[SOLVED] How to fix rpcnetp issues? I read it is caused by Computrace or so


lawbitss (Member, joined Oct 22, 2023, 7 posts)
Whenever I connect to the internet, the screen freezes and says "blocked". I use a Surface Pro; any help will be appreciated. I tried blocking the application with Windows Defender, but without much success.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 06-10-2023
Ran by Lawbitss (administrator) on DESKTOP-UAVRUKD (Microsoft Corporation Surface Pro) (22-10-2023 06:06:29)
Running from C:\Users\Lawbitss\Downloads\FRST64.exe
Loaded Profiles: Lawbitss
Platform: Microsoft Windows 10 Pro Version 20H2 19042.631 (X64) Language: English (United States)
Default browser: Edge
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Google Inc -> Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe <8>
(Google Inc -> Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleCrashHandler.exe
(Google Inc -> Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleCrashHandler64.exe
(services.exe ->) (Intel Corporation -> Intel Corporation) C:\Windows\System32\Intel\DPTF\esif_uf.exe
(services.exe ->) (Intel(R) pGFX 2020 -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\64kb8682.inf_amd64_170ccd25b9699b84\IntelCpHDCPSvc.exe
(services.exe ->) (Intel(R) pGFX 2020 -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\64kb8682.inf_amd64_170ccd25b9699b84\IntelCpHeciSvc.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(services.exe ->) (Microsoft Windows Publisher -> Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(services.exe ->) (Microsoft Windows Publisher -> Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dllhost.exe <2>
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\SppExtComObj.Exe
(svchost.exe ->) (Skype Software Sarl -> ) C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe
(svchost.exe ->) (Skype Software Sarl -> Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe

==================== Registry (Whitelisted) ===================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{8A69D345-D564-463c-AFF1-A69D9E530F96}] -> C:\Program Files (x86)\Google\Chrome\Application\66.0.3359.181\Installer\chrmstp.exe [2023-10-21] (Google Inc -> Google Inc.)

==================== Scheduled Tasks (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {D87E5EB4-ACC7-4506-9427-2E3908B505E6} - System32\Tasks\CreateExplorerShellUnelevatedTask => C:\Windows\Explorer.exe [4651032 2020-11-18] (Microsoft Windows -> Microsoft Corporation)
Task: {D1043206-1B00-42F0-A330-B512E1BC62FF} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [153168 2023-10-21] (Google Inc -> Google Inc.)
Task: {AB607F1F-8610-4273-9221-E89D9CA131F3} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [153168 2023-10-21] (Google Inc -> Google Inc.)
Task: {4624C1FE-1AAC-4D71-922B-0DB37E570544} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [5967976 2015-08-16] (Microsoft Corporation -> Microsoft Corporation)
Task: {7AD49054-8A7B-42BC-9248-6AA3A564E85D} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [5967976 2015-08-16] (Microsoft Corporation -> Microsoft Corporation)
Task: {D981553F-D4D4-4019-BD2E-7F71475E7F06} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack2016 => C:\Program Files\Microsoft Office\root\Office16\msoia.exe [418384 2023-10-21] (Microsoft Corporation -> Microsoft Corporation)
Task: {176925E8-F45E-459E-8E64-093C313A7879} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn2016 => C:\Program Files\Microsoft Office\root\Office16\msoia.exe [418384 2023-10-21] (Microsoft Corporation -> Microsoft Corporation)
Task: {683067CE-DD30-4743-9BF7-2F39473681DC} - System32\Tasks\R@1n-KMS\Office365ProPlus => C:\Windows\System32\Wbem\wmic.exe [526848 2019-12-07] (Microsoft Windows -> Microsoft Corporation) -> path SoftwareLicensingProduct where (ID="d450596f-894d-49e0-966a-fd39ed4c4c64") call Activate

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.207.187
Tcpip\..\Interfaces\{efa46f2b-35fd-4701-b41e-21d03c34b087}: [DhcpNameServer] 192.168.207.187

Edge:
=======
Edge DefaultProfile: Default
Edge Profile: C:\Users\Lawbitss\AppData\Local\Microsoft\Edge\User Data\Default [2023-10-22]

FireFox:
========
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\root\Office16\NPSPWRAP.DLL [2023-10-21] (Microsoft Corporation -> Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=3.0.19 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2023-10-07] (VideoLAN -> VideoLAN)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2023-10-21] (Microsoft Corporation -> Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\NPSPWRAP.DLL [2023-10-21] (Microsoft Corporation -> Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2023-10-21] (Google Inc -> Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2023-10-21] (Google Inc -> Google Inc.)

Chrome:
=======
CHR Profile: C:\Users\Lawbitss\AppData\Local\Google\Chrome\User Data\Default [2023-10-22]
CHR Extension: (Docs) - C:\Users\Lawbitss\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2023-10-22]
CHR Extension: (Google Drive) - C:\Users\Lawbitss\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2023-10-22]
CHR Extension: (YouTube) - C:\Users\Lawbitss\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2023-10-22]
CHR Extension: (Google Docs Offline) - C:\Users\Lawbitss\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2023-10-22]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Lawbitss\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2023-10-22]
CHR Extension: (Gmail) - C:\Users\Lawbitss\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2023-10-22]

==================== Services (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [2776664 2015-08-16] (Microsoft Corporation -> Microsoft Corporation)
S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [5101992 2020-11-18] (Microsoft Windows Publisher -> Microsoft Corporation)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [3004048 2019-12-07] (Microsoft Windows Publisher -> Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103384 2019-12-07] (Microsoft Windows Publisher -> Microsoft Corporation)

===================== Drivers (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 BthA2dp; C:\Windows\System32\drivers\BthA2dp.sys [279040 2019-12-07] (Microsoft Corporation) [File not signed]
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [46688 2019-12-07] (Microsoft Windows Early Launch Anti-malware Publisher -> Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [350136 2019-12-07] (Microsoft Windows -> Microsoft Corporation)
R3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [54200 2019-12-07] (Microsoft Windows -> Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One month (created) (Whitelisted) =========

(If an entry is included in the fixlist, the file/folder will be moved.)

2023-10-22 06:06 - 2023-10-22 06:07 - 000009269 _____ C:\Users\Lawbitss\Downloads\FRST.txt
2023-10-22 06:04 - 2023-10-22 06:06 - 000000000 ____D C:\FRST
2023-10-22 06:04 - 2023-10-22 06:04 - 002383360 _____ (Farbar) C:\Users\Lawbitss\Downloads\FRST64.exe
2023-10-22 06:03 - 2023-10-22 06:03 - 002084352 _____ (Farbar) C:\Users\Lawbitss\Downloads\FRST.exe
2023-10-22 05:42 - 2023-10-22 05:42 - 000003662 _____ C:\Windows\system32\Tasks\CreateExplorerShellUnelevatedTask
2023-10-22 05:42 - 2023-10-22 05:42 - 000001962 _____ C:\Users\Lawbitss\Desktop\kprm-20231022054207.txt
2023-10-22 05:42 - 2023-10-22 05:42 - 000000000 ____D C:\KPRM
2023-10-22 04:52 - 2023-10-22 04:52 - 000022932 ____N C:\Windows\SysWOW64\rpcnetp.exe
2023-10-22 04:52 - 2023-10-22 04:52 - 000022932 _____ C:\Windows\SysWOW64\rpcnetp.dll
2023-10-22 04:52 - 2023-10-22 04:52 - 000022932 _____ C:\Windows\system32\tik.exe
2023-10-21 19:42 - 2023-10-21 19:42 - 000000748 _____ C:\Users\Lawbitss\Desktop\Videos - Shortcut.lnk
2023-10-21 19:23 - 2023-10-21 19:23 - 000000000 ____D C:\Windows\system32\Tasks\Agent Activation Runtime
2023-10-21 18:58 - 2023-10-21 19:23 - 000000000 ____D C:\Users\Lawbitss\AppData\Local\D3DSCache
2023-10-21 17:23 - 2023-10-21 16:25 - 000000000 ____D C:\Windows\Panther
2023-10-21 17:21 - 2023-10-21 19:23 - 000000000 ____D C:\Users\Lawbitss\AppData\Roaming\vlc
2023-10-21 17:05 - 2023-10-21 17:05 - 000000000 ____D C:\Users\Lawbitss\AppData\Roaming\Microsoft\UProof
2023-10-21 17:05 - 2023-10-21 17:05 - 000000000 ____D C:\Users\Lawbitss\AppData\Roaming\Microsoft\Proof
2023-10-21 17:04 - 2023-10-21 17:05 - 000000000 ____D C:\Users\Lawbitss\AppData\Roaming\Microsoft\Office
2023-10-21 17:04 - 2023-10-21 17:04 - 000003416 _____ C:\Windows\system32\Tasks\GoogleUpdateTaskMachineUA
2023-10-21 17:04 - 2023-10-21 17:04 - 000003292 _____ C:\Windows\system32\Tasks\GoogleUpdateTaskMachineCore
2023-10-21 17:04 - 2023-10-21 17:04 - 000002373 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2023-10-21 17:04 - 2023-10-21 17:04 - 000002332 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2023-10-21 17:04 - 2023-10-21 17:04 - 000000916 _____ C:\Users\Public\Desktop\VLC media player.lnk
2023-10-21 17:04 - 2023-10-21 17:04 - 000000000 ____D C:\Users\Lawbitss\AppData\Roaming\Microsoft\Word
2023-10-21 17:04 - 2023-10-21 17:04 - 000000000 ____D C:\Users\Lawbitss\AppData\Roaming\Microsoft\Document Building Blocks
2023-10-21 17:04 - 2023-10-21 17:04 - 000000000 ____D C:\Users\Lawbitss\AppData\Roaming\Microsoft\Bibliography
2023-10-21 17:04 - 2023-10-21 17:04 - 000000000 ____D C:\Users\Lawbitss\AppData\Roaming\Microsoft\AddIns
2023-10-21 17:04 - 2023-10-21 17:04 - 000000000 ____D C:\Users\Lawbitss\AppData\Local\Google
2023-10-21 17:04 - 2023-10-21 17:04 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN
2023-10-21 17:04 - 2023-10-21 17:04 - 000000000 ____D C:\Program Files (x86)\Google
2023-10-21 17:03 - 2023-10-21 17:03 - 000002451 _____ C:\Users\Lawbitss\Desktop\Word 2016.lnk
2023-10-21 17:03 - 2023-10-21 17:03 - 000002450 _____ C:\Users\Lawbitss\Desktop\PowerPoint 2016.lnk
2023-10-21 17:03 - 2023-10-21 17:03 - 000002413 _____ C:\Users\Lawbitss\Desktop\Excel 2016.lnk
2023-10-21 17:03 - 2023-10-21 17:03 - 000000000 ____D C:\Program Files\VideoLAN
2023-10-21 17:02 - 2023-10-21 17:02 - 000003584 _____ C:\Windows\KMS-QADhook.dll
2023-10-21 17:02 - 2023-10-21 17:02 - 000000000 ____D C:\Windows\system32\Tasks\R@1n-KMS
2023-10-21 17:02 - 2023-10-21 17:02 - 000000000 ____D C:\Users\Lawbitss\AppData\Local\PeerDistRepub
2023-10-21 17:02 - 2023-10-21 17:02 - 000000000 ____D C:\Users\Lawbitss\AppData\Local\mpress
2023-10-21 17:00 - 2023-10-21 17:00 - 000000000 ____D C:\Program Files\Common Files\DESIGNER
2023-10-21 16:52 - 2023-10-21 16:52 - 000002492 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OneDrive for Business.lnk
2023-10-21 16:52 - 2023-10-21 16:52 - 000002456 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype for Business 2016.lnk
2023-10-21 16:52 - 2023-10-21 16:52 - 000002451 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Word 2016.lnk
2023-10-21 16:52 - 2023-10-21 16:52 - 000002450 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerPoint 2016.lnk
2023-10-21 16:52 - 2023-10-21 16:52 - 000002414 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Access 2016.lnk
2023-10-21 16:52 - 2023-10-21 16:52 - 000002413 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Excel 2016.lnk
2023-10-21 16:52 - 2023-10-21 16:52 - 000002407 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Outlook 2016.lnk
2023-10-21 16:52 - 2023-10-21 16:52 - 000002401 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Publisher 2016.lnk
2023-10-21 16:52 - 2023-10-21 16:52 - 000002393 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OneNote 2016.lnk
2023-10-21 16:52 - 2023-10-21 16:52 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2016 Tools
2023-10-21 16:50 - 2023-10-21 16:52 - 000000000 ____D C:\Program Files\Microsoft Office
2023-10-21 16:50 - 2023-10-21 16:50 - 000000000 ____D C:\Program Files\Microsoft Office 15
2023-10-21 16:49 - 2023-10-21 16:49 - 000000000 ____D C:\Users\Lawbitss\AppData\Local\Comms
2023-10-21 16:40 - 2023-10-21 16:40 - 000000000 ____D C:\Users\Lawbitss\AppData\LocalLow\Intel
2023-10-21 16:39 - 2023-10-21 16:39 - 000000000 ____D C:\Windows\system32\Intel
2023-10-21 16:38 - 2023-10-21 16:47 - 000000000 ____D C:\ProgramData\Intel
2023-10-21 16:38 - 2023-10-21 16:38 - 000000000 ____D C:\Windows\LastGood.Tmp
2023-10-21 16:38 - 2023-10-21 16:38 - 000000000 ____D C:\Program Files\Intel
2023-10-21 16:38 - 2023-10-21 16:38 - 000000000 _____ C:\Windows\system32\GfxValDisplayLog.bin
2023-10-21 16:36 - 2023-10-21 16:36 - 000000000 ____D C:\Users\Lawbitss\AppData\Roaming\Microsoft\MMC
2023-10-21 16:36 - 2023-10-21 16:36 - 000000000 ____D C:\Program Files\Reference Assemblies
2023-10-21 16:36 - 2023-10-21 16:36 - 000000000 ____D C:\Program Files\MSBuild
2023-10-21 16:36 - 2023-10-21 16:36 - 000000000 ____D C:\Program Files (x86)\Reference Assemblies
2023-10-21 16:36 - 2023-10-21 16:36 - 000000000 ____D C:\Program Files (x86)\MSBuild
2023-10-21 16:35 - 2023-10-21 16:35 - 000003382 _____ C:\Windows\system32\Tasks\OneDrive Standalone Update Task-S-1-5-21-4272348530-104420464-272258208-1001
2023-10-21 16:35 - 2023-10-21 16:35 - 000001074 _____ C:\Users\Lawbitss\Desktop\WinRAR.lnk
2023-10-21 16:35 - 2023-10-21 16:35 - 000000000 ___RD C:\Users\Lawbitss\OneDrive
2023-10-21 16:35 - 2023-10-21 16:35 - 000000000 ____D C:\Users\Lawbitss\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
2023-10-21 16:35 - 2023-10-21 16:35 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
2023-10-21 16:35 - 2023-10-21 16:35 - 000000000 ____D C:\Program Files (x86)\WinRAR
2023-10-21 16:32 - 2023-10-21 16:48 - 000000000 ____D C:\Users\Lawbitss\AppData\Local\Packages
2023-10-21 16:32 - 2023-10-21 16:35 - 000002372 _____ C:\Users\Lawbitss\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2023-10-21 16:32 - 2023-10-21 16:35 - 000000000 ____D C:\Users\Lawbitss
2023-10-21 16:32 - 2023-10-21 16:32 - 000000020 ___SH C:\Users\Lawbitss\ntuser.ini
2023-10-21 16:32 - 2023-10-21 16:32 - 000000000 ___SD C:\Users\Lawbitss\AppData\Roaming\Microsoft\SystemCertificates
2023-10-21 16:32 - 2023-10-21 16:32 - 000000000 ___SD C:\Users\Lawbitss\AppData\Roaming\Microsoft\Protect
2023-10-21 16:32 - 2023-10-21 16:32 - 000000000 ___SD C:\Users\Lawbitss\AppData\Roaming\Microsoft\Crypto
2023-10-21 16:32 - 2023-10-21 16:32 - 000000000 ___SD C:\Users\Lawbitss\AppData\Roaming\Microsoft\Credentials
2023-10-21 16:32 - 2023-10-21 16:32 - 000000000 ___RD C:\Users\Lawbitss\3D Objects
2023-10-21 16:32 - 2023-10-21 16:32 - 000000000 ____D C:\Users\Lawbitss\AppData\Roaming\Microsoft\Windows
2023-10-21 16:32 - 2023-10-21 16:32 - 000000000 ____D C:\Users\Lawbitss\AppData\Roaming\Microsoft\Vault
2023-10-21 16:32 - 2023-10-21 16:32 - 000000000 ____D C:\Users\Lawbitss\AppData\Roaming\Microsoft\Spelling
2023-10-21 16:32 - 2023-10-21 16:32 - 000000000 ____D C:\Users\Lawbitss\AppData\Roaming\Microsoft\Network
2023-10-21 16:32 - 2023-10-21 16:32 - 000000000 ____D C:\Users\Lawbitss\AppData\Roaming\Adobe
2023-10-21 16:32 - 2023-10-21 16:32 - 000000000 ____D C:\Users\Lawbitss\AppData\Local\VirtualStore
2023-10-21 16:32 - 2023-10-21 16:32 - 000000000 ____D C:\Users\Lawbitss\AppData\Local\Publishers
2023-10-21 16:32 - 2023-10-21 16:32 - 000000000 ____D C:\Users\Lawbitss\AppData\Local\ConnectedDevicesPlatform
2023-10-21 16:28 - 2023-10-21 16:28 - 000000000 ____D C:\Windows\CSC
2023-10-21 16:24 - 2023-10-21 16:24 - 000002850 _____ C:\Windows\system32\Tasks\OneDrive Standalone Update Task-S-1-5-21-4272348530-104420464-272258208-500
2023-10-21 16:24 - 2023-10-21 16:24 - 000000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdFs_01_11_00.Wdf
2023-10-21 16:23 - 2023-10-22 04:52 - 000034160 _____ C:\Windows\system32\wpbbin.exe
2023-10-21 02:56 - 2023-10-21 02:56 - 000000000 ___HD C:\$WinREAgent
2023-10-20 10:31 - 2023-10-20 10:31 - 044432408 _____ C:\Users\Lawbitss\Downloads\vlc-3.0.19-win64.exe
2023-10-20 10:20 - 2023-10-20 10:20 - 001373744 _____ (Google LLC) C:\Users\Lawbitss\Downloads\ChromeSetup.exe

==================== One month (modified) ==================

(If an entry is included in the fixlist, the file/folder will be moved.)

2023-10-22 05:42 - 2019-12-07 02:14 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2023-10-22 04:57 - 2020-11-19 00:54 - 000840838 _____ C:\Windows\system32\PerfStringBackup.INI
2023-10-22 04:57 - 2019-12-07 02:13 - 000000000 ____D C:\Windows\INF
2023-10-22 04:52 - 2023-03-25 17:20 - 000008192 ___SH C:\DumpStack.log.tmp
2023-10-22 04:52 - 2020-11-19 00:43 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2023-10-22 04:52 - 2019-12-07 02:14 - 000000000 ____D C:\Windows\ServiceState
2023-10-22 04:52 - 2019-12-07 02:03 - 000262144 _____ C:\Windows\system32\config\BBI
2023-10-22 04:51 - 2020-11-19 00:43 - 000000000 ____D C:\Windows\system32\SleepStudy
2023-10-21 19:26 - 2019-12-07 02:14 - 000000000 ____D C:\Windows\LiveKernelReports
2023-10-21 17:23 - 2019-12-07 02:14 - 000028672 _____ C:\Windows\system32\config\BCD-Template
2023-10-21 17:20 - 2020-11-19 00:43 - 000435248 _____ C:\Windows\system32\FNTCACHE.DAT
2023-10-21 17:01 - 2019-12-07 02:14 - 000000000 ____D C:\Windows\system32\WinBioPlugIns
2023-10-21 17:01 - 2019-12-07 02:14 - 000000000 ____D C:\Windows\system32\WinBioDatabase
2023-10-21 17:00 - 2019-12-07 02:14 - 000000000 ____D C:\Program Files\Common Files\microsoft shared
2023-10-21 16:58 - 2019-12-07 02:14 - 000000000 ____D C:\Windows\AppReadiness
2023-10-21 16:48 - 2019-12-07 02:14 - 000000000 ___HD C:\Program Files\WindowsApps
2023-10-21 16:36 - 2019-12-07 02:03 - 000000000 ____D C:\Windows\CbsTemp
2023-10-21 16:33 - 2019-12-07 02:14 - 000000000 ____D C:\ProgramData\USOPrivate
2023-10-21 16:32 - 2020-11-19 00:48 - 000000000 __RHD C:\Users\Public\AccountPictures
2023-10-21 16:28 - 2019-12-07 02:51 - 000000000 ____D C:\Windows\system32\FxsTmp
2023-10-21 16:26 - 2020-11-19 00:46 - 000002438 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk
2023-10-21 16:26 - 2020-11-19 00:46 - 000002276 _____ C:\Users\Public\Desktop\Microsoft Edge.lnk
2023-10-21 16:24 - 2020-11-19 00:46 - 000003406 _____ C:\Windows\system32\Tasks\MicrosoftEdgeUpdateTaskMachineUA
2023-10-21 16:24 - 2020-11-19 00:46 - 000003182 _____ C:\Windows\system32\Tasks\MicrosoftEdgeUpdateTaskMachineCore
2023-10-21 16:24 - 2019-12-07 02:14 - 000000000 ___RD C:\Windows\PrintDialog
2023-10-21 16:24 - 2019-12-07 02:14 - 000000000 ___RD C:\Windows\ImmersiveControlPanel

==================== SigCheck ============================

(There is no automatic fix for files that do not pass verification.)

==================== End of FRST.txt ========================


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 06-10-2023
Ran by Lawbitss (22-10-2023 06:08:35)
Running from C:\Users\Lawbitss\Downloads
Microsoft Windows 10 Pro Version 20H2 19042.631 (X64) (2023-10-21 23:26:37)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================


(If an entry is included in the fixlist, it will be removed.)

Administrator (S-1-5-21-4272348530-104420464-272258208-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-4272348530-104420464-272258208-503 - Limited - Disabled)
Guest (S-1-5-21-4272348530-104420464-272258208-501 - Limited - Disabled)
Lawbitss (S-1-5-21-4272348530-104420464-272258208-1001 - Administrator - Enabled) => C:\Users\Lawbitss
WDAGUtilityAccount (S-1-5-21-4272348530-104420464-272258208-504 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Google Chrome (HKLM-x32\...\Google Chrome) (Version: 66.0.3359.181 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.7 - Google Inc.) Hidden
Microsoft Edge (HKLM-x32\...\Microsoft Edge) (Version: 84.0.522.52 - Microsoft Corporation)
Microsoft Office Professional Plus 2016 - en-us (HKLM\...\ProPlusRetail - en-us) (Version: 16.0.4266.1003 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-4272348530-104420464-272258208-1001\...\OneDriveSetup.exe) (Version: 19.043.0304.0013 - Microsoft Corporation)
Office 16 Click-to-Run Extensibility Component (HKLM\...\{90160000-008C-0000-1000-0000000FF1CE}) (Version: 16.0.4266.1003 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (HKLM\...\{90160000-007E-0000-1000-0000000FF1CE}) (Version: 16.0.4266.1003 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (HKLM\...\{90160000-008C-0409-1000-0000000FF1CE}) (Version: 16.0.4266.1003 - Microsoft Corporation) Hidden
VLC media player (HKLM\...\VLC media player) (Version: 3.0.19 - VideoLAN)
WinRAR archiver (HKLM-x32\...\WinRAR archiver) (Version: - )

Packages:
=========
Cortana -> C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe [2019-12-07] (Microsoft Corporation)
Mail and Calendar -> C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe [2019-12-07] (Microsoft Corporation) [MS Ad]
Microsoft Advertising SDK for XAML -> C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe [2019-12-07] (Microsoft Corporation) [MS Ad]
Microsoft Solitaire Collection -> C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe [2019-12-07] (Microsoft Studios) [MS Ad]
MSN Weather -> C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe [2019-12-07] (Microsoft Corporation) [MS Ad]
Skype -> C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c [2019-12-07] (Skype)

==================== Custom CLSID (Whitelisted): ==============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ContextMenuHandlers1: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files (x86)\WinRAR\rarext64.dll [2005-06-07] () [File not signed]
ContextMenuHandlers4: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files (x86)\WinRAR\rarext64.dll [2005-06-07] () [File not signed]
ContextMenuHandlers6: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files (x86)\WinRAR\rarext64.dll [2005-06-07] () [File not signed]

==================== Codecs (Whitelisted) ====================

==================== Shortcuts & WMI ========================

==================== Loaded Modules (Whitelisted) =============

==================== Alternate Data Streams (Whitelisted) ========

==================== Safe Mode (Whitelisted) ==================

==================== Association (Whitelisted) =================

==================== Internet Explorer (Whitelisted) ==========

BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\root\Office16\OCHelper.dll [2023-10-21] (Microsoft Corporation -> Microsoft Corporation)
BHO: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\root\Office16\GROOVEEX.DLL [2023-10-21] (Microsoft Corporation -> Microsoft Corporation)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\OCHelper.dll [2023-10-21] (Microsoft Corporation -> Microsoft Corporation)
BHO-x32: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\GROOVEEX.DLL [2023-10-21] (Microsoft Corporation -> Microsoft Corporation)
Handler: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2023-10-21] (Microsoft Corporation -> Microsoft Corporation)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2023-10-21] (Microsoft Corporation -> Microsoft Corporation)
Handler: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2023-10-21] (Microsoft Corporation -> Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2023-10-21] (Microsoft Corporation -> Microsoft Corporation)
Handler: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2023-10-21] (Microsoft Corporation -> Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2023-10-21] (Microsoft Corporation -> Microsoft Corporation)
Handler: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2023-10-21] (Microsoft Corporation -> Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2023-10-21] (Microsoft Corporation -> Microsoft Corporation)

==================== Hosts content: =========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2019-12-07 02:14 - 2019-12-07 02:12 - 000000824 _____ C:\Windows\system32\drivers\etc\hosts

==================== Other Areas ===========================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-4272348530-104420464-272258208-1001\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
DNS Servers: 192.168.207.187
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost => (EnableWebContentEvaluation: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

==================== FirewallRules (Whitelisted) ================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{2AB06CB3-B524-499E-AA2A-5A28EB25D06D}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\outlook.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{64346849-97E3-45A8-8390-A35882A8E427}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\Lync.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{507DACFF-C760-4274-B66A-AB98622D0FDA}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\Lync.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{1ECEF98B-034B-44C1-BA55-92E3831208F0}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\UcMapi.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{AA733E6A-2817-4E1C-89C4-DE760E8B2AF0}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\UcMapi.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{D157B4AB-E317-4D29-A598-51F4FEF6177D}] => (Allow) C:\Windows\KMS-R@1n.exe => No File
FirewallRules: [{A8859971-0D9D-474F-8341-555F169B9E8B}] => (Allow) C:\Windows\KMS-R@1n.exe => No File
FirewallRules: [{085CF7DB-CD22-4ED2-9B2E-2F4664FBBE71}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc -> Google Inc.)
FirewallRules: [{76FCAFF4-B587-4017-94DC-40EFBB56D363}] => (Block) %SystemRoot%\System32\rpcnetp.exe => No File

==================== Restore Points =========================

22-10-2023 05:42:16 KpRm

==================== Faulty Device Manager Devices ============


==================== Event log errors: ========================

Application errors:
==================
Error: (10/22/2023 05:42:20 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddWin32ServiceFiles: Unable to back up image of service rpcnetp since QueryServiceConfig API failed

System Error:
The system cannot find the file specified.
.

Error: (10/22/2023 04:59:58 AM) (Source: CertEnroll) (EventID: 86) (User: NT AUTHORITY)
Description: SCEP Certificate enrollment initialization for WORKGROUP\DESKTOP-UAVRUKD$ via https://ntc-keyid-1591d4b6eaf98d0104864b6903a48dd0026077d3.microsoftaik.azure.net/templates/Aik/scep failed:

GetCACaps

Method: GET(0ms)
Stage: GetCACaps
The server name or address could not be resolved 0x80072ee7 (WinHttp: 12007 ERROR_WINHTTP_NAME_NOT_RESOLVED)

Error: (10/22/2023 04:53:13 AM) (Source: CertEnroll) (EventID: 86) (User: NT AUTHORITY)
Description: SCEP Certificate enrollment initialization for WORKGROUP\DESKTOP-UAVRUKD$ via https://ntc-keyid-1591d4b6eaf98d0104864b6903a48dd0026077d3.microsoftaik.azure.net/templates/Aik/scep failed:

GetCACaps

Method: GET(15ms)
Stage: GetCACaps
The server name or address could not be resolved 0x80072ee7 (WinHttp: 12007 ERROR_WINHTTP_NAME_NOT_RESOLVED)

Error: (10/22/2023 04:53:11 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x80072EE7
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=613d217f-7f13-4268-9907-1662339531cd;NotificationInterval=1440;Trigger=UserLogon;SessionId=1

Error: (10/22/2023 04:53:11 AM) (Source: Software Protection Platform Service) (EventID: 1014) (User: )
Description: Acquisition of End User License failed. hr=0x80072EE7
Sku Id=613d217f-7f13-4268-9907-1662339531cd

Error: (10/22/2023 04:53:11 AM) (Source: Software Protection Platform Service) (EventID: 8200) (User: )
Description: License acquisition failure details.
hr=0x80072EE7

Error: (10/22/2023 04:52:20 AM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x8007045b, A system shutdown is in progress.
.

Error: (10/22/2023 04:52:20 AM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started. [0x8007045b, A system shutdown is in progress.
]


System errors:
=============
Error: (10/22/2023 05:00:08 AM) (Source: SCardSvr) (EventID: 610) (User: )
Description: Smart Card Reader 'Microsoft UICC ISO Reader 0c44320e 1' rejected IOCTL POWER: The data area passed to a system call is too small. If this error persists, your smart card or reader may not be functioning correctly.

Command Header: 00 00 00 00

Error: (10/22/2023 04:59:58 AM) (Source: SCardSvr) (EventID: 610) (User: )
Description: Smart Card Reader 'Microsoft UICC ISO Reader 0c44320e 1' rejected IOCTL TRANSMIT: Access is denied. If this error persists, your smart card or reader may not be functioning correctly.

Command Header: 00 a4 04 00

Error: (10/22/2023 04:59:58 AM) (Source: SCardSvr) (EventID: 610) (User: )
Description: Smart Card Reader 'Microsoft UICC ISO Reader 0c44320e 1' rejected IOCTL TRANSMIT: Access is denied. If this error persists, your smart card or reader may not be functioning correctly.

Command Header: 00 a4 04 00

Error: (10/22/2023 04:59:58 AM) (Source: SCardSvr) (EventID: 610) (User: )
Description: Smart Card Reader 'Microsoft UICC ISO Reader 0c44320e 1' rejected IOCTL TRANSMIT: The parameter is incorrect. If this error persists, your smart card or reader may not be functioning correctly.

Command Header: 00 ca 7f 68

Error: (10/22/2023 04:59:58 AM) (Source: SCardSvr) (EventID: 610) (User: )
Description: Smart Card Reader 'Microsoft UICC ISO Reader 0c44320e 1' rejected IOCTL TRANSMIT: Access is denied. If this error persists, your smart card or reader may not be functioning correctly.

Command Header: 00 a4 04 00

Error: (10/22/2023 04:53:23 AM) (Source: SCardSvr) (EventID: 610) (User: )
Description: Smart Card Reader 'Microsoft UICC ISO Reader 0c44320e 1' rejected IOCTL POWER: The data area passed to a system call is too small. If this error persists, your smart card or reader may not be functioning correctly.

Command Header: 00 00 00 00

Error: (10/22/2023 04:53:13 AM) (Source: SCardSvr) (EventID: 610) (User: )
Description: Smart Card Reader 'Microsoft UICC ISO Reader 0c44320e 1' rejected IOCTL TRANSMIT: Access is denied. If this error persists, your smart card or reader may not be functioning correctly.

Command Header: 00 a4 04 00

Error: (10/22/2023 04:53:13 AM) (Source: SCardSvr) (EventID: 610) (User: )
Description: Smart Card Reader 'Microsoft UICC ISO Reader 0c44320e 1' rejected IOCTL TRANSMIT: Access is denied. If this error persists, your smart card or reader may not be functioning correctly.

Command Header: 00 a4 04 00


Windows Defender:
================
Date: 2023-10-22 06:07:47
Description:
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?li...in32/AutoKMS&threatid=2147685180&enterprise=0
Name: HackTool:Win32/AutoKMS
Severity: High
Category: Tool
Path: file:_C:\Windows\KMS-QADhook.dll
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Users\Lawbitss\Downloads\FRST64.exe
Security intelligence Version: AV: 1.303.25.0, AS: 1.303.25.0, NIS: 1.303.25.0
Engine Version: AM: 1.1.16400.2, NIS: 1.1.16400.2

Date: 2023-10-21 17:21:15
Description:
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?li...toKMS.SA!MSR&threatid=2147741757&enterprise=0
Name: HackTool:Win32/AutoKMS.SA!MSR
Severity: High
Category: Tool
Path: file:_C:\Windows\KMS-R@1n.exe; process:_pid:4648,ProcessStart:133424076397329510; service:_KMS-R@1n
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Windows\KMS-R@1n.exe
Security intelligence Version: AV: 1.303.25.0, AS: 1.303.25.0, NIS: 1.303.25.0
Engine Version: AM: 1.1.16400.2, NIS: 1.1.16400.2

Date: 2023-10-21 17:21:00
Description:
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?li...toKMS.SA!MSR&threatid=2147741757&enterprise=0
Name: HackTool:Win32/AutoKMS.SA!MSR
Severity: High
Category: Tool
Path: file:_C:\Windows\KMS-R@1n.exe
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Windows\System32\svchost.exe
Security intelligence Version: AV: 1.303.25.0, AS: 1.303.25.0, NIS: 1.303.25.0
Engine Version: AM: 1.1.16400.2, NIS: 1.1.16400.2

Date: 2023-10-21 17:05:17
Description:
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?li...MSIL/AutoKMS&threatid=2147711767&enterprise=0
Name: HackTool:MSIL/AutoKMS
Severity: High
Category: Tool
Path: file:_C:\Windows\KMS-R@1nhook.exe; imagefileexecoptions:_HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\OSppSvc.exe; imagefileexecoptions:_HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SppExtComObj.exe; imagefileexecoptions:_HKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\OSppSvc.exe; imagefileexecoptions:_HKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SppExtComObj.exe; regkey:_HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\OSppSvc.exe; regkey:_HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SppExtComObj.exe; regkey:_HKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\OSppSvc.exe; regkey:_HKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SppExtComObj.exe
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Windows\System32\svchost.exe
Security intelligence Version: AV: 1.303.25.0, AS: 1.303.25.0, NIS: 1.303.25.0
Engine Version: AM: 1.1.16400.2, NIS: 1.1.16400.2

Date: 2023-10-21 17:05:01
Description:
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?li...MSIL/AutoKMS&threatid=2147711767&enterprise=0
Name: HackTool:MSIL/AutoKMS
Severity: High
Category: Tool
Path: file:_C:\Windows\KMS-R@1nhook.exe
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Windows\System32\svchost.exe
Security intelligence Version: AV: 1.303.25.0, AS: 1.303.25.0, NIS: 1.303.25.0
Engine Version: AM: 1.1.16400.2, NIS: 1.1.16400.2
Event[0]:

Date: 2023-10-22 05:03:03
Description:
Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version:
Previous security intelligence Version: 1.303.25.0
Update Source: Microsoft Malware Protection Center
Security intelligence Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.16400.2
Error code: 0x80072ee7
Error description: The server name or address could not be resolved

Date: 2023-10-22 05:03:03
Description:
Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version:
Previous security intelligence Version: 1.303.25.0
Update Source: Microsoft Malware Protection Center
Security intelligence Type: AntiSpyware
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.16400.2
Error code: 0x80072ee7
Error description: The server name or address could not be resolved

Date: 2023-10-22 05:03:03
Description:
Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version:
Previous security intelligence Version: 1.303.25.0
Update Source: Microsoft Malware Protection Center
Security intelligence Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.16400.2
Error code: 0x80072ee7
Error description: The server name or address could not be resolved

Date: 2023-10-22 05:03:03
Description:
Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version:
Previous security intelligence Version: 1.303.25.0
Update Source: Microsoft Malware Protection Center
Security intelligence Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.16400.2
Error code: 0x80072ee7
Error description: The server name or address could not be resolved

Date: 2023-10-22 05:03:03
Description:
Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version:
Previous security intelligence Version: 1.303.25.0
Update Source: Microsoft Malware Protection Center
Security intelligence Type: AntiSpyware
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.16400.2
Error code: 0x80072ee7
Error description: The server name or address could not be resolved

==================== Memory info ===========================

BIOS: Microsoft Corporation 238.167.768 05.07.2014
Motherboard: Microsoft Corporation Surface Pro
Processor: Intel(R) Core(TM) i5-7300U CPU @ 2.60GHz
Percentage of memory in use: 43%
Total physical RAM: 8108.95 MB
Available physical RAM: 4580.68 MB
Total Virtual: 10028.95 MB
Available Virtual: 6319.8 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:237.86 GB) (Free:208.45 GB) (Model: INTEL SSDPEBKF256G7) NTFS

\\?\Volume{d7940109-31e6-4c8a-9359-8d6863bad120}\ () (Fixed) (Total:0.5 GB) (Free:0.08 GB) NTFS
\\?\Volume{00561e41-b66e-4d06-bb80-26392ad91ca2}\ () (Fixed) (Total:0.09 GB) (Free:0.07 GB) FAT32

==================== MBR & Partition Table ====================

==========================================================
Disk: 0 (Size: 238.5 GB) (Disk ID: 5A54E111)

Partition: GPT.

==================== End of Addition.txt =======================
 
Hello, lawbitss.

Welcome to Sysnative Forums.

I reviewed your logs, and there is evidence that your system is having activation issues. In addition, you are using a KMS service, which is used to illegally activate Microsoft products, such as Windows or Office.

If your Office is activated with the use of a KMS service, I'll ask you to uninstall it, and my fixes will include KMS removal.

If your operating system is activated with the use of a KMS service, then, unfortunately, I can't help you until you activate Windows with a genuine license. You see, having a system activated with KMS makes you extremely vulnerable to any kind of malware and creates a lot of issues. Even if we clean it, it is only a matter of time before it gets infected again.

Let me know about your thoughts.
 
Thank you so much. I am not so much into tech, so I guess the person who did the installation of the OS for me after the freezing of the screen must have activated it with the KMS you spoke about. I will get the genuine OS installed and revert. Thank you again.
 
I will get the genuine OS installed and revert. Thank you again.

Before you do that, we can check if the operating system is legally activated or not.
  • Press Windows icon on your Desktop, together with the letter R.
  • Type cmd, and press Ctrl + Shift + Enter to run Command Prompt as administrator.
  • Copy and paste the following command and press Enter:
Code:
slmgr /dli
  • After running the command, you will get a report. Please take a screenshot of what you got and attach it in your next reply. Here is an article where you can see how to take a screenshot with the Snipping Tool, in case you need it.
 
Thank you. I am really learning a lot from you. Find attached the snip you requested. Thank you for your time.
 

Attachments

  • Annotation 2023-10-24 000713.png (190.3 KB)
Hi! I'm glad you are back.

Your operating system seems licensed with an OEM key. So, the issue is possibly with Microsoft Office Professional Plus 2016 - en-us. My recommendation is to uninstall it, since by removing the KMS service it will lose its activation.
As a really good alternative you can use free Microsoft Office Online, or any other free Office platform, like Libre Office or Free Office.

To sum up, if you want to continue with me, cleaning the system:

1. Uninstall Microsoft Office Professional Plus 2016
2. Run FRST tool once more (please move it on to your Desktop first), and attach for me fresh logs, Addition and FRST.
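The check asked for above (slmgr /dli) and the conclusion drawn from it (Windows on an OEM key, Office kept alive by the KMS tool) can be reproduced and extended in one read-only PowerShell triage script. The script below is an added example, not something posted in this thread and not part of FRST. It assumes an elevated PowerShell 5.1 session on Windows 10 (the ScheduledTasks and NetSecurity modules ship in-box), reads the same SoftwareLicensingProduct class that the R@1n-KMS task in the second log drives through wmic, and then looks for the exact files, registry keys, task, services and firewall rules named in the FRST and Defender output. The Windows application ID is the one in the Software Protection Platform event earlier on this page; the Office application ID is an assumption and should be verified against the ApplicationID column the script prints.

```powershell
# Added triage script (not from the Sysnative thread or FRST). Run in an elevated PowerShell.
# Section 1 reports the licence facts that `slmgr /dli` prints; sections 2-5 look for the
# AutoKMS and rpcnetp artifacts listed in the FRST / Defender output on this page.

$windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'   # from the SPP 8198 event in the log
$officeAppId  = '0ff1ce15-a989-479d-af46-f275c6370663'   # assumption: Office SPP application ID

# 1. Licence channel per product. LicenseStatus 1 = Licensed. ProductKeyChannel reads
#    OEM:DM / Retail for a normal licence and Volume:GVLK for a KMS client; a non-empty
#    KeyManagementServiceMachine means the product is pointed at a KMS host.
Get-CimInstance -ClassName SoftwareLicensingProduct -Filter "PartialProductKey IS NOT NULL" |
    Where-Object { $_.ApplicationID -in $windowsAppId, $officeAppId } |
    Select-Object Name, ApplicationID, ProductKeyChannel, LicenseStatus,
                  KeyManagementServiceMachine, KeyManagementServicePort |
    Format-Table -AutoSize

# 2. Files Defender flagged, plus the three 22932-byte files FRST saw created at 04:52.
#    Identical size and SHA256 across rpcnetp.exe, rpcnetp.dll and tik.exe would mean one
#    binary dropped under three names.
$suspectFiles = @(
    "$env:SystemRoot\KMS-R@1n.exe",
    "$env:SystemRoot\KMS-R@1nhook.exe",
    "$env:SystemRoot\KMS-QADhook.dll",
    "$env:SystemRoot\System32\rpcnetp.exe",
    "$env:SystemRoot\System32\tik.exe",
    "$env:SystemRoot\SysWOW64\rpcnetp.exe",
    "$env:SystemRoot\SysWOW64\rpcnetp.dll"
)
foreach ($path in $suspectFiles) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $file = Get-Item -LiteralPath $path -Force
    $sig  = Get-AuthenticodeSignature -LiteralPath $path
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path = $path; Bytes = $file.Length; Created = $file.CreationTime
        Signature = $sig.Status; SHA256 = $hash
    }
}

# 3. Image File Execution Options entries for the licensing processes that the
#    HackTool:MSIL/AutoKMS detection listed (a Debugger value here redirects the process).
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
foreach ($root in $ifeoRoots) {
    foreach ($exe in 'OSppSvc.exe', 'SppExtComObj.exe') {
        $key = Join-Path $root $exe
        if (Test-Path -LiteralPath $key) {
            "IFEO present: $key"
            Get-ItemProperty -LiteralPath $key | Format-List
        }
    }
}

# 4. Persistence: the R@1n-KMS task folder (it runs wmic ... call Activate on a timer)
#    and the two services named in the Defender and CAPI2 events.
Get-ScheduledTask -TaskPath '\R@1n-KMS\' -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($a in $_.Actions) { "{0}{1}: {2} {3}" -f $_.TaskPath, $_.TaskName, $a.Execute, $a.Arguments }
}
Get-Service -Name 'KMS-R@1n', 'rpcnetp' -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType

# 5. Firewall rules that reference those binaries. FRST showed Allow rules for
#    KMS-R@1n.exe and a Block rule for rpcnetp.exe whose file was already gone:
#    rules outlive the binary and are worth cleaning with it.
Get-NetFirewallApplicationFilter |
    Where-Object { $_.Program -match 'rpcnetp|KMS-R@1n' } |
    Get-NetFirewallRule |
    Select-Object DisplayName, Direction, Action, Enabled
```

Reading the output against this thread: a Windows row with ProductKeyChannel OEM:DM and LicenseStatus 1 is what the attached slmgr /dli screenshot showed, and an Office row on a Volume channel (or the R@1n-KMS task still scheduled to call Activate) is the product the KMS tool is keeping alive. The script only reports; removal of the task, services, IFEO keys and files belongs in the FRST fix the helper prepares, not in an ad-hoc script.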
 
MS Office Professional Plus 2016 uninstalled. Find below the report of the scan.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 06-10-2023
Ran by Lawbitss (administrator) on DESKTOP-UAVRUKD (Microsoft Corporation Surface Pro) (24-10-2023 09:11:12)
Running from C:\Users\Lawbitss\Desktop\FRST64.exe
Loaded Profiles: Lawbitss
Platform: Microsoft Windows 10 Pro Version 20H2 19042.631 (X64) Language: English (United States)
Default browser: Chrome
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(C:\Program Files\Google\Drive File Stream\82.0.1.0\GoogleDriveFS.exe ->) (Google LLC -> ) C:\Program Files\Google\Drive File Stream\82.0.1.0\crashpad_handler.exe
(explorer.exe ->) (Google LLC -> Google LLC) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe <12>
(explorer.exe ->) (Google LLC -> Google, Inc.) C:\Program Files\Google\Drive File Stream\82.0.1.0\GoogleDriveFS.exe <7>
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Windows\Temp\ose00000.exe
(RuntimeBroker.exe ->) (Skype Software Sarl -> Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBridge\SkypeBridge.exe
(services.exe ->) (Intel Corporation -> Intel Corporation) C:\Windows\System32\Intel\DPTF\esif_uf.exe
(services.exe ->) (Intel(R) pGFX 2020 -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\64kb8682.inf_amd64_170ccd25b9699b84\IntelCpHDCPSvc.exe
(services.exe ->) (Intel(R) pGFX 2020 -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\64kb8682.inf_amd64_170ccd25b9699b84\IntelCpHeciSvc.exe
(services.exe ->) (Microsoft Corporation -> Microsoft) C:\Program Files\WindowsApps\Microsoft.SurfaceHub_61.23090.124.0_x64__8wekyb3d8bbwe\Services\SurfaceBroker.exe
(services.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\msiexec.exe
(services.exe ->) (Microsoft Windows Publisher -> Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(services.exe ->) (Microsoft Windows Publisher -> Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(svchost.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dllhost.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\SppExtComObj.Exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\wbem\WMIC.exe
(svchost.exe ->) (Skype Software Sarl -> ) C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe
(svchost.exe ->) (Skype Software Sarl -> Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe

==================== Registry (Whitelisted) ===================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKU\S-1-5-19\...\Run: [GoogleDriveFS] => C:\Program Files\Google\Drive File Stream\82.0.1.0\GoogleDriveFS.exe [55189280 2023-10-22] (Google LLC -> Google, Inc.)
HKU\S-1-5-20\...\Run: [GoogleDriveFS] => C:\Program Files\Google\Drive File Stream\82.0.1.0\GoogleDriveFS.exe [55189280 2023-10-22] (Google LLC -> Google, Inc.)
HKU\S-1-5-21-4272348530-104420464-272258208-1001\...\Run: [GoogleDriveFS] => C:\Program Files\Google\Drive File Stream\82.0.1.0\GoogleDriveFS.exe [55189280 2023-10-22] (Google LLC -> Google, Inc.)
HKU\S-1-5-21-4272348530-104420464-272258208-1001\...\Run: [Microsoft Edge Update] => C:\Users\Lawbitss\AppData\Local\Microsoft\EdgeUpdate\1.3.177.11\MicrosoftEdgeUpdateCore.exe [263648 2023-10-24] (Microsoft Corporation -> Microsoft Corporation)
HKU\S-1-5-18\...\Run: [GoogleDriveFS] => C:\Program Files\Google\Drive File Stream\82.0.1.0\GoogleDriveFS.exe [55189280 2023-10-22] (Google LLC -> Google, Inc.)
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{8A69D345-D564-463c-AFF1-A69D9E530F96}] -> C:\Program Files (x86)\Google\Chrome\Application\118.0.5993.89\Installer\chrmstp.exe [2023-10-22] (Google LLC -> Google LLC)

==================== Scheduled Tasks (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {D87E5EB4-ACC7-4506-9427-2E3908B505E6} - System32\Tasks\CreateExplorerShellUnelevatedTask => C:\Windows\Explorer.exe [4651032 2020-11-18] (Microsoft Windows -> Microsoft Corporation)
Task: {D1043206-1B00-42F0-A330-B512E1BC62FF} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [153168 2023-10-21] (Google Inc -> Google Inc.)
Task: {AB607F1F-8610-4273-9221-E89D9CA131F3} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [153168 2023-10-21] (Google Inc -> Google Inc.)
Task: {891B7266-05C3-413B-85AB-D92515545A36} - System32\Tasks\MicrosoftEdgeUpdateTaskUserS-1-5-21-4272348530-104420464-272258208-1001Core{E83EC3D3-CE0E-4831-9B3D-C78DE17CF83C} => C:\Users\Lawbitss\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe [206288 2023-10-24] (Microsoft Corporation -> Microsoft Corporation)
Task: {F9496076-EE30-4C0B-B32B-79C0C93B142F} - System32\Tasks\MicrosoftEdgeUpdateTaskUserS-1-5-21-4272348530-104420464-272258208-1001UA{03EE7845-CA0E-4524-ABEE-5DD88717BBD4} => C:\Users\Lawbitss\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe [206288 2023-10-24] (Microsoft Corporation -> Microsoft Corporation)
Task: {683067CE-DD30-4743-9BF7-2F39473681DC} - System32\Tasks\R@1n-KMS\Office365ProPlus => C:\Windows\System32\Wbem\wmic.exe [526848 2019-12-07] (Microsoft Windows -> Microsoft Corporation) -> path SoftwareLicensingProduct where (ID="d450596f-894d-49e0-966a-fd39ed4c4c64") call Activate

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.207.187
Tcpip\..\Interfaces\{efa46f2b-35fd-4701-b41e-21d03c34b087}: [DhcpNameServer] 192.168.207.187

Edge:
=======
Edge DefaultProfile: Default
Edge Profile: C:\Users\Lawbitss\AppData\Local\Microsoft\Edge\User Data\Default [2023-10-24]

FireFox:
========
FF Plugin: @videolan.org/vlc,version=3.0.19 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2023-10-07] (VideoLAN -> VideoLAN)

Chrome:
=======
CHR Profile: C:\Users\Lawbitss\AppData\Local\Google\Chrome\User Data\Default [2023-10-24]
CHR Extension: (Docs) - C:\Users\Lawbitss\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2023-10-22]
CHR Extension: (Google Drive) - C:\Users\Lawbitss\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2023-10-22]
CHR Extension: (Google Docs Offline) - C:\Users\Lawbitss\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2023-10-22]
CHR Extension: (Application Launcher For Drive (by Google)) - C:\Users\Lawbitss\AppData\Local\Google\Chrome\User Data\Default\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh [2023-10-22]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Lawbitss\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2023-10-22]
CHR Extension: (Gmail) - C:\Users\Lawbitss\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2023-10-22]
CHR HKU\S-1-5-21-4272348530-104420464-272258208-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh]

==================== Services (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [5101992 2020-11-18] (Microsoft Windows Publisher -> Microsoft Corporation)
R2 SurfaceExperienceService-61.23090.124; C:\Program Files\WindowsApps\Microsoft.SurfaceHub_61.23090.124.0_x64__8wekyb3d8bbwe\Services\SurfaceBroker.exe [8742336 2023-10-23] (Microsoft Corporation -> Microsoft)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [3004048 2019-12-07] (Microsoft Windows Publisher -> Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103384 2019-12-07] (Microsoft Windows Publisher -> Microsoft Corporation)

===================== Drivers (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 BthA2dp; C:\Windows\System32\drivers\BthA2dp.sys [279040 2019-12-07] (Microsoft Corporation) [File not signed]
R1 googledrivefs31092; C:\Windows\System32\DRIVERS\googledrivefs31092.sys [384600 2023-10-22] (Microsoft Windows Hardware Compatibility Publisher -> Google, Inc.)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [46688 2019-12-07] (Microsoft Windows Early Launch Anti-malware Publisher -> Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [350136 2019-12-07] (Microsoft Windows -> Microsoft Corporation)
R3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [54200 2019-12-07] (Microsoft Windows -> Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One month (created) (Whitelisted) =========

(If an entry is included in the fixlist, the file/folder will be moved.)

2023-10-24 09:11 - 2023-10-24 09:11 - 000010184 _____ C:\Users\Lawbitss\Desktop\FRST.txt
2023-10-24 09:10 - 2023-10-22 06:04 - 002383360 _____ (Farbar) C:\Users\Lawbitss\Desktop\FRST64.exe
2023-10-24 00:01 - 2023-10-24 00:01 - 000003874 _____ C:\Windows\system32\Tasks\MicrosoftEdgeUpdateTaskUserS-1-5-21-4272348530-104420464-272258208-1001UA{03EE7845-CA0E-4524-ABEE-5DD88717BBD4}
2023-10-24 00:01 - 2023-10-24 00:01 - 000003816 _____ C:\Windows\system32\Tasks\MicrosoftEdgeUpdateTaskUserS-1-5-21-4272348530-104420464-272258208-1001Core{E83EC3D3-CE0E-4831-9B3D-C78DE17CF83C}
2023-10-23 23:31 - 2023-10-23 23:31 - 000000000 ____D C:\ProgramData\SurfaceExperienceService
2023-10-22 18:27 - 2023-10-22 18:27 - 000000000 ____D C:\Users\Lawbitss\AppData\Local\OfficeBSCache-OD-stsokwa@gmail.com
2023-10-22 18:27 - 2023-10-22 18:27 - 000000000 ____D C:\Users\Lawbitss\AppData\Local\OfficeBSCache-MyComputer
2023-10-22 18:22 - 2023-10-22 18:22 - 000000000 ____D C:\Users\Lawbitss\AppData\Local\CEF
2023-10-22 18:20 - 2023-10-22 18:20 - 000002238 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Drive.lnk
2023-10-22 18:20 - 2023-10-22 18:20 - 000002044 _____ C:\Users\Lawbitss\Desktop\Google Drive.lnk
2023-10-22 18:20 - 2023-10-22 18:20 - 000000000 ____D C:\Program Files\Google
2023-10-22 18:17 - 2023-10-22 18:18 - 161774368 _____ (Google, Inc.) C:\Users\Lawbitss\Downloads\GoogleDriveSetup.exe
2023-10-22 09:09 - 2023-10-24 00:01 - 000003584 _____ C:\Windows\system32\Tasks\OneDrive Reporting Task-S-1-5-21-4272348530-104420464-272258208-1001
2023-10-22 09:09 - 2023-10-22 09:09 - 000000000 ___HD C:\OneDriveTemp
2023-10-22 08:01 - 2023-10-22 08:01 - 000000000 ____D C:\Users\Lawbitss\AppData\Local\OneDrive
2023-10-22 07:48 - 2023-10-24 00:01 - 000000000 ____D C:\Users\Lawbitss\AppData\Local\PlaceholderTileLogoFolder
2023-10-22 07:48 - 2023-10-22 07:48 - 000000000 ____D C:\Users\Lawbitss\AppData\Roaming\Microsoft\InputMethod
2023-10-22 06:24 - 2023-10-22 06:24 - 000000000 ____D C:\Program Files (x86)\Crashpad
2023-10-22 06:23 - 2023-10-22 06:23 - 000000000 ____D C:\Users\Lawbitss\AppData\Roaming\Microsoft\QuickStyles
2023-10-22 06:08 - 2023-10-22 06:09 - 000022894 _____ C:\Users\Lawbitss\Downloads\Addition.txt
2023-10-22 06:06 - 2023-10-22 06:09 - 000021533 _____ C:\Users\Lawbitss\Downloads\FRST.txt
2023-10-22 06:04 - 2023-10-24 09:11 - 000000000 ____D C:\FRST
2023-10-22 06:04 - 2023-10-22 06:04 - 002383360 _____ (Farbar) C:\Users\Lawbitss\Downloads\FRST64.exe
2023-10-22 06:03 - 2023-10-22 06:03 - 002084352 _____ (Farbar) C:\Users\Lawbitss\Downloads\FRST.exe
2023-10-22 05:42 - 2023-10-22 05:42 - 000003662 _____ C:\Windows\system32\Tasks\CreateExplorerShellUnelevatedTask
2023-10-22 05:42 - 2023-10-22 05:42 - 000001962 _____ C:\Users\Lawbitss\Desktop\kprm-20231022054207.txt
2023-10-22 05:42 - 2023-10-22 05:42 - 000000000 ____D C:\KPRM
2023-10-22 04:52 - 2023-10-22 04:52 - 000022932 ____N C:\Windows\SysWOW64\rpcnetp.exe
2023-10-22 04:52 - 2023-10-22 04:52 - 000022932 _____ C:\Windows\SysWOW64\rpcnetp.dll
2023-10-22 04:52 - 2023-10-22 04:52 - 000022932 _____ C:\Windows\system32\tik.exe
2023-10-21 19:42 - 2023-10-21 19:42 - 000000748 _____ C:\Users\Lawbitss\Desktop\Videos - Shortcut.lnk
2023-10-21 19:23 - 2023-10-21 19:23 - 000000000 ____D C:\Windows\system32\Tasks\Agent Activation Runtime
2023-10-21 18:58 - 2023-10-24 00:03 - 000000000 ____D C:\Users\Lawbitss\AppData\Local\D3DSCache
2023-10-21 17:23 - 2023-10-23 23:51 - 000000000 ____D C:\Windows\Panther
2023-10-21 17:21 - 2023-10-21 19:23 - 000000000 ____D C:\Users\Lawbitss\AppData\Roaming\vlc
2023-10-21 17:05 - 2023-10-21 17:05 - 000000000 ____D C:\Users\Lawbitss\AppData\Roaming\Microsoft\UProof
2023-10-21 17:05 - 2023-10-21 17:05 - 000000000 ____D C:\Users\Lawbitss\AppData\Roaming\Microsoft\Proof
2023-10-21 17:04 - 2023-10-24 09:03 - 000000000 ____D C:\Program Files (x86)\Google
2023-10-21 17:04 - 2023-10-22 18:22 - 000000000 ____D C:\Users\Lawbitss\AppData\Local\Google
2023-10-21 17:04 - 2023-10-22 08:00 - 000000000 ____D C:\Users\Lawbitss\AppData\Roaming\Microsoft\Office
2023-10-21 17:04 - 2023-10-22 06:24 - 000002301 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2023-10-21 17:04 - 2023-10-22 06:24 - 000002260 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2023-10-21 17:04 - 2023-10-22 06:23 - 000000000 ____D C:\Users\Lawbitss\AppData\Roaming\Microsoft\Word
2023-10-21 17:04 - 2023-10-22 06:17 - 000003714 _____ C:\Windows\system32\Tasks\GoogleUpdateTaskMachineUA
2023-10-21 17:04 - 2023-10-22 06:17 - 000003590 _____ C:\Windows\system32\Tasks\GoogleUpdateTaskMachineCore
2023-10-21 17:04 - 2023-10-21 17:04 - 000000916 _____ C:\Users\Public\Desktop\VLC media player.lnk
2023-10-21 17:04 - 2023-10-21 17:04 - 000000000 ____D C:\Users\Lawbitss\AppData\Roaming\Microsoft\Document Building Blocks
2023-10-21 17:04 - 2023-10-21 17:04 - 000000000 ____D C:\Users\Lawbitss\AppData\Roaming\Microsoft\Bibliography
2023-10-21 17:04 - 2023-10-21 17:04 - 000000000 ____D C:\Users\Lawbitss\AppData\Roaming\Microsoft\AddIns
2023-10-21 17:04 - 2023-10-21 17:04 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN
2023-10-21 17:03 - 2023-10-21 17:03 - 000000000 ____D C:\Program Files\VideoLAN
2023-10-21 17:02 - 2023-10-21 17:02 - 000000000 ____D C:\Windows\system32\Tasks\R@1n-KMS
2023-10-21 17:02 - 2023-10-21 17:02 - 000000000 ____D C:\Users\Lawbitss\AppData\Local\PeerDistRepub
2023-10-21 17:02 - 2023-10-21 17:02 - 000000000 ____D C:\Users\Lawbitss\AppData\Local\mpress
2023-10-21 16:50 - 2023-10-24 09:07 - 000000000 ____D C:\Program Files\Microsoft Office
2023-10-21 16:49 - 2023-10-21 16:49 - 000000000 ____D C:\Users\Lawbitss\AppData\Local\Comms
2023-10-21 16:40 - 2023-10-21 16:40 - 000000000 ____D C:\Users\Lawbitss\AppData\LocalLow\Intel
2023-10-21 16:39 - 2023-10-21 16:39 - 000000000 ____D C:\Windows\system32\Intel
2023-10-21 16:38 - 2023-10-21 16:47 - 000000000 ____D C:\ProgramData\Intel
2023-10-21 16:38 - 2023-10-21 16:38 - 000000000 ____D C:\Program Files\Intel
2023-10-21 16:38 - 2023-10-21 16:38 - 000000000 _____ C:\Windows\system32\GfxValDisplayLog.bin
2023-10-21 16:36 - 2023-10-21 16:36 - 000000000 ____D C:\Users\Lawbitss\AppData\Roaming\Microsoft\MMC
2023-10-21 16:36 - 2023-10-21 16:36 - 000000000 ____D C:\Program Files\Reference Assemblies
2023-10-21 16:36 - 2023-10-21 16:36 - 000000000 ____D C:\Program Files\MSBuild
2023-10-21 16:36 - 2023-10-21 16:36 - 000000000 ____D C:\Program Files (x86)\Reference Assemblies
2023-10-21 16:36 - 2023-10-21 16:36 - 000000000 ____D C:\Program Files (x86)\MSBuild
2023-10-21 16:35 - 2023-10-24 07:00 - 000000000 ___RD C:\Users\Lawbitss\OneDrive
2023-10-21 16:35 - 2023-10-24 00:01 - 000003382 _____ C:\Windows\system32\Tasks\OneDrive Standalone Update Task-S-1-5-21-4272348530-104420464-272258208-1001
2023-10-21 16:35 - 2023-10-21 16:35 - 000001074 _____ C:\Users\Lawbitss\Desktop\WinRAR.lnk
2023-10-21 16:35 - 2023-10-21 16:35 - 000000000 ____D C:\Users\Lawbitss\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
2023-10-21 16:35 - 2023-10-21 16:35 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
2023-10-21 16:35 - 2023-10-21 16:35 - 000000000 ____D C:\Program Files (x86)\WinRAR
2023-10-21 16:32 - 2023-10-24 09:05 - 000000000 ___SD C:\Users\Lawbitss\AppData\Roaming\Microsoft\Credentials
2023-10-21 16:32 - 2023-10-24 00:01 - 000002388 _____ C:\Users\Lawbitss\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2023-10-21 16:32 - 2023-10-24 00:01 - 000000000 ____D C:\Users\Lawbitss\AppData\Local\Packages
2023-10-21 16:32 - 2023-10-22 09:08 - 000000000 ____D C:\Users\Lawbitss\AppData\Local\ConnectedDevicesPlatform
2023-10-21 16:32 - 2023-10-21 16:35 - 000000000 ____D C:\Users\Lawbitss
2023-10-21 16:32 - 2023-10-21 16:32 - 000000020 ___SH C:\Users\Lawbitss\ntuser.ini
2023-10-21 16:32 - 2023-10-21 16:32 - 000000000 ___SD C:\Users\Lawbitss\AppData\Roaming\Microsoft\SystemCertificates
2023-10-21 16:32 - 2023-10-21 16:32 - 000000000 ___SD C:\Users\Lawbitss\AppData\Roaming\Microsoft\Protect
2023-10-21 16:32 - 2023-10-21 16:32 - 000000000 ___SD C:\Users\Lawbitss\AppData\Roaming\Microsoft\Crypto
2023-10-21 16:32 - 2023-10-21 16:32 - 000000000 ___RD C:\Users\Lawbitss\3D Objects
2023-10-21 16:32 - 2023-10-21 16:32 - 000000000 ____D C:\Users\Lawbitss\AppData\Roaming\Microsoft\Windows
2023-10-21 16:32 - 2023-10-21 16:32 - 000000000 ____D C:\Users\Lawbitss\AppData\Roaming\Microsoft\Vault
2023-10-21 16:32 - 2023-10-21 16:32 - 000000000 ____D C:\Users\Lawbitss\AppData\Roaming\Microsoft\Spelling
2023-10-21 16:32 - 2023-10-21 16:32 - 000000000 ____D C:\Users\Lawbitss\AppData\Roaming\Microsoft\Network
2023-10-21 16:32 - 2023-10-21 16:32 - 000000000 ____D C:\Users\Lawbitss\AppData\Roaming\Adobe
2023-10-21 16:32 - 2023-10-21 16:32 - 000000000 ____D C:\Users\Lawbitss\AppData\Local\VirtualStore
2023-10-21 16:32 - 2023-10-21 16:32 - 000000000 ____D C:\Users\Lawbitss\AppData\Local\Publishers
2023-10-21 16:28 - 2023-10-21 16:28 - 000000000 ____D C:\Windows\CSC
2023-10-21 16:24 - 2023-10-21 16:24 - 000002850 _____ C:\Windows\system32\Tasks\OneDrive Standalone Update Task-S-1-5-21-4272348530-104420464-272258208-500
2023-10-21 16:24 - 2023-10-21 16:24 - 000000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdFs_01_11_00.Wdf
2023-10-21 16:23 - 2023-10-22 04:52 - 000034160 _____ C:\Windows\system32\wpbbin.exe
2023-10-21 02:56 - 2023-10-21 02:56 - 000000000 ___HD C:\$WinREAgent
2023-10-20 10:31 - 2023-10-20 10:31 - 044432408 _____ C:\Users\Lawbitss\Downloads\vlc-3.0.19-win64.exe
2023-10-20 10:20 - 2023-10-20 10:20 - 001373744 _____ (Google LLC) C:\Users\Lawbitss\Downloads\ChromeSetup.exe

==================== One month (modified) ==================

(If an entry is included in the fixlist, the file/folder will be moved.)

2023-10-24 09:07 - 2019-12-07 02:14 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2023-10-24 09:07 - 2019-12-07 02:14 - 000000000 ____D C:\Program Files\Common Files\microsoft shared
2023-10-24 09:03 - 2020-11-19 00:43 - 000000000 ____D C:\Windows\system32\SleepStudy
2023-10-24 07:01 - 2020-11-19 00:54 - 000840838 _____ C:\Windows\system32\PerfStringBackup.INI
2023-10-24 07:01 - 2019-12-07 02:13 - 000000000 ____D C:\Windows\INF
2023-10-24 06:59 - 2019-12-07 02:14 - 000000000 ____D C:\Windows\AppReadiness
2023-10-24 00:10 - 2019-12-07 02:14 - 000000000 ___HD C:\Program Files\WindowsApps
2023-10-24 00:01 - 2020-11-19 00:48 - 000000000 ____D C:\ProgramData\Packages
2023-10-23 23:31 - 2019-12-07 02:14 - 000000000 ____D C:\Windows\ServiceState
2023-10-23 23:21 - 2019-12-07 02:03 - 000000000 ____D C:\Windows\CbsTemp
2023-10-22 18:18 - 2020-11-19 00:46 - 000003536 _____ C:\Windows\system32\Tasks\MicrosoftEdgeUpdateTaskMachineUA
2023-10-22 18:18 - 2020-11-19 00:46 - 000003412 _____ C:\Windows\system32\Tasks\MicrosoftEdgeUpdateTaskMachineCore
2023-10-22 07:48 - 2020-11-19 00:48 - 000000000 __RHD C:\Users\Public\AccountPictures
2023-10-22 04:52 - 2023-03-25 17:20 - 000008192 ___SH C:\DumpStack.log.tmp
2023-10-22 04:52 - 2020-11-19 00:43 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2023-10-22 04:52 - 2019-12-07 02:03 - 000524288 _____ C:\Windows\system32\config\BBI
2023-10-21 19:26 - 2019-12-07 02:14 - 000000000 ____D C:\Windows\LiveKernelReports
2023-10-21 17:23 - 2019-12-07 02:14 - 000028672 _____ C:\Windows\system32\config\BCD-Template
2023-10-21 17:20 - 2020-11-19 00:43 - 000435248 _____ C:\Windows\system32\FNTCACHE.DAT
2023-10-21 17:01 - 2019-12-07 02:14 - 000000000 ____D C:\Windows\system32\WinBioPlugIns
2023-10-21 17:01 - 2019-12-07 02:14 - 000000000 ____D C:\Windows\system32\WinBioDatabase
2023-10-21 16:33 - 2019-12-07 02:14 - 000000000 ____D C:\ProgramData\USOPrivate
2023-10-21 16:28 - 2019-12-07 02:51 - 000000000 ____D C:\Windows\system32\FxsTmp
2023-10-21 16:26 - 2020-11-19 00:46 - 000002438 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk
2023-10-21 16:26 - 2020-11-19 00:46 - 000002276 _____ C:\Users\Public\Desktop\Microsoft Edge.lnk
2023-10-21 16:24 - 2019-12-07 02:14 - 000000000 ___RD C:\Windows\PrintDialog
2023-10-21 16:24 - 2019-12-07 02:14 - 000000000 ___RD C:\Windows\ImmersiveControlPanel

==================== SigCheck ============================

(There is no automatic fix for files that do not pass verification.)

==================== End of FRST.txt ========================


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 06-10-2023
Ran by Lawbitss (24-10-2023 09:13:31)
Running from C:\Users\Lawbitss\Desktop
Microsoft Windows 10 Pro Version 20H2 19042.631 (X64) (2023-10-21 23:26:37)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================


(If an entry is included in the fixlist, it will be removed.)

Administrator (S-1-5-21-4272348530-104420464-272258208-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-4272348530-104420464-272258208-503 - Limited - Disabled)
Guest (S-1-5-21-4272348530-104420464-272258208-501 - Limited - Disabled)
Lawbitss (S-1-5-21-4272348530-104420464-272258208-1001 - Administrator - Enabled) => C:\Users\Lawbitss
WDAGUtilityAccount (S-1-5-21-4272348530-104420464-272258208-504 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Google Chrome (HKLM-x32\...\Google Chrome) (Version: 118.0.5993.89 - Google LLC)
Google Drive (HKLM\...\{6BBAE539-2232-434A-A4E5-9A33560C6283}) (Version: 82.0.1.0 - Google LLC)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.7 - Google Inc.) Hidden
Microsoft Edge (HKLM-x32\...\Microsoft Edge) (Version: 84.0.522.52 - Microsoft Corporation)
Microsoft Edge WebView2 Runtime (HKU\S-1-5-21-4272348530-104420464-272258208-1001\...\Microsoft EdgeWebView) (Version: 118.0.2088.61 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-4272348530-104420464-272258208-1001\...\OneDriveSetup.exe) (Version: 23.199.0924.0001 - Microsoft Corporation)
VLC media player (HKLM\...\VLC media player) (Version: 3.0.19 - VideoLAN)
WinRAR archiver (HKLM-x32\...\WinRAR archiver) (Version: - )

Packages:
=========
Cortana -> C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe [2019-12-07] (Microsoft Corporation)
Mail and Calendar -> C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe [2019-12-07] (Microsoft Corporation) [MS Ad]
Microsoft Advertising SDK for XAML -> C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe [2019-12-07] (Microsoft Corporation) [MS Ad]
Microsoft Solitaire Collection -> C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe [2019-12-07] (Microsoft Studios) [MS Ad]
Microsoft Whiteboard -> C:\Program Files\WindowsApps\Microsoft.Whiteboard_53.10829.535.0_x64__8wekyb3d8bbwe [2023-10-24] (Microsoft Corporation)
MSN Weather -> C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe [2019-12-07] (Microsoft Corporation) [MS Ad]
Skype -> C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c [2019-12-07] (Skype)
Surface -> C:\Program Files\WindowsApps\Microsoft.SurfaceHub_61.23090.124.0_x64__8wekyb3d8bbwe [2023-10-23] (Microsoft Corporation)

==================== Custom CLSID (Whitelisted): ==============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-4272348530-104420464-272258208-1001_Classes\CLSID\{5EA43877-C6D8-4885-B77A-C0BB27E94372}\InprocServer32 -> C:\Users\Lawbitss\AppData\Local\Microsoft\EdgeUpdate\1.3.177.11\psuser_64.dll (Microsoft Corporation -> Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-4272348530-104420464-272258208-1001_Classes\CLSID\{64C6EFB9-8F79-4106-B975-067448DC768F}\InprocServer32 -> C:\Users\Lawbitss\AppData\Local\Microsoft\EdgeUpdate\1.3.177.11\psuser_64.dll (Microsoft Corporation -> Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-4272348530-104420464-272258208-1001_Classes\CLSID\{81093D63-7825-417B-BFC8-ADC63FA4E53D}\InprocServer32 -> C:\Users\Lawbitss\AppData\Local\Microsoft\EdgeUpdate\1.3.177.11\psuser_64.dll (Microsoft Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers: [ GoogleDriveCloudOverlayIconHandler] -> {A8E52322-8734-481D-A7E2-27B309EF8D56} => C:\Program Files\Google\Drive File Stream\82.0.1.0\drivefsext.dll [2023-10-22] (Google LLC -> Google, Inc.)
ShellIconOverlayIdentifiers: [ GoogleDriveMirrorBlacklistedOverlayIconHandler] -> {51EF1569-67EE-4AD6-9646-E726C3FFC8A2} => C:\Program Files\Google\Drive File Stream\82.0.1.0\drivefsext.dll [2023-10-22] (Google LLC -> Google, Inc.)
ShellIconOverlayIdentifiers: [ GoogleDrivePinnedOverlayIconHandler] -> {CFE8B367-77A7-41D7-9C90-75D16D7DC6B6} => C:\Program Files\Google\Drive File Stream\82.0.1.0\drivefsext.dll [2023-10-22] (Google LLC -> Google, Inc.)
ShellIconOverlayIdentifiers: [ GoogleDriveProgressOverlayIconHandler] -> {C973DA94-CBDF-4E77-81D1-E5B794FBD146} => C:\Program Files\Google\Drive File Stream\82.0.1.0\drivefsext.dll [2023-10-22] (Google LLC -> Google, Inc.)
ContextMenuHandlers1: [DriveFS 28 or later] -> {EE15C2BD-CECB-49F8-A113-CA1BFC528F5B} => C:\Program Files\Google\Drive File Stream\82.0.1.0\drivefsext.dll [2023-10-22] (Google LLC -> Google, Inc.)
ContextMenuHandlers1: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files (x86)\WinRAR\rarext64.dll [2005-06-07] () [File not signed]
ContextMenuHandlers4: [DriveFS 28 or later] -> {EE15C2BD-CECB-49F8-A113-CA1BFC528F5B} => C:\Program Files\Google\Drive File Stream\82.0.1.0\drivefsext.dll [2023-10-22] (Google LLC -> Google, Inc.)
ContextMenuHandlers4: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files (x86)\WinRAR\rarext64.dll [2005-06-07] () [File not signed]
ContextMenuHandlers5: [DriveFS 28 or later] -> {EE15C2BD-CECB-49F8-A113-CA1BFC528F5B} => C:\Program Files\Google\Drive File Stream\82.0.1.0\drivefsext.dll [2023-10-22] (Google LLC -> Google, Inc.)
ContextMenuHandlers6: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files (x86)\WinRAR\rarext64.dll [2005-06-07] () [File not signed]

==================== Codecs (Whitelisted) ====================

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)

Shortcut: C:\Users\Lawbitss\Desktop\Google Drive.lnk -> C:\Program Files\Google\Drive File Stream\launch.bat ()

==================== Loaded Modules (Whitelisted) =============

2023-10-21 16:35 - 2005-06-07 12:26 - 000043008 _____ () [File not signed] C:\Program Files (x86)\WinRAR\rarext64.dll

==================== Alternate Data Streams (Whitelisted) ========

==================== Safe Mode (Whitelisted) ==================

==================== Association (Whitelisted) =================

==================== Internet Explorer (Whitelisted) ==========


==================== Hosts content: =========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2019-12-07 02:14 - 2019-12-07 02:12 - 000000824 _____ C:\Windows\system32\drivers\etc\hosts

==================== Other Areas ===========================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-4272348530-104420464-272258208-1001\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
DNS Servers: 192.168.207.187
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost => (EnableWebContentEvaluation: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

==================== FirewallRules (Whitelisted) ================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{64346849-97E3-45A8-8390-A35882A8E427}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\Lync.exe => No File
FirewallRules: [{1ECEF98B-034B-44C1-BA55-92E3831208F0}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\UcMapi.exe => No File
FirewallRules: [{D157B4AB-E317-4D29-A598-51F4FEF6177D}] => (Allow) C:\Windows\KMS-R@1n.exe => No File
FirewallRules: [{A8859971-0D9D-474F-8341-555F169B9E8B}] => (Allow) C:\Windows\KMS-R@1n.exe => No File
FirewallRules: [{76FCAFF4-B587-4017-94DC-40EFBB56D363}] => (Block) %SystemRoot%\System32\rpcnetp.exe => No File
FirewallRules: [{2A4BD41A-C167-45FB-8827-FCA27A1E5E5B}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google LLC -> Google LLC)

==================== Restore Points =========================


==================== Faulty Device Manager Devices ============


==================== Event log errors: ========================

Application errors:
==================
Error: (10/24/2023 09:04:39 AM) (Source: SurfaceTconHAL) (EventID: 32767) (User: )
Description: Event-ID 32767

Error: (10/24/2023 09:04:38 AM) (Source: SurfaceTconHAL) (EventID: 32767) (User: )
Description: Event-ID 32767

Error: (10/24/2023 07:19:15 AM) (Source: SurfaceTconHAL) (EventID: 32767) (User: )
Description: Event-ID 32767

Error: (10/24/2023 07:19:14 AM) (Source: SurfaceTconHAL) (EventID: 32767) (User: )
Description: Event-ID 32767

Error: (10/24/2023 07:05:30 AM) (Source: SurfaceTconHAL) (EventID: 32767) (User: )
Description: Event-ID 32767

Error: (10/24/2023 07:05:29 AM) (Source: SurfaceTconHAL) (EventID: 32767) (User: )
Description: Event-ID 32767

Error: (10/23/2023 11:52:27 PM) (Source: SurfaceTconHAL) (EventID: 32767) (User: )
Description: Event-ID 32767

Error: (10/23/2023 11:52:26 PM) (Source: SurfaceTconHAL) (EventID: 32767) (User: )
Description: Event-ID 32767


System errors:
=============
Error: (10/24/2023 07:19:15 AM) (Source: SurfaceTconDriver) (EventID: 12) (User: )
Description: Surface Tcon Driver TP Write fails, Status = 0xc0000186

Error: (10/24/2023 07:19:15 AM) (Source: SurfaceTconDriver) (EventID: 13) (User: )
Description: Surface Tcon Driver TP Read fails, Status = 0xc0000186

Error: (10/24/2023 07:19:14 AM) (Source: SurfaceTconDriver) (EventID: 13) (User: )
Description: Surface Tcon Driver TP Read fails, Status = 0xc0000186

Error: (10/24/2023 07:05:30 AM) (Source: SurfaceTconDriver) (EventID: 12) (User: )
Description: Surface Tcon Driver TP Write fails, Status = 0xc0000186

Error: (10/24/2023 07:05:30 AM) (Source: SurfaceTconDriver) (EventID: 13) (User: )
Description: Surface Tcon Driver TP Read fails, Status = 0xc0000186

Error: (10/24/2023 07:05:29 AM) (Source: SurfaceTconDriver) (EventID: 13) (User: )
Description: Surface Tcon Driver TP Read fails, Status = 0xc0000186

Error: (10/24/2023 06:59:45 AM) (Source: SCardSvr) (EventID: 610) (User: )
Description: Smart Card Reader 'Microsoft UICC ISO Reader 0c44320e 1' rejected IOCTL POWER: The data area passed to a system call is too small. If this error persists, your smart card or reader may not be functioning correctly.

Command Header: 00 00 00 00

Error: (10/24/2023 06:59:35 AM) (Source: SCardSvr) (EventID: 610) (User: )
Description: Smart Card Reader 'Microsoft UICC ISO Reader 0c44320e 1' rejected IOCTL TRANSMIT: Access is denied. If this error persists, your smart card or reader may not be functioning correctly.

Command Header: 00 a4 04 00


Windows Defender:
================
Date: 2023-10-23 23:52:29
Description:
Microsoft Defender Antivirus scan has been stopped before completion.
Scan Type: Antimalware
Scan Parameters: Quick Scan

Date: 2023-10-23 23:51:13
Description:
Microsoft Defender Antivirus scan has been stopped before completion.
Scan Type: Antimalware
Scan Parameters: Quick Scan

Date: 2023-10-22 06:07:47
Description:
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
HackTool:Win32/AutoKMS threat description - Microsoft Security Intelligence
Name: HackTool:Win32/AutoKMS
Severity: High
Category: Tool
Path: file:_C:\Windows\KMS-QADhook.dll
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Users\Lawbitss\Downloads\FRST64.exe
Security intelligence Version: AV: 1.303.25.0, AS: 1.303.25.0, NIS: 1.303.25.0
Engine Version: AM: 1.1.16400.2, NIS: 1.1.16400.2

Date: 2023-10-21 17:21:15
Description:
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
HackTool:Win32/AutoKMS.SA!MSR threat description - Microsoft Security Intelligence
Name: HackTool:Win32/AutoKMS.SA!MSR
Severity: High
Category: Tool
Path: file:_C:\Windows\KMS-R@1n.exe; process:_pid:4648,ProcessStart:133424076397329510; service:_KMS-R@1n
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Windows\KMS-R@1n.exe
Security intelligence Version: AV: 1.303.25.0, AS: 1.303.25.0, NIS: 1.303.25.0
Engine Version: AM: 1.1.16400.2, NIS: 1.1.16400.2

Date: 2023-10-21 17:21:00
Description:
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
HackTool:Win32/AutoKMS.SA!MSR threat description - Microsoft Security Intelligence
Name: HackTool:Win32/AutoKMS.SA!MSR
Severity: High
Category: Tool
Path: file:_C:\Windows\KMS-R@1n.exe
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Windows\System32\svchost.exe
Security intelligence Version: AV: 1.303.25.0, AS: 1.303.25.0, NIS: 1.303.25.0
Engine Version: AM: 1.1.16400.2, NIS: 1.1.16400.2
Event[0]:

Date: 2023-10-22 05:03:03
Description:
Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version:
Previous security intelligence Version: 1.303.25.0
Update Source: Microsoft Malware Protection Center
Security intelligence Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.16400.2
Error code: 0x80072ee7
Error description: The server name or address could not be resolved

Date: 2023-10-22 05:03:03
Description:
Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version:
Previous security intelligence Version: 1.303.25.0
Update Source: Microsoft Malware Protection Center
Security intelligence Type: AntiSpyware
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.16400.2
Error code: 0x80072ee7
Error description: The server name or address could not be resolved

Date: 2023-10-22 05:03:03
Description:
Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version:
Previous security intelligence Version: 1.303.25.0
Update Source: Microsoft Malware Protection Center
Security intelligence Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.16400.2
Error code: 0x80072ee7
Error description: The server name or address could not be resolved

Date: 2023-10-22 05:03:03
Description:
Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version:
Previous security intelligence Version: 1.303.25.0
Update Source: Microsoft Malware Protection Center
Security intelligence Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.16400.2
Error code: 0x80072ee7
Error description: The server name or address could not be resolved

Date: 2023-10-22 05:03:03
Description:
Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version:
Previous security intelligence Version: 1.303.25.0
Update Source: Microsoft Malware Protection Center
Security intelligence Type: AntiSpyware
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.16400.2
Error code: 0x80072ee7
Error description: The server name or address could not be resolved

==================== Memory info ===========================

BIOS: Microsoft Corporation 238.167.768 05.07.2014
Motherboard: Microsoft Corporation Surface Pro
Processor: Intel(R) Core(TM) i5-7300U CPU @ 2.60GHz
Percentage of memory in use: 54%
Total physical RAM: 8108.95 MB
Available physical RAM: 3650.88 MB
Total Virtual: 10028.95 MB
Available Virtual: 4895.18 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:237.86 GB) (Free:209.3 GB) (Model: INTEL SSDPEBKF256G7) NTFS
Drive g: (Google Drive) (Fixed) (Total:100 GB) (Free:85.36 GB) (Model: INTEL SSDPEBKF256G7) FAT32

\\?\Volume{d7940109-31e6-4c8a-9359-8d6863bad120}\ () (Fixed) (Total:0.5 GB) (Free:0.08 GB) NTFS
\\?\Volume{00561e41-b66e-4d06-bb80-26392ad91ca2}\ () (Fixed) (Total:0.09 GB) (Free:0.07 GB) FAT32

==================== MBR & Partition Table ====================

==========================================================
Disk: 0 (Size: 238.5 GB) (Disk ID: 5A54E111)

Partition: GPT.

==================== End of Addition.txt =======================
 
Hi! Great job and wise move to remove the pirated software! (y)

Now we can proceed to the cleaning procedure.

These are the basic guidelines I would like you to have in mind until we finish:

1. Always ask before acting. Do not continue if you are not sure, or if something unexpected happens!

2. Do not run any tools unless instructed to do so. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.

3. Cracked or pirated programs are not only illegal, but also can make your computer a malware target. Having such programs installed is the easiest way to get infected. Thus, there is no need to clean the computer, since, sooner or later, it will get infected again. If you have such programs, please uninstall them now, before we start the cleaning procedure.

4. If your computer seems to start working normally, don't abandon the topic. Even if your system is behaving normally, there may still be some malware remnants left over. Additionally, malware can re-infect the computer if some remnants are left. Therefore, please complete all requested steps to make sure any malware is successfully eradicated from your PC.

5. You have to reply to my posts within 3 days. If you need some additional time, just let me know. Otherwise, I will leave the topic due to lack of feedback. If you are able, I would request you to check this thread at least once per day so that we can resolve your issues effectively and efficiently.

6. Logs from malware diagnostic or removal programs can take some time to get analyzed. Also, have in mind that all the experts here are volunteers and may not be available to assist when you post. Please, be patient, while I analyze your logs.


=====================

Let's begin!

1. FRST fix

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
  • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Code:
Start::
CreateRestorePoint:
CloseProcesses:
Task: {683067CE-DD30-4743-9BF7-2F39473681DC} - System32\Tasks\R@1n-KMS\Office365ProPlus => C:\Windows\System32\Wbem\wmic.exe [526848 2019-12-07] (Microsoft Windows -> Microsoft Corporation) -> path SoftwareLicensingProduct where (ID="d450596f-894d-49e0-966a-fd39ed4c4c64") call Activate
FirewallRules: [{64346849-97E3-45A8-8390-A35882A8E427}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\Lync.exe => No File
FirewallRules: [{1ECEF98B-034B-44C1-BA55-92E3831208F0}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\UcMapi.exe => No File
FirewallRules: [{D157B4AB-E317-4D29-A598-51F4FEF6177D}] => (Allow) C:\Windows\KMS-R@1n.exe => No File
FirewallRules: [{A8859971-0D9D-474F-8341-555F169B9E8B}] => (Allow) C:\Windows\KMS-R@1n.exe => No File
FirewallRules: [{76FCAFF4-B587-4017-94DC-40EFBB56D363}] => (Block) %SystemRoot%\System32\rpcnetp.exe => No File
2023-10-22 04:52 - 2023-10-22 04:52 - 000022932 ____N C:\Windows\SysWOW64\rpcnetp.exe
2023-10-22 04:52 - 2023-10-22 04:52 - 000022932 _____ C:\Windows\SysWOW64\rpcnetp.dll
2023-10-22 04:52 - 2023-10-22 04:52 - 000022932 _____ C:\Windows\system32\tik.exe
2023-10-21 17:02 - 2023-10-21 17:02 - 000003584 _____ C:\Windows\KMS-QADhook.dll
2023-10-21 17:02 - 2023-10-21 17:02 - 000000000 ____D C:\Windows\system32\Tasks\R@1n-KMS
2023-10-21 17:02 - 2023-10-21 17:02 - 000000000 ____D C:\Users\Lawbitss\AppData\Local\PeerDistRepub
2023-10-21 17:02 - 2023-10-21 17:02 - 000000000 ____D C:\Users\Lawbitss\AppData\Local\mpress
C:\Windows\KMS-R@1n.exe
C:\Windows\KMS-R@1nhook.exe
Powershell: wevtutil el | Foreach-Object {wevtutil cl "$_"}
EmptyTemp:
End::
  • Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Post the log in your next reply.


2. Eset Online scan

Download ESET Online Scanner and save it to your desktop.
  • Right-click on esetonlinescanner_enu.exe and select Run as Administrator.
  • When the tool opens, click Get Started.
  • Read and accept the license agreement.
  • At the Welcome to ESET Online Scanner window, click Get Started.
  • Select whether you would like to send anonymous data to ESET.
  • Note: if you see the "Welcome Back to ESET Online Scanner" screen, click Computer Scan > Full Scan.
  • Click on the Full Scan option.
  • Select Enable ESET to detect and remove potentially unwanted applications, then click Start scan.
  • ESET will now begin scanning your computer. This may take some time.
  • When the scan is finished and if threats have been detected, select Save scan log. Save it to your desktop as eset.txt. Click on Continue.
  • ESET Online Scanner may ask if you'd like to turn on the Periodic Scan feature. Click on Continue.
  • On the next screen, you can leave feedback about the program if you wish. Check the box for Delete application data on closing. If you left feedback, click Submit and continue. If not, Close without feedback.
  • Open the scan log on your desktop (eset.txt) and copy and paste its contents into your next reply.


In your next reply please post:
  1. The fixlog.txt
  2. The eset.txt
 
Thanks for your reply. I have read the points to note, I totally accept them, and I shall comply appropriately.
 
Perfect!

Have in mind that Eset scan will take some time.
 
So I had completed the FRST fix, with the fixlog on my desktop. I downloaded ESET, followed the procedure, and the system was scanning when suddenly the same issue came back again.

A white screen, as seen in the first attachment, with a keyboard icon at the lower right corner of the screen.
When I click on the small keyboard icon, the numeric lock thingy shows up, and I can no longer do anything. When I shut down using the power button and reboot, the desktop flashes, and the white screen immediately comes up.


This was exactly why I began looking for solutions. Note: the system is a used system purchased from a dealer. I have had it for just about 3 weeks.

Thanks.
 

Attachments: 20231025_083358.jpg, 20231025_083422.jpg

Hi, lawbitss.

My first thought was to clean the computer first and then try to deactivate Computrace. It seems that we need to work differently.

Let's try to deactivate Computrace from the BIOS.

Step 1: Turn Your Laptop Off
The first step to deactivate Computrace from your system is to turn it off by pressing the "Power" button on the PC's tower or the upper keyboard bezel.

Step 2: Turn On Your Laptop and get into the BIOS Menu
Here, you must turn on your computer again and wait for the manufacturer's logo to show on its monitor. When it displays, press the BIOS access key immediately to enter the menu.

BIOS keys differ for every computer manufacturer, but pressing the "DEL" or "F2" key often brings up the BIOS menu.

Step 3: Go To the "Security" tab in BIOS main menu
Select the "Security" tab on the BIOS main menu with the aid of the arrow keys (as the mouse can't be used for that). Search for Computrace.

Step 4: Select Disable Option For Computrace and hit "Enter"
Select the "Disable" option and press "Enter" on your keyboard to disable Computrace on your laptop altogether. Once it is disabled, you won't be able to turn the Computrace module back on.

Press the "Enter" key again to confirm the "Disable" selection.

Step 5: Press the "F10" key to save the new settings, and your laptop will reboot into the computer's OS.


Let me know how it went.
 
Thank you for your response. So far, I was able to get into the BIOS menu (I think), but when I navigated to the security tab, I couldn't find Computrace or anywhere to search for it. I took pictures of the screen and the different options under each tab to better demonstrate. Thank you.
 

Attachments: 20231026_155418.jpg, 20231026_155653.jpg, 20231026_155721.jpg, 20231026_155732.jpg, 20231026_155746.jpg, 20231026_155810.jpg

Hi.

I searched and found this topic related to your issue: Disabling Absolute in UEFI

Check the second post. It says that:

Through our partnership with computer manufacturers, the Absolute persistence module is embedded into the firmware of computer, tablet, and smartphone devices at the factory.
Once the Computrace agent is installed and activated our customers enjoy a level of persistence that is virtually tamper-proof, providing them with a trusted lifeline to each device in their deployment.
The Absolute persistence module is built to detect when the Computrace and/or Absolute Manage software agents have been removed, ensuring they are automatically reinstalled, even if the firmware is flashed, the device is re-imaged, the hard drive is replaced, or if a tablet or smartphone is wiped clean to factory settings.
Absolute persistence technology is built into the BIOS or firmware of a device during the manufacturing process. Once activated, customers who purchase these devices benefit from an extra level of security. View a list of devices that support Absolute persistence.

If that is the case, then I recommend that you contact the seller and return the computer. He didn't tell you anything about unlocking the computer, and he used a KMS service to install illegal software... This is my recommendation. However, I'll ask my colleagues to also take a look here. Perhaps someone can give another idea.
 
Hi, again.

It seems that my colleagues agree that you should return the computer.

Possibly, it has been acquired from a business that hasn't removed the device from their management system.
 
Since there is an obvious reason for the computer's issues and we can't do anything about this, I'll mark the topic as Solved and close it.
 