Random Browser dropouts especially on startup & eventviewer proble



#31 phickspc (Topic Starter, Member, 448 posts)

I recently disabled 'Remote' services to reduce the odds of a BlueKeep attack, which could exploit a vulnerability as reported here.

The Microsoft Answers solution discusses 'Remote' privileges. I don't know if this is enabling the same Remote service as above.

Will this re-expose the BlueKeep exploitable vulnerability?

 

CD/DVD was already empty. The drive typically doesn't open, typically have to launch from My computer or press the eject button 2-3x before it does.

 

Will execute the fix then upload new FRST logs.




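The question above turns on what BlueKeep (CVE-2019-0708) actually is: a flaw in Remote Desktop Services, reachable only while the RDP listener (TermService on TCP 3389) is up on a host that lacks the May 2019 fix. The script below is an added example, not part of the thread or of any Microsoft guidance; it reports those conditions on the local machine. The function name is mine, the KB numbers are quoted from memory and should be checked against Microsoft's CVE-2019-0708 advisory, and it assumes Windows PowerShell 3.0 or later in an elevated prompt.

```powershell
# Added example (not from the thread): report the conditions that decide whether
# this host is exposed to BlueKeep (CVE-2019-0708): RDP listener enabled, NLA
# required, TermService state, port 3389 bound, and the May 2019 fix installed.
function Get-RdpExposure {
    $ts  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    $nla = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -ErrorAction SilentlyContinue
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='TermService'"

    # Windows 7 SP1 fix: monthly rollup / security-only update. Quoted from memory;
    # confirm the IDs against Microsoft's CVE-2019-0708 advisory for your OS build.
    $fixKBs = 'KB4499175', 'KB4499164'
    $installed = Get-HotFix | Where-Object { $fixKBs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID

    # Is anything bound to TCP 3389 right now, whatever the registry says?
    $listening = netstat -ano -p tcp | Select-String ':3389\s+\S+\s+LISTENING'

    [pscustomobject]@{
        RdpConnectionsDenied = [bool]$ts.fDenyTSConnections     # $true = Remote Desktop switched off
        NlaRequired          = [bool]$nla.UserAuthentication    # $true = NLA on (partial mitigation only)
        TermServiceState     = $svc.State
        TermServiceStartMode = $svc.StartMode
        Port3389Listening    = [bool]$listening
        BlueKeepFixInstalled = [bool]$installed
        MatchingHotfixes     = ($installed -join ', ')
    }
}

Get-RdpExposure | Format-List
```

If `RdpConnectionsDenied` is true and nothing is listening on 3389, toggling other "Remote" services does not bring BlueKeep back; if the listener is up, the only real protection is `BlueKeepFixInstalled` being true, with NLA as a stopgap that still leaves the host exposed to anyone holding valid credentials.
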
#32 phickspc (Topic Starter, Member, 448 posts)

Fixlogv1.txt



#33 phickspc (Topic Starter, Member, 448 posts)

FRSTv2

Additionv2



#34 RKinner (Malware Expert, MVP, 22,034 posts)

The only errors left are MBAM-related. You have Malwarebytes Anti-Malware version 2.2.1.1043.

The latest is version 4.something, so I would uninstall it and download the latest version.

https://www.malwarebytes.com/ 

Do not accept the 14 day trial.

 

If you are still having delays I would uninstall Peerblock, or if you don't know how, search for

msconfig

hit Enter

Under the Startup tab find Peerblock and uncheck then Apply.

 

There is still an Acronis entry, Acronis Scheduler2 Service. Look under the Services tab if you don't see it in Startup. Uncheck it, then OK and reboot.

 

I can remove them both with another fixlist if you want.



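The msconfig steps above can be done from PowerShell, which also shows where each entry comes from and makes the change explicit. The script below is an added example and not part of the thread: it lists the Run keys and Startup folders that feed msconfig's Startup tab, then finds the Acronis service by display name. Item names come from the post; the service short name in the commented lines is an assumption, and the script assumes Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the thread): enumerate the startup entries msconfig
# shows, then locate the Acronis scheduler service and show how to disable it.
function Get-StartupEntries {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSDrive metadata
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
        }
    }
    # Startup folders: a portable app such as Peerblock is typically launched from here
    $dirs = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
    foreach ($dir in $dirs) {
        Get-ChildItem -Path $dir -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object { [pscustomobject]@{ Source = $dir; Name = $_.Name; Command = $_.FullName } }
    }
}

Get-StartupEntries | Format-Table -AutoSize

# Services tab equivalent: find the Acronis scheduler and show how it starts
Get-WmiObject -Class Win32_Service -Filter "DisplayName LIKE '%Acronis%'" |
    Select-Object Name, DisplayName, State, StartMode, PathName

# Disabling a service here is the same as unchecking it in msconfig, but explicit.
# The short name below is an assumption: take it from the Name column above first.
# Set-Service -Name 'AcrSch2Svc' -StartupType Disabled
# Stop-Service -Name 'AcrSch2Svc'
```

For a startup entry, deleting it is `Remove-ItemProperty -Path <Source> -Name <Name>` for a Run key, or deleting the shortcut from the Startup folder; either way, keep the `Command` column from the listing so the entry can be restored if it turns out to matter.
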
#35 phickspc (Topic Starter, Member, 448 posts)

After performing your fixlist, I had a slight issue with MBAM (hence the errors) and decided to reinstall it.

No MBAM errors since reinstalling. I don't like version 4.

Before posting this thread I uninstalled MBAM but the network issue persisted.

Disabled both Peerblock (which is Portable btw) & Acronis in startup.

Rebooted. Network issue still continued. Re-enabled Peerblock.

Ran FRST & Addition again, no new MBAM errors.

Just this error in addition:

Error: (11/20/2019 09:26:53 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}
 and APPID
{344ED43D-D086-4961-86A6-1106F4ACAD9B}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

 

P.S. I notice when logging in, the network issue not only shows the loading icon in the system tray, it also keeps MSE's real-time protection off, and also freezes my PC if I right-click/try to load adapter settings until the block naturally resolves itself 5 mins later. Immediately after, MSE real-time protection enables itself.



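A DCOM 10016 event only becomes meaningful once the CLSID and APPID it names are resolved to the component they belong to. The script below is an added example, not from the thread: it looks both GUIDs up in the registry, runs that on the pair quoted in the post above, and then does the same for recent 10016 events in the System log. The function name is mine and it assumes Windows PowerShell 3.0 or later; nothing here changes any permission.

```powershell
# Added example (not from the thread): resolve the CLSID/APPID in a DCOM 10016
# event to the registered class and application, and pull recent events in bulk.
function Resolve-DcomId {
    param(
        [Parameter(Mandatory = $true)][string]$Clsid,
        [Parameter(Mandatory = $true)][string]$AppId
    )
    $clsKey = "HKLM:\SOFTWARE\Classes\CLSID\$Clsid"
    $appKey = "HKLM:\SOFTWARE\Classes\AppID\$AppId"
    $cls = Get-ItemProperty -Path $clsKey -ErrorAction SilentlyContinue
    $app = Get-ItemProperty -Path $appKey -ErrorAction SilentlyContinue
    $srv = Get-ItemProperty -Path "$clsKey\LocalServer32" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        CLSID              = $Clsid
        ClassName          = $cls.'(default)'
        APPID              = $AppId
        AppName            = $app.'(default)'
        LocalService       = $app.LocalService     # set when the server lives inside a service
        LocalServer        = $srv.'(default)'      # set when it runs as its own executable
        HasCustomLaunchAcl = [bool]$app.LaunchPermission   # a per-app ACL is what the event complains about
    }
}

# The pair quoted in the post
Resolve-DcomId -Clsid '{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}' -AppId '{344ED43D-D086-4961-86A6-1106F4ACAD9B}'

# Recent 10016 events: the message text lists the CLSID first, then the APPID
$guidPattern = '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 10016 } -MaxEvents 25 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt = $_
        $guids = @([regex]::Matches($evt.Message, $guidPattern) | ForEach-Object { $_.Value })
        if ($guids.Count -ge 2) {
            $r = Resolve-DcomId -Clsid $guids[0] -AppId $guids[1]
            $r | Add-Member -NotePropertyName Time -NotePropertyValue $evt.TimeCreated
            $r
        }
    } | Format-Table Time, APPID, AppName, LocalService, HasCustomLaunchAcl -AutoSize
```

If `AppName` resolves to a built-in Windows component, Microsoft's own guidance is that 10016 is benign noise and the DCOM ACL should be left alone; the event is worth pursuing only when the APPID belongs to third-party software that is visibly misbehaving.
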
#36 RKinner (Malware Expert, MVP, 22,034 posts)

Right click on Computer and select Manage then Device Manager.  Find Network Adapters and click on the arrow in front of it.  Under it find your Realtek adapter.  Right click and select properties then click on the Details tab.  Change Property to Hardware IDs.  Click on the top one then right click and copy.  Paste that into a reply. 

 

Search for

 

msconfig

hit Enter

 

Under the Boot tab click on Boot Log then OK and reboot.

 

After the reboot find C:\Windows\ntbtlog.txt; copy and paste or attach. You may need to tell Windows to let you see the file:

 

http://www.howtogeek...-windows-vista/



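Both halves of the request above (the adapter's Hardware ID and a boot log) can be collected without clicking through Device Manager and msconfig. The script below is an added example and not part of the thread: it reads the same Hardware ID list and driver date that Device Manager shows, via WMI, and turns on the boot log that msconfig's "Boot log" box controls. The function name is mine; it assumes Windows PowerShell 3.0 or later in an elevated prompt, and 10EC being Realtek's PCI vendor ID is the only fact relied on beyond the post.

```powershell
# Added example (not from the thread): Hardware ID and driver details for the
# Realtek adapter via WMI, and the BCD switch behind msconfig's "Boot log".
function Get-NicDriverInfo {
    param([string]$VendorPrefix = 'PCI\VEN_10EC')   # 10EC = Realtek's PCI vendor ID
    $pattern = $VendorPrefix + '*'
    $drivers = Get-WmiObject -Class Win32_PnPSignedDriver
    $devices = Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.HardwareID -and ($_.HardwareID -like $pattern) }
    foreach ($d in $devices) {
        $drv = $drivers | Where-Object { $_.DeviceID -eq $d.DeviceID } | Select-Object -First 1
        [pscustomobject]@{
            Name          = $d.Name
            HardwareId    = $d.HardwareID[0]   # top entry, the one Device Manager lists first
            Service       = $d.Service         # kernel driver service name
            DriverVersion = $drv.DriverVersion
            DriverDate    = if ($drv.DriverDate) { [Management.ManagementDateTimeConverter]::ToDateTime($drv.DriverDate) } else { $null }
            IsSigned      = $drv.IsSigned
            Signer        = $drv.Signer
        }
    }
}

Get-NicDriverInfo | Format-List

# Boot log: same effect as ticking "Boot log" on msconfig's Boot tab
bcdedit /set '{current}' bootlog yes
# After the reboot ntbtlog.txt marks every driver as Loaded / Did not load:
# Select-String -Path "$env:SystemRoot\ntbtlog.txt" -Pattern 'Did not load'
# Switch it off again once the log has been collected:
# bcdedit /set '{current}' bootlog no
```

`DriverDate` is what decides the next step in the thread (whether a newer Realtek package is worth installing), and `Signer` is the quick sanity check that the driver actually in use is the vendor's and not something that was dropped in beside it.
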
#37 phickspc (Topic Starter, Member, 448 posts)

Hardware ID:

PCI\VEN_10EC&DEV_8168&SUBSYS_82C61043&REV_02
 

ntbtlogv1.txt


Edited by phickspc, 20 November 2019 - 04:55 PM.


#38 RKinner (Malware Expert, MVP, 22,034 posts)

Forgot to ask you: what is the date of the Realtek driver?

If it's not 2019/10/25, then download:

 

https://www.realtek....5711280e640c21a

 

Save, right-click and run as admin.

 

The boot log doesn't show anything odd happening.  You can go back into msconfig and uncheck the boot log and OK.  No need to reboot.

 

If the new driver doesn't help then

 

download Process Monitor https://live.sysinte...com/Procmon.exe
Save it to your desktop

Run Process Monitor (right click and Run As Admin) then under Options, click Enable Boot Logging.  Close Process Monitor and reboot.

Open Process Monitor and it should tell you it has a boot log for you to look at.  Accept and then

File, Save, All Events, Format (the default should save as .pml if I remember right), OK. This file is very big so you will need to send it via Box.



#39 phickspc (Topic Starter, Member, 448 posts)

The driver I have is 28-08-18.

The Realtek driver download page asks me to enter an email. I enter my email and it shows this error: "產品連結為空,請從下載中心的頁面找到該產品,點擊下載icon,才能正常下載", which Google translates to

"The product link is empty, please find the product from the download center page, click download icon to download normally."



#40 RKinner (Malware Expert, MVP, 22,034 posts)

That's really stupid of Realtek. I can't find any other newer ones, so go ahead and run Process Monitor.




#41 phickspc (Topic Starter, Member, 448 posts)

Can't find the process monitor boot log, where is it located?

Edit: Never mind, found it upon app's startup.

These are huge files, I'll have to zip.


Edited by phickspc, 21 November 2019 - 08:08 AM.


#42 phickspc (Topic Starter, Member, 448 posts)

PMLBootLogsv1Pt.1

PMLBootLogsv1Pt.2



#43 RKinner (Malware Expert, MVP, 22,034 posts)

Looks like either SWYH.exe or Thunderbird.exe spinning their wheels.  I'd search for

msconfig

hit Enter

 

then under Startup

uncheck SWYH

then OK and reboot and see if that helps.



#44 phickspc (Topic Starter, Member, 448 posts)

Disabled both under Startup. Rebooted. Still no improvement.

Event viewer errors upon reboot in chronological order:

 

1. Warning 1530 (User Profile Service):

Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL - 0 user registry handles leaked from \Registry\User\S-1-5-21-1925592742-456944920-4000667399-1008_Classes:

2. Error 3 (Kernel-EventTracing):

Session "Microsoft Security Client OOBE" stopped due to the following error: 0xC000000D

3. Error 7011 (Service Control Manager):

A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Dnscache service.

4. Warning 64 (CertificateServicesClient-AutoEnrollment):

Certificate for local system with Thumbprint 70 04 3c 28 93 39 60 37 92 da 92 8f 73 f5 50 86 60 3f bf 27 is about to expire or already expired.

5. Error 10016 (DistributedCOM):

The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}
 and APPID
{344ED43D-D086-4961-86A6-1106F4ACAD9B}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.



#45 RKinner (Malware Expert, MVP, 22,034 posts)

3. Error 7011 (Service Control Manager):

A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Dnscache service.

 

 

This is the only one that could be important. Let's check the files that are involved and make sure they are signed.

 

Open Frst and in the search box put (or copy and paste):

 

dnsapi.dll;dnsrslvr.dll;dnsext.dll;nsisvc.dll;nsiproxy.sys;tcpipcfg.dll

 

Then Search Files

 

You will get one file.  Please post.

 

 



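The FRST search above reports size, date and signature for each file it finds. The script below is an added example, not part of the thread or of FRST: it checks the same six files directly, listing every copy under System32 and SysWOW64 with its Authenticode status, signer and SHA-256, and then shows which DLL the Dnscache service actually loads. The file list comes from the post; the hash helper and its name are mine, and the script assumes Windows PowerShell 3.0 or later in an elevated prompt.

```powershell
# Added example (not from the thread): verify the DNS client components behind the
# 7011 timeout, and confirm where Dnscache loads its service DLL from.
$names = 'dnsapi.dll', 'dnsrslvr.dll', 'dnsext.dll', 'nsisvc.dll', 'nsiproxy.sys', 'tcpipcfg.dll'
$roots = "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64"

# Streamed SHA-256 via .NET so this does not depend on Get-FileHash (PowerShell 4+)
function Get-Sha256Hex([string]$Path) {
    $sha = [Security.Cryptography.SHA256]::Create()
    $fs = [IO.File]::OpenRead($Path)
    try { ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' } finally { $fs.Close() }
}

$results = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -Include $names -File -ErrorAction SilentlyContinue | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            SizeKB    = [math]::Round($_.Length / 1KB, 1)
            Modified  = $_.LastWriteTime
            SigStatus = $sig.Status     # Valid / NotSigned / HashMismatch / UnknownError
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SHA256    = Get-Sha256Hex $_.FullName
        }
    }
}

$results | Sort-Object Path | Format-Table Path, SizeKB, Modified, SigStatus, Signer -AutoSize

# Unsigned, tampered (HashMismatch), or signed by someone other than Microsoft: look closer
$results | Where-Object { $_.SigStatus -ne 'Valid' -or $_.Signer -notlike '*Microsoft*' } |
    Format-List Path, SigStatus, Signer, SHA256

# Dnscache itself: which svchost instance hosts it, and which DLL it maps in.
# A ServiceDll pointing anywhere but System32\dnsrslvr.dll is the finding to chase.
Get-WmiObject -Class Win32_Service -Filter "Name='Dnscache'" | Select-Object Name, State, StartMode, PathName
(Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters').ServiceDll
```

One caveat before treating a `NotSigned` result as suspicious: on Windows 7 most system binaries are signed through security catalogs rather than with an embedded signature, and `Get-AuthenticodeSignature` there does not consult the catalogs, so a genuine file can show `NotSigned`. Confirm with Sysinternals `sigcheck.exe -i <file>`, which does check the catalog, and compare the SHA-256 against a known-good copy from another machine at the same patch level; a `HashMismatch` status, by contrast, means the file was modified after signing and is worth acting on immediately.
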




