
TRO/ROOT KIT?



#196 DAV2 (Member, 140 posts)
LOAD ERRORS

Edited by DAV2, 24 February 2012 - 09:21 AM.


#197 DAV2 (Member, 140 posts)
After internet errors.

Edited by DAV2, 24 February 2012 - 09:24 AM.


#198 DAV2 (Member, 140 posts)
OK, it looks like Win will not let me upload the pictures of the 0 for 0 errors of the new load not connected to the internet, and the hundreds of errors after connecting saying “The database engine detected multiple threads illegally using the same database”, and search is crawling.

#199 RKinner (Malware Expert, MVP, 12,783 posts)
1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop.
2. Right-click VEW.exe and Run As Administrator.
3. Under 'Select log to query', select:
* System
4. Under 'Select type to list', select:
* Error
* Warning

Then use the 'Number of events' as follows:

1. Click the radio button for 'Number of events'.
   Type 20 in the 1 to 20 box.
   Then click the Run button.

Notepad will open with the output log.

Please post the Output log in your next reply, then repeat but select Application.

Ron

#200 DAV2 (Member, 140 posts)
Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 26/02/2012 8:16:16 AM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 24/01/2012 12:04:15 AM
Type: Error Category: 0
Event: 7023 Source: Service Control Manager
The event description cannot be found.

Log: 'System' Date/Time: 24/01/2012 12:02:22 AM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The avast! Firewall service failed to start due to the following error: The system cannot find the path specified.

Log: 'System' Date/Time: 24/01/2012 12:02:22 AM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The avast! Antivirus service failed to start due to the following error: The system cannot find the path specified.

Log: 'System' Date/Time: 24/01/2012 12:02:17 AM
Type: Error Category: 0
Event: 7031 Source: Service Control Manager
The avast! Firewall service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

Log: 'System' Date/Time: 24/01/2012 12:02:16 AM
Type: Error Category: 0
Event: 7031 Source: Service Control Manager
The avast! Antivirus service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

Log: 'System' Date/Time: 22/01/2012 11:22:42 PM
Type: Error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: cdrom

Log: 'System' Date/Time: 23/01/2012 12:22:51 AM
Type: Error Category: 0
Event: 7023 Source: Service Control Manager
The Windows Update service terminated with the following error: %%-2147467243

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 24/02/2012 12:26:41 AM
Type: Warning Category: 0
Event: 134 Source: Microsoft-Windows-Time-Service
NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on ''. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The error was: The requested name is valid, but no data of the requested type was found. (0x80072AFC)

Log: 'System' Date/Time: 23/01/2012 11:12:06 PM
Type: Warning Category: 0
Event: 1014 Source: Microsoft-Windows-DNS-Client
Name resolution for the name teredo.ipv6.microsoft.com timed out after none of the configured DNS servers responded.

Log: 'System' Date/Time: 23/01/2012 10:34:05 PM
Type: Warning Category: 0
Event: 1014 Source: Microsoft-Windows-DNS-Client
Name resolution for the name teredo.ipv6.microsoft.com timed out after none of the configured DNS servers responded.

Log: 'System' Date/Time: 23/01/2012 9:45:08 PM
Type: Warning Category: 0
Event: 1014 Source: Microsoft-Windows-DNS-Client
Name resolution for the name teredo.ipv6.microsoft.com timed out after none of the configured DNS servers responded.

Log: 'System' Date/Time: 23/01/2012 6:42:23 PM
Type: Warning Category: 0
Event: 134 Source: Microsoft-Windows-Time-Service
NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on ''. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The error was: The requested name is valid, but no data of the requested type was found. (0x80072AFC)

Log: 'System' Date/Time: 23/01/2012 6:42:11 PM
Type: Warning Category: 0
Event: 134 Source: Microsoft-Windows-Time-Service
NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on ''. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The error was: The requested name is valid, but no data of the requested type was found. (0x80072AFC)

Log: 'System' Date/Time: 23/01/2012 6:37:17 PM
Type: Warning Category: 0
Event: 1014 Source: Microsoft-Windows-DNS-Client
Name resolution for the name teredo.ipv6.microsoft.com timed out after none of the configured DNS servers responded.

Ron, it looks like Win turns “mscorsvc” into malware when it is loaded into prefetch. Is there a way to stop Win from doing this? Win still makes contact with Akamai and MS even though I have all updates turned off for Win and state I do not want to participate in any sharing of information. Is there any way to stop Win from doing that, so that I am the only one using my computer?
Win went from 0 errors before connecting to the internet to over 500 errors after connecting to the internet, including turning off all a/v and losing where it was. Is there a way to stop Win from doing that?

Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 26/02/2012 8:21:23 AM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 25/02/2012 11:41:32 PM
Type: Error Category: 3
Event: 1019 Source: Microsoft-Windows-Search
Windows Search Service failed to process the list of included and excluded locations with the error <30, 0x80070002, "iehistory://{S-1-5-21-1597377118-1586821561-2157718051-1000}/">.


Log: 'Application' Date/Time: 25/02/2012 9:37:36 PM
Type: Error Category: 0
Event: 8194 Source: VSS
Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied. . This is often caused by incorrect security settings in either the writer or requestor process.

Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {482308b6-b3f1-4d99-a695-fa7b3bf32565}

Log: 'Application' Date/Time: 24/02/2012 2:45:08 AM
Type: Error Category: 14
Event: 902 Source: ESENT
Windows (1180) Windows: The database engine detected multiple threads illegally using the same database session to perform database operations. SessionId: 0x0000000000F90EC0 Session-context: 0x00000000 Session-context ThreadId: 0x0000000000000928 Current ThreadId: 0x0000000000000948

Log: 'Application' Date/Time: 24/02/2012 2:45:08 AM
Type: Error Category: 14
Event: 902 Source: ESENT
Windows (1180) Windows: The database engine detected multiple threads illegally using the same database session to perform database operations. SessionId: 0x0000000000F90EC0 Session-context: 0x00000000 Session-context ThreadId: 0x0000000000000928 Current ThreadId: 0x0000000000000948

Log: 'Application' Date/Time: 24/02/2012 2:45:08 AM
Type: Error Category: 14
Event: 902 Source: ESENT
Windows (1180) Windows: The database engine detected multiple threads illegally using the same database session to perform database operations. SessionId: 0x0000000000F90EC0 Session-context: 0x00000000 Session-context ThreadId: 0x0000000000000928 Current ThreadId: 0x0000000000000948

Log: 'Application' Date/Time: 24/02/2012 2:45:08 AM
Type: Error Category: 14
Event: 902 Source: ESENT
Windows (1180) Windows: The database engine detected multiple threads illegally using the same database session to perform database operations. SessionId: 0x0000000000F90EC0 Session-context: 0x00000000 Session-context ThreadId: 0x0000000000000928 Current ThreadId: 0x0000000000000948

Log: 'Application' Date/Time: 24/02/2012 2:45:08 AM
Type: Error Category: 14
Event: 902 Source: ESENT
Windows (1180) Windows: The database engine detected multiple threads illegally using the same database session to perform database operations. SessionId: 0x0000000000F90EC0 Session-context: 0x00000000 Session-context ThreadId: 0x0000000000000928 Current ThreadId: 0x0000000000000948

Log: 'Application' Date/Time: 24/02/2012 2:45:08 AM
Type: Error Category: 14
Event: 902 Source: ESENT
Windows (1180) Windows: The database engine detected multiple threads illegally using the same database session to perform database operations. SessionId: 0x0000000000F90EC0 Session-context: 0x00000000 Session-context ThreadId: 0x0000000000000928 Current ThreadId: 0x0000000000000948

Log: 'Application' Date/Time: 24/02/2012 2:45:08 AM
Type: Error Category: 14
Event: 902 Source: ESENT
Windows (1180) Windows: The database engine detected multiple threads illegally using the same database session to perform database operations. SessionId: 0x0000000000F90EC0 Session-context: 0x00000000 Session-context ThreadId: 0x0000000000000928 Current ThreadId: 0x0000000000000948

Log: 'Application' Date/Time: 24/02/2012 2:45:08 AM
Type: Error Category: 14
Event: 902 Source: ESENT
Windows (1180) Windows: The database engine detected multiple threads illegally using the same database session to perform database operations. SessionId: 0x0000000000F90EC0 Session-context: 0x00000000 Session-context ThreadId: 0x0000000000000928 Current ThreadId: 0x0000000000000948

Log: 'Application' Date/Time: 24/02/2012 2:45:08 AM
Type: Error Category: 14
Event: 902 Source: ESENT
Windows (1180) Windows: The database engine detected multiple threads illegally using the same database session to perform database operations. SessionId: 0x0000000000F90EC0 Session-context: 0x00000000 Session-context ThreadId: 0x0000000000000928 Current ThreadId: 0x0000000000000948

Log: 'Application' Date/Time: 24/02/2012 2:45:08 AM
Type: Error Category: 14
Event: 902 Source: ESENT
Windows (1180) Windows: The database engine detected multiple threads illegally using the same database session to perform database operations. SessionId: 0x0000000000F90EC0 Session-context: 0x00000000 Session-context ThreadId: 0x0000000000000928 Current ThreadId: 0x0000000000000948

Log: 'Application' Date/Time: 24/02/2012 2:45:08 AM
Type: Error Category: 14
Event: 902 Source: ESENT
Windows (1180) Windows: The database engine detected multiple threads illegally using the same database session to perform database operations. SessionId: 0x0000000000F90EC0 Session-context: 0x00000000 Session-context ThreadId: 0x0000000000000928 Current ThreadId: 0x0000000000000948

Log: 'Application' Date/Time: 24/02/2012 2:45:08 AM
Type: Error Category: 14
Event: 902 Source: ESENT
Windows (1180) Windows: The database engine detected multiple threads illegally using the same database session to perform database operations. SessionId: 0x0000000000F90EC0 Session-context: 0x00000000 Session-context ThreadId: 0x0000000000000928 Current ThreadId: 0x0000000000000948

Log: 'Application' Date/Time: 24/02/2012 2:45:08 AM
Type: Error Category: 14
Event: 902 Source: ESENT
Windows (1180) Windows: The database engine detected multiple threads illegally using the same database session to perform database operations. SessionId: 0x0000000000F90EC0 Session-context: 0x00000000 Session-context ThreadId: 0x0000000000000928 Current ThreadId: 0x0000000000000948

Log: 'Application' Date/Time: 24/02/2012 2:45:08 AM
Type: Error Category: 14
Event: 902 Source: ESENT
Windows (1180) Windows: The database engine detected multiple threads illegally using the same database session to perform database operations. SessionId: 0x0000000000F90EC0 Session-context: 0x00000000 Session-context ThreadId: 0x0000000000000928 Current ThreadId: 0x0000000000000948

Log: 'Application' Date/Time: 24/02/2012 2:45:08 AM
Type: Error Category: 14
Event: 902 Source: ESENT
Windows (1180) Windows: The database engine detected multiple threads illegally using the same database session to perform database operations. SessionId: 0x0000000000F90EC0 Session-context: 0x00000000 Session-context ThreadId: 0x0000000000000928 Current ThreadId: 0x0000000000000948

Log: 'Application' Date/Time: 24/02/2012 2:45:08 AM
Type: Error Category: 14
Event: 902 Source: ESENT
Windows (1180) Windows: The database engine detected multiple threads illegally using the same database session to perform database operations. SessionId: 0x0000000000F90EC0 Session-context: 0x00000000 Session-context ThreadId: 0x0000000000000928 Current ThreadId: 0x0000000000000948

Log: 'Application' Date/Time: 24/02/2012 2:45:08 AM
Type: Error Category: 14
Event: 902 Source: ESENT
Windows (1180) Windows: The database engine detected multiple threads illegally using the same database session to perform database operations. SessionId: 0x0000000000F90EC0 Session-context: 0x00000000 Session-context ThreadId: 0x0000000000000928 Current ThreadId: 0x0000000000000948

Log: 'Application' Date/Time: 24/02/2012 2:45:08 AM
Type: Error Category: 14
Event: 902 Source: ESENT
Windows (1180) Windows: The database engine detected multiple threads illegally using the same database session to perform database operations. SessionId: 0x0000000000F90EC0 Session-context: 0x00000000 Session-context ThreadId: 0x0000000000000928 Current ThreadId: 0x0000000000000948

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 25/02/2012 11:44:37 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 2 user registry handles leaked from \Registry\User\S-1-5-21-1597377118-1586821561-2157718051-1000_Classes:
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000_CLASSES
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000_CLASSES\Local Settings\MuiCache\12\52C64B7E


Log: 'Application' Date/Time: 25/02/2012 11:44:37 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 41 user registry handles leaked from \Registry\User\S-1-5-21-1597377118-1586821561-2157718051-1000:
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Internet Explorer\SQM
Process 3228 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\History
Process 3228 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Avast Software\WRC\RatingStorage\<|prefix|>http://go.microsoft....k/?LinkId=69157
Process 3228 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\PrivacIE:
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Internet Explorer\SQM\FreezeUploads
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{DBC80044-A445-435B-BC74-9C25C1C588A9}
Process 3228 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\AppDataLow\Software\Microsoft\RepService
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Process 3776 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Internet Explorer\International
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\Shell
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat
Process 3228 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Avast Software\WRC\RatingStorage\<|prefix|>http://go.microsoft..../?LinkID=191282
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iedownload
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8E5E2654-AD2D-48BF-AC2D-D17F00898D06}
Process 3228 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Avast Software\WRC\RatingStorage\go.microsoft.com
Process 3228 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\iecompat
Process 3228 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Avast Software\WRC\RatingStorage
Process 3228 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Content
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Process 3228 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Avast Software\WRC\RatingStorage\<|prefix|>http://windows.micro...ts/ie-9/welcome
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Internet Explorer\PhishingFilter
Process 3228 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Avast Software\WRC\RatingStorage\msn.com
Process 3228 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Cookies
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EFE4106F-412D-4D02-9B88-3701C218814A}
Process 3228 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\feedplat
Process 3228 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Process 3228 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Avast Software\WRC\RatingStorage\<|prefix|>http://www.msn.com/?ocid=iehp
Process 3228 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Avast Software\WRC\RatingStorage\windows.microsoft.com
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2


Log: 'Application' Date/Time: 25/02/2012 11:30:54 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 2 user registry handles leaked from \Registry\User\S-1-5-21-1597377118-1586821561-2157718051-1000_Classes:
Process 2560 (\Device\HarddiskVolume2\Program Files\AVAST Software\Avast\sfzone\SafeZoneBrowser.exe) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000_CLASSES
Process 2560 (\Device\HarddiskVolume2\Program Files\AVAST Software\Avast\sfzone\SafeZoneBrowser.exe) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000_CLASSES\Local Settings\MuiCache\12\52C64B7E


Log: 'Application' Date/Time: 25/02/2012 11:30:54 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 12 user registry handles leaked from \Registry\User\S-1-5-21-1597377118-1586821561-2157718051-1000:
Process 2404 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000
Process 2468 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld
Process 2404 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\CTF\TIP
Process 2468 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Process 2468 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat
Process 2468 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Process 2468 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
Process 2468 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache
Process 2468 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat
Process 2468 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Process 2404 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Run
Process 2560 (\Device\HarddiskVolume2\Program Files\AVAST Software\Avast\sfzone\SafeZoneBrowser.exe) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Keyboard Layout\Preload


Log: 'Application' Date/Time: 25/02/2012 9:37:56 PM
Type: Warning Category: 0
Event: 8230 Source: VSS
Volume Shadow Copy Service error: Failed resolving account SYSTEM with status 2226. Check connection to domain controller and VssAccessControl registry key.

Error-specific details:
Error: NetLocalGroupGetMemebers(SYSTEM), 0x800708b2, This operation is only allowed on the primary domain controller of the domain.

Log: 'Application' Date/Time: 24/02/2012 3:32:09 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 1 user registry handles leaked from \Registry\User\S-1-5-21-1597377118-1586821561-2157718051-1000_Classes:
Process 3856 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000_CLASSES\Local Settings\MuiCache\12\52C64B7E


Log: 'Application' Date/Time: 24/02/2012 2:19:16 PM
Type: Warning Category: 1
Event: 1008 Source: Microsoft-Windows-Search
The Windows Search Service is starting up and attempting to remove the old search index {Reason: Index Corruption}.


Log: 'Application' Date/Time: 24/02/2012 2:46:08 AM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 2 user registry handles leaked from \Registry\User\S-1-5-21-1597377118-1586821561-2157718051-1000_Classes:
Process 3200 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000_CLASSES
Process 3200 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000_CLASSES\Local Settings\MuiCache\10\52C64B7E


Log: 'Application' Date/Time: 24/02/2012 2:46:08 AM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 16 user registry handles leaked from \Registry\User\S-1-5-21-1597377118-1586821561-2157718051-1000:
Process 3448 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000
Process 3448 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld
Process 3448 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Process 1740 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Internet Explorer\International
Process 3448 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\Shell
Process 3448 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Process 3448 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
Process 3448 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Process 3448 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
Process 3448 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache
Process 3448 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Process 3448 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat
Process 3448 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Process 3448 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Process 3448 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Process 3448 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2


Log: 'Application' Date/Time: 24/02/2012 12:22:40 AM
Type: Warning Category: 0
Event: 4105 Source: Microsoft-Windows-Winlogon
Windows is in Notification period.

Log: 'Application' Date/Time: 24/01/2012 12:09:36 AM
Type: Warning Category: 0
Event: 10010 Source: Microsoft-Windows-RestartManager
Application 'C:\Windows\explorer.exe' (pid 3024) cannot be restarted - Application SID does not match Conductor SID..

Log: 'Application' Date/Time: 24/01/2012 12:09:36 AM
Type: Warning Category: 0
Event: 10010 Source: Microsoft-Windows-RestartManager
Application 'C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe' (pid 2320) cannot be restarted - Application SID does not match Conductor SID..

Log: 'Application' Date/Time: 24/01/2012 12:09:36 AM
Type: Warning Category: 0
Event: 10010 Source: Microsoft-Windows-RestartManager
Application 'C:\Program Files\AVAST Software\Avast\AvastUI.exe' (pid 2828) cannot be restarted - Application SID does not match Conductor SID..

Log: 'Application' Date/Time: 24/01/2012 12:04:27 AM
Type: Warning Category: 1
Event: 1008 Source: Microsoft-Windows-Search
The Windows Search Service is starting up and attempting to remove the old search index {Reason: Application Requested}.


Log: 'Application' Date/Time: 23/01/2012 10:30:57 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 6 user registry handles leaked from \Registry\User\S-1-5-21-1597377118-1586821561-2157718051-1000:
Process 2752 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\Shell
Process 2736 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Process 2736 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
Process 2736 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Process 2736 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Process 2736 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2


Log: 'Application' Date/Time: 23/01/2012 7:45:37 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 3 user registry handles leaked from \Registry\User\S-1-5-21-1597377118-1586821561-2157718051-1000_Classes:
Process 2396 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000_CLASSES
Process 1248 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Process 2396 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000_CLASSES\Local Settings\MuiCache\8\52C64B7E


Log: 'Application' Date/Time: 23/01/2012 7:45:37 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 13 user registry handles leaked from \Registry\User\S-1-5-21-1597377118-1586821561-2157718051-1000:
Process 1248 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000
Process 1248 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld
Process 1248 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Process 1248 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Process 1248 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
Process 1248 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Internet Explorer\TypedURLs
Process 1248 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
Process 1248 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache
Process 1248 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat
Process 1248 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Process 2844 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm
Process 1248 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012012012220120123
Process 1248 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap


Log: 'Application' Date/Time: 23/01/2012 2:42:33 AM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 1 user registry handles leaked from \Registry\User\S-1-5-21-1597377118-1586821561-2157718051-1000:
Process 2628 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Explorer


Log: 'Application' Date/Time: 22/01/2012 10:51:34 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 1 user registry handles leaked from \Registry\User\S-1-5-21-1597377118-1586821561-2157718051-1000:
Process 504 (\Device\HarddiskVolume2\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000


Log: 'Application' Date/Time: 22/01/2012 10:26:40 PM
Type: Warning Category: 1
Event: 1008 Source: Microsoft-Windows-Search
The Windows Search Service is starting up and attempting to remove the old search index {Reason: Full Index Reset}.
  • 0
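The Event 1530 records in the VEW output above list, per logoff, every process that still held a handle into the user hive, with the image name shown as <Unknown> when Windows could not resolve it. Reading dozens of those lines by hand is slow, so here is an added PowerShell example (not from the thread, VEW or Microsoft) that splits a VEW-style log into records, keeps only the 1530 entries, and summarises leaked handles per process so each PID can be matched against what was running at the time. The log text embedded below is constructed for illustration and uses a made-up SID.

```powershell
# Added example, not from the thread: summarise Event 1530 "user registry handles leaked"
# entries in a VEW-style log by process. The sample text below is constructed.

function Get-LeakedHandleSummary {
    param([Parameter(Mandatory)][string]$LogText)

    # VEW prints one record per "Log:" header; split at those boundaries (zero-width lookahead).
    $records   = $LogText -split '(?m)^(?=Log: )' | Where-Object { $_.Trim() }
    $byProcess = @{}

    foreach ($record in $records) {
        # Only User Profiles Service event 1530 carries the "has opened key" detail lines.
        if ($record -notmatch '(?m)^Event:\s*1530\b') { continue }
        $when = [regex]::Match($record, '(?m)Date/Time:\s*(.+?)\r?$').Groups[1].Value

        $lines = [regex]::Matches($record, '(?m)^Process (\d+) \((.+?)\) has opened key (.+?)\r?$')
        foreach ($m in $lines) {
            $procId = [int]$m.Groups[1].Value      # $pid is an automatic variable, so use another name
            $image  = $m.Groups[2].Value           # "<Unknown>" when the image name was not resolved
            $regKey = $m.Groups[3].Value
            $id     = "$procId|$image"
            if (-not $byProcess.ContainsKey($id)) {
                $byProcess[$id] = [pscustomobject]@{
                    ProcessId = $procId
                    Image     = $image
                    Events    = [System.Collections.Generic.List[string]]::new()
                    Keys      = [System.Collections.Generic.List[string]]::new()
                }
            }
            if ($byProcess[$id].Events -notcontains $when) { $byProcess[$id].Events.Add($when) }
            $byProcess[$id].Keys.Add($regKey)
        }
    }

    $byProcess.Values |
        Select-Object ProcessId, Image,
            @{ n = 'Handles';   e = { $_.Keys.Count } },
            @{ n = 'Resolved';  e = { $_.Image -ne '<Unknown>' } },
            @{ n = 'FirstSeen'; e = { $_.Events[0] } },
            @{ n = 'SampleKey'; e = { $_.Keys[0] -replace '^\\REGISTRY\\USER\\S-1-5-21-[\d-]+', 'HKU\<sid>' } } |
        Sort-Object Handles -Descending
}

# Constructed sample in VEW's layout: two 1530 records and one unrelated 1008 record.
$sampleLog = @'
Log: 'Application' Date/Time: 23/01/2012 7:45:37 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. DETAIL - 3 user registry handles leaked from \Registry\User\S-1-5-21-111-222-333-1000:
Process 1248 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-111-222-333-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Process 1248 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-111-222-333-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Process 2844 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-111-222-333-1000\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm

Log: 'Application' Date/Time: 23/01/2012 2:42:33 AM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. DETAIL - 1 user registry handles leaked from \Registry\User\S-1-5-21-111-222-333-1000:
Process 2628 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-111-222-333-1000\Software\Microsoft\Windows\CurrentVersion\Explorer

Log: 'Application' Date/Time: 22/01/2012 10:26:40 PM
Type: Warning Category: 1
Event: 1008 Source: Microsoft-Windows-Search
The Windows Search Service is starting up and attempting to remove the old search index {Reason: Full Index Reset}.
'@

Get-LeakedHandleSummary -LogText $sampleLog | Format-Table -AutoSize
```

Run it against the real VEW output by replacing `$sampleLog` with `Get-Content -Raw` of the saved log. Rows with `Resolved` false are PIDs Windows could not name at logoff; the keys they held (Internet Settings cache, Zones, ZoneMap) are the ones Explorer and Internet Explorer components normally keep open, while a resolved image such as msiexec.exe points at an installer that was still running. The summary only tells you which PIDs to look up in Task Manager or Process Explorer; it does not by itself indicate malware.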

#201
RKinner

RKinner

    Malware Expert

  • Expert
  • 12,783 posts
  • MVP
Run regedit and look at

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\avast! Antivirus

Then look at the ImagePath in the right pane. What does it say?

It should say something like:

"C:\Program Files\AVAST Software\Avast\AvastSvc.exe"

though may be slightly different since yours is a 64 bit system.

Right click on Start and Open Windows Explorer. Is AvastSvc.exe still where it says?

Right click on AvastSvc.exe and select Properties then Security. Click on System. Does it have Full Control checked? Click on Administrators. Does it have Full Control Checked?



When you reinstalled Windows 7 did you give the login a unique password?
  • 0
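The three checks Ron asks for above (what ImagePath says, whether the binary is really there, and whether SYSTEM and Administrators have Full Control on it) can be done in one PowerShell function. This is an added example, not from the thread or from Avast; the service name is a parameter, and 'avast! Antivirus' is only the name quoted above. Identities are compared by well-known SID (S-1-5-18 for SYSTEM, S-1-5-32-544 for Administrators) so the check does not depend on the display language.

```powershell
# Added example, not from the thread: read a service's ImagePath, confirm the binary exists at
# that path, and report whether SYSTEM and Administrators hold Full Control on the file.

function Test-ServiceBinary {
    param([Parameter(Mandatory)][string]$ServiceName)

    $key    = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $result = [ordered]@{
        Service = $ServiceName; Status = $null; ImagePath = $null; Binary = $null; Exists = $false
        SystemFullControl = $false; AdminsFullControl = $false; Note = ''
    }
    $result.Status = (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue).Status

    if (-not (Test-Path -LiteralPath $key)) {
        $result.Note = 'service key not found'
        return [pscustomobject]$result
    }
    $result.ImagePath = (Get-ItemProperty -LiteralPath $key -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if (-not $result.ImagePath) {
        $result.Note = 'no ImagePath value under the service key'
        return [pscustomobject]$result
    }

    # ImagePath may be quoted, carry arguments, use %SystemRoot%, \SystemRoot\ or the \??\ prefix,
    # or be relative to the Windows directory (typical for drivers).
    $exe = $result.ImagePath -replace '^\\\?\?\\', ''
    if ($exe -match '^"([^"]+)"')                   { $exe = $Matches[1] }
    elseif ($exe -match '^(.+?\.(exe|sys))(\s|$)')  { $exe = $Matches[1] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if ($exe -match '^\\SystemRoot\\(.+)$')        { $exe = Join-Path $env:SystemRoot $Matches[1] }
    elseif ($exe -notmatch '^[A-Za-z]:\\')         { $exe = Join-Path $env:SystemRoot $exe }
    $result.Binary = $exe
    $result.Exists = Test-Path -LiteralPath $exe -PathType Leaf
    if (-not $result.Exists) {
        $result.Note = 'binary missing at ImagePath: the service cannot start from here'
        return [pscustomobject]$result
    }

    # $acl.Access includes inherited ACEs, i.e. the greyed-out boxes in the Security tab.
    $acl  = Get-Acl -LiteralPath $exe
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $sidOf = {
        param($ace)
        try   { $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $ace.IdentityReference.Value }   # orphaned SIDs cannot be translated; keep as-is
    }
    $hasFull = {
        param([string]$Sid)
        [bool]($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (& $sidOf $_) -eq $Sid -and
            (($_.FileSystemRights -band $full) -eq $full)
        })
    }
    $result.SystemFullControl = & $hasFull 'S-1-5-18'      # NT AUTHORITY\SYSTEM
    $result.AdminsFullControl = & $hasFull 'S-1-5-32-544'  # BUILTIN\Administrators
    if (-not ($result.SystemFullControl -and $result.AdminsFullControl)) {
        $result.Note = 'SYSTEM or Administrators lack Full Control; the service may fail to start'
    }
    [pscustomobject]$result
}

Test-ServiceBinary -ServiceName 'avast! Antivirus' | Format-List
```

`Binary` should resolve to the path Ron quotes (under Program Files or its x86 counterpart on a 64-bit system); if `Exists` is false the service is pointing at a file that is no longer there, which matches the "Avast disappeared" symptom in this thread. Deny ACEs and ACEs expressed as generic rights are not counted as Full Control, so a false result is worth opening the Security tab to confirm.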

#202
DAV2

DAV2

    Member

  • Member
  • PipPipPip
  • 140 posts
Ron, thanks. I re-installed Avast, so it is now where it says it is.
Full control is checked gray.
I use the same PW so I can remember it.

Edited by DAV2, 26 February 2012 - 10:21 AM.

  • 0

#203
RKinner

RKinner

    Malware Expert

  • Expert
  • 12,783 posts
  • MVP
I think using the same password may be a mistake. If one of your other PCs is infected it could easily take over since it knows the password.
  • 0

#204
DAV2

DAV2

    Member

  • Member
  • PipPipPip
  • 140 posts
Thanks Ron, but I isolate the computers by setting them to not share files and I use different routers to isolate them into groups that do not talk to each other. Are all the other facts normal for Win? Not showing files unless you try to write an exact named file, turning off the A/V and misplacing it, funny-named drivers that fail to load but are working just fine, just that you cannot find them, a search service that slows to a crawl, and now, a few days into this new load that was loaded after a low-level format, a “critical” error that caused a blue screen, which just happened today? And what about all the Akamai contact by the computer that Akamai responds to? I have Win and all programs except Avast set to not update or share anything.

Edited by DAV2, 26 February 2012 - 02:02 PM.

  • 0

#205
RKinner

RKinner

    Malware Expert

  • Expert
  • 12,783 posts
  • MVP
I don't think any of that is normal. Certainly losing the Anti-virus and firewall are not normal. I still don't like your using the same password on all your PCs.
  • 0

#206
DAV2

DAV2

    Member

  • Member
  • PipPipPip
  • 140 posts
Thanks Ron, I can write different passwords on pieces of paper and stick them on the monitors. I will be the only one seeing them unless the built-in cameras on the computers read them also. Now, please tell me if you have equally simple solutions to all the other noticed Win behavior. It is starting to get to me. Small things did change with this last load before I connected to the internet. Like it takes only one click to start and restart CCE instead of the mandatory 2 clicks that it always took before, and absolutely every pop-up screen was by MS instead of unknown by unknown, and I was very surprised to see files that were invisible on all the other computers.
  • 0

#207
DAV2

DAV2

    Member

  • Member
  • PipPipPip
  • 140 posts
Ron, I think Win turned off error reporting and when I attempt to restart all I get is access denied. I think this load is in need of reloading. Any advice to have the new load more stable than this last?
  • 0

#208
RKinner

RKinner

    Malware Expert

  • Expert
  • 12,783 posts
  • MVP
Use a different password. Don't load any other software and go straight to MS to get your updates.

I'm at a conference this week. Replies will be slow.
  • 0

#209
DAV2

DAV2

    Member

  • Member
  • PipPipPip
  • 140 posts
Ron, I am still a little confused with “Bootmgr”. I updated the BIOS over the internet. I low-level formatted with “Hir...” and then partitioned and formatted with the Win 7 load/boot disk (Genuine Holographic). I loaded it with a new, never used before PW. I then, without any connection to the internet and without loading the Asus MB disk, went to load the Genuine from MS 7.1 service pack disk (non-bootable). On that disk came up “Bootmgr” with a date later than the load/boot disk, so I assumed that it must be on the 7.1 service pack disk. (Even though that disk had a later date setup file and was not bootable.) The setup file on the disk would not work. Win said it was corrupt. (This is the 7.1 disk I got from MS.) I rebooted the computer and went to reload the 7.1 disk and “Bootmgr” was no longer visible on the 7.1 disk, but “setup” now was not corrupt and loaded. 0 errors in events after full 7.1 load not connected to internet.


Where did “Bootmgr” come from? 1) BIOS 2) hard disk 3) load disk with older date than the bootmgr file or 4) Genuine 7.1 disk from MS that is not bootable?

Edited by DAV2, 29 February 2012 - 08:08 PM.

  • 0

#210
DAV2

DAV2

    Member

  • Member
  • PipPipPip
  • 140 posts
Ron, what I have seen so far is that the 2 Win load disks do about the same thing. If I start with a low-level format by Hir..., then Killdisk says that there are illegal partitions on the disk and, I presume, removes them. Then both Win load disks create 4 partitions on the hard disk during load. (Win only sees 2 of them in Management.) The new load disk with 7.1 has a Trojan in the page file at load, and the old load disk after 7.1 servicing and connection to the net after SFC has a Trojan in Pagefile. Pagefile Trojans verify in VirusTotal, see pic. The funny/strange drivers do not start arriving until a day or so later. I am on my second load of the new 7.1 load disk, because load one was with too many accumulated errors in search and I wanted to fast clean strange drivers before I loaded anything besides Win and A/V. Yes, both load disks turn off and lose A/V.

Edited by DAV2, 09 March 2012 - 07:05 AM.

  • 0
