Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Repeated Intermittent Episodes of Runaway Disk Activity

Started by britechguy , Jan 31 2015 03:01 PM

Please log in to reply

#16
RKinner

Posted 01 February 2015 - 10:53 PM

Malware Expert

Expert
24,731 posts

I find it very peculiar that the results from VEW show date time stamps that are "into the future" from when it was actually run. Some of the dates are showing as 2/2/2015 and it's nowhere near to midnight here.

Times in the event log are GMT without the 5 hour EST offset.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Log: 'System' Date/Time: 02/02/2015 12:18:38 AM

Type: Error Category: 0

Event: 10016 Source: Microsoft-Windows-DistributedCOM

The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} and APPID {344ED43D-D086-4961-86A6-1106F4ACAD9B} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

Log: 'System' Date/Time: 02/02/2015 12:18:33 AM

Type: Error Category: 0

Event: 10016 Source: Microsoft-Windows-DistributedCOM

The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} and APPID {344ED43D-D086-4961-86A6-1106F4ACAD9B} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

This error is covered here:

http://www.sevenforu...ions-error.html

Log: 'System' Date/Time: 02/02/2015 12:17:52 AM

Type: Error Category: 0

Event: 7034 Source: Service Control Manager

The Realtek DHCP Service service terminated unexpectedly. It has done this 1 time(s).

I would look for a new driver for your Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter

Log: 'System' Date/Time: 02/02/2015 12:17:37 AM

Type: Error Category: 0

Event: 4 Source: Microsoft-Windows-Time-Service

The time provider 'VMICTimeProvider' failed to start due to the following error: The specified module could not be found. (0x8007007E)

Are you running a virtual machine or Hyper-V ?

Log: 'System' Date/Time: 02/02/2015 12:17:23 AM

Type: Error Category: 0

Event: 7006 Source: Service Control Manager

The ScRegSetValueExW call failed for FailureActions with the following error: Access is denied.

Panda error see: http://support.panda...php?f=65&t=2402

Log: 'System' Date/Time: 02/02/2015 12:16:58 AM

Type: Error Category: 0

Event: 7000 Source: Service Control Manager

The Garmin Core Update Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

Probably because you have part of it turned off with msconfig.

Log: 'System' Date/Time: 02/02/2015 12:16:58 AM

Type: Error Category: 0

Event: 7009 Source: Service Control Manager

A timeout was reached (30000 milliseconds) while waiting for the Garmin Core Update Service service to connect.

Probably because you have part of it turned off with msconfig.

Log: 'System' Date/Time: 02/02/2015 12:17:58 AM

Type: Warning Category: 212

Event: 219 Source: Microsoft-Windows-Kernel-PnP

The driver \Driver\WUDFRd failed to load for the device WpdBusEnumRoot\UMB\2&37c186b&1&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_MULTIPLE&PROD_CARD_READER&REV_1.00#058F63666433&0#.

Usually caused by having a USB device plugged in when it start. Can be fixed by changing Windows Driver Foundation - User-mode Driver Framework service from Manual to Automatic

Log: 'System' Date/Time: 02/02/2015 12:16:53 AM

Type: Warning Category: 0

Event: 11 Source: Microsoft-Windows-Wininit

Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications.

Without a FRST or OTL log I can't say what is doing this. Probably Panda.

We can look:

Copy the next 3 lines;

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs > \junk.txt

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs >> \|junk.txt

notepad \junk.txt

Start, All Programs, Accessories then right click on Command Prompt and Run As Admin. Right click and Paste or Edit then paste and the copied lines should appear. Hit Enter if notepad does not pop up. Copy and paste the text from notepad into a reply.

-----------------------------------------------------------------------------

VEW Application Log:

-----------------------------------------------------------------------------

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Log: 'Application' Date/Time: 01/02/2015 9:51:17 PM

Type: Error Category: 0

Event: 1 Source: Chrome

The event description cannot be found.

Not enough info.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

'Application' Log - Warning Type

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Log: 'Application' Date/Time: 01/02/2015 11:05:04 PM

Type: Warning Category: 0

Event: 1530 Source: Microsoft-Windows-User Profiles Service

Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 1 user registry handles leaked from \Registry\User\S-1-5-21-3700817450-263443993-1340972289-1001_Classes:

Process 5952 (\Device\HarddiskVolume2\Program Files (x86)\Google\Update\GoogleUpdate.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001_CLASSES

Log: 'Application' Date/Time: 01/02/2015 11:05:02 PM

Type: Warning Category: 0

Event: 1530 Source: Microsoft-Windows-User Profiles Service

Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 31 user registry handles leaked from \Registry\User\S-1-5-21-3700817450-263443993-1340972289-1001:

Process 2336 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001

Process 2336 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001

Process 2336 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001

Process 2336 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001

Process 372 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001

Process 372 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001

Process 372 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001

Process 372 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001

Process 1360 (\Device\HarddiskVolume2\Windows\SysWOW64\Fast Boot\FastBootAgent.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001

Process 2336 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Microsoft\SystemCertificates\SmartCardRoot

Process 372 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Microsoft\SystemCertificates\SmartCardRoot

Process 2336 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Microsoft\SystemCertificates\trust

Process 372 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Microsoft\SystemCertificates\trust

Process 372 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Microsoft\SystemCertificates\My

Process 2336 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Microsoft\SystemCertificates\My

Process 2336 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Microsoft\SystemCertificates\TrustedPeople

Process 372 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Microsoft\SystemCertificates\TrustedPeople

Process 372 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Microsoft\SystemCertificates\CA

Process 2336 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Microsoft\SystemCertificates\CA

Process 372 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Policies\Microsoft\SystemCertificates

Process 372 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Policies\Microsoft\SystemCertificates

Process 372 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Policies\Microsoft\SystemCertificates

Process 372 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Policies\Microsoft\SystemCertificates

Process 2336 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Policies\Microsoft\SystemCertificates

Process 2336 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Policies\Microsoft\SystemCertificates

Process 2336 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Policies\Microsoft\SystemCertificates

Process 2336 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Policies\Microsoft\SystemCertificates

Process 2336 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Microsoft\SystemCertificates\Root

Process 372 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Microsoft\SystemCertificates\Root

Process 372 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Microsoft\SystemCertificates\Disallowed

Process 2336 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Microsoft\SystemCertificates\Disallowed

Most of these are from WIndows Live. Some From Fastboot which comes from Asus. Perhaps there is a newer version for Fastboot and Windows Live? These will slow down shutdown quite a bit.

Log: 'Application' Date/Time: 01/02/2015 10:44:18 PM

Type: Warning Category: 3

Event: 3036 Source: Microsoft-Windows-Search

The content source <iehistory://{S-1-5-18}/> cannot be accessed.

Context: Application, SystemIndex Catalog

Details:

(HRESULT : 0x80004005) (0x80004005)

Log: 'Application' Date/Time: 01/02/2015 10:44:14 PM

Type: Warning Category: 3

Event: 3036 Source: Microsoft-Windows-Search

The content source <iehistory://{S-1-5-21-3700817450-263443993-1340972289-1003}/> cannot be accessed.

Context: Application, SystemIndex Catalog

Details:

(HRESULT : 0x80004005) (0x80004005)

Log: 'Application' Date/Time: 01/02/2015 10:26:00 PM

Type: Warning Category: 3

Event: 3036 Source: Microsoft-Windows-Search

The content source <ONEINDEX14://{S-1-5-21-3700817450-263443993-1340972289-1001}/> cannot be accessed.

Context: Application, SystemIndex Catalog

Details:

(HRESULT : 0x80004005) (0x80004005)

Windows Search is still not happy. Supposedly setting it to the defaults will help here:

a.    Go to Start > Control Panel.
b.    Double click on the Indexing Options.
c.    Click on the Advanced button.
d.    Click on on Restore Defaults.

Clear the alarms and reboot and see if the alarms come back.

The Speccy Log"

Temps are running a bit hotter than we want. 57 C. I would run Speedfan:

http://www.filehippo...nload_speedfan/

Download, save and Install it (Win 7 or Vista right click and Run As Admin.) then run it.

It will tell you your temps in real time. If they climb much over 60 expect errors and a shortened life.

Your hard drive seems good tho I think it might have been dropped once.

I will run the memory test only if necessary after all of this is reviewed. I have no indications of issues with memory that I am familiar with.

Up to you. Just trying to rule out common problems.

#17
britechguy

Posted 02 February 2015 - 09:42 AM

Member

Topic Starter
Member
258 posts

My responses are embedded using this font and color. There's just too much background material that needs to be there for context in this reply for me to strip it out.

I find it very peculiar that the results from VEW show date time stamps that are "into the future" from when it was actually run. Some of the dates are showing as 2/2/2015 and it's nowhere near to midnight here.

Times in the event log are GMT without the 5 hour EST offset.

          OK.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Log: 'System' Date/Time: 02/02/2015 12:18:38 AM

Type: Error Category: 0

Event: 10016 Source: Microsoft-Windows-DistributedCOM

The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} and APPID {344ED43D-D086-4961-86A6-1106F4ACAD9B} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

Log: 'System' Date/Time: 02/02/2015 12:18:33 AM

Type: Error Category: 0

Event: 10016 Source: Microsoft-Windows-DistributedCOM

The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} and APPID {344ED43D-D086-4961-86A6-1106F4ACAD9B} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

This error is covered here:

http://www.sevenforu...ions-error.html

                   I've managed to change ownership of that registry key to myself then gave administrators and myself full control. What I haven't been able to figure out is what I'm looking for in dcomcnfg to make the tweak on.

              As an interesting aside, I got my runaway disc activity last night and snagged two process explorer snapshots. It is immediately clear that a svchost process is running amok.

Log: 'System' Date/Time: 02/02/2015 12:17:52 AM

Type: Error Category: 0

Event: 7034 Source: Service Control Manager

The Realtek DHCP Service service terminated unexpectedly. It has done this 1 time(s).

I would look for a new driver for your Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter

               It's using one dated 10/30/2014, version 1027.1.902.2014, directly from Realtek. Searching for newer versions turns up nothing (at least so far).

Log: 'System' Date/Time: 02/02/2015 12:17:37 AM

Type: Error Category: 0

Event: 4 Source: Microsoft-Windows-Time-Service

The time provider 'VMICTimeProvider' failed to start due to the following error: The specified module could not be found. (0x8007007E)

Are you running a virtual machine or  Hyper-V ?

              No.

Log: 'System' Date/Time: 02/02/2015 12:17:23 AM

Type: Error Category: 0

Event: 7006 Source: Service Control Manager

The ScRegSetValueExW call failed for FailureActions with the following error: Access is denied.

Panda error see: http://support.panda...php?f=65&t=2402

            Thanks.   I'm ignoring this as they suggest.

Log: 'System' Date/Time: 02/02/2015 12:16:58 AM

Type: Error Category: 0

Event: 7000 Source: Service Control Manager

The Garmin Core Update Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

Probably because you have part of it turned off with msconfig.

               I've uninstalled Garmin Express this morning. I can always add it back later.

Log: 'System' Date/Time: 02/02/2015 12:16:58 AM

Type: Error Category: 0

Event: 7009 Source: Service Control Manager

A timeout was reached (30000 milliseconds) while waiting for the Garmin Core Update Service service to connect.

Probably because you have part of it turned off with msconfig.

Log: 'System' Date/Time: 02/02/2015 12:17:58 AM

Type: Warning Category: 212

Event: 219 Source: Microsoft-Windows-Kernel-PnP

The driver \Driver\WUDFRd failed to load for the device WpdBusEnumRoot\UMB\2&37c186b&1&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_MULTIPLE&PROD_CARD_READER&REV_1.00#058F63666433&0#.

Usually caused by having a USB device plugged in when it start. Can be fixed by changing Windows Driver Foundation - User-mode Driver Framework service from Manual to Automatic

              Is there a tutorial out there for the steps necessary to do this?   My Realtek network adapter is USB and always plugged in. I wanted Wireless N speeds and the built-in on this machine is Wireless G. I also sometimes have a printer/scanner plugged in.

Log: 'System' Date/Time: 02/02/2015 12:16:53 AM

Type: Warning Category: 0

Event: 11 Source: Microsoft-Windows-Wininit

Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications.

Without a FRST or OTL log I can't say what is doing this. Probably Panda.

We can look:

Copy the next 3 lines;

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs > \junk.txt

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs >> \|junk.txt

notepad \junk.txt

Start, All Programs, Accessories then right click on Command Prompt and Run As Admin. Right click and Paste or Edit then paste and the copied lines should appear. Hit Enter if notepad does not pop up. Copy and paste the text from notepad into a reply.

           The first reg query command runs. The second comes back with "The system cannot find the path specified."

           Contents of junk.txt from the first command are:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ

-----------------------------------------------------------------------------

VEW Application Log:

-----------------------------------------------------------------------------

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Log: 'Application' Date/Time: 01/02/2015 9:51:17 PM

Type: Error Category: 0

Event: 1 Source: Chrome

The event description cannot be found.

Not enough info.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

'Application' Log - Warning Type

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Log: 'Application' Date/Time: 01/02/2015 11:05:04 PM

Type: Warning Category: 0

Event: 1530 Source: Microsoft-Windows-User Profiles Service

Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 1 user registry handles leaked from \Registry\User\S-1-5-21-3700817450-263443993-1340972289-1001_Classes:

Process 5952 (\Device\HarddiskVolume2\Program Files (x86)\Google\Update\GoogleUpdate.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001_CLASSES

Log: 'Application' Date/Time: 01/02/2015 11:05:02 PM

Type: Warning Category: 0

Event: 1530 Source: Microsoft-Windows-User Profiles Service

Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 31 user registry handles leaked from \Registry\User\S-1-5-21-3700817450-263443993-1340972289-1001:

Process 2336 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001

Process 2336 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001

Process 2336 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001

Process 2336 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001

Process 372 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001

Process 372 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001

Process 372 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001

Process 372 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001

Process 1360 (\Device\HarddiskVolume2\Windows\SysWOW64\Fast Boot\FastBootAgent.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001

Process 2336 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Microsoft\SystemCertificates\SmartCardRoot

Process 372 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Microsoft\SystemCertificates\SmartCardRoot

Process 2336 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Microsoft\SystemCertificates\trust

Process 372 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Microsoft\SystemCertificates\trust

Process 372 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Microsoft\SystemCertificates\My

Process 2336 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Microsoft\SystemCertificates\My

Process 2336 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Microsoft\SystemCertificates\TrustedPeople

Process 372 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Microsoft\SystemCertificates\TrustedPeople

Process 372 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Microsoft\SystemCertificates\CA

Process 2336 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Microsoft\SystemCertificates\CA

Process 372 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Policies\Microsoft\SystemCertificates

Process 372 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Policies\Microsoft\SystemCertificates

Process 372 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Policies\Microsoft\SystemCertificates

Process 372 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Policies\Microsoft\SystemCertificates

Process 2336 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Policies\Microsoft\SystemCertificates

Process 2336 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Policies\Microsoft\SystemCertificates

Process 2336 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Policies\Microsoft\SystemCertificates

Process 2336 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Policies\Microsoft\SystemCertificates

Process 2336 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Microsoft\SystemCertificates\Root

Process 372 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Microsoft\SystemCertificates\Root

Process 372 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Microsoft\SystemCertificates\Disallowed

Process 2336 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Microsoft\SystemCertificates\Disallowed

Most of these are from WIndows Live. Some From Fastboot which comes from Asus. Perhaps there is a newer version for Fastboot and Windows Live? These will slow down shutdown quite a bit.

        My shutdowns are most often miserably slow if the machine has been running for any period of time.   I do not use Windows Live at all and have never (intentionally, anyway) installed it.   Although I've seen ASUS Fastboot showing up in process lists, neither it nor Windows Live show up in my "Programs and Features" control panel as something I can remove.

      These are the kinds of errors that almost enrage me. You know that something's wrong, but there is absolutely no easy way to determine what it is, and that's for someone like me who's not completely ignorant about these sorts of issues.   A typical user has no hope of ever resolving them. I probably have little hope of resolving them unless there is a way to update ASUS Fastboot & Windows Live or to safely remove both of them (which I'd do in a heartbeat if it is safe and I knew how).

Log: 'Application' Date/Time: 01/02/2015 10:44:18 PM

Type: Warning Category: 3

Event: 3036 Source: Microsoft-Windows-Search

The content source <iehistory://{S-1-5-18}/> cannot be accessed.

Context: Application, SystemIndex Catalog

Details:

(HRESULT : 0x80004005) (0x80004005)

Log: 'Application' Date/Time: 01/02/2015 10:44:14 PM

Type: Warning Category: 3

Event: 3036 Source: Microsoft-Windows-Search

The content source <iehistory://{S-1-5-21-3700817450-263443993-1340972289-1003}/> cannot be accessed.

Context: Application, SystemIndex Catalog

Details:

(HRESULT : 0x80004005) (0x80004005)

Log: 'Application' Date/Time: 01/02/2015 10:26:00 PM

Type: Warning Category: 3

Event: 3036 Source: Microsoft-Windows-Search

The content source <ONEINDEX14://{S-1-5-21-3700817450-263443993-1340972289-1001}/> cannot be accessed.

Context: Application, SystemIndex Catalog

Details:

(HRESULT : 0x80004005) (0x80004005)

Windows Search is still not happy. Supposedly setting it to the defaults will help here:

a.    Go to Start > Control Panel.
b.    Double click on the Indexing Options.
c.    Click on the Advanced button.
d.    Click on on Restore Defaults.

Clear the alarms and reboot and see if the alarms come back.

                 There is no "Restore Defaults" option showing up in the Advanced Dialog. I also elected to move the index file location when I rebuilt the index. The result on indexing is precisely the same as the original in terms of number of files indexed.   As far as using Windows Search whether for file names or file content I have not noticed anything amiss at all. I'm still getting exactly what I'd expect.

             I'm wondering if this could be secondary to something CCleaner did as far as registry cleaning is concerned.   In any case, I'm pretty much willing to write this one off since I can't see any problems at the "when I'm hunting for something it finds it" end of things.

The Speccy Log"

Temps are running a bit hotter than we want. 57 C. I would run Speedfan:

http://www.filehippo...nload_speedfan/

Download, save and Install it (Win 7 or Vista right click and Run As Admin.) then run it.

It will tell you your temps in real time. If they climb much over 60 expect errors and a shortened life.

                    Will look at this in a short while

Your hard drive seems good tho I think it might have been dropped once.

I will run the memory test only if necessary after all of this is reviewed. I have no indications of issues with memory that I am familiar with.

Up to you. Just trying to rule out common problems.

              Will end up having to look at memtest86. I tried the built in and it claims the file is missing or corrupt at system startup. Since memtest is a Windows System File and the SFC /scannow came back perfectly clean this is a bit of a mystery.

Brian

#18
RKinner

Posted 02 February 2015 - 10:06 AM

Malware Expert

Expert
24,731 posts

If you haven't rebooted since the episode then the svchost.exe process will still have the same PID so you can go back in to Process Explorer and look for the PID. Then hover over the svchost and it should tell you what services are running in it. That may give us a clue what is going on.

Log: 'System' Date/Time: 02/02/2015 12:16:53 AM

Type: Warning Category: 0

Event: 11 Source: Microsoft-Windows-Wininit

Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications.

Since there is nothing found by the reg query then we can fix this with a simple tweak:

Download the attached wininit.zip file. Save it then right click and Extract All. That should give you winint.reg. Right click on it and Merge.

You get Windows Live with updates if you are not careful. Just like Silverlight and Windows Search Enhancements. Usually for Windows Live you can uninstall it with Windows Live Essentials. I have been trying for years to contact someone in Windows Live through the MVP program to complain about this registry screwup but no luck. If you can't find an uninstaller for it we can probably use FRST to pull it out by the roots but that will get me yelled at unless I get your post moved to the Malware forum first. I think I can get away with Minitoolkbox tho.

Please download MiniToolbox

http://www.bleepingc...oad/minitoolbox save it to your desktop and run it.

Checkmark the following checkboxes:

Flush DNS

Report IE Proxy Settings

Reset IE Proxy Settings

Report FF Proxy Settings

Reset FF Proxy Settings

List content of Hosts

List IP configuration

List Winsock Entries

List last 10 Event Viewer Errors

List Installed Programs

List Devices

List Users, Partitions and Memory size.

List Minidump Files

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

I will ask the admin to move us to malware so I can use my really good tools.

#19
britechguy

Posted 02 February 2015 - 10:47 AM

Member

Topic Starter
Member
258 posts

OK,

I'm going to attach a number of files here. I did already run the Merge.

Moments after taking my last Process Explorer snapshot I got another BSOD. I will be attaching the snapshots from last night with the runaway svchost (files ending in 2 & 3) and the one from this morning (#4). In addition is the zipped version of the minidump from a few minutes ago. The system has been rebooted since the svchost stuff and I'm going to reboot again now due to the registry change.

I'll also attach the Results file from minitoolbox since the thing is huge (by text standards).

Attached Files

020215-32370-01.zip 26.05KB 281 downloads
System_Process_Snapshot2.TXT 12.77KB 320 downloads
System_Process_Snapshot3.TXT 12.81KB 313 downloads
System_Process_Snapshot4.TXT 12.43KB 343 downloads
Result.txt 45.83KB 342 downloads

#20
RKinner

Posted 02 February 2015 - 11:46 AM

Malware Expert

Expert
24,731 posts

OK. I don't know what svchost is up to but it should never use so much memory.

The minitoolbox says you have a Windows Live Essentials in your uninstall list that is not hidden. See if you can find it and uninstall it.

I'll see if I can get anything out of the dump but it will take a while. I recommend the memtest86+ for your memory test. The fact that the builtin test won't run may indicate that the memory doe have a problem so we need to rule it out.

We are now over in the malware forum so I'm allowed to use my heavy weapons.

Download : ADWCleaner to your desktop. Make sure you get the correct Download button. Sometimes the ads on BleepingComputer will mimic the real Download button which should say: Download Now @BleepingComputer

NOTE: If using Internet Explorer and you get an alert that stops the program downloading, click on the warning and allow the download to complete.

Close all programs, pause your anti-virus and run AdwCleaner (Vista or Win 7 => right click and Run As Administrator).

Click on Scan and follow the prompts. Let it run unhindered. When done, click on the Clean button, and follow the prompts. Allow the system to reboot. You will then be presented with the report. Copy & Paste this report on your next reply.

The report will be saved in the C:\AdwCleaner folder.

Junkware-Removal-Tool

Please download Junkware Removal Tool to your desktop. Make sure you get the correct Download button. Sometimes the ads on BleepingComputer will mimic the real Download button which should say: Download Now @Author's site

Pause your anti-virus. Close all browsers.

Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".

The tool will open and start scanning your system.

Please be patient as this can take a while to complete depending on your system's specifications.

On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

Post the contents of JRT.txt into your next message.

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.

Press Scan button.

It will produce a log called FRST.txt in the same directory the tool is run from.

Please copy and paste log back here.

The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.

Download OTL from

http://www.geekstogo...timers-list-it/

and Save it to your desktop.

Copy the text in the code box:

DRIVES
nnetsvcs
%SYSTEMDRIVE%\*.exe
%systemroot%\assembly\GAC_32\*.ini
%systemroot%\assembly\GAC_64\*.ini
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%ALLUSERSPROFILE%\Application Data\*.exe
%APPDATA%\*.
/md5start
rsvpsp.dll
pnrpnsp.dll 
nwprovau.dll
nlaapi.dll
napinsp.dll
mswsock.dll
winrnr.dll
wshelper.dll
services.exe
atapi.sys
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
csrss.exe
PrintIsolationHost.exe
consrv.dll
user32.dll
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%ProgramFiles%\WINDOWS NT\*.* /s
%systemroot%\system32\drivers\*.sys /lockedfiles
CREATERESTOREPOINT

Run OTL (Vista or Win 7 => right click and Run As Administrator)

Paste (Ctrl + v) the copied text in the box where it says Custom Scan/Fixes

Select the All option in the Extra Registry group then Run Scan.

You should get two logs. Please copy and paste both of them.

Ron

#21
RKinner

Posted 02 February 2015 - 11:53 AM

Malware Expert

Expert
24,731 posts

In addition to the above: Appears that our friend ntoskrnl.exe is the supposed problem. Again this is the kind of error you get with bad memory or overheated PC.

#22
britechguy

Posted 02 February 2015 - 11:57 AM

Member

Topic Starter
Member
258 posts

In addition to the above: Appears that our friend ntoskrnl.exe is the supposed problem. Again this is the kind of error you get with bad memory or overheated PC.

Ron,

I will download and run all of the above utilities. I will tell you in advance, though, that I've been using Malwarebytes, Spywareblaster, and Spybot S&D on this machine regularly, and for years, so I'll be surprised if the others find much, if anything. I also, as you know, have Panda Cloud Antivirus (at the moment) but have, over the years, run AVG, ClamWin, and Avast! at different points as well.

I downloaded FanSpeed and the maximum temperature I've seen all day so far is 35 degrees. I really don't think the machine is overheating. I've had overheat failures in the past and they never resulted in BSODs, just instantaneous shutdowns, which I presume are mediated by hardware, not software.

I'll post the various results shortly after I've had time to get everything and install it.

#23
britechguy

Posted 02 February 2015 - 12:11 PM

Member

Topic Starter
Member
258 posts

Also, quickly, there is definitely no "Windows Live" anything shown in "Programs and Features" of the Control Panel. There is a "Windows Essentials 2012", but when I go to uninstall under that it only shows Photo Gallery and Movie Maker as installed. I've uninstalled those since I use neither.

#24
britechguy

Posted 02 February 2015 - 01:03 PM

Member

Topic Starter
Member
258 posts

There are actually two reports from AdwCleaner, one ending in [S0] (which is presented at reboot) and one ending in [R0]. What follows is the content of the S0 log:

---------------------------------------------------------------

# AdwCleaner v4.109 - Report created 02/02/2015 at 13:50:38
# Updated 24/01/2015 by Xplode
# Database : 2015-01-26.1 [Live]
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : BPV - BPV-ASUS-LAPTOP
# Running from : D:\Docs_and_Settings\Public\BriTechGuy\Toolbox\Carry_With_Programs\AntiSpyware_Programs\AdWCleaner\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\Users\BPV\AppData\Roaming\pdfforge
Folder Deleted : D:\Docs_and_Settings\Public\Tutorials
File Deleted : C:\Windows\Uninstall.exe

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [{FFB96CC1-7EB3-449D-B827-DB661701C6BB}]
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@checkpoint.com/FFApi
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{946FC9C3-6413-498A-A19B-065E409DFEB4}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZoneAlarm LTD Toolbar
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - <local>

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17496

-\\ Mozilla Firefox v35.0.1 (x86 en-US)

[7y2ify3z.default\prefs.js] - Line Deleted : user_pref("extensions.wrc.SearchRules.ask.com.style", ".WRCN {display:none} #yui-main .tsrc_vnru .title + .WRCN, #yui-main #teoma-results .title + .WRCN {display:inline !important; background: url(\"I[...]
[7y2ify3z.default\prefs.js] - Line Deleted : user_pref("extensions.wrc.SearchRules.ask.com.url", "^hxxp(s)?\\:\\/\\/(.+\\.)?ask\\.com\\/.*");

-\\ Google Chrome v40.0.2214.94

[C:\Users\JBH\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?query={searchTerms}
[C:\Users\JBH\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

-\\ Opera v27.0.1689.54

[C:\Users\JBH\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?query={searchTerms}
[C:\Users\JBH\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [2295 octets] - [02/02/2015 13:24:13]
AdwCleaner[S0].txt - [2435 octets] - [02/02/2015 13:50:38]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2495 octets] ##########

---------------------------------------------------------------

I find one of its quarantine choices quite peculiar. I have written a number of tutorials over time, and it decided those needed to be quarantined. It's just MS-Word documents and screen shots I took in programs like Paint, Gmail, etc. Weird.

#25
britechguy

Posted 02 February 2015 - 01:17 PM

Member

Topic Starter
Member
258 posts

JRT Log:

------------------------------------------------------------------------------

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.2 (02.02.2015:1)
OS: Windows 7 Home Premium x64
Ran by BPV on Mon 02/02/2015 at 14:05:11.63
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{3212DABE-674D-41A7-89F6-D59C1CA8A9AD}
Successfully deleted: [Registry Key - Orphan] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
Successfully deleted: [Registry Key - Orphan] HKEY_CLASSES_ROOT\CLSID\{53707962-6F74-2D53-2644-206D7942484F}
Successfully deleted: [Registry Key - Orphan] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
Successfully deleted: [Registry Key - Orphan] HKEY_CLASSES_ROOT\CLSID\{53707962-6F74-2D53-2644-206D7942484F}

~~~ Files

Successfully deleted: [File] "C:\Windows\wininit.ini"

~~~ Folders

~~~ FireFox

Emptied folder: C:\Users\BPV\AppData\Roaming\mozilla\firefox\profiles\xpk2876a.default-1376838705123\minidumps [95 files]

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 02/02/2015 at 14:12:40.48
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

------------------------------------------------------------------------------

Note on core temperatures: When the CPU usage is greater than 90% for an extended period (such as when running JRT) the core temperatures go up to the high 50s, occasionally spiking above 60 (only 61), but as soon as CPU usage goes back down to 50% or less the core temperatures promptly drop by 20 degrees. The core temperatures also spike at startup when CPU usage is high, which explains the 57 degrees seen during my Speccy run yesterday.

#26
britechguy

Posted 02 February 2015 - 01:26 PM

Member

Topic Starter
Member
258 posts

I'm attaching the two logs from FRST since they're quite large.

Attached Files

FRST.txt 41.94KB 346 downloads
Addition.txt 30.42KB 383 downloads

#27
britechguy

Posted 02 February 2015 - 01:57 PM

Member

Topic Starter
Member
258 posts

And, finally, the OTL logs are attached.

I await further instructions. I may try to reboot and start a run of memtest86+ to finish off the checks.

P.S. The CPU core temps exhibited exactly the same sort of behavior during the heavy activity portions of the OTL run as I mentioned earlier. Right now they're sitting at 36-38 degrees.

Attached Files

OTL.Txt 204.26KB 268 downloads
Extras.Txt 77.71KB 307 downloads

#28
RKinner

Posted 02 February 2015 - 02:19 PM

Malware Expert

Expert
24,731 posts

The temps don't normally vary that much. Is your fan running? It is quite common on laptops for the rather small heatsink fins to get clogged with dust. Depending on the maker, cleaning the fins is simple (Dell) or nearly impossible without major surgery (HP). As you expected I don't see anything evil in your FRST log tho you do have some dead wood we can clean up:

Download the attached fixlist.txt to the same location as FRST

Run FRST and press Fix

A fix log will be generated please post that.

I expect Spybot's immunize feature is causing the svchost to freak out. They had a good idea back in Windows 2000 but in Windows 7 it is really a drag on the system. What they do is put a bunch of bogus entries in the hosts file. These keep you from going to certain malware sites but the list is several years out of date and having so many entries causes Windows 7 networking to slow down. Don't know if Spybot can return the hosts file to normal but if they can't HostXpert can:

Download HostsXpert from http://www.majorgeek...hostsxpert.html Save the file then right click and Extract All. It will create a new folder in the same place. In the folder find HostsXpert.exe and right click on it and Run As Administrator.

It will take a few seconds to appear. If the top line in the left column says Make Writeable, click on it and it should change to Make Read Only? If it already says Make Read Only? that's OK just go on to the next step.

Now click on the left column entry that says: Restore MSHosts file. Click on the Make Read Only? entry then close HostXpert. Run FRST again with Addition checked and let's see if the hosts file is happy now.

I don't see windows live any more in either log so I guess you were able to uninstall it.

There is an entry for Fast Boot. Supposedly it came from ASUS so they may have a newer version for you. Don't really know what it does.

Let's clear the alarms, reboot and run VEW as before to see if we are making any progress in cleaning up the errors:

Right click on (My) Computer and select Manage (Continue) Then click on the arrow in front of Event Viewer. Next Click on the arrow in front of Windows Logs Right click on System and Clear Log, Clear. Repeat for Application.

Reboot.

2. Right-click VEW.exe and Run AS Administrator

3. Under 'Select log to query', select:

* System

4. Under 'Select type to list', select:

* Error

* Warning

Then use the 'Number of events' as follows:

1. Click the radio button for 'Number of events'

Type 20 in the 1 to 20 box

Then click the Run button.

Notepad will open with the output log.

Please post the Output log in your next reply then repeat but select Application.

#29
britechguy

Posted 02 February 2015 - 02:46 PM

Member

Topic Starter
Member
258 posts

Here's the FRST fix log:

-----------------------------------------------------------------

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 01-02-2015
Ran by BPV at 2015-02-02 15:43:22 Run:1
Running from D:\Docs_and_Settings\Public\BriTechGuy\Toolbox\Carry_With_Programs\Farbar_Recovery_Scan_Tool
Loaded Profiles: BPV (Available profiles: BPV & JBH)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
CHR HKU\S-1-5-21-3700817450-263443993-1340972289-1001\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - No Path
S3 Andbus; system32\DRIVERS\lgandbus64.sys [X]
S3 AndDiag; system32\DRIVERS\lganddiag64.sys [X]
S3 AndGps; system32\DRIVERS\lgandgps64.sys [X]
S3 ANDModem; system32\DRIVERS\lgandmodem64.sys [X]
S3 andnetadb; System32\Drivers\lgandnetadb.sys [X]
S3 androidusb; System32\Drivers\lgandadb.sys [X]
S3 DIRECTIO; \??\c:\BIT_TEMP\DirectIo.sys [X]
Task: {2F57269B-1E09-4E2D-AB1E-B0FDAC7D279C} - \Microsoft\Windows\WindowsBackup\ConfigNotification No Task File <==== ATTENTION

*****************

"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKU\S-1-5-21-3700817450-263443993-1340972289-1001\SOFTWARE\Google\Chrome\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh" => Key deleted successfully.
Andbus => Service deleted successfully.
AndDiag => Service deleted successfully.
AndGps => Service deleted successfully.
ANDModem => Service deleted successfully.
andnetadb => Service deleted successfully.
androidusb => Service deleted successfully.
DIRECTIO => Service deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2F57269B-1E09-4E2D-AB1E-B0FDAC7D279C}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2F57269B-1E09-4E2D-AB1E-B0FDAC7D279C}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WindowsBackup\ConfigNotification" => Key deleted successfully.

==== End of Fixlog 15:43:23 ====

-----------------------------------------------------------------

I have run the "Unimmunize" feature of Spybot. Have you looked at Spybot since they went to Release 2? This is a piece of software I know well and trust. If it's causing the svchost issue I guess I'll have to replace it, but that is really a last resort. I'd like to avoid it, if possible, but I really want to get rid of the occasional runaway disk that, for all practical intents and purposes, stops the computer from functioning.

#30
RKinner

Posted 02 February 2015 - 03:06 PM

Malware Expert

Expert
24,731 posts

I have nothing against spybot itself. Just don't like the immunize feature. Chrome has a similar list builtin which gets updated periodically. Also AdBlockPlus can also block malware sites if you tell it to.