Isee The Enemy, posted April 12, 2018

Hi ESET developers, I have a problem with ESET Internet Security. The ESET service startup type is set to manual, and after boot it doesn't launch ESET, so I have to manually start ekrn and then run ESET. Any solution? Thanks!

Answers for common questions: Yes, I tried reinstalling ESET.

Marcos (Administrators), posted April 12, 2018

Please provide a Procmon boot log (read https://support.eset.com/kb6308/ - steps 1-4 and then follow the instructions Gather boot log files). Also collect logs with ELC. When done, upload both archives to a safe location and drop me a message with download links.

Before you start, temporarily disable Protected service in the HIPS setup and reboot the machine.

Isee The Enemy (Author), posted April 13, 2018

Here it is. www.mediafire.com/file/yt5o9rpxof75fdg/

Isee The Enemy (Author), posted April 14, 2018

Bump?

Marcos (Administrators), posted April 16, 2018

As the logs showed, you have Sophos installed and running. Try running the batch file listed at https://support.home.sophos.com/hc/en-us/articles/115005679923-Unable-to-uninstall-Sophos-Home in safe mode.

Isee The Enemy (Author), posted April 24, 2018

I uninstalled Sophos and reinstalled ESET after that, but the problem still exists.

galaxy, posted April 24, 2018 (edited)

When I started my PC yesterday, it did not start ESET again.

Isee The Enemy (Author), posted April 27, 2018

Any other help?

itman, posted April 27, 2018 (edited)

As far as I am aware of, the Eset Service needs to be set to Automatic as shown in the below screen shot. I have no clue as to why it would be set to manual.

Also, you can't change its start up mode using the Win Administrator tool since the reg. key is protected. You will probably have to use regedit.exe and take ownership of the reg. key, if Eset allows that, and set the start up mode to a value of "2." If you don't know what I am talking about by "taking ownership," don't attempt it. If you take ownership, make sure you remove yourself after making the modification.

stackz (ESET Insiders), posted April 28, 2018 (edited)

1. Boot the computer into safe mode.
2. Change ESET Service startup type to Automatic.
3. Check the Recovery tab and ensure all failure actions are set to "Restart the Service".
4. Reboot

Isee The Enemy (Author), posted April 28, 2018

10 hours ago, itman said:
> As far as I am aware of, the Eset Service needs to be set to Automatic as shown in the below screen shot. I have no clue as to why it would be set to manual. Also, you can't change its start up mode using the Win Administrator tool since the reg. key is protected. You will probably have to use regedit.exe and take ownership of the reg. key, if Eset allows that, and set the start up mode to a value of "2." If you don't know what I am talking about by "taking ownership," don't attempt it. If you take ownership, make sure you remove yourself after making the modification.

How to do that?

4 hours ago, stackz said:
> Boot the computer into safe mode. Change ESET Service startup type to Automatic. Check the Recovery tab and ensure all failure actions are set to "Restart the Service". Reboot

After I did it, first restart it launched ESET, second restart not.

stackz (ESET Insiders), posted April 28, 2018

1. Download Autoruns and extract the zip to its own directory.
2. Run Autoruns as Administrator. Once it starts, press the Esc key and configure as follows:
   - Under Options, make sure everything is unchecked except for 'Hide Empty Locations'.
   - Under Options -> Scan Options, make sure that 'Verify code signatures' is checked.
3. Press Refresh (F5) to restart the scan.
4. When it has finished, Save the log (Ctrl+S) as the default Autoruns data type (*.arn).
5. Zip the log and attach to your next post.

Marcos (Administrators), posted April 28, 2018

It appears that your computer is infected. There are malicious DNS servers used: 82.163.143.176, 82.163.142.178. If you have IPv4 configured to obtain an IP address automatically from a DHCP server, check your router's setup and configure it to use Google's DNS 8.8.8.8 or 8.8.4.4. It is also weird that many legitimate processes aren't showing the status "running" but "unknown".

Besides that, run a full disk scan with ESET Online Scanner or better from a rescue disk.

I've also noticed that you have HIPS disabled. Re-enable it as soon as you get things working. Also you have a CoinMiner PUA excluded. If that was not deliberately excluded, remove it from the exclusion list.

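Added example, not part of any post in this thread: a read-only PowerShell triage that checks the two conditions discussed above, the service start value ("2" is Automatic) and whether any adapter uses the DNS servers Marcos named. It assumes the ESET service is registered under the name `ekrn`; the function names are made up for this example.

```powershell
# Read-only triage: reports findings, changes nothing on the system.
# Assumption: the ESET service is registered under the name 'ekrn'.
$ServiceName = 'ekrn'
# DNS servers reported as malicious in this thread.
$BadDns = @('82.163.143.176', '82.163.142.178')

function Get-ServiceStartFinding {
    param([string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Check = 'ServiceStart'; Status = 'MISSING'; Detail = "$key not found" }
    }
    # Start value: 2 = Automatic, 3 = Manual, 4 = Disabled
    $start  = (Get-ItemProperty -Path $key -Name Start).Start
    $svc    = Get-Service -Name $Name -ErrorAction SilentlyContinue
    $status = if ($start -eq 2) { 'OK' } else { 'SUSPECT' }
    [pscustomobject]@{
        Check  = 'ServiceStart'
        Status = $status
        Detail = "Start=$start, State=$($svc.Status)"
    }
}

function Get-DnsFinding {
    param([string[]]$Blocklist)
    # One result per adapter that has IPv4 DNS servers configured.
    foreach ($adapter in Get-DnsClientServerAddress -AddressFamily IPv4) {
        if (-not $adapter.ServerAddresses) { continue }
        $hits   = @($adapter.ServerAddresses | Where-Object { $Blocklist -contains $_ })
        $status = if ($hits.Count -gt 0) { 'SUSPECT' } else { 'OK' }
        [pscustomobject]@{
            Check  = "Dns:$($adapter.InterfaceAlias)"
            Status = $status
            Detail = ($adapter.ServerAddresses -join ', ')
        }
    }
}

# Collect both checks into one table; any SUSPECT row needs follow-up.
$findings  = @(Get-ServiceStartFinding -Name $ServiceName)
$findings += @(Get-DnsFinding -Blocklist $BadDns)
$findings | Format-Table -AutoSize
```

When an adapter takes its DNS settings from DHCP it usually lists only the router's address, so the router's own DNS configuration still has to be checked in its admin interface.
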
Isee The Enemy (Author), posted April 28, 2018

@stackz hxxp://www.mediafire.com/file/2atdah11cpboad3/JOVAN-PC.arn

@Marcos I already scanned my PC with ESET Internet Security. I disabled HIPS cuz I tried setting the ESET service to automatic. I changed router DNS IPv4 1 and IPv4 2 to 8.8.8.8 and 8.8.4.4, third IPv4 is blank (0.0.0.0). Also changed my PC DNS to the same.

When I scanned with EIS, it found CoinMiner in my Explorer.exe. After it fixed it, I restarted the PC and Internet Explorer won't work. I did an sfc scannow and it fixed it.

stackz (ESET Insiders), posted April 28, 2018 (edited)

You need to remove all the leftovers from Qihoo Total Security.

Run Autoruns (as admin) and when it has finished scanning scroll down until you see the publisher as Qihu/Qihoo 360. Go to the file that the Autoruns entry points to and delete the file. Then right click on the Autoruns entry and delete.

Note: You may need to do this in safe mode.

itman, posted April 28, 2018

5 hours ago, Isee The Enemy said:
> when i scanned with EIS, it found CoinMiner in my Explorer.exe, after it fixed it, i restarted pc and internet explorer wont work. i did an sfc scannow and it fixed it.

Is the Eset Service now set to Automatic and is starting at boot time? If not, you still have major problems.

Isee The Enemy (Author), posted April 28, 2018

@stackz Tried, but ESET still isn't starting.

@itman It's set to manual.

itman, posted April 28, 2018

Based on the DNS server IP addresses @Marcos previously posted, I strongly suspect that Counterflix Adware has been modified to include a malicious coin miner component. You can read about Counterflix here: https://www.bleepingcomputer.com/virus-removal/remove-ad-by-counterflix-and-rockettab . Since the article w/removal instructions date to 2/2017, it is debatable if those removal instructions would work against this current variant.

The most serious problem is it appears this malware has been able to disable ekrn.exe startup. Without ekrn.exe running, Eset is basically non-functional.

At this point, I would strongly recommend you not use your PC for e-commerce activities; especially online banking. I suggest you contact your in-country Eset customer support for assistance in removing this malware from your PC.

Isee The Enemy (Author), posted April 29, 2018 (edited)

How I can ECS? If even he can't help me I give up.

itman, posted April 29, 2018

1 hour ago, Isee The Enemy said:
> how i can ECS?

If you mean how do you contact Eset technical support, regional telephone numbers are listed here: https://www.eset.com/us/about/contact/

You can also contact Eset technical support via e-mail directly from the Eset GUI as shown in the below screen shot:

Isee The Enemy (Author), posted May 6, 2018

On 4/28/2018 at 8:00 PM, itman said:
> Based on the DNS server IP addresses @Marcos previously posted, I strongly suspect that Counterflix Adware has been modified to include a malicious coin miner component. You can read about Counterflix here: https://www.bleepingcomputer.com/virus-removal/remove-ad-by-counterflix-and-rockettab . Since the article w/removal instructions date to 2/2017, it is debatable if those removal instructions would work against this current variant. The most serious problem is it appears this malware has been able to disable ekrn.exe startup. Without ekrn.exe running, Eset is basically non-functional. At this point, I would strongly recommend you not use your PC for e-commerce activities; especially online banking. I suggest you contact your in-country Eset customer support for assistance in removing this malware from your PC.

Thank you so much! I did the steps described in that link and now ESET starts up at Windows startup!