Solved Security Centre can not be started (Plus other nasty things)

calder

Security Centre can not be started (Plus other nasty things) (System restore Too)

Hello there,

Sorry to start a new thread next to one similar, but I feel that my problem may be different to the one next door.... I also didn't want to hijack the other person's thread.

I too have been having this problem for a couple of days. I have tried all sorts of things to fix it, including running as much anti-malware as my machine will let me run.

Basically, my machine started flashing a notice about allowing Windows to start a task, which I think my little boy clicked yes to.
Then, my security centre won't start anymore, my firewall won't launch, but not only that, it seems that I can't get on certain websites, mainly ones run by Microsoft I think, and some websites allowing you to download virus protection etc. I also seem to have the tag 'Security Centre' missing from the list in Services which many people tell you to check...

Please can anyone advise? It's driving me nuts. I've been losing sleep trying to fix it :(

If you want me to give any reports or anything you will have to explain how to do this I'm afraid, as I'm pretty stoopid when it comes to these machines :(

Thanks sooo much in anticipation. Ned

PS I have tried system restore about 8 times and this isn't working either!
 
Thanks, but whether it's a week or three it either gets stuck 'initializing' or restarting or wherever but crashes out and fails :( Thanks anyway though
 


Download and run a full scan with Malwarebytes.
If you cannot download, it is most assuredly a virus problem.
Try to run a full scan with your antivirus.
If you cannot, and you probably can't, go to ESET Online Scanner and scan with that.
Sorry about your problems.
 

calder,

Let's see if we can get to the root of the problem...

Please download RogueKiller:
Download RogueKiller (Official Site)

When you get to the website, go to where it says:
(Download link) Lien de téléchargement:

Select the version that applies to your system: x64.
Click the dark-blue button that applies.

Save to the Desktop

Close all windows and browsers
Right-click RogueKiller and select 'Run as Administrator'

Press: SCAN

When done, a report opens on the Desktop: RKreport.txt

Please provide the RKreport.txt (Mode: Scan) in your reply.

(Please do not delete anything!)



Also, download Farbar Service Scanner:
Downloading Farbar Service Scanner
Save to the Desktop

Make sure the following options are checked:
Internet Services
Windows Firewall
System Restore
Security Center
Windows Update
Windows Defender

Press: Scan

When done, FSS creates a log, FSS.txt, on the Desktop.

Please provide the FSS.txt in your reply.
 


Thanks for the replies. Sorry it's taken a while to get back, it's the kids' holidays :(
Anyway, I'll get on with the requested actions as soon as I can, cottonballs. Hopefully in the next 12 hours!

Thanks again!
 


If it works, System Restore would be the easiest way to go. Good luck
 


Hi there,
Unfortunately the Farbar Service Scanner wouldn't run. It loaded and started, then flashed up an error message saying it had encountered a problem and Windows was going to close it...

The report from rogue killer is as follows. Thanks so much in anticipation of your time!

RogueKiller V8.5.1 [Feb 21 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : RogueKiller - Geeks to Go Forums
Website : Download RogueKiller (Official website)
Blog : http://tigzyrk.blogspot.com/
Operating System : Windows Vista (6.0.6001 Service Pack 1) 32 bits version
Started in : Normal mode
User : Ned [Admin rights]
Mode : Scan -- Date : 02/19/2013 17:02:31
| ARK || FAK || MBR |
¤¤¤ Bad processes : 2 ¤¤¤
[Rogue.FakeHDD] rstrui.exe -- C:\Windows\System32\rstrui.exe [7] -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe [x] -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe [x] -> KILLED [TermProc]
¤¤¤ Registry Entries : 9 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : EfbQdosf (C:\Users\Ned\AppData\Local\vyjesojo\efbqdosf.exe) [-] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3078567302-1939681645-132015575-1000[...]\Run : EfbQdosf (C:\Users\Ned\AppData\Local\vyjesojo\efbqdosf.exe) [-] -> FOUND
[SHELL][SUSP PATH] HKLM\[...]\Winlogon : Userinit (C:\Windows\system32\userinit.exe,,C:\Users\Ned\AppData\Local\vyjesojo\efbqdosf.exe) [-] -> FOUND
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[64] : NtCreateKey @ 0x8261EFA5 -> HOOKED (\??\C:\Users\Ned\AppData\Local\Temp\lqcxdllr.sys @ 0x9E5DA6AC)
SSDT[65] : NtCreateKeyTransacted @ 0x825B37FD -> HOOKED (\??\C:\Users\Ned\AppData\Local\Temp\lqcxdllr.sys @ 0x9E5DA708)
SSDT[189] : NtOpenKey @ 0x8264C526 -> HOOKED (\??\C:\Users\Ned\AppData\Local\Temp\lqcxdllr.sys @ 0x9E5DA562)
SSDT[190] : NtOpenKeyTransacted @ 0x825B37A2 -> HOOKED (\??\C:\Users\Ned\AppData\Local\Temp\lqcxdllr.sys @ 0x9E5DA604)
¤¤¤ Infection : Rogue.FakeHDD ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts
127.0.0.1 localhost
::1 localhost

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: ST350063 0AS SCSI Disk Device +++++
--- User ---
[MBR] 08b8b275adc7d31e3dc5905e8f0eaf0d
[BSP] e223061d7b1f736c4877938e9af93bcf : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 62 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 129024 | Size: 10240 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 21100544 | Size: 466636 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
Finished : << RKreport[5]_S_02192013_02d1702.txt >>
RKreport[1]_S_02172013_02d1029.txt ; RKreport[2]_D_02172013_02d1035.txt ; RKreport[3]_S_02172013_02d1919.txt ; RKreport[4]_D_02172013_02d1925.txt ; RKreport[5]_S_02192013_02d1702.txt
 


calder,

Please run RogueKiller once again:

Close all windows and browsers
Right-click RogueKiller and select 'Run as Administrator'

Wait until the Prescan finishes
The Status box shows PreScan Finished
Press: Scan

When done, on the right, click: Delete
Wait until the Status box shows: Deleting Finished
Click on Report and provide the content of the new Rkreport (Mode: Remove) in your reply.

Restart the computer.


Try to run the Farbar Service Scanner once again.

If no-go, remove it, download it once again, and try running it.
Let's see if we can now get a report.
 


Hi CB
I have tried what you said, report from RogueKiller below. Unfortunately I couldn't run Farbar Service Scanner as my computer will not let me log on to any pages which are bleepingcomputer.com hosted.
I did manage to run Spybot too whilst I was trying to clear a way to download the other, so I'll tag this on at the end in case it's any help. Is there anything else we can try to get this report if we can't run said programme?
Thanks again for your advice and time!

RogueKiller V8.5.1 [Feb 21 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : RogueKiller - Geeks to Go Forums
Website : Download RogueKiller (Official website)
Blog : tigzy-RK

Operating System : Windows Vista (6.0.6001 Service Pack 1) 32 bits version
Started in : Normal mode
User : Ned [Admin rights]
Mode : Remove -- Date : 02/20/2013 09:40:49
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : EfbQdosf (C:\Users\Ned\AppData\Local\vyjesojo\efbqdosf.exe) [-] -> DELETED
[SHELL][SUSP PATH] HKLM\[...]\Winlogon : Userinit (C:\Windows\system32\userinit.exe,,C:\Users\Ned\AppData\Local\vyjesojo\efbqdosf.exe) [-] -> REPLACED (C:\Windows\system32\userinit.exe,)
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> REPLACED (0)
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> REPLACED (0)
[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[64] : NtCreateKey @ 0x825F1FA5 -> HOOKED (\??\C:\Users\Ned\AppData\Local\Temp\lqcxdllr.sys @ 0x9E8DF6AC)
SSDT[65] : NtCreateKeyTransacted @ 0x825867FD -> HOOKED (\??\C:\Users\Ned\AppData\Local\Temp\lqcxdllr.sys @ 0x9E8DF708)
SSDT[189] : NtOpenKey @ 0x8261F526 -> HOOKED (\??\C:\Users\Ned\AppData\Local\Temp\lqcxdllr.sys @ 0x9E8DF562)
SSDT[190] : NtOpenKeyTransacted @ 0x825867A2 -> HOOKED (\??\C:\Users\Ned\AppData\Local\Temp\lqcxdllr.sys @ 0x9E8DF604)

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST350063 0AS SCSI Disk Device +++++
--- User ---
[MBR] 08b8b275adc7d31e3dc5905e8f0eaf0d
[BSP] e223061d7b1f736c4877938e9af93bcf : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 62 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 129024 | Size: 10240 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 21100544 | Size: 466636 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[7]_D_02202013_02d0940.txt >>
RKreport[1]_S_02172013_02d1029.txt ; RKreport[3]_S_02172013_02d1919.txt ; RKreport[4]_D_02172013_02d1925.txt ; RKreport[5]_S_02192013_02d1702.txt ; RKreport[6]_S_02202013_02d0940.txt ;
RKreport[7]_D_02202013_02d0940.txt

Search results from Spybot - Search & Destroy

20/02/2013 10:49:50
Scan took 00:15:00.
24 items found.

Microsoft.WindowsSecurityCenter.AntiVirusOverride: [SBI $3604910C] Settings (Registry Change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride

Microsoft.WindowsSecurityCenter.FirewallOverride: [SBI $0C94D702] Settings (Registry Change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride

MediaPlex: [SBI $8E73A7FB] Tracking cookie (Internet Explorer (User): Ned) (Browser: Cookie, nothing done)

DoubleClick: [SBI $8E73A7FB] Tracking cookie (Internet Explorer (User): Ned) (Browser: Cookie, nothing done)

CasaleMedia: [SBI $8E73A7FB] Tracking cookie (Internet Explorer (User): Ned) (Browser: Cookie, nothing done)

Right Media: [SBI $8E73A7FB] Tracking cookie (Internet Explorer (User): Ned) (Browser: Cookie, nothing done)

Statcounter: [SBI $8E73A7FB] Tracking cookie (Internet Explorer (User): Ned) (Browser: Cookie, nothing done)

Tradedoubler: [SBI $8E73A7FB] Tracking cookie (Internet Explorer (User): Ned) (Browser: Cookie, nothing done)

Adviva: [SBI $8E73A7FB] Tracking cookie (Internet Explorer (User): Ned) (Browser: Cookie, nothing done)

MediaPlex: [SBI $8E73A7FB] Tracking cookie (Internet Explorer (User): Ned) (Browser: Cookie, nothing done)

Log: [SBI $8E73A7FB] Activity: ntbtlog.txt (File, nothing done)
C:\Windows\ntbtlog.txt
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Internet Explorer: [SBI $FF589D0C] Download directory (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-3078567302-1939681645-132015575-1000\Software\Microsoft\Internet Explorer\Download Directory

MS Direct3D: [SBI $7FB7B83F] Most recent application (Registry Change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name

MS Direct3D: [SBI $C2A44980] Most recent application (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-3078567302-1939681645-132015575-1000\Software\Microsoft\Direct3D\MostRecentApplication\Name

MS DirectDraw: [SBI $EB49D5AF] Most recent application (Registry Change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name

MS DirectInput: [SBI $9A063C91] Most recent application (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-3078567302-1939681645-132015575-1000\Software\Microsoft\DirectInput\MostRecentApplication\Name

MS DirectInput: [SBI $7B184199] Most recent application ID (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-3078567302-1939681645-132015575-1000\Software\Microsoft\DirectInput\MostRecentApplication\Id

MS Office 10.0 (Word): [SBI $51FE086C] Recently used documents list (Registry Value, nothing done)
HKEY_USERS\S-1-5-21-3078567302-1939681645-132015575-1000\Software\Microsoft\Office\10.0\Word\Data\Settings

Windows: [SBI $1E4E2003] Drivers installation paths (Registry Change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Installation Sources

Windows Explorer: [SBI $2026AFB6] User Assistant history IE (Registry Key, nothing done)
HKEY_USERS\S-1-5-21-3078567302-1939681645-132015575-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

Windows Explorer: [SBI $6107D172] User Assistant history files (Registry Key, nothing done)
HKEY_USERS\S-1-5-21-3078567302-1939681645-132015575-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Cookie: [SBI $49804B54] Browser: Cookie (313) (Browser: Cookie, nothing done)

Cache: [SBI $49804B54] Browser: Cache (107) (Browser: Cache, nothing done)

History: [SBI $49804B54] Browser: History (6) (Browser: History, nothing done)


--- Spybot - Search & Destroy version: 2.0.12.131 DLL (build: 20121113) ---
 


After seeing that log from RogueKiller I would consider the following...

Please download TDSSKiller

  • Double click TDSSKiller.exe
  • Press Start Scan but do nothing else as we are just looking for what is there.
  • If Malicious objects are found, select Skip by changing the Cure dropdown in the upper right.
  • Attach the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)
 


I managed to run FSS and got this! Will try the other though too

Farbar Service Scanner Version: 20-02-2013
Ran by Ned (administrator) on 21-02-2013 at 23:58:45
Running from "C:\Users\Ned\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\19QSCB5U"
Windows Vista (TM) Home Premium Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.
MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking LEGACY_MpsSvc: ATTENTION!=====> Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.

Firewall Disabled Policy:
==================

System Restore:
============
System Restore Disabled Policy:
========================

Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking LEGACY_wscsvc: ATTENTION!=====> Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Disabled. The default start type is Auto.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\Windows\system32\wuaueng.dll".

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Disabled. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Other Services:
==============
Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to retrieve ServiceDll of SharedAccess. The value does not exist.

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2011-11-09 18:27] - [2011-04-21 13:16] - 0273408 ____A (Microsoft Corporation) 48EB99503533C27AC6135648E5474457
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2011-11-09 18:19] - [2010-06-16 15:59] - 0898952 ____A (Microsoft Corporation) 782568AB6A43160A159B6215B70BCCE9
C:\Windows\system32\dnsrslvr.dll
[2011-11-09 18:28] - [2011-03-02 14:49] - 0086528 ____A (Microsoft Corporation) 4805D9A6D281C7A7DEFD9094DEC6AF7D
C:\Windows\system32\mpssvc.dll
[2009-11-16 09:26] - [2008-01-19 07:34] - 0393216 ____A (Microsoft Corporation) D1639BA315B0D79DEC49A4B0E1FB929B
C:\Windows\system32\bfe.dll
[2009-11-16 09:26] - [2008-01-19 07:33] - 0328704 ____A (Microsoft Corporation) 8582E233C346AEFE759833E8A30DD697
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe
[2009-11-16 09:26] - [2008-01-19 07:33] - 1054720 ____A (Microsoft Corporation) D5FB73D19C46ADE183F968E13F186B23
C:\Windows\system32\wscsvc.dll
[2009-11-16 09:26] - [2008-01-19 07:37] - 0061440 ____A (Microsoft Corporation) 683DD16B590372F2C9661D277F35E49C
C:\Windows\system32\wbem\WMIsvc.dll
[2009-11-16 09:26] - [2008-01-19 07:36] - 0161792 ____A (Microsoft Corporation) 00B79A7C984678F24CF052E5BEB3A2F5
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll
[2009-11-16 09:26] - [2008-01-19 07:36] - 0758272 ____A (Microsoft Corporation) 02ED7B4DBC2A3232A389106DA7515C3D
C:\Windows\system32\es.dll
[2009-11-10 08:40] - [2009-11-10 08:40] - 0269312 ____A (Microsoft Corporation) 3CB3343D720168B575133A0A20DC2465
C:\Windows\system32\cryptsvc.dll
[2009-11-16 09:25] - [2008-01-19 07:34] - 0128000 ____A (Microsoft Corporation) 6DE363F9F99334514C46AEC02D3E3678
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll
[2009-10-17 23:25] - [2009-10-17 23:25] - 0551424 ____A (Microsoft Corporation) 301AE00E12408650BADDC04DBC832830

**** End of log ****
 


TDSSKiller found nothing. I have been running Advanced system care and one or two other bits of anti-malware software in some hope of helping, so perhaps things have gone into hiding. The McAfee seems to be working again and told me it removed 4 trojans too... I haven't really done anything since the FSS report so I'd suggest that that one is live... Thanks again!
 


calder,

I managed to run FSS ...


Good news, as there is some work to do to recover from the damages.

My apology for the delay...it has been a very busy day.

Will get some instructions going for you and post them tomorrow. Have to call it quits for today.

Thanks for your patience.
 


Please don't apologise CB, it's fantastic of you to advise!
 


calder,

Thanks, once again, for your patience! :geek:


The steps we are undertaking involve Registry editing. Please create a backup of the Registry using ERUNT (Emergency Recovery Utility NT).

Download and Instructions:
Backing Up The Registry Using ERUNT - Geeks to Go Forums
Windows Vista may require you to allow the installation if the User Account Control (UAC) prompt appears.

Next, please download the following Registry files:

http://download.bleepingcomputer.com/win-services/vista/wscsvc.reg
http://download.bleepingcomputer.com/win-services/vista/MpsSvc.reg
http://download.bleepingcomputer.com/win-services/vista/SharedAccess.reg

Save each one to the Desktop (easy to find)

Next, right-click each Registry file and select: Merge

Press the Windows and the R key on keyboard.
In the Run box above, type: notepad
Press: Enter

Copy the entire contents inside the following quote box, and paste the text to Notepad:

@Echo off
sc config mpssvc start= auto
sc config wscsvc start= delayed-auto
sc config wuauserv start= delayed-auto
sc config sharedaccess start= auto
sc start mpssvc
sc start wscsvc
sc start wuauserv
sc start sharedaccess
shutdown -r -t 1
del %0

In Notepad, select File > Save as...
Press the Desktop button on the left side
In the File name box, type in: fixsvc.bat
Press: Save
Close Notepad.

Right-click fixsvc.bat on the Desktop, and select: Run as Administrator
Press Yes if prompted by the User Account Control.

After the batch commands are applied, Windows restarts.

~~~~
Run Farbar Service Scanner again, and provide the contents of FSS.txt in your reply.
 


Farbar Service Scanner Version: 20-02-2013
Ran by Ned (administrator) on 22-02-2013 at 15:32:14
Running from "C:\Users\Ned\Desktop"
Windows Vista (TM) Home Premium Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.
Checking LEGACY_MpsSvc: ATTENTION!=====> Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.

Firewall Disabled Policy:
==================

System Restore:
============
System Restore Disabled Policy:
========================

Security Center:
============
Windows Update:
============
Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Disabled. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Other Services:
==============

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2011-11-09 18:27] - [2011-04-21 13:16] - 0273408 ____A (Microsoft Corporation) 48EB99503533C27AC6135648E5474457
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2011-11-09 18:19] - [2010-06-16 15:59] - 0898952 ____A (Microsoft Corporation) 782568AB6A43160A159B6215B70BCCE9
C:\Windows\system32\dnsrslvr.dll
[2011-11-09 18:28] - [2011-03-02 14:49] - 0086528 ____A (Microsoft Corporation) 4805D9A6D281C7A7DEFD9094DEC6AF7D
C:\Windows\system32\mpssvc.dll
[2009-11-16 09:26] - [2008-01-19 07:34] - 0393216 ____A (Microsoft Corporation) D1639BA315B0D79DEC49A4B0E1FB929B
C:\Windows\system32\bfe.dll
[2009-11-16 09:26] - [2008-01-19 07:33] - 0328704 ____A (Microsoft Corporation) 8582E233C346AEFE759833E8A30DD697
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe
[2009-11-16 09:26] - [2008-01-19 07:33] - 1054720 ____A (Microsoft Corporation) D5FB73D19C46ADE183F968E13F186B23
C:\Windows\system32\wscsvc.dll
[2009-11-16 09:26] - [2008-01-19 07:37] - 0061440 ____A (Microsoft Corporation) 683DD16B590372F2C9661D277F35E49C
C:\Windows\system32\wbem\WMIsvc.dll
[2009-11-16 09:26] - [2008-01-19 07:36] - 0161792 ____A (Microsoft Corporation) 00B79A7C984678F24CF052E5BEB3A2F5
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll
[2009-11-16 09:26] - [2008-01-19 07:36] - 0758272 ____A (Microsoft Corporation) 02ED7B4DBC2A3232A389106DA7515C3D
C:\Windows\system32\es.dll
[2009-11-10 08:40] - [2009-11-10 08:40] - 0269312 ____A (Microsoft Corporation) 3CB3343D720168B575133A0A20DC2465
C:\Windows\system32\cryptsvc.dll
[2009-11-16 09:25] - [2008-01-19 07:34] - 0128000 ____A (Microsoft Corporation) 6DE363F9F99334514C46AEC02D3E3678
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll
[2009-10-17 23:25] - [2009-10-17 23:25] - 0551424 ____A (Microsoft Corporation) 301AE00E12408650BADDC04DBC832830

**** End of log ****

Thanks!
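
Added example (not part of the original thread and not Farbar's own code): a Python script that parses two FSS.txt logs and reports, per service, which findings were resolved by the repair and which remain. The log excerpts are copied from the two reports posted above; the function names are hypothetical, and the script assumes FSS only lists problem states, so a service absent from the later log is treated as healthy.

```python
import re
from collections import defaultdict

# Excerpt of the FSS.txt posted before the .reg merge and fixsvc.bat (from this thread).
BEFORE = r"""
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking LEGACY_MpsSvc: ATTENTION!=====> Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking LEGACY_wscsvc: ATTENTION!=====> Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Disabled. The default start type is Auto.
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Disabled. The default start type is Auto.
Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
"""

# Excerpt of the FSS.txt posted after the repair (from this thread).
AFTER = r"""
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
Checking LEGACY_MpsSvc: ATTENTION!=====> Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Disabled. The default start type is Auto.
"""

NOT_RUNNING = re.compile(r"^(\w+) Service is not running")
KEY_MISSING = re.compile(r"Unable to open (LEGACY_)?(\w+?)(?:\\0000)? registry key")
START_TYPE = re.compile(
    r"The start type of (\w+) service is set to (\w+)\. "
    r"The default start type is (\w+)\."
)
VALUE_MISSING = re.compile(r"Unable to retrieve (.+?) of (\w+)\.")


def parse_fss(text):
    """Return {service_name_lowercase: set of finding strings} for one FSS log."""
    findings = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if m := NOT_RUNNING.match(line):
            findings[m[1].lower()].add("not running")
        elif m := KEY_MISSING.search(line):
            # The service key and the LEGACY_ enum key are separate registry keys.
            kind = "LEGACY key missing" if m[1] else "service key missing"
            findings[m[2].lower()].add(kind)
        elif m := START_TYPE.search(line):
            findings[m[1].lower()].add(f"start type {m[2]} (default {m[3]})")
        elif m := VALUE_MISSING.search(line):
            findings[m[2].lower()].add(f"{m[1]} value missing")
    return dict(findings)


def compare(before, after):
    """Per service: findings cleared by the repair and findings still reported."""
    report = {}
    for svc in sorted(set(before) | set(after)):
        b, a = before.get(svc, set()), after.get(svc, set())
        report[svc] = {"resolved": sorted(b - a), "remaining": sorted(a)}
    return report


if __name__ == "__main__":
    for svc, diff in compare(parse_fss(BEFORE), parse_fss(AFTER)).items():
        state = "STILL FLAGGED" if diff["remaining"] else "clean"
        print(f"{svc:13} {state:14} resolved={diff['resolved']} remaining={diff['remaining']}")
```

Run on the thread's two logs, it shows wscsvc, wuauserv and SharedAccess no longer flagged, while MpsSvc and WinDefend are still reported as not running.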
 
