
loadlibrary error 126

jathuerk (Member, joined Sep 5, 2013, 16 posts)
Hi, I need help!

I am trying to run a game (Rome II) and it will not run; whenever I try to launch it I get the error 'loadlibrary failed error 126'.

I have looked around for a solution and I have tried a few, and none work. No other programs cause this error to pop up; all other games and programs I have run lately have run fine.

I have tried this solution:

a. Go to the command prompt as described above. Run it as administrator.

b. Type in the following command:

C:\Windows\System32\ copy atio6axx.dll .dll

This does not fix the issue.

I dug deeper and ran the system file checker tool. I have many errors in my registry that cannot be fixed by sfc. What do I do? Thanks in advance for any help folks are able to provide

Here is my SFC log

View attachment sfcdetails.txt
 
Please run a full CHKDSK and SFC scan....

Click on Start > All Programs > Accessories
Right-click on the Command Prompt entry
Select Run as Administrator and accept the UAC prompt - the Elevated Command Prompt window should pop up.

At the Command prompt, type

CHKDSK C: /R

and hit the Enter key.
You will be told that the drive is locked,
and the CHKDSK will run at the next boot - hit the Y key, press Enter, and then reboot.

The CHKDSK will take a few hours depending on the size of the drive, so be patient!

After the CHKDSK has run, Windows should boot normally (possibly after a second auto-reboot) -
then run the SFC.

SFC - System File Checker - Instructions
Click on Start > All Programs > Accessories
Right-click on the Command Prompt entry
Select Run as Administrator and accept the UAC prompt - the Elevated Command Prompt window should pop up.

At the Command prompt, type

SFC /SCANNOW

and hit the Enter key

Wait for the scan to finish - make a note of any error messages - and then reboot.


Copy the CBS.log file created (C:\Windows\Logs\CBS\CBS.log) to your desktop (you can't manipulate it directly) and then compress the copy and attach it to your reply

Please download and save the CheckSUR tool from System Update Readiness Tool fixes Windows Update errors in Windows 7, Windows Vista, Windows Server 2008 R2, and Windows Server 2008
(you'll need to look in the details for Windows 7, downloading from the Microsoft Download Center)

Run it - The tool can take anywhere from 5 mins to a couple of hours to run (or 'Install') depending on how much it has to do, and may exit silently - it may appear to freeze for most of that time, but be patient.
The result is logged in the C:\Windows\Logs\CBS\CheckSUR.log file - and an archive …\checksur.persist.log file

Then zip the CheckSUR.log and attach it to your reply.
 
Hi Noel,

Thanks so much for helping me out. Here is how it went.

Did the CHKDSK C: /R; it took several hours but seemed to run fine.

I then ran SFC /SCANNOW, which seemed to run fine as well. Here are the logs you requested:

View attachment 5218

Also in there is a screenshot of an error message I received when I tried to run the CheckSUR tool from Windows: error "0x80070424".

So CheckSUR did not run at all. I looked online for a solution to this error; it seems common, but I did not apply any solution. I'll wait to hear from you. I am in your hands.

Thanks
 
The 424 error indicates at least one service has been effectively uninstalled....
Please download the Farbar Service Scanner from

Farbar Service Scanner Download

Right-click on the saved file and select 'Run as Administrator', and tick all the options, then click on the Scan button - copy and paste the report to your response.


The SFC scan repaired a couple of errors - but left three very minor errors alone. These errors are ones which IMHO should never have been part of the scan, but if not repaired, they will prevent you knowing in future if there are significant errors in any scans, so we need to fix them.
I'll post a fix protocol later.
 
OK, I ran the FSS scan; here is the log.

Code:
Farbar Service Scanner Version: 05-09-2013
Ran by Jeremy (administrator) on 08-09-2013 at 08:57:17
Running from "C:\Users\Jeremy\Downloads"
Windows Vista (TM) Home Premium Service Pack 2 (X64)
Boot Mode: Normal
****************************************************************


Internet Services:
============


Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.




Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.


MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking LEGACY_MpsSvc: ATTENTION!=====> Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.


bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking LEGACY_bfe: ATTENTION!=====> Unable to open LEGACY_bfe\0000 registry key. The key does not exist.




Firewall Disabled Policy: 
==================
"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" registry key does not exist.




System Restore:
============


System Restore Disabled Policy: 
========================




Security Center:
============


wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking LEGACY_wscsvc: ATTENTION!=====> Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


Security Center Notification Icon =====> Unable to open HKLM\...\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC} key. The key does not exist.




Windows Update:
============
wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.


BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking LEGACY_BITS: ATTENTION!=====> Unable to open LEGACY_BITS\0000 registry key. The key does not exist.




Windows Autoupdate Disabled Policy: 
============================




Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.




Windows Defender Disabled Policy: 
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1




Other Services:
==============
Checking Start type of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ImagePath of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ServiceDll of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.


Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to retrieve ServiceDll of SharedAccess. The value does not exist.
Checking FirewallRules of SharedAccess: ATTENTION!=====> Unable to open "SharedAccess\Defaults\FirewallPolicy\FirewallRules" registry key. The key does not exist.
Checking FirewallRules of SharedAccess: ATTENTION!=====> Unable to open "SharedAccess\Parameters\FirewallPolicy\FirewallRules" registry key. The key does not exist.






File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcsvc.dll
[2009-08-18 17:04] - [2009-04-11 00:11] - 0268288 ____A (Microsoft Corporation) 3ED0321127CE70ACDAABBF77E157C2A7


C:\Windows\System32\drivers\afd.sys
[2012-02-15 18:10] - [2012-01-03 07:25] - 0404992 ____A (Microsoft Corporation) C4F6CE6087760AD70960C9EB130E7943


C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2012-05-08 17:40] - [2012-03-30 05:45] - 1422720 ____A (Microsoft Corporation) AC8D5728E6AD6A7C4819D9A67008337A


C:\Windows\System32\dnsrslvr.dll
[2011-04-14 15:37] - [2011-03-02 09:12] - 0117760 ____A (Microsoft Corporation) 06230F1B721494A6DF8D47FD395BB1B0


C:\Windows\System32\mpssvc.dll
[2009-08-18 17:04] - [2009-04-11 00:11] - 0603136 ____A (Microsoft Corporation) 897E3BAF68BA406A61682AE39C83900C


C:\Windows\System32\bfe.dll
[2009-08-18 17:04] - [2009-04-11 00:11] - 0458240 ____A (Microsoft Corporation) FFB96C2589FFA60473EAD78B39FBDE29


C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe
[2009-08-18 17:05] - [2009-04-11 00:11] - 1433600 ____A (Microsoft Corporation) B75232DAD33BFD95BF6F0A3E6BFF51E1


C:\Windows\System32\wscsvc.dll
[2009-08-18 17:04] - [2009-04-11 00:11] - 0074752 ____A (Microsoft Corporation) 9EA3E6D0EF7A5C2B9181961052A4B01A


C:\Windows\System32\wbem\WMIsvc.dll
[2009-08-18 17:04] - [2009-04-11 00:11] - 0221696 ____A (Microsoft Corporation) D2E7296ED1BD26D8DB2799770C077A02


C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll
[2009-08-18 17:05] - [2009-04-11 00:11] - 1081856 ____A (Microsoft Corporation) 6D316F4859634071CC25C4FD4589AD2C


C:\Windows\System32\es.dll
[2009-08-18 17:05] - [2009-04-11 00:11] - 0361984 ____A (Microsoft Corporation) E12F22B73F153DECE721CD45EC05B4AF


C:\Windows\System32\cryptsvc.dll
[2009-08-18 17:04] - [2009-04-11 00:11] - 0166912 ____A (Microsoft Corporation) 18918613E63F387CDE4D95CA7D49DCF7


C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2009-08-18 17:05] - [2009-04-11 00:11] - 0719872 ____A (Microsoft Corporation) CF8B9A3A5E7DC57724A89D0C3E8CF9EF






**** End of log ****
Looking forward to more responses, because from my layman's interpretation my registry files are a mess!

Thanks!
 
The files are OK - it's the registry that's the problem.
You appear to have had an infection from the Sirefef stable (aka ZeroAccess).
Hopefully the fix will be simple :)


Please download http://kb.eset-la.com/library/ESET/KB Team Only/Malware/ServicesRepair.exe and save it to your desktop.

Double-click ServicesRepair.exe

If security notifications appear, click Continue or Run and then click Yes when asked if you want to proceed.

Once the tool has finished, you will be prompted to restart your computer.

Click Yes to restart.

Run the Farbar scanner again, and post the new log
 
Hi Noel, thanks for the quick reply; hopefully we can go back and forth here while we are both awake!

I ran the service repair exe, then rebooted and did the FSS scan again. Here is the new log:

Code:
Farbar Service Scanner Version: 05-09-2013
Ran by Jeremy (administrator) on 08-09-2013 at 11:23:34
Running from "C:\Users\Jeremy\Downloads"
Windows Vista (TM) Home Premium Service Pack 2 (X64)
Boot Mode: Normal
****************************************************************


Internet Services:
============


Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.




Windows Firewall:
=============


Firewall Disabled Policy: 
==================




System Restore:
============


System Restore Disabled Policy: 
========================




Security Center:
============


Security Center Notification Icon =====> Unable to open HKLM\...\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC} key. The key does not exist.




Windows Update:
============


Windows Autoupdate Disabled Policy: 
============================




Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.




Windows Defender Disabled Policy: 
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1




Other Services:
==============




File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcsvc.dll
[2009-08-18 17:04] - [2009-04-11 00:11] - 0268288 ____A (Microsoft Corporation) 3ED0321127CE70ACDAABBF77E157C2A7


C:\Windows\System32\drivers\afd.sys
[2012-02-15 18:10] - [2012-01-03 07:25] - 0404992 ____A (Microsoft Corporation) C4F6CE6087760AD70960C9EB130E7943


C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2012-05-08 17:40] - [2012-03-30 05:45] - 1422720 ____A (Microsoft Corporation) AC8D5728E6AD6A7C4819D9A67008337A


C:\Windows\System32\dnsrslvr.dll
[2011-04-14 15:37] - [2011-03-02 09:12] - 0117760 ____A (Microsoft Corporation) 06230F1B721494A6DF8D47FD395BB1B0


C:\Windows\System32\mpssvc.dll
[2009-08-18 17:04] - [2009-04-11 00:11] - 0603136 ____A (Microsoft Corporation) 897E3BAF68BA406A61682AE39C83900C


C:\Windows\System32\bfe.dll
[2009-08-18 17:04] - [2009-04-11 00:11] - 0458240 ____A (Microsoft Corporation) FFB96C2589FFA60473EAD78B39FBDE29


C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe
[2009-08-18 17:05] - [2009-04-11 00:11] - 1433600 ____A (Microsoft Corporation) B75232DAD33BFD95BF6F0A3E6BFF51E1


C:\Windows\System32\wscsvc.dll
[2009-08-18 17:04] - [2009-04-11 00:11] - 0074752 ____A (Microsoft Corporation) 9EA3E6D0EF7A5C2B9181961052A4B01A


C:\Windows\System32\wbem\WMIsvc.dll
[2009-08-18 17:04] - [2009-04-11 00:11] - 0221696 ____A (Microsoft Corporation) D2E7296ED1BD26D8DB2799770C077A02


C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll
[2009-08-18 17:05] - [2009-04-11 00:11] - 1081856 ____A (Microsoft Corporation) 6D316F4859634071CC25C4FD4589AD2C


C:\Windows\System32\es.dll
[2009-08-18 17:05] - [2009-04-11 00:11] - 0361984 ____A (Microsoft Corporation) E12F22B73F153DECE721CD45EC05B4AF


C:\Windows\System32\cryptsvc.dll
[2009-08-18 17:04] - [2009-04-11 00:11] - 0166912 ____A (Microsoft Corporation) 18918613E63F387CDE4D95CA7D49DCF7


C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2009-08-18 17:05] - [2009-04-11 00:11] - 0719872 ____A (Microsoft Corporation) CF8B9A3A5E7DC57724A89D0C3E8CF9EF






**** End of log ****
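An added example (my own code, not FSS's and not anything posted in this thread) that parses FSS output of the shape shown in the two logs above: it records which service registry keys are reported missing, which system files FSS could not match to a known-good MD5, and whether Defender is disabled by policy, then diffs two reports to show what a repair step fixed and what it left. The sample logs, the {GUID} and the 32-digit MD5 in them are constructed placeholders.

```python
"""Parse Farbar Service Scanner (FSS) output and diff two reports. Added example for this thread,
not FSS's own code; line shapes are modelled on the logs posted above, sample logs are constructed."""
import re
from dataclasses import dataclass, field

SERVICE_HDR = re.compile(r"^(?P<svc>\w+) Service is not running\. Checking service configuration:$")
ATTENTION = re.compile(r"^Checking (?P<what>[\w ]+?)(?: of (?P<svc>\w+))?: ATTENTION!=+> (?P<msg>.+)$")
OK_LINE = re.compile(r"^The (?P<what>[\w ]+?) of (?P<svc>\w+) service is OK\.$")
NOTIFY_ICON = re.compile(r"^Security Center Notification Icon =+> (?P<msg>.+)$")
FILE_LEGIT = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => MD5 is legit$")
FILE_PATH = re.compile(r"^(?P<path>[A-Za-z]:\\[^=]+)$")
FILE_META = re.compile(r"^\[[^\]]*\] - \[[^\]]*\] - \d+ \S+ \([^)]*\) (?P<md5>[0-9A-Fa-f]{32})$")
POLICY = re.compile(r'^"(?P<name>\w+)"=DWORD:(?P<val>\d+)$')

@dataclass
class FssReport:
    broken: dict = field(default_factory=dict)            # service -> {check: message}
    ok: set = field(default_factory=set)                  # services whose config checks all passed
    legit_files: set = field(default_factory=set)         # paths FSS matched to a known-good MD5
    unverified_files: dict = field(default_factory=dict)  # path -> MD5 that FSS did not vouch for
    policies: dict = field(default_factory=dict)          # e.g. "DisableAntiSpyware" -> 1

def parse_fss(text: str) -> FssReport:
    rep = FssReport()
    svc = path = None  # current "... Service is not running" header / File Check path awaiting its MD5 line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SERVICE_HDR.match(line):
            svc = m["svc"]
        elif m := ATTENTION.match(line):
            # "Checking ... of iphlpsvc:" names its service inline; "Checking Start type:" uses the header's
            name = m["svc"] or svc
            if name:
                rep.broken.setdefault(name, {})[m["what"]] = m["msg"]
        elif m := OK_LINE.match(line):
            rep.ok.add(m["svc"])
        elif m := NOTIFY_ICON.match(line):
            rep.broken.setdefault("Security Center Notification Icon", {})["ShellServiceObject"] = m["msg"]
        elif m := FILE_LEGIT.match(line):
            rep.legit_files.add(m["path"])
            path = None
        elif m := FILE_META.match(line):
            if path:
                rep.unverified_files[path] = m["md5"].upper()
            path = None
        elif m := FILE_PATH.match(line):
            path = m["path"]
        elif m := POLICY.match(line):
            rep.policies[m["name"]] = int(m["val"])
    # A service whose config lines are OK but whose LEGACY_ key is missing still counts as broken.
    rep.ok.difference_update(rep.broken)
    return rep

def diff_reports(before: FssReport, after: FssReport) -> dict:
    """Which broken entries a repair step fixed, left alone, or newly introduced."""
    b, a = set(before.broken), set(after.broken)
    return {"repaired": sorted(b - a), "still_broken": sorted(b & a), "newly_broken": sorted(a - b)}

def findings(rep: FssReport) -> list:
    """Defender-side summary: which protections the report shows as missing or switched off."""
    out = [f"{name}: {len(checks)} registry check(s) failed" for name, checks in sorted(rep.broken.items())]
    if rep.policies.get("DisableAntiSpyware") == 1:
        out.append("Windows Defender is disabled by policy (DisableAntiSpyware=1)")
    if rep.unverified_files:
        out.append(f"{len(rep.unverified_files)} system file(s) not matched to a known-good MD5")
    return out

# Constructed excerpts in the shape of the thread's first log (before ServicesRepair) and a later one.
# {GUID} and the 32-digit MD5 are placeholders, not values from a real scan.
BEFORE_LOG = r"""
MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Security Center Notification Icon =====> Unable to open HKLM\...\ShellServiceObjects\{GUID} key. The key does not exist.
"DisableAntiSpyware"=DWORD:1
Checking Start type of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\wscsvc.dll
[2009-08-18 17:04] - [2009-04-11 00:11] - 0074752 ____A (Microsoft Corporation) 0123456789ABCDEF0123456789ABCDEF
"""
AFTER_LOG = r"""
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
Checking LEGACY_wscsvc: ATTENTION!=====> Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.
Security Center Notification Icon =====> Unable to open HKLM\...\ShellServiceObjects\{GUID} key. The key does not exist.
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
"DisableAntiSpyware"=DWORD:1
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
"""
```

Calling diff_reports(parse_fss(BEFORE_LOG), parse_fss(AFTER_LOG)) reports MpsSvc and iphlpsvc as repaired and wscsvc plus the notification icon as still broken, which mirrors how the thread's logs evolved.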
 
Looks like the only remaining error is...
Code:
Security Center Notification Icon =====> Unable to open HKLM\...\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC} key. The key does not exist.
Interestingly, that entry doesn't exist on my machines, either! (but the error doesn't show....)

Please run the following commands, and post the results..

REG QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}
REG QUERY HKLM\SYSTEM\CurrentControlSet\services\wscsvc /S
 
... also,
REG QUERY "HKEY_CLASSES_ROOT\CLSID\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}"
 
Here are the results. I may have put these commands in wrong; I used the elevated command prompt.

C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Exp
lorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}
ERROR: The system was unable to find the specified registry key or value.

C:\Windows\system32>REG QUERY HKLM\SYSTEM\CurrentControlSet\services\wscsvc /S


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc
DisplayName REG_SZ @%SystemRoot%\System32\wscsvc.dll,-200
ErrorControl REG_DWORD 0x1
ImagePath REG_EXPAND_SZ %SystemRoot%\System32\svchost.exe -k LocalServ
iceNetworkRestricted
Start REG_DWORD 0x2
Type REG_DWORD 0x20
Description REG_SZ @%SystemRoot%\System32\wscsvc.dll,-201
DependOnService REG_MULTI_SZ RpcSs\0WinMgmt
ObjectName REG_SZ NT AUTHORITY\LocalService
ServiceSidType REG_DWORD 0x1
RequiredPrivileges REG_MULTI_SZ SeChangeNotifyPrivilege\0SeImpersonate
Privilege
DelayedAutoStart REG_DWORD 0x1
FailureActions REG_BINARY 80510100000000000000000003000000140000000100
0000C0D4010001000000E09304000000000000000000


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc\Parameters
ServiceDllUnloadOnStop REG_DWORD 0x1
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\wscsvc.dll


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc\Security
Security REG_BINARY 01001480C8000000D4000000140000003000000002001C0001
00000002801400FF010F00010100000000000100000000020098000600000000001400FD01020001
010000000000051200000000001800FF010F0001020000000000052000000020020000000014009D
010200010100000000000504000000000014008D0102000101000000000005060000000000140000
01000001010000000000050B000000000028001500000001060000000000055000000049599D7791
56E555DCF4E20EA78BEBCA7B421356010100000000000512000000010100000000000512000000


C:\Windows\system32>REG QUERY "HKEY_CLASSES_ROOT\CLSID\{FD6905CE-952F-41F1-9A6F-
135D9C6622CC}"


HKEY_CLASSES_ROOT\CLSID\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}
(Default) REG_SZ WscNotify Class


HKEY_CLASSES_ROOT\CLSID\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}\Programmable
 
Also, after I ran that fixing tool from Microsoft, my computer started updating and it did 66 updates successfully (apparently it's been broken since June last year). Not sure if I should redo some of the logs after that. These results I just posted are AFTER all the updates went through.
 
I highly recommend you run a Malwarebytes scan, an ESET online scan and TDSSKILLER at this point...most viruses these days install other malware and viruses!
 
(I agree with those sentiments!)
OK - so we just need to delete the registry value..
Run the following in an Elevated Command Prompt, and post the results.
Then reboot and run another Farbar scan and post those results
REG delete "HKEY_CLASSES_ROOT\CLSID\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}"
 
Command prompt results:

Code:
Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.


C:\Windows\system32>REG delete "HKEY_CLASSES_ROOT\CLSID\{FD6905CE-952F-41F1-9A6F
-135D9C6622CC}"
Permanently delete the registry key HKEY_CLASSES_ROOT\CLSID\{FD6905CE-952F-41F1-
9A6F-135D9C6622CC} (Yes/No)? y
The operation completed successfully.


C:\Windows\system32>


FSS scan results:

Code:
Farbar Service Scanner Version: 05-09-2013
Ran by Jeremy (administrator) on 10-09-2013 at 17:40:37
Running from "C:\Users\Jeremy\Downloads"
Windows Vista (TM) Home Premium Service Pack 2 (X64)
Boot Mode: Normal
****************************************************************


Internet Services:
============


Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.




Windows Firewall:
=============


Firewall Disabled Policy: 
==================




System Restore:
============


System Restore Disabled Policy: 
========================




Security Center:
============


wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
Checking LEGACY_wscsvc: ATTENTION!=====> Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


Security Center Notification Icon =====> Unable to open HKLM\...\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC} key. The key does not exist.




Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.




Windows Autoupdate Disabled Policy: 
============================




Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.




Windows Defender Disabled Policy: 
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1




Other Services:
==============




File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcsvc.dll
[2009-08-18 17:04] - [2009-04-11 00:11] - 0268288 ____A (Microsoft Corporation) 3ED0321127CE70ACDAABBF77E157C2A7


C:\Windows\System32\drivers\afd.sys
[2012-02-15 18:10] - [2012-01-03 07:25] - 0404992 ____A (Microsoft Corporation) C4F6CE6087760AD70960C9EB130E7943


C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2013-09-08 11:40] - [2013-07-04 20:58] - 1417664 ____A (Microsoft Corporation) EA8623BDD511A1ACD18DA4883860ADDE


C:\Windows\System32\dnsrslvr.dll
[2011-04-14 15:37] - [2011-03-02 09:12] - 0117760 ____A (Microsoft Corporation) 06230F1B721494A6DF8D47FD395BB1B0


C:\Windows\System32\mpssvc.dll
[2009-08-18 17:04] - [2009-04-11 00:11] - 0603136 ____A (Microsoft Corporation) 897E3BAF68BA406A61682AE39C83900C


C:\Windows\System32\bfe.dll
[2009-08-18 17:04] - [2009-04-11 00:11] - 0458240 ____A (Microsoft Corporation) FFB96C2589FFA60473EAD78B39FBDE29


C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe
[2009-08-18 17:05] - [2009-04-11 00:11] - 1433600 ____A (Microsoft Corporation) B75232DAD33BFD95BF6F0A3E6BFF51E1


C:\Windows\System32\wscsvc.dll
[2009-08-18 17:04] - [2009-04-11 00:11] - 0074752 ____A (Microsoft Corporation) 9EA3E6D0EF7A5C2B9181961052A4B01A


C:\Windows\System32\wbem\WMIsvc.dll
[2009-08-18 17:04] - [2009-04-11 00:11] - 0221696 ____A (Microsoft Corporation) D2E7296ED1BD26D8DB2799770C077A02


C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll
[2009-08-18 17:05] - [2009-04-11 00:11] - 1081856 ____A (Microsoft Corporation) 6D316F4859634071CC25C4FD4589AD2C


C:\Windows\System32\es.dll
[2009-08-18 17:05] - [2009-04-11 00:11] - 0361984 ____A (Microsoft Corporation) E12F22B73F153DECE721CD45EC05B4AF


C:\Windows\System32\cryptsvc.dll
[2013-09-08 11:40] - [2013-07-07 21:12] - 0174592 ____A (Microsoft Corporation) 5AAC48EAF8EACF247DB44FB61B900D89


C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2009-08-18 17:05] - [2009-04-11 00:11] - 0719872 ____A (Microsoft Corporation) CF8B9A3A5E7DC57724A89D0C3E8CF9EF






**** End of log ****


Ran Malwarebytes; it found 1 trojan but had no problem deleting it, didn't even need to restart. The ESET scan was taking forever and I had to go to bed; will try to run it tonight.
 
Don't forget about TDSSKiller; it is a quick one and will detect rootkits.

Set the "detect TDLFS file system" and the driver signature options; total scan time should only be a couple of minutes.
 
Eurgh! - Sorry....
The penny finally dropped, that we are dealing with Vista here, rather than Win 7! :(

Hokay...
The Key we just deleted should in fact be present - but what's interesting is the new error that's been thrown up in the FSS report.
Removing that Key in my test rig does NOT produce that error.

Obviously, something has hooked into your system to load a driver that's not part of the OS, and prevents the system from loading the Security Center properly.
Please try this,

Open Device Manager
Click on View, and select 'Show hidden devices'
In the section 'Non Plug-and-Play Devices', look for an entry for 'wscsvc'.

If it exists, right-click on it, and select Uninstall. - then reboot
Run another Farbar scan and post the results.
 
Hi Noel,

A little setback, but I think we have made a lot of progress. My Microsoft Security Essentials stopped working properly a long time ago, but it is fixed now! I am sure we are on the right track.

OK, here is the update. I ran the Malwarebytes, ESET and TDSSKILLER scans. MB found 1 trojan, ESET found another, and TDS came back clean. I did not find the item in Device Manager that you were looking for me to uninstall; maybe ESET got it?
Picture of Device Manager:
devicemngr.jpg

Latest FSS log:

Code:
Farbar Service Scanner Version: 05-09-2013
Ran by Jeremy (administrator) on 11-09-2013 at 17:31:11
Running from "C:\Users\Jeremy\Downloads"
Windows Vista (TM) Home Premium Service Pack 2 (X64)
Boot Mode: Normal
****************************************************************


Internet Services:
============


Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.




Windows Firewall:
=============


Firewall Disabled Policy: 
==================




System Restore:
============


System Restore Disabled Policy: 
========================




Security Center:
============


Security Center Notification Icon =====> Unable to open HKLM\...\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC} key. The key does not exist.




Windows Update:
============


Windows Autoupdate Disabled Policy: 
============================




Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.




Windows Defender Disabled Policy: 
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1




Other Services:
==============




File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcsvc.dll
[2009-08-18 17:04] - [2009-04-11 00:11] - 0268288 ____A (Microsoft Corporation) 3ED0321127CE70ACDAABBF77E157C2A7


C:\Windows\System32\drivers\afd.sys
[2012-02-15 18:10] - [2012-01-03 07:25] - 0404992 ____A (Microsoft Corporation) C4F6CE6087760AD70960C9EB130E7943


C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2013-09-08 11:40] - [2013-07-04 20:58] - 1417664 ____A (Microsoft Corporation) EA8623BDD511A1ACD18DA4883860ADDE


C:\Windows\System32\dnsrslvr.dll
[2011-04-14 15:37] - [2011-03-02 09:12] - 0117760 ____A (Microsoft Corporation) 06230F1B721494A6DF8D47FD395BB1B0


C:\Windows\System32\mpssvc.dll
[2009-08-18 17:04] - [2009-04-11 00:11] - 0603136 ____A (Microsoft Corporation) 897E3BAF68BA406A61682AE39C83900C


C:\Windows\System32\bfe.dll
[2009-08-18 17:04] - [2009-04-11 00:11] - 0458240 ____A (Microsoft Corporation) FFB96C2589FFA60473EAD78B39FBDE29


C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe
[2009-08-18 17:05] - [2009-04-11 00:11] - 1433600 ____A (Microsoft Corporation) B75232DAD33BFD95BF6F0A3E6BFF51E1


C:\Windows\System32\wscsvc.dll
[2009-08-18 17:04] - [2009-04-11 00:11] - 0074752 ____A (Microsoft Corporation) 9EA3E6D0EF7A5C2B9181961052A4B01A


C:\Windows\System32\wbem\WMIsvc.dll
[2009-08-18 17:04] - [2009-04-11 00:11] - 0221696 ____A (Microsoft Corporation) D2E7296ED1BD26D8DB2799770C077A02


C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll
[2009-08-18 17:05] - [2009-04-11 00:11] - 1081856 ____A (Microsoft Corporation) 6D316F4859634071CC25C4FD4589AD2C


C:\Windows\System32\es.dll
[2009-08-18 17:05] - [2009-04-11 00:11] - 0361984 ____A (Microsoft Corporation) E12F22B73F153DECE721CD45EC05B4AF


C:\Windows\System32\cryptsvc.dll
[2013-09-08 11:40] - [2013-07-07 21:12] - 0174592 ____A (Microsoft Corporation) 5AAC48EAF8EACF247DB44FB61B900D89


C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2009-08-18 17:05] - [2009-04-11 00:11] - 0719872 ____A (Microsoft Corporation) CF8B9A3A5E7DC57724A89D0C3E8CF9EF






**** End of log ****
 
FYI, when you run TDSSKiller you must go into "parameters", leave the top section alone, and select both options in the lower section.

These two options in the lower section will check for unsigned drivers and a common rootkit file system (TDLFS).

If it finds a rootkit file system, remove it (sometimes you have to remove it twice, not sure why).

It WILL find unsigned drivers; either post a screen cap or google each of them. Anything you recognize is probably OK; for example, I see a lot of unsigned HP drivers in there all the time. You can expand each entry to see the file name and path.
 
Yeah Deek, I checked those boxes and it found several HP drivers but nothing malicious. I know I have had rootkits in the past, but I got help somewhere to remove those with ComboFix and HijackThis type stuff; maybe there is just some leftover garbage from that.
 
The Farbar scan is now only complaining about the removed registry entry, so we're nearly there :)

I've uploaded a file - scnot.zip - to my SkyDrive at Noel's SkyDrive

Please download and save it to your desktop.

Right-click on the saved file and select Extract all...

Save it to the default location.

This should create a file scnot.reg

Right-click on the file, and select Merge

Accept the warnings - you should then get a 'Success' message.

Close all windows, and reboot.
Run another Farbar scan, and hopefully that will be error-free.
 
