[shorthaul99]

 

 

 

 

 

Also check
Multimedia Class Scheduler Service

Is it running?

 

No, it's not running but it is set to start automatically.

 

 

 

FRST LOG:

 

 

 

Farbar Recovery Scan Tool (x64) Version: 19-11-2017
Ran by JB (21-11-2017 10:27:56)
Running from C:\Users\JB\Desktop
Boot Mode: Normal

================== Search Files: "iesysprep.dll" =============

C:\Windows\winsxs\x86_microsoft-windows-ie-sysprep_31bf3856ad364e35_8.0.7601.17514_none_3853caf38f4097bb\iesysprep.dll
[2010-11-20 21:25][2010-11-20 21:25] 000114688 _____ (Microsoft Corporation) 3F0C0726F7C24E852D1590ABE721877D [File is digitally signed]

C:\Windows\winsxs\wow64_microsoft-windows-ie-sysprep_31bf3856ad364e35_11.2.9600.16428_none_083dd731036b79d4\iesysprep.dll
[2016-12-16 19:13][2016-02-18 13:49] 000105984 _____ (Microsoft Corporation) 0FBEBD36FEFFEE5AF25FDAEE5E35EE99 [File is digitally signed]

C:\Windows\winsxs\amd64_microsoft-windows-ie-sysprep_31bf3856ad364e35_8.0.7600.16385_none_924152af4aaf8557\iesysprep.dll
[2009-07-13 17:58][2009-07-13 19:41] 000138240 _____ (Microsoft Corporation) 601967E0B6C921E1077CBCC18CE46B5F [File is digitally signed]

C:\Windows\winsxs\amd64_microsoft-windows-ie-sysprep_31bf3856ad364e35_11.2.9600.16428_none_fde92cdecf0ab7d9\iesysprep.dll
[2016-12-10 21:04][2016-02-18 13:49] 000105984 _____ (Microsoft Corporation) 0FBEBD36FEFFEE5AF25FDAEE5E35EE99 [File is digitally signed]

C:\Windows\SysWOW64\iesysprep.dll
[2013-12-03 19:01][2016-02-18 13:49] 000086016 _____ (Microsoft Corporation) 83F49FD1BC0A999B006D564C540C7258 [File is digitally signed]

C:\Windows\System32\iesysprep.dll
[2013-12-03 19:01][2016-02-18 13:49] 000105984 _____ (Microsoft Corporation) 0FBEBD36FEFFEE5AF25FDAEE5E35EE99 [File is digitally signed]

C:\SFCFix\Backups\C\windows\winsxs\wow64_microsoft-windows-ie-sysprep_31bf3856ad364e35_11.2.9600.16428_none_083dd731036b79d4\iesysprep.dll
[2017-11-17 23:52][2016-02-18 13:49] 000105984 _____ (Microsoft Corporation) 0FBEBD36FEFFEE5AF25FDAEE5E35EE99 [File is digitally signed]

====== End of Search ======

 

 

 

See if the procedure on

 

https://technet.micr...2(v=ws.10).aspx

 

works.

 

 

 

Microsoft Windows [Version 6.1.7601]
Copyright © 2009 Microsoft Corporation.  All rights reserved.

C:\windows\system32>net accounts
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.

C:\windows\system32>

 

 

 

 

Log: 'System' Date/Time: 18/11/2017 6:35:21 AM
Type: Error Category: 0
Event: 7023 Source: Service Control Manager
The IPsec Policy Agent service terminated with the following error:  The authentication service is unknown.

 

Try this:

 

http://www.howtonetw...ebuildipsec.htm

 

 

There was nothing in the registry of the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\IPsec\Policy\Local

so I went to Click Start, click Run, type regsvr32 polstore.dll, and then click OK and got this error

 

 

 

 

 

 

OK REBOOTING AND POSTING NOW SO I DON'T LOOSE MY WORK SO FAR. VEW logs coming after reboot...

 

 

 

[Advertisements]

Also check
Multimedia Class Scheduler Service

Is it running?

 

No, it's not running but it is set to start automatically.

 

 

Will it start if you tell it to?  Does it give you an error?

[RKinner]

Also check
Multimedia Class Scheduler Service

Is it running?

 

No, it's not running but it is set to start automatically.

 

 

Will it start if you tell it to?  Does it give you an error?

[shorthaul99]

Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 21/11/2017 11:01:09 AM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 21/11/2017 4:59:47 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.     DETAIL -   24 user registry handles leaked from \Registry\User\S-1-5-21-2577112198-3913129868-2286876578-1000:
Process 6436 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 6436 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000
Process 6436 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\trust
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\trust
Process 6436 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\My
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\My
Process 6436 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\CA
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\CA
Process 6436 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 6436 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\Root
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\Root
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\TrustedPeople
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 6436 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 6436 (\Device\HarddiskVolume3\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Policies\Microsoft\SystemCertificates
Process 1952 (\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2577112198-3913129868-2286876578-1000\Software\Microsoft\SystemCertificates\Disallowed

 

 

 

 

 

 

Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 21/11/2017 11:03:03 AM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 21/11/2017 4:59:48 PM
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.

 

 

[shorthaul99]

 

Also check
Multimedia Class Scheduler Service

Is it running?

 

No, it's not running but it is set to start automatically.

 

 

Will it start if you tell it to?  Does it give you an error?

 

 

I just checked services and after the reboot, it's now up and running.

[RKinner]

Looks better.  Now if only Kaspersky would get their act together.  Assume you do have the latest version?  Have you asked on their forum about the registry key problem?

[shorthaul99]

No sir. I was only following your advise to the tee until further notice. I try not to have too many irons in the fire and undermine any progress we make together. I will post it on their forum now.

[RKinner]

Try your QB again and if it fails, make new VEW logs.

[shorthaul99]

Email from Kaspersky:

 

 

 

Hello ,

Thank you for contacting Kaspersky Lab Support.

My name is Syrene and I will be your Support today.


I apologize for the inconvenience that you have been having with your Kaspersky products, rest assured that I will do my best to help you get this resolved as quickly as possible.

To further investigate the issue and for us to be able to provide you to correct troubleshooting step to resolve this concern, please provide us a screenshot with the exact registry error message.

Can you show me what you see with a screenshot? For more details, here are instructions on how to take a screenshot: http://support.kaspersky.com/us/492?cid=pe

Thank you and have a great day!


Having trouble with the steps we provided? We want to help! Please contact us right away using one of our live support options (available every day from 5:00am – 11:00pm Eastern Time): http://supportkaspersky.com/us/b2c#region and reference your incident ID so we can better assist you.

If your issue has been resolved, please let us know. If you do not reply we will automatically resolve your request in 7 day(s).

Best regards,
Syrene R | Technical Support | Kaspersky Lab

Confidentiality Notice
This email message, and any attachments hereto, are for the sole use of the intended recipients, and may contain confidential and proprietary information. Any unauthorized use, disclosure or distribution of this email message or its attachments is prohibited. If you are not the intended recipient, please notify the sender by reply email and permanently delete this message and its attachments.

 

 

I have no idea what she is wanting me to screen shot. I already sent them the error results from the application log from VEW.

 

Please advise.

[RKinner]

The guy's an idiot but if he wants a screenshot give him this:

 

Right click on My Computer and select Manage Then click on the arrow in front of Event Viewer. Next Click on the arrow in front of Windows Logs click on Application.

 

Then at the top of the list click on Level.  This will sort the errors so that all of the errors are either at the top or bottom of the list.  Move to the Warning errored section and click on
Event: 1530 Source: Microsoft-Windows-User Profiles Service.  This should show the details in the bottom pane.  Take a screen shot of that and send it to him.  Emphasize that there is no popup - just Kaspersky caused errors in the event log.

[shorthaul99]

I'm on the fourth email string with Kaspersky and here is the latest response and hopefully we will hear back soon...

 

 

Hello ,

We do appreciate your patience. By the way, my name is Murphy and I'm one of the technicians. We were able to receive the attachment from you. I will escalate this case and we will notify you once we get any update from our escalation team.

 

 

Best regards,
Murphy M | Technical Support | Kaspersky Lab

[RKinner]

Even if they fix the problem I doubt it will have any effect on QB.

 

Try catching QB again with Process Monitor.  Even if it won't fail we will then know what programs and registry entries are important to it.

[shorthaul99]

I just finished QB and tried to email and it crashed...I saved the process file and here is the link.

 

(By the way, HOLY CRAP!! That's a butt load of info in 7 seconds!)

 

 

https://www.dropbox....ogfile.PML?dl=0

[RKinner]

Can you catch it once when it worked so I can compare?

 

So far the only thing that seems odd is a reference to Office Click to Run.  Doesn't seem like it should be there but it's probably just a leftover from the OEM install.

 

I can see where things start to fall apart at 8:05:06.9668707

 

Result:    PATH NOT FOUND
Path:    C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\INTUIT\QUICKBOOKS 2018\FileLocations.ini
TID:    6940
 

I expect this is not the problem, just part of the minidmp creation process.  It's common for Windows to check several locations before finding what it wants.

 

Could you find the file:

 

 C:\ProgramData\Intuit\QuickBooks 2018\Components\Messages\LEDCLSConfig.XML

 

zip it up and attach it

 

[shorthaul99]

Here is the requested zip file

 

 LEDCLSConfig.zip   362bytes   186 downloads

[RKinner]

OK.  It is trying to talk to:

 

https://led.qbdt.int...neLoggerServlet

 

If I paste that into the URL box on my browser and hit Enter it tells me

HTTP Status 405 - Method Not Allowed

 

Is that what you get?  Any luck capturing a process monitor of when it worked?