Jared_jaz

Keep losing admin on Windows after multiple re-installs


Hi,

I am trying to turn on BitLocker but I cannot see an option in my settings. After looking online it seems that I need to create an admin account to do it; however, I cannot create another user at all.

 

 


Let's not worry about BitLocker just yet.

Let me please get a new set of FRST logs including the Additions.txt file please.

 


Please stop installing things on the computer. You're here complaining that the system is under attack. Installing Chrome and these add-ons before ensuring the system is 100% secure is not helping.

iCloud Bookmarks ?

Chrome Remote Desktop - ?? I'm not saying it's not secure but opening ports and programs to the Internet before the system is fully updated and checked for security is not wise

Your "Killer Network" card installed services that I'm not sure benefit you or not.
https://www.cloudbees.com/

S2 xTendSoftAPService; C:\Windows\System32\drivers\RivetNetworks\Killer\xTendSoftAPService.exe [72808 2019-03-08] (Rivet Networks LLC -> CloudBees, Inc.)
R2 xTendUtilityService; C:\Windows\System32\drivers\RivetNetworks\Killer\xTendUtilityService.exe [72816 2019-03-08] (Rivet Networks LLC -> CloudBees, Inc.)

On the surface the xTendUtilityService sounds good, but for someone who is concerned about exploits and attacks I probably would not enable it.

https://hothardware.com/news/killer-wireless-xtend

 

You have a driver for Kaspersky installed, but I see you have Cylance and Malwarebytes installed, so I'm not sure where that came from. Did I ask you to run a Kaspersky antivirus scanner? If so, then perhaps that is where it came from.

R0 E2A444E1; C:\Windows\System32\drivers\E2A444E1.sys [478392 2020-03-27] (Kaspersky Lab -> Kaspersky Lab ZAO)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\E2A444E1.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\E2A444E1.sys => ""="Driver"
 

You have the following errors that need to be reviewed and addressed. In some cases it may just be a note and nothing to worry about; for other items it may be an issue that needs to be addressed. Depending on how aggressive Cylance security is, it might be the one blocking some of this; unknown at this time.

Application errors:
==================
Error: (03/30/2020 06:05:57 AM) (Source: SecurityCenter) (EventID: 17) (User: )
Description: Security Center failed to validate caller with error %1.

Error: (03/29/2020 04:57:12 PM) (Source: SecurityCenter) (EventID: 17) (User: )
Description: Security Center failed to validate caller with error %1.

Error: (03/29/2020 06:40:15 AM) (Source: Microsoft-Windows-AppModel-State) (EventID: 10) (User: JAZZA)
Description: Microsoft.VCLibs.140.00_8wekyb3d8bbwe-2147024893

Error: (03/29/2020 06:40:15 AM) (Source: Microsoft-Windows-AppModel-State) (EventID: 10) (User: JAZZA)
Description: Microsoft.VCLibs.140.00.UWPDesktop_8wekyb3d8bbwe-2147024893

Error: (03/29/2020 06:40:15 AM) (Source: Microsoft-Windows-AppModel-State) (EventID: 10) (User: JAZZA)
Description: Microsoft.UI.Xaml.2.3_8wekyb3d8bbwe-2147024893

Error: (03/29/2020 06:40:15 AM) (Source: Microsoft-Windows-AppModel-State) (EventID: 10) (User: JAZZA)
Description: Microsoft.UI.Xaml.2.2_8wekyb3d8bbwe-2147024893

Error: (03/29/2020 06:40:15 AM) (Source: Microsoft-Windows-AppModel-State) (EventID: 10) (User: JAZZA)
Description: Microsoft.UI.Xaml.2.1_8wekyb3d8bbwe-2147024893

Error: (03/29/2020 06:40:15 AM) (Source: Microsoft-Windows-AppModel-State) (EventID: 10) (User: JAZZA)
Description: Microsoft.UI.Xaml.2.0_8wekyb3d8bbwe-2147024893


System errors:
=============
Error: (03/30/2020 06:05:53 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID 
Windows.SecurityCenter.WscBrokerManager
 and APPID 
Unavailable
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (03/30/2020 06:05:53 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID 
Windows.SecurityCenter.SecurityAppBroker
 and APPID 
Unavailable
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (03/30/2020 06:04:15 AM) (Source: DCOM) (EventID: 10016) (User: JAZZA)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{2593F8B9-4EAF-457C-B68A-50F6B8EA6B54}
 and APPID 
{15C20B67-12E7-4BB6-92BB-7AFF07997402}
 to the user JAZZA\Jazza SID (S-1-5-21-2322789878-4126112276-3318352490-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (03/30/2020 06:01:02 AM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "1115" attempting to start the service SecurityHealthService with arguments "Unavailable" in order to run the server:
{2D15188C-D298-4E10-83B2-64666CCBEBBD}

Error: (03/30/2020 06:01:02 AM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "1115" attempting to start the service SecurityHealthService with arguments "Unavailable" in order to run the server:
{2D15188C-D298-4E10-83B2-64666CCBEBBD}

Error: (03/30/2020 06:01:02 AM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "1115" attempting to start the service SecurityHealthService with arguments "Unavailable" in order to run the server:
{2D15188C-D298-4E10-83B2-64666CCBEBBD}

Error: (03/30/2020 06:01:01 AM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "1115" attempting to start the service SecurityHealthService with arguments "Unavailable" in order to run the server:
{2D15188C-D298-4E10-83B2-64666CCBEBBD}

Error: (03/30/2020 06:00:59 AM) (Source: DCOM) (EventID: 10010) (User: JAZZA)
Description: The server {9AA46009-3CE0-458A-A354-715610A075E6} did not register with DCOM within the required timeout.

 

 

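Triage for the FRST error block above, as an added example that is not part of the thread: it parses the Error/Description entries and counts repeats per Source and EventID, and the sample input is constructed from lines quoted in the post.

```powershell
# Added example (not code from the thread): parse the FRST "Application errors" /
# "System errors" entries in Addition.txt and group them by Source and EventID so
# repeated failures (the DCOM 10005 SecurityHealthService entries above) stand out.
# The sample below is constructed from lines quoted in the thread.
$sampleLog = @'
Error: (03/30/2020 06:05:57 AM) (Source: SecurityCenter) (EventID: 17) (User: )
Description: Security Center failed to validate caller with error %1.

System errors:
=============
Error: (03/30/2020 06:01:02 AM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "1115" attempting to start the service SecurityHealthService with arguments "Unavailable" in order to run the server:
{2D15188C-D298-4E10-83B2-64666CCBEBBD}

Error: (03/30/2020 06:01:01 AM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "1115" attempting to start the service SecurityHealthService with arguments "Unavailable" in order to run the server:
{2D15188C-D298-4E10-83B2-64666CCBEBBD}
'@

function ConvertFrom-FrstErrorBlock {
    param([Parameter(Mandatory)][string]$Text)
    # An entry is a header line, a "Description:" line and any continuation
    # lines up to the next blank line (FRST wraps long descriptions).
    $header = '^Error: \((?<When>[^)]+)\) \(Source: (?<Source>[^)]*)\) \(EventID: (?<EventId>\d+)\) \(User: (?<User>[^)]*)\)$'
    $entries = @(); $current = $null
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match $header) {
            $current = [pscustomobject]@{
                When        = [datetime]::ParseExact($Matches.When, 'MM/dd/yyyy hh:mm:ss tt', [cultureinfo]::InvariantCulture)
                Source      = $Matches.Source
                EventId     = [int]$Matches.EventId
                User        = $Matches.User
                Description = ''
            }
            $entries += $current
        } elseif (-not $line.Trim()) {
            $current = $null                      # a blank line closes the entry
        } elseif ($current) {
            $current.Description = ($current.Description + ' ' + ($line -replace '^Description:\s*', '')).Trim()
        }
    }
    return $entries
}

# Which Source/EventID pairs repeat, and when each last fired.
ConvertFrom-FrstErrorBlock -Text $sampleLog | Group-Object Source, EventId | ForEach-Object {
    [pscustomobject]@{
        Source   = $_.Group[0].Source
        EventId  = $_.Group[0].EventId
        Count    = $_.Count
        LastSeen = ($_.Group | Sort-Object When -Descending)[0].When
        Sample   = $_.Group[0].Description
    }
} | Sort-Object Count -Descending | Format-Table -AutoSize -Wrap
```

To run it against a real log, replace `$sampleLog` with `Get-Content .\Addition.txt -Raw`.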

Hi,

Yes, I understand your point. Sorry, I logged into Google Chrome and because I already have these extensions it auto adds them when you sign in on a new device.

I have removed the iCloud Bookmarks and the Chrome Remote Desktop.

Killer Network - These are suggested drivers from running the Dell driver management tool. I'm happy to remove the driver if you think that is best.

NT AUTHORITY - I shouldn't be part of any Windows server.

OK, so I need to address these errors. Can you suggest what steps I should take next?

Thank you for your help this far, you have been great and i really appreciate it.


And that right there is one way computers get infected and stay infected. Google gladly copies malware or threats from computer-1 to computer-2 to computer-3 and there you go. In a matter of seconds all 3 computers are infected.

Please do yourself a favor and take security more seriously and stop falling for the IT'S SO EASY junk like SYNC from Google or Mozilla

Go disable, delete, destroy your Google Sync settings and never sign up or use them again. I'm sorry but those features are for people that can't be bothered with security

 

Chrome

Reset Chrome back to defaults to completely clear out issues with Chrome.

  • Open Chrome and at the top right, click the menu icon, then More tools, then Extensions.
  • Write down the list of Extensions installed.
  • Next, go to >> Google Sync << and sign into your account. Make sure you know your password as this will clear it from the browser.
  • Scroll down until you see the "reset sync" button to clear your data from the server and remove your passphrase.
  • Now, close all Chrome windows. Chrome cannot be running for the next step. If needed, print this information or use another browser to read the information.
  • Press the Windows key + R at the same time, to bring up the run dialog box.
  • Type in (or copy/paste) the following and press Enter: %localappdata%\Google\Chrome\User Data\Default\
  1. Press Ctrl + A to select all the files and folders.
  2. Hold down Ctrl + A and click once on the files "Bookmarks" and "Bookmarks.bak". This will unselect them.
  3. With all the files selected (except for your Bookmarks), press the Delete key and click Yes to delete the files and folders.
  4. (Screenshot in the original post: all files and folders selected, except Bookmarks.)

 

 

Do the same on every other computer you have. If you have a smartphone, then go disable and delete sync there as well.

 


Okay, let's go ahead then and run all 3 steps one more time so we can see where we're at now.

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed click on the View Report button, then the Export button and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, please click Clean & Repair.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

 

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a checkmark here.
  • Please attach the Additions.txt log to your reply as well.

 

Thanks


Please run the following.

Fix problems that block programs from being installed or removed
https://support.microsoft.com/en-us/help/17588/windows-fix-problems-that-block-programs-being-installed-or-removed

 

Next, please try disabling Cylance and Malwarebytes both and see if you can get Windows Defender to update and operate properly.

Windows Defender:
===================================
Date: 2020-03-27 09:20:21.845
Description: 
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version: 
Previous Signature Version: 1.273.933.0
Update Source: Microsoft Malware Protection Center
Signature Type: AntiVirus
Update Type: Full
Current Engine Version: 
Previous Engine Version: 1.1.15100.1
Error code: 0x80072ee7
Error description: The server name or address could not be resolved 

Notice the bottom: The server name or address could not be resolved.

Something is / was preventing normal DNS lookup to find the Microsoft website for Defender updates.

 


Okay, please run the following fix. Then post back the log on your next reply.

 

 

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Once that's done then do the following.

Click on Start and type in PowerShell and when it starts to show on the menu, right click and select "Run as administrator"

Then type in the following and press the Enter key

Update-MpSignature

Post back any errors.

Next, type in the following command in PowerShell and press the Enter key

Get-MpComputerStatus

Post back the results

 

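The DNS check from the earlier post and the two Defender commands above, combined into one script as an added example (not code from the thread or from Malwarebytes); the probe host names are assumptions, since the thread names no update server, and the status fields are properties of Get-MpComputerStatus.

```powershell
# Added example (not code from the thread): the helper's checks as one script.
# It tests the DNS lookup that the 0x80072ee7 error above points at, runs the
# signature update with the HRESULT pulled out of the error record, and reads
# the status fields that matter. Run from an elevated PowerShell.
# Assumption: the host names are illustrative; the thread names no update server,
# and any Microsoft host that should resolve is enough to test DNS.
$probeHosts = @('go.microsoft.com', 'www.microsoft.com')

function Test-UpdateDns {
    param([string[]]$Hosts = $probeHosts)
    foreach ($h in $Hosts) {
        try {
            $a = Resolve-DnsName -Name $h -Type A -ErrorAction Stop | Where-Object IPAddress | Select-Object -First 1
            [pscustomobject]@{ Host = $h; Resolved = $true; Detail = $a.IPAddress }
        } catch {
            # This is the condition behind "The server name or address could not be resolved".
            [pscustomobject]@{ Host = $h; Resolved = $false; Detail = $_.Exception.Message }
        }
    }
}

function Invoke-SignatureUpdate {
    try {
        Update-MpSignature -ErrorAction Stop
        [pscustomobject]@{ Succeeded = $true; HResult = '0x00000000'; Message = 'updated' }
    } catch {
        # FullyQualifiedErrorId looks like "HRESULT 0x800106ba,Update-MpSignature" (see the
        # output quoted in the thread); 0x800106ba is commonly reported when the Defender
        # service is not running, for example while another AV is the registered product.
        $hr = if ($_.FullyQualifiedErrorId -match '0x[0-9A-Fa-f]{8}') { $Matches[0] } else { 'unknown' }
        [pscustomobject]@{ Succeeded = $false; HResult = $hr; Message = $_.Exception.Message }
    }
}

function Get-DefenderSummary {
    try {
        $s = Get-MpComputerStatus -ErrorAction Stop
        [pscustomobject]@{
            ServiceEnabled   = $s.AMServiceEnabled
            RealTimeOn       = $s.RealTimeProtectionEnabled
            SignatureVersion = $s.AntivirusSignatureVersion
            SignatureAgeDays = $s.AntivirusSignatureAge
            EngineVersion    = $s.AMEngineVersion
        }
    } catch {
        [pscustomobject]@{ ServiceEnabled = $false; Error = $_.Exception.Message }
    }
}

Test-UpdateDns | Format-Table -AutoSize
Invoke-SignatureUpdate | Format-List
Get-DefenderSummary | Format-List
```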

 

Update-MpSignature

Update-MpSignature : Virus and spyware definitions update was completed with errors.
At line:1 char:1
+ Update-MpSignature
+ ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (MSFT_MpSignature:ROOT\Microsoft\...SFT_MpSignature) [Update-MpSignature],
    CimException
    + FullyQualifiedErrorId : HRESULT 0x800106ba,Update-MpSignature

 

Get-MpComputerStatus

Get-MpComputerStatus : A general error occurred that is not covered by a more specific error code.
At line:1 char:1
+ Get-MpComputerStatus
+ ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (MSFT_MpComputerStatus:ROOT\Microsoft\...pComputerStatus) [Get-MpComputerS
   tatus], CimException
    + FullyQualifiedErrorId : HRESULT 0x800106ba,Get-MpComputerStatus


Please uninstall Cylance and Malwarebytes both.

Then reboot the computer.

Then manually open Windows Defender and Check for Updates. Then run a Quick Scan and post back a screenshot of what it found.


Great, okay.

Please run FRST one more time now that Cylance and Malwarebytes have been removed.

Get new FRST and ADDITIONS.TXT logs please.

Thank you

 


Looking for new logs from this process please. If I don't check back tonight I'll check back in the morning.

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please make sure you check this box and attach it to your reply as well.

Thank you

 

 


Thanks

Download the Malwarebytes Support Tool

Then close all open programs and run the tool with Admin rights.

DO NOT click the Start Repair button. Click on the Advanced panel. Then select all items as shown and click the Repair System button.

Then restart the computer one more time and post back new, fresh FRST logs.

I'll check back on you again tomorrow.

Let it go ahead and reinstall Malwarebytes for you when requested.

 


Great, overall the logs look pretty good now. Some issues I'd rather not see but they're normal and expected.

For testing purposes only. Please open an elevated Admin command prompt and let's create a new user from the command line. Once we're done we can either remove the account or you can go change the password to the account if you want to keep the account.

In the command prompt window type in the following and press the Enter key

 

net user Fixer My$NewPassword2 /add

Next, type in the following to add that new user account to the local Administrators group.

net localgroup administrators Fixer /add

 

You should now be able to log out or restart the computer and log into that Fixer account.

If there are any issues or errors please let me know. Then either remove the account or at a minimum go change the password or use your own in the first place instead of my example. We just want to verify that the account creates without an issue.

 

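The same account test done with the built-in LocalAccounts cmdlets, as an added example rather than the helper's own instructions: it generates the password instead of hard-coding one, checks membership by the Administrators group SID, and removes the test account again when -Cleanup is given (the name Fixer follows the thread and is an assumption, as is Windows 10 with an elevated PowerShell).

```powershell
# Added example (not code from the thread): the same account test the helper asks
# for, using the built-in LocalAccounts cmdlets, with a generated password instead
# of one typed into a forum post, a membership check by SID, and optional cleanup.
# Assumptions: Windows 10, run from an elevated PowerShell; the name "Fixer" follows
# the thread and is just a test account.
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Run as administrator) PowerShell.'
}

function Test-LocalAdminCreation {
    param([string]$Name = 'Fixer', [switch]$Cleanup)
    # 24 random bytes -> 32-character Base64 password; never hard-code one.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $plain  = [Convert]::ToBase64String($bytes)
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force

    $r = [ordered]@{ Name = $Name; Created = $false; IsAdmin = $false; Removed = $false; Error = $null }
    try {
        New-LocalUser -Name $Name -Password $secure -ErrorAction Stop | Out-Null
        $r.Created = $true
        # S-1-5-32-544 is the built-in Administrators group on every Windows
        # install, so the SID works even where the group name is localized.
        Add-LocalGroupMember -SID 'S-1-5-32-544' -Member $Name -ErrorAction Stop
        $r.IsAdmin = [bool](Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
                     Where-Object { $_.Name -like "*\$Name" })
    } catch {
        $r.Error = $_.Exception.Message       # e.g. the creation failure the OP reports
    } finally {
        if ($Cleanup -and $r.Created) {
            Remove-LocalUser -Name $Name -ErrorAction SilentlyContinue
            $r.Removed = -not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)
        }
    }
    if ($r.Created -and -not $Cleanup) {
        Write-Host "Temporary password for $Name (change it on first logon or remove the account): $plain"
    }
    [pscustomobject]$r
}

# Who is in Administrators right now, then the creation test with cleanup.
Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object Name, PrincipalSource, ObjectClass
Test-LocalAdminCreation -Cleanup
```

Run it without -Cleanup to keep the account for the logon test; the Error field is what to post back if creation still fails.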