
Issues in event log



  • Root Admin

Okay that's fine.  We'll try some other updates.

 

Please visit the following site and run the fix for Windows Search

http://support.microsoft.com/mats/windows_search/

 

Then try the following one

http://support.microsoft.com/mats/Malware_Prevention/

 

Then restart the computer and run a new FRST scan with the Addition file as well and post back again.


  • Root Admin

There are a couple events still shown and one of them says you can safely ignore the error but if it can be fixed I don't like to ignore errors if possible.

Please review the following article and from an elevated admin command prompt run the following and see if the article can help you to resolve this issue.

 

vssadmin list writers

 

http://technet.microsoft.com/en-us/library/cc734235%28WS.10%29.aspx

 

 


vssadmin command reports that all writers are operating without errors.

Microsoft Windows [Version 6.1.7601]

Copyright © 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>vssadmin list writers

vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool

© Copyright 2001-2005 Microsoft Corp.

Writer name: 'Task Scheduler Writer'

Writer Id: {d61d61c8-d73a-4eee-8cdd-f6f9786b7124}

Writer Instance Id: {1bddd48e-5052-49db-9b07-b96f96727e6b}

State: [1] Stable

Last error: No error

Writer name: 'VSS Metadata Store Writer'

Writer Id: {75dfb225-e2e4-4d39-9ac9-ffaff65ddf06}

Writer Instance Id: {088e7a7d-09a8-4cc6-a609-ad90e75ddc93}

State: [1] Stable

Last error: No error

Writer name: 'Performance Counters Writer'

Writer Id: {0bada1de-01a9-4625-8278-69e735f39dd2}

Writer Instance Id: {f0086dda-9efc-47c5-8eb6-a944c3d09381}

State: [1] Stable

Last error: No error

Writer name: 'System Writer'

Writer Id: {e8132975-6f93-4464-a53e-1050253ae220}

Writer Instance Id: {ac5386a3-c6d7-4d47-9e43-e8ae81c19d20}

State: [1] Stable

Last error: No error

Writer name: 'ASR Writer'

Writer Id: {be000cbe-11fe-4426-9c58-531aa6355fc4}

Writer Instance Id: {3cdb6842-148b-44e1-b129-b320a49e66e4}

State: [1] Stable

Last error: No error

Writer name: 'Registry Writer'

Writer Id: {afbab4a2-367d-4d15-a586-71dbb18f8485}

Writer Instance Id: {becc43ca-608b-47e2-b8a8-a204df2c049f}

State: [1] Stable

Last error: No error

Writer name: 'WMI Writer'

Writer Id: {a6ad56c2-b509-4e6c-bb19-49d8f43532f0}

Writer Instance Id: {bf3d5e4a-3bff-4477-87e4-bc8b3f7b25ca}

State: [1] Stable

Last error: No error

Writer name: 'Shadow Copy Optimization Writer'

Writer Id: {4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f}

Writer Instance Id: {280b4b6d-7f27-4ec4-a16a-ee42ae190e8e}

State: [1] Stable

Last error: No error

Writer name: 'MSSearch Service Writer'

Writer Id: {cd3f2362-8bef-46c7-9181-d62844cdc0b2}

Writer Instance Id: {51d4cdbb-843f-492b-8d12-6f6d831dda21}

State: [1] Stable

Last error: No error

Writer name: 'COM+ REGDB Writer'

Writer Id: {542da469-d3e1-473c-9f4f-7847f01fc64f}

Writer Instance Id: {916913fb-f57a-47b3-b902-72744bc15c1a}

State: [1] Stable

Last error: No error

Writer name: 'BITS Writer'

Writer Id: {4969d978-be47-48b0-b100-f328f07ac1e0}

Writer Instance Id: {f19dd5f5-10bc-4b04-b16c-95db19c7980a}

State: [1] Stable

Last error: No error

C:\Windows\system32>
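
As an added example, not part of the original posts: a short Python parser for `vssadmin list writers` output in the layout shown above, which flags any writer whose state is not `[1] Stable` or whose last error is not `No error`. The sample text is constructed and the function names are hypothetical.

```python
import re

# Constructed sample in the same layout as the output above; the second
# writer's values are invented to show what a failing writer looks like.
SAMPLE = """\
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool

Writer name: 'System Writer'
   Writer Id: {00000000-0000-0000-0000-000000000001}
   State: [1] Stable
   Last error: No error

Writer name: 'Example Writer'
   Writer Id: {00000000-0000-0000-0000-000000000002}
   State: [8] Failed
   Last error: Timed out
"""

FIELD_RE = re.compile(
    r"^\s*(Writer name|Writer Id|Writer Instance Id|State|Last error):\s*(.*?)\s*$")
STATE_RE = re.compile(r"^\[(\d+)\]")

def parse_writers(text):
    """Return one dict per writer block; banner and prompt lines are ignored."""
    writers = []
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Writer name":
            writers.append({"name": value.strip("'")})
        elif writers:
            writers[-1][key.lower().replace(" ", "_")] = value
    return writers

def unhealthy(writers):
    """List (name, reasons) for writers that are not Stable or report an error."""
    bad = []
    for w in writers:
        m = STATE_RE.match(w.get("state", ""))
        reasons = []
        if not m or int(m.group(1)) != 1:  # a missing State line is flagged too
            reasons.append("state=" + w.get("state", "missing"))
        if w.get("last_error") != "No error":
            reasons.append("last_error=" + w.get("last_error", "missing"))
        if reasons:
            bad.append((w["name"], reasons))
    return bad

if __name__ == "__main__":
    for name, reasons in unhealthy(parse_writers(SAMPLE)):
        print(name, "->", ", ".join(reasons))
```
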


  • Root Admin

Well that's good.  Perhaps that error was old and no longer valid.
 
Please RESTART the computer again and run these scans and post back the logs.
 
 
Please download MiniToolBox save it to your desktop and run it.

Checkmark the following check-boxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using Reset FF Proxy Settings option Firefox should be closed.
 
 
 
Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

MiniTB log attached, FSS log below

Farbar Service Scanner Version: 25-02-2014

Ran by John Marg (administrator) on 01-05-2014 at 09:59:51

Running from "C:\Users\John Marg\Desktop\Temp"

Microsoft Windows 7 Home Premium Service Pack 1 (X86)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Google.com is accessible.

Yahoo.com is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Disabled Policy:

========================

Action Center:

============

Windows Update:

============

Windows Autoupdate Disabled Policy:

============================

Windows Defender:

==============

WinDefend Service is not running. Checking service configuration:

The start type of WinDefend service is set to Demand. The default start type is Auto.

The ImagePath of WinDefend service is OK.

The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:

==========================

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]

"DisableAntiSpyware"=DWORD:1

Other Services:

==============

File Check:

========

C:\Windows\system32\nsisvc.dll => MD5 is legit

C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit

C:\Windows\system32\dhcpcore.dll => MD5 is legit

C:\Windows\system32\Drivers\afd.sys

[2013-10-09 05:32] - [2013-09-14 10:48] - 0338944 ____A (Microsoft Corporation) F81BB7E487EDCEAB630A7EE66CF23913

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit

C:\Windows\system32\Drivers\tcpip.sys

[2013-10-09 05:32] - [2013-09-08 12:07] - 1294272 ____A (Microsoft Corporation) CA59F7C570AF70BC174F477CFE2D9EE3

C:\Windows\system32\dnsrslvr.dll => MD5 is legit

C:\Windows\system32\mpssvc.dll => MD5 is legit

C:\Windows\system32\bfe.dll => MD5 is legit

C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit

C:\Windows\system32\SDRSVC.dll => MD5 is legit

C:\Windows\system32\vssvc.exe => MD5 is legit

C:\Windows\system32\wscsvc.dll => MD5 is legit

C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit

C:\Windows\system32\wuaueng.dll => MD5 is legit

C:\Windows\system32\qmgr.dll => MD5 is legit

C:\Windows\system32\es.dll => MD5 is legit

C:\Windows\system32\cryptsvc.dll

[2013-08-14 06:09] - [2013-07-09 14:46] - 0140288 ____A (Microsoft Corporation) 7CA1BECEA5DE2643ADDAD32670E7A4C9

C:\Program Files\Windows Defender\MpSvc.dll

[2013-07-10 07:13] - [2013-05-27 14:57] - 0680960 ____A (Microsoft Corporation) 082CF481F659FAE0DE51AD060881EB47

C:\Windows\system32\svchost.exe => MD5 is legit

C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****

Result.txt


Microsoft Windows [Version 6.1.7601]

Copyright © 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>sfc /scannow

Beginning system scan. This process will take some time.

Beginning verification phase of system scan.

Verification 100% complete.

Windows Resource Protection did not find any integrity violations.

C:\Windows\system32>


  • Root Admin

Okay, well overall things look pretty good now.  Unfortunately nothing really found that should be causing a disconnect or similar issue with resolving websites.

 

You can try uninstalling MBAE and MBAM for a day or so and see if the issue resolves itself and let me know but otherwise the computer seems okay now.

 

 

You can remove the tools we've used so far now.

 

Download Delfix from here and save it to your desktop. (you may already have this)

  • Ensure Remove disinfection tools is checked.
  • Click the Run button.
  • Reboot

Any other programs or logs that are still remaining, you can manually delete. (right click.....Delete)
IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST folder, FRST-OlderVersion folder, MBAR folder, etc....AdwCleaner > just run the program and click uninstall.

Note:
If you used FRST and can't delete the quarantine folder:
Download the fixlist.txt to the same folder as FRST.exe.
Run FRST.exe and click Fix only once and wait
That will delete the quarantine folder created by FRST.
The rest you can manually delete.
 

 


  • 2 weeks later...

Well it just happened again. This time with www.malwarebytes.org

I was looking at a malwarebytes forum using IE

I clicked on the link to www.malwarebytes.org - IE could not connect.

Typed in the address into the address bar - IE could not connect

Tried many other websites - no problems - all loaded fine

Restarted IE - same problem

Exited Malwarebytes Pro 2.0.2.1010

www.malwarebytes.org connected OK!

Restarted Malwarebytes Pro

Restarted IE

www.malwarebytes.org still connected OK

Very strange


  • 3 weeks later...

Happened again with www.malwarebytes.org

Ran Wireshark during which I did the following:

- opened another web site successfully

- refresh attempts on www.malwarebytes.org - all failed

- Exited MBAM

- Closed IE

- opened IE and successfully connected to www.malwarebytes.org

Image of initial failure attached

Wireshark file attached


MBAM.zip


Happened again with www.reuters.com using Firefox, also occurred when I tried it in IE. Decided to do another Wireshark run.

Ran Wireshark during which I did the following:

- attempted to open www.reuters.com - failed

- Exited MBAM

- Closed Firefox

- opened Firefox and successfully connected to www.reuters.com

I then restarted MBAM and had no problems with the above web site

Wireshark file attached

Reuters.zip


  • Root Admin

Let me have you do the following again please.

  1. Please uninstall your current version of MBAM and reinstall the latest version. MBAM Clean Removal Process 2x
  2. If that does not correct the issue then please read the following and post back the requested logs. - Diagnostic Logs
  3. NOTE: There is an FAQ section with valuable information located here: - Common Questions, Issues, and their Solutions


Thank You
 

