
itman

Everything posted by itman

  1. Does this issue only occur in Firefox? Temporarily use a different browser and determine if the issue persists. If it doesn't, the issue is with Firefox. Firefox by default now enables DNS over HTTPS; i.e. DoH, using Cloudflare DNS servers. You might have an issue connecting to those servers in Romania for some reason. You can temporarily disable DoH in Firefox and determine if that solves the issue.
  2. I will say this. When I checked Eset worldwide partners and selected China, I ended up at this http-only web site: http://www.eset.com.cn/ . That does not appear to be right to me.
  3. It is impossible to determine what the malware did when you started the PC in normal mode and all security protection was disabled. At a minimum, you should change all your passwords; especially those pertaining to financial web sites. If you used e-mail when all security protection was disabled, your passwords there should be changed. You should also run a full Eset custom scan at Admin level and see if Eset can find any residual malware.
  4. Appears this is the URL to sign onto Intuit App Center: https://accounts.intuit.com/index.html?offering_id=Intuit.sbg-fms.ippdevx&redirect_url=https%3a%2f%2fappcenter.intuit.com . Did you add this URL to Eset B&PP?
  5. In this setting, Eset should show as the active real-time protection. If you mouse click on the "Manage providers" setting on that screen, the next screen displayed should show that Eset real-time protection and firewall are "On" and the Windows firewall and Windows Defender are "Off." In App and Browser Control, all settings shown in Reputation Based Protection should be enabled for maximum protection. Most of the settings in this section pertain to SmartScreen settings. These will provide additional protection; for example, a process that is attempting to execute that was not downl
  6. Good point. Repeated infections after a drive reformat and OS installation would most definitely point to a network security issue external to the device being reinfected. Problem is one has to go through this process to confirm it is the source of repeated infections. Additionally, the above is not the only source of residual malware. The malware may be firmware based, residing on a device attached to the PC or a component of the motherboard. There also have been instances where malware has persisted through a normal drive reformat. This is why it is recommended to perform an industrial grade so
  7. Found one bugger using malicious maintenance.vbs script: https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html One possible way maintenance.vbs landed on the OP's device. Of note in this case, it was in a %AppData% directory.
  8. I was able to find an analysis of StartupCheck.vbs at Joe's Cloud Sandbox here: https://www.joesandbox.com/analysis/243006/0/html which they determined to be malicious. Using the file hash shown, went to VirusTotal to see if anyone detects it. The result was no one detects it. At least an explanation why this bugger "is flying under the AV radar" for so long.
  9. Appears you enabled; i.e. set to true, this setting: This feature in Firefox is experimental and always has been buggy. Set it back to the default false setting and you will have no issues with Eset in Firefox DoH mode. I can open this web site, http://kraken.com/ , w/o issue.
  10. That was the case prior to ver. 14. On my Win 10 20H2 build, EIS Private Bytes usage per Process Explorer is currently 135 MB.
  11. Also, how could this bugger delete ekrn.exe? Per maintenance.vbs script: strArgs = "%comspec% /C %SystemRoot%\System32\msiexec.exe /i %SystemRoot%\System32\ServiceInstaller.msi /qn & del %SystemRoot%\System32\ServiceInstaller.msi & %SystemRoot%\System32\bcdedit.exe /set {current} safeboot minimal & %SystemRoot%\System32\powercfg.exe /hibernate off & schtasks /Delete /TN ""Microsoft\Windows\Maintenance\InstallWinSAT"" /F" Note the reference to "safeboot." Eset unfortunately is not functional in Safe mode. The next time the PC was rebooted, it was in Safe mode. At this po
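As an added example (not part of itman's post), the command line he quotes from maintenance.vbs can be turned into detection logic for process-creation logs (e.g. Sysmon Event ID 1 or Security 4688 command-line fields): each of the five chained commands is an indicator on its own, and together they are a strong signal. The benign WinSAT line and the two-indicator threshold are my own assumptions.

```python
import re

# Constructed sample: the strArgs command line quoted in the post above, with the
# VBScript doubled quotes ("") unescaped as the spawned cmd.exe would actually see them.
MAINTENANCE_VBS_CMD = (
    '%comspec% /C %SystemRoot%\\System32\\msiexec.exe /i '
    '%SystemRoot%\\System32\\ServiceInstaller.msi /qn '
    '& del %SystemRoot%\\System32\\ServiceInstaller.msi '
    '& %SystemRoot%\\System32\\bcdedit.exe /set {current} safeboot minimal '
    '& %SystemRoot%\\System32\\powercfg.exe /hibernate off '
    '& schtasks /Delete /TN "Microsoft\\Windows\\Maintenance\\InstallWinSAT" /F'
)

# Constructed benign sample (assumption): the legitimate WinSAT assessment run
# mentioned elsewhere in the thread, which must NOT trigger any indicator.
BENIGN_WINSAT_CMD = '%SystemRoot%\\System32\\winsat.exe formal'

# One pattern per behaviour in the quoted chain. Names are my own labels.
INDICATORS = [
    # Forcing the next boot into Safe Mode, where the AV's real-time protection does not run
    ("safeboot_forced", re.compile(r"bcdedit(\.exe)?\s+/set\s+\{current\}\s+safeboot", re.I)),
    # Silent (/qn) MSI install from inside System32
    ("silent_msi_from_system32", re.compile(r"msiexec(\.exe)?\s+/i\s+\S*system32\\\S+\.msi\s+/qn", re.I)),
    # Installer deleting itself right after use
    ("installer_self_delete", re.compile(r"\bdel\s+\S+\.msi\b", re.I)),
    # Hibernation turned off so the forced reboot is a real restart
    ("hibernate_disabled", re.compile(r"powercfg(\.exe)?\s+/hibernate\s+off", re.I)),
    # Scheduled task removed with /F (here the task that launched the script)
    ("scheduled_task_deleted", re.compile(r'schtasks\s+/delete\s+/tn\s+"?[^"&]+"?\s+/f', re.I)),
]


def score_command_line(cmdline: str) -> list[str]:
    """Return the names of all indicators that match one process command line."""
    return [name for name, rx in INDICATORS if rx.search(cmdline)]


def is_suspicious(cmdline: str, threshold: int = 2) -> bool:
    """Flag a command line when at least `threshold` indicators co-occur (assumed threshold)."""
    return len(score_command_line(cmdline)) >= threshold


if __name__ == "__main__":
    for label, cmd in (("maintenance.vbs", MAINTENANCE_VBS_CMD), ("winsat", BENIGN_WINSAT_CMD)):
        print(f"{label}: suspicious={is_suspicious(cmd)} hits={score_command_line(cmd)}")
```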
  12. Hard to say what went on in this device in the week or so since this malware was detected. From MBAM's findings to date, it appears to be coin mining related. But who knows if a backdoor or more malware, spyware, etc. were also installed in the interim? If it were my device, I would indeed reformat and reinstall Win 10 20H2.
  13. One last item to cover. How to get this installer, ServiceInstaller.msi, to run "under the radar." First, we need to employ a few registry changes described here: https://www.howtogeek.com/178826/how-to-force-an-msi-package-to-install-using-administrator-mode/ . Then we employ one of the numerous UAC bypasses out there, running the installer in hidden mode. However, in this instance, assume that the InstallWinSAT task was set up to run with "highest privileges," allowing the installer to run unimpeded:
  14. It appears this is the reference for the above excerpt you posted: https://www.winhelponline.com/blog/script-error-maintenance-vbs-at-startup/ . You didn't post the most significant text in the posting: To begin, it should be noted that winsat.exe is legit, it is located in the System32 directory, and in fact, there is a legit WinSat task that runs it once a week. It can also be run from the command prompt or using PowerShell; https://www.techrepublic.com/article/how-to-use-the-windows-10-assessment-tool-to-measure-system-performance/ . One possible source for this bogus and obvio
  15. Scan the entire drive where Win 10 is installed and determine if either of these files exist; StartupCheckLibrary.vbs and Maintenance.vbs.
  16. I also again make reference to this posting, the link to which I posted previously: https://answers.microsoft.com/en-us/windows/forum/windows_10-security/some-virus-keeps-removing-or-breaking-antivirus/56437d7a-5f56-4294-ad11-8f7a2da5653b which relates malware behavior almost identical to what the OP is experiencing. In this posting, it appears two .vbs scripts were the main culprits; -EDIT- It appears that maintenance.vbs is associated with WinSAT, which would make it an ideal target for an attacker to hijack: https://www.file.net/process/maintenance.vbs.html Ref.: https://en.wikiped
  17. Interesting observation. Didn't know that was possible. However, OP already posted he is not using RDP but Cisco VPN client. Don't believe that has RDP two-way like capability.
  18. Can't tell anything from what is posted in that thread. What is fairly obvious by now is this is a coin miner using a rootkit or rootkit-like behavior. The one most widely deployed in this category is ZeroAccess: My best guess is what is infecting you is a new variant that Eset is not detecting. Eset has a tool to remove ZeroAccess but don't know if it will detect this new variant: https://malwaretips.com/blogs/remove-zeroaccess-rootkit/
  19. Since the OP is using Cisco VPN, this is worth "a read." https://tech.co/news/cisco-vpn-security-bug-without-fix Ref.: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK
  20. Here's a posting from Nov.14 with a lot of similar behavior to what is occurring on the OP's device: https://answers.microsoft.com/en-us/windows/forum/all/cant-run-windows-update-windows-security-or/44ca6d86-5742-48ca-bd47-8038651bd433 Whatever this bugger is, it appears "to be flying under the radar" of anti-virus solutions.
  21. I also believe this is a rootkit. You can try MBAM's Anti-Rootkit tool here: https://www.malwarebytes.com/antirootkit/ Note: If the tool detects anything and cleans it, the tool must be run again to verify everything is removed. This must be done repeatedly until the tool states you're clean.
  22. TP-Link Wi-Fi extenders have a vulnerability that can allow a hacker to completely control a targeted system: https://www.cnet.com/news/these-wi-fi-extenders-had-vulnerabilities-that-gave-hackers-complete-control/ . Also note this: https://askleo.com/does-a-wireless-range-extender-compromise-my-security/ Additionally, if you are using a Tenda PA6 Wi-Fi Powerline extender, version 1.0.1.21, note this: https://securityintelligence.com/posts/vulnerable-powerline-extenders-underline-lax-iot-security/
  23. There is also the rootkit possibility. Microsoft has a nice diagram on how those load and can bypass/disable anti-virus:
  24. Correct. I also tried it recently in a firewall rule and it didn't work. Try this. It appears the firewall editor will allow just a process name. Enter just slack.exe in the rule Application field and see if that works.
  25. Another possibility is some malware installed a malicious device driver. Those would load prior to Eset's ELAM driver and could intercept its loading. A malicious device driver is rare, but they do exist. They are normally reserved for high-value targeted attacks though. @ProblemNeedsSolution, do you have Win 10 Secure Boot enabled on this device?