
Just reset my computer, could someone take a look at my logs?



Hi, I posted a thread a few days ago with some suspicious behavior. I ended up doing a full reset of Windows, clearing out personal data and settings.

Eventually I noticed that Windows Defender and Malwarebytes scans weren't completing and decided something must be wrong.

Could someone take a look at my latest logs and let me know if everything looks good? I appreciate it!

FRST.txt Addition.txt


  • Root Admin

Hello @uhoh-hotdog

 

The Event Logs are showing a few errors. Not malware, but errors you should review.

One being the Malwarebytes program is crashing. It may just need a clean removal and reinstall, but it could be that your Norton antivirus might be stepping on it and needs exclusions set up in both programs.

 

System errors:
=============
Error: (03/20/2021 11:32:58 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The ACCSvc service failed to start due to the following error:
The system cannot find the file specified.

Error: (03/20/2021 11:32:57 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 11:12:30 PM on 3/20/2021 was unexpected.

Error: (03/20/2021 11:32:51 PM) (Source: Microsoft-Windows-Kernel-Boot) (EventID: 29) (User: NT AUTHORITY)
Description: 3221225684A fatal error occurred processing the restoration data.

Error: (03/20/2021 08:01:11 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The ACCSvc service failed to start due to the following error:
The system cannot find the file specified.

Error: (03/20/2021 08:00:48 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10003) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has stopped unexpectedly.

Module Path: C:\WINDOWS\system32\IntelIHVRouter08.dll

Error: (03/20/2021 08:00:48 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10003) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has stopped unexpectedly.

Module Path: C:\WINDOWS\system32\IntelIHVRouter08.dll

Error: (03/20/2021 08:00:43 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10003) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has stopped unexpectedly.

Module Path: C:\WINDOWS\system32\IntelIHVRouter08.dll

Error: (03/20/2021 08:00:43 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10003) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has stopped unexpectedly.

Module Path: C:\WINDOWS\system32\IntelIHVRouter08.dll

==================
Error: (03/21/2021 10:47:49 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbamtray.exe, version: 4.0.0.918, time stamp: 0x60418179
Faulting module name: Qt5Core.dll, version: 5.14.1.0, time stamp: 0x603971ce
Exception code: 0xc0000005
Fault offset: 0x0000000000219dc5
Faulting process id: 0x22f4
Faulting application start time: 0x01d71e0b478cd375
Faulting application path: C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
Faulting module path: C:\Program Files\Malwarebytes\Anti-Malware\Qt5Core.dll
Report Id: c72036de-77fc-40ba-9f72-8bf1c15030a8
Faulting package full name:
Faulting package-relative application ID:

Error: (03/21/2021 09:02:44 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: IGCCTray.exe, version: 1.100.3282.0, time stamp: 0x5fddbc1f
Faulting module name: KERNELBASE.dll, version: 10.0.19041.804, time stamp: 0x0e9c5eae
Exception code: 0xe0434352
Fault offset: 0x000000000002d759
Faulting process id: 0x1738
Faulting application start time: 0x01d71e5add06ec5c
Faulting application path: C:\Program Files\WindowsApps\AppUp.IntelGraphicsExperience_1.100.3282.0_x64__8j3eq9eme6ctt\GCP.ML.BackgroundSysTray\IGCCTray.exe
Faulting module path: C:\WINDOWS\System32\KERNELBASE.dll
Report Id: c0fb02ce-6a96-4a9d-af99-5dc6f57ce699
Faulting package full name: AppUp.IntelGraphicsExperience_1.100.3282.0_x64__8j3eq9eme6ctt
Faulting package-relative application ID: App

Error: (03/21/2021 09:02:43 AM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: IGCCTray.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.UnauthorizedAccessException
   at System.IO.__Error.WinIOError(Int32, System.String)
   at System.IO.Pipes.NamedPipeServerStream.Create(System.String, System.IO.Pipes.PipeDirection, Int32, System.IO.Pipes.PipeTransmissionMode, System.IO.Pipes.PipeOptions, Int32, Int32, System.IO.Pipes.PipeAccessRights, SECURITY_ATTRIBUTES)
   at System.IO.Pipes.NamedPipeServerStream..ctor(System.String, System.IO.Pipes.PipeDirection, Int32, System.IO.Pipes.PipeTransmissionMode, System.IO.Pipes.PipeOptions, Int32, Int32, System.IO.Pipes.PipeSecurity, System.IO.HandleInheritability, System.IO.Pipes.PipeAccessRights)
   at System.IO.Pipes.NamedPipeServerStream..ctor(System.String, System.IO.Pipes.PipeDirection, Int32, System.IO.Pipes.PipeTransmissionMode, System.IO.Pipes.PipeOptions, Int32, Int32, System.IO.Pipes.PipeSecurity)
   at GCP.ML.BackgroundSysTray.SingleInstanceApp.NamedPipeServerCreateServer()
   at GCP.ML.BackgroundSysTray.SingleInstanceApp.Initialize()
   at GCP.ML.BackgroundSysTray.Program.Main()

Error: (03/20/2021 08:00:47 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x8007045b, A system shutdown is in progress.
.

Error: (03/20/2021 08:00:47 PM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started. [0x8007045b, A system shutdown is in progress.
]

 


 

 

You also have Scheduled Tasks without an XML file - these are not valid scheduled tasks and if you need them you should review and correct them

Task: {105D676A-D551-4274-81E7-97AC52E4FD87} - \Microsoft\Windows\Speech\HeadsetButtonPress -> No File <==== ATTENTION
Task: {1949073A-8FDA-4EA4-8E59-407CDB02440F} - \Microsoft\Windows\WindowsUpdate\sihpostreboot -> No File <==== ATTENTION
Task: {45E6BEE7-B8AC-494E-863A-62CC0E06AEBB} - \Software Update Application -> No File <==== ATTENTION
Task: {588F1408-92C0-43EC-B231-1E89335369B6} - \OneDrive Standalone Update Task-S-1-5-21-2279613132-4225236067-1800502826-500 -> No File <==== ATTENTION
Task: {A7691146-CD5F-456F-983C-7AE91463EECD} - \ACC -> No File <==== ATTENTION
Task: {CBFB6BE6-9828-4121-A91C-8ADE8B6B1C36} - \Microsoft\Windows\Management\Provisioning\PostResetBoot -> No File <==== ATTENTION
 

 

 

I would suggest you open an Elevated Admin Command Prompt and type in or copy / paste the following and press the Enter key to run them one-by-one.

ECHO Y|CHKDSK C: /F

Then restart the computer and run the following.

SFC /SCANNOW

Then run the following

DISM.exe /Online /Cleanup-image /Restorehealth

 

Then review your Event Logs and see if you're still getting new errors or not and let me know.


 

 

 

 

 


Huh, I wouldn't think that a full reset would have so many issues.

As soon as Windows finished reinstalling, I uninstalled Norton and as many other preinstalled programs as I could, then ran AdwCleaner to clean up the rest. I'm guessing it left some remnants. How would I clean up the scheduled tasks? In the past I just used CCleaner but I've heard that software has been compromised.

19 hours ago, AdvancedSetup said:

You also have Scheduled Tasks without an XML file - these are not valid scheduled tasks and if you need them you should review and correct them

Task: {105D676A-D551-4274-81E7-97AC52E4FD87} - \Microsoft\Windows\Speech\HeadsetButtonPress -> No File <==== ATTENTION
Task: {1949073A-8FDA-4EA4-8E59-407CDB02440F} - \Microsoft\Windows\WindowsUpdate\sihpostreboot -> No File <==== ATTENTION
Task: {45E6BEE7-B8AC-494E-863A-62CC0E06AEBB} - \Software Update Application -> No File <==== ATTENTION
Task: {588F1408-92C0-43EC-B231-1E89335369B6} - \OneDrive Standalone Update Task-S-1-5-21-2279613132-4225236067-1800502826-500 -> No File <==== ATTENTION
Task: {A7691146-CD5F-456F-983C-7AE91463EECD} - \ACC -> No File <==== ATTENTION
Task: {CBFB6BE6-9828-4121-A91C-8ADE8B6B1C36} - \Microsoft\Windows\Management\Provisioning\PostResetBoot -> No File <==== ATTENTION

I also ran the commands you specified today. I haven't seen Malwarebytes crash, but I'm a little concerned about some newer errors involving Windows Defender:

Date: 2021-03-21 19:47:31
Description:
Microsoft Defender Antivirus scan has been stopped before completion.
Scan Type: Antimalware
Scan Parameters: Quick Scan

I've implemented the exclusions specified in this thread: https://forums.malwarebytes.com/topic/200162-exclusions-for-windows-defender-users/ so I'll see if that helps.

Thanks for helping me out!

 


  • Root Admin

Yes, depending on how or what vendor is doing the restore it can have issues.

Please download and run the Norton Removal Tool. Don't allow it to reinstall Norton.

https://support.norton.com/sp/en/us/home/current/solutions/v60392881?abproduct=home&abversion=current&pvid=f-home

After the restart then run the FRST program one more time and click on the Scan button and post back both new log files and we'll review to see if we still need to remove or fix anything.

Thanks @uhoh-hotdog

 

 


Unfortunately it looks like Malwarebytes is still crashing, this morning it crashed right as I was trying to run a threat scan with it.

Error: (03/24/2021 11:37:58 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbamtray.exe, version: 4.0.0.918, time stamp: 0x60418179
Faulting module name: Qt5Core.dll, version: 5.14.1.0, time stamp: 0x603971ce
Exception code: 0xc0000005
Fault offset: 0x0000000000219dc5
Faulting process id: 0x1848
Faulting application start time: 0x01d71fdf88fa8064
Faulting application path: C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
Faulting module path: C:\Program Files\Malwarebytes\Anti-Malware\Qt5Core.dll
Report Id: 26484cda-2472-4034-9df1-ce245c006f58
Faulting package full name:
Faulting package-relative application ID:

 

And Windows Defender is still having issues.

Date: 2021-03-24 11:25:19
Description:
Microsoft Defender Antivirus scan has been stopped before completion.
Scan Type: Antimalware
Scan Parameters: Full Scan

mbytesscan.txt Addition.txt FRST.txt


  • Root Admin

Not sure I understand why you're using a Google IP address in your hosts file to reference many different Google sites. Can you please explain the reasoning behind this?

216.239.38.120 google.com
216.239.38.120 www.google.com
216.239.38.120 google.ad www.google.ad
216.239.38.120 google.ae www.google.ae
216.239.38.120 google.com.af www.google.com.af
216.239.38.120 google.com.ag www.google.com.ag
216.239.38.120 google.com.ai www.google.com.ai
216.239.38.120 google.al www.google.al
216.239.38.120 google.am www.google.am
216.239.38.120 google.co.ao www.google.co.ao
216.239.38.120 google.com.ar www.google.com.ar
216.239.38.120 google.as www.google.as
216.239.38.120 google.at www.google.at
216.239.38.120 google.com.au www.google.com.au
216.239.38.120 google.az www.google.az
216.239.38.120 google.ba www.google.ba
216.239.38.120 google.com.bd www.google.com.bd
216.239.38.120 google.be www.google.be
216.239.38.120 google.bf www.google.bf
216.239.38.120 google.bg www.google.bg
216.239.38.120 google.com.bh www.google.com.bh
216.239.38.120 google.bi www.google.bi
216.239.38.120 google.bj www.google.bj
216.239.38.120 google.com.bn www.google.com.bn
216.239.38.120 google.com.bo www.google.com.bo
216.239.38.120 google.com.br www.google.com.br
216.239.38.120 google.bs www.google.bs
216.239.38.120 google.bt www.google.bt
216.239.38.120 google.co.bw www.google.co.bw

 

Please use the following MBST tool to do a clean removal of Malwarebytes. For now though, when it asks to reinstall Malwarebytes, decline and do not allow it to reinstall Malwarebytes.

Uninstall and reinstall Malwarebytes using the Malwarebytes Support Tool

After the removal of Malwarebytes and a computer restart please run the following fix.

 

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real time antivirus or security software before running this script. Once completed make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

 

Then once the FRST64 fix has completed and restarted the computer run FRST again and click on SCAN and make sure there is a check mark in the Addition.txt check box and post back both new logs as an attachment along with the FIXLOG.txt file.

Thanks

 


I set up a custom hosts file to force "safe search" on the most popular search engines. There are a lot of regional variants of Google's site. I know that's not exactly standard.

Also, should I try reinstalling Malwarebytes after performing the above tasks? Or would you want to see the new logs first?

 

Thanks again!

 


  • Root Admin
2 minutes ago, uhoh-hotdog said:

I set up a custom hosts file to force "safe search" on the most popular search engines. There are a lot of regional variants of google's site. I know that's not exactly standard.

 

Interesting. Did you see that posted on some blog or other website? First time I've seen this in a log is all.

 

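Added example, not part of any post in this thread: one way to review a hosts file like the one discussed above is to list every name it overrides and group the redirects by target address. The function names and the sample entries are constructed for illustration; only the 216.239.38.120 lines follow the entries quoted in the thread.

```powershell
# Added example. Function names and the sample text are assumptions/constructed,
# not taken from FRST, Malwarebytes or the posters.

function Get-HostsOverride {
    # Emits one object per (address, host name) pair found in hosts-file lines.
    param([string[]]$Line)

    foreach ($raw in $Line) {
        # Strip comments, then split "<address> <name> [<name> ...]" on whitespace.
        $text = ($raw -replace '#.*$', '').Trim()
        if (-not $text) { continue }
        $fields = @($text -split '\s+')
        if ($fields.Count -lt 2) { continue }

        $ip = $null
        if (-not [System.Net.IPAddress]::TryParse($fields[0], [ref]$ip)) {
            $kind = 'invalid'      # malformed line: worth a manual look
            $address = $fields[0]
        }
        elseif ([System.Net.IPAddress]::IsLoopback($ip) -or
                $ip.Equals([System.Net.IPAddress]::Any) -or
                $ip.Equals([System.Net.IPAddress]::IPv6Any)) {
            $kind = 'sinkhole'     # loopback or 0.0.0.0 style blocking entry
            $address = $ip.ToString()
        }
        else {
            $kind = 'redirect'     # name is pinned to a routable address
            $address = $ip.ToString()
        }

        foreach ($name in $fields[1..($fields.Count - 1)]) {
            [pscustomobject]@{ Address = $address; HostName = $name.ToLowerInvariant(); Kind = $kind }
        }
    }
}

function Get-HostsRedirectSummary {
    # One row per redirect target, with the names pinned to it.
    param([string[]]$Line)

    Get-HostsOverride -Line $Line |
        Where-Object Kind -eq 'redirect' |
        Group-Object Address |
        ForEach-Object {
            [pscustomobject]@{
                Address   = $_.Name
                NameCount = $_.Count
                Names     = ($_.Group.HostName | Sort-Object -Unique) -join ', '
            }
        }
}

# Constructed sample input, modelled on the entries quoted in the thread.
$sampleHosts = @'
# sample hosts content
127.0.0.1        localhost
216.239.38.120   google.com
216.239.38.120   www.google.com
216.239.38.120   google.ad www.google.ad
0.0.0.0          ads.example.test     # sinkholed
203.0.113.10     login.example.test   # documentation-range address
'@ -split '\r?\n'

Get-HostsRedirectSummary -Line $sampleHosts | Format-Table -AutoSize
```

On a live system, pass `Get-Content "$env:SystemRoot\System32\drivers\etc\hosts"` as `-Line`. Any redirect address that nobody using the machine can account for is the entry to investigate.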

  • Root Admin

Thank you for the logs

Please click on Start and type in PowerShell and when it shows on the menu right-click and select "Run as administrator"

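Then copy / paste the following into the window and press the Enter key.

# $date is not defined anywhere in the post; a 24-hour look-back is assumed here
$date = (Get-Date).AddDays(-1)
Get-WinEvent -MaxEvents 100 -FilterHashtable @{
 LogName = "System"
 StartTime = $date
} | Out-File c:\events.txt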

When done please find the file c:\events.txt and post that back

 


  • Root Admin

Okay, thanks

 

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following check-boxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files


Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using Reset FF Proxy Settings option Firefox should be closed.

 


  • Root Admin

Please open an elevated Admin command prompt and copy / paste the following one-by-one and press the Enter key after each line.

Look and see if you see any accounts or issues not expected. Do not post the results just check and let me know if you see anything odd.

wmic sysaccount
net localgroup administrators
wmic netlogin list

 


  • Root Admin

Your Intel Graphics Control Panel or Intel Graphics Command Center application has also crashed. Reinstalling it may correct that issue, or you can try a couple of reboots and make sure no new Events show up for that error anymore.
 

https://www.intel.com/content/www/us/en/support/articles/000056552/graphics.html

 

Please restart the computer one more time and then run FRST again and click on SCAN and post back both new logs

Thanks

 


  • Root Admin

I would try to go in and uninstall it. Go to Settings -> Apps and locate and uninstall it.


 

This error keeps coming back too. It is from your Acer Care Center. Unless you really think you need it we can probably remove that service. Otherwise you may need to download an update from Acer to reinstall it.

S2 ACCSvc; "C:\Program Files (x86)\Acer\Care Center\ACCSvc.exe" [X]

 

System errors:
=============
Error: (03/25/2021 04:03:24 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The ACCSvc service failed to start due to the following error:
The system cannot find the file specified.

 

 


5 minutes ago, AdvancedSetup said:

Do you need help with removing the Acer service?

Yeah, I'm not sure how to remove it. Thanks!

4 minutes ago, AdvancedSetup said:

Have you visited the Acer support page for your computer and verified that the Network, BIOS, and other drivers are all up to date?

They just have the original drivers that came preinstalled on their support page. I did update the firmware and a few other drivers through Windows Update though.


This topic is now closed to further replies.