Deleted? Or not? Help with a Trojan please!

Discussion in 'ESET Smart Security' started by Vic G, Aug 15, 2012.

Thread Status:
Not open for further replies.
  1. Vic G

    Vic G Registered Member

    Joined:
    Jun 5, 2008
    Posts:
    4
    I accidentally clicked "ok" to an Adobe update request today and immediately realised my mistake (just a little too late).

    Eset alerted me, but I'm confused as to what is actually happening. One of the objects is "C:\Windows\system32\services.exe" and the threat is "Win64/Patched.B.Gen trojan". However, when I click on delete, Eset responds by saying "error while deleting". It cannot seem to remove it.

    I also get a popup saying that object "C:\Windows\Installer\{58ef1f8f-7c6e-e7eb-ad5f-1697b8007eff}\U\80000000.@" and threat "Win64/Sirefef.AL trojan" has been "cleaned by deleting - quarantined". However, this pops up every few minutes.

    I strongly suspect that my system is still infected and that Eset is being surprisingly useless.

    Any help would really be appreciated. I have tried searching the internet for any help with this issue, but not being particularly tech savvy doesn't help.

    Would I be better off getting rid of Eset and trying another piece of antivirus software?

    I am using Windows 7 64-bit with Eset Smart Security 5.0.95.0 with update module 1040 (20120313). Antivirus and antispyware scanner module: 1365 (20120724). Advanced heuristics module: 1121 (20111208). Anti-Stealth support module: 1032 (20120806).
     
    Last edited: Aug 15, 2012
  2. superssjdan

    superssjdan Registered Member

    Joined:
    Dec 11, 2011
    Posts:
    148
    Location:
    USA
    You are in fact still infected with a ZeroAccess variant. Do nothing further until you have been advised by someone from ESET in these forums, as attempting removal with most tools can make your system unbootable. ZeroAccess, as I am most familiar with it being called, is steadily changing, so what may work on one variant won't work on another. Please be patient and I'm sure someone from ESET will be along shortly. Most AV solutions seem to struggle with this malware, especially Norton. Eset has some especially sharp techs working for them which should have you free from infection in rather short order. Typically there will be some back and forth between yourself and the tech. Do everything exactly as stated, as they in most cases have to customize a solution for you. Best of luck.
     
  3. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Have you tried rebooting and then doing a full system scan? Also make an Eset SysInspector log for support, as they may want to view it.
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    In order to replace a patched services.exe with the original one, run "sfc.exe /scannow".
     
  5. Vic G

    Vic G Registered Member

    Joined:
    Jun 5, 2008
    Posts:
    4
    Hi Guys,

    Thank you for the information, superssjdan; I suspected as much. I'm very wary about using the PC at the moment until I can get this problem resolved.

    Marcos; I have done a "sfc.exe /scannow" and although I get a "Verification 100% complete", underneath it is a message saying "Windows Resource Protection could not perform the requested operation".

    Dark Shadow, thank you for the PC and carried out the scan, but with the same issue. I have just created a SysInspector log.

    Thank you all for the replies; any continued help would really be appreciated.
     
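The two indicators quoted in this thread (a services.exe that ESET flags as patched and that sfc cannot repair, and the GUID folder under Windows\Installer with a "U" subfolder holding an "80000000.@" file) can be checked read-only before anyone attempts removal. The script below is an added example, not ESET's tooling or anything posted in the thread; it assumes an elevated PowerShell 4.0 or later prompt (for Get-FileHash) and the default C:\Windows layout.

```powershell
# Added example (not from the thread): read-only checks for the two indicators
# the original poster reported. Assumes PowerShell 4.0+ and an elevated prompt.
$ServicesExe   = Join-Path $env:SystemRoot 'System32\services.exe'
$InstallerRoot = Join-Path $env:SystemRoot 'Installer'   # assumed default path

# 1. A patched services.exe no longer carries a valid Microsoft Authenticode
#    signature, which is what ESET's "Win64/Patched" detection reflects.
$sig  = Get-AuthenticodeSignature -FilePath $ServicesExe
$live = (Get-FileHash -Path $ServicesExe -Algorithm SHA256).Hash
[pscustomobject]@{
    File   = $ServicesExe
    Status = $sig.Status                      # 'Valid' on a clean system
    Signer = $sig.SignerCertificate.Subject
    SHA256 = $live
}

# 2. Windows keeps pristine copies of services.exe in the component store
#    (WinSxS). If no copy there hashes the same as System32\services.exe,
#    the live binary has been modified (the case sfc /scannow failed on above).
Get-ChildItem -Path (Join-Path $env:SystemRoot 'WinSxS') -Recurse `
    -Filter 'services.exe' -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Copy    = $_.FullName
            Matches = ((Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash -eq $live)
        }
    }

# 3. The second detection lived in a GUID-named folder under Windows\Installer
#    containing a 'U' subfolder and files ending in '.@'. Windows Installer does
#    not create a 'U' subfolder itself, so any hit here deserves a closer look
#    (report it to support; do not delete by hand).
Get-ChildItem -Path $InstallerRoot -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^\{[0-9a-f-]{36}\}$' } |
    ForEach-Object {
        $u = Join-Path $_.FullName 'U'
        if (Test-Path -Path $u) {
            Get-ChildItem -Path $u -Force -ErrorAction SilentlyContinue |
                Select-Object FullName, Length, LastWriteTime
        }
    }
```

Everything the script does is read-only, so it is safe to run before the back-and-forth with support that superssjdan describes; the output (signature status, hash comparison, and any "U" folder listing) is what a technician would ask for alongside the SysInspector log.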
  6. Janus

    Janus Registered Member

    Joined:
    Jan 2, 2012
    Posts:
    588
    Location:
    Europe - Denmark .
    Hello Vic G

    Just a suggestion. Try to run this tool; it has proved its worth for me many times. Link: http://support.kaspersky.com/faq/?qid=208283363 . If that does not work, then open an Eset Customer Support case, or go to a more malware-removal-dedicated site, such as http://malwareremoval.com/forum/viewforum.php?f=11 or http://www.geekstogo.com/forum/forum/37-virus-spyware-malware-removal/ . "Always remember to completely back up any important documents you have before trying any tools."

    Best of luck :)

    Janus
     
  7. TomFace

    TomFace Registered Member

    Joined:
    Jan 8, 2011
    Posts:
    77
    Location:
    USA
    Vic G, just being curious, what kind of an Adobe update did you click on? Was it a pop-up at a website? Reader? Or was it from the Adobe website? The reason I ask is I am getting an Adobe Reader X update notice and I do not want your issue (sorry :D ).

    I wish you well... really, open a support case with Eset; they have helped me several times. Don't panic!

    TomFace
     
  8. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I would imagine the impostor Adobe popup was web related and not from the system tray. When I see an update notification in my tray it's from the legit Adobe. When in doubt it's better to initiate the update directly from the source.
     
    Last edited: Aug 16, 2012
  9. Vic G

    Vic G Registered Member

    Joined:
    Jun 5, 2008
    Posts:
    4
    Hi Tomface, yes, Dark Shadow is correct. It was a pop up - usually I know better, but what can I say? A momentary lapse :rolleyes:

    Thank you for the advice Janus - I ended up being directed to the below link, which seems to have worked. Fingers crossed!

    http://kb.eset.com/esetkb/index?page=content&id=SOLN2895&_ref=zap

    Thanks to everyone for the help and suggestions.
     
  10. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    It happens; we humans make mistakes, but as long as we learn from it, it will probably never happen again.
     
  11. superssjdan

    superssjdan Registered Member

    Joined:
    Dec 11, 2011
    Posts:
    148
    Location:
    USA
    After you think you are clear, it probably wouldn't hurt to run HitmanPro and/or Malwarebytes to look for remnants. I really like HitmanPro versus Malwarebytes. I keep them both on my wife's machine and mine. Best of luck :D
     
  12. TomFace

    TomFace Registered Member

    Joined:
    Jan 8, 2011
    Posts:
    77
    Location:
    USA
    That's what I figured: pop-up (the origin, that is). Glad to hear you got it on the run! :thumb: :thumb:
     