Group policy, developer mode, random file changes and denied access. Prevented from doing a fresh install and my pc boot drive is a server

Status
Not open for further replies.

Juggernaut123

New Member
Thread author
Jan 21, 2021
7
I am not able to view gpedit.exe, my access is denied to really making any changes to my pc and I'm stuck in an old version of windows even though I'm installing directly from a CD.


Quick overview:
All devices seem to be infected on network. My pc discovers devices and I assume plants malware on them. I DID NOT have a level incident. Mine is strictly a compromised pc, network and devices on network. I have replaced routers, but with still having pc infected its worthless.


My pc shows it's connected to a server. In task manager there are a ton of server related programs (server hosting etc.).


Using cmd command "systeminfo" my login device is a drive that I don't have (/device/diskfirst/).


When using windows disk I access cmd (shift + F10) at installation prompt to access x:. It shows I am a different pc than my systeminfo (WM followed by #).


Files constantly change file paths.


I have multiple NTUSER files when I unhide files in file explorer. When I drop them in virustotal they come back as malicious. I have tons of desktop.ioi files as well.


When I try to reinstall windows 10 a windows screen briefly loads then disappears, then my windows screen loads.


I have tried to use diskpart to delete/clean disks/vol/partitions but I am unable to get rid of c: even though my os is loaded to d:. I am denied access to "documents & settings" so I grant permission and nothing terribly interesting appears...


I tried sfc /scan and bootrec /fix now but they aren't recognized.


When I connect to the internet I am able to download malwarebytes which seems to restore my system to a visible windows 10 vs a previous out-of date version.


Currently pc is turned off and unplugged from internet to preserve it as is after a fresh install earlier.


I have taken it to computer savvy people but they state nothing is wrong... or they say it's all fixed. Once I log on things begin to modify once I login to the internet. It's very frustrating.


When I try to do a normal boot (aka just turn on) my computer will fail to boot. Meaning it won't be able to find OS or drive. I can access uefi and the only drives available to boot from are my cd drive, yet in my boot menu it shows both my hard drives plus an additional mystery hard drive. When I have tried to delete this in previous attempts regardless of OS location I am not able to.


Previous situations and discoveries:
Over the past month and a half I have had this issue. I have tested files in virus total, I get constant blocked ddos pop-ups, my vpn shows "on" but my ip address on what's my ip and on the bottom of Google show my location accurately. I have tried reinstalling OS, formatting drives, etc. My files after a fresh install show that they were created as far back as 2015, but I also have files that have the current date. I have more access to my pc when I install and am connected to the internet, but I decided to isolate this pc to preserve its contents, because there are tasks in task scheduler that show modification scheduled that I can not change. Also very weird I must say... I am able to boot when I remove my hard drives... I have all my files and everything operates as if I have my hard drives connected.
Windows defender sometimes... when it does work and it finds something, it quickly is removed by the system? (Disappears and I can't remove it) and defender options disappear.

I have used tron script, malwarebytes, tsskiller, Iexplore, roguekiller, Kas, spyhunter 5. Spy hunter 5 whitelists over 750+ files or reg entries but doesn't allow me to remove them or correct them. I started going one by one and using Google to see what they should be and fixing, but after a reboot they return to what they were.

My firewall settings are all messed up and same thing happens when I correct them as well.


Thank you for your time and assistance,


Jugg

nasdaq

Moderator
Verified
Staff Member
Nov 5, 2019
1,425
Hello, Welcome to MalwareTips.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

I can certainly remove any traces of malware or restrictions set by it.
I will see what I can do.
===

Download the suggested Farbar Recovery program from a Good computer or your Phone.
Copy the file to the Desktop of the compromised PC.

Run the programs in Normal Mode and post the logs for my review.
Preferably you should use Normal Mode, if no joy run the program in Safe Mode.

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system and save it to a folder on your computer's Desktop.
Ensure that you are in an Administrator Account.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.

Attach the file(s). A 2 Steps process.
Reply to this topic.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach. <- Step 1.
Click Attach this file. <- Step 2.
Click the Add reply button.

Please post the logs for my review.

Wait for further instructions

p.s.
The Farbar program is updated often.
If it's identified as suspicious by your Anti-Virus program trust it if Downloaded from the link I provided.
You should restore the program from the Quarantine folder.
====

Juggernaut123

New Member
Thread author
Jan 21, 2021
7

Thank you for your reply! I will send results when this weekend.

V/R

Jugg
 

Juggernaut123

New Member
Thread author
Jan 21, 2021
7
The infection symptoms mentioned by you are probably related to the network infection. I am afraid that the problem is too complex for finding a solution online. I would recommend you to find a specialist who could investigate the problem locally. There are several possible scenarios, for example:
  1. Someone is hacking your wireless connection, so the infection will happen soon after connecting to the router.
  2. Another device in the network is still infected and reinfects your computer (it may be a router, another computer, NAS disk, etc.). You have to isolate all devices and check/remove the malware from all devices without connecting any device with other devices. It is hard to do in practice.
  3. The infection somehow survived your disinfection procedure and the new system installation.
Agreed. My desktop discovers other devices on my network (on different subnets (probably vlan hopping, using Metasploit)) and shows they are attached to my pc physically. I believe my PC has multiple malware and is used for attacks against other computers or networks. :(

I appreciate your reply

V/R

Jugg

nasdaq

Moderator
Verified
Staff Member
Nov 5, 2019
1,425
Hi,
Well unless I can review the logs from running the Farbar program there is nothing I can suggest.
My expertise is with malware and what you are describing is not my forte.
 

Juggernaut123

New Member
Thread author
Jan 21, 2021
7
I am having difficulty booting my pc. When I do boot I have to use the windows 10 installation disk... I removed my ssd and I reinstalled windows on the previous D drive. I reformatted it and I was able to boot this morning. The issue with svchost running 70+ times still persists in task manager. I also was able to get into service manager where I found every service running, to include remote connect, keylog and various other services with a dedicated local host login name or networkservice login with a password. I disabled what I could. I will follow up with the logs you requested this evening. Sorry for the delay.

Also I downloaded a clashbot / boostbot in 2015 which ran on memu emulator. Reading up on the suspected malware/Trojans associated with that reflects on the issues I am having. When I introduced that program in or around 10/2015, there are files showing 10/2015 on my pc still. If that helps for a direction. It's related to a mining malware BTW


V/R

Jugg
 

nasdaq

Moderator
Verified
Staff Member
Nov 5, 2019
1,425
Good news.

Please post the 2 Farbar logs for my review.
 

Juggernaut123

New Member
Thread author
Jan 21, 2021
7
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 24-01-2021 01
Ran by Colin (administrator) on DESKTOP-5G638NT (26-01-2021 20:47:12)
Running from C:\Users\Colin\Desktop
Loaded Profiles: Colin
Platform: Windows 10 Home Version 2004 19041.264 (X64) Language: English (United States)
Default browser: Edge
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation -> Microsoft Corporation) C:\Users\Colin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
(Microsoft Windows -> ) C:\Windows\System32\Windows.WARP.JITService.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\browser_broker.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dllhost.exe <2>
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\MicrosoftEdgeCP.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\MicrosoftEdgeSH.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\oobe\UserOOBEBroker.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\WWAHost.exe
(Microsoft Windows Publisher -> Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Windows Publisher -> Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Skype) C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe

==================== Registry (Whitelisted) ===================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

==================== Scheduled Tasks (Whitelisted) ============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.140.10
Tcpip\..\Interfaces\{d04a5bd1-d8cf-4bc0-97b5-8897672be62a}: [DhcpNameServer] 192.168.140.10

==================== Services (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [3004048 2019-12-07] (Microsoft Windows Publisher -> Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103384 2019-12-07] (Microsoft Windows Publisher -> Microsoft Corporation)

===================== Drivers (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 t6sta; C:\Windows\System32\Drivers\t6sta.sys [161608 2020-06-01] (Magic Control Technology Corp. -> Magic Control Technology Corporation)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [46688 2019-12-07] (Microsoft Windows Early Launch Anti-malware Publisher -> Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [350136 2019-12-07] (Microsoft Windows -> Microsoft Corporation)
R3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [54200 2019-12-07] (Microsoft Windows -> Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One month (created) (Whitelisted) =========

(If an entry is included in the fixlist, the file/folder will be moved.)

2021-01-26 23:08 - 2021-01-26 23:08 - 000003378 _____ C:\Windows\system32\Tasks\OneDrive Standalone Update Task-S-1-5-21-781059500-3429141292-3968168903-1001
2021-01-26 23:08 - 2021-01-26 23:08 - 000000000 ___RD C:\Users\Colin\OneDrive
2021-01-26 23:07 - 2021-01-26 23:07 - 000001446 _____ C:\Users\Colin\Desktop\Microsoft Edge.lnk
2021-01-26 23:07 - 2021-01-26 23:07 - 000000000 ____D C:\Users\Colin\AppData\Local\MicrosoftEdge
2021-01-26 23:07 - 2021-01-26 23:07 - 000000000 ____D C:\ProgramData\Microsoft OneDrive
2021-01-26 23:06 - 2021-01-26 23:06 - 000000000 __RHD C:\Users\Public\AccountPictures
2021-01-26 23:06 - 2021-01-26 23:06 - 000000000 ___RD C:\Users\Colin\3D Objects
2021-01-26 23:06 - 2021-01-26 23:06 - 000000000 ____D C:\Users\Colin\AppData\Roaming\Adobe
2021-01-26 23:06 - 2021-01-26 23:06 - 000000000 ____D C:\Users\Colin\AppData\Local\Publishers
2021-01-26 23:06 - 2021-01-26 20:45 - 000000000 ____D C:\ProgramData\Packages
2021-01-26 23:05 - 2021-01-26 23:08 - 000002363 _____ C:\Users\Colin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2021-01-26 23:05 - 2021-01-26 23:06 - 000000000 ____D C:\Users\Colin\AppData\Local\ConnectedDevicesPlatform
2021-01-26 23:05 - 2021-01-26 23:05 - 000000020 ___SH C:\Users\Colin\ntuser.ini
2021-01-26 23:05 - 2021-01-26 23:05 - 000000000 ____D C:\Users\Colin\AppData\Local\VirtualStore
2021-01-26 23:05 - 2021-01-26 20:45 - 000000000 ____D C:\Users\Colin\AppData\Local\Packages
2021-01-26 23:05 - 2021-01-26 20:20 - 000000000 ____D C:\Users\Colin
2021-01-26 23:04 - 2021-01-26 20:46 - 000795738 _____ C:\Windows\system32\PerfStringBackup.INI
2021-01-26 23:00 - 2021-01-26 23:00 - 000000000 _SHDL C:\Documents and Settings
2021-01-26 22:54 - 2021-01-26 22:54 - 000257824 _____ C:\Windows\system32\FNTCACHE.DAT
2021-01-26 22:54 - 2021-01-26 22:54 - 000000000 ____D C:\Windows\system32\Drivers\wd
2021-01-26 22:54 - 2021-01-26 22:54 - 000000000 ____D C:\Windows\ServiceProfiles
2021-01-26 22:54 - 2021-01-26 20:41 - 000008192 ___SH C:\DumpStack.log.tmp
2021-01-26 22:54 - 2021-01-26 20:41 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2021-01-26 22:54 - 2021-01-26 20:41 - 000000000 ____D C:\Windows\system32\SleepStudy
2021-01-26 22:53 - 2021-01-26 22:58 - 000000000 ____D C:\Windows\Panther
2021-01-26 20:42 - 2021-01-26 20:42 - 000000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdFs_01_11_00.Wdf
2021-01-26 20:24 - 2021-01-26 20:48 - 000004101 _____ C:\Users\Colin\Desktop\FRST.txt
2021-01-26 20:23 - 2021-01-26 20:47 - 000000000 ____D C:\FRST
2021-01-26 20:22 - 2021-01-26 20:22 - 002297344 _____ (Farbar) C:\Users\Colin\Desktop\FRST64.exe
2021-01-26 20:21 - 2020-06-30 07:38 - 001265728 _____ (Magic Control Technology Corp.) C:\Windows\system32\t6indisp.dll
2021-01-26 20:21 - 2020-06-01 06:47 - 000161608 _____ (Magic Control Technology Corporation) C:\Windows\system32\Drivers\t6sta.sys
2021-01-26 20:20 - 2021-01-26 20:20 - 000000000 ___HD C:\Users\Colin\MicrosoftEdgeBackups
2021-01-26 20:20 - 2021-01-26 20:20 - 000000000 ____D C:\Users\Colin\AppData\Local\PlaceholderTileLogoFolder

==================== One month (modified) ==================

(If an entry is included in the fixlist, the file/folder will be moved.)

2021-01-26 23:05 - 2019-12-07 01:14 - 000000000 ____D C:\Windows\system32\WinBioDatabase
2021-01-26 23:05 - 2019-12-07 01:03 - 000000000 ____D C:\Windows\CbsTemp
2021-01-26 23:02 - 2019-12-07 01:50 - 000000000 ____D C:\Windows\system32\FxsTmp
2021-01-26 23:02 - 2019-12-07 01:14 - 000000000 ____D C:\Windows\system32\spool
2021-01-26 22:59 - 2019-12-07 01:03 - 000262144 _____ C:\Windows\system32\config\BBI
2021-01-26 22:56 - 2019-12-07 01:14 - 000000000 ___RD C:\Windows\PrintDialog
2021-01-26 22:56 - 2019-12-07 01:14 - 000000000 ___RD C:\Windows\ImmersiveControlPanel
2021-01-26 22:55 - 2019-12-07 01:03 - 000032768 _____ C:\Windows\system32\config\ELAM
2021-01-26 22:53 - 2019-12-07 01:14 - 000028672 _____ C:\Windows\system32\config\BCD-Template
2021-01-26 20:46 - 2019-12-07 01:13 - 000000000 ____D C:\Windows\INF
2021-01-26 20:45 - 2019-12-07 01:14 - 000000000 ___HD C:\Program Files\WindowsApps
2021-01-26 20:45 - 2019-12-07 01:14 - 000000000 ____D C:\Windows\AppReadiness
2021-01-26 20:44 - 2019-12-07 01:14 - 000000000 ____D C:\Windows\ServiceState
2021-01-26 20:42 - 2019-12-07 01:14 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2021-01-26 20:22 - 2019-12-07 01:14 - 000000000 ____D C:\ProgramData\USOPrivate

==================== SigCheck ============================

(There is no automatic fix for files that do not pass verification.)

==================== End of FRST.txt ========================
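The FRST.txt above is read by hand in this kind of thread: the helper scans the Processes, Services and Drivers sections for the signer recorded in parentheses and checks the DHCP-assigned DNS server. The script below is an added example, not part of the thread and not a Farbar tool: it parses those sections from a constructed excerpt of the log posted above (the section headers and entry formats are copied from it) and lists every entry whose signer is not Microsoft, so that a reviewer can see at a glance what needs a closer look. A non-Microsoft signer is a triage cue, not a verdict; the log itself already marks the Windows Defender and Skype entries as whitelisted.

```python
"""Triage helper for FRST.txt: list signers of processes, services and
drivers and flag entries not signed by Microsoft.

Added example; not part of the MalwareTips thread and not Farbar code.
Input format assumed: one FRST entry per line, as FRST writes it.
"""
import re
from typing import Dict, List, Tuple

# Section headers look like "==================== Services (Whitelisted) ===="
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# Process entries: "(Signer -> Publisher) C:\path\file.exe" or "(Signer) C:\path\file.exe"
PROCESS_RE = re.compile(r"^\((.+?)(?: -> (.*?))?\) (\S.*?\.exe)")
# Service/driver entries: "R2 Name; C:\path\file [size date] (Signer -> Publisher)"
SERVICE_RE = re.compile(
    r"^([RS]\d) (\S+); (.+?) \[\d+ \d{4}-\d{2}-\d{2}\] \((.+?)(?: -> (.*?))?\)"
)
DNS_RE = re.compile(r"\[DhcpNameServer\] (\S+)")

# Constructed excerpt of the FRST.txt posted in the thread (subset of entries).
SAMPLE_FRST = r"""
==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation -> Microsoft Corporation) C:\Users\Colin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
(Microsoft Windows -> ) C:\Windows\System32\Windows.WARP.JITService.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dllhost.exe <2>
(Microsoft Windows Publisher -> Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Skype) C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe

==================== Internet (Whitelisted) ====================

Tcpip\Parameters: [DhcpNameServer] 192.168.140.10
Tcpip\..\Interfaces\{d04a5bd1-d8cf-4bc0-97b5-8897672be62a}: [DhcpNameServer] 192.168.140.10

==================== Services (Whitelisted) ===================

R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [3004048 2019-12-07] (Microsoft Windows Publisher -> Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103384 2019-12-07] (Microsoft Windows Publisher -> Microsoft Corporation)

===================== Drivers (Whitelisted) ===================

S3 t6sta; C:\Windows\System32\Drivers\t6sta.sys [161608 2020-06-01] (Magic Control Technology Corp. -> Magic Control Technology Corporation)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [46688 2019-12-07] (Microsoft Windows Early Launch Anti-malware Publisher -> Microsoft Corporation)

==================== End of FRST.txt ========================
"""


def _section_key(name: str):
    """Map a header such as 'Processes (Whitelisted)' to a result key."""
    for key in ("processes", "internet", "services", "drivers"):
        if name.lower().startswith(key):
            return key
    return None


def parse_frst(text: str) -> Dict[str, list]:
    """Walk the log line by line, tracking the current section."""
    result: Dict[str, list] = {"processes": [], "services": [], "drivers": [], "dns": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = _section_key(header.group(1))
            continue
        if section == "processes":
            m = PROCESS_RE.match(line)
            if m:
                result["processes"].append({"signer": m.group(1), "path": m.group(3)})
        elif section in ("services", "drivers"):
            m = SERVICE_RE.match(line)
            if m:
                result[section].append(
                    {"state": m.group(1), "name": m.group(2), "path": m.group(3), "signer": m.group(4)}
                )
        elif section == "internet":
            m = DNS_RE.search(line)
            if m and m.group(1) not in result["dns"]:
                result["dns"].append(m.group(1))
    return result


def flag_non_microsoft(parsed: Dict[str, list]) -> List[Tuple[str, str, str]]:
    """Return (kind, identifier, signer) for every entry not signed by Microsoft."""
    findings = []
    for entry in parsed["processes"]:
        if not entry["signer"].startswith("Microsoft"):
            findings.append(("process", entry["path"], entry["signer"]))
    for kind in ("services", "drivers"):
        for entry in parsed[kind]:
            if not entry["signer"].startswith("Microsoft"):
                findings.append((kind[:-1], entry["name"], entry["signer"]))
    return findings


if __name__ == "__main__":
    parsed = parse_frst(SAMPLE_FRST)
    print("DHCP DNS servers:", parsed["dns"])
    for kind, ident, signer in flag_non_microsoft(parsed):
        print(f"check {kind}: {ident} (signer: {signer})")
```

Running it on the excerpt lists the DNS server 192.168.140.10 and two entries to look at more closely: the Skype app process and the t6sta driver, whose signer is a third-party hardware vendor. On a real log the script is pointed at the saved FRST.txt instead of the embedded sample.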
 

Juggernaut123

New Member
Thread author
Jan 21, 2021
7
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 24-01-2021 01
Ran by Colin (26-01-2021 20:50:48)
Running from C:\Users\Colin\Desktop
Windows 10 Home Version 2004 19041.264 (X64) (2021-01-27 07:01:10)
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-781059500-3429141292-3968168903-500 - Administrator - Disabled)
Colin (S-1-5-21-781059500-3429141292-3968168903-1001 - Administrator - Enabled) => C:\Users\Colin
DefaultAccount (S-1-5-21-781059500-3429141292-3968168903-503 - Limited - Disabled)
Guest (S-1-5-21-781059500-3429141292-3968168903-501 - Limited - Disabled)
WDAGUtilityAccount (S-1-5-21-781059500-3429141292-3968168903-504 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Microsoft OneDrive (HKU\S-1-5-21-781059500-3429141292-3968168903-1001\...\OneDriveSetup.exe) (Version: 19.043.0304.0013 - Microsoft Corporation)

Packages:
=========
Cortana -> C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe [2019-12-07] (Microsoft Corporation)
Mail and Calendar -> C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe [2019-12-07] (Microsoft Corporation) [MS Ad]
Microsoft Advertising SDK for XAML -> C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe [2019-12-07] (Microsoft Corporation) [MS Ad]
Microsoft Solitaire Collection -> C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe [2019-12-07] (Microsoft Studios) [MS Ad]
MSN Weather -> C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe [2019-12-07] (Microsoft Corporation) [MS Ad]
Skype -> C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c [2019-12-07] (Skype)
Your Phone -> C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe [2019-12-07] (Microsoft Corporation)

==================== Custom CLSID (Whitelisted): ==============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== Codecs (Whitelisted) ====================

==================== Shortcuts & WMI ========================

==================== Loaded Modules (Whitelisted) =============

==================== Alternate Data Streams (Whitelisted) ========

==================== Safe Mode (Whitelisted) ==================

==================== Association (Whitelisted) =================

==================== Internet Explorer (Whitelisted) ==========

==================== Hosts content: =========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2019-12-07 01:14 - 2019-12-07 01:12 - 000000824 _____ C:\Windows\system32\drivers\etc\hosts

==================== Other Areas ===========================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-781059500-3429141292-3968168903-1001\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
DNS Servers: Media is not connected to internet.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: )
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

==================== FirewallRules (Whitelisted) ================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== Restore Points =========================

26-01-2021 20:20:56 Windows Update

==================== Faulty Device Manager Devices ============

Name: PCI Simple Communications Controller
Description: PCI Simple Communications Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

==================== Event log errors: ========================

Application errors:
==================
Error: (01/26/2021 08:42:01 PM) (Source: ESENT) (EventID: 454) (User: )
Description: svchost (2852,R,98) SRUJet: Database recovery/restore failed with unexpected error -543.

Error: (01/26/2021 08:42:01 PM) (Source: ESENT) (EventID: 453) (User: )
Description: svchost (2852,R,98) SRUJet: Database C:\Windows\system32\SRU\SRUDB.dat requires logfiles 6-12 (C:\Windows\system32\SRU\SRU00006.log - C:\Windows\system32\SRU\SRU.log) in order to recover successfully. Recovery could only locate logfiles up to 10 (C:\Windows\system32\SRU\SRU0000A.log).

Error: (01/26/2021 08:25:19 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x8007045b, A system shutdown is in progress.

Error: (01/26/2021 08:25:19 PM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started. [0x8007045b, A system shutdown is in progress. ]

Error: (01/26/2021 08:24:53 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program MicrosoftEdgeCP.exe version 11.0.19041.1 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.
Process ID: 205c
Start Time: 01d6f463befcee13
Termination Time: 4294967295
Application Path: C:\Windows\System32\MicrosoftEdgeCP.exe
Report Id: d3a445d8-a616-489f-8569-18c0422a58ee
Faulting package full name: Microsoft.MicrosoftEdge_44.19041.1.0_neutral__8wekyb3d8bbwe
Faulting package-relative application ID: MicrosoftEdge
Hang type: Unknown

Error: (01/26/2021 11:20:01 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x800704CF
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2b1f36bb-c1cd-4306-bf5c-a0367c2d97d8;NotificationInterval=1440;Trigger=NetworkAvailable

Error: (01/26/2021 11:07:48 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x800704CF
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2b1f36bb-c1cd-4306-bf5c-a0367c2d97d8;NotificationInterval=1440;Trigger=UserLogon;SessionId=2

Error: (01/26/2021 11:06:16 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x800704CF
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2b1f36bb-c1cd-4306-bf5c-a0367c2d97d8;NotificationInterval=1440;Trigger=TimerEvent

System errors:
=============
Error: (01/26/2021 08:43:07 PM) (Source: DCOM) (EventID: 10001) (User: DESKTOP-5G638NT)
Description: Unable to start a DCOM Server: Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe!App.AppXwzrz54cs8gbnfgve6ctx6ht4bjw97w0y.mca as Unavailable/Unavailable. The error:
"2147958016"
Happened while starting this command:
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX4325622ft6437f3xfywcfxgbedfvpn0x.mca

Error: (01/26/2021 10:58:44 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Network List Service service terminated with the following error:
The device is not ready.

Error: (01/26/2021 10:58:43 PM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: The server {A47979D2-C419-11D9-A5B4-001185AD2B89} did not register with DCOM within the required timeout.

Error: (01/26/2021 10:58:11 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Connected Devices Platform Service service depends on the Network Connection Broker service which failed to start because of the following error:
After starting, the service hung in a start-pending state.

Error: (01/26/2021 10:58:11 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The Network Connection Broker service hung on starting.

Error: (01/26/2021 10:57:10 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The Printer Extensions and Notifications service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Error: (01/26/2021 10:56:43 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Network List Service service terminated with the following error:
The device is not ready.

Error: (01/26/2021 10:56:43 PM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: The server {A47979D2-C419-11D9-A5B4-001185AD2B89} did not register with DCOM within the required timeout.

==================== Memory info ===========================

BIOS: American Megatrends Inc. 4801 07/25/2014
Motherboard: ASUSTeK COMPUTER INC. SABERTOOTH X79
Processor: Intel® Core™ i7-4820K CPU @ 3.70GHz
Percentage of memory in use: 4%
Total physical RAM: 65471.84 MB
Available physical RAM: 62585.8 MB
Total Virtual: 75199.84 MB
Available Virtual: 72532.02 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:139.41 GB) (Free:85.02 GB) NTFS
Drive d: (WINDOWS 10) (CDROM) (Total:3.86 GB) (Free:0 GB) UDF
Drive e: () (Removable) (Total:116.04 GB) (Free:115.94 GB) FAT32
\\?\Volume{d9df1d4a-25a1-455e-9fc2-6d4f11f97b6a}\ () (Fixed) (Total:0.09 GB) (Free:0.07 GB) FAT32

==================== MBR & Partition Table ====================

==========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: E178BD0F)
Partition: GPT.

==========================================================
Disk: 1 (Size: 139.7 GB) (Disk ID: 040C11DA)
Partition: GPT.

==========================================================
Disk: 2 (MBR Code: Windows 7/8/10) (Size: 465.8 GB) (Disk ID: 040C11DC)

==========================================================
Disk: 3 (Size: 116.1 GB) (Disk ID: 0161D677)
Partition 1: (Active) - (Size=116.1 GB) - (Type=0B)

==================== End of Addition.txt =======================
 

nasdaq

Moderator
Verified
Staff Member
Nov 5, 2019
1,425
Hi,

If you use notepad to create these logs make sure Word Wrap is set.
You will find the setting under the Format menu.

I cannot read these logs as submitted.

You may have to run the Scan with the Farbar program again.
 