savvycarol

Troubleshoot slow startup by looking at startup events

My Vaio laptop has gotten extremely slow to start up.  I'm prepared for a long and tedious process of working out all that could be involved.  I've already run a virus scan (McAfee) and an anti-spyware program (Ad-Aware SE) and found nothing.  XP Home edition, v5.1, SP2, build 2600

I'm asking for someone who knows in detail the MS Windows XP home edition startup to look at the following startup logs and let me know what, if anything, is abnormal and how to clean them up.  I'd also like a few questionable items explained even if they're normal.

I'm particularly concerned by the number of times the security event combo 528/576 (successful login / special privileges assigned) occurs.  One recent startup ran through those 2 steps 13 times: for Network Service (5), Local Service (6), my user login "carol" (1), Network Service-Anonymous Login (1).  I also wonder what the 515 events for trusted login processes CHAP and SECONDARY LOGIN SERVICE are.  Immediately after the second of those my IPSec fails to initialize the IKE module.

My trusted login process KSecDD has to have 3 separate 515 events (registered with LSA) during a single startup sequence.  Why would that be?

Why are there 3 distinct attempts to logon NT Authority/Anonymous User spaced 30 minutes apart at the very end of the process?  It appears to me there are days when this logon attempt (events 540/538) repeats about every 30 minutes the entire time my computer is on.

Why is there a per user audit policy refresh (event 806) followed by a failed attempt to logon carol by the MS AUTHORIZATION PACKAGE, followed by the computer attempt to logon carol?  Should the computer be attempting the carol login first by any chance?

The following details from my event log start with all the warnings and errors in Apps and System.  Then it is followed by a detailed list of security event logs.

Thanks, Carol

Only Application Warning on startup:

Event Type:      Warning
Event Source:      Userenv
Event Category:      None
Event ID:      1517
Date:            10/20/2007
Time:            9:47:05 PM
User:            NT AUTHORITY\SYSTEM
Computer:      DUSTYFOOT
Description:
Windows saved user DUSTYFOOT\carol registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


First Security Errors on startup:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      680
Date:            10/20/2007
Time:            9:53:42 PM
User:            NT AUTHORITY\SYSTEM
Computer:      DUSTYFOOT
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:  carol
 Source Workstation: DUSTYFOOT
 Error Code: 0xC000006A


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            10/20/2007
Time:            9:53:42 PM
User:            NT AUTHORITY\SYSTEM
Computer:      DUSTYFOOT
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      carol
       Domain:            DUSTYFOOT
       Logon Type:      2
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      DUSTYFOOT

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Second Security Errors on startup:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Policy Change
Event ID:      615
Date:            10/20/2007
Time:            9:54:05 PM
User:            NT AUTHORITY\NETWORK SERVICE
Computer:      DUSTYFOOT
Description:
IPSec Services:       IPSec Services failed to initialize IKE module with error code: The attempted operation is not supported for the type of object referenced.
. IPSec Services could not be started.



For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Policy Change
Event ID:      615
Date:            10/20/2007
Time:            9:54:05 PM
User:            NT AUTHORITY\NETWORK SERVICE
Computer:      DUSTYFOOT
Description:
IPSec Services:       IPSec Services has experienced a critical failure and has shut down with error code: The network connection was aborted by the local system.
. Stopped IPSec Services can be a potential security hazard to the machine. Please contact your machine administrator to re-start the service.



For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Only System Error on startup:

Event Type:      Error
Event Source:      Service Control Manager
Event Category:      None
Event ID:      7023
Date:            10/20/2007
Time:            9:54:09 PM
User:            N/A
Computer:      DUSTYFOOT
Description:
The IPSEC Services service terminated with the following error:
The attempted operation is not supported for the type of object referenced.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

END WARNINGS AND ERRORS

START COMPLETE LIST OF SECURITY INFORMATION EVENTS

First Security Success Audits:

Event Type:      Success Audit
Event Source:      Security
Event Category:      System Event
Event ID:      514
Date:            10/20/2007
Time:            9:53:36 PM
User:            NT AUTHORITY\SYSTEM
Computer:      DUSTYFOOT
Description:
An authentication package has been loaded by the Local Security Authority. This authentication package will be used to authenticate logon attempts.
 Authentication Package Name:      C:\WINDOWS\system32\LSASRV.dll : Negotiate

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Next Authentication Packages loaded by LSA:

Kerberos
NTLM
MS Unified Security Protocol Provider
Schannel
WDigest
MS Authentication Package V1.0

Then:

Event Type:      Success Audit
Event Source:      Security
Event Category:      System Event
Event ID:      515
Date:            10/20/2007
Time:            9:53:36 PM
User:            NT AUTHORITY\SYSTEM
Computer:      DUSTYFOOT
Description:
A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.
 
 Logon Process Name:      KSecDD

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Next Logon Processes registered by LSA:

Winlogon
Winlogon\MSGina


scecli  (Notification Package loaded by SAM)
DCOMSCM  (trusted logon processes)

*************************************************

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      528
Date:            10/20/2007
Time:            9:53:36 PM
User:            NT AUTHORITY\NETWORK SERVICE
Computer:      DUSTYFOOT
Description:
Successful Logon:
       User Name:      NETWORK SERVICE
       Domain:            NT AUTHORITY
       Logon ID:            (0x0,0x3E4)
       Logon Type:      5
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      
       Logon GUID:      {00000000-0000-0000-0000-000000000000}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Privilege Use
Event ID:      576
Date:            10/20/2007
Time:            9:53:36 PM
User:            NT AUTHORITY\NETWORK SERVICE
Computer:      DUSTYFOOT
Description:
Special privileges assigned to new logon:
       User Name:      
       Domain:            
       Logon ID:            (0x0,0x3E4)
       Privileges:            SeAuditPrivilege
                  SeAssignPrimaryTokenPrivilege
                  SeChangeNotifyPrivilege

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      528
Date:            10/20/2007
Time:            9:53:37 PM
User:            NT AUTHORITY\NETWORK SERVICE
Computer:      DUSTYFOOT
Description:
Successful Logon:
       User Name:      NETWORK SERVICE
       Domain:            NT AUTHORITY
       Logon ID:            (0x0,0x3E4)
       Logon Type:      5
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      
       Logon GUID:      {00000000-0000-0000-0000-000000000000}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type:      Success Audit
Event Source:      Security
Event Category:      Privilege Use
Event ID:      576
Date:            10/20/2007
Time:            9:53:37 PM
User:            NT AUTHORITY\NETWORK SERVICE
Computer:      DUSTYFOOT
Description:
Special privileges assigned to new logon:
       User Name:      NETWORK SERVICE
       Domain:            NT AUTHORITY
       Logon ID:            (0x0,0x3E4)
       Privileges:            SeAuditPrivilege
                  SeAssignPrimaryTokenPrivilege
                  SeChangeNotifyPrivilege

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      528
Date:            10/20/2007
Time:            9:53:37 PM
User:            NT AUTHORITY\LOCAL SERVICE
Computer:      DUSTYFOOT
Description:
Successful Logon:
       User Name:      LOCAL SERVICE
       Domain:            NT AUTHORITY
       Logon ID:            (0x0,0x3E5)
       Logon Type:      5
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      
       Logon GUID:      {00000000-0000-0000-0000-000000000000}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type:      Success Audit
Event Source:      Security
Event Category:      Privilege Use
Event ID:      576
Date:            10/20/2007
Time:            9:53:37 PM
User:            NT AUTHORITY\LOCAL SERVICE
Computer:      DUSTYFOOT
Description:
Special privileges assigned to new logon:
       User Name:      
       Domain:            
       Logon ID:            (0x0,0x3E5)
       Privileges:            SeAuditPrivilege
                  SeAssignPrimaryTokenPrivilege
                  SeChangeNotifyPrivilege

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

*********************************************************

Event Type:      Success Audit
Event Source:      Security
Event Category:      System Event
Event ID:      515
Date:            10/20/2007
Time:            9:53:38 PM
User:            NT AUTHORITY\SYSTEM
Computer:      DUSTYFOOT
Description:
A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.
 
 Logon Process Name:      CHAP

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

More trusted logon processes:

LAN Manager Workstation Service
KSecDD

Event Type:      Success Audit
Event Source:      Security
Event Category:      Policy Change
Event ID:      806
Date:            10/20/2007
Time:            9:53:41 PM
User:            NT AUTHORITY\SYSTEM
Computer:      DUSTYFOOT
Description:
Per User Audit Policy was refreshed.
       Number of elements:      0
       Policy ID:      (0x0,0x1104D)


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      680
Date:            10/20/2007
Time:            9:53:42 PM
User:            NT AUTHORITY\SYSTEM
Computer:      DUSTYFOOT
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:  carol
 Source Workstation: DUSTYFOOT
 Error Code: 0xC000006A


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            10/20/2007
Time:            9:53:42 PM
User:            NT AUTHORITY\SYSTEM
Computer:      DUSTYFOOT
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      carol
       Domain:            DUSTYFOOT
       Logon Type:      2
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      DUSTYFOOT

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      680
Date:            10/20/2007
Time:            9:53:45 PM
User:            NT AUTHORITY\SYSTEM
Computer:      DUSTYFOOT
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:  carol
 Source Workstation: DUSTYFOOT
 Error Code: 0x0


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

*********************************************************

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      528
Date:            10/20/2007
Time:            9:53:45 PM
User:            DUSTYFOOT\carol
Computer:      DUSTYFOOT
Description:
Successful Logon:
       User Name:      carol
       Domain:            DUSTYFOOT
       Logon ID:            (0x0,0x11553)
       Logon Type:      2
       Logon Process:      User32  
       Authentication Package:      Negotiate
       Workstation Name:      DUSTYFOOT
       Logon GUID:      {00000000-0000-0000-0000-000000000000}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type:      Success Audit
Event Source:      Security
Event Category:      Privilege Use
Event ID:      576
Date:            10/20/2007
Time:            9:53:45 PM
User:            DUSTYFOOT\carol
Computer:      DUSTYFOOT
Description:
Special privileges assigned to new logon:
       User Name:      
       Domain:            
       Logon ID:            (0x0,0x11553)
       Privileges:            SeChangeNotifyPrivilege
                  SeBackupPrivilege
                  SeRestorePrivilege
                  SeDebugPrivilege

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      528
Date:            10/20/2007
Time:            9:53:46 PM
User:            NT AUTHORITY\LOCAL SERVICE
Computer:      DUSTYFOOT
Description:
Successful Logon:
       User Name:      LOCAL SERVICE
       Domain:            NT AUTHORITY
       Logon ID:            (0x0,0x3E5)
       Logon Type:      5
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      
       Logon GUID:      {00000000-0000-0000-0000-000000000000}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type:      Success Audit
Event Source:      Security
Event Category:      Privilege Use
Event ID:      576
Date:            10/20/2007
Time:            9:53:46 PM
User:            NT AUTHORITY\LOCAL SERVICE
Computer:      DUSTYFOOT
Description:
Special privileges assigned to new logon:
       User Name:      LOCAL SERVICE
       Domain:            NT AUTHORITY
       Logon ID:            (0x0,0x3E5)
       Privileges:            SeAuditPrivilege
                  SeAssignPrimaryTokenPrivilege
                  SeChangeNotifyPrivilege

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      528
Date:            10/20/2007
Time:            9:53:46 PM
User:            NT AUTHORITY\LOCAL SERVICE
Computer:      DUSTYFOOT
Description:
Successful Logon:
       User Name:      LOCAL SERVICE
       Domain:            NT AUTHORITY
       Logon ID:            (0x0,0x3E5)
       Logon Type:      5
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      
       Logon GUID:      {00000000-0000-0000-0000-000000000000}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Privilege Use
Event ID:      576
Date:            10/20/2007
Time:            9:53:46 PM
User:            NT AUTHORITY\LOCAL SERVICE
Computer:      DUSTYFOOT
Description:
Special privileges assigned to new logon:
       User Name:      LOCAL SERVICE
       Domain:            NT AUTHORITY
       Logon ID:            (0x0,0x3E5)
       Privileges:            SeAuditPrivilege
                  SeAssignPrimaryTokenPrivilege
                  SeChangeNotifyPrivilege

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

*********************************************************

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      528
Date:            10/20/2007
Time:            9:53:46 PM
User:            NT AUTHORITY\NETWORK SERVICE
Computer:      DUSTYFOOT
Description:
Successful Logon:
       User Name:      NETWORK SERVICE
       Domain:            NT AUTHORITY
       Logon ID:            (0x0,0x3E4)
       Logon Type:      5
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      
       Logon GUID:      {00000000-0000-0000-0000-000000000000}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type:      Success Audit
Event Source:      Security
Event Category:      Privilege Use
Event ID:      576
Date:            10/20/2007
Time:            9:53:46 PM
User:            NT AUTHORITY\NETWORK SERVICE
Computer:      DUSTYFOOT
Description:
Special privileges assigned to new logon:
       User Name:      NETWORK SERVICE
       Domain:            NT AUTHORITY
       Logon ID:            (0x0,0x3E4)
       Privileges:            SeAuditPrivilege
                  SeAssignPrimaryTokenPrivilege
                  SeChangeNotifyPrivilege

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            10/20/2007
Time:            9:53:47 PM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      DUSTYFOOT
Description:
Successful Network Logon:
       User Name:      
       Domain:            
       Logon ID:            (0x0,0x16583)
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      
       Logon GUID:      {00000000-0000-0000-0000-000000000000}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type:      Success Audit
Event Source:      Security
Event Category:      System Event
Event ID:      515
Date:            10/20/2007
Time:            9:54:01 PM
User:            NT AUTHORITY\SYSTEM
Computer:      DUSTYFOOT
Description:
A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.
 
 Logon Process Name:      Secondary Logon Service

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Policy Change
Event ID:      615
Date:            10/20/2007
Time:            9:54:05 PM
User:            NT AUTHORITY\NETWORK SERVICE
Computer:      DUSTYFOOT
Description:
IPSec Services:       IPSec Services failed to initialize IKE module with error code: The attempted operation is not supported for the type of object referenced.
. IPSec Services could not be started.



For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Policy Change
Event ID:      615
Date:            10/20/2007
Time:            9:54:05 PM
User:            NT AUTHORITY\NETWORK SERVICE
Computer:      DUSTYFOOT
Description:
IPSec Services:       IPSec Services failed to initialize IKE module with error code: The attempted operation is not supported for the type of object referenced.
. IPSec Services could not be started.



For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      528
Date:            10/20/2007
Time:            9:54:07 PM
User:            NT AUTHORITY\LOCAL SERVICE
Computer:      DUSTYFOOT
Description:
Successful Logon:
       User Name:      LOCAL SERVICE
       Domain:            NT AUTHORITY
       Logon ID:            (0x0,0x3E5)
       Logon Type:      5
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      
       Logon GUID:      {00000000-0000-0000-0000-000000000000}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Privilege Use
Event ID:      576
Date:            10/20/2007
Time:            9:54:07 PM
User:            NT AUTHORITY\LOCAL SERVICE
Computer:      DUSTYFOOT
Description:
Special privileges assigned to new logon:
       User Name:      LOCAL SERVICE
       Domain:            NT AUTHORITY
       Logon ID:            (0x0,0x3E5)
       Privileges:            SeAuditPrivilege
                  SeAssignPrimaryTokenPrivilege
                  SeChangeNotifyPrivilege

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Privilege Use
Event ID:      576
Date:            10/20/2007
Time:            9:54:07 PM
User:            NT AUTHORITY\LOCAL SERVICE
Computer:      DUSTYFOOT
Description:
Special privileges assigned to new logon:
       User Name:      LOCAL SERVICE
       Domain:            NT AUTHORITY
       Logon ID:            (0x0,0x3E5)
       Privileges:            SeAuditPrivilege
                  SeAssignPrimaryTokenPrivilege
                  SeChangeNotifyPrivilege

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Privilege Use
Event ID:      576
Date:            10/20/2007
Time:            9:55:01 PM
User:            NT AUTHORITY\LOCAL SERVICE
Computer:      DUSTYFOOT
Description:
Special privileges assigned to new logon:
       User Name:      LOCAL SERVICE
       Domain:            NT AUTHORITY
       Logon ID:            (0x0,0x3E5)
       Privileges:            SeAuditPrivilege
                  SeAssignPrimaryTokenPrivilege
                  SeChangeNotifyPrivilege

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      528
Date:            10/20/2007
Time:            9:55:02 PM
User:            NT AUTHORITY\LOCAL SERVICE
Computer:      DUSTYFOOT
Description:
Successful Logon:
       User Name:      LOCAL SERVICE
       Domain:            NT AUTHORITY
       Logon ID:            (0x0,0x3E5)
       Logon Type:      5
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      
       Logon GUID:      {00000000-0000-0000-0000-000000000000}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Privilege Use
Event ID:      576
Date:            10/20/2007
Time:            9:55:02 PM
User:            NT AUTHORITY\LOCAL SERVICE
Computer:      DUSTYFOOT
Description:
Special privileges assigned to new logon:
       User Name:      LOCAL SERVICE
       Domain:            NT AUTHORITY
       Logon ID:            (0x0,0x3E5)
       Privileges:            SeAuditPrivilege
                  SeAssignPrimaryTokenPrivilege
                  SeChangeNotifyPrivilege

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

*************************************************************

Event Type:      Success Audit
Event Source:      Security
Event Category:      System Event
Event ID:      515
Date:            10/20/2007
Time:            9:55:02 PM
User:            NT AUTHORITY\SYSTEM
Computer:      DUSTYFOOT
Description:
A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.
 
 Logon Process Name:      RASMAN

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

*****************************************************

Event Type:      Success Audit
Event Source:      Security
Event Category:      Policy Change
Event ID:      848
Date:            10/20/2007
Time:            9:55:05 PM
User:            NT AUTHORITY\SYSTEM
Computer:      DUSTYFOOT
Description:
The following policy was active when the Windows Firewall started.
 
Group Policy applied: No
Profile used: Standard
Interface: All interfaces
Operational mode: Off
Services:
     File and Printer Sharing: Enabled
     Remote Desktop: Disabled
     UPnP Framework: Enabled
Allow remote administration: Disabled
Allow unicast responses to multicast/broadcast traffic: Disabled
Security Logging:
     Log dropped packets: Disabled
     Log successful connections Disabled
ICMP:
     Allow incoming echo request: Enabled
     Allow incoming timestamp request: Disabled
     Allow incoming mask request: Disabled
     Allow incoming router request: Disabled
     Allow outgoing destination unreachable: Disabled
     Allow outgoing source quench: Disabled
     Allow outgoing parameter problem: Disabled
     Allow outgoing time exceeded: Disabled
     Allow redirect: Disabled
     Allow outgoing packet too big: Disabled

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Policy Change
Event ID:      849
Date:            10/20/2007
Time:            9:55:05 PM
User:            NT AUTHORITY\SYSTEM
Computer:      DUSTYFOOT
Description:
An application was listed as an exception when the Windows Firewall started.
 
Policy origin: Local Policy
Profile used: Standard
Name: McAfee Network Agent
Path: C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
State: Enabled
Scope: All subnets

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

More apps listed as exception to windows firewall:

Windows Messenger
SV_HTTpd
UPnpFramework
Remote Assistance
Alohabob PC Relocator
Skype
TurboTax
TurboTax Update Manager
NETBIOS Name Service
NETBIOS Datagram Service
NETBIOS Session Service
SMP over TCP
SSDP Component of UPnP Framework
UPnP Framework over TCP
Remote Desktop


Event Type:      Success Audit
Event Source:      Security
Event Category:      Policy Change
Event ID:      848
Date:            10/20/2007
Time:            9:55:05 PM
User:            NT AUTHORITY\SYSTEM
Computer:      DUSTYFOOT
Description:
The following policy was active when the Windows Firewall started.
 
Group Policy applied: -
Profile used: -
Interface: -
Operational mode: Off
Services:
     File and Printer Sharing: -
     Remote Desktop: -
     UPnP Framework: -
Allow remote administration: -
Allow unicast responses to multicast/broadcast traffic: -
Security Logging:
     Log dropped packets: -
     Log successful connections -
ICMP:
     Allow incoming echo request: Disabled
     Allow incoming timestamp request: Disabled
     Allow incoming mask request: Disabled
     Allow incoming router request: Disabled
     Allow outgoing destination unreachable: Disabled
     Allow outgoing source quench: Disabled
     Allow outgoing parameter problem: Disabled
     Allow outgoing time exceeded: Disabled
     Allow redirect: Disabled
     Allow outgoing packet too big: Disabled

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

****************************************************

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      528
Date:            10/20/2007
Time:            9:55:13 PM
User:            NT AUTHORITY\NETWORK SERVICE
Computer:      DUSTYFOOT
Description:
Successful Logon:
       User Name:      NETWORK SERVICE
       Domain:            NT AUTHORITY
       Logon ID:            (0x0,0x3E4)
       Logon Type:      5
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      
       Logon GUID:      {00000000-0000-0000-0000-000000000000}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Privilege Use
Event ID:      576
Date:            10/20/2007
Time:            9:55:13 PM
User:            NT AUTHORITY\NETWORK SERVICE
Computer:      DUSTYFOOT
Description:
Special privileges assigned to new logon:
       User Name:      NETWORK SERVICE
       Domain:            NT AUTHORITY
       Logon ID:            (0x0,0x3E4)
       Privileges:            SeAuditPrivilege
                  SeAssignPrimaryTokenPrivilege
                  SeChangeNotifyPrivilege

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      528
Date:            10/20/2007
Time:            9:55:19 PM
User:            NT AUTHORITY\NETWORK SERVICE
Computer:      DUSTYFOOT
Description:
Successful Logon:
       User Name:      NETWORK SERVICE
       Domain:            NT AUTHORITY
       Logon ID:            (0x0,0x3E4)
       Logon Type:      5
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      
       Logon GUID:      {00000000-0000-0000-0000-000000000000}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Privilege Use
Event ID:      576
Date:            10/20/2007
Time:            9:55:19 PM
User:            NT AUTHORITY\NETWORK SERVICE
Computer:      DUSTYFOOT
Description:
Special privileges assigned to new logon:
       User Name:      NETWORK SERVICE
       Domain:            NT AUTHORITY
       Logon ID:            (0x0,0x3E4)
       Privileges:            SeAuditPrivilege
                  SeAssignPrimaryTokenPrivilege
                  SeChangeNotifyPrivilege

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Success Audit
Event Source:      Security
Event Category:      System Event
Event ID:      515
Date:            10/20/2007
Time:            9:55:22 PM
User:            NT AUTHORITY\SYSTEM
Computer:      DUSTYFOOT
Description:
A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.
 
 Logon Process Name:      KSecDD

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      528
Date:            10/20/2007
Time:            9:55:37 PM
User:            NT AUTHORITY\NETWORK SERVICE
Computer:      DUSTYFOOT
Description:
Successful Logon:
       User Name:      NETWORK SERVICE
       Domain:            NT AUTHORITY
       Logon ID:            (0x0,0x3E4)
       Logon Type:      5
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      
       Logon GUID:      {00000000-0000-0000-0000-000000000000}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Privilege Use
Event ID:      576
Date:            10/20/2007
Time:            9:55:37 PM
User:            NT AUTHORITY\NETWORK SERVICE
Computer:      DUSTYFOOT
Description:
Special privileges assigned to new logon:
       User Name:      NETWORK SERVICE
       Domain:            NT AUTHORITY
       Logon ID:            (0x0,0x3E4)
       Privileges:            SeAuditPrivilege
                  SeAssignPrimaryTokenPrivilege
                  SeChangeNotifyPrivilege

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            10/20/2007
Time:            10:23:39 PM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      DUSTYFOOT
Description:
Successful Network Logon:
       User Name:      
       Domain:            
       Logon ID:            (0x0,0xF8E02)
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      VIVIEN
       Logon GUID:      {00000000-0000-0000-0000-000000000000}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            10/20/2007
Time:            10:23:49 PM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      DUSTYFOOT
Description:
User Logoff:
       User Name:      ANONYMOUS LOGON
       Domain:            NT AUTHORITY
       Logon ID:            (0x0,0xF8E02)
       Logon Type:      3


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            10/20/2007
Time:            10:55:40 PM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      DUSTYFOOT
Description:
Successful Network Logon:
       User Name:      
       Domain:            
       Logon ID:            (0x0,0x12B3F1)
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      VIVIEN
       Logon GUID:      {00000000-0000-0000-0000-000000000000}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            10/20/2007
Time:            10:55:50 PM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      DUSTYFOOT
Description:
User Logoff:
       User Name:      ANONYMOUS LOGON
       Domain:            NT AUTHORITY
       Logon ID:            (0x0,0x12B3F1)
       Logon Type:      3


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

*****************************************************




bkellyboulderit

Curious, Are you running VPN client software on this box?
savvycarol

ASKER

Possibly, how can I confirm?  I think I have it with my Venturi Client which allows me to connect to the Internet via my cell phone by plugging my cell phone into my laptop with a certain connector from Verizon.  I haven't used this in over a year.

I could also have something like that with the VAIO software that came with the product.  I know there are options to let VAIO tech support get at my computer ... something I'd rather not have since I'd never call them at this point.  I think I tried to remove this once with bad results.

I could also have something like that pertaining to access to my work network from home.  All processed through MS Outlook.  Don't know any more than that.

It seems to me that you do have something like that running. IPSEC and IKE errors are specifically related to VPN activity. My first hunch, which hasn't really delved into this further, is that you have McAfee and the firewall going, both probably interfering with a VPN client. Something is trying to start, and it is not happy.

My suggestion is to disable McAfee from starting up, and try this again (reboot) to see what happens; you can re-enable it later. My concern is that McAfee is blocking the other program.

Then if it still behaves this way, turn off the Windows Firewall, and try rebooting again.

Eliminate the variables. Then we can really figure out what program is causing this.
Disabling McAfee removes the only Application Error on startup (Event 1517: Windows saved user DUSTYFOOT\carol registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.)  It does not appear to affect anything else.  

I still have a series of 13 528/576 event pairs.  I still have the same Security Failure Audits.  My KSecDD still registers with the LSA 3 times every startup.  And  I still have the only System Error on startup:

Event Type:      Error
Event Source:      Service Control Manager
Event Category:      None
Event ID:      7023
Date:            10/22/2007
Time:            10:26:27 PM
User:            N/A
Computer:      DUSTYFOOT
Description:
The IPSEC Services service terminated with the following error:
The attempted operation is not supported for the type of object referenced.

Carol
My Windows Firewall is turned off and was turned off when I ran the above logs.  Why then did I get an EID 848 "Policies active when windows firewall started" ?????
Can you list the add remove programs entries? Maybe a post of the log from hijackthis would detail all the processes starting up.
http://www.majorgeeks.com/download5554.html

Thanks
My startup list follows.  FYI, I'm no longer using the following and tried to uninstall them, at least to remove them from here:  Skype, Musicmatch.  ALSO, the "Find Fast" popup window starts up every time I start my computer, and this action began a few months ago, right around the time things seemed to start to slow down.  I never thought I did anything to cause the "Find Fast" window to open at startup.
Carol

StartupList report, 10/23/2007, 2:42:01 PM
StartupList version: 1.52.2
Started from : D:\Program Files\HiJack This\HiJackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Quicken Online Backup\AgentSrv.EXE
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
D:\Program Files\iPod\Bin\iPodWatcher.exe
C:\Program Files\Venturi2\Configurator\ventcfg.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\SiteAdvisor\6021\SiteAdv.exe
D:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Apoint\Apntex.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Venturi2\Client\ventc.exe
D:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
D:\Program Files\Microsoft Office\Office\FINDFAST.EXE
d:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\PerSono\perstray.exe
C:\Program Files\ScanSoft\NaturallySpeaking8\Program\natspeak.exe
D:\Program Files\iPod\Bin\iPodSrv.exe
D:\Program Files\Microsoft Office\Office\OSA.EXE
d:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Webshots.scr
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Program Files\HiJack This\HiJackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\carol\Start Menu\Programs\Startup]
Dragon NaturallySpeaking.lnk = C:\Program Files\ScanSoft\NaturallySpeaking8\Program\natspeak.exe
Microsoft Find Fast.lnk = D:\Program Files\Microsoft Office\Office\FINDFAST.EXE
Office Startup.lnk = D:\Program Files\Microsoft Office\Office\OSA.EXE
Webshots.lnk = D:\Program Files\Webshots\Launcher.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Microsoft Find Fast.lnk = D:\Program Files\Microsoft Office\Office\FINDFAST.EXE
Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
Perstray.lnk = ?
Quicken Online Backup TaskBar Icon.LNK = C:\Program Files\Quicken Online Backup\CBSysTray.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Apoint = C:\Program Files\Apoint\Apoint.exe
ATIModeChange = Ati2mdxx.exe
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
Mouse Suite 98 Daemon = ICO.EXE
BluetoothAuthenticationAgent = rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
SonyPowerCfg = C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
HKSERV.EXE = C:\Program Files\Sony\HotKey Utility\HKserv.exe
ISBMgr.exe = C:\Program Files\Sony\ISB Utility\ISBMgr.exe
VAIO Update 2 = "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
ezShieldProtector for Px = C:\WINDOWS\System32\ezSP_Px.exe
VAIO Recovery = C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
Microsoft IntelliType Pro = "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
POINTER = point32.exe
ADUserMon = C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
HPDJ Taskbar Utility = C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
iPodWatcher = D:\Program Files\iPod\Bin\iPodWatcher.exe
MimBoot = d:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
Venturi Configurator = C:\Program Files\Venturi2\Configurator\ventcfg.exe
SSBkgdUpdate = C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
RCScheduleCheck = C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
SiteAdvisor = C:\Program Files\SiteAdvisor\6021\SiteAdv.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Skype = "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
swg = C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\Webshots.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll - {089FD14D-132B-48FC-8861-0048AE113215}
scriptproxy - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll - {7DB2D5A0-7241-4E79-B68D-6309F01C5231}
(no name) - c:\program files\google\googletoolbar3.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}

--------------------------------------------------

Enumerating Task Scheduler jobs:

McDefragTask.job
McQcTask.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\macromed\Director\SwDir.dll
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dll
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[Talisma NetAgent Customer ActiveX Control version 3]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\custappx3.dll
CODEBASE = https://quicken.ehosts.net/netagent/objects/custappx3.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Webshots Multiple Media Uploader - Container]
InProcServer32 = C:\WINDOWS\DOWNLO~1\WSAXCO~1.OCX
CODEBASE = http://community.webshots.com/html/atx/wsaxcontrol.cab

[CPlayFirstTriJinxControl Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55.dll
CODEBASE = http://download.games.yahoo.com/games/web_games/playfirst/trijinx/TriJinx.1.0.0.55.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc3.cab

[Jigsaw Genius Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\jigsaw.ocx
CODEBASE = http://www.worldwinner.com/games/v42/jigsaw/jigsaw.cab

[McAfee.com Operating System Class]
InProcServer32 = C:\WINDOWS\system32\mcinsctl.dll
CODEBASE = http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab

[Blockwerx Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\BLOCKW~1.OCX
CODEBASE = http://www.worldwinner.com/games/v47/blockwerx/blockwerx.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1112749910175

[Wwlaunch Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\wwlaunch.ocx
CODEBASE = http://www.worldwinner.com/games/shared/wwlaunch.cab

[Get_ActiveX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\HPGETD~1.OCX
CODEBASE = https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx

[SwapIt Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\swapit.ocx
CODEBASE = http://www.worldwinner.com/games/v61/swapit/swapit.cab

[Tile City Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\tilecity.ocx
CODEBASE = http://www.worldwinner.com/games/v41/tilecity/tilecity.cab

[DwnldGroupMgr Class]
InProcServer32 = C:\WINDOWS\system32\mcgdmgr.dll
CODEBASE = http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

[TikGames Online Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\gpcontrol.dll
CODEBASE = http://download.games.yahoo.com/games/web_games/tikgames/pandacraze/gpcontrol.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #4: C:\WINDOWS\system32\wshbth.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Connected Agent Service: C:\Program Files\Quicken Online Backup\AgentSrv.EXE -asv (autostart)
Ati HotKey Poller: %SystemRoot%\System32\Ati2evxx.exe (autostart)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
McAfee HackerWatch Service: "C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe" (autostart)
McAfee Services: C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (autostart)
McAfee Network Agent: "c:\program files\common files\mcafee\mna\mcnasvc.exe" (autostart)
McAfee Scanner: C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe (autostart)
McAfee Protection Manager: C:\PROGRA~1\McAfee\MSC\mcpromgr.exe (autostart)
McAfee Redirector Service: c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe (autostart)
McAfee Real-time Scanner: C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (autostart)
mdmxsdk: System32\DRIVERS\mdmxsdk.sys (autostart)
McAfee Personal Firewall Service: "C:\Program Files\McAfee\MPF\MPFSrv.exe" (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SoundMAX Agent Service: C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Plantronics USB Audio Adapter EQ Filter Driver: System32\DRIVERS\uacflt.sys (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 17,380 bytes
Report generated in 0.211 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only
ASKER CERTIFIED SOLUTION
bkellyboulderit

This solution is only available to members.
You know, this doesn't look bad to me, I wouldn't be surprised if Findfast (installed by default with Office 97) was the root of this.
I'll look at this some more.
How do I kill Findfast?
Go into the start menu, under programs, locate the folder that says startup and expand it. In there right-click and delete the two items that say Findfast and Osa.
Killing Findfast didn't seem to do much.  The error messages I originally reported have NOT disappeared.  The first app error (1517) is apparently a shutdown error, so I noticed it after the next reboot.  The system error 7023 re IPSec services being terminated is also still there.

I've narrowed down the time period in the startup process that seems to be the problem.  On my 10/23/07 2:37:08 startup the important time frame was from 2:37:17 to 2:37:32.   Then there are a series of Anonymous Logins I'd like to understand.  Finally, there is the shutdown error that says something is still holding onto  Dustyfoot\carol.  Here are the details:

ACTIVITY REPORTED 2:37:17 to 2:37:32.

2:37:17  -- There are 2 APP EID:0 events -- Hackerwatch and AgentSrv.  At the same time a SEC EID: 540 shows ANONYMOUS login attempt.

2:37:22 --  FAILURE SEC AUDIT EID:680 -- System registers attempt by MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 to logon account carol.  SEC EID 529: Logon failure reported for unknown user name or bad password for carol.

2:37:23 -- several things happen nearly simultaneously.

2:37:23 SECURITY EVENTS.  
EID:515 -- Secondary Logon Service registered with LSA.
EID:528 -- user=NT AUTHORITY/LOCAL Service. UN(user name)=LOCAL SERVICE.  DN(domain name)=NTAUTHORITY. LT(logon type)=5.
EID:576 -- user=NT AUTHORITY/LOCAL Service. UN=LOCAL SERVICE.  DN=NTAUTHORITY.
EID:615 -- user:NT AUTHORITY\NETWORK SERVICE.  IPSec Services failed to initialize IKE module with error code.  IPSec could not be started.
EID:615 -- user:NT AUTHORITY\NETWORK SERVICE.  IPSec Services experienced critical failure.  The network connection was aborted by the local system.

2:37:23 APP EVENT EID:1800 -- Windows Security Center Service has started.

2:37:23 SYSTEM ERROR EID 7023:  Computer Dustyfoot event, IPSEC Services terminated, not supported for the type of object referenced.  (Dustyfoot is the laptop.  Is there some setting somewhere in my network that says Dustyfoot shouldn't control IPSEC services ... like perhaps my router should?)


After that things could very well be normal.  I'm a bit worried about the repeated logons by ANONYMOUS.  Approximately every 30 minutes after startup there is a 540-538 pair of SECURITY Success Audits.  The times from the 10/23/07 2:37 startup period of being online were:

3:04, 3:36, 4:08, 4:40, 5:12, 5:44, 6:16, 6:48, 7:05, 7:20, 7:52, 8:24, 8:45, 9:28

Once during the same time period there was a Guest logon and logoff from VIVIEN, another computer on the network.  Copy follows:

Event Type:      Success Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      680
Date:            10/23/2007
Time:            7:05:57 PM
User:            NT AUTHORITY\SYSTEM
Computer:      DUSTYFOOT
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:  Guest
 Source Workstation: VIVIEN
 Error Code: 0x0

Event Type:      Success Audit
Event Source:      Security
Event Category:      Privilege Use
Event ID:      576
Date:            10/23/2007
Time:            7:05:57 PM
User:            DUSTYFOOT\Guest
Computer:      DUSTYFOOT
Description:
Special privileges assigned to new logon:
       User Name:      
       Domain:            
       Logon ID:            (0x0,0x6486BF)
       Privileges:            SeChangeNotifyPrivilege

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            10/23/2007
Time:            7:05:57 PM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      DUSTYFOOT
Description:
Successful Network Logon:
       User Name:      
       Domain:            
       Logon ID:            (0x0,0x648704)
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      VIVIEN
       Logon GUID:      {00000000-0000-0000-0000-000000000000}

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            10/23/2007
Time:            7:05:57 PM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      DUSTYFOOT
Description:
Successful Network Logon:
       User Name:      
       Domain:            
       Logon ID:            (0x0,0x648704)
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      VIVIEN
       Logon GUID:      {00000000-0000-0000-0000-000000000000}





The APP EID:1517 I thought was cleared up yesterday is still there.  It's just it's a shutdown error, but it does say some program has not let go of Dustyfoot\carol and I'd like to clear that up.

Event Type:      Warning
Event Source:      Userenv
Event Category:      None
Event ID:      1517
Date:            10/23/2007
Time:            9:35:10 PM
User:            NT AUTHORITY\SYSTEM
Computer:      DUSTYFOOT
Description:
Windows saved user DUSTYFOOT\carol registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

 This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

What do you think?

Carol
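
An added example, not part of the original thread: a Python sketch that parses the Event Viewer text layout quoted in these posts, counts 528/576 pairs per account, and measures how long each 540/538 network logon lasts and how far apart they are per source workstation. The sample records are constructed from IDs, times and names posted in the thread, and all function names are my own.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

FOOTER = ("For more information, see Help and Support Center at "
          "http://go.microsoft.com/fwlink/events.asp.")
NETSVC = "NT AUTHORITY\\NETWORK SERVICE"
ANON = "NT AUTHORITY\\ANONYMOUS LOGON"

def _record(eid, time, user, logon_id, workstation=None):
    """Render one sample record in the text layout quoted in the thread."""
    lines = ["Event Type:      Success Audit", "Event Source:      Security",
             f"Event ID:      {eid}", "Date:            10/20/2007",
             f"Time:            {time}", f"User:            {user}",
             "Computer:      DUSTYFOOT", "Description:",
             f"       Logon ID:            (0x0,{logon_id})"]
    if workstation:
        lines.append(f"       Workstation Name:      {workstation}")
    return "\n".join(lines + ["", FOOTER, "", ""])

# Constructed sample input, built from values posted in the thread.
SAMPLE = "".join([
    _record(528, "9:55:19 PM", NETSVC, "0x3E4"),
    _record(576, "9:55:19 PM", NETSVC, "0x3E4"),
    _record(528, "9:55:37 PM", NETSVC, "0x3E4"),
    _record(576, "9:55:37 PM", NETSVC, "0x3E4"),
    _record(540, "10:23:39 PM", ANON, "0xF8E02", "VIVIEN"),
    _record(538, "10:23:49 PM", ANON, "0xF8E02"),
    _record(540, "10:55:40 PM", ANON, "0x12B3F1", "VIVIEN"),
    _record(538, "10:55:50 PM", ANON, "0x12B3F1"),
])

# "Key:   value" lines; the footer sentence contains a comma, so it never matches.
FIELD = re.compile(r"^\s*([A-Za-z /]+?):[ \t]*(.*?)\s*$")

def parse_events(text):
    """Split the export on 'Event Type:' and return one dict per record."""
    events = []
    for block in re.split(r"(?m)^(?=Event Type:)", text):
        fields = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                fields.setdefault(m.group(1), m.group(2))  # first occurrence wins
        if "Event ID" not in fields:
            continue  # text before the first record, or a malformed block
        fields["when"] = datetime.strptime(
            f"{fields['Date']} {fields['Time']}", "%m/%d/%Y %I:%M:%S %p")
        events.append(fields)
    return events

def logon_privilege_pairs(events):
    """Count 528 logons that have a 576 with the same user, Logon ID and time."""
    seen = defaultdict(set)
    for ev in events:
        if ev["Event ID"] in ("528", "576"):
            seen[(ev["User"], ev.get("Logon ID"), ev["when"])].add(ev["Event ID"])
    return Counter(user for (user, _, _), ids in seen.items()
                   if ids == {"528", "576"})

def network_logon_sessions(events):
    """Match each 540 (network logon) to its 538 (logoff) by Logon ID."""
    open_logons, sessions = {}, []
    for ev in events:
        logon_id = ev.get("Logon ID")
        if ev["Event ID"] == "540":
            open_logons[logon_id] = ev
        elif ev["Event ID"] == "538" and logon_id in open_logons:
            start = open_logons.pop(logon_id)
            sessions.append({
                "source": start.get("Workstation Name") or "(blank)",
                "user": start["User"],
                "start": start["when"],
                "seconds": (ev["when"] - start["when"]).total_seconds(),
            })
    return sessions

def logon_intervals(sessions):
    """Seconds between consecutive logons, grouped by (source, user)."""
    starts = defaultdict(list)
    for s in sessions:
        starts[(s["source"], s["user"])].append(s["start"])
    result = {}
    for key, times in starts.items():
        times.sort()
        result[key] = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return result

if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    print("528/576 pairs per account:", dict(logon_privilege_pairs(evs)))
    sess = network_logon_sessions(evs)
    print("session lengths (s):", [s["seconds"] for s in sess])
    print("gaps between logons (s):", logon_intervals(sess))
```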
Well, at least we have less to cope with. Now, we should find more out.... However, I must admit I'm straining. I'm focusing not on the security events but on the system stuff. Logon events from other PCs don't seem as relevant to performance of your startup.....

Hmmm. I wonder if anyone will chime in, since it's late.
I'm closing this because we never got any other bites.  Killing Find Fast did help, so you get points for that.  I ended up purchasing Fix-It and found there were lots of registry associations that had gotten de-linked.  There's no way, really, that you should have known that.  Thanks for trying.