Jump to content

eset quarantine everything


Recommended Posts

hi im using eset smart secutiy 7 with latest update

i encountered this problem just now  , eset quarantine everything in SYSTEM32 and SYSWOW64 folder 

on the other side i found this problem too  , for example when  i click on some  file picture  etc   i get   following error

the parameter is incorrect

server execution failed

eset even quarantine some legit files like svchost.exe and even some other files that needed for windows boot up .

 

 

any suggestion for my situation ?

Link to comment
Share on other sites

  • Administrators

It sounds like system files got infected with a virus. Please post complete recent records from your threat log for better understanding of what was detected.

Link to comment
Share on other sites

where i can find threat log ?

you mean in tools>log file ?  i  see around 100  legit files detected by realtime&start up scanner   (all of them located in system32 )

can you please help me by remote dekstop or team viewer ?

Link to comment
Share on other sites

  • Administrators

you mean in tools>log file ?  i  see around 100  legit files detected by realtime&start up scanner   (all of them located in system32 )

 

Right. Select the recent records, then select Copy from the right-click context menu and paste the records here.

Link to comment
Share on other sites

  • Administrators

My assumption is that you had your computer protected with Malwarebytes and the system got infected with Virut. After you'd installed ESET, it started to detect attempts to re-infect system executables by mbam.exe:

 

5/12/2015 3:55:12 PM Real-time file system protection file C:\WINDOWS\SYSTEM32\WKSPRT.EXE Win32/Virut.NBP virus cleaned - quarantined Event occurred on a file modified by the application: C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe

 

I'd suggest creating a rescue Live CD (iso downloadable from ESET's website) and using it to clean your system completely.

Link to comment
Share on other sites

no im using eset more than a year along with malwarrbyte

ARE YOU sure this file wksprt.exe is the one that infected my system

now i cant boot in windows i get an error saying 'logon process initialization failure'

i tried to boot im safe mode but same error

Edited by ahmaden
Link to comment
Share on other sites

Hello ahmaden,

These answers from Marcos are based to log file that you provided above. According to ESET Smart Security, Win32/Virut.NBP is in an advanced stage, it has managed to reach a number of important system files and damaged them, which has led to many problems both with the stability and performance of your system. For example, here some of them:

 

5/12/2015 7:25:56 PM Startup scanner file C:\Windows\system32\cmd.exe Win32/Virut.NBP virus cleaned - quarantined

5/12/2015 7:25:56 PM Startup scanner file C:\Windows\system32\SystemPropertiesPerformance.exe Win32/Virut.NBP virus cleaned - quarantined

5/12/2015 7:25:55 PM Startup scanner file C:\Windows\system32\rundll32.exe Win32/Virut.NBP virus cleaned - quarantined

5/12/2015 7:25:50 PM Startup scanner file C:\Windows\system32\dllhost.exe Win32/Virut.NBP virus cleaned - quarantined

Specific of this virus except that is file infector, but that is polymorphic. This makes it extremely difficult to clean.

You have two options:

  • You could try to clean your system with ESET SysRescue Live as Marcos already recommended.
  • You could reformat your system.
About first option, it is important to know that there is no guarantee that all traces of Virut will be removed as they may not find all the remnants.

About second option, reformat your system following these instructions. It is possible to make a backup your information, but skip these file types to prevent re-infection of the system: .exe, .scr, .htm, .php, .asp.

More information about this threat: Win32/Virut.NBP .

If you have any further questions, feel free to ask in this thread.

Edited by Maniac
Link to comment
Share on other sites

hi maniac , thanks for your post

im scanning my pc with eset sysrescue live  

but as i mentioned above i cant boot in my OS ,since i get  error during windows boot  'logon process initialization failure' 

its because eset quarantined too many files  from SYSTEM32 folder , can i restore them from quarantine? (considering i cant boot in in OS ) 

i tried safe mode but same error 

is there a way to restore files that eset quarantined  without loging in? 

if there is no way , so how can i recover system32  files ?   ( plelease dont recomend new OS installation )

i heard there's a method called 'sfc' (system file checker )    , will it help ?

Link to comment
Share on other sites

can i find which one is the main malware that caused all these system files to infect ?

I'm afraid that it's quite difficult to identify.

According to your log file, your system is infected very seriously. I recommend you go to the second option.

You can make a backup of the data to save photos, videos and documents using Linux LiveCD or USB. You could create one of them from a clean system.

https://help.ubuntu.com/community/LiveCD

hxxp://www.ubuntu.com/download/desktop/create-a-usb-stick-on-windows

Link to comment
Share on other sites

marcon , scan log says files quarantined :

cleaned - quarantined

so i think that means all 1184 files moved from system drive to quarantine folder  , so how they can function properly ?!

Link to comment
Share on other sites

  • Administrators

marcon , scan log says files quarantined :

cleaned - quarantined

so i think that means all 1184 files moved from system drive to quarantine folder  , so how they can function properly ?!

 

Nope. Legitimate files were infected with Virut which is a file infector (virus). ESET cleaned the virus from these files and the original infected copy was put to quarantine where malicious files are stored in a safe form so that you could restore them at a later time, if needed for whatever reason.

Link to comment
Share on other sites

 

marcon , scan log says files quarantined :

cleaned - quarantined

so i think that means all 1184 files moved from system drive to quarantine folder  , so how they can function properly ?!

 

Nope. Legitimate files were infected with Virut which is a file infector (virus). ESET cleaned the virus from these files and the original infected copy was put to quarantine where malicious files are stored in a safe form so that you could restore them at a later time, if needed for whatever reason.

 

 

omg !

i tried to restore all files from quarantine then message appeared saying the file already exsit , replace ?  ( i pressed yes  then same message showing for next file , then i pressed yes again for couple of times , and since i cant do it for 1184 files,  in some point i  exhausted then i exited sysrescue ....

and now im reading your post ... so what shall i do ?  scan again ? 

Edited by ahmaden
Link to comment
Share on other sites

  • Administrators

And why are you restoring infected files, overwriting those that ESET has already cleaned?

Link to comment
Share on other sites

And why are you restoring infected files, overwriting those that ESET has already cleaned?

 

beacase i did that before  reading your post. i thought  eset will move file to quarantine entriely  ,didnt know that only infected copy will go to quarantine and the cleaned file remain to its place...

dont laugh at me please , when my OS was working properly and i was in eset smart security , when i saw eset quarantine important files in system32  such as svchost.exe  , i restored it ! 

 

however i tried sysrescue scan again and ~20 files cleaned again ,   and i tried to boot  in os but same error 

Link to comment
Share on other sites

I installed new os , please tell me how to block  IRC protocol in eset smart security firewall  ?

 

the description says :

hxxp://www.virusradar.com/en/Win32_Virut.NBP/description

 

'The virus connects to the IRC network. It can be controlled remotely. '

 

so how can I identify which application in eset rules is using IRC protocol  ?

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...