Review log files?

NiallMitch10

Hi, I've been advised to create a post here from a user on reddit (Tekkie_Boy) who's looking into an error for updating my version of Windows 10 from 1909 to 20H2:
From this thread, he has asked me to run AdwCleaner and the Farbar Recovery Scan tool. He would like yourselves (virus and malware experts) to run over the log files from these scans and provide feedback below if possible?

Here are the results of the scans:

AdwCleaner: AdwCleaner[C00].txt
Farbar Recovery Scan: Addition.txt and 2 more files

Thanks
 
Hello, NiallMitch10.

Welcome to Sysnative Forums.


I will be assisting you regarding your computer's issues. Here, we will check your computer for malware. If malware is found in the computer, we will clean it. If the update problem persists after that, you may ask for help from the proper section of this Forum (Windows Update). But first, let's check for malware.

Please, adhere to the guidelines below, and then carefully follow, with the same order, all the instructions after:

1. Always ask before acting. Do not continue if you are not sure, or if something unexpected happens!

2. Do not run any tools unless instructed to do so. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.

3. If your computer seems to start working normally, don't abandon the topic. Even if your system is behaving normally, there may still be some malware remnants left over. Additionally, malware can re-infect the computer if some remnants are left. Therefore, please complete all requested steps to make sure any malware is successfully eradicated from your PC.

4. You have to reply to my posts within 3 days. If you need some additional time, just let me know. Otherwise, I will leave the topic due to lack of feedback. If you are able, I would request you to check this thread at least once per day so that we can resolve your issues effectively and efficiently.

5. Logs from malware diagnostic or removal programs can take some time to get analyzed. Also, have in mind that all the experts here are volunteers and may not be available to assist when you post. Please, be patient, while I analyze your logs.


=================================

Please attach the files instead of uploading to WeTransfer.

Press the Attach files button below the reply area, find FRST.txt, Addition.txt and AdwCleaner logs, and attach them in your next reply.
 
Thank you. :-)

I will review your logs and be back to you as soon as I am ready.
 
Hello.

I have reviewed your logs and these are my first comments/instructions:

1. FRST from Downloads to Desktop

Please move the FRST tool from your Downloads folder on to the Desktop. Just drag it from the Downloads folder on to the Desktop.

2. P2P programs

You have μTorrent installed in your computer. This is a P2P program. P2P programs form a direct conduit on to a computer. They have always been a target of malware writers and are increasingly so of late. P2P security measures are easily circumvented and if your P2P program is not configured correctly, you may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program. If you don't uninstall it, your computer will probably get infected again, as soon as you use it again. But it is your computer and of course your decision.
  • If you decide to keep it, DON'T use it during the cleaning procedure.
  • If you decide to uninstall it, uninstall it along with the unwanted programs in Step 3 below.

3. Uninstall programs

You have many questionable programs installed.

3.1. Chrome Remote Desktop Host

Do you need it? If not, I recommend that you uninstall it.

3.2. Driver Booster 8

We do not recommend registry cleaners, system optimizers, driver boosters and the like. With these programs, the potential is ever present to cause more problems than they claim to fix. It is your computer and certainly your choice.

3.3. Java

Having Java installed constitutes a risk on its own. The risk becomes greater in case you use outdated versions. The following versions of Java are the outdated versions of Java installed in your computer.

Java(TM) SE Development Kit 11.0.2
Java(TM) SE Development Kit 12
Java(TM) SE Development Kit 12.0.1
Java(TM) SE Development Kit 12.0.2

You have also Java 8 Update 291 installed. This is the latest version. Keep it only if you really need it. Otherwise, uninstall it too.

More about Java: Java, The Never-Ending Saga

3.4. Wise Auto Shutdown

Are you aware of this program installed in your computer? It is usually installed with Wise Cleaner, which is an optimizer (see step 3.2. above). If that is the case, consider uninstalling it.

3.5. Rivet Networks

I noticed in the AdwCleaner log that you have already uninstalled Rivet Networks which came preinstalled in your computer when you bought it. In this case, please consider uninstalling this:

AR8171 Driver Installation

There is also a hidden entry regarding this, and I will make it visible for you to remove it.

AR8171 Drivers


To uninstall any of the above programs, as well as any other program you do not use/need, please do the following:
  • Press the Windows Key + R.
  • Type appwiz.cpl in the Run box and click OK.
  • The Add/Remove Programs list will open. Locate the following programs in the list:
Code:
Chrome Remote Desktop Host
Driver Booster 8
Java(TM) SE Development Kit 11.0.2
Java(TM) SE Development Kit 12
Java(TM) SE Development Kit 12.0.1
Java(TM) SE Development Kit 12.0.2
Java 8 Update 291
AR8171 Driver Installations
Wise Auto Shutdown
μTorrent
  • Select the programs you decided to uninstall, one by one, and click Uninstall.
  • Restart the computer.

4. Uninstall Chrome extensions

In case you decided to uninstall Chrome Remote Desktop please do the following:
  • Open Chrome.
  • At the top right choose More (the three vertical dots) > More Tools > Extensions
  • Find Chrome Remote Desktop (perhaps more than one entry), and remove it, clicking on Remove.
  • Confirm the action by clicking Remove once again.
  • Repeat for unity - Where does Google Chrome put ...

5. Fresh FRST logs

After uninstalling any of the above, I would like to see fresh FRST logs.
  • Double-click on the FRST icon to run it, as you did before. When the tool opens click Yes to disclaimer.
  • Press Scan button and wait for a while.
  • The scanner will produce two logs on your Desktop: FRST.txt and Addition.txt.
  • Please attach these two logs in your next reply.

In your next reply please post:
  1. What programs have you uninstalled?
  2. The fresh FRST logs, FRST.txt and Addition.txt
 
Thanks for your reply:

I've deleted the above suggestions:
Chrome Remote Desktop Host (and extensions)
Driver Booster 8
Java(TM) SE Development Kit 11.0.2
Java(TM) SE Development Kit 12
Java(TM) SE Development Kit 12.0.1
Java(TM) SE Development Kit 12.0.2
Java 8 Update 291
AR8171 Driver Installations

As for uTorrent, I'll not use it during the process (I rarely use it anyways) and I am aware I have wise auto shutdown installed. I use it when my computer is left on doing work some nights to shut down by itself when the work is complete.

Here are the updated logs (ran from desktop this time):
 

Hi, NiallMitch10.

A couple of notes/thoughts:
  • You didn't uninstall Java 291. I assumed that you kept it purposely. If this isn't the case, please uninstall it.
  • CCleaner is included in the "registry cleaners, system optimizers, driver boosters and the like" I mentioned in my previous post (step 3.2.). I missed it then. If you use it, do not use the registry cleaning option. Messing with the registry is dangerous, and may turn the computer into an "unbootable box".
Let's move on:

1. FRST fix

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
  • Please select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything to anywhere.
Code:
Start::
CreateRestorePoint:
CloseProcesses:
Shortcut: C:\Users\Niall Shannon\Games\DAT Texture Wizard - v5.5 (x64)\Installers\shortcuts\xp\DAT Texture Wizard.lnk -> C:\Users\Niall Shannon\SendTo\OverwriterRedirection.bat (No File)
Shortcut: C:\Users\Niall Shannon\Games\DAT Texture Wizard - v5.5 (x64)\Installers\shortcuts\xp\PNG to-from TPL Converter.lnk -> C:\Users\Niall Shannon\SendTo\ConverterRedirection.bat (No File)
Shortcut: C:\Users\Niall Shannon\Games\DAT Texture Wizard - v5.5 (x64)\Installers\shortcuts\7\DAT Texture Wizard.lnk -> C:\Users\Niall Shannon\AppData\Roaming\Microsoft\Windows\SendTo\OverwriterRedirection.bat (No File)
Shortcut: C:\Users\Niall Shannon\Games\DAT Texture Wizard - v5.5 (x64)\Installers\shortcuts\7\PNG to-from TPL Converter.lnk -> C:\Users\Danny\AppData\Roaming\Microsoft\Windows\SendTo\ConverterRedirection.bat (No File)
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
HKU\S-1-5-21-3989751972-3391896285-3022956930-1003\...\StartupApproved\Run: => "AceStream"
HKU\S-1-5-21-3989751972-3391896285-3022956930-1003\...\Run: [AceStream] => C:\Users\Niall Shannon\AppData\Roaming\ACEStream\engine\ace_engine.exe
AppInit_DLLs: prio.dll => No File
AppInit_DLLs-x32: prio32.dll => No File
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
FF HKU\S-1-5-21-3989751972-3391896285-3022956930-1003\...\Firefox\Extensions: [acewebextension_unlisted@acestream.org] - C:\Users\Niall Shannon\AppData\Roaming\ACEStream\extensions\awe\firefox\acewebextension_unlisted.xpi => not found
FF Plugin HKU\S-1-5-21-3989751972-3391896285-3022956930-1003: @acestream.net/acestreamplugin,version=3.1.32 -> C:\Users\Niall Shannon\AppData\Roaming\ACEStream\player\npace_plugin.dll [No File]
CHR HKU\S-1-5-21-3989751972-3391896285-3022956930-1003\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [mjbepbhonbojpoaenhckjocchgfiaofo]
CHR HKLM-x32\...\Chrome\Extension: [mfhcmdonhekjhfbjmeacdjbhlfgpjabp]
S1 EneTechIo; \??\C:\WINDOWS\system32\drivers\ene.sys [X]
S3 MpKsl86e14708; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{017ED0ED-AC02-47F8-8628-0C7176653C56}\MpKslDrv.sys [X]
S3 WINIO; \??\C:\Program Files (x86)\MSI\Dragon Center\winio64.sys [X]
C:\Users\Niall Shannon\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngabclgnakbppihgjiobcacocdklajio
C:\WINDOWS\SysWOW64\winsevr.dat
C:\WINDOWS\SysWOW64\AbBakConfig.dat
C:\ProgramData\Aomei
C:\ProgramData\AomeiBR
C:\WINDOWS\system32\amwrtdrv.sys
C:\WINDOWS\system32\ambakdrv.sys
C:\WINDOWS\system32\ammntdrv.sys
C:\Users\Niall Shannon\AppData\Roaming\ACEStream
EmptyTemp:
End::
  • Please right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Please post the log in your next reply.

2. Unity extension

What happened with this extension? I still see it in the logs.


3. Run Malwarebytes (Scan mode)
  • Open Malwarebytes you already have installed in your computer.
  • Click the little gear on the top right (Settings) and when it opens, click the Security tab and make sure about the following:
    Code:
    Under the title Scan Options, all the options are checked.
    Under the title Windows Security Center (Premium only) the option is NOT CHECKED.
    Under the title Potentially unwanted items all options are set to Always.
  • Click on the little gear to return to the main menu and select Scan. The program will start scanning your computer. This may take about 10 minutes, but in some cases it may take longer.
  • When finished, you will see the Threat Scan Summary window open.
If threats are not found, click View Report and proceed to the two last steps below.

If threats are found, make sure that all threats are not selected, close the program and proceed to the next steps below.
  • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
  • Find the report with the most recent date and double click on it.
  • Click on Export and then Copy to Clipboard.
  • Paste its content here, in your next reply.


In your next reply, please post:
  1. The fixlog.txt
  2. What happened with Unity Chrome extension
  3. The Malwarebytes report
 
Hello,

I've uninstalled CCleaner and you're right, I am keeping Java 8 for some Java projects I worked on at University etc.

Here is the fixlog.txt.

As for the Unity extension, I'm afraid I don't know what you mean as when I search the extensions on Chrome, I don't have any results for a unity extension at all. Although I do see it in the logs. Would deleting it from AppData via the file system accomplish this?

And here is the report from Malwarebytes (no detections):

Code:
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/22/21
Scan Time: 9:32 PM
Log File: d04d3a22-a3a9-11eb-a597-4ccc6ae0d175.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1130
Update Package Version: 1.0.39715
License: Free

-System Information-
OS: Windows 10 (Build 18362.1500)
CPU: x64
File System: NTFS
User: MSI\Niall Shannon

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 417156
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 15 min, 36 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)
 

UPDATE: From scanning again, that unity extension isn't present anymore in the log files. I couldn't find it in Chrome or touched it in the AppData directory. It seems to be gone now
 
UPDATE: From scanning again, that unity extension isn't present anymore in the log files. I couldn't find it in Chrome or touched it in the AppData directory. It seems to be gone now

Yes, the fix removed it.

Just to ensure that the computer is clean:

1. ESET Online Scanner

Download ESET Online Scanner and save it to your desktop.
  • Right-click on esetonlinescanner_enu.exe and select Run as Administrator.
  • When the tool opens, click Get Started.
  • Read and accept the license agreement.
  • At the Welcome to ESET Online Scanner window, click Get Started.
  • Select whether you would like to send anonymous data to ESET.
  • Note: if you see the "Welcome Back to ESET Online Scanner" screen, click Computer Scan > Full Scan.
  • Click on the Full Scan option.
  • Select Enable ESET to detect and remove potentially unwanted applications, then click Start scan.
  • ESET will now begin scanning your computer. This may take some time, perhaps a couple of hours.
  • When the scan is finished and if threats have been detected, select Save scan log. Save it to your desktop as eset.txt. Click on Continue.
  • ESET Online Scanner may ask if you'd like to turn on the Periodic Scan feature. Click on Continue.
  • On the next screen, you can leave feedback about the program if you wish. Check the box for Delete application data on closing. If you left feedback, click Submit and continue. If not, Close without feedback.
  • Open the scan log on your desktop (eset.txt) and copy and paste its contents into your next reply.

2. FRST logs
  • Double-click on the FRST icon to run it, as you did before. When the tool opens click Yes to disclaimer.
  • Press Scan button and wait for a while.
  • The scanner will produce two logs on your Desktop: FRST.txt and Addition.txt.
  • Please attach the content of these two logs in your next reply.

In your next reply please post:
  1. The eset.txt
  2. The fresh FRST logs (Addition.txt and FRST.txt)
 
Hi, got the scan done (over 3 hours). It only detected 12 files which were updates related to utorrent.

Here's the eset.txt log and the frst and addition text files:

Code:
23/04/2021 12:40:48
Files scanned: 1322901
Detected files: 12
Cleaned files: 12
Total scan time 03:52:47
Scan status: Finished


C:\Users\Niall Shannon\AppData\Roaming\uTorrent\updates\3.5.5_45146.exe    a variant of Win32/uTorrent.C potentially unwanted application    cleaned by deleting
C:\Users\Niall Shannon\AppData\Roaming\uTorrent\updates\3.5.5_45225.exe    a variant of Win32/uTorrent.C potentially unwanted application    cleaned by deleting
C:\Users\Niall Shannon\AppData\Roaming\uTorrent\updates\3.5.5_45271.exe    a variant of Win32/uTorrent.C potentially unwanted application    cleaned by deleting
C:\Users\Niall Shannon\AppData\Roaming\uTorrent\updates\3.5.5_45311.exe    a variant of Win32/uTorrent.C potentially unwanted application    cleaned by deleting
C:\Users\Niall Shannon\AppData\Roaming\uTorrent\updates\3.5.5_45341.exe    a variant of Win32/uTorrent.C potentially unwanted application    cleaned by deleting
C:\Users\Niall Shannon\AppData\Roaming\uTorrent\updates\3.5.5_45395.exe    a variant of Win32/uTorrent.C potentially unwanted application    cleaned by deleting
C:\Users\Niall Shannon\AppData\Roaming\uTorrent\updates\3.5.5_45505.exe    a variant of Win32/uTorrent.C potentially unwanted application    cleaned by deleting
C:\Users\Niall Shannon\AppData\Roaming\uTorrent\updates\3.5.5_45608.exe    a variant of Win32/uTorrent.C potentially unwanted application    cleaned by deleting
C:\Users\Niall Shannon\AppData\Roaming\uTorrent\updates\3.5.5_45628.exe    a variant of Win32/uTorrent.C potentially unwanted application    cleaned by deleting
C:\Users\Niall Shannon\AppData\Roaming\uTorrent\updates\3.5.5_45672.exe    a variant of Win32/uTorrent.C potentially unwanted application    cleaned by deleting
C:\Users\Niall Shannon\AppData\Roaming\uTorrent\updates\3.5.5_45776.exe    a variant of Win32/uTorrent.C potentially unwanted application    cleaned by deleting
C:\Users\Niall Shannon\AppData\Roaming\uTorrent\updates\3.5.5_45790.exe    a variant of Win32/uTorrent.C potentially unwanted application    cleaned by deleting
 

Hi, NiallMitch10.

Do you want Google Drive Sync to be enabled at Start-up? With this enabled, many temporary files are created in the Temp folder every time you log in to Windows. This is fine if you don't have a disk space problem. Tell me if you would like to disable it.

1. FRST fix

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
  • Please select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything to anywhere.
Code:
Start::
CreateRestorePoint:
CloseProcesses:
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
EmptyTemp:
End::
  • Please right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Please post the log in your next reply.

2. Check Services
  • Please download Farbar Service Scanner and save it on your Desktop.
  • Make sure all the options are checked.
  • Click on the Scan button.
  • It will create a log (FSS.txt) on your Desktop.
  • Copy and paste the log's content to your next reply.
 
Hi here's the fixlog.txt and the contents of FSS.txt:

Code:
Farbar Service Scanner Version: 23-12-2020
Ran by Niall Shannon (administrator) on 23-04-2021 at 15:04:10
Running from "C:\Users\Niall Shannon\Desktop"
Microsoft Windows 10 Home  (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Policy:
========================


Windows Security:
============

wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc: "%SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted -p".
The ServiceDll of wscsvc service is OK.


Windows Update:
============
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS: "%SystemRoot%\System32\svchost.exe -k netsvcs -p".
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
RpcSs Service is not running. Checking service configuration:
The start type of RpcSs service is OK.
The ImagePath of RpcSs: "%SystemRoot%\system32\svchost.exe -k rpcss -p".


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\Drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\Drivers\afd.sys => File is digitally signed
C:\Windows\System32\Drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\Drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\SecurityHealthService.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****
 

It's fine about Google Drive Sync.

We are going to restore some missing services now.


1. Restart in Safe mode
  • Press the Windows icon on the keyboard together with the letter I, to get into the Settings.
  • Choose Update and Security.
  • From the menu at the left, choose Recovery.
  • Under the title Advanced startup at the right, choose Restart now.
  • From the window that will appear choose Troubleshoot and then Advanced options.
  • Choose Startup Settings and then Restart.
  • Press number 5, for choosing Safe mode with networking.
  • You will know that you are in Safe mode, if the background is black and Safe mode is written at the four corners of the screen.

2. Restore missing services

3. Run FSS again
  • Restart in normal mode.
  • Right click on the tool icon and run it as administrator, as you did before.
  • Make sure all the options are checked.
  • Click on the Scan button.
  • It will create a log (FSS.txt) on your Desktop.
  • Copy and paste the log's content to your next reply.
 
Here's the new log:

Code:
Farbar Service Scanner Version: 23-12-2020
Ran by Niall Shannon (administrator) on 23-04-2021 at 15:47:48
Running from "C:\Users\Niall Shannon\Desktop"
Microsoft Windows 10 Home  (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Policy:
========================


Windows Security:
============

wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc: "%SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted -p".
The ServiceDll of wscsvc service is OK.


Windows Update:
============
BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
RpcSs Service is not running. Checking service configuration:
The start type of RpcSs service is OK.
The ImagePath of RpcSs: "%SystemRoot%\system32\svchost.exe -k rpcss -p".


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\Drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\Drivers\afd.sys => File is digitally signed
C:\Windows\System32\Drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\Drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\SecurityHealthService.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****
 
Hi, NiallMitch.

It was my fault the result is still not good. Apologies. :oops:

Please do this:

1. Restart in Safe mode
  • Press the Windows icon on the keyboard together with the letter I, to get into the Settings.
  • Choose Update and Security.
  • From the menu at the left, choose Recovery.
  • Under the title Advanced startup at the right, choose Restart now.
  • From the window that will appear choose Troubleshoot and then Advanced options.
  • Choose Startup Settings and then Restart.
  • Press number 5, for choosing Safe mode with networking.
  • You will know that you are in Safe mode, if the background is black and Safe mode is written at the four corners of the screen.

2. Restore missing services

3. Enable BITS Service
  • Go to the Search area, type Services and press Enter.
  • From the Services list find Background Intelligent Transfer Service.
  • Right click and check if there is an option you can choose to enable it and make it run again (Start, Restart, Resume, Refresh).
  • Please report back what happened.

4. Run FSS again
  • Restart in normal mode.
  • Right click on the tool icon and run it as administrator, as you did before.
  • Make sure all the options are checked.
  • Click on the Scan button.
  • It will create a log (FSS.txt) on your Desktop.
  • Copy and paste the log's content to your next reply.
 
Hi, when merging Remote_Procedure_Call.reg it says it cannot import - Not all data was successfully written to the registry. Some keys are open by the system or other processes, or you have insufficient privileges to perform this operation.

As for Background Intelligence System. It was set to manual in services and not running. I've set this to automatic and started the service again
 
You tried to do it in Safe mode, right?

Can I see the new FSS.txt log please?
 
Yes tried in safe mode.

Here's the new log:

Code:
Farbar Service Scanner Version: 23-12-2020
Ran by Niall Shannon (administrator) on 23-04-2021 at 17:25:54
Running from "C:\Users\Niall Shannon\Desktop"
Microsoft Windows 10 Home  (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Policy:
========================


Windows Security:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
RpcSs Service is not running. Checking service configuration:
The start type of RpcSs service is OK.
The ImagePath of RpcSs: "%SystemRoot%\system32\svchost.exe -k rpcss -p".


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\Drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\Drivers\afd.sys => File is digitally signed
C:\Windows\System32\Drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\Drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\SecurityHealthService.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****
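
Added example, not part of the original thread and not code from Farbar or Sysnative: a small Python parser that compares the service findings of successive FSS.txt logs, using abridged excerpts of the three logs posted above. Treating any attribute line that FSS does not report as "is OK." as an item to review is this example's assumption, and the function names are hypothetical.

```python
import re

# Abridged excerpts of the three FSS.txt logs posted in this thread
# (only the Windows Security and Windows Update sections are kept).
FIRST_RUN = r"""
Windows Security:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc: "%SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted -p".
The ServiceDll of wscsvc service is OK.

Windows Update:
============
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS: "%SystemRoot%\System32\svchost.exe -k netsvcs -p".
The ServiceDll of BITS service is OK.
"""
SECOND_RUN = r"""
Windows Security:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc: "%SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted -p".
The ServiceDll of wscsvc service is OK.

Windows Update:
============
BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.
"""
THIRD_RUN = r"""
Windows Security:
============

Windows Update:
============
"""

SECTION_RULE = re.compile(r"^=+$")
NOT_RUNNING = re.compile(r"^(\S+) Service is not running\.")
START_BAD = re.compile(
    r"^The start type of (\S+) service is set to (\w+)\. The default start type is (\w+)\.$")
IMAGEPATH_SHOWN = re.compile(r'^The ImagePath of (\S+): "(.*)"\.$')


def parse_fss(text):
    """Return {service: {"section": str, "findings": [str]}} for every
    service the log reports as not running."""
    services, section, prev = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if SECTION_RULE.match(line) and prev.endswith(":"):
            section = prev.rstrip(":")          # header is the line above the ==== rule
        elif (m := NOT_RUNNING.match(line)):
            services[m.group(1)] = {"section": section, "findings": []}
        elif (m := START_BAD.match(line)) and m.group(1) in services:
            services[m.group(1)]["findings"].append(
                f"start type {m.group(2)}, default {m.group(3)}")
        elif (m := IMAGEPATH_SHOWN.match(line)) and m.group(1) in services:
            # Assumption: a printed ImagePath (instead of "is OK.") needs review.
            services[m.group(1)]["findings"].append(f"ImagePath printed: {m.group(2)}")
        if line:
            prev = line
    return services


def compare_runs(before, after):
    """Classify each service seen in either run as cleared/new/changed/unchanged."""
    result = {}
    for name in sorted(set(before) | set(after)):
        if name not in after:
            result[name] = "cleared"      # no longer reported as not running
        elif name not in before:
            result[name] = "new"
        elif before[name]["findings"] != after[name]["findings"]:
            result[name] = "changed"
        else:
            result[name] = "unchanged"
    return result


if __name__ == "__main__":
    runs = [parse_fss(t) for t in (FIRST_RUN, SECOND_RUN, THIRD_RUN)]
    for i in range(len(runs) - 1):
        print(f"run {i + 1} -> run {i + 2}:", compare_runs(runs[i], runs[i + 1]))
```
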
 