Edited by DAV2, 24 February 2012 - 09:21 AM.
TRO/ROOT KIT?
#196
Posted 24 February 2012 - 09:06 AM
#197
Posted 24 February 2012 - 09:10 AM
Edited by DAV2, 24 February 2012 - 09:24 AM.
#198
Posted 24 February 2012 - 09:31 AM
#199
Posted 24 February 2012 - 11:04 AM
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop:
2. Right-click VEW.exe and Run as Administrator
3. Under 'Select log to query', select:
* System
4. Under 'Select type to list', select:
* Error
* Warning
Then use the 'Number of events' as follows:
1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.
Please post the output log in your next reply, then repeat but select Application.
Ron
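The same query Ron's VEW steps perform, as an added example that is not part of this thread or of VEW: it uses the built-in Get-WinEvent cmdlet to pull the 20 most recent Error and Warning events from the System and Application logs, and goes one step further by grouping them by source and event ID so that one noisy source logged many times stands out from genuinely distinct problems. The output file names and the Desktop location are assumptions, not anything from the thread.

```powershell
# Added example (not from the thread or from VEW): query the System and
# Application logs for the 20 most recent Error/Warning events, the way the
# VEW steps above do, and write each log's result to a text file.
# Run from an elevated PowerShell prompt (Run as Administrator).
# Assumption: output goes to <Desktop>\System-events.txt and
# <Desktop>\Application-events.txt; change $outDir if you prefer elsewhere.

$logs   = 'System', 'Application'
$levels = 2, 3          # Event log levels: 1 = Critical, 2 = Error, 3 = Warning
$count  = 20            # Same as 'Number of events' = 20 in VEW
$outDir = [Environment]::GetFolderPath('Desktop')

foreach ($log in $logs) {
    # FilterHashtable is evaluated by the event log service, so this is much
    # faster than piping every event through Where-Object.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = $log
        Level   = $levels
    } -MaxEvents $count -ErrorAction SilentlyContinue

    $outFile = Join-Path $outDir "$log-events.txt"

    if (-not $events) {
        "No Error or Warning events found in the '$log' log." | Out-File -FilePath $outFile
        continue
    }

    # Section 1: one record per event, with the same fields VEW prints
    # (time, type, event ID, source, message text).
    "==== '$log' log: last $($events.Count) Error/Warning events ====" |
        Out-File -FilePath $outFile
    $events |
        Select-Object TimeCreated, LevelDisplayName, Id, ProviderName, Message |
        Format-List |
        Out-File -FilePath $outFile -Append -Width 4096

    # Section 2: triage aid. Count how many of the events share the same
    # source and event ID. A single source repeating the same ID (for example
    # the ESENT 902 entries in the log posted above) inflates the error total
    # without indicating that many separate faults.
    "==== '$log' log: events grouped by source and ID ====" |
        Out-File -FilePath $outFile -Append
    $events |
        Group-Object ProviderName, Id |
        Sort-Object Count -Descending |
        Select-Object Count, @{ Name = 'Source, EventId'; Expression = { $_.Name } } |
        Format-Table -AutoSize |
        Out-File -FilePath $outFile -Append -Width 4096

    Write-Host "Wrote $($events.Count) '$log' events to $outFile"
}
```

The grouped section is what to look at first when a log seems to have "hundreds of errors": if most of them collapse into two or three source/ID pairs, the follow-up is on those few components rather than on the raw count.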
#200
Posted 26 February 2012 - 08:27 AM
Report run at 26/02/2012 8:16:16 AM
Note: All dates below are in the format dd/mm/yyyy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 24/01/2012 12:04:15 AM
Type: Error Category: 0
Event: 7023 Source: Service Control Manager
The event description cannot be found.
Log: 'System' Date/Time: 24/01/2012 12:02:22 AM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The avast! Firewall service failed to start due to the following error: The system cannot find the path specified.
Log: 'System' Date/Time: 24/01/2012 12:02:22 AM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The avast! Antivirus service failed to start due to the following error: The system cannot find the path specified.
Log: 'System' Date/Time: 24/01/2012 12:02:17 AM
Type: Error Category: 0
Event: 7031 Source: Service Control Manager
The avast! Firewall service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
Log: 'System' Date/Time: 24/01/2012 12:02:16 AM
Type: Error Category: 0
Event: 7031 Source: Service Control Manager
The avast! Antivirus service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
Log: 'System' Date/Time: 22/01/2012 11:22:42 PM
Type: Error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: cdrom
Log: 'System' Date/Time: 23/01/2012 12:22:51 AM
Type: Error Category: 0
Event: 7023 Source: Service Control Manager
The Windows Update service terminated with the following error: %%-2147467243
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 24/02/2012 12:26:41 AM
Type: Warning Category: 0
Event: 134 Source: Microsoft-Windows-Time-Service
NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on ''. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The error was: The requested name is valid, but no data of the requested type was found. (0x80072AFC)
Log: 'System' Date/Time: 23/01/2012 11:12:06 PM
Type: Warning Category: 0
Event: 1014 Source: Microsoft-Windows-DNS-Client
Name resolution for the name teredo.ipv6.microsoft.com timed out after none of the configured DNS servers responded.
Log: 'System' Date/Time: 23/01/2012 10:34:05 PM
Type: Warning Category: 0
Event: 1014 Source: Microsoft-Windows-DNS-Client
Name resolution for the name teredo.ipv6.microsoft.com timed out after none of the configured DNS servers responded.
Log: 'System' Date/Time: 23/01/2012 9:45:08 PM
Type: Warning Category: 0
Event: 1014 Source: Microsoft-Windows-DNS-Client
Name resolution for the name teredo.ipv6.microsoft.com timed out after none of the configured DNS servers responded.
Log: 'System' Date/Time: 23/01/2012 6:42:23 PM
Type: Warning Category: 0
Event: 134 Source: Microsoft-Windows-Time-Service
NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on ''. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The error was: The requested name is valid, but no data of the requested type was found. (0x80072AFC)
Log: 'System' Date/Time: 23/01/2012 6:42:11 PM
Type: Warning Category: 0
Event: 134 Source: Microsoft-Windows-Time-Service
NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on ''. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The error was: The requested name is valid, but no data of the requested type was found. (0x80072AFC)
Log: 'System' Date/Time: 23/01/2012 6:37:17 PM
Type: Warning Category: 0
Event: 1014 Source: Microsoft-Windows-DNS-Client
Name resolution for the name teredo.ipv6.microsoft.com timed out after none of the configured DNS servers responded.
Ron, it looks like Win turns “mscorsvc” into malware when it is loaded into prefetch. Is there a way to stop Win from doing this? Win still makes contact with Akamai and MS even though I have all updates turned off for Win and state I do not want to participate in any sharing of information. Is there any way to stop Win from doing that so that I am the only one using my computer?
Win went from 0 errors before connecting to the internet to over 500 errors after connecting to the internet, including turning off all a/v and losing where it was. Is there a way to stop Win from doing that?
Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 26/02/2012 8:21:23 AM
Note: All dates below are in the format dd/mm/yyyy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 25/02/2012 11:41:32 PM
Type: Error Category: 3
Event: 1019 Source: Microsoft-Windows-Search
Windows Search Service failed to process the list of included and excluded locations with the error <30, 0x80070002, "iehistory://{S-1-5-21-1597377118-1586821561-2157718051-1000}/">.
Log: 'Application' Date/Time: 25/02/2012 9:37:36 PM
Type: Error Category: 0
Event: 8194 Source: VSS
Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied. . This is often caused by incorrect security settings in either the writer or requestor process.
Operation:
Gathering Writer Data
Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {482308b6-b3f1-4d99-a695-fa7b3bf32565}
Log: 'Application' Date/Time: 24/02/2012 2:45:08 AM
Type: Error Category: 14
Event: 902 Source: ESENT
Windows (1180) Windows: The database engine detected multiple threads illegally using the same database session to perform database operations. SessionId: 0x0000000000F90EC0 Session-context: 0x00000000 Session-context ThreadId: 0x0000000000000928 Current ThreadId: 0x0000000000000948
Log: 'Application' Date/Time: 24/02/2012 2:45:08 AM
Type: Error Category: 14
Event: 902 Source: ESENT
Windows (1180) Windows: The database engine detected multiple threads illegally using the same database session to perform database operations. SessionId: 0x0000000000F90EC0 Session-context: 0x00000000 Session-context ThreadId: 0x0000000000000928 Current ThreadId: 0x0000000000000948
Log: 'Application' Date/Time: 24/02/2012 2:45:08 AM
Type: Error Category: 14
Event: 902 Source: ESENT
Windows (1180) Windows: The database engine detected multiple threads illegally using the same database session to perform database operations. SessionId: 0x0000000000F90EC0 Session-context: 0x00000000 Session-context ThreadId: 0x0000000000000928 Current ThreadId: 0x0000000000000948
Log: 'Application' Date/Time: 24/02/2012 2:45:08 AM
Type: Error Category: 14
Event: 902 Source: ESENT
Windows (1180) Windows: The database engine detected multiple threads illegally using the same database session to perform database operations. SessionId: 0x0000000000F90EC0 Session-context: 0x00000000 Session-context ThreadId: 0x0000000000000928 Current ThreadId: 0x0000000000000948
Log: 'Application' Date/Time: 24/02/2012 2:45:08 AM
Type: Error Category: 14
Event: 902 Source: ESENT
Windows (1180) Windows: The database engine detected multiple threads illegally using the same database session to perform database operations. SessionId: 0x0000000000F90EC0 Session-context: 0x00000000 Session-context ThreadId: 0x0000000000000928 Current ThreadId: 0x0000000000000948
Log: 'Application' Date/Time: 24/02/2012 2:45:08 AM
Type: Error Category: 14
Event: 902 Source: ESENT
Windows (1180) Windows: The database engine detected multiple threads illegally using the same database session to perform database operations. SessionId: 0x0000000000F90EC0 Session-context: 0x00000000 Session-context ThreadId: 0x0000000000000928 Current ThreadId: 0x0000000000000948
Log: 'Application' Date/Time: 24/02/2012 2:45:08 AM
Type: Error Category: 14
Event: 902 Source: ESENT
Windows (1180) Windows: The database engine detected multiple threads illegally using the same database session to perform database operations. SessionId: 0x0000000000F90EC0 Session-context: 0x00000000 Session-context ThreadId: 0x0000000000000928 Current ThreadId: 0x0000000000000948
Log: 'Application' Date/Time: 24/02/2012 2:45:08 AM
Type: Error Category: 14
Event: 902 Source: ESENT
Windows (1180) Windows: The database engine detected multiple threads illegally using the same database session to perform database operations. SessionId: 0x0000000000F90EC0 Session-context: 0x00000000 Session-context ThreadId: 0x0000000000000928 Current ThreadId: 0x0000000000000948
Log: 'Application' Date/Time: 24/02/2012 2:45:08 AM
Type: Error Category: 14
Event: 902 Source: ESENT
Windows (1180) Windows: The database engine detected multiple threads illegally using the same database session to perform database operations. SessionId: 0x0000000000F90EC0 Session-context: 0x00000000 Session-context ThreadId: 0x0000000000000928 Current ThreadId: 0x0000000000000948
Log: 'Application' Date/Time: 24/02/2012 2:45:08 AM
Type: Error Category: 14
Event: 902 Source: ESENT
Windows (1180) Windows: The database engine detected multiple threads illegally using the same database session to perform database operations. SessionId: 0x0000000000F90EC0 Session-context: 0x00000000 Session-context ThreadId: 0x0000000000000928 Current ThreadId: 0x0000000000000948
Log: 'Application' Date/Time: 24/02/2012 2:45:08 AM
Type: Error Category: 14
Event: 902 Source: ESENT
Windows (1180) Windows: The database engine detected multiple threads illegally using the same database session to perform database operations. SessionId: 0x0000000000F90EC0 Session-context: 0x00000000 Session-context ThreadId: 0x0000000000000928 Current ThreadId: 0x0000000000000948
Log: 'Application' Date/Time: 24/02/2012 2:45:08 AM
Type: Error Category: 14
Event: 902 Source: ESENT
Windows (1180) Windows: The database engine detected multiple threads illegally using the same database session to perform database operations. SessionId: 0x0000000000F90EC0 Session-context: 0x00000000 Session-context ThreadId: 0x0000000000000928 Current ThreadId: 0x0000000000000948
Log: 'Application' Date/Time: 24/02/2012 2:45:08 AM
Type: Error Category: 14
Event: 902 Source: ESENT
Windows (1180) Windows: The database engine detected multiple threads illegally using the same database session to perform database operations. SessionId: 0x0000000000F90EC0 Session-context: 0x00000000 Session-context ThreadId: 0x0000000000000928 Current ThreadId: 0x0000000000000948
Log: 'Application' Date/Time: 24/02/2012 2:45:08 AM
Type: Error Category: 14
Event: 902 Source: ESENT
Windows (1180) Windows: The database engine detected multiple threads illegally using the same database session to perform database operations. SessionId: 0x0000000000F90EC0 Session-context: 0x00000000 Session-context ThreadId: 0x0000000000000928 Current ThreadId: 0x0000000000000948
Log: 'Application' Date/Time: 24/02/2012 2:45:08 AM
Type: Error Category: 14
Event: 902 Source: ESENT
Windows (1180) Windows: The database engine detected multiple threads illegally using the same database session to perform database operations. SessionId: 0x0000000000F90EC0 Session-context: 0x00000000 Session-context ThreadId: 0x0000000000000928 Current ThreadId: 0x0000000000000948
Log: 'Application' Date/Time: 24/02/2012 2:45:08 AM
Type: Error Category: 14
Event: 902 Source: ESENT
Windows (1180) Windows: The database engine detected multiple threads illegally using the same database session to perform database operations. SessionId: 0x0000000000F90EC0 Session-context: 0x00000000 Session-context ThreadId: 0x0000000000000928 Current ThreadId: 0x0000000000000948
Log: 'Application' Date/Time: 24/02/2012 2:45:08 AM
Type: Error Category: 14
Event: 902 Source: ESENT
Windows (1180) Windows: The database engine detected multiple threads illegally using the same database session to perform database operations. SessionId: 0x0000000000F90EC0 Session-context: 0x00000000 Session-context ThreadId: 0x0000000000000928 Current ThreadId: 0x0000000000000948
Log: 'Application' Date/Time: 24/02/2012 2:45:08 AM
Type: Error Category: 14
Event: 902 Source: ESENT
Windows (1180) Windows: The database engine detected multiple threads illegally using the same database session to perform database operations. SessionId: 0x0000000000F90EC0 Session-context: 0x00000000 Session-context ThreadId: 0x0000000000000928 Current ThreadId: 0x0000000000000948
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 25/02/2012 11:44:37 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 2 user registry handles leaked from \Registry\User\S-1-5-21-1597377118-1586821561-2157718051-1000_Classes:
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000_CLASSES
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000_CLASSES\Local Settings\MuiCache\12\52C64B7E
Log: 'Application' Date/Time: 25/02/2012 11:44:37 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 41 user registry handles leaked from \Registry\User\S-1-5-21-1597377118-1586821561-2157718051-1000:
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Internet Explorer\SQM
Process 3228 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\History
Process 3228 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Avast Software\WRC\RatingStorage\<|prefix|>http://go.microsoft....k/?LinkId=69157
Process 3228 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\PrivacIE:
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Internet Explorer\SQM\FreezeUploads
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{DBC80044-A445-435B-BC74-9C25C1C588A9}
Process 3228 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\AppDataLow\Software\Microsoft\RepService
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Process 3776 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Internet Explorer\International
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\Shell
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat
Process 3228 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Avast Software\WRC\RatingStorage\<|prefix|>http://go.microsoft..../?LinkID=191282
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iedownload
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8E5E2654-AD2D-48BF-AC2D-D17F00898D06}
Process 3228 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Avast Software\WRC\RatingStorage\go.microsoft.com
Process 3228 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\iecompat
Process 3228 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Avast Software\WRC\RatingStorage
Process 3228 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Content
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Process 3228 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Avast Software\WRC\RatingStorage\<|prefix|>http://windows.micro...ts/ie-9/welcome
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Internet Explorer\PhishingFilter
Process 3228 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Avast Software\WRC\RatingStorage\msn.com
Process 3228 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Cookies
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EFE4106F-412D-4D02-9B88-3701C218814A}
Process 3228 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\feedplat
Process 3228 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Process 3228 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Avast Software\WRC\RatingStorage\<|prefix|>http://www.msn.com/?ocid=iehp
Process 3228 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Avast Software\WRC\RatingStorage\windows.microsoft.com
Process 2036 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Log: 'Application' Date/Time: 25/02/2012 11:30:54 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 2 user registry handles leaked from \Registry\User\S-1-5-21-1597377118-1586821561-2157718051-1000_Classes:
Process 2560 (\Device\HarddiskVolume2\Program Files\AVAST Software\Avast\sfzone\SafeZoneBrowser.exe) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000_CLASSES
Process 2560 (\Device\HarddiskVolume2\Program Files\AVAST Software\Avast\sfzone\SafeZoneBrowser.exe) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000_CLASSES\Local Settings\MuiCache\12\52C64B7E
Log: 'Application' Date/Time: 25/02/2012 11:30:54 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 12 user registry handles leaked from \Registry\User\S-1-5-21-1597377118-1586821561-2157718051-1000:
Process 2404 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000
Process 2468 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld
Process 2404 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\CTF\TIP
Process 2468 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Process 2468 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\iecompat
Process 2468 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Process 2468 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
Process 2468 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache
Process 2468 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat
Process 2468 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Process 2404 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Run
Process 2560 (\Device\HarddiskVolume2\Program Files\AVAST Software\Avast\sfzone\SafeZoneBrowser.exe) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Keyboard Layout\Preload
Log: 'Application' Date/Time: 25/02/2012 9:37:56 PM
Type: Warning Category: 0
Event: 8230 Source: VSS
Volume Shadow Copy Service error: Failed resolving account SYSTEM with status 2226. Check connection to domain controller and VssAccessControl registry key.
Error-specific details:
Error: NetLocalGroupGetMemebers(SYSTEM), 0x800708b2, This operation is only allowed on the primary domain controller of the domain.
Log: 'Application' Date/Time: 24/02/2012 3:32:09 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 1 user registry handles leaked from \Registry\User\S-1-5-21-1597377118-1586821561-2157718051-1000_Classes:
Process 3856 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000_CLASSES\Local Settings\MuiCache\12\52C64B7E
Log: 'Application' Date/Time: 24/02/2012 2:19:16 PM
Type: Warning Category: 1
Event: 1008 Source: Microsoft-Windows-Search
The Windows Search Service is starting up and attempting to remove the old search index {Reason: Index Corruption}.
Log: 'Application' Date/Time: 24/02/2012 2:46:08 AM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 2 user registry handles leaked from \Registry\User\S-1-5-21-1597377118-1586821561-2157718051-1000_Classes:
Process 3200 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000_CLASSES
Process 3200 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000_CLASSES\Local Settings\MuiCache\10\52C64B7E
Log: 'Application' Date/Time: 24/02/2012 2:46:08 AM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 16 user registry handles leaked from \Registry\User\S-1-5-21-1597377118-1586821561-2157718051-1000:
Process 3448 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000
Process 3448 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld
Process 3448 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Process 1740 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Internet Explorer\International
Process 3448 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\Shell
Process 3448 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Process 3448 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
Process 3448 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Process 3448 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
Process 3448 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache
Process 3448 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Process 3448 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat
Process 3448 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Process 3448 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Process 3448 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Process 3448 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Log: 'Application' Date/Time: 24/02/2012 12:22:40 AM
Type: Warning Category: 0
Event: 4105 Source: Microsoft-Windows-Winlogon
Windows is in Notification period.
Log: 'Application' Date/Time: 24/01/2012 12:09:36 AM
Type: Warning Category: 0
Event: 10010 Source: Microsoft-Windows-RestartManager
Application 'C:\Windows\explorer.exe' (pid 3024) cannot be restarted - Application SID does not match Conductor SID..
Log: 'Application' Date/Time: 24/01/2012 12:09:36 AM
Type: Warning Category: 0
Event: 10010 Source: Microsoft-Windows-RestartManager
Application 'C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe' (pid 2320) cannot be restarted - Application SID does not match Conductor SID..
Log: 'Application' Date/Time: 24/01/2012 12:09:36 AM
Type: Warning Category: 0
Event: 10010 Source: Microsoft-Windows-RestartManager
Application 'C:\Program Files\AVAST Software\Avast\AvastUI.exe' (pid 2828) cannot be restarted - Application SID does not match Conductor SID..
Log: 'Application' Date/Time: 24/01/2012 12:04:27 AM
Type: Warning Category: 1
Event: 1008 Source: Microsoft-Windows-Search
The Windows Search Service is starting up and attempting to remove the old search index {Reason: Application Requested}.
Log: 'Application' Date/Time: 23/01/2012 10:30:57 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 6 user registry handles leaked from \Registry\User\S-1-5-21-1597377118-1586821561-2157718051-1000:
Process 2752 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\Shell
Process 2736 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Process 2736 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
Process 2736 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Process 2736 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Process 2736 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Log: 'Application' Date/Time: 23/01/2012 7:45:37 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 3 user registry handles leaked from \Registry\User\S-1-5-21-1597377118-1586821561-2157718051-1000_Classes:
Process 2396 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000_CLASSES
Process 1248 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Process 2396 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000_CLASSES\Local Settings\MuiCache\8\52C64B7E
Log: 'Application' Date/Time: 23/01/2012 7:45:37 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 13 user registry handles leaked from \Registry\User\S-1-5-21-1597377118-1586821561-2157718051-1000:
Process 1248 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000
Process 1248 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld
Process 1248 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Process 1248 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Process 1248 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
Process 1248 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Internet Explorer\TypedURLs
Process 1248 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
Process 1248 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache
Process 1248 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat
Process 1248 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Process 2844 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm
Process 1248 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012012012220120123
Process 1248 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Log: 'Application' Date/Time: 23/01/2012 2:42:33 AM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 1 user registry handles leaked from \Registry\User\S-1-5-21-1597377118-1586821561-2157718051-1000:
Process 2628 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000\Software\Microsoft\Windows\CurrentVersion\Explorer
Log: 'Application' Date/Time: 22/01/2012 10:51:34 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 1 user registry handles leaked from \Registry\User\S-1-5-21-1597377118-1586821561-2157718051-1000:
Process 504 (\Device\HarddiskVolume2\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-1597377118-1586821561-2157718051-1000
Log: 'Application' Date/Time: 22/01/2012 10:26:40 PM
Type: Warning Category: 1
Event: 1008 Source: Microsoft-Windows-Search
The Windows Search Service is starting up and attempting to remove the old search index {Reason: Full Index Reset}.
#201
Posted 26 February 2012 - 09:54 AM
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\avast! Antivirus
Then look at the ImagePath in the right pane. What does it say?
It should say something like:
"C:\Program Files\AVAST Software\Avast\AvastSvc.exe"
though it may be slightly different since yours is a 64-bit system.
Right-click on Start and open Windows Explorer. Is AvastSvc.exe still where it says?
Right-click on AvastSvc.exe and select Properties, then Security. Click on System. Does it have Full Control checked? Click on Administrators. Does it have Full Control checked?
When you reinstalled Windows 7 did you give the login a unique password?
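The checks in the post above (ImagePath of the service key, whether the executable still exists, and whether SYSTEM and Administrators hold Full Control) can be run in one pass from an elevated PowerShell prompt. This is an added example, not code from the thread; it assumes the service name 'avast! Antivirus' from the post and reports the same condition that produces the Event 7000 "The system cannot find the path specified" errors.

```powershell
# Added example (not from the thread): automates the checks from post #201.
# Assumes the service key name 'avast! Antivirus' shown in the post; override with -ServiceName.
param([string]$ServiceName = 'avast! Antivirus')

$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (-not (Test-Path -LiteralPath $keyPath)) {
    Write-Output "Service key not found: $keyPath"
    return
}

# ImagePath is REG_EXPAND_SZ; the registry provider expands %variables% for us.
$imagePath = (Get-ItemProperty -LiteralPath $keyPath -Name ImagePath).ImagePath
Write-Output "ImagePath: $imagePath"

# Strip surrounding quotes, or trailing arguments such as ' -k netsvcs', to get the executable.
if ($imagePath -match '^"([^"]+)"') {
    $exePath = $Matches[1]
} else {
    $exePath = ($imagePath -split ' -| /')[0].Trim()
}
$exePath = [Environment]::ExpandEnvironmentVariables($exePath)

# A missing file here is exactly what Event 7000 'cannot find the path specified' reports.
if (-not (Test-Path -LiteralPath $exePath -PathType Leaf)) {
    Write-Output "MISSING: $exePath does not exist on disk"
    return
}
Write-Output "OK: $exePath exists"

# Confirm SYSTEM and Administrators each have an Allow entry granting Full Control.
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$acl = Get-Acl -LiteralPath $exePath
foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $entry = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $principal -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $fullControl) -eq $fullControl)
    }
    if ($entry) { Write-Output "OK: $principal has Full Control" }
    else        { Write-Output "CHECK: $principal lacks an explicit Full Control allow entry" }
}
```

A "CHECK" line for either principal, or a "MISSING" line, matches the symptoms in the System log posted earlier and is where to look next before reinstalling.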
#202
Posted 26 February 2012 - 10:19 AM
Full control is checked Gray.
I use the same PW so I can remember it.
Edited by DAV2, 26 February 2012 - 10:21 AM.
#203
Posted 26 February 2012 - 11:35 AM
#204
Posted 26 February 2012 - 01:57 PM
Edited by DAV2, 26 February 2012 - 02:02 PM.
#205
Posted 26 February 2012 - 02:31 PM
#206
Posted 26 February 2012 - 03:20 PM
#207
Posted 27 February 2012 - 09:43 AM
#208
Posted 27 February 2012 - 06:59 PM
I'm at a conference this week. Replies will be slow.
#209
Posted 29 February 2012 - 07:55 PM
Where did "Bootmgr" come from? 1) BIOS, 2) hard disk, 3) load disk with an older date than the bootmgr file, or 4) genuine 7.1 disk from MS that is not bootable?
Edited by DAV2, 29 February 2012 - 08:08 PM.
#210
Posted 09 March 2012 - 07:03 AM
Edited by DAV2, 09 March 2012 - 07:05 AM.