itman
Posts: 13,107
Days Won: 344
itman last won the day on November 17
itman had the most liked content!
Rank: Newbie
Gender: Male
Location: USA
Recent Profile Visitors: 29,837 profile views
After I posted this, I realized you will probably have to stop the service prior to deleting it. As such, the commands to enter are:

sc stop AlructisitService
sc delete AlructisitService

Then restart the PC. Also, I found the video again showing removal in Safe Mode: https://www.youtube.com/watch?v=XGGNIijDcVc&t=0s . Note the following:

Finally, this coinminer might be employing self-protection to prevent modification of the service it is using in the registry, plus its associated C:\Program Files (x86)\AlructisitApplication\ .exe's. Pay close attention toward the end of the video where he is accessing the %AppData%\Local folder, searching for and removing it. If this is the case, my above manual removal of the service via sc.exe will fail.
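The two sc.exe commands above, wrapped in a script that records whether each step actually succeeded and then checks the locations named in the thread, so that the self-protection case reads as a reported failure rather than a silent no-op. This is an added example, not itman's or ESET's code. The service name and the C:\Program Files (x86)\AlructisitApplication path come from the thread; the function name is mine, and searching %LocalAppData% for a folder containing "Alructisit" is an assumption, since the post only says the video searches that folder and does not give its name. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the forum post). Stop and delete a suspected
# coinminer service, then verify that the removal stuck. Run elevated.
# Assumption: the %LocalAppData% folder name contains "Alructisit".

function Remove-SuspectService {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string[]] $Folders = @()
    )

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) {
        Write-Host "Service '$Name' is not registered with the SCM (already removed, or renamed)."
    } else {
        Write-Host ("Found {0}: State={1} StartMode={2}`n  Binary: {3}" -f `
            $svc.Name, $svc.State, $svc.StartMode, $svc.PathName)

        & sc.exe stop $Name | Out-Null
        # 1062 = ERROR_SERVICE_NOT_ACTIVE (already stopped); anything else is a real failure.
        if ($LASTEXITCODE -ne 0 -and $LASTEXITCODE -ne 1062) {
            Write-Warning "sc stop failed with exit code $LASTEXITCODE (5 = access denied, which is what self-protection looks like)."
        }
        Start-Sleep -Seconds 3

        & sc.exe delete $Name | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "sc delete failed with exit code $LASTEXITCODE; retry from Safe Mode."
        } else {
            Write-Host "sc delete accepted. If something still holds a handle to the service it stays 'marked for deletion' until reboot."
        }
    }

    # Post-checks: the service's registry key and the folders the post names.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (Test-Path $key) {
        Write-Warning "$key still exists; if it is still there after a reboot, the deletion did not take."
    }
    foreach ($f in $Folders) {
        if (Test-Path $f) {
            Write-Warning "$f still exists; delete it manually (from Safe Mode if it refuses)."
        }
    }
}

$folders = @('C:\Program Files (x86)\AlructisitApplication')
# Assumed naming: look under %LocalAppData% for anything matching the service name, as the video does.
$hits = @(Get-ChildItem -Path $env:LOCALAPPDATA -Directory -Filter '*Alructisit*' -ErrorAction SilentlyContinue)
foreach ($h in $hits) { $folders += $h.FullName }

Remove-SuspectService -Name 'AlructisitService' -Folders $folders
```

If `sc stop` returns exit code 5 while you are already elevated, the service is protecting itself as the post warns, and the rest of the script will only confirm that nothing was removed; at that point the Safe Mode route in the video is the one to take, and the same folder checks can be re-run afterwards to confirm the cleanup.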
-
Decker2124 reacted to a post in a topic: Win64/CoinMiner.QS: AlructisitService cleaned but still running after reboot
-
My preference is to run all Eset real-time settings at the Aggressive level. Are you still receiving Eset detections after a system restart with the PUA setting enabled? If this is the case, it appears from this video (EDIT: the link I saved no longer directs to the video) that the C:\Program Files (x86)\AlructisitApplication folder has to be manually deleted in Safe Mode.
-
Amazon (US/UK) license usage internationally
itman replied to TwinHeadedEagle's topic in General Discussion
@Marcos, please advise on this.
-
Below is the latest version of amdi2c.sys available for Win 10 from the Win Update Catalog. Notice that this driver is indeed WHQL signed:
-
Amazon (US/UK) license usage internationally
itman replied to TwinHeadedEagle's topic in General Discussion
If you are referring to this offer: https://www.amazon.com/ESET-Essential-Antivirus-Protection-Ransomware/dp/B0D1SWCSN4?dib=eyJ2IjoiMSJ9.MTmuXw4Oq-eznNOtSLbkdVbtKTE7wZHKCaboQodTNU_svHuTvgDL_9aIHsu5VgbZtsF4-cF9qmYltNLKbk4-BPOwGYWjTwmNPmD_gO387HRwx-A9l4cWzJl1zkHhzvycTR3x840tR0ol3CFSNOpWYbqLh8mtR3lQsCT99jcUf4GqxkT-JmbsJqbUnqWM8RD1sQeoXxC0jGbVb-6QiIZ_s1KXguOAeXspNHw52x_SUMI.t0LPuwhr_4bcT4mCgaDEOVitI03I160sF8Ri-mBQkSQ&dib_tag=se&qid=1733414901&refinements=p_89%3AESET&s=software&sr=1-1&th=1, it is a redirect to the Eset U.S. eStore with the following restriction:
-
Some more details on this amdi2c.sys vulnerable driver: https://www.virustotal.com/gui/file/15e84d040c2756b2d1b6c3f99d5a1079dc8854844d3c24d740fafd8c668e5fb9 . The driver is not Microsoft WHQL certified and signed. The driver is attestation-signed; I warned back in 2022 of the dangers posed by attestation-signed drivers in a detailed forum posting here: https://forum.eset.com/topic/32841-a-clear-and-present-danger-lurking-in-windows-1011/ . Also, China-based developers to date have been the primary source of abusing this kernel driver signing capability. The pathetic part is Microsoft's unwillingness to remove this attestation kernel mode signing capability despite the continual abuse of it.
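A way to tell the two cases in the post apart on your own machine: WHQL-signed and attestation-signed drivers are both countersigned by Microsoft, but the signing certificate carries a different Enhanced Key Usage OID for each program. The function below reads those OIDs from a driver's embedded Authenticode signature. This is an added example, not itman's or ESET's code; the OID table is what Microsoft's driver-signing documentation lists as far as I recall it (check it against the certificate Windows shows in the file's Digital Signatures tab), and the function name and output labels are mine. One caveat a practitioner will hit: a driver signed only through a .cat file has no embedded signature, so it is reported here as NotSigned even though Windows accepts it; confirm those with signtool or sigverif instead.

```powershell
# Added example (not from the forum post). Classify how a kernel driver is
# signed by mapping the EKU OIDs on its signing certificate to Microsoft's
# driver-signing programs. OID table per Microsoft's documentation as
# recalled; verify against the signature dialog on your system.

$DriverSigningEku = [ordered]@{
    '1.3.6.1.4.1.311.10.3.5.1' = 'Attestation signed (Windows Hardware Driver Attested Verification)'
    '1.3.6.1.4.1.311.10.3.5'   = 'WHQL signed (Windows Hardware Driver Verification)'
    '1.3.6.1.4.1.311.10.3.39'  = 'Extended Verification signed (Windows Hardware Driver Extended Verification)'
}

function Get-DriverSigningClass {
    param([Parameter(Mandatory)] [string] $Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
        # No embedded signature (or a broken one): could be catalog-signed, could be unsigned.
        return [pscustomobject]@{
            Path   = $Path
            Status = $sig.Status
            Class  = 'No valid embedded signature (catalog-signed or unsigned)'
            Signer = $null
            EKUs   = $null
        }
    }

    # Pull the EKU OIDs straight from the certificate's EKU extension.
    $ekus = @()
    foreach ($ext in $sig.SignerCertificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekus += $oid.Value }
        }
    }

    $class = 'Other (no Microsoft hardware-program EKU present)'
    foreach ($oid in $DriverSigningEku.Keys) {
        if ($ekus -contains $oid) { $class = $DriverSigningEku[$oid]; break }
    }

    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status
        Class  = $class
        Signer = $sig.SignerCertificate.Subject
        EKUs   = ($ekus -join ', ')
    }
}

# Usage: the installed copy of the driver discussed in the thread, if it is present.
Get-DriverSigningClass -Path "$env:SystemRoot\System32\drivers\amdi2c.sys" | Format-List
```

The check is deliberately limited to the leaf certificate's EKUs because that is where the program distinction lives; the chain above it (Microsoft Windows Third Party Component CA and so on) looks the same for both classes, which is exactly why an attestation-signed driver passes the same load-time policy as a WHQL one.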
-
Dimitris G reacted to a post in a topic: Eset ransomware remediation
-
Forum attachments can only be viewed by Eset moderators.
-
The only thing I could find in the forum for this error message relates to Eset Full Disk Encryption here: https://forum.eset.com/topic/40105-full-disk-encryption-recovery-password-has-reached-its-usage-limit/
-
In reference to your Eset Server Security screenshot, the license ID shown is the public ID for the license. You need to enter the full 20-character private license key as shown above.
-
Based on the high AV vendor detection at VT, my guess is Eset analyzed the stealer within at most 48 hours, and more likely within 24 hours, of it circulating in the wild. It gave a safe verdict and whitelisted the file.