
ProblemNeedsSolution

Members
  • Posts

    23
About ProblemNeedsSolution

  • Rank
    Newbie

Profile Information

  • Location
    Slovakia


  1. Good day, this morning, out of nowhere, EIS started reporting: Address has been blocked, and by the time I turned off the notification it had appeared about 35 times. There is some address that I did not visit, from various countries (HU/SK and mostly from PL). I ran a system scan with EIS and it found no threat, then I also tried MB Antirootkit but it found nothing either. I only had Chrome open, and in Chrome I had bookmarks open and two pages from work. Could you help me with this? Thank you.
  2. I did checks with Eset at admin level and with MB too, and it has stayed clean since the day of discovery of Maintenance.vbs. They should really work this into an update at Eset so that they could be the first useful AW SW against this. Anyways, thanks for the help, people, my issue is solved.
  3. In my case I believe the thing was present in the backup itself, so that is why it kept coming back. Just to be sure, I disabled Google sync on my machine and deleted all the extensions and cookies. I keep doing checks with the anti-rootkit tool from MB and I also keep an eye on the Windows/system32 folders, and so far everything seems to be clean.
  4. So after finding this: It is clear how it works. So I deleted all tasks which involved Maintenance.vbs using Autoruns and deleted the ServiceInstaller.msi too. I hope I am over it, but let us be surprised. I checked msconfig too because the counter in updatesettings was on 10, but it still did not switch it to Safe boot. I hope this will help you figure out something for detecting this PoS thing. I do not want to say it too early, but I think this time I got this mofo for good.
  5. Tried to organise the folder by date and found another interesting file (attached below). It also connects to the Maintenance.vbs. InstallWinSAT.txt
  6. Actually I already did this, I only found StartupCheck.vbs and Maintenance.vbs, but just to be sure I searched the whole Windows folder for scripts and deleted anything after September. After reboot the machine was giving me an error because of the Maintenance.vbs, but I modified it to just this: Wscript.Quit. Problem solved. I changed the extension of the two above-mentioned scripts to txt (attached below). PLS DO NOT CHANGE THE EXTENSION TO SCRIPT AND RUN THESE!!! Maintenance.txt StartupCheck.txt
  7. I do not use RDP and it is disabled. I only use Cisco AnyConnect Mobile Security VPN, which also checks if there is an active and up-to-date AV SW installed. If it does not find any AW SW it will fail the posture check and thus will not grant access to the domain. So it is a requirement to have an AW SW.
  8. I am sorry for posting this here, but can this be the same thing as here: https://forums.malwarebytes.com/topic/255632-winlogui-keeps-coming-back/ It looks like it is using browser sync to reinfect the machine. Has anyone any idea what the fix file could be?
  9. Good morning guys, so it happened again. I did password protect my settings and enabled the app detection also. Today the Windows Update screen came up after I turned on my machine (before the logon screen) and sure enough Eset was gone...
  10. At home there is another laptop connected to the main router and it does not have this issue. My laptop is connected to a Wi-Fi extender all of the time.
  11. Thanks, I did password protect the settings. I will post an update... if it comes to that again.