Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Winnit Event ID 11


  • Please log in to reply
4 replies to this topic

#1 julio99

julio99

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Niagara Falls Ontario canada
  • Local time:03:10 AM

Posted 26 June 2014 - 12:31 PM

 Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications. This is what I am getting in the event viewer. I''ve tried Googling this till the cows come home and I still can't find a resolution for this. It seems to show about every 4 hours according to the timeline in Event Viewer and it pops up after a WLAN Auto Config/WLAN AutoConfig service has successfully stopped. Event ID 4001. The same thing about 4 times a day. I'm not getting any crashes, yet, but I know there is something to this as it comes as a warning. I read a thread somewhere in Microsoft that was a possible solution to change the registry value in this stringHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLL whether it was 32 0r 64 to 0 but I don't know enough about this to do that yet until I hear from someone in the know. In the x64 regedit string I showed above it has : AppInit_DLLs RG_SZ c:\progra~2\gs That is the value of the string that the one solution I read about on google said to change from 1 to 0. That value c:\progra~2\gs looks suspicious to me and when I googled it I got a few very similar threads that said it was a piece of malware from flash. Just a thought. They were telling me to get rid of it with a program called AXEKILLER. Like I sid I would rather figure it out if anyone knows before I take some killer software to a legit registry entry. It's still happening today so there is obviously something to this.


Edited by hamluis, 26 June 2014 - 02:19 PM.
Moved from Win 7 to Am I Infected - Hamluis.


BC AdBot (Login to Remove)

 


m

#2 hamluis

hamluis

    Moderator


  • Moderator
  • 54,863 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:01:10 AM

Posted 26 June 2014 - 01:02 PM

Is that a warning, an information item, or an error per Event Viewer?

 

From what I see, it's a warning...such normally don't merit any action by the user.

 

Worth A Look, IMO and see Andre Da Costa Comments .

 

Louis


Edited by hamluis, 26 June 2014 - 01:07 PM.


#3 julio99

julio99
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Niagara Falls Ontario canada
  • Local time:03:10 AM

Posted 26 June 2014 - 02:12 PM

OK Louis, at least you got what I was referring to whereas so many others didn't have a clue. I thought I was destined to live with this issue forever. Anyway, I took a look at that article you linked me to and the article that I mentioned in my post was pretty much on the same track. With yours I got an idea to go to the x32 registry entry string and look at it and found the AppInit_DLLs string had this "SearchProtect" value which reminded me that I had downloaded a program a while back and somehow this "malware or adware" program SearchProtect must have been bundled with the legit program. I did uninstall this Search Protect and thought that I had gotten rid of all of the remnants, but when I looked in the x32 string registry entry in Autoruns it still had a checkmark next to the entry with SearchProtect. I am talking about the entries in Autoruns so I unchecked the x32 as the x64 was already done. I rebooted and now we shall see if I still get these in the next day or so. I didn't change any values I just unchecked the entries. If you recognize that I messed up let me know and I will rectify, but for now I need to see if this takes care of those entries.

[attachment=151761:App.PNG

Attached Files

  • Attached File  App.PNG   19.29KB   0 downloads

Edited by julio99, 26 June 2014 - 02:23 PM.


#4 hamluis

hamluis

    Moderator


  • Moderator
  • 54,863 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:01:10 AM

Posted 26 June 2014 - 02:18 PM

Well...Search Protect is malware and we don't do that in this forum...I'll move this topic to Am I Infected and they can take a more knowledgeable look at what is and what is not.

 

Louis



#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,239 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:10 AM

Posted 27 June 2014 - 09:52 AM

Hello,let's get the malware off and see how t is.


Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
  • Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.
    Note: When using "Reset FF Proxy Settings" option Firefox should be closed.



    Download TDSSKiller and save it to your desktop.
  • Extract (unzip) its contents to your desktop.
  • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
  • .
    .
    .
    ADW Cleaner

    Please download AdwCleaner by Xplode and save to your Desktop.
  • Double-click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • After reviewing the log, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.
  • -- Note: The contents of the AdwCleaner log file may be confusing. Unless you see a program name that you recognize and know should not be removed, don't worry about it. If you see an entry you want to keep, return to AdwCleaner before cleaning...all detected items will be listed (and checked) in each tab. Click on each one and uncheck any items you want to keep (except you cannot uncheck Chrome and Firefox preferences lines).


    .

    thisisujrt.gif Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
  • .
    .
    .
    .
  • Last run ESET.
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE:Sometimes if ESET finds no infections it will not create a log.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users