My Services.msc :(

Status
Not open for further replies.

nasdaq

Super Moderator
Verified
Staff Member
Nov 5, 2019
1,597
Hi

Download Farbar's Service Scanner utility
and Save to your Desktop.
If using Windows 7 or Vista, Right-Click on fss.exe and select Run As Administrator.
If using XP, double-click to start.
Answer Yes to ok when prompted.
If your firewall then puts out a prompt, again, allow it to run.
Once FSS is on-screen, be sure the following items are check marked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender


Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Copy & Paste contents of FSS.txt into your reply.
<<<>>>
 

Gib

Level 3
Thread author
Verified
Well-known
May 23, 2014
113
Okey-dokey, here is the log:
 

Attachments

  • FSS.txt
    2.9 KB · Views: 26

nasdaq

Super Moderator
Verified
Staff Member
Nov 5, 2019
1,597
Hi,

Nothing suspicious was found in these services.

Let's do some maintenance.

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===

Please post the Fixlog.txt and let me know what problem persists.
 

Attachments

  • Fixlist.txt
    1.5 KB · Views: 28

Gib

Level 3
Thread author
Verified
Well-known
May 23, 2014
113
Ok, so far things are looking good. Here are the logs and I will be keeping an eye on my Services.msc
 

Attachments

  • Fixlog.txt
    105.4 KB · Views: 26

nasdaq

Super Moderator
Verified
Staff Member
Nov 5, 2019
1,597
Hi,

Looking better. Keep an eye on the services and let me know if the problem returns.
 

Gib

Level 3
Thread author
Verified
Well-known
May 23, 2014
113
Whenever I try to disable the Bluetooth user support service, it would say "the parameter is incorrect."
 

nasdaq

Super Moderator
Verified
Staff Member
Nov 5, 2019
1,597
Hi,

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===


p.s.

Is this computer/Edge synced with other devices?
 

Attachments

  • Fixlist.txt
    543 bytes · Views: 30

Gib

Level 3
Thread author
Verified
Well-known
May 23, 2014
113
What happened is that I ran the fixlist and rebooted and checked the services.msc and the problem I'm having with BluetoothUserService_41b97 is still there. The service isn't running though. I doubt that my Microsoft Edge is in sync with the devices, but I prefer that it not be in sync.
 

Attachments

  • Fixlog.txt
    4.7 KB · Views: 28

nasdaq

Super Moderator
Verified
Staff Member
Nov 5, 2019
1,597
Hi,

Let's check that problem key, which has not been reported.

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===



Please post the Fixlog.txt and let me know what problem persists.
 

Gib

Level 3
Thread author
Verified
Well-known
May 23, 2014
113
Ok, here is the log. Do you want me to see if I can now disable that service?
 

Attachments

  • Fixlog.txt
    4.7 KB · Views: 25

nasdaq

Super Moderator
Verified
Staff Member
Nov 5, 2019
1,597
Hi,

All I want to see is this BluetoothUserService_41b97 key. If we can delete it, your problem should be solved.

The new fixlist.txt was not attached to my last request.

Please create it by following these instructions.

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.

start::

Comment: For your security a new restore point will be created.
CreateRestorePoint:
Comment: We need to close all processes to complete the fix.
CloseProcesses:

ExportKey: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BluetoothUserService_41b97]

Comment: The system will restart.
Reboot:

End::

Save the file as fixlist.txt in the same folder where the Farbar tool is running from. (If the old fixlist.txt is still there, delete it before saving this.)
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please post the Fixlog.txt and let me know what problem persists.
 

Gib

Level 3
Thread author
Verified
Well-known
May 23, 2014
113
Ok, here is the fixlog.txt. I'm afraid I got some bad news, this hacker just doesn't know when to quit (Windows Updates turned back on). I also notice something distinctive in services.msc: the 41b97 number on many services has changed to 3d845.
 

Attachments

  • Fixlog.txt
    998 bytes · Views: 25
  • ServicesNightmare.png
    162.7 KB · Views: 24

nasdaq

Super Moderator
Verified
Staff Member
Nov 5, 2019
1,597
Hi,

This may be caused by a rootkit.

How to use Malwarebytes Anti-Rootkit to remove rootkits
Open Malwarebytes Anti-Malware.

On the Settings tab > Protection, scroll to and make sure the following are selected:
Scan for Rootkits
Scan within Archives


Scroll further to Potential Threat Protection make sure the following are set as follows:

Potentially Unwanted Programs (PUPs) set as: Always detect PUPs (recommended)
Potentially Unwanted Modifications (PUMs) set as: Always detect PUMs (recommended)

Click on Scan and make sure Threat Scan is selected.

A Threat Scan will begin.

When the scan is complete if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected Tab

If asked to restart your computer to complete the removal, please do so

When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.

Wait for the prompt to restart the computer to appear, then click on Yes.

After the restart once you are back at your desktop, open MBAM once more to retrieve the log.

To get the log from Malwarebytes do the following:

Click on the Reports tab > from main interface.
Double click on the Scan log which shows the Date and time of the scan just performed.
Click Export > From export you have two options:
Copy to Clipboard - if selected right click to your reply and select "Paste" log will be pasted to your reply
Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

Use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log to your reply.
 

Gib

Level 3
Thread author
Verified
Well-known
May 23, 2014
113
Unfortunately, this was all that MBAM found.



Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 7/26/22
Scan Time: 11:23 AM
Log File: 412175a0-0cff-11ed-aedf-b05cdae5c746.json

-Software Information-
Version: 4.5.10.200
Components Version: 1.0.1709
Update Package Version: 1.0.57783
License: Free

-System Information-
OS: Windows 10 (Build 19044.1826)
CPU: x64
File System: NTFS
User: LAPTOP-3OT9TL6O\fcp

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 276133
Threats Detected: 1
Threats Quarantined: 1
Time Elapsed: 3 min, 43 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
Malware.AI.3632819065, C:\USERS\FCP\DESKTOP\FSS.EXE, Quarantined, 1000000, -662148231, 1.0.57783, BBC2062673DDC56ED8886B79, dds, 01875664, B8F6545CFE19CA23CA89F91518615BCD, EC93517D8F24E105CF8E7F1DC4CC5F3AAB6A3FB04031B83D04928E009394058A

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)
 

nasdaq

Super Moderator
Verified
Staff Member
Nov 5, 2019
1,597
Hi,

FSS is not an issue.

Do you need the Bluetooth service?

I do not see any Bluetooth service installed in your Additional.txt

You only have the Registry keys which may have been added at one time.

If you need help to remove them please let me know and I will give you a fix.
 

Gib

Level 3
Thread author
Verified
Well-known
May 23, 2014
113
Ok, nvmd about the Bluetooth service, but I'm trying to turn off the Windows Update and keep it off and disabled. Right now, it is running again and it is set to Manual. The numbers at the end of many services have changed to 3d168.
 

nasdaq

Super Moderator
Verified
Staff Member
Nov 5, 2019
1,597
Hi,

The numbers at the end of many services have changed to 3d168.
Are all the services tied to Bluetooth or other services?



Download Farbar's Service Scanner utility
and Save to your Desktop.
If using Windows 7 or Vista, Right-Click on fss.exe and select Run As Administrator.
If using XP, double-click to start.
Answer Yes to ok when prompted.
If your firewall then puts out a prompt, again, allow it to run.
Once FSS is on-screen, be sure the following items are check marked:
Windows Update

Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Copy & Paste contents of FSS.txt into your reply.
<<<>>>
 

Gib

Level 3
Thread author
Verified
Well-known
May 23, 2014
113
Hello nasdaq, it is these services distinction as follows:
AarSvc_3d168
BcastDVRUserService_3d168
BluetoothUserService_3d168
CaptureService_3d168
cbdhsvc_3d168
CDPUserSvc_3d168
ConsentUxUserService_3d168
CredentialEnrollmentManagerUserSvc_3d168
DeviceAssociationBrokerSvc_3d168
DevicePickerUserSvc_3d168
DevicesFlowUserSvc_3d168
MessagingService_3d168
OneSyncSvc_3d168
PimIndexMaintenanceSvc_3d168
PrintWorkflowUserSvc_3d168
UdkUserSvc_3d168
UnistoreUserSvc_3d168
UserDataSvc_3d168
WpnUserService_3d168
These services aren't that significant to me, but wuauserv is.
 

Attachments

  • FSS.txt
    926 bytes · Views: 22
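
Added example, not part of the thread or of any tool used in it: Windows 10 creates per-user service instances at sign-in and names them after a template service plus a session-specific suffix, so a triage step for listings like the one above is to check whether only that suffix differs between two snapshots. The template names are copied from the post; the 41b97 listing is constructed by applying that suffix to the same templates, and the function names and suffix pattern are assumptions of this sketch.

```python
import re

# Assumption: a per-user instance is named <template>_<hex suffix>.
INSTANCE_RE = re.compile(r"^([A-Za-z0-9]+)_([0-9a-fA-F]{4,8})$")

# Template names copied from the service list in the post above.
TEMPLATES = """AarSvc BcastDVRUserService BluetoothUserService CaptureService
cbdhsvc CDPUserSvc ConsentUxUserService CredentialEnrollmentManagerUserSvc
DeviceAssociationBrokerSvc DevicePickerUserSvc DevicesFlowUserSvc
MessagingService OneSyncSvc PimIndexMaintenanceSvc PrintWorkflowUserSvc
UdkUserSvc UnistoreUserSvc UserDataSvc WpnUserService""".split()


def snapshot(suffix):
    """Constructed sample listing for one sign-in session, plus wuauserv."""
    return [f"{t}_{suffix}" for t in TEMPLATES] + ["wuauserv"]


def split_instances(names):
    """Return ({template: suffix}, [names that are not per-user instances])."""
    instances, ordinary = {}, []
    for name in names:
        m = INSTANCE_RE.match(name.strip())
        if m:
            instances[m.group(1)] = m.group(2).lower()
        else:
            ordinary.append(name.strip())
    return instances, ordinary


def compare_snapshots(before, after):
    """Report what differs between two service listings besides the suffix."""
    b, _ = split_instances(before)
    a, _ = split_instances(after)
    added, removed = sorted(set(a) - set(b)), sorted(set(b) - set(a))
    one_suffix_each = len(set(b.values())) == 1 and len(set(a.values())) == 1
    return {
        "suffixes_before": sorted(set(b.values())),
        "suffixes_after": sorted(set(a.values())),
        "templates_added": added,      # new names worth a closer look
        "templates_removed": removed,
        "only_suffix_changed": not added and not removed and one_suffix_each,
    }


if __name__ == "__main__":
    for key, value in compare_snapshots(snapshot("41b97"), snapshot("3d168")).items():
        print(f"{key}: {value}")
```

A template that appears only in the later listing shows up under `templates_added`; ordinary services such as wuauserv are left out of the comparison because they carry no suffix.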

nasdaq

Super Moderator
Verified
Staff Member
Nov 5, 2019
1,597
Hi,

This is something I have never seen.

If you only have issues with wuauserv, it possibly means that some program, installed by you or not, requires this to operate.

Let's see what this will report.

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 3 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

rkill.exe
rkill.com
rkill.scr

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested on another computer and then transfer them to the desktop of the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

When completed it will create a log. Please post the content on your next reply.
===
 

Gib

Level 3
Thread author
Verified
Well-known
May 23, 2014
113
Hold on, because I manually went into services.msc and changed Windows Update (turned it off again + disable), can I wait for the service to get turned back on and then go to the latest instructions?
 