Windows 7: Trend Micro still finding threat in PendingDeletes after SFC operation

I posted yesterday about sudden threats from PTCH_ZACCESS.SIX popping up on my machine. Using the info on the Trend website, I ran an SFC scan on the Services.exe file, which it found as corrupt and supposedly restored it to its proper state.

Since then Trend has flagged a few other things, including a file called simply "n" listed as the threat TROJ_SIREF64.SM, which showed up in several places. Most of those were quarantined and removed on reboot, except for one that I removed myself this morning from the Local AppData folder in my user profile.



Now this morning Trend has thrown up another notification of that PTCH_ZACCESS.SIX threat, but this time it's a file called "$$DeleteME.services.exe.01cd70f09b4bc3fd.0000" in the Windows\winsxs\Temp\PendingDeletes folder. As I understand it, the files in this folder are created after an SFC scan. Right now I have 6 files in that folder, other files from 2009, not that one. So I guess that file is gone. But I cannot manually delete those other files. The other odd thing is that if I look at the Temp folder, PendingDeletes is not shown, despite Explorer being set to show hidden files and folders. The only folder shown is PendingRenames which has thousands of files in it.

I don't understand why all these threats are popping up all of a sudden. It all started after visiting the Orbea Bikes website yesterday (very high end bicycle manufacturer). I got a notification about an Adobe Flash update, but the update was one version older than what was already installed on my machine. After that my Trend Micro started going crazy with all these threat notifications: Mal_Xin12, PTCH_ZACCESS.SIX, and TROJ_SIREF64.SM, contained within the files services.exe, that weird beacucqitear.exe file, this file called "n", and that $$DeleteMe.services.exe file.

Could there be something else malicious on my machine that's creating this stuff after Trend or myself finds the files and deletes them?

If sounds as if you have one of the newer Sirefef variants. The newer variants are hard to remove, as they take advantage though the registry by presenting a genuine MS file & then switching over to the infected file, thus eluding complete detection.

MS is recommending a complete reinstall for Sirefef and doing a disk wipe would also be a good idea.

Encyclopedia entry: Win32/Sirefef - Learn more about malware - Microsoft Malware Protection Center

Clean Install Windows 7

holy smokes man, that's crazy. Could I have gotten this thing just from going to a bicycle manufacturer's website?

*edit*
I just ran a complete, full scan with MBAM, full scan with Spybot S&D, and scan with TDSSKilller, all in safe mode in an administrator account. Nothing at all came up in any scan. I guess I'll wait and see if there are any more problems.

If you know the physical location of the file, you can always submit it to Virus Total for 40+ opinions.

https://www.virustotal.com/

A Guy

Patrick,

Borg has given you excellent advice.

Eset online scanner will help you remove this particular infection

ESET Online Virus Scanner | ESET

If so, here are some instructions to run a scan there from a security expert:

• Note: It is easiest if you use Internet explorer for this scan. (If you use an alternate browser, it will be necessary to download the ESET Smart Installer)
• Turn off the real time scanner of any existing antivirus program while performing the online scan
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the ActiveX control to install
• Click Start
• Make sure that the option Remove found threats and the Scan Archives options are ticked.
• Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
• Click Scan
• Wait for the scan to finish
• Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt

A Guy