This speciefied service does not exist as an installed service

Maurice Naggar · February 22, 2013

Topic re-opened per request.

AllanGay · February 22, 2013

Ok i ran the program from Tweaking.com as instructed above. however, there was no file named c:\tweaking.com_windows_repair_logs. I did find these logs in the log folder in the tweaking.com folder:

Windows_repair_hkey_local_machine_3_log.txt

WARNING HKEY_LOCAL_MACHINE\SOFTWARE\Classes\* : registry key is skipped (contains wildcard)

WARNING HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\mk\* : registry key is skipped (contains wildcard)

WARNING HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\iexplore\AllowedDomains\* : registry key is skipped (contains wildcard)

WARNING HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\iexplore\AllowedDomains\* : registry key is skipped (contains wildcard)

WARNING HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\Dlwin.exe\* : registry key is skipped (contains wildcard)

WARNING HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\MSWIN.EXE\* : registry key is skipped (contains wildcard)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009 - RegSetKeySecurity Error : 6 The handle is invalid.

WARNING HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBCINST.INI\* : registry key is skipped (contains wildcard)

WARNING HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0004\Ndi\Params\* : registry key is skipped (contains wildcard)

WARNING HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0008\Ndi\params\* : registry key is skipped (contains wildcard)

WARNING HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CriticalDeviceDatabase\* : registry key is skipped (contains wildcard)

WARNING HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{ad498944-762f-11d0-8dcb-00c04fc3358c}\* : registry key is skipped (contains wildcard)

WARNING HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{cac88484-7515-4c03-82e6-71a87abac361}\* : registry key is skipped (contains wildcard)

WARNING HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\* : registry key is skipped (contains wildcard)

WARNING HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0004\Ndi\Params\* : registry key is skipped (contains wildcard)

WARNING HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0008\Ndi\params\* : registry key is skipped (contains wildcard)

WARNING HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\CriticalDeviceDatabase\* : registry key is skipped (contains wildcard)

WARNING HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\DeviceClasses\{ad498944-762f-11d0-8dcb-00c04fc3358c}\* : registry key is skipped (contains wildcard)

WARNING HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\DeviceClasses\{cac88484-7515-4c03-82e6-71a87abac361}\* : registry key is skipped (contains wildcard)

WARNING HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\* : registry key is skipped (contains wildcard)

WARNING HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0004\Ndi\Params\* : registry key is skipped (contains wildcard)

WARNING HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0008\Ndi\params\* : registry key is skipped (contains wildcard)

WARNING HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\* : registry key is skipped (contains wildcard)

WARNING HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{ad498944-762f-11d0-8dcb-00c04fc3358c}\* : registry key is skipped (contains wildcard)

WARNING HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{cac88484-7515-4c03-82e6-71a87abac361}\* : registry key is skipped (contains wildcard)

WARNING HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\* : registry key is skipped (contains wildcard)

kevinf80 · February 22, 2013

This file should have been in the Tweaking.com folder _Windows_Repair_Log that is the log from the final step of the process where all of the system repairs are carried out. Do you not have that log?

What is the current status of the system, what issues/concerns are still present...

AllanGay · February 25, 2013

ok Kevin there has been much progress. There are some things still unresolved also. Originally in normal mode the following items returned the response, The specified service does not exist as an installed service:

The Local Internet Connection/Connect to a network

Volume Control

USB ports

Any files ending .exe

McAfee anti virus

Malwarebytes Anti-Malware

Pictures

Videos

Now, at this point the Volume Control, USB ports, Pictures and Videos have returned in normal mode. Some funtionality to the Network Connection has returned but not all. if you hover over the computer icon in the system tray it says " the specified service...." If you click the icon, you are able to open the connect to network window, which populates with active networks, this was not possible before. when i select my network and click connect, it says "windows cannot connect to ATT001" When i click "diagnose the problem" it says:

"Windows is not set to automatically connect to ATT01.

You need t select a wireless network and connect to it.

->View available wireless networks

You can select a network and connect to it and save it on the preferred network list.

[Cancel]"

When i click View available wireless networks, the process starts all over again. I even went so far as to try to set up a new router access point or connect to network but, there was a windows shield icon on the [Next] button and the next page would not open. I am still ipressed because non of these actions were possible before.

Files ending with .exe .scr .dat anything other than .txt return the response "The specified service..."

McAfee is uninstalled, Malwarebytes, FSS, Tweaking.com, ComboFix, RogueKiller all have the windows shield icon, and cannot be run as administrator the all return the response, "The specified service..."

Just because,... i clicked unhide.exe I had been using to gain access to my USB ports, some files in my system 32 folder appear and something inside my recycle bin appears then rehides itself, everytime i click unhide it does that. then a window pops up that says my recycle bin is corrupted. This only happens in safe mode, however the unhide.exe/.scr does not work in Normal mode.

Thats everything i have.

AllanGay · February 25, 2013

Also, there is no tweaking.com_windows_repair_log. It never appeared to fully run. because apon system restart it would not work in normal mode and if I pressed f8 it still never cntinued any further actions maybe that is why there is not a log.

AllanGay · February 25, 2013

OK, there were missing registry keys that need to be replaced, You attached the following zip files:

legacy_mpssvc.zip

legacy_bfe.zip

legacy_sdrsvc.zip

legacy_bits.zip

I unzipped those files and saved to the Desktop, They were renamed:

legacy_mpssvc.reg

legacy_bfe.reg

legacy_sdrsvc.reg

legacy_bits.reg

Next I did the following:

Windows key+R), type regedit and clicked OK.

Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root

Right-Click Root and selected Permissions...

Clicked Advanced.

Under Owner tab selected the entry starting with my user name, example: Farbar(Farbar-PC\Farbar)

Put a check mark next to Replace owner on subcontainers and objects and clicked Apply.

The response was:

"Owner

Registry Editor could not set owner on the key currently selected, or some of its subkeys.

[OK]"

Under Security type while Everyone was selected I put a check mark in the box under Allow next to Full Control.

Click Apply and OK.

It was accepted.

I went to the Desktop right clicked the .reg files and selected merge and all files were succesfully merged.

I ran RogueKiller and got a hit.

RogueKiller V8.5.0 [Feb 9 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version

Started in : Safe mode with network support

User : Morgan [Admin rights]

Mode : Scan -- Date : 02/25/2013 12:44:37

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 1 ¤¤¤

[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

ÿþ1

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++

--- User ---

[MBR] a6471346488279ab26a76220e7507f9d

[bSP] 1484d177a6412ee8722ddffc19149bb5 : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 189278 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_02252013_02d1244.txt >>

RKreport[1]_S_02252013_02d1244.txt

AllanGay · February 25, 2013

Next i selected the Registry tab and deleted the following:

HJPOL HKCU Software\Micrsoft\Windows\CurrentVersion\Policies\System Disableregistrytools

RogueKiller V8.5.0 [Feb 9 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version

Started in : Safe mode with network support

User : Morgan [Admin rights]

Mode : Remove -- Date : 02/25/2013 13:04:21

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 1 ¤¤¤

[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> DELETED

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

ÿþ1

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++

--- User ---

[MBR] a6471346488279ab26a76220e7507f9d

[bSP] 1484d177a6412ee8722ddffc19149bb5 : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 189278 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[2]_D_02252013_02d1304.txt >>

RKreport[1]_S_02252013_02d1244.txt ; RKreport[2]_D_02252013_02d1304.txt

Next i selected the files tab it was clear.

AllanGay · February 25, 2013

I found these 2 registry entries, i think they are not helping

HKLM\Software\Polocies\Microsoft\Windows NT\SystemRestore - DisableSR

HKLM\Software\Polocies\Microsoft\Windows NT\SystemRestore - DisableConfig

kevinf80 · February 25, 2013

Run this please:

Please download exeHelper from here: http://www.raktor.net/exeHelper/exeHelper.com[/url ] save to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Next,

Can you run Farbar Service Scanner, I include full instruction:

Download Farbar Service Scanner from here: http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/ and run it on the computer with the issue.

Make sure the following options are checked:

AllanGay · February 25, 2013

workingg on those things now

AllanGay · February 25, 2013

exehelperlog.txt

exeHelper by Raktor

Build 20100414

Run at 17:58:26 on 02/25/13

Now searching...

Checking for numerical processes...

Checking for sysguard processes...

Checking for bad processes...

Checking for bad files...

Checking for bad registry entries...

Resetting filetype association for .exe

Resetting filetype association for .com

Resetting userinit and shell values...

Resetting policies...

--Finished--

FSSlog.txt

Farbar Service Scanner Version: 30-01-2013

Ran by Morgan (administrator) on 25-02-2013 at 18:00:48

Running from "C:\Users\Morgan\Desktop"

Windows Vista Home Premium Service Pack 2 (X86)

Boot Mode: Network

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Attempt to access Google IP returned error.

Attempt to access Google.com returned error: Other errors

Attempt to access Yahoo IP returned error.

Attempt to access Yahoo.com returned error: Other errors

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

SDRSVC Service is not running. Checking service configuration:

The start type of SDRSVC service is OK.

The ImagePath of SDRSVC service is OK.

The ServiceDll of SDRSVC service is OK.

Checking LEGACY_SDRSVC: ATTENTION!=====> Unable to open LEGACY_SDRSVC\0000 registry key. The key does not exist.

VSS Service is not running. Checking service configuration:

The start type of VSS service is OK.

The ImagePath of VSS service is OK.

System Restore Disabled Policy:

========================

Security Center:

============

wscsvc Service is not running. Checking service configuration:

The start type of wscsvc service is OK.

The ImagePath of wscsvc service is OK.

The ServiceDll of wscsvc service is OK.

Checking LEGACY_wscsvc: ATTENTION!=====> Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.

Windows Update:

============

wuauserv Service is not running. Checking service configuration:

The start type of wuauserv service is OK.

The ImagePath of wuauserv service is OK.

The ServiceDll of wuauserv: "C:\Windows\system32\wuaueng.dll".

BITS Service is not running. Checking service configuration:

The start type of BITS service is OK.

The ImagePath of BITS service is OK.

The ServiceDll of BITS service is OK.

EventSystem Service is not running. Checking service configuration:

The start type of EventSystem service is OK.

The ImagePath of EventSystem service is OK.

The ServiceDll of EventSystem service is OK.

Windows Autoupdate Disabled Policy:

============================

Windows Defender:

==============

WinDefend Service is not running. Checking service configuration:

The start type of WinDefend service is OK.

The ImagePath of WinDefend service is OK.

The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:

==========================

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]

"DisableAntiSpyware"=DWORD:1

Other Services:

==============

File Check:

========

C:\Windows\system32\nsisvc.dll => MD5 is legit

C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit

C:\Windows\system32\dhcpcsvc.dll => MD5 is legit

C:\Windows\system32\Drivers\afd.sys => MD5 is legit

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit

C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit

C:\Windows\system32\dnsrslvr.dll => MD5 is legit

C:\Windows\system32\mpssvc.dll => MD5 is legit

C:\Windows\system32\bfe.dll => MD5 is legit

C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit

C:\Windows\system32\SDRSVC.dll => MD5 is legit

C:\Windows\system32\vssvc.exe => MD5 is legit

C:\Windows\system32\wscsvc.dll => MD5 is legit

C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit

C:\Windows\system32\wuaueng.dll => MD5 is legit

C:\Windows\system32\qmgr.dll => MD5 is legit

C:\Windows\system32\es.dll => MD5 is legit

C:\Windows\system32\cryptsvc.dll => MD5 is legit

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit

C:\Windows\system32\ipnathlp.dll => MD5 is legit

C:\Windows\system32\iphlpsvc.dll => MD5 is legit

C:\Windows\system32\svchost.exe => MD5 is legit

C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****

AllanGay · February 25, 2013

RoguekillerReport

RogueKiller V8.5.0 [Feb 9 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version

Started in : Safe mode with network support

User : Morgan [Admin rights]

Mode : Scan -- Date : 02/25/2013 18:08:57

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 5 ¤¤¤

[iFEO] HKLM\[...]\d3d9caps.dat : Debugger (IFEO_Dummy.exe) -> FOUND

[HJPOL] HKCU\[...]\System : DisableCMD (0) -> FOUND

[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

[HJPOL] HKLM\[...]\System : DisableCMD (0) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

ÿþ1

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK2035GSS ATA Device +++++

--- User ---

[MBR] a6471346488279ab26a76220e7507f9d

[bSP] 1484d177a6412ee8722ddffc19149bb5 : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 189278 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[4]_S_02252013_02d1808.txt >>

RKreport[1]_S_02252013_02d1244.txt ; RKreport[2]_D_02252013_02d1304.txt ; RKreport[3]_S_02252013_02d1322.txt ; RKreport[4]_S_02252013_02d1808.txt

kevinf80 · February 25, 2013

Download Services Repair tool, available here - http://kb.eset.com/library/ESET/KB%20Team%20Only/Malware/ServicesRepair.exe and Save it to your Desktop. Right click on it and select Run As Administrator, follow the prompts. It should reboot when it finishes. If not reboot it yourself.

Next,

Rerun FSS and post a fresh log....

AllanGay · February 25, 2013

After running ServicesRepairTool(SafeMode) this is the FFS.txt log

Farbar Service Scanner Version: 30-01-2013

Ran by Morgan (administrator) on 25-02-2013 at 18:37:46

Running from "C:\Users\Morgan\Desktop"

Windows Vista Home Premium Service Pack 2 (X86)

Boot Mode: Network

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Attempt to access Google IP returned error.

Attempt to access Google.com returned error: Other errors

Attempt to access Yahoo IP returned error.

Attempt to access Yahoo.com returned error: Other errors

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

SDRSVC Service is not running. Checking service configuration:

The start type of SDRSVC service is OK.

The ImagePath of SDRSVC service is OK.

The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:

The start type of VSS service is OK.

The ImagePath of VSS service is OK.

System Restore Disabled Policy:

========================

Security Center:

============

wscsvc Service is not running. Checking service configuration:

The start type of wscsvc service is OK.

The ImagePath of wscsvc service is OK.

The ServiceDll of wscsvc service is OK.

Checking LEGACY_wscsvc: ATTENTION!=====> Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.

Windows Update:

============

wuauserv Service is not running. Checking service configuration:

The start type of wuauserv service is OK.

The ImagePath of wuauserv service is OK.

The ServiceDll of wuauserv: "C:\Windows\system32\wuaueng.dll".

BITS Service is not running. Checking service configuration:

The start type of BITS service is OK.

The ImagePath of BITS service is OK.

The ServiceDll of BITS service is OK.

EventSystem Service is not running. Checking service configuration:

The start type of EventSystem service is OK.

The ImagePath of EventSystem service is OK.

The ServiceDll of EventSystem service is OK.

Windows Autoupdate Disabled Policy:

============================

Windows Defender:

==============

WinDefend Service is not running. Checking service configuration:

The start type of WinDefend service is OK.

The ImagePath of WinDefend service is OK.

The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:

==========================

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]

"DisableAntiSpyware"=DWORD:1

Other Services:

==============

File Check:

========

C:\Windows\system32\nsisvc.dll => MD5 is legit

C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit

C:\Windows\system32\dhcpcsvc.dll => MD5 is legit

C:\Windows\system32\Drivers\afd.sys => MD5 is legit

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit

C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit

C:\Windows\system32\dnsrslvr.dll => MD5 is legit

C:\Windows\system32\mpssvc.dll => MD5 is legit

C:\Windows\system32\bfe.dll => MD5 is legit

C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit

C:\Windows\system32\SDRSVC.dll => MD5 is legit

C:\Windows\system32\vssvc.exe => MD5 is legit

C:\Windows\system32\wscsvc.dll => MD5 is legit

C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit

C:\Windows\system32\wuaueng.dll => MD5 is legit

C:\Windows\system32\qmgr.dll => MD5 is legit

C:\Windows\system32\es.dll => MD5 is legit

C:\Windows\system32\cryptsvc.dll => MD5 is legit

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit

C:\Windows\system32\ipnathlp.dll => MD5 is legit

C:\Windows\system32\iphlpsvc.dll => MD5 is legit

C:\Windows\system32\svchost.exe => MD5 is legit

C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****

kevinf80 · February 26, 2013

I attach legacy_wscsvc.zip to this reply, unzip to your Desktop so you have legacy_wscsvc.reg leave it for now and continue:

Please go to Start=>Run (alternatively use Windows key+R), type regedit and click OK.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
Right-Click Root and select Permissions...
Click Advanced.
Under Owner tab select the entry starting with your user name, example: Farbar(Farbar-PC\Farbar)
Put a check mark next to Replace owner on subcontainers and objects and click Apply and OK.
Under Security type while Everyone is selected put a check mark in the box under Allow next to Full Control.
Click Apply and OK.

Now double-click legacy_wscsvc.reg accept any merge alerts or prompts.

Please go back to the the Root key again while Everyone is selected remove check mark in the box under Allow next to Full Control and close the registry.

Re-boot the system and run FSS one more time..

legacy_wscsvc.zip

AllanGay · February 26, 2013

FSS.text

Farbar Service Scanner Version: 30-01-2013

Ran by Morgan (administrator) on 25-02-2013 at 19:56:24

Running from "C:\Users\Morgan\Desktop"

Windows Vista Home Premium Service Pack 2 (X86)

Boot Mode: Network

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Attempt to access Google IP returned error.

Attempt to access Google.com returned error: Other errors

Attempt to access Yahoo IP returned error.

Attempt to access Yahoo.com returned error: Other errors

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

SDRSVC Service is not running. Checking service configuration:

The start type of SDRSVC service is OK.

The ImagePath of SDRSVC service is OK.

The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:

The start type of VSS service is OK.

The ImagePath of VSS service is OK.

System Restore Disabled Policy:

========================

Security Center:

============

wscsvc Service is not running. Checking service configuration:

The start type of wscsvc service is OK.

The ImagePath of wscsvc service is OK.

The ServiceDll of wscsvc service is OK.

Windows Update:

============

wuauserv Service is not running. Checking service configuration:

The start type of wuauserv service is OK.

The ImagePath of wuauserv service is OK.

The ServiceDll of wuauserv: "C:\Windows\system32\wuaueng.dll".

BITS Service is not running. Checking service configuration:

The start type of BITS service is OK.

The ImagePath of BITS service is OK.

The ServiceDll of BITS service is OK.

EventSystem Service is not running. Checking service configuration:

The start type of EventSystem service is OK.

The ImagePath of EventSystem service is OK.

The ServiceDll of EventSystem service is OK.

Windows Autoupdate Disabled Policy:

============================

Windows Defender:

==============

WinDefend Service is not running. Checking service configuration:

The start type of WinDefend service is OK.

The ImagePath of WinDefend service is OK.

The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:

==========================

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]

"DisableAntiSpyware"=DWORD:1

Other Services:

==============

File Check:

========

C:\Windows\system32\nsisvc.dll => MD5 is legit

C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit

C:\Windows\system32\dhcpcsvc.dll => MD5 is legit

C:\Windows\system32\Drivers\afd.sys => MD5 is legit

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit

C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit

C:\Windows\system32\dnsrslvr.dll => MD5 is legit

C:\Windows\system32\mpssvc.dll => MD5 is legit

C:\Windows\system32\bfe.dll => MD5 is legit

C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit

C:\Windows\system32\SDRSVC.dll => MD5 is legit

C:\Windows\system32\vssvc.exe => MD5 is legit

C:\Windows\system32\wscsvc.dll => MD5 is legit

C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit

C:\Windows\system32\wuaueng.dll => MD5 is legit

C:\Windows\system32\qmgr.dll => MD5 is legit

C:\Windows\system32\es.dll => MD5 is legit

C:\Windows\system32\cryptsvc.dll => MD5 is legit

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit

C:\Windows\system32\ipnathlp.dll => MD5 is legit

C:\Windows\system32\iphlpsvc.dll => MD5 is legit

C:\Windows\system32\svchost.exe => MD5 is legit

C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****

kevinf80 · February 26, 2013

Will Combofix run OK now, I give full instruction:

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from the following link :-

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Ensure that Combofix is saved directly to the Desktop <--- Very important
Disable all security programs as they will have a negative effect on Combofix, instructions available here http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed, if you need more help please ask.
Close any open browsers and any other programs you might have running
Double click the icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator)
Instructions for running Combofix available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here http://thespykiller.co.uk/index.php?page=20 why disabling autoruns is recommended.

*EXTRA NOTES*

If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
If Combofix reboot's due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
If after running Combofix you receive any type of warning message about registry key's being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

Post the log in next reply please...

Kevin

AllanGay · February 26, 2013

i'm getting nowhere. everytime the system has to restart. nothing happens due to the fact that none of these programs work in normal mode. Combofix ran. it found rootkit.zeroaccess. it needed to reboot to remove the rootkit. it said if the internet services did not return to run Combofix one more time. nothing changed. so, i ran combo fix again, and, the same results happened twice. there was no log created. i went to c:\combofix to search for the text file. i did not find it. while in combo fix i double clicked on some of the .cmd and some of them ran, sme returned failed attempts due to not having administrator rights

kevinf80 · February 26, 2013

Yep I understand your frustration, Zeroaccess is very nasty infection, it will make many changes to system files etc... When we attempt to run specific tools from inside of Windows we have negative impact.

Probably we are at a stage where a re-install of the OS is the best way forward, that is an action I do not like to take, but occasionally is the only way ahead. Before we do that run Farbar Recovery Scan Tool one more time, see if we are missing anything obvious. I give full instruction again if needed..

Please download Farbar Recovery Scan Tool from here:

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

save it to a flash drive. Ensure to get the correct version for your system, 32 bit or 64 bit

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Plug the flash drive into the infected PC.

If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt Here: http://www.bleepingcomputer.com/tutorials/windows-8-recovery-environment-command-prompt/ to enter System Recovery Command prompt.

If you are using Vista or Windows 7 enter System Recovery Options.

Plug the flashdrive into the infected PC.

Enter System Recovery Options I give two methods, use whichever is convenient for you.

To enter System Recovery Options from the Advanced Boot Options:

Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Select Your Country as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:

Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Select Your Country as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

Startup Repair

System Restore

Windows Complete PC Restore

Windows Memory Diagnostic Tool

Command Prompt

Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst64 or e:\frst depending on your version. Press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Next,

I want you to open Regedit and navigate to each of the following keys in turn, on the last entry right click on that folder and choose Export Save that reg key export to your Desktop.

Right click on each of the exported keys > select > send to > compressed (zipped) folder. Those zipped folders will be saved in same place. Attach each zip folder to your next reply

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore]

In reply post FRST log, also attach each zip file.

Thank you,

Kevin...

AllanGay · February 27, 2013

Frst.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 06-02-2013 (ATTENTION: FRST version is 20 days old)

Ran by SYSTEM at 26-02-2013 19:08:52

Running from F:\

Windows Vista Home Premium (X86) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [igfxTray] DOWS\SYSTEM32\IGFXTRAY.EXE [x]

HKLM\...\Run: [HotKeysCmds] DOWS\SYSTEM32\HKCMD.EXE [x]

HKLM\...\Run: [Persistence] DOWS\SYSTEM32\IGFXPERS.EXE [x]

HKLM\...\Run: [TPwrMain] .EXE [x]

HKLM\...\Run: [smoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [448080 2007-06-15] (TOSHIBA Corporation)

HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]

HKLM\...\Run: [synTPStart] TPSTART.EXE [x]

HKLM\...\Run: [NDSTray.exe] DSTRAY.EXE [x]

HKLM\...\Run: [Windows Mobile-based device management] C.EXE [x]

HKLM\...\Run: [sSBkgdUpdate] G -BOOT [x]

HKLM\...\Run: [OpwareSE4] IPAGESE4\OPWARESE4.EXE" [x]

HKLM\...\Run: [sunJavaUpdateSched] FILES\JAVA\JAVA UPDATE\JUSCHED.EXE" [x]

HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [40368 2011-08-30] (Adobe Systems Incorporated)

HKLM\...\Run: [Adobe ARM] FILES\ADOBE\ARM\1.0\ADOBEARM.EXE" [x]

HKLM\...\Run: [synTPEnh] H.EXE [x]

HKLM\...\Run: [PAP7501_Monitor] DOWS\PIXART\PAP7501\GUCI_AVS.EXE [x]

HKLM\...\Run: [Malwarebytes' Anti-Malware] TI-MALWARE\MBAMGUI.EXE" /STARTTRAY [x]

HKLM\...\Run: [QuickTime Task] "C:\Windows\System32\qttask.exe" -atboottime [98304 2013-02-25] (Apple Computer, Inc.)

HKU\Morgan\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-18] (Microsoft Corporation)

HKU\Morgan\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [68856 2008-05-13] (Google Inc.)

HKU\Morgan\...\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet [5248312 2010-03-19] (Yahoo! Inc.)

HKU\Morgan\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [8704 2006-11-02] (Microsoft Corporation)

HKU\Morgan\...\Run: [EasyTether] "C:\Program Files\Mobile Stream\EasyTether\easytthr.exe" [48648 2011-05-22] (Mobile Stream)

HKU\Morgan\...\Run: [Advanced SystemCare 6] "C:\Program Files\IObit\Advanced SystemCare 6\ASCTray.exe" /AutoStart [490880 2012-09-24] (IObit)

HKLM\...\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [462408 2012-04-04] (Malwarebytes Corporation)

HKLM\...\Runonce: [GrpConv] grpconv -o [x]

Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62

Startup: C:\Users\Morgan\Start Menu\Programs\Startup\Yahoo! Widgets.lnk

ShortcutTarget: Yahoo! Widgets.lnk -> C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe (Yahoo! Inc.)

==================== Services (Whitelisted) ===================

2 AdvancedSystemCareService6; C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe [464256 2012-10-31] (IObit)

2 gupdate1c9872b7d755da3; "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc [133104 2009-02-04] (Google Inc.)

2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [106280 2013-02-26] (SurfRight B.V.)

2 KillZA; "C:\Users\Morgan\Desktop\killza\KillZA\KillZA.exe" /svc [834488 2012-10-16] (Foolish IT)

3 LiveUpdate; "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE" [3093872 2008-06-30] (Symantec Corporation)

2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [654408 2012-04-04] (Malwarebytes Corporation)

2 pinger; C:\TOSHIBA\IVP\ISM\pinger.exe [136816 2007-01-25] ()

3 PSEXESVC; C:\Windows\PSEXESVC.EXE [181064 2013-02-25] (Sysinternals)

2 TosCoSrv; "C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe" [427576 2007-03-29] (TOSHIBA Corporation)

2 UleadBurningHelper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [49152 2006-08-23] (Ulead Systems, Inc.)

2 WebClient; C:\Windows\System32\svchost.exe -k LocalService [21504 2008-01-18] (Microsoft Corporation)

2 WPDBusEnum; C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [21504 2008-01-18] (Microsoft Corporation)

3 ATTRcAppSvc; "C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe" /n "ATTRcAppSvc" [x]

3 CAATT; "C:\Program Files\AT&T\Communication Manager\ConAppsSvc.exe" /n "CAATT" [x]

2 napagent32; C:\Windows\system32\ddraw32.exe [x]

==================== Drivers (Whitelisted) ====================

3 easytether; C:\Windows\System32\DRIVERS\easytthr.sys [17296 2011-05-22] (Mobile Stream)

3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [22344 2012-04-04] (Malwarebytes Corporation)

3 NMgamingmsFltr; C:\Windows\System32\drivers\NMgamingms.sys [9472 2009-07-24] (Primax Ltd)

3 swmsflt; C:\Windows\System32\drivers\swmsflt.sys [874496 2006-11-02] (Microsoft Corporation)

3 SWNC8U56; C:\Windows\System32\DRIVERS\swnc8u56.sys [101248 2007-06-27] (Sierra Wireless Inc.)

3 SWUMX56; C:\Windows\System32\DRIVERS\swumx56.sys [73856 2007-06-27] (Sierra Wireless Inc.)

3 usbbus; C:\Windows\System32\DRIVERS\lgusbbus.sys [13056 2008-11-11] (LG Electronics Inc.)

3 UsbDiag; C:\Windows\System32\DRIVERS\lgusbdiag.sys [19968 2008-11-11] (LG Electronics Inc.)

3 USBModem; C:\Windows\System32\DRIVERS\lgusbmodem.sys [24832 2008-11-11] (LG Electronics Inc.)

4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]

3 catchme; \??\C:\Users\Morgan\AppData\Local\Temp\catchme.sys [x]

2 CWMonitor; \??\C:\Program Files\Common Files\Symantec Shared\coShared\CW\1.5\CO_Mon.sys [x]

3 EagleNT; \??\C:\Windows\system32\drivers\EagleNT.sys [x]

3 GEARAspiWDM; C:\Windows\System32\Drivers\GEARAspiWDM.sys [x]

3 IO_Memory; \??\C:\WINDOWS\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]

3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]

3 lvpopflt; C:\Windows\System32\DRIVERS\lvpopflt.sys [x]

3 LVUSBSta; C:\Windows\System32\drivers\LVUSBSta.sys [x]

3 LVUVC; C:\Windows\System32\DRIVERS\lvuvc.sys [x]

2 MCSTRM; [x]

3 MFE_RR; \??\C:\Users\Morgan\AppData\Local\Temp\mfe_rr.sys [x]

3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]

3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

3 PCTINDIS5; \??\C:\Windows\system32\PCTINDIS5.SYS [x]

3 SVRPEDRV; \??\C:\Windows\System32\sysprep\UP_date\PEDrv.sys [x]

3 tosporte; C:\Windows\System32\DRIVERS\tosporte.sys [x]

3 Tosrfcom; C:\Windows\System32\Drivers\tosrfcom.sys [x]

3 USBAAPL; C:\Windows\System32\Drivers\usbaapl.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-02-26 12:59 - 2013-02-26 12:59 - 00001715 ____A C:\Users\Morgan\Desktop\RKreport[1]_S_02262013_02d1559.txt

2013-02-26 11:34 - 2012-03-06 07:16 - 00131072 ____A (FoolishIT.com) C:\Windows\GooG.exe

2013-02-26 11:16 - 2013-02-26 11:16 - 00000000 ____D C:\Program Files\HitmanPro

2013-02-26 11:15 - 2013-02-26 11:15 - 00000000 ____D C:\Users\All Users\HitmanPro

2013-02-26 11:15 - 2013-02-26 11:15 - 00000000 ____D C:\Users\All Users\Application Data\HitmanPro

2013-02-26 08:59 - 2013-02-26 08:59 - 00000000 ____D C:\Windows\SoftwareDistribution.old

2013-02-25 18:18 - 2013-02-26 08:44 - 00000000 ____D C:\ComboFix

2013-02-25 17:50 - 2013-02-25 18:59 - 00000000 ____D C:\Windows\System32\CatRoot2.old

2013-02-25 16:47 - 2013-02-25 16:47 - 00000000 ____D C:\Users\Morgan\Desktop\legacy_wscsvc

2013-02-25 16:46 - 2013-02-25 16:40 - 00000486 ____A C:\Users\Morgan\Desktop\legacy_wscsvc.zip

2013-02-25 15:28 - 2013-02-25 15:28 - 00000000 ____D C:\Users\Public\Desktop\CC Support

2013-02-25 15:28 - 2013-02-25 15:17 - 04009167 ____A C:\Users\Morgan\Desktop\ServicesRepair.exe

2013-02-25 14:58 - 2013-02-25 14:51 - 00294400 ____A C:\Users\Morgan\Desktop\exeHelper.com

2013-02-25 14:22 - 2013-02-25 14:22 - 00000052 ____A C:\Windows\avmcoins.log

2013-02-25 14:20 - 2013-02-25 14:20 - 00000002 ____A C:\Windows\Twain001.Mtx

2013-02-25 14:18 - 2013-02-25 14:18 - 00000197 ____A C:\Windows\ODBCINST.INI

2013-02-22 11:02 - 2013-02-26 08:34 - 00000263 ____A C:\Windows\zerobyte_files_deleted.txt

2013-02-22 11:02 - 2013-02-26 08:34 - 00000261 ____A C:\Windows\System32\zerobyte_files_deleted.txt

2013-02-22 10:56 - 2012-07-30 07:14 - 00031616 ____A C:\Windows\System32\FoolishEventLogMsgHelper.dll

2013-02-22 10:40 - 2013-02-22 10:40 - 00000556 ____A C:\Users\Morgan\Desktop\D7.exe - Shortcut.lnk

2013-02-22 10:39 - 2013-02-22 10:39 - 00000628 ____A C:\Users\Morgan\Desktop\KillZA.exe - Shortcut.lnk

2013-02-22 10:37 - 2013-02-22 10:37 - 00053248 ____A C:\Windows\System32\zlib.dll

2013-02-22 10:35 - 2013-02-26 13:47 - 00000000 ____D C:\Support

2013-02-22 10:34 - 2013-02-22 10:35 - 00000000 ____D C:\Users\Morgan\Desktop\killza

2013-02-22 09:53 - 2013-02-22 09:54 - 00000000 ____D C:\Users\Morgan\Desktop\D7

2013-02-22 05:27 - 2013-02-22 05:27 - 00000207 ____A C:\Windows\tweaking.com-regbackup-NONPAREIL-Microsoft®-Windows-Vista™-Home-Premium-(32-bit).dat

2013-02-22 05:26 - 2013-02-22 05:26 - 00000000 ____D C:\RegBackup

2013-02-22 04:30 - 2013-02-22 04:30 - 00002079 ____A C:\Users\Public\Desktop\Tweaking.com - Windows Repair (All in One).lnk

2013-02-22 04:30 - 2013-02-22 04:30 - 00000000 ____D C:\Program Files\Tweaking.com

2013-02-22 04:06 - 2013-02-22 04:26 - 00000000 ____D C:\Users\Morgan\Desktop\M.W

2013-02-09 17:46 - 2013-02-25 12:53 - 00181064 ____A (Sysinternals) C:\Windows\PSEXESVC.EXE

2013-02-09 16:41 - 2013-02-26 12:58 - 00000000 ____D C:\Users\Morgan\Desktop\RK_Quarantine

2013-02-09 15:12 - 2013-02-09 15:12 - 00001306 ____A C:\Windows\setupact.log

2013-02-09 14:48 - 2013-02-09 14:48 - 00000000 ____D C:\Users\Morgan\Desktop\legacy_sdrsvc

2013-02-09 14:48 - 2013-02-09 14:48 - 00000000 ____D C:\Users\Morgan\Desktop\legacy_mpssvc

2013-02-09 14:48 - 2013-02-09 14:48 - 00000000 ____D C:\Users\Morgan\Desktop\legacy_bits

2013-02-09 14:48 - 2013-02-09 14:48 - 00000000 ____D C:\Users\Morgan\Desktop\legacy_bfe

2013-02-09 13:35 - 2013-02-09 13:29 - 00782848 ____A C:\Users\Morgan\Desktop\RogueKiller.exe

2013-02-09 12:16 - 2013-02-26 13:01 - 00027384 ____A C:\Windows\PFRO.log

2013-02-09 12:14 - 2013-02-09 12:14 - 00000000 ____D C:\Users\All Users\McAfee

2013-02-09 12:14 - 2013-02-09 12:14 - 00000000 ____D C:\Users\All Users\Application Data\McAfee

2013-02-09 12:09 - 2013-02-09 12:03 - 03177840 ____A (McAfee, Inc.) C:\Users\Morgan\Desktop\MCPR.exe

2013-02-09 10:45 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe

2013-02-09 10:45 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe

2013-02-09 10:45 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe

2013-02-09 10:45 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe

2013-02-09 10:45 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe

2013-02-09 10:45 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe

2013-02-09 10:45 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe

2013-02-09 10:45 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe

2013-02-09 10:37 - 2013-02-25 17:33 - 05034894 ___RA (Swearware) C:\Users\Morgan\Desktop\ComboFix.exe

2013-02-08 16:12 - 2013-02-08 16:13 - 00000000 ____D C:\Users\All Users\IObit

2013-02-08 16:12 - 2013-02-08 16:13 - 00000000 ____D C:\Users\All Users\Application Data\IObit

2013-02-08 16:12 - 2013-02-08 16:12 - 00000000 ____D C:\Users\Morgan\Application Data\IObit

2013-02-08 16:12 - 2013-02-08 16:12 - 00000000 ____D C:\Users\Morgan\AppData\Roaming\IObit

2013-02-08 16:12 - 2013-02-08 16:12 - 00000000 ____D C:\Program Files\IObit

2013-02-08 13:30 - 2013-02-08 13:30 - 00000000 ____D C:\FRST

2013-02-08 12:30 - 2012-05-15 11:51 - 02045440 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2013-02-08 10:53 - 2013-02-25 19:28 - 00000000 ____D C:\Users\Morgan\Desktop\reports

==================== One Month Modified Files and Folders ========

2013-02-26 15:53 - 2007-12-26 17:16 - 01465054 ____A C:\Windows\WindowsUpdate.log

2013-02-26 15:53 - 2006-11-02 05:01 - 00032598 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2013-02-26 15:53 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-02-26 15:53 - 2006-11-02 04:47 - 00003568 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

2013-02-26 15:53 - 2006-11-02 04:47 - 00003568 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

2013-02-26 15:31 - 2012-03-30 17:42 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-02-26 14:55 - 2009-06-29 16:36 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-02-26 13:47 - 2013-02-22 10:35 - 00000000 ____D C:\Support

2013-02-26 13:44 - 2009-06-29 16:36 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-02-26 13:02 - 2006-11-02 04:47 - 01740896 ____A C:\Windows\System32\FNTCACHE.DAT

2013-02-26 13:01 - 2013-02-09 12:16 - 00027384 ____A C:\Windows\PFRO.log

2013-02-26 12:59 - 2013-02-26 12:59 - 00001715 ____A C:\Users\Morgan\Desktop\RKreport[1]_S_02262013_02d1559.txt

2013-02-26 12:58 - 2013-02-09 16:41 - 00000000 ____D C:\Users\Morgan\Desktop\RK_Quarantine

2013-02-26 11:16 - 2013-02-26 11:16 - 00000000 ____D C:\Program Files\HitmanPro

2013-02-26 11:15 - 2013-02-26 11:15 - 00000000 ____D C:\Users\All Users\HitmanPro

2013-02-26 11:15 - 2013-02-26 11:15 - 00000000 ____D C:\Users\All Users\Application Data\HitmanPro

2013-02-26 11:15 - 2006-11-02 02:33 - 00005510 ____A C:\Windows\System32\PerfStringBackup.INI

2013-02-26 10:51 - 2009-02-06 14:20 - 00000000 ____D C:\Users\Morgan\Application Data\GARMIN

2013-02-26 10:51 - 2009-02-06 14:20 - 00000000 ____D C:\Users\Morgan\AppData\Roaming\GARMIN

2013-02-26 08:59 - 2013-02-26 08:59 - 00000000 ____D C:\Windows\SoftwareDistribution.old

2013-02-26 08:44 - 2013-02-25 18:18 - 00000000 ____D C:\ComboFix

2013-02-26 08:34 - 2013-02-22 11:02 - 00000263 ____A C:\Windows\zerobyte_files_deleted.txt

2013-02-26 08:34 - 2013-02-22 11:02 - 00000261 ____A C:\Windows\System32\zerobyte_files_deleted.txt

2013-02-26 08:34 - 2006-11-02 03:18 - 00000000 ____D C:\users\Default

2013-02-25 19:28 - 2013-02-08 10:53 - 00000000 ____D C:\Users\Morgan\Desktop\reports

2013-02-25 18:59 - 2013-02-25 17:50 - 00000000 ____D C:\Windows\System32\CatRoot2.old

2013-02-25 18:25 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\System32\spool

2013-02-25 17:33 - 2013-02-09 10:37 - 05034894 ___RA (Swearware) C:\Users\Morgan\Desktop\ComboFix.exe

2013-02-25 16:47 - 2013-02-25 16:47 - 00000000 ____D C:\Users\Morgan\Desktop\legacy_wscsvc

2013-02-25 16:40 - 2013-02-25 16:46 - 00000486 ____A C:\Users\Morgan\Desktop\legacy_wscsvc.zip

2013-02-25 15:28 - 2013-02-25 15:28 - 00000000 ____D C:\Users\Public\Desktop\CC Support

2013-02-25 15:17 - 2013-02-25 15:28 - 04009167 ____A C:\Users\Morgan\Desktop\ServicesRepair.exe

2013-02-25 15:03 - 2012-06-21 04:22 - 00000370 ____A C:\rkill.log

2013-02-25 14:51 - 2013-02-25 14:58 - 00294400 ____A C:\Users\Morgan\Desktop\exeHelper.com

2013-02-25 14:22 - 2013-02-25 14:22 - 00000052 ____A C:\Windows\avmcoins.log

2013-02-25 14:22 - 2011-07-11 09:13 - 00098304 ____A (Apple Computer, Inc.) C:\Windows\System32\qttask.exe

2013-02-25 14:20 - 2013-02-25 14:20 - 00000002 ____A C:\Windows\Twain001.Mtx

2013-02-25 14:18 - 2013-02-25 14:18 - 00000197 ____A C:\Windows\ODBCINST.INI

2013-02-25 12:53 - 2013-02-09 17:46 - 00181064 ____A (Sysinternals) C:\Windows\PSEXESVC.EXE

2013-02-22 12:08 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\Offline Web Pages

2013-02-22 11:59 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\Media

2013-02-22 11:58 - 2011-07-10 19:59 - 00000000 ____D C:\Users\Public\Libraries

2013-02-22 11:58 - 2011-07-10 19:57 - 00000000 ____D C:\Program Files (x86)

2013-02-22 11:58 - 2006-11-02 04:37 - 00000000 ____D C:\Users\Public\Recorded TV

2013-02-22 11:58 - 2006-11-02 03:18 - 00000000 ____D C:\users\Public

2013-02-22 11:57 - 2012-02-17 20:45 - 00000000 ____D C:\Users\Morgan\Documents\My Playstation Themes

2013-02-22 11:56 - 2011-07-10 23:13 - 00000000 ____D C:\Program Files\Skype

2013-02-22 11:11 - 2008-02-15 16:49 - 00000000 ____D C:\users\Morgan

2013-02-22 10:40 - 2013-02-22 10:40 - 00000556 ____A C:\Users\Morgan\Desktop\D7.exe - Shortcut.lnk

2013-02-22 10:39 - 2013-02-22 10:39 - 00000628 ____A C:\Users\Morgan\Desktop\KillZA.exe - Shortcut.lnk

2013-02-22 10:37 - 2013-02-22 10:37 - 00053248 ____A C:\Windows\System32\zlib.dll

2013-02-22 10:35 - 2013-02-22 10:34 - 00000000 ____D C:\Users\Morgan\Desktop\killza

2013-02-22 09:54 - 2013-02-22 09:53 - 00000000 ____D C:\Users\Morgan\Desktop\D7

2013-02-22 05:27 - 2013-02-22 05:27 - 00000207 ____A C:\Windows\tweaking.com-regbackup-NONPAREIL-Microsoft®-Windows-Vista™-Home-Premium-(32-bit).dat

2013-02-22 05:26 - 2013-02-22 05:26 - 00000000 ____D C:\RegBackup

2013-02-22 04:30 - 2013-02-22 04:30 - 00002079 ____A C:\Users\Public\Desktop\Tweaking.com - Windows Repair (All in One).lnk

2013-02-22 04:30 - 2013-02-22 04:30 - 00000000 ____D C:\Program Files\Tweaking.com

2013-02-22 04:26 - 2013-02-22 04:06 - 00000000 ____D C:\Users\Morgan\Desktop\M.W

2013-02-09 17:47 - 2008-02-16 01:26 - 00000000 ____D C:\Program Files\Mozilla Firefox

2013-02-09 15:12 - 2013-02-09 15:12 - 00001306 ____A C:\Windows\setupact.log

2013-02-09 14:48 - 2013-02-09 14:48 - 00000000 ____D C:\Users\Morgan\Desktop\legacy_sdrsvc

2013-02-09 14:48 - 2013-02-09 14:48 - 00000000 ____D C:\Users\Morgan\Desktop\legacy_mpssvc

2013-02-09 14:48 - 2013-02-09 14:48 - 00000000 ____D C:\Users\Morgan\Desktop\legacy_bits

2013-02-09 14:48 - 2013-02-09 14:48 - 00000000 ____D C:\Users\Morgan\Desktop\legacy_bfe

2013-02-09 13:48 - 2012-06-21 08:20 - 00352855 ____A (Farbar) C:\Users\Morgan\Desktop\FSS.exe

2013-02-09 13:29 - 2013-02-09 13:35 - 00782848 ____A C:\Users\Morgan\Desktop\RogueKiller.exe

2013-02-09 12:14 - 2013-02-09 12:14 - 00000000 ____D C:\Users\All Users\McAfee

2013-02-09 12:14 - 2013-02-09 12:14 - 00000000 ____D C:\Users\All Users\Application Data\McAfee

2013-02-09 12:11 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\System32\config\Journal

2013-02-09 12:03 - 2013-02-09 12:09 - 03177840 ____A (McAfee, Inc.) C:\Users\Morgan\Desktop\MCPR.exe

2013-02-08 16:13 - 2013-02-08 16:12 - 00000000 ____D C:\Users\All Users\IObit

2013-02-08 16:13 - 2013-02-08 16:12 - 00000000 ____D C:\Users\All Users\Application Data\IObit

2013-02-08 16:12 - 2013-02-08 16:12 - 00000000 ____D C:\Users\Morgan\Application Data\IObit

2013-02-08 16:12 - 2013-02-08 16:12 - 00000000 ____D C:\Users\Morgan\AppData\Roaming\IObit

2013-02-08 16:12 - 2013-02-08 16:12 - 00000000 ____D C:\Program Files\IObit

2013-02-08 13:30 - 2013-02-08 13:30 - 00000000 ____D C:\FRST

2013-02-08 04:51 - 2012-06-21 08:59 - 00000000 ____D C:\Windows\ERDNT

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

==================== Memory info ===========================

Percentage of memory in use: 18%

Total physical RAM: 2037.81 MB

Available physical RAM: 1666.92 MB

Total Pagefile: 1866.29 MB

Available Pagefile: 1735.39 MB

Total Virtual: 2047.88 MB

Available Virtual: 1975.72 MB

==================== Partitions =============================

1 Drive c: (SQ004585V03) (Fixed) (Total:184.84 GB) (Free:27.74 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

3 Drive e: (TOSHIBA SYSTEM VOLUME) (Fixed) (Total:1.46 GB) (Free:1.33 GB) NTFS

4 Drive f: (AL'S) (Removable) (Total:3.73 GB) (Free:1 GB) FAT32

5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ---------- ------- ------- --- ---

Disk 0 Online 186 GB 3257 KB

Disk 1 Online 3824 MB 0 B

Partitions of Disk 0:

===============

ACTIVE - Mark the selected basic partition as active.

ADD - Add a mirror to a simple volume.

ASSIGN - Assign a drive letter or mount point to the selected volume.

ATTRIBUTES - Manipulate volume attributes.

AUTOMOUNT - Enable and disable automatic mounting of basic volumes.

BREAK - Break a mirror set.

CLEAN - Clear the configuration information, or all information, off the

disk.

CONVERT - Convert between different disk formats.

CREATE - Create a volume or partition.

DELETE - Delete an object.

DETAIL - Provide details about an object.

EXIT - Exit DiskPart.

EXTEND - Extend a volume.

FILESYSTEMS - Display current and supported file systems on the volume.

FORMAT - Format the volume or partition.

GPT - Assign attributes to the selected GPT partition.

HELP - Display a list of commands.

IMPORT - Import a disk group.

INACTIVE - Mark the selected basic partition as inactive.

LIST - Display a list of objects.

ONLINE - Online a disk that is currently marked as offline.

REM - Does nothing. This is used to comment scripts.

REMOVE - Remove a drive letter or mount point assignment.

REPAIR - Repair a RAID-5 volume with a failed member.

RESCAN - Rescan the computer looking for disks and volumes.

RETAIN - Place a retained partition under a simple volume.

SELECT - Shift the focus to an object.

SETID - Change the partition type.

SHRINK - Reduce the size of the selected volume.

=========================================================

Partitions of Disk 1:

===============

ACTIVE - Mark the selected basic partition as active.

ADD - Add a mirror to a simple volume.

ASSIGN - Assign a drive letter or mount point to the selected volume.

ATTRIBUTES - Manipulate volume attributes.

AUTOMOUNT - Enable and disable automatic mounting of basic volumes.

BREAK - Break a mirror set.

CLEAN - Clear the configuration information, or all information, off the

disk.

CONVERT - Convert between different disk formats.

CREATE - Create a volume or partition.

DELETE - Delete an object.

DETAIL - Provide details about an object.

EXIT - Exit DiskPart.

EXTEND - Extend a volume.

FILESYSTEMS - Display current and supported file systems on the volume.

FORMAT - Format the volume or partition.

GPT - Assign attributes to the selected GPT partition.

HELP - Display a list of commands.

IMPORT - Import a disk group.

INACTIVE - Mark the selected basic partition as inactive.

LIST - Display a list of objects.

ONLINE - Online a disk that is currently marked as offline.

REM - Does nothing. This is used to comment scripts.

REMOVE - Remove a drive letter or mount point assignment.

REPAIR - Repair a RAID-5 volume with a failed member.

RESCAN - Rescan the computer looking for disks and volumes.

RETAIN - Place a retained partition under a simple volume.

SELECT - Shift the focus to an object.

SETID - Change the partition type.

SHRINK - Reduce the size of the selected volume.

=========================================================

Last Boot: 2013-02-26 13:52

==================== End Of Log ============================

AllanGay · February 27, 2013

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 23-02-2013 01

Ran by SYSTEM at 27-02-2013 00:05:33