Help with FBI windowlock encrypt ransomware $300 virus

#16
RKinner
    Malware Expert

You might want to turn IPv6 off since it's causing errors and you don't need it:

Run the Disable IPv6 Fixit

https://support.micr...2?wa=wsignin1.0

Run Process Explorer again. Wait a full minute for things to settle down a bit, then hit the Space bar. (That will stop it jumping.) Highlight the svchost file that is the biggest user of CPU time.

On the last log it was:

svchost.exe    17.63    223,000 K    233,568 K    116    Host Process for Windows Services    Microsoft Corporation

If you hover over it, it should open a little window like this:

What services does it have? You can do a print shot if you want:

1. Press Alt + the Print Screen key on your keyboard. It may be labeled [PrtScn].
2. Open Microsoft Paint (All Programs, Accessories, Paint).
3. Go to the Edit menu and choose Paste (or just do Ctrl + V) and the image should appear.
4. Go to the File menu and choose Save As.
5. Navigate to the folder where you want to save the image (Desktop).
6. Type a file name for the image: svc
7. Select a file type: jpeg
8. Click the Save button.
9. Attach svc.jpg to your Reply. (Start a Reply. Click on the Browse button, point it at your desktop, click on svc.jpg, then Open. Now click on Attach this File.)



#17
wharriss
    Member (Topic Starter)

Here is the txt file for Speccy. Attached File: PAVILIONELITE.txt (240.73KB)

This program added a Google Chrome icon to my taskbar and removed my Firefox icon, but that should be no problem.

I hope this txt file was attached properly.



#18
wharriss
    Member (Topic Starter)

I think I have completed all the scans you have given me so far.



#19
RKinner
    Malware Expert

http://www.geekstogo...-2#entry2479817



#20
wharriss
    Member (Topic Starter)

Here is the processes svc.jpg (attached).



#21
RKinner
    Malware Expert

Looks like you might have created the first Process Explorer before things settled down. This one looks clean.

Are you running the Internet Connection Sharing (ICS) service on this for some reason?

http://windows.micro...g#1TC=windows-7



#22
wharriss
    Member (Topic Starter)

I have (or did have before this malware attack) a nicely working home network.

I have an old Windows XP which is not wireless but I want to use it. I have an old non-wireless laser printer attached to this XP by cable.

I ran an Ethernet cable from the modem through my router into the XP. As I recall, I used the XP as the host to set up the network.

I have this Windows 7 PC we are working on, which gets its internet connection directly from the router, and it can see the XP and its printer.

I have a wireless color inkjet printer which gets a signal from the router and this Windows 7 PC we are working on.

I also have a wireless Windows 7 laptop which also connects to the home network.

All of these devices are connected to the home network with shared files.

I made this setup myself and, not being computer savvy, I have to study and read and follow instructions as best I can.

This setup was working great for me. I could print from either printer and transfer files from one computer to the other.

I have not noticed any problems with the XP computer, although I was afraid that some malware could migrate to other devices on the network.

Do you think this particular virus could move around on my network?

I have not used the Windows laptop since this malware attack.

I have not been into any of my banking, brokerage, PayPal, etc. sites because I don't want to type in any passwords until we have done all we can to make the computer clean.

Before we did all this work, my Firefox browser was out of control. I couldn't keep a homepage. When I tried to type a homepage in Tools, the browser kept offering choices of several options, most of them financial websites and a website where I had downloaded RogueKiller (very weird). That problem seems to be cleared up. I think I did that by myself. I think I removed all browser history and found something like a browser memory which I deleted. I can't remember exactly what I did, but the browser seems to be working properly.

I do still see something on my Thunderbird email program that I had not seen before, and it is still occurring. When I go to Thunderbird to read mail, I am now getting the pop-up message "The account [email protected] is being processed. Please wait until processing is complete to get messages". This lasts only for a few seconds and then my new mail is downloaded.

Also this malware changed my desktop background. Just now I went to "change desktop background". One of the options was a group of pictures I had taken of my car under C:/users/Rich/mypictures. There were supposed to be only 10 photos of my collector car in that folder, but there was a number 11 photo, a very inappropriate photo that I had never seen before. I went to my pictures in the library "my pictures" and sent that picture to recycle.

I think most everything is back to normal until I may discover something else weird.

I sure appreciate your help. I don't know anyone or any computer shop around here that I could trust to tackle this work like you have done.



#23
RKinner
    Malware Expert

You should turn off ICS. It's only used when one PC acts as a router. Since you have a separate router you do not need it. I am not now seeing any infection remnants. The one random named service or device had no file and let itself be removed, so probably Kaspersky ate it even if it didn't tell you. Clear the alarms again, reboot and run VEW again.

#24
wharriss
    Member (Topic Starter)

I think I turned off ICS. When I went to networks, I saw 3 wireless connections:

1. Local area connection, Realtek PCIe family controller
2. Wireless network connection, Atheros 802.11 a/b/g/n Dualband (shared)
3. Wireless network connection #2, not connected

I unshared the Atheros 802.11 connection.

I rebooted and here are the VEW files:

 

Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 15/02/2015 10:47:01 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 16/02/2015 3:01:15 AM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 16/02/2015 3:12:25 AM
Type: Error Category: 0
Event: 31004 Source: Microsoft-Windows-SharedAccess_NAT
The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.

Log: 'System' Date/Time: 16/02/2015 3:01:36 AM
Type: Error Category: 0
Event: 6008 Source: EventLog
The previous system shutdown at 9:59:14 PM on ?2/?15/?2015 was unexpected.

Log: 'System' Date/Time: 16/02/2015 2:55:13 AM
Type: Error Category: 0
Event: 10010 Source: Microsoft-Windows-DistributedCOM
The server {ED1D0FDF-4414-470A-A56D-CFB68623FC58} did not register with DCOM within the required timeout.

Log: 'System' Date/Time: 16/02/2015 1:46:34 AM
Type: Error Category: 0
Event: 31004 Source: Microsoft-Windows-SharedAccess_NAT
The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.

Log: 'System' Date/Time: 16/02/2015 1:42:20 AM
Type: Error Category: 0
Event: 31004 Source: Microsoft-Windows-SharedAccess_NAT
The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.

Log: 'System' Date/Time: 16/02/2015 1:39:44 AM
Type: Error Category: 0
Event: 31004 Source: Microsoft-Windows-SharedAccess_NAT
The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.

Log: 'System' Date/Time: 16/02/2015 1:39:19 AM
Type: Error Category: 0
Event: 31004 Source: Microsoft-Windows-SharedAccess_NAT
The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.

Log: 'System' Date/Time: 16/02/2015 1:39:04 AM
Type: Error Category: 0
Event: 31004 Source: Microsoft-Windows-SharedAccess_NAT
The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.

Log: 'System' Date/Time: 16/02/2015 1:38:32 AM
Type: Error Category: 0
Event: 31004 Source: Microsoft-Windows-SharedAccess_NAT
The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.

Log: 'System' Date/Time: 16/02/2015 1:37:55 AM
Type: Error Category: 0
Event: 31004 Source: Microsoft-Windows-SharedAccess_NAT
The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.

Log: 'System' Date/Time: 16/02/2015 1:37:34 AM
Type: Error Category: 0
Event: 31004 Source: Microsoft-Windows-SharedAccess_NAT
The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.

Log: 'System' Date/Time: 16/02/2015 1:37:30 AM
Type: Error Category: 0
Event: 31004 Source: Microsoft-Windows-SharedAccess_NAT
The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.

Log: 'System' Date/Time: 16/02/2015 1:17:22 AM
Type: Error Category: 0
Event: 31004 Source: Microsoft-Windows-SharedAccess_NAT
The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.

Log: 'System' Date/Time: 16/02/2015 1:11:49 AM
Type: Error Category: 0
Event: 31004 Source: Microsoft-Windows-SharedAccess_NAT
The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.

Log: 'System' Date/Time: 16/02/2015 1:03:46 AM
Type: Error Category: 0
Event: 31004 Source: Microsoft-Windows-SharedAccess_NAT
The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.

Log: 'System' Date/Time: 16/02/2015 12:00:46 AM
Type: Error Category: 0
Event: 31004 Source: Microsoft-Windows-SharedAccess_NAT
The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.

Log: 'System' Date/Time: 15/02/2015 11:31:33 PM
Type: Error Category: 0
Event: 31004 Source: Microsoft-Windows-SharedAccess_NAT
The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.

Log: 'System' Date/Time: 15/02/2015 10:16:24 PM
Type: Error Category: 0
Event: 31004 Source: Microsoft-Windows-SharedAccess_NAT
The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.

Log: 'System' Date/Time: 15/02/2015 9:19:06 PM
Type: Error Category: 0
Event: 30009 Source: Microsoft-Windows-SharedAccess_NAT
The DHCP allocator encountered a network error while attempting to reply on IP address 0.0.0.0 to a request from a client. The data is the error code.

Log: 'System' Date/Time: 15/02/2015 9:19:06 PM
Type: Error Category: 0
Event: 30005 Source: Microsoft-Windows-SharedAccess_NAT
The DHCP allocator has detected a DHCP server with IP address 192.168.1.1 on the same network as the interface with IP address 192.168.137.1. The allocator has disabled itself on the interface to avoid confusing DHCP clients.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 16/02/2015 3:44:20 AM
Type: Warning Category: 212
Event: 219 Source: Microsoft-Windows-Kernel-PnP
The driver \Driver\WUDFRd failed to load for the device WpdBusEnumRoot\UMB\2&37c186b&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_COMPACT_FLASH&REV_1.00#20060413092100000&0#.

Log: 'System' Date/Time: 16/02/2015 3:42:46 AM
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.

Log: 'System' Date/Time: 16/02/2015 3:02:43 AM
Type: Warning Category: 212
Event: 219 Source: Microsoft-Windows-Kernel-PnP
The driver \Driver\WUDFRd failed to load for the device WpdBusEnumRoot\UMB\2&37c186b&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_COMPACT_FLASH&REV_1.00#20060413092100000&0#.

Log: 'System' Date/Time: 16/02/2015 2:50:45 AM
Type: Warning Category: 0
Event: 4101 Source: Display
Display driver amdkmdap stopped responding and has successfully recovered.

Log: 'System' Date/Time: 15/02/2015 7:34:05 PM
Type: Warning Category: 212
Event: 219 Source: Microsoft-Windows-Kernel-PnP
The driver \Driver\WUDFRd failed to load for the device WpdBusEnumRoot\UMB\2&37c186b&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_COMPACT_FLASH&REV_1.00#20060413092100000&0#.

Log: 'System' Date/Time: 15/02/2015 7:32:00 PM
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.

Log: 'System' Date/Time: 15/02/2015 5:45:23 PM
Type: Warning Category: 0
Event: 129 Source: ahcix64s
Reset to device, \Device\RaidPort0, was issued.

Log: 'System' Date/Time: 15/02/2015 5:42:39 PM
Type: Warning Category: 0
Event: 1014 Source: Microsoft-Windows-DNS-Client
Name resolution for the name omt.garmin.com timed out after none of the configured DNS servers responded.

Log: 'System' Date/Time: 15/02/2015 5:42:24 PM
Type: Warning Category: 0
Event: 1014 Source: Microsoft-Windows-DNS-Client
Name resolution for the name login.norton.com timed out after none of the configured DNS servers responded.

Log: 'System' Date/Time: 15/02/2015 5:42:13 PM
Type: Warning Category: 0
Event: 34005 Source: Microsoft-Windows-SharedAccess_NAT
The ICS_IPV6 was unable to allocate bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.

Log: 'System' Date/Time: 15/02/2015 5:41:55 PM
Type: Warning Category: 212
Event: 219 Source: Microsoft-Windows-Kernel-PnP
The driver \Driver\WUDFRd failed to load for the device WpdBusEnumRoot\UMB\2&37c186b&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_COMPACT_FLASH&REV_1.00#20060413092100000&0#.

Log: 'System' Date/Time: 15/02/2015 5:40:15 PM
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.

Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 15/02/2015 11:05:20 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 16/02/2015 2:55:45 AM
Type: Error Category: 101
Event: 1002 Source: Application Hang
The program wmplayer.exe version 12.0.7601.18526 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.  Process ID: 2050  Start Time: 01d04993c9a734e4  Termination Time: 60000  Application Path: C:\Program Files (x86)\Windows Media Player\wmplayer.exe  Report Id: 1b5dfd7e-b587-11e4-b8e3-643150227862

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 16/02/2015 3:54:14 AM
Type: Warning Category: 1
Event: 100 Source: CVHSVC
Information only. C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE is trusted.

Log: 'Application' Date/Time: 16/02/2015 3:54:14 AM
Type: Warning Category: 1
Event: 100 Source: CVHSVC
Information only. CurrentSoftGridPrereq: Click2Run installation (version = 14.0.4763.1000) is found on the machine; skipping installation...

Log: 'Application' Date/Time: 16/02/2015 3:54:14 AM
Type: Warning Category: 1
Event: 100 Source: CVHSVC
Information only. C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE is trusted.

Log: 'Application' Date/Time: 16/02/2015 3:44:12 AM
Type: Warning Category: 6
Event: 3057 Source: Application Virtualization Client
{tid=EF8}
The Application Virtualization Client Core initialized correctly.  Installed Product:  Version: 4.6.2.22610 Install Path: C:\Program Files (x86)\Microsoft Application Virtualization Client Global Data Directory: C:\ProgramData\Microsoft\Application Virtualization Client\ Machine Name: PAVILIONELITE Operating System: Windows 7 64-bit Service Pack 1.0 Build 7601 OSD Command:

Log: 'Application' Date/Time: 16/02/2015 3:44:09 AM
Type: Warning Category: 3
Event: 3191 Source: Application Virtualization Client
{tid=EF8}
-------------------------------------------------------- Initialized client log (C:\ProgramData\Microsoft\Application Virtualization Client\sftlog.txt)

Log: 'Application' Date/Time: 16/02/2015 3:42:43 AM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.     DETAIL -   5 user registry handles leaked from \Registry\User\S-1-5-21-4215829332-950673753-2765580295-1001:
Process 604 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4215829332-950673753-2765580295-1001
Process 604 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4215829332-950673753-2765580295-1001
Process 604 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4215829332-950673753-2765580295-1001\Software\Microsoft\SystemCertificates\My
Process 604 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4215829332-950673753-2765580295-1001\Software\Microsoft\SystemCertificates\CA
Process 604 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4215829332-950673753-2765580295-1001\Software\Microsoft\SystemCertificates\Disallowed


Log: 'Application' Date/Time: 16/02/2015 3:12:28 AM
Type: Warning Category: 1
Event: 100 Source: CVHSVC
Information only. C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE is trusted.

Log: 'Application' Date/Time: 16/02/2015 3:12:28 AM
Type: Warning Category: 1
Event: 100 Source: CVHSVC
Information only. CurrentSoftGridPrereq: Click2Run installation (version = 14.0.4763.1000) is found on the machine; skipping installation...

Log: 'Application' Date/Time: 16/02/2015 3:12:28 AM
Type: Warning Category: 1
Event: 100 Source: CVHSVC
Information only. C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE is trusted.

Log: 'Application' Date/Time: 16/02/2015 3:02:30 AM
Type: Warning Category: 1
Event: 100 Source: CVHSVC
Information only. Error: App Shutdown failed. [SoftGrid Error: 0x0000000000000421 in Module: Core, File: swapp.cpp:760] Type: 96::SoftGridApplicationFailure. Stopping task (Stream product id=0x0066) because of fatal error.

Log: 'Application' Date/Time: 16/02/2015 3:02:18 AM
Type: Warning Category: 6
Event: 3057 Source: Application Virtualization Client
{tid=F08}
The Application Virtualization Client Core initialized correctly.  Installed Product:  Version: 4.6.2.22610 Install Path: C:\Program Files (x86)\Microsoft Application Virtualization Client Global Data Directory: C:\ProgramData\Microsoft\Application Virtualization Client\ Machine Name: PAVILIONELITE Operating System: Windows 7 64-bit Service Pack 1.0 Build 7601 OSD Command:

Log: 'Application' Date/Time: 16/02/2015 3:02:11 AM
Type: Warning Category: 3
Event: 3191 Source: Application Virtualization Client
{tid=F08}
-------------------------------------------------------- Initialized client log (C:\ProgramData\Microsoft\Application Virtualization Client\sftlog.txt)

Log: 'Application' Date/Time: 15/02/2015 7:43:54 PM
Type: Warning Category: 1
Event: 100 Source: CVHSVC
Information only. C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE is trusted.

Log: 'Application' Date/Time: 15/02/2015 7:43:54 PM
Type: Warning Category: 1
Event: 100 Source: CVHSVC
Information only. CurrentSoftGridPrereq: Click2Run installation (version = 14.0.4763.1000) is found on the machine; skipping installation...

Log: 'Application' Date/Time: 15/02/2015 7:43:54 PM
Type: Warning Category: 1
Event: 100 Source: CVHSVC
Information only. C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE is trusted.

Log: 'Application' Date/Time: 15/02/2015 7:33:50 PM
Type: Warning Category: 6
Event: 3057 Source: Application Virtualization Client
{tid=998}
The Application Virtualization Client Core initialized correctly.  Installed Product:  Version: 4.6.2.22610 Install Path: C:\Program Files (x86)\Microsoft Application Virtualization Client Global Data Directory: C:\ProgramData\Microsoft\Application Virtualization Client\ Machine Name: PAVILIONELITE Operating System: Windows 7 64-bit Service Pack 1.0 Build 7601 OSD Command:

Log: 'Application' Date/Time: 15/02/2015 7:33:44 PM
Type: Warning Category: 3
Event: 3191 Source: Application Virtualization Client
{tid=998}
-------------------------------------------------------- Initialized client log (C:\ProgramData\Microsoft\Application Virtualization Client\sftlog.txt)

Log: 'Application' Date/Time: 15/02/2015 7:31:56 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.     DETAIL -   5 user registry handles leaked from \Registry\User\S-1-5-21-4215829332-950673753-2765580295-1001:
Process 620 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4215829332-950673753-2765580295-1001
Process 620 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4215829332-950673753-2765580295-1001
Process 620 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4215829332-950673753-2765580295-1001\Software\Microsoft\SystemCertificates\My
Process 620 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4215829332-950673753-2765580295-1001\Software\Microsoft\SystemCertificates\CA
Process 620 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4215829332-950673753-2765580295-1001\Software\Microsoft\SystemCertificates\Disallowed


Log: 'Application' Date/Time: 15/02/2015 7:30:59 PM
Type: Warning Category: 0
Event: 12348 Source: VSS
Volume Shadow Copy Service warning: VSS was denied access to the root of volume \\?\Volume{48d7ed77-480d-11e0-abee-1a659da7f5ba}\. Denying administrators from accessing volume roots can cause many unexpected failures, and will prevent VSS from functioning properly.  Check security on the volume, and try the operation again.

Operation:
   Removing auto-release shadow copies
   Loading provider

Context:
   Execution Context: System Provider

Log: 'Application' Date/Time: 15/02/2015 5:51:47 PM
Type: Warning Category: 1
Event: 100 Source: CVHSVC
Information only. C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE is trusted.

#25
wharriss
    Member (Topic Starter)

Here is the network after closing ICS:

network.jpg




#26
RKinner
    Malware Expert

In the search box type:

services.msc

then hit Enter. The Services window should open. Scroll down in the right pane until you find Internet Connection Sharing. Right click and select Properties. Change the Startup Type to Disabled. OK.

Then clear the alarms, reboot and run VEW as before.



#27
wharriss
    Member (Topic Starter)

I got the ICS disabled.

What do you mean clear the alarms?

How to do that?



#28
RKinner
    Malware Expert

Right click on (My) Computer and select Manage (Continue). Then click on the arrow in front of Event Viewer. Next click on the arrow in front of Windows Logs. Right click on System and Clear Log, Clear. Repeat for Application.

Reboot.

1. Please download the Event Viewer Tool by Vino Rosso and save it to your Desktop:
2. Right-click VEW.exe and Run as Administrator
3. Under 'Select log to query', select:
   * System
4. Under 'Select type to list', select:
   * Error
   * Warning

Then use the 'Number of events' as follows:

1. Click the radio button for 'Number of events'
2. Type 20 in the 1 to 20 box
3. Then click the Run button.
4. Notepad will open with the output log.

Please post the Output log in your next reply, then repeat but select Application.

Ron


#29
wharriss
    Member (Topic Starter)

I got the System and Application logs cleared.

Rebooted.

VEW System and Application logs posted below.

Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 16/02/2015 1:27:57 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 16/02/2015 6:24:59 PM
Type: Warning Category: 212
Event: 219 Source: Microsoft-Windows-Kernel-PnP
The driver \Driver\WUDFRd failed to load for the device WpdBusEnumRoot\UMB\2&37c186b&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_COMPACT_FLASH&REV_1.00#20060413092100000&0#.

Log: 'System' Date/Time: 16/02/2015 6:23:28 PM
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.

Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 16/02/2015 1:54:38 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 16/02/2015 6:34:55 PM
Type: Warning Category: 1
Event: 100 Source: CVHSVC
Information only. C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE is trusted.

Log: 'Application' Date/Time: 16/02/2015 6:34:55 PM
Type: Warning Category: 1
Event: 100 Source: CVHSVC
Information only. CurrentSoftGridPrereq: Click2Run installation (version = 14.0.4763.1000) is found on the machine; skipping installation...

Log: 'Application' Date/Time: 16/02/2015 6:34:55 PM
Type: Warning Category: 1
Event: 100 Source: CVHSVC
Information only. C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE is trusted.

Log: 'Application' Date/Time: 16/02/2015 6:25:02 PM
Type: Warning Category: 1
Event: 100 Source: CVHSVC
Information only. Error: App Shutdown failed. [SoftGrid Error: 0x0000000000000421 in Module: Core, File: swapp.cpp:760] Type: 96::SoftGridApplicationFailure. Stopping task (Stream product id=0x0066) because of fatal error.

Log: 'Application' Date/Time: 16/02/2015 6:24:50 PM
Type: Warning Category: 6
Event: 3057 Source: Application Virtualization Client
{tid=E24}
The Application Virtualization Client Core initialized correctly.  Installed Product:  Version: 4.6.2.22610 Install Path: C:\Program Files (x86)\Microsoft Application Virtualization Client Global Data Directory: C:\ProgramData\Microsoft\Application Virtualization Client\ Machine Name: PAVILIONELITE Operating System: Windows 7 64-bit Service Pack 1.0 Build 7601 OSD Command:

Log: 'Application' Date/Time: 16/02/2015 6:24:45 PM
Type: Warning Category: 3
Event: 3191 Source: Application Virtualization Client
{tid=E24}
-------------------------------------------------------- Initialized client log (C:\ProgramData\Microsoft\Application Virtualization Client\sftlog.txt)

#30
RKinner
    Malware Expert

Log: 'System' Date/Time: 16/02/2015 6:24:59 PM
Type: Warning Category: 212
Event: 219 Source: Microsoft-Windows-Kernel-PnP
The driver \Driver\WUDFRd failed to load for the device WpdBusEnumRoot\UMB\2&37c186b&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_COMPACT_FLASH&REV_1.00#20060413092100000&0#.

This one is a simple change to a service. In the search box type:

services.msc

and hit Enter. Find the Windows Driver Foundation – User-mode Driver Framework and right click and Properties. Change Startup Type: from Manual to Automatic. OK.

This one is just stupid:

Log: 'System' Date/Time: 16/02/2015 6:23:28 PM
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.

Ignore it.

I'm thinking the Application errors are all related to Microsoft Office Click to Run. This probably came with your PC but you don't need it since you apparently have a real install of Office:

Microsoft Office 2010 (HKLM-x32\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Click-to-Run 2010 (HKLM-x32\...\Office14.Click2Run) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Starter 2010 - English (HKLM-x32\...\{90140011-0066-0409-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)

I would uninstall the one in bold unless you actually pay them to use Office click to run.

Right click on (My) Computer and select Manage (Continue). Then click on the arrow in front of Event Viewer. Next click on the arrow in front of Windows Logs. Right click on System and Clear Log, Clear. Repeat for Application.

Reboot.

1. Please download the Event Viewer Tool by Vino Rosso and save it to your Desktop:
2. Right-click VEW.exe and Run as Administrator
3. Under 'Select log to query', select:
   * System
4. Under 'Select type to list', select:
   * Error
   * Warning

Then use the 'Number of events' as follows:

1. Click the radio button for 'Number of events'
2. Type 20 in the 1 to 20 box
3. Then click the Run button.
4. Notepad will open with the output log.

Please post the Output log in your next reply, then repeat but select Application.
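
Reading a VEW report by eye, as this thread does, means counting repeated entries such as the 31004 errors by hand and remembering which ones matter. The following is an added Python example, not part of the thread, of VEW or of any tool named here: it parses the report layout quoted above and groups entries by log, type, source and event ID. The sample report is constructed in that layout from this thread, and the THREAD_NOTES texts are the editor's paraphrases of the expert's readings, not output of any tool.

```python
"""Summarise a Vino's Event Viewer (VEW) text report.

Added example, not from the thread: it groups each 'Log:' entry by log, type,
source and event ID so that a cluster such as repeated Event 31004 from
Microsoft-Windows-SharedAccess_NAT (the ICS DNS proxy) stands out instead of
being counted by eye.  SAMPLE_REPORT is constructed in the format the thread
shows; THREAD_NOTES paraphrase the expert's readings of those events.
"""
import re
from collections import Counter
from typing import NamedTuple

HEAD_RE = re.compile(r"^Log: '(?P<log>[^']+)' Date/Time: (?P<when>.+)$")
TYPE_RE = re.compile(r"^Type: (?P<type>\w+) Category: \d+$")
EVENT_RE = re.compile(r"^Event: (?P<event>\d+) Source: (?P<source>.+)$")

# Readings taken from the thread, keyed by (source, event id).
THREAD_NOTES = {
    ("Microsoft-Windows-SharedAccess_NAT", 31004): "ICS is running; not needed behind a separate router",
    ("Microsoft-Windows-SharedAccess_NAT", 30005): "ICS DHCP allocator clashing with the router's DHCP server",
    ("Microsoft-Windows-Kernel-PnP", 219): "WUDFRd not loaded; set Windows Driver Foundation to Automatic",
    ("Microsoft-Windows-WLAN-AutoConfig", 4001): "informational; ignore",
}


class Entry(NamedTuple):
    log: str
    when: str
    type: str
    event: int
    source: str
    message: str


def parse_vew(text: str) -> list[Entry]:
    """Parse every 'Log:' entry; report headers and ~~~ separators are skipped."""
    lines = [ln.strip() for ln in text.splitlines()]
    entries: list[Entry] = []
    i = 0
    while i + 2 < len(lines):
        head = HEAD_RE.match(lines[i])
        typ = TYPE_RE.match(lines[i + 1]) if head else None
        evt = EVENT_RE.match(lines[i + 2]) if typ else None
        if not (head and typ and evt):
            i += 1
            continue
        # The message runs to the next blank line; multi-line detail (such as
        # the 'Process 604 ... has opened key ...' lines) is joined into one string.
        j = i + 3
        body: list[str] = []
        while j < len(lines) and lines[j] and not HEAD_RE.match(lines[j]):
            body.append(lines[j])
            j += 1
        entries.append(Entry(head["log"], head["when"], typ["type"],
                             int(evt["event"]), evt["source"].strip(), " ".join(body)))
        i = j
    return entries


def summarise(entries: list[Entry]) -> list[tuple[tuple[str, str, str, int], int]]:
    """Count entries per (log, type, source, event id), most frequent first."""
    return Counter((e.log, e.type, e.source, e.event) for e in entries).most_common()


def triage(entries: list[Entry]) -> list[str]:
    """One line per distinct event: its count plus the thread's note, if any."""
    return [f"{log}/{typ} {source} {event} x{n}: "
            f"{THREAD_NOTES.get((source, event), 'no note in thread')}"
            for (log, typ, source, event), n in summarise(entries)]


# Constructed sample in the VEW layout quoted in the thread (not a real capture).
SAMPLE_REPORT = """\
Vino's Event Viewer v01c run on Windows 2008 in English

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 16/02/2015 3:12:25 AM
Type: Error Category: 0
Event: 31004 Source: Microsoft-Windows-SharedAccess_NAT
The DNS proxy agent was unable to allocate 0 bytes of memory.

Log: 'System' Date/Time: 16/02/2015 1:46:34 AM
Type: Error Category: 0
Event: 31004 Source: Microsoft-Windows-SharedAccess_NAT
The DNS proxy agent was unable to allocate 0 bytes of memory.

Log: 'System' Date/Time: 15/02/2015 9:19:06 PM
Type: Error Category: 0
Event: 30005 Source: Microsoft-Windows-SharedAccess_NAT
The DHCP allocator has detected a DHCP server with IP address 192.168.1.1
on the same network as the interface with IP address 192.168.137.1.

Log: 'System' Date/Time: 16/02/2015 3:42:46 AM
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.
"""
```

Running `triage(parse_vew(SAMPLE_REPORT))` lists the two 31004 entries as one line with `x2`, which is the same grouping the expert did by eye before pointing at ICS.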
