Troubleshoot slow startup by looking at startup events
asked by savvycarol
My Vaio laptop has gotten extremely slow to start up. I'm prepared for a long and tedious process of working out all that could be involved. I've already run a virus scan (McAfee) and an anti-spyware program (Ad-Aware SE) and found nothing. XP Home edition, v5.1, SP2, build 2600
I'm asking for someone who knows in detail the MS Windows XP home edition startup to look at the following startup logs and let me know what, if anything, is abnormal and how to clean them up. I'd also like a few questionable items explained even if they're normal.
I'm particularly concerned by the number of times the security event combo 528/576 (successful login / special privileges assigned) occurs. One recent startup ran through those 2 steps 13 times. For Network Service (5), Local Service (6), my user login "carol" (1), Network Service-Anonymous Login (1). I also wonder what the 515 events for trusted login processes CHAP and SECONDARY LOGIN SERVICE are. Immediately after the second of those my IPSec fails to initialize the IKE module.
My trusted login process KSecDD has to have 3 separate 515 events (registered with LSA) during a single startup sequence. Why would that be?
Why are there 3 distinct attempts to log on NT Authority/Anonymous User spaced 30 minutes apart at the very end of the process? It appears to me there are days when this logon attempt (events 540/538) repeats about every 30 minutes the entire time my computer is on.
Why is there a per-user audit policy refresh (event 806) followed by a failed attempt to log on carol by the MS AUTHORIZATION PACKAGE, followed by the computer's attempt to log on carol? Should the computer be attempting the carol login first by any chance?
The following details from my event log start with all the warnings and errors in Apps and System. They are followed by a detailed list of security event logs.
Thanks, Carol
Only Application Warning on startup:
Event Type: Warning
Event Source: Userenv
Event Category: None
Event ID: 1517
Date: 10/20/2007
Time: 9:47:05 PM
User: NT AUTHORITY\SYSTEM
Computer: DUSTYFOOT
Description:
Windows saved user DUSTYFOOT\carol registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.
This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
First Security Errors on startup:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 10/20/2007
Time: 9:53:42 PM
User: NT AUTHORITY\SYSTEM
Computer: DUSTYFOOT
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: carol
Source Workstation: DUSTYFOOT
Error Code: 0xC000006A
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 10/20/2007
Time: 9:53:42 PM
User: NT AUTHORITY\SYSTEM
Computer: DUSTYFOOT
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: carol
Domain: DUSTYFOOT
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: DUSTYFOOT
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Second Security Errors on startup:
Event Type: Failure Audit
Event Source: Security
Event Category: Policy Change
Event ID: 615
Date: 10/20/2007
Time: 9:54:05 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: DUSTYFOOT
Description:
IPSec Services: IPSec Services failed to initialize IKE module with error code: The attempted operation is not supported for the type of object referenced.
. IPSec Services could not be started.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Failure Audit
Event Source: Security
Event Category: Policy Change
Event ID: 615
Date: 10/20/2007
Time: 9:54:05 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: DUSTYFOOT
Description:
IPSec Services: IPSec Services has experienced a critical failure and has shut down with error code: The network connection was aborted by the local system.
. Stopped IPSec Services can be a potential security hazard to the machine. Please contact your machine administrator to re-start the service.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Only System Error on startup:
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Date: 10/20/2007
Time: 9:54:09 PM
User: N/A
Computer: DUSTYFOOT
Description:
The IPSEC Services service terminated with the following error:
The attempted operation is not supported for the type of object referenced.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
END WARNINGS AND ERRORS
START COMPLETE LIST OF SECURITY INFORMATION EVENTS
First Security Success Audits:
Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 514
Date: 10/20/2007
Time: 9:53:36 PM
User: NT AUTHORITY\SYSTEM
Computer: DUSTYFOOT
Description:
An authentication package has been loaded by the Local Security Authority. This authentication package will be used to authenticate logon attempts.
Authentication Package Name: C:\WINDOWS\system32\LSASRV.dll : Negotiate
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Next Authentication Packages loaded by LSA:
Kerberos
NTLM
MS Unified Security Protocol Provider
Schannel
WDigest
MS Authentication Package V1.0
Then:
Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 515
Date: 10/20/2007
Time: 9:53:36 PM
User: NT AUTHORITY\SYSTEM
Computer: DUSTYFOOT
Description:
A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.
Logon Process Name: KSecDD
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Next Logon Processes registered by LSA:
Winlogon
Winlogon\MSGina
scecli (Notification Package loaded by SAM)
DCOMSCM (trusted logon processes)
**************************************************
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 10/20/2007
Time: 9:53:36 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: DUSTYFOOT
Description:
Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 10/20/2007
Time: 9:53:36 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: DUSTYFOOT
Description:
Special privileges assigned to new logon:
User Name:
Domain:
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 10/20/2007
Time: 9:53:37 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: DUSTYFOOT
Description:
Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 10/20/2007
Time: 9:53:37 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: DUSTYFOOT
Description:
Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 10/20/2007
Time: 9:53:37 PM
User: NT AUTHORITY\LOCAL SERVICE
Computer: DUSTYFOOT
Description:
Successful Logon:
User Name: LOCAL SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E5)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 10/20/2007
Time: 9:53:37 PM
User: NT AUTHORITY\LOCAL SERVICE
Computer: DUSTYFOOT
Description:
Special privileges assigned to new logon:
User Name:
Domain:
Logon ID: (0x0,0x3E5)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
**************************************************
Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 515
Date: 10/20/2007
Time: 9:53:38 PM
User: NT AUTHORITY\SYSTEM
Computer: DUSTYFOOT
Description:
A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.
Logon Process Name: CHAP
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
More trusted logon processes:
LAN Manager Workstation Service
KSecDD
Event Type: Success Audit
Event Source: Security
Event Category: Policy Change
Event ID: 806
Date: 10/20/2007
Time: 9:53:41 PM
User: NT AUTHORITY\SYSTEM
Computer: DUSTYFOOT
Description:
Per User Audit Policy was refreshed.
Number of elements: 0
Policy ID: (0x0,0x1104D)
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 10/20/2007
Time: 9:53:42 PM
User: NT AUTHORITY\SYSTEM
Computer: DUSTYFOOT
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: carol
Source Workstation: DUSTYFOOT
Error Code: 0xC000006A
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 10/20/2007
Time: 9:53:42 PM
User: NT AUTHORITY\SYSTEM
Computer: DUSTYFOOT
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: carol
Domain: DUSTYFOOT
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: DUSTYFOOT
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 10/20/2007
Time: 9:53:45 PM
User: NT AUTHORITY\SYSTEM
Computer: DUSTYFOOT
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: carol
Source Workstation: DUSTYFOOT
Error Code: 0x0
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
**************************************************
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 10/20/2007
Time: 9:53:45 PM
User: DUSTYFOOT\carol
Computer: DUSTYFOOT
Description:
Successful Logon:
User Name: carol
Domain: DUSTYFOOT
Logon ID: (0x0,0x11553)
Logon Type: 2
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: DUSTYFOOT
Logon GUID: {00000000-0000-0000-0000-000000000000}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 10/20/2007
Time: 9:53:45 PM
User: DUSTYFOOT\carol
Computer: DUSTYFOOT
Description:
Special privileges assigned to new logon:
User Name:
Domain:
Logon ID: (0x0,0x11553)
Privileges: SeChangeNotifyPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 10/20/2007
Time: 9:53:46 PM
User: NT AUTHORITY\LOCAL SERVICE
Computer: DUSTYFOOT
Description:
Successful Logon:
User Name: LOCAL SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E5)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 10/20/2007
Time: 9:53:46 PM
User: NT AUTHORITY\LOCAL SERVICE
Computer: DUSTYFOOT
Description:
Special privileges assigned to new logon:
User Name: LOCAL SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E5)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 10/20/2007
Time: 9:53:46 PM
User: NT AUTHORITY\LOCAL SERVICE
Computer: DUSTYFOOT
Description:
Successful Logon:
User Name: LOCAL SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E5)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 10/20/2007
Time: 9:53:46 PM
User: NT AUTHORITY\LOCAL SERVICE
Computer: DUSTYFOOT
Description:
Special privileges assigned to new logon:
User Name: LOCAL SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E5)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
**************************************************
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 10/20/2007
Time: 9:53:46 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: DUSTYFOOT
Description:
Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 10/20/2007
Time: 9:53:46 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: DUSTYFOOT
Description:
Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 10/20/2007
Time: 9:53:47 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DUSTYFOOT
Description:
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x16583)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 515
Date: 10/20/2007
Time: 9:54:01 PM
User: NT AUTHORITY\SYSTEM
Computer: DUSTYFOOT
Description:
A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.
Logon Process Name: Secondary Logon Service
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Failure Audit
Event Source: Security
Event Category: Policy Change
Event ID: 615
Date: 10/20/2007
Time: 9:54:05 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: DUSTYFOOT
Description:
IPSec Services: IPSec Services failed to initialize IKE module with error code: The attempted operation is not supported for the type of object referenced.
. IPSec Services could not be started.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Failure Audit
Event Source: Security
Event Category: Policy Change
Event ID: 615
Date: 10/20/2007
Time: 9:54:05 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: DUSTYFOOT
Description:
IPSec Services: IPSec Services failed to initialize IKE module with error code: The attempted operation is not supported for the type of object referenced.
. IPSec Services could not be started.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 10/20/2007
Time: 9:54:07 PM
User: NT AUTHORITY\LOCAL SERVICE
Computer: DUSTYFOOT
Description:
Successful Logon:
User Name: LOCAL SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E5)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 10/20/2007
Time: 9:54:07 PM
User: NT AUTHORITY\LOCAL SERVICE
Computer: DUSTYFOOT
Description:
Special privileges assigned to new logon:
User Name: LOCAL SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E5)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 10/20/2007
Time: 9:54:07 PM
User: NT AUTHORITY\LOCAL SERVICE
Computer: DUSTYFOOT
Description:
Special privileges assigned to new logon:
User Name: LOCAL SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E5)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 10/20/2007
Time: 9:55:01 PM
User: NT AUTHORITY\LOCAL SERVICE
Computer: DUSTYFOOT
Description:
Special privileges assigned to new logon:
User Name: LOCAL SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E5)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 10/20/2007
Time: 9:55:02 PM
User: NT AUTHORITY\LOCAL SERVICE
Computer: DUSTYFOOT
Description:
Successful Logon:
User Name: LOCAL SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E5)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 10/20/2007
Time: 9:55:02 PM
User: NT AUTHORITY\LOCAL SERVICE
Computer: DUSTYFOOT
Description:
Special privileges assigned to new logon:
User Name: LOCAL SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E5)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
**************************************************
Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 515
Date: 10/20/2007
Time: 9:55:02 PM
User: NT AUTHORITY\SYSTEM
Computer: DUSTYFOOT
Description:
A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.
Logon Process Name: RASMAN
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
**************************************************
Event Type: Success Audit
Event Source: Security
Event Category: Policy Change
Event ID: 848
Date: 10/20/2007
Time: 9:55:05 PM
User: NT AUTHORITY\SYSTEM
Computer: DUSTYFOOT
Description:
The following policy was active when the Windows Firewall started.
Group Policy applied: No
Profile used: Standard
Interface: All interfaces
Operational mode: Off
Services:
File and Printer Sharing: Enabled
Remote Desktop: Disabled
UPnP Framework: Enabled
Allow remote administration: Disabled
Allow unicast responses to multicast/broadcast traffic: Disabled
Security Logging:
Log dropped packets: Disabled
Log successful connections Disabled
ICMP:
Allow incoming echo request: Enabled
Allow incoming timestamp request: Disabled
Allow incoming mask request: Disabled
Allow incoming router request: Disabled
Allow outgoing destination unreachable: Disabled
Allow outgoing source quench: Disabled
Allow outgoing parameter problem: Disabled
Allow outgoing time exceeded: Disabled
Allow redirect: Disabled
Allow outgoing packet too big: Disabled
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Policy Change
Event ID: 849
Date: 10/20/2007
Time: 9:55:05 PM
User: NT AUTHORITY\SYSTEM
Computer: DUSTYFOOT
Description:
An application was listed as an exception when the Windows Firewall started.
Policy origin: Local Policy
Profile used: Standard
Name: McAfee Network Agent
Path: C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
State: Enabled
Scope: All subnets
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
More apps listed as exception to windows firewall:
Windows Messenger
SV_HTTpd
UPnpFramework
Remote Assistance
Alohabob PC Relocator
Skype
TurboTax
TurboTax Update Manager
NETBIOS Name Service
NETBIOS Datagram Service
NETBIOS Session Service
SMP over TCP
SSDP Component of UPnP Framework
UPnP Framework over TCP
Remote Desktop
Event Type: Success Audit
Event Source: Security
Event Category: Policy Change
Event ID: 848
Date: 10/20/2007
Time: 9:55:05 PM
User: NT AUTHORITY\SYSTEM
Computer: DUSTYFOOT
Description:
The following policy was active when the Windows Firewall started.
Group Policy applied: -
Profile used: -
Interface: -
Operational mode: Off
Services:
File and Printer Sharing: -
Remote Desktop: -
UPnP Framework: -
Allow remote administration: -
Allow unicast responses to multicast/broadcast traffic: -
Security Logging:
Log dropped packets: -
Log successful connections -
ICMP:
Allow incoming echo request: Disabled
Allow incoming timestamp request: Disabled
Allow incoming mask request: Disabled
Allow incoming router request: Disabled
Allow outgoing destination unreachable: Disabled
Allow outgoing source quench: Disabled
Allow outgoing parameter problem: Disabled
Allow outgoing time exceeded: Disabled
Allow redirect: Disabled
Allow outgoing packet too big: Disabled
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
**************************************************
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 10/20/2007
Time: 9:55:13 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: DUSTYFOOT
Description:
Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 10/20/2007
Time: 9:55:13 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: DUSTYFOOT
Description:
Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 10/20/2007
Time: 9:55:19 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: DUSTYFOOT
Description:
Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 10/20/2007
Time: 9:55:19 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: DUSTYFOOT
Description:
Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 515
Date: 10/20/2007
Time: 9:55:22 PM
User: NT AUTHORITY\SYSTEM
Computer: DUSTYFOOT
Description:
A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.
Logon Process Name: KSecDD
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 10/20/2007
Time: 9:55:37 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: DUSTYFOOT
Description:
Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 10/20/2007
Time: 9:55:37 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: DUSTYFOOT
Description:
Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 10/20/2007
Time: 10:23:39 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DUSTYFOOT
Description:
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0xF8E02)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: VIVIEN
Logon GUID: {00000000-0000-0000-0000-000000000000}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 10/20/2007
Time: 10:23:49 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DUSTYFOOT
Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0xF8E02)
Logon Type: 3
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 10/20/2007
Time: 10:55:40 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DUSTYFOOT
Description:
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x12B3F1)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: VIVIEN
Logon GUID: {00000000-0000-0000-0000-000000000000}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 10/20/2007
Time: 10:55:50 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DUSTYFOOT
Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x12B3F1)
Logon Type: 3
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
**************************************************
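As an added example that is not part of Carol's post: a small Python parser for the "Event Type: / Event ID: / Description:" record layout pasted above, which counts the 528/576 pairs per account (her first question) and measures the spacing of the ANONYMOUS LOGON 540/538 pairs (her second). The sample records are constructed to mirror the posted ones (DUSTYFOOT, VIVIEN, the same Logon IDs) and are not the full log.

```python
"""Parser for the XP Security log records pasted above ('Event Type: ... Description: ...').
It counts the 528/576 logon pairs per account and measures the spacing of the
ANONYMOUS LOGON 540/538 pairs. SAMPLE_LOG is constructed to mirror the posted records."""
import re
from collections import Counter
from datetime import datetime

HEADER_RE = re.compile(
    r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$")

def parse_events(text):
    """One dict per record: header fields keyed by label, description lines in
    'desc', and every 'Key: value' pair inside the description lifted into the dict."""
    events, cur, in_desc = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Event Type:"):
            cur, in_desc = {"desc": []}, False
            events.append(cur)
        if cur is None or not line or line.startswith("For more information"):
            continue
        if line == "Description:":
            in_desc = True
        elif in_desc:
            cur["desc"].append(line)
            if ":" in line:  # e.g. 'Logon ID: (0x0,0x3E4)', 'Workstation Name:' (blank)
                key, value = line.split(":", 1)
                cur.setdefault(key.strip(), value.strip())
        else:
            m = HEADER_RE.match(line)
            if m:
                cur[m.group(1)] = m.group(2)
    for ev in events:
        ev["id"] = int(ev["Event ID"])
        ev["when"] = datetime.strptime(ev["Date"] + " " + ev["Time"], "%m/%d/%Y %I:%M:%S %p")
    return events

def logon_pairs(events):
    """Per 'User:' account, count 528 events directly followed by a 576 with the same Logon ID."""
    pairs = Counter()
    for a, b in zip(events, events[1:]):
        if (a["id"], b["id"]) == (528, 576) and a.get("Logon ID") == b.get("Logon ID"):
            pairs[a["User"]] += 1
    return pairs

def anonymous_network_logons(events):
    """(start, workstation, seconds until the matching 538 logoff or None) per anonymous 540."""
    logoffs = {e.get("Logon ID"): e["when"] for e in events if e["id"] == 538}
    out = []
    for e in events:
        if e["id"] == 540 and e["User"].endswith("ANONYMOUS LOGON"):
            end = logoffs.get(e.get("Logon ID"))
            seconds = (end - e["when"]).total_seconds() if end else None
            out.append((e["when"], e.get("Workstation Name", ""), seconds))
    return out

def recurrence_minutes(logons):
    """Gaps in minutes between successive anonymous logons; a steady ~30 is the pattern asked about."""
    starts = [t for t, _, _ in logons]
    return [round((b - a).total_seconds() / 60, 1) for a, b in zip(starts, starts[1:])]

def _rec(eid, category, time, user, desc):
    """One constructed record in the exact layout of the posted log."""
    return (f"Event Type: Success Audit\nEvent Source: Security\nEvent Category: {category}\n"
            f"Event ID: {eid}\nDate: 10/20/2007\nTime: {time}\nUser: {user}\nComputer: DUSTYFOOT\n"
            f"Description:\n{desc}\nFor more information, see Help and Support Center at "
            "http://go.microsoft.com/fwlink/events.asp.\n")

def _net(logon_id, workstation):  # body of a 540: NTLM network logon by the anonymous account
    return ("Successful Network Logon:\nUser Name:\nDomain:\nLogon ID: " + logon_id +
            "\nLogon Type: 3\nLogon Process: NtLmSsp\nAuthentication Package: NTLM\n"
            "Workstation Name: " + workstation)

def _off(logon_id):  # body of the 538 logoff that closes a 540 session
    return "User Logoff:\nUser Name: ANONYMOUS LOGON\nLogon ID: " + logon_id + "\nLogon Type: 3"

ANON_USER = r"NT AUTHORITY\ANONYMOUS LOGON"
SAMPLE_LOG = "".join([  # constructed; mirrors the posted records, not the full log
    _rec(528, "Logon/Logoff", "9:53:36 PM", r"NT AUTHORITY\NETWORK SERVICE",
         "Successful Logon:\nUser Name: NETWORK SERVICE\nDomain: NT AUTHORITY\n"
         "Logon ID: (0x0,0x3E4)\nLogon Type: 5\nLogon Process: Advapi\nWorkstation Name:"),
    _rec(576, "Privilege Use", "9:53:36 PM", r"NT AUTHORITY\NETWORK SERVICE",
         "Special privileges assigned to new logon:\nUser Name:\nDomain:\n"
         "Logon ID: (0x0,0x3E4)\nPrivileges: SeAuditPrivilege\nSeChangeNotifyPrivilege"),
    _rec(528, "Logon/Logoff", "9:53:45 PM", r"DUSTYFOOT\carol",
         "Successful Logon:\nUser Name: carol\nDomain: DUSTYFOOT\nLogon ID: (0x0,0x11553)\n"
         "Logon Type: 2\nLogon Process: User32\nWorkstation Name: DUSTYFOOT"),
    _rec(576, "Privilege Use", "9:53:45 PM", r"DUSTYFOOT\carol",
         "Special privileges assigned to new logon:\nUser Name:\nDomain:\n"
         "Logon ID: (0x0,0x11553)\nPrivileges: SeChangeNotifyPrivilege\nSeBackupPrivilege"),
    _rec(540, "Logon/Logoff", "9:53:47 PM", ANON_USER, _net("(0x0,0x16583)", "")),
    _rec(540, "Logon/Logoff", "10:23:39 PM", ANON_USER, _net("(0x0,0xF8E02)", "VIVIEN")),
    _rec(538, "Logon/Logoff", "10:23:49 PM", ANON_USER, _off("(0x0,0xF8E02)")),
    _rec(540, "Logon/Logoff", "10:55:40 PM", ANON_USER, _net("(0x0,0x12B3F1)", "VIVIEN")),
    _rec(538, "Logon/Logoff", "10:55:50 PM", ANON_USER, _off("(0x0,0x12B3F1)")),
])
```

On a real export, a gap that stays near 30 minutes together with a constant Workstation Name (VIVIEN in the posted log) points at a periodic NTLM network logon from that neighbouring machine rather than at a process on the laptop, which is the first thing to check.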
Event ID: 7023
Date: 10/20/2007
Time: 9:54:09 PM
User: N/A
Computer: DUSTYFOOT
Description:
The IPSEC Services service terminated with the following error:
The attempted operation is not supported for the type of object referenced.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
END WARNINGS AND ERRORS
START COMPLETE LIST OF SECURITY INFORMATION EVENTS
First Security Success Audits:
Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 514
Date: 10/20/2007
Time: 9:53:36 PM
User: NT AUTHORITY\SYSTEM
Computer: DUSTYFOOT
Description:
An authentication package has been loaded by the Local Security Authority. This authentication package will be used to authenticate logon attempts.
Authentication Package Name: C:\WINDOWS\system32\LSASRV
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Next Authentication Packages loaded by LSA:
Kerberos
NTLM
MS Unified Security Protocol Provider
Schannel
WDigest
MS Authentication Package V1.0
Then:
Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 515
Date: 10/20/2007
Time: 9:53:36 PM
User: NT AUTHORITY\SYSTEM
Computer: DUSTYFOOT
Description:
A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.
Logon Process Name: KSecDD
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Next Logon Processes registered by LSA:
Winlogon
Winlogon\MSGina
scecli (Notification Package loaded by SAM)
DCOMSCM (trusted logon processes)
**************************
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 10/20/2007
Time: 9:53:36 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: DUSTYFOOT
Description:
Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-0
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 10/20/2007
Time: 9:53:36 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: DUSTYFOOT
Description:
Special privileges assigned to new logon:
User Name:
Domain:
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivil
SeChangeNotifyPrivilege
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 10/20/2007
Time: 9:53:37 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: DUSTYFOOT
Description:
Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-0
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 10/20/2007
Time: 9:53:37 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: DUSTYFOOT
Description:
Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivil
SeChangeNotifyPrivilege
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 10/20/2007
Time: 9:53:37 PM
User: NT AUTHORITY\LOCAL SERVICE
Computer: DUSTYFOOT
Description:
Successful Logon:
User Name: LOCAL SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E5)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-0
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 10/20/2007
Time: 9:53:37 PM
User: NT AUTHORITY\LOCAL SERVICE
Computer: DUSTYFOOT
Description:
Special privileges assigned to new logon:
User Name:
Domain:
Logon ID: (0x0,0x3E5)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivil
SeChangeNotifyPrivilege
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
**************************
Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 515
Date: 10/20/2007
Time: 9:53:38 PM
User: NT AUTHORITY\SYSTEM
Computer: DUSTYFOOT
Description:
A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.
Logon Process Name: CHAP
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
More trusted logon processes:
LAN Manager Workstation Service
KSecDD
Event Type: Success Audit
Event Source: Security
Event Category: Policy Change
Event ID: 806
Date: 10/20/2007
Time: 9:53:41 PM
User: NT AUTHORITY\SYSTEM
Computer: DUSTYFOOT
Description:
Per User Audit Policy was refreshed.
Number of elements: 0
Policy ID: (0x0,0x1104D)
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 10/20/2007
Time: 9:53:42 PM
User: NT AUTHORITY\SYSTEM
Computer: DUSTYFOOT
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_P
Logon account: carol
Source Workstation: DUSTYFOOT
Error Code: 0xC000006A
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 10/20/2007
Time: 9:53:42 PM
User: NT AUTHORITY\SYSTEM
Computer: DUSTYFOOT
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: carol
Domain: DUSTYFOOT
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: DUSTYFOOT
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 10/20/2007
Time: 9:53:45 PM
User: NT AUTHORITY\SYSTEM
Computer: DUSTYFOOT
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_P
Logon account: carol
Source Workstation: DUSTYFOOT
Error Code: 0x0
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
**************************
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 10/20/2007
Time: 9:53:45 PM
User: DUSTYFOOT\carol
Computer: DUSTYFOOT
Description:
Successful Logon:
User Name: carol
Domain: DUSTYFOOT
Logon ID: (0x0,0x11553)
Logon Type: 2
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: DUSTYFOOT
Logon GUID: {00000000-0000-0000-0000-0
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 10/20/2007
Time: 9:53:45 PM
User: DUSTYFOOT\carol
Computer: DUSTYFOOT
Description:
Special privileges assigned to new logon:
User Name:
Domain:
Logon ID: (0x0,0x11553)
Privileges: SeChangeNotifyPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 10/20/2007
Time: 9:53:46 PM
User: NT AUTHORITY\LOCAL SERVICE
Computer: DUSTYFOOT
Description:
Successful Logon:
User Name: LOCAL SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E5)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-0
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 10/20/2007
Time: 9:53:46 PM
User: NT AUTHORITY\LOCAL SERVICE
Computer: DUSTYFOOT
Description:
Special privileges assigned to new logon:
User Name: LOCAL SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E5)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivil
SeChangeNotifyPrivilege
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 10/20/2007
Time: 9:53:46 PM
User: NT AUTHORITY\LOCAL SERVICE
Computer: DUSTYFOOT
Description:
Successful Logon:
User Name: LOCAL SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E5)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-0
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 10/20/2007
Time: 9:53:46 PM
User: NT AUTHORITY\LOCAL SERVICE
Computer: DUSTYFOOT
Description:
Special privileges assigned to new logon:
User Name: LOCAL SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E5)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivil
SeChangeNotifyPrivilege
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
**************************
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 10/20/2007
Time: 9:53:46 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: DUSTYFOOT
Description:
Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-0
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 10/20/2007
Time: 9:53:46 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: DUSTYFOOT
Description:
Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivil
SeChangeNotifyPrivilege
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 10/20/2007
Time: 9:53:47 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DUSTYFOOT
Description:
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x16583)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-0
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 515
Date: 10/20/2007
Time: 9:54:01 PM
User: NT AUTHORITY\SYSTEM
Computer: DUSTYFOOT
Description:
A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.
Logon Process Name: Secondary Logon Service
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Failure Audit
Event Source: Security
Event Category: Policy Change
Event ID: 615
Date: 10/20/2007
Time: 9:54:05 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: DUSTYFOOT
Description:
IPSec Services: IPSec Services failed to initialize IKE module with error code: The attempted operation is not supported for the type of object referenced.
. IPSec Services could not be started.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Failure Audit
Event Source: Security
Event Category: Policy Change
Event ID: 615
Date: 10/20/2007
Time: 9:54:05 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: DUSTYFOOT
Description:
IPSec Services: IPSec Services failed to initialize IKE module with error code: The attempted operation is not supported for the type of object referenced.
. IPSec Services could not be started.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 10/20/2007
Time: 9:54:07 PM
User: NT AUTHORITY\LOCAL SERVICE
Computer: DUSTYFOOT
Description:
Successful Logon:
User Name: LOCAL SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E5)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-0
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 10/20/2007
Time: 9:54:07 PM
User: NT AUTHORITY\LOCAL SERVICE
Computer: DUSTYFOOT
Description:
Special privileges assigned to new logon:
User Name: LOCAL SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E5)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivil
SeChangeNotifyPrivilege
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 10/20/2007
Time: 9:54:07 PM
User: NT AUTHORITY\LOCAL SERVICE
Computer: DUSTYFOOT
Description:
Special privileges assigned to new logon:
User Name: LOCAL SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E5)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivil
SeChangeNotifyPrivilege
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 10/20/2007
Time: 9:55:01 PM
User: NT AUTHORITY\LOCAL SERVICE
Computer: DUSTYFOOT
Description:
Special privileges assigned to new logon:
User Name: LOCAL SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E5)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivil
SeChangeNotifyPrivilege
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 10/20/2007
Time: 9:55:02 PM
User: NT AUTHORITY\LOCAL SERVICE
Computer: DUSTYFOOT
Description:
Successful Logon:
User Name: LOCAL SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E5)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-0
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 10/20/2007
Time: 9:55:02 PM
User: NT AUTHORITY\LOCAL SERVICE
Computer: DUSTYFOOT
Description:
Special privileges assigned to new logon:
User Name: LOCAL SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E5)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivil
SeChangeNotifyPrivilege
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
**************************
Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 515
Date: 10/20/2007
Time: 9:55:02 PM
User: NT AUTHORITY\SYSTEM
Computer: DUSTYFOOT
Description:
A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.
Logon Process Name: RASMAN
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
**************************
Event Type: Success Audit
Event Source: Security
Event Category: Policy Change
Event ID: 848
Date: 10/20/2007
Time: 9:55:05 PM
User: NT AUTHORITY\SYSTEM
Computer: DUSTYFOOT
Description:
The following policy was active when the Windows Firewall started.
Group Policy applied: No
Profile used: Standard
Interface: All interfaces
Operational mode: Off
Services:
File and Printer Sharing: Enabled
Remote Desktop: Disabled
UPnP Framework: Enabled
Allow remote administration: Disabled
Allow unicast responses to multicast/broadcast traffic: Disabled
Security Logging:
Log dropped packets: Disabled
Log successful connections Disabled
ICMP:
Allow incoming echo request: Enabled
Allow incoming timestamp request: Disabled
Allow incoming mask request: Disabled
Allow incoming router request: Disabled
Allow outgoing destination unreachable: Disabled
Allow outgoing source quench: Disabled
Allow outgoing parameter problem: Disabled
Allow outgoing time exceeded: Disabled
Allow redirect: Disabled
Allow outgoing packet too big: Disabled
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Policy Change
Event ID: 849
Date: 10/20/2007
Time: 9:55:05 PM
User: NT AUTHORITY\SYSTEM
Computer: DUSTYFOOT
Description:
An application was listed as an exception when the Windows Firewall started.
Policy origin: Local Policy
Profile used: Standard
Name: McAfee Network Agent
Path: C:\Program Files\Common Files\McAfee\MNA\McNASvc.e
State: Enabled
Scope: All subnets
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
More apps listed as exceptions to Windows Firewall:
Windows Messenger
SV_HTTpd
UPnpFramework
Remote Assistance
Alohabob PC Relocator
Skype
TurboTax
TurboTax Update Manager
NETBIOS Name Service
NETBIOS Datagram Service
NETBIOS Session Service
SMP over TCP
SSDP Component of UPnP Framework
UPnP Framework over TCP
Remote Desktop
Event Type: Success Audit
Event Source: Security
Event Category: Policy Change
Event ID: 848
Date: 10/20/2007
Time: 9:55:05 PM
User: NT AUTHORITY\SYSTEM
Computer: DUSTYFOOT
Description:
The following policy was active when the Windows Firewall started.
Group Policy applied: -
Profile used: -
Interface: -
Operational mode: Off
Services:
File and Printer Sharing: -
Remote Desktop: -
UPnP Framework: -
Allow remote administration: -
Allow unicast responses to multicast/broadcast traffic: -
Security Logging:
Log dropped packets: -
Log successful connections -
ICMP:
Allow incoming echo request: Disabled
Allow incoming timestamp request: Disabled
Allow incoming mask request: Disabled
Allow incoming router request: Disabled
Allow outgoing destination unreachable: Disabled
Allow outgoing source quench: Disabled
Allow outgoing parameter problem: Disabled
Allow outgoing time exceeded: Disabled
Allow redirect: Disabled
Allow outgoing packet too big: Disabled
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
**************************
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 10/20/2007
Time: 9:55:13 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: DUSTYFOOT
Description:
Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-0
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 10/20/2007
Time: 9:55:13 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: DUSTYFOOT
Description:
Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivil
SeChangeNotifyPrivilege
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 10/20/2007
Time: 9:55:19 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: DUSTYFOOT
Description:
Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-0
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 10/20/2007
Time: 9:55:19 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: DUSTYFOOT
Description:
Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivil
SeChangeNotifyPrivilege
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 515
Date: 10/20/2007
Time: 9:55:22 PM
User: NT AUTHORITY\SYSTEM
Computer: DUSTYFOOT
Description:
A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.
Logon Process Name: KSecDD
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 10/20/2007
Time: 9:55:37 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: DUSTYFOOT
Description:
Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-0
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 10/20/2007
Time: 9:55:37 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: DUSTYFOOT
Description:
Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivil
SeChangeNotifyPrivilege
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 10/20/2007
Time: 10:23:39 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DUSTYFOOT
Description:
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0xF8E02)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: VIVIEN
Logon GUID: {00000000-0000-0000-0000-0
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 10/20/2007
Time: 10:23:49 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DUSTYFOOT
Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0xF8E02)
Logon Type: 3
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 10/20/2007
Time: 10:55:40 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DUSTYFOOT
Description:
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x12B3F1)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: VIVIEN
Logon GUID: {00000000-0000-0000-0000-0
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 10/20/2007
Time: 10:55:50 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DUSTYFOOT
Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x12B3F1)
Logon Type: 3
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
**************************
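An added example, not code from the thread: a small Python parser for the Event Viewer text layout pasted above, which turns the questions in the post into counts instead of eyeballing them. It reports how many 528 logons each account produced, which 576 "special privileges" records have no 528 for the same Logon ID (a process re-acquiring privileges on the long-lived service session rather than a new logon), the cadence and source workstation of the 540 ANONYMOUS LOGON events, and every Failure Audit with its error. The sample records it runs on are constructed in the same layout as the dump, not the real log, and the 5-second pairing window for 528/576 is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

HEADER_KEYS = {"Event Type", "Event Source", "Event Category", "Event ID",
               "Date", "Time", "User", "Computer"}
BODY_KEYS = {"User Name", "Domain", "Logon ID", "Logon Type", "Logon Process",
             "Workstation Name", "Error Code", "Reason", "Logon account"}
FOOTER = "For more information, see Help and Support Center"

def parse_events(text):
    """Split a pasted dump on 'Event Type:' lines; one dict per record with the
    header fields and the recognised 'Key: value' Description lines flattened in."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        if not chunk.startswith("Event Type:"):
            continue                      # free text typed between records
        rec, in_body = {"description": []}, False
        for line in map(str.strip, chunk.splitlines()):
            if not line or line.startswith(FOOTER):
                continue
            if line == "Description:":
                in_body = True
                continue
            key, sep, value = (s.strip() for s in line.partition(":"))
            if in_body:
                rec["description"].append(line)
            if sep and key in (BODY_KEYS if in_body else HEADER_KEYS):
                rec[key] = value
        rec["Event ID"] = int(rec["Event ID"])
        rec["when"] = datetime.strptime(f"{rec['Date']} {rec['Time']}",
                                        "%m/%d/%Y %I:%M:%S %p")
        events.append(rec)
    return events

def logons_by_account(events):
    """How many 528 (successful logon) records each account produced."""
    return Counter(e["User"] for e in events if e["Event ID"] == 528)

def orphan_privilege_events(events):
    """576 records with no 528 for the same Logon ID within 5 s (assumed window).
    Service accounts keep one Logon ID (0x3E4 / 0x3E5) for the whole boot, so a
    bare 576 is a process re-acquiring privileges on that session, not a new logon."""
    logons = [(e["Logon ID"], e["when"]) for e in events if e["Event ID"] == 528]
    return [e for e in events if e["Event ID"] == 576 and not any(
        lid == e.get("Logon ID") and abs((t - e["when"]).total_seconds()) <= 5
        for lid, t in logons)]

def anonymous_logon_intervals(events):
    """Minutes between consecutive 540 network logons by ANONYMOUS LOGON, plus the
    workstations they came from: a steady cadence from one name points at a
    scheduled job or a neighbouring machine polling shares, not a person."""
    anon = sorted((e for e in events if e["Event ID"] == 540
                   and "ANONYMOUS" in e["User"]), key=lambda e: e["when"])
    gaps = [round((b["when"] - a["when"]).total_seconds() / 60, 1)
            for a, b in zip(anon, anon[1:])]
    return gaps, sorted({e.get("Workstation Name", "") for e in anon})

def failure_audits(events):
    """(Event ID, account, error) for every Failure Audit, in log order."""
    return [(e["Event ID"],
             e.get("Logon account") or e.get("User Name") or e["User"],
             e.get("Error Code") or e.get("Reason") or e["description"][0])
            for e in events if e["Event Type"] == "Failure Audit"]

def _rec(etype, eid, time, user, body):
    # One record in Event Viewer's text layout; constructed sample data, not the real log.
    return (f"Event Type: {etype}\nEvent Source: Security\nEvent ID: {eid}\n"
            f"Date: 10/20/2007\nTime: {time}\nUser: {user}\nComputer: DUSTYFOOT\n"
            f"Description:\n{body}\n{FOOTER} at http://go.microsoft.com/fwlink/events.asp.\n")

SAMPLE = "".join([
    _rec("Success Audit", 528, "9:53:36 PM", "NT AUTHORITY\\NETWORK SERVICE",
         "Successful Logon:\nLogon ID: (0x0,0x3E4)\nLogon Type: 5"),
    _rec("Success Audit", 576, "9:53:36 PM", "NT AUTHORITY\\NETWORK SERVICE",
         "Special privileges assigned to new logon:\nLogon ID: (0x0,0x3E4)"),
    _rec("Failure Audit", 680, "9:53:42 PM", "NT AUTHORITY\\SYSTEM",
         "Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\nLogon account: carol\nError Code: 0xC000006A"),
    _rec("Failure Audit", 529, "9:53:42 PM", "NT AUTHORITY\\SYSTEM",
         "Logon Failure:\nReason: Unknown user name or bad password\nUser Name: carol"),
    _rec("Success Audit", 528, "9:53:45 PM", "DUSTYFOOT\\carol",
         "Successful Logon:\nLogon ID: (0x0,0x11553)\nLogon Type: 2"),
    _rec("Success Audit", 576, "9:53:45 PM", "DUSTYFOOT\\carol",
         "Special privileges assigned to new logon:\nLogon ID: (0x0,0x11553)"),
    _rec("Success Audit", 576, "9:55:01 PM", "NT AUTHORITY\\LOCAL SERVICE",
         "Special privileges assigned to new logon:\nLogon ID: (0x0,0x3E5)"),
    _rec("Success Audit", 540, "10:23:39 PM", "NT AUTHORITY\\ANONYMOUS LOGON",
         "Successful Network Logon:\nLogon Type: 3\nWorkstation Name: VIVIEN"),
    _rec("Success Audit", 540, "10:55:40 PM", "NT AUTHORITY\\ANONYMOUS LOGON",
         "Successful Network Logon:\nLogon Type: 3\nWorkstation Name: VIVIEN"),
])
EVENTS = parse_events(SAMPLE)

if __name__ == "__main__":
    print("528 logons per account:", dict(logons_by_account(EVENTS)))
    print("576 without a matching 528:", [e["Time"] for e in orphan_privilege_events(EVENTS)])
    print("ANONYMOUS LOGON cadence (min) and sources:", anonymous_logon_intervals(EVENTS))
    print("failure audits:", failure_audits(EVENTS))
```

On a real dump, pass the saved Event Viewer text straight to parse_events; the headings typed between records ("Then:", "First Security Success Audits:") are skipped because they do not start a record. The parser keys only on short field names because the forum rendering truncates long values (the cut-off privilege names above), and it does not try to repair them.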
Curious, are you running VPN client software on this box?
ASKER
Possibly, how can I confirm? I think I have it with my Venturi Client, which allows me to connect to the Internet via my cell phone by plugging my cell phone into my laptop with a certain connector from Verizon. I haven't used this in over a year.
I could also have something like that with the VAIO software that came with the product. I know there are options to let VAIO tech support get at my computer ... something I'd rather not have since I'd never call them at this point. I think I tried to remove this once with bad results.
I could also have something like that pertaining to access to my work network from home. All processed through MS Outlook. Don't know any more than that.
It seems to me that you do have something like that running. IPSEC and IKE errors are specifically related to VPN activity. My first hunch, without having delved into this further, is that you have McAfee and the firewall going, both probably interfering with a VPN client. Something is trying to start, and it is not happy.
My suggestion is to disable McAfee from starting up, and try this again (reboot) to see what happens; you can re-enable it later. My concern is that McAfee is blocking the other program.
Then if it still behaves this way, turn off the Windows Firewall, and try rebooting again.
Eliminate the variables. Then we can really figure out what program is causing this.
ASKER
Disabling McAfee removes the only Application Error on startup (Event 1517: Windows saved user DUSTYFOOT\carol registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.) It does not appear to affect anything else.
I still have a series of 13 528/576 event pairs. I still have the same Security Failure Audits. My KSecDD still registers with the LSA 3 times every startup. And I still have the only System Error on startup:
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Date: 10/22/2007
Time: 10:26:27 PM
User: N/A
Computer: DUSTYFOOT
Description:
The IPSEC Services service terminated with the following error:
The attempted operation is not supported for the type of object referenced.
Carol
ASKER
My Windows Firewall is turned off and was turned off when I ran the above logs. Why then did I get an EID 848 "Policies active when Windows Firewall started"?????
Can you list the Add/Remove Programs entries? Maybe a post of the log from HijackThis would detail all the processes starting up.
http://www.majorgeeks.com/download5554.html
Thanks
ASKER
My startup list follows. FYI, I'm no longer using the following and tried to uninstall them, or at least to remove them from here: Skype, Musicmatch. ALSO, the "Find Fast" popup window starts up every time I start my computer, and this began a few months ago, right around the time things seemed to start to slow down. I never thought I did anything to cause the "Find Fast" window to open at startup.
Carol
StartupList report, 10/23/2007, 2:42:01 PM
StartupList version: 1.52.2
Started from : D:\Program Files\HiJack This\HiJackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Showing rarely important sections
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Quicken Online Backup\AgentSrv.EXE
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
D:\Program Files\iPod\Bin\iPodWatcher.exe
C:\Program Files\Venturi2\Configurator\ventcfg.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\SiteAdvisor\6021\SiteAdv.exe
D:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Apoint\Apntex.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Venturi2\Client\ventc.exe
D:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
D:\Program Files\Microsoft Office\Office\FINDFAST.EXE
d:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\PerSono\perstray.exe
C:\Program Files\ScanSoft\NaturallySpeaking8\Program\natspeak.exe
D:\Program Files\iPod\Bin\iPodSrv.exe
D:\Program Files\Microsoft Office\Office\OSA.EXE
d:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Webshots.scr
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Program Files\HiJack This\HiJackThis.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\carol\Start Menu\Programs\Startup]
Dragon NaturallySpeaking.lnk = C:\Program Files\ScanSoft\NaturallySpeaking8\Program\natspeak.exe
Microsoft Find Fast.lnk = D:\Program Files\Microsoft Office\Office\FINDFAST.EXE
Office Startup.lnk = D:\Program Files\Microsoft Office\Office\OSA.EXE
Webshots.lnk = D:\Program Files\Webshots\Launcher.exe
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Microsoft Find Fast.lnk = D:\Program Files\Microsoft Office\Office\FINDFAST.EXE
Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
Perstray.lnk = ?
Quicken Online Backup TaskBar Icon.LNK = C:\Program Files\Quicken Online Backup\CBSysTray.exe
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Apoint = C:\Program Files\Apoint\Apoint.exe
ATIModeChange = Ati2mdxx.exe
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
Mouse Suite 98 Daemon = ICO.EXE
BluetoothAuthenticationAgent = rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
SonyPowerCfg = C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
HKSERV.EXE = C:\Program Files\Sony\HotKey Utility\HKserv.exe
ISBMgr.exe = C:\Program Files\Sony\ISB Utility\ISBMgr.exe
VAIO Update 2 = "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
ezShieldProtector for Px = C:\WINDOWS\System32\ezSP_Px.exe
VAIO Recovery = C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
Microsoft IntelliType Pro = "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
POINTER = point32.exe
ADUserMon = C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
HPDJ Taskbar Utility = C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
iPodWatcher = D:\Program Files\iPod\Bin\iPodWatcher.exe
MimBoot = d:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
Venturi Configurator = C:\Program Files\Venturi2\Configurator\ventcfg.exe
SSBkgdUpdate = C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
RCScheduleCheck = C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
SiteAdvisor = C:\Program Files\SiteAdvisor\6021\SiteAdv.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Skype = "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
swg = C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP
[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe
[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\Webshots.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll - {089FD14D-132B-48FC-8861-0048AE113215}
scriptproxy - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll - {7DB2D5A0-7241-4E79-B68D-6309F01C5231}
(no name) - c:\program files\google\googletoolbar3.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
--------------------------------------------------
Enumerating Task Scheduler jobs:
McDefragTask.job
McQcTask.job
--------------------------------------------------
Enumerating Download Program Files:
[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\macromed\Director\SwDir.dll
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dll
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204
[Talisma NetAgent Customer ActiveX Control version 3]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\custappx3.dll
CODEBASE = https://quicken.ehosts.net/netagent/objects/custappx3.cab
[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
[Webshots Multiple Media Uploader - Container]
InProcServer32 = C:\WINDOWS\DOWNLO~1\WSAXCO~1.OCX
CODEBASE = http://community.webshots.com/html/atx/wsaxcontrol.cab
[CPlayFirstTriJinxControl Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55.dll
CODEBASE = http://download.games.yahoo.com/games/web_games/playfirst/trijinx/TriJinx.1.0.0.55.cab
[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc3.cab
[Jigsaw Genius Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\jigsaw.ocx
CODEBASE = http://www.worldwinner.com/games/v42/jigsaw/jigsaw.cab
[McAfee.com Operating System Class]
InProcServer32 = C:\WINDOWS\system32\mcinsctl.dll
CODEBASE = http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
[Blockwerx Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\BLOCKW~1.OCX
CODEBASE = http://www.worldwinner.com/games/v47/blockwerx/blockwerx.cab
[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1112749910175
[Wwlaunch Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\wwlaunch.ocx
CODEBASE = http://www.worldwinner.com/games/shared/wwlaunch.cab
[Get_ActiveX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\HPGETD~1.OCX
CODEBASE = https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
[SwapIt Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\swapit.ocx
CODEBASE = http://www.worldwinner.com/games/v61/swapit/swapit.cab
[Tile City Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\tilecity.ocx
CODEBASE = http://www.worldwinner.com/games/v41/tilecity/tilecity.cab
[DwnldGroupMgr Class]
InProcServer32 = C:\WINDOWS\system32\mcgdmgr.dll
CODEBASE = http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
[TikGames Online Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\gpcontrol.dll
CODEBASE = http://download.games.yahoo.com/games/web_games/tikgames/pandacraze/gpcontrol.cab
--------------------------------------------------
Enumerating Winsock LSP files:
NameSpace #4: C:\WINDOWS\system32\wshbth.dll
--------------------------------------------------
Enumerating Windows NT/2000/XP services
Connected Agent Service: C:\Program Files\Quicken Online Backup\AgentSrv.EXE -asv (autostart)
Ati HotKey Poller: %SystemRoot%\System32\Ati2evxx.exe (autostart)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
McAfee HackerWatch Service: "C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe" (autostart)
McAfee Services: C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (autostart)
McAfee Network Agent: "c:\program files\common files\mcafee\mna\mcnasvc.exe" (autostart)
McAfee Scanner: C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe (autostart)
McAfee Protection Manager: C:\PROGRA~1\McAfee\MSC\mcpromgr.exe (autostart)
McAfee Redirector Service: c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe (autostart)
McAfee Real-time Scanner: C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (autostart)
mdmxsdk: System32\DRIVERS\mdmxsdk.sys (autostart)
McAfee Personal Firewall Service: "C:\Program Files\McAfee\MPF\MPFSrv.exe" (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SoundMAX Agent Service: C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Plantronics USB Audio Adapter EQ Filter Driver: System32\DRIVERS\uacflt.sys (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
--------------------------------------------------
End of report, 17,380 bytes
Report generated in 0.211 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
ASKER CERTIFIED SOLUTION
You know, this doesn't look bad to me, I wouldn't be surprised if Findfast (installed by default with Office 97) was the root of this.
I'll look at this some more.
ASKER
How do I kill Findfast?
Go into the Start menu, under Programs, locate the folder that says Startup and expand it. In there, right-click and delete the two items that say Findfast and Osa.
ASKER
Killing Findfast didn't seem to do much. The error messages I originally reported have NOT disappeared. The first app error (1517) is apparently a shutdown error, so I noticed it after the next reboot. The system error 7023 re IPSec services being terminated is also still there.
I've narrowed down the time period in the startup process that seems to be the problem. On my 10/23/07 2:37:08 startup the important time frame was from 2:37:17 to 2:37:32. Then there are a series of Anonymous Logins I'd like to understand. Finally, there is the shutdown error that says something is still holding onto Dustyfoot\carol. Here are the details:
ACTIVITY REPORTED 2:37:17 to 2:37:32.
2:37:17 -- There are 2 APP EID:0 events Hackerwatch and AgentSrv. At the same time a SEC EID: 540 shows ANONYMOUS login attempt.
2:37:22 -- FAILURE SEC AUDIT EID:680 System registers attempt by MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 to logon account carol. SEC EID 529: Logon failure reported for unknown user name or bad password for carol.
2:37:23 several things happen nearly simultaneously.
2:37:23 SECURITY EVENTS.
EID:515 Secondary Logon Service registered with LSA.
EID:528 user=NT AUTHORITY/LOCAL Service. UN(user name)=LOCAL SERVICE. DN(domain name)=NTAUTHORITY. LT(logon type)=5.
EID:576 -- user=NT AUTHORITY/LOCAL Service. UN=LOCAL SERVICE. DN=NTAUTHORITY.
EID:615 user:NT AUTHORITY\NETWORK SERVICE. IPSec Services failed to initialize IKE module with error code. IPSec could not be started.
EID:615 -- user:NT AUTHORITY\NETWORK SERVICE. IPSec Services experienced critical failure. The network connection was aborted by the local system.
2:37:23 APP EVENT EID:1800 Windows Security Center Service has started.
2:37:23 SYSTEM ERROR EID 7023: Computer Dustyfoot event, IPSEC Services terminated, not supported for the type of object referenced. (Dustyfoot is the laptop. Is there some setting somewhere in my network that says Dustyfoot shouldn't control IPSEC services & like perhaps my router should?)
After that things could very well be normal. I'm a bit worried about the repeated logons by ANONYMOUS. Approximately every 30 minutes after startup there is a 540-538 pair of SECURITY Success Audits. The times from the 10/23/07 2:37 startup period of being online were:
3:04, 3:36, 4:08, 4:40, 5:12, 5:44, 6:16, 6:48, 7:05, 7:20, 7:52, 8:24, 8:45, 9:28
Once during the same time period there was a Guest logon and logoff from VIVIEN, another computer on the network. Copy follows:
Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 10/23/2007
Time: 7:05:57 PM
User: NT AUTHORITY\SYSTEM
Computer: DUSTYFOOT
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Guest
Source Workstation: VIVIEN
Error Code: 0x0
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 10/23/2007
Time: 7:05:57 PM
User: DUSTYFOOT\Guest
Computer: DUSTYFOOT
Description:
Special privileges assigned to new logon:
User Name:
Domain:
Logon ID: (0x0,0x6486BF)
Privileges: SeChangeNotifyPrivilege
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 10/23/2007
Time: 7:05:57 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DUSTYFOOT
Description:
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x648704)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: VIVIEN
Logon GUID: {00000000-0000-0000-0000-000000000000}
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 10/23/2007
Time: 7:05:57 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DUSTYFOOT
Description:
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x648704)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: VIVIEN
Logon GUID: {00000000-0000-0000-0000-000000000000}
The APP EID:1517 I thought was cleared up yesterday is still there. It's just it's a shutdown error, but it does say some program has not let go of Dustyfoot\carol and I'd like to clear that up.
Event Type: Warning
Event Source: Userenv
Event Category: None
Event ID: 1517
Date: 10/23/2007
Time: 9:35:10 PM
User: NT AUTHORITY\SYSTEM
Computer: DUSTYFOOT
Description:
Windows saved user DUSTYFOOT\carol registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.
This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.
What do you think?
Carol
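An added example, not code from the thread: a small Python script that parses Event Viewer text in the layout pasted above, lists the Failure Audits with the account they name (the 680/529 pair for carol), and measures the spacing between the ANONYMOUS LOGON 540 events so the roughly 30-minute cadence shows up as a regular, machine-driven pattern rather than a person. The sample log it runs on is constructed for the example.

```python
import re
from datetime import datetime

# Regex over the XP Event Viewer copy-to-clipboard layout used in the post:
# fixed header lines, then a free-form Description up to the next "Event Type:".
EVENT_RE = re.compile(
    r"Event Type: (?P<type>.+)\nEvent Source: .+\nEvent Category: .+\n"
    r"Event ID: (?P<eid>\d+)\nDate: (?P<date>\S+)\nTime: (?P<time>.+)\n"
    r"User: (?P<user>.+)\nComputer: .+\nDescription:\n"
    r"(?P<desc>(?:(?!Event Type: ).*\n?)*)")

def parse_events(text):
    """Turn pasted Event Viewer text into dicts with a real timestamp."""
    events = []
    for m in EVENT_RE.finditer(text):
        ts = datetime.strptime(f"{m['date']} {m['time'].strip()}", "%m/%d/%Y %I:%M:%S %p")
        events.append({"type": m["type"].strip(), "eid": int(m["eid"]), "ts": ts,
                       "user": m["user"].strip(), "desc": m["desc"].strip()})
    return events

def recurring_logons(events, eid=540, user="NT AUTHORITY\\ANONYMOUS LOGON", tol_min=5):
    """Minutes between consecutive `eid` events for `user`, and whether every gap sits
    within tol_min of the median gap (a regular cadence points at a polling client)."""
    times = sorted(e["ts"] for e in events if e["eid"] == eid and e["user"] == user)
    gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return gaps, False
    median = sorted(gaps)[len(gaps) // 2]
    return gaps, all(abs(g - median) <= tol_min for g in gaps)

def failed_logons(events):
    """(event id, account) for every Failure Audit that names an account."""
    acct_re = re.compile(r"(?:Logon account|User Name): (.+)")
    return [(e["eid"], acct_re.search(e["desc"]).group(1).strip())
            for e in events if e["type"] == "Failure Audit" and acct_re.search(e["desc"])]

def _entry(etype, eid, time, user, desc):  # builds one constructed sample record
    return (f"Event Type: {etype}\nEvent Source: Security\nEvent Category: Logon/Logoff\n"
            f"Event ID: {eid}\nDate: 10/23/2007\nTime: {time}\nUser: {user}\n"
            f"Computer: DUSTYFOOT\nDescription:\n{desc}\n")

ANON = "NT AUTHORITY\\ANONYMOUS LOGON"
NET = "Successful Network Logon:\nLogon Type: 3\nWorkstation Name: VIVIEN"
# Constructed sample log: one failed logon for carol, then anonymous logons ~32 min apart.
SAMPLE_LOG = "".join([
    _entry("Failure Audit", 680, "2:37:22 PM", "NT AUTHORITY\\SYSTEM",
           "Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\nLogon account: carol"),
    _entry("Success Audit", 540, "3:04:10 PM", ANON, NET),
    _entry("Success Audit", 540, "3:36:05 PM", ANON, NET),
    _entry("Success Audit", 540, "4:08:14 PM", ANON, NET),
])
```

Paste a real Event Viewer export in place of SAMPLE_LOG and call `failed_logons(parse_events(text))` and `recurring_logons(parse_events(text))` to get the same two summaries for a whole day's log.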
Well, at least we have less to cope with. Now, we should find more out.... However, I must admit I'm straining. I'm focusing not on the security events but on the system stuff. Logon events from other PCs don't seem as relevant to performance of your startup.....
Hmmm. I wonder if anyone will chime in, since it's late.
ASKER
I'm closing this because we never got any other bites. Killing Find Fast did help, so you get points for that. I ended up purchasing Fix-It and found there were lots of registry associations that had gotten de-linked. There's no way, really, that you should have known that. Thanks for trying.