
Sirefef.AB, Sirefef.P Desktop.ini



I successfully removed half of this trojan, specifically the part residing in C:/Windows/Installer/, but two pesky files keep coming back every reboot:

C:/Windows/assembly/GAC_32/Desktop.ini

C:/Windows/assembly/GAC_64/Desktop.ini

Malwarebytes can't find anything malicious:

============================================

Malwarebytes Anti-Malware (Trial) 1.61.0.1400

www.malwarebytes.org

Database version: v2012.06.07.05

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Administrator :: VALHALLA [administrator]

Protection: Disabled

6/7/2012 5:23:42 PM

mbam-log-2012-06-07 (17-23-42).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 224521

Time elapsed: 20 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

======================================

Avira finds the two files every reboot; it seems it can't delete them:

==========================

Avira Free Antivirus

Report file date: Wednesday, June 06, 2012 22:24

Scanning for 3802583 virus strains and unwanted programs.

The program is running as an unrestricted full version.

Online services are available.

Licensee : Avira AntiVir Personal - Free Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows 7 Ultimate

Windows version : (Service Pack 1) [6.1.7601]

Boot mode : Normally booted

Username : Administrator

Computer name : VALHALLA

Version information:

BUILD.DAT : 12.0.0.1125 41829 Bytes 5/2/2012 17:40:00

AVSCAN.EXE : 12.3.0.15 466896 Bytes 5/2/2012 04:48:51

AVSCAN.DLL : 12.3.0.15 54736 Bytes 5/2/2012 19:31:39

LUKE.DLL : 12.3.0.15 68304 Bytes 5/2/2012 05:31:47

AVSCPLR.DLL : 12.3.0.14 97032 Bytes 5/2/2012 04:13:36

AVREG.DLL : 12.3.0.17 232200 Bytes 6/7/2012 00:14:08

VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 00:18:34

VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 05:23:21

VBASE002.VDF : 7.11.19.170 14374912 Bytes 12/20/2011 05:32:24

VBASE003.VDF : 7.11.21.238 4472832 Bytes 2/1/2012 15:58:50

VBASE004.VDF : 7.11.26.44 4329472 Bytes 3/28/2012 16:43:53

VBASE005.VDF : 7.11.29.136 2166272 Bytes 5/10/2012 00:13:52

VBASE006.VDF : 7.11.29.137 2048 Bytes 5/10/2012 00:13:52

VBASE007.VDF : 7.11.29.138 2048 Bytes 5/10/2012 00:13:53

VBASE008.VDF : 7.11.29.139 2048 Bytes 5/10/2012 00:13:53

VBASE009.VDF : 7.11.29.140 2048 Bytes 5/10/2012 00:13:53

VBASE010.VDF : 7.11.29.141 2048 Bytes 5/10/2012 00:13:53

VBASE011.VDF : 7.11.29.142 2048 Bytes 5/10/2012 00:13:53

VBASE012.VDF : 7.11.29.143 2048 Bytes 5/10/2012 00:13:53

VBASE013.VDF : 7.11.29.144 2048 Bytes 5/10/2012 00:13:53

VBASE014.VDF : 7.11.30.3 198144 Bytes 5/14/2012 00:13:54

VBASE015.VDF : 7.11.30.69 186368 Bytes 5/17/2012 00:13:54

VBASE016.VDF : 7.11.30.143 223744 Bytes 5/21/2012 00:13:55

VBASE017.VDF : 7.11.30.207 287744 Bytes 5/23/2012 00:13:55

VBASE018.VDF : 7.11.31.57 188416 Bytes 5/28/2012 00:13:55

VBASE019.VDF : 7.11.31.111 214528 Bytes 5/30/2012 00:13:56

VBASE020.VDF : 7.11.31.151 116736 Bytes 5/31/2012 00:13:56

VBASE021.VDF : 7.11.31.205 134144 Bytes 6/3/2012 00:13:56

VBASE022.VDF : 7.11.32.9 169472 Bytes 6/5/2012 00:13:58

VBASE023.VDF : 7.11.32.10 2048 Bytes 6/5/2012 00:13:58

VBASE024.VDF : 7.11.32.11 2048 Bytes 6/5/2012 00:13:58

VBASE025.VDF : 7.11.32.12 2048 Bytes 6/5/2012 00:13:58

VBASE026.VDF : 7.11.32.13 2048 Bytes 6/5/2012 00:13:58

VBASE027.VDF : 7.11.32.14 2048 Bytes 6/5/2012 00:13:58

VBASE028.VDF : 7.11.32.15 2048 Bytes 6/5/2012 00:13:58

VBASE029.VDF : 7.11.32.16 2048 Bytes 6/5/2012 00:13:58

VBASE030.VDF : 7.11.32.17 2048 Bytes 6/5/2012 00:13:58

VBASE031.VDF : 7.11.32.42 66048 Bytes 6/6/2012 00:13:59

Engine version : 8.2.10.80

AEVDF.DLL : 8.1.2.8 106867 Bytes 6/7/2012 00:14:07

AESCRIPT.DLL : 8.1.4.24 450939 Bytes 6/7/2012 00:14:07

AESCN.DLL : 8.1.8.2 131444 Bytes 2/16/2012 22:11:36

AESBX.DLL : 8.2.5.10 606580 Bytes 6/7/2012 00:14:07

AERDL.DLL : 8.1.9.15 639348 Bytes 1/21/2012 05:22:40

AEPACK.DLL : 8.2.16.16 807288 Bytes 6/7/2012 00:14:06

AEOFFICE.DLL : 8.1.2.28 201082 Bytes 4/26/2012 22:41:32

AEHEUR.DLL : 8.1.4.36 4874615 Bytes 6/7/2012 00:14:04

AEHELP.DLL : 8.1.21.0 254326 Bytes 6/7/2012 00:14:01

AEGEN.DLL : 8.1.5.28 422260 Bytes 4/26/2012 22:41:31

AEEXP.DLL : 8.1.0.44 82293 Bytes 6/7/2012 00:14:08

AEEMU.DLL : 8.1.3.0 393589 Bytes 1/21/2012 05:22:36

AECORE.DLL : 8.1.25.10 201080 Bytes 6/7/2012 00:14:01

AEBB.DLL : 8.1.1.0 53618 Bytes 1/21/2012 05:22:35

AVWINLL.DLL : 12.3.0.15 27344 Bytes 5/2/2012 04:59:21

AVPREF.DLL : 12.3.0.15 51920 Bytes 5/2/2012 04:44:31

AVREP.DLL : 12.3.0.15 179208 Bytes 5/2/2012 04:13:35

AVARKT.DLL : 12.3.0.15 211408 Bytes 5/2/2012 04:21:32

AVEVTLOG.DLL : 12.3.0.15 169168 Bytes 5/2/2012 04:28:49

SQLITE3.DLL : 3.7.0.1 398288 Bytes 4/17/2012 03:11:02

AVSMTP.DLL : 12.3.0.15 63440 Bytes 5/2/2012 04:51:35

NETNT.DLL : 12.3.0.15 17104 Bytes 5/2/2012 05:33:29

RCIMAGE.DLL : 12.3.0.15 4450000 Bytes 5/2/2012 06:03:52

RCTEXT.DLL : 12.3.0.15 96720 Bytes 5/2/2012 19:40:44

Configuration settings for the scan:

Jobname.............................: Quick system scan

Configuration file..................: C:\program files (x86)\avira\antivir desktop\quicksysscan.avp

Logging.............................: default

Primary action......................: Interactive

Secondary action....................: Ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:,

Process scan........................: on

Scan registry.......................: on

Search for rootkits.................: off

Integrity checking of system files..: off

Scan all files......................: Intelligent file selection

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: extended

Start of the scan: Wednesday, June 06, 2012 22:24

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

Master boot sector HD1

[INFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'daemonu.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'VCDDaemon.exe' - '1' Module(s) have been scanned

Scan process 'RtWlan.exe' - '1' Module(s) have been scanned

Scan process 'RtlService.exe' - '1' Module(s) have been scanned

Scan process 'PnkBstrA.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'nvSCPAPISvr.exe' - '1' Module(s) have been scanned

Starting to scan executable files (registry).

C:\Program Files (x86)\VirtualCloneDrive\vcd-uninst.exe

[WARNING] Invalid compressed data

The registry was scanned ( '1539' files ).

Starting the file scan:

Begin scan in 'C:\Users\Administrator'

C:\Users\Administrator\AppData\Local\Runic Games\b57cf3980b0a950fe29402e835a37ad35ea6fe3a.patchmanifest

[WARNING] The file is password protected

C:\Users\Administrator\AppData\Local\Runic Games\downloader.bundle

[WARNING] The file is password protected

C:\Users\Administrator\AppData\Local\Runic Games\ebcc9bf2230ce2822f7d305b5b4eca2a07a8ee0a.patchmanifest

[WARNING] The file is password protected

C:\Users\Administrator\AppData\Local\Runic Games\launcher.bundle

[WARNING] The file is password protected

C:\Users\Administrator\AppData\Local\Runic Games\patcher.bundle

[WARNING] The file is password protected

C:\Users\Administrator\Documents\asc.asc

[WARNING] The archive is password protected

Begin scan in 'C:\Windows'

C:\Windows\assembly\GAC_32\Desktop.ini

[DETECTION] Is the TR/ATRAPS.Gen2 Trojan

C:\Windows\assembly\GAC_64\Desktop.ini

[DETECTION] Is the TR/ATRAPS.Gen2 Trojan

Begin scan in 'C:\Users\'

C:\Users\Administrator\AppData\Local\Runic Games\b57cf3980b0a950fe29402e835a37ad35ea6fe3a.patchmanifest

[WARNING] The file is password protected

C:\Users\Administrator\AppData\Local\Runic Games\downloader.bundle

[WARNING] The file is password protected

C:\Users\Administrator\AppData\Local\Runic Games\ebcc9bf2230ce2822f7d305b5b4eca2a07a8ee0a.patchmanifest

[WARNING] The file is password protected

C:\Users\Administrator\AppData\Local\Runic Games\launcher.bundle

[WARNING] The file is password protected

C:\Users\Administrator\AppData\Local\Runic Games\patcher.bundle

[WARNING] The file is password protected

C:\Users\Administrator\Documents\asc.asc

[WARNING] The archive is password protected

Begin scan in 'C:\Program Files (x86)'

C:\Program Files (x86)\VirtualCloneDrive\vcd-uninst.exe

[WARNING] Invalid compressed data

Beginning disinfection:

C:\Windows\assembly\GAC_64\Desktop.ini

[DETECTION] Is the TR/ATRAPS.Gen2 Trojan

[WARNING] The file could not be copied to quarantine!

[WARNING] The file could not be deleted!

[NOTE] For the final repair, a restart of the computer is instigated.

[NOTE] The file is scheduled for deleting after reboot.

[NOTE] For the final repair, a restart of the computer is instigated.

C:\Windows\assembly\GAC_32\Desktop.ini

[DETECTION] Is the TR/ATRAPS.Gen2 Trojan

[WARNING] The file could not be copied to quarantine!

[WARNING] The file could not be deleted!

[NOTE] For the final repair, a restart of the computer is instigated.

[NOTE] The file is scheduled for deleting after reboot.

[NOTE] For the final repair, a restart of the computer is instigated.


DDS.txt

===============

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.4.0

Run by Administrator at 17:30:56 on 2012-06-07

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8175.6485 [GMT -4:00]

.

AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Program Files\Microsoft Security Client\MsMpEng.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\Explorer.EXE

C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Windows\SysWOW64\PnkBstrA.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files (x86)\Realtek\11n USB Wireless LAN Utility\RtlService.exe

C:\Program Files (x86)\Realtek\11n USB Wireless LAN Utility\RtWlan.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files (x86)\VirtualCloneDrive\VCDDaemon.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe

C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MIF5BA~1\Office14\GROOVEEX.DLL

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\SDK\Java\jre7\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MIF5BA~1\Office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\SDK\Java\jre7\bin\jp2ssv.dll

BHO: Microsoft Web Test Recorder 10.0 Helper: {dda57003-0068-4ed2-9d32-4d1ec707d94d} - C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll

mRun: [VirtualCloneDrive] "C:\Program Files (x86)\VirtualCloneDrive\VCDDaemon.exe" /s

mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices

mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MIF5BA~1\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - C:\PROGRA~2\MIF5BA~1\Office14\ONBttnIE.dll/105

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

LSP: mswsock.dll

TCP: DhcpNameServer = 75.75.75.75 75.75.76.76

TCP: Interfaces\{1C0CDC4B-6030-44ED-AFDD-E1642EF5B5DB} : DhcpNameServer = 192.168.137.1

TCP: Interfaces\{24449817-EC1D-43A2-8048-1FD7B8FF55A5} : DhcpNameServer = 75.75.75.75 75.75.76.76

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MIF5BA~1\Office14\GROOVEEX.DLL

BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MIF5BA~1\Office14\GROOVEEX.DLL

BHO-X64: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\SDK\Java\jre7\bin\ssv.dll

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MIF5BA~1\Office14\URLREDIR.DLL

BHO-X64: URLRedirectionBHO - No File

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\SDK\Java\jre7\bin\jp2ssv.dll

BHO-X64: Microsoft Web Test Recorder 10.0 Helper: {DDA57003-0068-4ed2-9D32-4D1EC707D94D} - C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll

mRun-x64: [VirtualCloneDrive] "C:\Program Files (x86)\VirtualCloneDrive\VCDDaemon.exe" /s

mRun-x64: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices

mRunOnce-x64: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MIF5BA~1\Office14\GROOVEEX.DLL

.

============= SERVICES / DRIVERS ===============

.

R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]

R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]

R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-4-6 1262400]

R2 Realtek11nSU;Realtek11nSU;C:\Program Files (x86)\Realtek\11n USB Wireless LAN Utility\RtlService.exe [2012-2-2 36864]

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-5-8 382272]

R3 MEIx64;Intel® Management Engine Interface ;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]

R3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;C:\Windows\system32\DRIVERS\RTL8192su.sys --> C:\Windows\system32\DRIVERS\RTL8192su.sys [?]

R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]

S1 cwicqzyc;cwicqzyc;\??\C:\Windows\system32\drivers\cwicqzyc.sys --> C:\Windows\system32\drivers\cwicqzyc.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-6-12 31125880]

S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]

S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-3-26 291696]

S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]

S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]

S3 VSPerfDrv100;Performance Tools Driver 10.0;C:\Program Files (x86)\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\x64\VSPerfDrv100.sys [2011-1-18 68440]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]

SUnknown szibgdku;szibgdku; [x]

.

=============== Created Last 30 ================

.

2012-06-07 21:14:01 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-06-07 21:14:01 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-06-07 21:11:36 50000 ----a-w- C:\Windows\System32\drivers\cwicqzyc.sys

2012-06-07 21:10:53 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{AA0849C3-4A69-42D6-91E9-7297C3D012D9}\offreg.dll

2012-06-07 21:10:46 8955792 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{AA0849C3-4A69-42D6-91E9-7297C3D012D9}\mpengine.dll

2012-06-07 21:10:23 -------- d-sh--w- C:\$RECYCLE.BIN

2012-06-07 17:16:47 8822856 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll

2012-06-07 17:16:46 8955792 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{5B20673A-1486-488B-9F35-AE442B51D755}\mpengine.dll

2012-06-07 01:26:00 98816 ----a-w- C:\Windows\sed.exe

2012-06-07 01:26:00 518144 ----a-w- C:\Windows\SWREG.exe

2012-06-07 01:26:00 256000 ----a-w- C:\Windows\PEV.exe

2012-06-07 01:26:00 208896 ----a-w- C:\Windows\MBR.exe

2012-06-06 22:30:23 -------- d-----w- C:\Program Files (x86)\ESET

2012-06-06 22:10:25 -------- d-----w- C:\Users\Administrator\AppData\Roaming\Malwarebytes

2012-06-06 22:10:06 -------- d-----w- C:\ProgramData\Malwarebytes

2012-06-06 21:56:06 -------- d-----w- C:\Users\Administrator\AppData\Roaming\Bitcoin

2012-06-06 21:29:43 927800 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{FC46EB50-1D19-4B67-8E0E-7655C1A9195A}\gapaengine.dll

2012-06-06 21:28:46 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client

2012-06-06 21:28:45 -------- d-----w- C:\Program Files\Microsoft Security Client

2012-06-06 21:11:53 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%

2012-06-04 16:22:46 -------- d-----w- C:\Users\Administrator\AppData\Local\Chromium

2012-06-04 16:20:42 -------- d-----w- C:\Program Files (x86)\Rockstar Games

2012-05-30 22:00:49 -------- d-----w- C:\Users\Administrator\android-sdks

2012-05-30 22:00:28 -------- d-----w- C:\Users\Administrator\.android

2012-05-20 01:13:36 -------- d-----w- C:\Users\Administrator\AppData\Roaming\.doomseeker

2012-05-19 23:59:53 772504 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll

2012-05-19 23:59:53 687504 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2012-05-19 15:07:47 -------- d-----w- C:\Users\Administrator\AppData\Local\ArmA 2 OA

2012-05-19 00:50:48 -------- d-----w- C:\Users\Administrator\AppData\Local\ArmA 2

2012-05-16 16:35:33 -------- d-----w- C:\Users\Administrator\AppData\Roaming\NVIDIA

2012-05-15 22:18:29 -------- d-----w- C:\Users\Administrator\AppData\Roaming\Mumble

2012-05-15 22:18:29 -------- d-----w- C:\Users\Administrator\AppData\Local\Mumble

2012-05-15 22:18:10 -------- d-----w- C:\Program Files (x86)\Mumble

2012-05-14 23:21:39 -------- d-----w- C:\ProgramData\VS

2012-05-14 03:02:11 -------- d-----w- C:\Users\Administrator\AppData\Roaming\xpce

2012-05-13 01:11:44 -------- d-----w- C:\Users\Administrator\AppData\Local\Runic Games

2012-05-10 12:46:14 902656 ----a-w- C:\Windows\System32\d2d1.dll

2012-05-10 12:46:14 739840 ----a-w- C:\Windows\SysWow64\d2d1.dll

2012-05-10 12:46:14 1139200 ----a-w- C:\Windows\System32\FntCache.dll

2012-05-10 02:20:02 2871808 ----a-w- C:\Windows\explorer.exe

2012-05-10 02:20:02 2616320 ----a-w- C:\Windows\SysWow64\explorer.exe

2012-05-10 02:20:00 509952 ----a-w- C:\Windows\System32\ntshrui.dll

2012-05-10 02:20:00 442880 ----a-w- C:\Windows\SysWow64\ntshrui.dll

2012-05-10 00:31:29 -------- d-----w- C:\Program Files (x86)\Microsoft Visual Studio 8

2012-05-10 00:31:11 -------- d-----w- C:\Program Files (x86)\Microsoft Analysis Services

2012-05-10 00:30:57 -------- d-----w- C:\Users\Administrator\AppData\Local\Microsoft Help

2012-05-09 19:15:09 -------- d-----w- C:\Users\Administrator\.idlerc

2012-05-09 00:26:20 423744 ----a-w- C:\Windows\SysWow64\nvStreaming.exe

.

==================== Find3M ====================

.

2012-05-30 21:36:05 750488 ----a-w- C:\Windows\System32\npdeployJava1.dll

2012-05-30 21:36:05 660368 ----a-w- C:\Windows\System32\deployJava1.dll

2012-05-12 15:02:23 283304 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr

2012-05-12 15:02:23 283304 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe

2012-05-12 14:58:51 282864 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0

2012-05-09 03:54:41 889664 ----a-w- C:\Windows\System32\nvvsvc.exe

2012-05-09 03:54:35 63296 ----a-w- C:\Windows\System32\nvshext.dll

2012-05-09 03:54:35 2561856 ----a-w- C:\Windows\System32\nvsvcr.dll

2012-05-09 03:54:35 118080 ----a-w- C:\Windows\System32\nvmctray.dll

2012-05-09 03:54:30 2619385 ----a-w- C:\Windows\System32\nvcoproc.bin

2012-05-09 03:54:02 3149632 ----a-w- C:\Windows\System32\nvsvc64.dll

2012-05-09 03:41:06 6151488 ----a-w- C:\Windows\System32\nvcpl.dll

2012-04-18 17:08:08 31040 ----a-w- C:\Windows\System32\nvhdap64.dll

2012-04-18 17:08:03 188736 ----a-w- C:\Windows\System32\drivers\nvhda64v.sys

2012-04-18 17:08:02 1451840 ----a-w- C:\Windows\System32\nvhdagenco6420103.dll

2012-04-11 03:24:50 2987520 ----a-w- C:\Windows\System32\python27.dll

2012-03-31 06:05:57 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe

2012-03-31 04:39:37 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe

2012-03-31 04:39:37 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

2012-03-31 03:10:03 3146240 ----a-w- C:\Windows\System32\win32k.sys

2012-03-30 11:35:47 1918320 ----a-w- C:\Windows\System32\drivers\tcpip.sys

2012-03-21 00:44:12 98688 ----a-w- C:\Windows\System32\drivers\NisDrvWFP.sys

2012-03-21 00:44:12 203888 ----a-w- C:\Windows\System32\drivers\MpFilter.sys

2012-03-17 07:58:57 75120 ----a-w- C:\Windows\System32\drivers\partmgr.sys

.

============= FINISH: 17:31:06.49 ===============


Attach.txt

============================

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows 7 Ultimate

Boot Device: \Device\HarddiskVolume1

Install Date: 1/14/2012 7:19:21 PM

System Uptime: 6/7/2012 5:10:16 PM (0 hours ago)

.

Motherboard: Gigabyte Technology Co., Ltd. | | Z68X-UD5-B3

Processor: Intel® Core i5-2500K CPU @ 3.30GHz | Socket 1155 | 3292/100mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 119 GiB total, 54.191 GiB free.

D: is FIXED (NTFS) - 931 GiB total, 670.863 GiB free.

E: is CDROM ()

G: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID:

Description: SM Bus Controller

Device ID: PCI\VEN_8086&DEV_1C22&SUBSYS_50011458&REV_05\3&13C0B0C5&0&FB

Manufacturer:

Name: SM Bus Controller

PNP Device ID: PCI\VEN_8086&DEV_1C22&SUBSYS_50011458&REV_05\3&13C0B0C5&0&FB

Service:

.

Class GUID:

Description: Universal Serial Bus (USB) Controller

Device ID: PCI\VEN_1033&DEV_0194&SUBSYS_50071458&REV_03\4&18803EC9&0&00E4

Manufacturer:

Name: Universal Serial Bus (USB) Controller

PNP Device ID: PCI\VEN_1033&DEV_0194&SUBSYS_50071458&REV_03\4&18803EC9&0&00E4

Service:

.

==== System Restore Points ===================

.

RP124: 6/6/2012 10:42:22 PM - Installed GiPo@MoveOnBoot 1.9.5

RP125: 6/6/2012 11:20:59 PM - Removed GiPo@MoveOnBoot 1.9.5

.

==== Installed Programs ======================

.

.

ARMA 2 Operation Arrowhead Uninstall

ArmA 2 Uninstall

Battlefield 3™

BattlEye Uninstall

Call of Pripyat Complete v1.0.2

Cisco EAP-FAST Module

Cisco LEAP Module

Cisco PEAP Module

Counter-Strike: Source

Crystal Reports for Visual Studio

Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition

Deus Ex: Human Revolution - The Missing Link

Diablo III

Driver Sweeper version 3.2.0

Endless Space

ESET Online Scanner v3

ESN Sonar

Google Chrome

Grand Theft Auto IV

Hotfix for Microsoft Visual Studio 2010 Ultimate - ENU (KB2522890)

Hotfix for Microsoft Visual Studio 2010 Ultimate - ENU (KB2529927)

Hotfix for Microsoft Visual Studio 2010 Ultimate - ENU (KB2542054)

Hotfix for Microsoft Visual Studio 2010 Ultimate - ENU (KB2548139)

Hotfix for Microsoft Visual Studio 2010 Ultimate - ENU (KB2549864)

Hotfix for Microsoft Visual Studio 2010 Ultimate - ENU (KB2635973)

Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2280741)

Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2284668)

Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2295689)

Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2420513)

Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2452649)

Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2455033)

Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2485545)

Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB982517)

Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB982721)

Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB983233)

Java Auto Updater

Java 7 Update 4

Left 4 Dead 2

Malwarebytes Anti-Malware version 1.61.0.1400

Max Payne 2: The Fall of Max Payne

Microsoft .NET Framework 4 Multi-Targeting Pack

Microsoft Application Error Reporting

Microsoft ASP.NET MVC 2

Microsoft ASP.NET MVC 2 - Visual Studio 2010 Tools

Microsoft Games for Windows - LIVE Redistributable

Microsoft Office 2010 Service Pack 1 (SP1)

Microsoft Office Access MUI (English) 2010

Microsoft Office Access Setup Metadata MUI (English) 2010

Microsoft Office Excel MUI (English) 2010

Microsoft Office Groove MUI (English) 2010

Microsoft Office InfoPath MUI (English) 2010

Microsoft Office OneNote MUI (English) 2010

Microsoft Office Outlook MUI (English) 2010

Microsoft Office PowerPoint MUI (English) 2010

Microsoft Office Professional Plus 2010

Microsoft Office Proof (English) 2010

Microsoft Office Proof (French) 2010

Microsoft Office Proof (Spanish) 2010

Microsoft Office Proofing (English) 2010

Microsoft Office Publisher MUI (English) 2010

Microsoft Office Shared MUI (English) 2010

Microsoft Office Shared Setup Metadata MUI (English) 2010

Microsoft Office Word MUI (English) 2010

Microsoft Silverlight 3 SDK

Microsoft Silverlight 4 SDK

Microsoft SQL Server 2008 R2 Data-Tier Application Framework

Microsoft SQL Server 2008 R2 Data-Tier Application Project

Microsoft SQL Server 2008 R2 Management Objects

Microsoft SQL Server 2008 R2 Transact-SQL Language Service

Microsoft SQL Server Compact 3.5 SP2 ENU

Microsoft SQL Server Database Publishing Wizard 1.4

Microsoft SQL Server System CLR Types

Microsoft Sync Framework SDK v1.0 SP1

Microsoft Visual C++ Compilers 2010 Standard - enu - x86

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

Microsoft Visual C++ 2010 x86 Runtime - 10.0.40219

Microsoft Visual F# 2.0 Runtime

Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools

Microsoft Visual Studio 2010 Service Pack 1

Microsoft Visual Studio 2010 Ultimate - ENU

Microsoft Visual Studio Macro Tools

Morrowind AnimKit 2.1 (remove only)

Mumble 1.2.3

Notepad++

NVIDIA PhysX

NVIDIA Stereoscopic 3D Driver

Origin

Planescape Torment

Python Tools for Visual Studio

Realtek Ethernet Controller Driver

Realtek High Definition Audio Driver

REALTEK Wireless LAN Driver and Utility

Rockstar Games Social Club

S.T.A.L.K.E.R.: Call of Pripyat

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Security Update for Microsoft .NET Framework 4 Extended (KB2656351)

Security Update for Microsoft Excel 2010 (KB2597166) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2553091)

Security Update for Microsoft Office 2010 (KB2553096)

Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2598039) 32-Bit Edition

Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition

Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)

Security Update for Microsoft Visio Viewer 2010 (KB2597981) 32-Bit Edition

Security Update for Microsoft Visual Studio 2010 Ultimate - ENU (KB2644980)

Security Update for Microsoft Visual Studio 2010 Ultimate - ENU (KB2645410)

Security Update for Microsoft Visual Studio Macro Tools (KB2669970)

Serious Sam 3: BFE

Steam

Team Fortress 2

TeamSpeak 3 Client

The Elder Scrolls III: Morrowind

The Elder Scrolls V: Skyrim

The Witcher 2

The Witcher: Enhanced Edition

Thief Gold

Torchlight

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft .NET Framework 4 Extended (KB2468871)

Update for Microsoft .NET Framework 4 Extended (KB2533523)

Update for Microsoft .NET Framework 4 Extended (KB2600217)

Update for Microsoft Office 2010 (KB2553065)

Update for Microsoft Office 2010 (KB2553092)

Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553385) 32-Bit Edition

Update for Microsoft Office 2010 (KB2566458)

Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition

Update for Microsoft Office 2010 (KB2597091) 32-Bit Edition

Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition

Update for Microsoft OneNote 2010 (KB2589345) 32-Bit Edition

Update for Microsoft Outlook 2010 (KB2553248) 32-Bit Edition

Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition

VirtualCloneDrive

Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ENU

VLC media player 2.0.1

WCF RIA Services V1.0 SP1

.

==== Event Viewer Messages From Past Week ========

.

6/7/2012 5:07:18 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

6/7/2012 5:07:06 PM, Error: Application Popup [1060] - \??\C:\Combo-Fix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

6/7/2012 4:42:50 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.

6/7/2012 4:40:33 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.

6/7/2012 4:40:30 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

6/7/2012 4:40:29 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

6/7/2012 4:40:29 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

6/7/2012 4:40:23 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}

6/7/2012 4:40:22 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache ElbyCDIO MpFilter spldr Wanarpv6

6/7/2012 4:31:41 PM, Error: Microsoft-Windows-DNS-Client [1012] - There was an error while attempting to read the local hosts file.

6/7/2012 4:18:10 PM, Error: Service Control Manager [7034] - The NVIDIA Stereoscopic 3D Driver Service service terminated unexpectedly. It has done this 1 time(s).

6/6/2012 9:29:21 PM, Error: Service Control Manager [7023] - The Microsoft Antimalware Service service terminated with the following error: %%-2147023878

6/6/2012 9:29:20 PM, Error: Service Control Manager [7023] - The Windows Defender service terminated with the following error: The specified module could not be found.

6/6/2012 9:27:54 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.

6/6/2012 9:27:52 PM, Error: Application Popup [1060] - \??\C:\Users\ADMINI~1\AppData\Local\Temp\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

6/6/2012 9:26:54 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Application Experience service, but this action failed with the following error: An instance of the service is already running.

6/6/2012 9:26:27 PM, Error: Service Control Manager [7005] - The LoadUserProfile call failed with the following error: The RPC server is unavailable.

6/6/2012 9:25:53 PM, Error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

6/6/2012 9:25:53 PM, Error: Service Control Manager [7031] - The User Profile Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

6/6/2012 9:25:53 PM, Error: Service Control Manager [7031] - The Themes service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

6/6/2012 9:25:53 PM, Error: Service Control Manager [7031] - The Task Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

6/6/2012 9:25:53 PM, Error: Service Control Manager [7031] - The System Event Notification Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

6/6/2012 9:25:53 PM, Error: Service Control Manager [7031] - The Shell Hardware Detection service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

6/6/2012 9:25:53 PM, Error: Service Control Manager [7031] - The Server service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

6/6/2012 9:25:53 PM, Error: Service Control Manager [7031] - The Secondary Logon service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

6/6/2012 9:25:53 PM, Error: Service Control Manager [7031] - The Multimedia Class Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

6/6/2012 9:25:53 PM, Error: Service Control Manager [7031] - The IP Helper service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

6/6/2012 9:25:53 PM, Error: Service Control Manager [7031] - The Group Policy Client service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

6/6/2012 9:25:53 PM, Error: Service Control Manager [7031] - The Extensible Authentication Protocol service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

6/6/2012 9:25:53 PM, Error: Service Control Manager [7031] - The Application Experience service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

6/6/2012 9:24:28 PM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891

6/6/2012 9:24:28 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891

6/6/2012 9:24:22 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.

6/6/2012 9:24:21 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.

6/6/2012 9:24:21 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.

6/6/2012 9:22:16 PM, Error: Service Control Manager [7034] - The MBAMService service terminated unexpectedly. It has done this 1 time(s).

6/6/2012 8:03:29 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Multimedia Class Scheduler service, but this action failed with the following error: An instance of the service is already running.

6/6/2012 8:02:29 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Shell Hardware Detection service, but this action failed with the following error: An instance of the service is already running.

6/6/2012 8:01:43 PM, Error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.

6/6/2012 8:01:43 PM, Error: Service Control Manager [7031] - The Application Experience service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

6/6/2012 8:01:29 PM, Error: Service Control Manager [7034] - The Application Information service terminated unexpectedly. It has done this 1 time(s).

6/6/2012 8:01:29 PM, Error: Service Control Manager [7031] - The Windows Update service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

6/6/2012 8:01:29 PM, Error: Service Control Manager [7031] - The Background Intelligent Transfer Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

6/6/2012 7:56:25 PM, Error: Service Control Manager [7034] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 3 time(s).

6/6/2012 7:56:25 PM, Error: Service Control Manager [7031] - The User Profile Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.

6/6/2012 7:56:25 PM, Error: Service Control Manager [7031] - The Extensible Authentication Protocol service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

6/6/2012 7:55:37 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}

.

==== End Of File ===========================


Hello battleconvention.

Sirefef is also known as Zero Access. This is a severe infection. Some of the aliases are:

Backdoor/Win32.ZAccess (AhnLab)

BackDoor.Maxplus.90 (Dr.Web)

Win32/Sirefef.DL trojan (ESET)

Backdoor.Win32.ZAccess (Ikarus)

Backdoor.Win32.ZAccess.aug (Kaspersky)

Mal/Sirefef-AA (Sophos)

BKDR_ZACCESS.FP (Trend Micro)

This system had some serious backdoor trojans, spyware, and likely, a rootkit.

This is a point where you need to decide about whether to make a clean start.

According to the information provided in logs, one or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

You are strongly advised to do the following immediately.

1. Contact your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and ask them to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups.

3. Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information. These trojans leave a backdoor open on the system that can allow a hacker total and complete access to your computer (Remote access trojan). Hackers can operate your computer just as if they were sitting in front of it. Hackers can watch everything you are doing on the computer, play tricks, do screenshots, log passwords, start and stop programs.

* Take any other steps you think appropriate for an attempted identity theft.

You should also understand that once a system has been compromised by a Trojan backdoor, it can never really be trusted again unless you completely reformat the hard drives and reinstall Windows fresh. While we usually can successfully remove malware like this, we cannot guarantee that it is totally gone, and that your system is completely safe to use for future financial information and/or transactions. I would recommend that you do a full reformat and reinstall of Windows rather than clean the system.

I suggest that you backup important files and reinstall everything from scratch. There are so many changes that could have been done if that backdoor was used.

Here is some additional information: What Is A Backdoor Trojan? http://www.geekstogo.com/2007/10/03/what-is-a-backdoor-trojan

Danger: Remote Access Trojans http://www.microsoft.com/technet/security/alerts/info/virusrat.mspx

Consumers – Identity Theft http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/index.html

When should I re-format? How should I reinstall? http://www.dslreports.com/faq/10063

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? http://www.dslreports.com/faq/10451

Rootkits: The Obscure Hacker Attack http://www.microsoft.com/technet/community/columns/sectip/st1005.mspx

Help: I Got Hacked. Now What Do I Do? http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

Help: I Got Hacked. Now What Do I Do? Part II http://www.microsoft.com/technet/community/columns/secmgmt/sm0704.mspx

Microsoft Says Recovery from Malware Becoming Impossible http://www.eweek.com/article2/0,1895,1945808,00.asp

Let me know what you decide.


You have to do a complete wipe and do a new Windows install. That is the safest.

To do a clean (new) Windows Install:

Before you do that, make sure you have at hand the Windows DVD and also, a fresh new copy of your antivirus that is downloaded from a clean pc and saved on transportable-media (CD-DVD or clean thumb drive).

When you are at point of re-installing o.s., I'd recommend you have the pc disconnected from internet until after the o.s. is installed, plus the antivirus is fully setup and running.

You will lose your documents, so if you have some to save, offload them to a separate offline media. And later on ensure you do a full scan of them by running your antivirus.

NOTE: If Windows is from a pc manufacturer, and they bundled an AV like McAfee or Norton/Symantec trial versions, immediately de-install those, since they will be outdated & of no use. Install your antivirus immediately after.

Other security references at Microsoft

4 steps to protect your computer

How to boost your malware defense and protect your PC

Good luck and stay safe.

Safety tips & safer practices

We are finished here. Best regards.

Edited by Maurice Naggar