Jump to content


Most Valued Members
  • Content Count

  • Joined

  • Last visited

  • Days Won


Everything posted by itman

  1. I will say this in regards to anyone still using Win 7. Abobe FlashPlayer is by far the most vulnerable app ever developed. As such, it is also the most exploited app by malware developers. Win 7 is no longer supported by Microsoft and as a result is no longer receiving any security updates. If a new security vulnerability in Win 7 is discovered by malware developers, it could be used to exploit FlashPlayer or anything else for that matter. Time for anyone on Win 7 to upgrade to Win 10.
  2. I will also add that Win32/Delf detections almost universally are associated with malware installing a malcious Win service. Also, a characteristic of rootkits. The key to eliminating this rootkit is to identify the malicious service and remove it.
  3. This is correct: https://help.eset.com/eis/13/en-US/idh_page_status.html If the Cyrillic language popup appeared on the desktop, it most likely was malware related. However, there is no direct evidence at this point that this popup is related to your recent FlashPlayer update.
  4. There's a posting about this on the Adobe forum website: https://community.adobe.com/t5/flash-player/adobe-flashplayer-update-malware-how-do-i-remove-it/td-p/11131261?page=1 This gist of the posting is that the OP originally thought he was infected by the flashplayer32au_a_install.exe download. It turns out that this download appears to be the same as the flashplayer32_xa_install.exe download with slightly different security permission settings. Now the flashplayer32au_a_install.exe download is the one received via use of FlashPlayer internal updater. The flashplayer32_xa_install.exe is the one received via manual download from the Adobe web site. It may well be that Eset is throwing a false positive detection in regards to the flashplayer32au_a_install.exe download for some reason. Further prove for this assumption is I submitted this download; to VirusTotal for a scan: https://www.virustotal.com/gui/file/6ba18bf8f9d3ca2ee1751b0f7c58b1d41d808089b1918e4f7e47420bb099e85d/detection . There were zero detections.
  5. Post if it shows up again. My suspicions are it will reappear after you reboot or perform system startup after a previous system shutdown.
  6. As I posted previously, it appears that nothing was wrong with the FlashPlayer installer you downloaded. But rather that your laptop device was infected with Kryptik malware; most likely the existing FlashPlayer installation was infected. Although the full Eset scan of Eset showed no malware present, the Eset renewal popup in what appears to be Cyrillic language; e.g. Russian, is not a good sign. It would be indicative of a possible compromised Eset installation. Or the renewal popup you are observing is a fake one being possibly generated by the Kryptik or some other malware. I've tried to convert the renewal popup screen shot you posted to a .txt file so I could translate to English what it says. No success on that. Open the Eset GUI. Is everything there shown in English language? I assume it is since you haven't commented otherwise.
  7. Here's what I believed happened in regards to the original Eset Win32/Kryptik.KGY alert. The downloaded FlashPlayer installer was not infected per se. Part of that installer processing would be to uninstall the existing version of Abode FlashPlayer on the device. It was during this processing that Eset detected Krypytik malware. In other words, the existing Abode FlashPlayer installation or files associated with it had been infected with Krypytik malware. Run a full scan on the device where the Eset alert appeared; i.e. custom scan selecting "This PC" checkbox, which will populate all subordinate settings - operating memory, boot sectors, and all hard drives. Select the "Scan as Administrator" tab. Then review scan results for any Eset detections.
  8. Your screen shot shows that the Eset detection was memory based. As such, offline scanning would not have detected it. The shown Eset detection is a post-execution one. That is the FlashPlayer installer had loaded into memory and began executing.
  9. Ese't Web access protection does limited DNS validation processing; i.e.
  10. OP is running Win 7. As such, it's not possible to update FlashPlayer via Win Updating anymore.
  11. The download installer for FlashPlayer includes bundled McAfee security add-ons: https://get.adobe.com/flashplayer/npapi/ . If you didn't manually exclude those during the installation process, Eset might be triggering on those add-ons and identifying them as Kryptik malware versus flagging them as PUA's.
  12. The default setting for the Win Update service in Win 10 1909 and I assume 2004, is manual(triggered). In other words, the OS starts the service as needed and then terminates when Win Updating completes. The service is set this way on my Win 10 1909 build and I have had no issues with Win Updating with EIS 13.1.21 installed. My opinion is for anyone having issues with Win Updates, the issue is not with Eset SSL/TLS protocol scanning but rather with the Win Update feature itself. Win Updating on all OS versions is notoriously buggy and frequently becomes corrupted for various reasons.
  13. If your objective by switching to SSL/TLS protocol scanning Interactive mode is to exclude Eset's scanning of a given web site, this can be done manually. Refer to the below screen shot. Open your browser. Then open Eset GUI. Then select Setup -> Internet protection -> Web access protection -> Web and Email -> SSL/TLS -> List of known certificates -> mouse click on the Add tab. Enter URL for the web site whose certificate you wish to exclude from scanning. Mouse click on the OK tab. Eset will auto populate the certificate data. Finally, set Scan action to Ignore. Click on OK tab and every subsequent OK tab to save your changes.
  14. If these are cracked versions of Eset, it is doubtful they will be fully functional. For example, signature and module updating. Then there is the issue why anyone in their "right security mind" would use cracked AV software.
  15. As far as I am aware of, Eset's online scanner has all the features its installed paid version has in regards to file scanning. That would include heuristics, in program sandboxing, and the like. Assumed that would also include file uploading of any malicious detections since Eset uses those for analysis purposes. Also note that heuristic analysis is most beneficial when analyzing executable's at startup time. Your only going to have that capability if you purchase the full Eset version that includes real-time, HIPS, Advanced Memory Scanning, Advanced Machine Learning, and Deep Behavior Inspection protections.
  16. See this thread for reference: https://forum.eset.com/topic/13785-detected-arp-cache-poisoning-attack/
  17. Following up on @Nightowl posting, here is a detailed analysis done by Kaspersky on four VNC products including UltraVNC: https://ics-cert.kaspersky.com/media/KASPERSKY_ICS_CERT_VNC_VULN_EN.pdf .
  18. FYI: https://www.netsparker.com/blog/web-security/brave-browser-sacrifices-security/
  19. Reading through all the numerous web postings on how to stop Chrome and Google updating, the Group Policy method appears to be the best method: https://stackoverflow.com/questions/18483087/how-to-disable-google-chrome-auto-update . However, one needs a Win Pro+ version to use Group Policy. In the same above linked thread was posted: Therefore I recommend you create a new Eset HIPS user rule to do the equivalent. The screen shots given below show how to do this. After mouse clicking on the Finish tab shown in the last screen shot, mouse click on any subsequent OK tab shown to save the HIPS rule.
  20. Finally and most important, this article is a must read: UltraVNC – a security nightmare https://infosec-handbook.eu/blog/uvnc-vulnerabilities/
  21. Also the default inbound local ports UltraVNC uses are: https://www.uvnc.com/docs/uvnc-server.html
  22. The source process involved is related to UltraVNC. Assuming you have legitimately installed this app, its storage location looks suspicious. Normally, winvnc.exe runs from this directory, C:\Program Files\UltraVNC\winvnc.exe: https://www.bleepingcomputer.com/startups/winvnc.exe-17948.html Note that in your posted screen shot, winvnc.exe is running from this directory, C:\Program Files\uvncbvba\UltraVNC\. This looks suspicious to me.
  23. Assuming the IP address shown is within your local subnet, it appears the device has a configuration problem. It is broadcasting ARP packets to other devices within the local subnet and forgot to exclude itself as a target destination.
  24. Also in the referenced posting, the Eset log entry showed svchost.exe: Do not move that file! As noted in that posting, the rootkit was actually a .dll file.
  25. See my edited post. File move needs to be done in safe move. File won't show in normal Win mode.
  • Create New...