\filerepository\capsule.inf_amd64_4fcb7dad6b5872d4\systemfirmware.bin = UEFI = uefi:\\Volume 1\Raw volume {F6D787F3-D9C5-4E45-9C81-DA2D83628EE3}\Unnamed partition\Volume 1\Firmware Volume Image {9E21FD93-9C72-4C15-8C4B-E77F1DB2D792}\Volume 1\Application {6F1C17F3-0D88-4775-BF36-07140931376A} - a variant of EFI/CompuTrace.A potentially unsafe application - deleted
C:\Windows\Firmware\SystemFirmware.bin = UEFI = uefi:\\Volume 1\Raw volume {C9C9C056-98EC-4026-BDE9-5C8C950250EC}\Unnamed partition\Volume 1\Firmware Volume Image {9E21FD93-9C72-4C15-8C4B-E77F1DB2D792}\Volume 1\Application {6F1C17F3-0D88-4775-BF36-07140931376A} - a variant of EFI/CompuTrace.A potentially unsafe application - deleted
C:\Windows\Firmware\SystemFirmware.bin = UEFI = uefi:\\Volume 1\Raw volume {881EC7F2-82EE-477C-A829-78518783EC1F}\Unnamed partition\Volume 1\Firmware Volume Image {9E21FD93-9C72-4C15-8C4B-E77F1DB2D792}\Volume 1\Application {6F1C17F3-0D88-4775-BF36-07140931376A} - a variant of EFI/CompuTrace.A potentially unsafe application - deleted
C:\Windows\Firmware\SystemFirmware.bin = UEFI = uefi:\\Volume 1\Raw volume {F6D787F3-D9C5-4E45-9C81-DA2D83628EE3}\Unnamed partition\Volume 1\Firmware Volume Image {9E21FD93-9C72-4C15-8C4B-E77F1DB2D792}\Volume 1\Application {6F1C17F3-0D88-4775-BF36-07140931376A} - a variant of EFI/CompuTrace.A potentially unsafe application - deleted
C:\Windows\System32\DriverStore\FileRepository\capsule.inf_amd64_4fcb7dad6b5872d4\SystemFirmware.bin - cannot be opened [4]
Number of scanned objects: 730210
Number of detections: 9
Number of cleaned objects: 6
Time remaining: 13:30:24
Total scanning time: 2613 sec (00:43:33)
Notes: [4] The object cannot be opened. It may be in use by another application or operating system.
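As an added example (not part of the original post, and not ESET's own code), here is a small Python parser for the scan-log line format pasted above. It splits each nested object chain so the file on disk that was scanned is kept apart from the path inside the firmware volume image, tallies the action taken per detection, lists the objects the scanner could not open, and cross-checks the per-line tally against the log's own "Number of ..." totals. The sample log embedded in the block is constructed to mirror the post's lines (the GUIDs are placeholders); only the three translated line shapes are taken from the page.

```python
"""Summarize an ESET on-demand scan log.

Added example, modeled on the translated log in the post above; not code
from the poster or from ESET.  Three line shapes are handled:

  <object> - <threat> <category> - <action>
  <object> - cannot be opened [<code>]
  <object> - is OK

<object> is a " = "-separated chain when the hit sits inside a container
(file on disk = UEFI = path inside the firmware volume image).
"""
import re
from collections import Counter

_DETECTION = re.compile(
    r"^(?P<obj>.+?) - (?:a variant of )?(?P<threat>\S+) "
    r"(?P<category>potentially unsafe application|potentially unwanted application"
    r"|trojan|virus|worm) - (?P<action>.+)$"
)
_LOCKED = re.compile(r"^(?P<obj>.+?) - cannot be opened \[(?P<code>\d+)\]$")
_OK = re.compile(r"^(?P<obj>.+?) - is OK$")
_COUNTER = re.compile(
    r"^Number of (?P<what>scanned objects|detections|cleaned objects): (?P<n>\d+)$"
)

# Constructed sample (placeholder GUIDs), not the poster's real log.
SAMPLE_LOG = r"""
Scan log
Detection engine version: 23983 (20210918)
Scanned disks, folders and files: Operating memory;Boot sectors/UEFI;WMI database;System registry;C:\Windows
Operating memory = C:\Windows\explorer.exe - is OK
c:\windows\system32\windowspowershell\v1.0\powershell.exe - cannot be opened [4]
c:\windows\system32\driverstore\filerepository\capsule.inf_amd64_4fcb7dad6b5872d4\systemfirmware.bin = UEFI = uefi:\\Volume 1\Raw volume {00000000-0000-0000-0000-000000000001}\Unnamed partition\Volume 1\Application {00000000-0000-0000-0000-0000000000AA} - a variant of EFI/CompuTrace.A potentially unsafe application - deleted
c:\windows\system32\driverstore\filerepository\capsule.inf_amd64_4fcb7dad6b5872d4\systemfirmware.bin = UEFI = uefi:\\Volume 1\Raw volume {00000000-0000-0000-0000-000000000002}\Unnamed partition\Volume 1\Application {00000000-0000-0000-0000-0000000000AA} - a variant of EFI/CompuTrace.A potentially unsafe application - deleted
C:\Windows\Firmware\SystemFirmware.bin = UEFI = uefi:\\Volume 1\Raw volume {00000000-0000-0000-0000-000000000001}\Unnamed partition\Volume 1\Application {00000000-0000-0000-0000-0000000000AA} - a variant of EFI/CompuTrace.A potentially unsafe application - action selection postponed until the scan finishes
Number of scanned objects: 5
Number of detections: 3
Number of cleaned objects: 2
Notes: [4] The object cannot be opened. It may be in use by another application or operating system.
"""


def parse_scan_log(text):
    """Return (records, counters): one record per scanned object line."""
    records, counters = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := _COUNTER.match(line):
            counters[m["what"]] = int(m["n"])
        elif m := _DETECTION.match(line):
            chain = [p.strip() for p in m["obj"].split(" = ")]
            records.append({
                "kind": "detection",
                "host_path": chain[0],                 # file on disk that was scanned
                "nested_in_uefi": "UEFI" in chain[1:],  # hit lies inside a firmware image
                "threat": m["threat"],
                "category": m["category"],
                "action": m["action"].strip(),
            })
        elif m := _LOCKED.match(line):
            records.append({"kind": "locked", "host_path": m["obj"], "code": int(m["code"])})
        elif m := _OK.match(line):
            records.append({"kind": "ok", "host_path": m["obj"]})
    return records, counters


def summarize(records, counters=None):
    """Aggregate detections by action and host file; verify the log's totals."""
    dets = [r for r in records if r["kind"] == "detection"]
    by_action = Counter(r["action"] for r in dets)
    summary = {
        "detections": len(dets),
        "by_action": dict(by_action),
        "threats": sorted({r["threat"] for r in dets}),
        "hosts": sorted({r["host_path"].lower() for r in dets}),
        "all_in_uefi_images": bool(dets) and all(r["nested_in_uefi"] for r in dets),
        "locked": sorted({r["host_path"] for r in records if r["kind"] == "locked"}),
        "pending": [r["host_path"] for r in dets
                    if r["action"].startswith("action selection postponed")],
    }
    if counters:
        # The log's own totals must agree with what the per-line tally found.
        summary["counts_match"] = (
            counters.get("detections") == summary["detections"]
            and counters.get("cleaned objects") == by_action.get("deleted", 0)
        )
    return summary


if __name__ == "__main__":
    recs, cnts = parse_scan_log(SAMPLE_LOG)
    for key, value in summarize(recs, cnts).items():
        print(f"{key}: {value}")
```

Paste a real log (translated or not; only the three line shapes matter, so the regexes need the wording of your product language) into `SAMPLE_LOG` or feed a file's contents to `parse_scan_log`. The `hosts` list is the part worth reading first: it shows which files on disk actually carried the hits, separately from the many nested `uefi:\\...` paths that make the raw log look like more than it is, and `pending` lists the detections whose action was deferred until the scan finished.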
-
Scan can't open many files & virtumonde alert
OrionsBelt replied to OrionsBelt's topic in Malware Finding and Cleaning
Aha! Okay. Thanks very much, everyone, for all the clarifications and suggestions. I'll try out scanning as administrator, and searching for hidden files. Yes, I've already been using VirusTotal to scan pages; I didn't think to scan the file itself. Thanks. I would have to find it first, of course, if it's truly in my system. And oh! Spybot may be just showing what it's scanning for... Hm. That could be it, actually. Hm. Sorry, not sure yet, of course. And no, I haven't seen any suspicious activity on the desktop nor any internet redirection, though as mentioned, I haven't really risked much internet activity yet anyway. I'll try out your advice, and test the laptop with a secondary and less important email account. I assume the custom administrator scan will give me more clarity, too.
Greetings. I've discovered a pair of suspicious issues on my office laptop. A regular full system scan with ESET Internet Security doesn't detect any threats. However, in the scan's information report it does show a series of files it "cannot open". The message below says "may be in use by another program or operating system" (translated from Spanish), which seems very strange to me, and I don't know which other system or program could be involved. I would like to know if this is something that might require some deeper attention and intervention.

This laptop has been configured with a "liberated" user system: no need for a synchronized email account, 2 users, 1 with direct access (no password needed), and 1 for public use that has never been used. I'm very sure no one but me has physically accessed it, well, after receiving it from my tech shop that did the reformat and Windows reinstallation. It's a very simple HP laptop, with 1 solid-state disk, no partition, Windows 10 Pro. I've run ESET Online Scanner. I've installed Firefox, Spybot Search & Destroy Pro, and ESET Internet Security (purchased licence). And that's it.

But when scanning through the system with Spybot Search & Destroy Pro, I find the scan tends to slow down and delay on a "virtumonde.dll" file. Spybot doesn't seem to warn me about it, nor send it to quarantine. And searching for this file with Windows Explorer comes up blank. But when searching for this file online, I find it's reported on several online assistance forums (including a pair of Microsoft forum threads) as a severe spyware threat that can develop and cause severe problems. What can you tell me about this file? How worried should I be? And, if necessary, what would you suggest I do about this issue?

Just to further contextualize, this is a recently reformatted laptop, after a bad malware infection (with keylogger spyware activity). Given the very minimal use this laptop has had until now, I suspect this file somehow survived the hard reformat and reinstalled Windows. As such, another hard factory reformat is an option, but it doesn't seem to suffice. So I'm assuming some measures must be taken to ensure it doesn't survive the reformat, unless some other measure is possible. Please help. In much need of trustworthy information and advice.

PS: I'm attaching 3 pics. In Spanish, sorry. But I believe the list of files themselves can be read without issue.
-
Thanks Marcos. Hm. It doesn't appear in the main app. Main app -> Main menu -> Licence -> I find "your Premium licence is renewed every year", the Public ID code, the last synchronization date, a link to a client support page in the upper right corner, but no Licence Key nor any "enter Licence Key" type link.

Might as well explain the whole strange situation. I have, as far as I know, 2 purchased licences: 1 ESET Internet Security (for 4 devices) and 1 ESET Mobile Security. First off, I say I have 2 licences "as far as I know" because I had a free-trial Mobile Security app on my phone that I tried to purchase through my phone company. I received several emails that the payment didn't go through, that the free trial was going to be suspended, and then that it actually was suspended. But some time after my last payment to my phone company, when I enter my myEset account I find a purchased Mobile Security licence, for one device, already taken and active and fully protected, set to expire in 2041. In fact it's named "Eset Mobile Security for Free", which also makes me suspicious. I'm actually quite sure that when I re-installed Mobile Security on my smartphone, after the reboot, I entered my purchased Internet Security licence to activate it. But when I check the 9-character public ID code from the ESET Mobile Security app on my phone, it doesn't match either my Internet Security public ID or my Mobile Security public ID, as they appear in my licences on the myEset account page.

In the myEset account page, in the "Devices" directory: I have 2 smartphone devices listed (as far as I know, both the same device, my phone, with names I gave before and after the last reboot):
- One with Antiphishing disabled that says it hasn't been connected in more than 2 weeks. It appears associated to my Internet Security licence. (I was having issues with enabling Antiphishing, but managed to enable it, and currently the ESET app says it's active.)
- One active and fully protected, but NO licence appears associated to it. As in, the space is blank where the link to its associated licence should appear.

In the myEset account page, in the "Licences" directory: Both licences appear, Mobile and Internet Security. Both appear purchased, with 2041 and 2023 expiration dates respectively. (No major issue with the Internet Security licence.) The Mobile Security licence says I have 1 device using it, active and fully protected, but no device appears named under the list of devices associated with that licence. As in, the "devices" tab of that licence is blank.

This is my main concern, as I need to make sure my Mobile Security licence hasn't somehow been hacked, and/or that my smartphone might even be linked to a third licence someone else has access to. Admittedly, and I hope, it may just be related to some confusion after two factory hard reboots of my smartphone, and perhaps the cancellation of the previous free trial of ESET Mobile Security. I believe I uninstalled ESET before the last reboot, but I'm not sure. I probably didn't uninstall it before the first one. I haven't experienced any serious suspicious activity on my phone yet. But this whole situation started from the hacking of my main PC and what was then my main email account. So I'm quite wary and require some clarity to continue to operate with my devices and accounts.

Two additional questions: Concerning malware detection and protection, is there any difference between the Mobile Security licence and the Internet Security licence? (Particularly against phishing.) Is "Eset Mobile Security & Antivirus" the current and proper name of the ESET Android app? Just to make sure. I found it when checking the Play Store for the ESET apps. And the Play Store does say it's installed on my phone. Deep thanks for any and all help.
-
Hello! I have an issue I can't find answered anywhere. I hope this is the right forum; my apologies if not. I have 2 purchased licences: 1 ESET Internet Security (for 4 devices) and 1 ESET Mobile Security. My Android smartphone already has the ESET app installed. I want to migrate my phone from my Mobile Security licence to my Internet Security licence. (So, not switch the same licence from one device to another, but switch the same device from one licence to another.) Is there some way to do this without having to outright uninstall ESET (and leave all my apps temporarily unprotected) and re-install with the other licence? As far as I've found, regardless of the licence used, on Android, ESET is installed as ESET Mobile Security anyway. So I imagine one could simply tell the ESET app or the "myEset" account page to move a device from one licence to another. Which would be the safer way to do this? I don't want to disconnect my device from its current licence until I'm sure of the next steps. Thanks in advance for any and all response and assistance.