Everything posted by itman

  1. As far as a safe way or more specifically a tool that would work on all Win OS versions and different device hardware configurations, the answer is no. Knowledgeable security sources recommend the first thing to be done after the OS is installed is to back up the MBR. This is done not only for potential malware infection but in the instance the MBR becomes corrupted for other reasons. There are a number of third party tools that can back up and restore the MBR. What I recommend Eset explore is backing up the MBR at Eset product installation time. Eset would also provide a MBR restore u
  2. Look for shutdown events and note any that reference equi.exe.
  3. Assuming you're accessing the French language Google drive web site, you can add this domain; www.google.com/intl/fr/drive/* to Eset Web access protection -> URL Address Management -> Address list -> List of allowed addresses -> Edit -> Add. Note: doing so will prevent all Eset scanning for this domain/sub-domains. That includes not only uploads but also any downloads. This also applies to the Google certificate exclusion you added. This URL method is preferable to the Google cert. exclusion since it appears that cert. is used for multiple Google web sites. Theref
  4. Eset SSL/TLS protocol filtering uses an internal whitelist to exclude web sites from scanning. I believe it is URL/domain name based although EV certificate status might play a factor. Unfortunately, the only exclusion method other than by certificate is by IP address which is not suitable to most. Note: unless the Google certificate you excluded is specific to the Google drive web site, this exclusion would apply to any other web site using the same cert.
  5. How are you performing file uploads? Via a browser or outside of a browser?
  6. My advice is to use Process Explorer versus Win Task Manager to get a full picture of what is going on in regards to equi.exe. When the Eset GUI interface is not open, the following should be observed: Once the Eset GUI interface is opened, the following is observed: Once the Eset GUI interface is closed and approximately 10 secs or so thereafter, equi.exe will terminate itself with the result being what is shown in the first screen shot. In other words, equi.exe should never be running as a stand-alone process but always as a child process to the parent ekrn.ex
  7. Links appear to be fixed now. Or possibly, there was a redirection issue from forum servers.
  8. The invoice also has discrepancies. Order subtotal is shown in U.S. $, but tax and total amount are shown in Turkish currency amounts. The 4446 Visa card prefix is associated with Ziraat Bankasi: https://www.creditcardvalidator.org/visa/ziraat-bankasi/444677 . However the invoice shows bank name of card issuer as İşbank. Additionally, İşbank is a commercial bank; i.e. does not offer accounts to the general public.
  9. When I select either "How do I create a Process Monitor file" or "How do I use Eset Log Collector," I am being redirected to the Slovak language web page versus the English language ones.
  10. Is this a direct Win 7 sign off by the user? Or is some type of custom log off script being deployed at user sign off time?
  11. YouTube scams are nothing new. Below are a couple of them: https://www.msn.com/en-us/news/technology/how-malware-started-a-bitcoin-hack-that-youtube-just-can-e2-80-99t-keep-up-with/ar-BB17JlUW https://www.leaprate.com/cryptocurrency/regulation-cryptocurrency/crypto-fraud-alert-new-trojan-horse-malware-on-youtube-bitcoin-video/ This is one reason many security forums prohibit YouTube reference link posting.
  12. A couple of closing comments here. 1. You disabled Eset thereby allowing the malware to install a bootkit on your device. Hopefully, you learned a lesson to never do that again. 2. You need to upgrade to Win 10 ASAP. Why? The likelihood of boot/rootkits occurring on Win 10 x(64) is greatly reduced due to kernel patch protection; i.e. KPP, employed in Win 10. Additionally, Eset running on Win 10 employs an early launch anti-malware; i.e. ELAM, driver that loads at boot time prior to any other app drivers. In this case, Eset would have been able to block the bootkit from loading a
  13. I read a posting over at bleepingcomputer.com that Kaspersky's TDSSKiller will remove this type of boot/rootkit. You can give it a shot and see if it detects and removes the rootkit. It runs very fast and will produce a log file. Review the log file and see if anything was detected. If so, wording will probably exist instructing you to reboot the PC to complete removal of the rootkit. TDSSKiller can be downloaded here: https://support.kaspersky.com/5350#list -EDIT- After opening TDSSKiller but prior to running it, select "Change parameters" and ensure all the settings shown in this
  14. Panda has an article on this: https://www.pandasecurity.com/en/mediacenter/mobile-news/youtube-virus-tips/ .
  15. You can try using Kaspersky Virus Removal tool: https://support.kaspersky.com/8528 . Make sure when run to select "Change parameters" and select all objects shown including the system drive. Note: If this app refuses to run or aborts shortly after startup, rename the file download - KVRT.exe - to something else and run the renamed executable.
  16. You posted two conflicting statements. First, you stated services are running. Next, you state Eset services are stopped after boot time. If Eset services are currently stopped, restart them. Now try to access Eset GUI via Start menu and run an Eset scan.
  17. Further clarification needed on this. Are you referring to the Eset desktop toolbar icon missing? Does Eset still exist in the Win 10 Start menu? Is the Eset service, "Eset Service," listed in Control Panel -> System and Security -> Administrative Tools -> Services? Is the service started and running? Does this folder, "Eset", still exist in C:\Program Files? Does it contain the "Eset Security" folder? Does this folder contain sub-folders and files?
  18. Ignoring the Eset issue for the moment if this is Win 10, Windows Defender should be active and functioning as your real-time protection. Did you check Windows Security Center and verify this is the case?
  19. Same here connecting from the U.S. No issues from Eset connecting to this URL, https://status.camerfirma.com , using Firefox, Edge - Chromium, or Internet Explorer.
  20. Do you have an existing Eset product installed on this device? If it is not Eset Endpoint Antivirus, it should be uninstalled prior to installing the version of Eset Endpoint Antivirus you downloaded. Perhaps you have Eset Endpoint Security installed on the device?
  21. If problems persist after running ESET Online scanner, you could also try performing a Win system restore using a restore point prior to when you installed the app/malware. This won't remove all of the malware and/or app but should reset system settings to what existed prior to the app install. This will hopefully also restore Eset functionality to the point you could run a full scan with it. Note: the malware may have disabled system restore functionality.
  22. No offense taken. My advice is submit the installer to Hybrid-Analysis: https://www.hybrid-analysis.com/ , for a full sandbox analysis and see what it determines.
  23. Further analysis of VT sandbox findings confirms my early suspicions. To understand what is going on, two epi.exe, aka bootstrapper.exe, processes are running. One as the parent process and one as a child process. Note that the epi.exe processes are not the same. The malicious process being detected at VT is the unsigned parent epi.exe process. The child epi.exe process spawned is legit and validly signed. Ref.: https://www.virustotal.com/gui/file/a7af6d852fadd2bf4b9ef36b3f96e322e08254b20682fe174b0c38738e5f3864/detection Of note is most of the VT detections for the pare
  24. VT is showing conflicting info. per the below screen shot. Again, it's flagging bootstrapper.exe as the problem. This file is signed. Also, VT lists epi.exe. But, when I scanned the hash for the extracted file, there were no detections. It's as if VT is perhaps detecting the downloaded ver. of epi.exe which I assume is a latest ver. update of the file?