
ADSs from Tools on Desktop Rootkit Suspected


Hi,

 

I've been having ongoing issues with my PCs and network.

Despite me having an active Internet connection, my ISP's Techs are unable to connect using LMIR.

This problem has been ongoing now since approximately the middle of last year.

I'm running Windows 10 x64 (should be fully updated); however, I'm using a Linux Shell (ESET SysRescue) disc to make this post.

I'm relatively familiar with malware removal, having assisted others many times on forums. I need fresh eyes to look at my problem please.

I've run AdwCleaner. I have also run: JRT, FRST64, MBAR 10, TDSSKiller, ESET Online Scan, ESET SysRescue, SVRT, plus quite a few more tools, all to no avail. I have a fully licensed version of Malwarebytes Installed & up to date.

I am unable to have GMER or ASWMbr complete a scan without ending up at a BSOD. Error is: IRQ Less than or not equal.

FRST64 scans show ADS coming from zipped tools on my Desktop. FRST64 will not update despite it advising that an update has been found. The Desktop is Shared to Public.

The first warning I received that something was amiss was a mass (hundreds) of WMI or WMIC warnings over a few seconds courtesy of Kaspersky Total Security.

I have re-partitioned and reformatted my drives (SSD+HDD) multiple times along with multiple re-installs of Windows.

Windows Defender updates show as downloading and installing, however, as you will see from The FRST logs they do not actually seem to be being applied.

Malwarebytes Active Protection intermittently disables itself and I am unable to restart it without a reboot.

I have also re-flashed the BIOS and updated the Firmware. The initial Spectre/Meltdown Patches have been applied. Still waiting for the latest patches.

I strongly suspect a Rootkit\Backdoor of some description, especially given the inability to scan fully with GMER and ASWMbr. (Note: The initial "Quick Scan" on startup of GMER does complete.)

Other symptoms include:

  • Cursor movement with no local user interaction. Documents closing for no reason.
  • The HDD has vanished on several occasions, requiring me to re-partition and re-format it via Linux Shell.
  • Inability to obtain and maintain a VPN connection.
  • Several "Unknown User" accounts on some files when viewing the Security Tab in Windows.
  • What seem to be intermittent DDoS attacks.
  • Changes in Router Settings without any action by me (or any other local user).
  • Evidence of an apparent workaround for DEP (possibly ASLR) by utilizing Compatibility Mode.
  • DLL Files located in various folders with the text reading Right to Left rather than Left to Right.
  • Presence of an inordinate number of Windows XP and Vista files.
  • On booting to Windows a text file opens from C:\Programdata\Startup called errorlog.txt which has always been blank.
  • Incredibly slow Internet connections on a very fast network.
  • Despite deliberately disabling OneDrive, connections being established to multiple OneDrive and SkyDrive accounts which are not known.
  • Files disappearing for no valid reason.
  • Anti-Virus appears to be working, however, on checking with Kaspersky following submitting diagnostics & receiving emails stating no problem was found, they tell me the submitted data was "Unreadable."
  • Complete loss of Internet functionality at times, for no apparent reason.
  • I have also found what appears to be a Ransomware Demand embedded in Fontcache when using Adlice PE Viewer. The payment amount was 0.37 Bitcoin. Also found in this file was the text string "This Dynasty."
  • When using TCPView, upon starting there may be many tens of connections that rapidly drop off after a few seconds.
  • Autoruns shows an IE Image Hijack.
  • The version of IE reported by most diagnostic software shows as 5.0.
  • Changes in location of the cursor whilst typing without palm interaction with the touchpad.

 

There are probably more pointers that I've forgotten.

I did locate the Malwarebytes reports, however, I am unable to attach them in their native *.json format. I've converted a JSON to TXT and attached that.

I also noted that in C:\programdata I have the subdirectories "Malwarebytes" and "Malwarebytes' Anti-Malware (Portable)".

 

Thanks in advance for your time. It's much appreciated!

 

Thanks,

 

 

Mal

 

 

FRST.txt

Addition.txt

Last_MWB_Scan_JSON_Renamed_TXT.txt


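The ADS that FRST reports on downloaded, zipped tools is usually the Zone.Identifier stream that browsers attach to every download. The following script is an added example, not from this thread or from FRST: it lists every alternate data stream under a folder and decodes Zone.Identifier so that expected streams can be separated from unexpected ones. It assumes Windows PowerShell 5.1 or later on an NTFS volume; the Desktop path is an assumption and can be overridden.

```powershell
# Added example (not from the thread): enumerate alternate data streams (ADS) on the
# files in a folder and decode the Zone.Identifier "mark of the web" stream, so that
# the ADS every downloaded tool carries can be told apart from any other stream.
# Assumes Windows PowerShell 5.1 / PowerShell 7 on an NTFS volume.
param(
    [string]$Path = (Join-Path $env:USERPROFILE 'Desktop')   # assumed folder; override as needed
)

function Get-AdsReport {
    param([Parameter(Mandatory)][string]$Folder)

    $zones = @{ 0 = 'LocalMachine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

    Get-ChildItem -LiteralPath $Folder -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Every NTFS file has the unnamed ':$DATA' stream; anything else is an ADS.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    $detail = ''
                    if ($_.Stream -eq 'Zone.Identifier') {
                        # Zone.Identifier is INI-style text: [ZoneTransfer] / ZoneId=3 / optional HostUrl=...
                        $text = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -Raw -ErrorAction SilentlyContinue
                        if ($text -match 'ZoneId=(\d+)') {
                            $detail = 'ZoneId={0} ({1})' -f $Matches[1], $zones[[int]$Matches[1]]
                        }
                        if ($text -match 'HostUrl=(\S+)') { $detail += ' from ' + $Matches[1] }
                    }
                    [pscustomobject]@{
                        File     = $file.Name
                        Stream   = $_.Stream
                        Bytes    = $_.Length
                        Expected = ($_.Stream -eq 'Zone.Identifier')   # normal for downloaded files
                        Detail   = $detail
                    }
                }
        }
}

# Unexpected streams (Expected = False) sort first so they are the first thing shown.
Get-AdsReport -Folder $Path | Sort-Object Expected, File | Format-Table -AutoSize
```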
  • Root Admin

Hello @Mal_Affected and :welcome:

Based on your logs and your posted information I'd first look at doing a thorough hard disk test. Make sure it passes both SMART, Short Tests, and Long Tests (if provided) using a Manufacturer supplied hard drive diagnostic tool.

If that passes all tests, then let's do a hard reset of your router.

Please review the following website and read it before continuing and then do a Hard Reset back to Factory Defaults for your router.
This information is only for resetting the router DO NOT erase, install, or update the firmware, just reset your router to factory defaults.

Reset And Reboot

Hard reset or 30/30/30

 

You currently have a lot of errors in the Event Logs and many of them are due to networking issues. Please run the above and once done post back your results and we'll go from there.

Thank you

Ron

 


Hi Ron,

 

Thanks for your prompt reply.

The Router, or, rather, Gateway is generally Factory Reset every few days as a matter of routine.

I'll test the discs and see how we go from there. Then I'll reset the Gateway again.

 

Best,

 

Mal


Hello again Ron,

 

Yes, I have run the KVRT. Will re-run it again though.

I'm just checking out what more I can do with the Gateway regarding a Factory Reset beyond the standard. 

It's a newish Gateway and doesn't support WRT.

Sagemcom F@st 5355 is the model. I only have newer ones available due to our delightful(?) NBN in Australia.

 

Cheers,

 

Mal

  • Root Admin

No problem Mal.

I did not ask you to run the KVRT though it's a good tool. I'd like to eliminate any hardware issues first.

For the router, it's okay. As long as you've reset it and you know for a fact it's secure then no issue there.

Please verify, confirm there are no hard drive issues.

 


That's very odd. 

I just noticed I'm getting cross thread notifications. Hence, you'll find a post I deleted as best as possible on another thread. Also explains my reference to KVRT which I will run again anyway.

Apols.

 

Mal


Hello Ron,

 

The manufacturer for my SSD (Samsung) provides very little in the way of functional tools for the drive. I've had to go with a 3rd party option, plus the limited output from Samsung.

The upshot is that the drives both check out fine.

I've checked the SSD using Samsung Magician. The results are good. It did highlight that the manufacturer didn't install the Samsung Driver. The installation of that improved the performance.

To check it more thoroughly I used a tool called AS SSD Benchmark. That too checked fine.

Then to check the SSD and the HDD I used a tool called Diskovery. That shows the SMART data for the HDD to be fine. The SSD also checks out fine.

The Gateway has been factory reset to the maximum possible for the hardware. It was not possible to reset to the extent described in the 30-30-30 due to type.

I took screenshots of the results of the majority of the disc tests in case you wanted them, but would rather not post them publicly if avoidable.

If you need further information, please just ask.

 

Model Name    Samsung SSD 960 EVO 250GB
Byte Description Raw Data
0 Critical Warning 0
2:1 Temperature (K) 13a
3 Available Spare 64
4 Available Spare Threshold a
5 Percentage Used 1
47:32 Data Units Read 1b6dc8a
63:48 Data Units Written 69a5c6
79:64 Host Read Commands fc7351e
95:80 Host Write Commands 4724a2a
111:96 Controller Busy Time 2cd
127:112 Power Cycles 179
143:128 Power On Hours 1d4
159:144 Unsafe Shutdowns 4a
175:160 Media Errors 0
191:176 Number of Error Information Log Entries 2cc
195:192 Warning Composite Temperature Time 0
199:196 Critical Composite Temperature Time 0
201:200 Temperature Sensor 1 13a
203:202 Temperature Sensor 2 150
205:204 Temperature Sensor 3 0
207:206 Temperature Sensor 4 0
209:208 Temperature Sensor 5 0
211:210 Temperature Sensor 6 0
213:212 Temperature Sensor 7 0
215:214 Temperature Sensor 8 0
 
Model Name    WDC WD10JPVX-22JC3T0
ID Description Threshold Current Value Worst Value Raw Data Status
1 Raw Read Error Rate 51 200 200 1 OK
3 Spin Up Time 21 182 179 1900 OK
4 Start/Stop Count 0 90 90 10045 OK
5 Reallocated Sector Count 140 200 200 0 OK
7 Seek Error Rate 0 200 200 0 OK
9 Power-on Hours 0 99 99 819 OK
10 Spin Retry Count 0 100 100 0 OK
11 Drive Calibration Retry Count 0 100 100 0 OK
12 Power-on Count 0 100 100 509 OK
191 Mechanical Shock 0 96 96 4 OK
192 Power off Retract Cycle 0 200 200 159 OK
193 Load/Unload Cycle Count 0 196 196 13366 OK
194 Temperature 0 108 93 39 OK
196 Reallocation Event Count 0 200 200 0 OK
197 Current Pending Sector Count 0 200 200 0 OK
198 Off-Line Uncorrectable Sector Count 0 100 253 0 OK
199 CRC Error Count 0 200 200 0 OK
200 Write Error Rate 0 100 253 0 OK
 

 

I await your further instructions.

 

Thank you again.

 

Mal

 

 

  • Root Admin

No further information needed on the drives.

Now that you've had a few reboots and router reset, please run a new updated FRST scan and post back both logs as an attachment.

Let me have you also run the following.

 

Please download MiniToolBox save it to your desktop and run it.

Checkmark the following check-boxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files


Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using Reset FF Proxy Settings option Firefox should be closed.

 

 

  • Root Admin

Can we temporarily have you uninstall your Kaspersky antivirus?

 

Then download and run this tool from Intel to find driver issues. One of the video drivers on the system is crashing and hopefully this utility will help you to get that issue corrected.

https://www.intel.com/content/www/us/en/support/detect.html

 

Please run MSCONFIG and set it back to NORMAL

Please read the following article concerning the use of MSCONFIG
Msconfig Is Not A Startup Manager

 

Until we're done here, is it possible to remove Glasswire and NordVPN to rule those out as contributing to your issue?

 

 


Thanks Ron.

 

Getting on to those details now.

The changes to MSCONFIG were courtesy of my ISP Tech Support. They disabled several services whilst trying to use LMIR.

Glasswire, NordVPN and Kaspersky are about to go too.

I'll run the Intel tool and see how we fare.

 

Thanks very much,

 

Mal


Hello again Ron,

 

I've done all you asked.

 

I have re-booted several times including once into safe mode. Whilst there I re-ran MBAR with no detections. Malwarebytes upgraded to Ver. 3.4.2 

I also ran a full custom scan with MWB, rootkit detection on and all drives selected. Null result there.

Then ran GMER. Initially it detected MWB and mbae as rootkits on the "startup scan." I proceeded to a full scan which eventually went to BSOD with the message "Driver IRQL Less Than Or Not Equal."

All that was done in Safe Mode.

I noted that MWB, whilst performing the Custom Scan, stalled for approximately 3 minutes on one file. I have taken a screenshot of the file and will try to attach it. It did this in both Safe Mode and Standard.

Would you like me to re-run FRST and MiniToolBox?

 

Note: The 9kb Image(Top) is from Standard Mode MWB scan. The 12kb Image is from MWB Safe Mode Scan.

 

I really appreciate your assistance.

 

Thanks,

 

Mal

MWB Stalls at this FILE_4Mins_Plus_STD_MODE.PNG

MWB Stalls at this FILE_IN_SAFE_MODE.PNG


Hi Ron,

 

As I may be a little tied up during your hours of operation today I'll submit fresh logs after a fair amount of use.

 

I should also advise you that I have WiFi disabled at present due to problems with neighbouring networks. The same applies for the Gateway.

The machine is running in Aircraft Mode and connected to the Gateway via Cat 5 or 6 cable. The cable tests good with cable tester.

You will note in the logs I have labelled one of the faulting files as [GMER] to avoid confusion.

I'll also attach the details I could grab from GMER at crash when run from Windows normal mode, not Safe Mode.

All available Intel updates have been applied as requested. All software requested to be removed has been.

I noted firewall rules for Spotify. I have not and do not use this at any time. Just FYI.

I'll be back with you as soon as possible.

 

Thanks again for your help.

 

Mal

FRST.txt

Addition.txt

MTB.txt

GMER_CRASH_NO_BSOD_STD_MODE.txt

  • Root Admin

This is an odd error - that file name is not valid.

Error: (03/02/2018 08:04:54 PM) (Source: Perflib) (User: )
Description: BITSC:\Windows\System32\bitsperf.dll8

 

Can you verify whether you can find that file:

C:\Windows\System32\bitsperf.dll8

It should just be C:\Windows\System32\bitsperf.dll

Then review this web page and see if you can re-register the file and get it working without error.

https://partnersupport.microsoft.com/en-us/par_servplat/forum/par_winserv/top-issue-error-1008-from-perflib-open-procedure/2104e9f9-62c3-40e1-9bfe-a04027149f04

 

As for the GMER crash, not worried about that. It is very well known to cause many BSOD due to how it operates. Nothing odd or out of the normal shown there.

As for being connected to the "gateway" - what exactly do you mean by that? Problems with other wireless, what do you mean by that? A fully configured and set up wireless network with security should not present any known security issues.

Thanks again

Ron

 


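Ron's instruction above is to verify the library Perflib references for BITS and re-register it. The following script is an added example, not from this thread or the linked Microsoft article: it reads the Performance subkey that Perflib loads the counter DLL from, resolves and checks the DLL named there, reports whether Perflib has already disabled the provider, and lists recent Perflib events with their full message text, in which the service name and DLL path appear as separate quoted fields. It assumes Windows 10 and an elevated PowerShell session; the function names are the example's own.

```powershell
# Added example (not from the thread): inspect the Perflib configuration of a service
# whose counters raise Perflib errors, here BITS. Perflib loads the DLL named by the
# 'Library' value under the service's Performance subkey; if that value or the file is
# wrong the Open procedure fails. Assumes Windows 10 and an elevated PowerShell session.
function Test-PerfCounterProvider {
    param([Parameter(Mandatory)][string]$ServiceName)

    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Performance"
    if (-not (Test-Path -LiteralPath $key)) {
        return [pscustomobject]@{ Service = $ServiceName; KeyPresent = $false }
    }
    $perf = Get-ItemProperty -LiteralPath $key

    # 'Library' may be a bare file name (resolved from System32), a full path, or use %SystemRoot%.
    $lib = [Environment]::ExpandEnvironmentVariables([string]$perf.Library)
    if (-not [IO.Path]::IsPathRooted($lib)) { $lib = Join-Path $env:SystemRoot "System32\$lib" }
    $libExists = Test-Path -LiteralPath $lib -PathType Leaf

    # A Microsoft counter DLL should carry a valid (catalog) signature; anything else deserves a look.
    $sig = if ($libExists) { (Get-AuthenticodeSignature -FilePath $lib).Status } else { 'n/a' }

    # Perflib writes 'Disable Performance Counters' = 1 after repeated provider failures,
    # which silently keeps the provider off until the value is cleared or re-registered.
    $disabled = $perf.'Disable Performance Counters'

    [pscustomobject]@{
        Service      = $ServiceName
        KeyPresent   = $true
        Library      = $perf.Library
        ResolvedPath = $lib
        LibraryFound = $libExists
        Signature    = $sig
        OpenProc     = $perf.Open
        CollectProc  = $perf.Collect
        CloseProc    = $perf.Close
        Disabled     = ($disabled -eq 1)
        FirstCounter = $perf.'First Counter'   # present only once lodctr has registered the names
    }
}

function Get-PerflibErrors {
    param([int]$Newest = 20)
    # Recent Perflib warnings/errors from the Application log; the first message line names the
    # service and the DLL in separate quoted fields, which avoids misreading a run-together report.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = '*Perflib*' } `
                 -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Where-Object { $_.LevelDisplayName -in 'Error', 'Warning' } |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
}

Test-PerfCounterProvider -ServiceName BITS | Format-List
Get-PerflibErrors | Format-Table -AutoSize -Wrap
```

If LibraryFound is false or Disabled is true after the DLL path checks out, the re-registration steps in the linked article are the next thing to try.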
Hello Ron,

 

Regarding being connected to the Gateway\Router, all I mean is that I am using a LAN cable to connect rather than WiFi. The main reason for this is that with our Australian NBN setup each Gateway\Router is shared to Public Wifi, either FON WiFi, Telstra Air or both. Admittedly, this is compartmentalized, however, when you can potentially have many Public Users accessing your connection it has a deleterious effect on performance. The only way to disable this is to disable WiFi.

 

As for the bitsperf.dll, that is turning out to be a tricky one. There is only a bitsperf.dll file in my C:\Windows\System32 folder, no "8" visible. (Size is 24.5kb)

There are several other iterations of the bitsperf.dll file in other folders (not unexpected.) For example:

C:\SysWow64\bitsperf.dll   20.5kb

C:\Windows\WinSxS\wow64_microsoft-windows-bits-perf_31bf3856ad364e35_10.0.16299.15_none_606571cfa62f4eed\bitsperf.dll   20.5kb

C:\Windows\WinSxS\amd64_microsoft-windows-bits-perf_31bf3856ad364e35_10.0.16299.15_none_5610c77d71ce8cf2\bitsperf.dll   24.5kb

 

I attempted both fixes from the URL you supplied. Both failed. I have attached a txt document with the commands and output.

This may be an aside, but I believe it's worth mentioning that I initially searched the Registry for the string in the article to locate the key. The result was null. However, when I manually navigated to it, there it was. Not too sure what's going on there.

I have attached both the bitsctrs.ini and bitsctr.h files with the suffix __.txt to enable me to attach them.

 

I'm thinking I might run an SFC /Scannow followed by a DISM /Online /Cleanup-Image /Restorehealth and see if I'm able to run the fixes thereafter.

 

I have never seen a system behave as this one does and I've been working with them for 40+ years.

 

Any further thoughts will be gratefully received.

 

Thank you,

 

Mal

Attempted_Fixes_BITSPERF.DLL__.txt

bitsctrs.ini___.txt

bitsctr.h__.txt


I just dropped into an Admin Command Prompt and checked the BITS Service.

 

Here's the output:

 

Microsoft Windows [Version 10.0.16299.248]
(c) 2017 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>net stop bits
The Background Intelligent Transfer Service service is stopping..
The Background Intelligent Transfer Service service was stopped successfully.

C:\WINDOWS\system32>net start bits
The Background Intelligent Transfer Service service is starting.
The Background Intelligent Transfer Service service was started successfully.

C:\WINDOWS\system32>

Hello again Ron,

 

Thanks for sticking with this. It has me totally perplexed.

The Desktop is still shared to Public, as are all my libraries.

There are no items in Device Manager that are red or yellow. All seems to be ok there.

The SFC /SCANNOW apparently ran fine.

The DISM /Online /Cleanup-Image /Restorehealth also appeared to run without incident. I read back through the attached logs to a couple of earlier instances of DISM. Here I found what appear to me to be some anomalies. I do not proclaim to be an expert on Win 10 or DISM, however, the earlier logs do appear unusual. I have clearly delineated where I actually invoked the DISM /Online /Cleanup-Image /Restorehealth command in the attached log.

I have not yet attempted the fixes again as I've had a huge number of interruptions today. I will run them as soon as I get a minute. Hopefully now-ish.

Would you mind casting a somewhat more learned eye over the attached DISM log, giving attention not only to the session I invoked but the earlier sessions please? My session starts at marker: 2018-03-03 14:13:44

The Malwarebytes application again updated today to:

-Software Information-
Version: 3.4.3.2394
Components Version: 1.0.320
Update Package Version: 1.0.4184
License: Premium

 

Thank you yet again. I very much appreciate your patience, assistance and advice.

 

Best,

 

Mal

Relevant_DISM_LOG.txt


I just re-ran the Fixes. The same result for BITS I'm afraid.

I'd just flatten the system and start again but when I do so the installer does not seem to be referencing the install DVD, but rather an HDD based image.

This is despite the numerous re-partitionings and re-formattings.

I'm stumped!


Hi Ron,

 

Yes, I do have limited access to other computers. It may take me a little time to get to them and return. What did you have in mind please?

 

I have re-run the BITS fixes following supposed full updating of the O/S back to 16299.248 and it completed - Method 2. However, thereafter, on attempting Method 1, step 2, I got an error.

https://partnersupport.microsoft.com/en-us/par_servplat/forum/par_winserv/top-issue-error-1008-from-perflib-open-procedure/2104e9f9-62c3-40e1-9bfe-a04027149f04

The Registry Key: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Performance on this system is significantly different to the one shown as an example on the above link.

 

Update:

I downloaded the Microsoft Media Creation tool as I was thinking about attempting to burn another Windows Image. When I was on the Microsoft Website it advised me that my computer did not have the most recent major updates installed. I found this somewhat odd as I installed ALL updates.

I'm not completely sure what happened from there, but when I was trying to prepare to "burn" another image, I don't know if I hit the wrong button, or if the program made an executive decision. Anyway, I decided to let it continue. Windows began an update via the Media Creation Tool. When it completed, apparently with no errors, I was back to build 16299.125. That was effectively a downgrade, as I was at 16299.248.

I next inspected the root of the C:\ drive and found the following folders (I would need to refer to previous logs to check if C:\$Sysreset dir was present previously. I have a feeling it was:)

C:\$Sysreset

C:\Windows.~WS

C:\Windows.old

After reviewing (briefly) the install logs from the session, they are peppered with warnings and, toward the end of the process, errors. It appears the install was downgraded at the end. I'm not sure if this is useful, my apologies if it is not. I'm happy to send you the full log via PM or email; it's 99kb. The log below is from C:\$Windows.~WS\Sources\Panther\setupact.log. I'll attach setuperr.log from the same folder. The log may have absolutely no relevance. I did, however, find it unusual that Microsoft would report that my version of Windows required an update, only to end up with a downgrade.

Here are a few of the errors. Many are repeats, some with error number variations only. In some instances I included additional data:

 

2018-03-04 05:29:11, Error                 MOUPG  CInstallUI::GetDefaultLanguage(1785): Result = 0x80070002[gle=0x00000002]

2018-03-04 05:29:12, Warning               MOUPG  SetupHost: Unexpected scenario - defaulting postoobe/rollback commands!

2018-03-04 05:29:12, Warning               MOUPG  ConnectToSourceUrl: Unable to retrieve proxy info for URL -> [0x2f94].

2018-03-04 05:29:16, Warning               MOUPG  CSetupDiagnostics::ReportData - Not reporting WINDLP data point [0x2002]

 

2018-03-04 05:29:31, Info                  MOUPG  ConnectToSourceUrl: Port: [443], Secure -> [TRUE]
2018-03-04 05:29:31, Info                  MOUPG  ConnectToSourceUrl: No IE proxy settings.
2018-03-04 05:29:31, Info                  MOUPG  ConnectToSourceUrl: Trying auto-detect...
2018-03-04 05:29:31, Warning               MOUPG  ConnectToSourceUrl: Unable to retrieve proxy info for URL -> [0x2f94].
 

 

2018-03-04 05:32:29, Warning               MOUPG  CSetupDiagnostics::ReportData - Not reporting WINDLP data point [0x2004]
2018-03-04 05:32:29, Warning               MOUPG  CSetupDiagnostics::ReportData - Not reporting WINDLP data point [0x2003]

2018-03-04 05:32:29, Warning               MOUPG  CSetupDiagnostics::ReportData - Not reporting WINDLP data point [0x2002]

2018-03-04 05:33:02, Warning               MOUPG  CSetupDiagnostics::ReportData - Not reporting WINDLP data point [0x2004]
2018-03-04 05:33:02, Warning               MOUPG  CSetupDiagnostics::ReportData - Not reporting WINDLP data point [0x2003]
2018-03-04 05:33:02, Warning               MOUPG  CSetupDiagnostics::ReportData - Not reporting WINDLP data point [0x2001]

2018-03-04 05:33:02, Warning               MOUPG  CSetupDiagnostics::ReportData - Not reporting WINDLP data point [0x2004]
2018-03-04 05:33:02, Warning               MOUPG  CSetupDiagnostics::ReportData - Not reporting WINDLP data point [0x2000]
2018-03-04 05:33:02, Warning               MOUPG  CSetupDiagnostics::ReportData - Not reporting WINDLP data point [0x3000]

2018-03-04 05:33:02, Warning               MOUPG  CSetupDiagnostics::ReportData - Not reporting WINDLP data point [0x1001]

2018-03-04 05:40:01, Warning               MOUPG  CSetupDiagnostics::ReportData - Not reporting WINDLP data point [0x1005]
2018-03-04 05:40:01, Warning               MOUPG  CSetupDiagnostics::ReportData - Not reporting WINDLP data point [0x1006]

2018-03-04 05:40:01, Warning               MOUPG  CSetupDiagnostics::ReportData - Not reporting WINDLP data point [0x1003]
2018-03-04 05:40:01, Warning               MOUPG  CSetupDiagnostics::ReportData - Not reporting WINDLP data point [0x1004]
2018-03-04 05:40:01, Warning               MOUPG  CSetupDiagnostics::ReportData - Not reporting WINDLP data point [0x1007]
2018-03-04 05:40:01, Warning               MOUPG  CSetupDiagnostics::ReportData - Not reporting WINDLP data point [0x1002]

2018-03-04 05:40:01, Warning               MOUPG  CSetupDiagnostics::ReportData - Not reporting WINDLP data point [0x2002]

2018-03-04 05:40:11, Info                  MOUPG  RecoverCrypto: Successfully recovered the WIM file
2018-03-04 05:40:11, Warning               MOUPG  CSetupDiagnostics::ReportData - Not reporting WINDLP data point [0x2101]
2018-03-04 05:40:11, Warning               MOUPG  CSetupDiagnostics::ReportData - Not reporting WINDLP data point [0x2100]
2018-03-04 05:40:11, Info                  MOUPG  RecoverCrypto: Leaving Execute Method
2018-03-04 05:40:11, Warning               MOUPG  CSetupDiagnostics::ReportData - Not reporting WINDLP data point [0x2004]
2018-03-04 05:40:11, Warning               MOUPG  CSetupDiagnostics::ReportData - Not reporting WINDLP data point [0x2003]
2018-03-04 05:40:11, Info                  MOUPG  ProgressHandlerAction: Sending final progress message for action [0].

2018-03-04 05:40:11, Info                  MOUPG  Waiting for actions thread to exit.
2018-03-04 05:40:11, Info                  MOUPG  Actions thread has exited.
2018-03-04 05:40:11, Warning               MOUPG  CSetupDiagnostics::ReportData - Not reporting WINDLP data point [0x2004]
2018-03-04 05:40:11, Warning               MOUPG  CSetupDiagnostics::ReportData - Not reporting WINDLP data point [0x2000]
2018-03-04 05:40:11, Warning               MOUPG  CSetupDiagnostics::ReportData - Not reporting WINDLP data point [0x3000]
2018-03-04 05:40:11, Info                  MOUPG  DlpTask: Leaving Execute Method

2018-03-04 05:40:11, Info                  MOUPG  ProgressHandlerAction: Sending initial progress message for action [0].
2018-03-04 05:40:11, Warning               MOUPG  CSetupDiagnostics::ReportData - Not reporting WINDLP data point [0x2002]
2018-03-04 05:40:11, Info                  MOUPG  CInstallUI::OnActionChanged

2018-03-04 05:41:29, Info                  MOUPG  WimLayout: Attempting to delete file [C:\ESD\Download\installx64.esd]
2018-03-04 05:41:30, Info                  MOUPG  WimLayout: File deleted successfully.
2018-03-04 05:41:30, Info                  MOUPG  WimLayout: Leaving Execute Method
2018-03-04 05:41:30, Warning               MOUPG  CSetupDiagnostics::ReportData - Not reporting WINDLP data point [0x2004]
2018-03-04 05:41:30, Warning               MOUPG  CSetupDiagnostics::ReportData - Not reporting WINDLP data point [0x2003]
2018-03-04 05:41:30, Info                  MOUPG  ProgressHandlerAction: Sending final progress message for action [0].
2018-03-04 05:41:30, Info                  MOUPG  ProgressHandlerAction FinalUpdate: 0x0, 0x64 / 0x64, 0x5E
2018-03-04 05:41:30, Info                  MOUPG  Action: 100%, Delta: 78.52s, 100 ticks, Avg: 1.274 ticks/s
2018-03-04 05:41:30, Info                  MOUPG  Action progress: [100%]

2018-03-04 05:41:30, Info                  MOUPG  Waiting for actions thread to exit.
2018-03-04 05:41:30, Info                  MOUPG  Actions thread has exited.
2018-03-04 05:41:30, Warning               MOUPG  CSetupDiagnostics::ReportData - Not reporting WINDLP data point [0x2004]
2018-03-04 05:41:30, Warning               MOUPG  CSetupDiagnostics::ReportData - Not reporting WINDLP data point [0x2000]
2018-03-04 05:41:30, Warning               MOUPG  CSetupDiagnostics::ReportData - Not reporting WINDLP data point [0x3000]
2018-03-04 05:41:30, Info                  MOUPG  DlpTask: Leaving Execute Method
2018-03-04 05:41:30, Info                  MOUPG  SetupManager: Successfully completed current mode
2018-03-04 05:41:30, Info                  MOUPG  CSetupUIManager: Showing exiting Setup
2018-03-04 05:41:30, Info                  MOUPG  CInstallUI::ShowExitingSetup: Posted MSG_INSTALLUI_SWITCH_TO_PROGRESS_PAGE

2018-03-04 05:41:30, Info                  MOUPG  CreateTask: Name = [Exit], WorkingPath = [C:\$Windows.~WS\Sources], TransportId = [00000000-0000-0000-0000-000000000000], Flags = [0x0]
2018-03-04 05:41:30, Info                  MOUPG  Finalize: Entering Prepare Method
2018-03-04 05:41:30, Info                  MOUPG  Finalize: Leaving Prepare Method
2018-03-04 05:41:30, Info                  MOUPG  DlpTask: Entering Execute Method
2018-03-04 05:41:30, Info                  MOUPG  DlpTask: Transport not set. Skipping download phase.
2018-03-04 05:41:30, Info                  MOUPG  DlpTask: Executing Actions...
2018-03-04 05:41:30, Info                  MOUPG  Action execution thread timeout period: [1000 ms]
2018-03-04 05:41:30, Error                 MOUPG  CSetupManager::GetDUSetupResults(5499): Result = 0x80070490
2018-03-04 05:41:30, Info                  MOUPG  InitializeRoutine: MOSETUP_ACTION_IMAGE_EXIT
2018-03-04 05:41:30, Info                  MOUPG  ImageExit: Initializing SetupResult: [0x0]
2018-03-04 05:41:30, Info                  MOUPG  ImageExit: Initializing Extended:    [0xb0003]
2018-03-04 05:41:30, Info                  MOUPG  ImageExit: Initializing Scenario:    [7]
2018-03-04 05:41:30, Info                  MOUPG  ImageExit: Initializing Mode:        [8]
2018-03-04 05:41:30, Info                  MOUPG  ImageExit: Initializing Target:      [C]
2018-03-04 05:41:30, Info                  MOUPG  ImageExit: Initializing SQM:         [FALSE]
2018-03-04 05:41:30, Info                  MOUPG  ImageExit: Initializing PostReboot:  [FALSE]
2018-03-04 05:41:30, Info                  MOUPG  CInstallUI::CInstallUIMessageWindow::SwitchToProgressPage
2018-03-04 05:41:30, Info                  MOUPG  CInstallUI::SwitchToProgressPage
2018-03-04 05:41:30, Info                  MOUPG  ProgressHandlerAction: Sending initial progress message for action [0].
2018-03-04 05:41:30, Warning               MOUPG  CSetupDiagnostics::ReportData - Not reporting WINDLP data point [0x2002]
2018-03-04 05:41:30, Info                  MOUPG  CInstallUI::OnActionChanged
2018-03-04 05:41:30, Info                  MOUPG  CInstallUI::OnActionChanged: Exit is requested. Ignoring OnActionChanged
2018-03-04 05:41:30, Info                  MOUPG  Finalize: Entering Execute Method
2018-03-04 05:41:30, Info                  MOUPG  MoSetupPlatform: Loading Setup Platform...
2018-03-04 05:41:30, Info                  MOUPG  MoSetupPlatform: Determine if the expected version of Setup Platform has been loaded...
2018-03-04 05:41:30, Info                  MOUPG  MoSetupPlatform: Platform and Setup binaries match!
2018-03-04 05:41:30, Info                  MOUPG  MoSetupPlatform: Attempting resurrect of Setup Platform object...
2018-03-04 05:41:30, Info                  MOUPG  MoSetupPlatform: Creating Setup Platform object...
2018-03-04 05:41:30, Info                  MOUPG  MoSetupPlatform: Setup Platform object created!
2018-03-04 05:41:30, Info                  MOUPG  MoSetupPlatform: Enable diagnosis mode
2018-03-04 05:41:30, Info                  MOUPG  MoSetupPlatform: Setting Correlation vector
2018-03-04 05:41:30, Info                  MOUPG  MoSetupPlatform: Persisting telemetry data
2018-03-04 05:41:30, Info                  MOUPG  MoSetupPlatform: Restartable
2018-03-04 05:41:30, Info                  MOUPG  MoSetupPlatform: Not persisting telemetry data
2018-03-04 05:41:30, Info                  MOUPG  MoSetupPlatform: Resurrecting NewSystem object from [C:\$Windows.~BT\Sources]
2018-03-04 05:41:30, Warning               MOUPG  ImageExit: Unable to resurrect NewSystem object. hr=0x80070002
2018-03-04 05:41:30, Info                  MOUPG  CSetupDiagnostics: Tracing Data [STRING] -> [SetupBuildString]=[10.0.16299.15.x86fre.rs3_release.170928-1534] [ *EDIT TO REMOVE KEY VALUE - MAL* ][][][0x7]

2018-03-04 05:41:30, Info                  MOUPG  CSetupDiagnostics: Tracing Data [STRING] -> [HostOsInstallationType]=[Client] [*EDIT TO REMOVE KEY VALUE - MAL* ][][][0x7]
2018-03-04 05:41:30, Info                  MOUPG  CSetupDiagnostics: Tracing Data [STRING] -> [HostOsSkuName]=[Windows 10 Home] [*EDIT TO REMOVE KEY VALUE - MAL* ][][][0x7]
2018-03-04 05:41:30, Info                  MOUPG  CSetupDiagnostics: Tracing Data [STRING] -> [HostOsBranchName]=[rs3_release] [*EDIT TO REMOVE KEY VALUE - MAL* ][][][0x7]
2018-03-04 05:41:30, Info                  MOUPG  CSetupDiagnostics: Tracing Data [STRING] -> [SourceOsEditionId]=[Core] [*EDIT TO REMOVE KEY VALUE - MAL* ][][][0x7]
2018-03-04 05:41:30, Info                  MOUPG  CSetupDiagnostics: Tracing Data [STRING] -> [SourceOsLanguage]=[en-US] [*EDIT TO REMOVE KEY VALUE - MAL* ][][][0x7]
2018-03-04 05:41:30, Warning               MOUPG  Finalize: Compat instance not found.
2018-03-04 05:41:30, Info                  MOUPG  Finalize: Requesting ASIMOV upload.
2018-03-04 05:41:30, Info                  MOUPG  Finalize: Reporting result value: [0x0]
2018-03-04 05:41:30, Info                  MOUPG  CSetupDiagnostics: Tracing Data [DWORD] -> [Setup360MappedResult]=[0x0] [*EDIT TO REMOVE KEY VALUE - MAL* ][][][0x7]
2018-03-04 05:41:30, Info                  MOUPG  CSetupDiagnostics: Tracing Data [DWORD] -> [Setup360Result]=[0x0] [*EDIT TO REMOVE KEY VALUE - MAL* ][][][0x7]
2018-03-04 05:41:30, Info                  MOUPG  CSetupDiagnostics: Tracing Data [DWORD] -> [Setup360Extended]=[0xB0003] [*EDIT TO REMOVE KEY VALUE - MAL* ][][][0x7]
2018-03-04 05:41:30, Info                  MOUPG  CSetupDiagnostics: Tracing Data [CUSTOM] -> [WindowsUpdateExit] -> [Web360][*EDIT TO REMOVE KEY VALUE - MAL* ][][][0x7]
2018-03-04 05:41:30, Info                  MOUPG  CSetupDiagnostics: Tracing Data [CUSTOM] -> [UnexpectedEvent] -> [Web360][*EDIT TO REMOVE KEY VALUE - MAL* ][][*EDIT TO REMOVE KEY VALUE - MAL* ][][Succeeded][Windows 10 Home][16299][7][8][0x0][0xB0003][16299]
2018-03-04 05:41:30, Info                  MOUPG  Finalize: Retrieving downlevel ticks from registry...
2018-03-04 05:41:30, Info                  MOUPG  Finalize: Converting [147] downlevel ticks to seconds...
2018-03-04 05:41:30, Info                  MOUPG  Finalize: Reporting total downlevel time: [735 seconds]
2018-03-04 05:41:30, Info                  MOUPG  CSetupDiagnostics: Tracing Data [DWORD] -> [Setup360DownlevelTime]=[0x2DF] [*EDIT TO REMOVE KEY VALUE - MAL* ][][][0x7]
2018-03-04 05:41:30, Info                  MOUPG  MoSetupPlatform: SuspendAndReleasing Setup Platform object...
2018-03-04 05:41:32, Info                  MOUPG  MoSetupPlatform: Setup Platform object released!
2018-03-04 05:41:32, Info                  MOUPG  Finalize: Leaving Execute Method
2018-03-04 05:41:32, Warning               MOUPG  CSetupDiagnostics::ReportData - Not reporting WINDLP data point [0x2004]
2018-03-04 05:41:32, Warning               MOUPG  CSetupDiagnostics::ReportData - Not reporting WINDLP data point [0x2003]
2018-03-04 05:41:32, Warning               MOUPG  CSetupDiagnostics::ReportData - Not reporting WINDLP data point [0x2001]
2018-03-04 05:41:32, Info                  MOUPG  ProgressHandlerAction: Sending final progress message for action [0].
2018-03-04 05:41:32, Info                  MOUPG  ProgressHandlerAction FinalUpdate: 0x0, 0x0 / 0x0, 0x0
2018-03-04 05:41:32, Info                  MOUPG  ProgressHandlerAction: Sending final progress message for action [0].
2018-03-04 05:41:32, Info                  MOUPG  ProgressHandlerAction FinalUpdate: 0x0, 0x0 / 0x0, 0x0
2018-03-04 05:41:32, Info                  MOUPG  Waiting for actions thread to exit.
2018-03-04 05:41:32, Info                  MOUPG  Actions thread has exited.
2018-03-04 05:41:32, Warning               MOUPG  CSetupDiagnostics::ReportData - Not reporting WINDLP data point [0x2004]
2018-03-04 05:41:32, Warning               MOUPG  CSetupDiagnostics::ReportData - Not reporting WINDLP data point [0x2000]
2018-03-04 05:41:32, Warning               MOUPG  CSetupDiagnostics::ReportData - Not reporting WINDLP data point [0x3000]
2018-03-04 05:41:32, Info                  MOUPG  DlpTask: Leaving Execute Method
2018-03-04 05:41:32, Info                  MOUPG  SetupManager: Launching setup.
2018-03-04 05:41:32, Info                  MOUPG  SetupMgr: Deleting environment variable SP_UPLOAD_ASIMOV.
2018-03-04 05:41:38, Info                  MOUPG  SetupManager: Requesting cleanup level [0x1] from parent process.
2018-03-04 05:41:38, Info                  MOUPG  SetupManager: Resetting WinDlp state for full cleanup...
2018-03-04 05:41:38, Error                 MOUPG  CDlpTask::Cancel(979): Result = 0xC1800104
2018-03-04 05:41:38, Error                 MOUPG  CDlpTask::Cancel(979): Result = 0xC1800104
2018-03-04 05:41:38, Error                 MOUPG  CDlpTask::Cancel(979): Result = 0xC1800104
2018-03-04 05:41:38, Error                 MOUPG  CDlpTask::Cancel(979): Result = 0xC1800104
2018-03-04 05:41:38, Info                  MOUPG  CInstallUI::Quit: Posted MSG_INSTALLUI_FORCE_QUIT
2018-03-04 05:41:38, Info                  MOUPG  CInstallUI::CInstallUIMessageWindow::ForceQuit
2018-03-04 05:41:38, Info                  MOUPG  Force ending Message pump
2018-03-04 05:41:38, Info                  MOUPG  CInstallUI::ExitInstance
2018-03-04 05:41:38, Info                  MOUPG  SetupUI: Calling PowerClearRequest with type [0x1]...
2018-03-04 05:41:38, Info                  MOUPG  SetupUI: Power request cleared!
2018-03-04 05:41:38, Info                  MOUPG  **************** SetupHost Logging End ****************

I'll be interested in your thoughts if any.

Thank you.

Mal

setuperr.log
  • Root Admin

Without a bit of research as to the numbers, normally it's not a downgrade for Microsoft. They basically reinstall Windows and move the original install to C:\Windows.old

So, in theory, even with all those errors you should have a reasonably new install of Windows (though it's not a clean install and does bring parts of the bad with it to this install), and I'd be curious to know what application issues you're now experiencing. Hopefully most things work now as they should, or close to as they should. I was actually going to suggest building a new installer USB disk and trying to do some repair work, but it looks like Microsoft beat us to it. I would find it hard to believe there were too many critical errors, otherwise Microsoft would have aborted and rolled back to your previous install.

Please explore the current new version of Windows and let me know what issues you're still having, if any.

Thanks

Ron

Hello Ron,

Thank you for your kind support, assistance and time. It's greatly appreciated!

I'll run with this config, as you suggested, for a while and see how it goes.

I'm still a little puzzled at the alternate data streams coming from a number of the files on the desktop. I have no explanation for their existence. If you have any ideas, please let me know. I'm tossing up putting together a "fixlist" to terminate them, but, as I don't know what I'm terminating, I'm a little hesitant.

I also can't understand why the desktop is still shared to Public. I locked the desktop down with Defender, but that's a temporary fix only. I'm now getting warnings regarding changes to the folders %common_desktop% and %desktopdirectory% for any program that attempts to alter anything on the desktop, whether it's permitted through the "exclusion" or not. I'll research that too.

I'm assuming you believe the computer to be "clean" now? Please advise if this is correct.

If you're aware of a decent "log parser" for FRST, I'd be grateful if you would advise me.

I'll let you know how things run over the next few days.

Thanks again & take care.

Regards,

Mal
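
The two open questions in the post above (where the alternate data streams on the desktop files come from, and whether the Desktop is really exposed to the network) can be checked directly rather than guessed at. The PowerShell below is an added example for this thread, not code from the poster, from Malwarebytes, or from FRST or any other tool named in it. It assumes an elevated Windows PowerShell 5.1 prompt (it also runs under PowerShell 7); folder paths come from the OS and nothing else is assumed. One fact worth knowing before building a fixlist: browsers and Explorer's zip handling attach a `Zone.Identifier` stream (the Mark of the Web) to files downloaded from the Internet zone, so a stream of that name on a downloaded tool archive is the normal case, and only streams with other names need a closer look.

```powershell
# Added example (not from the thread or any tool mentioned in it): triage the two
# puzzles in the post above on a live system. Windows PowerShell 5.1 or later, elevated.
# Folder paths are read from the OS; nothing else is assumed.

$Desktops = @(
    [Environment]::GetFolderPath('Desktop')                 # %DesktopDirectory%
    [Environment]::GetFolderPath('CommonDesktopDirectory')  # %Common_Desktop%, normally C:\Users\Public\Desktop
)

# 1. Which files carry alternate data streams, and what is in them?
#    'Zone.Identifier' (Mark of the Web) is attached to downloads; 'ZoneId=3' means
#    Internet zone. Any stream with a different name deserves a closer look.
function Get-DesktopStreams {
    param([string[]]$Folders = $Desktops)
    foreach ($folder in $Folders) {
        Get-ChildItem -LiteralPath $folder -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            # Skip the default (unnamed) data stream, which every file has
            $streams = Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
                       Where-Object { $_.Stream -ne ':$DATA' }
            foreach ($s in $streams) {
                $stream = $s.Stream
                if ($stream -eq 'Zone.Identifier') {
                    # MOTW is plain text; show it as written
                    $preview = Get-Content -LiteralPath $file -Stream $stream -Raw -ErrorAction SilentlyContinue
                } else {
                    # Unknown stream: show the first 32 bytes as hex rather than trusting it as text
                    $bytes = if ($PSVersionTable.PSVersion.Major -ge 6) {
                        Get-Content -LiteralPath $file -Stream $stream -AsByteStream -TotalCount 32
                    } else {
                        Get-Content -LiteralPath $file -Stream $stream -Encoding Byte -TotalCount 32
                    }
                    $preview = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ' '
                }
                [pscustomobject]@{
                    File     = $file
                    Stream   = $stream
                    Bytes    = $s.Length
                    Expected = ($stream -eq 'Zone.Identifier')
                    Preview  = $preview
                }
            }
        }
    }
}

# 2. Is the Desktop really reachable over the network, and by whom?
#    A folder is exposed only through an SMB share whose path covers it. The
#    administrative shares (C$, ADMIN$) cover everything but are admin-only;
#    the 'Special' column marks them. NTFS ACLs then decide what a remote user can do.
function Get-DesktopExposure {
    param([string[]]$Folders = $Desktops)
    foreach ($share in Get-SmbShare) {
        if (-not $share.Path) { continue }                 # IPC$ has no path
        $root = $share.Path.TrimEnd('\') + '\'             # avoid C:\Users\Pub matching C:\Users\Public
        foreach ($folder in $Folders) {
            if (($folder.TrimEnd('\') + '\').StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                $acl = Get-SmbShareAccess -Name $share.Name
                [pscustomobject]@{
                    Share   = $share.Name
                    Path    = $share.Path
                    Covers  = $folder
                    Special = $share.Special
                    Access  = ($acl | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join ', '
                }
            }
        }
    }
    foreach ($folder in $Folders) {
        (Get-Acl -LiteralPath $folder).Access |
        Select-Object @{n='Folder';e={$folder}}, IdentityReference, FileSystemRights, AccessControlType, IsInherited
    }
}

# 3. Removing a stream once you know what it is. Unblock-File strips only
#    Zone.Identifier; Remove-Item -Stream removes any named stream. Dry-run with -WhatIf.
function Remove-DesktopStream {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$File, [Parameter(Mandatory)][string]$Stream)
    if ($PSCmdlet.ShouldProcess($File, "remove stream '$Stream'")) {
        Remove-Item -LiteralPath $File -Stream $Stream
    }
}

Get-DesktopStreams | Sort-Object Expected, File | Format-Table -AutoSize -Wrap
Get-DesktopExposure | Format-Table -AutoSize
# Example dry run over the expected MOTW streams only:
# Get-DesktopStreams | Where-Object Expected | ForEach-Object { Remove-DesktopStream -File $_.File -Stream $_.Stream -WhatIf }
```

One caveat for a host where a rootkit is suspected: everything above goes through the Windows file-system and SMB APIs, which is exactly what a kernel-mode rootkit can filter. Treat a clean result from the live system as one data point and compare it with a view taken from outside Windows (the ESET SysRescue environment already in use in this thread can list the same files and streams from an unbooted disk).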

 
