Got infected with a virus, ESET stops working and can't reinstall it anymore


A couple of closing comments here.

1. You disabled Eset thereby allowing the malware to install a bootkit on your device. Hopefully, you learned a lesson to never do that again.

2. You need to upgrade to Win 10 ASAP. Why?

The likelihood of boot/rootkits occurring on Win 10 x(64) is greatly reduced due to kernel patch protection; i.e. KPP, employed in Win 10. Additionally, Eset running on Win 10 employs an early launch anti-malware; i.e. ELAM, driver that loads at boot time prior to any other app drivers. In this case, Eset would have been able to block the bootkit from loading and interfering with Eset execution mechanisms at system startup time.

My best guess as to why Eset doesn't provide specialized bootkit removal and MBR repair tools is they don't want to take responsibility for borking a system due to boot failure from a corrupted MBR. Bootkit removal is an "iffy" thing and does run the risk of corrupting the MBR. Hence, the Eset recommendation to repair the MBR via established Microsoft recommended methods to do so.

-EDIT- Referring to the MBAM link posted above in regards to TDSSKiller use is the following:

Quote

TDSSKiller found Rootkit.Boot.DarkGalaxy.a. I selected "cure" as instructed and got the message "Can't cure MBR. Write standard boot code?". Selected "Yes" and then rebooted....during Windows load I got an error message on cmd screen.....but then everything loaded fine (and I got the impression that load time was a little faster).

As long as the device employed default Win bootloader code in the MBR, performing the above would result in no issues. Such is not the case if the device used OEM manufacturer, etc., custom bootloader code.

Edited by itman

On 1/8/2021 at 7:16 PM, Marcos said:

ESET actually protected you from getting infected by the malware. Once AV protection is disabled and malware is run, it may be very difficult to remove it and specialized tools must be used.

So basically this means that ESET will always require installation on a clean computer, otherwise it cannot guarantee finding viruses that are not even that new? Because that doesn't make any sense, considering there is no way one can make sure a system is clean before installing ESET. That is literally one of the main points of buying an antivirus, but OK.

Edited by henrik_admiral

  • Administrators
46 minutes ago, henrik_admiral said:

So basically this means that ESET will always require installation on a clean computer, otherwise it cannot guarantee finding viruses that are not even that new?

That's true for any antivirus, not only specifically for ESET.


  • Most Valued Members
2 hours ago, henrik_admiral said:

So basically this means that ESET will always require installation on a clean computer, otherwise it cannot guarantee finding viruses that are not even that new? Because that doesn't make any sense, considering there is no way one can make sure a system is clean before installing ESET. That is literally one of the main points of buying an antivirus, but OK.

As Marcos has basically said, no AV is ever 100 percent. I'm no expert but it seems it's much easier to catch a virus as it infects rather than one already on the system, as they can hide themselves and bury themselves well.

As mentioned, you disabled eset. I presume the virus then buried itself and prevented eset from running. Anything that asks you to disable your AV really should be a red flag. As itman noted, while there are tools like the one you used to fix the MBR, they can bork a system, which is probably why eset doesn't supply one, but @Marcos would have to confirm this? If there is a safe way to do this like the tool the user used, could eset not develop their own tool to fix the MBR?

Also I'd like to point out something slightly off topic but relatable. Often the forum sees people posting YouTube tests showing eset not picking something up, but these tests often don't show the full picture, e.g. they will disable Web protection first before trying to download anything but not show this. The fact is if they had shown the full thing, web protection would have blocked it. Eset has different layers of protection but they work together best, and disabling one can affect others.


2 hours ago, peteyt said:

If there is a safe way to do this like the tool the user used could eset not develop their own tool to fix the MBR?

As far as a safe way or more specifically a tool that would work on all Win OS versions and different device hardware configurations, the answer is no.

Knowledgeable security sources recommend the first thing to be done after the OS is installed is to back up the MBR. This is done not only for potential malware infection but in the instance the MBR becomes corrupted for other reasons. There are a number of third party tools that can back up and restore the MBR.

What I recommend Eset explore is backing up the MBR at Eset product installation time. Eset would also provide an MBR restore utility most likely invoked via Eset command line interface; e.g. ecls, that could restore the prior MBR backup in the event of resident malware present or corrupted MBR.

Edited by itman
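
The MBR backup idea in the post above, as an added example that is not part of the thread and not an ESET tool: it parses a saved 512-byte MBR and the current one, then reports whether the boot code, disk signature or partition table differs. All function names are hypothetical and the sample sectors are constructed, not read from a real disk.

```python
import hashlib
import struct

def parse_mbr(sector):
    """Split a classic MBR sector into boot code hash, disk signature and partitions."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):                      # four 16-byte entries at offset 446
        entry = sector[446 + 16 * i: 462 + 16 * i]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if entry[4]:                        # partition type 0 means unused slot
            parts.append({"active": entry[0] == 0x80, "type": entry[4],
                          "lba_start": lba_start, "sectors": sectors})
    return {"boot_sha256": hashlib.sha256(sector[:440]).hexdigest(),
            "disk_signature": sector[440:444].hex(),
            "partitions": parts}

def compare_mbr(backup, current):
    """List which MBR regions differ between a trusted backup and the current sector."""
    old, new = parse_mbr(backup), parse_mbr(current)
    labels = {"boot_sha256": "boot code changed",
              "disk_signature": "disk signature changed",
              "partitions": "partition table changed"}
    return [msg for key, msg in labels.items() if old[key] != new[key]]

def restore_boot_code(backup, current):
    """Backup boot code combined with the current signature and partition table,
    so a stale backup cannot roll back a partition layout that changed since."""
    parse_mbr(backup)
    parse_mbr(current)
    return backup[:440] + current[440:]

def sample_mbr(boot_fill):
    """Constructed sector: filler boot code plus one active NTFS-type partition."""
    sector = bytearray(512)
    sector[0:440] = bytes([boot_fill]) * 440
    sector[440:444] = bytes.fromhex("deadbeef")
    sector[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07,
                                  b"\0\0\0", 2048, 204800)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

if __name__ == "__main__":
    backup, current = sample_mbr(0x90), sample_mbr(0xCC)
    print(compare_mbr(backup, current))
    print(compare_mbr(backup, restore_boot_code(backup, current)))
```

The comparison is only meaningful when the backup was taken on a known-clean system and the current sector is read from outside the running OS, since a resident bootkit can return the original sector to reads made from within it.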

This topic is now closed to further replies.