Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

COM Error crashes computer when trying to email

Started by shorthaul99 , Oct 31 2017 04:21 PM

  • Please log in to reply

#16
RKinner
Posted 11 November 2017 - 09:58 PM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP

Kaspersky is a bit on the paranoid side.  I don't see why it is blocking Console Window Host (more or less the Command Prompt) and it doesn't seem to like MBAM either but I think the log doesn't show what it is blocking on the firewall.  Just turn it off for a trial and see if anything changes with QB.

 

https://help.kaspers...n-US/128210.htm


  • 0

Advertisements

#17
shorthaul99
Posted 13 November 2017 - 05:09 PM

shorthaul99

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 133 posts

For what it's worth, I was working in QB today and accidentally emailed an invoice and then knew it was going to crash but it didn't and responded like normal. I guess some adjustment we did a couple of days ago did the trick?


  • 0

#18
RKinner
Posted 13 November 2017 - 10:55 PM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP

Sounds good.  Hope it stays fixed.


  • 0

#19
shorthaul99
Posted 14 November 2017 - 11:24 PM

shorthaul99

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 133 posts

Of course it's back!! I am so frustrated at this point...how do you want to proceed boss man?


  • 0

#20
RKinner
Posted 15 November 2017 - 06:02 AM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP

Try turning off the Kaspersky firewall for a test.


  • 0

#21
shorthaul99
Posted 16 November 2017 - 09:03 PM

shorthaul99

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 133 posts

No dice. Still having the same issue even with firewall turned completely off.


  • 0

#22
RKinner
Posted 19 November 2017 - 11:59 AM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP

OK.  Try running Process Monitor:

 

download Process Monitor

http://live.sysinter...com/Procmon.exe

Save it to your desktop  Close as many programs as you can.  Run Process Monitor by right clicking and Run As Admin.

As soon as it starts, File, then uncheck Capture Events.  Edit, Clear Display, Then Start up QB and get it ready to send an email (or whatever is failing).  File, check Capture events then quickly have QB send the email.  As soon as it fails, File, then uncheck Capture Events.  (The logs get very big quickly so we try to limit logging to just the time period of the error.)

 

File, Save, All Events.  You can use the native format.  Give it a name you can find again.  Close Process Monitor then zip up the log you saved. 

 

You will need to use a file sharing service so you can upload the file, send me the link then I can download it.  (It will be too big for the forum to handle.)

 

Pick one of the free services unless you have one already.  http://www.freemake....-fast-and-safe/

 

Then post the link to the file.  (Make sure you have allowed other people to see the file - some of the services default to private mode unless you tell them otherwise.)


  • 0

#23
shorthaul99
Posted 20 November 2017 - 06:14 PM

shorthaul99

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 133 posts

As soon as I try to get it to capture, every single time it allows the password box to open up and never goes to Error...tried 3 more times by completely shutting down and back up and same thing but on the last shutdown, the computer froze on the start items screen and stayed there. I held down power button and reboot back into normal windows etc. and now every time I open up QB, it gives me the window of elevated command like "did I ask for this program to fire." It did that the last 2 times. I'm at a loss :smashcomp:      :ranting:


  • 0

#24
RKinner
Posted 20 November 2017 - 10:16 PM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP

I've never used the program so it's hard to know what it should do.

 

Let's see vew logs again and see if there is something new.

 

Also just for fun see if you can get Rogue Killer to work:

 

Rogue Killer

http://www.adlice.co...iller/#download

Portable 64 bits <== Use this one

Download and Save.



Right click on the downloaded file (RogueKillerX64.exe or RogueKiller.exe)  and Run As admin

Start Scan
Start Scan

Will take about 20 minutes to complete.

Open Report
Export TXT (save it to your desktop as rk) Save

Do not let Rogue Killer remove anything until you hear from me.  Leave Rogue Killer up (but minimized) so you won't have to rescan.

Open rk.txt and copy and paste it to your next Reply.
 


  • 0

#25
shorthaul99
Posted 21 November 2017 - 12:27 AM

shorthaul99

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 133 posts

RogueKiller V12.11.25.0 (x64) [Nov 20 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.co...ad/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : JB [Administrator]
Started from : C:\Users\JB\Desktop\RogueKiller_portable64.exe
Mode : Scan -- Date : 11/20/2017 23:48:11 (Duration : 00:33:55)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 58 ¤¤¤
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5A134DD5-9609-460B-876D-D6D240D948BF} | DhcpNameServer : 172.20.10.1 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{5A134DD5-9609-460B-876D-D6D240D948BF} | DhcpNameServer : 172.20.10.1 ([])  -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {07B06AB4-522B-4C4F-B99D-9DE5873EDB03} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS16D5\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {78A2AA77-A970-43C6-98D7-C6C6D5659933} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS16D5\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {9077B2AE-2F18-4FB7-B757-AE122B015C53} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS18B2\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {88571F9F-D999-4DEA-B108-F9DF772450A7} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS18B2\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {7A27F99D-B365-4AF9-A185-58ED93305AC1} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS2790\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {9E94AFF2-4632-42D9-8000-DCCE635A8EE7} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS2790\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {BC856DA0-34DF-48E9-9334-EDF9B9ED8258} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS27D8\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {A1038E70-2382-419D-9D8D-87CF1A1806A0} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS27D8\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {44A3F013-F920-4448-86CE-41B358FC2138} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS27A4\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {BADF1A0F-BBDF-4F91-895F-184DC93E6A3A} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS27A4\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {92652BF0-8A8A-49C6-A477-E349AD1C697F} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS2977\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {541920F7-9E3C-4240-93A5-2E9EB4EB3DDF} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS2977\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {88D60679-EACF-4B70-882A-330A9B3BB57A} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS3DD2\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {633FA523-67CC-4FA3-B869-D090138C3265} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS3DD2\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {405C44A0-E411-46C2-AAFC-CC1F60B57B9B} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS3DFC\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {832B3613-2108-46B5-921B-1036F32016C6} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS3DFC\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {9DB2E288-D457-4FB1-B9B0-1354E8C6D2BA} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS2E35\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {D357794E-00DA-4B04-BE5F-AF1981ECB3B7} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS2E35\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {140573B5-1C0F-4732-972C-31FD0614CB10} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Users\JB\AppData\Local\Temp\7zS5EC7\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {96CC9EEC-1223-4FFE-B43F-7A0D4D402D58} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Users\JB\AppData\Local\Temp\7zS5EC7\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {CBEB0721-EE38-4D82-B7FB-4473BC65E689} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Users\JB\AppData\Local\Temp\7zS5EF4\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {1A69642B-024F-4E0A-963F-415262C257C4} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Users\JB\AppData\Local\Temp\7zS5EF4\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {A046F598-86DB-47E1-B726-E59DF19750A9} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Users\JB\AppData\Local\Temp\7zS6112\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {28C34809-E0DD-4A71-88F7-543778E3D5FF} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Users\JB\AppData\Local\Temp\7zS6112\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {07B06AB4-522B-4C4F-B99D-9DE5873EDB03} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS16D5\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {78A2AA77-A970-43C6-98D7-C6C6D5659933} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS16D5\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {9077B2AE-2F18-4FB7-B757-AE122B015C53} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS18B2\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {88571F9F-D999-4DEA-B108-F9DF772450A7} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS18B2\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {7A27F99D-B365-4AF9-A185-58ED93305AC1} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS2790\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {9E94AFF2-4632-42D9-8000-DCCE635A8EE7} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS2790\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {BC856DA0-34DF-48E9-9334-EDF9B9ED8258} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS27D8\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {A1038E70-2382-419D-9D8D-87CF1A1806A0} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS27D8\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {44A3F013-F920-4448-86CE-41B358FC2138} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS27A4\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {BADF1A0F-BBDF-4F91-895F-184DC93E6A3A} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS27A4\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {92652BF0-8A8A-49C6-A477-E349AD1C697F} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS2977\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {541920F7-9E3C-4240-93A5-2E9EB4EB3DDF} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS2977\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {88D60679-EACF-4B70-882A-330A9B3BB57A} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS3DD2\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {633FA523-67CC-4FA3-B869-D090138C3265} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS3DD2\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {405C44A0-E411-46C2-AAFC-CC1F60B57B9B} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS3DFC\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {832B3613-2108-46B5-921B-1036F32016C6} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS3DFC\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {9DB2E288-D457-4FB1-B9B0-1354E8C6D2BA} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS2E35\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {D357794E-00DA-4B04-BE5F-AF1981ECB3B7} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS2E35\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {140573B5-1C0F-4732-972C-31FD0614CB10} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Users\JB\AppData\Local\Temp\7zS5EC7\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {96CC9EEC-1223-4FFE-B43F-7A0D4D402D58} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Users\JB\AppData\Local\Temp\7zS5EC7\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {CBEB0721-EE38-4D82-B7FB-4473BC65E689} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Users\JB\AppData\Local\Temp\7zS5EF4\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {1A69642B-024F-4E0A-963F-415262C257C4} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Users\JB\AppData\Local\Temp\7zS5EF4\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {A046F598-86DB-47E1-B726-E59DF19750A9} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Users\JB\AppData\Local\Temp\7zS6112\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {28C34809-E0DD-4A71-88F7-543778E3D5FF} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Users\JB\AppData\Local\Temp\7zS6112\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2577112198-3913129868-2286876578-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2577112198-3913129868-2286876578-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2577112198-3913129868-2286876578-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2577112198-3913129868-2286876578-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Samsung SSD 850 PRO 512G SCSI Disk Device +++++
--- User ---
[MBR] a0df6803bfd5f93786ffb521cdd4a3c7
[BSP] ef5444ce539a871217aac157ae0020e8 : Empty|VT.Unknown MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 100 MB
1 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 206848 | Size: 128 MB
2 - Basic data partition | Offset (sectors): 468992 | Size: 488153 MB
User = LL1 ... OK
User = LL2 ... OK

 


  • 0

Advertisements

#26
shorthaul99
Posted 21 November 2017 - 12:33 AM

shorthaul99

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 133 posts

VEW Logs:

 

 

 

Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 21/11/2017 12:29:35 AM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 21/11/2017 12:07:51 AM
Type: Error Category: 2
Event: 4 Source: QuickBooks
An unexpected error has occured in "QuickBooks Desktop Pro 2018":
Host Start  failed

Log: 'Application' Date/Time: 21/11/2017 12:07:51 AM
Type: Error Category: 2
Event: 4 Source: QuickBooks
An unexpected error has occured in "QuickBooks Desktop Pro 2018":
Runtime not yet initialized

Log: 'Application' Date/Time: 20/11/2017 11:57:30 PM
Type: Error Category: 2
Event: 4 Source: QuickBooks
An unexpected error has occured in "QuickBooks Desktop Pro 2018":
Host Start  failed

Log: 'Application' Date/Time: 20/11/2017 11:57:30 PM
Type: Error Category: 2
Event: 4 Source: QuickBooks
An unexpected error has occured in "QuickBooks Desktop Pro 2018":
Runtime not yet initialized

Log: 'Application' Date/Time: 20/11/2017 11:51:20 PM
Type: Error Category: 2
Event: 4 Source: QuickBooks
An unexpected error has occured in "QuickBooks Desktop Pro 2018":
Host Start  failed

Log: 'Application' Date/Time: 20/11/2017 11:51:20 PM
Type: Error Category: 2
Event: 4 Source: QuickBooks
An unexpected error has occured in "QuickBooks Desktop Pro 2018":
Runtime not yet initialized

Log: 'Application' Date/Time: 20/11/2017 2:25:10 PM
Type: Error Category: 101
Event: 1002 Source: Application Hang
The program IEXPLORE.EXE version 11.0.9600.18838 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.  Process ID: 1bf0  Start Time: 01d3620ac01a0614  Termination Time: 45  Application Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  Report Id: 

Log: 'Application' Date/Time: 19/11/2017 1:07:36 AM
Type: Error Category: 0
Event: 100 Source: Bonjour Service
Task Scheduling Error: m->NextScheduledSPRetry 8595

Log: 'Application' Date/Time: 19/11/2017 1:07:36 AM
Type: Error Category: 0
Event: 100 Source: Bonjour Service
Task Scheduling Error: m->NextScheduledEvent 8595

Log: 'Application' Date/Time: 19/11/2017 1:07:36 AM
Type: Error Category: 0
Event: 100 Source: Bonjour Service
Task Scheduling Error: Continuously busy for more than a second

Log: 'Application' Date/Time: 18/11/2017 6:08:59 AM
Type: Error Category: 2
Event: 4 Source: QuickBooks
An unexpected error has occured in "QuickBooks Desktop Pro 2018":
QuickBooks has experienced a problem and must be shut down, ErrorCode:2001267491.

Log: 'Application' Date/Time: 18/11/2017 6:08:19 AM
Type: Error Category: 2
Event: 4 Source: QuickBooks
An unexpected error has occured in "QuickBooks Desktop Pro 2018":
DMError Information:-6069Additional Info:An Invalid Id or password was specified.

Log: 'Application' Date/Time: 18/11/2017 6:08:19 AM
Type: Error Category: 2
Event: 4 Source: QuickBooks
An unexpected error has occured in "QuickBooks Desktop Pro 2018":
DBConnPool::HandleConnectionError errorCode:-6069, dbCode:-103 from file:'src\connpool.cpp' at line 1042 from function:'DBMgr::DBConnPool::init'

Log: 'Application' Date/Time: 18/11/2017 6:08:19 AM
Type: Error Category: 2
Event: 4 Source: QuickBooks
An unexpected error has occured in "QuickBooks Desktop Pro 2018":
Connection String:CON=QBConnectionPool-Probe-QB_JB-HP_28;;DBF=C:\Users\Public\Documents\Intuit\QuickBooks\Company Files\Short Haul Concrete LLC.qbw;CommLinks="ShMem,tcpip(IP=192.168.1.91;TO=5;DOBROADCAST=NONE;port=55378)";ServerName=QB_JB-HP_28;DBN=d7c98d3e8f6b445e97bd1f293ae3d7af

Log: 'Application' Date/Time: 18/11/2017 6:08:19 AM
Type: Error Category: 2
Event: 4 Source: QuickBooks
An unexpected error has occured in "QuickBooks Desktop Pro 2018":
Connection Error:Invalid user ID or password

Log: 'Application' Date/Time: 18/11/2017 6:08:18 AM
Type: Error Category: 2
Event: 4 Source: QuickBooks
An unexpected error has occured in "QuickBooks Desktop Pro 2018":
DBConnPool::HandleConnectionError errorCode:-6069, dbCode:-103 from file:'src\connpool.cpp' at line 1042 from function:'DBMgr::DBConnPool::init'

Log: 'Application' Date/Time: 18/11/2017 6:08:18 AM
Type: Error Category: 2
Event: 4 Source: QuickBooks
An unexpected error has occured in "QuickBooks Desktop Pro 2018":
Connection String:CON=QBConnectionPool-Probe-QB_JB-HP_28;;DBF=C:\Users\Public\Documents\Intuit\QuickBooks\Company Files\Short Haul Concrete LLC.qbw;CommLinks="ShMem,tcpip(IP=192.168.1.91;TO=5;DOBROADCAST=NONE;port=55378)";ServerName=QB_JB-HP_28;DBN=22b78cd1a04a48a8ab47312ea0761449

Log: 'Application' Date/Time: 18/11/2017 6:08:18 AM
Type: Error Category: 2
Event: 4 Source: QuickBooks
An unexpected error has occured in "QuickBooks Desktop Pro 2018":
Connection Error:Invalid user ID or password

Log: 'Application' Date/Time: 18/11/2017 5:20:05 AM
Type: Error Category: 2
Event: 4 Source: QuickBooks
An unexpected error has occured in "QuickBooks Desktop Pro 2018":
QuickBooks has experienced a problem and must be shut down, ErrorCode:2008738595.

Log: 'Application' Date/Time: 17/11/2017 10:01:41 PM
Type: Error Category: 2
Event: 4 Source: QuickBooks
An unexpected error has occured in "QuickBooks Desktop Pro 2018":
V28.0D R3 (M=1066, L=335, C=249, V=0 (0))

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 21/11/2017 12:15:49 AM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.     DETAIL -   24 user registry handles leaked from \Registry\User\S-1-5-21-2577112198-3913129868-2286876578-1000:
Process 6992 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 6992 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 6992 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\trust
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\trust
Process 6992 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\My
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\My
Process 6992 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\CA
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\CA
Process 6992 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 6992 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\Root
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\Root
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\TrustedPeople
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 6992 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 6992 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\Disallowed

Log: 'Application' Date/Time: 20/11/2017 11:59:00 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.     DETAIL -   9 user registry handles leaked from \Registry\User\S-1-5-21-2577112198-3913129868-2286876578-1000:
Process 6992 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 6992 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 6992 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\trust
Process 6992 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\My
Process 6992 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\CA
Process 6992 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 6992 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\Root
Process 6992 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 6992 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates

Log: 'Application' Date/Time: 20/11/2017 11:53:05 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.     DETAIL -   8 user registry handles leaked from \Registry\User\S-1-5-21-2577112198-3913129868-2286876578-1000_Classes:
Process 1848 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000_CLASSES
Process 1848 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000_CLASSES
Process 1848 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000_CLASSES
Process 1848 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000_CLASSES
Process 1848 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000_CLASSES
Process 1848 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000_CLASSES
Process 1848 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000_CLASSES
Process 1848 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000_CLASSES

Log: 'Application' Date/Time: 20/11/2017 11:53:05 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.     DETAIL -   35 user registry handles leaked from \Registry\User\S-1-5-21-2577112198-3913129868-2286876578-1000:
Process 6452 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1848 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1848 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1848 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1848 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1848 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1848 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1848 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1848 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1848 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1848 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1848 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1848 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1848 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1848 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 3948 (\Device\HarddiskVolume3\Windows\System32\spoolsv.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 6452 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1848 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\trust
Process 6452 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\trust
Process 1848 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\My
Process 6452 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\My
Process 1848 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\CA
Process 6452 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\CA
Process 1848 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 6452 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 1848 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\Root
Process 6452 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\Root
Process 1848 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\TrustedPeople
Process 1848 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1848 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1848 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1848 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 6452 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 6452 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1848 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\Disallowed

Log: 'Application' Date/Time: 20/11/2017 5:39:25 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.     DETAIL -   1 user registry handles leaked from \Registry\User\S-1-5-21-2577112198-3913129868-2286876578-1000_Classes:
Process 4236 (\Device\HarddiskVolume3\Windows\System32\rundll32.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000_CLASSES

Log: 'Application' Date/Time: 20/11/2017 5:39:25 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.     DETAIL -   24 user registry handles leaked from \Registry\User\S-1-5-21-2577112198-3913129868-2286876578-1000:
Process 4788 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 4788 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1908 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1908 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1908 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1908 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 4788 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\trust
Process 1908 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\trust
Process 1908 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\My
Process 4788 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\My
Process 4788 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\CA
Process 1908 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\CA
Process 4788 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 1908 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 4788 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\Root
Process 1908 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\Root
Process 1908 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\TrustedPeople
Process 4788 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 4788 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1908 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1908 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1908 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1908 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1908 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\Disallowed

Log: 'Application' Date/Time: 19/11/2017 8:42:19 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.     DETAIL -   2 user registry handles leaked from \Registry\User\S-1-5-21-2577112198-3913129868-2286876578-1000_Classes:
Process 2972 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000_CLASSES
Process 10228 (\Device\HarddiskVolume3\Windows\winsxs\amd64_microsoft-windows-rundll32_31bf3856ad364e35_6.1.7601.23755_none_368a88b9dac77673\rundll32.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000_CLASSES

Log: 'Application' Date/Time: 19/11/2017 8:42:19 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.     DETAIL -   32 user registry handles leaked from \Registry\User\S-1-5-21-2577112198-3913129868-2286876578-1000:
Process 6616 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 6616 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 6616 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 6616 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 2972 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 10228 (\Device\HarddiskVolume3\Windows\winsxs\amd64_microsoft-windows-rundll32_31bf3856ad364e35_6.1.7601.23755_none_368a88b9dac77673\rundll32.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 6616 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\trust
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\trust
Process 6616 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\My
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\My
Process 6616 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\CA
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\CA
Process 6616 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 6616 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\Root
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\Root
Process 6616 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\TrustedPeople
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\TrustedPeople
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 6616 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 6616 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 6616 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 6616 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 6616 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\Disallowed
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\Disallowed

Log: 'Application' Date/Time: 18/11/2017 7:17:38 AM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.     DETAIL -   24 user registry handles leaked from \Registry\User\S-1-5-21-2577112198-3913129868-2286876578-1000:
Process 6340 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 6340 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1972 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1972 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1972 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1972 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 6340 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\trust
Process 1972 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\trust
Process 6340 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\My
Process 1972 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\My
Process 6340 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\CA
Process 1972 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\CA
Process 6340 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 1972 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 6340 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\Root
Process 1972 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\Root
Process 1972 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\TrustedPeople
Process 1972 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1972 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1972 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1972 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 6340 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 6340 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1972 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\Disallowed

Log: 'Application' Date/Time: 18/11/2017 6:34:11 AM
Type: Warning Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.

Log: 'Application' Date/Time: 18/11/2017 6:34:11 AM
Type: Warning Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.

Log: 'Application' Date/Time: 18/11/2017 6:24:10 AM
Type: Warning Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.

Log: 'Application' Date/Time: 18/11/2017 6:23:18 AM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.     DETAIL -   9 user registry handles leaked from \Registry\User\S-1-5-21-2577112198-3913129868-2286876578-1000:
Process 6344 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 6344 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 6344 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\trust
Process 6344 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\My
Process 6344 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\CA
Process 6344 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 6344 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\Root
Process 6344 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 6344 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates

Log: 'Application' Date/Time: 18/11/2017 6:16:34 AM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.     DETAIL -   24 user registry handles leaked from \Registry\User\S-1-5-21-2577112198-3913129868-2286876578-1000:
Process 6580 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 6580 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1940 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1940 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1940 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1940 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 6580 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\trust
Process 1940 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\trust
Process 1940 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\My
Process 6580 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\My
Process 6580 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\CA
Process 1940 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\CA
Process 6580 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 1940 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 6580 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\Root
Process 1940 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\Root
Process 1940 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\TrustedPeople
Process 1940 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1940 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1940 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1940 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 6580 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 6580 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1940 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\Disallowed

Log: 'Application' Date/Time: 18/11/2017 5:54:22 AM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.     DETAIL -   24 user registry handles leaked from \Registry\User\S-1-5-21-2577112198-3913129868-2286876578-1000:
Process 7152 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 7152 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1948 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1948 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1948 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1948 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 7152 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\trust
Process 1948 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\trust
Process 7152 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\My
Process 1948 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\My
Process 7152 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\CA
Process 1948 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\CA
Process 7152 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 1948 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 7152 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\Root
Process 1948 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\Root
Process 1948 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\TrustedPeople
Process 1948 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1948 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1948 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1948 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 7152 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 7152 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1948 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\Disallowed

Log: 'Application' Date/Time: 17/11/2017 8:31:07 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.     DETAIL -   24 user registry handles leaked from \Registry\User\S-1-5-21-2577112198-3913129868-2286876578-1000:
Process 1972 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1972 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1972 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1972 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 6764 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 6764 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1972 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\trust
Process 6764 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\trust
Process 1972 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\My
Process 6764 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\My
Process 1972 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\CA
Process 6764 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\CA
Process 1972 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 6764 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 1972 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\Root
Process 6764 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\Root
Process 1972 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\TrustedPeople
Process 6764 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 6764 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1972 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1972 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1972 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1972 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1972 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\Disallowed

Log: 'Application' Date/Time: 17/11/2017 3:42:28 AM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.     DETAIL -   9 user registry handles leaked from \Registry\User\S-1-5-21-2577112198-3913129868-2286876578-1000:
Process 6372 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 6372 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 6372 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\trust
Process 6372 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\My
Process 6372 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\CA
Process 6372 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 6372 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\Root
Process 6372 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 6372 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates

Log: 'Application' Date/Time: 17/11/2017 3:03:27 AM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.     DETAIL -   24 user registry handles leaked from \Registry\User\S-1-5-21-2577112198-3913129868-2286876578-1000:
Process 6372 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 6372 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1960 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1960 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1960 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1960 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 6372 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\trust
Process 1960 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\trust
Process 6372 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\My
Process 1960 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\My
Process 6372 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\CA
Process 1960 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\CA
Process 6372 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 1960 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 6372 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\Root
Process 1960 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\Root
Process 1960 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\TrustedPeople
Process 1960 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1960 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1960 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1960 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 6372 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 6372 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1960 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\Disallowed

Log: 'Application' Date/Time: 16/11/2017 8:59:31 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.     DETAIL -   9 user registry handles leaked from \Registry\User\S-1-5-21-2577112198-3913129868-2286876578-1000:
Process 6540 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 6540 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 6540 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\trust
Process 6540 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\My
Process 6540 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\CA
Process 6540 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 6540 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\Root
Process 6540 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 6540 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates

Log: 'Application' Date/Time: 16/11/2017 2:40:19 AM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.     DETAIL -   15 user registry handles leaked from \Registry\User\S-1-5-21-2577112198-3913129868-2286876578-1000:
Process 1968 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1968 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1968 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1968 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1968 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\trust
Process 1968 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\My
Process 1968 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\CA
Process 1968 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 1968 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\Root
Process 1968 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\TrustedPeople
Process 1968 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1968 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1968 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1968 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1968 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\Disallowed

 

 

 

 

 

Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 21/11/2017 12:31:22 AM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 21/11/2017 12:05:19 AM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.

Log: 'System' Date/Time: 20/11/2017 2:18:17 PM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 21/11/2017 12:05:21 AM
Type: Error Category: 0
Event: 6008 Source: EventLog
The previous system shutdown at 6:04:16 PM on ?11/?20/?2017 was unexpected.

Log: 'System' Date/Time: 21/11/2017 12:04:04 AM
Type: Error Category: 0
Event: 7011 Source: Service Control Manager
A timeout (30000 milliseconds) was reached while waiting for a transaction response from the RtkAudioService service.

Log: 'System' Date/Time: 21/11/2017 12:03:34 AM
Type: Error Category: 0
Event: 7011 Source: Service Control Manager
A timeout (30000 milliseconds) was reached while waiting for a transaction response from the NlaSvc service.

Log: 'System' Date/Time: 21/11/2017 12:03:34 AM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The Application Experience service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.

Log: 'System' Date/Time: 21/11/2017 12:03:34 AM
Type: Error Category: 0
Event: 7011 Source: Service Control Manager
A timeout (30000 milliseconds) was reached while waiting for a transaction response from the AeLookupSvc service.

Log: 'System' Date/Time: 21/11/2017 12:03:04 AM
Type: Error Category: 0
Event: 7011 Source: Service Control Manager
A timeout (30000 milliseconds) was reached while waiting for a transaction response from the MMCSS service.

Log: 'System' Date/Time: 21/11/2017 12:02:59 AM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The Bluetooth Support Service service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.

Log: 'System' Date/Time: 21/11/2017 12:02:59 AM
Type: Error Category: 0
Event: 7009 Source: Service Control Manager
A timeout was reached (30000 milliseconds) while waiting for the Bluetooth Support Service service to connect.

Log: 'System' Date/Time: 20/11/2017 5:58:12 PM
Type: Error Category: 0
Event: 10016 Source: Microsoft-Windows-DistributedCOM
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID  {C97FCC79-E628-407D-AE68-A06AD6D8B4D1}  and APPID  {344ED43D-D086-4961-86A6-1106F4ACAD9B}  to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

Log: 'System' Date/Time: 20/11/2017 5:57:39 PM
Type: Error Category: 0
Event: 10016 Source: Microsoft-Windows-DistributedCOM
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID  {C97FCC79-E628-407D-AE68-A06AD6D8B4D1}  and APPID  {344ED43D-D086-4961-86A6-1106F4ACAD9B}  to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

Log: 'System' Date/Time: 20/11/2017 2:19:54 PM
Type: Error Category: 0
Event: 10016 Source: Microsoft-Windows-DistributedCOM
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID  {C97FCC79-E628-407D-AE68-A06AD6D8B4D1}  and APPID  {344ED43D-D086-4961-86A6-1106F4ACAD9B}  to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

Log: 'System' Date/Time: 20/11/2017 2:19:22 PM
Type: Error Category: 0
Event: 10016 Source: Microsoft-Windows-DistributedCOM
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID  {C97FCC79-E628-407D-AE68-A06AD6D8B4D1}  and APPID  {344ED43D-D086-4961-86A6-1106F4ACAD9B}  to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

Log: 'System' Date/Time: 20/11/2017 2:18:19 PM
Type: Error Category: 0
Event: 6008 Source: EventLog
The previous system shutdown at 8:17:16 AM on ?11/?20/?2017 was unexpected.

Log: 'System' Date/Time: 19/11/2017 8:28:47 PM
Type: Error Category: 0
Event: 36 Source: volsnap
The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.

Log: 'System' Date/Time: 18/11/2017 11:46:16 PM
Type: Error Category: 0
Event: 10016 Source: Microsoft-Windows-DistributedCOM
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID  {C97FCC79-E628-407D-AE68-A06AD6D8B4D1}  and APPID  {344ED43D-D086-4961-86A6-1106F4ACAD9B}  to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

Log: 'System' Date/Time: 18/11/2017 11:45:14 PM
Type: Error Category: 0
Event: 10016 Source: Microsoft-Windows-DistributedCOM
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID  {C97FCC79-E628-407D-AE68-A06AD6D8B4D1}  and APPID  {344ED43D-D086-4961-86A6-1106F4ACAD9B}  to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

Log: 'System' Date/Time: 18/11/2017 6:36:56 AM
Type: Error Category: 0
Event: 10016 Source: Microsoft-Windows-DistributedCOM
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID  {C97FCC79-E628-407D-AE68-A06AD6D8B4D1}  and APPID  {344ED43D-D086-4961-86A6-1106F4ACAD9B}  to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

Log: 'System' Date/Time: 18/11/2017 6:36:45 AM
Type: Error Category: 0
Event: 10016 Source: Microsoft-Windows-DistributedCOM
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID  {C97FCC79-E628-407D-AE68-A06AD6D8B4D1}  and APPID  {344ED43D-D086-4961-86A6-1106F4ACAD9B}  to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

Log: 'System' Date/Time: 18/11/2017 6:35:21 AM
Type: Error Category: 0
Event: 12291 Source: Microsoft-Windows-Directory-Services-SAM
SAM failed to start the TCP/IP or SPX/IPX listening thread

Log: 'System' Date/Time: 18/11/2017 6:35:21 AM
Type: Error Category: 0
Event: 7023 Source: Service Control Manager
The IPsec Policy Agent service terminated with the following error:  The authentication service is unknown.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 21/11/2017 12:15:50 AM
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.

Log: 'System' Date/Time: 20/11/2017 11:59:01 PM
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.

Log: 'System' Date/Time: 20/11/2017 11:53:06 PM
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.

Log: 'System' Date/Time: 20/11/2017 11:45:54 PM
Type: Warning Category: 212
Event: 219 Source: Microsoft-Windows-Kernel-PnP
The driver \Driver\WUDFRd failed to load for the device WpdBusEnumRoot\UMB\2&37c186b&1&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_&PROD_USB_DISK_2.0&REV_PMAP#070B53D328489639&0#.

Log: 'System' Date/Time: 20/11/2017 11:08:44 PM
Type: Warning Category: 0
Event: 1014 Source: Microsoft-Windows-DNS-Client
Name resolution for the name wpad.attlocal.net timed out after none of the configured DNS servers responded.

Log: 'System' Date/Time: 20/11/2017 7:26:19 PM
Type: Warning Category: 0
Event: 1014 Source: Microsoft-Windows-DNS-Client
Name resolution for the name isatap.attlocal.net timed out after none of the configured DNS servers responded.

Log: 'System' Date/Time: 20/11/2017 5:39:26 PM
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.

Log: 'System' Date/Time: 19/11/2017 8:07:26 PM
Type: Warning Category: 0
Event: 1014 Source: Microsoft-Windows-DNS-Client
Name resolution for the name isatap.attlocal.net timed out after none of the configured DNS servers responded.

Log: 'System' Date/Time: 18/11/2017 11:46:16 PM
Type: Warning Category: 212
Event: 219 Source: Microsoft-Windows-Kernel-PnP
The driver \Driver\WUDFRd failed to load for the device USB\VID_05AC&PID_12A8&MI_00\0.

Log: 'System' Date/Time: 18/11/2017 7:17:39 AM
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.

Log: 'System' Date/Time: 18/11/2017 6:35:22 AM
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.

Log: 'System' Date/Time: 18/11/2017 6:34:49 AM
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.

Log: 'System' Date/Time: 18/11/2017 6:23:59 AM
Type: Warning Category: 212
Event: 219 Source: Microsoft-Windows-Kernel-PnP
The driver \Driver\klhk failed to load for the device Root\SYSTEM\0001.

Log: 'System' Date/Time: 18/11/2017 6:23:20 AM
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.

Log: 'System' Date/Time: 18/11/2017 6:16:35 AM
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.

Log: 'System' Date/Time: 18/11/2017 5:54:23 AM
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.

Log: 'System' Date/Time: 18/11/2017 5:17:27 AM
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.

Log: 'System' Date/Time: 18/11/2017 12:53:38 AM
Type: Warning Category: 0
Event: 1014 Source: Microsoft-Windows-DNS-Client
Name resolution for the name isatap.attlocal.net timed out after none of the configured DNS servers responded.

Log: 'System' Date/Time: 17/11/2017 3:42:30 AM
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.

Log: 'System' Date/Time: 17/11/2017 2:38:22 AM
Type: Warning Category: 212
Event: 219 Source: Microsoft-Windows-Kernel-PnP
The driver \Driver\WUDFRd failed to load for the device WpdBusEnumRoot\UMB\2&37c186b&1&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_&PROD_USB_DISK_2.0&REV_PMAP#070B53D328489639&0#.

 

 

 


  • 0

#27
RKinner
Posted 21 November 2017 - 07:24 AM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP

In Rogue Killer, check these and let it delete them:

 

[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found

 

[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2577112198-3913129868-2286876578-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2577112198-3913129868-2286876578-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2577112198-3913129868-2286876578-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2577112198-3913129868-2286876578-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found

 

 

RK objects to running HPDiagnosticCoreUI.exe (part of HP Print and Scan Doctor) from a temp file but it's not malware so I'd leave it.

 

The things it did find are minor so no help there.  Close RK.

 

In your event logs, QB is complaining about Host Start

 

Log: 'Application' Date/Time: 21/11/2017 12:07:51 AM
Type: Error Category: 2
Event: 4 Source: QuickBooks
An unexpected error has occured in "QuickBooks Desktop Pro 2018":
Host Start  failed

 

 

 

Don't know much about QB so not sure what Host Start is

Perhaps it has to do with one of the two services shown in FRST:

 

S3 QBFCService; C:\Program Files (x86)\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [65536 2017-08-10] (Intuit Inc.) [File not signed]
R3 QuickBooksDB28; C:\Program Files (x86)\Intuit\QuickBooks 2018\QBDBMgrN.exe [467968 2017-08-10] (Intuit, Inc.) [File not signed]

 

 

 

It seems odd that QB would be using unsigned files.  There was a SHA-2 update that is required for newer signed files so perhaps you are missing it.

 

See if you have

KB3033929

 

https://www.microsof...s.aspx?id=46148

 

If you are not sure you can try to download and install it. 

 

I've got to walk the dog so will continues this later


  • 0

#28
shorthaul99
Posted 21 November 2017 - 08:14 AM

shorthaul99

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 133 posts

I got some errors when trying to remove the requested line items...not sure if it matters but here is the log: 

 

 

 

RogueKiller V12.11.25.0 (x64) [Nov 20 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.co...ad/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : JB [Administrator]
Started from : C:\Users\JB\Desktop\RogueKiller_portable64.exe
Mode : Delete -- Date : 11/20/2017 23:48:11 (Duration : 00:33:55)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 58 ¤¤¤
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Replaced (http://search.msn.com/spbasic.htm)
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Replaced (http://search.msn.com/spbasic.htm)
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5A134DD5-9609-460B-876D-D6D240D948BF} | DhcpNameServer : 172.20.10.1 ([])  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{5A134DD5-9609-460B-876D-D6D240D948BF} | DhcpNameServer : 172.20.10.1 ([])  -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {07B06AB4-522B-4C4F-B99D-9DE5873EDB03} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS16D5\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {78A2AA77-A970-43C6-98D7-C6C6D5659933} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS16D5\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {9077B2AE-2F18-4FB7-B757-AE122B015C53} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS18B2\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {88571F9F-D999-4DEA-B108-F9DF772450A7} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS18B2\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {7A27F99D-B365-4AF9-A185-58ED93305AC1} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS2790\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {9E94AFF2-4632-42D9-8000-DCCE635A8EE7} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS2790\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {BC856DA0-34DF-48E9-9334-EDF9B9ED8258} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS27D8\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {A1038E70-2382-419D-9D8D-87CF1A1806A0} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS27D8\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {44A3F013-F920-4448-86CE-41B358FC2138} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS27A4\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {BADF1A0F-BBDF-4F91-895F-184DC93E6A3A} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS27A4\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {92652BF0-8A8A-49C6-A477-E349AD1C697F} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS2977\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {541920F7-9E3C-4240-93A5-2E9EB4EB3DDF} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS2977\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {88D60679-EACF-4B70-882A-330A9B3BB57A} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS3DD2\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {633FA523-67CC-4FA3-B869-D090138C3265} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS3DD2\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {405C44A0-E411-46C2-AAFC-CC1F60B57B9B} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS3DFC\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {832B3613-2108-46B5-921B-1036F32016C6} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS3DFC\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {9DB2E288-D457-4FB1-B9B0-1354E8C6D2BA} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS2E35\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {D357794E-00DA-4B04-BE5F-AF1981ECB3B7} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS2E35\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {140573B5-1C0F-4732-972C-31FD0614CB10} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Users\JB\AppData\Local\Temp\7zS5EC7\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {96CC9EEC-1223-4FFE-B43F-7A0D4D402D58} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Users\JB\AppData\Local\Temp\7zS5EC7\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {CBEB0721-EE38-4D82-B7FB-4473BC65E689} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Users\JB\AppData\Local\Temp\7zS5EF4\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {1A69642B-024F-4E0A-963F-415262C257C4} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Users\JB\AppData\Local\Temp\7zS5EF4\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {A046F598-86DB-47E1-B726-E59DF19750A9} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Users\JB\AppData\Local\Temp\7zS6112\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {28C34809-E0DD-4A71-88F7-543778E3D5FF} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Users\JB\AppData\Local\Temp\7zS6112\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {07B06AB4-522B-4C4F-B99D-9DE5873EDB03} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS16D5\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {78A2AA77-A970-43C6-98D7-C6C6D5659933} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS16D5\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {9077B2AE-2F18-4FB7-B757-AE122B015C53} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS18B2\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {88571F9F-D999-4DEA-B108-F9DF772450A7} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS18B2\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {7A27F99D-B365-4AF9-A185-58ED93305AC1} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS2790\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {9E94AFF2-4632-42D9-8000-DCCE635A8EE7} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS2790\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {BC856DA0-34DF-48E9-9334-EDF9B9ED8258} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS27D8\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {A1038E70-2382-419D-9D8D-87CF1A1806A0} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS27D8\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {44A3F013-F920-4448-86CE-41B358FC2138} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS27A4\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {BADF1A0F-BBDF-4F91-895F-184DC93E6A3A} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS27A4\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {92652BF0-8A8A-49C6-A477-E349AD1C697F} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS2977\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {541920F7-9E3C-4240-93A5-2E9EB4EB3DDF} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS2977\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {88D60679-EACF-4B70-882A-330A9B3BB57A} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS3DD2\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {633FA523-67CC-4FA3-B869-D090138C3265} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS3DD2\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {405C44A0-E411-46C2-AAFC-CC1F60B57B9B} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS3DFC\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {832B3613-2108-46B5-921B-1036F32016C6} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS3DFC\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {9DB2E288-D457-4FB1-B9B0-1354E8C6D2BA} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS2E35\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {D357794E-00DA-4B04-BE5F-AF1981ECB3B7} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\JB\AppData\Local\Temp\7zS2E35\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {140573B5-1C0F-4732-972C-31FD0614CB10} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Users\JB\AppData\Local\Temp\7zS5EC7\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {96CC9EEC-1223-4FFE-B43F-7A0D4D402D58} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Users\JB\AppData\Local\Temp\7zS5EC7\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {CBEB0721-EE38-4D82-B7FB-4473BC65E689} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Users\JB\AppData\Local\Temp\7zS5EF4\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {1A69642B-024F-4E0A-963F-415262C257C4} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Users\JB\AppData\Local\Temp\7zS5EF4\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {A046F598-86DB-47E1-B726-E59DF19750A9} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Users\JB\AppData\Local\Temp\7zS6112\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {28C34809-E0DD-4A71-88F7-543778E3D5FF} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Users\JB\AppData\Local\Temp\7zS6112\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Not selected
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Replaced (1)
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Replaced (1)
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2577112198-3913129868-2286876578-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> ERROR [2]
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2577112198-3913129868-2286876578-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> ERROR [2]
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2577112198-3913129868-2286876578-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> ERROR [2]
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2577112198-3913129868-2286876578-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> ERROR [2]

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Samsung SSD 850 PRO 512G SCSI Disk Device +++++
--- User ---
[MBR] a0df6803bfd5f93786ffb521cdd4a3c7
[BSP] ef5444ce539a871217aac157ae0020e8 : Empty|VT.Unknown MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 100 MB
1 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 206848 | Size: 128 MB
2 - Basic data partition | Offset (sectors): 468992 | Size: 488153 MB
User = LL1 ... OK
User = LL2 ... OK


  • 0

#29
shorthaul99
Posted 21 November 2017 - 08:21 AM

shorthaul99

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 133 posts

That security update patch has already been installed.


  • 0

#30
RKinner
Posted 21 November 2017 - 09:10 AM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP

I would complain to QB about the two files not being signed.

 

Search for

 

services.msc

 

hit Enter

 

This should bring up the services menu.

 

See if the two QuickBook services are started.

 

QBFCService

QuickBooksDB28

 

The display names will be different but they will start with Q.

 

While in Systems Window, find

 Windows Driver Foundation - User-mode Driver Framework

right click and select Properties then change Startup Type:  from Manual to Automatic.  OK.
That should fix

 

Event: 219 Source: Microsoft-Windows-Kernel-PnP
The driver \Driver\WUDFRd failed to load for the device WpdBusEnumRoot\UMB\2&37c186b&1&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_&PROD_USB_DISK_2.0&REV_PMAP#070B53D328489639&0#.

Log: 'System' Date/Time: 20/11/2017 11:08:44 PM
Type: Warning Category: 0

 

 

 

Also check
Multimedia Class Scheduler Service

Is it running?

 

 

Uninstall: Bonjour .  It's not working or Kaspersky is blocking it.

 

I see an IE error.  We saw a problem with IE in SFC so let's see what FRST says about the file:

Open FRST, put

iesysprep.dll

in the search box and hit Search Files.  You will eventually get a log.  Please post it.

 

  You are getting

 

Log: 'System' Date/Time: 18/11/2017 6:35:21 AM
Type: Error Category: 0
Event: 12291 Source: Microsoft-Windows-Directory-Services-SAM
SAM failed to start the TCP/IP or SPX/IPX listening thread

 

 

 

See if the procedure on

 

https://technet.micr...2(v=ws.10).aspx

 

works.

 

 

Log: 'System' Date/Time: 18/11/2017 6:35:21 AM
Type: Error Category: 0
Event: 7023 Source: Service Control Manager
The IPsec Policy Agent service terminated with the following error:  The authentication service is unknown.

 

Try this:

 

http://www.howtonetw...ebuildipsec.htm

 

When done,

 

Right click on (My) Computer and select Manage (Continue) Then click on the arrow in front of Event Viewer. Next Click on the arrow in front of Windows Logs Right click on System and Clear Log, Clear. Repeat for Application.

Reboot.

 

Run VEW and post both logs


  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP