
Unknown Malware, maybe UnistackSvc Virus, still there after Multiple Reinstalls


  • This topic is locked
17 replies to this topic

#1 Beetamer

Posted 04 May 2017 - 02:49 PM

I downloaded a fake copy of Office stupidly and got a HORRIFIC virus, maybe worm? It then downloaded even more viruses. It was a Brand New laptop so I sent it back to manufacturer. They did something, but the virus remained. I've now had 2 other professionals try to fix it, each time it gets a bit better but I can see it's still there. The last guy reformatted the hard drive, so he was very confident he fixed it. However as soon as I connected it to the internet things were mysteriously downloading in the background.

When I tried to download a copy of Malbytes Malware antivirus, it loaded a dummy instead. I can tell it's not the real thing because the icon is completely different. This virus is so advanced, however it uses 2001 graphical icons which give it away. After the previous install the My Computer and Network icons were also dummies. This time they are normal, so it seems to morph with each reinstall.

I have to assume it's on the motherboard (if that's possible), or in an Intel Power/Realtek Audio driver available on the internet as that's where they were getting them I think. Or these "professionals" were transferring over something unknowingly.

I have doubles of some services running, controlled by UnistackSvcGroup. Also a suspicious service called TrustedInstaller, which I don't trust, as the folders and files that are suspicious are all controlled by Trusted Installer user group which won't allow me to access some things or change privileges, even with administrator rights.

Many folders are automatically shared also, and won't let me change. The folders C:\Windows\System32\en-US and C:\Windows\System32\INF are also mysteriously in Quick Access. 

There are also other suspicious folders called Infused Apps (can't access), and Panther, which I believe are virus folders. 

I believe it runs a virtual computer in the background, because after I had deleted a bunch of suspicious files earlier (before the last install) and tried to reinstall, I could see the regular Windows 10 install screen in the background, but a black rectangle with a fake install screen was in the foreground. PLEASE HELP! This laptop was only 2 weeks old when I got the virus, and I've now spent months and another $200 trying to fix it. I'm not working and need it to find a job. THANK YOU!

 

FRST TEXT:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 03-05-2017 01
Ran by User (administrator) on DESKTOP-U6MF66E (04-05-2017 11:44:56)
Running from D:\VIRUS
Loaded Profiles: User (Available Profiles: User)
Platform: Windows 10 Home Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Edge)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_82119d956c80af5a\igfxCUIService.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_82119d956c80af5a\igfxEM.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [631808 2016-09-06] (Microsoft Corporation)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [14049536 2015-07-09] (Realtek Semiconductor)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254 75.153.171.122
Tcpip\..\Interfaces\{6cdced10-ab37-4f76-94a3-a50b8b399211}: [DhcpNameServer] 192.168.1.254 75.153.171.122
 
Internet Explorer:
==================
IE Session Restore: HKU\S-1-5-21-3042851203-1915811002-909599378-1001 -> is enabled.
 
FireFox:
========
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.3\npGoogleUpdate3.dll [2017-04-21] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.3\npGoogleUpdate3.dll [2017-04-21] (Google Inc.)
 
Chrome: 
=======
CHR Profile: C:\Users\User\AppData\Local\Google\Chrome\User Data\Default [2017-04-21]
CHR Extension: (Google Docs) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-04-21]
CHR Extension: (Chrome Web Store Payments) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-04-21]
CHR Extension: (Chrome Media Router) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-04-21]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 cphs; C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_82119d956c80af5a\IntelCpHeciSvc.exe [310256 2017-02-07] (Intel Corporation)
S3 cplspcon; C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_82119d956c80af5a\IntelCpHDCPSvc.exe [488944 2017-02-07] (Intel Corporation)
R2 igfxCUIService2.0.0.0; C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_82119d956c80af5a\igfxCUIService.exe [350704 2017-02-07] (Intel Corporation)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2016-07-16] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103712 2017-03-04] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 igfx; C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_82119d956c80af5a\igdkmd64.sys [11041776 2017-02-07] (Intel Corporation)
S3 NetAdapterCx; C:\Windows\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
R3 Qcamain10x64; C:\Windows\System32\drivers\Qcamain10x64.sys [2336768 2016-07-16] (Qualcomm Atheros, Inc.)
R3 rt640x64; C:\Windows\System32\drivers\rt640x64.sys [589824 2016-07-16] (Realtek                                            )
R3 RTSUER; C:\Windows\system32\Drivers\RtsUer.sys [410880 2015-08-19] (Realsil Semiconductor Corporation)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
R3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-05-04 11:44 - 2017-05-04 11:44 - 00000000 ____D C:\FRST
2017-04-21 11:42 - 2017-04-21 11:45 - 60107896 _____ (Malwarebytes ) C:\Users\User\Downloads\mb3-setup-consumer-3.0.6.1469-10103.exe
2017-04-21 11:40 - 2017-04-21 11:41 - 31426872 _____ (Malwarebytes ) C:\Users\User\Downloads\Unconfirmed 171793.crdownload
2017-04-21 11:40 - 2017-04-21 11:41 - 02478928 _____ (Malwarebytes ) C:\Users\User\Downloads\Unconfirmed 971173.crdownload
2017-04-21 11:37 - 2017-04-21 11:37 - 00004114 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{CC9C9993-1E2D-4A54-B7AA-87140D2E8FF9}
2017-04-21 11:35 - 2017-04-21 11:35 - 00002344 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-04-21 11:35 - 2017-04-21 11:35 - 00002332 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-04-21 11:34 - 2017-04-21 11:52 - 00000000 ____D C:\Users\User\AppData\Local\Google
2017-04-21 11:34 - 2017-04-21 11:40 - 00003416 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2017-04-21 11:34 - 2017-04-21 11:40 - 00003292 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2017-04-21 11:34 - 2017-04-21 11:34 - 00000000 ____D C:\Program Files (x86)\Google
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-05-04 10:47 - 2017-03-27 15:40 - 01030638 _____ C:\Windows\system32\PerfStringBackup.INI
2017-05-04 10:47 - 2017-03-27 15:31 - 00000000 ____D C:\Windows\system32\SleepStudy
2017-05-04 10:43 - 2017-03-27 15:38 - 00000000 __SHD C:\Users\User\IntelGraphicsProfiles
2017-05-04 10:43 - 2017-03-27 15:31 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-05-04 10:42 - 2016-07-15 23:04 - 00262144 _____ C:\Windows\system32\config\BBI
2017-05-04 10:38 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\AppReadiness
2017-04-21 11:46 - 2016-07-16 04:47 - 00000000 ___HD C:\Program Files\WindowsApps
2017-04-21 11:38 - 2017-03-27 16:54 - 00532136 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2017-04-13 13:25 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\rescache
2017-04-13 12:27 - 2016-07-16 04:45 - 00000000 ____D C:\Windows\INF
2017-04-13 11:55 - 2016-07-16 04:36 - 00000000 ____D C:\Windows\CbsTemp
 
==================== Files in the root of some directories =======
 
2017-03-27 15:39 - 2017-03-27 15:39 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-04-13 12:57
 
==================== End of FRST.txt ============================

 

 


 


#2 Oh My!


  • Malware Response Instructor

Posted 07 May 2017 - 08:33 AM

Greetings Beetamer and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply topic button instead.
  • In the upper right hand corner of the topic you will see the Follow topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

Your computer is clean so I don't know how much help I can offer you, especially given the work/reformats prior to posting here.

Can you describe your Internet setup? Are you using a separate modem and router or is it a combination modem/router? Are there other devices accessing the same network and if so are they experiencing any issues?
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 Beetamer


Posted 08 May 2017 - 02:36 PM

Hi Gary,

 

Thanks for your assistance! :-)  My name is Jennifer. I am currently going to the library to post/reply to this, so please don't delete thread if I'm not quick in responding. I will make sure to notify you if I decide to quit it. 

 

It may show clean as I've only used the internet briefly since the latest install, in order to d/l Chrome and Malbytes Malware antivirus program. But I could see it starting to download something else in the background so quickly unplugged my modem. So it may not have had much chance yet to start running the viruses it did before.

I'm using a combination modem/router, and perhaps it is hiding there? Or is it possible to hide in the motherboard, or drivers, I suspect? My phone also has the virus now, which it got after I plugged it into the laptop. I can tell because suddenly things were downloading in the background and my data usage jumped about 100x normal, despite me doing nothing different. I am no longer connecting to wi-fi with my phone. 

 

I've attached some text logs that I found before my latest reinstall. In the "Inject_fr-ca.log", it shows "Loading Offline Registry Hive". I looked in my registry before and found that quite a few files had been loaded in my Registry, one being Inject_en-US. I noticed also it appeared there were many suspicious things referring to en-US, and currently there is a folder titled that which is in my Quick Access. Although I never put it in Quick Access. I think it could be hiding in a language download. I have done nothing AT ALL since latest reinstall, except downloading Chrome and Malbytes - which I deleted as it looked like a dummy copy. Yet many folders are shared and I can't unshare them. Also Trusted Installer has control of many programs/folders, and won't allow me access. Why would that be??

These lines were also in the "Inject_fr-ca.log":

 DISM.EXE: Executing command line: DISM.exe  /image:C:\ /add-package /packagepath:C:\Windows\LP\fr-ca\lp.cab /scratchdir:C:\Windows\LP\LangTemp /LogPath:C:\windows\NAPP_Dism_Log\fr-ca\Inject_fr-ca.log /LogLevel:4

 

Copying from C:\Windows\System32\Msi.dll to C:\Windows\LP\LangTemp\CF433180-A163-4D3B-A3AD-EA302D6A2F09\Msi.dll - CMsiApi::Initialize

 

Loading Provider from location C:\Windows\LP\LangTemp\CF433180-A163-4D3B-A3AD-EA302D6A2F09\IntlProvider.dll - CDISMProviderStore::Internal_GetProvider

 

Further logs for driver related operations can be found in the target operating system at %WINDIR%\inf\setupapi.offline.log - CDriverManager::Initialize

 

 DISM.EXE: Executing command line: DISM.exe  /image:C:\ /add-package /packagepath:C:\Windows\LP\fr-ca\lp.cab /scratchdir:C:\Windows\LP\LangTemp /LogPath:C:\windows\NAPP_Dism_Log\fr-ca\Inject_fr-ca.log /LogLevel:4

 

DISM Provider Store: PID=2368 TID=2272 Provider has previously been initialized.  Returning the existing instance. - CDISMProviderStore::Internal_GetProvider
[2368] [0x8007007b] FIOReadFileIntoBuffer:(1250): The filename, directory name, or volume label syntax is incorrect.

----------------------------------------------------------------------------------------------------------------------------------

 

I have attached 2 of the logs which I believe may show how it's being transferred. I will send the other logs with a second reply as they were too big.

Please if you can check through them as I'm pretty sure they show at least some of the process it's taking.

 

Thanks again!!

 


#4 Beetamer


Posted 08 May 2017 - 02:41 PM

Here are other suspicious logs attached.


#5 Beetamer


Posted 08 May 2017 - 02:43 PM

I couldn't upload logs because of size. Here is the one titled DISM.log:

 

2015-09-25 01:29:21, Info                  DISM   PID=2816 TID=2820 Scratch directory set to 'C:\Users\Administrator\AppData\Local\Temp\'. - CDISMManager::put_ScratchDir
2015-09-25 01:29:21, Info                  DISM   PID=2816 TID=2820 DismCore.dll version: 10.0.10240.16384 - CDISMManager::FinalConstruct
2015-09-25 01:29:21, Info                  DISM   PID=2816 TID=2820 Successfully loaded the ImageSession at "C:\Windows\System32\Dism" - CDISMManager::LoadLocalImageSession
2015-09-25 01:29:21, Info                  DISM   DISM Provider Store: PID=2816 TID=2820 Found and Initialized the DISM Logger. - CDISMProviderStore::Internal_InitializeLogger
2015-09-25 01:29:21, Info                  DISM   DISM Provider Store: PID=2816 TID=2820 Failed to get and initialize the PE Provider.  Continuing by assuming that it is not a WinPE image. - CDISMProviderStore::Final_OnConnect
2015-09-25 01:29:21, Info                  DISM   DISM Provider Store: PID=2816 TID=2820 Finished initializing the Provider Map. - CDISMProviderStore::Final_OnConnect
2015-09-25 01:29:21, Info                  DISM   DISM Provider Store: PID=2816 TID=2820 Getting Provider DISMLogger - CDISMProviderStore::GetProvider
2015-09-25 01:29:21, Info                  DISM   DISM Provider Store: PID=2816 TID=2820 Provider has previously been initialized.  Returning the existing instance. - CDISMProviderStore::Internal_GetProvider
2015-09-25 01:29:21, Info                  DISM   DISM Provider Store: PID=2816 TID=2820 Getting Provider DISMLogger - CDISMProviderStore::GetProvider
2015-09-25 01:29:21, Info                  DISM   DISM Provider Store: PID=2816 TID=2820 Provider has previously been initialized.  Returning the existing instance. - CDISMProviderStore::Internal_GetProvider
2015-09-25 01:29:21, Info                  DISM   DISM Manager: PID=2816 TID=2820 Successfully created the local image session and provider store. - CDISMManager::CreateLocalImageSession
2015-09-25 01:29:21, Info                  DISM   DISM Provider Store: PID=2816 TID=2820 Getting Provider DISMLogger - CDISMProviderStore::GetProvider
2015-09-25 01:29:21, Info                  DISM   DISM Provider Store: PID=2816 TID=2820 Provider has previously been initialized.  Returning the existing instance. - CDISMProviderStore::Internal_GetProvider
2015-09-25 01:29:21, Info                  DISM   DISM.EXE: 
2015-09-25 01:29:21, Info                  DISM   DISM.EXE: <----- Starting Dism.exe session ----->
2015-09-25 01:29:21, Info                  DISM   DISM.EXE: 
2015-09-25 01:29:21, Info                  DISM   DISM.EXE: Host machine information: OS Version=10.0.10240, Running architecture=amd64, Number of processors=4
2015-09-25 01:29:21, Info                  DISM   DISM.EXE: Dism.exe version: 10.0.10240.16384
2015-09-25 01:29:21, Info                  DISM   DISM.EXE: Executing command line: Dism  /online /enable-feature /featurename:NetFx3 /All /Source:D:\Preload\sxs /LimitAccess
2015-09-25 01:29:21, Info                  DISM   DISM Provider Store: PID=2816 TID=2820 Getting Provider FolderManager - CDISMProviderStore::GetProvider
2015-09-25 01:29:21, Info                  DISM   DISM Provider Store: PID=2816 TID=2820 Provider has not previously been encountered.  Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider
2015-09-25 01:29:21, Info                  DISM   DISM Provider Store: PID=2816 TID=2820 Loading Provider from location C:\Windows\System32\Dism\FolderProvider.dll - CDISMProviderStore::Internal_GetProvider
2015-09-25 01:29:21, Info                  DISM   DISM Provider Store: PID=2816 TID=2820 Connecting to the provider located at C:\Windows\System32\Dism\FolderProvider.dll. - CDISMProviderStore::Internal_LoadProvider
2015-09-25 01:29:21, Info                  DISM   DISM Manager: PID=2816 TID=2820 physical location path: C:\ - CDISMManager::CreateImageSession
2015-09-25 01:29:21, Info                  DISM   DISM Manager: PID=2816 TID=2820 Event name for current DISM session is Global\{F758C353-274F-45B5-A0B0-B3DCCF3918E9} - CDISMManager::CheckSessionAndLock
2015-09-25 01:29:21, Info                  DISM   DISM Manager: PID=2816 TID=2820 Create session event 0x1a0 for current DISM session and event name is Global\{F758C353-274F-45B5-A0B0-B3DCCF3918E9}  - CDISMManager::CheckSessionAndLock
2015-09-25 01:29:21, Info                  DISM   DISM Manager: PID=2816 TID=2820 Copying DISM from "C:\Windows\System32\Dism" - CDISMManager::CreateImageSessionFromLocation
2015-09-25 01:29:23, Info                  DISM   DISM Manager: PID=2816 TID=2820 Successfully loaded the ImageSession at "C:\Users\Administrator\AppData\Local\Temp\18B7D60B-53DA-4766-B7EA-DDA7E4A39E27" - CDISMManager::LoadRemoteImageSession
2015-09-25 01:29:23, Info                  DISM   DISM Image Session: PID=1744 TID=2844 Instantiating the Provider Store. - CDISMImageSession::get_ProviderStore
2015-09-25 01:29:23, Info                  DISM   DISM Provider Store: PID=1744 TID=2844 Initializing a provider store for the IMAGE session type. - CDISMProviderStore::Final_OnConnect
2015-09-25 01:29:23, Info                  DISM   DISM Provider Store: PID=1744 TID=2844 Provider has not previously been encountered.  Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider
2015-09-25 01:29:23, Info                  DISM   DISM Provider Store: PID=1744 TID=2844 Loading Provider from location C:\Users\Administrator\AppData\Local\Temp\18B7D60B-53DA-4766-B7EA-DDA7E4A39E27\OSProvider.dll - CDISMProviderStore::Internal_GetProvider
2015-09-25 01:29:23, Info                  DISM   DISM Provider Store: PID=1744 TID=2844 Connecting to the provider located at C:\Users\Administrator\AppData\Local\Temp\18B7D60B-53DA-4766-B7EA-DDA7E4A39E27\OSProvider.dll. - CDISMProviderStore::Internal_LoadProvider
2015-09-25 01:29:23, Info                  DISM   DISM OS Provider: PID=1744 TID=2844 Defaulting SystemPath to C:\ - CDISMOSServiceManager::Final_OnConnect
2015-09-25 01:29:23, Info                  DISM   DISM OS Provider: PID=1744 TID=2844 Defaulting Windows folder to C:\Windows - CDISMOSServiceManager::Final_OnConnect
2015-09-25 01:29:23, Info                  DISM   DISM OS Provider: PID=1744 TID=2844 Host OS verion is 10.0 - CDISMOSServiceManager::SetDllSearchPath
2015-09-25 01:29:23, Warning               DISM   DISM OS Provider: PID=1744 TID=2844 Unable to set the DLL search path to the servicing stack folder. C:\Windows may not point to a valid Windows folder. - CDISMOSServiceManager::Final_OnConnect
2015-09-25 01:29:23, Info                  DISM   DISM Provider Store: PID=1744 TID=2844 Attempting to initialize the logger from the Image Session. - CDISMProviderStore::Final_OnConnect
2015-09-25 01:29:23, Info                  DISM   DISM Provider Store: PID=1744 TID=2844 Provider has not previously been encountered.  Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider
2015-09-25 01:29:23, Info                  DISM   DISM Provider Store: PID=1744 TID=2844 Loading Provider from location C:\Users\Administrator\AppData\Local\Temp\18B7D60B-53DA-4766-B7EA-DDA7E4A39E27\LogProvider.dll - CDISMProviderStore::Internal_GetProvider
2015-09-25 01:29:23, Info                  DISM   DISM Provider Store: PID=1744 TID=2844 Connecting to the provider located at C:\Users\Administrator\AppData\Local\Temp\18B7D60B-53DA-4766-B7EA-DDA7E4A39E27\LogProvider.dll. - CDISMProviderStore::Internal_LoadProvider
2015-09-25 01:29:23, Info                  DISM   DISM Provider Store: PID=1744 TID=2844 Found and Initialized the DISM Logger. - CDISMProviderStore::Internal_InitializeLogger
2015-09-25 01:29:23, Info                  DISM   DISM Provider Store: PID=1744 TID=2844 Provider has not previously been encountered.  Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider
2015-09-25 01:29:23, Info                  DISM   DISM Provider Store: PID=1744 TID=2844 Loading Provider from location C:\Users\Administrator\AppData\Local\Temp\18B7D60B-53DA-4766-B7EA-DDA7E4A39E27\PEProvider.dll - CDISMProviderStore::Internal_GetProvider
2015-09-25 01:29:23, Warning               DISM   DISM Provider Store: PID=1744 TID=2844 Failed to Load the provider: C:\Users\Administrator\AppData\Local\Temp\18B7D60B-53DA-4766-B7EA-DDA7E4A39E27\PEProvider.dll. - CDISMProviderStore::Internal_GetProvider(hr:0x8007007e)
2015-09-25 01:29:23, Info                  DISM   DISM Provider Store: PID=1744 TID=2844 Failed to get and initialize the PE Provider.  Continuing by assuming that it is not a WinPE image. - CDISMProviderStore::Final_OnConnect
2015-09-25 01:29:23, Info                  DISM   DISM Provider Store: PID=1744 TID=2844 Finished initializing the Provider Map. - CDISMProviderStore::Final_OnConnect
2015-09-25 01:29:23, Info                  DISM   DISM Provider Store: PID=1744 TID=2844 Getting Provider DISMLogger - CDISMProviderStore::GetProvider
2015-09-25 01:29:23, Info                  DISM   DISM Provider Store: PID=1744 TID=2844 Provider has previously been initialized.  Returning the existing instance. - CDISMProviderStore::Internal_GetProvider
2015-09-25 01:29:23, Info                  DISM   DISM Manager: PID=2816 TID=2820 Image session successfully loaded from the temporary location: C:\Users\Administrator\AppData\Local\Temp\18B7D60B-53DA-4766-B7EA-DDA7E4A39E27 - CDISMManager::CreateImageSession
2015-09-25 01:29:23, Info                  DISM   DISM Provider Store: PID=1744 TID=2844 Getting Provider OSServices - CDISMProviderStore::GetProvider
2015-09-25 01:29:23, Info                  DISM   DISM Provider Store: PID=1744 TID=2844 Provider has previously been initialized.  Returning the existing instance. - CDISMProviderStore::Internal_GetProvider
2015-09-25 01:29:23, Info                  DISM   DISM.EXE: Target image information: OS Version=10.0.10240.16384, Image architecture=amd64
2015-09-25 01:29:23, Info                  DISM   DISM Provider Store: PID=1744 TID=2844 Getting the collection of providers from an image provider store type. - CDISMProviderStore::GetProviderCollection
2015-09-25 01:29:23, Info                  DISM   DISM Provider Store: PID=1744 TID=2844 Provider has not previously been encountered.  Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider
 


#6 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,682 posts
  • Gender:Male
  • Location:California

Posted 08 May 2017 - 07:22 PM

Hi Jennifer.

Please do a factory reset of your modem/router. If you are unsure how to do it you can Google it, contact your Internet provider, or provide me with the model number.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#7 Beetamer


Posted 09 May 2017 - 02:10 PM

Okay, I will get the model number tonight, google it tomorrow and perform, and respond when complete.

 

Thanks!



#8 Oh My!


Posted 09 May 2017 - 07:14 PM

:thumbsup2:
Gary
 

#9 Beetamer


Posted 11 May 2017 - 01:27 PM

Hi Gary,

 

So I reset the modem.... what's next?

 

Btw, I may not respond till Monday as my car just broke down as well :-(

 

Have a great weekend!



#10 Oh My!


Posted 11 May 2017 - 03:20 PM

You said your computer was clean so I wanted to reset your modem and have you use your computer to see if you experience the same issues. No problem on the delay. Sorry to hear about your trouble and when you can get to it on Monday that will be fine.
Gary
 

#11 Beetamer


Posted 12 May 2017 - 01:28 PM

I don't actually think my computer is clean. I believe a background program is running. You said it was clean from my Farbar log in the original post. But I believe it runs under Windows program names to hide. I believe it may be the Trusted Installer rootkit. I found this topic https://www.bleepingcomputer.com/forums/t/340439/trusted-installer-rootkit/

Should I follow the instructions there?

 

Or now the modem is reset should I try and reinstall again? I was considering using an older version of Windows because I have a backup of 8.1 I can use.

 

Thanks and have a good weekend!



#12 Oh My!


Posted 12 May 2017 - 01:57 PM

Trusted Installer is legitimate. Do not follow those steps.

You can test your computer with or without reinstalling.
Gary
 

#13 Beetamer


Posted 12 May 2017 - 03:04 PM

There is a malware rootkit that calls itself Trusted Installer. It's not the actual Windows Trusted Installer program.

If you google it you will see others with the same problem. That's what I'm trying to remove. 

 

How do I remove that? 



#14 Oh My!


Posted 12 May 2017 - 03:39 PM

Can you show me evidence that what you are referring to is malware?
Gary
 

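One way to gather the evidence asked for above, as an added example that is not part of the original thread: list every service and process carrying the TrustedInstaller name and report where its binary lives and who signed it. It assumes a default Windows install, where the genuine service binary is expected at `%windir%\servicing\TrustedInstaller.exe` with a valid Microsoft signature; the function names are illustrative.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Assumption: default install, genuine binary at %windir%\servicing\TrustedInstaller.exe.
$expected = Join-Path $env:windir 'servicing\TrustedInstaller.exe'

function Get-ExePath {
    param([string]$CommandLine)
    # A service PathName may be quoted, carry arguments, or contain %vars%;
    # keep only the expanded path to the .exe.
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine)
    if ($expanded -match '^\s*"?([^"]+?\.exe)') { return $Matches[1] }
    return $expanded
}

function Get-FileEvidence {
    param([string]$Kind, [string]$Name, [string]$Path)
    $sig = $null
    if ($Path -and (Test-Path -LiteralPath $Path)) {
        $sig = Get-AuthenticodeSignature -LiteralPath $Path
    }
    [pscustomobject]@{
        Kind           = $Kind
        Name           = $Name
        Path           = $Path
        # A look-alike usually runs from somewhere other than the servicing folder.
        ExpectedPath   = ($Path -ieq $expected)
        SignatureValid = ($sig -and $sig.Status -eq 'Valid')
        Signer         = if ($sig -and $sig.SignerCertificate) {
                             $sig.SignerCertificate.Subject
                         } else { $null }
    }
}

# Services whose name, display name or binary path mentions TrustedInstaller.
$services = Get-CimInstance Win32_Service | Where-Object {
    $_.Name        -like '*trustedinstaller*'   -or
    $_.DisplayName -like '*trusted*installer*'  -or
    $_.PathName    -like '*trustedinstaller*'
} | ForEach-Object {
    Get-FileEvidence -Kind 'Service' -Name $_.Name -Path (Get-ExePath $_.PathName)
}

# Running processes with a matching image name.
# ExecutablePath can be empty for protected processes or without elevation;
# an empty path is not evidence either way.
$processes = Get-CimInstance Win32_Process -Filter "Name LIKE '%trustedinstaller%'" |
    ForEach-Object {
        Get-FileEvidence -Kind 'Process' `
            -Name "$($_.Name) (PID $($_.ProcessId))" `
            -Path $_.ExecutablePath
    }

@($services) + @($processes) | Format-List
```

An entry with `ExpectedPath` false, or with a missing or invalid signature, is the kind of concrete detail a helper can act on; entries that match on both counts point to the genuine Windows component.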
#15 Oh My!


Posted 15 May 2017 - 09:52 AM

Greetings,

===================================================

Do You Still Need Help?

It has been 3 days since my last post.
  • Do you still need help with this?
  • If you have not replied within 48 hours I will assume you have abandoned the Topic and it will be closed.

Gary
 