Malware- Lenovo- 20230629

Discussion in 'Malware Help (A Specialist Will Reply)' started by manilka835, Jun 29, 2023.

  1. manilka835

    manilka835 Specialist

    Another laptop computer has been received for usage.

    I have run READ & RUN ME FIRST- Malware Removal Guide to make sure there is no malware. The relevant logs are attached.


    Dr. K.D.J.H. Manilka Jayawardena,
    Medical Officer of Health,
    Katana.
    Proud to be a Sri Lankan!
     


  2. Oh My!

    Oh My! Malware Expert Staff Member

    Greetings.

    Please run a FRST Scan like you did on the other topic and post the reports.
     
  3. manilka835

    manilka835 Specialist

    FRST.txt & Addition.txt logs are uploaded as the message exceeds 40000 characters and hence an error is reported.

     


  4. Oh My!

    Oh My! Malware Expert Staff Member

    Greetings.

    Although I see no evidence of malicious software I am assuming you would like to streamline this machine as well.

    I am recommending removing both Comodo and Avast (and Smart Defrag) then you can reinstall one of the antivirus programs once we are done, if you would like.

    Please consider and do this.

    ===================================================

    Uninstalling Programs Using Revo Uninstaller Free Portable

    --------------------

    • Download Revo Uninstaller Free Portable and save it to your Desktop
    • Right click on the folder and select Extract All..., then click Extract
    • Double click on the RevoUninstaller-Portable folder
    • Right click on RevoUPort and select Run as administrator
    • Click OK on the License Agreement
    • From the list of programs double click on the listed program(s), or anything similar, to remove it (if it exists)
    Code:
    Avast Free Antivirus
    COMODO Firewall
    Internet Security Essentials
    Smart Defrag 8
    
    • If the program's uninstaller appears work through the steps to remove the program(s)
    • Be sure the Advanced option is selected then click Scan
    • For each window that may appear identifying leftover items click Select All, Delete, then confirm the deletion
    • Once done click Finish
    • Reboot your computer
    ===================================================

    Farbar Recovery Scan Tool Fix

    --------------------
    • Right click on the FRST icon and select Run as administrator
    • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
    • There is no need to paste the information anywhere, FRST will do it for you
    Code:
    Start::
    CreateRestorePoint:
    CloseProcesses:
    S3 MpKsl002b68cd; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{1FCA4DD1-E88F-4A16-8865-45BE23758ED1}\MpKslDrv.sys [X] 
    S3 MpKsl1406ecdf; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{1FCA4DD1-E88F-4A16-8865-45BE23758ED1}\MpKslDrv.sys [X] 
    S3 MpKsl24a90b0c; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{1FCA4DD1-E88F-4A16-8865-45BE23758ED1}\MpKslDrv.sys [X] 
    S3 MpKsl9d138be5; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{1FCA4DD1-E88F-4A16-8865-45BE23758ED1}\MpKslDrv.sys [X] 
    S3 MpKslcc5d5319; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{1FCA4DD1-E88F-4A16-8865-45BE23758ED1}\MpKslDrv.sys [X] 
    S3 MpKslda8cf445; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{1FCA4DD1-E88F-4A16-8865-45BE23758ED1}\MpKslDrv.sys [X] 
    HKLM-x32\...\Run: [DataCardMonitor] => C:\Program Files (x86)\T-Mobile\InternetManager_H\DataCardMonitor.exe*AppData\LoñÜ**óD**8*,*è*,*am Files (x86)\T-Mobile\InternetManager_H\DataCardMonitor.exe***è*,*À*,*****óD**è*,*À*,*øÜ**õD**ÿÿÿÿÿÿÿÿ (the data entry has 56 more characters). (No File) 
    ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File 
    HKLM-x32\...\Run: [DataCardMonitor] => C:\Program Files (x86)\T-Mobile\InternetManager_H\DataCardMonitor.exe*AppData\LoñÜ**óD**8*,*è*,*am Files (x86)\T-Mobile\InternetManager_H\DataCardMonitor.exe***è*,*À*,*****óD**è*,*À*,*øÜ**õD**ÿÿÿÿÿÿÿÿ (the data entry has 56 more characters). (No File) 
    U1 aswbdisk; no ImagePath 
    FF HKLM-x32\...\Firefox\Extensions: [ff-bmboc@bytemobile.com] - C:\Program Files\T-Mobile\InternetManager_H\OCx64\addon => not found 
    GroupPolicy: Restriction - Chrome <==== ATTENTION 
    Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION 
    HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION 
    HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION 
    AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [136] 
    AlternateDataStreams: C:\Users\USER\Desktop\FRST64.exe:MBAM.Zone.Identifier [193] 
    HKU\S-1-5-21-1065632034-2401704988-3883178100-1001\...\MountPoints2: {16f83c4d-6e4f-11e7-8622-08d40c5f4a0f} - "G:\AutoRun.exe"
    HKU\S-1-5-21-1065632034-2401704988-3883178100-1001\...\MountPoints2: {64c0338a-f8fd-11eb-9c17-08d40c5f4a0f} - "G:\AutoRun.exe"
    HKU\S-1-5-21-1065632034-2401704988-3883178100-1001\...\MountPoints2: {64c03424-f8fd-11eb-9c17-08d40c5f4a0f} - "G:\AutoRun.exe"
    HKU\S-1-5-21-1065632034-2401704988-3883178100-1001\...\MountPoints2: {64c03aac-f8fd-11eb-9c17-08d40c5f4a0f} - "G:\AutoRun.exe"
    HKU\S-1-5-21-1065632034-2401704988-3883178100-1001\...\MountPoints2: {c7ef4c3b-72f7-11e7-9bca-08d40c5f4a0f} - "G:\AutoRun.exe"
    HKU\S-1-5-21-1065632034-2401704988-3883178100-1001\...\MountPoints2: {cac56c11-98ff-11eb-9c0c-08d40c5f4a0f} - "G:\AutoRun.exe"
    cmd: netsh winsock reset catalog
    cmd: netsh int ip reset resetlog.txt
    cmd: netsh advfirewall reset
    cmd: netsh advfirewall set allprofiles state ON
    cmd: bitsadmin /reset /allusers
    cmd: ipconfig /flushdns
    Removeproxy:
    hosts:
    cmd: sfc /scannow
    cmd: DISM /Online /Cleanup-Image /CheckHealth
    Emptytemp:
    End::
    
    • Click Fix
    • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
    • Note: This step resets your Firewall settings and you may be asked later to grant permission for legitimate programs to pass through the Firewall. If you recognize the program agree to the request.
    • Note: The Emptytemp: command will remove cookies and may result in some websites (like banking) indicating they do not recognize your computer. It may be necessary to receive and apply a verification code.
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
    • Programs uninstall?
    • Fixlog
     
  5. manilka835

    manilka835 Specialist

    Thank You and Greetings!

    The following were uninstalled:
    • Avast Free Antivirus
    • COMODO Firewall
    • Internet Security Essentials
    • Smart Defrag 8
    Fixlog information
    Fix result of Farbar Recovery Scan Tool (x64) Version: 28-06-2023
    Ran by USER (30-06-2023 16:56:05) Run:1
    Running from C:\Users\USER\Desktop
    Loaded Profiles: USER
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    Start::
    CreateRestorePoint:
    CloseProcesses:
    S3 MpKsl002b68cd; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{1FCA4DD1-E88F-4A16-8865-45BE23758ED1}\MpKslDrv.sys [X]
    S3 MpKsl1406ecdf; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{1FCA4DD1-E88F-4A16-8865-45BE23758ED1}\MpKslDrv.sys [X]
    S3 MpKsl24a90b0c; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{1FCA4DD1-E88F-4A16-8865-45BE23758ED1}\MpKslDrv.sys [X]
    S3 MpKsl9d138be5; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{1FCA4DD1-E88F-4A16-8865-45BE23758ED1}\MpKslDrv.sys [X]
    S3 MpKslcc5d5319; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{1FCA4DD1-E88F-4A16-8865-45BE23758ED1}\MpKslDrv.sys [X]
    S3 MpKslda8cf445; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{1FCA4DD1-E88F-4A16-8865-45BE23758ED1}\MpKslDrv.sys [X]
    HKLM-x32\...\Run: [DataCardMonitor] => C:\Program Files (x86)\T-Mobile\InternetManager_H\DataCardMonitor.exe*AppData\LoñÜ**óD**8*,*è*,*am Files (x86)\T-Mobile\InternetManager_H\DataCardMonitor.exe***è*,*À*,*****óD**è*,*À*,*øÜ**õD**ÿÿÿÿÿÿÿÿ (the data entry has 56 more characters). (No File)
    ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
    HKLM-x32\...\Run: [DataCardMonitor] => C:\Program Files (x86)\T-Mobile\InternetManager_H\DataCardMonitor.exe*AppData\LoñÜ**óD**8*,*è*,*am Files (x86)\T-Mobile\InternetManager_H\DataCardMonitor.exe***è*,*À*,*****óD**è*,*À*,*øÜ**õD**ÿÿÿÿÿÿÿÿ (the data entry has 56 more characters). (No File)
    U1 aswbdisk; no ImagePath
    FF HKLM-x32\...\Firefox\Extensions: [ff-bmboc@bytemobile.com] - C:\Program Files\T-Mobile\InternetManager_H\OCx64\addon => not found
    GroupPolicy: Restriction - Chrome <==== ATTENTION
    Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
    HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
    HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
    AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [136]
    AlternateDataStreams: C:\Users\USER\Desktop\FRST64.exe:MBAM.Zone.Identifier [193]
    HKU\S-1-5-21-1065632034-2401704988-3883178100-1001\...\MountPoints2: {16f83c4d-6e4f-11e7-8622-08d40c5f4a0f} - "G:\AutoRun.exe"
    HKU\S-1-5-21-1065632034-2401704988-3883178100-1001\...\MountPoints2: {64c0338a-f8fd-11eb-9c17-08d40c5f4a0f} - "G:\AutoRun.exe"
    HKU\S-1-5-21-1065632034-2401704988-3883178100-1001\...\MountPoints2: {64c03424-f8fd-11eb-9c17-08d40c5f4a0f} - "G:\AutoRun.exe"
    HKU\S-1-5-21-1065632034-2401704988-3883178100-1001\...\MountPoints2: {64c03aac-f8fd-11eb-9c17-08d40c5f4a0f} - "G:\AutoRun.exe"
    HKU\S-1-5-21-1065632034-2401704988-3883178100-1001\...\MountPoints2: {c7ef4c3b-72f7-11e7-9bca-08d40c5f4a0f} - "G:\AutoRun.exe"
    HKU\S-1-5-21-1065632034-2401704988-3883178100-1001\...\MountPoints2: {cac56c11-98ff-11eb-9c0c-08d40c5f4a0f} - "G:\AutoRun.exe"
    cmd: netsh winsock reset catalog
    cmd: netsh int ip reset resetlog.txt
    cmd: netsh advfirewall reset
    cmd: netsh advfirewall set allprofiles state ON
    cmd: bitsadmin /reset /allusers
    cmd: ipconfig /flushdns
    Removeproxy:
    hosts:
    cmd: sfc /scannow
    cmd: DISM /Online /Cleanup-Image /CheckHealth
    Emptytemp:
    End::
    *****************

    Restore point was successfully created.
    Processes closed successfully.
    MpKsl002b68cd => service not found.
    MpKsl1406ecdf => service not found.
    MpKsl24a90b0c => service not found.
    MpKsl9d138be5 => service not found.
    MpKslcc5d5319 => service not found.
    MpKslda8cf445 => service not found.
    "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\DataCardMonitor" => removed successfully
    HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\igfxcui => removed successfully
    "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\DataCardMonitor" => not found
    HKLM\System\CurrentControlSet\Services\aswbdisk => removed successfully
    aswbdisk => service removed successfully
    "HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\ff-bmboc@bytemobile.com" => removed successfully
    C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
    C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
    C:\WINDOWS\SysWOW64\GroupPolicy\GPT.ini => moved successfully
    C:\ProgramData\NTUSER.pol => moved successfully
    HKLM\SOFTWARE\Policies\Mozilla => removed successfully
    HKLM\SOFTWARE\Policies\Google => removed successfully
    C:\ProgramData\TEMP => ":5C321E34" ADS removed successfully
    C:\Users\USER\Desktop\FRST64.exe => ":MBAM.Zone.Identifier" ADS removed successfully
    HKU\S-1-5-21-1065632034-2401704988-3883178100-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{16f83c4d-6e4f-11e7-8622-08d40c5f4a0f} => removed successfully
    HKU\S-1-5-21-1065632034-2401704988-3883178100-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{64c0338a-f8fd-11eb-9c17-08d40c5f4a0f} => removed successfully
    HKU\S-1-5-21-1065632034-2401704988-3883178100-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{64c03424-f8fd-11eb-9c17-08d40c5f4a0f} => removed successfully
    HKU\S-1-5-21-1065632034-2401704988-3883178100-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{64c03aac-f8fd-11eb-9c17-08d40c5f4a0f} => removed successfully
    HKU\S-1-5-21-1065632034-2401704988-3883178100-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c7ef4c3b-72f7-11e7-9bca-08d40c5f4a0f} => removed successfully
    HKU\S-1-5-21-1065632034-2401704988-3883178100-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cac56c11-98ff-11eb-9c0c-08d40c5f4a0f} => removed successfully

    ========= netsh winsock reset catalog =========


    Sucessfully reset the Winsock Catalog.
    You must restart the computer in order to complete the reset.



    ========= End of CMD: =========


    ========= netsh int ip reset resetlog.txt =========

    Resetting Compartment Forwarding, OK!
    Resetting Compartment, OK!
    Resetting Control Protocol, OK!
    Resetting Echo Sequence Request, OK!
    Resetting Global, OK!
    Resetting Interface, OK!
    Resetting Anycast Address, OK!
    Resetting Multicast Address, OK!
    Resetting Unicast Address, OK!
    Resetting Neighbor, OK!
    Resetting Path, OK!
    Resetting Potential, OK!
    Resetting Prefix Policy, OK!
    Resetting Proxy Neighbor, OK!
    Resetting Route, OK!
    Resetting Site Prefix, OK!
    Resetting Subinterface, OK!
    Resetting Wakeup Pattern, OK!
    Resetting Resolve Neighbor, OK!
    Resetting , OK!
    Resetting , OK!
    Resetting , OK!
    Resetting , OK!
    Resetting , failed.
    Access is denied.

    Resetting , OK!
    Resetting , OK!
    Resetting , OK!
    Resetting , OK!
    Resetting , OK!
    Resetting , OK!
    Resetting , OK!
    Restart the computer to complete this action.



    ========= End of CMD: =========


    ========= netsh advfirewall reset =========

    Ok.



    ========= End of CMD: =========


    ========= netsh advfirewall set allprofiles state ON =========

    Ok.



    ========= End of CMD: =========


    ========= bitsadmin /reset /allusers =========


    BITSADMIN version 3.0
    BITS administration utility.
    (C) Copyright 2000-2006 Microsoft Corp.

    BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
    Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

    {8D3EC0EC-88BD-457D-9C1B-28A4982D9B20} canceled.
    1 out of 1 jobs canceled.


    ========= End of CMD: =========


    ========= ipconfig /flushdns =========


    Windows IP Configuration

    Successfully flushed the DNS Resolver Cache.


    ========= End of CMD: =========


    ========= RemoveProxy: =========

    "HKU\S-1-5-21-1065632034-2401704988-3883178100-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings" => removed successfully
    "HKU\S-1-5-21-1065632034-2401704988-3883178100-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings" => removed successfully


    ========= End of RemoveProxy: =========

    C:\Windows\System32\Drivers\etc\hosts => moved successfully
    Hosts restored successfully.

    ========= sfc /scannow =========



    Beginning system scan. This process will take some time.



    Beginning verification phase of system scan.

    Verification 100% complete.


    Windows Resource Protection did not find any integrity violations.



    ========= End of CMD: =========


    ========= DISM /Online /Cleanup-Image /CheckHealth =========


    Deployment Image Servicing and Management tool
    Version: 10.0.15063.0

    Image Version: 10.0.15063.0

    No component store corruption detected.
    The operation completed successfully.


    ========= End of CMD: =========


    =========== EmptyTemp: ==========

    FlushDNS => completed
    BITS transfer queue => 0 B
    DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 136205139 B
    Java, Discord, Steam htmlcache, WinHttpAutoProxySvc/winhttp *.cache => 3328 B
    Windows/system/drivers => 731918918 B
    Edge => 6066167 B
    Chrome => 3440949 B
    Firefox => 62246714 B
    Opera => 0 B

    Temp, IE cache, history, cookies, recent:
    Default => 0 B
    ProgramData => 0 B
    Public => 0 B
    systemprofile => 0 B
    systemprofile32 => 0 B
    LocalService => 2572 B
    NetworkService => 144028728 B
    USER => 422631598 B

    RecycleBin => 366166465 B
    EmptyTemp: => 1.7 GB temporary data Removed.

    ================================


    The system needed a reboot.

    ==== End of Fixlog 17:26:12 ====
     


  6. Oh My!

    Oh My! Malware Expert Staff Member

    Thanks for the detailed reply.

    Things are looking quite nice. Are you experiencing any issues?
     
  7. manilka835

    manilka835 Specialist

    The computer
    • No Malware found
    Issue
    Windows Updates
    Update status
    "There were some problems installing updates, but we'll try again later. If you keep seeing this and want to search the web or contact for information, this may help: (0X80070422)"

    0X80070422 did not fix the issue.
     
  8. Oh My!

    Oh My! Malware Expert Staff Member

    Let's see what we can do about Windows Update. Please do this.

    ===================================================

    Farbar Recovery Scan Tool Fix

    --------------------
    • Right click on the FRST icon and select Run as administrator
    • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
    • There is no need to paste the information anywhere, FRST will do it for you
    Code:
    Start::
    Zip: C:\Windows\Logs\CBS
    End::
    
    • Click Fix
    • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
    • The tool will create a zipped folder in the same location from where FRST was run with today's date, example: 06.11.2016_13.24.50.zip. Upload the file to GoFile or the file hosting site of your choice and post the download link in your reply.
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
    • Fixlog
    • Download link
     
  9. manilka835

    manilka835 Specialist

    Fixlog information

    Fix result of Farbar Recovery Scan Tool (x64) Version: 28-06-2023
    Ran by USER (01-07-2023 12:24:43) Run:2
    Running from C:\Users\USER\Desktop
    Loaded Profiles: USER
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    Start::
    Zip: C:\Windows\Logs\CBS
    End::
    *****************

    ================== Zip: ===================
    C:\Windows\Logs\CBS -> copied successfully to C:\Users\USER\Desktop\01.07.2023_12.24.43.zip
    =========== Zip: End ===========

    ==== End of Fixlog 12:24:46 ====


    Download link to 01.07.2023_12.24.43 File: https://gofile.io/d/OHFIqm
     


  10. Oh My!

    Oh My! Malware Expert Staff Member

    Thank you for the reports.

    Please run this.

    ===================================================

    Farbar Service Scanner

    --------------------

    • Please note: Any security warning you may receive is a false positive detection
    • Please download Farbar Service Scanner and save it to your Desktop
    • Right click on FSS.exe and select Run as administrator
    • Make sure the following options are checked:
    Internet Services
    Windows Firewall
    System Restore
    Security Center/Action Center
    Windows Update
    Windows Defender
    Other Services
    • Press Scan
    • Please copy and paste the contents of the FSS.txt report in your reply.
    ===================================================

    Windows Update Troubleshooter - Windows 10

    --------------------

    • Click Start, type Troubleshooter and hit Enter
    • Click Additional (or Other) troubleshooters
    • Select Windows Update
    • Report the results
    • Check Windows Update. If you receive an error message report the error information in your reply
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
    • FSS.txt
    • Windows Update troubleshooter results
     
  11. manilka835

    manilka835 Specialist

    FSS.txt log information
    Farbar Service Scanner Version: 30-04-2023
    Ran by USER (administrator) on 02-07-2023 at 09:40:37
    Running from "C:\Users\USER\Desktop"
    Microsoft Windows 10 Pro (X64)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============


    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============


    Firewall Disabled Policy:
    ==================


    System Restore:
    ============


    System Restore Policy:
    ========================


    Windows Security:
    ============


    Windows Update:
    ============
    wuauserv Service is not running. Error while attempting to start wuauserv:
    System error 1058 has occurred.

    The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

    Checking service configuration:
    The start type of wuauserv service is set to Disabled. The default start type, depending on the OS, is either Auto or Demand.
    The ImagePath of wuauserv service is OK (ImagePath=%systemroot%\system32\svchost.exe -k netsvcs).
    The ServiceDll of wuauserv service is OK.
    WaaSMedicSvc Service is not running. Error while attempting to start WaaSMedicSvc:
    The service name is invalid.

    More help is available by typing NET HELPMSG 2185.

    Checking service configuration:
    Checking Start type of WaaSMedicSvc: ATTENTION!=====> Unable to open WaaSMedicSvc registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open WaaSMedicSvc registry key. The service key does not exist.
    Checking ServiceDll of WaaSMedicSvc: ATTENTION!=====> Unable to open WaaSMedicSvc registry key. The service key does not exist.
    dosvc Service is not running. Checking service configuration:
    The start type of dosvc service is OK (Start=Auto).
    The ImagePath of dosvc: "%systemroot%\system32\svchost.exe -k netsvcs".
    The ServiceDll of dosvc service is OK.


    Windows Autoupdate Disabled Policy:
    ============================
    ATTENTION!=====> policy restriction on WindowsUpdate: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend: ""%ProgramFiles%\Windows Defender\MsMpEng.exe"".


    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1


    Other Services:
    ==============


    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => File is digitally signed
    C:\Windows\System32\Drivers\nsiproxy.sys => File is digitally signed
    C:\Windows\System32\Drivers\netbt.sys => File is digitally signed
    C:\Windows\System32\Drivers\tdx.sys => File is digitally signed
    C:\Windows\System32\Drivers\afd.sys => File is digitally signed
    C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
    C:\Windows\System32\dnsrslvr.dll => File is digitally signed
    C:\Windows\System32\dnsapi.dll => File is digitally signed
    C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
    C:\Windows\System32\mpssvc.dll => File is digitally signed
    C:\Windows\System32\bfe.dll => File is digitally signed
    C:\Windows\System32\Drivers\mpsdrv.sys => File is digitally signed
    C:\Windows\System32\SDRSVC.dll => File is digitally signed
    C:\Windows\System32\vssvc.exe => File is digitally signed
    C:\Windows\System32\SecurityHealthService.exe => File is digitally signed
    C:\Windows\System32\wscsvc.dll => File is digitally signed
    C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
    C:\Windows\System32\wuaueng.dll => File is digitally signed
    C:\Windows\System32\qmgr.dll => File is digitally signed
    C:\Windows\System32\es.dll => File is digitally signed
    C:\Windows\System32\cryptsvc.dll => File is digitally signed

    ATTENTION!=====> C:\Windows\System32\usosvc.dll FILE IS MISSING.


    ATTENTION!=====> C:\Windows\System32\WaaSMedicSvc.dll FILE IS MISSING.

    C:\Windows\System32\dosvc.dll => File is digitally signed
    C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
    C:\Windows\System32\ipnathlp.dll => File is digitally signed
    C:\Windows\System32\iphlpsvc.dll => File is digitally signed
    C:\Windows\System32\svchost.exe => File is digitally signed
    C:\Windows\System32\rpcss.dll => File is digitally signed


    **** End of log ****


    Windows Update troubleshooter results
    Windows Update Troubleshooter - Windows 10 was initiated as follows:

    "Start > Settings > Update & Security > Troubleshoot > Windows Update > Run the Troubleshooter > Try troubleshooter as an administrator >

    Download and install pending updates
    Did you know that there are pending updates for this machine? Choose the "Apply this fix" option below to start the update process in the background immediately.

    Apply this fix

    Trouble shooting has completed
    The troubleshooter made some changes to your system. Try attempting the task you were trying to do before problem found

    Check for pending updates: fixed"

    The following error message on Windows Update still appears.

    "Update status
    There were some problems installing updates, but we'll try again later. If you keep seeing this and want to search the web or contact for information, this may help: (0X80070422)"
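
Added example (not part of the thread and not written by either poster): a small triage script that parses an FSS.txt report and decodes the Windows Update error code, showing that 0X80070422 carries Win32 error 1058, the same "System error 1058" FSS reports for wuauserv. The sample text is trimmed from the FSS.txt posted above; the function names are this example's own.

```python
import re

# Excerpt copied from the FSS.txt report in the post above (trimmed).
SAMPLE_FSS = r"""Windows Update:
============
wuauserv Service is not running. Error while attempting to start wuauserv:
System error 1058 has occurred.

Checking service configuration:
The start type of wuauserv service is set to Disabled. The default start type, depending on the OS, is either Auto or Demand.
The ImagePath of wuauserv service is OK (ImagePath=%systemroot%\system32\svchost.exe -k netsvcs).
WaaSMedicSvc Service is not running. Error while attempting to start WaaSMedicSvc:
The service name is invalid.
Checking Start type of WaaSMedicSvc: ATTENTION!=====> Unable to open WaaSMedicSvc registry key. The service key does not exist.
dosvc Service is not running. Checking service configuration:
The start type of dosvc service is OK (Start=Auto).

Windows Autoupdate Disabled Policy:
============================
ATTENTION!=====> policy restriction on WindowsUpdate: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.

ATTENTION!=====> C:\Windows\System32\usosvc.dll FILE IS MISSING.
ATTENTION!=====> C:\Windows\System32\WaaSMedicSvc.dll FILE IS MISSING.
"""

NOT_RUNNING = re.compile(r"^(\S+) Service is not running\.")
SYSTEM_ERROR = re.compile(r"^System error (\d+) has occurred\.")
START_TYPE = re.compile(r"^The start type of (\S+) service is set to (\w+)\.")
MISSING_KEY = re.compile(r"Unable to open (\S+) registry key")
MISSING_FILE = re.compile(r"ATTENTION!=====> (.+?) FILE IS MISSING\.")
POLICY = re.compile(r"ATTENTION!=====> policy restriction on (\w+): (\S+)")

FACILITY_WIN32 = 7  # HRESULTs of the form 0x8007xxxx wrap a Win32 error code


def decode_hresult(value):
    """Split a 32-bit HRESULT into severity bit, facility and 16-bit code."""
    return {
        "failure": bool((value >> 31) & 1),
        "facility": (value >> 16) & 0x7FF,
        "code": value & 0xFFFF,
    }


def parse_fss(text):
    """Collect the deviations an FSS.txt report flags, keyed by kind."""
    report = {"not_running": [], "system_errors": {}, "start_types": {},
              "missing_keys": [], "missing_files": [], "policies": []}
    attempted = None  # service whose start attempt the next error line belongs to
    for raw in text.splitlines():
        line = raw.strip()
        if m := NOT_RUNNING.match(line):
            report["not_running"].append(m.group(1))
            started = "Error while attempting to start" in line
            attempted = m.group(1) if started else None
        elif (m := SYSTEM_ERROR.match(line)) and attempted:
            report["system_errors"][attempted] = int(m.group(1))
        elif m := START_TYPE.match(line):
            # FSS prints "is set to X" only when X differs from the default
            report["start_types"][m.group(1)] = m.group(2)
        elif m := MISSING_KEY.search(line):
            if m.group(1) not in report["missing_keys"]:
                report["missing_keys"].append(m.group(1))
        elif m := MISSING_FILE.search(line):
            report["missing_files"].append(m.group(1))
        elif m := POLICY.search(line):
            report["policies"].append((m.group(1), m.group(2)))
    return report


def services_matching_update_error(hresult_text, report):
    """Return services whose FSS start error equals the Win32 code in the HRESULT."""
    h = decode_hresult(int(hresult_text, 16))
    if not h["failure"] or h["facility"] != FACILITY_WIN32:
        return []
    return [svc for svc, code in report["system_errors"].items()
            if code == h["code"]]


if __name__ == "__main__":
    parsed = parse_fss(SAMPLE_FSS)
    print(decode_hresult(0x80070422))
    print("non-default start types:", parsed["start_types"])
    print("matches update error:", services_matching_update_error("0X80070422", parsed))
```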
     
  12. Oh My!

    Oh My! Malware Expert Staff Member

    I apologize but in light of the changes made by Windows Update Troubleshooter can you run Farbar Service Scanner for me again?
     
  13. manilka835

    manilka835 Specialist

    FSS.txt log information

    Farbar Service Scanner Version: 30-04-2023
    Ran by USER (administrator) on 03-07-2023 at 10:29:52
    Running from "C:\Users\USER\Desktop"
    Microsoft Windows 10 Pro (X64)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============


    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Attempt to access Yahoo.com returned error: Yahoo.com is unreachable


    Windows Firewall:
    =============


    Firewall Disabled Policy:
    ==================


    System Restore:
    ============


    System Restore Policy:
    ========================


    Windows Security:
    ============


    Windows Update:
    ============
    wuauserv Service is not running. Error while attempting to start wuauserv:
    System error 1058 has occurred.

    The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

    Checking service configuration:
    The start type of wuauserv service is set to Disabled. The default start type, depending on the OS, is either Auto or Demand.
    The ImagePath of wuauserv service is OK (ImagePath=%systemroot%\system32\svchost.exe -k netsvcs).
    The ServiceDll of wuauserv service is OK.
    WaaSMedicSvc Service is not running. Error while attempting to start WaaSMedicSvc:
    The service name is invalid.

    More help is available by typing NET HELPMSG 2185.

    Checking service configuration:
    Checking Start type of WaaSMedicSvc: ATTENTION!=====> Unable to open WaaSMedicSvc registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open WaaSMedicSvc registry key. The service key does not exist.
    Checking ServiceDll of WaaSMedicSvc: ATTENTION!=====> Unable to open WaaSMedicSvc registry key. The service key does not exist.
    dosvc Service is not running. Checking service configuration:
    The start type of dosvc service is OK (Start=Auto).
    The ImagePath of dosvc: "%systemroot%\system32\svchost.exe -k netsvcs".
    The ServiceDll of dosvc service is OK.


    Windows Autoupdate Disabled Policy:
    ============================
    ATTENTION!=====> policy restriction on WindowsUpdate: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend: ""%ProgramFiles%\Windows Defender\MsMpEng.exe"".


    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1


    Other Services:
    ==============


    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => File is digitally signed
    C:\Windows\System32\Drivers\nsiproxy.sys => File is digitally signed
    C:\Windows\System32\Drivers\netbt.sys => File is digitally signed
    C:\Windows\System32\Drivers\tdx.sys => File is digitally signed
    C:\Windows\System32\Drivers\afd.sys => File is digitally signed
    C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
    C:\Windows\System32\dnsrslvr.dll => File is digitally signed
    C:\Windows\System32\dnsapi.dll => File is digitally signed
    C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
    C:\Windows\System32\mpssvc.dll => File is digitally signed
    C:\Windows\System32\bfe.dll => File is digitally signed
    C:\Windows\System32\Drivers\mpsdrv.sys => File is digitally signed
    C:\Windows\System32\SDRSVC.dll => File is digitally signed
    C:\Windows\System32\vssvc.exe => File is digitally signed
    C:\Windows\System32\SecurityHealthService.exe => File is digitally signed
    C:\Windows\System32\wscsvc.dll => File is digitally signed
    C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
    C:\Windows\System32\wuaueng.dll => File is digitally signed
    C:\Windows\System32\qmgr.dll => File is digitally signed
    C:\Windows\System32\es.dll => File is digitally signed
    C:\Windows\System32\cryptsvc.dll => File is digitally signed

    ATTENTION!=====> C:\Windows\System32\usosvc.dll FILE IS MISSING.


    ATTENTION!=====> C:\Windows\System32\WaaSMedicSvc.dll FILE IS MISSING.

    C:\Windows\System32\dosvc.dll => File is digitally signed
    C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
    C:\Windows\System32\ipnathlp.dll => File is digitally signed
    C:\Windows\System32\iphlpsvc.dll => File is digitally signed
    C:\Windows\System32\svchost.exe => File is digitally signed
    C:\Windows\System32\rpcss.dll => File is digitally signed


    **** End of log ****
     
  14. Oh My!

    Oh My! Malware Expert Staff Member

    Thank you.

    Please run this.

    ===================================================

    Farbar Recovery Scan Tool Search

    --------------------
    • Launch FRST
    • Type the following in the Search: box
    Code:
    usosvc.dll;WaaSMedicSvc.dll
    
    • Click Search Files button
    • When completed click OK and a Search.txt document will open on your desktop
    • Copy and paste the contents of that document in your reply
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
    • Search.txt
     
  15. manilka835

    manilka835 Specialist

    Search.txt log information

    Farbar Recovery Scan Tool (x64) Version: 28-06-2023
    Ran by USER (04-07-2023 08:26:13)
    Running from C:\Users\USER\Desktop
    Boot Mode: Normal

    ================== Search Files: "usosvc.dll;WaaSMedicSvc.dll" =============


    ====== End of Search ======
     
  16. Oh My!

    Oh My! Malware Expert Staff Member

    I am still doing some research but please do this.

    ===================================================

    Farbar Recovery Scan Tool Fix

    --------------------
    • Right click on the FRST icon and select Run as administrator
    • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
    • There is no need to paste the information anywhere, FRST will do it for you
    Code:
    Start::
    ExportKey: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION
    ExportKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
    ExportKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windefend
    End::
    
    • Click Fix
    • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
    • Fixlog
     
  17. manilka835

    manilka835 Specialist

    Fixlog information

    Fix result of Farbar Recovery Scan Tool (x64) Version: 28-06-2023
    Ran by USER (05-07-2023 13:48:02) Run:3
    Running from C:\Users\USER\Desktop
    Loaded Profiles: USER
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    Start::
    ExportKey: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION
    ExportKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
    ExportKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windefend
    End::
    *****************

    ================== ExportKey: ===================

    [HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
    [HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
    "NoAutoRebootWithLoggedOnUsers"="0"

    === End of ExportKey ===
    HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate => removed successfully
    ================== ExportKey: ===================

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
    "SvcHostSplitDisable"="1"
    "SvcMemHardLimitInMB"="246"
    "SvcMemMidLimitInMB"="167"
    "SvcMemSoftLimitInMB"="88"
    "DisplayName"="Windows Update"
    "ErrorControl"="1"
    "ImagePath"="%systemroot%\system32\svchost.exe -k netsvcs"
    "Start"="4"
    "Type"="32"
    "Description"="@%systemroot%\system32\wuaueng.dll,-106"
    "DependOnService"="rpcss"
    "ObjectName"="LocalSystem"
    "ServiceSidType"="1"
    "RequiredPrivileges"="SeAuditPrivilege*SeCreateGlobalPrivilege*SeCreatePageFilePrivilege*SeTcbPrivilege*SeAssignPrimaryTokenPrivilege*SeImpersonatePrivilege*SeIncreaseQuotaPrivilege*SeShutdownPrivilege*SeDebugPrivilege"
    "FailureActions"="80510100000000000000000003000000140000000100000060ea000000000000000000000000000000000000"
    [HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters]
    "ServiceDll"="%systemroot%\system32\wuaueng.dll"
    "ServiceDllUnloadOnStop"="1"
    "ServiceMain"="WUServiceMain"
    [HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Security]
    "Security"="010014807800000084000000140000003000000002001c000100000002801400ff000f000101000000000001000000000200480003000000000014009d00020001010000000000050b00000000001800ff010f0001020000000000052000000020020000 (the data entry has 88 more characters)."
    [HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\TriggerInfo]
    [HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\TriggerInfo\0]
    "Type"="5"
    "Action"="1"
    "Guid"="e6ca9f65db5ba94db1ffca2a178d46e0"
    [HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\TriggerInfo\1]
    "Type"="5"
    "Action"="1"
    "Guid"="c846fb5489f04c46b1fd59d1b62c3b50"

    === End of ExportKey ===
    ================== ExportKey: ===================

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windefend]
    "DisplayName"="@%ProgramFiles%\Windows Defender\MpAsDesc.dll,-310"
    "ErrorControl"="1"
    "ImagePath"=""%ProgramFiles%\Windows Defender\MsMpEng.exe""
    "Start"="3"
    "Type"="16"
    "Description"="@%ProgramFiles%\Windows Defender\MpAsDesc.dll,-240"
    "DependOnService"="RpcSs"
    "ObjectName"="LocalSystem"
    "ServiceSidType"="1"
    "RequiredPrivileges"="SeImpersonatePrivilege*SeBackupPrivilege*SeRestorePrivilege*SeDebugPrivilege*SeChangeNotifyPrivilege*SeLoadDriverPrivilege*SeSecurityPrivilege*SeShutdownPrivilege*SeIncreaseQuotaPrivilege*SeAssignPrim (the data entry has 118 more characters)."
    "FailureActions"="8051010000000000010000000300000014000000030000006400000000000000640000000000000064000000"
    "LaunchProtected"="3"
    "FailureCommand"="C:\WINDOWS\system32\mrt.exe /EHB /ServiceFailure "CAMP=4.11.15063.447;approximate-> Engine=1.1.19100.5;AVSIG=1.363.716.0;ASSIG=1.363.716.0" /StartService /Defender /q"
    [HKLM\SYSTEM\CurrentControlSet\Services\windefend\Security]
    "Security"="01001480f400000000010000140000003000000002001c000100000002801400ff010f000101000000000001000000000200c40007000000000018009d01020001020000000000052000000021020000000014009d010200010100000000000512000000 (the data entry has 336 more characters)."

    === End of ExportKey ===

    ==== End of Fixlog 13:48:02 ====
     

  18. Oh My!

    Oh My! Malware Expert Staff Member

    Thank you for the information.

    Please do this.

    ===================================================

    Farbar Recovery Scan Tool Fix

    --------------------
    • Right click on the FRST icon and select Run as administrator
    • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
    • There is no need to paste the information anywhere, FRST will do it for you
    Code:
    Start::
    
    DeleteKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
    
    StartRegedit:
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
    "SvcHostSplitDisable"="1"
    "SvcMemHardLimitInMB"="246"
    "SvcMemMidLimitInMB"="167"
    "SvcMemSoftLimitInMB"="88"
    "DisplayName"="Windows Update"
    "ErrorControl"="1"
    "ImagePath"="%systemroot%\system32\svchost.exe -k netsvcs"
    "Start"="4"
    "Type"="32"
    "Description"="@%systemroot%\system32\wuaueng.dll,-106"
    "DependOnService"="rpcss"
    "ObjectName"="LocalSystem"
    "ServiceSidType"="1"
    "RequiredPrivileges"="SeAuditPrivilege*SeCreateGlobalPrivilege*SeCreatePageFilePrivilege*SeTcbPrivilege*SeAssignPrimaryTokenPrivilege*SeImpersonatePrivilege*SeIncreaseQuotaPrivilege*SeShutdownPrivilege*SeDebugPrivilege"
    "FailureActions"="80510100000000000000000003000000140000000100000060ea000000000000000000000000000000000000"
    [HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters]
    "ServiceDll"="%systemroot%\system32\wuaueng.dll"
    "ServiceDllUnloadOnStop"="1"
    "ServiceMain"="WUServiceMain"
    [HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Security]
    "Security"="010014807800000084000000140000003000000002001c000100000002801400ff000f000101000000000001000000000200480003000000000014009d00020001010000000000050b00000000001800ff010f0001020000000000052000000020020000 (the data entry has 88 more characters)."
    [HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\TriggerInfo]
    [HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\TriggerInfo\0]
    "Type"="5"
    "Action"="1"
    "Guid"="e6ca9f65db5ba94db1ffca2a178d46e0"
    [HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\TriggerInfo\1]
    "Type"="5"
    "Action"="1"
    "Guid"="c846fb5489f04c46b1fd59d1b62c3b50"
    
    EndRegedit:
    
    ExportKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
    Reboot:
    End::
    
    • Click Fix
    • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
    • Upon reboot check Windows Update
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
    • Fixlog
    • Windows Update?
     
  19. manilka835

    manilka835 Specialist

    Fixlog information

    Fix result of Farbar Recovery Scan Tool (x64) Version: 28-06-2023
    Ran by USER (06-07-2023 09:32:25) Run:4
    Running from C:\Users\USER\Desktop
    Loaded Profiles: USER
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    Start::

    DeleteKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv

    StartRegedit:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
    "SvcHostSplitDisable"="1"
    "SvcMemHardLimitInMB"="246"
    "SvcMemMidLimitInMB"="167"
    "SvcMemSoftLimitInMB"="88"
    "DisplayName"="Windows Update"
    "ErrorControl"="1"
    "ImagePath"="%systemroot%\system32\svchost.exe -k netsvcs"
    "Start"="4"
    "Type"="32"
    "Description"="@%systemroot%\system32\wuaueng.dll,-106"
    "DependOnService"="rpcss"
    "ObjectName"="LocalSystem"
    "ServiceSidType"="1"
    "RequiredPrivileges"="SeAuditPrivilege*SeCreateGlobalPrivilege*SeCreatePageFilePrivilege*SeTcbPrivilege*SeAssignPrimaryTokenPrivilege*SeImpersonatePrivilege*SeIncreaseQuotaPrivilege*SeShutdownPrivilege*SeDebugPrivilege"
    "FailureActions"="80510100000000000000000003000000140000000100000060ea000000000000000000000000000000000000"
    [HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters]
    "ServiceDll"="%systemroot%\system32\wuaueng.dll"
    "ServiceDllUnloadOnStop"="1"
    "ServiceMain"="WUServiceMain"
    [HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Security]
    "Security"="010014807800000084000000140000003000000002001c000100000002801400ff000f000101000000000001000000000200480003000000000014009d00020001010000000000050b00000000001800ff010f0001020000000000052000000020020000 (the data entry has 88 more characters)."
    [HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\TriggerInfo]
    [HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\TriggerInfo\0]
    "Type"="5"
    "Action"="1"
    "Guid"="e6ca9f65db5ba94db1ffca2a178d46e0"
    [HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\TriggerInfo\1]
    "Type"="5"
    "Action"="1"
    "Guid"="c846fb5489f04c46b1fd59d1b62c3b50"

    EndRegedit:

    ExportKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
    Reboot:
    End::
    *****************

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv => removed successfully
    Registry ====> The operation completed successfully.

    ================== ExportKey: ===================

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
    "SvcHostSplitDisable"="1"
    "SvcMemHardLimitInMB"="246"
    "SvcMemMidLimitInMB"="167"
    "SvcMemSoftLimitInMB"="88"
    "DisplayName"="Windows Update"
    "ErrorControl"="1"
    "Start"="4"
    "Type"="32"
    "DependOnService"="rpcss"
    "ObjectName"="LocalSystem"
    "ServiceSidType"="1"
    "RequiredPrivileges"="SeAuditPrivilege*SeCreateGlobalPrivilege*SeCreatePageFilePrivilege*SeTcbPrivilege*SeAssignPrimaryTokenPrivilege*SeImpersonatePrivilege*SeIncreaseQuotaPrivilege*SeShutdownPrivilege*SeDebugPrivilege"
    "FailureActions"="80510100000000000000000003000000140000000100000060ea000000000000000000000000000000000000"

    === End of ExportKey ===


    The system needed a reboot.

    ==== End of Fixlog 09:32:25 ====


    Windows Update

    I am afraid that the following message still appears:

    "Update status
    There were some problems installing updates, but we'll try again later. If you keep seeing this and want to search the web or contact for information, this may help: (0X80070422)

    Your device is at risk because it's out of date and missing important security and quality updates. Let's get you back on track so Windows can run more securely. Select this button to start: Retry"

    After clicking Retry, the above message still appears.
     
  20. Oh My!

    Oh My! Malware Expert Staff Member

    Thank you for the information.

    Please do this. Upon completion check Windows Update.

    ===================================================

    Farbar Recovery Scan Tool Fix

    --------------------
    • Right click on the FRST icon and select Run as administrator
    • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
    • There is no need to paste the information anywhere, FRST will do it for you
    Code:
    Start::
    
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv|Start
    
    StartRegedit:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
    "Start"="2"
    EndRegedit:
    
    ExportKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
    
    Reboot:
    
    End::
    
    • Click Fix
    • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
    • Fixlog
    • Windows Update?
     
  21. manilka835

    manilka835 Specialist

    Fixlog information

    Fix result of Farbar Recovery Scan Tool (x64) Version: 05-07-2023
    Ran by USER (06-07-2023 20:13:43) Run:5
    Running from C:\Users\USER\Desktop
    Loaded Profiles: USER
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    Start::

    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv|Start

    StartRegedit:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
    "Start"="2"
    EndRegedit:

    ExportKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv

    Reboot:

    End::
    *****************

    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Start" => removed successfully
    Registry ====> The operation completed successfully.

    ================== ExportKey: ===================

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
    "SvcHostSplitDisable"="1"
    "SvcMemHardLimitInMB"="246"
    "SvcMemMidLimitInMB"="167"
    "SvcMemSoftLimitInMB"="88"
    "DisplayName"="Windows Update"
    "ErrorControl"="1"
    "Type"="32"
    "DependOnService"="rpcss"
    "ObjectName"="LocalSystem"
    "ServiceSidType"="1"
    "RequiredPrivileges"="SeAuditPrivilege*SeCreateGlobalPrivilege*SeCreatePageFilePrivilege*SeTcbPrivilege*SeAssignPrimaryTokenPrivilege*SeImpersonatePrivilege*SeIncreaseQuotaPrivilege*SeShutdownPrivilege*SeDebugPrivilege"
    "FailureActions"="80510100000000000000000003000000140000000100000060ea000000000000000000000000000000000000"

    === End of ExportKey ===


    The system needed a reboot.

    ==== End of Fixlog 20:13:43 ====


    Windows Update

    I am afraid that the following message still appears:

    "Update status
    There were some problems installing updates, but we'll try again later. If you keep seeing this and want to search the web or contact for information, this may help: (0X80070422)

    Your device is at risk because it's out of date and missing important security and quality updates. Let's get you back on track so Windows can run more securely. Select this button to start: Retry"

    After clicking Retry, the above message still appears.
     

  22. Oh My!

    Oh My! Malware Expert Staff Member

    It doesn't look like all of the Fixlist worked.

    Let's try it manually. Please do this.

    ===================================================

    Manually Modifying Registry Value Information

    --------------------

    Warning: Carefully follow the below instructions. Modifying the Registry improperly can result in significant negative consequences.

    • Press the Windows Key + R at the same time
    • Type regedit and hit Enter
    • Delete the information below File that starts with Computer\ then copy and paste the below in that line
    Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
    • Hit Enter
    • Right click in the right hand window and select New, then String Value
    • Under Name type Start then hit Enter
    • Right click on Start, then select Modify
    • Under Value data: type 2 then click OK
    • Close the Registry Editor window and Restart your computer
    • Attempt Windows Update and report the results
    ===================================================

    Things I would like to see in your next reply.
    • Results?
     
  23. manilka835

    manilka835 Specialist

    Windows Update

    I am afraid that the following message still appears:

    "Update status
    There were some problems installing updates, but we'll try again later. If you keep seeing this and want to search the web or contact for information, this may help: (0X80070422)

    Your device is at risk because it's out of date and missing important security and quality updates. Let's get you back on track so Windows can run more securely. Select this button to start: Retry"

    After clicking Retry, the above message still appears.
     
  24. Oh My!

    Oh My! Malware Expert Staff Member

    I would recommend performing an In-Place Upgrade.

    Please consider and do this.

    ===================================================

    Windows 10 In-Place Upgrade Using Windows Media Creation Tool

    --------------

    Note: Though this process should not affect your files I highly recommend backing up your data files (documents, photos, music, etc.) prior to starting the process. This process will take some time to complete.
    • Navigate to Microsoft's Download Windows 10 page
    • Click Update now
    • Click Save File and save it to your Desktop
    • Right click on the Windows10Upgrade icon and select Run as administrator
    • Click Accept on the license terms screen
    • Select Upgrade this PC now and click Next
    • Once the process completes click Accept
    • On the Ready to install screen confirm Install Windows 10 and Keep personal files and apps are checked. If not click Change what to keep and include those 2 <<<Important<<<
    • Click Install
    • Once completed you will be greeted with a Welcome Back message. Close the browser window and you should be back at your Desktop as it was prior to the process
    • Report the results in your reply
    ===================================================

    Things I would like to see in your next reply.
    • Results?
     
  25. manilka835

    manilka835 Specialist

    Windows 10 Update Assistant did the trick.

    Windows Update

    You're Up to date
     
  26. Oh My!

    Oh My! Malware Expert Staff Member

    Great, it just didn't seem worth it to do anything short of that.

    Any remaining issues with this one?
     
  27. manilka835

    manilka835 Specialist

    No other issues. Laptop seems to be working fine.
     
  28. Oh My!

    Oh My! Malware Expert Staff Member

    Glad to hear that.

    Here is our final step and some additional information to consider.

    ===================================================

    KpRm by Kernel-panik

    --------------
    • Download KpRm and save it to your Desktop (see here if you must use Chrome)
    • Note: If the file is detected as malware it is not and it is safe to download. The detection is a false positive.
    • Right click on the icon and select Run as administrator
    • Click Yes on the Disclaimer
    • Place a check mark in Delete Tools, Create Restore Point, and Delete in 7 days
    • Click Run
    • Click OK on All operations are completed
    • KpRm will delete itself from your Desktop and you can either save or remove the report that is generated
    • You are free to remove any other tools/reports still remaining
    ===================================================

    All Clean!

    --------------

    Your computer is now clean. Please consider this going forward.

    ===================================================

    Please take the time to read below on how to secure the machine and take the necessary steps to keep it clean.

     
  29. manilka835

    manilka835 Specialist

    I guess this wraps things up.
    Thank You so much for your time and effort.

    Till I receive another machine for streamlining, this is yours truly signing off.
     
