
itman

Most Valued Members
  • Posts

    12,167
  • Joined

  • Last visited

  • Days Won

    319

Posts posted by itman

  1. 15 minutes ago, SeriousHoax said:

    Also, I'm curious to know if "ESET Browser Privacy & Security" extension with Secure Search works in Brave. Do you know

    It does not support Brave;

    Quote

    Browser Privacy & Security

    You can enable the Browser Privacy & Security feature through a custom extension available on supported browsers (Google Chrome, Mozilla Firefox and Microsoft Edge only).

    https://help.eset.com/essp/17/en-US/banking_and_payment_protection.html?idh_config_bps.html

  2. 2 hours ago, Purpleroses said:

    I looked in my Eset and it says it was cleaned by deleting. Does that mean I don't have a virus on my computer?

    Yes.

    However, you are using Brave browser. Brave is not a Secured Browser protection supported browser. This leaves you vulnerable to browser memory based code injection attacks, keyloggers, etc.

  3. 5 hours ago, Karlend said:

    Well. I found the file in the folder that I said about initially, in a folder called "Logs". File named "hipslog", and its size is about 130 GB (holy molly).

    Did you enable the HIPS setting shown in the below screenshot? On the other hand, I don't know why Eset HIPS would be blocking that many transactions to create a log of this size.


  4. First, what is msrdc.exe;

    Quote

    MSRDC.exe is a process belonging to the Microsoft Remote Desktop Connection software.

    It's responsible for allowing users to remotely connect to other computers or virtual machines. This tool enables users to access and control a remote desktop over a network connection. It is commonly used in business and enterprise environments to provide IT support, work remotely, and access resources on a main office network.

    https://spyshelter.com/exe/microsoft-corporation-msrdc-exe

    Appears MS Office apps are trying to modify RDP to establish a remote connection to something? Doesn't appear to be legit activity to me.

  5. Instructions for use of Eset's decryptor for TeslaCrypt here: https://support.eset.com/en/kb6051-how-do-i-clean-a-teslacrypt-infection-using-the-eset-teslacrypt-decrypter. It supposedly works on ver. 3.0 and 4.0 of TeslaCrypt.

    If this is the decryptor you used and it didn't work, my guess is you got nailed by a TeslaCrypt variant that is not decryptable.

  6. 3 hours ago, Ahmeduchiha said:

    What is the difference between both apps?

    Outlook is included as part of MS Office Pro or via MS Office 365 subscription. It can be purchased from MS Store here: https://www.microsoft.com/en-us/microsoft-365/p/outlook/cfq7ttc0hlkq?activetab=pivot:overviewtab

    Also, as this article notes: https://support.eset.com/en/kb2138-email-clients-compatible-with-windows-eset-products, Eset currently only supports Outlook via the e-mail scanning plug-in option.

  7. 29 minutes ago, howardagoldberg said:

    The issue only occurs on a 10+ year old system with a mechanical hard drive. My best guess is that the warning is triggered after a timeout period (the computer takes quite a while to boot up), even though it is likely functioning normally.

    My system is 13 years old also using two HDDs. I have been using Win 10 since 2016 with Eset installed and have never seen this AMSI error.

  8. 11 minutes ago, Ahmeduchiha said:

    Thank you so much for your reply, I found that Adguard for windows is the cause of the problem

    This has been discussed previously in the forum. Both Adguard installed ver. and Eset use the Windows Filtering Platform. To use both Adguard installed and Eset concurrently, you must disable AdGuard's use of Windows Filtering Platform as shown here: https://adguard.com/kb/adguard-for-windows/solving-problems/wfp-driver/.

  9. 3 hours ago, ELOGA said:

    In our case, and possibly for others also, this seems like it might be a possible conflict between Malwarebytes and ESET?

    This was discussed in another forum thread which I currently can't find.

    MBAM is now a full fledged AV solution and as such now registers itself in Windows Security Center as Eset does. Windows 10/11 only allows one third party AV to register itself as the active real-time AV solution. This is where the conflict is and the source of the Eset AMSI error. Why this just recently started with devices having both MBAM - real-time mode and Eset installed only Microsoft knows. The only solution is to disable MBAM real-time mode and run it as an on-demand second opinion AV.
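    One way to see what the post is describing, as an added example that is not part of the original post: this PowerShell snippet lists every AV product registered in Windows Security Center and decodes its productState, so two products both showing real-time protection "on" is the conflict the post refers to. It assumes the commonly documented productState layout (middle byte 0x10 = enabled, low byte 0x00 = definitions up to date) and the root/SecurityCenter2 namespace, which exists on Windows 10/11 client editions.

```powershell
# Added example, not code from the forum post or from ESET/Malwarebytes.
# Assumption: productState is a 24-bit value whose middle byte is 0x10 when
# real-time protection is on and whose low byte is 0x00 when definitions are
# current (the widely used Security Center decoding).
function Get-RegisteredAV {
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
        ForEach-Object {
            $state = [int]$_.productState
            [pscustomobject]@{
                Product      = $_.displayName
                ProductState = ('0x{0:X6}' -f $state)
                RealTimeOn   = (($state -band 0xF000) -eq 0x1000)   # middle byte 0x1x
                UpToDate     = (($state -band 0x00FF) -eq 0x0000)   # low byte 0x00
                Path         = $_.pathToSignedProductExe
            }
        }
}

# Everything registered with Security Center
Get-RegisteredAV | Format-Table -AutoSize

# Products Windows currently treats as active real-time AV; more than one
# third-party entry here is the MBAM/Eset overlap described in the post
$active = Get-RegisteredAV | Where-Object RealTimeOn
if (@($active).Count -gt 1) {
    Write-Warning ("Multiple real-time AV products registered: " +
        (($active | ForEach-Object Product) -join ', '))
}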

  10. I assume he's connecting to Zoom via Chrome browser;

    Quote

    Google Chrome

    1. Open the Chrome browser.
    2. Go to join.zoom.us.
    3. Enter your meeting ID provided by the host/organizer.
    4. Click Join.
      • If this is your first time joining from Google Chrome, you will be asked to open the Zoom desktop client to join the meeting.
      • (Optional) Select the Always open these types of links in the associated app check box to skip this step in the future.
      • In the pop-up window, click Open Zoom Meetings (PC) or Open zoom.us (Mac).

    Alternatively, you can join the meeting without downloading or opening the Zoom app, by opening the meeting with the web client.

    https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0060732#collapseWeb

  11. 25 minutes ago, Tchenkko said:

    How are you sure it is malware?

    I have checked the machine with Eset and Mbam, and nothing found.


    At this point, I am not sure the source is malware based; I just gave an example.

    Check the server's network adapter settings in Windows. Is IPv6 enabled?

  12. 4 hours ago, Tchenkko said:

    How to find the machine fe80::350:xxxxxxxxxxx? It's an IPv6 address, and I use only IPv4 addresses?

    Refer to this posting in regards to how malware can install an IPv6 network interface: https://www.malwarebytes.com/blog/news/2021/03/perkiler-malware-turns-to-smb-brute-force-to-spread;

    Quote

    Once the machine is restarted, the malware will be executed as well. After its execution, the malware will start its propagation process: the malware will generate IP ranges and start scanning them on port 445. When a machine responds to the SMB probe on port 445, it will try to authenticate to SMB by brute-forcing usernames and passwords, or by trying to establish a null session.

    One interesting detail is that the malware will install an IPv6 interface on the infected machine to allow the malware to port scan IPv6 addresses as well as to maximize the efficiency of the spread over (usually unmonitored) IPv6 subnets.
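    A defender-side check for the advice above (is IPv6 enabled, and which interface owns a link-local fe80:: address seen in a log), as an added example that is not part of the original post or of the Malwarebytes article: it lists adapters with IPv6 bound, flags any not on an admin-maintained expected list, and maps an address back to its interface. The $ExpectedAdapters names and the $SuspectAddress value are assumptions; run it in an elevated PowerShell session on the machine being checked.

```powershell
# Added example, not code from the forum post. Assumed values are marked.
$ExpectedAdapters = @('Ethernet')              # assumption: adapters you expect on this host
$SuspectAddress   = 'fe80::350:1111:2222:3333' # assumption: constructed stand-in for the logged address

# 1. Which adapters have the IPv6 transport (ms_tcpip6) bound and enabled?
$ipv6Bound = Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object Enabled
foreach ($b in $ipv6Bound) {
    $note = if ($ExpectedAdapters -contains $b.Name) { '' } else { '  <-- not in expected list' }
    "IPv6 bound on adapter: $($b.Name)$note"
}

# 2. Every IPv6 address on the box, including link-local fe80:: ones,
#    with the owning interface and how the address was assigned
Get-NetIPAddress -AddressFamily IPv6 |
    Select-Object InterfaceAlias, IPAddress, PrefixOrigin, SuffixOrigin |
    Sort-Object InterfaceAlias |
    Format-Table -AutoSize

# 3. Map the logged address back to a local interface, if it is ours...
$local = Get-NetIPAddress -AddressFamily IPv6 |
    Where-Object { $_.IPAddress -like "$SuspectAddress*" }
if ($local) {
    "Address $SuspectAddress belongs to local interface: $($local.InterfaceAlias)"
} else {
    # ...otherwise check the neighbour cache for the MAC of the remote host using it
    Get-NetNeighbor -AddressFamily IPv6 |
        Where-Object { $_.IPAddress -like "$SuspectAddress*" } |
        Select-Object InterfaceAlias, IPAddress, LinkLayerAddress, State
}

# 4. If an adapter should not carry IPv6 at all, unbind the transport on it
#    (review the list above first; example name is an assumption):
# Disable-NetAdapterBinding -Name 'Ethernet 2' -ComponentID ms_tcpip6
```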

  13. For the time being, I suspect that if you disable Safe Banking & Protection Secured browser memory protection prior to playing this game, it should allow these .dlls to establish a "hook" into the browser. Just make sure you re-enable the protection after done playing your game.

    Also now and in the future when this issue is fixed, you need to close the browser when done playing the game. This is to ensure these game .dll "hooks" have been cleared from browser memory space.

  14. The problem here is by your previously posted admission, you have been infected for months with this malware. The longer the malware remains resident, the more system damage that can be done; e.g. downloading of additional malware, etc.

    I recommend you ask for malware removal assistance at one of the like sites previously posted. These sites specialize in removing entrenched multiple malware.
