deanpepler

ESET internet Security Pop-Up


To begin with, have you added any Eset HIPS rules to monitor Win registry modification?

It is rare to have Eset HIPS generate any alert, let alone one for registry modification, assuming the default rule set is used. Refer to the below screen shot. The reg key modification attempt is in an area where sensitive user credential data is stored. However, the process attempting modification is svchost.exe, a trusted Win process. One possibility is malware may have installed a rogue Win service on your device. Another possibility is the malware has injected malicious code into a running svchost.exe instance.

In any case, I definitely would not allow this activity until it has been verified what Win service is attempting this reg key modification and if that service is a legit Win service.

[Screen shot: Eset_HIPS.png]


The Win service that you need to fully examine is Microsoft Passport; i.e. NgcSvc. It is the only thing that should be modifying registry keys in this registry section. It is not normal to see this service running.

Ref.: http://servicedefaults.com/10/ngcsvc/

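As an added example (not code from the thread or from Eset), the checks below carry out the verification itman describes: confirm that NgcSvc (Microsoft Passport) is the service behind the svchost.exe instance, that its service DLL is validly Microsoft-signed, what else shares that svchost process, and whether any service was installed or started recently. It assumes a default Windows 10 install and an elevated PowerShell prompt.

```powershell
# Added example: inspect the Microsoft Passport service (NgcSvc) and its svchost host.
# Assumption: default Windows 10 layout; run elevated.
$svcName = 'NgcSvc'

# 1. Service state and the command it was registered with.
$svc = Get-CimInstance Win32_Service -Filter "Name='$svcName'"
if (-not $svc) { Write-Warning "$svcName is not registered on this machine"; return }
"{0}: state={1} startmode={2}" -f $svc.Name, $svc.State, $svc.StartMode
"PathName : $($svc.PathName)"

# 2. svchost-hosted services load the DLL named in Parameters\ServiceDll.
#    A rogue service would typically point this at a DLL outside System32.
$params = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName\Parameters"
$dll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
if ($dll) {
    $dll = [Environment]::ExpandEnvironmentVariables($dll)
    $sig = Get-AuthenticodeSignature -FilePath $dll
    "ServiceDll: $dll"
    "Signature : {0} ({1})" -f $sig.Status, $sig.SignerCertificate.Subject
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        Write-Warning "ServiceDll is not a validly Microsoft-signed binary; treat as suspicious"
    }
}

# 3. Which svchost.exe process hosts it, and which other services share that process.
if ($svc.ProcessId) {
    $proc = Get-Process -Id $svc.ProcessId
    "Host PID {0}: {1}" -f $proc.Id, $proc.Path
    Get-CimInstance Win32_Service -Filter "ProcessId=$($svc.ProcessId)" |
        Select-Object Name, State, PathName | Format-Table -AutoSize
}

# 4. Recent Service Control Manager events: 7045 = a new service was installed,
#    7036 = a service changed state. A service installed from a script (e.g. via sc.exe)
#    shows up as 7045 with its image path; Passport start/stop transitions as 7036.
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Service Control Manager'; Id=7045} `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-Table -Wrap
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Service Control Manager'; Id=7036} `
    -MaxEvents 300 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Microsoft Passport' } |
    Select-Object TimeCreated, Message | Format-Table -Wrap
```

Compare the listed ServiceDll path and the 7045 image paths against what the Eset HIPS "Details" view shows for the blocked operation; a mismatch, or an unsigned DLL, is what would justify keeping the block in place.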
22 minutes ago, deanpepler said:

How can I check with ESET offline if I blocked? I am sure I did.

There should be an entry for it in the Eset HIPS log.

A suspicion of what might be going on is the following. The Eset HIPS is not flagging the attempted modification of the applicable registry key by the Microsoft Passport service per se. What is possibly being flagged is the service was started using methods associated with malware behavior; e.g. using the SC command from a .bat script for example. This probably was detected by the Augur engine in ver 13.0.22. Since the behavior was not sufficient to block it outright with a ML/Augur detection, it deferred the action to a HIPS alert with user decision.

If the alert appears again, click on "Details." This should show if a script engine was the source of the service startup.

2 hours ago, deanpepler said:

How do I open up the ESET HIPS log?

Right mouse click on the Eset icon in the desktop toolbar and select log files. Then select HIPS from the drop down box.


I turned off ESET protection to access a website... the website had a Trojan and the Trojan got into my PC. How do I get the Trojan out of my Windows PC?


I think the Trojan ran away with its tail between its legs.. I scanned with RKill. I scanned with HitmanPro, it found no threats. I scanned with Zemana, no threats. I blocked the virus with ESET. I scanned with Malwarebytes 4.0, no threats. So? Is the virus gone or is it hiding in my PC?


Unfortunately the virus came from Dubbed anime dot Net; I wanted to watch the Digimon movies. I wish I had 200 US dollars to buy all 9 Digimon movies from Amazon.

4 hours ago, deanpepler said:

How do I get the Trojan out of my Windows PC?

Start out by running a full Eset scan with Admin privileges. Refer to the below screen shot. Select Advanced scan -> Custom scan.

Click on the gear symbol. Then from Scan Profile drop down box, select "In-depth scan." Leave all the other options there unchecked.

Then check mark "This PC." This in turn will check mark all the below connected device options. Finally, click on "Scan as Administrator." The scan should run for a very long time.

If Eset doesn't detect and clean any malware after the scan completes, I would then contact your local Eset support for further assistance in malware removal.

[Screen shot: Eset_Admin_Scan.png]

2 hours ago, deanpepler said:

Is the virus gone or is it hiding in my PC?

Based on the limited information posted, I would say it is still hiding in your PC. If you receive any further Eset HIPS or other alerts, this would be confirmation that the malware possibly still exists. Note however that there is still no direct proof that the HIPS alert was indeed malware related. You mention that a Trojan was downloaded. How did you determine that?

7 minutes ago, itman said:

Based on the limited information posted, I would say it is still hiding in your PC. If you receive any further Eset HIPS or other alerts, this would be confirmation that the malware possibly still exists. Note however that there is still no direct proof that the HIPS alert was indeed malware related. You mention that a Trojan was downloaded. How did you determine that?

One thing I am wondering is if the HIPS is set to manual, which is something I would not recommend for general users. I just have it set to automatic because, while I have some knowledge, it is not enough and I would probably end up blocking or allowing the wrong thing.

8 minutes ago, peteyt said:

One thing I am wondering is if the HIPS is set to manual

There is no manual mode. Perhaps you meant Interactive mode. If this was the mode, OP would be bombarded with HIPS alerts.

1 minute ago, itman said:

There is no manual mode. Perhaps you meant Interactive mode. If this was the mode, OP would be bombarded with HIPS alerts.

Strange. And I did presume that, but I've never had a HIPS alert myself. Unless it was set to smart?

3 minutes ago, peteyt said:

Unless it was set to smart?

That is one possibility. However, even if set to default Auto mode, a HIPS alert would display if an internal rule had been triggered. I believe this is what happened in this case.


I reinstalled my PC and recovered all my accounts. I bought ESET Internet Security and Malwarebytes.

2 hours ago, deanpepler said:

I bought ESET Internet Security and Malwarebytes

You shouldn't be running MBAM in real-time mode concurrent with Eset. They will conflict with each other. Turn off MBAM's real-time protection mode.
