New User, Need help with infected files.

[SamHolmes 0]

Hey everyone, have got a problem. i have my ESET scan my computer every night and yesterday it came up with a threat and infected files. It did not clean those files. I copied the log report and included it here. I also have gone through a couple different steps to try and clean these files to no avail. One in particular was do a scan in safe mode but i couldnt even get ESET to run in safe mode. Any help will be appreciated thank you.

Log
Scan Log
Version of virus signature database: 14894 (20170206)
Date: 2/6/2017  Time: 8:37:09 PM
Scanned disks, folders and files: Operating memory;C:\Boot sector;F:\Boot sector;C:\;F:\
Boot sector of disk C: - error opening [4]

C:\Users\xerox\AppData\Local\Temp\HYD19ED.tmp.1486414487\HTA\3rdparty\FS.dll - a variant of Win32/FusionCore.K potentially unwanted application - action selection postponed until scan completion

Number of scanned objects: 368049
Number of threats found: 1
Number of cleaned objects: 0
Time of completion: 9:09:15 PM  Total scanning time: 1926 sec (00:32:06)

Notes:
[4] Object cannot be opened. It may be in use by another application or operating system.
 

Edited February 7, 2017 by Marcos
Redundant records removed

[Marcos 4,693]

It's actually not a threat but a potentially unwanted application. At the end of the scan, the user should have been presented with a window where the desired action could be selected.

[SamHolmes 0]

There was no such prompt after scan, which i thought was odd. I rescanned several times to see if i would give me some sort of option, nothing.

[SamHolmes 0]

This is all that it shows after scan is complete.

[mandiato 19]

at the bottom of screen you got "action after scan" and you need to select what you want to do, as you can see it is selected "No Action".

Edit: sorry yes, I've got the same problem here, action after scan reffers to action in sense shutdown/sleep etc. When I select from popup menu "scan file" on infected file I got only information tah threats are found, but no options to select cleaning it in any way.

Edited February 7, 2017 by mandiato

[SamHolmes 0]

Those are power options. Not cleaning options.

Shut Down, Reboot, Sleep, Hibernate. Helps me none.

[mandiato 19]

Yes, I figured it out... Right now I'm looking for some "suspicious" files to test it a little bit... Probably some bug in ESET

[mandiato 19]

It looks like on sshot below right now on my system, but I remember that for a long time I also cannot bring that requester to front, I was only informed about threats found. But maybe time to upgrade your installation to latest v10 version?

Regards

[SamHolmes 0]

ah yes i suppose i should. i guess i thought i was up to date. Ill try that and see what happens. thank you.

EDIT: Cant seem to find a "V10"

Edited February 7, 2017 by SamHolmes

[mandiato 19]

10 minutes ago, SamHolmes said:

EDIT: Cant seem to find a "V10"

https://www.eset.com/int/home/antivirus/#download

and on bottom at right side select "Advanced download" and select interesting for you version.

[SamHolmes 0]

do i need to do a clean install? And what if i dont have my license key?

[mandiato 19]

update should work, and during update you probably don't need key, because it will be imported form v9, but if you lost your credentials go to:

 

https://www.eset.com/us/support/lost-license/

[SamHolmes 0]

i found it in an email. thanks for your help. if this works i will post on thread.

 

[TomFace 539]

Also don't forget to set your cleaning level.

Cleaning levels

 

Real-time protection has three cleaning levels (to access cleaning level settings, click ThreatSense engine parameter setup in the Real-time file system protection section and then click Cleaning).

No cleaning – Infected files will not be cleaned automatically. The program will display a warning window and allow the user to choose an action. This level is designed for more advanced users who know which steps to take in the event of an infiltration.

Normal cleaning – The program will attempt to automatically clean or delete an infected file based on a predefined action (depending on the type of infiltration). Detection and deletion of an infected file is signaled by a notification the bottom-right corner of the screen. If it is not possible to select the correct action automatically, the program provides other follow-up actions. The same happens when a predefined action cannot be completed.

Strict cleaning – The program will clean or delete all infected files. The only exceptions are the system files. If it is not possible to clean them, the user is prompted to select an action by a warning window.

WARNING

If an archive contains a file or files which are infected, there are two options for dealing with the archive. In standard mode (Normal cleaning), the whole archive would be deleted if all the files it contains are infected files. In Strict cleaning mode, the archive would be deleted if it contains at least one infected file, regardless of the status of the other files in the archive.

http://help.eset.com/essp/10/en-US/index.html?work_avas_realtime_cleaning.htm

 

[SamHolmes 0]

16 hours ago, TomFace said:

Also don't forget to set your cleaning level.

Cleaning levels

 

Real-time protection has three cleaning levels (to access cleaning level settings, click ThreatSense engine parameter setup in the Real-time file system protection section and then click Cleaning).

No cleaning – Infected files will not be cleaned automatically. The program will display a warning window and allow the user to choose an action. This level is designed for more advanced users who know which steps to take in the event of an infiltration.

Normal cleaning – The program will attempt to automatically clean or delete an infected file based on a predefined action (depending on the type of infiltration). Detection and deletion of an infected file is signaled by a notification the bottom-right corner of the screen. If it is not possible to select the correct action automatically, the program provides other follow-up actions. The same happens when a predefined action cannot be completed.

Strict cleaning – The program will clean or delete all infected files. The only exceptions are the system files. If it is not possible to clean them, the user is prompted to select an action by a warning window.

WARNING

If an archive contains a file or files which are infected, there are two options for dealing with the archive. In standard mode (Normal cleaning), the whole archive would be deleted if all the files it contains are infected files. In Strict cleaning mode, the archive would be deleted if it contains at least one infected file, regardless of the status of the other files in the archive.

hxxp://help.eset.com/essp/10/en-US/index.html?work_avas_realtime_cleaning.htm

 

Thank You TomFace.

Also, someone please explain this to me. 18 Threats Found, 7 Cleaned. Next Scan. 0 Threats.

[itman 1,538]

45 minutes ago, SamHolmes said:

Also, someone please explain this to me. 18 Threats Found, 7 Cleaned. Next Scan. 0 Threats.

Eset performs an "Initial" scan every time it is installed/reinstalled. This is a very thorough scan of the OS installation HDD/SSD. Depending on the number of files present, the scan can take some time.

The manual scan you ran is by default a "Smart" scan. It will not scan all files present as is done by the "Initial" scan. Smart scan checks for directories/files/registry areas and the like commonly associated with malware activity. It also wlll not scan files previously scanned unless they have been modified.

Post a screen shot of the scan log showing files not cleaned. 

[SamHolmes 0]

17 hours ago, itman said:

Eset performs an "Initial" scan every time it is installed/reinstalled. This is a very thorough scan of the OS installation HDD/SSD. Depending on the number of files present, the scan can take some time.

The manual scan you ran is by default a "Smart" scan. It will not scan all files present as is done by the "Initial" scan. Smart scan checks for directories/files/registry areas and the like commonly associated with malware activity. It also wlll not scan files previously scanned unless they have been modified.

Post a screen shot of the scan log showing files not cleaned. 

Ive included screen shots of the log and the infected files. All the blue have the "error opening". This was an enormous log.

[itman 1,538]

Those detections are for "potentially unwanted applications." See this thread for reference: https://forum.eset.com/topic/10840-what-action-should-i-take-for-this-file/

If you decide to remove them, the associated software will not longer be functional. Run another Eset scan. Then note the screen shot  in the above referenced link displayed at the end of the scan. Click on the wording "Action for all listed threats." Then select what you want to do from the options shown.

Eset's definition of a potentially unwanted application i.e. PUA:

Potentially unwanted applications

A potentially unwanted application (PUA) is a program that contains adware, installs toolbars or has other unclear objectives. There are some situations where a user may feel that the benefits of a potentially unwanted application outweigh the risks

[mandiato 19]

OK. I finally reproduce that:

And after scan I can only dismiss and cannot select action. This happened with scan on demand from popup menu. This happened at default settings, so something goes wrong here. If I try to download infected file from Internet, it is blocked, and temp file is deleted, but when I run scan on demand I'm only informed about infection fact, and ESET shows that selection is postponed to end of scanning, but at end of scanning I can only dismiss information and log, I cannot select cleaning action. And as I said this is on default settings with clean install (no playing with changing detection level, or actions. Pure default settings.

When I try to run that file it is cleaned by default by deleting infected doc from archive, but there's no possibility to select action after on demand scan.

Something wrong goes here, so I'll raise bug at bugtracker.

[itman 1,538]

Try this. Enter Eset GUI. Click on Setup, then Advanced Setup on the bottom of the page.

Click on On-Demand computer scan. Then open ThreatSense settings by clicking on the "+" sign.

Change Cleaning Level to No Cleaning as shown in the below screen shot. Click OK on that screen and any subsequent screens to save your settings.

Run an On-Demand scan. At the end, you should be shown a screen that will allow you to delete/quarantine etc. the PUA's.

Then repeat the above steps and reset Cleaning Level to Normal.

Edited February 12, 2017 by itman

[mandiato 19]

This won't help at all, in both cases in log is mnessage about postponed asking user for action but no action window shows up at the end, user can only dismiss log files... At attached sshot  upper vindow is from scaning with no action lower with normal ... No difference.

[itman 1,538]

The infected file is in your desktop folder. Is it visible on your desktop screen? If so, manually delete the .zip folder.

[mandiato 19]

Yep, but this is only test file, one and only one which is actually available to such test on my system, so when I delete it, I cannot any longer reproduce that bug. And this is bug when something should ask what to do, and don't do it, leaves infection with false sense of security. Right now I'm in contact with devs to nail it down.

[mandiato 19]

I nailed it down a little bit further... And it occurs only when I start scanning from popup menu in "Fences" on desktop, using Windows Explorer or DirectoryOpus listers when selecting scan option leads to proper window with scan results and action to take. So this is something with interact between fences and ESET in my case.

[itman 1,538]

36 minutes ago, mandiato said:

Yep, but this is only test file, one and only one which is actually available to such test on my system, so when I delete it, I cannot any longer reproduce that bug. And this is bug when something should ask what to do, and don't do it, leaves infection with false sense of security. Right now I'm in contact with devs to nail it down.

Experimenting with live malware is a no-no. Since the file is in an archive, it can do no damage. If it was extracted from same, Eset would detect and delete it. Ditto if it was executed.