Everything posted by ProblemNeedsSolution

  1. Good day, this morning, out of nowhere, EIS started reporting: Address has been blocked, and until I turned off the notification it showed about 35 times. It lists an address I did not visit, from various countries (HU/SK and mostly from PL). I ran a system scan with EIS and it found no threat, then I also tried MB Antirootkit but it found nothing either. I only had Chrome open, and in Chrome I had bookmarks open and two pages from work. Could you help me with this? Thank you.
  2. I did checks with Eset at admin level and with MB too and it stayed clean since the day of discovery of Maintenance.vbs. They should really work this into an update at Eset so that they could be the first useful AW SW against this. Anyways, thanks for the help, people; my issue is solved.
  3. In my case I believe the thing was present in the backup itself, so that is why it kept coming back. Just to be sure, I disabled Google sync on my machine and deleted all the extensions and cookies. I keep doing checks with the anti-rootkit tool from MB and I also keep an eye on the Windows/system32 folders, and so far everything seems to be clean.
  4. So after finding this: It is clear how it works. So I deleted all tasks which involved Maintenance.vbs using Autoruns and deleted the ServiceInstaller.msi too. I hope I am over it but let us surprise. I checked msconfig too because the counter in updatesettings was on 10, but it still did not switch it to Safe boot. I hope this will help you out to figure out something for detecting this PoS thing. I do not want to say it too early, but I think this time I got this mofo for good.
  5. Tried to organise the folder via date and found another interesting file (attached below). It also connects to the Maintenance.vbs. InstallWinSAT.txt
  6. Actually I already did this, I only did find StartupCheck.vbs and Maintenance.vbs, but just to be sure I searched all the Windows folder for scripts and deleted anything after September. After reboot the machine was giving me an error because of the Maintenance.vbs, but I modified it to just this: "Wscript.Quit". Problem solved. I did change the extension of the two above-mentioned scripts to txt (attached below). PLS DO NOT CHANGE THE EXTENSION TO SCRIPT AND RUN THESE!!! Maintenance.txt StartupCheck.txt
  7. I do not use RDP and it is disabled. I only use Cisco AnyConnect Mobile Security VPN, which also checks if there is an active and up-to-date AV SW installed. If it will not find any AW SW it will fail the posture check and thus will not grant access to the domain. So it is a requirement to have an AW SW.
  8. I am sorry for posting this here, but can this be the same thing as here: https://forums.malwarebytes.com/topic/255632-winlogui-keeps-coming-back/ It looks like it is using browser sync to reinfect the machine. Has anyone any idea what the fix file could be?
  9. Good morning guys, so it happened again. I did password protect my settings and enabled the app detection also. Today the Windows Update screen came up after I turned on my machine (before the logon screen) and sure enough Eset was gone...
  10. At home there is another laptop connected to the main router and it does not have this issue. My laptop is connected to a wifi extender all of the time.
  11. Thanks, I did password protect the settings. I will post an update... if it comes to that again.
  12. I did not tamper with the settings as far as I know, and since last time I raised the UAC settings to the maximum. I only could reinstall Eset by booting into Safe mode and using the uninstall tool, but my Windows Updates and Windows Defender are still destroyed at this point, so the only option is to do a full restore - otherwise the posture check from Cisco's VPN client fails and I cannot gain access to the domain of our company. @itman When this happens the Windows Security screen is completely empty - no small icons with checkmarks, and if I open it, it is a completely blank page. By the Windows Update screen I mean the blue screen when you reboot your machine, but this happens when I turn on the machine, and yesterday I have not noticed any updates. The weird thing is that it happens periodically - exactly one week - sort of a time bomb (so an update on the 25th I guess).
  13. Well, it happened again... Yesterday everything was fine, but this morning I saw the Windows Update screen while I turned on my machine and Eset was gone (no splash screen), and when I try to reinstall it, it says it is installed. I am so confused right now and really out of ideas at this point. I did download the log collector and made a log for you... eis_logs.zip
  14. The old lappy was sent back for a warranty repair (backlight LEDs got loose and I could see a row close to the display LOL). I got the new machine up and running on the weekend; the other was sent away on Friday, so they were not in "contact".
  15. I am sorry, but I only use a VPN client from Cisco to connect to our company domain and I was not forced to safe boot at all. It is really strange, but I did find some posts even on different AW SW forums with the same problem, so whatever this is, it is out there but maybe not that common.
  16. Okay, tried a different AM SW and it found a trojan: So I manually removed the keys from the registry plus deleted the file from the Windows folder and did a reboot. I did another scan and now it says everything is clean, so let's see. It is funny how ESET did not find this though...
  17. I am already after a full system restore running a full system scan as an admin. If it happens again I will try to harvest the logs.
  18. It is a brand new machine, Windows 10 Pro, RDP disabled... The weird thing is this started to happen on my old laptop too, just before the 2004 update, so I thought it was the update. But now on the new machine the same thing is happening. If I open Microsoft Defender > Blank screen in the app (executables gone), ESET was gone (all the executables) and Windows Update gives an error (also cannot connect to the Microsoft Store). The internet connection is fine though.
  19. Hi! I am having a weird issue I haven’t seen before... After a week my Windows updates get corrupted and Windows Defender goes missing on the machine. No big deal: I restore my machine from a backup, stop Windows updates for a month and buy Eset ISP to have better protection. One week passes by and my VPN wouldn’t connect to our domain. I’ve noticed that the Eset splash screen was not showing up, so I did a search for Eset and it said nothing was found. Sure enough, Eset, Windows Defender and Windows updates are gone AGAIN. Did anyone have this issue or virus or whatever? It’s really annoying.