Help removing Zero Access Rootkit

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by timmytheman2, Sep 23, 2011.

  1. timmytheman2

    timmytheman2 Private E-2

    Zero Access rootkit infected TCP/IP stack: unable to connect to the internet, services are all disabled, and more issues.

    Ran the following:

    TDSSKiller, which was unable to cure the file
    HijackThis
    GMER
    OTL
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, timmytheman2!

    I need you to complete as much of this as possible: READ & RUN ME FIRST Malware Removal Guide

    The logs you should be attaching are:
    • log from MBAM
    • log from SAS
    • log from ComboFix
    • log from RootRepeal
    • MGlogs.zip from MGtools
     
  3. timmytheman2

    timmytheman2 Private E-2

    Copy of Windows is no longer activated -- unable to log in.

    log from MBAM -- Unable to scan; starts to scan, then closes
    log from SAS -- Unable to scan; starts to scan, then closes
    log from ComboFix -- Freezes computer and says infected with ZeroAccess on TCP/IP
    log from RootRepeal -- Starts scan, then it closed
    MGlogs.zip from MGtools -- Successful, uploaded
     

    Attached Files:

  4. thisisu

    thisisu Malware Consultant

    How did you get MGtools.exe to run if you weren't able to log in?
     
  5. timmytheman2

    timmytheman2 Private E-2

    I was able to get it to run, then restarted due to a freeze, and am not able to now.
     
  6. thisisu

    thisisu Malware Consultant

    Does Safe Mode with Command Prompt log you off instantly too?
    Can you try it? We may need to work from here first.

    To try to boot into Safe Mode with Command Prompt, follow these steps:
    1. Restart the computer.
    2. When you see the black-and-white Starting Windows bar at the bottom of the screen, start tapping the F8 key.
    3. When you get to the boot menu, use the arrow keys to select Safe mode with Command Prompt
    4. Then Press Enter.
    5. The computer restarts in Safe mode with Command Prompt. This can take several minutes.

    You will be prompted with a DOS prompt window that takes up most of the screen.
    Type in explorer and press ENTER
    Explorer should launch and you should be able to see most of your desktop.
    From here you can close the command prompt window by typing exit

    Let me know if you were able to boot into this mode. You won't have internet access in this mode; it sounds like the ZA infection already disabled that anyway, so let me know from another PC or however you are currently doing it.
     
  7. timmytheman2

    timmytheman2 Private E-2

    Same thing with Safe Mode.

    Any Safe Mode option.

    Can't activate over the net because I don't have any now; it gives me the option to do it over the phone, but I'm not entirely sure what happens if I do.
     
  8. thisisu

    thisisu Malware Consultant

    Do you have any blank CD-Rs and another working computer (not sure, you could be typing from a smartphone...) you can use to make a bootable CD?
     
  9. timmytheman2

    timmytheman2 Private E-2

    Yes, I am using my new Win7 x64 build since this hard drive crapped out on me.

    The infected hard drive is in the computer next to me.
     
  10. timmytheman2

    timmytheman2 Private E-2

  11. thisisu

    thisisu Malware Consultant

  12. timmytheman2

    timmytheman2 Private E-2

    Just using a web link to get into Explorer view; after a while it kicks me out.
    Normal Windows.
     
  13. thisisu

    thisisu Malware Consultant

    While you are using that method, can you download this from the working computer and transfer it over to the infected computer?

    RemoveWGA
    See the download links under the download icon.
    Then double-click removewga.exe to run.
    Say yes you want it to run, then reboot. Try normal Mode first, see if this helped at all.

    Note: this is not a hack or bypass for Windows activation. You will still need a valid product key. Some malware will retrigger the activation process.
     
  14. timmytheman2

    timmytheman2 Private E-2

    Yes, I can. FYI, I'm a computer tech too, but I've never seen any malware like this one.
    Ran the exe and it removed 2 files and rebooted.
    Copy of Windows is still not activated.
    Still closing after a while.
     
  15. thisisu

    thisisu Malware Consultant

    Ok hang on while I prepare some instructions for a bootable CD.
     
  16. timmytheman2

    timmytheman2 Private E-2

    I have the ISO; can I use Daemon Tools?
     
  17. thisisu

    thisisu Malware Consultant

    Copy the attached Fix.txt file to a USB.

    Download: http://oldtimer.geekstogo.com/OTLPEStd.exe -- 93.5MB

    • Double click OTLPEStd.exe and this will then open imgburn to burn the file to CD
    • Reboot your system using the boot CD you just created.
    • Your system should now display a Reatogo desktop.
    • Insert your USB drive with fix.txt on it
    • Start OTLPE
    • Drag and drop fix.txt into the Custom Scans/Fixes box
      If you cannot drag and drop for some reason, press the Run Fix button and a dialogue box will pop up asking for the location; select the file on your USB drive
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot when it is done to normal mode if possible
    • When complete, Notepad will open.
    • Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (How to attach items to your post)
     

    Attached Files:

    • fix.txt
      File size:
      4.8 KB
      Views:
      28
  18. timmytheman2

    timmytheman2 Private E-2

    System requires a reboot to finish removing files?

    Yes or no?
     
  19. thisisu

    thisisu Malware Consultant

  20. timmytheman2

    timmytheman2 Private E-2

    Log File
     

    Attached Files:

  21. thisisu

    thisisu Malware Consultant

    Are you able to log in now?

    That fix removed most of what needed to be removed.
     
  22. timmytheman2

    timmytheman2 Private E-2

    Still getting "Copy of Windows is not activated".

    Try to activate over the net?
     
  23. thisisu

    thisisu Malware Consultant

    If LAN works, sure. You may need to resort to phone.
     
  24. timmytheman2

    timmytheman2 Private E-2

    Nope, LAN is not working.
     
  25. thisisu

    thisisu Malware Consultant

    Can you check if this process is still running?

    wpabaln.exe

    It's in C:\WINDOWS\system32\wpabaln.exe. I don't want you to delete the file, but see if you can stop/end the process from Task Manager.
     
  26. timmytheman2

    timmytheman2 Private E-2

    Don't see it in TaskManager
     

    Attached Files:

  27. thisisu

    thisisu Malware Consultant

    I want you to delete ComboFix.exe from the desktop and then empty it from Recycle Bin.
    Once you have done that, redownload and attempt to run ComboFix from the desktop. -- Download Link
     
  28. timmytheman2

    timmytheman2 Private E-2

    ComboFix is running, but how long should it take?

    640 GB hard drive.

    I did say all my services were disabled,
    and I can't seem to start Dhcp due to errors.

    All services were disabled -- I started some, but am unable to get Dhcp to start due to errors: "the dependency service does not exist or has been marked for deletion".
    TCP/IP Protocol Driver is one of the two dependencies, and IPsec.
    IPsec -- "a socket operation encountered a dead network".
    Unable to connect to anything.
     
  29. thisisu

    thisisu Malware Consultant

    From the working computer download ComboFix.exe, then transfer it to the infected computer. Then try to run ComboFix.exe on the infected computer.
     
  30. timmytheman2

    timmytheman2 Private E-2

    ComboFix is running, but how long should it take?

    640 GB hard drive.


    I let it sit for over 2 hrs before.
     
  31. thisisu

    thisisu Malware Consultant

    This is common with this infection. I find it best to completely remove the infection first before trying to repair TCP/IP stack.

    At least 10 minutes, with the type of infection you have probably closer to 30 minutes.

    Was it progressing? What stage did it get to? As long as it doesn't take over 30 minutes to get to a new stage, I let it keep running.
     
  32. timmytheman2

    timmytheman2 Private E-2

    Alright, so did we remove the infection already? And I just need to wait for ComboFix to do its work and give me the log to post for you tomorrow?
     
  33. timmytheman2

    timmytheman2 Private E-2

    It never left "Scanning for infected files"; it only popped a window open telling me it was ZeroAccess.
     
  34. thisisu

    thisisu Malware Consultant

    This I won't know for sure until I receive new logs of OTL Mglogs.zip and ComboFix. OTL claims it removed many parts of it, and I think it did, but sometimes you will still see them present in the next set of logs. I definitely think we've weakened it. It's tied into so many drivers and files that it usually takes a while to completely remove it. ComboFix running is a good sign though.

    If ComboFix works, please start trying to re-run MBAM, SAS, RootRepeal, c:\MGtools\GetLogs.bat, and OTL.
    Let me know what problems you are still experiencing too.
     
  35. timmytheman2

    timmytheman2 Private E-2

    I have faith in you to solve this issue :p

    Just ComboFix seems to never go onto the first stage.

    AutoScan screen, but I will wait.

    Let me know when you think it should be done.
     
  36. thisisu

    thisisu Malware Consultant

    Thanks :)
    The completion of stages 1 and 2 is typically what takes the longest.

    Give it a couple of hours; you have a very bad infection. As long as it doesn't close on its own and the HDD LED light doesn't stop blinking, it is most likely still working.
     
  37. timmytheman2

    timmytheman2 Private E-2

    Question:

    I did have Daemon Tools installed but uninstalled it.

    Might that cause problems?
     
  38. thisisu

    thisisu Malware Consultant

  39. timmytheman2

    timmytheman2 Private E-2

    Alright, I did read that. Alright, well, I'll let it run until I wake up, I guess.

    Any certain time you'll be around? I'll be around all day tomorrow if you have some time out of your day.

    It's 3 AM here now.
     
  40. thisisu

    thisisu Malware Consultant

    Same here. I should be on throughout the day.
     
  41. timmytheman2

    timmytheman2 Private E-2

    Still on "Scanning for infected files".
     
  42. thisisu

    thisisu Malware Consultant

    Which stage is CF on?
     
  43. timmytheman2

    timmytheman2 Private E-2

    Still never goes to a stage.
     
  44. thisisu

    thisisu Malware Consultant

    K, just close ComboFix's window if possible.

    We're going to do some other scans. The below TDSSKiller is a newer version than the one you have already run.

    Now we need to run TDSSKiller by Kaspersky.
    Follow the instructions here and attach your log when you are finished. (How to attach items to your post)

    Please download OTL by Old Timer to your desktop.
    • See the download links under the download icon.
    • Double-click OTL.exe to run (Vista and Win7 right click and select Run as administrator)
    • When the window appears, underneath Output at the top-right, make sure Standard Output is selected.
    • Select Scan All Users.
    • Under the Extra Registry section, check Use SafeList.
    • Check the boxes beside LOP Check and Purity Check.
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      netsvcs
      %systemdrive%\*.exe
      /md5start
      atapi.sys
      csrss.exe
      explorer.exe
      ipnat.sys
      ipsec.sys
      regedit.exe
      svchost.exe
      tcpip.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemroot%\*. /mp /s
      %windir%\assembly\tmp\L /s
      %windir%\assembly\tmp\U /s
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      hklm\software\clients\startmenuinternet|command /rs
      hklm\software\clients\startmenuinternet|command /64 /rs
      
    • Now click the Run Scan button.
    • When the scan is complete, Notepad will open with the results of the OTL scan.
    • Close Notepad.
    • There will be two log files on your desktop entitled OTL.txt and Extras.txt.
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach items to your post)

    After doing this, try rerunning MBAM. Let me know if it still closes on you or not.
     
  45. timmytheman2

    timmytheman2 Private E-2

    Malwarebytes scan is running; it hasn't closed yet.

    Files
     

    Attached Files:

  46. thisisu

    thisisu Malware Consultant

    Good! Your OTL log looks much better as well. If this is right, most of the infection is gone. After you attach your MBAM log, complete the below:

    Now we need to make use of OTL by Old Timer.
    • Double-click OTL.exe to run (Vista and Win7 right-click and select Run as administrator)
    • When OTL opens, copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      :processes
      killallprocesses
      :otl
      IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 17 9B D6 01 1B FE 59 40 9F 22 51 1B 1A 5A F2 1E  [binary data]
      IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 17 9B D6 01 1B FE 59 40 9F 22 51 1B 1A 5A F2 1E  [binary data]
      IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 17 9B D6 01 1B FE 59 40 9F 22 51 1B 1A 5A F2 1E  [binary data]
      IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 17 9B D6 01 1B FE 59 40 9F 22 51 1B 1A 5A F2 1E  [binary data]
      IE - HKU\S-1-5-21-1645522239-1606980848-682003330-1003\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found
      FF - prefs.js..browser.search.defaultengine: "Ask.com"
      FF - prefs.js..browser.search.defaultenginename: "Ask.com"
      FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2233703&SearchSource=3&q={searchTerms}"
      FF - prefs.js..browser.search.order.1: "Ask.com"
      O3 - HKLM\..\Toolbar: (no name) -  - No CLSID value found.
      O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
      O3 - HKU\S-1-5-21-1645522239-1606980848-682003330-1003\..\Toolbar\WebBrowser: (no name) - {D3FBBA39-B2CD-4A1A-81B5-E940850BDF59} - No CLSID value found.
      O3 - HKU\S-1-5-21-1645522239-1606980848-682003330-1003\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
      [2011/09/24 03:46:18 | 000,000,000 | --SD | C] -- C:\ComboFix
      [2011/09/24 02:35:31 | 004,226,543 | R--- | C] (Swearware) -- C:\Documents and Settings\Travis\Desktop\ComboFix.exe
      [2 C:\Documents and Settings\Travis\*.tmp files -> C:\Documents and Settings\Travis\*.tmp -> ]
      [2010/05/17 12:27:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
      [2009/09/19 14:05:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
      [2009/05/09 22:15:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
      @Alternate Data Stream - 229 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E41EAF13
      @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
      :services
      :files
      C:\WINDOWS\$NtUninstallKB18725$
      ping google.com /c
      ipconfig /all /c
      dir C:\WINDOWS\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb
      dir C:\Documents and Settings\Travis\Local Settings\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb
      :reg
      :commands
      [purity]
      [createrestorepoint]
      [emptytemp]
      [emptyflash]
      
    • Now click the Run Fix button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • Click the OK button.
    • When complete, Notepad will open.
    • Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (How to attach items to your post)
    • Now open OTL again and click the Run Scan button
      Note: This automatically updates the OTL.txt log on your desktop.
    • Attach OTL.txt to your next message. (How to attach items to your post)

    Please download WinSock XP Fix by Fabio Pinto to your desktop.
    See the download links under the download icon.

    • Double-click WinsockxpFix.exe to run.
    • Click the Fix button.
      Note: You will hear a long beep -- This is normal.
    • Reboot your PC
    • Let me know if internet connection works.

    Please download Win32kDiag to the root of your C:\ drive. It must be saved here or the below will not work!
    • Now press and hold the Windows key on your keyboard, then press the letter r on your keyboard.
    • This opens the Run dialog box.
    • Then copy the below bold text and paste it into the Open: text-field and press ENTER.
      C:\win32kdiag.exe -f -r
    • When it's finished, there will be a log called Win32kDiag.txt on your desktop.
    • Attach this log to your next message. (How to attach items to your post)

    LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS
     
    Last edited: Sep 24, 2011
  47. timmytheman2

    timmytheman2 Private E-2

    Still no internet access.

    Some services are still disabled and won't start.

    Some files are messed up, e.g. zip files: they work but show a blank picture, and some file security settings.
     

    Attached Files:

  48. timmytheman2

    timmytheman2 Private E-2

    More logs

    Unable to turn on MS firewall because the service won't start.
     

    Attached Files:

    Last edited: Sep 24, 2011
  49. thisisu

    thisisu Malware Consultant

    Copy the text in the code box below into Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "All files". Once you have saved it, double-click it and allow it to merge with the registry.
    Code:
    REGEDIT4
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ALG]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AudioSrv]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cisvc]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COMSysApp]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DcomLaunch]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmadmin]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmserver]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dot3svc]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EapHost]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventSystem]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvc]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HidServ]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hkmsvc]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTPFilter]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ImapiService]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LmHosts]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmsrvc]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSDTC]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\napagent]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDE]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDEdsdm]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netman]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nla]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtLmSsp]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtmsSvc]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PlugPlay]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ProtectedStorage]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RSVP]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SamSs]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardSvr]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SENS]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ShellHWDetection]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\stisvc]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SwPrv]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TapiSrv]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkWks]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPS]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winmgmt]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wmi]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiApSrv]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WZCSVC]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov]
    "Start"=dword:00000003
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Now reboot your PC regardless if it was successful or not then complete the below:

    Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Notes:
    • This will automatically update all the logs inside MGlogs.zip
    • Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.
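    Added example (not part of the thread, and not a MajorGeeks or OTL tool): the fixme.reg above works by resetting the "Start" value of each service key under HKLM\SYSTEM\CurrentControlSet\Services (2 = automatic, 3 = manual, 4 = disabled), which is exactly what the "all services disabled" symptom earlier in the thread comes down to. The script below parses a REGEDIT4-style fix like that one, compares it with a snapshot of the live Services hive (as produced by reg export), and reports services whose start type differs or whose key is missing; it also checks the Dhcp dependency chain the poster described, where an absent dependency key is what produces "the dependency service does not exist or has been marked for deletion". Both .reg inputs and the DEPENDS map are constructed for illustration; DEPENDS follows the poster's description (TCP/IP driver and IPsec) rather than a full DependOnService listing.

```python
import re

# Service "Start" values as the Service Control Manager reads them
# (SERVICE_BOOT_START ... SERVICE_DISABLED).
START_NAMES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}

# Key line of one service under the Services hive; group 1 is the service name.
KEY_RE = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]$', re.I)
START_RE = re.compile(r'^"Start"=dword:([0-9a-f]{8})$', re.I)


def parse_reg_start_values(text):
    """Return {service: start_value} from REGEDIT4 or 'Version 5.00' .reg text.
    Other values under a key (Type, DisplayName, ...) are skipped, so the same
    parser reads both a hand-written fix and a 'reg export' of the live hive."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = START_RE.match(line)
        if m and current is not None:
            result[current] = int(m.group(1), 16)
    return result


def _ci(mapping):
    """Registry key names are case-insensitive; index a snapshot that way."""
    return {k.lower(): v for k, v in mapping.items()}


def diff_start_types(expected, current):
    """(service, expected, actual) for each service that differs or is missing."""
    cur = _ci(current)
    return [(svc, want, cur.get(svc.lower()))
            for svc, want in sorted(expected.items(), key=lambda kv: kv[0].lower())
            if cur.get(svc.lower()) != want]


def check_dependencies(current, depends):
    """{service: [deps]} where a dependency is disabled (Start=4) or absent.
    An absent key is the case behind the SCM error the poster saw."""
    cur = _ci(current)
    problems = {}
    for svc, deps in depends.items():
        bad = [d for d in deps if cur.get(d.lower()) in (None, 4)]
        if bad:
            problems[svc] = bad
    return problems


def report(expected, current, depends):
    """Plain-text lines for both checks."""
    lines = []
    for svc, want, got in diff_start_types(expected, current):
        found = START_NAMES.get(got, "missing")
        lines.append(f"{svc}: expected {START_NAMES[want]}, found {found}")
    for svc, bad in check_dependencies(current, depends).items():
        lines.append(f"{svc}: dependency problem with {', '.join(bad)}")
    return lines


# Constructed subset of the fixme.reg above: the Start values these should have.
FIX_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002
"""

# Constructed 'reg export' snapshot mimicking the thread's symptoms: services
# set to disabled, the IPSec driver disabled and the Tcpip key absent.
CURRENT_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"Type"=dword:00000020
"Start"=dword:00000004
"DisplayName"="DHCP Client"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec]
"Type"=dword:00000001
"Start"=dword:00000004
"""

# Assumed dependency chain, taken from the poster's description of the Dhcp
# error (TCP/IP driver and IPsec); not a full DependOnService listing.
DEPENDS = {"Dhcp": ["Tcpip", "IPSec"]}

if __name__ == "__main__":
    for line in report(parse_reg_start_values(FIX_REG),
                       parse_reg_start_values(CURRENT_REG), DEPENDS):
        print(line)
```

On a real machine you would feed CURRENT_REG from `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` taken on the infected box (from the clean PC, via USB, since the infected one has no network), and FIX_REG from the fixme.reg you were given; a service that still reports "missing" after the merge needs its key recreated, not just its Start value changed, which is why the merge alone did not bring Dhcp back when Tcpip's key was gone.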
     
  50. timmytheman2

    timmytheman2 Private E-2

    Was successful, but after reboot got the following error:

    Explorer.exe application error

    Failed to initialize properly (0xc0000022)
    Clicked OK and waiting for the PC to come up.
     
