ProblemNeedsSolution

Members
  • Content Count

    22
Profile Information

  • Location
    Slovakia

  1. I did checks with Eset at admin level and with MB too and it stayed clean since the day of discovery of Maintenance.vbs. They should really work this into an update at Eset so that they could be the first useful AV SW against this. Anyways, thanks for the help, people, my issue is solved.
  2. In my case I believe the thing was present in the backup itself, so that is why it kept coming back. Just to be sure I disabled Google sync on my machine and deleted all the extensions and cookies. I keep doing checks with the anti-rootkit tool from MB and I also keep an eye on the Windows/system32 folders and so far everything seems to be clean.
  3. So after finding this: It is clear how it works. So I deleted all tasks which involved Maintenance.vbs using Autoruns and deleted the ServiceInstaller.msi too. I hope I am over it, but let us be surprised. I checked msconfig too because the counter in updatesettings was on 10, but it still did not switch it to Safe boot. I hope this will help you out to figure out something for detecting this PoS thing. I do not want to say it too early, but I think this time I got this mofo for good.
  4. Tried to organise the folder via date and found another interesting file (attached below). It also connects to the Maintenance.vbs. InstallWinSAT.txt
  5. Actually I already did this, I only found StartupCheck.vbs and Maintenance.vbs, but just to be sure I searched all the Windows folder for scripts and deleted anything after September. After reboot the machine was giving me an error because of the Maintenance.vbs, but I modified it to just this: Wscript.Quit. Problem solved. I did change the extension of the two above-mentioned scripts to txt (attached below). PLS DO NOT CHANGE THE EXTENSION TO SCRIPT AND RUN THESE!!! Maintenance.txt StartupCheck.txt
  6. I do not use RDP and it is disabled. I only use Cisco AnyConnect Mobile Security VPN, which also checks if there is an active and up to date AV SW installed. If it does not find any AV SW it will fail the posture check and thus will not grant access to the domain. So it is a requirement to have an AV SW.
  7. I am sorry for posting this here, but can this be the same thing as here: https://forums.malwarebytes.com/topic/255632-winlogui-keeps-coming-back/ ? It looks like it is using browser sync to reinfect the machine. Has anyone any idea what the fix file could be?
  8. Good morning guys, so it happened again. I did password protect my settings and enabled the app detection also. Today the Windows Update screen came up after I turned on my machine (before the logon screen) and sure enough Eset was gone...
  9. At home there is another laptop connected to the main router and it does not have this issue. My laptop is connected to a wifi extender all of the time.
  10. Thanks, I did password protect the settings. I will post an update... if it comes to that again.
  11. I did not tamper with the settings as far as I know, and since last time I raised the UAC settings to the maximum. I could only reinstall Eset by booting into Safe mode and using the uninstall tool, but my Windows Updates and Windows Defender are still destroyed at this point, so the only option is to do a full restore - otherwise the posture check from Cisco's VPN client fails and I cannot gain access to the domain of our company. @itman When this happens the Windows Security screen is completely empty - no small icons with checkmarks, and if I open it, it is a completely blank page. By