deanpepler 0, Posted November 13, 2019
What does this mean? Is it safe to allow it?
itman 1,755, Posted November 13, 2019
To begin with, have you added any Eset HIPS rules to monitor Win registry modification? It is rare to have Eset HIPS generate any alert, let alone one for registry modification, assuming the default rule set is used. Refer to the below screen shot. The reg key modification attempt is in an area where sensitive user credential data is stored. However, the process attempting modification is svchost.exe, a trusted Win process. One possibility is malware may have installed a rogue Win service on your device. Another possibility is the malware has injected malicious code into a running svchost.exe instance. In any case, I definitely would not allow this activity until it has been verified what Win service is attempting this reg key modification and if that service is a legit Win service.
itman 1,755, Posted November 13, 2019
The Win service that you need to fully examine is Microsoft Passport, i.e. NgcSvc. It is the only thing that should be modifying registry keys in this registry section. It is not normal to see this service running. Ref.: http://servicedefaults.com/10/ngcsvc/
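A defender-side way to do the verification itman asks for in the two posts above (added example, not from the thread, ESET or Microsoft): read the service's registry configuration, check that its svchost-hosted ServiceDll carries a valid Microsoft Authenticode signature, and list recent service installations from the System log. It assumes an elevated PowerShell 5.1+ session; the service name defaults to NgcSvc, the service named above, and event ID 7045 is the Service Control Manager's "a service was installed" event.

```powershell
# Added example: verify a svchost-hosted Windows service before trusting a HIPS alert on it.
# Assumes an elevated PowerShell session; $ServiceName defaults to NgcSvc (Microsoft Passport).
param([string]$ServiceName = 'NgcSvc')

$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (-not (Test-Path $svcKey)) { throw "No service key found for $ServiceName" }

$svc   = Get-ItemProperty -Path $svcKey
$parms = Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue

# 1. Where does the service really live? svchost-hosted services load the DLL named in
#    Parameters\ServiceDll; a genuine Windows service points into %SystemRoot%\System32.
$dll = if ($parms -and $parms.ServiceDll) {
    [Environment]::ExpandEnvironmentVariables($parms.ServiceDll)
} else { $null }
$startType = switch ($svc.Start) { 2 { 'Automatic' } 3 { 'Manual' } 4 { 'Disabled' } default { $svc.Start } }
[pscustomobject]@{
    Service    = $ServiceName
    StartType  = $startType
    ImagePath  = $svc.ImagePath
    ServiceDll = $dll
} | Format-List

# 2. Is the hosted DLL validly signed by Microsoft? Anything else is a reason to keep the
#    HIPS block in place and investigate further.
if ($dll -and (Test-Path $dll)) {
    $sig = Get-AuthenticodeSignature -FilePath $dll
    'Signature: {0}  Signer: {1}' -f $sig.Status, $sig.SignerCertificate.Subject
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        Write-Warning "$dll does not carry a valid Microsoft signature"
    }
} elseif ($dll) {
    Write-Warning "ServiceDll $dll does not exist on disk"
}

# 3. Was any service installed in the last 7 days? Service Control Manager event 7045 records
#    the service name, image path and installing account, which exposes a rogue service.
$filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-7) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Service = $data.ServiceName
        Image   = $data.ImagePath
        Account = $data.AccountName
    }
} | Format-Table -AutoSize
```

Run it once for NgcSvc and once for any service name that appears in the 7045 output; a ServiceDll outside System32 or an unsigned binary is what separates the "rogue service" case from a legitimate Passport operation.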
deanpepler 0 (Author), Posted November 13, 2019
I BLOCKED IT WITH ESET 😀
deanpepler 0 (Author), Posted November 13, 2019
How can I check with ESET offline if I blocked it? I am sure I did.
itman 1,755, Posted November 13, 2019
Quoting deanpepler (22 minutes ago): How can I check with ESET offline if I blocked it? I am sure I did.
There should be an entry for it in the Eset HIPS log. A suspicion of what might be going on is the following. The Eset HIPS is not flagging the attempted modification of the applicable registry key by the Microsoft Passport service per se. What is possibly being flagged is that the service was started using methods associated with malware behavior, e.g. using the SC command from a .bat script. This probably was detected by the Augur engine in ver. 13.0.22. Since the behavior was not sufficient to block it outright with an ML/Augur detection, it deferred the action to a HIPS alert with user decision. If the alert appears again, click on "Details." This should show if a script engine was the source of the service startup.
deanpepler 0 (Author), Posted November 13, 2019
How do I open up the ESET HIPS log?
itman 1,755, Posted November 13, 2019
Quoting deanpepler (2 hours ago): How do I open up the ESET HIPS log?
Right-click on the Eset icon in the desktop toolbar and select Log files. Then select HIPS from the drop-down box.
deanpepler 0 (Author), Posted November 14, 2019
I turned off ESET protection to access a website. The website had a trojan and the trojan got into my PC. How do I get the trojan out of my Windows PC?
deanpepler 0 (Author), Posted November 14, 2019
I think the Trojan ran away with its tail between its legs.
I scanned with RKill.
I scanned with HitmanPro; it found no threats.
I scanned with Zemana; no threats.
I blocked the virus with ESET.
I scanned with Malwarebytes 4.0; no threats.
So, is the virus gone or is it hiding in my PC?
deanpepler 0 (Author), Posted November 14, 2019
Unfortunately the virus came from Dubbed anime dot Net. I wanted to watch the Digimon movies. I wish I had 200 US dollars to buy all 9 Digimon movies from Amazon.
itman 1,755, Posted November 14, 2019
Quoting deanpepler (4 hours ago): How do I get the trojan out of my Windows PC?
Start out by running a full Eset scan with Admin privileges. Refer to the below screen shot. Select Advanced scan -> Custom scan. Click on the gear symbol. Then from the Scan Profile drop-down box, select "In-depth scan." Leave all the other options there unchecked. Then check "This PC." This in turn will check all the connected device options below it. Finally, click on "Scan as Administrator." The scan should run for a very long time. If Eset doesn't detect and clean any malware after the scan completes, I would then contact your local Eset support for further assistance in malware removal.
itman 1,755, Posted November 14, 2019
Quoting deanpepler (2 hours ago): Is the virus gone or is it hiding in my PC?
Based on the limited information posted, I would say it is still hiding in your PC. If you receive any further Eset HIPS or other alerts, this would be confirmation that the malware possibly still exists. Note however that there is still no direct proof that the HIPS alert was indeed malware related. You mention that a Trojan was downloaded. How did you determine that?
peteyt 396 (Most Valued Members), Posted November 14, 2019
Quoting itman (7 minutes ago): Based on the limited information posted, I would say it is still hiding in your PC. If you receive any further Eset HIPS or other alerts, this would be confirmation that the malware possibly still exists. Note however that there is still no direct proof that the HIPS alert was indeed malware related. You mention that a Trojan was downloaded. How did you determine that?
One thing I am wondering is if the HIPS is set to manual, which is something I would not recommend for general users. I just have it set to automatic because, while I have some knowledge, it is not enough and I would probably end up blocking or allowing the wrong thing.
itman 1,755, Posted November 14, 2019
Quoting peteyt (8 minutes ago): One thing I am wondering is if the HIPS is set to manual
There is no manual mode. Perhaps you meant Interactive mode. If this was the mode, OP would be bombarded with HIPS alerts.
peteyt 396 (Most Valued Members), Posted November 14, 2019
Quoting itman (1 minute ago): There is no manual mode. Perhaps you meant Interactive mode. If this was the mode, OP would be bombarded with HIPS alerts.
Strange. I did presume that, but I've never had a HIPS alert myself. Unless it was set to Smart?
itman 1,755, Posted November 14, 2019
Quoting peteyt (3 minutes ago): Unless it was set to Smart?
That is one possibility. However, even if set to the default Auto mode, a HIPS alert would display if an internal rule had been triggered. I believe this is what happened in this case.
deanpepler 0 (Author), Posted November 17, 2019
I reinstalled my PC and recovered all my accounts. I bought ESET Internet Security and Malwarebytes.
itman 1,755, Posted November 17, 2019
Quoting deanpepler (2 hours ago): I bought ESET Internet Security and Malwarebytes
You shouldn't be running MBAM in real-time mode concurrent with Eset. They will conflict with each other. Turn off MBAM's real-time protection mode.