This specified service does not exist as an installed service


OK see if you can run the following from Safemode, obviously it will have to be transferred to the sick laptop:

Please download RogueKiller from here http://tigzy.geeksto...RogueKiller.exe or here http://www.sur-la-to...RogueKiller.exe and save Direct to your Desktop.

  • Quit all running programs
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • Wait until Prescan has finished...
  • The following EULA will appear, please select accept
  • Ensure MBR scan, Check faked and AntiRootkit are checked
  • Select Scan
  • When the scan completes select Report, copy and paste that to your reply.
  • The log should be found in RKreport[?].txt on your Desktop
  • Exit/Close RogueKiller

If this has been run before you may not get the EULA alert


RogueKiller worked; here is the log

RogueKiller V8.5.0 [Feb 9 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version

Started in : Safe mode with network support

User : Morgan [Admin rights]

Mode : Scan -- Date : 02/09/2013 16:36:33

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 1 ¤¤¤

[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

ÿþ1

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK2035GSS ATA Device +++++

--- User ---

[MBR] a6471346488279ab26a76220e7507f9d

[bSP] 1484d177a6412ee8722ddffc19149bb5 : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 189278 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_02092013_02d1636.txt >>

RKreport[1]_S_02092013_02d1636.txt


Well no sign of ZeroAccess in that log, if no internet connection can you run Farbar Service Scanner and post that log:

Download Farbar Service Scanner from here: http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/ and run it on the computer with the issue.

Make sure the following options are checked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender

  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


FSS log

Farbar Service Scanner Version: 30-01-2013

Ran by Morgan (administrator) on 09-02-2013 at 16:54:50

Running from "C:\Users\Morgan\Desktop"

Windows Vista Home Premium Service Pack 2 (X86)

Boot Mode: Network

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Attempt to access Google IP returned error.

Attempt to access Google.com returned error: Other errors

Attempt to access Yahoo IP returned error.

Attempt to access Yahoo.com returned error: Other errors

Windows Firewall:

=============

MpsSvc Service is not running. Checking service configuration:

The start type of MpsSvc service is OK.

The ImagePath of MpsSvc service is OK.

The ServiceDll of MpsSvc service is OK.

Checking LEGACY_MpsSvc: ATTENTION!=====> Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.

bfe Service is not running. Checking service configuration:

The start type of bfe service is OK.

The ImagePath of bfe service is OK.

The ServiceDll of bfe service is OK.

Checking LEGACY_bfe: ATTENTION!=====> Unable to open LEGACY_bfe\0000 registry key. The key does not exist.

Firewall Disabled Policy:

==================

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall"=DWORD:0

System Restore:

============

SDRSVC Service is not running. Checking service configuration:

The start type of SDRSVC service is OK.

The ImagePath of SDRSVC service is OK.

The ServiceDll of SDRSVC service is OK.

Checking LEGACY_SDRSVC: ATTENTION!=====> Unable to open LEGACY_SDRSVC\0000 registry key. The key does not exist.

VSS Service is not running. Checking service configuration:

The start type of VSS service is OK.

The ImagePath of VSS service is OK.

System Restore Disabled Policy:

========================

Security Center:

============

wscsvc Service is not running. Checking service configuration:

The start type of wscsvc service is OK.

The ImagePath of wscsvc service is OK.

The ServiceDll of wscsvc service is OK.

Checking LEGACY_wscsvc: ATTENTION!=====> Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.

Windows Update:

============

wuauserv Service is not running. Checking service configuration:

The start type of wuauserv service is OK.

The ImagePath of wuauserv service is OK.

The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:

The start type of BITS service is set to Demand. The default start type is Auto.

The ImagePath of BITS service is OK.

The ServiceDll of BITS service is OK.

Checking LEGACY_BITS: ATTENTION!=====> Unable to open LEGACY_BITS\0000 registry key. The key does not exist.

EventSystem Service is not running. Checking service configuration:

The start type of EventSystem service is OK.

The ImagePath of EventSystem service is OK.

The ServiceDll of EventSystem service is OK.

Windows Autoupdate Disabled Policy:

============================

Windows Defender:

==============

WinDefend Service is not running. Checking service configuration:

The start type of WinDefend service is set to Demand. The default start type is Auto.

The ImagePath of WinDefend service is OK.

The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:

==========================

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]

"DisableAntiSpyware"=DWORD:1

Other Services:

==============

File Check:

========

C:\Windows\system32\nsisvc.dll => MD5 is legit

C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit

C:\Windows\system32\dhcpcsvc.dll => MD5 is legit

C:\Windows\system32\Drivers\afd.sys => MD5 is legit

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit

C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit

C:\Windows\system32\dnsrslvr.dll => MD5 is legit

C:\Windows\system32\mpssvc.dll => MD5 is legit

C:\Windows\system32\bfe.dll => MD5 is legit

C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit

C:\Windows\system32\SDRSVC.dll => MD5 is legit

C:\Windows\system32\vssvc.exe => MD5 is legit

C:\Windows\system32\wscsvc.dll => MD5 is legit

C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit

C:\Windows\system32\wuaueng.dll => MD5 is legit

C:\Windows\system32\qmgr.dll => MD5 is legit

C:\Windows\system32\es.dll => MD5 is legit

C:\Windows\system32\cryptsvc.dll => MD5 is legit

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit

C:\Windows\system32\svchost.exe => MD5 is legit

C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****


OK, there are missing registry keys that must be replaced. I've attached the following zip files:

legacy_mpssvc.zip

legacy_bfe.zip

legacy_sdrsvc.zip

legacy_bits.zip

Unzip those files and save to the Desktop. They will now be named:

legacy_mpssvc.reg

legacy_bfe.reg

legacy_sdrsvc.reg

legacy_bits.reg

Leave those files as they are for now and do the following:

Please go to Start=>Run (alternatively use Windows key+R), type regedit and click OK.

Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root

Right-Click Root and select Permissions...

Click Advanced.

Under Owner tab select the entry starting with your user name, example: Farbar(Farbar-PC\Farbar)

Put a check mark next to Replace owner on subcontainers and objects and click Apply and OK.

Under Security type while Everyone is selected put a check mark in the box under Allow next to Full Control.

Click Apply and OK.

Now double-click on each of the above .reg files, and agree to any alerts and merges.

Please go back to the Root key again (as above) and, while Everyone is selected, remove the check mark in the box under Allow next to Full Control and close the registry.

Re-boot laptop, run FSS and post fresh log....

legacy_bfe.zip

legacy_bits.zip

legacy_mpssvc.zip

legacy_sdrsvc.zip
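
Added example (not part of the thread and not Farbar's code): a small Python triage of an FSS.txt log that pulls out the lines the helper is reading, namely stopped services, missing LEGACY_* keys, non-default start types and policy values. `SAMPLE_FSS` is a constructed excerpt in the format of the log posted above, and the function and field names are assumptions.

```python
import re

# Constructed excerpt in the format of the FSS.txt posted above (not the full log).
SAMPLE_FSS = r"""MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
Checking LEGACY_MpsSvc: ATTENTION!=====> Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
Checking LEGACY_BITS: ATTENTION!=====> Unable to open LEGACY_BITS\0000 registry key. The key does not exist.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
C:\Windows\system32\bfe.dll => MD5 is legit
"""

NOT_RUNNING = re.compile(r"^(\S+) Service is not running\.")
MISSING = re.compile(r"ATTENTION!=+> Unable to open (LEGACY_\w+)\\0000 registry key")
START = re.compile(r"^The start type of (\S+) service is set to (\w+)\. "
                   r"The default start type is (\w+)\.")
KEY = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE = re.compile(r'^"([^"]+)"=DWORD:(\d+)$')
FILE = re.compile(r"^(.+?) => MD5 is (.+)$")

def triage_fss(log_text):
    """Return the findings in an FSS log that need follow-up."""
    out = {"not_running": [], "missing_legacy": [], "start_type": {},
           "policy": [], "bad_files": []}
    current_key = None  # registry key that the next value line belongs to
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue  # forum pastes are often double-spaced
        if m := NOT_RUNNING.match(line):
            out["not_running"].append(m.group(1))
        elif m := MISSING.search(line):
            out["missing_legacy"].append(m.group(1))
        elif m := START.match(line):
            out["start_type"][m.group(1)] = (m.group(2), m.group(3))
        elif m := KEY.match(line):
            current_key = m.group(1)
        elif (m := VALUE.match(line)) and current_key:
            out["policy"].append((current_key, m.group(1), int(m.group(2))))
        elif (m := FILE.match(line)) and m.group(2) != "legit":
            out["bad_files"].append(m.group(1))  # any status other than "legit"
    return out

if __name__ == "__main__":
    for field, value in triage_fss(SAMPLE_FSS).items():
        print(f"{field}: {value}")
```

Running it on the log before and after the .reg merge shows directly whether the LEGACY_* entries have dropped out of `missing_legacy`.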


Ok see if you can run Roguekiller again....

  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[?].txt on your Desktop
  • Exit/Close RogueKiller


RKreport[2]copy

RogueKiller V8.5.0 [Feb 9 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version

Started in : Safe mode with network support

User : Morgan [Admin rights]

Mode : Remove -- Date : 02/09/2013 19:44:17

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 1 ¤¤¤

[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> DELETED

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

ÿþ1

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK2035GSS ATA Device +++++

--- User ---

[MBR] a6471346488279ab26a76220e7507f9d

[bSP] 1484d177a6412ee8722ddffc19149bb5 : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 189278 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[2]_D_02092013_02d1944.txt >>

RKreport[1]_S_02092013_02d1943.txt ; RKreport[2]_D_02092013_02d1944.txt


Ok see if the following will work,

Download PsExec.exe from here: http://live.sysinternals.com/psexec.exe save direct to your desktop (IMPORTANT!)

Go Start and in "Start search" type in:

cmd

Hold CTRL and SHIFT keys, press Enter.

Command prompt window will open.

Copy and paste following command:

"%userprofile%\desktop\psexec" -i -d -s c:\windows\regedit.exe

Press Enter.

Will Registry Editor now open? If so, changing permissions for any key should now be available; go back to reply #31 and see if the legacy keys can be done after permissions are changed...


OK so, when I enter cmd into the search field in Safe Mode it brings up the search menu and nothing populates.

I went back and copied the text that you wanted me to paste in the cmd box. I saved it as cmdprmpt (command prompt) on a flash drive, inserted it into the E: drive, then copied the line. I removed the flash drive from E: and then typed cmd in search. The shortcut E:\cmdprmpt.txt showed up and repeated about 30 times. I tried to delete them, but it said the file no longer existed.

Next I selected Run from the Start menu and typed in cmd. The command menu came up. The reply was: this service is not available in safe mode.

Next I restarted the laptop and searched cmd in normal mode; the command box was not a search result.

Next I selected Run from the Start menu and entered cmd. The command menu popped up. I inserted the flash drive, copied the text, removed the flash drive (USB ports previously did not work but work now) and pasted the text to cmd.exe.

response

PsExec v1.98 - Execute process remotely

Copyright <C> 2001-2010 Mark Russinovich

Sysinternals - www.sysinternals.com

Couldn't install PsExec Service:

Access denied


We are not making any progress, see if you can run the following repair tool:

Please download Windows Repair (all in one) from one of the following:

http://www.tweaking....all_in_one.html

http://www.majorgeek...able_d7222.html

http://www.bleepingc...n-one-portable/

Unzip the contents into a newly created folder on your desktop.

Open the folder, run the tool by right click on Repair_Windows (icon with red briefcase) select "Run as Administrator"

From the main GUI do the following:

Select Tab 2 and allow it to run Disk check

Select Tab 3 and allow it to run SFC

Select Tab 4 and Create System Restore Point

Select Repairs tab => Click the Start

The repairs window will open. Check the boxes as indicated, also the "Restart" options, then select Start...

Tweak6_zpsd6411a53.jpg

DON'T use the computer while each scan is in progress. (If any steps fail, move to the next one.)

Post the log that will be saved in this folder C:\Tweaking.com_windows_Repair_Logs named _Windows_Repair_Log


  • 2 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.