[Closed per OP for R/R] Recurring trojans, Sirefef.AE, Agent.BA


abelegu2

Edit: Typo on the title, trojans* Sorry about that, but I can't seem to fix it. :(

Hi there.. I'm new to this site but it seemed like the one who could offer me a solution.

Eset Nod32 keeps quarantining these viruses called Sirefef.AE, Agent.BA, and just now it asked me whether or not I want to quarantine some threat called Sirefef.EZ!

I'm sort of a newbie when it comes to these things so I have no idea what to do... I'm afraid they might harm the computer and the antivirus doesn't seem to be doing its job in protecting it..

What do I do?
 
Guys.. I'm sorry to be a bore but I need help ASAP. I just restarted my computer and it said "Invalid system disk" and for a second I thought it wouldn't start... I think it's doing some really nasty things to my computer and ESET really isn't doing anything to fix it. :( Please help!
 
Welcome to TechSpot! I will be glad to help but a 3 hour wait is not reason for desperation! We are volunteers here, handling multiple threads at the same time.

The most likely thing happening is not that the Trojan is recurring- but rather that it isn't all being removed. The messages you are getting are being sent from the malware to make you think you need their 'program' to fix the system.

For now, ignore those messages and do not click on any of them.
================================================
Please follow these steps: Preliminary Virus and Malware Removal.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply.
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
=================================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in the cleaning process.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't follow directions given to someone else
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
Threads are closed after 5 days if there is no reply.
 
Sorry for sounding so impatient... just that this computer is rather new and I was stressed out thinking I messed something up. I truly apologize for coming off rude. Thank you for offering your help!

I followed the instructions in the link.
Here's the Malwarebytes log, and it didn't find anything:

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.06.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
AgnesaBelegu :: AGNESABELEGU-PC [administrator]

Protection: Disabled

6/6/2012 9:22:53 PM
mbam-log-2012-06-06 (21-22-53).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 243295
Time elapsed: 4 minute(s), 16 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

I'll be following the rest of the steps as well and let you know of the progress.
 
GMER didn't come up with any logs.. it just ran, it finished, and nothing happened.

STEP 4 problem - I clicked the link for the DDS download, but it only gets me to an about:blank tab and nothing happens. I waited for a few minutes in case anything showed up, and nothing would happen. What gives?
 
Ignore the last comment (can't edit for some reason) - it was weird but I opened the same link using Internet Explorer as I was using Google Chrome before and the download started normally. Here are the rest of the logs.

DDS.txt:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 10.4.0
Run by AgnesaBelegu at 21:48:18 on 2012-06-06
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8099.6124 [GMT 2:00]
.
AV: ESET NOD32 Antivirus 5.0 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET NOD32 Antivirus 5.0 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files (x86)\Windows Sidebar\sidebar.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\DAEMON Tools Lite\DTShellHlp.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Users\AgnesaBelegu\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\AgnesaBelegu\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\AgnesaBelegu\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\AgnesaBelegu\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\AgnesaBelegu\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: CmjBrowserHelperObject Object: {6fe6a929-59d1-4763-91ad-29b61cffb35b} - C:\Program Files (x86)\Mindjet\MindManager 9\Mm8InternetExplorer.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
uRun: [Sidebar] C:\Program Files (x86)\Windows Sidebar\sidebar.exe /autoRun
uRun: [Facebook Update] "C:\Users\AgnesaBelegu\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
uRun: [Xvid] C:\Program Files (x86)\Xvid\CheckUpdate.exe
mRun: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [AdobeCS6ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~3\Office12\ONBttnIE.dll
IE: {2F72393D-2472-4F82-B600-ED77F354B7FF} - {6FE6A929-59D1-4763-91AD-29B61CFFB35B} - C:\Program Files (x86)\Mindjet\MindManager 9\Mm8InternetExplorer.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~3\Office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{F7307C37-A42D-4AF4-BA02-09A83926F1A8} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{F7307C37-A42D-4AF4-BA02-09A83926F1A8}\0545B4F54556C656B6F6D696 : DhcpNameServer = 213.163.97.5 213.163.97.10
TCP: Interfaces\{F7307C37-A42D-4AF4-BA02-09A83926F1A8}\5524450264962737470264C6F6F627 : DhcpNameServer = 10.0.0.254
TCP: Interfaces\{F7307C37-A42D-4AF4-BA02-09A83926F1A8}\A6F6C6C656 : DhcpNameServer = 82.114.64.3 82.114.64.4 82.114.64.12
TCP: Interfaces\{F7307C37-A42D-4AF4-BA02-09A83926F1A8}\C4566756C6F4E656 : DhcpNameServer = 192.168.0.1 192.168.0.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
AppInit_DLLs: C:\Windows\SysWOW64\nvinit.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: CmjBrowserHelperObject Object: {6FE6A929-59D1-4763-91AD-29B61CFFB35B} - C:\Program Files (x86)\Mindjet\MindManager 9\Mm8InternetExplorer.dll
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
mRun-x64: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun-x64: [AdobeCS6ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRunOnce-x64: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
AppInit_DLLs-X64: C:\Windows\SysWOW64\nvinit.dll
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
.
============= SERVICES / DRIVERS ===============
.
R0 nvpciflt;nvpciflt;C:\Windows\system32\DRIVERS\nvpciflt.sys --> C:\Windows\system32\DRIVERS\nvpciflt.sys [?]
R1 nvkflt;nvkflt;C:\Windows\system32\DRIVERS\nvkflt.sys --> C:\Windows\system32\DRIVERS\nvkflt.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-4-4 63928]
R2 eamonm;eamonm;C:\Windows\system32\DRIVERS\eamonm.sys --> C:\Windows\system32\DRIVERS\eamonm.sys [?]
R2 ekrn;ESET Service;C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2011-8-9 974944]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-6-3 2348352]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-2-29 382272]
R2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2012-4-10 2655768]
R3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\system32\DRIVERS\dtsoftbus01.sys --> C:\Windows\system32\DRIVERS\dtsoftbus01.sys [?]
R3 ManyCam;ManyCam Virtual Webcam;C:\Windows\system32\DRIVERS\mcvidrv_x64.sys --> C:\Windows\system32\DRIVERS\mcvidrv_x64.sys [?]
R3 mcaudrv_simple;ManyCam Virtual Microphone;C:\Windows\system32\drivers\mcaudrv_x64.sys --> C:\Windows\system32\drivers\mcaudrv_x64.sys [?]
R3 MEIx64;Intel(R) Management Engine Interface ;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\nusb3hub.sys --> C:\Windows\system32\DRIVERS\nusb3hub.sys [?]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\nusb3xhc.sys --> C:\Windows\system32\DRIVERS\nusb3xhc.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 epfwwfpr;epfwwfpr;C:\Windows\system32\DRIVERS\epfwwfpr.sys --> C:\Windows\system32\DRIVERS\epfwwfpr.sys [?]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-2-29 158856]
.
=============== Created Last 30 ================
.
2012-06-06 19:21:1124904----a-w-C:\Windows\System32\drivers\mbam.sys
2012-06-06 19:21:11--------d-----w-C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-06-06 15:30:53772552----a-w-C:\Windows\SysWow64\npDeployJava1.dll
2012-06-06 15:15:58--------d-----w-C:\Users\AgnesaBelegu\AppData\Roaming\Malwarebytes
2012-06-06 15:15:43--------d-----w-C:\ProgramData\Malwarebytes
2012-06-06 15:07:57--------d-----w-C:\ProgramData\regid.1986-12.com.adobe
2012-06-05 13:40:37--------d-----w-C:\ProgramData\Rockstar Games
2012-06-05 13:02:02452440----a-w-C:\Windows\SysWow64\d3dx10_40.dll
2012-06-05 13:02:022605920----a-w-C:\Windows\System32\D3DCompiler_40.dll
2012-06-05 13:02:022036576----a-w-C:\Windows\SysWow64\D3DCompiler_40.dll
2012-06-05 13:01:585631312----a-w-C:\Windows\System32\D3DX9_40.dll
2012-06-05 13:01:584379984----a-w-C:\Windows\SysWow64\D3DX9_40.dll
2012-06-05 11:09:41--------d-----w-C:\Program Files (x86)\Rockstar Games
2012-06-05 06:09:558955792----a-w-C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{268004D7-8890-4B9F-BABF-7EED4DE90D55}\mpengine.dll
2012-06-03 20:19:29--------d-----w-C:\Windows\SysWow64\NV
2012-06-03 20:19:29--------d-----w-C:\Windows\System32\NV
2012-06-03 20:14:46889664----a-w-C:\Windows\System32\nvvsvc.exe
2012-06-03 20:14:46849728----a-w-C:\Windows\System32\nv3dappshext.dll
2012-06-03 20:14:4663296----a-w-C:\Windows\System32\nvshext.dll
2012-06-03 20:14:466074176----a-w-C:\Windows\System32\nvcpl.dll
2012-06-03 20:14:4655616----a-w-C:\Windows\System32\nv3dappshextr.dll
2012-06-03 20:14:463089728----a-w-C:\Windows\System32\nvsvc64.dll
2012-06-03 20:14:462561856----a-w-C:\Windows\System32\nvsvcr.dll
2012-06-03 20:14:462515790----a-w-C:\Windows\System32\nvcoproc.bin
2012-06-03 20:14:46118080----a-w-C:\Windows\System32\nvmctray.dll
2012-06-03 20:13:13--------d-----w-C:\ProgramData\NVIDIA Corporation
2012-06-03 14:35:46--------d-----w-C:\Windows\System32\appmgmt
2012-05-31 21:14:25--------d-----w-C:\Users\AgnesaBelegu\AppData\Roaming\PDAppFlex
2012-05-31 20:48:49--------d-----w-C:\Users\AgnesaBelegu\.ssh
2012-05-31 20:46:24--------d-----w-C:\Users\AgnesaBelegu\AppData\Roaming\GitHub
2012-05-31 20:46:23--------d-----w-C:\Users\AgnesaBelegu\AppData\Local\GitHub
2012-05-31 20:41:45--------d-----w-C:\Users\AgnesaBelegu\AppData\Local\Apps
2012-05-31 20:41:44--------d-----w-C:\Users\AgnesaBelegu\AppData\Local\Deployment
2012-05-31 17:24:34--------d-----w-C:\Users\AgnesaBelegu\Cisco Packet Tracer 5.3
2012-05-31 17:21:53--------d-----w-C:\Program Files (x86)\Cisco Packet Tracer 5.3
2012-05-27 11:02:45696832----a-w-C:\Windows\System32\xvidcore.dll
2012-05-27 11:02:45255488----a-w-C:\Windows\System32\xvidvfw.dll
2012-05-27 11:02:45173568----a-w-C:\Windows\System32\xvid.ax
2012-05-27 11:02:44645632----a-w-C:\Windows\SysWow64\xvidcore.dll
2012-05-27 11:02:44240640----a-w-C:\Windows\SysWow64\xvidvfw.dll
2012-05-27 11:02:44153088----a-w-C:\Windows\SysWow64\xvid.ax
2012-05-27 11:02:31--------d-----w-C:\Program Files (x86)\Xvid
2012-05-24 15:22:37--------d-----w-C:\Program Files (x86)\Common Files\Wise Installation Wizard
2012-05-24 14:58:30--------d-----w-C:\Program Files (x86)\Mass Effect 2
2012-05-24 11:18:5331040----a-w-C:\Windows\System32\nvhdap64.dll
2012-05-24 11:18:53188736----a-w-C:\Windows\System32\drivers\nvhda64v.sys
2012-05-24 11:18:521451840----a-w-C:\Windows\System32\nvhdagenco6420103.dll
2012-05-23 14:21:25--------d-----w-C:\Program Files (x86)\iMessage
2012-05-21 12:32:35--------d-----w-C:\Users\AgnesaBelegu\AppData\Local\AutoShutdown
2012-05-21 12:31:26--------d-----w-C:\Users\AgnesaBelegu\AppData\Local\ESET
2012-05-20 20:11:33--------d-----w-C:\Program Files (x86)\Microsoft Chart Controls
2012-05-17 22:50:0671680----a-w-C:\Windows\System32\frapsv64.dll
2012-05-17 22:50:0465536----a-w-C:\Windows\SysWow64\frapsvid.dll
2012-05-14 12:36:15--------d-----w-C:\Windows\pss
2012-05-12 09:18:03--------d-----w-C:\Users\AgnesaBelegu\AppData\Roaming\NVIDIA
2012-05-12 09:16:15--------d-----w-C:\Users\AgnesaBelegu\AppData\Roaming\.minecraft
2012-05-12 09:10:54--------d-----w-C:\Users\AgnesaBelegu\AppData\Local\ElevatedDiagnostics
2012-05-09 08:51:111544704----a-w-C:\Windows\System32\DWrite.dll
2012-05-09 08:51:091077248----a-w-C:\Windows\SysWow64\DWrite.dll
2012-05-09 08:50:595559664----a-w-C:\Windows\System32\ntoskrnl.exe
2012-05-09 08:50:573146240----a-w-C:\Windows\System32\win32k.sys
2012-05-09 08:50:533968368----a-w-C:\Windows\SysWow64\ntkrnlpa.exe
2012-05-09 08:50:513913072----a-w-C:\Windows\SysWow64\ntoskrnl.exe
2012-05-09 08:49:3575120----a-w-C:\Windows\System32\drivers\partmgr.sys
2012-05-09 08:48:481918320----a-w-C:\Windows\System32\drivers\tcpip.sys
2012-05-09 08:48:421732096----a-w-C:\Program Files\Windows Journal\NBDoc.DLL
2012-05-09 08:48:411367552----a-w-C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-09 08:48:40936960----a-w-C:\Program Files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2012-05-09 08:48:391402880----a-w-C:\Program Files\Windows Journal\JNWDRV.dll
2012-05-09 08:48:391393664----a-w-C:\Program Files\Windows Journal\JNTFiltr.dll
.
==================== Find3M ====================
.
2012-06-06 15:30:10687560----a-w-C:\Windows\SysWow64\deployJava1.dll
2012-04-19 10:44:08419840----a-w-C:\Windows\System32\systemcpl.dll
2012-04-19 10:44:0814848----a-w-C:\Windows\System32\slwga.dll
2012-04-19 10:44:0813824----a-w-C:\Windows\SysWow64\slwga.dll
2012-04-19 10:44:07833024----a-w-C:\Windows\SysWow64\user32.dll
2012-04-19 10:44:071008640----a-w-C:\Windows\System32\user32.dll
2012-04-16 19:44:05175616----a-w-C:\Windows\System32\msclmd.dll
2012-04-16 19:44:05152576----a-w-C:\Windows\SysWow64\msclmd.dll
2012-04-11 12:48:41750488----a-w-C:\Windows\System32\npdeployJava1.dll
2012-04-11 12:48:41660368----a-w-C:\Windows\System32\deployJava1.dll
2012-04-10 16:10:43216064----a-w-C:\Windows\iun3405.exe
2012-04-10 14:10:57283200----a-w-C:\Windows\System32\drivers\dtsoftbus01.sys
2012-04-08 22:40:3679360----a-w-C:\Windows\SysWow64\ff_vfw.dll
2012-03-12 18:56:40947472----a-w-C:\Windows\SysWow64\msjava.dll
.
============= FINISH: 21:49:24.53 ===============
 
Attach.txt:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 4/10/2012 11:02:50 PM
System Uptime: 6/6/2012 9:04:49 PM (0 hours ago)
.
Motherboard: Dell Inc. | | 0FXK2Y
Processor: Intel(R) Core(TM) i5-2430M CPU @ 2.40GHz | CPU 1 | 1176/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 464 GiB total, 258.625 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {e0cbf06c-cd8b-4647-bb8a-263b43f0f974}
Description: Generic Bluetooth Adapter
Device ID: USB\VID_0CF3&PID_3002\6&58952F4&0&4
Manufacturer: GenericAdapter
Name: Generic Bluetooth Adapter
PNP Device ID: USB\VID_0CF3&PID_3002\6&58952F4&0&4
Service: BTHUSB
.
==== System Restore Points ===================
.
RP76: 6/5/2012 3:40:19 PM - Installed Max Payne 3
RP77: 6/6/2012 5:29:17 PM - Installed Java(TM) 7 Update 4
RP78: 6/6/2012 9:10:44 PM - Removed LogMeIn Hamachi
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
Adobe AIR
Adobe Dreamweaver CS6
Adobe Help Manager
Adobe Reader X (10.1.3)
Adobe Widget Browser
Android SDK Tools
Auto Shutdown
Cisco Packet Tracer 5.3
DAEMON Tools Lite
Dell WLAN and Bluetooth Client Installation
Electronics Workbench V5.12
Facebook Video Calling 1.2.0.159
Fallout 3
ffdshow v1.2.4422 [2012-04-09]
Fraps (remove only)
Google Chrome
iMessage
Intel(R) Management Engine Components
Intel(R) Processor Graphics
Java Auto Updater
Java(TM) 6 Update 31
Java(TM) 7 Update 4
Malwarebytes Anti-Malware version 1.61.0.1400
ManyCam 3.0.68 (remove only)
Mass Effect
Mass Effect 2
Max Payne 3
Microsoft Chart Controls for Microsoft .NET Framework 3.5 (KB2500170)
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Mindjet MindManager 9
Notepad++
NVIDIA PhysX
NVIDIA Stereoscopic 3D Driver
Realtek Ethernet Controller Driver
Realtek USB 2.0 Card Reader
Renesas Electronics USB 3.0 Host Controller Driver
Rockstar Games Social Club
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition
Skype™ 5.8
System Requirements Lab CYRI
The Walking Dead (c) 3 version 1
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2598290) 32-Bit Edition
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
VLC media player 2.0.1
Xvid Video Codec
.
==== Event Viewer Messages From Past Week ========
.
6/6/2012 9:06:03 PM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891
6/6/2012 9:06:03 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891
6/6/2012 9:05:31 PM, Error: Service Control Manager [7003] - The epfwwfpr service depends the following service: BFE. This service might not be installed.
6/6/2012 9:05:17 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
6/6/2012 9:05:11 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
6/6/2012 9:05:11 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
6/5/2012 2:54:09 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR3.
6/5/2012 10:51:00 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR2.
6/4/2012 7:43:36 PM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
5/31/2012 9:25:28 PM, Error: Microsoft-Windows-DistributedCOM [10001] - Unable to start a DCOM Server: {F87B28F1-DA9A-4F35-8EC0-800EFCF26B83} as /. The error: "5" Happened while starting this command: C:\Windows\System32\slui.exe -Embedding
.
==== End Of File ===========================
And that's it... Nothing really changed.. I still get the notifications from Nod32 about more Trojans.. Sirefef.EZ and AD were the new ones now.
What else do I do?
 
Troubleshooting Errors from the Event Viewer:

1). You have 2 errors showing that could be pointing to hard drive failure:
6/5/2012 2:54:09 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR3.
6/5/2012 10:51:00 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR2.

This could point to hard drive failure. Be sure you have backed up anything of importance.
Are you using any external hard drives?
------------------------------------
2). 6/6/2012 9:06:03 PM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891

The Function Discovery Resource Publications service is required by the Windows 7 “Home group” connectivity feature. This service publishes this computer and its resources so they can be discovered over the network. If this service is stopped, network resources will no longer be published and they will not be discovered by other computers on the network.

1. Click Start> Search> type services.msc
2. Look for Function Discovery Resource Publication> right-click> select properties.
3. Set the service to start as “Automatic (Delayed)” instead of the default “Automatic”.
Exit Services when finished.
--------------------------------
3). 6/6/2012 9:05:31 PM, Error: Service Control Manager [7003] - The epfwwfpr service depends the following service: BFE. This service might not be installed.

System is unresponsive with ESET's server security products installed on Windows Vista, 7, 2008 Server, SBS 2008 and later. KB Solution ID: SOLN2567|Last Revised: April 05, 2012
Follow the steps below to get current. It is for the Eset Firewall: >>> http://kb.eset.com/esetkb/index?page=content&id=SOLN2567
===================================================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan. Uninstall directions, if needed:
  • Click START> then RUN
  • Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.
--------------------------------------

  • Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install. Just bypass and go on.
    • Note: No query will be made if the Recovery Console is already on the system.
  • Close any open browsers.
  • Before you run the Combofix scan, please disable any security software you have running.
    (If you need help with this, please see HERE)
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • When the scan completes, a report will be generated and it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.
Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
=======================================================
To run the Eset Online Virus Scan:
If you use Internet Explorer:
  1. Open the ESETOnlineScan
  2. Skip to #4 to "Continue with the directions"

  If you are using a browser other than Internet Explorer:
  3. Open Eset Smart Installer
    [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
    [o] Double click on the desktop icon to run.
    [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
  4. Continue with the directions.
  5. Check 'Yes I accept terms of use.'
  6. Click the Start button
  7. Accept any security warnings from your browser.
  8. Uncheck 'Remove found threats'
  9. Check 'Scan archives'
  10. Leave remaining settings as is.
  11. Press the Start button.
  12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  13. When the scan completes, press List of found threats
  14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  15. Push the Back button, then Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

You will need to stop the resident Nod32 to run the online scan.
==================================================
Please leave logs for Combofix and Eset Online scan in your next reply.
===================================================
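The helper's post above reviews the Event Viewer errors and changes a service's startup type through services.msc. Here is an added example, not part of that post or of any ESET material, that does the same triage from an elevated Windows PowerShell prompt: it pulls the System-log errors for the event IDs quoted in the thread (Disk 11, Service Control Manager 7003 and 7023), lists the physical disks so a `\Device\Harddisk1` error can be matched to a USB stick rather than the boot drive, checks the services named in the 7003/7023 errors, and applies the "Automatic (Delayed Start)" change with sc.exe. The service names BFE (Base Filtering Engine), IKEEXT (IKE and AuthIP IPsec Keying Modules) and FDResPub (Function Discovery Resource Publication) are the standard Windows names; the seven-day window is an assumption chosen to cover the dates in the log.

```powershell
# Added example (not from the thread): triage the Event Viewer errors quoted above
# from an elevated Windows PowerShell prompt instead of clicking through the GUI.
# Written to run on Windows 7's PowerShell 2.0, so it avoids newer operators.

# 1) Last 7 days of System-log errors (Level 2 = Error) for the sources the helper
#    discussed: Disk (ID 11, controller errors) and Service Control Manager (7003/7023).
#    The 7-day window is an assumption; widen it if the log dates are older.
$since = (Get-Date).AddDays(-7)
$wanted = 11, 7003, 7023
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 2; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $wanted -contains $_.Id } |
    Select-Object TimeCreated, ProviderName, Id, Message |
    Format-Table -AutoSize -Wrap

# 2) Map \Device\HarddiskN to a physical disk. Index 0 is normally the boot drive;
#    an error on Harddisk1 with a USB InterfaceType points at a removable device,
#    which is what the OP suspected, rather than the system drive.
Get-WmiObject Win32_DiskDrive |
    Select-Object Index, Model, InterfaceType, MediaType, Status |
    Sort-Object Index |
    Format-Table -AutoSize

# 3) The 7003 errors say IKEEXT and ESET's epfwwfpr filter depend on BFE; the 7023
#    error is FDResPub failing. Confirm BFE exists and is running before anything else.
#    (epfwwfpr is a kernel driver, not a Win32 service, so it is not listed here.)
Get-WmiObject Win32_Service -Filter "Name='BFE' OR Name='IKEEXT' OR Name='FDResPub'" |
    Select-Object Name, State, StartMode, ExitCode |
    Format-Table -AutoSize

# 4) Same change the post makes in services.msc: start FDResPub as
#    "Automatic (Delayed Start)". sc.exe requires the space after "start=".
sc.exe config FDResPub start= delayed-auto
```

If step 3 shows BFE missing or stopped, that is the thing to fix first: the IPsec keying service and the ESET firewall filter will keep logging 7003 until the Base Filtering Engine starts, and the delayed-start change in step 4 only addresses the separate FDResPub 7023 error.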
 
About the hard drive failure... that might have something to do with a 32GB USB I put into the computer yesterday; it was my friend's and it did come up with some errors. The date tells me that could be it... I really hope it isn't my hard drive it was referring to. Would that mean I would have to replace my hard drive entirely, or is it something a complete system re-install would fix?

Speaking of re-installs, if I re-install Windows 7 entirely on this computer, would everything get back to normal? Would the trojan be deleted and stop causing troubles, or is it something not even that can fix and I have to follow these steps? Because I've had troubles following these and if re-installing everything would make things easier, I could just do that and make sure the problem's gone forever.

As for the steps you recommended... I have had troubles following them from the very first one.

The first problem:

I went here:

http://kb.eset.com/esetkb/index?page=content&id=SOLN2567

And I downloaded what I was told to, followed Part I. The file extracted, and when it ran, it said "The update is not applicable to your computer." and it closed.

I didn't go further into Part II of that page since you made it pretty clear if anything fails I stop and tell you about it.

The second problem:

I downloaded Combofix from the link you sent me, and I ran it as instructed. It extracted everything, and when it was halfway through, Google Chrome would crash (I only had this forum page open), the extraction would briefly pause, then after Google would crash, the install continued and after it ended the program closed and nothing else happened. No pop up, absolutely nothing. What gives?

After that problem, I didn't move forward to the other steps. What do I do?
 
Friend, thank you so much for your help, but I decided to completely format my computer. Something began to happen to my GPU and my games were running extremely slow; one even said I don't have the appropriate hardware when I had played that game for the past month! I was too scared it was ruining too much, and I had to format everything and re-install Windows 7 along with the drivers.

I do need to know if that has cleared the problem. I downloaded the antivirus Microsoft Security Essentials although I don't know how reliable that is. Can I be sure everything's taken care of?
 
Can I be sure everything's taken care of?
It always bothers me when someone decides to reformat/reinstall without first trying to find the problem and fix it- then wants a guarantee that all is well!

I can't give you that guarantee. I don't know the extent of the malware infection, whether processes were corrupted or missing and need to be replaced, whether any of the problem was due to hardware, not software, whether the system was compromised and/or a Backdoor was left allowing access to the system.

I would have tried to help you work through the problems with the scans. A reformat/reinstall should be the last resort, not the first, except in the case of a file infector like Virut or Ramnit.

You call the infection "recurring." Has it occurred to you that if you save files and folders and any are infected with the malware and you introduce it back into the system after you reformat/reinstall, that you can reinfect the system again and the malware will "recur"!?
 