Interesting....
Please download the Farbar Service Scanner from
http://www.bleepingcomputer.com/download/farbar-service-scanner/
Right-click on the saved file and select 'Run as Administrator', and tick all the options, then click on the Scan button - copy and paste the report to your response.
here you go. Are we getting anything useful from all this so far?
Code:Farbar Service Scanner Version: 17-08-2013 Ran by Admin (administrator) on 17-08-2013 at 16:04:05 Running from "C:\Users\Admin\Downloads" Microsoft Windows 7 Professional Service Pack 1 (X64) Boot Mode: Normal **************************************************************** Internet Services: ============ Connection Status: ============== Localhost is accessible. LAN connected. Google IP is accessible. Google.com is accessible. Yahoo.com is accessible. Windows Firewall: ============= Firewall Disabled Policy: ================== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall"=DWORD:0 System Restore: ============ System Restore Disabled Policy: ======================== Action Center: ============ Windows Update: ============ Windows Autoupdate Disabled Policy: ============================ Windows Defender: ============== WinDefend Service is not running. Checking service configuration: The start type of WinDefend service is OK. The ImagePath of WinDefend service is OK. The ServiceDll of WinDefend service is OK. Other Services: ============== File Check: ======== C:\Windows\System32\nsisvc.dll => MD5 is legit C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit C:\Windows\System32\dhcpcore.dll => MD5 is legit C:\Windows\System32\drivers\afd.sys => MD5 is legit C:\Windows\System32\drivers\tdx.sys => MD5 is legit C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit C:\Windows\System32\dnsrslvr.dll => MD5 is legit C:\Windows\System32\mpssvc.dll => MD5 is legit C:\Windows\System32\bfe.dll => MD5 is legit C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit C:\Windows\System32\SDRSVC.dll => MD5 is legit C:\Windows\System32\vssvc.exe => MD5 is legit C:\Windows\System32\wscsvc.dll => MD5 is legit C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit C:\Windows\System32\wuaueng.dll => MD5 is legit C:\Windows\System32\qmgr.dll => MD5 is legit C:\Windows\System32\es.dll => MD5 is legit C:\Windows\System32\cryptsvc.dll => MD5 is legit C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit C:\Windows\System32\ipnathlp.dll => MD5 is legit C:\Windows\System32\iphlpsvc.dll => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\System32\rpcss.dll => MD5 is legit **** End of log ****
Bother - that shows nothing, but I'm not sure that it covers the normal Event services anyhow, so we'll have to check them manually.
Please open an Elevated Command Prompt, and run the following commands...
SC QC EVENTLOG
SC QUERYEX EVENTLOG
SC QC wecsvc
SC QUERYEX wecsvc
SC QC EVENTSYSTEM
SC QUERYEX EVENTSYSTEM
Post the results...
Here are some instructions to make life easier :)
1) To open an Elevated Command Prompt Window (the ECP window), click on Start, All Programs, Accessories – then right-click on Command Prompt, and select Run as Administrator. Accept the UAC prompt.
2) To run the commands easier, highlight the block of commands, and right-click on the highlight – select Copy. In the CP Window, click on the black/white icon at top left – select Paste. The commands will run but may not complete the last command, so hit the Enter Key once.
3) To copy the results... click on the Black/White icon in the top left, and select Edit... 'Select All', and hit the Enter key - then use Ctrl+V or r-click+Paste to paste it into your response.
Code:Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation. All rights reserved. C:\Windows\system32>SC QC EVENTLOG [SC] QueryServiceConfig SUCCESS SERVICE_NAME: EVENTLOG TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Windows\System32\svchost.exe -k LocalServiceNetw orkRestricted LOAD_ORDER_GROUP : Event Log TAG : 0 DISPLAY_NAME : Windows Event Log DEPENDENCIES : SERVICE_START_NAME : NT AUTHORITY\LocalService C:\Windows\system32>SC QUERYEX EVENTLOG SERVICE_NAME: EVENTLOG TYPE : 20 WIN32_SHARE_PROCESS STATE : 1 STOPPED WIN32_EXIT_CODE : 5 (0x5) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 0 FLAGS : C:\Windows\system32>SC QC wecsvc [SC] QueryServiceConfig SUCCESS SERVICE_NAME: wecsvc TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Windows\system32\svchost.exe -k NetworkService LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Windows Event Collector DEPENDENCIES : HTTP : Eventlog SERVICE_START_NAME : NT AUTHORITY\NetworkService C:\Windows\system32>SC QUERYEX wecsvc SERVICE_NAME: wecsvc TYPE : 20 WIN32_SHARE_PROCESS STATE : 1 STOPPED WIN32_EXIT_CODE : 1077 (0x435) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 0 FLAGS : C:\Windows\system32>SC QC EVENTSYSTEM [SC] QueryServiceConfig SUCCESS SERVICE_NAME: EVENTSYSTEM TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Windows\system32\svchost.exe -k LocalService LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : COM+ Event System DEPENDENCIES : rpcss SERVICE_START_NAME : NT AUTHORITY\LocalService C:\Windows\system32>SC QUERYEX EVENTSYSTEM SERVICE_NAME: EVENTSYSTEM TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 456 FLAGS : C:\Windows\system32>
You appear to be getting an Access Denied error on attempting to start the Eventlog service, for some reason.
I'll do some hunting and see if I can track down a test regime - shout if you haven't heard by Wednesday!
Noel,
I decided to format since I need to have the computer ready by tomorrow afternoon.
Thanks for all the help.
Quote