cgklwvnsvc.exe installing programs, unable to terminate internet slow.

Tags: malware, rogue process, FRST log

#31 r55741 (Member, Topic Starter, 96 posts)

Wow, I don't think I've ever run anything like this.

And correct, Windows Defender is not working. Unable to restart the service or open it.

 

Vino's Event Viewer v01c run on Windows 7 in English
Report run at 20/09/2018 3:05:47 PM
 
Note: All dates below are in the format dd/mm/yyyy
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 20/09/2018 8:03:57 PM
Type: Error Category: 0
Event: 10010 Source: Microsoft-Windows-DistributedCOM
The server {9E175B68-F52A-11D8-B9A5-505054503030} did not register with DCOM within the required timeout.
 
Log: 'System' Date/Time: 20/09/2018 8:01:57 PM
Type: Error Category: 0
Event: 10010 Source: Microsoft-Windows-DistributedCOM
The server {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39} did not register with DCOM within the required timeout.
 
Log: 'System' Date/Time: 20/09/2018 7:59:57 PM
Type: Error Category: 0
Event: 10010 Source: Microsoft-Windows-DistributedCOM
The server {9E175B6D-F52A-11D8-B9A5-505054503030} did not register with DCOM within the required timeout.
 
Log: 'System' Date/Time: 20/09/2018 7:57:57 PM
Type: Error Category: 0
Event: 10010 Source: Microsoft-Windows-DistributedCOM
The server {9E175B6D-F52A-11D8-B9A5-505054503030} did not register with DCOM within the required timeout.
 
Log: 'System' Date/Time: 20/09/2018 7:55:57 PM
Type: Error Category: 0
Event: 10010 Source: Microsoft-Windows-DistributedCOM
The server {9E175B6D-F52A-11D8-B9A5-505054503030} did not register with DCOM within the required timeout.
 
Log: 'System' Date/Time: 20/09/2018 7:53:57 PM
Type: Error Category: 0
Event: 10010 Source: Microsoft-Windows-DistributedCOM
The server {9E175B6D-F52A-11D8-B9A5-505054503030} did not register with DCOM within the required timeout.
 
Log: 'System' Date/Time: 20/09/2018 7:51:57 PM
Type: Error Category: 0
Event: 10010 Source: Microsoft-Windows-DistributedCOM
The server {9E175B6D-F52A-11D8-B9A5-505054503030} did not register with DCOM within the required timeout.
 
Log: 'System' Date/Time: 20/09/2018 7:49:51 PM
Type: Error Category: 0
Event: 10010 Source: Microsoft-Windows-DistributedCOM
The server {9E175B6D-F52A-11D8-B9A5-505054503030} did not register with DCOM within the required timeout.
 
Log: 'System' Date/Time: 20/09/2018 7:47:51 PM
Type: Error Category: 0
Event: 10010 Source: Microsoft-Windows-DistributedCOM
The server {9E175B6D-F52A-11D8-B9A5-505054503030} did not register with DCOM within the required timeout.
 
Log: 'System' Date/Time: 20/09/2018 7:45:50 PM
Type: Error Category: 0
Event: 10010 Source: Microsoft-Windows-DistributedCOM
The server {9E175B6D-F52A-11D8-B9A5-505054503030} did not register with DCOM within the required timeout.
 
Log: 'System' Date/Time: 20/09/2018 7:44:47 PM
Type: Error Category: 0
Event: 7023 Source: Service Control Manager
The Connected Devices Platform Service service terminated with the following error:  Unspecified error
 
Log: 'System' Date/Time: 20/09/2018 7:43:50 PM
Type: Error Category: 0
Event: 10010 Source: Microsoft-Windows-DistributedCOM
The server {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39} did not register with DCOM within the required timeout.
 
Log: 'System' Date/Time: 20/09/2018 7:43:47 PM
Type: Error Category: 0
Event: 7023 Source: Service Control Manager
The Connected Devices Platform Service service terminated with the following error:  Unspecified error
 
Log: 'System' Date/Time: 20/09/2018 7:41:50 PM
Type: Error Category: 0
Event: 10010 Source: Microsoft-Windows-DistributedCOM
The server {B52D54BB-4818-4EB9-AA80-F9EACD371DF8} did not register with DCOM within the required timeout.
 
Log: 'System' Date/Time: 20/09/2018 7:41:48 PM
Type: Error Category: 0
Event: 7023 Source: Service Control Manager
The Connected Devices Platform Service service terminated with the following error:  Unspecified error
 
Log: 'System' Date/Time: 20/09/2018 7:39:46 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The luafv service failed to start due to the following error:  This driver has been blocked from loading
 
Log: 'System' Date/Time: 20/09/2018 7:39:40 PM
Type: Error Category: 0
Event: 56 Source: Application Popup
The event description cannot be found.
 
Log: 'System' Date/Time: 20/09/2018 7:39:24 PM
Type: Error Category: 0
Event: 10010 Source: Microsoft-Windows-DistributedCOM
The server {9E175B6D-F52A-11D8-B9A5-505054503030} did not register with DCOM within the required timeout.
 
Log: 'System' Date/Time: 20/09/2018 7:39:18 PM
Type: Error Category: 0
Event: 10010 Source: Microsoft-Windows-DistributedCOM
The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
 
Log: 'System' Date/Time: 20/09/2018 7:39:18 PM
Type: Error Category: 0
Event: 10010 Source: Microsoft-Windows-DistributedCOM
The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 20/09/2018 7:39:48 PM
Type: Warning Category: 0
Event: 27 Source: e1dexpress
Intel® Ethernet Connection (2) I219-V  Network link is disconnected. 
 
Log: 'System' Date/Time: 20/09/2018 7:39:47 PM
Type: Warning Category: 0
Event: 17 Source: Microsoft-Windows-WHEA-Logger
A corrected hardware error has occurred.  Component: PCI Express Root Port Error Source: Advanced Error Reporting (PCI Express)  Bus:Device:Function: 0x0:0x1C:0x0 Vendor ID:Device ID: 0x8086:0xA110 Class Code: 0x30400  The details view of this entry contains further information.
 
Log: 'System' Date/Time: 20/09/2018 11:15:38 AM
Type: Warning Category: 1014
Event: 1014 Source: Microsoft-Windows-DNS-Client
Name resolution for the name tracker.publicbt.com timed out after none of the configured DNS servers responded.
 
Log: 'System' Date/Time: 20/09/2018 7:31:05 AM
Type: Warning Category: 1014
Event: 1014 Source: Microsoft-Windows-DNS-Client
Name resolution for the name clients4.google.com timed out after none of the configured DNS servers responded.
 
Log: 'System' Date/Time: 20/09/2018 4:19:01 AM
Type: Warning Category: 1014
Event: 1014 Source: Microsoft-Windows-DNS-Client
Name resolution for the name tracker.publicbt.com timed out after none of the configured DNS servers responded.
 
Log: 'System' Date/Time: 20/09/2018 1:06:47 AM
Type: Warning Category: 0
Event: 27 Source: e1dexpress
Intel® Ethernet Connection (2) I219-V  Network link is disconnected. 
 
 
 
 
 
 
 
Vino's Event Viewer v01c run on Windows 7 in English
Report run at 20/09/2018 3:07:36 PM
 
Note: All dates below are in the format dd/mm/yyyy
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 20/09/2018 7:41:12 PM
Type: Error Category: 0
Event: 8198 Source: Microsoft-Windows-Security-SPP
License Activation (slui.exe) failed with the following error code: hr=0xC004F074 Command-line arguments: RuleId=502ff3ba-669a-4674-bbb1-601f34a3b968;Action=AutoActivateSilent;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=a80b5abf-76ad-428b-b05d-a47d2dffeebf;NotificationInterval=1440;Trigger=NetworkAvailable
 
Log: 'Application' Date/Time: 20/09/2018 7:40:19 PM
Type: Error Category: 0
Event: 8198 Source: Microsoft-Windows-Security-SPP
License Activation (slui.exe) failed with the following error code: hr=0xC004F074 Command-line arguments: RuleId=502ff3ba-669a-4674-bbb1-601f34a3b968;Action=AutoActivateSilent;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=a80b5abf-76ad-428b-b05d-a47d2dffeebf;NotificationInterval=1440;Trigger=NetworkAvailable
 
Log: 'Application' Date/Time: 20/09/2018 7:40:13 PM
Type: Error Category: 0
Event: 8198 Source: Microsoft-Windows-Security-SPP
License Activation (slui.exe) failed with the following error code: hr=0xC004F074 Command-line arguments: RuleId=502ff3ba-669a-4674-bbb1-601f34a3b968;Action=AutoActivateSilent;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=a80b5abf-76ad-428b-b05d-a47d2dffeebf;NotificationInterval=1440;Trigger=UserLogon;SessionId=1
 
Log: 'Application' Date/Time: 20/09/2018 7:39:48 PM
Type: Error Category: 0
Event: 0 Source: PostgreSQL
Timed out waiting for server startup
 
 
Log: 'Application' Date/Time: 20/09/2018 7:39:47 PM
Type: Error Category: 0
Event: 0 Source: amdacpusrsvc
The event description cannot be found.
 
Log: 'Application' Date/Time: 20/09/2018 4:58:54 AM
Type: Error Category: 0
Event: 8198 Source: Microsoft-Windows-Security-SPP
License Activation (slui.exe) failed with the following error code: hr=0xC004F074 Command-line arguments: RuleId=502ff3ba-669a-4674-bbb1-601f34a3b968;Action=AutoActivateSilent;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=a80b5abf-76ad-428b-b05d-a47d2dffeebf;NotificationInterval=1440;Trigger=TimerEvent
 
Log: 'Application' Date/Time: 20/09/2018 3:08:10 AM
Type: Error Category: 0
Event: 8198 Source: Microsoft-Windows-Security-SPP
License Activation (slui.exe) failed with the following error code: hr=0xC004F074 Command-line arguments: RuleId=502ff3ba-669a-4674-bbb1-601f34a3b968;Action=AutoActivateSilent;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=a80b5abf-76ad-428b-b05d-a47d2dffeebf;NotificationInterval=1440;Trigger=TimerEvent
 
Log: 'Application' Date/Time: 20/09/2018 3:07:32 AM
Type: Error Category: 0
Event: 8198 Source: Microsoft-Windows-Security-SPP
License Activation (slui.exe) failed with the following error code: hr=0xC004F074 Command-line arguments: RuleId=502ff3ba-669a-4674-bbb1-601f34a3b968;Action=AutoActivateSilent;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=a80b5abf-76ad-428b-b05d-a47d2dffeebf;NotificationInterval=1440;Trigger=TimerEvent
 
Log: 'Application' Date/Time: 20/09/2018 1:08:11 AM
Type: Error Category: 0
Event: 8198 Source: Microsoft-Windows-Security-SPP
License Activation (slui.exe) failed with the following error code: hr=0xC004F074 Command-line arguments: RuleId=502ff3ba-669a-4674-bbb1-601f34a3b968;Action=AutoActivateSilent;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=a80b5abf-76ad-428b-b05d-a47d2dffeebf;NotificationInterval=1440;Trigger=NetworkAvailable
 
Log: 'Application' Date/Time: 20/09/2018 1:07:57 AM
Type: Error Category: 0
Event: 8198 Source: Microsoft-Windows-Security-SPP
License Activation (slui.exe) failed with the following error code: hr=0xC004F074 Command-line arguments: RuleId=502ff3ba-669a-4674-bbb1-601f34a3b968;Action=AutoActivateSilent;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=a80b5abf-76ad-428b-b05d-a47d2dffeebf;NotificationInterval=1440;Trigger=NetworkAvailable
 
Log: 'Application' Date/Time: 20/09/2018 1:07:07 AM
Type: Error Category: 0
Event: 8198 Source: Microsoft-Windows-Security-SPP
License Activation (slui.exe) failed with the following error code: hr=0xC004F074 Command-line arguments: RuleId=502ff3ba-669a-4674-bbb1-601f34a3b968;Action=AutoActivateSilent;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=a80b5abf-76ad-428b-b05d-a47d2dffeebf;NotificationInterval=1440;Trigger=UserLogon;SessionId=1
 
Log: 'Application' Date/Time: 20/09/2018 1:07:07 AM
Type: Error Category: 0
Event: 8198 Source: Microsoft-Windows-Security-SPP
License Activation (slui.exe) failed with the following error code: hr=0xC004F074 Command-line arguments: RuleId=502ff3ba-669a-4674-bbb1-601f34a3b968;Action=AutoActivateSilent;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=a80b5abf-76ad-428b-b05d-a47d2dffeebf;NotificationInterval=1440;Trigger=NetworkAvailable
 
Log: 'Application' Date/Time: 20/09/2018 1:06:48 AM
Type: Error Category: 0
Event: 0 Source: PostgreSQL
Timed out waiting for server startup
 
 
Log: 'Application' Date/Time: 20/09/2018 1:06:47 AM
Type: Error Category: 0
Event: 0 Source: amdacpusrsvc
The event description cannot be found.
 
Log: 'Application' Date/Time: 20/09/2018 12:22:36 AM
Type: Error Category: 0
Event: 8198 Source: Microsoft-Windows-Security-SPP
License Activation (slui.exe) failed with the following error code: hr=0xC004F074 Command-line arguments: RuleId=502ff3ba-669a-4674-bbb1-601f34a3b968;Action=AutoActivateSilent;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=a80b5abf-76ad-428b-b05d-a47d2dffeebf;NotificationInterval=1440;Trigger=TimerEvent
 
Log: 'Application' Date/Time: 19/09/2018 10:22:47 PM
Type: Error Category: 0
Event: 8198 Source: Microsoft-Windows-Security-SPP
License Activation (slui.exe) failed with the following error code: hr=0xC004F074 Command-line arguments: RuleId=502ff3ba-669a-4674-bbb1-601f34a3b968;Action=AutoActivateSilent;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=a80b5abf-76ad-428b-b05d-a47d2dffeebf;NotificationInterval=1440;Trigger=TimerEvent
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 20/09/2018 7:40:59 PM
Type: Warning Category: 0
Event: 8233 Source: Microsoft-Windows-Security-SPP
The rules engine reported a failed VL activation attempt. Reason:0xC004F074 AppId = 0ff1ce15-a989-479d-af46-f275c6370663, SkuId = d450596f-894d-49e0-966a-fd39ed4c4c64 Trigger=NetworkAvailable
 
Log: 'Application' Date/Time: 20/09/2018 7:40:06 PM
Type: Warning Category: 0
Event: 8233 Source: Microsoft-Windows-Security-SPP
The rules engine reported a failed VL activation attempt. Reason:0xC004F074 AppId = 0ff1ce15-a989-479d-af46-f275c6370663, SkuId = d450596f-894d-49e0-966a-fd39ed4c4c64 Trigger=UserLogon(1)
 
Log: 'Application' Date/Time: 20/09/2018 7:40:00 PM
Type: Warning Category: 0
Event: 8233 Source: Microsoft-Windows-Security-SPP
The rules engine reported a failed VL activation attempt. Reason:0xC004F074 AppId = 0ff1ce15-a989-479d-af46-f275c6370663, SkuId = d450596f-894d-49e0-966a-fd39ed4c4c64 Trigger=NetworkAvailable
 
Log: 'Application' Date/Time: 20/09/2018 7:07:57 PM
Type: Warning Category: 0
Event: 8233 Source: Microsoft-Windows-Security-SPP
The rules engine reported a failed VL activation attempt. Reason:0xC004F074 AppId = 0ff1ce15-a989-479d-af46-f275c6370663, SkuId = d450596f-894d-49e0-966a-fd39ed4c4c64 Trigger=TimerEvent
 
Log: 'Application' Date/Time: 20/09/2018 5:07:57 PM
Type: Warning Category: 0
Event: 8233 Source: Microsoft-Windows-Security-SPP
The rules engine reported a failed VL activation attempt. Reason:0xC004F074 AppId = 0ff1ce15-a989-479d-af46-f275c6370663, SkuId = d450596f-894d-49e0-966a-fd39ed4c4c64 Trigger=TimerEvent
 
Log: 'Application' Date/Time: 20/09/2018 3:07:57 PM
Type: Warning Category: 0
Event: 8233 Source: Microsoft-Windows-Security-SPP
The rules engine reported a failed VL activation attempt. Reason:0xC004F074 AppId = 0ff1ce15-a989-479d-af46-f275c6370663, SkuId = d450596f-894d-49e0-966a-fd39ed4c4c64 Trigger=TimerEvent
 
Log: 'Application' Date/Time: 20/09/2018 1:07:57 PM
Type: Warning Category: 0
Event: 8233 Source: Microsoft-Windows-Security-SPP
The rules engine reported a failed VL activation attempt. Reason:0xC004F074 AppId = 0ff1ce15-a989-479d-af46-f275c6370663, SkuId = d450596f-894d-49e0-966a-fd39ed4c4c64 Trigger=TimerEvent
 
Log: 'Application' Date/Time: 20/09/2018 11:07:57 AM
Type: Warning Category: 0
Event: 8233 Source: Microsoft-Windows-Security-SPP
The rules engine reported a failed VL activation attempt. Reason:0xC004F074 AppId = 0ff1ce15-a989-479d-af46-f275c6370663, SkuId = d450596f-894d-49e0-966a-fd39ed4c4c64 Trigger=TimerEvent
 
Log: 'Application' Date/Time: 20/09/2018 9:07:57 AM
Type: Warning Category: 0
Event: 8233 Source: Microsoft-Windows-Security-SPP
The rules engine reported a failed VL activation attempt. Reason:0xC004F074 AppId = 0ff1ce15-a989-479d-af46-f275c6370663, SkuId = d450596f-894d-49e0-966a-fd39ed4c4c64 Trigger=TimerEvent
 
Log: 'Application' Date/Time: 20/09/2018 7:07:57 AM
Type: Warning Category: 0
Event: 8233 Source: Microsoft-Windows-Security-SPP
The rules engine reported a failed VL activation attempt. Reason:0xC004F074 AppId = 0ff1ce15-a989-479d-af46-f275c6370663, SkuId = d450596f-894d-49e0-966a-fd39ed4c4c64 Trigger=TimerEvent
 
Log: 'Application' Date/Time: 20/09/2018 5:07:57 AM
Type: Warning Category: 0
Event: 8233 Source: Microsoft-Windows-Security-SPP
The rules engine reported a failed VL activation attempt. Reason:0xC004F074 AppId = 0ff1ce15-a989-479d-af46-f275c6370663, SkuId = d450596f-894d-49e0-966a-fd39ed4c4c64 Trigger=TimerEvent
 
Log: 'Application' Date/Time: 20/09/2018 3:07:57 AM
Type: Warning Category: 0
Event: 8233 Source: Microsoft-Windows-Security-SPP
The rules engine reported a failed VL activation attempt. Reason:0xC004F074 AppId = 0ff1ce15-a989-479d-af46-f275c6370663, SkuId = d450596f-894d-49e0-966a-fd39ed4c4c64 Trigger=TimerEvent
 
Log: 'Application' Date/Time: 20/09/2018 1:07:57 AM
Type: Warning Category: 0
Event: 8233 Source: Microsoft-Windows-Security-SPP
The rules engine reported a failed VL activation attempt. Reason:0xC004F074 AppId = 0ff1ce15-a989-479d-af46-f275c6370663, SkuId = d450596f-894d-49e0-966a-fd39ed4c4c64 Trigger=NetworkAvailable
 
Log: 'Application' Date/Time: 20/09/2018 1:07:42 AM
Type: Warning Category: 0
Event: 8233 Source: Microsoft-Windows-Security-SPP
The rules engine reported a failed VL activation attempt. Reason:0xC004F074 AppId = 0ff1ce15-a989-479d-af46-f275c6370663, SkuId = d450596f-894d-49e0-966a-fd39ed4c4c64 Trigger=NetworkAvailable
 
Log: 'Application' Date/Time: 20/09/2018 1:07:03 AM
Type: Warning Category: 0
Event: 8233 Source: Microsoft-Windows-Security-SPP
The rules engine reported a failed VL activation attempt. Reason:0xC004F074 AppId = 0ff1ce15-a989-479d-af46-f275c6370663, SkuId = d450596f-894d-49e0-966a-fd39ed4c4c64 Trigger=UserLogon(1)
 
Log: 'Application' Date/Time: 20/09/2018 1:06:58 AM
Type: Warning Category: 0
Event: 8233 Source: Microsoft-Windows-Security-SPP
The rules engine reported a failed VL activation attempt. Reason:0xC004F074 AppId = 0ff1ce15-a989-479d-af46-f275c6370663, SkuId = d450596f-894d-49e0-966a-fd39ed4c4c64 Trigger=NetworkAvailable
 
Log: 'Application' Date/Time: 20/09/2018 12:22:52 AM
Type: Warning Category: 0
Event: 8233 Source: Microsoft-Windows-Security-SPP
The rules engine reported a failed VL activation attempt. Reason:0xC004F074 AppId = 0ff1ce15-a989-479d-af46-f275c6370663, SkuId = d450596f-894d-49e0-966a-fd39ed4c4c64 Trigger=TimerEvent
 
Log: 'Application' Date/Time: 19/09/2018 10:22:52 PM
Type: Warning Category: 0
Event: 8233 Source: Microsoft-Windows-Security-SPP
The rules engine reported a failed VL activation attempt. Reason:0xC004F074 AppId = 0ff1ce15-a989-479d-af46-f275c6370663, SkuId = d450596f-894d-49e0-966a-fd39ed4c4c64 Trigger=TimerEvent
 



#32 RKinner (Malware Expert, MVP, 24,625 posts)
Log: 'System' Date/Time: 20/09/2018 7:39:46 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The luafv service failed to start due to the following error:  This driver has been blocked from loading

Bring up FRST. Put

luafv.sys; MsMpEng.exe

in the Search Box. Hit Search Files. You will get one file. Please copy and paste.

#33 r55741 (Member, Topic Starter, 96 posts)
Farbar Recovery Scan Tool (x64) Version: 15.09.2018
Ran by REEDEMER (20-09-2018 22:19:00)
Running from C:\Users\REEDEMER\Desktop
Boot Mode: Normal
 
================== Search Files: "luafv.sys; MsMpEng.exe" =============
 
C:\Windows.old\WINDOWS\WinSxS\amd64_windows-defender-service_31bf3856ad364e35_10.0.16299.15_none_e8924ec0c7f1071c\MsMpEng.exe
[2017-09-29 08:40][2017-09-29 08:40] 000105944 _____ (Microsoft Corporation) 2AD55CC8F96194854CF0CC89D4A41175 [File is digitally signed]
 
C:\Windows.old\WINDOWS\WinSxS\amd64_microsoft-windows-lua-filevirtualization_31bf3856ad364e35_10.0.16299.64_none_8ad82a3015b6f428\luafv.sys
[2018-03-14 21:10][2018-03-14 21:10] 000124928 _____ (Microsoft Corporation) 9A497169E145FCE2D8AA7DBC67377F64 [File not signed]
 
C:\Windows.old\WINDOWS\WinSxS\amd64_microsoft-windows-lua-filevirtualization_31bf3856ad364e35_10.0.16299.15_none_8acd50c615bf1e56\luafv.sys
[2017-09-29 08:41][2018-04-06 09:41] 000002111 _____ () ED15F97053E39506310185508B691C19 [File not signed]
 
C:\Windows.old\WINDOWS\System32\drivers\luafv.sys
[2018-03-14 21:10][2018-03-14 21:10] 000124928 _____ (Microsoft Corporation) 9A497169E145FCE2D8AA7DBC67377F64 [File not signed]
 
C:\Windows.old\WINDOWS\SoftwareDistribution\Download\a8fce144e2e8025cc8d5743afae1a48f\amd64_Microsoft-Windows-EditionPack-Enterprise-Package~~AMD64~~10.0.17134.1\amd64_windows-defender-service_31bf3856ad364e35_10.0.17134.1_none_ab26af25bff6f9dc\msmpeng.exe
[2018-07-25 14:40][2018-04-10 23:47] 000105344 _____ (Microsoft Corporation) E63F12EF98FCFE383593895EF917B9DD [File is digitally signed]
 
C:\Windows.old\WINDOWS\SoftwareDistribution\Download\a8fce144e2e8025cc8d5743afae1a48f\amd64_Microsoft-Windows-Client-Features-Package~~AMD64~~10.0.17134.1\amd64_microsoft-windows-lua-filevirtualization_31bf3856ad364e35_10.0.17134.1_none_4d61b12b0dc51116\luafv.sys
[][] 000000000 _____ () D41D8CD98F00B204E9800998ECF8427E [File is digitally signed]
 
C:\Windows.old\Program Files\Windows Defender\MsMpEng.exe
[2017-09-29 08:40][2017-09-29 08:40] 000105944 _____ (Microsoft Corporation) 2AD55CC8F96194854CF0CC89D4A41175 [File is digitally signed]
 
C:\Windows\WinSxS\amd64_windows-defender-service_31bf3856ad364e35_10.0.17134.228_none_a769143daccc6607\MsMpEng.exe
[2018-09-15 09:11][2018-08-02 22:46] 000106904 _____ (Microsoft Corporation) 3F95632920F681CB4AF0C40ED3BC2C34 [File is digitally signed]
 
C:\Windows\WinSxS\amd64_windows-defender-service_31bf3856ad364e35_10.0.17134.1_none_ab26af25bff6f9dc\MsMpEng.exe
[2018-04-11 18:33][2018-04-11 18:33] 000105344 _____ (Microsoft Corporation) E63F12EF98FCFE383593895EF917B9DD [File is digitally signed]
 
C:\Windows\WinSxS\amd64_windows-defender-service_31bf3856ad364e35_10.0.17134.191_none_a71660ddad0b7b16\MsMpEng.exe
[2018-09-14 02:19][2018-09-14 02:19] 000106920 _____ (Microsoft Corporation) 89A107DC16135FEC797F10B70AEECF27 [File is digitally signed]
 
C:\Windows\WinSxS\amd64_microsoft-windows-lua-filevirtualization_31bf3856ad364e35_10.0.17134.1_none_4d61b12b0dc51116\luafv.sys
[2018-04-11 18:34][2018-04-11 18:34] 000128000 _____ (Microsoft Corporation) E86400D7B6E095E89CF63667D94D3F50 [File is digitally signed]
 
C:\Windows\System32\drivers\luafv.sys
[2018-04-11 18:34][2018-04-11 18:34] 000128000 _____ (Microsoft Corporation) E86400D7B6E095E89CF63667D94D3F50 [File is digitally signed]
 
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1807.18075-0\MsMpEng.exe
[2018-07-31 14:01][2018-07-31 14:01] 000110944 _____ (Microsoft Corporation) CEDC4E5155D9D48F2922C21EC02419B7 [File is digitally signed]
 
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1806.18062-0\MsMpEng.exe
[2018-06-26 14:22][2018-06-26 14:22] 000100080 _____ (Microsoft Corporation) DD752ECFDEC95581A00D62A8B00591EC [File is digitally signed]
 
C:\Program Files\Windows Defender\MsMpEng.exe
[2018-09-15 09:11][2018-08-02 22:46] 000106904 _____ (Microsoft Corporation) 3F95632920F681CB4AF0C40ED3BC2C34 [File is digitally signed]
 
 
====== End of Search ======

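The search output above is read by eye in the thread: the live copies of luafv.sys and MsMpEng.exe should be Microsoft-signed and hash-identical to a WinSxS copy, while unsigned or zero-length copies should be confined to Windows.old. This added example (not the thread's or FRST's own code) parses a constructed excerpt of that output, copied from the entries posted above, and applies those checks; note that FRST's "digitally signed" flag on a zero-byte file carries no information, so size and the empty-file MD5 are checked separately.

```python
import hashlib
import re
from collections import defaultdict

# Constructed excerpt in the layout of FRST's "Search Files" output; the entries
# are copied from the result posted above, trimmed to the lines this example needs.
FRST_SEARCH_OUTPUT = r"""
================== Search Files: "luafv.sys; MsMpEng.exe" =============

C:\Windows.old\WINDOWS\WinSxS\amd64_microsoft-windows-lua-filevirtualization_31bf3856ad364e35_10.0.16299.64_none_8ad82a3015b6f428\luafv.sys
[2018-03-14 21:10][2018-03-14 21:10] 000124928 _____ (Microsoft Corporation) 9A497169E145FCE2D8AA7DBC67377F64 [File not signed]

C:\Windows.old\WINDOWS\WinSxS\amd64_microsoft-windows-lua-filevirtualization_31bf3856ad364e35_10.0.16299.15_none_8acd50c615bf1e56\luafv.sys
[2017-09-29 08:41][2018-04-06 09:41] 000002111 _____ () ED15F97053E39506310185508B691C19 [File not signed]

C:\Windows.old\WINDOWS\SoftwareDistribution\Download\a8fce144e2e8025cc8d5743afae1a48f\amd64_Microsoft-Windows-Client-Features-Package~~AMD64~~10.0.17134.1\amd64_microsoft-windows-lua-filevirtualization_31bf3856ad364e35_10.0.17134.1_none_4d61b12b0dc51116\luafv.sys
[][] 000000000 _____ () D41D8CD98F00B204E9800998ECF8427E [File is digitally signed]

C:\Windows\WinSxS\amd64_windows-defender-service_31bf3856ad364e35_10.0.17134.228_none_a769143daccc6607\MsMpEng.exe
[2018-09-15 09:11][2018-08-02 22:46] 000106904 _____ (Microsoft Corporation) 3F95632920F681CB4AF0C40ED3BC2C34 [File is digitally signed]

C:\Windows\WinSxS\amd64_microsoft-windows-lua-filevirtualization_31bf3856ad364e35_10.0.17134.1_none_4d61b12b0dc51116\luafv.sys
[2018-04-11 18:34][2018-04-11 18:34] 000128000 _____ (Microsoft Corporation) E86400D7B6E095E89CF63667D94D3F50 [File is digitally signed]

C:\Windows\System32\drivers\luafv.sys
[2018-04-11 18:34][2018-04-11 18:34] 000128000 _____ (Microsoft Corporation) E86400D7B6E095E89CF63667D94D3F50 [File is digitally signed]

C:\Program Files\Windows Defender\MsMpEng.exe
[2018-09-15 09:11][2018-08-02 22:46] 000106904 _____ (Microsoft Corporation) 3F95632920F681CB4AF0C40ED3BC2C34 [File is digitally signed]

====== End of Search ======
"""

# A result is a path line followed by one detail line:
# [created][modified] size attrs (company) MD5 [signature status]
PATH_RE = re.compile(r"^[A-Za-z]:\\")
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]*)\]\[(?P<modified>[^\]]*)\] "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) "
    r"(?P<md5>[0-9A-Fa-f]{32}) \[(?P<sig>[^\]]*)\]$"
)
SIGNED = "File is digitally signed"
EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()  # MD5 of a zero-byte file

# The two paths Windows actually loads from; the WinSxS entries are reference copies.
LIVE_PATHS = {
    "luafv.sys": r"C:\Windows\System32\drivers\luafv.sys",
    "msmpeng.exe": r"C:\Program Files\Windows Defender\MsMpEng.exe",
}


def parse_search_output(text):
    """Return one dict per file entry found in FRST 'Search Files' output."""
    entries, pending_path = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if PATH_RE.match(line):
            pending_path = line
            continue
        m = DETAIL_RE.match(line)
        if m and pending_path:
            e = m.groupdict()
            e["path"] = pending_path
            e["name"] = pending_path.rsplit("\\", 1)[-1].lower()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            entries.append(e)
            pending_path = None
    return entries


def triage(entries):
    """Flag suspicious copies and confirm the live files against WinSxS.

    Returns (findings, live_ok): findings is a list of (path, reasons) for
    entries that are unsigned, zero-length or not attributed to Microsoft;
    live_ok maps each live file name to True when its copy is Microsoft-signed
    and its MD5 matches a copy under C:\\Windows\\WinSxS.
    """
    findings, by_name = [], defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)
        reasons = []
        if e["sig"] != SIGNED:
            reasons.append("unsigned")
        if e["size"] == 0 or e["md5"] == EMPTY_MD5:
            reasons.append("zero-length")  # the signature flag means nothing here
        if e["company"] != "Microsoft Corporation":
            reasons.append("company=%r" % e["company"])
        if reasons:
            findings.append((e["path"], reasons))

    live_ok = {}
    for name, live_path in LIVE_PATHS.items():
        live = [e for e in by_name[name] if e["path"].lower() == live_path.lower()]
        winsxs_hashes = {
            e["md5"] for e in by_name[name]
            if e["path"].lower().startswith("c:\\windows\\winsxs\\")
        }
        live_ok[name] = bool(live) and (
            live[0]["sig"] == SIGNED
            and live[0]["company"] == "Microsoft Corporation"
            and live[0]["md5"] in winsxs_hashes
        )
    return findings, live_ok


if __name__ == "__main__":
    found, ok = triage(parse_search_output(FRST_SEARCH_OUTPUT))
    for path, why in found:
        print("FLAG", ", ".join(why), path)
    print("live files verified:", ok)
```

On the posted output every flagged copy sits under C:\Windows.old, and both live files verify, which is the conclusion the next reply reaches.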

#34 RKinner (Malware Expert, MVP, 24,625 posts)

Files look good. Let's let FRST look at the registry and check the permissions.

Attached File: fixlist.txt (1.92KB, 194 downloads)

Please post the fixlog.

#35 r55741 (Member, Topic Starter, 96 posts)

Wow, so should I just keep some kind of an image restore DVD in case this ever happens again? Any other ideas?


Fix result of Farbar Recovery Scan Tool (x64) Version: 15.09.2018
Ran by REEDEMER (21-09-2018 09:45:13) Run:8
Running from C:\Users\REEDEMER\Desktop
Loaded Profiles: REEDEMER (Available Profiles: REEDEMER & postgres)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
REG: reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]"
REG: Reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\luafv" /s
REG: Reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend" /s
ListPermissions: C:\Windows\System32\drivers\luafv.sys
ListPermissions: C:\Program Files\Windows Defender\MsMpEng.exe
ListPermissions: C:\Program Files\Windows Defender\MpAsDesc.dll
Unlock: C:\Windows\System32\drivers\luafv.sys
Unlock: C:\Program Files\Windows Defender\MsMpEng.exe
Unlock: C:\Program Files\Windows Defender\MpAsDesc.dll
Unlock: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\luafv"
Unlock: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend"
Folder: C:\Program Files\Windows Defender
CMD: sc query luafv
CMD: sc query WinDefend
CMD: sc start luafv
CMD: sc start WinDefend
CMD: FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i"
*****************
 
 
========= reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]" =========
 
ERROR: The system was unable to find the specified registry key or value.
 
 
========= End of Reg: =========
 
 
========= Reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\luafv" /s =========
 
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\luafv
    DependOnService    REG_MULTI_SZ    FltMgr
    Description    REG_SZ    @%systemroot%\system32\drivers\luafv.sys,-101
    DisplayName    REG_SZ    @%systemroot%\system32\drivers\luafv.sys,-100
    ErrorControl    REG_DWORD    0x1
    Group    REG_SZ    FSFilter Virtualization
    ImagePath    REG_EXPAND_SZ    \SystemRoot\system32\drivers\luafv.sys
    Start    REG_DWORD    0x2
    SupportedFeatures    REG_DWORD    0x7
    Type    REG_DWORD    0x2
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\luafv\Instances
    DefaultInstance    REG_SZ    luafv
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\luafv\Instances\luafv
    Altitude    REG_SZ    135000
    Flags    REG_DWORD    0x0
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\luafv\Parameters
    ProgramData    REG_SZ    C:\ProgramData
 
 
 
========= End of Reg: =========
 
 
========= Reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend" /s =========
 
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend
    DependOnService    REG_MULTI_SZ    RpcSs
    Description    REG_SZ    @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-240
    DisplayName    REG_SZ    @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-310
    ErrorControl    REG_DWORD    0x1
    FailureActions    REG_BINARY    8051010000000000010000000300000014000000030000006400000000000000640000000000000064000000
    ImagePath    REG_EXPAND_SZ    "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1807.18075-0\MsMpEng.exe"
    LaunchProtected    REG_DWORD    0x3
    ObjectName    REG_SZ    LocalSystem
    RequiredPrivileges    REG_MULTI_SZ    SeImpersonatePrivilege\0SeBackupPrivilege\0SeRestorePrivilege\0SeDebugPrivilege\0SeChangeNotifyPrivilege\0SeLoadDriverPrivilege\0SeSecurityPrivilege\0SeShutdownPrivilege\0SeIncreaseQuotaPrivilege\0SeAssignPrimaryTokenPrivilege\0SeTcbPrivilege\0SeIncreaseBasePriorityPrivilege\0SeSystemEnvironmentPrivilege\0SeTakeOwnershipPrivilege
    ServiceSidType    REG_DWORD    0x1
    Start    REG_DWORD    0x4
    Type    REG_DWORD    0x10
    FailureCommand    REG_SZ    C:\WINDOWS\system32\mrt.exe /EHB /ServiceFailure "CAMP=4.18.1807.18075;approximate-> Engine=1.1.15200.1;AVSIG=1.275.1349.0;ASSIG=1.275.1349.0" /StartService /Defender /q
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend\Security
    Security    REG_BINARY    (binary value omitted)
 
 
 
========= End of Reg: =========
 
===================================
permissions of "C:\Windows\System32\drivers\luafv.sys":
 
Owner: NT SERVICE\TrustedInstaller
 
DACL(PAI):
 
NT SERVICE\TrustedInstaller ALLOW FULL (NI)
BUILTIN\Administrators ALLOW READ/EXECUTE (NI)
NT AUTHORITY\SYSTEM ALLOW READ/EXECUTE (NI)
BUILTIN\Users ALLOW READ/EXECUTE (NI)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES ALLOW READ/EXECUTE (NI)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES ALLOW READ/EXECUTE (NI)
 
===================================
===================================
permissions of "C:\Program Files\Windows Defender\MsMpEng.exe":
 
Owner: NT SERVICE\TrustedInstaller
 
DACL(PAI):
 
NT SERVICE\TrustedInstaller ALLOW FULL (NI)
BUILTIN\Administrators ALLOW READ/EXECUTE (NI)
NT AUTHORITY\SYSTEM ALLOW READ/EXECUTE (NI)
BUILTIN\Users ALLOW READ/EXECUTE (NI)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES ALLOW READ/EXECUTE (NI)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES ALLOW READ/EXECUTE (NI)
 
===================================
===================================
permissions of "C:\Program Files\Windows Defender\MpAsDesc.dll":
 
Owner: NT SERVICE\TrustedInstaller
 
DACL(PAI):
 
NT SERVICE\TrustedInstaller ALLOW FULL (NI)
BUILTIN\Administrators ALLOW READ/EXECUTE (NI)
NT AUTHORITY\SYSTEM ALLOW READ/EXECUTE (NI)
BUILTIN\Users ALLOW READ/EXECUTE (NI)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES ALLOW READ/EXECUTE (NI)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES ALLOW READ/EXECUTE (NI)
 
===================================
"C:\Windows\System32\drivers\luafv.sys" => was unlocked
"C:\Program Files\Windows Defender\MsMpEng.exe" => was unlocked
"C:\Program Files\Windows Defender\MpAsDesc.dll" => was unlocked
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\luafv" => was unlocked
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend" => was unlocked
 
========================= Folder: C:\Program Files\Windows Defender ========================
 
 
====== End of Folder: ======
 
 
========= sc query luafv =========
 
 
SERVICE_NAME: luafv 
        TYPE               : 2  FILE_SYSTEM_DRIVER  
        STATE              : 1  STOPPED 
        WIN32_EXIT_CODE    : 1275  (0x4fb)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
========= End of CMD: =========
 
 
========= sc query WinDefend =========
 
 
SERVICE_NAME: WinDefend 
        TYPE               : 10  WIN32_OWN_PROCESS  
        STATE              : 1  STOPPED 
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
========= End of CMD: =========
 
 
========= sc start luafv =========
 
[SC] StartService FAILED 1275:
 
This driver has been blocked from loading
 
 
========= End of CMD: =========
 
 
========= sc start WinDefend =========
 
[SC] StartService FAILED 1058:
 
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
 
 
========= End of CMD: =========
 
 
========= FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i" =========
 
Failed to clear log Microsoft-Windows-LiveId/Analytic. Access is denied.
Failed to clear log Microsoft-Windows-LiveId/Operational. Access is denied.
Failed to clear log Microsoft-Windows-USBVideo/Analytic. The instance name passed was not recognized as valid by a WMI data provider.
 
========= End of CMD: =========
 
 
==== End of Fixlog 09:45:26 ====

  • 0

#36
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP

Windows Defender has Startup Type set to Disabled.  Can you change it in services.msc to Automatic, Apply then try to Start the service?

 

The other difference I see is that it is trying to run from ProgramData which seems odd.   On mine it runs from C:\Windows\system32\drivers or it would if I allowed it to run.  I have it turned off because I have the free Avast. 

 

If changing to Automatic doesn't work I'll upload a registry export from mine and we will Merge it.

 

The luafv driver is a bit of a problem.  Can't see anything wrong with the registry or the file.  Open an Elevated Command Prompt and type:

 

sc start fltmgr

 

It should say:


C:\WINDOWS\system32>sc start fltmgr
[SC] StartService FAILED 1056:

An instance of the service is already running.

 

 

If not then we have to fix it first.

 

A good image backup is always wise.  I regularly clone my primary hard drive so that if something goes wrong I can just stick in the clone.


  • 0
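The checks RKinner walks through by hand above (Startup Type in services.msc, where the service's ImagePath points, whether FltMgr is already running, and what the sc error numbers mean) can be collected in one pass. The following PowerShell is an added example, not RKinner's or FRST's code; the service names and error codes are the ones quoted in the thread, while the list of expected binary locations and the helper names are my own assumptions.

```powershell
# Added example (not from the thread): audit the service keys discussed above.
# Reads Start type and ImagePath from the registry, gets live state and the
# last WIN32_EXIT_CODE from sc.exe, and explains the codes seen in the thread.
# Run from an elevated PowerShell prompt.

$ErrorCodes = @{
    1056 = 'ERROR_SERVICE_ALREADY_RUNNING (expected for FltMgr)'
    1058 = 'ERROR_SERVICE_DISABLED (Start value is 4)'
    1077 = 'ERROR_SERVICE_NEVER_STARTED (no start attempt since boot)'
    1275 = 'ERROR_DRIVER_BLOCKED (driver blocked from loading)'
}
$StartTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# Locations Defender and filter-driver binaries are expected to run from.
# This list is an assumption for the check; the ProgramData\...\platform
# path is normal for MsMpEng.exe on current Windows 10 builds.
$ExpectedRoots = @(
    "$env:ProgramFiles\Windows Defender\",
    "$env:ProgramData\Microsoft\Windows Defender\platform\",
    "$env:SystemRoot\System32\"
)

function Get-ScStatus {
    # Note: plain 'sc' is an alias for Set-Content in PowerShell; call sc.exe.
    param([Parameter(Mandatory)][string]$Name)
    $out   = (& sc.exe query $Name 2>&1) -join "`n"
    $state = if ($out -match 'STATE\s*:\s*\d+\s+(\w+)') { $Matches[1] } else { 'UNKNOWN' }
    $code  = if ($out -match 'WIN32_EXIT_CODE\s*:\s*(\d+)') { [int]$Matches[1] } else { $null }
    $why   = if ($null -ne $code -and $ErrorCodes.ContainsKey($code)) { $ErrorCodes[$code] } else { '' }
    [pscustomobject]@{ State = $state; ExitCode = $code; Meaning = $why }
}

function Get-ServiceAudit {
    param([Parameter(Mandatory)][string[]]$Name)
    foreach ($svc in $Name) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        if (-not (Test-Path $key)) {
            [pscustomobject]@{ Service = $svc; Start = 'KEY MISSING'; ImagePath = $null
                               State = $null; ExitCode = $null; Note = 'service key absent' }
            continue
        }
        $p = Get-ItemProperty -Path $key
        # Drivers store ImagePath as \SystemRoot\... or System32\...; expand both
        # forms plus %VAR% references, then strip quotes and arguments.
        $image = [string]$p.ImagePath
        $image = $image -replace '^\\SystemRoot\\', "$env:SystemRoot\" -replace '^System32\\', "$env:SystemRoot\System32\"
        $image = [Environment]::ExpandEnvironmentVariables($image)
        $exe   = if ($image -match '^"([^"]+)"') { $Matches[1] } else { ($image -split ' ')[0] }
        $sc    = Get-ScStatus -Name $svc
        $notes = @()
        if ($p.Start -eq 4) { $notes += 'Startup Type is Disabled; sc start will return 1058' }
        if ($exe -and -not ($ExpectedRoots | Where-Object { $exe -like "$($_)*" })) {
            $notes += "ImagePath outside expected roots: $exe"
        }
        if ($exe -and -not (Test-Path $exe)) { $notes += 'binary not found on disk' }
        if ($p.Start -le 2 -and $sc.State -eq 'STOPPED') { $notes += 'auto-start service is not running' }
        if ($sc.Meaning) { $notes += $sc.Meaning }
        [pscustomobject]@{
            Service = $svc; Start = $StartTypes[[int]$p.Start]; ImagePath = $exe
            State = $sc.State; ExitCode = $sc.ExitCode; Note = ($notes -join '; ')
        }
    }
}

# The three services this thread is about; FltMgr must be running for luafv to load.
Get-ServiceAudit -Name WinDefend, luafv, FltMgr | Format-List
```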

#37
r55741

r55741

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts

Windows Defender has Startup Type set to Disabled.  Can you change it in services.msc to Automatic, Apply then try to Start the service?

Was able to start and set to automatic "Windows Defender Firewall".

The "Windows Defender Antivirus Service" is disabled and the drop-down menu to set it to automatic is grayed out, as well as the Start service button.

 

same for "windows defender antivirus network inspection service"

 

The "Windows Defender Advanced Threat Protection Service" was set to manual. I set it to automatic and upon starting it, it gave the error:

The Windows Defender Advanced Threat Protection Service service on Local Computer started and then stopped. Some services stop automatically if they are not in use by another service or programs.

 

The other difference I see is that it is trying to run from ProgramData which seems odd.   On mine it runs from C:\Windows\system32\drivers or it would if I allowed it to run.  I have it turned off because I have the free Avast. 

 

If changing to Automatic doesn't work I'll upload a registry export from mine and we will Merge it.

 

The luafv driver is a bit of a problem.  Can't see anything wrong with the registry or the file.  Open an Elevated Command Prompt and type:

 

sc start fltmgr

 

It should say:


C:\WINDOWS\system32>sc start fltmgr
[SC] StartService FAILED 1056:

An instance of the service is already running.

 

 

If not then we have to fix it first.

I got:

C:\Users\REEDEMER>sc start fltmgr

[SC] StartService FAILED 1056:
 
An instance of the service is already running.

 

A good image backup is always wise.  I regularly clone my primary hard drive so that if something goes wrong I can just stick in the clone.

 

What's a good app for that?

 

 

Also I am running Office 2007 Enterprise and I get an error message every 10 minutes that it is unable to autosave the file due to some permissions error.

I think something is up with permissions. 


Edited by r55741, 21 September 2018 - 10:33 AM.

  • 0

#38
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP

Attached is:

 

Attached File  windefend.zip   1.32KB   192 downloads

 

Download, Save, then right click and Extract All, Extract.  Now right click on WinDefend.reg and MERGE.  Ignore the warning.  Do you get an error?

 

Any change to Windows Defender service?

 

If it's still grey we can try to remove the old registry info with a fixlist then try the Merge again.

 

Attached File  fixlist.txt   360bytes   175 downloads

 

Go into Control panel, User Accounts, Change User Account Settings.  The slider is normally at one notch below the top.  If it's there move it up a notch.  If it's not there then move it to one notch below the top.  OK, Yes.

 

Try the

 

sc start luafv

 

again.  Remember to use an Elevated (Admin) Command Prompt


  • 0

#39
r55741

r55741

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts

 

Download, Save, then right click and Extract All, Extract.  Now right click on WinDefend.reg and MERGE.  Ignore the warning.  Do you get an error?

Registry keys were successfully added.

Any change to Windows Defender service?

 

I am getting two different errors when attempting to start the different services: 

 

1. Windows defender advanced threat protection service and windows defender antivirus network inspection service.

 

error: The "service" on local computer started and then stopped. Some services stop automatically if they are not in use by other services or programs. 

 

2. windows defender antivirus service

error: 

 

windows could not start the windows defender antivirus service service on local computer. 

error 1058: The service cannot be started either because it is disabled or because it has no enabled devices associated with it. 

 

If it's still grey we can try to remove the old registry info with a fixlist then try the Merge again.

manual drop down box is grey

start button is not 

 

 

Go into Control panel, User Accounts, Change User Account Settings.  The slider is normally at one notch below the top.  If it's there move it up a notch.  If it's not there then move it to one notch below the top.  OK, Yes.

 

slider was all the way at the bottom. moved it to 1 down from the top. 

 

Try the

 

sc start luafv

 

again.  Remember to use an Elevated (Admin) Command Prompt

 

C:\Users\REEDEMER>sc start luafv

[SC] StartService FAILED 1275:
 
This driver has been blocked from loading

Edited by r55741, 21 September 2018 - 01:16 PM.

  • 0

#40
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP

I think I should have had you restart before  sc start luafv.  Pretty sure changes to UAC need a reboot to take effect.

 

Go ahead and run the fixlist then remerge the reg file.  See if that makes a difference to windows defender antivirus service.  I forgot to change the Start entry on mine so you will need to change the Startup Type to Automatic.

 

There is a program called Windows Repair All In One:

 

 

http://www.tweaking....all_in_one.html

Download it and save it then run it by right click and Run As Admin.

 

They have changed the interface since I last wrote up my instructions but once you get the repair window to come up (using one of the new pre-programmed options) you need to just make sure that only the following are checked:

 

Reset Registry Permissions
Reset File Permissions
Register System Files

Remove Policies Set By Infections

 

Let it do its thing then reboot if it doesn't do it for you.

 

See if you are able to save your files now.

 
  • 0
#41
r55741

r55741

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts

I think I should have had you restart before  sc start luafv.  Pretty sure changes to UAC need a reboot to take effect.

 

Go ahead and run the fixlist then remerge the reg file.  See if that makes a difference to windows defender antivirus service.  It does make a difference, I can now see under Windows Defender Security Center that Malwarebytes is installed as an antivirus provider. Attempting to turn on periodic scanning does not work.

 

I forgot to change the Start entry on mine so you will need to change the Startup Type to Automatic.

Still get the same error when I try to start the service and the drop-down menu is greyed out.

 

There is a program called Windows Repair All In One:

 

 

http://www.tweaking....all_in_one.html

Download it and save it then run it by right click and Run As Admin.

 

They have changed the interface since I last wrote up my instructions but once you get the repair window to come up (using one of the new pre-programmed options) you need to just make sure that only the following are checked:

 

Reset Registry Permissions
Reset File Permissions
Register System Files

Remove Policies Set By Infections

OK, all done, rebooting now.. brb

 

Let it do its thing then reboot if it doesn't do it for you.

 

See if you are able to save your files now.

 



 

Fix result of Farbar Recovery Scan Tool (x64) Version: 15.09.2018
Ran by REEDEMER (21-09-2018 15:39:54) Run:9
Running from C:\Users\REEDEMER\Desktop
Loaded Profiles: REEDEMER (Available Profiles: REEDEMER & postgres)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
DeleteKey: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend" 
CMD: FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i"
 
 
*****************
 
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend" => removed successfully
 
========= FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i" =========
 
Failed to clear log Microsoft-Windows-LiveId/Analytic. Access is denied.
Failed to clear log Microsoft-Windows-LiveId/Operational. Access is denied.
Failed to clear log Microsoft-Windows-USBVideo/Analytic. The instance name passed was not recognized as valid by a WMI data provider.
 
========= End of CMD: =========
 
 
==== End of Fixlog 15:40:09 ====

  • 0

#42
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP

Did you try sc start luafv after a reboot?

 

Another fixlist. 

 

Attached File  fixlist.txt   372bytes   181 downloads

This one just looks at the WinDefend key to see if we made any changes to it.


  • 0

#43
r55741

r55741

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts

I think I should have had you restart before  sc start luafv.  Pretty sure changes to UAC need a reboot to take effect.

 

Go ahead and run the fixlist then remerge the reg file.  See if that makes a difference to windows defender antivirus service.  I forgot to change the Start entry on mine so you will need to change the Startup Type to Automatic.

 

There is a program called Windows Repair All In One:

 

 

http://www.tweaking....all_in_one.html

Download it and save it then run it by right click and Run As Admin.

 

They have changed the interface since I last wrote up my instructions but once you get the repair window to come up (using one of the new pre-programmed options) you need to just make sure that only the following are checked:

 

Reset Registry Permissions
Reset File Permissions
Register System Files

Remove Policies Set By Infections

 

Let it do its thing then reboot if it doesn't do it for you.

 

See if you are able to save your files now.
 
Windows defender is working now!

 

Autosave in Microsoft Word still says "You cannot save while the file is in use by another process. Try saving the file with a new name."

 

Also I found out my checking account had multiple quick pay transactions to unknown recipients and filed a fraud complaint. 

 

Firefox had LastPass installed and the account was set to stay logged in and remember passwords.


  • 0

#44
r55741

r55741

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts

I think I should have had you restart before  sc start luafv.  Pretty sure changes to UAC need a reboot to take effect.

 

Go ahead and run the fixlist then remerge the reg file.  See if that makes a difference to windows defender antivirus service.  I forgot to change the Start entry on mine so you will need to change the Startup Type to Automatic.

 

There is a program called Windows Repair All In One:

 

 

http://www.tweaking....all_in_one.html

Download it and save it then run it by right click and Run As Admin.

 

They have changed the interface since I last wrote up my instructions but once you get the repair window to come up (using one of the new pre-programmed options) you need to just make sure that only the following are checked:

 

Reset Registry Permissions
Reset File Permissions
Register System Files

Remove Policies Set By Infections

 

Let it do its thing then reboot if it doesn't do it for you.

 

See if you are able to save your files now.

 
Windows defender is working now!

 

Autosave in Microsoft Word still says "You cannot save while the file is in use by another process. Try saving the file with a new name."

 

Also I found out my checking account had multiple quick pay transactions to unknown recipients and filed a fraud complaint. 

 

Firefox had LastPass installed and the account was set to stay logged in and remember passwords.  That was my bad.


Edited by r55741, 21 September 2018 - 06:15 PM.

  • 0

#45
r55741

r55741

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts

Also I just ran Malwarebytes and it found the following:

Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 9/21/18
Scan Time: 8:11 PM
Log File: 665eb20e-be04-11e8-b22a-408d5c1d54bc.json
 
-Software Information-
Version: 3.6.1.2711
Components Version: 1.0.463
Update Package Version: 1.0.6955
License: Trial
 
-System Information-
OS: Windows 10 (Build 17134.228)
CPU: x64
File System: NTFS
User: DESKTOP-EQM0F1J\REEDEMER
 
-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 380398
Threats Detected: 1
Threats Quarantined: 1
Time Elapsed: 2 min, 19 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 0
(No malicious items detected)
 
Registry Value: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 0
(No malicious items detected)
 
File: 1
PUP.Optional.Goobig, C:\USERS\REEDEMER\APPDATA\LOCAL\RTNDSIO\SVOIHDG.EXE, Quarantined, [14640], [562661],1.0.6955
 
Physical Sector: 0
(No malicious items detected)
 
WMI: 0
(No malicious items detected)
 
 
(end)

Edited by r55741, 21 September 2018 - 07:17 PM.

  • 0
