Everything posted by itman

  1. This was my suspicion also. That cracked software was being installed ...............
  2. I personally believe that a global exclusion for AutoIt is a bad idea since it is bundled with a lot of installers. But "each to their own" on this subject.
  3. It appears that path name must be specified for the Detection name to be effective?
  4. Are you receiving Eset PUA alerts on those?
  5. Suspect this is the hash for the packed AutoIt file contained within DAEMON Tools Ultra
  6. Add file hashes to installers you wish to exclude Eset real-time scanning exclusion as shown below: If this doesn't work, what is occurring is Eset is detecting the AutoIT files within the installers when they are being copied to a new location; i.e. being created. You will have to exclude by hash the AutoIt files Eset is detecting. Note that by doing this, you are exposing yourself to a security risk if these files are included within a malicious download.
  7. You're welcome. Also refer back to my previous posting noting that this Trojan is commonly delivered by exploiting existing system vulnerabilities. Make sure all Windows Updates have been applied to your PC. This also applies to application software you have installed. If an un-patched vulnerability exists on your device, there is a high likelihood you could be reinfected by this Trojan.
  8. The default Safe mode Eset scan parameters provided in the .bat script do not scan boot sectors by default. I suspect there's a reason for that in that Eset can't scan all boot sectors in Safe mode; namely sector 0 where the MBR is located. So in effect, adding the /boots parameter to the script didn't do anything in regards to a MBR scan.
  9. The following should get rid of this trojan if it is resident in the MBR: https://techlogon.com/how-to-check-for-and-fix-mbr-virus-infection/
  10. Refer to the neosmart.net link @Marcos posted previously. If performed properly the answer is no. Note however that if the Trojan is recreating itself each time at Win startup time, it could very well reinfect the MBR again. Since this discussion has been going on for a while w/o resolution, I suggest you contact your local in-country Eset support contact for malware removal assistance: http://www.eset.hk/
  11. I already posted that Eset does not support Win 10 preview builds. If you persist in running Eset on one, you're going to have major issues. As far as the issues with either creating or running your bootable rescue disks, I have no clue. I can't see how Eset would interfere with that in any way. Since you won't go through the effort of translating any of your posting material to English as I requested, I am done with this thread. If you have a paid Eset license, I suggest you contact your Eset representative in France for further assistance.
  12. I also translated to English using Google's translator your posted log entries. Please do this translation prior to posting anything in the forum. Based on what the log shows, Eset is only detecting PUA software; all of which should be removed in my opinion:
  13. It really is hard to understand in English what you are posting. If you are running preview builds of Windows 10, Eset doesn't support preview builds. Next you mention IOBit security software and from your log entries, it appears that Checkpoint ZoneAlarm is also installed. You should be running only one AV solution in real-time scanning mode. If Eset is installed, that should be Eset. Uninstall IOBit and turn off real-time scanning in ZoneAlarm if you insist on using it.
  14. Well, stopping the scan prevented a full detection of whatever malware might exist on your device. Only Eset moderators can view Eset forum attachments. Post from the scan log what Eset could not clean automatically.
  15. For reference the MEmu software source is here: https://www.memuplay.com/ . Appears what you are stating is the malware is affecting the operation of MEmu. It also appears that the malware was present prior to Eset's installation. To begin with, run a Custom scan via the Eset GUI option. Make sure you check mark that all drives, folders, files, and networks are to be scanned. Most important, click on the tab, "Run as Administrator." Report back if Eset detected anything.
  16. I used Google to translate from French to English the above link referenced article. These apps all appear to be Android based. Are the issues you're trying to describe the following. Android apps you are using in this Android emulator running on a Windows based PC are having issues with Eset installed? Do the issues disappear if Eset is not installed? Finally, how does the below article relate to the issues you are having with Eset installed?
  17. It also appears this Trojan is being deployed by exploiting existing system vulnerabilities: https://isc.sans.edu/diary/Rig+Exploit+Kit+sends+Pitou.B+Trojan/25068 . So you need to ensure that your system is fully patched by applying all available Windows Updates for it. If you are running Win 7, unfortunately this option is no longer available since it is no longer a supported product. Ditto for all application software; especially browsers and e-mail clients. Those also need all available updates applied to them.
  18. My apologies. I thought Eset would work in Safe mode. It doesn't from the GUI interface. You have to run Eset from the command line interface in Safe mode. How to accomplish this is detailed here: https://support.eset.com/en/kb2272-run-a-scan-in-safe-mode-and-submit-a-scan-log-for-analysis . I recommend saving the .bat file on your desktop. Prior to running the script, it will have to be edited to scan boot records. Left mouse click on the .bat file and select Edit. The script code is now displayed in Notepad. You will have to scan for the below lines containing NOD32 and add the /boots parameter as shown below:

      ) ELSE IF EXIST "%ProgramFiles%\ESET\ESET NOD32 Antivirus\ecls.exe" (
      "%ProgramFiles%\ESET\ESET NOD32 Antivirus\ecls.exe" /auto /log-file=c:\ecls.txt /aind /boots

      Save the file via Notepad option. Boot into Win 10 Recovery Environment and access Safe mode from there. Now double click on the .bat file to run it. When the Eset scan is complete, reboot in normal Windows mode. You can view the Eset scan log file, ecls.txt, which will be located in the C:\ directory. Also note that you can boot into Win 10 Safe mode directly from regular Win 10 mode. Type Recovery into the desktop search window. Select "Recovery options." Under "Advanced startup," select "Restart now." Do not select the "Reset this PC" option. The PC will now boot into Win 10 Recovery Environment. -EDIT- I will also add that based on this thread where Eset's SysRescue method could not remove this Trojan from the MBR: https://forum.eset.com/topic/18160-having-problem-remove-trojan-win32pitouj/ , I would say that running Eset in Safe mode probably won't do so also. Appears fixing the MBR is the only way to get rid of it.
  19. You're still using the Eset Online Scanner. As posted previously, I don't know if that product is accurate when Eset is installed on a device. When you ran the Eset in program scan in Safe mode at Admin level that removed OpenCandy, did it also detect Win32/Pitou.J ?
  20. @Tonylau321 to get rid of OpenCandy, try this first. In Windows; 1. Open Control Panel. Click on the "Uninstall a program" link under the Programs section. 2. Determine if OpenCandy is installed. If so, uninstall it. OpenCandy is known to exist in installers from a number of software downloads. Some are listed here: https://en.wikipedia.org/wiki/OpenCandy ; notably, uTorrent. If you downloaded and installed something recently from one of the third party download sites, that most likely was the source. Reboot into Win 10 Safe mode: https://support.microsoft.com/en-us/help/12376/windows-10-start-your-pc-in-safe-mode . 3. Now run an Eset on-demand scan. Note: It appears the ver. of OpenCandy installed on your device is the rootkit one. Eset can only remove rootkits in Win Safe mode. If the Eset desktop toolbar icon is missing in Safe mode, you can access the Eset GUI via the Win 10 Start menu. This will be an Advanced scan running at admin level. Select "Custom" as shown in this screen shot: Checkmark "This PC" which causes all drives in the system to be scanned. Click on "Scan as Administrator" as shown in the below screen shot. Note: Do not use the Eset online scanner. I really don't know if that product is accurate if Eset is already installed on a device.
  21. FYI - Here's how to create a virtual CD/DVD drive and have it persist on every system restart. In Win 10, burn a .iso file to a CD/DVD disk. Win 10 will create a virtual drive to do this. At the end of the burn cycle, Win 10 will eject the disk. You believe the virtual drive is dismounted. Wrong! The virtual drive is loaded at each system boot. Worse, all the files it previously created are present on that virtual drive. The only way to get rid of the virtual drive is using device manager to uninstall the device. OpenCandy as I understand it does the above but instead of creating the files on CD/DVD media, only creates the files on the virtual drive. One reason why OpenCandy is considered by most AV solutions as malware.
  22. Also there is a discrepancy here. Eset online scanner found Win32/OpenCandy.J in the MBR. However, installed Eset was alerting on Win32/Pitou.J. Add to this OpenCandy is adware: https://malwaretips.com/blogs/remove-win32-opencandy/ . Per this Sophos detailed analysis of it; https://www.sophos.com/en-us/threat-center/threat-analyses/adware-and-puas/OpenCandy/detailed-analysis.aspx, I would say it might be creating a virtual CDrom drive and running from that at boot time. If this is the case, what Eset online scanner is detecting is OpenCandy on the virtual CDrom; not in the MBR for the boot drive. To verify this assumption, open Win Explorer and determine if a CD/DVD drive is shown that is not physically installed on your PC. Note that this virtual drive may be hidden. Therefore once Win Explorer is opened, change its Options settings to show hidden files, folders, and drives per the below screen shot:
  23. Also what Windows OS version are you running? MBR based malware is quite rare on Win 10 for example.
  24. Eset scans for MBR malware at boot time via its startup scan. If it finds any, it will show an alert as such: https://forum.eset.com/topic/15329-urgent_eset-can-not-clean-win32agenttxv-trojan/ . This can also be confirmed by just running an Eset on-demand virus scan since the MBR is also scanned there. I would boot into Win Safe mode and run an Eset on-demand scan from there. Hopefully, Eset can clean it from Safe mode.
  25. I am not 100% convinced this is MBR based. Provide the logs @Marcos requested. Also next time the Eset alert appears, click on "file" link in the alert and post a screen shot. Or at least, post in what directory the file shown is located.