
Trojan Found By ESET NOD32


6 replies to this topic

#1 Sreekumar14378 (Members, 28 posts)

Posted 16 August 2012 - 12:12 PM

A threat, Win32/Sirefef.FC, was detected in the file "C:\Windows\System32\Services.exe" by the ESET NOD32 security shield...

I tried searching for solutions, but none of them worked... then I came upon the thread posted by @mrwigley. Here is the link: http://www.bleepingcomputer.com/forums/topic460839.html

But that solved the problem for Windows XP only, and I'm using Win7... could anyone help me out, please?

*Moderator Edit: Moved topic from Windows 7 to the more appropriate forum. ~ Queen-Evie*

Edited by Queen-Evie, 16 August 2012 - 02:33 PM.
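Before following anyone's removal steps, the first thing a practitioner would want is to know whether the flagged file is actually a modified copy of the OS binary. The script below is an added example, not code from this thread or from ESET; it assumes the path exactly as ESET reported it, an elevated PowerShell 2.0 prompt on the affected Windows 7 host, and uses function names of its own (Get-Sha256Hex, Get-HardLinks, Test-FlaggedBinary). It records the file's hash, lists the hard links that tie System32 files to the WinSxS component store, reads the embedded Authenticode status, and asks SFC to verify the file against the signed system catalogs.

```powershell
# Added example, not part of the thread: integrity checks for the file ESET
# flagged. Run from an elevated PowerShell prompt on the affected machine.
# Assumptions: Windows 7 with PowerShell 2.0, file path as reported by ESET.
param([string]$Target = "$env:SystemRoot\System32\services.exe")

function Get-Sha256Hex([string]$Path) {
    # PowerShell 2.0 has no Get-FileHash, so hash the file through .NET.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

function Get-HardLinks([string]$Path) {
    # System32 files on Windows 7 are hard links into WinSxS. If the file was
    # overwritten in place, every link sees the same modified data, so a WinSxS
    # copy is only an independent reference when it is a separate file.
    $drive = [System.IO.Path]::GetPathRoot($Path).TrimEnd('\')
    & fsutil hardlink list $Path | ForEach-Object { "$drive$_" }
}

function Invoke-SfcVerify([string]$Path) {
    # sfc checks the file against the hashes in Windows' signed catalogs,
    # which is the authoritative check for an OS binary. sfc writes UTF-16,
    # so switch the console encoding while capturing its output.
    $saved = [Console]::OutputEncoding
    [Console]::OutputEncoding = [System.Text.Encoding]::Unicode
    try {
        $out = & "$env:SystemRoot\System32\sfc.exe" /verifyfile="$Path" 2>&1 | Out-String
    } finally {
        [Console]::OutputEncoding = $saved
    }
    $clean = ($out -replace "`0", '').Trim()
    $verdict = ($clean -split "`n" | Where-Object { $_ -match 'Resource Protection' }) -join ' '
    if ($verdict) { $verdict } else { $clean }
}

function Test-FlaggedBinary([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { throw "Not found: $Path" }
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $signer = '(none)'
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    New-Object PSObject -Property @{
        Path        = $Path
        SizeBytes   = $item.Length
        LastWrite   = $item.LastWriteTime
        Sha256      = Get-Sha256Hex $Path
        # Embedded-signature status only. Most OS binaries are catalog-signed,
        # so 'NotSigned' here is NOT by itself evidence of tampering.
        EmbeddedSig = $sig.Status
        Signer      = $signer
        HardLinks   = @(Get-HardLinks $Path)
        SfcVerdict  = Invoke-SfcVerify $Path
    }
}

Test-FlaggedBinary $Target | Format-List
```

Read the result as a whole: the SFC verdict is the decisive line, the hash is what you hand to the person helping you, and the hard-link list tells you whether a matching WinSxS copy is an independent reference or the same data under another name.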



#2 boopme (Global Moderator, 73,440 posts)

Posted 16 August 2012 - 07:41 PM

Hello. In the future, it is really not a good idea to follow another person's malware fix. There may be specific differences between the systems, and that can cause trouble.
So, having run ComboFix, we need to see that and a DDS log.

Please go here: Preparation Guide, and do steps 6 - 9.

Create a DDS log and post it in a new topic, as explained in step 9, here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
Skip the GMER step and instead post the ComboFix log you posted earlier.

Let me know if that went well.

#3 Sreekumar14378 (Topic Starter)

Posted 17 August 2012 - 01:31 PM

Yeah, sure, I will try it out. Thanks for the reply. :D

#4 Sreekumar14378 (Topic Starter)

Posted 17 August 2012 - 01:39 PM

Here is the DDS log:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7600.16385
Run by sameer at 0:07:08 on 2012-08-18
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3062.2205 [GMT 5.5:30]
.
AV: ESET NOD32 Antivirus 4.0 *Enabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5}
SP: ESET NOD32 Antivirus 4.0 *Enabled/Updated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\ProgramData\DatacardService\HWDeviceService.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\ProgramData\DatacardService\DCSHelper.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\BitTorrent\BitTorrent.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.in/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GR469A~1.DLL
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
uRun: [Facebook Update] "c:\users\sameer\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
TCP: Interfaces\{566eb82b-adc6-4c91-9f28-2471c4ba091a} : NameServer = 172.16.0.1 103.246.242.6
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GRA32A~1.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GR469A~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\sameer\appdata\roaming\mozilla\firefox\profiles\zq1rnoe7.default\
FF - prefs.js: browser.startup.homepage - www.google.in
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\magic video converter\codec\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\magic video converter\codec\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\users\sameer\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_400_252.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2012-6-2 242240]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-2-6 727720]
R2 HWDeviceService.exe;HWDeviceService.exe;c:\programdata\datacardservice\hwdeviceservice.exe -/service --> c:\programdata\datacardservice\HWDeviceService.exe -/service [?]
R2 Skype C2C Service;Skype C2C Service;c:\programdata\skype\toolbars\skype c2c service\c2c_service.exe [2012-7-5 3048136]
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\drivers\ew_jubusenum.sys [2012-5-20 73216]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-11 4231168]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-11 139776]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2009-2-6 92800]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\drivers\ew_hwusbdev.sys [2012-5-20 102784]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-20 113120]
S4 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-3 160944]
.
=============== Created Last 30 ================
.
2012-08-17 18:21:19 -------- d-----w- c:\users\sameer\dwhelper
2012-08-17 18:13:18 -------- d-----w- c:\windows\system32\appmgmt
2012-08-17 18:06:05 -------- d-----w- c:\users\sameer\appdata\local\Macromedia
2012-08-17 17:21:47 -------- d-----w- c:\users\sameer\appdata\roaming\Youtube Downloader HD
2012-08-12 16:42:50 -------- d-----w- c:\program files\ZD Soft
2012-08-03 16:22:28 -------- d-----w- c:\program files\BitTorrent
2012-08-03 16:21:42 -------- d-----w- c:\users\sameer\appdata\roaming\BitTorrent
2012-07-27 13:07:48 -------- d-----w- C:\PVL PROJECT
2012-07-27 13:02:09 -------- d-----w- c:\program files\PVL FINANCE
2012-07-27 12:31:25 286720 ------w- c:\windows\Setup1.exe
2012-07-27 12:31:24 73216 ----a-w- c:\windows\ST6UNST.EXE
.
==================== Find3M ====================
.
2012-08-17 18:05:48 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-17 18:05:48 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-02 08:50:08 242240 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
.
============= FINISH: 0:08:04.33 ===============
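A DDS log like the one above is read by a helper line by line; the part a practitioner automates is the first pass that narrows several hundred lines down to the entries worth a closer look. The script below is an added example, not a tool from this thread or from the DDS author. The sample lines are copied from the log posted above; the heuristics (executables outside the Windows and Program Files trees, service images DDS could not stat, shown as `[?]`) are this example's own and only mark entries for review, not as malware. Note that the file ESET flagged lives in System32, so a location heuristic would never flag it; this pass only narrows what to inspect next.

```powershell
# Added example, not part of the thread: a triage pass over DDS log lines.
# Sample lines are copied from the DDS log posted in this thread.
$DdsSample = @'
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\ProgramData\DatacardService\HWDeviceService.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
============== Pseudo HJT Report ===============
uRun: [Facebook Update] "c:\users\sameer\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
============= SERVICES / DRIVERS ===============
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-2-6 727720]
R2 HWDeviceService.exe;HWDeviceService.exe;c:\programdata\datacardservice\hwdeviceservice.exe -/service --> c:\programdata\datacardservice\HWDeviceService.exe -/service [?]
S4 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-3 160944]
============= FINISH: 0:08:04.33 ===============
'@

function Get-DdsTriage([string]$LogText) {
    # Trees that installers normally write to. Anything else (ProgramData,
    # user profiles) is writable without elevation and a common persistence spot.
    $trusted = @('C:\Windows\', 'C:\Program Files\', 'C:\Program Files (x86)\')
    $section = ''
    foreach ($raw in ($LogText -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^=+\s*(.+?)\s*=+$') { $section = $Matches[1]; continue }
        if (-not $line -or $line -eq '.') { continue }

        # First drive-letter path on the line that ends in an executable name.
        if ($line -match '(?i)([a-z]:\\[^"\[]*?\.(exe|dll|sys))') { $path = $Matches[1] } else { continue }

        $reasons = @()
        $inTrusted = $false
        foreach ($t in $trusted) {
            if ($path.StartsWith($t, [System.StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
        }
        if (-not $inTrusted) { $reasons += 'runs from a user-writable location' }

        # DDS prints [?] when it could not read the service image's date and size.
        if ($section -like 'SERVICES*' -and $line -match '\[\?\]$') { $reasons += 'no file date/size recorded' }

        if ($reasons.Count) {
            New-Object PSObject -Property @{ Section = $section; Path = $path; Reason = ($reasons -join '; ') }
        }
    }
}

Get-DdsTriage $DdsSample | Format-Table -AutoSize Section, Path, Reason
```

On the sample above this reports the two ProgramData images, the per-user Facebook updater, and the HWDeviceService entry twice (location and missing file metadata); the ESET, Skype updater and Windows entries pass. A hit means "verify the publisher and signature of this file", nothing more.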

#5 Sreekumar14378 (Topic Starter)

Posted 17 August 2012 - 01:40 PM

Attach log:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume4
Install Date: 5/20/2012 7:27:13 PM
System Uptime: 8/17/2012 11:44:17 PM (1 hours ago)
.
Motherboard: Quanta | | 30CC
Processor: Intel® Core™2 Duo CPU T5750 @ 2.00GHz | U2E1 | 1000/667mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 58 GiB total, 35.553 GiB free.
D: is FIXED (NTFS) - 78 GiB total, 2.99 GiB free.
E: is FIXED (NTFS) - 78 GiB total, 37.846 GiB free.
F: is CDROM ()
G: is CDROM (CDFS)
I: is FIXED (NTFS) - 83 GiB total, 68.963 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: Base System Device
Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_30CC103C&REV_12\4&1D9D6A4A&0&4BF0
Manufacturer:
Name: Base System Device
PNP Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_30CC103C&REV_12\4&1D9D6A4A&0&4BF0
Service:
.
Class GUID:
Description: Base System Device
Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_30CC103C&REV_12\4&1D9D6A4A&0&4AF0
Manufacturer:
Name: Base System Device
PNP Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_30CC103C&REV_12\4&1D9D6A4A&0&4AF0
Service:
.
Class GUID:
Description:
Device ID: ACPI\HPQ0007\4&EF0D0FE&0
Manufacturer:
Name:
PNP Device ID: ACPI\HPQ0007\4&EF0D0FE&0
Service:
.
Class GUID:
Description: Base System Device
Device ID: PCI\VEN_1180&DEV_0852&SUBSYS_30CC103C&REV_12\4&1D9D6A4A&0&4CF0
Manufacturer:
Name: Base System Device
PNP Device ID: PCI\VEN_1180&DEV_0852&SUBSYS_30CC103C&REV_12\4&1D9D6A4A&0&4CF0
Service:
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: epfwwfpr
Device ID: ROOT\LEGACY_EPFWWFPR\0000
Manufacturer:
Name: epfwwfpr
PNP Device ID: ROOT\LEGACY_EPFWWFPR\0000
Service: epfwwfpr
.
Class GUID:
Description: Fingerprint Sensor
Device ID: USB\VID_08FF&PID_2580\5&27F8EAFF&0&1
Manufacturer:
Name: Fingerprint Sensor
PNP Device ID: USB\VID_08FF&PID_2580\5&27F8EAFF&0&1
Service:
.
==== System Restore Points ===================
.
RP28: 8/16/2012 9:13:05 PM - Scheduled Checkpoint
RP29: 8/17/2012 11:42:35 PM - Removed Java™ 7 Update 4
.
==== Installed Programs ======================
.
.
µTorrent
Acrobat.com
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9
Adobe Shockwave Player 11.6
BitTorrent
DAEMON Tools Lite
ESET NOD32 Antivirus
Facebook Video Calling 1.2.0.159
ffdshow [rev 2975] [2009-05-28]
FIFA 07
GameRanger
GOM Player
IP Messenger for Win
JavaFX 2.1.0
Magic Video Converter 12.0.10.2132
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox 14.0.1 (x86 en-US)
Mozilla Maintenance Service
MPEG2 Codec(libmpeg2/mad)
Nero 8 Lite 8.2.8.0
NVIDIA Drivers
PVL & HELIOPOLIS
PVL & HELIOPOLIS (C:\Program Files\PVL FINANCE\)
QuickTime Alternative 2.8.0
Real Alternative 1.9.0
Shockwave
Skype Click to Call
Skype™ 5.10
swMSM
Tata Photon+
VLC media player 1.1.11
WinRAR archiver
.
==== Event Viewer Messages From Past Week ========
.
8/17/2012 11:45:49 PM, Error: Service Control Manager [7001] -
.
==== End Of File ===========================

#6 Sreekumar14378 (Topic Starter)

Posted 17 August 2012 - 02:33 PM

Sir, I have done it, steps 6 to 9.

Should I attach the files Attach.txt and ark.txt here also?

#7 Jimbob85 (Members, 308 posts)

Posted 17 August 2012 - 02:39 PM

Hey Sreekumar14378, since boopme is offline, please refer to his post and post your logs in the virus removal forum. The trojan you have is a nasty one and will need expert help to get rid of.
