[SOLVED] Failed update KB5040427 several times

Rich (BB code):
"AarSvc_2d0813" => service could not be unlocked. <==== ATTENTION
HKLM\SYSTEM\ControlSet001\Services\AarSvc_2d0813 => C:\Windows\system32\svchost.exe [57528 2024-05-15] (Microsoft Windows Publisher -> Microsoft Corporation) <==== ATTENTION (Rootkit!/Locked Service)

There are a number of Services I don't trust and it could be an injected shadow process, so please follow the Malware Removal Posting Instructions and start a new thread in that section.
 
Thanks for the heads up. I checked the SHA-256 of the AarSvc.dll files in these locations, syswow64 and system32; both came back clean on VirusTotal, but it seems there are 18 copies of AarSvc.dll on my system.

Attachment: AarSVC dll.jpg

I will start a new thread as you advised.

Thank You very much for your help.
 
Hi,

You're welcome. Much malware is able to hide its malicious code with obfuscation techniques etc. I will follow your other thread as well.

And the number of AarSvc.dll files is nothing to worry about, they are just different versions.
 
Yes, it is true. Back in the Win 7 days, usually the first corrupted services used to be the Cryptographic SVC and the WMI svc, with help from direct disk access through a corrupted Windows Explorer.
More often on my systems I found that legitimate services and files were used to propagate further OS corruption. That's why I disabled some services, to minimize the vulnerabilities.

I used to have Malwarebytes Premium, and that depends on the WMI service to work properly.

On LTSC 2019, even though dberr.txt looked good, I found a third folder in catroot and catroot2 about 5-6 times, which I deleted manually; then I reset the Cryptographic Service and then restarted.
 

Attachment: another crypt.jpg
Hi,

I would start with unlocking system services / folders etc. Personally, I would never recommend such tweaks.
 
The Cryptographic Service was corrupted from the first minutes of the installation; it was not OK before I touched any settings in Windows. On the other hand, the Cryptographic Service does not depend on any of the services I disabled.


And here is the proof of Cryptographic Service being corrupted right at the start.
 

Attachment: Crypt right from the start.jpg
Please run the following commands in an elevated prompt and attach CryptSvc.txt to your next post.
Code:
sc query cryptSvc > "%userprofile%\desktop\CryptSvc.txt"
sc qc cryptSvc >> "%userprofile%\desktop\CryptSvc.txt"
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\cryptSvc" /s >> "%userprofile%\desktop\CryptSvc.txt"
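An added PowerShell example (not from this thread or from Sysnative) that collects the same CryptSvc details as the three commands above in one script, checks the Authenticode signature of the DLL the service actually loads, and lists every copy of AarSvc.dll under C:\Windows with its version, SHA-256 and signature, so the multiple copies mentioned earlier can be judged by signature rather than by count. The output path and the catroot2 folder listing are my assumptions; it is meant to be run from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread. Assumes an elevated PowerShell 5.1+ session.
# Output file location is an assumption; change $out as needed.
$out = Join-Path $env:USERPROFILE 'Desktop\CryptSvc.txt'

# Service status and configuration (the sc query / sc qc part)
$svc = Get-Service -Name CryptSvc
$cfg = Get-CimInstance Win32_Service -Filter "Name='CryptSvc'"
"Status     : $($svc.Status)"    | Out-File $out
"StartMode  : $($cfg.StartMode)" | Out-File $out -Append
"PathName   : $($cfg.PathName)"  | Out-File $out -Append
"StartName  : $($cfg.StartName)" | Out-File $out -Append

# Registry view of the service, plus the DLL that svchost hosts for it
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\CryptSvc'
Get-ItemProperty $key | Select-Object Start, Type, ImagePath, ObjectName |
    Format-List | Out-File $out -Append
$dll = (Get-ItemProperty "$key\Parameters").ServiceDll
"ServiceDll : $dll" | Out-File $out -Append

# A genuine Microsoft service DLL carries a valid Authenticode signature;
# an unsigned or tampered DLL here is the thing worth investigating.
$dllPath = [Environment]::ExpandEnvironmentVariables($dll)
$sig = Get-AuthenticodeSignature -FilePath $dllPath
"Signature  : $($sig.Status) ($($sig.SignerCertificate.Subject))" | Out-File $out -Append

# Every copy of a DLL name under C:\Windows, with hash and signature.
# WinSxS and servicing folders legitimately hold several versions, so the
# count alone says little; an unsigned copy or a copy outside those folders does.
$name = 'AarSvc.dll'
Get-ChildItem -Path $env:SystemRoot -Filter $name -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Path      = $_.FullName
            Version   = $_.VersionInfo.FileVersion
            SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
        }
    } | Format-Table -AutoSize | Out-File $out -Append -Width 300

# Catalog database folders: a clean catroot2 normally has two GUID-named folders
Get-ChildItem "$env:SystemRoot\System32\catroot2" -Directory |
    Select-Object Name, LastWriteTime | Format-Table -AutoSize | Out-File $out -Append
```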
 
This looks good, there's nothing wrong with the CryptSvc service. And there are no issues with the Catalog Database either.

The only thing which could be an issue is the lack of free space on your system drive; I would definitely free up more disk space, at least 50 GB.

Rich (BB code):
Error: (07/21/2024 09:57:32 AM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x8007045b, A system shutdown is in progress..

Error: (07/21/2024 09:57:32 AM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started. [0x8007045b, A system shutdown is in progress.]

ATTENTION: System Restore is disabled (Total:464.9 GB) (Free:26.57 GB) (6%)

Drive c: () (Fixed) (Total:464.9 GB) (Free:26.57 GB) (Model: Samsung SSD 970 EVO Plus 500GB) NTFS
 
No worries about space, it is 71 GB now, and a system restore point was created.
System Restore was off because of ESET. And yes, it can be a double-edged sword; malware can make use of it.
However, now it is on.
 

Attachment: ESET.jpg
Ok, I see no further problems, and I would not worry about the dberr log entries if everything works well.
 
After resetting, the Cryptographic Service always looks like this (please see attached) on all the Windows 10 systems I worked on, about 6 different ones: Win 10 Pro, Pro N and Home.

That's why I worry.
 
I don't see any real issues, and esentutl didn't show any issues either. So everything looks fine to me.
 