Hi,
I am new to the forum, and apologize if I do not follow every rule. But I am at wit’s end with this SIRESEF infection which I cannot seem to get rid of.
The details are thus:
1. There is a folder “C:\Program Files(x86)\Google\Desktop\Install{numbers}\.…\” which I cannot open. I tried to delete the “C:\Program Files(x86)\Google\Desktop” folder, but Windows told me “Access Denied”. I got the same error when I tried to give my account (with Administrator privileges) full control of the folder.
2. There are registry keys in HKEY_LOCAL_MACHINE\System\CurrentControlSet\services listed as “gupdate”, but in fact their real name is “!etadpug”. They have a Preferences subfolder, but I cannot delete these keys. I get the error “.yek gniteled elihw rrorE” whenever I try.
3. There is a Google Update service running (pointing to the folder in 1), but I cannot Stop/Disable it, because I get the error “service with the same name exists” or something like that.
I originally became aware of this infection after avast! alerted me to another (similar) folder, “C:\Users\steve\AppData\Local\Google\Desktop\Install”. I was able to delete that folder in safe mode; the corresponding one in Program Files(x86) cannot be deleted, even in safe mode.
A boot scan by avast! does not find anything untoward. Malwarebytes’ RegASSASSIN claims to delete the offending registry keys, but does not. A Quick Scan by avast! finished with the recommendation to delete the Google Update service. I clicked OK, but the service was not removed.
All I’ve been able to do is delete that AppData folder, and change some of the Registry values in the !etadpug key (in particular, the pointer to the Program Files(x86) is now null). Can anyone tell me how to remove this darn malware? If I need to post a log or anything like that, please let me know. Also I should mention I am a novice when it comes to advanced techniques (it took me a long while to figure out how to delete that AppData folder), so please be detailed (and patient!) when replying. I greatly appreciate it.
Thanks,
Steve