
Really slow laptop



#61
BobScott49 (Topic Starter)

I have done that, but the result I get when clicking on Properties > Details is

[attached screenshots: Device Manager_1.jpg, Device Manager.jpg]




#62
RKinner (Malware Expert, MVP)

Click on the little down arrow to the right of Device Description and a drop-down menu will appear. Select Hardware Ids. Then you should see some new info.

Mine says:

UEFI\RES_{7039436b-6acf-433b-86a1-368ec2ef7e1f}&REV_C
UEFI\RES_{7039436b-6acf-433b-86a1-368ec2ef7e1f}

 



#63
BobScott49 (Topic Starter)

I should have seen that.

UEFI\RES_{ce07a014-23aa-4ae5-a7ad-021849fec1bb}&REV_F110000

 



#64
RKinner (Malware Expert, MVP)

I have the same driver on my travel laptop but with a newer rev.

Looking at the HP driver support page

https://support.hp.c.../model/22757794

the only one that has anything to do with UEFI is

HP PC Hardware Diagnostics UEFI     7.4.0.0 Rev.A    41.1 MB    Sep 4, 2019

Look under Diagnostic (3).

See if that fixes the flagged Firmware entry.

Also, go into regedit.exe and navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GuardWareProxy

Right click and Export to your desktop; call it GWP. Then close the registry editor, right click on GWP.reg and choose Edit. This should open it in Notepad. Edit, Select All, then Edit, Copy; now go to a reply and Ctrl + V to paste it.



#65
BobScott49 (Topic Starter)

I installed the update but am still getting the same:

UEFI\RES_{ce07a014-23aa-4ae5-a7ad-021849fec1bb}&REV_F110000

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GuardWareProxy]
"DisplayName"="GuardWareProxy"
"WOW64"=dword:0000014c
"Description"="GuardWareProxy's Redirector service"
"FailureActions"=hex:e0,a5,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,c8,00,00,00,00,00,00,00,c8,00,00,00,00,00,00,00,c8,00,00,00
"DelayedAutoStart"=dword:00000000
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,\
  6d,00,20,00,46,00,69,00,6c,00,65,00,73,00,20,00,28,00,78,00,38,00,36,00,29,\
  00,5c,00,47,00,75,00,61,00,72,00,64,00,77,00,61,00,72,00,65,00,5c,00,49,00,\
  6e,00,74,00,65,00,67,00,72,00,69,00,74,00,79,00,20,00,4d,00,61,00,6e,00,61,\
  00,67,00,65,00,6d,00,65,00,6e,00,74,00,5c,00,47,00,57,00,50,00,72,00,6f,00,\
  78,00,79,00,2e,00,65,00,78,00,65,00,22,00,00,00
"DependOnService"=hex(7):52,00,50,00,43,00,53,00,53,00,00,00,00,00
"ObjectName"="LocalSystem"
"AutorunsDisabled"=dword:00000002



#66
RKinner (Malware Expert, MVP)

Try right clicking on the yellow flagged device, then Update. See if Windows can find an update for you.

Can you search for

services.msc

then hit Enter. Now find

GuardWareProxy

and right click and select Properties. Then go to the Recovery tab and make a screen shot.



#67
BobScott49 (Topic Starter)

I tried that and it said I was using the most up-to-date driver.

[attached thumbnail: Annotation 2020-01-04 221553.jpg]


#68
RKinner (Malware Expert, MVP)

Can you search for

services.msc

then hit Enter. Now find

GuardWareProxy

and right click and select Properties. Then change the Startup Type to Automatic (Delayed Start), then Apply. Does it accept the change? (You may need to check the driver in Autoruns and MSCONFIG first.)

Go back into Device Manager and right click on the yellow tagged HP Firmware, then Properties, then Details. Change Property to Inf Name. Report the file name. Mine is c_firmware.inf; what is yours?

Then go to regedit again and navigate to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UEFI

Right click and Export to your desktop; call it UEFI.

Close regedit, then right click on UEFI.reg on your desktop and choose Edit. Then Edit, Select All, then Edit, Copy, then move to a reply and Paste.



#69
BobScott49 (Topic Starter)

GuardwareProxy accepted the change in Services.

In Device Manager the filename on the firmware is oem8.inf.

 

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UEFI]
"ImagePath"=hex(2):5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,72,\
  00,69,00,76,00,65,00,72,00,53,00,74,00,6f,00,72,00,65,00,5c,00,46,00,69,00,\
  6c,00,65,00,52,00,65,00,70,00,6f,00,73,00,69,00,74,00,6f,00,72,00,79,00,5c,\
  00,75,00,65,00,66,00,69,00,2e,00,69,00,6e,00,66,00,5f,00,61,00,6d,00,64,00,\
  36,00,34,00,5f,00,34,00,66,00,63,00,61,00,66,00,30,00,66,00,63,00,36,00,65,\
  00,61,00,66,00,37,00,35,00,33,00,33,00,5c,00,55,00,45,00,46,00,49,00,2e,00,\
  73,00,79,00,73,00,00,00
"Type"=dword:00000001
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"DisplayName"="@uefi.inf,%UEFI.SvcDesc%;Microsoft UEFI Driver"
"Owners"=hex(7):75,00,65,00,66,00,69,00,2e,00,69,00,6e,00,66,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UEFI\Enum]
"0"="ACPI_HAL\\UEFI\\0"
"Count"=dword:00000001
"NextInstance"=dword:00000001

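A note on reading the exports in #65 and #69, with an added example that is not code from this thread or from Geeks to Go: regedit writes REG_EXPAND_SZ and REG_MULTI_SZ values as hex(2) and hex(7), a comma-separated dump of UTF-16LE bytes wrapped over backslash-continued lines, which is why ImagePath and DependOnService are unreadable as pasted. The Python below parses a .reg export, decodes those encodings, and summarises a Services key the way one checks it during triage: the binary that runs, when it starts, and the account it runs under. Its sample input is a constructed, trimmed copy of the GuardWareProxy export from #65; the Start and Type names are the documented Service Control Manager values, assumed here rather than stated anywhere in the thread.

```python
import re
import struct

# Constructed sample input: a trimmed copy of the GuardWareProxy export
# posted earlier in this thread (hex(2)/hex(7) values kept verbatim).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GuardWareProxy]
"DisplayName"="GuardWareProxy"
"DelayedAutoStart"=dword:00000000
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,\
  6d,00,20,00,46,00,69,00,6c,00,65,00,73,00,20,00,28,00,78,00,38,00,36,00,29,\
  00,5c,00,47,00,75,00,61,00,72,00,64,00,77,00,61,00,72,00,65,00,5c,00,49,00,\
  6e,00,74,00,65,00,67,00,72,00,69,00,74,00,79,00,20,00,4d,00,61,00,6e,00,61,\
  00,67,00,65,00,6d,00,65,00,6e,00,74,00,5c,00,47,00,57,00,50,00,72,00,6f,00,\
  78,00,79,00,2e,00,65,00,78,00,65,00,22,00,00,00
"DependOnService"=hex(7):52,00,50,00,43,00,53,00,53,00,00,00,00,00
"ObjectName"="LocalSystem"
'''

# Service "Start" and "Type" values as documented for the Service Control Manager
# (assumed standard values, not taken from the thread).
START_NAMES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}
TYPE_NAMES = {0x1: "kernel driver", 0x2: "file system driver",
              0x10: "own process", 0x20: "shared process"}


def _join_continuations(text):
    # regedit wraps long hex values: a trailing backslash continues on the next
    # (indented) line, so glue those fragments back into one logical line.
    return re.sub(r"\\\r?\n\s*", "", text)


def decode_value(raw):
    """Decode one .reg right-hand side ("..."/dword:/hex(n):) into a Python value."""
    if raw.startswith('"') and raw.endswith('"'):          # REG_SZ
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):                          # REG_DWORD
        return int(raw[len("dword:"):], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)          # hex:, hex(2):, hex(7): ...
    if not m:
        raise ValueError("unrecognised value syntax: " + raw)
    kind = int(m.group(1)) if m.group(1) else 3            # bare hex: is REG_BINARY
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    if kind in (1, 2):                                     # REG_SZ / REG_EXPAND_SZ, UTF-16LE
        return data.decode("utf-16-le").rstrip("\x00")
    if kind == 7:                                          # REG_MULTI_SZ: NUL-separated list
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    if kind == 4 and len(data) == 4:                       # REG_DWORD written in hex form
        return struct.unpack("<I", data)[0]
    return data                                            # leave other binary as bytes


def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}} for a regedit export."""
    keys, current = {}, None
    for line in _join_continuations(text).splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        name, _, raw = line.partition("=")
        keys[current][name.strip('"')] = decode_value(raw)
    return keys


def describe_service(values):
    """One-line summary of a Services\\<name> key: what runs, when, and as whom."""
    start = START_NAMES.get(values.get("Start"), "?")
    if start == "auto" and values.get("DelayedAutoStart") == 1:
        start = "auto (delayed)"
    return "%s | start=%s | type=%s | account=%s" % (
        values.get("ImagePath", "?"),
        start,
        TYPE_NAMES.get(values.get("Type"), hex(values.get("Type", 0))),
        values.get("ObjectName", "?"),
    )


if __name__ == "__main__":
    for path, values in parse_reg(SAMPLE_REG).items():
        print(path)
        print("  " + describe_service(values))
        print("  depends on:", values.get("DependOnService", []))
```

On that input the decoder yields the path "C:\Program Files (x86)\Guardware\Integrity Management\GWProxy.exe", Start 2 (auto), Type 0x10 (own process), ObjectName LocalSystem and a dependency on RPCSS, which is the information the export was requested for. The same hex(7) handling decodes the HardwareID and CompatibleIDs lists that Enum-tree exports contain.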

#70
RKinner (Malware Expert, MVP)

Now Export:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\UEFI

Also look in C:\Windows\INF. Do you have a file c_firmware.inf? Can you double click on it and, when it opens in Notepad, Edit, Select All, Edit, Copy, then Ctrl + V to a reply?

It may be hidden. To unhide:

http://www.howtogeek...-windows-vista/

Go back into Autoruns and check anything we unchecked. There were several items where Autoruns said there was no file. These can be unchecked.

Also go into msconfig and check anything we unchecked. Reboot and wait about 5 minutes, then run Process Explorer and let's see what the log looks like now.

Also run VEW for System and Application.

Did your new RAM come in yet?




#71
BobScott49 (Topic Starter)

RAM installed.

[attached screenshot: Annotation 2020-01-06 143906.jpg]

I'm probably being stupid again, but what is VEW?


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\UEFI]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\UEFI\RES_{ce07a014-23aa-4ae5-a7ad-021849fec1bb}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\UEFI\RES_{ce07a014-23aa-4ae5-a7ad-021849fec1bb}\0]
"Capabilities"=dword:00000070
"ConfigFlags"=dword:00000000
"ContainerID"="{00000000-0000-0000-ffff-ffffffffffff}"
"HardwareID"=hex(7):55,00,45,00,46,00,49,00,5c,00,52,00,45,00,53,00,5f,00,7b,\
  00,63,00,65,00,30,00,37,00,61,00,30,00,31,00,34,00,2d,00,32,00,33,00,61,00,\
  61,00,2d,00,34,00,61,00,65,00,35,00,2d,00,61,00,37,00,61,00,64,00,2d,00,30,\
  00,32,00,31,00,38,00,34,00,39,00,66,00,65,00,63,00,31,00,62,00,62,00,7d,00,\
  26,00,52,00,45,00,56,00,5f,00,46,00,31,00,31,00,30,00,30,00,30,00,30,00,00,\
  00,55,00,45,00,46,00,49,00,5c,00,52,00,45,00,53,00,5f,00,7b,00,63,00,65,00,\
  30,00,37,00,61,00,30,00,31,00,34,00,2d,00,32,00,33,00,61,00,61,00,2d,00,34,\
  00,61,00,65,00,35,00,2d,00,61,00,37,00,61,00,64,00,2d,00,30,00,32,00,31,00,\
  38,00,34,00,39,00,66,00,65,00,63,00,31,00,62,00,62,00,7d,00,00,00,00,00
"CompatibleIDs"=hex(7):55,00,45,00,46,00,49,00,5c,00,43,00,43,00,5f,00,30,00,\
  30,00,30,00,31,00,30,00,30,00,30,00,31,00,00,00,47,00,65,00,6e,00,46,00,69,\
  00,72,00,6d,00,77,00,61,00,72,00,65,00,52,00,65,00,73,00,6f,00,75,00,72,00,\
  63,00,65,00,00,00,00,00
"ClassGUID"="{f2e7dd72-6468-4e36-b6f1-6488f42c1b52}"
"DeviceDesc"="@oem8.inf,%firmwaredesc%;System Firmware"
"Driver"="{f2e7dd72-6468-4e36-b6f1-6488f42c1b52}\\0000"
"Mfg"="@oem8.inf,%mfgname%;HP Inc."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\UEFI\RES_{ce07a014-23aa-4ae5-a7ad-021849fec1bb}\0\Device Parameters]
"FirmwareVersion"=dword:0f210000
"FirmwareId"="{CE07A014-23AA-4ae5-A7AD-021849FEC1BB}"
"FirmwareFilename"="InsydeSystemFirmware.bin"
"FirmwareStatus"=dword:c0000058

[Version]
Signature = "$WINDOWS NT$"
Class     = Firmware
ClassGuid = {f2e7dd72-6468-4e36-b6f1-6488f42c1b52}
Provider  = %MSFT%
DriverVer = 06/21/2006,10.0.18362.1

[ClassInstall32]
AddReg = ClassInstall_AddReg
AddReg = FirmwareInstall_AddReg

[ClassInstall_AddReg]
HKR,,,,"%ClassDesc%"
HKR,,NoInstallClass,,1
HKR,,IconPath,%REG_MULTI_SZ%,"%%SystemRoot%%\System32\setupapi.dll,-159"
HKR,,"Default Service",,""
HKR,,BootCritical,,1

[FirmwareInstall_AddReg]
HKR,,FirmwareMaxRetryCount,%REG_DWORD%,2

[ControlFlags]
ExcludeFromSelect = *

[Manufacturer]
%MSFT% = Microsoft,NTamd64

[Microsoft.NTamd64]
%FirmwareResourceDesc% = FirmwareResource,,GenFirmwareResource
%SystemFirmwareDesc%   = FirmwareResource,,UEFI\CC_00010001,GenSystemFirmware
%DeviceFirmwareDesc%   = FirmwareResource,,UEFI\CC_00010002,GenDeviceFirmware
%FirmwareDriverDesc%   = FirmwareResource,,UEFI\CC_00010003

[FirmwareResource.NT]
; Nothing

[FirmwareResource.NT.Hw]
AddReg = FirmwareResource_AddReg

[FirmwareResource_AddReg]
HKR,,FirmwareVersion,%REG_DWORD%,0

[Strings]
; localizable strings
MSFT                 = "Microsoft"
ClassDesc            = "Firmware"
FirmwareResourceDesc = "Firmware Resource"
SystemFirmwareDesc   = "System Firmware"
DeviceFirmwareDesc   = "Device Firmware"
FirmwareDriverDesc   = "Firmware Driver"

; non-localizable strings
REG_MULTI_SZ = 0x00010000
REG_DWORD    = 0x00010001

Process    CPU    Private Bytes    Working Set    PID    Description    Company Name    Verified Signer
WmiPrvSE.exe    30.73    6,492 K    14,584 K    6100    WMI Provider Host    Microsoft Corporation    (Verified) Microsoft Windows
System Idle Process    20.57    60 K    8 K    0            
SDXHelper.exe    13.88    4,944 K    16,072 K    8232    Microsoft Office SDX Helper    Microsoft Corporation    (Verified) Microsoft Corporation
procexp64.exe    11.93    35,268 K    69,152 K    5852    Sysinternals Process Explorer    Sysinternals - www.sysinternals.com    (Verified) Microsoft Corporation
SDXHelper.exe    6.85    6,380 K    21,200 K    9656    Microsoft Office SDX Helper    Microsoft Corporation    (Verified) Microsoft Corporation
System    4.08    228 K    14,004 K    4            
csrss.exe    1.53    3,424 K    5,524 K    428    Client Server Runtime Process    Microsoft Corporation    (Verified) Microsoft Windows Publisher
aswidsagent.exe    1.35    24,720 K    38,100 K    5440    Avast Behavior Shield    AVAST Software    (Verified) AVAST Software s.r.o.
AvastSvc.exe    1.28    118,840 K    40,432 K    3308    Avast Antivirus  Service    AVAST Software    (Verified) AVAST Software s.r.o.
Interrupts    1.24    0 K    0 K    n/a    Hardware Interrupts and DPCs        
dwm.exe    1.01    97,176 K    68,320 K    11944    Desktop Window Manager    Microsoft Corporation    (Verified) Microsoft Windows
GWW.exe    0.84    47,496 K    47,912 K    10584    e-Safe Compliance Client Application    Guardware Ltd.    (Verified) Guardware Ltd.
svchost.exe    0.59    13,268 K    30,852 K    60    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
express.exe    0.58    47,040 K    89,616 K    11652    Garmin Express    Garmin Ltd. or its subsidiaries    (Verified) Garmin International, Inc.
OfficeClickToRun.exe    0.55    27,880 K    50,900 K    4392    Microsoft Office Click-to-Run (SxS)    Microsoft Corporation    (Verified) Microsoft Corporation
lsass.exe    0.34    8,360 K    22,216 K    788    Local Security Authority Process    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe    0.32    8,720 K    16,420 K    544    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe    0.32    3,924 K    9,904 K    2496    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
explorer.exe    0.29    61,956 K    133,504 K    10844    Windows Explorer    Microsoft Corporation    (Verified) Microsoft Windows
AvastUI.exe    0.26    26,104 K    43,268 K    512    Avast Antivirus     AVAST Software    (Verified) AVAST Software s.r.o.
svchost.exe    0.24    14,572 K    26,736 K    3800    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe    0.22    2,496 K    7,992 K    3108    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
amddvr.exe    0.17    171,776 K    10,088 K    10052    AMD ReLive: Host Application    Advanced Micro Devices, Inc.    (Verified) Advanced Micro Devices, Inc.
ctfmon.exe    0.15    4,564 K    15,672 K    5564    CTF Loader    Microsoft Corporation    (Verified) Microsoft Windows
EOS Utility.exe    0.09    28,008 K    32,364 K    11468    EOS Utility    Canon INC.    (Verified) Canon Inc.
services.exe    0.08    5,976 K    10,520 K    772    Services and Controller app    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe    0.07    5,292 K    9,368 K    1880    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
AGMService.exe    0.06    3,952 K    13,496 K    4216    Adobe Genuine Software Service    Adobe Systems, Incorporated    (Verified) Adobe Inc.
csrss.exe    0.06    2,500 K    6,264 K    608    Client Server Runtime Process    Microsoft Corporation    (Verified) Microsoft Windows Publisher
SearchIndexer.exe    0.06    29,800 K    33,876 K    6424    Microsoft Windows Search Indexer    Microsoft Corporation    (Verified) Microsoft Windows
svchost.exe    0.05    1,400 K    5,456 K    4152    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe    0.04    2,520 K    7,752 K    2024    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
taskhostw.exe    0.04    6,304 K    15,224 K    4388    Host Process for Windows Tasks    Microsoft Corporation    (Verified) Microsoft Windows
atieclxx.exe    0.03    2,608 K    10,508 K    5628    AMD External Events Client Module    AMD    (Verified) Advanced Micro Devices, Inc.
svchost.exe    0.02    1,400 K    5,864 K    2668    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
psi_tray.exe    0.02    1,476 K    6,888 K    5900    Secunia PSI Tray    Secunia    (Verified) Secunia
EOSUPNPSV.exe    0.02    3,876 K    10,228 K    7792    Canon EOS UPNP Detector    CANON INC.    (Verified) Canon Inc.
AGSService.exe    0.01    3,408 K    14,108 K    4116    Adobe Genuine Software Integrity Service    Adobe Systems, Incorporated    (Verified) Adobe Inc.
GWClient.exe    0.01    6,308 K    18,700 K    3816    e-Safe Compliance Client Service    Guardware Ltd    (Verified) Guardware Ltd.
firefox.exe    0.01    182,004 K    271,576 K    5788    Firefox    Mozilla Corporation    (Verified) Mozilla Corporation
svchost.exe    < 0.01    6,268 K    17,268 K    4184    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
SynTPEnh.exe    < 0.01    8,192 K    20,932 K    584    Synaptics TouchPad 64-bit Enhancements    Synaptics Incorporated    (Verified) Synaptics Incorporated
HPMSGSVC.exe    < 0.01    3,372 K    12,380 K    11148    HP Message Service    HP Inc.    (Verified) HP Inc.
HPWMISVC.exe    < 0.01    3,172 K    11,544 K    3940    HP WMI Service    HP Inc.    (Verified) HP Inc.
Memory Compression    < 0.01    216 K    66,488 K    2736            
svchost.exe    < 0.01    3,308 K    8,360 K    2428    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe    < 0.01    3,104 K    14,744 K    3240    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
RadeonSettings.exe    < 0.01    160,816 K    38,268 K    11460    Radeon Settings: Host Application    Advanced Micro Devices, Inc.    (Verified) Advanced Micro Devices, Inc.
RuntimeBroker.exe    < 0.01    1,664 K    6,928 K    10780    Runtime Broker    Microsoft Corporation    (Verified) Microsoft Windows
RAVBg64.exe    < 0.01    6,508 K    15,968 K    10928    HD Audio Background Process    Realtek Semiconductor    (Verified) Realtek Semiconductor Corp.
firefox.exe    < 0.01    70,504 K    111,324 K    9872    Firefox    Mozilla Corporation    (Verified) Mozilla Corporation
svchost.exe    < 0.01    3,756 K    13,092 K    4472    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
YourPhone.exe    Suspended    13,896 K    35,380 K    5816            (No signature was present in the subject)
wsc_proxy.exe        2,444 K    9,568 K    2620    Avast Antivirus  remediation exe    AVAST Software    (Verified) AVAST Software s.r.o.
WmiPrvSE.exe        3,032 K    9,616 K    9628    WMI Provider Host    Microsoft Corporation    (Verified) Microsoft Windows
wlanext.exe        2,164 K    8,312 K    6996    Windows Wireless LAN 802.11 Extensibility Framework    Microsoft Corporation    (Verified) Microsoft Windows
winlogon.exe        2,916 K    12,356 K    12108    Windows Log-on Application    Microsoft Corporation    (Verified) Microsoft Windows
wininit.exe        1,612 K    7,236 K    708    Windows Start-Up Application    Microsoft Corporation    (Verified) Microsoft Windows Publisher
WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe        15,348 K    44,072 K    7748    WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe    Microsoft Corporation    (Verified) Microsoft Windows
vidnotifier.exe        5,764 K    21,204 K    7160    Video Notifier    Digital Wave Ltd    (Verified) Digital Wave Ltd
unsecapp.exe        1,436 K    6,592 K    6988    Sink to receive asynchronous callbacks for WMI client application    Microsoft Corporation    (Verified) Microsoft Windows
unsecapp.exe        1,588 K    7,016 K    7208    Sink to receive asynchronous callbacks for WMI client application    Microsoft Corporation    (Verified) Microsoft Windows
SynTPHelper.exe        2,356 K    6,704 K    8628    Synaptics Pointing Device Helper    Synaptics Incorporated    (Verified) Synaptics Incorporated
SynTPEnhService.exe        3,476 K    10,148 K    2212    64-bit Synaptics Pointing Enhance Service    Synaptics Incorporated    (Verified) Synaptics Incorporated
svchost.exe        2,052 K    8,052 K    3660    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        46,856 K    51,672 K    2644    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        2,544 K    7,892 K    7420    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        2,752 K    8,624 K    612    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        17,124 K    20,280 K    1496    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        4,364 K    23,968 K    6692    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        5,552 K    13,820 K    1928    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        6,136 K    22,128 K    6372    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        4,592 K    16,400 K    7504    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        6,732 K    15,668 K    1292    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        10,940 K    20,108 K    3596    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        4,120 K    19,748 K    1096    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        3,100 K    10,164 K    1404    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        5,072 K    12,828 K    2200    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        22,608 K    30,772 K    3760    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        2,132 K    7,212 K    3916    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        3,988 K    13,904 K    2964    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        1,560 K    6,012 K    1420    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        2,164 K    7,720 K    2632    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        6,636 K    10,584 K    7580    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        4,096 K    13,660 K    3744    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        5,288 K    14,176 K    4816    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        1,772 K    7,212 K    12164    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        1,920 K    7,300 K    6276    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        2,160 K    11,684 K    1524    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        6,304 K    19,504 K    3176    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        4,968 K    21,224 K    4076    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        2,028 K    6,836 K    2900    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        5,648 K    25,700 K    8208    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        3,236 K    10,072 K    2908    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        2,940 K    13,592 K    2248    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        2,812 K    10,840 K    1276    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        2,536 K    8,688 K    468    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        2,672 K    10,228 K    7576    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        7,080 K    30,180 K    2264    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        2,184 K    8,308 K    11436    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        3,052 K    10,348 K    2004    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        8,684 K    26,524 K    6900    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        2,212 K    9,924 K    1940    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        2,996 K    11,072 K    1444    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        4,176 K    17,724 K    9852    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        1,532 K    5,760 K    5168    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        2,928 K    12,184 K    1316    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        2,332 K    8,736 K    4444    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        2,016 K    7,660 K    2356    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        3,824 K    9,024 K    5404    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        1,904 K    9,044 K    6464    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        1,992 K    8,368 K    1428    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        2,012 K    7,852 K    2800    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        6,436 K    23,544 K    7292    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        2,888 K    8,040 K    3808    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        3,040 K    11,800 K    10068    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        2,092 K    8,188 K    3972    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        1,572 K    6,576 K    2156    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        2,140 K    8,484 K    2756    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        2,124 K    12,084 K    5500    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        1,716 K    6,976 K    4040    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        2,252 K    8,368 K    9052    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        1,860 K    7,828 K    1120    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        2,092 K    8,264 K    3708    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        2,288 K    8,888 K    1452    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        2,072 K    12,240 K    1436    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        2,140 K    9,436 K    1984    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        2,020 K    6,980 K    11268    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        1,640 K    6,648 K    3524    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        1,564 K    7,152 K    1892    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        1,368 K    5,640 K    4012    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        972 K    3,892 K    964    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
StartMenuExperienceHost.exe        34,660 K    78,216 K    7412            (Verified) Microsoft Windows
spoolsv.exe        6,136 K    16,616 K    3560    Spooler SubSystem App    Microsoft Corporation    (Verified) Microsoft Windows
smss.exe        1,156 K    1,152 K    412    Windows Session Manager    Microsoft Corporation    (Verified) Microsoft Windows Publisher
smartscreen.exe        8,552 K    23,428 K    10652    Windows Defender SmartScreen    Microsoft Corporation    (Verified) Microsoft Windows
sihost.exe        6,952 K    28,312 K    11556    Shell Infrastructure Host    Microsoft Corporation    (Verified) Microsoft Windows
ShellExperienceHost.exe    Suspended    13,228 K    52,204 K    10672    Windows Shell Experience Host    Microsoft Corporation    (Verified) Microsoft Windows
SgrmBroker.exe        3,196 K    6,244 K    8732    System Guard Runtime Monitor Broker Service    Microsoft Corporation    (Verified) Microsoft Windows Publisher
SettingSyncHost.exe        2,776 K    5,204 K    10176    Host Process for Setting Synchronization    Microsoft Corporation    (Verified) Microsoft Windows
SecurityHealthService.exe        3,788 K    14,728 K    2992    Windows Security Health Service    Microsoft Corporation    (Verified) Microsoft Windows Publisher
SearchUI.exe    Suspended    97,244 K    166,460 K    10224    Search and Cortana application    Microsoft Corporation    (Verified) Microsoft Windows
RuntimeBroker.exe        5,684 K    18,728 K    9620    Runtime Broker    Microsoft Corporation    (Verified) Microsoft Windows
RuntimeBroker.exe        13,428 K    39,608 K    3492    Runtime Broker    Microsoft Corporation    (Verified) Microsoft Windows
RuntimeBroker.exe        2,680 K    12,832 K    9980    Runtime Broker    Microsoft Corporation    (Verified) Microsoft Windows
RuntimeBroker.exe        6,456 K    24,324 K    8640    Runtime Broker    Microsoft Corporation    (Verified) Microsoft Windows
RuntimeBroker.exe        4,596 K    26,660 K    980    Runtime Broker    Microsoft Corporation    (Verified) Microsoft Windows
RtlS5Wake.exe        4,548 K    14,176 K    9048    Realtek WOWL Utility    Realtek    (Verified) Realtek Semiconductor Corp.
RtkNGUI64.exe        4,780 K    15,032 K    972    Realtek HD Audio Manager    Realtek Semiconductor    (Verified) Realtek Semiconductor Corp.
RtkBtManServ.exe        1,728 K    7,520 K    3124    Realtek Bluetooth BTDevManager Service Application    Realtek Semiconductor Corp.    (Verified) Microsoft Windows Hardware Compatibility Publisher
RtkAudioService64.exe        1,932 K    8,228 K    3028    Realtek Audio Service    Realtek Semiconductor    (Verified) Realtek Semiconductor Corp.
RemindersServer.exe    Suspended    7,628 K    21,468 K    8528    Reminders WinRT OOP Server    Microsoft Corporation    (Verified) Microsoft Windows
Registry        11,920 K    32,904 K    88            
procexp.exe        5,400 K    11,188 K    9080    Sysinternals Process Explorer    Sysinternals - www.sysinternals.com    (Verified) Microsoft Corporation
nlssrv32.exe        2,108 K    8,124 K    3904    This service enables products that use the Nalpeiron Licensing System     Nalpeiron Ltd.    (Certificate expired) Nalpeiron Ltd.
mDNSResponder.exe        2,048 K    6,824 K    3732    Bonjour Service    Apple Inc.    (Verified) Apple Inc.
ijplmsvc.exe        1,688 K    7,636 K    588    Inkjet Printer/Scanner/Fax Extended Survey Program Service        (Verified) Canon Inc.
HxTsr.exe    Suspended    11,120 K    43,940 K    11028    Microsoft Outlook Communications    Microsoft Corporation    (No signature was present in the subject) Microsoft Corporation
HxOutlook.exe    Suspended    83,500 K    132,600 K    10144    Microsoft Outlook    Microsoft Corporation    (No signature was present in the subject) Microsoft Corporation
fontdrvhost.exe        1,568 K    3,436 K    956    Usermode Font Driver Host    Microsoft Corporation    (Verified) Microsoft Windows
fontdrvhost.exe        5,216 K    12,292 K    8516    Usermode Font Driver Host    Microsoft Corporation    (Verified) Microsoft Windows
firefox.exe        131,004 K    169,312 K    11988    Firefox    Mozilla Corporation    (Verified) Mozilla Corporation
firefox.exe        39,924 K    50,008 K    9296    Firefox    Mozilla Corporation    (Verified) Mozilla Corporation
firefox.exe        38,844 K    48,268 K    10024    Firefox    Mozilla Corporation    (Verified) Mozilla Corporation
dllhost.exe        3,920 K    11,128 K    6292    COM Surrogate    Microsoft Corporation    (Verified) Microsoft Windows
dllhost.exe        3,620 K    11,464 K    1576    COM Surrogate    Microsoft Corporation    (Verified) Microsoft Windows
dllhost.exe        2,140 K    12,200 K    7692    COM Surrogate    Microsoft Corporation    (Verified) Microsoft Windows
dllhost.exe        1,636 K    6,908 K    8000    COM Surrogate    Microsoft Corporation    (Verified) Microsoft Windows
conhost.exe        6,636 K    11,056 K    10180    Console Window Host    Microsoft Corporation    (Verified) Microsoft Windows
conhost.exe        6,436 K    10,608 K    7016    Console Window Host    Microsoft Corporation    (Verified) Microsoft Windows
CastSrv.exe        4,068 K    3,616 K    5656    Casting protocol connection listener    Microsoft Corporation    (Verified) Microsoft Windows
BTDevMgr.exe        1,704 K    7,484 K    3880    Realtek Bluetooth BTDevManager Service Application    Realtek Semiconductor Corp.    (Verified) Microsoft Windows Hardware Compatibility Publisher
audiodg.exe        11,848 K    21,852 K    11576    Windows Audio Device Graph Isolation     Microsoft Corporation    (Verified) Microsoft Windows
atiesrxx.exe        1,400 K    6,136 K    2296    AMD External Events Service Module    AMD    (Verified) Advanced Micro Devices, Inc.
armsvc.exe        1,412 K    6,864 K    4048    Adobe Acrobat Update Service    Adobe Systems    (Verified) Adobe Inc.
ApplicationFrameHost.exe        10,468 K    30,668 K    5672    Application Frame Host    Microsoft Corporation    (Verified) Microsoft Windows
app_updater.exe        6,800 K    12,940 K    3964    Digital Wave Update Service    Digital Wave Ltd    (Verified) Digital Wave Ltd
amdow.exe        2,268 K    7,908 K    9352    AMD ReLive: Desktop Overlay    Advanced Micro Devices, Inc.    (Verified) Advanced Micro Devices, Inc.

  • 0
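Added example, not something RKinner or BobScott49 posted: a Python script that reads a Process Explorer save file in the tab-separated layout of the listing above and lists every image whose Verified Signer column says anything other than (Verified). The rows below are copied from the listing with the tab separators assumed (the forum rendering flattened them), the column order is the one procexp writes, and the whole thing runs offline on that sample. The WHQL case (Realtek service signed by "Microsoft Windows Hardware Compatibility Publisher") is a normal verified signature and is not flagged.

```python
import re

# Constructed sample: rows from the Process Explorer listing above, in the
# tab-separated layout procexp writes with File > Save. Column order assumed:
# Process, CPU, Private Bytes, Working Set, PID, Description, Company Name,
# Verified Signer. An empty CPU cell is two adjacent tabs.
SAMPLE = (
    "smss.exe\t\t1,156 K\t1,152 K\t412\tWindows Session Manager\tMicrosoft Corporation\t(Verified) Microsoft Windows Publisher\n"
    "nlssrv32.exe\t\t2,108 K\t8,124 K\t3904\tNalpeiron Licensing System\tNalpeiron Ltd.\t(Certificate expired) Nalpeiron Ltd.\n"
    "HxTsr.exe\tSuspended\t11,120 K\t43,940 K\t11028\tMicrosoft Outlook Communications\tMicrosoft Corporation\t(No signature was present in the subject) Microsoft Corporation\n"
    "RtkBtManServ.exe\t\t1,728 K\t7,520 K\t3124\tRealtek Bluetooth BTDevManager Service Application\tRealtek Semiconductor Corp.\t(Verified) Microsoft Windows Hardware Compatibility Publisher\n"
    "Registry\t\t11,920 K\t32,904 K\t88\t\t\t\n"
    "firefox.exe\t\t131,004 K\t169,312 K\t11988\tFirefox\tMozilla Corporation\t(Verified) Mozilla Corporation\n"
)

# "(Verified) Microsoft Windows" -> status "Verified", signer "Microsoft Windows"
STATUS_RE = re.compile(r"^\((?P<status>[^)]*)\)\s*(?P<signer>.*)$")

def parse_procexp(text):
    """One dict per row; rows with fewer than 8 columns are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 8:
            continue
        name, _cpu, _priv, _ws, pid, _desc, company, verified = fields[:8]
        m = STATUS_RE.match(verified.strip())
        rows.append({
            "name": name.strip(),
            "pid": int(pid) if pid.strip().isdigit() else None,
            "company": company.strip(),
            "status": m.group("status") if m else "",
            "signer": m.group("signer") if m else "",
        })
    return rows

def triage(text):
    """(name, pid, status, note) for every image that did not verify."""
    findings = []
    for r in parse_procexp(text):
        if r["status"] in ("", "Verified"):
            # "" is a pseudo-process (System, Registry): there is no image to check.
            continue
        note = ""
        if "No signature" in r["status"] and r["company"].startswith("Microsoft"):
            # Store/UWP binaries are signed at the AppX package level rather than with
            # embedded Authenticode, so procexp reports them as unsigned. Confirm the
            # image path is under C:\Program Files\WindowsApps before ignoring it.
            note = "check image path: possibly an AppX-packaged binary"
        findings.append((r["name"], r["pid"], r["status"], note))
    return findings

if __name__ == "__main__":
    for name, pid, status, note in triage(SAMPLE):
        print(f"{name:<16} pid={pid:<6} {status}  {note}")
```

On the real export, a process with an expired certificate is usually just old software (the licensing service above), but anything unsigned or signed by a publisher that does not match the company name is what to right-click in Process Explorer and check the image path and VirusTotal column for.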

#72
RKinner
Malware Expert

Can I see oem8.inf, the same way you posted c_firmware.inf?  Should be in C:\Windows\INF

Also go to Device Manager and right-click on the yellow-tagged entry and Uninstall, then reboot.  Does it come back?

Does it seem to boot faster with the extra RAM?

Have we rechecked everything for the Guardware?

Process Explorer is showing that Office is getting an update.  That's these two:

SDXHelper.exe    13.88    4,944 K    16,072 K    8232    Microsoft Office SDX Helper    Microsoft Corporation    (Verified) Microsoft Corporation
SDXHelper.exe    6.85    6,380 K    21,200 K    9656    Microsoft Office SDX Helper    Microsoft Corporation    (Verified) Microsoft Corporation

As you can see they take up over 20% of the CPU.  Hopefully the update will finish soon and they will go away.

WMI is still looking ugly.  Let's run Rogue Killer to make sure there is no infection in WMI:

Rogue Killer

http://www.adlice.co...iller/#download

Portable 64 bits

Download and Save.

Right-click on the downloaded file (RogueKillerX64.exe or RogueKiller.exe) and Run As admin

Start Scan
Start Scan

Will take about 20 minutes to complete.

Open Report
Export TXT (save it to your desktop as rk) Save

Do not let Rogue Killer remove anything until you hear from me.  Leave Rogue Killer up (but minimized) so you won't have to rescan.

Open rk.txt and copy and paste it to your next Reply.

VEW:

1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop:
2. Right-click VEW.exe and Run As Administrator
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning

Then use the 'Number of events' as follows:

1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.

Please post the Output log in your next reply then repeat but select Application.  (Each time you run VEW it overwrites the log so copy the first one to a Reply or rename it before running it a second time.)

  • 0
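Added example, not part of RKinner's instructions: a Python parser for the report VEW writes, so the System and Application logs can be counted by source and event ID instead of read by eye, with the crash records (Application Error, event 1000) split into faulting image, module and exception code. The sample is constructed in VEW's layout from entries like the ones this laptop produces; the "known noise" and "watch" tables are my own classification, not VEW's.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the layout VEW writes: banner, then records separated by
# blank lines (three header lines plus the message). Dates are dd/mm/yyyy as
# VEW's own note says. The entries are modelled on this laptop's logs.
SAMPLE = r"""
Vino's Event Viewer v01c run on Windows 7 in English
Report run at 07/01/2020 08:57:06

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 06/01/2020 21:14:25
Type: Warning Category: 0
Event: 10016 Source: Microsoft-Windows-DistributedCOM
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID  {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}  and APPID  {4839DDB7-58C2-48F5-8283-E1D1807D0D7D}  to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Log: 'Application' Date/Time: 06/01/2020 21:12:33
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: svchost.exe_cbdhsvc, version: 10.0.18362.1, time stamp: 0x32d6c210 Faulting module name: ntdll.dll, version: 10.0.18362.418, time stamp: 0x99ca0526 Exception code: 0xc0000409 Fault offset: 0x00000000000a4238 Faulting process ID: 0x1a24 Faulting application path: C:\WINDOWS\system32\svchost.exe Faulting module path: C:\WINDOWS\SYSTEM32\ntdll.dll

Log: 'Application' Date/Time: 30/12/2019 22:16:22
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, DMWmiBridgeProv1, has been registered in the Windows Management Instrumentation namespace root\cimv2\mdm\dmmap to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
"""

HEADER_RE = re.compile(r"^Log: '(?P<log>[^']+)' Date/Time: (?P<when>\S+ \S+)$")
TYPE_RE = re.compile(r"^Type: (?P<type>\w+) Category: (?P<category>\d+)$")
EVENT_RE = re.compile(r"^Event: (?P<event>\d+) Source: (?P<source>.+)$")

def parse_vew(text):
    """One dict per record; banner, rule lines and malformed blocks are skipped."""
    records = []
    for block in re.split(r"\n\s*\n", text):
        lines = block.strip().splitlines()
        start = next((i for i, l in enumerate(lines) if l.startswith("Log: '")), None)
        if start is None or len(lines) - start < 3:
            continue
        h, t, e = (HEADER_RE.match(lines[start]), TYPE_RE.match(lines[start + 1]),
                   EVENT_RE.match(lines[start + 2]))
        if not (h and t and e):
            continue
        records.append({
            "log": h.group("log"),
            "when": datetime.strptime(h.group("when"), "%d/%m/%Y %H:%M:%S"),
            "type": t.group("type"),
            "event": int(e.group("event")),
            "source": e.group("source").strip(),
            "message": " ".join(lines[start + 3:]),
        })
    return records

# (source, event id) pairs that are expected on a healthy Windows 10 box ...
KNOWN_NOISE = {
    ("Microsoft-Windows-DistributedCOM", 10016): "Microsoft documents these as ignorable",
}
# ... and pairs worth reading one by one rather than counting.
WATCH = {
    ("Microsoft-Windows-WMI", 63): "WMI provider registered as LocalSystem: confirm it is expected (DMWmiBridgeProv/MDMSettingsProv ship with Windows)",
    ("Application Error", 1000): "process crash: read the faulting module and exception code",
}

def summarize(records):
    """Counter keyed by (source, event id)."""
    return Counter((r["source"], r["event"]) for r in records)

CRASH_RE = re.compile(r"Faulting application name: (?P<app>[^,]+),.*?Faulting module name: "
                      r"(?P<module>[^,]+),.*?Exception code: (?P<code>0x[0-9a-fA-F]+)", re.S)

def crashes(records):
    """(app, module, exception code) for each Application Error 1000 record.
    0xC0000409 is STATUS_STACK_BUFFER_OVERRUN, which Windows 8+ also raises for
    __fastfail, so on its own it is a bug report, not evidence of exploitation."""
    out = []
    for r in records:
        if (r["source"], r["event"]) == ("Application Error", 1000):
            m = CRASH_RE.search(r["message"])
            if m:
                out.append((m.group("app"), m.group("module"), int(m.group("code"), 16)))
    return out

def review(text):
    """(source, event, count, tag) per distinct event, most frequent first."""
    report = []
    for key, n in summarize(parse_vew(text)).most_common():
        tag = "noise" if key in KNOWN_NOISE else ("watch" if key in WATCH else "")
        report.append((key[0], key[1], n, tag))
    return report

if __name__ == "__main__":
    for source, event, n, tag in review(SAMPLE):
        print(f"{n:>3}  {source} {event}  {tag}")
    for app, module, code in crashes(parse_vew(SAMPLE)):
        print(f"crash: {app} in {module}, exception 0x{code:08X}")
```

Run it on the two VEW outputs (System, then Application) and the counts show at a glance whether a log is dominated by one repeating source, which is the usual shape of a driver or service problem, while the WMI 63 entries get surfaced separately because a LocalSystem provider is exactly where WMI persistence would hide.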

#73
BobScott49
Topic Starter

After uninstalling the yellow tagged item and rebooting, it came back

Everything is rechecked for Guardware

I don't see any appreciable difference with the extra RAM.  If anything it feels a bit slower rebooting but that may be my imagination.

[Version]
Signature   = "$WINDOWS NT$"
Provider    = %Provider%
Class       = Firmware
ClassGuid   = {f2e7dd72-6468-4e36-b6f1-6488f42c1b52}
DriverVer   = 08/30/2019,15.21.0.0
CatalogFile = delta.cat
PnpLockdown = 1

[Manufacturer]
%MfgName% = Firmware,NTx86,NTamd64,NTarm

[Firmware.NTx86]
%FirmwareDesc% = Firmware_Install,UEFI\RES_{%RES_GUID%}

[Firmware.NTamd64]
%FirmwareDesc% = Firmware_Install,UEFI\RES_{%RES_GUID%}

[Firmware.NTarm]
%FirmwareDesc% = Firmware_Install,UEFI\RES_{%RES_GUID%}

[Firmware_Install.NT]
CopyFiles = Firmware_CopyFiles

[Firmware_CopyFiles]
InsydeSystemFirmware.bin


[Firmware_Install.NT.Hw]
AddReg = Firmware_AddReg

[Firmware_AddReg]
HKR,,FirmwareId,,"{"%RES_GUID%"}"
HKR,,FirmwareVersion,%REG_DWORD%,%BIOS_VER%
HKR,,FirmwareFilename,,InsydeSystemFirmware.bin

[SourceDisksNames]
1 = %DiskName%

[SourceDisksFiles]
InsydeSystemFirmware.bin = 1

[DestinationDirs]
DefaultDestDir = %DIRID_WINDOWS%,Firmware ; %SystemRoot%\Firmware

[Strings]
; localizable
Provider     = "HP Inc."
MfgName      = "HP Inc."
FirmwareDesc = "System Firmware"
DiskName     = "Firmware Update"

; non-localizable
DIRID_WINDOWS = 10
REG_DWORD     = 0x00010001
RES_GUID      = CE07A014-23AA-4ae5-A7AD-021849FEC1BB
BIOS_VER      = 0x0F210000

RogueKiller Anti-Malware V14.0.4.0 (x64) [Jan  6 2020] (Free) by Adlice Software
mail : https://adlice.com/contact/
Website : https://adlice.com/d...ad/roguekiller/
Operating System : Windows 10 (10.0.18362) 64 bits
Started in : Normal mode
User : Bob Scott [Administrator]
Started from : C:\Users\Bob Scott\Downloads\RogueKiller_portable64.exe
Signatures : 20200106_122727, Driver : Loaded
Mode : Standard Scan, Scan -- Date : 2020/01/06 21:23:35 (Duration : 01:48:34)

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Process Modules ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Services ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Tasks ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[Suspicious.Path (Potentially Malicious)] \{4883A0DE-9902-705E-B636-6DDF05F40033}\gorika -- C:\Users\BOBSCO~1\AppData\Local\4883A0~1\gorika.exe [/Kesasilar] -> Found

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Registry ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ WMI ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Hosts File ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Files ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Web browsers ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

Vino's Event Viewer v01c run on Windows 7 in English
Report run at 07/01/2020 08:57:06

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 06/01/2020 21:15:57
Type: Warning Category: 7
Event: 37 Source: Microsoft-Windows-Kernel-Processor-Power
The speed of processor 0 in group 0 is being limited by system firmware. The processor has been in this reduced performance state for 48 seconds since the last report.

Log: 'System' Date/Time: 06/01/2020 21:14:25
Type: Warning Category: 0
Event: 10016 Source: Microsoft-Windows-DistributedCOM
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID  {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}  and APPID  {4839DDB7-58C2-48F5-8283-E1D1807D0D7D}  to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Log: 'System' Date/Time: 06/01/2020 21:14:25
Type: Warning Category: 0
Event: 10016 Source: Microsoft-Windows-DistributedCOM
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID  {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}  and APPID  {4839DDB7-58C2-48F5-8283-E1D1807D0D7D}  to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Log: 'System' Date/Time: 06/01/2020 21:13:41
Type: Warning Category: 0
Event: 34 Source: BTHUSB
The local adapter does not support an important Low Energy controller state to support peripheral mode. The minimum required supported state mask is 0x2491f7fffff; got 0xffffffff. Low Energy peripheral role functionality will not be available.

Log: 'System' Date/Time: 06/01/2020 21:12:49
Type: Warning Category: 0
Event: 10002 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN Extensibility Module has stopped.  Module Path: C:\WINDOWS\system32\Rtlihvs.dll

Log: 'System' Date/Time: 06/01/2020 20:56:45
Type: Warning Category: 0
Event: 10016 Source: Microsoft-Windows-DistributedCOM
The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID  {0358B920-0AC7-461F-98F4-58E32CD89148}  and APPID  {3EB3C877-1F16-487C-9050-104DBCD66683}  to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Log: 'System' Date/Time: 06/01/2020 20:56:44
Type: Warning Category: 0
Event: 10016 Source: Microsoft-Windows-DistributedCOM
The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID  {0358B920-0AC7-461F-98F4-58E32CD89148}  and APPID  {3EB3C877-1F16-487C-9050-104DBCD66683}  to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Log: 'System' Date/Time: 06/01/2020 20:56:42
Type: Warning Category: 0
Event: 10016 Source: Microsoft-Windows-DistributedCOM
The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID  {0358B920-0AC7-461F-98F4-58E32CD89148}  and APPID  {3EB3C877-1F16-487C-9050-104DBCD66683}  to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Log: 'System' Date/Time: 06/01/2020 20:55:59
Type: Warning Category: 0
Event: 134 Source: Microsoft-Windows-Time-Service
NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)

Log: 'System' Date/Time: 06/01/2020 20:55:58
Type: Warning Category: 0
Event: 34 Source: BTHUSB
The local adapter does not support an important Low Energy controller state to support peripheral mode. The minimum required supported state mask is 0x2491f7fffff; got 0xffffffff. Low Energy peripheral role functionality will not be available.

Log: 'System' Date/Time: 06/01/2020 20:55:58
Type: Warning Category: 0
Event: 134 Source: Microsoft-Windows-Time-Service
NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)

Log: 'System' Date/Time: 06/01/2020 14:48:09
Type: Warning Category: 7
Event: 37 Source: Microsoft-Windows-Kernel-Processor-Power
The speed of processor 0 in group 0 is being limited by system firmware. The processor has been in this reduced performance state for 7 seconds since the last report.

Log: 'System' Date/Time: 06/01/2020 14:33:59
Type: Warning Category: 0
Event: 10016 Source: Microsoft-Windows-DistributedCOM
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID  {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}  and APPID  {4839DDB7-58C2-48F5-8283-E1D1807D0D7D}  to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Log: 'System' Date/Time: 06/01/2020 14:33:58
Type: Warning Category: 0
Event: 10016 Source: Microsoft-Windows-DistributedCOM
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID  {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}  and APPID  {4839DDB7-58C2-48F5-8283-E1D1807D0D7D}  to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Log: 'System' Date/Time: 06/01/2020 14:33:38
Type: Warning Category: 0
Event: 34 Source: BTHUSB
The local adapter does not support an important Low Energy controller state to support peripheral mode. The minimum required supported state mask is 0x2491f7fffff; got 0xffffffff. Low Energy peripheral role functionality will not be available.

Log: 'System' Date/Time: 06/01/2020 14:21:41
Type: Warning Category: 0
Event: 34 Source: BTHUSB
The local adapter does not support an important Low Energy controller state to support peripheral mode. The minimum required supported state mask is 0x2491f7fffff; got 0xffffffff. Low Energy peripheral role functionality will not be available.

Log: 'System' Date/Time: 06/01/2020 14:11:01
Type: Warning Category: 0
Event: 34 Source: BTHUSB
The local adapter does not support an important Low Energy controller state to support peripheral mode. The minimum required supported state mask is 0x2491f7fffff; got 0xffffffff. Low Energy peripheral role functionality will not be available.

Log: 'System' Date/Time: 06/01/2020 13:43:44
Type: Warning Category: 0
Event: 10016 Source: Microsoft-Windows-DistributedCOM
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID  {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}  and APPID  {4839DDB7-58C2-48F5-8283-E1D1807D0D7D}  to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Log: 'System' Date/Time: 06/01/2020 13:43:44
Type: Warning Category: 0
Event: 10016 Source: Microsoft-Windows-DistributedCOM
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID  {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}  and APPID  {4839DDB7-58C2-48F5-8283-E1D1807D0D7D}  to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Vino's Event Viewer v01c run on Windows 7 in English
Report run at 07/01/2020 09:14:07

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 07/01/2020 08:20:08
Type: Error Category: 3
Event: 455 Source: ESENT
svchost (4596,R,98) TILEREPOSITORYS-1-5-18: Error -1023 (0xfffffc01) occurred while opening logfile C:\WINDOWS\system32\config\systemprofile\AppData\Local\TileDataLayer\Database\EDB.log.

Log: 'Application' Date/Time: 07/01/2020 07:23:58
Type: Error Category: 3
Event: 455 Source: ESENT
svchost (580,R,98) TILEREPOSITORYS-1-5-18: Error -1023 (0xfffffc01) occurred while opening logfile C:\WINDOWS\system32\config\systemprofile\AppData\Local\TileDataLayer\Database\EDB.log.

Log: 'Application' Date/Time: 07/01/2020 06:34:01
Type: Error Category: 3
Event: 455 Source: ESENT
svchost (10348,R,98) TILEREPOSITORYS-1-5-18: Error -1023 (0xfffffc01) occurred while opening logfile C:\WINDOWS\system32\config\systemprofile\AppData\Local\TileDataLayer\Database\EDB.log.

Log: 'Application' Date/Time: 07/01/2020 02:34:01
Type: Error Category: 3
Event: 455 Source: ESENT
svchost (5116,R,98) TILEREPOSITORYS-1-5-18: Error -1023 (0xfffffc01) occurred while opening logfile C:\WINDOWS\system32\config\systemprofile\AppData\Local\TileDataLayer\Database\EDB.log.

Log: 'Application' Date/Time: 06/01/2020 21:38:33
Type: Error Category: 3
Event: 455 Source: ESENT
svchost (6072,R,98) TILEREPOSITORYS-1-5-18: Error -1023 (0xfffffc01) occurred while opening logfile C:\WINDOWS\system32\config\systemprofile\AppData\Local\TileDataLayer\Database\EDB.log.

Log: 'Application' Date/Time: 06/01/2020 21:27:58
Type: Error Category: 3
Event: 455 Source: ESENT
svchost (2872,R,98) TILEREPOSITORYS-1-5-18: Error -1023 (0xfffffc01) occurred while opening logfile C:\WINDOWS\system32\config\systemprofile\AppData\Local\TileDataLayer\Database\EDB.log.

Log: 'Application' Date/Time: 06/01/2020 21:12:33
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: svchost.exe_cbdhsvc, version: 10.0.18362.1, time stamp: 0x32d6c210 Faulting module name: ntdll.dll, version: 10.0.18362.418, time stamp: 0x99ca0526 Exception code: 0xc0000409 Fault offset: 0x00000000000a4238 Faulting process ID: 0x1a24 Faulting application start time: 0x01d5c49e9abb7c8e Faulting application path: C:\WINDOWS\system32\svchost.exe Faulting module path: C:\WINDOWS\SYSTEM32\ntdll.dll Report ID: 3005e78d-3e73-4b8f-9cca-fa60bc9cf696 Faulting package full name:  Faulting package-relative application ID:

Log: 'Application' Date/Time: 06/01/2020 21:06:42
Type: Error Category: 3
Event: 455 Source: ESENT
svchost (8288,R,98) TILEREPOSITORYS-1-5-18: Error -1023 (0xfffffc01) occurred while opening logfile C:\WINDOWS\system32\config\systemprofile\AppData\Local\TileDataLayer\Database\EDB.log.

Log: 'Application' Date/Time: 06/01/2020 20:56:56
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: HPWMISVC.exe, version: 1.4.25.0, time stamp: 0x5964d21e Faulting module name: combase.dll, version: 10.0.18362.449, time stamp: 0x9401d250 Exception code: 0xc0000005 Fault offset: 0x000fc40d Faulting process ID: 0xf64 Faulting application start time: 0x01d5c49740c0d830 Faulting application path: C:\Program Files (x86)\HP\HP System Event\HPWMISVC.exe Faulting module path: C:\WINDOWS\System32\combase.dll Report ID: 1b59a8c8-6561-4ac6-bfc1-46a4cc80a4ec Faulting package full name:  Faulting package-relative application ID:

Log: 'Application' Date/Time: 06/01/2020 20:56:31
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: HPWMISVC.exe, version: 1.4.25.0, time stamp: 0x5964d21e Faulting module name: wbemprox.dll_unloaded, version: 10.0.18362.1, time stamp: 0x4d13028a Exception code: 0xc00001a5 Fault offset: 0x00003dfb Faulting process ID: 0xf64 Faulting application start time: 0x01d5c49740c0d830 Faulting application path: C:\Program Files (x86)\HP\HP System Event\HPWMISVC.exe Faulting module path: wbemprox.dll Report ID: c752e3b3-9df9-4053-b091-a4fde6f2bf5a Faulting package full name:  Faulting package-relative application ID:

Log: 'Application' Date/Time: 06/01/2020 14:52:34
Type: Error Category: 3
Event: 455 Source: ESENT
svchost (11436,R,98) TILEREPOSITORYS-1-5-18: Error -1023 (0xfffffc01) occurred while opening logfile C:\WINDOWS\system32\config\systemprofile\AppData\Local\TileDataLayer\Database\EDB.log.

Log: 'Application' Date/Time: 06/01/2020 14:43:56
Type: Error Category: 3
Event: 455 Source: ESENT
svchost (7488,R,98) TILEREPOSITORYS-1-5-18: Error -1023 (0xfffffc01) occurred while opening logfile C:\WINDOWS\system32\config\systemprofile\AppData\Local\TileDataLayer\Database\EDB.log.

Log: 'Application' Date/Time: 06/01/2020 14:35:01
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: backgroundTaskHost.exe, version: 10.0.18362.1, time stamp: 0x533f8404 Faulting module name: twinapi.appcore.dll, version: 10.0.18362.1, time stamp: 0x42f071ca Exception code: 0xc000027b Fault offset: 0x00000000000d5cc8 Faulting process ID: 0x77c Faulting application start time: 0x01d5c49e6adf8d39 Faulting application path: C:\WINDOWS\system32\backgroundTaskHost.exe Faulting module path: C:\Windows\System32\twinapi.appcore.dll Report ID: 520e3101-b0a8-45e7-b5e8-e4fd3f752b26 Faulting package full name: Microsoft.Windows.Cortana_1.13.0.18362_neutral_neutral_cw5n1h2txyewy Faulting package-relative application ID: CortanaUI

Log: 'Application' Date/Time: 06/01/2020 14:33:58
Type: Error Category: 0
Event: 100 Source: Bonjour Service
Local Hostname RS-140429774-01.local already in use; will try RS-140429774-2.local instead

Log: 'Application' Date/Time: 06/01/2020 14:33:58
Type: Error Category: 0
Event: 100 Source: Bonjour Service
mDNSCoreReceiveResponse: ProbeCount 2; will deregister    4 RS-140429774-01.local. Addr 192.168.0.3

Log: 'Application' Date/Time: 06/01/2020 14:33:58
Type: Error Category: 0
Event: 100 Source: Bonjour Service
mDNSCoreReceiveResponse: Received from 192.168.0.3:5353   16 RS-140429774-01.local. AAAA 2A02:0C7D:5651:6200:69A6:BEC5:B7B9:076A

Log: 'Application' Date/Time: 06/01/2020 14:33:58
Type: Error Category: 0
Event: 100 Source: Bonjour Service
mDNSCoreReceiveResponse: Resetting to Probing:   16 RS-140429774-01.local. AAAA FE80:0000:0000:0000:69A6:BEC5:B7B9:076A

Log: 'Application' Date/Time: 06/01/2020 14:33:58
Type: Error Category: 0
Event: 100 Source: Bonjour Service
mDNSCoreReceiveResponse: Received from 192.168.0.3:5353   16 RS-140429774-01.local. AAAA 2A02:0C7D:5651:6200:69A6:BEC5:B7B9:076A

Log: 'Application' Date/Time: 06/01/2020 14:33:58
Type: Error Category: 0
Event: 100 Source: Bonjour Service
mDNSCoreReceiveResponse: Resetting to Probing:    4 RS-140429774-01.local. Addr 192.168.0.3

Log: 'Application' Date/Time: 06/01/2020 14:33:58
Type: Error Category: 0
Event: 100 Source: Bonjour Service
mDNSCoreReceiveResponse: Received from 192.168.0.3:5353   16 RS-140429774-01.local. AAAA 2A02:0C7D:5651:6200:69A6:BEC5:B7B9:076A

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 03/01/2020 19:03:39
Type: Warning Category: 3
Event: 472 Source: ESENT
taskhostw (4776,R,98) WebCacheLocal: The shadow header page of file C:\Users\Bob Scott\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat was damaged. The primary header page (32768 bytes) was used instead.

Log: 'Application' Date/Time: 03/01/2020 14:34:58
Type: Warning Category: 7
Event: 508 Source: ESENT
svchost (5512,D,0) Unistore: A request to write to the file "C:\Users\Bob Scott\AppData\Local\Comms\UnistoreDB\store.vol" at offset 6225920 (0x00000000005f0000) for 4096 (0x00001000) bytes succeeded, but took an abnormally long time (22 seconds) to be serviced by the OS. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem.

Log: 'Application' Date/Time: 03/01/2020 12:59:26
Type: Warning Category: 3
Event: 472 Source: ESENT
taskhostw (2548,R,98) WebCacheLocal: The shadow header page of file C:\Users\Bob Scott\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat was damaged. The primary header page (32768 bytes) was used instead.

Log: 'Application' Date/Time: 02/01/2020 22:35:19
Type: Warning Category: 2
Event: 328 Source: DbxSvc
The event description cannot be found.

Log: 'Application' Date/Time: 30/12/2019 22:16:22
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, DMWmiBridgeProv1, has been registered in the Windows Management Instrumentation namespace root\cimv2\mdm\dmmap to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Log: 'Application' Date/Time: 30/12/2019 22:16:22
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, DMWmiBridgeProv1, has been registered in the Windows Management Instrumentation namespace root\cimv2\mdm\dmmap to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Log: 'Application' Date/Time: 30/12/2019 22:16:22
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, DMWmiBridgeProv1, has been registered in the Windows Management Instrumentation namespace root\cimv2\mdm\dmmap to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Log: 'Application' Date/Time: 30/12/2019 22:16:22
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, DMWmiBridgeProv, has been registered in the Windows Management Instrumentation namespace root\cimv2\mdm\dmmap to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Log: 'Application' Date/Time: 30/12/2019 22:16:22
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, DMWmiBridgeProv, has been registered in the Windows Management Instrumentation namespace root\cimv2\mdm\dmmap to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Log: 'Application' Date/Time: 30/12/2019 22:16:22
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, DMWmiBridgeProv, has been registered in the Windows Management Instrumentation namespace root\cimv2\mdm\dmmap to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Log: 'Application' Date/Time: 30/12/2019 22:15:50
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, MDMSettingsProv, has been registered in the Windows Management Instrumentation namespace root\cimv2\mdm to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Log: 'Application' Date/Time: 30/12/2019 22:15:50
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, MDMSettingsProv, has been registered in the Windows Management Instrumentation namespace root\cimv2\mdm to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Log: 'Application' Date/Time: 30/12/2019 22:15:50
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, MDMSettingsProv, has been registered in the Windows Management Instrumentation namespace root\cimv2\mdm to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Log: 'Application' Date/Time: 30/12/2019 22:15:48
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, DSCCoreProviders, has been registered in the Windows Management Instrumentation namespace root\Microsoft\Windows\DesiredStateConfiguration to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Log: 'Application' Date/Time: 30/12/2019 22:15:48
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, DSCCoreProviders, has been registered in the Windows Management Instrumentation namespace root\Microsoft\Windows\DesiredStateConfiguration to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Log: 'Application' Date/Time: 30/12/2019 22:15:48
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, DSCCoreProviders, has been registered in the Windows Management Instrumentation namespace root\Microsoft\Windows\DesiredStateConfiguration to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Log: 'Application' Date/Time: 30/12/2019 22:15:48
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, DMWmiBridgeProv1, has been registered in the Windows Management Instrumentation namespace root\cimv2\mdm\dmmap to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Log: 'Application' Date/Time: 30/12/2019 22:15:48
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, DMWmiBridgeProv1, has been registered in the Windows Management Instrumentation namespace root\cimv2\mdm\dmmap to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Log: 'Application' Date/Time: 30/12/2019 22:15:48
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, DMWmiBridgeProv1, has been registered in the Windows Management Instrumentation namespace root\cimv2\mdm\dmmap to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Log: 'Application' Date/Time: 30/12/2019 22:15:47
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, DMWmiBridgeProv, has been registered in the Windows Management Instrumentation namespace root\cimv2\mdm\dmmap to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.



 


  • 0
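The repeated WMI event 63 warnings in the log above all report a provider registered to run as LocalSystem; the thing to check is how many distinct providers are involved and whether each is expected. As an added triage example (not part of this thread, and not anything the poster ran), the Python below parses a dump in that layout, collapses the repeats to distinct provider/namespace/account triples and flags providers missing from a caller-supplied known list. The sample log is constructed in the form of the excerpt above; the three providers it names ship with Windows (PowerShell DSC and the MDM bridge), so with them on the known list nothing is flagged.

```python
import re
from collections import Counter

# Constructed sample in the layout of the Application-log excerpt above: three distinct records, one repeated.
SAMPLE_LOG = r"""Log: 'Application' Date/Time: 30/12/2019 22:15:48
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, DSCCoreProviders, has been registered in the Windows Management Instrumentation namespace root\Microsoft\Windows\DesiredStateConfiguration to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Log: 'Application' Date/Time: 30/12/2019 22:15:48
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, DSCCoreProviders, has been registered in the Windows Management Instrumentation namespace root\Microsoft\Windows\DesiredStateConfiguration to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Log: 'Application' Date/Time: 30/12/2019 22:15:48
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, DMWmiBridgeProv1, has been registered in the Windows Management Instrumentation namespace root\cimv2\mdm\dmmap to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Log: 'Application' Date/Time: 30/12/2019 22:15:47
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, DMWmiBridgeProv, has been registered in the Windows Management Instrumentation namespace root\cimv2\mdm\dmmap to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
"""
# One record = four lines: header, type, event/source, message.
RECORD_RE = re.compile(
    r"^Log: '(?P<log>[^']+)' Date/Time: (?P<when>\S+ \S+)\nType: (?P<type>\w+) Category: \d+\n"
    r"Event: (?P<event>\d+) Source: (?P<source>\S+)\n(?P<message>.+)$", re.MULTILINE)
# Event 63 message: which provider, in which namespace, under which account.
PROVIDER_RE = re.compile(r"A provider, (?P<provider>[^,]+), has been registered in .*? "
                         r"namespace (?P<namespace>\S+) to use the (?P<account>\S+) account")

def parse_records(text):
    """Split a dump in this layout into one dict per event record."""
    return [m.groupdict() for m in RECORD_RE.finditer(text)]

def provider_registrations(text):
    """Collapse repeated WMI event 63 records to {(provider, namespace, account): count}."""
    counts = Counter()
    for rec in parse_records(text):
        if rec["source"] != "Microsoft-Windows-WMI" or rec["event"] != "63":
            continue
        m = PROVIDER_RE.search(rec["message"])
        if m:  # event 63 can carry other wordings; only count registrations
            counts[(m["provider"], m["namespace"], m["account"])] += 1
    return counts

def unexpected_providers(counts, known):
    """Providers running as LocalSystem that are not on the caller's known list."""
    return sorted(p for (p, _, acct) in counts if acct == "LocalSystem" and p not in known)
```

The known list is the caller's to maintain; an unfamiliar provider name or namespace in that output is what would merit a closer look, not the repeated warnings themselves.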

#74
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP

Go ahead and let Rogue Killer delete

[Suspicious.Path (Potentially Malicious)] \{4883A0DE-9902-705E-B636-6DDF05F40033}\gorika -- C:\Users\BOBSCO~1\AppData\Local\4883A0~1\gorika.exe [/Kesasilar] -> Found

I'll get back to you in a few minutes on the rest.


  • 0

#75
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP

Uninstall:

Bonjour (this is a program to detect Apple products on your local net. You probably do not need it and it's causing errors. If you think you need it you can get a new copy by installing iTunes.)

These are bloatware and I think are causing errors.

HP JumpStart Bridge (HKLM-x32\...\{3FC961DB-BD36-4D8D-B276-0C456A2BB638}) (Version: 1.4.0.441 - HP Inc.)
HP JumpStart Launch (HKLM-x32\...\{F213102E-FD30-4E22-AF73-4C682D65FFEE}) (Version: 1.4.441.0 - HP Inc.)

 

  1. Click on the Start menu and select Settings.
  2. Click on Accounts.
  3. Select Sync Your Settings from the left pane.
  4. Turn off sync settings.

 

 

Get WebCacheKiller from

https://download.cne...4-76641320.html

Download, Save and Run As admin. Then once it installs, search for webcache. The top find should be WebCacheKiller. Right click on it and Run As Admin. OK OK to close the two popups. Then click on Delete Web CacheV01 File.

 

Uninstall WebCacheKiller.

 

Search for

services.msc

hit Enter.

 

STOP the following services:

 

Contact Data_some number

Sync Host_some number

User Data Access_Some Number

User Data Storage_SomeNumber

 

I've got a fixlist for you to fix a couple of other errors. I am assuming you do not use Groove or Zune Music; if you do, then don't run the fixlist. Tell me and I'll make a different fixlist.

 

Download the attached fixlist.txt to the same location as FRST

Attached File  fixlist.txt   1.07KB   127 downloads

Run FRST and press Fix.
A fix log will be generated; please post that.

Reboot if the fix doesn't reboot it for you

Run FRST again as before.  Make sure Addition.txt is checked and hit Scan.  Post both logs.


 

 

 


  • 0
