TechSpot

[Closed per OP for R/R] Recurring trojans, Sirefef.AE, Agent.BA

By abelegu2
Jun 6, 2012
  1. Edit: Typo on the title, trojans* Sorry about that, but I can't seem to fix it. :(

    Hi there.. I'm new to this site but it seemed like the one who could offer me a solution.

    Eset Nod32 keeps quarantining these viruses called Sirefef.AE, Agent.BA, and just now it asked me whether or not I want to quarantine some threat called Sirefef.EZ!

    I'm sort of a newbie when it comes to these things so I have no idea what to do... I'm afraid they might harm the computer and the antivirus doesn't seem to be doing its job in protecting it..

    What do I do?
     
  2. abelegu2

    abelegu2 TS Rookie Topic Starter

    Guys.. I'm sorry to be a bore but I need help ASAP. I just restarted my computer and it said "Invalid system disk" and for a second I thought it wouldn't start... I think it's doing some really nasty things to my computer and ESET really isn't doing anything to fix it. :( Please help!
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! I will be glad to help, but a 3 hour wait is not reason for desperation! We are volunteers here, handling multiple threads at the same time.

    The most likely thing happening is not that the Trojan is recurring, but rather that it isn't all being removed. The messages you are getting are being sent from the malware to make you think you need their 'program' to fix the system.

    For now, ignore those messages and do not click on any of them.
    ================================================
    Please follow these steps: Preliminary Virus and Malware Removal.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply .
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
    =================================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't follow directions given to someone else
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    Threads are closed after 5 days if there is no reply.
     
  4. abelegu2

    abelegu2 TS Rookie Topic Starter

    Sorry for sounding so impatient... just that this computer is rather new and I was stressed out thinking I messed something up. I truly apologize for coming off rude. Thank you for offering your help!

    I followed the instructions in the link.
    Here's the MalwareBytes log, and it didn't find anything:

    Malwarebytes Anti-Malware (Trial) 1.61.0.1400
    www.malwarebytes.org

    Database version: v2012.06.06.05

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 8.0.7601.17514
    AgnesaBelegu :: AGNESABELEGU-PC [administrator]

    Protection: Disabled

    6/6/2012 9:22:53 PM
    mbam-log-2012-06-06 (21-22-53).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 243295
    Time elapsed: 4 minute(s), 16 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

    I'll be following the rest of the steps as well and let you know of the progress.
     
  5. abelegu2

    abelegu2 TS Rookie Topic Starter

    GMER didn't come up with any logs. It just ran, it finished, and nothing happened.

    STEP 4 problem - I clicked the link for the DDS download, but it only gets me to an about:blank tab and nothing happens. I waited for a few minutes in case anything showed up, and nothing would happen. What gives?
     
  6. abelegu2

    abelegu2 TS Rookie Topic Starter

    Ignore the last comment (can't edit for some reason) - it was weird but I opened the same link using Internet Explorer as I was using Google Chrome before and the download started normally. Here are the rest of the logs.

    DDS.txt:

    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 10.4.0
    Run by AgnesaBelegu at 21:48:18 on 2012-06-06
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8099.6124 [GMT 2:00]
    .
    AV: ESET NOD32 Antivirus 5.0 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
    SP: ESET NOD32 Antivirus 5.0 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\Program Files (x86)\Windows Sidebar\sidebar.exe
    C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files (x86)\DAEMON Tools Lite\DTShellHlp.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    C:\Users\AgnesaBelegu\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\AgnesaBelegu\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\AgnesaBelegu\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\AgnesaBelegu\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\SysWOW64\rundll32.exe
    C:\Users\AgnesaBelegu\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    mWinlogon: Userinit=userinit.exe
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: CmjBrowserHelperObject Object: {6fe6a929-59d1-4763-91ad-29b61cffb35b} - C:\Program Files (x86)\Mindjet\MindManager 9\Mm8InternetExplorer.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
    uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
    uRun: [Sidebar] C:\Program Files (x86)\Windows Sidebar\sidebar.exe /autoRun
    uRun: [Facebook Update] "C:\Users\AgnesaBelegu\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
    uRun: [Xvid] C:\Program Files (x86)\Xvid\CheckUpdate.exe
    mRun: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
    mRun: [AdobeCS6ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~3\Office12\ONBttnIE.dll
    IE: {2F72393D-2472-4F82-B600-ED77F354B7FF} - {6FE6A929-59D1-4763-91AD-29B61CFFB35B} - C:\Program Files (x86)\Mindjet\MindManager 9\Mm8InternetExplorer.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~3\Office12\REFIEBAR.DLL
    LSP: mswsock.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    TCP: DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{F7307C37-A42D-4AF4-BA02-09A83926F1A8} : DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{F7307C37-A42D-4AF4-BA02-09A83926F1A8}\0545B4F54556C656B6F6D696 : DhcpNameServer = 213.163.97.5 213.163.97.10
    TCP: Interfaces\{F7307C37-A42D-4AF4-BA02-09A83926F1A8}\5524450264962737470264C6F6F627 : DhcpNameServer = 10.0.0.254
    TCP: Interfaces\{F7307C37-A42D-4AF4-BA02-09A83926F1A8}\A6F6C6C656 : DhcpNameServer = 82.114.64.3 82.114.64.4 82.114.64.12
    TCP: Interfaces\{F7307C37-A42D-4AF4-BA02-09A83926F1A8}\C4566756C6F4E656 : DhcpNameServer = 192.168.0.1 192.168.0.1
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
    AppInit_DLLs: C:\Windows\SysWOW64\nvinit.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: CmjBrowserHelperObject Object: {6FE6A929-59D1-4763-91AD-29B61CFFB35B} - C:\Program Files (x86)\Mindjet\MindManager 9\Mm8InternetExplorer.dll
    BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    BHO-X64: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
    mRun-x64: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
    mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
    mRun-x64: [AdobeCS6ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin
    mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRunOnce-x64: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    AppInit_DLLs-X64: C:\Windows\SysWOW64\nvinit.dll
    SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 nvpciflt;nvpciflt;C:\Windows\system32\DRIVERS\nvpciflt.sys --> C:\Windows\system32\DRIVERS\nvpciflt.sys [?]
    R1 nvkflt;nvkflt;C:\Windows\system32\DRIVERS\nvkflt.sys --> C:\Windows\system32\DRIVERS\nvkflt.sys [?]
    R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
    R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-4-4 63928]
    R2 eamonm;eamonm;C:\Windows\system32\DRIVERS\eamonm.sys --> C:\Windows\system32\DRIVERS\eamonm.sys [?]
    R2 ekrn;ESET Service;C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2011-8-9 974944]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-6-3 2348352]
    R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-2-29 382272]
    R2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2012-4-10 2655768]
    R3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\system32\DRIVERS\dtsoftbus01.sys --> C:\Windows\system32\DRIVERS\dtsoftbus01.sys [?]
    R3 ManyCam;ManyCam Virtual Webcam;C:\Windows\system32\DRIVERS\mcvidrv_x64.sys --> C:\Windows\system32\DRIVERS\mcvidrv_x64.sys [?]
    R3 mcaudrv_simple;ManyCam Virtual Microphone;C:\Windows\system32\drivers\mcaudrv_x64.sys --> C:\Windows\system32\drivers\mcaudrv_x64.sys [?]
    R3 MEIx64;Intel(R) Management Engine Interface ;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
    R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\nusb3hub.sys --> C:\Windows\system32\DRIVERS\nusb3hub.sys [?]
    R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\nusb3xhc.sys --> C:\Windows\system32\DRIVERS\nusb3xhc.sys [?]
    R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S2 epfwwfpr;epfwwfpr;C:\Windows\system32\DRIVERS\epfwwfpr.sys --> C:\Windows\system32\DRIVERS\epfwwfpr.sys [?]
    S3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
    S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
    S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
    S4 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-2-29 158856]
    .
    =============== Created Last 30 ================
    .
    2012-06-06 19:21:11  24904     ----a-w-  C:\Windows\System32\drivers\mbam.sys
    2012-06-06 19:21:11  --------  d-----w-  C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-06-06 15:30:53  772552    ----a-w-  C:\Windows\SysWow64\npDeployJava1.dll
    2012-06-06 15:15:58  --------  d-----w-  C:\Users\AgnesaBelegu\AppData\Roaming\Malwarebytes
    2012-06-06 15:15:43  --------  d-----w-  C:\ProgramData\Malwarebytes
    2012-06-06 15:07:57  --------  d-----w-  C:\ProgramData\regid.1986-12.com.adobe
    2012-06-05 13:40:37  --------  d-----w-  C:\ProgramData\Rockstar Games
    2012-06-05 13:02:02  452440    ----a-w-  C:\Windows\SysWow64\d3dx10_40.dll
    2012-06-05 13:02:02  2605920   ----a-w-  C:\Windows\System32\D3DCompiler_40.dll
    2012-06-05 13:02:02  2036576   ----a-w-  C:\Windows\SysWow64\D3DCompiler_40.dll
    2012-06-05 13:01:58  5631312   ----a-w-  C:\Windows\System32\D3DX9_40.dll
    2012-06-05 13:01:58  4379984   ----a-w-  C:\Windows\SysWow64\D3DX9_40.dll
    2012-06-05 11:09:41  --------  d-----w-  C:\Program Files (x86)\Rockstar Games
    2012-06-05 06:09:55  8955792   ----a-w-  C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{268004D7-8890-4B9F-BABF-7EED4DE90D55}\mpengine.dll
    2012-06-03 20:19:29  --------  d-----w-  C:\Windows\SysWow64\NV
    2012-06-03 20:19:29  --------  d-----w-  C:\Windows\System32\NV
    2012-06-03 20:14:46  889664    ----a-w-  C:\Windows\System32\nvvsvc.exe
    2012-06-03 20:14:46  849728    ----a-w-  C:\Windows\System32\nv3dappshext.dll
    2012-06-03 20:14:46  63296     ----a-w-  C:\Windows\System32\nvshext.dll
    2012-06-03 20:14:46  6074176   ----a-w-  C:\Windows\System32\nvcpl.dll
    2012-06-03 20:14:46  55616     ----a-w-  C:\Windows\System32\nv3dappshextr.dll
    2012-06-03 20:14:46  3089728   ----a-w-  C:\Windows\System32\nvsvc64.dll
    2012-06-03 20:14:46  2561856   ----a-w-  C:\Windows\System32\nvsvcr.dll
    2012-06-03 20:14:46  2515790   ----a-w-  C:\Windows\System32\nvcoproc.bin
    2012-06-03 20:14:46  118080    ----a-w-  C:\Windows\System32\nvmctray.dll
    2012-06-03 20:13:13  --------  d-----w-  C:\ProgramData\NVIDIA Corporation
    2012-06-03 14:35:46  --------  d-----w-  C:\Windows\System32\appmgmt
    2012-05-31 21:14:25  --------  d-----w-  C:\Users\AgnesaBelegu\AppData\Roaming\PDAppFlex
    2012-05-31 20:48:49  --------  d-----w-  C:\Users\AgnesaBelegu\.ssh
    2012-05-31 20:46:24  --------  d-----w-  C:\Users\AgnesaBelegu\AppData\Roaming\GitHub
    2012-05-31 20:46:23  --------  d-----w-  C:\Users\AgnesaBelegu\AppData\Local\GitHub
    2012-05-31 20:41:45  --------  d-----w-  C:\Users\AgnesaBelegu\AppData\Local\Apps
    2012-05-31 20:41:44  --------  d-----w-  C:\Users\AgnesaBelegu\AppData\Local\Deployment
    2012-05-31 17:24:34  --------  d-----w-  C:\Users\AgnesaBelegu\Cisco Packet Tracer 5.3
    2012-05-31 17:21:53  --------  d-----w-  C:\Program Files (x86)\Cisco Packet Tracer 5.3
    2012-05-27 11:02:45  696832    ----a-w-  C:\Windows\System32\xvidcore.dll
    2012-05-27 11:02:45  255488    ----a-w-  C:\Windows\System32\xvidvfw.dll
    2012-05-27 11:02:45  173568    ----a-w-  C:\Windows\System32\xvid.ax
    2012-05-27 11:02:44  645632    ----a-w-  C:\Windows\SysWow64\xvidcore.dll
    2012-05-27 11:02:44  240640    ----a-w-  C:\Windows\SysWow64\xvidvfw.dll
    2012-05-27 11:02:44  153088    ----a-w-  C:\Windows\SysWow64\xvid.ax
    2012-05-27 11:02:31  --------  d-----w-  C:\Program Files (x86)\Xvid
    2012-05-24 15:22:37  --------  d-----w-  C:\Program Files (x86)\Common Files\Wise Installation Wizard
    2012-05-24 14:58:30  --------  d-----w-  C:\Program Files (x86)\Mass Effect 2
    2012-05-24 11:18:53  31040     ----a-w-  C:\Windows\System32\nvhdap64.dll
    2012-05-24 11:18:53  188736    ----a-w-  C:\Windows\System32\drivers\nvhda64v.sys
    2012-05-24 11:18:52  1451840   ----a-w-  C:\Windows\System32\nvhdagenco6420103.dll
    2012-05-23 14:21:25  --------  d-----w-  C:\Program Files (x86)\iMessage
    2012-05-21 12:32:35  --------  d-----w-  C:\Users\AgnesaBelegu\AppData\Local\AutoShutdown
    2012-05-21 12:31:26  --------  d-----w-  C:\Users\AgnesaBelegu\AppData\Local\ESET
    2012-05-20 20:11:33  --------  d-----w-  C:\Program Files (x86)\Microsoft Chart Controls
    2012-05-17 22:50:06  71680     ----a-w-  C:\Windows\System32\frapsv64.dll
    2012-05-17 22:50:04  65536     ----a-w-  C:\Windows\SysWow64\frapsvid.dll
    2012-05-14 12:36:15  --------  d-----w-  C:\Windows\pss
    2012-05-12 09:18:03  --------  d-----w-  C:\Users\AgnesaBelegu\AppData\Roaming\NVIDIA
    2012-05-12 09:16:15  --------  d-----w-  C:\Users\AgnesaBelegu\AppData\Roaming\.minecraft
    2012-05-12 09:10:54  --------  d-----w-  C:\Users\AgnesaBelegu\AppData\Local\ElevatedDiagnostics
    2012-05-09 08:51:11  1544704   ----a-w-  C:\Windows\System32\DWrite.dll
    2012-05-09 08:51:09  1077248   ----a-w-  C:\Windows\SysWow64\DWrite.dll
    2012-05-09 08:50:59  5559664   ----a-w-  C:\Windows\System32\ntoskrnl.exe
    2012-05-09 08:50:57  3146240   ----a-w-  C:\Windows\System32\win32k.sys
    2012-05-09 08:50:53  3968368   ----a-w-  C:\Windows\SysWow64\ntkrnlpa.exe
    2012-05-09 08:50:51  3913072   ----a-w-  C:\Windows\SysWow64\ntoskrnl.exe
    2012-05-09 08:49:35  75120     ----a-w-  C:\Windows\System32\drivers\partmgr.sys
    2012-05-09 08:48:48  1918320   ----a-w-  C:\Windows\System32\drivers\tcpip.sys
    2012-05-09 08:48:42  1732096   ----a-w-  C:\Program Files\Windows Journal\NBDoc.DLL
    2012-05-09 08:48:41  1367552   ----a-w-  C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll
    2012-05-09 08:48:40  936960    ----a-w-  C:\Program Files (x86)\Common Files\Microsoft Shared\ink\journal.dll
    2012-05-09 08:48:39  1402880   ----a-w-  C:\Program Files\Windows Journal\JNWDRV.dll
    2012-05-09 08:48:39  1393664   ----a-w-  C:\Program Files\Windows Journal\JNTFiltr.dll
    .
    ==================== Find3M ====================
    .
    2012-06-06 15:30:10  687560    ----a-w-  C:\Windows\SysWow64\deployJava1.dll
    2012-04-19 10:44:08  419840    ----a-w-  C:\Windows\System32\systemcpl.dll
    2012-04-19 10:44:08  14848     ----a-w-  C:\Windows\System32\slwga.dll
    2012-04-19 10:44:08  13824     ----a-w-  C:\Windows\SysWow64\slwga.dll
    2012-04-19 10:44:07  833024    ----a-w-  C:\Windows\SysWow64\user32.dll
    2012-04-19 10:44:07  1008640   ----a-w-  C:\Windows\System32\user32.dll
    2012-04-16 19:44:05  175616    ----a-w-  C:\Windows\System32\msclmd.dll
    2012-04-16 19:44:05  152576    ----a-w-  C:\Windows\SysWow64\msclmd.dll
    2012-04-11 12:48:41  750488    ----a-w-  C:\Windows\System32\npdeployJava1.dll
    2012-04-11 12:48:41  660368    ----a-w-  C:\Windows\System32\deployJava1.dll
    2012-04-10 16:10:43  216064    ----a-w-  C:\Windows\iun3405.exe
    2012-04-10 14:10:57  283200    ----a-w-  C:\Windows\System32\drivers\dtsoftbus01.sys
    2012-04-08 22:40:36  79360     ----a-w-  C:\Windows\SysWow64\ff_vfw.dll
    2012-03-12 18:56:40  947472    ----a-w-  C:\Windows\SysWow64\msjava.dll
    .
    ============= FINISH: 21:49:24.53 ===============
     
  7. abelegu2

    abelegu2 TS Rookie Topic Starter

    Attach.txt:

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Ultimate
    Boot Device: \Device\HarddiskVolume1
    Install Date: 4/10/2012 11:02:50 PM
    System Uptime: 6/6/2012 9:04:49 PM (0 hours ago)
    .
    Motherboard: Dell Inc. | | 0FXK2Y
    Processor: Intel(R) Core(TM) i5-2430M CPU @ 2.40GHz | CPU 1 | 1176/100mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 464 GiB total, 258.625 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {e0cbf06c-cd8b-4647-bb8a-263b43f0f974}
    Description: Generic Bluetooth Adapter
    Device ID: USB\VID_0CF3&PID_3002\6&58952F4&0&4
    Manufacturer: GenericAdapter
    Name: Generic Bluetooth Adapter
    PNP Device ID: USB\VID_0CF3&PID_3002\6&58952F4&0&4
    Service: BTHUSB
    .
    ==== System Restore Points ===================
    .
    RP76: 6/5/2012 3:40:19 PM - Installed Max Payne 3
    RP77: 6/6/2012 5:29:17 PM - Installed Java(TM) 7 Update 4
    RP78: 6/6/2012 9:10:44 PM - Removed LogMeIn Hamachi
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    Adobe AIR
    Adobe Dreamweaver CS6
    Adobe Help Manager
    Adobe Reader X (10.1.3)
    Adobe Widget Browser
    Android SDK Tools
    Auto Shutdown
    Cisco Packet Tracer 5.3
    DAEMON Tools Lite
    Dell WLAN and Bluetooth Client Installation
    Electronics Workbench V5.12
    Facebook Video Calling 1.2.0.159
    Fallout 3
    ffdshow v1.2.4422 [2012-04-09]
    Fraps (remove only)
    Google Chrome
    iMessage
    Intel(R) Management Engine Components
    Intel(R) Processor Graphics
    Java Auto Updater
    Java(TM) 6 Update 31
    Java(TM) 7 Update 4
    Malwarebytes Anti-Malware version 1.61.0.1400
    ManyCam 3.0.68 (remove only)
    Mass Effect
    Mass Effect 2
    Max Payne 3
    Microsoft Chart Controls for Microsoft .NET Framework 3.5 (KB2500170)
    Microsoft Games for Windows - LIVE
    Microsoft Games for Windows - LIVE Redistributable
    Microsoft Office 2007 Service Pack 3 (SP3)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    Mindjet MindManager 9
    Notepad++
    NVIDIA PhysX
    NVIDIA Stereoscopic 3D Driver
    Realtek Ethernet Controller Driver
    Realtek USB 2.0 Card Reader
    Renesas Electronics USB 3.0 Host Controller Driver
    Rockstar Games Social Club
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
    Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition
    Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
    Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition
    Skype™ 5.8
    System Requirements Lab CYRI
    The Walking Dead (c) 3 version 1
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Update for Microsoft .NET Framework 4 Extended (KB2468871)
    Update for Microsoft .NET Framework 4 Extended (KB2533523)
    Update for Microsoft .NET Framework 4 Extended (KB2600217)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Infopath 2007 Help (KB963662)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2598290) 32-Bit Edition
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    VLC media player 2.0.1
    Xvid Video Codec
    .
    ==== Event Viewer Messages From Past Week ========
    .
    6/6/2012 9:06:03 PM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891
    6/6/2012 9:06:03 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891
    6/6/2012 9:05:31 PM, Error: Service Control Manager [7003] - The epfwwfpr service depends the following service: BFE. This service might not be installed.
    6/6/2012 9:05:17 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
    6/6/2012 9:05:11 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
    6/6/2012 9:05:11 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
    6/5/2012 2:54:09 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR3.
    6/5/2012 10:51:00 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR2.
    6/4/2012 7:43:36 PM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
    5/31/2012 9:25:28 PM, Error: Microsoft-Windows-DistributedCOM [10001] - Unable to start a DCOM Server: {F87B28F1-DA9A-4F35-8EC0-800EFCF26B83} as /. The error: "5" Happened while starting this command: C:\Windows\System32\slui.exe -Embedding
    .
    ==== End Of File ===========================
    And that's it... Nothing really changed.. I still get the notifications from Nod32 about more Trojans.. Sirefef.EZ and AD were the new ones now.
    What else do I do?
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Troubleshooting Errors from the Event Viewer:

    1). You have 2 errors showing that could be pointing to hard drive failure:
    This could point to hard drive failure. Be sure you have backup anything of importance.
    Are you using any external hard drives?
    ------------------------------------
    2). 6/6/2012 9:06:03 PM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891

    1. Click Start> Search> type services.msc
    2. Look for Function Discovery Resource Publication> right-click> select properties.
    3. Set the service to start as “Automatic (Delayed)” as against the default “Automatic”
    Exit Services when finished.
    --------------------------------
    3). 6/6/2012 9:05:31 PM, Error: Service Control Manager [7003] - The epfwwfpr service depends the following service: BFE. This service might not be installed.

    Follow below to get current - it is for the Eset Firewall: http://kb.eset.com/esetkb/index?page=content&id=SOLN2567
    ===================================================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------

    • Download Combofix from HERE or HERE and save to the desktop
      • Double click combofix.exe & follow the prompts.
      • If prompted for Recovery Console, please allow.
      • Once installed, you should see a blue screen prompt that says:
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close any open browsers.
    • Before you run the Combofix scan, please disable any security software you have running.
      (If you need help with this, please see HERE)
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated - it will open a text window. Please paste the C:\ComboFix.txt in next reply.
    Re-enable your Antivirus software.
    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    =======================================================
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

    You will need to stop the resident Nod32 to run the online scan.
    ==================================================
    Please leave logs for Combofix and Eset Online scan in your next reply.
    ===================================================
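    As an added illustration, not part of the thread and not code from any tool mentioned in it: a small Python helper that parses the DDS-style Event Viewer lines quoted in the log above and pulls out the two findings Bobbye keys on, the services whose BFE dependency is missing and the disks logging controller errors. The sample lines are copied from the posted log; the line format and the regexes are my reading of it.

```python
import re
from collections import defaultdict

# DDS "Event Viewer Messages" line shape: M/D/YYYY H:MM:SS AM, Level: Source [EventID] - message
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<eid>\d+)\] - (?P<msg>.*)$"
)
# SCM 7003: "The X service depends the following service: Y."
DEPENDS_RE = re.compile(r"The (?P<svc>.+?) service depends the following service: (?P<dep>\w+)\.")
# Disk 11: "...controller error on \Device\HarddiskN\DRn."
DISK_RE = re.compile(r"controller error on (?P<dev>\\Device\\[^\s.]+)")

def parse_events(lines):
    """Turn DDS event lines into dicts; separator lines like '.' are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["eid"] = int(ev["eid"])
            events.append(ev)
    return events

def triage(events):
    """Group missing-dependency failures (SCM 7003; BFE is the Base Filtering
    Engine the firewall and IPsec stack need) and disk controller errors (Disk 11)."""
    missing_deps = defaultdict(list)   # dependency -> services needing it
    disk_errors = defaultdict(int)     # device path -> error count
    for ev in events:
        if ev["source"] == "Service Control Manager" and ev["eid"] == 7003:
            d = DEPENDS_RE.search(ev["msg"])
            if d:
                missing_deps[d["dep"]].append(d["svc"])
        elif ev["source"] == "Disk" and ev["eid"] == 11:
            d = DISK_RE.search(ev["msg"])
            if d:
                disk_errors[d["dev"]] += 1
    return {"missing_deps": dict(missing_deps), "disk_errors": dict(disk_errors)}

# Lines taken from the Event Viewer section of the log quoted in this thread.
SAMPLE_LOG = [
    ".",
    r"6/6/2012 9:05:31 PM, Error: Service Control Manager [7003] - The epfwwfpr service depends the following service: BFE. This service might not be installed.",
    r"6/6/2012 9:05:11 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.",
    r"6/6/2012 9:05:11 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.",
    r"6/5/2012 2:54:09 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR3.",
    r"6/5/2012 10:51:00 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR2.",
]
```

    Three services all reporting the same missing dependency points at one absent service (BFE) rather than three separate faults, which is the check to make in services.msc before chasing each error on its own.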
     
  9. abelegu2

    abelegu2 TS Rookie Topic Starter

    About the hard drive failure... that might have something to do with a 32GB USB I put into the computer yesterday, it was my friend's and it did come up with some errors. The date tells me that could be it... I really hope it isn't my hard drive it was referring to. Would that mean I would have to replace my hard drive entirely or is it something a complete system re-install would fix?

    Speaking of re-installs, if I re-install Windows 7 entirely on this computer, would everything get back to normal? Would the trojan be deleted and stop causing troubles, or is it something not even that can fix and I have to follow these steps? Because I've had troubles following these and if re-installing everything would make things easier, I could just do that and make sure the problem's gone forever.

    As for the steps you recommended... I have had troubles following them from the very first one.

    The first problem:

    I went here:

    http://kb.eset.com/esetkb/index?page=content&id=SOLN2567

    And I downloaded what I was told to, followed Part I. The file extracted, and when it ran, it said "The update is not applicable to your computer." and it closed.

    I didn't go further into Part II of that page since you made it pretty clear if anything fails I stop and tell you about it.

    The second problem:

    I downloaded Combofix from the link you sent me, and I ran it as instructed. It extracted everything - and when it was halfway through, Google Chrome would crash (I only had this forum page open), the extraction would briefly pause, then after Google would crash, the install continued and after it ended the program closed and nothing else happened. No pop up, absolutely nothing. What gives?

    After that problem, I didn't move forward to the other steps. What do I do?
     
  10. abelegu2

    abelegu2 TS Rookie Topic Starter

    Friend, thank you so much for your help, but I decided to completely format my computer. Something began to happen to my GPU and my games were running extremely slow, one even said I don't have the appropriate hardware when I had played that game for the past month! I was too scared it was ruining too much, and I had to format everything, re-install Windows 7 along with the drivers.

    I do need to know if that has cleared the problem. I downloaded the antivirus Microsoft Security Essentials although I don't know how reliable that is. Can I be sure everything's taken care of?
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    It always bothers me when someone decides to reformat/reinstall without first trying to find the problem and fix it- then wants a guarantee that all is well!

    I can't give you that guarantee. I don't know the extent of the malware infection, whether processes were corrupted or missing and need to be replaced, whether any of the problem was due to hardware, not software, whether the system was compromised and/or a Backdoor was left allowing access to the system.

    I would have tried to help you work through the problems with the scans. A reformat/reinstall should be the last resort, not the first, except in the case of a file infector like Virut or Ramnit.

    You call the infection "recurring." Has it occurred to you that if you save files and folders and any are infected with the malware and you introduce it back into the system after you reformat/reinstall, that you can reinfect the system again and the malware will "recur"!?
     
Topic Status:
Not open for further replies.
