Ever since I downloaded the 16 Windows updates (something like that) a day or 2 ago my computer has been a lot slower and having random problems. Sometimes the internet won't play sound but things like Skype will, my computer will randomly not read certain songs on CDs when I click them in Windows Media Player (discs have no scratches). Has anyone else had any problems?
To check if I had any viruses I did a regular scan and just deleted like 4 tracking cookies. Then I scanned my processes with one of Norton's features. The 2 things it didn't recognize were
autochk.exe
verclsid.exe
They were created 1-7 days ago and it said not many users had those programs and their trustworthiness was unknown.
32bit windows 7 professional
Italia,
You could have harmless problems or serious problems.
Boot into Safe Mode.
Once there, navigate to:
\Windows\logs\cbs
Now use DIR to see what's there.
You will see cbs.log and its size will be monstrous.
To help us separate the wheat from the chaff, I'm going to ask you to delete that file:
DEL CBS.log
Use the EXIT command to get back and now reboot your computer.
Run SFC /SCANNOW once again.
Once again boot into safe mode.
Navigate to \windows\logs\cbs
Execute the following command:
FindStr /c:"[SR]" CBS.log > sfcdetails.txt
Attach sfcdetails.txt to your next post.
I am really sorry, but may I respectfully disagree?
Since this issue has come after updating, if it *is* from the update, we will lose all evidence and any possible chance of analysis if we delete the CBS.log. True, the WindowsUpdate.log will still exist, but CBS.log and WindowsUpdate.log are not the same, and I really don't want to lose such a valuable log (although we may actually be able to recover it from the System Restore Cache via Shadow Explorer).
That command ("FindStr /c:"[SR]" CBS.log > sfcdetails.txt") parses the CBS.log. It only takes a few seconds to do. Just parse the log using that Command without deleting the log file, and all will be well. It only takes about 3 seconds to parse the whole CBS.log on a modern computer.
Also, SFC sections of the log are extremely distinctive, and feature at the bottom of the CBS.log. It is very likely that there will actually only be about 20 lines between the bottom of the log and the SFC log.
Also, I hate parsing the log. Many people don't realise this, but that parsing method loses a vast amount of useful information from the SFC run, and that information saves me a great deal of time when fixing SFC corruptions.
May I please take the whole CBS.log? Do you mind?
Please copy the C:\Windows\Logs\CBS folder to your Desktop, right click on it > Send to > Compressed (zipped) folder, and upload the new file which is created on your Desktop here.
Thanks a lot!
Richard
Alright Rich, I did what u said. Let me know what u find. Thanks
EDIT: I found why my browser was slow. I was running Firefox 4 and it sucks lol. I just downgraded to 3.6.17 and it's much better. But I would still like to know what's up with that integrity stuff. Check out the attachment and let me know what you find please :), cuz I still have this prob
Windows Resource Protection found corrupt files but was unable to fix some of them.
Details are included in the CBS.Log windir\logs\cbs\cbs.log
Hello!
I am very sorry for the delay.
There is something very interesting going on here.
You mentioned in your first post these two: autochk.exe and verclsid.exe
SFC has reported three corruptions: autochk.exe, netlogon.dll.mui, verclsid.exe
Now, all of these are genuine Windows files. The file names are perfectly legit.
However, I am beginning to suspect due to your reported dates that there may be something dodgy going on here.
Can I please ask you to upload to Virus Total the following three files: http://www.virustotal.com/
C:\Windows\WinSxS\Manifests\netlogon.dll.mui
C:\Windows\System32\verclsid.exe
C:\Windows\System32\autochk.exe
Please post your logs from Virus Total. We can never be too careful about malware.
After that, I intend to fix these corrupt files, and hopefully all will work. I have fixed countless SFC corruptions across multiple forums over several years. Unfortunately, I do not have enough posts on this single forum to appear very senior.
It is completely your choice. I know that we should not be leaving you in this dilemma, but you have got to choose between KarlsNooks and myself.
From my "limited" experience, it is never a good idea to delete a log file, and all of that evidence, however, you have already uploaded it, and so long as you don't delete your uploaded log, or at the very least keep a backup copy, then it isn't so bad to delete it, because those who can read a whole CBS.log will still have a copy to read.
Also, it just seems so pointless. If we are going to parse the log, why on Earth do we need to delete it first!
Here is the SFC section from a CBS.log!
Code:
CSI 000001b4 [SR] Verify complete
2011-06-17 23:52:22, Info CSI 000001b5 [SR] Repairing 3 components
2011-06-17 23:52:22, Info CSI 000001b6 [SR] Beginning Verify and Repair transaction
2011-06-17 23:52:22, Info CSI 000001b7 Hashes for file member \SystemRoot\WinSxS\x86_microsoft-windows-autochk_31bf3856ad364e35_6.1.7601.17514_none_e3fb573520033bfa\autochk.exe do not match actual file [l:22{11}]"autochk.exe" :
Found: {l:32 b:QdPZxP1ox+XKw36/Sf0UyTIpcLuplcvhg3sAX8felOw=} Expected: {l:32 b:LgNTZumhom+xXx5IVwVuateTK86Mxou0tlVgn0JNJ1Y=}
2011-06-17 23:52:22, Info CSI 000001b8 [SR] Cannot repair member file [l:22{11}]"autochk.exe" of Microsoft-Windows-Autochk, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2011-06-17 23:52:22, Info CSI 000001b9 Hashes for file member \SystemRoot\WinSxS\x86_microsoft-windows-s..-netlogon.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2f99db0d8023bf41\netlogon.dll.mui do not match actual file [l:32{16}]"netlogon.dll.mui" :
Found: {l:32 b:snREg2vduBP5Dq/yCQpr9xcRsJUjvsT9xLluAP1eso8=} Expected: {l:32 b:IdGl52BHfNzx6/vOIwZ4QIoikWNqZf/ehFhvUa3W0pY=}
2011-06-17 23:52:22, Info CSI 000001ba [SR] Cannot repair member file [l:32{16}]"netlogon.dll.mui" of Microsoft-Windows-Security-Netlogon.Resources, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2011-06-17 23:52:22, Info CSI 000001bb Hashes for file member \SystemRoot\WinSxS\x86_microsoft-windows-verclsid_31bf3856ad364e35_6.1.7600.16385_none_bbbd275974c7e191\verclsid.exe do not match actual file [l:24{12}]"verclsid.exe" :
Found: {l:32 b:w1XMf6NVjHdopezzHF1z+oEaSRnnitvsH0ZH9HJztq0=} Expected: {l:32 b:CCfRypYPO+NzD2pKBpipwY1kOkZUpCLeucuqWoI7RWU=}
2011-06-17 23:52:22, Info CSI 000001bc [SR] Cannot repair member file [l:24{12}]"verclsid.exe" of Microsoft-Windows-verclsid, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2011-06-17 23:52:22, Info CSI 000001bd [SR] Repaired file \SystemRoot\WinSxS\Manifests\\[l:32{16}]"netlogon.dll.mui" by copying from backup
2011-06-17 23:52:22, Info CSI 000001be Hashes for file member \??\C:\Windows\System32\en-US\netlogon.dll.mui do not match actual file [l:32{16}]"netlogon.dll.mui" :
Found: {l:32 b:snREg2vduBP5Dq/yCQpr9xcRsJUjvsT9xLluAP1eso8=} Expected: {l:32 b:IdGl52BHfNzx6/vOIwZ4QIoikWNqZf/ehFhvUa3W0pY=}
2011-06-17 23:52:22, Info CSI 000001bf [SR] Repairing corrupted file [ml:520{260},l:58{29}]"\??\C:\Windows\System32\en-US"\[l:32{16}]"netlogon.dll.mui" from store
2011-06-17 23:52:22, Info CSI 000001c0 Hashes for file member \SystemRoot\WinSxS\x86_microsoft-windows-autochk_31bf3856ad364e35_6.1.7601.17514_none_e3fb573520033bfa\autochk.exe do not match actual file [l:22{11}]"autochk.exe" :
Found: {l:32 b:QdPZxP1ox+XKw36/Sf0UyTIpcLuplcvhg3sAX8felOw=} Expected: {l:32 b:LgNTZumhom+xXx5IVwVuateTK86Mxou0tlVgn0JNJ1Y=}
2011-06-17 23:52:22, Info CSI 000001c1 [SR] Cannot repair member file [l:22{11}]"autochk.exe" of Microsoft-Windows-Autochk, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2011-06-17 23:52:22, Info CSI 000001c2 [SR] This component was referenced by [l:198{99}]"Microsoft-Windows-Foundation-Package~31bf3856ad364e35~x86~~6.1.7601.17514.WindowsFoundationDelivery"
2011-06-17 23:52:22, Info CSI 000001c3 Hashes for file member \??\C:\Windows\System32\autochk.exe do not match actual file [l:22{11}]"autochk.exe" :
Found: {l:32 b:QdPZxP1ox+XKw36/Sf0UyTIpcLuplcvhg3sAX8felOw=} Expected: {l:32 b:LgNTZumhom+xXx5IVwVuateTK86Mxou0tlVgn0JNJ1Y=}
2011-06-17 23:52:22, Info CSI 000001c4 Hashes for file member \SystemRoot\WinSxS\x86_microsoft-windows-autochk_31bf3856ad364e35_6.1.7601.17514_none_e3fb573520033bfa\autochk.exe do not match actual file [l:22{11}]"autochk.exe" :
Found: {l:32 b:QdPZxP1ox+XKw36/Sf0UyTIpcLuplcvhg3sAX8felOw=} Expected: {l:32 b:LgNTZumhom+xXx5IVwVuateTK86Mxou0tlVgn0JNJ1Y=}
2011-06-17 23:52:22, Info CSI 000001c5 [SR] Could not reproject corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:22{11}]"autochk.exe"; source file in store is also corrupted
2011-06-17 23:52:22, Info CSI 000001c6 Hashes for file member \SystemRoot\WinSxS\x86_microsoft-windows-verclsid_31bf3856ad364e35_6.1.7600.16385_none_bbbd275974c7e191\verclsid.exe do not match actual file [l:24{12}]"verclsid.exe" :
Found: {l:32 b:w1XMf6NVjHdopezzHF1z+oEaSRnnitvsH0ZH9HJztq0=} Expected: {l:32 b:CCfRypYPO+NzD2pKBpipwY1kOkZUpCLeucuqWoI7RWU=}
2011-06-17 23:52:22, Info CSI 000001c7 [SR] Cannot repair member file [l:24{12}]"verclsid.exe" of Microsoft-Windows-verclsid, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2011-06-17 23:52:22, Info CSI 000001c8 [SR] This component was referenced by [l:198{99}]"Microsoft-Windows-Foundation-Package~31bf3856ad364e35~x86~~6.1.7601.17514.WindowsFoundationDelivery"
2011-06-17 23:52:22, Info CSI 000001c9 Hashes for file member \??\C:\Windows\System32\verclsid.exe do not match actual file [l:24{12}]"verclsid.exe" :
Found: {l:32 b:w1XMf6NVjHdopezzHF1z+oEaSRnnitvsH0ZH9HJztq0=} Expected: {l:32 b:CCfRypYPO+NzD2pKBpipwY1kOkZUpCLeucuqWoI7RWU=}
2011-06-17 23:52:22, Info CSI 000001ca Hashes for file member \SystemRoot\WinSxS\x86_microsoft-windows-verclsid_31bf3856ad364e35_6.1.7600.16385_none_bbbd275974c7e191\verclsid.exe do not match actual file [l:24{12}]"verclsid.exe" :
Found: {l:32 b:w1XMf6NVjHdopezzHF1z+oEaSRnnitvsH0ZH9HJztq0=} Expected: {l:32 b:CCfRypYPO+NzD2pKBpipwY1kOkZUpCLeucuqWoI7RWU=}
2011-06-17 23:52:22, Info CSI 000001cb [SR] Could not reproject corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:24{12}]"verclsid.exe"; source file in store is also corrupted
2011-06-17 23:52:22, Info CSI 000001cc Repair results created:
and here is what it would look like if parsed:
Code:
2011-06-17 23:52:22, Info CSI 000001b5 [SR] Repairing 3 components
2011-06-17 23:52:22, Info CSI 000001b6 [SR] Beginning Verify and Repair transaction
2011-06-17 23:52:22, Info CSI 000001b8 [SR] Cannot repair member file [l:22{11}]"autochk.exe" of Microsoft-Windows-Autochk, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2011-06-17 23:52:22, Info CSI 000001ba [SR] Cannot repair member file [l:32{16}]"netlogon.dll.mui" of Microsoft-Windows-Security-Netlogon.Resources, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2011-06-17 23:52:22, Info CSI 000001bc [SR] Cannot repair member file [l:24{12}]"verclsid.exe" of Microsoft-Windows-verclsid, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2011-06-17 23:52:22, Info CSI 000001bd [SR] Repaired file \SystemRoot\WinSxS\Manifests\\[l:32{16}]"netlogon.dll.mui" by copying from backup
2011-06-17 23:52:22, Info CSI 000001bf [SR] Repairing corrupted file [ml:520{260},l:58{29}]"\??\C:\Windows\System32\en-US"\[l:32{16}]"netlogon.dll.mui" from store
2011-06-17 23:52:22, Info CSI 000001c1 [SR] Cannot repair member file [l:22{11}]"autochk.exe" of Microsoft-Windows-Autochk, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2011-06-17 23:52:22, Info CSI 000001c2 [SR] This component was referenced by [l:198{99}]"Microsoft-Windows-Foundation-Package~31bf3856ad364e35~x86~~6.1.7601.17514.WindowsFoundationDelivery"
2011-06-17 23:52:22, Info CSI 000001c5 [SR] Could not reproject corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:22{11}]"autochk.exe"; source file in store is also corrupted
2011-06-17 23:52:22, Info CSI 000001c7 [SR] Cannot repair member file [l:24{12}]"verclsid.exe" of Microsoft-Windows-verclsid, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2011-06-17 23:52:22, Info CSI 000001c8 [SR] This component was referenced by [l:198{99}]"Microsoft-Windows-Foundation-Package~31bf3856ad364e35~x86~~6.1.7601.17514.WindowsFoundationDelivery"
2011-06-17 23:52:22, Info CSI 000001cb [SR] Could not reproject corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:24{12}]"verclsid.exe"; source file in store is also corrupted
Do you see how much data is lost? However, there is one bit of data above all that I need.
\SystemRoot\WinSxS\x86_microsoft-windows-autochk_31bf3856ad364e35_6.1.7601.17514_none_e3fb573520033bfa\
Oh, I can work it out. It requires the extraction of the version from the above log, and then the public key token and ID from either an update, service pack, or Windows CD.
This will take me ages, and is error prone. Provide me with CBS.log, and so much time is saved, and so many errors are avoided.
Now, numerous times I have helped people to fix SFC corruptions, as opposed to everyone else who just does a Clean Install/Repair Install.
Also, I find it very interesting, your comment about Firefox. I also use Firefox, and updated to 4.0, and found it buggy and slow. I found IE9 to be similar. I downgraded back down to 3.6.latest, with a look I am used to, and I found it to be perfectly stable, and a joy to use. People tell me that 5.0 beta is much more stable than 4.0, but I haven't had the courage to try it yet, because 3.6.latest is so perfect for me.
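The difference between the full SFC section and the FindStr output shown in the post above, as an added example that is not part of the original thread: a small parser that pairs each "Hashes for file member" line with its Found/Expected line and recovers the WinSxS component directory. The function names are hypothetical, and the sample lines are copied from the autochk.exe entries quoted above.

```python
import base64
import re

# Lines copied from the CBS.log excerpt quoted in the thread (autochk.exe only).
SAMPLE = r'''2011-06-17 23:52:22, Info CSI 000001b6 [SR] Beginning Verify and Repair transaction
2011-06-17 23:52:22, Info CSI 000001b7 Hashes for file member \SystemRoot\WinSxS\x86_microsoft-windows-autochk_31bf3856ad364e35_6.1.7601.17514_none_e3fb573520033bfa\autochk.exe do not match actual file [l:22{11}]"autochk.exe" :
Found: {l:32 b:QdPZxP1ox+XKw36/Sf0UyTIpcLuplcvhg3sAX8felOw=} Expected: {l:32 b:LgNTZumhom+xXx5IVwVuateTK86Mxou0tlVgn0JNJ1Y=}
2011-06-17 23:52:22, Info CSI 000001b8 [SR] Cannot repair member file [l:22{11}]"autochk.exe" of Microsoft-Windows-Autochk, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2011-06-17 23:52:22, Info CSI 000001c3 Hashes for file member \??\C:\Windows\System32\autochk.exe do not match actual file [l:22{11}]"autochk.exe" :
Found: {l:32 b:QdPZxP1ox+XKw36/Sf0UyTIpcLuplcvhg3sAX8felOw=} Expected: {l:32 b:LgNTZumhom+xXx5IVwVuateTK86Mxou0tlVgn0JNJ1Y=}
2011-06-17 23:52:22, Info CSI 000001c5 [SR] Could not reproject corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:22{11}]"autochk.exe"; source file in store is also corrupted
'''

MEMBER = re.compile(r"Hashes for file member (.+?) do not match actual file")
HASHES = re.compile(r"Found: \{l:\d+ b:([^}]+)\}\s+Expected: \{l:\d+ b:([^}]+)\}")


def sr_only(text):
    """What the FindStr filter keeps: only lines containing the [SR] tag."""
    return [ln for ln in text.splitlines() if "[SR]" in ln]


def hash_mismatches(text):
    """Map each mismatching file path to its found/expected digests (hex)."""
    records, pending = {}, None
    for ln in text.splitlines():
        m = MEMBER.search(ln)
        if m:
            pending = m.group(1)          # path named on the "Hashes for" line
            continue
        h = HASHES.search(ln)
        if h and pending:                 # digest line must directly follow it
            found, expected = (base64.b64decode(h.group(i)).hex() for i in (1, 2))
            records[pending] = {"found": found, "expected": expected}
        pending = None
    return records


def store_components(records):
    """Component-store directory names for corrupt members under WinSxS."""
    prefix = "\\SystemRoot\\WinSxS\\"
    return sorted({p[len(prefix):].split("\\")[0] for p in records if p.startswith(prefix)})


if __name__ == "__main__":
    recs = hash_mismatches(SAMPLE)
    for path, digests in recs.items():
        print(path, digests["found"], digests["expected"], sep="\n  ")
    print("store components:", store_components(recs))
    print("lines kept by the [SR] filter:", len(sr_only(SAMPLE)))
```

The hex form of the digests can be compared directly with the output of a file-hashing tool, which the base64 form in the log cannot.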
karlsnooks said:
Now it's time to follow my professional and seasoned advice:
Boot into safe mode.
Navigate to \windows\logs\cbs
Del cbs.log
exit
reboot.
run sfc /scannow
Once again boot into safe mode.
Navigate to \windows\logs\cbs
Execute the following command:
FindStr /c:"[SR]" CBS.log > sfcdetails.txt
Attach sfcdetails.txt to your next post.
I am really, really sorry. I still don't quite understand. *Please may you quote my previous post, and give me your reasoning behind this, because this could be a very interesting debate, because I am not used to deleting log files.
Also, download the CBS.log, scroll down to the very bottom, and not a single line lies between the SFC log and the bottom. Not a single line. And you get the advantage of the unparsed log.
Now click somewhere near the bottom, and use Ctrl-F. Type in "Error ". Notice the additional space. Experience dictates. Search upwards. A clean log. Nothing to worry about there. Excellent! But worth a check!
You could also search for KB numbers, or times.
Richard
P.S. Also, we have the logs already! We already have the CBS.log. I personally am not going to waste any more of your time. I have attached some logs.
- I have attached the CBS.log for anyone who can read it.
- I have attached the bottom of the CBS.log for those who want the whole lot of data, but can't use the scrolling function of notepad.exe to find it themselves (ie can't/won't scroll to the bottom of a CBS.log).
- I have attached the parsed log, because of course we can parse your log, for those who want to disadvantage themselves.
Also, I might well call in MowGreen. He is new to this forum, with only about 50 posts. However, he is an MVP, and has an amazing, amazing record with over 10 years' experience with dealing with Windows Update errors, and many thousands of posts across so many forums. If he suggests deleting the log and parsing to remove useful data, then I shall unconditionally apologise and back down.
Richard
OK, one last thing! Windows 7 was supposed to be this fantastically stable OS. Microsoft spent so much on making it polished. One of the biggest things they did was to remove a massive issue plaguing previous versions of Windows. This was that video RAM was duplicated into system RAM. There were very good reasons for this, and a fix nearly made it into Vista, but not quite. WDDM v1.1 fixed this in 7.
Now, there was one other change. In Vista, the old CBS.log was renamed to CBS.persist.log, and this rolled through, saving the current CBS.log and the previous one.
In 7, although they wanted to make it lite, Microsoft changed this so that all old CBS.logs were saved. Does this suggest something to you? If CBS.logs which are years old are now deliberately saved by Microsoft, does this not suggest to NOT delete the current one!?
@Karlsnooks: *Please quote this post, and my previous one.