Author Topic: [Resolved K] Windows services damaged after trojan removal  (Read 3093 times)


Offline Telenochek

  • Bronze Member
  • Posts: 49
[Resolved K] Windows services damaged after trojan removal
« on: January 09, 2013, 01:19:59 am »
Hi guys,

I originally had a couple of problems, such as the NT kernel service consuming 50% of my CPU, my HomeGroup disappearing, and losing the ability to uninstall programs through Remove Programs in Control Panel. I found and removed it with the Microsoft emergency response tool and a few runs of several other tools. It appears that the services may be damaged.

When I run in Windows normal mode, I get the message "specified service does not exist as an installed service" whenever I try to install new programs from an .exe file.

I'm not sure if I have other infections or not.
Any help will be highly appreciated.

DDS (Ver_2012-11-20.01) - NTFS_x86 NETWORK
Internet Explorer: 9.0.8112.16457  BrowserJavaVersion: 1.6.0_31
Run by Pavel at 23:06:50 on 2013-01-08
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.3582.3007 [GMT -8:00]
.
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\WmiPrvSE.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://www.google.com/
uProxyOverride = 127.0.0.1:9421;<local>
uURLSearchHooks: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: FGCatchUrl: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - c:\program files\flashget\jccatch.dll
BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - <orphaned>
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FlashGet GetFlash Class: {F156768E-81EF-470C-9057-481BA8380DBA} - c:\program files\flashget\getflash.dll
uRun: [Akamai NetSession Interface] "c:\users\pavel\appdata\local\akamai\netsession_win.exe"
uRun: [BitTorrent] "c:\program files\bittorrent\BitTorrent.exe"  /MINIMIZED
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
uRun: [Advanced SystemCare 6] "c:\program files\iobit\advanced systemcare 6\ASCTray.exe" /AutoStart
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRunOnce: [GrpConv] grpconv -o
StartupFolder: c:\users\pavel\appdata\roaming\micros~1\windows\startm~1\programs\startup\autoho~1.lnk - c:\program files\autohotkey\AutoHotkey.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\intuit~1.lnk - c:\program files\common files\intuit\dataprotect\IntuitDataProtect.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~2.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\intuit\quickbooks 2011\QBW32.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: HideSCAHealth = dword:1
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: mcafee.com
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{02131942-BD17-406C-944A-B0926671F803} : DHCPNameServer = 192.168.0.1
Filter: application/x-mfe-ipt - <Clsid value has no data>
Handler: dssrequest - <Clsid value has no data>
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - c:\program files\intuit\quickbooks 2011\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} -
Handler: sacore - <Clsid value has no data>
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\pavel\appdata\roaming\mozilla\firefox\profiles\j7o4iz70.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - http://www.igoogle.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPLV82Win32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nplv86win32.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\users\pavel\appdata\roaming\mozilla\firefox\profiles\j7o4iz70.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
FF - plugin: c:\users\pavel\appdata\roaming\mozilla\firefox\profiles\j7o4iz70.default\extensions\{b6ac5e3c-5ceb-4e72-b451-f0e1ba983c14}\plugins\np-mswmp.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_135.dll
FF - plugin: c:\windows\system32\wat\npWatWeb.dll
.
============= SERVICES / DRIVERS ===============
.
R0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);c:\windows\system32\drivers\tdrpm258.sys [2010-6-12 911680]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2012-6-13 490088]
S0 nipbcfk;National Instruments Class Upper Filter Driver;c:\windows\system32\drivers\nipbcfk.sys [2009-7-7 15448]
S1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2012-6-6 54776]
S2 AdvancedSystemCareService6;Advanced SystemCare Service 6;c:\program files\iobit\advanced systemcare 6\ASCService.exe [2013-1-8 464256]
S2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\common files\acronis\cdp\afcdpsrv.exe [2010-6-12 2480048]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 FileOpenManagerSvc;FileOpen Manager Service;c:\program files\fileopen\services\FileOpenManagerSvc32.exe [2011-12-9 213888]
S2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-9-10 398184]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-9-10 682344]
S2 mcpltsvc;McAfee Platform Services;"c:\program files\common files\mcafee\platform\mcsvchost\mcsvhost.exe" /mccoresvc --> c:\program files\common files\mcafee\platform\mcsvchost\McSvHost.exe [?]
S2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-4-13 229688]
S2 ni488enumsvc;NI-488.2 Enumeration Service;c:\windows\system32\nipalsm.exe [2008-8-21 12696]
S2 niLXIDiscovery;National Instruments LXI Discovery Service;c:\program files\ivi foundation\visa\winnt\nivisa\niLxiDiscovery.exe [2009-3-5 131704]
S2 nimDNSResponder;National Instruments mDNS Responder Service;c:\program files\national instruments\shared\mdns responder\nimdnsResponder.exe [2009-6-4 193648]
S2 nipxirmk;nipxirmk;c:\windows\system32\drivers\nipxirmkl.sys [2009-7-7 11344]
S2 NiViPxiK;NI-VISA PXI Driver;c:\windows\system32\drivers\NiViPxiKl.sys [2009-6-21 11360]
S2 QBVSS;QBIDPService;c:\program files\common files\intuit\dataprotect\QBIDPService.exe [2010-12-2 1248256]
S2 Skype C2C Service;Skype C2C Service;c:\programdata\skype\toolbars\skype c2c service\c2c_service.exe [2012-12-13 3290896]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-11-9 160944]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2012-10-2 382824]
S3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [2010-6-12 160288]
S3 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2010-12-24 401920]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 DKRtWrt;DKRtWrt;c:\windows\system32\drivers\DKRtWrt.sys [2010-7-21 45616]
S3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [2013-1-3 147472]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-8-22 21104]
S3 mfencbdc;McAfee Inc. mfencbdc;c:\windows\system32\drivers\mfencbdc.sys [2012-11-2 252200]
S3 mfencrk;McAfee Inc. mfencrk;c:\windows\system32\drivers\mfencrk.sys [2012-11-2 81456]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2010-12-2 25600]
S3 ni1006k;NI PXI-1006 Chassis Pilot;c:\windows\system32\drivers\ni1006k.sys [2009-4-1 26192]
S3 ni1045k;NI PXI-1045 Chassis Pilot;c:\windows\system32\drivers\ni1045kl.sys [2009-6-17 11344]
S3 ni1065k;NI PXIe-1065 Chassis Pilot;c:\windows\system32\drivers\ni1065k.sys [2009-4-1 22608]
S3 ni488lock;NI-488.2 Locking Service;c:\windows\system32\drivers\ni488lock.sys [2009-12-15 17480]
S3 nidimk;nidimk;c:\windows\system32\drivers\nidimkl.sys [2009-7-7 11360]
S3 nipalfwedl;nipalfwedl;c:\windows\system32\drivers\nipalfwedl.sys [2009-10-30 11904]
S3 nipalusbedl;nipalusbedl;c:\windows\system32\drivers\nipalusbedl.sys [2009-10-30 11896]
S3 nipxigpk;NI PXI Generic Chassis Pilot;c:\windows\system32\drivers\nipxigpk.sys [2008-6-25 20568]
S3 NiViFWK;NI-VISA FireWire Driver;c:\windows\system32\drivers\NiViFWKl.sys [2009-3-5 11384]
S3 NiViPciK;NI-VISA PCI Driver;c:\windows\system32\drivers\NiViPciKl.sys [2009-6-21 11360]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-5-23 15872]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-5-23 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-5 1343400]
S3 XilinxFirmwareLoader;XilinxFirmwareLoader;c:\windows\system32\drivers\xusbdfwu.sys [2011-5-29 17280]
.
=============== Created Last 30 ================
.
2013-01-09 07:02:35   --------   d-----w-   C:\466c6e99da8f25e1421e05305b216a
2013-01-09 06:31:57   --------   d-sh--w-   C:\$RECYCLE.BIN
2013-01-09 05:08:58   49152   ----a-w-   c:\windows\system32\taskhost.exe
2013-01-09 05:08:58   220160   ----a-w-   c:\windows\system32\ncrypt.dll
2013-01-08 21:48:19   --------   d-----w-   c:\programdata\IObit
2013-01-08 21:48:14   --------   d-----w-   c:\users\pavel\appdata\roaming\IObit
2013-01-08 21:48:12   --------   d-----w-   c:\program files\IObit
2013-01-07 09:31:13   --------   d-----w-   c:\users\pavel\appdata\local\temp
2013-01-07 07:52:19   53248   ----a-w-   c:\windows\system32\CSVer.dll
2013-01-07 07:33:52   --------   d-----w-   C:\zz_drive_clean
2013-01-07 06:11:45   --------   d-----w-   c:\users\pavel\appdata\local\Programs
2013-01-04 17:39:27   --------   d-----w-   c:\users\pavel\appdata\local\McAfee File Lock
2013-01-04 07:50:51   147472   ----a-w-   c:\windows\system32\drivers\HipShieldK.sys
2012-12-22 11:00:36   295424   ----a-w-   c:\windows\system32\atmfd.dll
2012-12-22 11:00:35   34304   ----a-w-   c:\windows\system32\atmlib.dll
2012-12-13 22:30:28   5955856   ----a-w-   c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
2012-12-12 14:51:38   376832   ----a-w-   c:\windows\system32\dpnet.dll
2012-12-12 14:50:53   2048   ----a-w-   c:\windows\system32\tzres.dll
.
==================== Find3M  ====================
.
2012-12-15 00:49:28   21104   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-12-11 22:54:28   73656   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-11 22:54:28   697272   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2012-12-07 12:26:17   308736   ----a-w-   c:\windows\system32\Wpc.dll
2012-12-07 12:20:43   2576384   ----a-w-   c:\windows\system32\gameux.dll
2012-11-30 04:53:34   169984   ----a-w-   c:\windows\system32\winsrv.dll
2012-11-30 04:47:45   293376   ----a-w-   c:\windows\system32\KernelBase.dll
2012-11-30 02:55:25   271360   ----a-w-   c:\windows\system32\conhost.exe
2012-11-30 02:38:59   6144   ---ha-w-   c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2012-11-30 02:38:59   4608   ---ha-w-   c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2012-11-30 02:38:59   3584   ---ha-w-   c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2012-11-30 02:38:59   3072   ---ha-w-   c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2012-11-23 02:56:23   2345984   ----a-w-   c:\windows\system32\win32k.sys
2012-11-22 04:45:03   626688   ----a-w-   c:\windows\system32\usp10.dll
2012-11-14 02:09:22   1800704   ----a-w-   c:\windows\system32\jscript9.dll
2012-11-14 01:58:15   1427968   ----a-w-   c:\windows\system32\inetcpl.cpl
2012-11-14 01:57:37   1129472   ----a-w-   c:\windows\system32\wininet.dll
2012-11-14 01:49:25   142848   ----a-w-   c:\windows\system32\ieUnatt.exe
2012-11-14 01:48:27   420864   ----a-w-   c:\windows\system32\vbscript.dll
2012-11-14 01:44:42   2382848   ----a-w-   c:\windows\system32\mshtml.tlb
2012-11-09 04:43:04   492032   ----a-w-   c:\windows\system32\win32spl.dll
2012-11-02 09:46:50   9744   ----a-w-   c:\windows\system32\drivers\mfeclnrk.sys
2012-11-02 09:46:50   81456   ----a-w-   c:\windows\system32\drivers\mfencrk.sys
2012-11-02 09:46:50   252200   ----a-w-   c:\windows\system32\drivers\mfencbdc.sys
2012-11-01 04:47:54   1389568   ----a-w-   c:\windows\system32\msxml6.dll
2012-10-16 07:39:52   561664   ----a-w-   c:\windows\apppatch\AcLayers.dll
2003-06-19 19:05:04   431888   --s-a-w-   c:\program files\common files\riched20.dll
.
============= FINISH: 23:08:00.66 ===============
« Last Edit: January 24, 2013, 05:31:19 am by kevinf80 »



Offline Telenochek

  • Bronze Member
  • Posts: 49
Re: [Resolved K] Windows services damaged after trojan removal
« Reply #1 on: January 09, 2013, 01:25:09 am »
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume2
Install Date: 6/5/2010 10:15:49 PM
System Uptime: 1/8/2013 10:57:04 PM (1 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. |  | P35-DS3L
Processor: Intel(R) Core(TM)2 Duo CPU     E8400  @ 3.00GHz | Socket 775 | 3000/333mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 596 GiB total, 488.515 GiB free.
D: is FIXED (NTFS) - 233 GiB total, 120.886 GiB free.
E: is CDROM ()
F: is FIXED (NTFS) - 233 GiB total, 35.405 GiB free.
G: is Removable
I: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Description: Canon MX860 ser Network
Device ID: ROOT\CANON_IJ_NETWORK\0000
Manufacturer: Canon
Name: Canon MX860 ser Network
PNP Device ID: ROOT\CANON_IJ_NETWORK\0000
Service: StillCam
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: NIPALK
Device ID: ROOT\LEGACY_NIPALK\0000
Manufacturer:
Name: NIPALK
PNP Device ID: ROOT\LEGACY_NIPALK\0000
Service: NIPALK
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: Security Processor Loader Driver
Device ID: ROOT\LEGACY_SPLDR\0000
Manufacturer:
Name: Security Processor Loader Driver
PNP Device ID: ROOT\LEGACY_SPLDR\0000
Service: spldr
.
==== System Restore Points ===================
.
RP535: 1/8/2013 9:46:19 PM - Windows Update
.
==== Installed Programs ======================
.
 Update for Microsoft Office 2007 (KB2508958)
7-Zip 4.65
A-PDF Merger 3.1
Acrobat.com
Acronis True Image Home
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.4)
Advanced SystemCare 6
Akamai NetSession Interface
Akamai NetSession Interface Service
Alamoon Watermark v1.4
Amazon Games & Software Downloader
Amazon Kindle
Ansoft HFSS 12.1
AnswerWorks 5.0 English Runtime
Apple Application Support
Apple Software Update
Audacity 1.3.12 (Unicode)
AutoHotkey 1.0.48.05
Avidemux 2.5 (32-bit)
AWR Design Environment 2009 (9.0.4847.1)
Canon IJ Network Scan Utility
Canon IJ Network Tool
Canon MP Navigator EX 2.1
Canon MX860 series MP Drivers
Canon MX860 series User Registration
Canon Utilities Easy-PhotoPrint EX
Canon Utilities My Printer
Canon Utilities Solution Menu
Chinese Simplified Fonts Support For Adobe Reader 9
ChipScope Pro 7.1i
CutePDF Writer 2.8
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
DHTML Editing Component
Diskeeper 2010 Professional
DivX Setup
EAGLE 4.16
eBay Auction Sniper and Auto Search 3.1
eBay Excel Add-in
ffdshow v1.1.4369 [2012-03-03]
FileOpen Client
FileZilla Client 3.5.3
FlashGet 1.9.0.1012
FLV Player 2.0 (build 25)
Foxit PDF Editor
GC-Prevue 19.1.2
GetData Graph Digitizer 2.24
Google Calendar Sync
Google Chrome
Google Update Helper
H&R Block Business 2010 (Remove Only)
H&R Block California 2009
H&R Block California 2010
H&R Block California 2011
H&R Block Deluxe + Efile + State 2009
H&R Block Deluxe + Efile + State 2011
H&R Block Deluxe + Efile + State 2012
H&R Block Premium + Efile + State 2010
Hotfix for Microsoft Visual C++ 2010 Express - ENU (KB2542054)
iLivid
ImportQIF
Japanese Fonts Support For Adobe Reader X
Java Auto Updater
Java(TM) 6 Update 31
Kindle PC Converter
LAME v3.98.3 for Audacity
Malwarebytes Anti-Malware version 1.70.0.1100
MATLAB R2008a
McAfee Online Backup
Media Add-ons for Acronis True Image Home 2010
Media Player Codec Pack 4.1.1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft .NET Framework 4 Multi-Targeting Pack
Microsoft Application Error Reporting
Microsoft Corporation
Microsoft Help Viewer 1.0
Microsoft IntelliPoint 8.2
Microsoft IntelliType Pro 8.0
Microsoft LifeCam
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2007
Microsoft Office Excel MUI (English) 2010
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional 2010
Microsoft Office Project 2007 Service Pack 3 (SP3)
Microsoft Office Project 2007 Step by Step
Microsoft Office Project MUI (English) 2007
Microsoft Office Project Standard 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2007
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing (English) 2010
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office SharePoint Designer 2007
Microsoft Office SharePoint Designer 2007 Service Pack 3 (SP3)
Microsoft Office SharePoint Designer MUI (English) 2007
Microsoft Office Single Image 2010
Microsoft Office Ultimate 2007
Microsoft Office Visio 2007 Service Pack 3 (SP3)
Microsoft Office Visio MUI (English) 2007
Microsoft Office Visio Standard 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office Word MUI (English) 2010
Microsoft Silverlight
Microsoft SQL Server Compact 3.5 SP2 ENU
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319
Microsoft Visual C++ 2010 Express - ENU
Microsoft Visual Studio 2005 Tools for Office Runtime
Modernsoft Financial Genome
Mozilla Firefox 17.0.1 (x86 en-US)
Mozilla Maintenance Service
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Murata Chip S-Parameter & Impedance Library Ver3.17.0
National Instruments Software
NI-488.2 2.7.3
NI-488.2 Provider for MAX version 2.7.3
NI-APAL Error Files 1.5.1f1
NI-DIM 1.10.0f0
NI-MDBG 1.9.2f0
NI-MXDF 1.11.0f0
NI-ORB 1.9.3f0
NI-PAL 2.5.2f0
NI-RPC 4.1.1f0
NI-RPC 4.1.1f0 for Phar Lap ETS
NI-VISA 4.6
NI-VISA 4.6 MAX Provider
NI-VISA Runtime 4.6
NI Certificates Deployment Support
NI EULA Depot
NI LabVIEW Broker
NI LabVIEW Real-Time Error Dialog
NI LabVIEW Real-Time FIFO for Runtime
NI LabVIEW Real-Time NBFifo
NI LabVIEW Run-Time Engine 8.2.1
NI LabVIEW Run-Time Engine 8.6
NI LabVIEW Web Server for Run-Time Engine
NI LabVIEW Web Services Runtime
NI LabWindows/CVI 9.0 Run-Time Engine
NI Logos 5.0
NI Logos XT Support
NI LVBrokerAux 8.2.1
NI Math Kernel Libraries
NI MAX Remote Configuration Installer 4.6.2
NI MDF Support
NI mDNS Responder 1.1.0
NI Measurement & Automation Explorer 4.6.2
NI Measurement Studio Common .NET Assemblies for the .NET 3.5
NI Measurement Studio Common .NET Language Assemblies for the .NET Framework 2.0
NI Measurement Studio GPIB Support for VS2005
NI Measurement Studio GPIB Support for VS2008
NI MXS 4.6.0f0 for LabVIEW Real-Time
NI MXS 4.6.2
NI Portable Configuration 4.6.1
NI PXI Platform Framework 1.1.4
NI PXI Platform Services 2.5.2
NI PXI Platform Services 2.5.2 Configuration Support
NI PXI Platform Services 2.5.2 Expert
NI PXI SystemAPI Expert 2.5.2
NI Registration Wizard
NI Remote Provider for MAX 4.6.2
NI Remote PXI Provider for MAX 4.6.0
NI Service Locator
NI Software Provider for MAX 4.6.0
NI Spy 2.7.0
NI System API RT
NI System API Windows 32-bit
NI TDMS
NI Trace Engine
NI Uninstaller
NI VC2005MSMs x86
NI VC2008MSMs x86
NI Xalan Delay Load 1.10.1
NI Xerces Delay Load 2.7.1
NVIDIA 3D Vision Controller Driver
NVIDIA 3D Vision Controller Driver 280.19
NVIDIA 3D Vision Driver 306.97
NVIDIA Control Panel 306.97
NVIDIA Graphics Driver 306.97
NVIDIA Install Application
NVIDIA PhysX
NVIDIA PhysX System Software 9.10.0514
NVIDIA Stereoscopic 3D Driver
NVIDIA Update 1.10.8
NVIDIA Update Components
Octoshape add-in for Adobe Flash Player
OGA Notifier 2.0.0048.0
PDF To Excel Converter V3.0
PhotoScape
Plus Pack for Acronis True Image Home 2010
Professor Teaches QuickBooks 2011
PVSonyDll
QuickBooks
QuickBooks Premier Edition 2011
QuickTime
Realtek Ethernet Controller Driver
Realtek High Definition Audio Driver
Revo Uninstaller 1.94
Rhapsody
Salsa Rhythm Machine v3.0.2
Sansa Updater
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Security Update for Microsoft Excel 2010 (KB2597126) 32-Bit Edition
Security Update for Microsoft InfoPath 2010 (KB2687417) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687311) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687439) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687499) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553091)
Security Update for Microsoft Office 2010 (KB2553096)
Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2597986) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687501) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687510) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2760421) 32-Bit Edition
Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition
Security Update for Microsoft Visio Viewer 2010 (KB2598287) 32-Bit Edition
Security Update for Microsoft Visual C++ 2010 Express - ENU (KB2251489)
Security Update for Microsoft Word 2010 (KB2760410) 32-Bit Edition
Shared C Run-time for x86
SigmaPlot 11.0
Skype Click to Call
Skype™ 6.0
Smith  V3.10
Stamps.com
Stamps.com Application Support for Microsoft Outlook 2000-2010
Stamps.com Application Support for Microsoft Word 2000-2010
Stamps.com support for Microsoft Outlook 2000-2010
Stamps.com support for Microsoft Word 2000-2010
System Requirements Lab
Tableau Public 7.0
TaxCut Deluxe 2005
Turbo Lister 2
Tweaking.com - Windows Repair (All in One)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition
Update for Microsoft Office 2010 (KB2687509) 32-Bit Edition
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2760586) 32-Bit Edition
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Project 2007 Help (KB963668)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Sharepoint Designer 2007 Help (KB963675)
Update for Microsoft Office Visio 2007 Help (KB963666)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2687277) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
VC80CRTRedist - 8.0.50727.6195
VISA Shared Components
Visual Studio Tools for the Office system 3.0 Runtime
Visual Studio Tools for the Office system 3.0 Runtime Service Pack 1 (KB949258)
VitalSource Bookshelf
VLC media player 1.1.11
Wealth-Lab Pro 6.4
WebEx
Windows Media Player Firefox Plugin
Windows Mobile Device Updater Component
Wondershare PDF Converter (Build 3.0.1)
Zune
Zune Language Pack (CHS)
Zune Language Pack (CHT)
Zune Language Pack (CSY)
Zune Language Pack (DAN)
Zune Language Pack (DEU)
Zune Language Pack (ELL)
Zune Language Pack (ESP)
Zune Language Pack (FIN)
Zune Language Pack (FRA)
Zune Language Pack (HUN)
Zune Language Pack (IND)
Zune Language Pack (ITA)
Zune Language Pack (JPN)
Zune Language Pack (KOR)
Zune Language Pack (MSL)
Zune Language Pack (NLD)
Zune Language Pack (NOR)
Zune Language Pack (PLK)
Zune Language Pack (PTB)
Zune Language Pack (PTG)
Zune Language Pack (RUS)
Zune Language Pack (SVE)
.
==== Event Viewer Messages From Past Week ========
.
1/8/2013 9:02:02 PM, Error: Microsoft-Windows-WMPNSS-Service [14333]  - Service 'WMPNetworkSvc' did not start correctly due to error '0x80070424'. Restart your computer, and then try to restart the service.
1/8/2013 12:54:29 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WatAdminSvc with arguments "" in order to run the server: {F02602C4-3C2A-473B-B35E-679A0076A4A5}
1/8/2013 12:48:50 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
1/8/2013 11:07:16 PM, Error: Service Control Manager [7001]  - The Computer Browser service depends on the Server service which failed to start because of the following error:  The dependency service or group failed to start.
1/8/2013 11:00:06 PM, Error: Service Control Manager [7000]  - The McAfee Platform Services service failed to start due to the following error:  The system cannot find the file specified.
1/8/2013 10:58:55 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
1/8/2013 10:58:55 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
1/8/2013 10:58:45 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/8/2013 10:58:37 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
1/8/2013 10:58:06 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  discache MOBKFilter NIPALK nipbcfk spldr Wanarpv6
1/8/2013 10:58:05 PM, Error: Service Control Manager [7003]  - The PNRP Machine Name Publication Service service depends the following service: PNRPSvc. This service might not be installed.
1/8/2013 10:58:05 PM, Error: Service Control Manager [7003]  - The Peer Networking Grouping service depends the following service: PNRPSvc. This service might not be installed.
1/8/2013 10:58:05 PM, Error: Service Control Manager [7003]  - The Net.Pipe Listener Adapter service depends the following service: was. This service might not be installed.
1/8/2013 10:58:05 PM, Error: Service Control Manager [7003]  - The Net.Msmq Listener Adapter service depends the following service: msmq. This service might not be installed.
1/8/2013 10:58:05 PM, Error: Service Control Manager [7001]  - The Net.Tcp Listener Adapter service depends on the Net.Tcp Port Sharing Service service which failed to start because of the following error:  The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
1/8/2013 10:45:08 PM, Error: Service Control Manager [7003]  - The Internet Connection Sharing (ICS) service depends the following service: Netman. This service might not be installed.
1/8/2013 10:31:02 PM, Error: Service Control Manager [7030]  - The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
1/8/2013 10:19:45 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service VSS with arguments "" in order to run the server: {E579AB5F-1CC4-44B4-BED9-DE0991FF0623}
1/8/2013 10:11:34 PM, Error: Service Control Manager [7038]  - The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error:  Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
1/8/2013 10:11:34 PM, Error: Service Control Manager [7000]  - The NVIDIA Update Service Daemon service failed to start due to the following error:  The service did not start due to a logon failure.
1/8/2013 10:09:33 PM, Error: Service Control Manager [7023]  - The Portable Device Enumerator Service service terminated with the following error:  The system cannot find the file specified.
1/8/2013 10:09:30 PM, Error: Service Control Manager [7023]  - The Remote Access Connection Manager service terminated with the following error:  The system cannot find the file specified.
1/8/2013 10:09:20 PM, Error: Service Control Manager [7023]  - The seclogon service terminated with the following error:  The specified procedure could not be found.
1/8/2013 1:48:23 PM, Error: Service Control Manager [7030]  - The Advanced SystemCare Service 6 service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
1/8/2013 1:41:04 PM, Error: Service Control Manager [7043]  - The Group Policy Client service did not shut down properly after receiving a preshutdown control.
1/8/2013 1:36:00 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service gupdate with arguments "/comsvc" in order to run the server: {4EB61BAC-A3B6-4760-9581-655041EF4D69}
1/7/2013 9:46:35 AM, Error: Service Control Manager [7043]  - The McAfee Anti-Malware Core service did not shut down properly after receiving a preshutdown control.
1/7/2013 9:46:05 AM, Error: Service Control Manager [7043]  - The Acronis Nonstop Backup service service did not shut down properly after receiving a preshutdown control.
1/7/2013 9:45:35 AM, Error: Service Control Manager [7043]  - The Acronis Scheduler2 Service service did not shut down properly after receiving a preshutdown control.
1/7/2013 8:46:12 AM, Error: Microsoft-Windows-WMPNSS-Service [14332]  - Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80070420'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.
1/7/2013 12:04:14 AM, Error: Microsoft-Windows-WMPNSS-Service [14332]  - Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80004005'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.
1/7/2013 10:12:43 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
1/7/2013 10:12:43 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {C90134D2-4AE9-407A-919A-4A2EF09C6C51}
1/7/2013 1:17:32 AM, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the McAfee Firewall Core Service service, but this action failed with the following error:  An instance of the service is already running.
1/7/2013 1:17:08 AM, Error: Service Control Manager [7034]  - The McAfee Validation Trust Protection Service service terminated unexpectedly.  It has done this 1 time(s).
1/7/2013 1:16:32 AM, Error: Service Control Manager [7031]  - The McAfee Firewall Core Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
1/7/2013 1:16:01 AM, Error: Service Control Manager [7031]  - The McAfee Platform Services service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
1/7/2013 1:16:01 AM, Error: Service Control Manager [7031]  - The McAfee Personal Firewall Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
1/6/2013 11:54:44 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {395633B1-EED9-4DFC-B67F-9788B51C9F06}
1/6/2013 11:48:31 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service McAfee SiteAdvisor Service with arguments "" in order to run the server: {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}
1/6/2013 11:29:16 PM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the lmhosts service.
1/6/2013 10:36:33 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001]  - The computer has rebooted from a bugcheck.  The bugcheck was: 0x000000f4 (0x00000003, 0x8789a020, 0x8789a18c, 0x83637e10). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 010613-28173-01.
.
==== End Of File ===========================
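Sorting the Service Control Manager and DCOM errors above into the kinds of damage they point at is the first triage step in a case like this. The following script is an added example, not part of the thread or the DDS tool: it parses lines in the DDS event-viewer format (the sample input is copied from the log above), and the bucket names and the reading of DCOM error 1084 as a Safe Mode artefact are mine.

```python
"""Triage the "Event Viewer Messages From Past Week" section of a DDS log.

Service Control Manager and DCOM errors are sorted into buckets that point
at different kinds of post-cleanup damage: service registry keys that are
gone, service binaries that are gone, drivers that failed to load, and
errors that are only an artefact of scanning from Safe Mode.
"""
import re
from typing import Dict, List

# Sample input: lines copied from the DDS event-viewer section of this thread.
SAMPLE_EVENTS = """\
1/8/2013 10:58:05 PM, Error: Service Control Manager [7003]  - The Peer Networking Grouping service depends the following service: PNRPSvc. This service might not be installed.
1/8/2013 10:45:08 PM, Error: Service Control Manager [7003]  - The Internet Connection Sharing (ICS) service depends the following service: Netman. This service might not be installed.
1/8/2013 11:00:06 PM, Error: Service Control Manager [7000]  - The McAfee Platform Services service failed to start due to the following error:  The system cannot find the file specified.
1/8/2013 10:09:30 PM, Error: Service Control Manager [7023]  - The Remote Access Connection Manager service terminated with the following error:  The system cannot find the file specified.
1/8/2013 10:09:20 PM, Error: Service Control Manager [7023]  - The seclogon service terminated with the following error:  The specified procedure could not be found.
1/8/2013 10:58:06 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  discache MOBKFilter NIPALK nipbcfk spldr Wanarpv6
1/8/2013 10:58:55 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
1/8/2013 10:58:55 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
1/7/2013 1:17:08 AM, Error: Service Control Manager [7034]  - The McAfee Validation Trust Protection Service service terminated unexpectedly.  It has done this 1 time(s).
"""

# One DDS event line: "<m/d/yyyy h:mm:ss AM|PM>, Error: <source> [<id>]  - <message>"
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"Error: (?P<source>.+?) \[(?P<id>\d+)\]\s+- (?P<msg>.*)$"
)
# SCM 7003: the named dependency is usually a service whose key under
# HKLM\SYSTEM\CurrentControlSet\Services no longer exists.
DEP_RE = re.compile(
    r"^The (?P<svc>.+?) service depends the following service: (?P<dep>[^.]+)\."
)
# SCM 7000 / 7023: a service that could not start or died, with the Win32 error text.
FAIL_RE = re.compile(
    r"^The (?P<svc>.+?) service (?:failed to start due to|terminated with) "
    r"the following error:\s+(?P<err>.+)$"
)
# SCM 7026: space-separated names of boot-start / system-start drivers.
DRV_RE = re.compile(r"driver\(s\) failed to load:\s+(?P<names>.+)$")
# DCOM 10005: the service DCOM tried to start and the Win32 error it got back.
DCOM_RE = re.compile(
    r'DCOM got error "(?P<code>\d+)" attempting to start the service (?P<svc>.+?) with arguments'
)

FILE_NOT_FOUND = "The system cannot find the file specified."
# Win32 error 1084, ERROR_NOT_SAFEBOOT_SERVICE: the service is not on the SafeBoot
# list, so these entries say "the log was taken in Safe Mode", not "the service is broken".
ERROR_NOT_SAFEBOOT_SERVICE = "1084"


def triage(log_text: str) -> Dict[str, List]:
    """Return de-duplicated buckets of findings extracted from DDS event lines."""
    buckets: Dict[str, List] = {
        "missing_dependency": [],  # (service, dependency that "might not be installed")
        "file_not_found": [],      # services whose binary is gone (7000/7023)
        "other_failure": [],       # (service, error text) that needs manual review
        "driver_load_failed": [],  # driver names from 7026
        "safe_mode_1084": [],      # DCOM 1084: expected while booted in Safe Mode
        "unclassified": [],        # parsed, but no rule applies (or not parseable)
    }
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if not m:
            buckets["unclassified"].append(line)
            continue
        source, event_id, msg = m.group("source"), m.group("id"), m.group("msg")
        if source == "Service Control Manager":
            if event_id == "7003" and (d := DEP_RE.match(msg)):
                buckets["missing_dependency"].append((d.group("svc"), d.group("dep")))
                continue
            if event_id in ("7000", "7023") and (f := FAIL_RE.match(msg)):
                svc, err = f.group("svc"), f.group("err").strip()
                if err == FILE_NOT_FOUND:
                    buckets["file_not_found"].append(svc)
                else:
                    buckets["other_failure"].append((svc, err))
                continue
            if event_id == "7026" and (v := DRV_RE.search(msg)):
                buckets["driver_load_failed"].extend(v.group("names").split())
                continue
        elif source == "Microsoft-Windows-DistributedCOM" and event_id == "10005":
            c = DCOM_RE.search(msg)
            if c and c.group("code") == ERROR_NOT_SAFEBOOT_SERVICE:
                buckets["safe_mode_1084"].append(c.group("svc"))
                continue
        buckets["unclassified"].append(line)
    # Keep first-seen order but drop repeats (WSearch is logged twice in the thread).
    return {key: list(dict.fromkeys(items)) for key, items in buckets.items()}


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_EVENTS).items():
        print(f"{bucket} ({len(items)}):")
        for item in items:
            print("   ", item)
```

The `missing_dependency` and `file_not_found` buckets are the ones worth checking against the services registry hive and the FRST "Services" section; the `safe_mode_1084` bucket can be ignored until the machine is booted normally.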

Offline Telenochek

  • Bronze Member
  • Posts: 49
Re: [Resolved K] Windows services damaged after trojan removal
« Reply #2 on: January 09, 2013, 01:26:27 am »
BTW, I did remove BitTorrent as requested.

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7283
Re: [Resolved K] Windows services damaged after trojan removal
« Reply #3 on: January 09, 2013, 02:41:05 am »
Hello Telenochek and welcome to SpywareHammer,

I'm kevinf80 and I will be helping with any malware issues you may have with your system.

  • Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family so I ask that you be patient when waiting for replies.
  • Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
  • Either print or Save to Notepad all instructions and please follow them carefully. If there's something you don't understand or that will not work, please let me know and we will go through it together.
  • Malware is often buggy and can be very unstable; with that in mind, it is advisable to back up any important data before we begin. Go here http://support.microsoft.com/kb/971759 and follow the instructions specific to your operating system.
  • If you do not reply within 72 hours the thread will be closed; if you need more time, let me know. Likewise, if I do not respond within 48 hours, feel free to PM me.
  • If you have any P2P applications installed such as BitTorrent, uTorrent, Limewire, etc., please uninstall them before we begin.
  • If you are using Cracked or Illegal software your thread will be locked and all help will cease.

Please proceed as follows :-

Download Farbar Recovery Scan Tool on a clean PC (if possible) and save to a flash drive (memory stick). Use whichever of the following is applicable to your system (32 or 64 bit).

Download http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/ <--- 64 bit version Save to USB flash drive

Download http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/ <--- 32 bit version Save to USB Flash drive

Plug the flash drive into the infected PC.

Enter System Recovery Options. I give two methods, use whichever is convenient for you.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select Your Country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select Your Country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64 or e:\frst depending on your version. Press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Kevin


Offline Telenochek

  • Bronze Member
  • Posts: 49
Re: [Resolved K] Windows services damaged after trojan removal
« Reply #4 on: January 09, 2013, 11:22:27 am »
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 09-01-2013
Ran by SYSTEM at 09-01-2013 09:06:32
Running from G:\
Windows 7 Ultimate  Service Pack 1 (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s [10959464 2012-01-15] (Realtek Semiconductor)
HKLM\...\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe" [135536 2010-12-13] (Microsoft Corporation)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKU\Pavel\...\Run: [Akamai NetSession Interface] "C:\Users\Pavel\AppData\Local\Akamai\netsession_win.exe" [4441920 2012-10-09] (Akamai Technologies, Inc.)
HKU\Pavel\...\Run: [BitTorrent] "C:\Program Files\BitTorrent\BitTorrent.exe"  /MINIMIZED

HKU\Pavel\...\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun [17877168 2012-11-09] (Skype Technologies S.A.)
HKU\Pavel\...\Run: [Advanced SystemCare 6] "C:\Program Files\IObit\Advanced SystemCare 6\ASCTray.exe" /AutoStart [490880 2012-09-24] (IObit)
HKU\UpdatusUser\...\Run: [SansaDispatch] C:\Users\UpdatusUser\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe

HKU\UpdatusUser\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [8704 2009-07-13] (Microsoft Corporation)
HKU\UpdatusUser\...\Run: [Akamai NetSession Interface] "C:\Users\Pavel\AppData\Local\Akamai\netsession_win.exe" [4441920 2012-10-09] (Akamai Technologies, Inc.)
HKLM\...\Runonce: [] 

HKLM\...\Runonce: [GrpConv] grpconv -o

Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Google Calendar Sync.lnk
ShortcutTarget: Google Calendar Sync.lnk -> C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe (Google)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Intuit Data Protect.lnk
ShortcutTarget: Intuit Data Protect.lnk -> C:\Program Files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe (Intuit Inc.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk
ShortcutTarget: QuickBooks_Standard_21.lnk -> C:\Program Files\Intuit\QuickBooks 2011\QBW32.EXE (Intuit Inc.)
Startup: C:\Users\Pavel\Start Menu\Programs\Startup\AutoHotkey.lnk
ShortcutTarget: AutoHotkey.lnk -> C:\Program Files\AutoHotkey\AutoHotkey.exe ()

==================== Services (Whitelisted) ===================

2 AcrSch2Svc; "C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe" [660664 2009-11-12] (Acronis)
2 AdvancedSystemCareService6; C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe [464256 2012-10-31] (IObit)
2 afcdpsrv; C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe [2480048 2010-06-12] (Acronis)
3 Amazon Download Agent; C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [401920 2009-10-23] (Amazon.com)
2 Diskeeper; "C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe" [1732960 2009-12-24] (Diskeeper Corporation)
3 FLEXnet Licensing Service; "C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe" [1044816 2012-05-12] (Flexera Software, Inc.)
2 LkCitadelServer; C:\Windows\system32\lkcitdl.exe [695136 2008-06-17] (National Instruments, Inc.)
2 lkClassAds; C:\Windows\system32\lkads.exe [40488 2008-06-17] (National Instruments Corporation)
2 lkTimeSync; C:\Windows\system32\lktsrv.exe [50736 2008-06-17] (National Instruments Corporation)
2 MBAMScheduler; "C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe" [398184 2012-12-14] (Malwarebytes Corporation)
2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [682344 2012-12-14] (Malwarebytes Corporation)
2 MOBKbackup; "C:\Program Files\McAfee Online Backup\MOBKbackup.exe" [229688 2010-04-13] (McAfee, Inc.)
2 mxssvr; "C:\Program Files\National Instruments\MAX\nimxs.exe" [12696 2009-10-20] (National Instruments Corporation)
2 ni488enumsvc; C:\Windows\System32\nipalsm.exe [12696 2008-08-21] (National Instruments Corporation)
2 NIDomainService; "C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe" [213552 2008-06-17] (National Instruments Corporation)
2 niLXIDiscovery; "C:\Program Files\IVI Foundation\VISA\WinNT\NIvisa\niLxiDiscovery.exe" [131704 2009-03-05] (National Instruments Corporation)
2 nimDNSResponder; "C:\Program Files\National Instruments\Shared\mDNS Responder\nimdnsResponder.exe" [193648 2009-06-04] (National Instruments Corporation)
2 nipxirmu; C:\Windows\System32\nipalsm.exe [12696 2008-08-21] (National Instruments Corporation)
2 niSvcLoc; C:\Windows\system32\nisvcloc.exe -s [13896 2009-06-04] (National Instruments Corporation)
2 QBVSS; "C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe" [1248256 2011-12-21] (Intuit Inc.)
3 RasMan; C:\Windows\System32\svchost.exe -k netsvcs [20992 2009-07-13] (Microsoft Corporation)
3 SensrSvc; C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation [20992 2009-07-13] (Microsoft Corporation)
2 Skype C2C Service; "C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe" [3290896 2012-12-13] (Skype Technologies S.A.)
3 WebClient; C:\Windows\System32\svchost.exe -k LocalService [20992 2009-07-13] (Microsoft Corporation)
3 WPDBusEnum; C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
2 mcpltsvc; "C:\Program Files\Common Files\Mcafee\Platform\McSvcHost\McSvHost.exe" /McCoreSvc


==================== Drivers (Whitelisted) ====================

2 cvintdrv; C:\Windows\System32\Drivers\cvintdrv.sys [4096 2009-08-03] ()
3 DKRtWrt; C:\Windows\System32\DRIVERS\DKRtWrt.sys [45616 2009-12-10] (Diskeeper Corporation)
3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [147472 2012-05-28] (McAfee, Inc.)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [21104 2012-12-14] (Malwarebytes Corporation)
3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [252200 2012-11-02] (McAfee, Inc.)
3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [81456 2012-11-02] (McAfee, Inc.)
1 MOBKFilter; C:\Windows\System32\DRIVERS\MOBK.sys [54776 2010-04-13] (Mozy, Inc.)
3 ni1006k; \??\C:\Windows\system32\drivers\ni1006k.sys [26192 2009-04-01] (National Instruments Corporation)
3 ni1045k; \??\C:\Windows\system32\drivers\ni1045kl.sys [11344 2009-06-17] (National Instruments Corporation)
3 ni1065k; \??\C:\Windows\system32\drivers\ni1065k.sys [22608 2009-04-01] (National Instruments Corporation)
3 ni488lock; \??\C:\Windows\system32\drivers\ni488lock.sys [17480 2009-12-15] (National Instruments Corporation)
3 nidimk; \??\C:\Windows\system32\drivers\nidimkl.sys [11360 2009-07-07] (National Instruments Corporation)
3 nimdbgk; \??\C:\Windows\system32\drivers\nimdbgkl.sys [11360 2009-07-07] (National Instruments Corporation)
3 nimxdfk; \??\C:\Windows\system32\drivers\nimxdfkl.sys [11344 2009-07-07] (National Instruments Corporation)
3 niorbk; \??\C:\Windows\system32\drivers\niorbkl.sys [11344 2009-06-14] (National Instruments Corporation)
3 nipalfwedl; C:\Windows\System32\drivers\nipalfwedl.sys [11904 2009-10-30] (National Instruments Corporation)
0 NIPALK; C:\Windows\System32\drivers\nipalk.sys [597592 2009-10-30] (National Instruments Corporation)
3 nipalusbedl; C:\Windows\System32\drivers\nipalusbedl.sys [11896 2009-10-30] (National Instruments Corporation)
0 nipbcfk; C:\Windows\System32\drivers\nipbcfk.sys [15448 2009-07-07] (National Instruments Corporation)
3 nipxigpk; \??\C:\Windows\system32\drivers\nipxigpk.sys [20568 2008-06-25] (National Instruments Corporation)
2 nipxirmk; \??\C:\Windows\system32\drivers\nipxirmkl.sys [11344 2009-07-07] (National Instruments Corporation)
3 NiViFWK; C:\Windows\System32\drivers\NiViFWKl.sys [11384 2009-03-05] (National Instruments Corporation)
3 NiViPciK; C:\Windows\System32\drivers\NiViPciKl.sys [11360 2009-06-21] (National Instruments Corporation)
2 NiViPxiK; C:\Windows\System32\drivers\NiViPxiKl.sys [11360 2009-06-21] (National Instruments Corporation)
0 tdrpman258; C:\Windows\System32\DRIVERS\tdrpm258.sys [911680 2010-06-12] (Acronis)
3 WinDriver6; C:\Windows\System32\drivers\windrvr6.sys [195968 2011-02-03] (Jungo)
3 XilinxFirmwareLoader; C:\Windows\System32\Drivers\xusbdfwu.sys [17280 2011-02-03] (Xilinx, Inc.)
2 XilinxPC4Driver; C:\Windows\System32\drivers\xpc4drvr.sys [16000 2011-02-03] (Xilinx, Inc.)
3 catchme; \??\C:\Users\Pavel\AppData\Local\Temp\catchme.sys


==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-01-08 22:53 - 2013-01-08 23:08 - 00026569 ____A C:\Users\Pavel\Desktop\attach.txt
2013-01-08 22:53 - 2013-01-08 23:08 - 00016556 ____A C:\Users\Pavel\Desktop\dds.txt
2013-01-08 22:44 - 2013-01-08 22:44 - 00000546 ____A C:\Windows\PFRO.log
2013-01-08 22:32 - 2013-01-08 22:32 - 00013873 ____A C:\ComboFix.txt
2013-01-08 22:18 - 2013-01-08 23:02 - 00002243 ____A C:\Windows\epplauncher.mif
2013-01-08 21:09 - 2012-12-07 04:26 - 00308736 ____A (Microsoft Corporation) C:\Windows\System32\Wpc.dll
2013-01-08 21:09 - 2012-12-07 04:20 - 02576384 ____A (Microsoft Corporation) C:\Windows\System32\gameux.dll
2013-01-08 21:09 - 2012-12-07 02:46 - 00055296 ____A (Microsoft) C:\Windows\System32\cero.rs
2013-01-08 21:09 - 2012-12-07 02:46 - 00051712 ____A (Microsoft) C:\Windows\System32\esrb.rs
2013-01-08 21:09 - 2012-12-07 02:46 - 00046592 ____A (Microsoft) C:\Windows\System32\fpb.rs
2013-01-08 21:09 - 2012-12-07 02:46 - 00045568 ____A (Microsoft) C:\Windows\System32\oflc-nz.rs
2013-01-08 21:09 - 2012-12-07 02:46 - 00044544 ____A (Microsoft) C:\Windows\System32\pegibbfc.rs
2013-01-08 21:09 - 2012-12-07 02:46 - 00043520 ____A (Microsoft) C:\Windows\System32\csrr.rs
2013-01-08 21:09 - 2012-12-07 02:46 - 00040960 ____A (Microsoft) C:\Windows\System32\cob-au.rs
2013-01-08 21:09 - 2012-12-07 02:46 - 00030720 ____A (Microsoft) C:\Windows\System32\usk.rs
2013-01-08 21:09 - 2012-12-07 02:46 - 00023552 ____A (Microsoft) C:\Windows\System32\oflc.rs
2013-01-08 21:09 - 2012-12-07 02:46 - 00021504 ____A (Microsoft) C:\Windows\System32\grb.rs
2013-01-08 21:09 - 2012-12-07 02:46 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi-pt.rs
2013-01-08 21:09 - 2012-12-07 02:46 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi-fi.rs
2013-01-08 21:09 - 2012-12-07 02:46 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi.rs
2013-01-08 21:09 - 2012-12-07 02:46 - 00015360 ____A (Microsoft) C:\Windows\System32\djctq.rs
2013-01-08 21:09 - 2012-11-29 20:53 - 00169984 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll
2013-01-08 21:09 - 2012-11-29 20:47 - 00868352 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll
2013-01-08 21:09 - 2012-11-29 20:47 - 00293376 ____A (Microsoft Corporation) C:\Windows\System32\KernelBase.dll
2013-01-08 21:09 - 2012-11-29 20:45 - 00005120 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
2013-01-08 21:09 - 2012-11-29 20:45 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
2013-01-08 21:09 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
2013-01-08 21:09 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
2013-01-08 21:09 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll
2013-01-08 21:09 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll
2013-01-08 21:09 - 2012-11-29 20:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
2013-01-08 21:09 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
2013-01-08 21:09 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
2013-01-08 21:09 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
2013-01-08 21:09 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
2013-01-08 21:09 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
2013-01-08 21:09 - 2012-11-29 20:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
2013-01-08 21:09 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
2013-01-08 21:09 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
2013-01-08 21:09 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
2013-01-08 21:09 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll
2013-01-08 21:09 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
2013-01-08 21:09 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll
2013-01-08 21:09 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
2013-01-08 21:09 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
2013-01-08 21:09 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
2013-01-08 21:09 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
2013-01-08 21:09 - 2012-11-29 20:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
2013-01-08 21:09 - 2012-11-29 18:55 - 00271360 ____A (Microsoft Corporation) C:\Windows\System32\conhost.exe
2013-01-08 21:09 - 2012-11-29 18:38 - 00006144 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
2013-01-08 21:09 - 2012-11-29 18:38 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
2013-01-08 21:09 - 2012-11-29 18:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
2013-01-08 21:09 - 2012-11-29 18:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
2013-01-08 21:09 - 2012-11-29 15:17 - 00420064 ____A C:\Windows\System32\locale.nls
2013-01-08 21:09 - 2012-11-22 18:56 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-01-08 21:09 - 2012-11-21 20:45 - 00626688 ____A (Microsoft Corporation) C:\Windows\System32\usp10.dll
2013-01-08 21:09 - 2012-11-08 20:43 - 00492032 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2013-01-08 21:09 - 2012-10-31 20:47 - 01389568 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2013-01-08 21:08 - 2012-11-22 18:48 - 00049152 ____A (Microsoft Corporation) C:\Windows\System32\taskhost.exe
2013-01-08 21:08 - 2012-11-19 20:51 - 00220160 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2013-01-08 21:00 - 2013-01-08 22:08 - 00000112 ____A C:\Windows\setupact.log
2013-01-08 21:00 - 2013-01-08 21:00 - 00000000 ____A C:\Windows\setuperr.log
2013-01-08 13:48 - 2013-01-08 23:03 - 00000000 ____D C:\Users\Pavel\AppData\Roaming\IObit
2013-01-08 13:48 - 2013-01-08 13:48 - 00001230 ____A C:\Users\Public\Desktop\Uninstaller.lnk
2013-01-08 13:48 - 2013-01-08 13:48 - 00001179 ____A C:\Users\Public\Desktop\Advanced SystemCare 6.lnk
2013-01-08 13:48 - 2013-01-08 13:48 - 00000000 ____D C:\Users\All Users\IObit
2013-01-08 13:48 - 2013-01-08 13:48 - 00000000 ____D C:\Program Files\IObit
2013-01-07 01:14 - 2013-01-07 01:14 - 00003001 ____A C:\Users\Pavel\Desktop\RKreport[6]_D_01072013_02d0114.txt
2013-01-07 01:14 - 2013-01-07 01:14 - 00002973 ____A C:\Users\Pavel\Desktop\RKreport[7]_D_01072013_02d0114.txt
2013-01-07 01:13 - 2013-01-07 01:13 - 00002958 ____A C:\Users\Pavel\Desktop\RKreport[5]_S_01072013_02d0113.txt
2013-01-06 23:52 - 2013-01-06 23:52 - 00000000 ____D C:\Program Files\Intel
2013-01-06 23:52 - 2010-03-02 00:04 - 00053248 ____A (Windows XP Bundled build C-Centric Single User) C:\Windows\System32\CSVer.dll
2013-01-06 23:46 - 2013-01-06 23:46 - 00002858 ____A C:\Users\Pavel\Desktop\RKreport[4]_S_01062013_02d2346.txt
2013-01-06 23:46 - 2013-01-06 23:46 - 00002823 ____A C:\Users\Pavel\Desktop\RKreport[3]_D_01062013_02d2346.txt
2013-01-06 23:45 - 2013-01-06 23:45 - 00003643 ____A C:\Users\Pavel\Desktop\RKreport[1]_S_01062013_02d2345.txt
2013-01-06 23:45 - 2013-01-06 23:45 - 00003542 ____A C:\Users\Pavel\Desktop\RKreport[2]_D_01062013_02d2345.txt
2013-01-06 23:33 - 2013-01-07 01:08 - 00000000 ____D C:\zz_drive_clean
2013-01-06 22:50 - 2013-01-06 22:50 - 00000000 ____D C:\Users\Public\Desktop\CC Support
2013-01-06 14:10 - 2013-01-06 16:51 - 00000000 ____D C:\Users\Pavel\Downloads\Lord.of.the.rings-Return.of.the.King.DVDrip[vice]
2013-01-04 22:12 - 2013-01-04 22:13 - 00000000 ____D C:\Users\Pavel\Downloads\Lincoln.2012.DVDSCR.XViD.AC3-FooKaS
2013-01-04 22:00 - 2013-01-04 22:00 - 00000000 ____D C:\Users\Pavel\Downloads\Zero Dark Thirty
2013-01-04 09:39 - 2013-01-04 09:39 - 00000000 ____D C:\Users\Pavel\AppData\Local\McAfee File Lock
2013-01-03 23:50 - 2012-05-28 10:28 - 00147472 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\HipShieldK.sys
2012-12-25 14:27 - 2012-12-25 14:27 - 00000020 __ASH C:\Users\TEMP\ntuser.ini
2012-12-25 14:27 - 2012-08-23 00:58 - 00000000 ____D C:\Users\TEMP\AppData\Roaming\Macromedia
2012-12-25 14:27 - 2012-04-05 21:53 - 00120720 ____A C:\Users\TEMP\AppData\Local\GDIPFONTCACHEV1.DAT
2012-12-25 14:27 - 2012-04-05 21:53 - 00000000 ____D C:\Users\TEMP\Documents\Visual Studio 2010
2012-12-25 14:27 - 2010-06-06 17:04 - 00000000 ____D C:\Users\TEMP\AppData\Local\Microsoft Help
2012-12-22 03:00 - 2012-12-16 06:13 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll
2012-12-22 03:00 - 2012-12-16 06:13 - 00034304 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll
2012-12-14 05:23 - 2012-12-14 05:23 - 00262144 ____A C:\Windows\System32\config\ELAM
2012-12-13 03:07 - 2012-11-13 18:48 - 12320256 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-12-13 03:07 - 2012-11-13 18:14 - 09738240 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-12-13 03:07 - 2012-11-13 18:09 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-12-13 03:07 - 2012-11-13 17:58 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-12-13 03:07 - 2012-11-13 17:57 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-12-13 03:07 - 2012-11-13 17:57 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-12-13 03:07 - 2012-11-13 17:55 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-12-13 03:07 - 2012-11-13 17:51 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-12-13 03:07 - 2012-11-13 17:49 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-12-13 03:07 - 2012-11-13 17:49 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-12-13 03:07 - 2012-11-13 17:48 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-12-13 03:07 - 2012-11-13 17:47 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-12-13 03:07 - 2012-11-13 17:46 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-12-13 03:07 - 2012-11-13 17:45 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-12-13 03:07 - 2012-11-13 17:44 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-12-13 03:07 - 2012-11-13 17:41 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-12-12 06:51 - 2012-11-01 21:11 - 00376832 ____A (Microsoft Corporation) C:\Windows\System32\dpnet.dll
2012-12-12 06:50 - 2012-11-08 20:42 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll


==================== One Month Modified Files and Folders ========

2013-01-08 23:08 - 2013-01-08 22:53 - 00026569 ____A C:\Users\Pavel\Desktop\attach.txt
2013-01-08 23:08 - 2013-01-08 22:53 - 00016556 ____A C:\Users\Pavel\Desktop\dds.txt
2013-01-08 23:03 - 2013-01-08 13:48 - 00000000 ____D C:\Users\Pavel\AppData\Roaming\IObit
2013-01-08 23:02 - 2013-01-08 23:02 - 00000000 ____D C:\466c6e99da8f25e1421e05305b216a
2013-01-08 23:02 - 2013-01-08 22:18 - 00002243 ____A C:\Windows\epplauncher.mif
2013-01-08 22:44 - 2013-01-08 22:44 - 00000546 ____A C:\Windows\PFRO.log
2013-01-08 22:32 - 2013-01-08 22:32 - 00013873 ____A C:\ComboFix.txt
2013-01-08 22:32 - 2012-08-23 19:31 - 00000000 ____D C:\Qoobox
2013-01-08 22:31 - 2009-07-13 18:04 - 00000215 ____A C:\Windows\system.ini
2013-01-08 22:11 - 2010-06-06 10:05 - 00000000 ____D C:\Users\Pavel\AppData\Roaming\Skype
2013-01-08 22:11 - 2010-06-05 21:15 - 01772539 ____A C:\Windows\WindowsUpdate.log
2013-01-08 22:11 - 2009-07-13 20:34 - 00017168 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-01-08 22:11 - 2009-07-13 20:34 - 00017168 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-01-08 22:11 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Microsoft.NET
2013-01-08 22:10 - 2011-04-10 22:51 - 00000880 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-01-08 22:09 - 2009-07-13 20:33 - 00447048 ____A C:\Windows\System32\FNTCACHE.DAT
2013-01-08 22:08 - 2013-01-08 21:00 - 00000112 ____A C:\Windows\setupact.log
2013-01-08 22:08 - 2010-06-05 21:40 - 00000000 ____D C:\Users\All Users\NVIDIA
2013-01-08 22:08 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-01-08 21:54 - 2012-04-13 19:07 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-01-08 21:54 - 2010-06-05 21:17 - 00776562 ____A C:\Windows\System32\PerfStringBackup.INI
2013-01-08 21:52 - 2010-06-05 21:45 - 00000000 ____D C:\Users\All Users\Microsoft Help
2013-01-08 21:46 - 2010-06-05 21:25 - 65273848 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-01-08 21:36 - 2011-04-10 22:51 - 00000884 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-01-08 21:32 - 2012-08-22 19:32 - 00000000 ____D C:\Users\Pavel\Desktop\new_installs
2013-01-08 21:02 - 2011-12-20 05:24 - 00000000 ____D C:\Users\All Users\McAfee
2013-01-08 21:00 - 2013-01-08 21:00 - 00000000 ____A C:\Windows\setuperr.log
2013-01-08 14:14 - 2012-08-29 23:18 - 00000000 ____D C:\FRST
2013-01-08 13:52 - 2010-10-24 08:19 - 00000000 ____D C:\Windows\Minidump
2013-01-08 13:48 - 2013-01-08 13:48 - 00001230 ____A C:\Users\Public\Desktop\Uninstaller.lnk
2013-01-08 13:48 - 2013-01-08 13:48 - 00001179 ____A C:\Users\Public\Desktop\Advanced SystemCare 6.lnk
2013-01-08 13:48 - 2013-01-08 13:48 - 00000000 ____D C:\Users\All Users\IObit
2013-01-08 13:48 - 2013-01-08 13:48 - 00000000 ____D C:\Program Files\IObit
2013-01-07 10:15 - 2012-06-06 21:03 - 00000000 __RSD C:\Users\Pavel\Documents\McAfee Vaults
2013-01-07 01:14 - 2013-01-07 01:14 - 00003001 ____A C:\Users\Pavel\Desktop\RKreport[6]_D_01072013_02d0114.txt
2013-01-07 01:14 - 2013-01-07 01:14 - 00002973 ____A C:\Users\Pavel\Desktop\RKreport[7]_D_01072013_02d0114.txt
2013-01-07 01:13 - 2013-01-07 01:13 - 00002958 ____A C:\Users\Pavel\Desktop\RKreport[5]_S_01072013_02d0113.txt
2013-01-07 01:08 - 2013-01-06 23:33 - 00000000 ____D C:\zz_drive_clean
2013-01-06 23:52 - 2013-01-06 23:52 - 00000000 ____D C:\Program Files\Intel
2013-01-06 23:52 - 2010-09-05 18:19 - 00000000 ____D C:\Program Files\Realtek
2013-01-06 23:52 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\DriverStore
2013-01-06 23:46 - 2013-01-06 23:46 - 00002858 ____A C:\Users\Pavel\Desktop\RKreport[4]_S_01062013_02d2346.txt
2013-01-06 23:46 - 2013-01-06 23:46 - 00002823 ____A C:\Users\Pavel\Desktop\RKreport[3]_D_01062013_02d2346.txt
2013-01-06 23:45 - 2013-01-06 23:45 - 00003643 ____A C:\Users\Pavel\Desktop\RKreport[1]_S_01062013_02d2345.txt
2013-01-06 23:45 - 2013-01-06 23:45 - 00003542 ____A C:\Users\Pavel\Desktop\RKreport[2]_D_01062013_02d2345.txt
2013-01-06 22:50 - 2013-01-06 22:50 - 00000000 ____D C:\Users\Public\Desktop\CC Support
2013-01-06 22:11 - 2012-08-22 19:21 - 00001067 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-01-06 22:11 - 2012-08-22 19:21 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-01-06 16:57 - 2010-06-19 10:33 - 00000000 ____D C:\Users\Pavel\Desktop\pics
2013-01-06 16:53 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\NDF
2013-01-06 16:51 - 2013-01-06 14:10 - 00000000 ____D C:\Users\Pavel\Downloads\Lord.of.the.rings-Return.of.the.King.DVDrip[vice]
2013-01-04 22:13 - 2013-01-04 22:12 - 00000000 ____D C:\Users\Pavel\Downloads\Lincoln.2012.DVDSCR.XViD.AC3-FooKaS
2013-01-04 22:00 - 2013-01-04 22:00 - 00000000 ____D C:\Users\Pavel\Downloads\Zero Dark Thirty
2013-01-04 09:39 - 2013-01-04 09:39 - 00000000 ____D C:\Users\Pavel\AppData\Local\McAfee File Lock
2013-01-01 21:41 - 2010-06-06 16:10 - 00000000 ____D C:\Users\Pavel\Documents\Turbo Lister Backup
2012-12-30 16:52 - 2010-07-17 07:47 - 00000000 ____D C:\Users\Pavel\AppData\Local\CutePDF Writer
2012-12-30 11:19 - 2006-12-26 16:51 - 00000000 ____D C:\PKLife
2012-12-25 14:27 - 2012-12-25 14:27 - 00000020 __ASH C:\Users\TEMP\ntuser.ini
2012-12-21 00:17 - 2012-05-15 20:41 - 00000000 ____D C:\Users\Pavel\Desktop\investment
2012-12-19 22:56 - 2010-06-06 10:04 - 00000000 ____D C:\Users\All Users\Skype
2012-12-16 06:13 - 2012-12-22 03:00 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll
2012-12-16 06:13 - 2012-12-22 03:00 - 00034304 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll
2012-12-14 16:49 - 2012-08-22 19:21 - 00021104 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-12-14 09:29 - 2011-11-10 08:36 - 00000036 ___AH C:\Windows\System32\f9t.dat
2012-12-14 05:23 - 2012-12-14 05:23 - 00262144 ____A C:\Windows\System32\config\ELAM
2012-12-13 14:14 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\rescache
2012-12-13 01:47 - 2010-08-15 17:42 - 00000000 ____D C:\Users\Pavel\AppData\Roaming\FileZilla
2012-12-12 20:46 - 2009-07-13 20:53 - 00032592 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-12-11 14:54 - 2012-04-13 19:07 - 00697272 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-12-11 14:54 - 2011-08-28 08:40 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-01-08 21:46:29

==================== Memory info ===========================

Percentage of memory in use: 13%
Total physical RAM: 4094.49 MB
Available physical RAM: 3550.84 MB
Total Pagefile: 4092.78 MB
Available Pagefile: 3563.88 MB
Total Virtual: 2047.88 MB
Available Virtual: 1969.37 MB

==================== Partitions =============================

2 Drive c: () (Fixed) (Total:596.17 GB) (Free:488.16 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive e: () (Fixed) (Total:232.88 GB) (Free:120.89 GB) NTFS
4 Drive f: (GSP1RMCULFRER_EN_DVD) (CDROM) (Total:2.39 GB) (Free:0 GB) UDF
5 Drive g: () (Removable) (Total:7.45 GB) (Free:4.81 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: () (Fixed) (Total:232.88 GB) (Free:35.41 GB) NTFS

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          232 GB      0 B         
  Disk 1    Online          596 GB      0 B         
  Disk 2    Online          232 GB  1024 KB         
  Disk 3    Online         7633 MB      0 B         

Partitions of Disk 0:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            232 GB    31 KB

=========================================================

Disk: 0
Partition 1
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     Y                NTFS   Partition    232 GB  Healthy           

=========================================================

Partitions of Disk 1:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            596 GB    31 KB

=========================================================

Disk: 1
Partition 1
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C                NTFS   Partition    596 GB  Healthy           

=========================================================

Partitions of Disk 2:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            232 GB    31 KB

=========================================================

Disk: 2
Partition 1
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     E                NTFS   Partition    232 GB  Healthy           

=========================================================

Partitions of Disk 3:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           7633 MB    16 KB

=========================================================

Disk: 3
Partition 1
Type  : 0B
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4     G                FAT32  Removable   7633 MB  Healthy           

=========================================================

Last Boot: 2013-01-04 00:20

==================== End Of Log ============================

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7283
Re: [Resolved K] Windows services damaged after trojan removal
« Reply #5 on: January 09, 2013, 02:20:19 pm »
I see you have Advanced SystemCare by IObit. I'd recommend that you remove that application; have a read here:

http://news.softpedia.com/news/Malwarebytes-Accuses-IObit-Plays-Dead-126389.shtml

Next,

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad. Save it on the flash drive as fixlist.txt.

Code:
start
HKU\Pavel\...\Run: [BitTorrent] "C:\Program Files\BitTorrent\BitTorrent.exe"  /MINIMIZED
C:\Program Files\BitTorrent\BitTorrent.exe
end

Now please enter System Recovery Options as you did to get the log.

Run FRST64 or FRST and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Next,

I see you've run ComboFix; can you post the log that is here:

C:\ComboFix.txt

Next,

Download CKScanner from here

Important: Save it to your desktop.

  • Double-click CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

Offline Telenochek

  • Bronze Member
  • Posts: 49
Re: [Resolved K] Windows services damaged after trojan removal
« Reply #6 on: January 09, 2013, 03:23:20 pm »
Hi Kevin,

I'm keeping IObit for right now, because my system does not allow me to uninstall anything through the Windows Uninstall Programs. The IObit uninstaller built into SystemCare is the only working uninstall option I have for right now.

Fix log is attached:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 09-01-2013
Ran by SYSTEM at 2013-01-09 13:18:22 Run:1
Running from G:\

==============================================

HKEY_USERS\Pavel\Software\Microsoft\Windows\CurrentVersion\Run\\BitTorrent Value deleted successfully.
C:\Program Files\BitTorrent\BitTorrent.exe not found.

==== End of Fixlog ====

Offline Telenochek

  • Bronze Member
  • Posts: 49
Re: [Resolved K] Windows services damaged after trojan removal
« Reply #7 on: January 09, 2013, 03:26:57 pm »
ComboFix 13-01-08.01 - Pavel 01/08/2013  22:20:12.7.2 - x86 NETWORK
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.3582.2924 [GMT -8:00]
Running from: c:\users\Pavel\Desktop\new_installs\zero_access\2\ComboFix.exe
 * Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created from 2012-12-09 to 2013-01-09  )))))))))))))))))))))))))))))))
.
.
2013-01-09 06:30 . 2013-01-09 06:30   --------   d-----w-   c:\users\UpdatusUser\AppData\Local\temp
2013-01-09 06:30 . 2013-01-09 06:30   --------   d-----w-   c:\users\Public\AppData\Local\temp
2013-01-09 06:30 . 2013-01-09 06:30   --------   d-----w-   c:\users\Default\AppData\Local\temp
2013-01-09 06:18 . 2013-01-09 06:18   --------   d-----w-   C:\106ea0c6387944d32c
2013-01-09 05:08 . 2012-11-23 02:48   49152   ----a-w-   c:\windows\system32\taskhost.exe
2013-01-09 05:08 . 2012-11-20 04:51   220160   ----a-w-   c:\windows\system32\ncrypt.dll
2013-01-08 21:48 . 2013-01-08 21:48   --------   d-----w-   c:\programdata\IObit
2013-01-08 21:48 . 2013-01-08 21:48   --------   d-----w-   c:\users\Pavel\AppData\Roaming\IObit
2013-01-08 21:48 . 2013-01-08 21:48   --------   d-----w-   c:\program files\IObit
2013-01-07 09:31 . 2013-01-09 06:30   --------   d-----w-   c:\users\Pavel\AppData\Local\temp
2013-01-07 07:52 . 2013-01-07 07:52   --------   d-----w-   c:\program files\Intel
2013-01-07 07:52 . 2010-03-02 08:04   53248   ----a-w-   c:\windows\system32\CSVer.dll
2013-01-07 07:33 . 2013-01-07 09:08   --------   d-----w-   C:\zz_drive_clean
2013-01-07 06:11 . 2013-01-07 06:11   --------   d-----w-   c:\users\Pavel\AppData\Local\Programs
2013-01-04 17:39 . 2013-01-04 17:39   --------   d-----w-   c:\users\Pavel\AppData\Local\McAfee File Lock
2013-01-04 07:50 . 2012-05-28 18:28   147472   ----a-w-   c:\windows\system32\drivers\HipShieldK.sys
2012-12-25 22:27 . 2012-12-30 20:46   --------   d-----w-   c:\users\TEMP
2012-12-22 11:00 . 2012-12-16 14:13   295424   ----a-w-   c:\windows\system32\atmfd.dll
2012-12-22 11:00 . 2012-12-16 14:13   34304   ----a-w-   c:\windows\system32\atmlib.dll
2012-12-13 22:30 . 2012-12-13 22:30   5955856   ----a-w-   c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
2012-12-12 14:51 . 2012-11-02 05:11   376832   ----a-w-   c:\windows\system32\dpnet.dll
2012-12-12 14:50 . 2012-11-09 04:42   2048   ----a-w-   c:\windows\system32\tzres.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-15 00:49 . 2012-08-23 03:21   21104   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-12-11 22:54 . 2012-04-14 03:07   697272   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2012-12-11 22:54 . 2011-08-28 16:40   73656   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-02 09:46 . 2012-11-02 09:46   9744   ----a-w-   c:\windows\system32\drivers\mfeclnrk.sys
2012-11-02 09:46 . 2012-11-02 09:46   81456   ----a-w-   c:\windows\system32\drivers\mfencrk.sys
2012-11-02 09:46 . 2012-11-02 09:46   252200   ----a-w-   c:\windows\system32\drivers\mfencbdc.sys
2012-10-16 07:39 . 2012-11-28 15:12   561664   ----a-w-   c:\windows\apppatch\AcLayers.dll
2003-06-19 19:05 . 2003-06-19 19:05   431888   --s-a-w-   c:\program files\Common Files\riched20.dll
2007-02-08 17:48 . 2007-02-08 17:48   133920   ----a-w-   c:\program files\internet explorer\plugins\LV82ActiveXControl.dll
2008-06-26 05:51 . 2008-06-26 05:51   118784   ----a-w-   c:\program files\internet explorer\plugins\LV86ActiveXControl.dll
2012-12-05 10:13 . 2012-12-05 10:13   262112   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-14 03:11   2872120   ----a-w-   c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-14 03:11   2872120   ----a-w-   c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-14 03:11   2872120   ----a-w-   c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akamai NetSession Interface"="c:\users\Pavel\AppData\Local\Akamai\netsession_win.exe" [2012-10-09 4441920]
"BitTorrent"="c:\program files\BitTorrent\BitTorrent.exe" [2012-10-31 1398680]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-11-09 17877168]
"Advanced SystemCare 6"="c:\program files\IObit\Advanced SystemCare 6\ASCTray.exe" [2012-09-25 490880]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2012-01-16 10959464]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2010-12-13 135536]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
.
c:\users\Pavel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
AutoHotkey.lnk - c:\program files\AutoHotkey\AutoHotkey.exe [2009-9-25 245248]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2011-4-8 542264]
Intuit Data Protect.lnk - c:\program files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe [2010-12-2 5923672]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.0.207\SSScheduler.exe [2011-6-17 272528]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-12-29 1156384]
QuickBooks_Standard_21.lnk - c:\program files\Intuit\QuickBooks 2011\QBW32.EXE [2010-12-29 1178400]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ      autocheck aLE
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc]
@=""
.
R0 nipbcfk;National Instruments Class Upper Filter Driver;c:\windows\System32\drivers\nipbcfk.sys

R1 MOBKFilter;MOBKFilter;c:\windows\system32\DRIVERS\MOBK.sys

R2 AdvancedSystemCareService6;Advanced SystemCare Service 6;c:\program files\IObit\Advanced SystemCare 6\ASCService.exe

R2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe

R2 FileOpenManagerSvc;FileOpen Manager Service;c:\program files\FileOpen\Services\FileOpenManagerSvc32.exe

R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe

R2 mcpltsvc;McAfee Platform Services;c:\program files\Common Files\Mcafee\Platform\McSvcHost\McSvHost.exe

R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe

R2 ni488enumsvc;NI-488.2 Enumeration Service;c:\windows\system32\nipalsm.exe

R2 niLXIDiscovery;National Instruments LXI Discovery Service;c:\program files\IVI Foundation\VISA\WinNT\NIvisa\niLxiDiscovery.exe

R2 nimDNSResponder;National Instruments mDNS Responder Service;c:\program files\National Instruments\Shared\mDNS Responder\nimdnsResponder.exe

R2 nipxirmk;nipxirmk;c:\windows\system32\drivers\nipxirmkl.sys

R2 NiViPxiK;NI-VISA PXI Driver;c:\windows\system32\drivers\NiViPxiKl.sys

R2 QBVSS;QBIDPService;c:\program files\Common Files\Intuit\DataProtect\QBIDPService.exe

R2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe

R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

R3 afcdp;afcdp;c:\windows\system32\DRIVERS\afcdp.sys

R3 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe

R3 DKRtWrt;DKRtWrt;c:\windows\system32\DRIVERS\DKRtWrt.sys

R3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys

R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.0.207\McCHSvc.exe

R3 mfencbdc;McAfee Inc. mfencbdc;c:\windows\system32\DRIVERS\mfencbdc.sys

R3 mfencrk;McAfee Inc. mfencrk;c:\windows\system32\DRIVERS\mfencrk.sys

R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\Drivers\nx6000.sys

R3 ni1006k;NI PXI-1006 Chassis Pilot;c:\windows\system32\drivers\ni1006k.sys

R3 ni1045k;NI PXI-1045 Chassis Pilot;c:\windows\system32\drivers\ni1045kl.sys

R3 ni1065k;NI PXIe-1065 Chassis Pilot;c:\windows\system32\drivers\ni1065k.sys

R3 ni488lock;NI-488.2 Locking Service;c:\windows\system32\drivers\ni488lock.sys

R3 nidimk;nidimk;c:\windows\system32\drivers\nidimkl.sys

R3 nipalfwedl;nipalfwedl;c:\windows\system32\drivers\nipalfwedl.sys

R3 nipalusbedl;nipalusbedl;c:\windows\system32\drivers\nipalusbedl.sys

R3 nipxigpk;NI PXI Generic Chassis Pilot;c:\windows\system32\drivers\nipxigpk.sys

R3 NiViFWK;NI-VISA FireWire Driver;c:\windows\system32\drivers\NiViFWKl.sys

R3 NiViPciK;NI-VISA PCI Driver;c:\windows\system32\drivers\NiViPciKl.sys

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe

R3 XilinxFirmwareLoader;XilinxFirmwareLoader;c:\windows\system32\Drivers\xusbdfwu.sys

S0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);c:\windows\system32\DRIVERS\tdrpm258.sys

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys

.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai   REG_MULTI_SZ      Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-14 22:54]
.
2013-01-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-11 06:51]
.
2013-01-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-11 06:51]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.com/
uInternet Settings,ProxyOverride = 127.0.0.1:9421;<local>
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Pavel\AppData\Roaming\Mozilla\Firefox\Profiles\j7o4iz70.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - http://www.igoogle.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.type - 4
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-mcpltui_exe - c:\program files\McAfee.com\Agent\mcagent.exe
HKLM-RunOnce-<NO NAME> - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3676253799-359572064-3209514894-1001\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A71BB17B-2392-EB0B-AEAF-5E0B9E4A7E9B}*]
@Allowed: (Read) (RestrictedCode)
"hakjfcgbpionbkbg"=hex:6a,61,66,6e,6c,61,61,6f,67,6a,6a,61,63,67,65,6c,63,6c,
   6f,6e,00,00
"faakgefiedop"=hex:67,61,64,6b,65,6a,6e,66,70,6f,70,6c,68,6f,00,00
"iaakleminncnolcmdk"=hex:6a,61,66,6e,6c,61,61,6f,67,6a,6a,61,63,67,65,6c,63,6c,
   6f,6e,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(544)
c:\program files\McAfee Online Backup\MOBKshell.dll
.
Completion time: 2013-01-08  22:32:20
ComboFix-quarantined-files.txt  2013-01-09 06:32
ComboFix2.txt  2013-01-07 09:31
ComboFix3.txt  2013-01-07 07:08
ComboFix4.txt  2012-08-24 13:57
ComboFix5.txt  2013-01-09 06:19
.
Pre-Run: 524,309,684,224 bytes free
Post-Run: 524,401,098,752 bytes free
.
- - End Of File - - BB7E6B980F5F91D5A8D3DE7E9FCDB801

Offline Telenochek

  • Bronze Member
  • Posts: 49
Re: [Resolved K] Windows services damaged after trojan removal
« Reply #8 on: January 09, 2013, 03:51:45 pm »
Unfortunately I closed the CK report; I thought it would autosave it somewhere. But I looked at it, and it only found a couple of .css files for a saved .html website (I bought some tickets and saved the confirmation).

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7283
Re: [Resolved K] Windows services damaged after trojan removal
« Reply #9 on: January 09, 2013, 04:06:00 pm »
Run CKScanner again and post the log

Offline Telenochek

  • Bronze Member
  • Posts: 49
Re: [Resolved K] Windows services damaged after trojan removal
« Reply #10 on: January 09, 2013, 10:46:13 pm »
CKScanner 2.1 - Additional Security Risks - These are not necessarily bad
c:\pkwork\business\ebay\operations\items_received\2011\20111212\nutcracker_tix.htm
c:\pkwork\business\ebay\operations\items_received\2011\20111212\nutcracker_tix_files\form.css
c:\pkwork\business\ebay\operations\items_received\2011\20111212\nutcracker_tix_files\ga.js
c:\pkwork\business\ebay\operations\items_received\2011\20111212\nutcracker_tix_files\layout.css
c:\pkwork\business\ebay\operations\items_received\2011\20111212\nutcracker_tix_files\table.css
c:\pkwork\business\ebay\operations\items_received\2011\20111212\nutcracker_tix_files\tickets.css
c:\pkwork\mba\learning\investment\investment\learning\commodities\[nymex] crack spread handbook.pdf
scanner sequence 3.FA.11.XDBBHM
 ----- EOF -----

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7283
Re: [Resolved K] Windows services damaged after trojan removal
« Reply #11 on: January 10, 2013, 03:45:07 am »
CKScanner log is not complete, log appears to have been altered?

Download Windows Repair tool from here http://majorgeeks.com/Tweaking.com_-_Windows_Repair_Portable_d7222.html by Tweaking.com and unzip the contents into a newly created folder on your desktop.

  • Now open Repair_Windows.exe in the folder.
  • Go to Step 2 Run Check Disk by selecting the Do it button, after completion run the Repair tool again. Next.
  • Go to Step 3 Run System File Check by selecting the Do it button, after completion run the Repair tool again. Next.
  • Go to Step 4 and create a Restore Point. Next.
  • Go to Start repairs tab then select Start.
  • In the Custom Mode window, select the following repair options:
      • Reset Registry Permissions
      • Reset File Permissions
      • Register System Files
      • Repair WMI
      • Repair Windows Firewall
      • Repair Internet Explorer
      • Repair Hosts File
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Repair Windows Updates
      • Repair MSI (Windows Installer)
  • Click the Start button.


Be patient while the tool repairs the selected items.
If prompted, reboot the computer for the changes to take effect; make sure other tasks in the program are not still running before rebooting.

Let me see the log which will be found in this folder:

C:\Tweaking.com_windows_Repair_Logs
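The repair list above touches services, proxy settings, the hosts file and lockout policies, but the tool's own log is the only record of what changed. The script below is an added example, not part of this thread and not code from Tweaking.com: a read-only PowerShell triage that records the current state of those same items, so a run before and a run after the repair can be compared. The service names and registry paths are the standard Windows locations; the report file name is an arbitrary choice.

```powershell
# Added example (not from the thread or from Tweaking.com): read-only snapshot
# of the items the Windows Repair list targets. Run from an elevated prompt
# before and after the repair, then compare the two report files.
# Report path is an arbitrary choice (assumption); everything else is the
# standard Windows location for that setting.

$Report = Join-Path $env:USERPROFILE ("Desktop\repair-state-{0:yyyyMMdd-HHmmss}.txt" -f (Get-Date))

function Get-RepairServiceState {
    # Services behind the repair items: Windows Installer, WMI, Windows Firewall,
    # Windows Update (plus BITS, which it depends on) and the DNS client cache.
    $names = 'msiserver', 'winmgmt', 'MpsSvc', 'wuauserv', 'BITS', 'Dnscache'
    foreach ($n in $names) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            # The registration itself is gone; this is the condition behind
            # "specified service does not exist as an installed service".
            New-Object PSObject -Property @{ Service = $n; Status = 'MISSING'; StartMode = '-' }
            continue
        }
        # StartMode via WMI works on PowerShell 2.0 (Windows 7). If WMI itself is
        # damaged (one of the repair items) the query fails, which is also worth knowing.
        $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$n'" -ErrorAction SilentlyContinue
        $mode = if ($wmi) { $wmi.StartMode } else { 'WMI query failed' }
        New-Object PSObject -Property @{ Service = $n; Status = $svc.Status; StartMode = $mode }
    }
}

function Get-ProxyState {
    # Per-user WinINET proxy (used by Internet Explorer and most installers)
    # plus the machine-wide WinHTTP proxy.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        ProxyOverride = $p.ProxyOverride
        AutoConfigURL = $p.AutoConfigURL
        WinHttp       = (netsh winhttp show proxy | Out-String).Trim()
    }
}

function Get-HostsEntries {
    # Active (non-comment) lines of the hosts file. A stock Windows 7 hosts file
    # has none, so anything listed here deserves a look.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content $hosts -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }
}

function Get-RestrictivePolicies {
    # Policy values that are commonly set to lock the user out of admin tools.
    $checks = @(
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Names = 'DisableTaskMgr', 'DisableRegistryTools' },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Names = 'NoFolderOptions', 'NoControlPanel' }
    )
    foreach ($c in $checks) {
        $p = Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue
        foreach ($n in $c.Names) {
            if ($p -and $p.$n) {
                New-Object PSObject -Property @{ Key = $c.Path; Value = $n; Data = $p.$n }
            }
        }
    }
}

# One plain-text report per run; two runs can be compared with
# Compare-Object (Get-Content before.txt) (Get-Content after.txt)
$sections = @(
    '== Services ==',       (Get-RepairServiceState | Format-Table Service, Status, StartMode -AutoSize | Out-String),
    '== Proxy ==',          (Get-ProxyState | Format-List | Out-String),
    '== Hosts (active) ==', (Get-HostsEntries | Out-String),
    '== Policies set ==',   (Get-RestrictivePolicies | Format-Table Key, Value, Data -AutoSize | Out-String)
)
$sections | Set-Content -Path $Report -Encoding UTF8
Write-Host "Report written to $Report"
```

A service reported as MISSING confirms that the installer error is a lost service registration rather than a permissions problem, which is what the "Repair MSI (Windows Installer)" and "Register System Files" items address; a non-empty ProxyServer or active hosts entries that the user did not configure are the settings the proxy and hosts repairs reset.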

Offline Telenochek

  • Bronze Member
  • Posts: 49
Re: [Resolved K] Windows services damaged after trojan removal
« Reply #12 on: January 11, 2013, 01:58:07 am »
Hello Kevin,

I've worked through the list with partial success.
Going through the details line by line:

CKScanner was run two times, both times the same files were reported and the same log obtained.

I tried to follow the instruction to the tee, with partial success.

Step 2 was done with partial success. First of all, Repair_Windows.exe could not be run under normal Windows (that's one of the major problems I am having right now). So I had to run it under Safe Mode. Now the problem is that when the Repair_Windows.exe application runs in Safe Mode, it complains that in Safe Mode it may not work correctly - and indeed this appears to be the case. For Step 2, I think the application fails to schedule chkdsk /f on restart. So on restart, the chkdsk application was not activated. 

So I have decided to do Step 2 manually. I opened cmd prompt, and scheduled chkdsk /f and the chkdsk log is attached in the next message.

Step 3 appears to have been done successfully.
Step 4 done.
Start repairs was done with all the custom mode settings listed checked and everything else unchecked.


Offline Telenochek

  • Bronze Member
  • Posts: 49
Re: [Resolved K] Windows services damaged after trojan removal
« Reply #13 on: January 11, 2013, 02:01:08 am »
Log Name:      Application
Source:        Microsoft-Windows-Wininit
Date:          1/10/2013 3:01:33 AM
Event ID:      1001
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      Deep-Blue
Description:


Checking file system on C:
The type of the file system is NTFS.


One of your disks needs to be checked for consistency. You
may cancel the disk check, but it is strongly recommended
that you continue.
Windows will now check the disk.                         

CHKDSK is verifying files (stage 1 of 3)...
  779008 file records processed.
File verification completed.
  754 large file records processed.
  0 bad file records processed.
  2 EA records processed.
  91 reparse records processed.
CHKDSK is verifying indexes (stage 2 of 3)...
  905958 index entries processed.
Index verification completed.
  0 unindexed files scanned.
  0 unindexed files recovered.
CHKDSK is verifying security descriptors (stage 3 of 3)...
  779008 file SDs/SIDs processed.
Cleaning up 3653 unused index entries from index $SII of file 0x9.
Cleaning up 3653 unused index entries from index $SDH of file 0x9.
Cleaning up 3653 unused security descriptors.
Security descriptor verification completed.
  63476 data files processed.
CHKDSK is verifying Usn Journal...
  35984896 USN bytes processed.
Usn Journal verification completed.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
Windows has made corrections to the file system.

 625129280 KB total disk space.
 112127336 KB in 530630 files.
    247892 KB in 63477 indexes.
         0 KB in bad sectors.
    902904 KB in use by the system.
     65536 KB occupied by the log file.
 511851148 KB available on disk.

      4096 bytes in each allocation unit.
 156282320 total allocation units on disk.
 127962787 allocation units available on disk.

Internal Info:
00 e3 0b 00 c6 10 09 00 d2 26 0f 00 00 00 00 00  .........&......
77 30 00 00 5b 00 00 00 00 00 00 00 00 00 00 00  w0..[...........
60 93 21 00 50 01 20 00 50 01 20 00 00 00 20 00  `.!.P. .P. ... .

Windows has finished checking your disk.
Please wait while your computer restarts.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" />
    <EventID Qualifiers="16384">1001</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-01-10T11:01:33.000000000Z" />
    <EventRecordID>63071</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>Deep-Blue</Computer>
    <Security />
  </System>
  <EventData>
    <Data>

Checking file system on C:
The type of the file system is NTFS.


One of your disks needs to be checked for consistency. You
may cancel the disk check, but it is strongly recommended
that you continue.
Windows will now check the disk.                         

CHKDSK is verifying files (stage 1 of 3)...
  779008 file records processed.
File verification completed.
  754 large file records processed.
  0 bad file records processed.
  2 EA records processed.
  91 reparse records processed.
CHKDSK is verifying indexes (stage 2 of 3)...
  905958 index entries processed.
Index verification completed.
  0 unindexed files scanned.
  0 unindexed files recovered.
CHKDSK is verifying security descriptors (stage 3 of 3)...
  779008 file SDs/SIDs processed.
Cleaning up 3653 unused index entries from index $SII of file 0x9.
Cleaning up 3653 unused index entries from index $SDH of file 0x9.
Cleaning up 3653 unused security descriptors.
Security descriptor verification completed.
  63476 data files processed.
CHKDSK is verifying Usn Journal...
  35984896 USN bytes processed.
Usn Journal verification completed.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
Windows has made corrections to the file system.

 625129280 KB total disk space.
 112127336 KB in 530630 files.
    247892 KB in 63477 indexes.
         0 KB in bad sectors.
    902904 KB in use by the system.
     65536 KB occupied by the log file.
 511851148 KB available on disk.

      4096 bytes in each allocation unit.
 156282320 total allocation units on disk.
 127962787 allocation units available on disk.

Internal Info:
00 e3 0b 00 c6 10 09 00 d2 26 0f 00 00 00 00 00  .........&amp;......
77 30 00 00 5b 00 00 00 00 00 00 00 00 00 00 00  w0..[...........
60 93 21 00 50 01 20 00 50 01 20 00 00 00 20 00  `.!.P. .P. ... .

Windows has finished checking your disk.
Please wait while your computer restarts.
</Data>
  </EventData>
</Event>

Offline Telenochek

  • Bronze Member
  • Posts: 49
Re: [Resolved K] Windows services damaged after trojan removal
« Reply #14 on: January 11, 2013, 02:03:48 am »
Windows repair logs are attached as .zip.
The files were up to 400 KB, but only 18 KB zipped.

Thank you!