Hi ESET developers,

I have a problem with ESET Internet Security. The ESET service startup type is set to Manual, and after boot it doesn't launch ESET, so I have to manually start ekrn and then run ESET.

Any solution? Thanks!

Answers for common questions:

Yes, I tried reinstalling ESET.

  • Administrators

Please provide a Procmon boot log (read https://support.eset.com/kb6308/ - steps 1-4 and then follow the instructions Gather boot log files). Also collect logs with ELC. When done, upload both archives to a safe location and drop me a message with download links.

Before you start, temporarily disable Protected service in the HIPS setup and reboot the machine.

  • Administrators

As the logs showed, you have Sophos installed and running. Try running the batch file listed at https://support.home.sophos.com/hc/en-us/articles/115005679923-Unable-to-uninstall-Sophos-Home in safe mode.


As far as I am aware, the Eset Service needs to be set to Automatic as shown in the below screen shot. I have no clue as to why it would be set to manual.

Also, you can't change its start up mode using the Win Administrator tool since the reg. key is protected. You will probably have to use regedit.exe and take ownership of the reg. key, if Eset allows that, and set the start up mode to a value of "2." If you don't know what I am talking about by "taking ownership," don't attempt it. If you take ownership, make sure you remove yourself after making the modification.

Edited by itman
  • ESET Insiders

Boot the computer into safe mode.

  • Change ESET Service startup type to Automatic.
  • Check the Recovery tab and ensure all failure actions are set to "Restart the Service".
  • Reboot

 

Edited by stackz
10 hours ago, itman said:

As far as I am aware, the Eset Service needs to be set to Automatic as shown in the below screen shot. I have no clue as to why it would be set to manual.

Also, you can't change its start up mode using the Win Administrator tool since the reg. key is protected. You will probably have to use regedit.exe and take ownership of the reg. key, if Eset allows that, and set the start up mode to a value of "2." If you don't know what I am talking about by "taking ownership," don't attempt it. If you take ownership, make sure you remove yourself after making the modification.


How to do that?

 

4 hours ago, stackz said:

Boot the computer into safe mode.

  • Change ESET Service startup type to Automatic.
  • Check the Recovery tab and ensure all failure actions are set to "Restart the Service".
  • Reboot

 

After I did it, the first restart launched ESET, the second restart did not.

  • ESET Insiders

Download Autoruns and extract the zip to its own directory.

Run Autoruns as Administrator. Once it starts, press the Esc key and configure as follows:

  • Under Options, make sure everything is unchecked except for 'Hide Empty Locations'
  • Under Options -> Scan Options, make sure that 'Verify code signatures' is checked.
  • Press Refresh (F5) to restart the scan.

When it has finished, Save the log (Ctrl+S) as the default Autoruns data type (*.arn)
Zip the log and attach to your next post.

  • Administrators

It appears that your computer is infected. There are malicious DNS servers used: 82.163.143.176, 82.163.142.178. If you have IPv4 configured to obtain an IP address automatically from a DHCP server, check your router's setup and configure it to use Google's DNS 8.8.8.8 or 8.8.4.4.

It is also weird that many legitimate processes aren't showing the status "running" but "unknown".

Besides that, run a full disk scan with ESET Online Scanner or better from a rescue disk.

I've also noticed that you have HIPS disabled. Re-enable it as soon as you get things working. Also you have a CoinMiner PUA excluded. If that was not deliberately excluded, remove it from the exclusion list.


@stackz hxxp://www.mediafire.com/file/2atdah11cpboad3/JOVAN-PC.arn

@Marcos I already scanned my PC with ESET Internet Security.

I disabled HIPS cuz I tried setting the ESET service to Automatic.

I changed the router's DNS IPv4 1 and IPv4 2 to 8.8.8.8 and 8.8.4.4; the third IPv4 is blank (0.0.0.0). I also changed my PC's DNS to the same.

When I scanned with EIS, it found CoinMiner in my Explorer.exe. After it fixed it, I restarted the PC and Internet Explorer wouldn't work. I did an sfc scannow and it fixed it.

 

 

  • ESET Insiders

You need to remove all the leftovers from Qihoo Total Security.

Run Autoruns (as admin) and when it has finished scanning scroll down until you see the publisher as Qihu/Qihoo 360.
Go to the file that the autoruns entry points to and delete the file. Then right click on the Autoruns entry and delete.

Note: You may need to do this in safe mode.

Edited by stackz
5 hours ago, Isee The Enemy said:

When I scanned with EIS, it found CoinMiner in my Explorer.exe. After it fixed it, I restarted the PC and Internet Explorer wouldn't work. I did an sfc scannow and it fixed it.

Is the Eset Service now set to Automatic and is starting at boot time? If not, you still have major problems.


Based on the DNS server IP addresses @Marcos previously posted, I strongly suspect that Counterflix Adware has been modified to include a malicious coin miner component. You can read about Counterflix here: https://www.bleepingcomputer.com/virus-removal/remove-ad-by-counterflix-and-rockettab . Since the article w/removal instructions dates to 2/2017, it is debatable if those removal instructions would work against this current variant.

The most serious problem is it appears this malware has been able to disable ekrn.exe startup. Without ekrn.exe running, Eset is basically non-functional. At this point, I would strongly recommend you not use your PC for e-commerce activities; especially online banking.

I suggest you contact your in-country Eset customer support for assistance in removing this malware from your PC.

 

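A read-only check for the two symptoms raised in this thread, the ESET service start value and the DNS servers flagged above, given here as an added example that is not part of any post. It assumes the service is registered under the name `ekrn` and that PowerShell 3 or later is available; the function names are illustrative, and nothing is modified.

```powershell
# Added example: read-only triage, changes no settings.
# Assumption: the ESET service key is named 'ekrn'.
$ServiceName = 'ekrn'
# DNS servers named as malicious earlier in this thread.
$FlaggedDns  = @('82.163.143.176', '82.163.142.178')

# 'Start' values stored under HKLM\SYSTEM\CurrentControlSet\Services\<name>.
$StartNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-ServiceStartState {
    param([string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Service = $Name; Start = $null; Mode = 'NotInstalled'; Status = $null; Ok = $false }
    }
    $start  = (Get-ItemProperty -Path $key -Name Start).Start
    $svc    = Get-Service -Name $Name -ErrorAction SilentlyContinue
    $status = 'Unknown'
    if ($svc) { $status = $svc.Status }
    [pscustomobject]@{
        Service = $Name
        Start   = $start                      # 2 is the value the thread says is required
        Mode    = $StartNames[[int]$start]
        Status  = $status
        Ok      = ($start -eq 2)
    }
}

function Get-DnsServerFindings {
    param([string[]]$Flagged)
    # One row per DNS server on each IP-enabled adapter.
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            foreach ($server in $_.DNSServerSearchOrder) {
                [pscustomobject]@{
                    Adapter = $_.Description
                    Dhcp    = $_.DHCPEnabled   # True: the address likely came from the router
                    Dns     = $server
                    Flagged = ($Flagged -contains $server)
                }
            }
        }
}

Get-ServiceStartState -Name $ServiceName | Format-List
Get-DnsServerFindings -Flagged $FlaggedDns | Format-Table -AutoSize
```

Run it from an elevated prompt after each reboot; a `Start` value that drifts away from 2 again, or a flagged DNS row that reappears on a DHCP adapter, means the cause has not been removed.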
1 hour ago, Isee The Enemy said:

How can I ECS?

If you mean how do you contact Eset technical support, regional telephone numbers are listed here: https://www.eset.com/us/about/contact/

You can also contact Eset technical support via e-mail directly from the Eset GUI as shown in the below screen shot:

On 4/28/2018 at 8:00 PM, itman said:

Based on the DNS server IP addresses @Marcos previously posted, I strongly suspect that Counterflix Adware has been modified to include a malicious coin miner component. You can read about Counterflix here: https://www.bleepingcomputer.com/virus-removal/remove-ad-by-counterflix-and-rockettab . Since the article w/removal instructions dates to 2/2017, it is debatable if those removal instructions would work against this current variant.

The most serious problem is it appears this malware has been able to disable ekrn.exe startup. Without ekrn.exe running, Eset is basically non-functional. At this point, I would strongly recommend you not use your PC for e-commerce activities; especially online banking.

I suggest you contact your in-country Eset customer support for assistance in removing this malware from your PC.

 

Thank you so much! 

I did the steps described in that link and now ESET starts up at Windows startup!

 
