To begin with, have you added any Eset HIPS rules to monitor Win registry modification?

It is rare to have Eset HIPS generate any alert, let alone one for registry modification, assuming the default rule set is used. Refer to the below screenshot. The reg key modification attempt is in an area where sensitive user credential data is stored. However, the process attempting modification is svchost.exe, a trusted Win process. One possibility is malware may have installed a rogue Win service on your device. Another possibility is the malware has injected malicious code into a running svchost.exe instance.

In any case, I definitely would not allow this activity until it has been verified what Win service is attempting this reg key modification and whether that service is a legit Win service.

[Screenshot: Eset HIPS alert]

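One way to do the verification suggested above, as an added example that is not from this thread or from ESET: from an elevated PowerShell prompt, list the services hosted in each svchost.exe instance (or just the PID shown in the HIPS alert details), resolve each one's ServiceDll and check that the DLL carries a valid Microsoft signature. A service whose DLL is unsigned, missing or signed by someone else is the rogue-service case; this check does not cover code injected into a legitimate, correctly signed service.

```powershell
# Added example (not ESET's code). Optionally pass the svchost PID from the HIPS alert:
#   .\Check-SvchostServices.ps1 -TargetPid 1234
param([int]$TargetPid = 0)

# Every running service whose image is svchost.exe (shared-process services)
$services = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 -and $_.PathName -match 'svchost\.exe' }
if ($TargetPid) { $services = $services | Where-Object ProcessId -eq $TargetPid }

$results = foreach ($svc in $services) {
    $base = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
    # ServiceDll normally lives under Parameters; a few services keep it at the service key root
    $dll = $null
    foreach ($key in @("$base\Parameters", $base)) {
        $v = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if ($v) { $dll = [Environment]::ExpandEnvironmentVariables($v); break }
    }

    $status = 'NoServiceDll'; $signer = 'n/a'
    if ($dll -and (Test-Path -LiteralPath $dll)) {
        # Get-AuthenticodeSignature also honours catalog signatures, which most system DLLs use
        $sig = Get-AuthenticodeSignature -FilePath $dll
        $status = $sig.Status
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }
    } elseif ($dll) {
        $status = 'DllMissing'
    }

    [pscustomobject]@{
        PID        = $svc.ProcessId
        Service    = $svc.Name
        StartMode  = $svc.StartMode
        ServiceDll = $dll
        SigStatus  = $status
        Microsoft  = ($status -eq 'Valid' -and $signer -like '*O=Microsoft Corporation*')
    }
}

$results | Sort-Object PID, Service | Format-Table -AutoSize

"`nServices to look at more closely (no DLL, missing DLL, or not Microsoft-signed):"
$results | Where-Object { -not $_.Microsoft } |
    Format-Table PID, Service, StartMode, ServiceDll, SigStatus -AutoSize
```

Compare anything flagged against the same service on a known-clean machine before acting on it, since the list is a starting point for the checks in this thread, not a verdict.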

22 minutes ago, deanpepler said:

How can I check with ESET offline if I blocked it? I am sure I did.

There should be an entry for it in the Eset HIPS log.

A suspicion of what might be going on is the following. The Eset HIPS is not flagging the attempted modification of the applicable registry key by the Microsoft Passport service per se. What is possibly being flagged is the service was started using methods associated with malware behavior; e.g. using the SC command from a .bat script for example. This probably was detected by the Augur engine in ver 13.0.22. Since the behavior was not sufficient to block it outright with a ML/Augur detection, it deferred the action to a HIPS alert with user decision.

If the alert appears again, click on "Details." This should show if a script engine was the source of the service startup.


2 hours ago, deanpepler said:

How do I open up the ESET HIPS log?

Right-click on the Eset icon in the desktop toolbar and select Log files. Then select HIPS from the drop-down box.


I think the Trojan ran away with its tail between its legs. I scanned with RKill. I scanned with HitmanPro; it found no threats. I scanned with Zemana; no threats. I blocked the virus with ESET. I scanned with Malwarebytes 4.0; no threats. So, is the virus gone or is it hiding in my PC?


Unfortunately the virus came from Dubbed anime dot Net; I wanted to watch the Digimon movies. I wish I had 200 US dollars to buy all 9 Digimon movies from Amazon.


4 hours ago, deanpepler said:

How do I get the Trojan out of my Windows PC?

Start out by running a full Eset scan with Admin privileges. Refer to the below screenshot. Select Advanced scan -> Custom scan.

Click on the gear symbol. Then from Scan Profile drop down box, select "In-depth scan." Leave all the other options there unchecked.

Then check mark "This PC." This in turn will check mark all the below connected device options. Finally, click on "Scan as Administrator." The scan should run for a very long time.

If Eset doesn't detect and clean any malware after the scan completes, I would then contact your local Eset support for further assistance in malware removal.

[Screenshot: Eset Admin Scan]


2 hours ago, deanpepler said:

is the virus gone or is it hiding in my pc ?

Based on the limited information posted, I would say it is still hiding in your PC. If you receive any further Eset HIPS or other alerts, this would be confirmation that the malware possibly still exists. Note however that there is still no direct proof that the HIPS alert was indeed malware related. You mention that a Trojan was downloaded. How did you determine that?

7 minutes ago, itman said:

Based on the limited information posted, I would say it is still hiding in your PC. If you receive any further Eset HIPS or other alerts, this would be confirmation that the malware possibly still exists. Note however that there is still no direct proof that the HIPS alert was indeed malware related. You mention that a Trojan was downloaded. How did you determine that?

One thing I am wondering is if the HIPS is set to manual, which is something I would not recommend for general users. I just have it set to automatic because, while I have some knowledge, it is not enough and I would probably end up blocking or allowing the wrong thing.


8 minutes ago, peteyt said:

One thing I am wondering is if the HIPS is set to manual

There is no manual mode. Perhaps you meant Interactive mode. If this was the mode, OP would be bombarded with HIPS alerts.

1 minute ago, itman said:

There is no manual mode. Perhaps you meant Interactive mode. If this was the mode, OP would be bombarded with HIPS alerts.

Strange. And I did presume that, but I've never had a HIPS alert myself. Unless it was set to Smart?


3 minutes ago, peteyt said:

Unless it was set to smart?

That is one possibility. However even if set to default Auto mode, a HIPS alert would display if an internal rule had been triggered. I believe this is what happened in this case.


2 hours ago, deanpepler said:

I bought ESET Internet Security and Malwarebytes.

You shouldn't be running MBAM in real-time mode concurrent with Eset. They will conflict with each other. Turn off MBAM's real-time protection mode.
