
This specified service does not exist as an installed service



I have a Toshiba laptop that all of a sudden is not connecting to the network. On the wireless network connection it says "The specified service does not exist as an installed service." I'm also getting this message when looking at Event Viewer, Control Panel, trying to install new programs, etc. The computer seems unusable. I tried a system restore, but did not have a restore point.

The problem started when my McAfee antivirus removed ZeroAccess trojans from my system.

After the scan was completed, my system rebooted and I lost control of all Administrator permissions.

I can open user files but cannot access any of the Windows system functions. Whenever I try to execute a program with a shield icon (run as administrator) I get the message "The specified service does not exist as an installed service."

I tried the system file scan in safe mode but it didn't show any errors. The message it returned was "Windows Resource protection did not find any integrity violations." I tried system restore in safe mode but there were no restore points.

I also ran the antivirus scan one more time (with newly updated protection files) but there were no viruses reported.

I can only run programs in safe mode with networking. I have tried running "fsc" and also "msconfig" to disable all startup items, but was unable to do so.

I am running the following:

Windows Edition

Windows Vista Home Premium

Service pack 2

System

Manufacturer: TOSHIBA

Model: Satellite A205

Intel® Pentium® Dual CPU T2330 @ 1.60GHz 1.60 GHz

2.0 GB (RAM)

32-bit OS

.

DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26

Run by Morgan at 9:01:31 on 2013-02-08

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.1447 [GMT -5:00]

.

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}

FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\mfevtps.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Windows\explorer.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uSearch Page = hxxp://www.google.com

uStart Page = hxxp://www.google.com/

uSearch Bar = hxxp://www.google.com/ie

uDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart

mStart Page = hxxp://www.yahoo.com

mDefault_Page_URL = hxxp://www.yahoo.com

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTor.dll

mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTor.dll

mWinlogon: Userinit=userinit.exe,

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20120511101658.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTor.dll

BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"

TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTor.dll

TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [EasyTether] "c:\program files\mobile stream\easytether\easytthr.exe"

uRun: [Google] rundll32.exe "c:\users\morgan\appdata\local\installer4896\google\plxwjuaeh.dll",DllRegisterServer

mRun: [igfxTray] DOWS\SYSTEM32\IGFXTRAY.EXE

mRun: [HotKeysCmds] DOWS\SYSTEM32\HKCMD.EXE

mRun: [Persistence] DOWS\SYSTEM32\IGFXPERS.EXE

mRun: [TPwrMain] .EXE

mRun: [smoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe

mRun: [RtHDVCpl] RtHDVCpl.exe

mRun: [synTPStart] TPSTART.EXE

mRun: [NDSTray.exe] DSTRAY.EXE

mRun: [Windows Mobile-based device management] C.EXE

mRun: [sSBkgdUpdate] G -BOOT

mRun: [OpwareSE4] IPAGESE4\OPWARESE4.EXE"

mRun: [sunJavaUpdateSched] FILES\JAVA\JAVA UPDATE\JUSCHED.EXE"

mRun: [skytel] Skytel.exe

mRun: [mcui_exe] KEY

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] FILES\ADOBE\ARM\1.0\ADOBEARM.EXE"

mRun: [QuickTime Task] DOWS\SYSTEM32\QTTASK.EXE" -ATBOOTTIME

mRun: [synTPEnh] H.EXE

mRun: [PAP7501_Monitor] DOWS\PIXART\PAP7501\GUCI_AVS.EXE

mRun: [Malwarebytes' Anti-Malware] TI-MALWARE\MBAMGUI.EXE" /STARTTRAY

mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

StartupFolder: c:\users\morgan\appdata\roaming\micros~1\windows\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgets.exe

uPolicies-explorer: HideSCAHealth = 1 (0x1)

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

LSP: mswsock.dll

Trusted Zone: army.mil\www.us

Trusted Zone: skillport.com\usarmy

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

TCP: DhcpNameServer = 209.18.47.61 209.18.47.62

TCP: Interfaces\{2DF5FBE4-6F55-487A-BF89-15C11808A577} : DhcpNameServer = 8.8.8.8 8.8.4.4

TCP: Interfaces\{93D83984-3E93-4E80-9188-4ED7B5CCE2EF} : DhcpNameServer = 209.18.47.61 209.18.47.62

TCP: Interfaces\{E6F7788F-B0B5-47D0-B97D-343CC00A8EE5} : DhcpNameServer = 192.168.1.254

Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\morgan\appdata\roaming\mozilla\firefox\profiles\en3x5wim.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=

FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

FF - component: c:\program files\mozilla firefox\components\Scriptff.dll

FF - component: c:\program files\mozilla firefox\distribution\bundles\{d19ca586-dd6c-4a0a-96f8-14644f340d60}\components\scriptff.dll

FF - component: c:\users\morgan\appdata\roaming\mozilla\firefox\profiles\en3x5wim.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\RadioWMPCore.dll

FF - component: c:\users\morgan\appdata\roaming\mozilla\firefox\profiles\en3x5wim.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\RadioWMPCoreGecko19.dll

FF - component: c:\users\morgan\appdata\roaming\mozilla\firefox\profiles\en3x5wim.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll

FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll

FF - plugin: c:\program files\ace mega codecs pack\systems\realmedia\browser\plugins\nppl3260.dll

FF - plugin: c:\program files\ace mega codecs pack\systems\realmedia\browser\plugins\nprpjplug.dll

FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll

FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll

FF - plugin: c:\users\morgan\appdata\roaming\mozilla\firefox\profiles\en3x5wim.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}

FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com

FF - Ext: Newgrounds Classic: NG_Classic@snakehole.net - %profile%\extensions\NG_Classic@snakehole.net

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: XUL Cache: {cd2baad2-2b51-42b4-ae74-9ea78ecdc130} - %profile%\extensions\{cd2baad2-2b51-42b4-ae74-9ea78ecdc130}

FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com

FF - Ext: uTorrentBar Community Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - %profile%\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}

FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: XULRunner: {BE5EAB9A-E159-4D63-8F52-368D9585CB5A} - c:\users\morgan\appdata\local\{BE5EAB9A-E159-4D63-8F52-368D9585CB5A}

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

============= SERVICES / DRIVERS ===============

.

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-7-10 464304]

R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2011-7-10 64912]

R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-7-10 169608]

R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-7-10 214904]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-7-10 161632]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-7-10 151880]

R3 easytether;easytether;c:\windows\system32\drivers\easytthr.sys [2011-9-27 17296]

R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2007-11-6 7168]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-7-10 340920]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate1c9872b7d755da3;Google Update Service (gupdate1c9872b7d755da3);c:\program files\google\update\GoogleUpdate.exe [2009-2-4 133104]

S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-1-6 654408]

S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-4-7 210216]

S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-7-10 214904]

S2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-7-10 214904]

S2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-7-10 166288]

S2 napagent32;Network Access Protection Agent ;c:\windows\system32\ddraw32.exe --> c:\windows\system32\ddraw32.exe [?]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-3-30 257696]

S3 ATTRcAppSvc;AT&T RcAppSvc;"c:\program files\at&t\communication manager\rcappsvc.exe" /n "attrcappsvc" --> c:\program files\at&t\communication manager\RcAppSvc.exe [?]

S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-4-1 183560]

S3 CAATT;AT&T Con App Svc;"c:\program files\at&t\communication manager\conappssvc.exe" /n "caatt" --> c:\program files\at&t\communication manager\ConAppsSvc.exe [?]

S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-7-10 57600]

S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2011-7-11 39272]

S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2011-5-13 1492840]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-2-4 133104]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-1-6 22344]

S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-9-13 180848]

S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-7-10 59456]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-7-10 87656]

S3 NMgamingmsFltr;USB Optical Mouse;c:\windows\system32\drivers\NMgamingms.sys [2009-7-24 9472]

S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\drivers\swnc8u56.sys [2007-6-27 101248]

S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\drivers\swumx56.sys [2007-6-27 73856]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]

.

=============== Created Last 30 ================

.

.

==================== Find3M ====================

.

2008-12-13 13:17:12 51622242 ----a-w- c:\program files\ACEMCP603PRO.exe

.

============= FINISH: 9:03:47.60 ===============

mbam log here

Malwarebytes Anti-Malware (Trial) 1.60.0.1800

www.malwarebytes.org

Database version: v2012.01.06.06

Windows Vista Service Pack 2 x86 NTFS (Safe Mode/Networking)

Internet Explorer 9.0.8112.16421

Morgan :: NONPAREIL [administrator]

Protection: Disabled

1/6/2012 11:10:58 PM

mbam-log-2012-01-06 (23-10-58).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 172845

Time elapsed: 7 minute(s), 51 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 4

HKCR\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

HKCU\SOFTWARE\8DDYX0ZBPZ (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.

HKCU\SOFTWARE\KYQ8ZBOAXR (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

Registry Values Detected: 3

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Brugazix (Trojan.Agent.U) -> Data: rundll32.exe "C:\Users\Morgan\AppData\Local\MDUInp.dll",Startup -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|8DDYX0ZBPZ (Trojan.FakeAlert.SA) -> Data: C:\Users\Morgan\AppData\Local\Temp\Osj.exe -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Cmerizoqosihol (Trojan.Agent.U) -> Data: rundll32.exe "C:\Users\Morgan\AppData\Local\iqeheraf.dll",Startup -> Quarantined and deleted successfully.

Registry Data Items Detected: 3

HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Morgan\AppData\Local\yul.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and repaired successfully.

HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Morgan\AppData\Local\yul.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and repaired successfully.

HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Morgan\AppData\Local\yul.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and repaired successfully.

Folders Detected: 0

(No malicious items detected)

Files Detected: 6

C:\Users\Morgan\Local Settings\Temporary Internet Files\Content.IE5\O697Z68X\DownloadSetup (83).exe (Affiliate.Downloader) -> Quarantined and deleted successfully.

C:\Users\Morgan\AppData\Local\Temp\0.5963984703985021.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.

C:\Users\Morgan\AppData\Local\Temp\thpm676305875545563196.tmp (Exploit.Drop.3) -> Quarantined and deleted successfully.

C:\Users\Morgan\AppData\Local\Temp\kna0.8584019923714843.exe (Exploit.Drop.7) -> Quarantined and deleted successfully.

C:\Windows\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job (Trojan.FraudPack) -> Quarantined and deleted successfully.

(end)

RogueKiller V8.4.4 [Feb 5 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version

Started in : Safe mode with network support

User : Morgan [Admin rights]

Mode : Scan -- Date : 02/08/2013 09:17:20

| ARK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 7 ¤¤¤

[RUN][sUSP PATH] HKCU\[...]\Run : Google (rundll32.exe "C:\Users\Morgan\AppData\Local\Installer4896\Google\plxwjuaeh.dll",DllRegisterServer) -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-3491141242-3501480684-3681704926-1000[...]\Run : Google (rundll32.exe "C:\Users\Morgan\AppData\Local\Installer4896\Google\plxwjuaeh.dll",DllRegisterServer) -> FOUND

[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] @ : C:\Users\Morgan\AppData\Local\{e0ffb675-b0f6-443d-a7bb-1c5851ce6f3c}\@ --> FOUND

[ZeroAccess][FOLDER] U : C:\Users\Morgan\AppData\Local\{e0ffb675-b0f6-443d-a7bb-1c5851ce6f3c}\U --> FOUND

[ZeroAccess][FOLDER] L : C:\Users\Morgan\AppData\Local\{e0ffb675-b0f6-443d-a7bb-1c5851ce6f3c}\L --> FOUND

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

ÿþ1

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++

--- User ---

[MBR] a6471346488279ab26a76220e7507f9d

[bSP] 1484d177a6412ee8722ddffc19149bb5 : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 189278 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: +++++

--- User ---

[MBR] 6dc5f56d08af8f94027aee24403e80bd

[bSP] 67234e89aa53c1c4ef852fdf8d2b4b06 : MBR Code unknown

Partition table:

0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 8064 | Size: 3820 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[1]_S_02082013_02d0917.txt >>



The system is still infected with ZeroAccess, see if you can do the following:

Please download Farbar Recovery Scan Tool and save it to a flash drive. Ensure to get the correct version for your system, 32 bit or 64 bit.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Plug the flash drive into the infected PC.

If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt Here: http://www.bleepingcomputer.com/tutorials/windows-8-recovery-environment-command-prompt/ to enter System Recovery Command prompt.

If you are using Vista or Windows 7 enter System Recovery Options.

Plug the flash drive into the infected PC.

Enter System Recovery Options. I give two methods; use whichever is convenient for you.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select Your Country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select Your Country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

Startup Repair

System Restore

Windows Complete PC Restore

Windows Memory Diagnostic Tool

Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64 or e:\frst depending on your version. Press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Kevin...


Thank you. Unfortunately there are no restore points found to do a system restore.

Farbar Service Scanner Version: 19-06-2012 01

Ran by Morgan (administrator) on 08-02-2013 at 10:49:42

Running from "C:\Users\Morgan\Desktop"

Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)

Boot Mode: Nerwork

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Attempt to access Google.com returned error: Other errors

Yahoo IP is accessible.

Attempt to access Yahoo.com returned error: Other errors

Windows Firewall:

=============

MpsSvc Service is not running. Checking service configuration:

The start type of MpsSvc service is OK.

The ImagePath of MpsSvc service is OK.

The ServiceDll of MpsSvc service is OK.

bfe Service is not running. Checking service configuration:

The start type of bfe service is OK.

The ImagePath of bfe service is OK.

The ServiceDll of bfe service is OK.

Firewall Disabled Policy:

==================

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"EnableFirewall"=DWORD:0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall"=DWORD:0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]

"EnableFirewall"=DWORD:0

System Restore:

============

SDRSVC Service is not running. Checking service configuration:

The start type of SDRSVC service is OK.

The ImagePath of SDRSVC service is OK.

The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:

The start type of VSS service is OK.

The ImagePath of VSS service is OK.

System Restore Disabled Policy:

========================

Security Center:

============

wscsvc Service is not running. Checking service configuration:

The start type of wscsvc service is OK.

The ImagePath of wscsvc service is OK.

The ServiceDll of wscsvc service is OK.

Windows Update:

============

wuauserv Service is not running. Checking service configuration:

The start type of wuauserv service is OK.

The ImagePath of wuauserv service is OK.

The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:

The start type of BITS service is OK.

The ImagePath of BITS service is OK.

The ServiceDll of BITS service is OK.

EventSystem Service is not running. Checking service configuration:

The start type of EventSystem service is OK.

The ImagePath of EventSystem service is OK.

The ServiceDll of EventSystem service is OK.

Windows Autoupdate Disabled Policy:

============================

Windows Defender:

==============

WinDefend Service is not running. Checking service configuration:

The start type of WinDefend service is set to Demand. The default start type is Auto.

The ImagePath of WinDefend service is OK.

The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:

==========================

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]

"DisableAntiSpyware"=DWORD:1

PlugPlay Service is not running. Checking service configuration:

Checking Start type: ATTENTION!=====> Unable to open PlugPlay registry key. The service key does not exist.

Checking ImagePath: ATTENTION!=====> Unable to open PlugPlay registry key. The service key does not exist.

File Check:

========

C:\Windows\system32\nsisvc.dll => MD5 is legit

C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit

C:\Windows\system32\dhcpcsvc.dll => MD5 is legit

C:\Windows\system32\Drivers\afd.sys => MD5 is legit

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit

C:\Windows\system32\Drivers\tcpip.sys

[2012-05-11 22:05] - [2012-03-30 07:39] - 0905600 ____A (Microsoft Corporation) 27D470DABC77BC60D0A3B0E4DEB6CB91

C:\Windows\system32\dnsrslvr.dll => MD5 is legit

C:\Windows\system32\mpssvc.dll => MD5 is legit

C:\Windows\system32\bfe.dll => MD5 is legit

C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit

C:\Windows\system32\SDRSVC.dll => MD5 is legit

C:\Windows\system32\vssvc.exe => MD5 is legit

C:\Windows\system32\wscsvc.dll => MD5 is legit

C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit

C:\Windows\system32\wuaueng.dll => MD5 is legit

C:\Windows\system32\qmgr.dll => MD5 is legit

C:\Windows\system32\es.dll => MD5 is legit

C:\Windows\system32\cryptsvc.dll => MD5 is legit

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit

C:\Windows\system32\svchost.exe => MD5 is legit

C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****

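The FSS log above flags services whose registry key is missing (PlugPlay, which is what produces "The specified service does not exist as an installed service") or whose start type was changed (WinDefend), plus the firewall and Defender policy values. The following PowerShell is an added example, not part of this thread and not Farbar's tool, that performs the same checks on a live system. It assumes an elevated PowerShell prompt on the affected host, and the expected start types (2 = Auto, 3 = Demand) are assumed Vista defaults, taken from the log's own "default start type" remarks.

```powershell
# Added example: re-implement the service-configuration checks that Farbar
# Service Scanner reports. Run from an elevated PowerShell on the host.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Service name -> expected Start value. Assumed Vista/7 defaults:
# 2 = Auto, 3 = Demand (Manual), 4 = Disabled.
$expected = @{
    'MpsSvc'      = 2   # Windows Firewall
    'BFE'         = 2   # Base Filtering Engine
    'SDRSVC'      = 3   # Windows Backup
    'VSS'         = 3   # Volume Shadow Copy (restore points depend on it)
    'wscsvc'      = 2   # Security Center
    'wuauserv'    = 2   # Windows Update
    'BITS'        = 2   # Background Intelligent Transfer Service
    'EventSystem' = 2   # COM+ Event System
    'WinDefend'   = 2   # Windows Defender
    'PlugPlay'    = 2   # Plug and Play
}
$startName = @{ 2 = 'Auto'; 3 = 'Demand'; 4 = 'Disabled' }

function Test-ServiceKey {
    param([string]$Name, [int]$ExpectedStart)
    $key = Join-Path $svcRoot $Name
    if (-not (Test-Path $key)) {
        # This is the PlugPlay finding in the FSS log: the key itself is gone,
        # so the Service Control Manager reports the service as not installed.
        return "ATTENTION: $Name service key does not exist"
    }
    $props  = Get-ItemProperty -Path $key
    $issues = @()

    if ([int]$props.Start -ne $ExpectedStart) {
        $actual = $startName[[int]$props.Start]
        if (-not $actual) { $actual = $props.Start }
        $issues += "start type is $actual (default $($startName[$ExpectedStart]))"
    }
    if (-not $props.ImagePath) {
        $issues += 'ImagePath is missing'
    }
    # svchost-hosted services keep their DLL under Parameters\ServiceDll;
    # verify the file the key points at still exists on disk.
    $paramKey = Join-Path $key 'Parameters'
    if (Test-Path $paramKey) {
        $dll = (Get-ItemProperty -Path $paramKey).ServiceDll
        if ($dll) {
            $dllPath = [Environment]::ExpandEnvironmentVariables($dll)
            if (-not (Test-Path $dllPath)) { $issues += "ServiceDll $dll not found on disk" }
        }
    }

    if ($issues.Count -eq 0) { return "$Name : OK" }
    return "$Name : " + ($issues -join '; ')
}

foreach ($name in ($expected.Keys | Sort-Object)) {
    Test-ServiceKey -Name $name -ExpectedStart $expected[$name]
}

# Policy values the log also reports: firewall disabled per profile and
# Defender turned off via DisableAntiSpyware.
$fwPolicy = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($profile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    $v = (Get-ItemProperty -Path (Join-Path $fwPolicy $profile) -ErrorAction SilentlyContinue).EnableFirewall
    if ($v -eq 0) { "Firewall disabled by policy in $profile (EnableFirewall=0)" }
}
$def = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender' -ErrorAction SilentlyContinue
if ($def.DisableAntiSpyware -eq 1) { 'Windows Defender disabled by policy (DisableAntiSpyware=1)' }
```

On a clean Vista/7 host every service line prints "OK" and no policy lines appear; a missing key or a changed start type is the finding to investigate, and FRST run from the recovery environment (as the previous reply describes) is the usual way to inspect and restore such keys.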

FRST

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 06-02-2013

Ran by Morgan at 08-02-2013 16:30:55

Running from E:\logs

Service Pack 2 (X86) OS Language: English(US)

Attention: Could not load system hive.

ERROR: The process cannot access the file because it is being used by another process.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.

==================== One Month Created Files and Folders ========

2013-02-08 15:30 - 2012-05-15 14:51 - 02045440 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2013-02-08 15:22 - 2013-02-08 15:16 - 19937144 ____A (IObit ) C:\Users\Morgan\Desktop\asc-setup-v6.exe

2013-02-08 15:22 - 2013-02-08 14:20 - 81314888 ____A (Microsoft Corporation) C:\Users\Morgan\Desktop\msert.exe

2013-02-08 13:53 - 2013-02-08 13:53 - 00000000 ____D C:\Users\Morgan\Desktop\reports

2013-02-08 11:13 - 2013-02-08 11:06 - 00006336 ____A C:\Users\Morgan\Desktop\WinDefend.reg

2013-02-08 09:16 - 2013-02-08 11:17 - 00000000 ____D C:\Users\Morgan\Desktop\RK_Quarantine

2013-02-08 09:16 - 2013-02-08 09:10 - 00778240 ____A C:\Users\Morgan\Desktop\RogueKiller.exe

==================== One Month Modified Files and Folders ========

2013-02-08 16:30 - 2013-02-08 16:30 - 00000000 ____D C:\FRST

2013-02-08 16:14 - 2008-03-14 19:25 - 00001356 ____A C:\Users\Morgan\AppData\Local\d3d9caps.dat

2013-02-08 15:56 - 2006-11-02 05:33 - 00005510 ____A C:\Windows\System32\PerfStringBackup.INI

2013-02-08 15:50 - 2006-11-02 07:47 - 01740896 ____A C:\Windows\System32\FNTCACHE.DAT

2013-02-08 15:46 - 2007-12-26 20:16 - 01383780 ____A C:\Windows\WindowsUpdate.log

2013-02-08 15:46 - 2006-11-02 08:01 - 00032598 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2013-02-08 15:46 - 2006-11-02 08:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-02-08 15:46 - 2006-11-02 07:47 - 00003568 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

2013-02-08 15:46 - 2006-11-02 07:47 - 00003568 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

2013-02-08 15:31 - 2012-03-30 20:42 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-02-08 15:25 - 2009-06-29 19:36 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-02-08 15:16 - 2013-02-08 15:22 - 19937144 ____A (IObit ) C:\Users\Morgan\Desktop\asc-setup-v6.exe

2013-02-08 14:20 - 2013-02-08 15:22 - 81314888 ____A (Microsoft Corporation) C:\Users\Morgan\Desktop\msert.exe

2013-02-08 13:53 - 2013-02-08 13:53 - 00000000 ____D C:\Users\Morgan\Desktop\reports

2013-02-08 12:54 - 2008-02-16 06:37 - 00055296 ____A C:\Users\Morgan\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

2013-02-08 11:20 - 2012-06-21 07:22 - 00000406 ____A C:\rkill.log

2013-02-08 11:19 - 2012-06-21 07:33 - 00000802 ____A C:\Users\Morgan\Desktop\unhide.txt

2013-02-08 11:17 - 2013-02-08 09:16 - 00000000 ____D C:\Users\Morgan\Desktop\RK_Quarantine

2013-02-08 11:06 - 2013-02-08 11:13 - 00006336 ____A C:\Users\Morgan\Desktop\WinDefend.reg

2013-02-08 10:49 - 2012-06-21 12:12 - 00004699 ____A C:\Users\Morgan\Desktop\FSS.txt

2013-02-08 10:39 - 2012-06-21 15:08 - 00163416 ____A C:\Users\Morgan\Desktop\OTL.Txt

2013-02-08 09:43 - 2012-01-11 09:30 - 00000000 __SHD C:\Users\Morgan\AppData\Local\{e0ffb675-b0f6-443d-a7bb-1c5851ce6f3c}

2013-02-08 09:43 - 2008-02-16 04:26 - 00000000 ____D C:\Program Files\Mozilla Firefox

2013-02-08 09:10 - 2013-02-08 09:16 - 00778240 ____A C:\Users\Morgan\Desktop\RogueKiller.exe

2013-02-08 07:51 - 2012-06-21 11:59 - 00000000 ____D C:\Windows\ERDNT

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Memory info ===========================

Percentage of memory in use: 37%

Total physical RAM: 2037.69 MB

Available physical RAM: 1278.09 MB

Total Pagefile: 4340.63 MB

Available Pagefile: 3808.6 MB

Total Virtual: 2047.88 MB

Available Virtual: 1954.9 MB

==================== Partitions =============================

1 Drive c: (SQ004585V03) (Fixed) (Total:184.84 GB) (Free:24.73 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

3 Drive e: (AL'S) (Removable) (Total:3.73 GB) (Free:1.19 GB) FAT32

See the System Event Log for more information.

Last Boot: 2013-02-08 15:56

==================== End Of Log ============================


You have run FRST incorrectly; please read the instructions fully and give it another try.

Regarding Plug and Play, yes, that reg key is missing; several other services use that key and are dependent on it, one for sure being WWAN AutoConfig, which is needed for the wireless network.

I've attached the reg key in the zip file plugplay.zip. Unzip that file to your Desktop; it should now be plugplay.reg. Double click it (or right click and run as Administrator), accept any alerts, re-boot and check the connection...

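The dependency point made above (one missing service key such as PlugPlay leaves every service that depends on it unable to start), as an added example that is not part of this thread: a Python script that reads DependOnService values from a regedit export, where REG_MULTI_SZ is written as hex(7): comma-separated UTF-16LE bytes with "\" line continuations, builds the dependency graph and reports which services a missing key takes down and which come back once the key is restored. The .reg excerpt is constructed for the example and its DependOnService lists are assumptions, not values taken from a real Vista machine.

```python
import re
from typing import Dict, List, Set

# Constructed regedit export (not a real Vista export). REG_MULTI_SZ values are
# written as hex(7): comma-separated UTF-16LE bytes with "\" line continuations.
# The DependOnService lists below are assumptions made for the example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs]
"DisplayName"="Remote Procedure Call (RPC)"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nativewifip]
"DisplayName"="NativeWiFi Filter"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WwanSvc]
"DisplayName"="WWAN AutoConfig"
"DependOnService"=hex(7):50,00,6c,00,75,00,67,00,50,00,6c,00,61,00,79,00,00,00,52,00,\
  70,00,63,00,53,00,73,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wlansvc]
"DisplayName"="WLAN AutoConfig"
"DependOnService"=hex(7):6e,00,61,00,74,00,69,00,76,00,65,00,77,00,69,00,66,00,69,00,\
  70,00,00,00,52,00,70,00,63,00,53,00,73,00,00,00,00,00
"""

KEY_RE = re.compile(r'^\[HKEY_LOCAL_MACHINE\\SYSTEM\\\w+\\Services\\([^\\\]]+)\]$', re.IGNORECASE)
DEP_RE = re.compile(r'^"DependOnService"=hex\(7\):(.*)$')


def decode_multi_sz(hex_csv: str) -> List[str]:
    """Turn 'xx,xx,...' UTF-16LE bytes into the list of strings they encode."""
    raw = bytes.fromhex(''.join(h.strip() for h in hex_csv.split(',') if h.strip()))
    return [s for s in raw.decode('utf-16-le').split('\0') if s]


def parse_services(reg_text: str) -> Dict[str, List[str]]:
    """Map each exported Services key name to its DependOnService list."""
    services: Dict[str, List[str]] = {}
    lines = reg_text.splitlines()
    current, i = None, 0
    while i < len(lines):
        line = lines[i].rstrip()
        km = KEY_RE.match(line)
        if km:
            current = km.group(1)
            services.setdefault(current, [])
        elif current is not None:
            dm = DEP_RE.match(line)
            if dm:
                payload = dm.group(1)
                while payload.endswith('\\'):       # regedit wraps long values
                    i += 1
                    payload = payload[:-1] + lines[i].strip()
                services[current] = decode_multi_sz(payload)
        i += 1
    return services


def unstartable(services: Dict[str, List[str]], present: Set[str]) -> Dict[str, List[str]]:
    """Services whose dependency chain reaches a key that is not present (case-insensitive)."""
    present_l = {p.lower() for p in present}
    deps_of = {n.lower(): d for n, d in services.items()}

    def missing_deps(name_l: str, seen: Set[str]) -> Set[str]:
        out: Set[str] = set()
        for dep in deps_of.get(name_l, []):
            dl = dep.lower()
            if dl not in present_l:
                out.add(dep)
            elif dl not in seen:
                seen.add(dl)
                out |= missing_deps(dl, seen)
        return out

    broken: Dict[str, List[str]] = {}
    for name in services:
        gaps = missing_deps(name.lower(), {name.lower()})
        if gaps:
            broken[name] = sorted(gaps)
    return broken


def dependents_of(services: Dict[str, List[str]], key: str) -> List[str]:
    """Services that list `key` directly in DependOnService."""
    return sorted(n for n, deps in services.items() if key.lower() in (d.lower() for d in deps))


if __name__ == '__main__':
    svcs = parse_services(SAMPLE_REG)
    print('directly dependent on PlugPlay:', dependents_of(svcs, 'PlugPlay'))
    print('with PlugPlay key missing:', unstartable(svcs, set(svcs)))
    print('after restoring PlugPlay key:', unstartable(svcs, set(svcs) | {'PlugPlay'}))
```

Run against a real export (regedit, export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, or a copy made from the recovery environment), the "present" set is the key names found in that export; anything `unstartable` reports as a gap is a key to restore before the dependent services, and the wireless connection, will come back.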

This is the FRST.txt file I received after running Farbar Recovery Scan Tool from the system restore command prompt.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 06-02-2013

Ran by SYSTEM at 08-02-2013 19:55:56

Running from F:\

Windows Vista Home Premium (X86) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [igfxTray] DOWS\SYSTEM32\IGFXTRAY.EXE [x]

HKLM\...\Run: [HotKeysCmds] DOWS\SYSTEM32\HKCMD.EXE [x]

HKLM\...\Run: [Persistence] DOWS\SYSTEM32\IGFXPERS.EXE [x]

HKLM\...\Run: [TPwrMain] .EXE [x]

HKLM\...\Run: [smoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [448080 2007-06-15] (TOSHIBA Corporation)

HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]

HKLM\...\Run: [synTPStart] TPSTART.EXE [x]

HKLM\...\Run: [NDSTray.exe] DSTRAY.EXE [x]

HKLM\...\Run: [Windows Mobile-based device management] C.EXE [x]

HKLM\...\Run: [sSBkgdUpdate] G -BOOT [x]

HKLM\...\Run: [OpwareSE4] IPAGESE4\OPWARESE4.EXE" [x]

HKLM\...\Run: [sunJavaUpdateSched] FILES\JAVA\JAVA UPDATE\JUSCHED.EXE" [x]

HKLM\...\Run: [skytel] Skytel.exe [x]

HKLM\...\Run: [mcui_exe] KEY [x]

HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [40368 2011-08-30] (Adobe Systems Incorporated)

HKLM\...\Run: [Adobe ARM] FILES\ADOBE\ARM\1.0\ADOBEARM.EXE" [x]

HKLM\...\Run: [QuickTime Task] DOWS\SYSTEM32\QTTASK.EXE" -ATBOOTTIME [x]

HKLM\...\Run: [synTPEnh] H.EXE [x]

HKLM\...\Run: [PAP7501_Monitor] DOWS\PIXART\PAP7501\GUCI_AVS.EXE [x]

HKLM\...\Run: [Malwarebytes' Anti-Malware] TI-MALWARE\MBAMGUI.EXE" /STARTTRAY [x]

HKU\Morgan\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-18] (Microsoft Corporation)

HKU\Morgan\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [68856 2008-05-13] (Google Inc.)

HKU\Morgan\...\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet [5248312 2010-03-19] (Yahoo! Inc.)

HKU\Morgan\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [8704 2006-11-02] (Microsoft Corporation)

HKU\Morgan\...\Run: [EasyTether] "C:\Program Files\Mobile Stream\EasyTether\easytthr.exe" [48648 2011-05-22] (Mobile Stream)

HKU\Morgan\...\Run: [Advanced SystemCare 6] "C:\Program Files\IObit\Advanced SystemCare 6\ASCTray.exe" /AutoStart [490880 2012-09-24] (IObit)

HKLM\...\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [462408 2012-04-04] (Malwarebytes Corporation)

Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62

Startup: C:\Users\Morgan\Start Menu\Programs\Startup\Yahoo! Widgets.lnk

ShortcutTarget: Yahoo! Widgets.lnk -> C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe (Yahoo! Inc.)

==================== Services (Whitelisted) ===================

2 AdvancedSystemCareService6; C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe [464256 2012-10-31] (IObit)

2 gupdate1c9872b7d755da3; "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc [133104 2009-02-04] (Google Inc.)

3 LiveUpdate; "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE" [3093872 2008-06-30] (Symantec Corporation)

2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [654408 2012-04-04] (Malwarebytes Corporation)

2 McAfee SiteAdvisor Service; "C:\Program Files\McAfee\SiteAdvisor\McSACore.exe" [210216 2009-02-11] ()

2 McMPFSvc; "C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [214904 2011-01-27] (McAfee, Inc.)

2 mcmscsvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [214904 2011-01-27] (McAfee, Inc.)

2 McNaiAnn; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [214904 2011-01-27] (McAfee, Inc.)

2 McNASvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [214904 2011-01-27] (McAfee, Inc.)

3 McODS; "C:\Program Files\McAfee\VirusScan\mcods.exe" [361976 2012-03-22] (McAfee, Inc.)

2 McProxy; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [214904 2011-01-27] (McAfee, Inc.)

2 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [166288 2012-03-20] (McAfee, Inc.)

2 mfefire; "C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe" [161632 2012-03-20] (McAfee, Inc.)

2 mfevtp; "C:\Windows\system32\mfevtps.exe" [151880 2012-03-20] (McAfee, Inc.)

2 pinger; C:\TOSHIBA\IVP\ISM\pinger.exe [136816 2007-01-25] ()

2 TosCoSrv; "C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe" [427576 2007-03-29] (TOSHIBA Corporation)

2 UleadBurningHelper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [49152 2006-08-23] (Ulead Systems, Inc.)

2 WebClient; C:\Windows\System32\svchost.exe -k LocalService [21504 2008-01-18] (Microsoft Corporation)

2 WPDBusEnum; C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [21504 2008-01-18] (Microsoft Corporation)

3 ATTRcAppSvc; "C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe" /n "ATTRcAppSvc" [x]

3 CAATT; "C:\Program Files\AT&T\Communication Manager\ConAppsSvc.exe" /n "CAATT" [x]

2 napagent32; C:\Windows\system32\ddraw32.exe [x]

==================== Drivers (Whitelisted) ====================

3 cfwids; C:\Windows\System32\drivers\cfwids.sys [57600 2012-02-22] (McAfee, Inc.)

3 easytether; C:\Windows\System32\DRIVERS\easytthr.sys [17296 2011-05-22] (Mobile Stream)

3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [22344 2012-04-04] (Malwarebytes Corporation)

3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [121544 2012-02-22] (McAfee, Inc.)

3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [180848 2012-02-22] (McAfee, Inc.)

3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [59456 2012-02-22] (McAfee, Inc.)

3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [340920 2012-02-22] (McAfee, Inc.)

0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [464304 2012-02-22] (McAfee, Inc.)

1 mfenlfk; C:\Windows\System32\DRIVERS\mfenlfk.sys [64912 2012-02-22] (McAfee, Inc.)

3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [87656 2012-02-22] (McAfee, Inc.)

1 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [169608 2012-02-22] (McAfee, Inc.)

3 MFE_RR; \??\C:\Users\Morgan\AppData\Local\Temp\mfe_rr.sys [16488 2013-02-08] (McAfee, Inc.)

3 NMgamingmsFltr; C:\Windows\System32\drivers\NMgamingms.sys [9472 2009-07-24] (Primax Ltd)

3 swmsflt; C:\Windows\System32\drivers\swmsflt.sys [874496 2006-11-02] (Microsoft Corporation)

3 SWNC8U56; C:\Windows\System32\DRIVERS\swnc8u56.sys [101248 2007-06-27] (Sierra Wireless Inc.)

3 SWUMX56; C:\Windows\System32\DRIVERS\swumx56.sys [73856 2007-06-27] (Sierra Wireless Inc.)

3 usbbus; C:\Windows\System32\DRIVERS\lgusbbus.sys [13056 2008-11-11] (LG Electronics Inc.)

3 UsbDiag; C:\Windows\System32\DRIVERS\lgusbdiag.sys [19968 2008-11-11] (LG Electronics Inc.)

3 USBModem; C:\Windows\System32\DRIVERS\lgusbmodem.sys [24832 2008-11-11] (LG Electronics Inc.)

4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]

3 catchme; \??\C:\Users\Morgan\AppData\Local\Temp\catchme.sys [x]

2 CWMonitor; \??\C:\Program Files\Common Files\Symantec Shared\coShared\CW\1.5\CO_Mon.sys [x]

3 EagleNT; \??\C:\Windows\system32\drivers\EagleNT.sys [x]

3 GEARAspiWDM; C:\Windows\System32\Drivers\GEARAspiWDM.sys [x]

3 IO_Memory; \??\C:\WINDOWS\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]

3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]

3 lvpopflt; C:\Windows\System32\DRIVERS\lvpopflt.sys [x]

3 LVUSBSta; C:\Windows\System32\drivers\LVUSBSta.sys [x]

3 LVUVC; C:\Windows\System32\DRIVERS\lvuvc.sys [x]

2 MCSTRM; [x]

3 mfeavfk01; [x]

3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]

3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

3 PCTINDIS5; \??\C:\Windows\system32\PCTINDIS5.SYS [x]

3 SVRPEDRV; \??\C:\Windows\System32\sysprep\UP_date\PEDrv.sys [x]

3 tosporte; C:\Windows\System32\DRIVERS\tosporte.sys [x]

3 Tosrfcom; C:\Windows\System32\Drivers\tosrfcom.sys [x]

3 USBAAPL; C:\Windows\System32\Drivers\usbaapl.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-02-08 16:42 - 2013-02-08 16:42 - 00000000 ____D C:\Users\Morgan\Desktop\PlugPlay

2013-02-08 16:41 - 2013-02-08 16:35 - 00001044 ____A C:\Users\Morgan\Desktop\PlugPlay.zip

2013-02-08 16:12 - 2013-02-08 16:13 - 00000000 ____D C:\Users\All Users\IObit

2013-02-08 16:12 - 2013-02-08 16:12 - 00001076 ____A C:\Users\Public\Desktop\Uninstaller.lnk

2013-02-08 16:12 - 2013-02-08 16:12 - 00001025 ____A C:\Users\Public\Desktop\Advanced SystemCare 6.lnk

2013-02-08 16:12 - 2013-02-08 16:12 - 00000000 ____D C:\Users\Morgan\AppData\Roaming\IObit

2013-02-08 16:12 - 2013-02-08 16:12 - 00000000 ____D C:\Program Files\IObit

2013-02-08 13:30 - 2013-02-08 13:30 - 00000000 ____D C:\FRST

2013-02-08 12:30 - 2012-05-15 11:51 - 02045440 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2013-02-08 12:22 - 2013-02-08 12:16 - 19937144 ____A (IObit ) C:\Users\Morgan\Desktop\asc-setup-v6.exe

2013-02-08 12:22 - 2013-02-08 11:20 - 81314888 ____A (Microsoft Corporation) C:\Users\Morgan\Desktop\msert.exe

2013-02-08 10:53 - 2013-02-08 10:53 - 00000000 ____D C:\Users\Morgan\Desktop\reports

2013-02-08 08:13 - 2013-02-08 08:06 - 00006336 ____A C:\Users\Morgan\Desktop\WinDefend.reg

2013-02-08 06:16 - 2013-02-08 08:17 - 00000000 ____D C:\Users\Morgan\Desktop\RK_Quarantine

2013-02-08 06:16 - 2013-02-08 06:10 - 00778240 ____A C:\Users\Morgan\Desktop\RogueKiller.exe

==================== One Month Modified Files and Folders ========

2013-02-08 16:47 - 2006-11-02 04:47 - 00003568 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

2013-02-08 16:47 - 2006-11-02 04:47 - 00003568 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

2013-02-08 16:46 - 2006-11-02 05:01 - 00032598 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2013-02-08 16:46 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-02-08 16:45 - 2009-06-29 16:36 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-02-08 16:42 - 2013-02-08 16:42 - 00000000 ____D C:\Users\Morgan\Desktop\PlugPlay

2013-02-08 16:36 - 2007-12-26 17:16 - 01385798 ____A C:\Windows\WindowsUpdate.log

2013-02-08 16:36 - 2006-11-02 02:33 - 00005510 ____A C:\Windows\System32\PerfStringBackup.INI

2013-02-08 16:35 - 2013-02-08 16:41 - 00001044 ____A C:\Users\Morgan\Desktop\PlugPlay.zip

2013-02-08 16:13 - 2013-02-08 16:12 - 00000000 ____D C:\Users\All Users\IObit

2013-02-08 16:13 - 2008-02-16 01:26 - 00000000 ____D C:\Program Files\Mozilla Firefox

2013-02-08 16:12 - 2013-02-08 16:12 - 00001076 ____A C:\Users\Public\Desktop\Uninstaller.lnk

2013-02-08 16:12 - 2013-02-08 16:12 - 00001025 ____A C:\Users\Public\Desktop\Advanced SystemCare 6.lnk

2013-02-08 16:12 - 2013-02-08 16:12 - 00000000 ____D C:\Users\Morgan\AppData\Roaming\IObit

2013-02-08 16:12 - 2013-02-08 16:12 - 00000000 ____D C:\Program Files\IObit

2013-02-08 15:52 - 2008-03-14 16:25 - 00001356 ____A C:\Users\Morgan\AppData\Local\d3d9caps.dat

2013-02-08 13:30 - 2013-02-08 13:30 - 00000000 ____D C:\FRST

2013-02-08 12:50 - 2006-11-02 04:47 - 01740896 ____A C:\Windows\System32\FNTCACHE.DAT

2013-02-08 12:31 - 2012-03-30 17:42 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-02-08 12:16 - 2013-02-08 12:22 - 19937144 ____A (IObit ) C:\Users\Morgan\Desktop\asc-setup-v6.exe

2013-02-08 11:20 - 2013-02-08 12:22 - 81314888 ____A (Microsoft Corporation) C:\Users\Morgan\Desktop\msert.exe

2013-02-08 10:53 - 2013-02-08 10:53 - 00000000 ____D C:\Users\Morgan\Desktop\reports

2013-02-08 09:54 - 2008-02-16 03:37 - 00055296 ____A C:\Users\Morgan\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

2013-02-08 08:20 - 2012-06-21 04:22 - 00000406 ____A C:\rkill.log

2013-02-08 08:19 - 2012-06-21 04:33 - 00000802 ____A C:\Users\Morgan\Desktop\unhide.txt

2013-02-08 08:17 - 2013-02-08 06:16 - 00000000 ____D C:\Users\Morgan\Desktop\RK_Quarantine

2013-02-08 08:06 - 2013-02-08 08:13 - 00006336 ____A C:\Users\Morgan\Desktop\WinDefend.reg

2013-02-08 07:49 - 2012-06-21 09:12 - 00004699 ____A C:\Users\Morgan\Desktop\FSS.txt

2013-02-08 07:39 - 2012-06-21 12:08 - 00163416 ____A C:\Users\Morgan\Desktop\OTL.Txt

2013-02-08 06:43 - 2012-01-11 06:30 - 00000000 __SHD C:\Users\Morgan\AppData\Local\{e0ffb675-b0f6-443d-a7bb-1c5851ce6f3c}

2013-02-08 06:10 - 2013-02-08 06:16 - 00778240 ____A C:\Users\Morgan\Desktop\RogueKiller.exe

2013-02-08 04:51 - 2012-06-21 08:59 - 00000000 ____D C:\Windows\ERDNT

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

==================== Memory info ===========================

Percentage of memory in use: 17%

Total physical RAM: 2037.81 MB

Available physical RAM: 1671.91 MB

Total Pagefile: 1866.29 MB

Available Pagefile: 1741.31 MB

Total Virtual: 2047.88 MB

Available Virtual: 1982.33 MB

==================== Partitions =============================

1 Drive c: (SQ004585V03) (Fixed) (Total:184.84 GB) (Free:25.4 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

3 Drive e: (TOSHIBA SYSTEM VOLUME) (Fixed) (Total:1.46 GB) (Free:1.33 GB) NTFS

4 Drive f: (AL'S) (Removable) (Total:3.73 GB) (Free:1.19 GB) FAT32

5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ---------- ------- ------- --- ---

Disk 0 Online 186 GB 3257 KB

Disk 1 Online 3824 MB 0 B

Partitions of Disk 0:

===============

ACTIVE - Mark the selected basic partition as active.

ADD - Add a mirror to a simple volume.

ASSIGN - Assign a drive letter or mount point to the selected volume.

ATTRIBUTES - Manipulate volume attributes.

AUTOMOUNT - Enable and disable automatic mounting of basic volumes.

BREAK - Break a mirror set.

CLEAN - Clear the configuration information, or all information, off the

disk.

CONVERT - Convert between different disk formats.

CREATE - Create a volume or partition.

DELETE - Delete an object.

DETAIL - Provide details about an object.

EXIT - Exit DiskPart.

EXTEND - Extend a volume.

FILESYSTEMS - Display current and supported file systems on the volume.

FORMAT - Format the volume or partition.

GPT - Assign attributes to the selected GPT partition.

HELP - Display a list of commands.

IMPORT - Import a disk group.

INACTIVE - Mark the selected basic partition as inactive.

LIST - Display a list of objects.

ONLINE - Online a disk that is currently marked as offline.

REM - Does nothing. This is used to comment scripts.

REMOVE - Remove a drive letter or mount point assignment.

REPAIR - Repair a RAID-5 volume with a failed member.

RESCAN - Rescan the computer looking for disks and volumes.

RETAIN - Place a retained partition under a simple volume.

SELECT - Shift the focus to an object.

SETID - Change the partition type.

SHRINK - Reduce the size of the selected volume.

=========================================================

Partitions of Disk 1:

===============

ACTIVE - Mark the selected basic partition as active.

ADD - Add a mirror to a simple volume.

ASSIGN - Assign a drive letter or mount point to the selected volume.

ATTRIBUTES - Manipulate volume attributes.

AUTOMOUNT - Enable and disable automatic mounting of basic volumes.

BREAK - Break a mirror set.

CLEAN - Clear the configuration information, or all information, off the

disk.

CONVERT - Convert between different disk formats.

CREATE - Create a volume or partition.

DELETE - Delete an object.

DETAIL - Provide details about an object.

EXIT - Exit DiskPart.

EXTEND - Extend a volume.

FILESYSTEMS - Display current and supported file systems on the volume.

FORMAT - Format the volume or partition.

GPT - Assign attributes to the selected GPT partition.

HELP - Display a list of commands.

IMPORT - Import a disk group.

INACTIVE - Mark the selected basic partition as inactive.

LIST - Display a list of objects.

ONLINE - Online a disk that is currently marked as offline.

REM - Does nothing. This is used to comment scripts.

REMOVE - Remove a drive letter or mount point assignment.

REPAIR - Repair a RAID-5 volume with a failed member.

RESCAN - Rescan the computer looking for disks and volumes.

RETAIN - Place a retained partition under a simple volume.

SELECT - Shift the focus to an object.

SETID - Change the partition type.

SHRINK - Reduce the size of the selected volume.

=========================================================

Last Boot: 2013-02-08 16:14

==================== End Of Log ============================

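An added example, not part of the original thread: a Python triage pass over the "Services (Whitelisted)" and "Drivers (Whitelisted)" sections of an FRST log like the one above. It parses the start type, name, image path, size, date and company from each line and flags entries whose binary FRST could not find ("[x]"), entries that load from a user or system temp directory, and entries whose version resource carries no company name. The sample lines are a constructed subset modelled on the log above, and the flags are hints for a manual look, not verdicts: a "[x]" entry is often just a leftover from uninstalled software, and a temp-directory driver can be a scanner's own helper.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample modelled on the FRST log above: a subset of its
# "Services (Whitelisted)" and "Drivers (Whitelisted)" lines, not the full log.
SAMPLE_LOG = r"""
==================== Services (Whitelisted) ===================

2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [654408 2012-04-04] (Malwarebytes Corporation)
2 McAfee SiteAdvisor Service; "C:\Program Files\McAfee\SiteAdvisor\McSACore.exe" [210216 2009-02-11] ()
2 pinger; C:\TOSHIBA\IVP\ISM\pinger.exe [136816 2007-01-25] ()
3 ATTRcAppSvc; "C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe" /n "ATTRcAppSvc" [x]
2 napagent32; C:\Windows\system32\ddraw32.exe [x]

==================== Drivers (Whitelisted) ====================

0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [464304 2012-02-22] (McAfee, Inc.)
3 MFE_RR; \??\C:\Users\Morgan\AppData\Local\Temp\mfe_rr.sys [16488 2013-02-08] (McAfee, Inc.)
3 catchme; \??\C:\Users\Morgan\AppData\Local\Temp\catchme.sys [x]
2 MCSTRM; [x]
"""

SECTION_RE = re.compile(r'^=+ (?P<title>.+?) =+$')
ENTRY_RE = re.compile(r'^(?P<start>[0-4]) (?P<name>[^;]+); (?P<rest>.*)$')
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\[]*?\.(?:exe|sys|dll))', re.IGNORECASE)
FOUND_RE = re.compile(r'\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<company>[^)]*)\)$')
TEMP_DIRS = ('\\appdata\\local\\temp\\', '\\windows\\temp\\')
WANTED_SECTIONS = ('Services (Whitelisted)', 'Drivers (Whitelisted)')


@dataclass
class Entry:
    section: str
    start: int              # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
    name: str
    path: Optional[str]     # image path, or None when FRST printed none
    size: Optional[int]
    date: Optional[str]
    company: Optional[str]  # '' when the version resource carries no company
    missing: bool           # FRST's "[x]": file not found on disk


def parse_frst(text: str) -> List[Entry]:
    """Parse service/driver lines from the two FRST sections of interest."""
    entries: List[Entry] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group('title')
            continue
        if section not in WANTED_SECTIONS:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        rest = m.group('rest')
        pm = PATH_RE.search(rest)
        missing = rest.endswith('[x]')
        size = date = company = None
        if not missing:
            fm = FOUND_RE.search(rest)
            if fm:
                size, date = int(fm.group('size')), fm.group('date')
                company = fm.group('company').strip()
        entries.append(Entry(section, int(m.group('start')), m.group('name').strip(),
                             pm.group(1) if pm else None, size, date, company, missing))
    return entries


def triage(text: str) -> Dict[str, List[str]]:
    """Map entry name -> reasons it deserves a manual look."""
    findings: Dict[str, List[str]] = {}
    for e in parse_frst(text):
        reasons = []
        if e.missing:
            reasons.append('binary not found on disk (FRST "[x]")'
                           + (' and no path recorded' if e.path is None else ''))
        if e.path and any(t in e.path.lower() for t in TEMP_DIRS):
            reasons.append('loads from a temp directory')
        if e.company == '':
            reasons.append('no company name in version info')
        if reasons:
            findings[e.name] = reasons
    return findings


if __name__ == '__main__':
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f'{name}: {"; ".join(reasons)}')
```

Feed it a saved FRST.txt (`triage(open('FRST.txt', encoding='utf-8', errors='replace').read())`) and check each flagged name by hand: a service whose image is gone cannot run, so it is a dead registry reference to clean up, while a live driver in a Temp directory is the one to identify before anything else.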

ZeroAccess does not show in FRST log although it was present in the previous logs you posted, did you run any type fix before you ran FRST?

Did you merge the reg key I attached last reply, is internet connection working.. Run the following:

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from the following link :-

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

  • Ensure that Combofix is saved directly to the Desktop <--- Very important
  • Disable all security programs as they will have a negative effect on Combofix; instructions are available here http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed; if you need more help please ask.
  • Close any open browsers and any other programs you might have running
  • Double click the ComboFix icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
  • Instructions for running Combofix are available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
  • If you are using Windows XP it might display a pop up saying "Recovery console is not installed, do you want to install?" Please select yes and let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here http://thespykiller.co.uk/index.php?page=20 why disabling autoruns is recommended.

*EXTRA NOTES*

  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot; you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted)

Post the log in next reply please...

Kevin


OK. I have done a lot of random things on my own, before you and when you first started talking with me. I have logs of everything. I did merge the file you gave me; however, the internet still does not work. Combofix is giving me a warning stating that McAfee antivirus and antispyware real-time scanner is active and needs to be disabled before continuing. When I try to disable RTS on McAfee it says it's already off. When I click turn on RTS it turns on then immediately off. I double clicked it and then a full scan began. Below is a list of the programs I have run, in the order I ran them. I also have logs of each result.

ERUNT

rkill.exe*

unhide.exe*

mbam*

dds*

RogueKiller*

RogueKiller*

RogueKiller* Deleted Registry

RogueKiller*

OTL*

WinDefend.reg

wscsvc.reg

BFE.reg

Dnscache.reg

MpsSvc.reg

Microsoft safety scanner

McAfee RootkitRemover*

RogueKiller*

Farbar Service Scan*

Tdsskiller

Advanced SystemCare

Farbar Recovery Scan Tool*

PlugPlay zip

Combofix just now

McAfee Full Scan in progress


If you are running scans and fixes without letting me know there will be some confusion. I see a specific infection present in the logs and want to run FRST to prepare to remove it; unfortunately it is already gone and nothing shows in the FRST logs, a waste of time really.

If McAfee is active Combofix will not want to run; there will be major issues if that happens. The following is what I have used to stop McAfee running:

McAfee interferes with many of our tools. We'll need to disable McAfee.

  • Please open McAfee Security Centre
  • Under Common Tasks click on Home
  • Click Computer Files
  • Click Configure
  • Make sure the following are disabled by ticking the "Off" button:
    Virus protection
    Spyware protection
    System Guards Protection
    Script Scanning Protection (you may have to scroll down to see it)
  • Next, select never for "When to re-enable real time scanning" and click OK.


Further info on disabling and re-enabling McAfee available here: http://help.aol.com/...ternalID=222820 if required.

If that does not work, please uninstall McAfee. (If you have the CD's, or use McAfee Support, you can re-install it once we have verified that the computer is clean.)

If CF now runs post the log.

If there is still no Internet connection also run Farbar Service Scanner and post a fresh log:

Download Farbar Service Scanner from here: http://www.bleepingc...-scanner/dl/62/ and run it on the computer with the issue.

Make sure the following options are checked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender

  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


This is what happens with McAfee. I right click the McAfee icon in the system tray. The menu reads:

Open McAfee AntiVirus Plus

Check for Updates

Scan

Change Settings

Verify Subscription

View My Account

Get Help

When I open McAfee it says:

McAfee AntiVirus Plus

!Your computer is at risk

Firewall is Off

[Turn on] [ignore] [Dismiss]

Features

Virus and Spyware Protection

Web and Email Protection

PC and Home Network Tools

In the upper right hand corner it says

Home

Navigation

About

Help

When I searched for Security Center from the search on the Start menu, all the items that populated with the word Security were duplicated, and when I clicked the McAfee Security Center it took me to the above example. So I tried to uninstall it, but I cannot locate the Add/Remove Programs application.


Go here: http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe and download the McAfee removal tool, save it to your Desktop. Double click the tool to run it, Vista or Windows 7 users right click and select "Run as Administrator" re-boot when requested to complete the task.

When McAfee is gone run Combofix, post that log. let me know what issues/concerns remain...


You are infected with Rootkit.ZeroAccess! It has inserted itself into the TCP/IP stack. This is a particularly difficult infection.

If for any reason you're unable to connect to the internet after running ComboFix, reboot once and see if that resolves this

[OK]

then it says

ROOTKIT

Rootkit is detected

Be patient as this may take some moments

[OK]

