Posted

I got infected by a virus. I made the mistake of turning off my ESET protection because I downloaded an application from somewhere and they said I need to turn off protection to install it successfully.

This is the file:

https://www.virustotal.com/gui/file/e4efd1d6c7eaf477e83f38b2dca11515c6847fddd0b8ae1f89a334f2e3326df5

 

Now ESET doesn't work anymore; it got deleted by the virus after my computer got restarted, and now I can't install ESET anymore! When I install it, it gets deleted again. What should I do?

  • Administrators
Posted

Try running a disk scan with ESET Online scanner prior to installing ESET. 

Posted

If problems persist after running ESET Online scanner, you could also try performing a Win system restore using a restore point prior to when you installed the app/malware.

This won't remove all of the malware and/or app but should reset system settings to what existed prior to the app install. This will hopefully also restore Eset functionality to the point you could run a full scan with it.

Note: the malware may have disabled system restore functionality.

  • Most Valued Members
Posted

Windows Defender AV will be able to pick it up also if it's not disabled by the malware.

Here it's described how you can remove the virus manually through safe mode: https://medium.com/@beckylongman2015/how-to-remove-trojan-win32-skeeyah-a-bit-completely-283cf8edbc77

Posted (edited)
22 hours ago, Marcos said:

Try running a disk scan with ESET Online scanner prior to installing ESET. 

 

21 hours ago, itman said:

If problems persist after running ESET Online scanner, you could also try performing a Win system restore using a restore point prior to when you installed the app/malware.

This won't remove all of the malware and/or app but should reset system settings to what existed prior to the app install. This will hopefully also restore Eset functionality to the point you could run a full scan with it.

Note: the malware may have disabled system restore functionality.

 

ESET Online Scanner didn't help. I'm still infected and it couldn't find anything malicious in my system; it says all clean! And I don't have a restore point....

I know I'm still infected because ESET gets deleted as soon as I install it. I can open it for 5-6 seconds, then it's GONE.

So ESET literally cannot remove this?!!!

Edited by henrik_admiral
Posted
7 hours ago, Nightowl said:

Windows Defender AV will be able to pick it up also if it's not disabled by the malware.

Here it's described how you can remove the virus manually through safe mode: https://medium.com/@beckylongman2015/how-to-remove-trojan-win32-skeeyah-a-bit-completely-283cf8edbc77

That guide didn't help. In safe mode I cannot see any suspicious process in Task Manager,

and it says delete "Trojan name". What does that even mean? What's the trojan name? I couldn't see any skeeyah.exe,

and that article links to websites that are down.

Posted

Ignoring the Eset issue for the moment, if this is Win 10, Windows Defender should be active and functioning as your real-time protection. Did you check Windows Security Center and verify this is the case?

Posted (edited)
2 hours ago, henrik_admiral said:

I know I'm still infected because ESET gets deleted as soon as I install it. I can open it for 5-6 seconds, then it's GONE.

Further clarification needed on this.

Are you referring to the Eset desktop toolbar icon missing?

Does Eset still exist in the Win 10 Start menu?

Is the Eset service, "Eset Service," listed in Control Panel -> System and Security -> Administrative Tools -> Services? Is the service started and running?

Does this folder, "Eset", still exist in C:\Program Files? Does it contain the "Eset Security" folder? Does this folder contain sub-folders and files?

Edited by itman
Posted (edited)
22 minutes ago, itman said:

Further clarification needed on this.

Are you referring to the Eset desktop toolbar icon missing?

Does Eset still exist in the Win 10 Start menu?

Is the Eset service, "Eset Service," listed in Control Panel -> System and Security -> Administrative Tools -> Services? Is the service started and running?

Does this folder, "Eset", still exist in C:\Program Files? Does it contain the "Eset Security" folder? Does this folder contain sub-folders and files?

 

I am using Windows 7, 64-bit.

I thought ESET got deleted or something, but actually it seems like the ESET process is still up, but I cannot open ESET; when I try to open it, nothing shows up.

ESET services are running but I still cannot interact with the ESET GUI anymore. I tried to reinstall it, no luck. Sometimes I get a blue screen as well. And the ESET files don't seem to be deleted, now that I checked again.

When I restart the computer, I can open it for 5-6 seconds, and after that it gets closed and its services get stopped, and no matter how hard I try to click on different options in its icon, it won't open anymore.

Edited by henrik_admiral
Posted
1 hour ago, henrik_admiral said:

ESET services are running but I still cannot interact with the ESET GUI anymore. I tried to reinstall it, no luck. Sometimes I get a blue screen as well. And the ESET files don't seem to be deleted, now that I checked again.

When I restart the computer, I can open it for 5-6 seconds, and after that it gets closed and its services get stopped, and no matter how hard I try to click on different options in its icon, it won't open anymore.

You posted two conflicting statements.

First, you stated services are running. Next, you state Eset services are stopped after boot time.

If Eset services are currently stopped, restart them. Now try to access Eset GUI via Start menu and run an Eset scan.

  • Most Valued Members
Posted
1 hour ago, henrik_admiral said:

 

I am using Windows 7, 64-bit.

I thought ESET got deleted or something, but actually it seems like the ESET process is still up, but I cannot open ESET; when I try to open it, nothing shows up.

ESET services are running but I still cannot interact with the ESET GUI anymore. I tried to reinstall it, no luck. Sometimes I get a blue screen as well. And the ESET files don't seem to be deleted, now that I checked again.

When I restart the computer, I can open it for 5-6 seconds, and after that it gets closed and its services get stopped, and no matter how hard I try to click on different options in its icon, it won't open anymore.

You could try to uninstall Eset in safe mode with the uninstaller which I will link below. This uninstaller can often remove stuff that somehow may have been left. Then reinstall and see if there are any issues.

https://support.eset.com/en/kb2289-uninstall-eset-manually-using-the-eset-uninstaller-tool

Posted (edited)
8 hours ago, itman said:

You posted two conflicting statements.

First, you stated services are running. Next, you state Eset services are stopped after boot time.

If Eset services are currently stopped, restart them. Now try to access Eset GUI via Start menu and run an Eset scan.

OK, I started them manually using Task Manager, but I still cannot open the GUI. Also, it seems like they get stopped after around 15-20 minutes of booting up; when I start them manually, they again get stopped after around 15-20 minutes.

 

8 hours ago, peteyt said:

You could try to uninstall Eset in safe mode with the uninstaller which I will link below. This uninstaller can often remove stuff that somehow may have been left. Then reinstall and see if there are any issues.

https://support.eset.com/en/kb2289-uninstall-eset-manually-using-the-eset-uninstaller-tool

 

Tried this as well, still the same thing:

I can open it for around 10 seconds and can do scans with it, then it gets closed by something and I cannot open it anymore.

I used ESET for a long time and never had problems. This only happened after I tried to run that damn installer, so I'm 100% sure it's because of that. Everything seems slower too.

 

 

Edited by henrik_admiral
  • Administrators
Posted

As for the scan with ESET Online scanner, do you mean it has run but no threat was found?

Please provide logs collected with ESET Log Collector for perusal.

Posted
4 hours ago, Marcos said:

As for the scan with ESET Online scanner, do you mean it has run but no threat was found?

Please provide logs collected with ESET Log Collector for perusal.

I get a blue screen when I run this log collector.

Tried it with default, threat detection, and all options, and I still got a blue screen after around 10 seconds of running it.

I copied the operation log output as fast as I could before getting a blue screen. This is the output:

 

[9:20:02 AM] ESET Log Collector v4.1.2.0 (9/28/2020) - 64 bit
[9:20:02 AM] Copyright (c) 1992-2020 ESET, spol. s r.o. All rights reserved.
[9:20:02 AM] 
[9:20:02 AM] Detected product type: eis
[9:20:14 AM] ==============================
[9:20:14 AM] ESET logs collection mode: Filtered binary
[9:20:14 AM] Number of days to collect target files and log records for: 30
[9:20:14 AM] Saving metadata to C:\Users\henrik\AppData\Local\Temp\elc1EC6.tmp
[9:20:14 AM] Adding file: C:\Users\henrik\AppData\Local\Temp\elc1EC6.tmp -> metadata.txt
[9:20:14 AM] Adding file: C:\Users\henrik\AppData\Local\Temp\elc1EE6.tmp -> info.xml
[9:20:14 AM] Adding file: C:\ProgramData\ESET\ESET Security\versions.csv -> versions.csv
[9:20:14 AM] Adding file: C:\Users\henrik\AppData\Local\Temp\elc1F06.tmp -> features_state.txt
[9:20:14 AM] === Running processes (open handles and loaded DLLs) ===
[9:20:14 AM] Exporting...
[9:20:15 AM]   OK
[9:20:15 AM] Adding file: C:\Users\henrik\AppData\Local\Temp\elc1F17.tmp -> Windows/Processes.txt
[9:20:15 AM] Adding file: C:\Users\henrik\AppData\Local\Temp\elc1F18.tmp -> Windows/ProcessesTree.txt
[9:20:15 AM] === Drives info ===
 

  • Most Valued Members
Posted

Can you confirm it is just Eset? I mean, what happens if you download something like Malwarebytes and run a scan? Just wondering if whatever it is will disable that too.

Posted
2 minutes ago, peteyt said:

Can you confirm it is just Eset? I mean, what happens if you download something like Malwarebytes and run a scan? Just wondering if whatever it is will disable that too.

Can you give me a list of other suggestions that I should try out? I mostly used ESET and am not familiar with other antiviruses. Should I only try Malwarebytes and report back?

  • Administrators
Posted

If possible, create a bootable SysRescue medium and run a disk scan from there.

Posted

You can try using Kaspersky Virus Removal tool: https://support.kaspersky.com/8528 . Make sure when run to select "Change parameters" and select all objects shown including the system drive.

Note: If this app refuses to run or aborts shortly after startup, rename the file download - KVRT.exe - to something else and run the renamed executable.

Posted
6 hours ago, Marcos said:

If possible, create a bootable SysRescue medium and run a disk scan from there.

 

Tried the SysRescue; it successfully found 1 threat:

MBR sector of the /dev/sda. physical disk - Win32/Rootkit.Agent.OCL trojan - unable to clean

 

But it says unable to clean for some reason... I restarted the computer and the problem still exists. ESET gets closed after 10-15 seconds of booting up.
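For readers following the SysRescue result above (a detection in the MBR sector of /dev/sda), here is an added example that is not part of the thread or of ESET's tooling: it shows what a 512-byte MBR contains and how a saved sector image can be compared against a hash of the boot code recorded while the machine was clean. The sample sectors are constructed and the function names are illustrative.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: bootstrap code area
PART_ENTRY_LEN = 16            # four partition entries at bytes 446..509
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR image into boot-code hash, partitions, signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for slot in range(4):
        entry = sector[BOOT_CODE_LEN + slot * PART_ENTRY_LEN:][:PART_ENTRY_LEN]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:      # partition type 0 marks an unused slot
            partitions.append({"slot": slot, "bootable": entry[0] == 0x80,
                               "type": entry[4], "lba_start": lba_start,
                               "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def boot_code_changed(sector: bytes, baseline_sha256: str) -> bool:
    """True when the boot code differs from a hash recorded while clean."""
    return parse_mbr(sector)["boot_code_sha256"] != baseline_sha256


def constructed_mbr(boot_code: bytes) -> bytes:
    """Build a sample sector: constructed data, not read from a real disk."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\0" * 3, 0x07, b"\0" * 3,
                        2048, 204800)
    table = entry + b"\0" * (3 * PART_ENTRY_LEN)
    return boot_code.ljust(BOOT_CODE_LEN, b"\0") + table + BOOT_SIGNATURE


if __name__ == "__main__":
    clean = constructed_mbr(b"\xfa\x33\xc0")
    baseline = parse_mbr(clean)["boot_code_sha256"]
    altered = constructed_mbr(b"\xeb\x5e\x90")
    print(parse_mbr(clean)["partitions"])
    print("boot code changed:", boot_code_changed(altered, baseline))
```

A changed boot-code hash with an intact partition table and valid signature is the pattern to look for here: the disk still boots normally, but different code runs before the operating system loads.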

Posted
24 minutes ago, Marcos said:

You should restore MBR as per https://neosmart.net/wiki/fix-mbr/.

I am not a technical person and that article is too complex for me to understand.

I don't understand what the point of an antivirus is if I have to manually fix everything myself. Why can't ESET remove this, even though it is DETECTING it? Why can't ESET fix the MBR itself? What's the point of buying an antivirus then?

  • Most Valued Members
Posted
21 minutes ago, henrik_admiral said:

I am not a technical person and that article is too complex for me to understand.

I don't understand what the point of an antivirus is if I have to manually fix everything myself. Why can't ESET remove this, even though it is DETECTING it? Why can't ESET fix the MBR itself? What's the point of buying an antivirus then?

MBR is a very tricky thing, I believe, but my knowledge on that is limited. On that link Marcos gave you there is a bit that offers a download that will do most stuff for you. The other thing, as I mentioned, would be to download Malwarebytes and run a scan, but I don't know if this will be the same issue due to it being MBR related.

Posted (edited)

I read a posting over at bleepingcomputer.com that Kaspersky's TDSSKiller will remove this type of boot/rootkit. You can give it a shot and see if it detects and removes the rootkit. It runs very fast and will produce a log file. Review the log file and see if anything was detected. If so, wording will probably exist instructing you to reboot the PC to complete removal of the rootkit.

TDSSKiller can be downloaded here: https://support.kaspersky.com/5350#list

-EDIT- After opening TDSSKiller but prior to running it, select "Change parameters" and ensure all the settings shown in this article are enabled: https://forums.malwarebytes.com/topic/251556-need-help-removing-rootkit-agent/?do=findComment&comment=1335503 . Also read the entire posting, which will instruct on how to respond to any detection made by TDSSKiller.

Edited by itman
Posted
16 hours ago, itman said:

I read a posting over at bleepingcomputer.com that Kaspersky's TDSSKiller will remove this type of boot/rootkit. You can give it a shot and see if it detects and removes the rootkit. It runs very fast and will produce a log file. Review the log file and see if anything was detected. If so, wording will probably exist instructing you to reboot the PC to complete removal of the rootkit.

TDSSKiller can be downloaded here: https://support.kaspersky.com/5350#list

 

THANK YOU!! This solved the problem for me. It found a virus named "DarkGalaxy" and cured the system!

ESET really disappointed me with this one though. Why do I need to use other antiviruses to delete this virus when I purchased ESET? Either way, thanks everyone for their help!

  • Administrators
Posted
42 minutes ago, henrik_admiral said:

ESET really disappointed me with this one though. Why do I need to use other antiviruses to delete this virus when I purchased ESET? Either way, thanks everyone for their help!

ESET actually protected you from getting infected by the malware. Once AV protection is disabled and malware is run, it may be very difficult to remove it and specialized tools must be used.

This topic is now closed to further replies.