itman
Most Valued Members
  • Posts: 12,220
  • Joined
  • Last visited
  • Days Won: 321
Everything posted by itman

  1. Be as descriptive as possible in your postings. No one on the forum is a "mind reader." It appears you are referring to one of the most recent STOP ransomware variants. As such, this is not "new" malware: https://malwaretips.com/blogs/remove-nesa/ . As noted in the malwaretips.com article, there is presently no decrypter available for this STOP ransomware variant. Are you stating that Eset failed to detect this variant?
  2. Post a screen shot of ekrn.exe CPU utilization using Process Explorer or Win Task Manager when this occurs.
  3. https://forum.eset.com/topic/7626-appontexe/
  4. I am out of ideas. The event log entries you are concerned about are not unique. Here's a 2016 posting showing the same event log entries: https://www.sevenforums.com/general-discussion/400929-windows-7-home-premium-please-help-programs-will-not-update-post3285952.html#post3285952 . I would say that if Eset Online Scanner completed a scan successfully, it operated properly. Otherwise, you will have to wait until an Eset moderator responds to your concerns.
  5. The only time I have seen this is when there was a network connection issue on the device.
  6. You can also refer to this removal guide: https://www.virusguides.com/remove-bwplayer-virus/ . Ignore all the Spyware Hunter ads in the guide. This guide emphasizes that you must be in Win Safe mode to remove the browser extension(s) or add-on(s) associated with the search engine hijacker.
  7. Nothing strange about it. The Eset off-line installer web site is always updated somewhat after the release hits the Eset update servers. Also, the situation is identical to the current status: the version update is offered prior to an official announcement in the forum. More so currently, in that it appears all the Eset support personnel are at some conference this week.
  8. AdwCleaner is not MBAM. It's free and usually quite effective in removing nuisanceware like this. It's a stand-alone on-demand scanner and should not conflict with EIS in any way. Just run it and have it remove anything it finds.
  9. AutoHotkey. It appears you're still infected with this bugger. Per the Trend Micro article, that variant used a .lnk file in a Win startup directory for persistence. On an infected device, check this directory, C:\Users\xxxxxxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup, for any .lnk files present. If they exist, check what they are pointing to. It might just be this AutoHotkey malware. Note that persistence can be achieved by a number of methods other than the above: registry Run keys, scheduled tasks, creation of a Win service, WMI event consumers, etc. -EDIT- In the Faux Kaspersky malware instance that more closely exhibits the behavior you are experiencing, persistence was had via: So you want to closely examine any sub-directories in C:\Users\xxxxxxx\AppData\Roaming\ for a directory created by the malware. And again, look in this directory, C:\Users\xxxxxxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup, for any .exe's or other files present. Normally, this directory is empty aside from a hidden OS-level autorun.ini file that it appears this variant also modified.
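An added example (not part of itman's post above, and not code from Trend Micro or Eset): a read-only PowerShell sweep of the persistence locations the post lists, so that the Startup folders, Run keys, scheduled tasks, services and WMI event subscriptions can be checked in one pass instead of by hand. It assumes Windows 8 / Server 2012 or later (for Get-ScheduledTask and Get-CimInstance) and an elevated prompt; it reports what it finds and changes nothing.

```powershell
# Added example, not part of itman's post: read-only sweep of the persistence
# locations listed above. Run from an elevated PowerShell prompt so that HKLM,
# all-users tasks, services and the WMI subscription namespace are readable.

function Get-StartupFolderItems {
    # Both Startup folders; -Force includes hidden files.
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in @([Environment]::GetFolderPath('Startup'),
                          [Environment]::GetFolderPath('CommonStartup'))) {
        Get-ChildItem -LiteralPath $folder -Force -File -ErrorAction SilentlyContinue | ForEach-Object {
            $target = $null
            if ($_.Extension -ieq '.lnk') {
                # Resolve where the shortcut really points, arguments included.
                $lnk = $shell.CreateShortcut($_.FullName)
                $target = "$($lnk.TargetPath) $($lnk.Arguments)".Trim()
            }
            [pscustomobject]@{ Source = 'StartupFolder'; Location = $_.FullName; Target = $target }
        }
    }
}

function Get-RunKeyEntries {
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    # Get-ItemProperty adds these provider properties; they are not registry values.
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }
            [pscustomobject]@{ Source = 'RunKey'; Location = "$key\$($p.Name)"; Target = $p.Value }
        }
    }
}

function Get-TaskActions {
    # Everything outside the \Microsoft\ task tree; vendor and malware tasks live here.
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
            $task = $_
            foreach ($a in $task.Actions) {
                if ($a.Execute) {
                    [pscustomobject]@{ Source   = 'ScheduledTask'
                                       Location = "$($task.TaskPath)$($task.TaskName)"
                                       Target   = "$($a.Execute) $($a.Arguments)".Trim() }
                }
            }
        }
}

function Get-ServicesOutsideWindowsDir {
    # A service binary that is not under the Windows directory deserves a second look.
    Get-CimInstance -ClassName Win32_Service | Where-Object {
        $_.PathName -and $_.PathName -notmatch '^"?[A-Za-z]:\\Windows\\'
    } | ForEach-Object {
        [pscustomobject]@{ Source = 'Service'; Location = $_.Name; Target = $_.PathName }
    }
}

function Get-WmiEventSubscriptions {
    # Permanent WMI subscriptions: the consumer is what runs, the filter is the trigger.
    $ns = 'root\subscription'
    Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Source = 'WMI CommandLineEventConsumer'; Location = $_.Name
                           Target = "$($_.ExecutablePath) $($_.CommandLineTemplate)".Trim() }
    }
    Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Source = 'WMI ActiveScriptEventConsumer'; Location = $_.Name; Target = $_.ScriptText }
    }
    Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Source = 'WMI __EventFilter'; Location = $_.Name; Target = $_.Query }
    }
}

$report = @(Get-StartupFolderItems) + @(Get-RunKeyEntries) + @(Get-TaskActions) +
          @(Get-ServicesOutsideWindowsDir) + @(Get-WmiEventSubscriptions)
$report | Format-Table -AutoSize -Wrap

# Optional: save a baseline from a known-clean machine and compare later runs against it.
# $report | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\persistence-baseline.csv"
```

Anything in the Startup folder that is not a shortcut you recognise, any Run value or task action pointing into a user-writable directory such as AppData\Roaming, and any WMI consumer at all on a home PC are the items to investigate first; resolving the .lnk target is what tells you whether the shortcut is the AutoHotkey payload the post suspects.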
  10. Is this still an issue? If the license key was entered correctly, it is usually a temporary access issue with the Eset license activation servers. Retrying again after a short period of time usually resolves the issue.
  11. Where are the folders located? If they exist in a C:\Windows sub-directory, for example, the access error is most likely being generated by the OS.
  12. It also appears updating ExpressVPN might solve this issue: https://forum.eset.com/topic/21012-7g6njejxcom-pop-up/?do=findComment&comment=102270
  13. -EDIT- The first thing to check is that Eset's Anti-Phishing protection is enabled in the Eset GUI Web and Email section. There is a very long discussion on this issue in another forum thread. It turns out the person had a corrupted Firefox profile. He had to uninstall Firefox and delete everything associated with it file-wise, including his old profile file. He then reinstalled Firefox and the AMTSO Phishing Page was detected.
  14. Not so sure on that one. As I posted in the other thread on this issue, some were receiving the Eset alert with no desktop-initiated processes running. Resolution might require full ExpressVPN removal until they resolve the issue. A workaround would be to create an Eset firewall rule to block outbound TCP/UDP network traffic from C:\Program Files (x86)\ExpressVPN\xvpnd\xvpnd.exe to IP address 3.218.219.179. Note that this rule must be placed above any existing C:\Program Files (x86)\ExpressVPN\xvpnd\xvpnd.exe rules. Also verify the directory ExpressVPN is installed in. On x64 systems, it may be in C:\Program Files instead. Alternatively, one could create an entry in Eset's Web Access Protection "List of blocked addresses" for *.7g6njejx.com/* . This method would be more effective if ExpressVPN changed the IP address being used.
  15. It appears to be a beacon installed in the ExpressVPN browser extension. Removing the extension fixes the Eset detection alerts. The question is whether that extension is necessary for ExpressVPN to properly handle browser network traffic. In any case, folks need to contact ExpressVPN about this issue. What doesn't make any current sense is how a browser extension could result in Eset throwing the alert when the browser wasn't open, as some posters have indicated. As such, an infected browser extension might only be a partial explanation of this issue. Current resolution might require full removal of ExpressVPN until it can resolve the issue and issue a new product download. A workaround would be to create an Eset firewall rule to block outbound TCP/UDP network traffic from C:\Program Files (x86)\ExpressVPN\xvpnd\xvpnd.exe to IP address 3.218.219.179. Note that this rule must be placed above any existing C:\Program Files (x86)\ExpressVPN\xvpnd\xvpnd.exe rules. Also verify the directory ExpressVPN is installed in. On x64 systems, it may be in C:\Program Files instead. Alternatively, one could create an entry in Eset's Web Access Protection "List of blocked addresses" for *.7g6njejx.com/* . This method would be more effective if ExpressVPN changed the IP address being used.
  16. Why do you care, since you have already updated to it using the download link @Marcos previously posted?
  17. In the e-mail, is there a session ID? If so, you should be able to use that to connect here: https://helpus.eset.com/ .
  18. Make sure when you run the online scanner, you do so with at least local Admin privileges.
  19. If you don't recognize the sender, just don't open the e-mail and delete it instead. Also, an e-mail client such as Thunderbird has an option to display full e-mail header data. This will show full sender data, which is useful in determining if the e-mail is legit.
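An added example, not part of itman's post: a PowerShell check that takes a raw header block of the kind Thunderbird's full-header view shows, unfolds the continuation lines, and flags the inconsistencies a phishing message tends to carry (Return-Path or Reply-To domain not matching the From domain; SPF, DKIM or DMARC results other than pass in the receiving server's Authentication-Results line). It also prints the Received chain so the real sending host can be read off. The header block in the script is constructed for illustration and is not from any real message.

```powershell
# Added example, not part of itman's post. $SampleHeaders is a constructed header
# block, not a real message; paste your own full headers into it to run the same checks.

$SampleHeaders = @'
Return-Path: <bounce@mail.example-sender.net>
Received: from relay.example-sender.net (relay.example-sender.net [203.0.113.10])
  by mx.example.com with ESMTPS id 4XyZ12abc
  for <you@example.com>; Mon, 7 Oct 2019 10:00:03 +0000
Received: from [198.51.100.23] (unknown [198.51.100.23])
  by relay.example-sender.net with ESMTPA id 77abc;
  Mon, 7 Oct 2019 10:00:01 +0000
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-sender.net;
  dkim=fail header.d=yourbank.example; dmarc=fail header.from=yourbank.example
From: "Your Bank Security" <security@yourbank.example>
Reply-To: helpdesk@free-mail.example
To: you@example.com
Subject: Action required: verify your account
'@

function ConvertFrom-MailHeaders {
    param([Parameter(Mandatory)][string]$Raw)
    # RFC 5322 folding: a line that starts with whitespace continues the previous header.
    $unfolded = $Raw -replace "`r?`n[ \t]+", ' '
    $h = @{}
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match '^([!-9;-~]+):\s*(.*)$') {
            $name  = $Matches[1].ToLower()
            $value = $Matches[2]
            # Received appears once per hop; keep every occurrence in order.
            if ($h.ContainsKey($name)) { $h[$name] = @($h[$name]) + $value } else { $h[$name] = $value }
        }
    }
    $h
}

function Get-MailDomain {
    param([string]$Address)
    if ($Address -match '@([A-Za-z0-9.-]+)') { $Matches[1].ToLower() } else { $null }
}

function Test-MailHeaders {
    param([Parameter(Mandatory)][hashtable]$Headers)
    $findings     = @()
    $fromDomain   = Get-MailDomain ([string]$Headers['from'])
    $returnDomain = Get-MailDomain ([string]$Headers['return-path'])
    $replyDomain  = Get-MailDomain ([string]$Headers['reply-to'])
    if ($returnDomain -and $returnDomain -ne $fromDomain) {
        $findings += "Return-Path domain ($returnDomain) differs from From domain ($fromDomain)"
    }
    if ($replyDomain -and $replyDomain -ne $fromDomain) {
        $findings += "Reply-To domain ($replyDomain) differs from From domain ($fromDomain)"
    }
    # Authentication-Results is written by your own receiving server, so it is the
    # one header here the sender could not forge.
    $auth = [string]$Headers['authentication-results']
    foreach ($mech in 'spf', 'dkim', 'dmarc') {
        if ($auth -match "$mech=(\w+)" -and $Matches[1] -ne 'pass') {
            $findings += "$mech result: $($Matches[1])"
        }
    }
    $findings
}

$headers = ConvertFrom-MailHeaders -Raw $SampleHeaders
Write-Output 'Received chain (the last entry is the hop closest to the sender):'
@($headers['received']) | ForEach-Object { "  $_" }
Write-Output 'Findings:'
Test-MailHeaders -Headers $headers | ForEach-Object { "  SUSPICIOUS: $_" }
```

On the constructed sample this reports a Return-Path and a Reply-To that do not belong to the claimed From domain and DKIM/DMARC failures, while the bottom Received line shows the message entered the sender's relay from a bare IP address rather than from anything belonging to the bank. A legitimate message can still trip one of these (mailing-list relays commonly break DKIM), so treat the findings as reasons to verify through another channel, not as proof on their own.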
  20. You're the second person to post about this URL. It could be a false positive from Eset. The IP address points to an Amazon Internet backbone server. When the alert appears again, click on the down arrow pointer "Details." This should show what process is performing the network connection. Also check Eset's Filtered Websites log. There should be entries there showing the source process. Submit the URL address to Eset via the Eset GUI as a suspicious process, with verbiage duplicating what you have posted in this thread.
  21. I assume this alert is appearing when a browser is open? The detection name would indicate Eset is blocking some malicious adware displayed on a web page.
  22. When the alert appears again, click on the down arrow pointer "Details." This should show what process is performing the network connection. Also check Eset's Filtered Websites log. There should be entries there showing the source process.
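An added example, not from any of itman's posts, that covers the checks in posts 14, 15, 20 and 22 from the command line rather than the Eset GUI: it lists which local process currently holds a TCP connection to the IP address quoted in those posts and resolves where xvpnd.exe is actually installed, since the posts note the path differs between systems. The IP address and the two install paths are the ones given in the posts; nothing else is assumed, and the script changes nothing. Because UDP is connectionless there is no remote address to filter on, so for UDP it lists the daemon's local sockets instead.

```powershell
# Added example, not part of itman's posts: tie the IP address in the Eset alert to
# the local process that opened the connection, and confirm where xvpnd.exe lives.
# Read-only. Run from an elevated prompt so the image path of service processes is visible.

$AlertedIp = '3.218.219.179'   # the address quoted in the posts above

function Get-ConnectionsToRemote {
    param([Parameter(Mandatory)][string]$RemoteAddress)
    # Get-NetTCPConnection carries the owning PID; join it to Get-Process for the image path.
    Get-NetTCPConnection -RemoteAddress $RemoteAddress -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            State      = $_.State
            LocalPort  = $_.LocalPort
            RemotePort = $_.RemotePort
            PID        = $_.OwningProcess
            Process    = $proc.ProcessName
            Path       = $proc.Path
        }
    }
}

function Get-ExpressVpnDaemonInfo {
    # The posts note the install directory differs between systems: check both
    # Program Files roots, then prefer the running process's own image path.
    $roots  = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $onDisk = foreach ($root in $roots) {
        $candidate = Join-Path -Path $root -ChildPath 'ExpressVPN\xvpnd\xvpnd.exe'
        if (Test-Path -LiteralPath $candidate) { $candidate }
    }
    $procs = @(Get-Process -Name xvpnd -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        OnDisk  = @($onDisk)
        Running = @($procs | ForEach-Object { $_.Path })
        Pids    = @($procs | ForEach-Object { $_.Id })
    }
}

$info = Get-ExpressVpnDaemonInfo
Write-Output 'xvpnd.exe locations:'
$info | Select-Object OnDisk, Running | Format-List

Write-Output "Live TCP connections to ${AlertedIp}:"
$conns = @(Get-ConnectionsToRemote -RemoteAddress $AlertedIp)
if ($conns.Count) { $conns | Format-Table -AutoSize }
else { Write-Output '  none right now; a beacon is periodic, so re-run this while the Eset alert is on screen' }

# UDP has no remote address to filter on, so list the daemon's UDP sockets instead.
if ($info.Pids.Count) {
    Write-Output 'UDP endpoints owned by xvpnd.exe:'
    Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Where-Object { $_.OwningProcess -in $info.Pids } |
        Format-Table LocalAddress, LocalPort, OwningProcess -AutoSize
}
```

If the Path column shows a browser rather than xvpnd.exe, the extension explanation in post 15 fits; if it shows xvpnd.exe with no browser open, the service itself is beaconing and the Eset firewall rule in posts 14 and 15 (written against the path this script reports, not a guessed one) is the workaround that will actually match.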
  23. Since I happened to come across this, it also could be a factor with anyone still having Eset registration issues with Windows Security center: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility
  24. A few other e-mail security comments. Clicking on any e-mail client link is "risky business." For maximum security, one should always copy the link to a browser and open it there. For anti-phishing testing, I use this web site, which I consider the best source of phishing domains on the web: https://phishbank.org/#/ . My experience is that whatever Eset doesn't detect there (and by the way, it scores quite well), the uBlock extension for Firefox and Chrome using its standard protection lists will detect.