itman

I am wondering if the issue here is the same Microsoft account is being used for both devices. MyEset might be using that somehow internally to ID devices. You might have just figured out a way to bypass Eset's license validation processing.🤭

You might want to refer to this article: Also of note: https://www.sophos.com/en-us/press-office/press-releases/2021/01/sophos-identifies-source-of-mrbminer-attacks-targeting-database-servers.aspx -EDIT- In regards to the above "similar techniques" referenced is all employed some form of brute force attack element against the server and/or exploiting of system vulnerabilities. Since it appears sqlserver.exe in your situation is directly initiating the Trojan download attempt, I assume some type of code injection is being performed against it. Again, this assumes that

Based on the posted my Eset screen shot, it appears you purchased one Eset NOD32 license for two PCs; not two 1 PC Eset licenses. If you bought two 1 PC Eset licenses, the key for each license would be different.

What about sqlbase.exe since this is the malicious parent process? Does that show in SysInspector? BTW - I believe a malicious sqlbase engine was installed. Also it appears you found the malicious versions sqlbase.exe and sqlconn.exe since they are sitting on your desktop. Is the issue these keep reappearing on the infected devices? Also submit sqlservr.exe on one of these devices with issues to VirusTotal for a scan.

For registry subordinate keys under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\", you need to code the following, "HKEY_LOCAL_MACHINE\SYSTEM\*\". For example: HKEY_LOCAL_MACHINE\SYSTEM\*\Services\USBSTOR\Start

For starters on an infected device check if the following exists: %WINDIR%\\FONTS\\SQLCONN.EXE

Make sure the settings highlighted in the below screen shot are enabled:

I would remove the -1 named devices.

I assume the device names with Eset installed are Suzanne, Angel, and Shuriken-PC? If so, delete all other devices shown other than these three.

Avast paid products include a sandbox feature. Eset consumer products do not.

You can set up the Comodo firewall so that everything runs in an isolated environment: https://www.youtube.com/watch?v=vktNQCwB2UY . You then just set up exclusions for your trusted apps. Video author states on the various security forums that no 0-day malware has been able to bypass her custom Comodo setup.

As far as desktop notifications go, refer to the following per Eset on-line help: I have mine set to "Diagnostic" and have no issue with Eset HIPS rule desktop notifications appearing.

Eset's System Cleaner feature primary function is to reset Windows settings back to default values. The "Cleaner" reference in my opinion is misleading. Also as the Help for this feature states, it should not be run w/o Eset tech support instruction to do so. System Cleaner's primary purpose is to remove system modifications made by malware. However, many also perform custom modifications to Windows system settings and those will be removed when System Cleaner is run.

Eset Push Notifications option uses process ekrn.exe, TCP protocol, and remote port 8883. Verify that outbound network traffic for this is not being blocked by whatever firewall you are using.

There is no sandboxing used since Eset doesn't have one in contrast to its major competitors. At least, a stand alone sandbox employing virtualization. Eset employs an internal sandbox in regards to the hueristic scanning done by its real-time protection.