
Solved Suspected Malware. Significant HD activity when there shouldn't be.

Discussion in 'Malware and Virus Removal' started by DCHammer, 2016/06/22.

  1. 2016/07/04
    DCHammer

    DCHammer Well-Known Member Thread Starter

    Joined:
    2010/06/28
    Messages:
    224
    Likes Received:
    0
    ==================== Alternate Data Streams (Whitelisted) =========

    (If an entry is included in the fixlist, only the ADS will be removed.)

    AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [125]

    ==================== Safe Mode (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeaack => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeaack.sys => ""="Driver"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeavfk => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeavfk.sys => ""="Driver"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek.sys => ""="Driver"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk.sys => ""="Driver"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfetdi2k => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfetdi2k.sys => ""="Driver"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfevtp => ""="Service"

    ==================== Association (Whitelisted) ===============

    (If an entry is included in the fixlist, the registry item will be restored to default or removed.)


    ==================== Internet Explorer trusted/restricted ===============

    (If an entry is included in the fixlist, it will be removed from the registry.)

    IE restricted site: HKU\.DEFAULT\...\007guard.com -> install.007guard.com
    IE restricted site: HKU\.DEFAULT\...\008i.com -> 008i.com
    IE restricted site: HKU\.DEFAULT\...\008k.com -> www.008k.com
    IE restricted site: HKU\.DEFAULT\...\00hq.com -> www.00hq.com
    IE restricted site: HKU\.DEFAULT\...\010402.com -> 010402.com
    IE restricted site: HKU\.DEFAULT\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
    IE restricted site: HKU\.DEFAULT\...\0scan.com -> www.0scan.com
    IE restricted site: HKU\.DEFAULT\...\1-2005-search.com -> www.1-2005-search.com
    IE restricted site: HKU\.DEFAULT\...\1-domains-registrations.com -> www.1-domains-registrations.com
    IE restricted site: HKU\.DEFAULT\...\1000gratisproben.com -> www.1000gratisproben.com
    IE restricted site: HKU\.DEFAULT\...\1001namen.com -> www.1001namen.com
    IE restricted site: HKU\.DEFAULT\...\100888290cs.com -> mir.100888290cs.com
    IE restricted site: HKU\.DEFAULT\...\100sexlinks.com -> www.100sexlinks.com
    IE restricted site: HKU\.DEFAULT\...\10sek.com -> www.10sek.com
    IE restricted site: HKU\.DEFAULT\...\12-26.net -> user1.12-26.net
    IE restricted site: HKU\.DEFAULT\...\12-27.net -> user1.12-27.net
    IE restricted site: HKU\.DEFAULT\...\123fporn.info -> www.123fporn.info
    IE restricted site: HKU\.DEFAULT\...\123haustiereundmehr.com -> www.123haustiereundmehr.com
    IE restricted site: HKU\.DEFAULT\...\123moviedownload.com -> www.123moviedownload.com
    IE restricted site: HKU\.DEFAULT\...\123simsen.com -> www.123simsen.com

    There are 7812 more sites.

    IE trusted site: HKU\S-1-5-21-415762479-31080894-1349916565-56332\...\att.com -> *.teleconference.att.com
    IE trusted site: HKU\S-1-5-21-415762479-31080894-1349916565-56332\...\brainshark.com -> brainshark.com
    IE trusted site: HKU\S-1-5-21-415762479-31080894-1349916565-56332\...\cisco.com -> cisco.com
    IE trusted site: HKU\S-1-5-21-415762479-31080894-1349916565-56332\...\concursolutions.com -> concursolutions.com
    IE trusted site: HKU\S-1-5-21-415762479-31080894-1349916565-56332\...\desktop-shipping.com -> desktop-shipping.com
    IE trusted site: HKU\S-1-5-21-415762479-31080894-1349916565-56332\...\fidelity.com -> fidelity.com
    IE trusted site: HKU\S-1-5-21-415762479-31080894-1349916565-56332\...\ge.com -> *.gecits.ge.com
    IE trusted site: HKU\S-1-5-21-415762479-31080894-1349916565-56332\...\hrdpt.com -> *.compucom.hrdpt.com
    IE trusted site: HKU\S-1-5-21-415762479-31080894-1349916565-56332\...\ingrammicro.ca -> ingrammicro.ca
    IE trusted site: HKU\S-1-5-21-415762479-31080894-1349916565-56332\...\ingrammicro.com -> ingrammicro.com
    IE trusted site: HKU\S-1-5-21-415762479-31080894-1349916565-56332\...\livemeeting.com -> livemeeting.com
    IE trusted site: HKU\S-1-5-21-415762479-31080894-1349916565-56332\...\medco.com -> medco.com
    IE trusted site: HKU\S-1-5-21-415762479-31080894-1349916565-56332\...\synnex.ca -> synnex.ca
    IE trusted site: HKU\S-1-5-21-415762479-31080894-1349916565-56332\...\synnex.com -> synnex.com
    IE trusted site: HKU\S-1-5-21-415762479-31080894-1349916565-56332\...\techdata.ca -> techdata.ca
    IE trusted site: HKU\S-1-5-21-415762479-31080894-1349916565-56332\...\techdata.com -> techdata.com
    IE restricted site: HKU\S-1-5-21-415762479-31080894-1349916565-56332\...\007guard.com -> install.007guard.com
    IE restricted site: HKU\S-1-5-21-415762479-31080894-1349916565-56332\...\008i.com -> 008i.com
    IE restricted site: HKU\S-1-5-21-415762479-31080894-1349916565-56332\...\008k.com -> www.008k.com
    IE restricted site: HKU\S-1-5-21-415762479-31080894-1349916565-56332\...\00hq.com -> www.00hq.com
    IE restricted site: HKU\S-1-5-21-415762479-31080894-1349916565-56332\...\010402.com -> 010402.com
    IE restricted site: HKU\S-1-5-21-415762479-31080894-1349916565-56332\...\0190-dialers.com -> 0190-dialers.com
    IE restricted site: HKU\S-1-5-21-415762479-31080894-1349916565-56332\...\01i.info -> 01i.info
    IE restricted site: HKU\S-1-5-21-415762479-31080894-1349916565-56332\...\02pmnzy5eo29bfk4.com -> 02pmnzy5eo29bfk4.com
    IE restricted site: HKU\S-1-5-21-415762479-31080894-1349916565-56332\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
    IE restricted site: HKU\S-1-5-21-415762479-31080894-1349916565-56332\...\0411dd.com -> 0411dd.com
    IE restricted site: HKU\S-1-5-21-415762479-31080894-1349916565-56332\...\0511zfhl.com -> 0511zfhl.com
    IE restricted site: HKU\S-1-5-21-415762479-31080894-1349916565-56332\...\05p.com -> 05p.com
    IE restricted site: HKU\S-1-5-21-415762479-31080894-1349916565-56332\...\0632qyw.com -> 0632qyw.com
    IE restricted site: HKU\S-1-5-21-415762479-31080894-1349916565-56332\...\07ic5do2myz3vzpk.com -> 07ic5do2myz3vzpk.com
    IE restricted site: HKU\S-1-5-21-415762479-31080894-1349916565-56332\...\08nigbmwk43i01y6.com -> 08nigbmwk43i01y6.com
    IE restricted site: HKU\S-1-5-21-415762479-31080894-1349916565-56332\...\093qpeuqpmz6ebfa.com -> 093qpeuqpmz6ebfa.com
    IE restricted site: HKU\S-1-5-21-415762479-31080894-1349916565-56332\...\0calories.net -> 0calories.net
    IE restricted site: HKU\S-1-5-21-415762479-31080894-1349916565-56332\...\0cj.net -> 0cj.net
    IE restricted site: HKU\S-1-5-21-415762479-31080894-1349916565-56332\...\0scan.com -> www.0scan.com
    IE restricted site: HKU\S-1-5-21-415762479-31080894-1349916565-56332\...\1-2005-search.com -> www.1-2005-search.com

    There are 12627 more sites.


    ==================== Hosts content: ===============================

    (If needed Hosts: directive could be included in the fixlist to reset Hosts.)

    2009-07-13 22:04 - 2016-07-02 13:45 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts

    127.0.0.1 localhost

    ==================== Other Areas ============================

    (Currently there is no automatic fix for this section.)

    HKU\S-1-5-21-415762479-31080894-1349916565-56332\Control Panel\Desktop\\Wallpaper -> C:\Users\dcarlson\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
    DNS Servers: 24.226.10.193 - 24.226.10.194
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
    Windows Firewall is enabled.

    ==================== MSCONFIG/TASK MANAGER disabled items ==

    (Currently there is no automatic fix for this section.)


    ==================== FirewallRules (Whitelisted) ===============

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
    FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
    FirewallRules: [{70D9243A-16AD-41C4-ACA7-67D4D6B367CC}] => (Allow) C:\Program Files\Microsoft Lync\communicator.exe
    FirewallRules: [{B224B7FB-10E0-4FA6-B373-D4BAD871C12E}] => (Allow) C:\Program Files\Microsoft Lync\UcMapi.exe
    FirewallRules: [{D5FEA481-C1A2-4A44-99DF-121B0A7A6274}] => (Allow) C:\Program Files\Microsoft Lync\communicator.exe
    FirewallRules: [{A7199697-4D1A-4D9D-92AC-E9B1E6AB2D18}] => (Allow) C:\Program Files\Microsoft Lync\communicator.exe
    FirewallRules: [{AA9D4814-ACF5-4AB1-B7CB-0FBA9C830240}] => (Allow) C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    FirewallRules: [{BC815849-36B4-4164-91D5-85AFEE9DE60D}] => (Allow) C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    FirewallRules: [{10C20614-5CBA-4321-B536-B9B7305DFBD0}] => (Allow) C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
    FirewallRules: [{259C21C3-49F7-44C7-BFFE-8E797DE9C059}] => (Allow) C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
    FirewallRules: [{B336B316-4813-4B7D-9CCC-EE798EB390E7}] => (Allow) C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    FirewallRules: [{9B47246D-6CEF-44DB-BB2E-15633BD0F1C0}] => (Allow) C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    FirewallRules: [TCP Query User{41D08BB2-DDA6-4D4F-AF8B-34417AA4F8FE}C:\users\dcarlson\appdata\local\akamai\netsession_win.exe] => (Allow) C:\users\dcarlson\appdata\local\akamai\netsession_win.exe
    FirewallRules: [UDP Query User{E108BF58-4FFD-4312-A5D5-C99F5E983C30}C:\users\dcarlson\appdata\local\akamai\netsession_win.exe] => (Allow) C:\users\dcarlson\appdata\local\akamai\netsession_win.exe
    FirewallRules: [TCP Query User{7F9906B1-A39E-4772-B1BF-112469683499}C:\users\dcarlson\appdata\local\akamai\netsession_win.exe] => (Allow) C:\users\dcarlson\appdata\local\akamai\netsession_win.exe
    FirewallRules: [UDP Query User{29B603D0-5FA3-44E4-B2A9-6428FD8CF09C}C:\users\dcarlson\appdata\local\akamai\netsession_win.exe] => (Allow) C:\users\dcarlson\appdata\local\akamai\netsession_win.exe
    FirewallRules: [{663A047D-65E8-44E3-A550-1C6E00A993E1}] => (Block) C:\users\dcarlson\appdata\local\akamai\netsession_win.exe
    FirewallRules: [{76B04000-4FB7-409B-B0DF-C3A3F2F5045D}] => (Block) C:\users\dcarlson\appdata\local\akamai\netsession_win.exe
    FirewallRules: [{8196BC63-90FB-4DD9-AF05-830D7FE9AD46}] => (Allow) C:\Program Files\Windows Live\Contacts\wlcomm.exe
    FirewallRules: [{83A6C6AA-8AEC-44D0-8299-7FDB62494402}] => (Allow) LPort=2869
    FirewallRules: [{F912A0E4-4597-4773-B354-A7FB05DAA0CF}] => (Allow) LPort=1900
    FirewallRules: [{C30A4230-CF97-40C1-9157-B1DCA7881BAF}] => (Allow) C:\Program Files\Research In Motion\BlackBerry Desktop\Rim.Desktop.exe
    FirewallRules: [{7CB823E1-45BE-4FF3-BB08-EDAF04753F55}] => (Allow) C:\Program Files\Research In Motion\BlackBerry Desktop\Rim.Desktop.exe
    FirewallRules: [{3262C9E3-9053-4E07-A024-3340675A92B8}] => (Allow) LPort=4481
    FirewallRules: [{98B866A9-ED4B-4A1B-8B5D-73CBCACD3688}] => (Allow) LPort=4481
    FirewallRules: [{23839938-7032-43E7-BF64-A3CB049C3FD7}] => (Allow) LPort=4482
    FirewallRules: [{28800957-72D5-4C20-AE39-A033AF334832}] => (Allow) LPort=4482
    FirewallRules: [TCP Query User{1C242AF4-28BA-4C42-A7F8-F3F4DC3AE3C6}C:\program files\dukto\dukto.exe] => (Allow) C:\program files\dukto\dukto.exe
    FirewallRules: [UDP Query User{0C8864A9-3B70-425C-A6DE-5D4E18EA9481}C:\program files\dukto\dukto.exe] => (Allow) C:\program files\dukto\dukto.exe
    FirewallRules: [{F5BA8590-42B0-446C-851C-4873D374F6E5}] => (Allow) C:\Windows\System32\lxcccoms.exe
    FirewallRules: [{6AEFE55D-1AF7-44C8-A2B1-16D2F362B6E3}] => (Allow) C:\Windows\System32\lxcccoms.exe
    FirewallRules: [{CC006189-334E-4482-B5AF-BD22D5681451}] => (Allow) C:\Windows\System32\spool\drivers\w32x86\3\lxccpswx.exe
    FirewallRules: [{38A1E7E0-00EA-4A6D-8ADC-03AFA00427B3}] => (Allow) C:\Windows\System32\spool\drivers\w32x86\3\lxccpswx.exe
    FirewallRules: [{E793BFAD-E7EA-4E81-86CF-7418836C096B}] => (Allow) C:\Program Files\Skype\Phone\Skype.exe
    FirewallRules: [{8ED79445-9914-49E0-A2E6-BC84609C053B}] => (Allow) LPort=54925
    FirewallRules: [{83171D20-3110-4A0F-B35A-6661A2615A85}] => (Allow) LPort=5910
    FirewallRules: [TCP Query User{B486AE54-BD7A-4016-957B-745DC1AD7F5F}C:\users\dcarlson\appdata\local\crossloop\crossloopconnect.exe] => (Allow) C:\users\dcarlson\appdata\local\crossloop\crossloopconnect.exe
    FirewallRules: [UDP Query User{EAD15331-4807-44D7-8AE0-E96E5FD49D34}C:\users\dcarlson\appdata\local\crossloop\crossloopconnect.exe] => (Allow) C:\users\dcarlson\appdata\local\crossloop\crossloopconnect.exe
    FirewallRules: [{86242C0E-A029-4212-B480-97BEE2901FCF}] => (Allow) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
    FirewallRules: [TCP Query User{395A0FCF-7369-484D-B89B-136A11184F18}C:\program files\wondershare\allmytube\urlreqservice.exe] => (Allow) C:\program files\wondershare\allmytube\urlreqservice.exe
    FirewallRules: [UDP Query User{5100A058-C345-42F7-981E-11C1E8E25AD9}C:\program files\wondershare\allmytube\urlreqservice.exe] => (Allow) C:\program files\wondershare\allmytube\urlreqservice.exe
    FirewallRules: [{03727BE5-288C-4DE8-94B2-C0FB504D6396}] => (Allow) C:\Program Files\Splashtop\Splashtop Remote\SERVER\SRServer.exe
    FirewallRules: [{F1F3B52A-5D53-435E-A990-81B9A96D8745}] => (Allow) C:\Program Files\Splashtop\Splashtop Remote\SERVER\SRFeature.exe
    FirewallRules: [{1D6FD91C-6EFA-4CCF-A5CB-264EC9511381}] => (Allow) C:\Program Files\Splashtop\Splashtop Remote\SERVER\DataProxy.exe
    FirewallRules: [TCP Query User{A08B57EF-0B92-4308-BBB8-FACCAF947A62}C:\users\dcarlson\desktop\easy_search_utility_4500.exe] => (Allow) C:\users\dcarlson\desktop\easy_search_utility_4500.exe
    FirewallRules: [UDP Query User{739A5841-FD53-49B9-8865-C0DCC69BC322}C:\users\dcarlson\desktop\easy_search_utility_4500.exe] => (Allow) C:\users\dcarlson\desktop\easy_search_utility_4500.exe
    FirewallRules: [{F8635BC9-4582-48BF-818B-43F6848C1CBD}] => (Allow) C:\Users\dcarlson\AppData\Roaming\Dropbox\bin\Dropbox.exe
    FirewallRules: [{1A54AFEA-6AD6-46A0-8BEB-B8FA60473437}] => (Allow) C:\Users\dcarlson\AppData\Roaming\Dropbox\bin\Dropbox.exe
    FirewallRules: [TCP Query User{A11231A8-FF51-4EAF-830C-850982F0CF5A}C:\users\dcarlson\appdata\roaming\dropbox\bin\dropbox.exe] => (Allow) C:\users\dcarlson\appdata\roaming\dropbox\bin\dropbox.exe
    FirewallRules: [UDP Query User{E665E063-E1A3-4C86-B1AF-CDE977A3F428}C:\users\dcarlson\appdata\roaming\dropbox\bin\dropbox.exe] => (Allow) C:\users\dcarlson\appdata\roaming\dropbox\bin\dropbox.exe
    FirewallRules: [{8B6A373A-F9B2-43F2-9956-1ADEAF7F4DE4}] => (Allow) tunmgr.exe
    FirewallRules: [{665455E2-9AF2-4486-AD51-724C492DDAD9}] => (Allow) tunmgr.exe
    FirewallRules: [{5ECB1DE1-8821-4BA2-BD6B-68785E11EA80}] => (Allow) mDNSResponder.exe
    FirewallRules: [{FB3A168B-B4CD-482E-951C-C3721A9A84B7}] => (Allow) mDNSResponder.exe
    FirewallRules: [{270DF461-6434-49AA-801F-0CCD9E32B342}] => (Allow) C:\Program Files\Common Files\Research In Motion\nginx\nginx.exe
    FirewallRules: [{3B373F6A-B9EE-427D-9643-87DABEFFB633}] => (Allow) C:\Program Files\Common Files\Research In Motion\tunnel manager\PeerManager.exe
    FirewallRules: [{F54997CD-B0C5-4CE7-85FD-549C32E2DD18}] => (Allow) C:\Program Files\BlackBerry\BlackBerry Blend\desktopinvokeproxy.exe
    FirewallRules: [{A07B5DA5-24D4-4A51-A0CE-D7BE23721BDD}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
    FirewallRules: [{822E3A5D-B204-4C59-8840-18CF6EF79429}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
    FirewallRules: [{BA06ABE8-7C26-4D35-82D1-AF647030CAE3}] => (Allow) C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    FirewallRules: [{4F310F8F-6856-4317-A7CC-B48F467A0BB3}] => (Allow) C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    FirewallRules: [{7D843DA0-2619-4AAC-9A28-2D1FB0B67996}] => (Allow) C:\Program Files\McAfee\Common Framework\MfeServiceMgr.exe
    FirewallRules: [{5A23357A-D4A6-41E8-832C-BAB2EEC5AE03}] => (Allow) C:\Program Files\McAfee\Common Framework\MfeServiceMgr.exe
    FirewallRules: [{2753A03A-C5E3-4E25-9492-A303704EB8AC}] => (Allow) C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    FirewallRules: [{31DC0B16-0E62-4A1F-865D-E670078D5515}] => (Allow) C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    FirewallRules: [{AF7D6F74-9A34-4A2F-BAA3-D3EC01D8EB75}] => (Allow) C:\Program Files\McAfee\Common Framework\MfeServiceMgr.exe
    FirewallRules: [{1A1EB850-B4A6-4556-A6A4-02EF59386900}] => (Allow) C:\Program Files\McAfee\Common Framework\MfeServiceMgr.exe
    FirewallRules: [{8FAF0C32-6036-4599-8E72-CEEFBD4BE693}] => (Allow) C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    FirewallRules: [{6CABCACD-3318-4E1B-88A4-4EDEFE262723}] => (Allow) C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    FirewallRules: [{D2B02A11-41AF-435F-8E59-A6C219428653}] => (Allow) C:\Program Files\McAfee\Common Framework\MfeServiceMgr.exe
    FirewallRules: [{1C0DBE26-BACC-4E3B-82C9-81FE8623BC2B}] => (Allow) C:\Program Files\McAfee\Common Framework\MfeServiceMgr.exe
    FirewallRules: [{C4CC7B8B-3E4B-49F1-95FE-7D9BADB6073A}] => (Allow) C:\Windows\CCM\RemCtrl\CmRcService.exe
    FirewallRules: [{F00C5C16-4548-41F4-9BB3-D5459EC19CAD}] => (Allow) LPort=54925
    FirewallRules: [{9F465D28-26B7-4BD3-938D-813BA4128944}] => (Allow) C:\Program Files\iTunes\iTunes.exe
    FirewallRules: [{4CE1714F-0D96-45B1-BC80-292F343BE2BD}] => (Allow) C:\Program Files\Google\Chrome\Application\chrome.exe

    ==================== Restore Points =========================


    ==================== Faulty Device Manager Devices =============

    Name: Nexthink Collector
    Description: Nexthink Collector
    Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Manufacturer:
    Service: nxtdrv
    Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
    Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
    Devices stay in this state if they have been prepared for removal.
    After you remove the device, this error disappears. Remove the device, and this error should be resolved.

    Name: Microsoft Virtual WiFi Miniport Adapter
    Description: Microsoft Virtual WiFi Miniport Adapter
    Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
    Manufacturer: Microsoft
    Service: vwifimp
    Problem: : This device is disabled. (Code 22)
    Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

    Name: Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows
    Description: Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows
    Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
    Manufacturer: Cisco Systems
    Service: vpnva
    Problem: : This device is disabled. (Code 22)
    Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


    ==================== Event log errors: =========================

    Application errors:
    ==================
    Error: (07/03/2016 07:48:06 PM) (Source: Brother BrLog) (EventID: 1001) (User: )
    Description: STI BrtSTI: [2016/07/03 19:48:06.831]: [00002976]: SendSKeySettingToDevice:: Snmp Load Error[-1] To[192.168.0.3]

    Error: (07/03/2016 07:46:53 PM) (Source: Brother BrLog) (EventID: 1001) (User: )
    Description: STI BrtSTI: [2016/07/03 19:46:53.828]: [00002976]: SendSKeySettingToDevice:: Snmp Load Error[-1] To[192.168.0.3]

    Error: (07/03/2016 07:45:41 PM) (Source: Brother BrLog) (EventID: 1001) (User: )
    Description: STI BrtSTI: [2016/07/03 19:45:41.833]: [00002976]: SendSKeySettingToDevice:: Snmp Load Error[-1] To[192.168.0.3]

    Error: (07/03/2016 07:44:30 PM) (Source: Brother BrLog) (EventID: 1001) (User: )
    Description: STI BrtSTI: [2016/07/03 19:44:30.819]: [00002976]: SendSKeySettingToDevice:: Snmp Load Error[-1] To[192.168.0.3]

    Error: (07/03/2016 07:43:18 PM) (Source: Brother BrLog) (EventID: 1001) (User: )
    Description: STI BrtSTI: [2016/07/03 19:43:18.828]: [00002976]: SendSKeySettingToDevice:: Snmp Load Error[-1] To[192.168.0.3]

    Error: (07/03/2016 07:42:06 PM) (Source: Brother BrLog) (EventID: 1001) (User: )
    Description: STI BrtSTI: [2016/07/03 19:42:06.318]: [00002976]: SendSKeySettingToDevice:: Snmp Load Error[-1] To[192.168.0.3]

    Error: (07/03/2016 07:40:53 PM) (Source: Brother BrLog) (EventID: 1001) (User: )
    Description: STI BrtSTI: [2016/07/03 19:40:53.331]: [00002976]: SendSKeySettingToDevice:: Snmp Load Error[-1] To[192.168.0.3]

    Error: (07/03/2016 07:39:41 PM) (Source: Brother BrLog) (EventID: 1001) (User: )
    Description: STI BrtSTI: [2016/07/03 19:39:41.337]: [00002976]: SendSKeySettingToDevice:: Snmp Load Error[-1] To[192.168.0.3]

    Error: (07/03/2016 07:38:30 PM) (Source: Brother BrLog) (EventID: 1001) (User: )
    Description: STI BrtSTI: [2016/07/03 19:38:30.336]: [00002976]: SendSKeySettingToDevice:: Snmp Load Error[-1] To[192.168.0.3]

    Error: (07/03/2016 07:37:18 PM) (Source: Brother BrLog) (EventID: 1001) (User: )
    Description: STI BrtSTI: [2016/07/03 19:37:18.845]: [00002976]: SendSKeySettingToDevice:: Snmp Load Error[-1] To[192.168.0.3]


    System errors:
    =============
    Error: (07/03/2016 07:41:13 PM) (Source: NETLOGON) (EventID: 5719) (User: )
    Description: This computer was not able to set up a secure session with a domain
    controller in domain COMPUCOM due to the following:
    %%1311 = There are currently no logon servers available to service the logon request.


    This may lead to authentication problems. Make sure that this
    computer is connected to the network. If the problem persists,
    please contact your domain administrator.



    ADDITIONAL INFO

    If this computer is a domain controller for the specified domain, it
    sets up the secure session to the primary domain controller emulator in the specified
    domain. Otherwise, this computer sets up the secure session to any domain controller
    in the specified domain.

    Error: (07/03/2016 06:58:25 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: NT AUTHORITY)
    Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

    Error: (07/03/2016 06:08:12 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: COMPUCOM)
    Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

    Error: (07/03/2016 04:50:15 PM) (Source: TermService) (EventID: 1067) (User: )
    Description: The terminal server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted.
    .

    Error: (07/03/2016 03:48:30 PM) (Source: atapi) (EventID: 11) (User: )
    Description: The driver detected a controller error on \Device\Ide\IdePort0.

    Error: (07/03/2016 03:48:30 PM) (Source: atapi) (EventID: 11) (User: )
    Description: The driver detected a controller error on \Device\Ide\IdePort0.

    Error: (07/03/2016 03:48:30 PM) (Source: atapi) (EventID: 11) (User: )
    Description: The driver detected a controller error on \Device\Ide\IdePort0.

    Error: (07/03/2016 03:48:30 PM) (Source: atapi) (EventID: 11) (User: )
    Description: The driver detected a controller error on \Device\Ide\IdePort0.

    Error: (07/03/2016 03:48:30 PM) (Source: atapi) (EventID: 11) (User: )
    Description: The driver detected a controller error on \Device\Ide\IdePort0.

    Error: (07/03/2016 03:48:30 PM) (Source: atapi) (EventID: 11) (User: )
    Description: The driver detected a controller error on \Device\Ide\IdePort0.


    CodeIntegrity:
    ===================================
    Date: 2015-11-29 20:37:56.766
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\winsxs\x86_microsoft-windows-lua_31bf3856ad364e35_6.1.7601.17514_none_a851c71dbb0d8483\consent.exe because the set of per-page image hashes could not be found on the system.

    Date: 2015-11-29 20:37:56.750
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\winsxs\x86_microsoft-windows-lua_31bf3856ad364e35_6.1.7601.17514_none_a851c71dbb0d8483\consent.exe because the set of per-page image hashes could not be found on the system.

    Date: 2015-11-25 17:23:46.627
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\winsxs\x86_microsoft-windows-lua_31bf3856ad364e35_6.1.7601.17514_none_a851c71dbb0d8483\consent.exe because the set of per-page image hashes could not be found on the system.

    Date: 2015-11-25 17:23:46.614
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\winsxs\x86_microsoft-windows-lua_31bf3856ad364e35_6.1.7601.17514_none_a851c71dbb0d8483\consent.exe because the set of per-page image hashes could not be found on the system.

    Date: 2015-11-21 20:45:44.965
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\winsxs\x86_microsoft-windows-lua_31bf3856ad364e35_6.1.7601.17514_none_a851c71dbb0d8483\consent.exe because the set of per-page image hashes could not be found on the system.

    Date: 2015-11-21 20:45:44.950
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\winsxs\x86_microsoft-windows-lua_31bf3856ad364e35_6.1.7601.17514_none_a851c71dbb0d8483\consent.exe because the set of per-page image hashes could not be found on the system.

    Date: 2015-11-17 19:07:10.803
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\winsxs\x86_microsoft-windows-lua_31bf3856ad364e35_6.1.7601.17514_none_a851c71dbb0d8483\consent.exe because the set of per-page image hashes could not be found on the system.

    Date: 2015-11-17 19:07:10.783
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\winsxs\x86_microsoft-windows-lua_31bf3856ad364e35_6.1.7601.17514_none_a851c71dbb0d8483\consent.exe because the set of per-page image hashes could not be found on the system.

    Date: 2015-11-13 17:25:56.135
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\winsxs\x86_microsoft-windows-lua_31bf3856ad364e35_6.1.7601.17514_none_a851c71dbb0d8483\consent.exe because the set of per-page image hashes could not be found on the system.

    Date: 2015-11-13 17:25:56.116
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\winsxs\x86_microsoft-windows-lua_31bf3856ad364e35_6.1.7601.17514_none_a851c71dbb0d8483\consent.exe because the set of per-page image hashes could not be found on the system.


    ==================== Memory info ===========================

    Processor: Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz
    Percentage of memory in use: 66%
    Total physical RAM: 3497.23 MB
    Available physical RAM: 1167.68 MB
    Total Virtual: 6992.79 MB
    Available Virtual: 4083.93 MB

    ==================== Drives ================================

    Drive c: (OSDisk) (Fixed) (Total:465.46 GB) (Free:281.95 GB) NTFS
    Drive g: (NUVI) (Removable) (Total:1.89 GB) (Free:1.89 GB) FAT

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 0619DEE1)
    Partition 1: (Not Active) - (Size=465.5 GB) - (Type=07 NTFS)
    Partition 2: (Active) - (Size=300 MB) - (Type=07 NTFS)

    ========================================================
    Disk: 1 (Size: 1.9 GB) (Disk ID: 00000000)

    Partition: GPT.

    ==================== End of Addition.txt ============================
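When reading the FirewallRules section of an Addition.txt log like the one above, the rules worth a second look are the Allow entries whose target lives in a location a standard user can write to (AppData, Desktop, ProgramData, Temp) or that name a bare image such as tunmgr.exe with no path, because the firewall then cannot tie the rule to one binary on disk. The following Python script is an added example for this thread, not part of the original post and not FRST's own code: it parses lines in FRST's `FirewallRules:` format, buckets each target, and lists the Allow rules that match either condition. The sample log lines are constructed (hypothetical GUIDs, user name and paths), and the set of "user-writable" directories is an assumption you may want to widen. It also records when a Block rule covers the same target, since Windows Firewall evaluates explicit Block rules before Allow rules, so such an Allow is effectively neutralised where the two rules' scopes overlap.

```python
import re
from typing import Dict, List

# Constructed sample in the format FRST's Addition.txt uses for its
# "FirewallRules (Whitelisted)" section. Not taken from the thread above;
# rule GUIDs, the user name and the paths are hypothetical.
SAMPLE_LOG = r"""
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{AAAA-1}] => (Allow) C:\Program Files\Example\example.exe
FirewallRules: [TCP Query User{BBBB-2}C:\users\alice\appdata\local\tool\tool.exe] => (Allow) C:\users\alice\appdata\local\tool\tool.exe
FirewallRules: [{CCCC-3}] => (Block) C:\users\alice\appdata\local\tool\tool.exe
FirewallRules: [{DDDD-4}] => (Allow) LPort=5910
FirewallRules: [{EEEE-5}] => (Allow) tunmgr.exe
FirewallRules: [TCP Query User{FFFF-6}C:\users\alice\desktop\setup.exe] => (Allow) C:\users\alice\desktop\setup.exe
"""

# One FRST FirewallRules line: "[name] => (Allow|Block) target"
RULE_RE = re.compile(
    r"^FirewallRules: \[(?P<name>.+?)\] => \((?P<action>Allow|Block)\) (?P<target>.+)$"
)

# Heuristic (an assumption, not something FRST defines): directories a standard user can write to.
USER_WRITABLE_RE = re.compile(
    r"\\users\\[^\\]+\\(appdata|desktop|downloads|documents)\\|\\programdata\\|\\temp\\"
)


def parse_rules(text: str) -> List[Dict[str, str]]:
    """Parse FirewallRules lines into {name, action, target} dicts; other lines are ignored."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules


def classify_target(target: str) -> str:
    """Bucket a rule target as port, unqualified, user_writable, system or program."""
    t = target.strip().lower()
    if t.startswith("lport="):
        return "port"
    if "\\" not in t:
        return "unqualified"  # bare image name: not tied to one binary on disk
    if USER_WRITABLE_RE.search(t) or t.startswith("%temp%"):
        return "user_writable"
    if t.startswith("%systemroot%") or t.startswith("c:\\windows\\"):
        return "system"
    return "program"


def triage(text: str) -> List[Dict[str, object]]:
    """Return the Allow rules worth a second look, in log order.

    Each finding carries its bucket ('kind') and whether a Block rule names the same
    target ('also_blocked'); Windows Firewall applies explicit Block rules ahead of
    Allow rules, so such an Allow is neutralised where the rules' scopes overlap.
    """
    rules = parse_rules(text)
    blocked = {r["target"].strip().lower() for r in rules if r["action"] == "Block"}
    findings = []
    for r in rules:
        if r["action"] != "Allow":
            continue
        kind = classify_target(r["target"])
        if kind not in ("user_writable", "unqualified"):
            continue
        findings.append(
            {**r, "kind": kind, "also_blocked": r["target"].strip().lower() in blocked}
        )
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        note = " (also Blocked)" if f["also_blocked"] else ""
        print(f"{f['kind']:14} {f['target']}{note}")
```

To use it on a real log, read Addition.txt into a string and pass it to `triage()`; the function skips every line that is not a `FirewallRules:` entry, so the whole file can be fed in unchanged. A flagged rule is a prompt to check the binary (signature, hash, whether it is still present), not a verdict: legitimate user-installed software such as Dropbox also lives under AppData.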
     
  2. 2016/07/04
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download attached fixlist.txt file and save it to the Desktop.
    NOTE. It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    Run FRST (FRST64) and press the Fix button just once and wait.
    The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.
     

    Attached Files:



  4. 2016/07/05
    DCHammer

    DCHammer Well-Known Member Thread Starter

    Joined:
    2010/06/28
    Messages:
    224
    Likes Received:
    0
    Here is the fixlog:

    Fix result of Farbar Recovery Scan Tool (x86) Version: 20-06-2016 01
    Ran by DCarlson (2016-07-05 10:54:44) Run:1
    Running from C:\Users\dcarlson\Desktop
    Loaded Profiles: DCarlson (Available Profiles: DCarlson & CMPC_User & Administrator)
    Boot Mode: Normal

    ==============================================

    fixlist content:
    *****************
    HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
    HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\*.exe <====== ATTENTION
    HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\*.exe <====== ATTENTION
    HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
    GroupPolicy: Restriction - Chrome <======= ATTENTION
    CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    HKU\S-1-5-21-415762479-31080894-1349916565-56332\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    SearchScopes: HKLM -> DefaultScope {C2BAE1FA-6009-452A-9F5C-6141E21A68C9} URL =
    S3 catchme; \??\C:\Users\dcarlson\AppData\Local\Temp\catchme.sys [X]
    U3 mfeavfk01; no ImagePath
    S3 VGPU; System32\drivers\rdvgkmd.sys [X]
    C:\Users\dcarlson\CTX.DAT
    C:\Users\dcarlson\en_res.dll
    C:\Users\dcarlson\es_res.dll
    C:\Users\dcarlson\fr_res.dll
    C:\Users\dcarlson\grm_res.dll
    C:\Users\dcarlson\it_res.dll
    C:\Users\dcarlson\jp_res.dll
    C:\Users\dcarlson\mfc80u.dll
    C:\Users\dcarlson\msvcr80.dll
    C:\Users\dcarlson\PCPE Setup.exe
    C:\Users\dcarlson\pt_res.dll
    C:\Users\dcarlson\ru_res.dll
    C:\Users\dcarlson\zh_res.dll
    2013-03-25 10:40 - 2013-03-25 10:40 - 0053248 _____ () C:\Program Files\MD5_SHA-1 Utility.exe
    2013-03-26 17:14 - 2013-03-26 17:14 - 0448512 _____ (OldTimer Tools) C:\Program Files\TFC.exe
    2013-05-13 10:03 - 2013-05-13 10:04 - 0000000 _____ () C:\Users\dcarlson\AppData\Roaming\bitlord_log.txt
    2013-04-26 11:08 - 2014-07-16 14:33 - 0038483 _____ () C:\Users\dcarlson\AppData\Roaming\Comma Separated Values (DOS).ADR
    2013-04-26 10:18 - 2014-01-16 12:31 - 0038487 _____ () C:\Users\dcarlson\AppData\Roaming\Comma Separated Values (Windows).ADR
    2013-04-05 14:10 - 2014-01-08 14:30 - 0000616 _____ () C:\Users\dcarlson\AppData\Roaming\Rim.Desktop.Exception.log
    2013-04-05 14:08 - 2013-04-05 14:08 - 0001147 _____ () C:\Users\dcarlson\AppData\Roaming\Rim.Desktop.HttpServerSetup.log
    2013-04-05 14:10 - 2013-04-05 14:10 - 0000000 _____ () C:\Users\dcarlson\AppData\Roaming\Rim.DesktopHelper.Exception.log
    2013-05-13 10:08 - 2013-05-13 10:08 - 0000218 _____ () C:\Users\dcarlson\AppData\Local\recently-used.xbel
    2015-10-30 10:19 - 2016-05-12 11:43 - 0007609 _____ () C:\Users\dcarlson\AppData\Local\Resmon.ResmonCfg
    C:\Users\dcarlson\AppData\Local\Temp\dllnt_dump.dll
    CustomCLSID: HKU\S-1-5-21-415762479-31080894-1349916565-56332_Classes\CLSID\{D166BD15-03AF-413A-BEFD-0679FF410B49}\InprocServer32 -> C:\Users\dcarlson\AppData\Local\Dropbox\Update\1.3.27.29\psuser.dll => No File
    AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [125]

    *****************

    HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION => restored successfully
    HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\*.exe <====== ATTENTION => restored successfully
    HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\*.exe <====== ATTENTION => restored successfully
    HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION => restored successfully
    C:\Windows\system32\GroupPolicy\Machine => moved successfully
    C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
    "HKLM\SOFTWARE\Policies\Google" => key removed successfully.
    "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
    "HKU\S-1-5-21-415762479-31080894-1349916565-56332\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
    catchme => service removed successfully.
    mfeavfk01 => service removed successfully.
    VGPU => service removed successfully.
    C:\Users\dcarlson\CTX.DAT => moved successfully
    C:\Users\dcarlson\en_res.dll => moved successfully
    C:\Users\dcarlson\es_res.dll => moved successfully
    C:\Users\dcarlson\fr_res.dll => moved successfully
    C:\Users\dcarlson\grm_res.dll => moved successfully
    C:\Users\dcarlson\it_res.dll => moved successfully
    C:\Users\dcarlson\jp_res.dll => moved successfully
    C:\Users\dcarlson\mfc80u.dll => moved successfully
    C:\Users\dcarlson\msvcr80.dll => moved successfully
    C:\Users\dcarlson\PCPE Setup.exe => moved successfully
    C:\Users\dcarlson\pt_res.dll => moved successfully
    C:\Users\dcarlson\ru_res.dll => moved successfully
    C:\Users\dcarlson\zh_res.dll => moved successfully
    C:\Program Files\MD5_SHA-1 Utility.exe => moved successfully
    C:\Program Files\TFC.exe => moved successfully
    C:\Users\dcarlson\AppData\Roaming\bitlord_log.txt => moved successfully
    C:\Users\dcarlson\AppData\Roaming\Comma Separated Values (DOS).ADR => moved successfully
    C:\Users\dcarlson\AppData\Roaming\Comma Separated Values (Windows).ADR => moved successfully
    C:\Users\dcarlson\AppData\Roaming\Rim.Desktop.Exception.log => moved successfully
    C:\Users\dcarlson\AppData\Roaming\Rim.Desktop.HttpServerSetup.log => moved successfully
    C:\Users\dcarlson\AppData\Roaming\Rim.DesktopHelper.Exception.log => moved successfully
    C:\Users\dcarlson\AppData\Local\recently-used.xbel => moved successfully
    C:\Users\dcarlson\AppData\Local\Resmon.ResmonCfg => moved successfully
    C:\Users\dcarlson\AppData\Local\Temp\dllnt_dump.dll => moved successfully
    "HKU\S-1-5-21-415762479-31080894-1349916565-56332_Classes\CLSID\{D166BD15-03AF-413A-BEFD-0679FF410B49}" => key removed successfully.
    C:\ProgramData\TEMP => ":5C321E34" ADS removed successfully..


    The system needed a reboot.

    ==== End of Fixlog 10:54:50 ====
     
  5. 2016/07/05
    DCHammer

    DCHammer Well-Known Member Thread Starter

    Joined:
    2010/06/28
    Messages:
    224
    Likes Received:
    0
    And by the way, it didn't seem to be any better yesterday and actually blue screened overnight. But it does seem to be more responsive since running this fix in FRST. Although there is still a silly amount of HDD activity. I saw that ccmexec.exe was churning the drive. I stopped that service and things are much better. :) I'll turn it back on occasionally and let SMS do what it's supposed to so the corporate Admins don't freak out but that's eliminated a TON of HDD activity.
     
    Last edited: 2016/07/05
  6. 2016/07/05
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    In this forum we make sure that your computer is clean.
    When we're done and the issue still persists, you'll have to create a new topic in the Windows forum.

    Last scans...

    Download Security Check from here or here and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.
    NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.
    NOTE 3. If you receive the UNSUPPORTED OPERATING SYSTEM! ABORTED! message, restart the computer and Security Check should run.


    Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
    • Other Services

    Press "Scan".
    It will create a log (FSS.txt) in the same directory the tool is run.
    Please copy and paste the log to your reply.


    Download Temp File Cleaner (TFC)
    Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    Download Sophos Free Virus Removal Tool and save it to your desktop.
    • Double click the icon and select Run
    • Click Next
    • Select I accept the terms in this license agreement, then click Next twice
    • Click Install
    • Click Finish to launch the program
    • Once the virus database has been updated click Start Scanning
    • If any threats are found click Details, then View log file... (bottom left hand corner)
    • Copy and paste the results in your reply
    • Close the Notepad document, close the Threat Details screen, then click Start cleanup
    • Click Exit to close the program
     
  7. 2016/07/05
    DCHammer

    DCHammer Well-Known Member Thread Starter

    Joined:
    2010/06/28
    Messages:
    224
    Likes Received:
    0
    Here is the checkup.txt log:

    Results of screen317's Security Check version 1.014 --- 12/23/15
    Windows 7 Service Pack 1 x86 (UAC is enabled)
    Internet Explorer 11
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    McAfee VirusScan Enterprise
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    SpywareBlaster 5.5
    SUPERAntiSpyware
    Secunia PSI (3.0.0.6005)
    Java 8 Update 91
    Java version 32-bit out of Date!
    Mozilla Firefox (Meeting.)
    Mozilla Thunderbird (45.1.1)
    Google Chrome (51.0.2704.103)
    Google Chrome (51.0.2704.106)
    Google Chrome (SetupMetrics.pma..)
    ````````Process Check: objlist.exe by Laurent````````
    McAfee VirusScan Enterprise VsTskMgr.exe
    McAfee VirusScan Enterprise mfeann.exe
    Malwarebytes Anti-Malware BusinessMessaging.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 0%
    ````````````````````End of Log``````````````````````
     
  8. 2016/07/05
    DCHammer

    DCHammer Well-Known Member Thread Starter

    Joined:
    2010/06/28
    Messages:
    224
    Likes Received:
    0
    FSS log:

    Farbar Service Scanner Version: 27-01-2016
    Ran by DCarlson (administrator) on 05-07-2016 at 21:09:13
    Running from "C:\Users\dcarlson\Desktop "
    Microsoft Windows 7 Enterprise Service Pack 1 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Policy:
    ========================


    Action Center:
    ============


    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
    "NoAutoUpdate "=DWORD:1


    Windows Defender:
    ==============

    Other Services:
    ==============


    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => File is digitally signed
    C:\Windows\system32\Drivers\nsiproxy.sys => File is digitally signed
    C:\Windows\system32\dhcpcore.dll => File is digitally signed
    C:\Windows\system32\Drivers\afd.sys => File is digitally signed
    C:\Windows\system32\Drivers\tdx.sys => File is digitally signed
    C:\Windows\system32\Drivers\tcpip.sys => File is digitally signed
    C:\Windows\system32\dnsrslvr.dll => File is digitally signed
    C:\Windows\system32\dnsapi.dll => File is digitally signed
    C:\Windows\system32\mpssvc.dll => File is digitally signed
    C:\Windows\system32\bfe.dll => File is digitally signed
    C:\Windows\system32\Drivers\mpsdrv.sys => File is digitally signed
    C:\Windows\system32\SDRSVC.dll => File is digitally signed
    C:\Windows\system32\vssvc.exe => File is digitally signed
    C:\Windows\system32\wscsvc.dll => File is digitally signed
    C:\Windows\system32\wbem\WMIsvc.dll => File is digitally signed
    C:\Windows\system32\wuaueng.dll => File is digitally signed
    C:\Windows\system32\qmgr.dll => File is digitally signed
    C:\Windows\system32\es.dll => File is digitally signed
    C:\Windows\system32\cryptsvc.dll => File is digitally signed
    C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
    C:\Windows\system32\ipnathlp.dll => File is digitally signed
    C:\Windows\system32\iphlpsvc.dll => File is digitally signed
    C:\Windows\system32\svchost.exe => File is digitally signed
    C:\Windows\system32\rpcss.dll => File is digitally signed


    **** End of log ****
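    The FRST fixlog a few posts up and the FSS log above between them touch four classes of artifact that are worth being able to re-check on any Windows box without a removal tool: browser and Windows Update policy keys (HKLM\SOFTWARE\Policies\Google, the Internet Explorer policy keys, NoAutoUpdate=1), Software Restriction Policy path rules (what FRST prints as "Group Policy restriction on software"), services registered with no ImagePath ("U3 mfeavfk01; no ImagePath"), and alternate data streams (C:\ProgramData\TEMP:5C321E34). The script below is an added, read-only audit I wrote for this thread; it is not code from FRST, FSS or the tools' authors, and it does not remove anything. It assumes PowerShell 3.0 or later (for Get-Item -Stream), an elevated prompt, the standard SRP registry layout under Safer\CodeIdentifiers, and that Get-Item -Stream enumerates named streams on directories, which it does on Windows PowerShell 5.1 in my experience.

```powershell
# Read-only audit of the artifact classes seen in the FRST fixlog and FSS log in this thread.
# Added example, not part of the thread and not code from FRST, FSS or their authors.
# Assumptions: PowerShell 3.0+ (Get-Item -Stream) and an elevated prompt so that
# HKLM\SYSTEM\CurrentControlSet\Services is readable. Nothing is modified.

$findings = New-Object System.Collections.Generic.List[string]

function Add-Finding {
    param([string]$Category, [string]$Detail)
    $findings.Add(('{0}: {1}' -f $Category, $Detail))
}

# 1. Browser and Windows Update policy keys. FRST flagged HKLM\SOFTWARE\Policies\Google and the
#    Internet Explorer policy keys; FSS flagged NoAutoUpdate=1. On a standalone PC these keys
#    normally do not exist at all; on a domain-joined PC they may be legitimate, so treat
#    the output as "review", not "remove".
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google',
    'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Internet Explorer'
)
foreach ($key in $policyKeys) {
    if (Test-Path -Path $key) {
        $sub = @(Get-ChildItem -Path $key -Recurse -ErrorAction SilentlyContinue).Count
        Add-Finding 'Policy key present' ('{0} ({1} subkeys)' -f $key, $sub)
    }
}
$au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
if (Test-Path -Path $au) {
    $noAuto = (Get-ItemProperty -Path $au -ErrorAction SilentlyContinue).NoAutoUpdate
    if ($noAuto -eq 1) {
        Add-Finding 'Windows Update disabled by policy' ('{0}\NoAutoUpdate = 1' -f $au)
    }
}

# 2. Software Restriction Policy path rules (FRST: "Group Policy restriction on software").
#    Assumed layout (standard SRP registry format):
#    ...\Safer\CodeIdentifiers\<level>\Paths\{GUID}, value ItemData = the path;
#    level 0 = Disallowed, 262144 = Unrestricted.
$srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (Test-Path -Path $srp) {
    Get-ChildItem -Path $srp -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\{[0-9A-Fa-f-]+\}$' } |
        ForEach-Object {
            $rule  = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            $level = ($_.PSPath -split '\\')[-3]    # '...\CodeIdentifiers\<level>\Paths\{GUID}'
            if ($rule.ItemData) {
                Add-Finding ('SRP path rule (level {0})' -f $level) $rule.ItemData
            }
        }
}

# 3. Services and drivers registered without an ImagePath (fixlog: "U3 mfeavfk01; no ImagePath").
#    A kernel driver with no ImagePath falls back to System32\drivers\<name>.sys, so this is a
#    review item rather than proof of malware; it mainly catches leftovers of uninstalled products.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    # Type 1/2 = kernel or file-system driver, 16/32 = Win32 service (own/shared process).
    if ((@(1, 2, 16, 32) -contains $p.Type) -and -not $p.ImagePath) {
        Add-Finding 'Service without ImagePath' $_.PSChildName
    }
}

# 4. Alternate data streams on the location FRST flagged (C:\ProgramData\TEMP:5C321E34).
#    Only named streams are reported; ':$DATA' is the ordinary file content.
#    Assumes Get-Item -Stream enumerates named streams on a directory (true on 5.1);
#    'cmd /c dir /r' on the parent folder is the fallback if it does not.
$adsTargets = @((Join-Path $env:ProgramData 'TEMP'))
foreach ($target in $adsTargets) {
    if (Test-Path -Path $target) {
        Get-Item -Path $target -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                Add-Finding 'Alternate data stream' ('{0}:{1} ({2} bytes)' -f $target, $_.Stream, $_.Length)
            }
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

    Run it before and after a cleanup and compare the two outputs; on a machine like the one in this thread (corporate, domain-joined, McAfee and SCCM present) you should expect some policy keys and the SCCM-related entries to be legitimate, and the point is to spot the ones nobody can account for.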
     
  9. 2016/07/05
    DCHammer

    DCHammer Well-Known Member Thread Starter

    Joined:
    2010/06/28
    Messages:
    224
    Likes Received:
    0
    TFC Complete. Sophos is running now.
     
  10. 2016/07/05
    DCHammer

    DCHammer Well-Known Member Thread Starter

    Joined:
    2010/06/28
    Messages:
    224
    Likes Received:
    0
    TFC is complete and Sophos is running. It blue screened the first time but this PC will do that so I'm not positive it was Sophos so I ran it again.
     
  11. 2016/07/06
    DCHammer

    DCHammer Well-Known Member Thread Starter

    Joined:
    2010/06/28
    Messages:
    224
    Likes Received:
    0
    Blue screened a second time as well. Can't get it to complete.
     
  12. 2016/07/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Try this...

    Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Click on "Run ESET Online Scanner" button.
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
     
  13. 2016/07/07
    DCHammer

    DCHammer Well-Known Member Thread Starter

    Joined:
    2010/06/28
    Messages:
    224
    Likes Received:
    0
    I discovered when running the ESET scan that there were huge, >30GB, backup files from my phone that were taking forever to scan. ESET also crashed the first time it ran. I eliminated everything that wasn't needed from those backups and the scan is running WAY faster.
    When it completes, I'll post the results. Should I go back and try running Sophos or RogueKiller which never completed successfully prior?
     
  14. 2016/07/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Just Eset will be fine :)
     
  15. 2016/07/08
    DCHammer

    DCHammer Well-Known Member Thread Starter

    Joined:
    2010/06/28
    Messages:
    224
    Likes Received:
    0
    It crashed twice more. Doesn't blue screen but I get a popup saying it stopped working.
     
  16. 2016/07/08
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Restart computer and try again.
     
  17. 2016/07/09
    DCHammer

    DCHammer Well-Known Member Thread Starter

    Joined:
    2010/06/28
    Messages:
    224
    Likes Received:
    0
    Same result after a reboot and making sure nothing else was running. It did say there was one infected file.
     
  18. 2016/07/09
    DCHammer

    DCHammer Well-Known Member Thread Starter

    Joined:
    2010/06/28
    Messages:
    224
    Likes Received:
    0
    I ran Sophos and it completed successfully now and said the computer is clean.
     
  19. 2016/07/09
    DCHammer

    DCHammer Well-Known Member Thread Starter

    Joined:
    2010/06/28
    Messages:
    224
    Likes Received:
    0
    I also just got RogueKiller to complete. Here is the log:

    RogueKiller V12.3.7.0 [Jul 4 2016] (Free) by Adlice Software
    mail : Contact - Adlice Software
    Feedback : Adlice forum
    Website : RogueKiller Anti-Malware Free Download - Official Website
    Blog : Adlice Software

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
    Started in : Normal mode
    User : DCarlson [Administrator]
    Started from : C:\Users\dcarlson\Desktop\RogueKiller (1).exe
    Mode : Delete -- Date : 07/09/2016 16:11:14

    ¤¤¤ Processes : 0 ¤¤¤

    ¤¤¤ Registry : 5 ¤¤¤
    [PUM.HomePage] HKEY_USERS\S-1-5-21-415762479-31080894-1349916565-56332\Software\Microsoft\Internet Explorer\Main | Start Page : about:Tabs -> Not selected
    [PUM.StartMenu] HKEY_USERS\S-1-5-21-415762479-31080894-1349916565-56332\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 2 -> Not selected
    [PUM.StartMenu] HKEY_USERS\S-1-5-21-415762479-31080894-1349916565-56332\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowSetProgramAccessAndDefaults : 0 -> Not selected
    [PUM.StartMenu] HKEY_USERS\S-1-5-21-415762479-31080894-1349916565-56332\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0 -> Not selected
    [PUM.StartMenu] HKEY_USERS\S-1-5-21-415762479-31080894-1349916565-56332\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 0 -> Not selected

    ¤¤¤ Tasks : 0 ¤¤¤

    ¤¤¤ Files : 0 ¤¤¤

    ¤¤¤ Hosts File : 0 ¤¤¤

    ¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: ST9500420AS ATA Device +++++
    --- User ---
    [MBR] 3798d94c74a705b0dff542acd010d05c
    [BSP] 104590634a464058998829dc02c7014d : Windows Vista/7/8|VT.Unknown MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 476627 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 976134144 | Size: 300 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    User = LL1 ... OK
    User = LL2 ... OK
     
  20. 2016/07/09
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Your computer is clean

    1. This step will remove all the cleaning tools we used; it'll reset restore points (so you won't get reinfected by accidentally using some older restore point) and make some other minor adjustments...
    This is a very crucial step, so make sure you don't skip it.
    Download DelFix by Xplode to your desktop. Delfix will delete all the used tools and logfiles.

    Double-click Delfix.exe to start the tool.
    Make sure the following items are checked:
    • Activate UAC (optional; some users prefer to keep it off)
    • Remove disinfection tools
    • Create registry backup
    • Purge System Restore
    • Reset system settings
    Now click "Run" and wait patiently.
    Once finished a logfile will be created. You don't have to attach it to your next reply.

    2. Make sure Windows Updates are current.

    3. If any trojans, rootkits or bootkits were listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    4. Check if your browser plugins are up to date.
    Firefox - Keep your Firefox healthy with a quick checkup
    other browsers: Qualys BrowserCheck (click on "Scan without installing plugin" and then on "Scan now")

    5. Download, and install WOT (Web OF Trust): Safe Browsing Tool | WOT (Web of Trust). It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC), AdwCleaner and Junkware Removal Tool (JRT) weekly (you need to redownload these tools since they were removed by DelFix).

    8. Download and install Secunia Personal Software Inspector (PSI): Personal Software Inspector. The Secunia PSI is a FREE security tool designed to detect vulnerable and outdated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. When installing\updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

    11. Read:
    How did I get infected?, With steps so it does not happen again!: How did I get infected? - Anti-Virus, Anti-Malware, and Privacy Software
    Simple and easy ways to keep your computer safe and secure on the Internet: Simple and easy ways to keep your computer safe and secure on the Internet
    About those Toolbars and Add-ons - Potentially Unwanted Programs (PUPs) which change your browser settings: Answers to common security questions - Best Practices - Anti-Virus, Anti-Malware, and Privacy Software

    12. Please, let me know, how your computer is doing.
     
  21. 2016/07/11
    DCHammer

    DCHammer Well-Known Member Thread Starter

    Joined:
    2010/06/28
    Messages:
    224
    Likes Received:
    0
    Thank you so much for your help. You've been a terrific support over the years. I'd have to look at the history to see how many different computers you've helped me with. It's been a few. Only mine twice though. :) Always helping friends.
     
