Daily audit failure in Event Viewer


8 replies to this topic

#1 plat1098
  • Members
  • 44 posts

Posted 01 January 2016 - 05:07 PM

Hello: had recent use of the forums for a bad ransomware attack, blocked fortunately, and received great and reassuring assistance, most grateful.  I installed Windows 10 as a direct result and currently have a stable system except for one thing.  Here's a shot of the event log with ID 5061, an everyday thing.  Once, it was successful after the dism.exe command prompt, then it reverted to failures again.  The certutil command prompt revealed "my Personal," no clue what that means.  Rummaged around in the Microsoft forums, and it's a very common problem with multiple causes, it seems.  Those identical to my issue got no resolution.  Many posters feel it's an inherent bug in the Windows 10 makeup, does anyone agree?  Is there a solution to this audit failure--after what I've been through with this machine recently, any little thing is a vulnerability to me now.  Thanks!

Attached File: 5061.PNG (29.24KB)


Freedom really has its limits when there's no one sharing in it...Captured!  Southside Johnny & the Asbury Jukes  :heart:



#2 usasma
    Still visually handicapped (avatar is memory developed by my Dad
  • BSOD Kernel Dump Expert
  • 25,089 posts
  • Location:Southeastern CT, USA

Posted 03 January 2016 - 08:02 AM

Very little info here for us to go on.

 

Please let us know what happened with the ransomware attack - and who/how it was blocked/fixed.

 

As DISM isn't working, the next step is usually a Reset selecting the Keep My Files option.

If that doesn't work - then try the Reset with the Remove Everything option (this'll wipe everything out - so backup your stuff first).


My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John  (my website: http://www.carrona.org/ ) **If you need a more detailed explanation, please ask for it. I have the Knack.**  If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017) FYI - I am completely blind in the right eye and ~30% blind in the left eye. If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.

#3 plat1098 (Topic Starter)

Posted 05 January 2016 - 01:47 PM

Ah, I apologize for the lack of info.  Had problems with loss of Internet connection-resolved those with reconfiguring router/modem set up and patching tear in cable.

 

Then, reset winsock and flushed DNS-- so far, no audit failure.  SO FAR. Wonder if there's a connection between the audit and the hardware mess I had. From other posts, it seems to be something that can be safely ignored, but I'm not comfortable with that. 

 

Dism does indeed work, the scanhealth command never found anything.  Neither did System File Checker.  I tried Dism.exe restore health by itself with the above results.  Sorry for the confusing info.

 

Yes, the exploit.....  I had a stack/pivot mitigation during reinstall of Windows 8.1.  From what I've read about this, it's uncommon.  Event Viewer revealed red errors in all the targeted areas, including Media Player and Volume Shadow Copy Service.  It was successfully blocked by my shield.  The name of the shield is HitmanPro Alert. The activity from this attack caused considerable damage to my existing OS, so I installed Windows 10, with highly satisfactory initial results. No malware was ever found.  The reassurance from the expert in the Malware Removal forum was gratefully accepted.

 

I'm reading the latest articles on ransomware provided by this site and it's really unbelievable how these crooks are viewing ransomware as a cutesy little cottage industry, complete with friendly tutorials on crafting their malware and tips on setting just the right ransom amount.  Outrageous!




#4 usasma

Posted 06 January 2016 - 08:37 AM

So, you're having audit failure events even though it's a clean install of W10 - and the malware expert gave you a clean bill of health?

 

Try selecting "Cookies and website data" for clearance when exiting Internet Explorer.

See if that stops the Audit events.

 

Beyond that, I wonder about:

- an infection despite the expert's assessment

- a corrupted installer

- a reinfection

- a hardware problem

- something installed after the initial installation

 

As such, I'd expect the most positive results to come from:

- running hardware diagnostics ( http://www.carrona.org/hwdiag.html )

- then wiping the hard drive clean (and maybe resetting the BIOS/UEFI) - with a tool such as DBAN/KillDisk (step 3 here:  http://www.carrona.org/canned.html#clean )

- then installing Windows clean - and then check the Audit events



#5 plat1098 (Topic Starter)

Posted 06 January 2016 - 11:13 PM

So interesting you mentioned clearing browser data from IE. The exact opposite seems to happen in Edge (No IE any longer).   The errors and audit failures are Event ID 10016 and 5061 respectively.  "The DCOM blah blah blah from the application container Microsoft Edge....... " is what my 10016 ID is specific for.  The audit one, 5061, is something about an open key.  I installed another browser, made it my default, and then experimented with clearing browser data from Edge.  Immediately, both Event IDs appeared in the viewer, in two separate trials.  This is much too coincidental.  Now what?  Based on recent experiences, I don't want to leave a possibly corrupted or damaged browser app lying around as that's a vulnerability, isn't it?  You can't uninstall Edge, can you?  In conjunction with the 10016 event, Edge will launch but not load any pages or news apps on its start page so it's not an error you can "safely ignore."  You have to restart the machine in order to get the browser's function back.   I'm not going to use Edge at all in the next 24 hours.  Let's see what Event Viewer says. And if I get a solution, I'll post it back here because I'm certain there are many others who have the same or similar issues.

 

My computer's manufacturer has a proprietary hardware scan which checks graphics, motherboard, etc.  That was negative as of a week ago except for needing W10- compatible chipset drivers, done. I run about three little scans a day using a variety of tools--nothing.  Adwcleaner and Junkware Removal Tool--nothing.  SFC and DISM--nothing. Perhaps Windows installer corrupted the installation of Edge, I don't know.  Why do you suggest resetting the BIOS?  Do you feel it's necessary now in light of these latest findings?  Do you think resetting Windows 10 would be an option?




#6 plat1098 (Topic Starter)

Posted 07 January 2016 - 02:36 PM

Well, it's Edge.  No errors, warnings or audit failures using the Firefox browser.  Here are 3 snips showing the Event Viewer errors all occurring around the same time I cleared Edge browsing history but the only way to prove it's triggered by that specifically is if someone took remote access of this machine and tested it.  After the DNS server warning, Edge doesn't load anything and is inoperable.  It's all tied into clearing browser data.  I do this only once and the 10016 and 5061 IDs appear, Edge still loads pages.  If I clear browsing data multiple times in one session, the DNS warning appears and Edge fails.  So these are the two issues I have, I don't think they can be resolved here unless someone has the "perfect" method for reinstalling the Edge browser or additional information regarding Edge browser:

 

1.  Could the stack/pivot mitigation have corrupted Internet Explorer and this corruption then carried over into Edge? I couldn't test IE at the time because I couldn't load the final 20 Windows updates. Installed Windows 10 right after that.

 

2.  Would a full system restore to 8.1 from this latest W10 build result in a damaged/inoperable machine?  I'm afraid to try!

 

I posted this issue in Microsoft forums yesterday because the vast majority of problems come from users like me who installed Windows 10 over a pre-existing version.  The Microsoft tech who responded recommended I clear browsing data from Edge to reset it--lol! Yeah right!

 

I am considering your hardware scans because now for some reason, Lenovo Solution Center doesn't load. Thanks, Lenovo.

 

plat1098

Attached Files


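The correlation described in the post above (clearing Edge browsing data, then a Security-log 5061 audit failure and a System-log 10016 DistributedCOM error appearing together) can be checked from the event logs rather than by eye. The following is an added example, not code from the thread or from Microsoft: it pulls both event IDs from the last N hours, decodes the 5061 EventData fields (subject user, crypto provider, operation such as "Open Key", key name, return code) and reports for each 5061 how many 10016s fired within a few seconds of it. The field names are those of the standard 5061 "Cryptographic operation" event; the time window and lookback are arbitrary parameters chosen here. It must run from an elevated PowerShell prompt, because the Security log is readable only by administrators.

```powershell
# Added example (not from the thread). Correlate Security 5061 audit failures
# with System 10016 DCOM errors by timestamp. Run elevated.
param([int]$Hours = 24, [int]$WindowSeconds = 10)

$since = (Get-Date).AddHours(-$Hours)

function Get-EventFields {
    # The named EventData fields (SubjectUserName, Operation, KeyName,
    # ReturnCode, ...) are only reachable through the event XML, so map
    # each <Data Name="..."> element to its text here.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $fields[$d.Name] = $d.'#text' }
    }
    return $fields
}

# 5061 "Cryptographic operation" from the Security log, Audit Failure only.
$crypto = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 5061; StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { @($_.KeywordsDisplayNames) -contains 'Audit Failure' })

# 10016 DistributedCOM activation/launch permission errors from the System log.
$dcom = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'
        Id = 10016; StartTime = $since
    } -ErrorAction SilentlyContinue)

$rows = foreach ($e in $crypto) {
    $f = Get-EventFields $e
    # 10016s whose TimeCreated lies within $WindowSeconds of this 5061.
    $near = @($dcom | Where-Object {
        [math]::Abs(($_.TimeCreated - $e.TimeCreated).TotalSeconds) -le $WindowSeconds
    })
    [pscustomobject]@{
        Time           = $e.TimeCreated
        User           = $f['SubjectUserName']
        CryptoProvider = $f['ProviderName']   # e.g. a Key Storage Provider, from EventData
        Operation      = $f['Operation']      # "Open Key." in the case from the thread
        KeyName        = $f['KeyName']
        ReturnCode     = $f['ReturnCode']
        DcomNearby     = $near.Count
    }
}

if ($rows) { $rows | Sort-Object Time | Format-Table -AutoSize }
else       { "No 5061 audit failures in the last $Hours hours." }
```

Save it as a .ps1, clear browsing data in Edge, then run it; a row with a non-zero DcomNearby for that minute is the evidence the post is describing. The ReturnCode and KeyName columns are what to quote when asking which key the failing "Open Key" refers to, since the generic "audit failure" wording on its own does not say.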


#7 usasma

Posted 07 January 2016 - 06:37 PM

The cookies and website data thing that I asked about was a last minute addition to my post.
It appeared to be a common workaround (with some chance of success) in the number of posts I viewed while searching around the web.

 

I'm not a malware expert, and have really no clue about the stack/pivot mitigation.

I'd suggest posting over in the Am I Infected Forums for an expert's opinion:    http://www.bleepingcomputer.com/forums/f/103/am-i-infected-what-do-i-do/

 

There is no sure way to remove Edge.  AFAIK it's as tied into the OS as was Internet Explorer.

If you did remove it, that might make the system more vulnerable and may expose you to more exploits.

 

IMO I would first try resetting W10 with the Keep My Files option

Then, if that doesn't work, then I'd try a Reset using the Remove Everything option.

Finally, if that doesn't work, then the next step is to revert to W8.1

If you have W8.1 recovery media, that should not damage the system (and should wipe every trace of W10 from the system).

 

Hardware scans are always nice to run.  We run them at work on everything that comes in.  It saves a lot of time if you find a hardware problem before you start trying to fix software problems.



#8 plat1098 (Topic Starter)

Posted 08 January 2016 - 05:21 PM

Thank you for this excellent advice, usasma, I am copying the above and retaining it for personal reference, OK?  Hardware scans are practically a must so after rummaging around in the Lenovo website, I replaced my ancient version with the newest one, thanks for telling me, Lenovo. 

 

Reinstalled Edge via the PowerShell command prompt, and was only getting the audit failure when clearing browser, forget it, it's still defective in my book.  Glad you acknowledge this is a potential risk.  Took it off the taskbar altogether to use only in emergencies.  So many bitter complaints about Windows 10, I tell you, but if you installed it over another version and have underlying hardware/software issues, your chances of failures and problems skyrocket, it seems.  Hardware and software scans are really important.

 

Thanks again!  plat1098


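The post above says Edge was "reinstalled via the PowerShell command prompt" without showing the commands. What that meant on Windows 10 in early 2016 was re-registering the built-in Edge (EdgeHTML) app package from the files already on disk, since the package cannot be uninstalled. The script below is an added example, not the poster's command or anything from Microsoft's documentation for this thread: it assumes the package name Microsoft.MicrosoftEdge and the manifest path <InstallLocation>\AppXManifest.xml, which hold for the classic Edge of that era. Current Windows ships Chromium Edge as a normal Win32 install instead, so on a modern machine the package lookup may return nothing, and the script says so rather than failing. Run it elevated with Edge closed.

```powershell
# Added example (not from the thread). Re-register the built-in EdgeHTML Edge
# package for every user profile. Run elevated, with Edge closed.
$packages = @(Get-AppxPackage -AllUsers -Name Microsoft.MicrosoftEdge)

if ($packages.Count -eq 0) {
    # Assumption: this package only exists on Windows 10 builds that shipped
    # classic Edge; Chromium Edge is not an Appx package of this name.
    Write-Warning 'Microsoft.MicrosoftEdge is not present on this build; nothing to re-register.'
    return
}

foreach ($pkg in $packages) {
    $manifest = Join-Path $pkg.InstallLocation 'AppXManifest.xml'
    if (-not (Test-Path $manifest)) {
        Write-Warning "Manifest missing for $($pkg.PackageFullName): $manifest"
        continue
    }
    # -Register rebuilds the per-user registration from the existing files
    # (no download and no new binaries); -DisableDevelopmentMode is required
    # when registering from a manifest rather than from an .appx file.
    Add-AppxPackage -DisableDevelopmentMode -Register $manifest
    Write-Host "Re-registered $($pkg.PackageFullName)"
}
```

Note what this does and does not do: it repairs the app registration (the state a corrupted upgrade is most likely to have damaged), but it does not replace or verify the Edge binaries themselves, which is why SFC and DISM were the right checks for those. After re-registering, clear browsing data once in Edge and look for fresh 5061/10016 entries to tell whether the registration was actually the trigger.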


#9 usasma

Posted 08 January 2016 - 07:52 PM

As each new version of Windows comes out - it increases the complexity of the OS.

With the increase in complexity comes an increased chance of problems when you do anything with the OS.

 

But despite this trend, the OS has actually become more stable and easier to troubleshoot.

 

Technicians have long stated that you should never do an upgrade of an OS.
Rather you should 'clean' install each new version.

And, with W10, we've found that there are many more problems with the upgraded systems than there are with the clean install systems.

 

Good luck!





