Diagnostics Using the Event Viewer

The Windows Event Viewer keeps a running record of Windows errors.  It reports errors and warnings and tries to gather information about the event that triggered the error.

The event viewer can be accessed several ways:

  • Control Panel > Administrative Tools > Event Viewer
  • Right-click My Computer > Manage > Event Viewer
  • Start > Run > type eventvwr.msc > press ENTER

The Event Viewer has at least four separate sections.  We’re interested in the Application and System logs.

Application Log

This is where software events are reported – crashes, Windows errors, misconfigurations, etc.  We are looking for application crashes.  Each log entry gives us the

  • name of the program that crashed
  • name of the module that crashed it
  • version of that module
  • memory addresses involved

Look for internet-related or internet-facing applications: notoriously Internet Explorer (iexplore.exe), but also Firefox, Adobe Acrobat or Reader, QuickTime, Java, etc.  These programs all face the internet, so a vulnerability in any of them is a route into your system.

Also check for errors reported by the antivirus program or other security utilities.


System Log

The System log records hardware-related errors – physical problems as well as software/driver problems.  The most common hardware errors relating to malware are the “atapi” and “disk” errors.  If there are “disk” errors, check the root directory of the hard drive for directories called “Found.000”.

When Windows detects a bad sector on the hard drive, it attempts to recover the data from the bad sector, placing the recovered data in a directory at the root called “Found.000” and marking the sector as bad.

If there is a “Found.000” directory, check its date.  If there are only one or two such directories, it could be the work of a rootkit infecting the Master Boot Record.

There could be multiple “Found” directories.  If there are 10 or more, there is a good chance the drive is losing sectors and is on its way out.  Symptoms of this type of failure are:

  • Long boot times
  • Pauses during use
  • Lockups

While the drive is still working, back up all data (documents, pictures, music, etc.), then replace the hard drive.
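As an added example (not part of the original page), the following PowerShell script automates the three checks above: it pulls the application crash entries from the Application log, the disk and atapi errors from the System log, and lists any Found.* directories at the root of each drive. It assumes Windows Vista or later with PowerShell 3.0 or newer, run from an elevated prompt; the Event ID 1000 message layout it parses is the one used by those Windows versions.

```powershell
# Added example, not from the original page: collect the Application-log crash
# entries, the System-log disk/atapi errors, and the Found.* directories that the
# page says to look for. Assumes Windows Vista+ and PowerShell 3.0+ (Get-WinEvent,
# Get-ChildItem -Directory), run elevated so the System log is readable in full.

# Application crashes are logged by the "Application Error" provider as Event ID 1000.
function Get-AppCrashes {
    param([int]$MaxEvents = 50)
    $filter = @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Parse the message text instead of relying on property positions.
            $app = [regex]::Match($_.Message, 'Faulting application name: ([^,]+), version: ([^,]+)')
            $mod = [regex]::Match($_.Message, 'Faulting module name: ([^,]+), version: ([^,]+)')
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Program   = $app.Groups[1].Value   # the program that crashed
                Version   = $app.Groups[2].Value
                Module    = $mod.Groups[1].Value   # the module that crashed it
                ModuleVer = $mod.Groups[2].Value
                Exception = [regex]::Match($_.Message, 'Exception code: (0x[0-9A-Fa-f]+)').Groups[1].Value
                Offset    = [regex]::Match($_.Message, 'Fault offset: (0x[0-9A-Fa-f]+)').Groups[1].Value
            }
        }
}

# Disk and atapi errors (Level 2 = Error) and warnings (Level 3) from the System log.
function Get-DiskErrors {
    param([int]$MaxEvents = 50)
    $filter = @{ LogName = 'System'; ProviderName = 'disk', 'atapi'; Level = 2, 3 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, ProviderName, Id, Message
}

# Found.000, Found.001, ... are hidden system directories, so -Force is needed to list them.
function Get-FoundDirs {
    Get-PSDrive -PSProvider FileSystem |
        Where-Object { $_.Root -and (Test-Path $_.Root) } |
        ForEach-Object { Get-ChildItem -Path $_.Root -Directory -Force -Filter 'Found.*' -ErrorAction SilentlyContinue } |
        Select-Object FullName, CreationTime
}

Get-AppCrashes | Sort-Object Program | Format-Table -AutoSize
Get-DiskErrors | Format-Table -AutoSize
$found = @(Get-FoundDirs)
$found | Format-Table -AutoSize
if ($found.Count -ge 10) { Write-Warning "$($found.Count) Found.* directories: the drive is likely losing sectors; back up and replace it." }
elseif ($found.Count -gt 0) { Write-Warning "Compare the Found.* creation dates with the onset of problems; one or two can point to MBR tampering." }
```

Internet-facing programs (iexplore.exe, firefox.exe, AcroRd32.exe, java.exe) showing up repeatedly in the Program column are the entries the Application Log section says to focus on.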