Unknown Infection - involves remote access, recorded tv, spybot and porn

44 replies to this topic

#16 bleedle

bleedle
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  • Gender:Female
  • Local time:05:15 PM

Posted 04 April 2016 - 02:04 AM

No files or folders seem to have been tampered with lately, nor have any programs appeared in my start up menu that I myself haven't opened. The last dates on files that appear to have been messed with are around 3/28.

 

Event viewer shows me the following information of concern. Could you review it as well? It's my own sloppy transcript typed quickly at night and does not contain all the listings:

 

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="sbNet" />
<EventID Qualifiers="0">100</EventID>
<Level>4</Level>
<Task>2</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2016-04-03T09:55:01.000000000Z" />
<EventRecordID>15844</EventRecordID>
<Channel>Application</Channel>
<Computer>Lee-PC</Computer>
<Security />
</System>
- <EventData>
<Data>Source: 127.0.0.1 URI: Message: Listening on port 21321</Data>
</EventData>
</Event>


Event 301 ESENT:
Windows (4040) Windows: The database engine has begun replaying logfile c:\programdata\microsoft\search\data\applications\windows\mss.log
Logged: 4/3/2016 12:47:41AM

System Event 20003, UserPnp
Driver Management has concluded the process to add service tunnel for device instance id root\*isatap\0001 with the following status: 0
Logged: 4/3/2016 12:36:18pm

System Event 7036, Service Control Manager
The following have entered the running state on 4/3/2016 (ending about 1:01 pm):
multimedia class scheduler
windows image acquisition (WIA) service
TCP/IP NetBIOS Helper
Intel Management Engine Interface driver
Driver Management has concluded the process to add Service tunnel for Device Instance ID ROOT\*ISATAP\0001 with the following status: 0
The WinHTTP Web Proxy Auto-Discovery Service service
The Software Protection service
PnP - X IP Bus Enumerator Service
Portable Device Enumerator Service
Microsoft .NET Framework NGEN v4.0.3.0.3.1.9_x64
" x86
Background Intelligent Transfer Service
Computer Browser Service
Peer Networking Grouping
Peer Name Resolution Protocol
Peer Networking Identity Manager
HomeGroup Listener Service
HomeGroup Provider Service
Function Discovery Provider Host

A new media server was not initialized because the windows media delivery engine did not initialize due to error '0x800700b7'
Media server 'lee-pc: lee' was successfully initialized and is sharing media with network media devices
(I'D REALLY RATHER IT WASN'T DOING THAT..)

Windows Search
SSDP discovery

SNMP service encountered an error while accessing the registry key system\currentcontrolset\services\snmp\parameters\extensionagents
" parameters\trapconfiguration
message queuing triggers
distributed link tracking client
program compatibility assistant
network location awareness service
MBAMService
function discovery resource publication
application host helper
encrypting file system
group profile policy
user profile service
remote procedure call (RPC)
RPC endpoint mapper
file system filter 'MBAMP' Protector IL has successfully loaded and registered with filter manager

***Working from the most recent events on back, I'm now at events logged around 4/3/2016 5:54:53am.  This is not all my notifications but hopefully gives you an idea of what is still here that I'm able to see that may still be of concern.***


Edited by bleedle, 04 April 2016 - 08:42 AM.
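A small triage helper for records like the sbNet event quoted in the post, added here as an example and not part of the original post or of any tool the thread mentions: it strips the "- " collapse markers Event Viewer's XML view adds, parses the record, and classifies a "Listening on port" notice by whether the listener binds to loopback. The sample record is a constructed copy of the posted event; the regexes assume the "Source: ... URI: ... Message: ..." layout shown above.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: the record quoted in the post, as Event Viewer's
# XML view displays it, including the "- " collapse markers it adds.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="sbNet" />
<EventID Qualifiers="0">100</EventID>
<Level>4</Level>
<Task>2</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2016-04-03T09:55:01.000000000Z" />
<EventRecordID>15844</EventRecordID>
<Channel>Application</Channel>
<Computer>Lee-PC</Computer>
<Security />
</System>
- <EventData>
<Data>Source: 127.0.0.1 URI: Message: Listening on port 21321</Data>
</EventData>
</Event>"""

# Assumed layout of the Data field, taken from the posted record.
DATA_RE = re.compile(
    r"Source:\s*(?P<source>\S*?)\s*URI:\s*(?P<uri>\S*?)\s*Message:\s*(?P<message>.*)"
)
PORT_RE = re.compile(r"Listening on port (\d+)")


def strip_viewer_markers(text):
    """Remove the leading '- ' Event Viewer puts before collapsible nodes."""
    return "\n".join(re.sub(r"^\s*-\s+(?=<)", "", line) for line in text.splitlines())


def parse_event(text):
    """Return the fields a reviewer cares about from one <Event> record."""
    root = ET.fromstring(strip_viewer_markers(text))
    system = root.find("e:System", NS)
    data_nodes = root.findall("e:EventData/e:Data", NS)
    return {
        "provider": system.find("e:Provider", NS).get("Name"),
        "event_id": int(system.find("e:EventID", NS).text),
        "level": int(system.find("e:Level", NS).text),
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "computer": system.find("e:Computer", NS).text,
        "data": " ".join((d.text or "") for d in data_nodes),
    }


def triage_listener(event):
    """Classify a 'Listening on port N' message by the address it binds to.

    Returns None when the event is not a listener notice."""
    m = DATA_RE.search(event["data"])
    if not m:
        return None
    port_match = PORT_RE.search(m.group("message"))
    if not port_match:
        return None
    source = m.group("source")
    try:
        local_only = ipaddress.ip_address(source).is_loopback
    except ValueError:
        local_only = False  # empty or unparsable source: do not assume loopback
    if local_only:
        verdict = "loopback-only listener, reachable from this host only"
    else:
        verdict = "network-reachable listener: confirm which program owns the port"
    return {"provider": event["provider"], "port": int(port_match.group(1)),
            "source": source, "local_only": local_only, "verdict": verdict}


if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT)
    print(ev)
    print(triage_listener(ev))
```

A loopback-only listener such as the one above is reachable only by programs on the same machine, so the question is which installed program owns port 21321, not whether it is exposed to the network.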




#17 oneof4

oneof4

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  • Gender:Male
  • Location:The Collective
  • Local time:04:15 PM

Posted 04 April 2016 - 09:16 AM

Let's run these two scans to get a more uniform look:
 
 
Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

==========
 
 
Please download MiniToolBox, save it to your desktop and run it. Checkmark the following checkboxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files
  • List Restore Points

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run. Note: When using "Reset FF Proxy Settings" option Firefox should be closed.


Best Regards,
oneof4.


#18 bleedle

bleedle
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  • Gender:Female
  • Local time:05:15 PM

Posted 05 April 2016 - 01:51 AM

Ok, I did download these programs again as instructed, saved them over the first ones I had downloaded and ran as admin. I forgot to unplug my speakers which connect via a USB and a headphone jack.

 

Farbar Service Scanner Version: 27-01-2016
Ran by Lee (administrator) on 05-04-2016 at 02:32:52
Running from "C:\Users\Lee\Desktop"
Microsoft Windows 7 Professional  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Policy:
========================


Action Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****

Now, MBT.txt:

 

MiniToolBox by Farbar  Version: 07-02-2016 01
Ran by Lee (administrator) on 05-04-2016 at 02:37:54
Running from "C:\Users\Lee\Desktop"
Microsoft Windows 7 Professional  Service Pack 1 (X64)
Model: HP ProBook 6460b Manufacturer: Hewlett-Packard
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================

There are 15472 entries.

========================= IP Configuration: ================================

Intel® Centrino® Advanced-N 6205 = Wireless Network Connection 2 (Connected)
avast! SecureLine TAP Adapter v3 = Local Area Connection 2 (Hardware not present)
Intel® 82579V Gigabit Network Connection = Local Area Connection (Media disconnected)
Microsoft Virtual WiFi Miniport Adapter = Wireless Network Connection (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

   Host Name . . . . . . . . . . . . : Lee-PC
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : Belkin

Wireless LAN adapter Wireless Network Connection 2:

   Connection-specific DNS Suffix  . : Belkin
   Description . . . . . . . . . . . : Intel® Centrino® Advanced-N 6205
   Physical Address. . . . . . . . . : 8C-70-5A-D4-30-38
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::e5c1:8226:75cf:1b07%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.2.3(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Sunday, April 03, 2016 5:54:58 AM
   Lease Expires . . . . . . . . . . : Friday, May 12, 2152 9:06:16 AM
   Default Gateway . . . . . . . . . : 192.168.2.1
   DHCP Server . . . . . . . . . . . : 192.168.2.1
   DHCPv6 IAID . . . . . . . . . . . : 227307610
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1D-92-51-3C-A0-B3-CC-23-8D-B0
   DNS Servers . . . . . . . . . . . : 192.168.2.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter
   Physical Address. . . . . . . . . : 8C-70-5A-D4-30-39
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : MAR02.pri
   Description . . . . . . . . . . . : Intel® 82579V Gigabit Network Connection
   Physical Address. . . . . . . . . : A0-B3-CC-23-8D-B0
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.Belkin:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : Belkin
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{37BC6EB9-4B24-4F4F-B7FB-2DA7AF404D3B}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.MAR02.pri:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:5cf2:8c15:3026:23d6:3f57:fdfc(Preferred)
   Link-local IPv6 Address . . . . . : fe80::3026:23d6:3f57:fdfc%12(Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled
Server:  UnKnown
Address:  192.168.2.1

Name:    google.com
Addresses:  2607:f8b0:4004:80b::200e
      216.58.217.142


Pinging google.com [216.58.217.142] with 32 bytes of data:
Reply from 216.58.217.142: bytes=32 time=27ms TTL=57
Reply from 216.58.217.142: bytes=32 time=27ms TTL=57

Ping statistics for 216.58.217.142:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 27ms, Maximum = 27ms, Average = 27ms
Server:  UnKnown
Address:  192.168.2.1

Name:    yahoo.com
Addresses:  2001:4998:44:204::a7
      2001:4998:58:c02::a9
      2001:4998:c:a06::2:4008
      98.138.253.109
      98.139.183.24
      206.190.36.45


Pinging yahoo.com [98.138.253.109] with 32 bytes of data:
Reply from 98.138.253.109: bytes=32 time=57ms TTL=52
Reply from 98.138.253.109: bytes=32 time=57ms TTL=52

Ping statistics for 98.138.253.109:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 57ms, Maximum = 57ms, Average = 57ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 13...8c 70 5a d4 30 38 ......Intel® Centrino® Advanced-N 6205
 14...8c 70 5a d4 30 39 ......Microsoft Virtual WiFi Miniport Adapter
 11...a0 b3 cc 23 8d b0 ......Intel® 82579V Gigabit Network Connection
  1...........................Software Loopback Interface 1
 17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 31...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
 12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1      192.168.2.3     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.2.0    255.255.255.0         On-link       192.168.2.3    281
      192.168.2.3  255.255.255.255         On-link       192.168.2.3    281
    192.168.2.255  255.255.255.255         On-link       192.168.2.3    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       192.168.2.3    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       192.168.2.3    281
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 12     58 ::/0                     On-link
  1    306 ::1/128                  On-link
 12     58 2001::/32                On-link
 12    306 2001:0:5cf2:8c15:3026:23d6:3f57:fdfc/128
                                    On-link
 13    281 fe80::/64                On-link
 12    306 fe80::/64                On-link
 12    306 fe80::3026:23d6:3f57:fdfc/128
                                    On-link
 13    281 fe80::e5c1:8226:75cf:1b07/128
                                    On-link
  1    306 ff00::/8                 On-link
 12    306 ff00::/8                 On-link
 13    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 07 C:\Windows\SysWOW64\wshbth.dll [36352] (Microsoft Corporation)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 11 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 12 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 13 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog5 07 C:\Windows\System32\wshbth.dll [47104] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 11 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 12 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 13 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (04/03/2016 05:55:02 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/03/2016 12:47:21 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/02/2016 12:52:54 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/02/2016 11:21:22 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/01/2016 01:39:44 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/31/2016 02:25:39 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/30/2016 01:47:51 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/29/2016 03:28:45 AM) (Source: Application Error) (User: )
Description: Faulting application name: SDFSSvc.exe, version: 2.4.40.217, time stamp: 0x535a5114
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0x00000000
Fault offset: 0x00000000
Faulting process id: 0x9f8
Faulting application start time: 0xSDFSSvc.exe0
Faulting application path: SDFSSvc.exe1
Faulting module path: SDFSSvc.exe2
Report Id: SDFSSvc.exe3

Error: (03/28/2016 08:21:15 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/28/2016 01:57:58 PM) (Source: ESENT) (User: )
Description: WinMail (3372) WindowsMail0: The backup has been stopped because it was halted by the client or the connection with the client failed.


System errors:
=============
Error: (04/03/2016 05:55:11 AM) (Source: WMPNetworkSvc) (User: )
Description: 0x800700b7

Error: (04/03/2016 05:55:11 AM) (Source: WMPNetworkSvc) (User: )
Description: 00x800700b7http://+:10243/WMPNSSv4/2811996591/

Error: (04/03/2016 05:55:11 AM) (Source: WMPNetworkSvc) (User: )
Description: 0x800700b7

Error: (04/03/2016 05:55:11 AM) (Source: WMPNetworkSvc) (User: )
Description: 00x800700b7http://+:10243/WMPNSSv4/2811996591/

Error: (04/03/2016 05:55:05 AM) (Source: SNMP) (User: )
Description: The SNMP Service encountered an error while accessing the registry key SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ExtensionAgents.

Error: (04/03/2016 05:55:05 AM) (Source: SNMP) (User: )
Description: The SNMP Service encountered an error while accessing the registry key SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ExtensionAgents.

Error: (04/03/2016 05:55:05 AM) (Source: SNMP) (User: )
Description: The SNMP Service encountered an error while accessing the registry key SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration.

Error: (04/03/2016 05:54:58 AM) (Source: Service Control Manager) (User: )
Description: The Par1284 service failed to start due to the following error:
%%1275

Error: (04/03/2016 05:54:58 AM) (Source: Application Popup) (User: )
Description: \??\C:\Program Files\FlexiSIGN-PRO 8.1v1\Program\Par1284.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (04/03/2016 12:47:42 AM) (Source: WMPNetworkSvc) (User: )
Description: 0x800700b7


Microsoft Office Sessions:
=========================
Error: (04/03/2016 05:55:02 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/03/2016 12:47:21 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/02/2016 12:52:54 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/02/2016 11:21:22 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/01/2016 01:39:44 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/31/2016 02:25:39 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/30/2016 01:47:51 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/29/2016 03:28:45 AM) (Source: Application Error)(User: )
Description: SDFSSvc.exe2.4.40.217535a5114unknown0.0.0.00000000000000000000000009f801d18950e58330caC:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exeunknownde9a2c46-f57f-11e5-baed-a0b3cc238db0

Error: (03/28/2016 08:21:15 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/28/2016 01:57:58 PM) (Source: ESENT)(User: )
Description: WinMail3372WindowsMail0:


CodeIntegrity Errors:
===================================
  Date: 2016-04-05 02:37:50.688
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\AESTAR64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-04-05 02:34:20.700
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\AESTAR64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-04-05 02:32:34.797
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\AESTAR64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-04-05 00:22:28.278
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\AESTAR64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-04-04 23:12:35.081
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\AESTAR64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-04-04 22:29:09.237
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\AESTAR64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-04-04 22:17:31.269
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\AESTAR64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-04-04 22:12:58.323
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\AESTAR64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-04-04 22:04:24.609
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\AESTAR64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-04-04 22:04:21.578
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\AESTAR64.dll because the set of per-page image hashes could not be found on the system.


=========================== Installed Programs ============================

Avast Free Antivirus (HKLM-x32\...\Avast) (Version: 11.1.2253 - AVAST Software)
ERUNT 1.1j (HKLM-x32\...\ERUNT_is1) (Version:  - Lars Hederer)
FlexiSIGN-PRO 8.1v1 (HKLM-x32\...\{DE904758-4539-4EE7-8F09-6EC07F6AC383}) (Version: 1.00.0000 - Scanvec Amiable)
GIMP 2.8.14 (HKLM\...\GIMP-2_is1) (Version: 2.8.14 - The GIMP Team)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 49.0.2623.110 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.29.5 - Google Inc.) Hidden
IDT Audio (HKLM-x32\...\{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}) (Version: 1.0.6433.0 - IDT)
Intel® Network Connections Drivers (HKLM\...\PROSet) (Version: 18.1 - Intel)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.3347 - Intel Corporation)
Intel® SDK for OpenCL - CPU Only Runtime Package (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 2.0.0.37149 - Intel Corporation)
IObit Unlocker (HKLM-x32\...\IObit Unlocker_is1) (Version: 1.1 - IObit)
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Mozilla Firefox 45.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 45.0.1 (x86 en-US)) (Version: 45.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 45.0.0.5906 - Mozilla)
SafeZone Stable 1.48.2066.95 (HKLM-x32\...\SafeZone 1.48.2066.95) (Version: 1.48.2066.95 - Avast Software) Hidden
Skype™ 7.18 (HKLM-x32\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.18.112 - Skype Technologies S.A.)
Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)

========================= Devices: ================================

Name: avast! SecureLine TAP Adapter v3
Description: avast! SecureLine TAP Adapter v3
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: TAP-Windows Provider V9
Service: aswTap
Device ID: ROOT\NET\0000
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


========================= Memory info: ===================================

Percentage of memory in use: 27%
Total physical RAM: 6078.36 MB
Available physical RAM: 4427.52 MB
Total Virtual: 12154.92 MB
Available Virtual: 10165.3 MB

========================= Partitions: =====================================

1 Drive c: (Windows) (Fixed) (Total:234.45 GB) (Free:177.87 GB) NTFS

========================= Users: ========================================

User accounts for \\LEE-PC

Administrator            Guest                    Lee                      
Lee3                     

========================= Minidump Files ==================================

No minidump file found

========================= Restore Points ==================================

20-03-2016 18:45:20 Windows Modules Installer
22-03-2016 14:53:18 Windows Update
25-03-2016 17:30:07 Windows Update
26-03-2016 15:27:33 Removed Microsoft Silverlight
26-03-2016 16:21:22 Windows Modules Installer
28-03-2016 17:48:38 freshstndoldwindows
29-03-2016 11:11:07 Windows Update
01-04-2016 13:38:22 Windows Update
01-04-2016 17:37:33 Restore Point Created by FRST

**** End of log ****
still have 15,000 porn files having a good ol time on my computer. Off to make sure user account "Lee3" isn't an admin account... it's not supposed to be.

Have a great night/morning.



#19 oneof4

oneof4

  •  Avatar image
  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Collective
  • Local time:04:15 PM

Posted 05 April 2016 - 05:55 PM

Hey bleedle, :)

 

 

We need to search for a few things with SystemLook:

 

  • Please download SystemLook (64-bit) by jpshortstuff and save it to your desktop
  • Double-click the program to run it, paste the entire text into the main text box:
    :dir
    C:\RPKTools /s
    
  • Click the Look button to start the scan
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

 



Best Regards,
oneof4.


#20 oneof4

oneof4

  •  Avatar image
  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Collective
  • Local time:04:15 PM

Posted 05 April 2016 - 05:58 PM

Hey bleedle, :)

 

 

We need to search for a few things with SystemLook:

 

  • Please download SystemLook (64-bit) by jpshortstuff and save it to your desktop
  • Double-click the program to run it, paste the entire text into the main text box:
    :dir
    C:\RPKTools /s
    
  • Click the Look button to start the scan
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Best Regards,
oneof4.


#21 bleedle

bleedle
  • Topic Starter

  •  Avatar image
  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:15 PM

Posted 06 April 2016 - 07:38 AM

**I assumed I was to "run as admin", so I did. All the dates listed appear to be before I bought this refurbished laptop in Sept 2015:**

 

 

SystemLook 30.07.11 by jpshortstuff
Log created at 08:32 on 06/04/2016 by Lee
Administrator - Elevation successful

========== dir ==========

C:\RPKTools - Parameters: "/s"

---Files---
CabExtractor (2).exe    --a---- 62600 bytes    [16:56 25/11/2014]    [08:52 15/04/2013]
CabExtractor.exe    --a---- 62600 bytes    [16:56 25/11/2014]    [08:52 15/04/2013]
closesysprep (2).bat    --a---- 38 bytes    [16:56 25/11/2014]    [15:07 26/11/2014]
closesysprep.bat    --a---- 38 bytes    [16:56 25/11/2014]    [15:07 26/11/2014]
copy_unattend (2).bat    --a---- 396 bytes    [16:56 25/11/2014]    [15:07 26/11/2014]
copy_unattend.bat    --a---- 396 bytes    [16:56 25/11/2014]    [15:07 26/11/2014]
CreateDriverInjectionTask (2).bat    --a---- 197 bytes    [16:56 25/11/2014]    [15:07 26/11/2014]
CreateDriverInjectionTask.bat    --a---- 197 bytes    [16:56 25/11/2014]    [15:07 26/11/2014]
createtask (2).bat    --a---- 178 bytes    [16:56 25/11/2014]    [15:07 26/11/2014]
createtask.bat    --a---- 178 bytes    [16:56 25/11/2014]    [15:07 26/11/2014]
findstr (2).exe    --a---- 62464 bytes    [16:56 25/11/2014]    [13:01 23/05/2013]
findstr.exe    --a---- 62464 bytes    [16:56 25/11/2014]    [13:01 23/05/2013]
GetDeviceList (2).exe    --a---- 91272 bytes    [16:56 25/11/2014]    [08:52 15/04/2013]
GetDeviceList.exe    --a---- 91272 bytes    [16:56 25/11/2014]    [08:52 15/04/2013]
Reseal to Audit (2).lnk    --a---- 1788 bytes    [16:56 25/11/2014]    [13:01 23/05/2013]
Reseal to Audit.lnk    --a---- 1788 bytes    [16:56 25/11/2014]    [13:01 23/05/2013]
Reseal to OOBE (2).lnk    --a---- 1783 bytes    [16:56 25/11/2014]    [13:01 23/05/2013]
Reseal to OOBE.lnk    --a---- 1783 bytes    [16:56 25/11/2014]    [13:01 23/05/2013]
reseal_to_audit (2).bat    --a---- 383 bytes    [16:56 25/11/2014]    [15:07 26/11/2014]
reseal_to_audit.bat    --a---- 383 bytes    [16:56 25/11/2014]    [15:07 26/11/2014]
reseal_to_oobe (2).bat    --a---- 382 bytes    [16:56 25/11/2014]    [15:07 26/11/2014]
reseal_to_oobe.bat    --a---- 382 bytes    [16:56 25/11/2014]    [15:07 26/11/2014]
RPKDriverInst (2).bat    --a---- 348 bytes    [16:56 25/11/2014]    [15:07 26/11/2014]
RPKDriverInst (2).exe    --a---- 209032 bytes    [16:56 25/11/2014]    [08:52 15/04/2013]
RPKDriverInst.bat    --a---- 348 bytes    [16:56 25/11/2014]    [15:07 26/11/2014]
RPKDriverInst.exe    --a---- 209032 bytes    [16:56 25/11/2014]    [08:52 15/04/2013]
RpkHal (2).exe    --a---- 170120 bytes    [16:56 25/11/2014]    [08:52 15/04/2013]
RpkHal.exe    --a---- 170120 bytes    [16:56 25/11/2014]    [08:52 15/04/2013]
RPKRestore (2).exe    --a---- 860808 bytes    [16:56 25/11/2014]    [08:52 15/04/2013]
RPKRestore.exe    --a---- 860808 bytes    [16:56 25/11/2014]    [08:52 15/04/2013]
Run DMC (2).lnk    --a---- 1734 bytes    [16:56 25/11/2014]    [13:01 23/05/2013]
Run DMC.lnk    --a---- 1734 bytes    [16:56 25/11/2014]    [13:01 23/05/2013]
Run Driver Injection (2).lnk    --a---- 2651 bytes    [16:56 25/11/2014]    [13:01 23/05/2013]
Run Driver Injection.lnk    --a---- 2651 bytes    [16:56 25/11/2014]    [13:01 23/05/2013]
rundmc (2).bat    --a---- 89 bytes    [16:56 25/11/2014]    [15:07 26/11/2014]
rundmc.bat    --a---- 89 bytes    [16:56 25/11/2014]    [15:07 26/11/2014]
unattend_reseal (2).xml    --a---- 3321 bytes    [16:56 25/11/2014]    [15:07 26/11/2014]
unattend_reseal.xml    --a---- 3321 bytes    [16:56 25/11/2014]    [15:07 26/11/2014]

C:\RPKTools\DMC    d-a----    [16:56 25/11/2014]
DMC (2).exe    --a---- 227464 bytes    [16:56 25/11/2014]    [05:40 15/04/2013]
DMC.exe    --a---- 227464 bytes    [16:56 25/11/2014]    [05:40 15/04/2013]
DMC.exe (2).config    --a---- 1799 bytes    [16:56 25/11/2014]    [15:05 12/04/2013]
DMC.exe.config    --a---- 1799 bytes    [16:56 25/11/2014]    [15:05 12/04/2013]

C:\RPKTools\DMC\Locales    d-a----    [16:56 25/11/2014]
ar-EG (2).xml    --a---- 4269 bytes    [16:56 25/11/2014]    [13:59 05/04/2013]
ar-EG.xml    --a---- 4269 bytes    [16:56 25/11/2014]    [13:59 05/04/2013]
cs-CZ (2).xml    --a---- 3643 bytes    [16:56 25/11/2014]    [13:59 05/04/2013]
cs-CZ.xml    --a---- 3643 bytes    [16:56 25/11/2014]    [13:59 05/04/2013]
de-DE (2).xml    --a---- 3778 bytes    [16:56 25/11/2014]    [13:59 05/04/2013]
de-DE.xml    --a---- 3778 bytes    [16:56 25/11/2014]    [13:59 05/04/2013]
en-US (2).xml    --a---- 3444 bytes    [16:56 25/11/2014]    [13:59 05/04/2013]
en-US.xml    --a---- 3444 bytes    [16:56 25/11/2014]    [13:59 05/04/2013]
es-ES (2).xml    --a---- 3819 bytes    [16:56 25/11/2014]    [13:59 05/04/2013]
es-ES.xml    --a---- 3819 bytes    [16:56 25/11/2014]    [13:59 05/04/2013]
fr-FR (2).xml    --a---- 3863 bytes    [16:56 25/11/2014]    [13:59 05/04/2013]
fr-FR.xml    --a---- 3863 bytes    [16:56 25/11/2014]    [13:59 05/04/2013]
ja-JP (2).xml    --a---- 4227 bytes    [16:56 25/11/2014]    [13:59 05/04/2013]
ja-JP.xml    --a---- 4227 bytes    [16:56 25/11/2014]    [13:59 05/04/2013]
ko-KR (2).xml    --a---- 3873 bytes    [16:56 25/11/2014]    [13:59 05/04/2013]
ko-KR.xml    --a---- 3873 bytes    [16:56 25/11/2014]    [13:59 05/04/2013]
pl-PL (2).xml    --a---- 3691 bytes    [16:56 25/11/2014]    [13:59 05/04/2013]
pl-PL.xml    --a---- 3691 bytes    [16:56 25/11/2014]    [13:59 05/04/2013]
pt-BR (2).xml    --a---- 3678 bytes    [16:56 25/11/2014]    [13:59 05/04/2013]
pt-BR.xml    --a---- 3678 bytes    [16:56 25/11/2014]    [13:59 05/04/2013]
ru-RU (2).xml    --a---- 4870 bytes    [16:56 25/11/2014]    [13:59 05/04/2013]
ru-RU.xml    --a---- 4870 bytes    [16:56 25/11/2014]    [13:59 05/04/2013]

C:\RPKTools\DriverInjection    d-a----    [16:56 25/11/2014]
DriverInjection (2).exe    --a---- 82944 bytes    [16:56 25/11/2014]    [12:46 23/05/2013]
driverinjection (2).log    --a---- 486 bytes    [17:03 25/11/2014]    [17:41 26/11/2014]
DriverInjection.exe    --a---- 82944 bytes    [16:56 25/11/2014]    [12:46 23/05/2013]
DriverInjection.exe (2).config    --a---- 3044 bytes    [16:56 25/11/2014]    [13:59 05/04/2013]
DriverInjection.exe.config    --a---- 3044 bytes    [16:56 25/11/2014]    [13:59 05/04/2013]
driverinjection.log    --a---- 486 bytes    [17:03 25/11/2014]    [17:41 26/11/2014]
LinqKit (2).dll    --a---- 16896 bytes    [16:56 25/11/2014]    [09:20 23/05/2013]
LinqKit.dll    --a---- 16896 bytes    [16:56 25/11/2014]    [09:20 23/05/2013]

-= EOF =-



#22 oneof4

oneof4

  •  Avatar image
  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Collective
  • Local time:04:15 PM

Posted 06 April 2016 - 06:44 PM

Okay, doing a little research I have found that those files are harmless.

 

I do have a question concerning another "hidden" file that shows up, do you recognize this?

2016-03-28 14:08 - 2016-03-28 14:08 - 00000000 ____H C:\Users\Lee3\Documents\Default.rdp

 

==========

 

I missed a bad IP entry from the FRST scan, so let's now remove it...

 

Download attached fixlist.txt file and save it to the Desktop.

 


NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system


Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.


Attached Files


Best Regards,
oneof4.


#23 bleedle

bleedle
  • Topic Starter

  •  Avatar image
  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:15 PM

Posted 06 April 2016 - 10:32 PM

"I do have a question concerning another "hidden" file that shows up, do you recognize this?

2016-03-28 14:08 - 2016-03-28 14:08 - 00000000 ____H C:\Users\Lee3\Documents\Default.rdp"

 

- Not particularly, as in I didn't (purposely) create it, but it appears as though I may have created the "Lee3" standard user profile perhaps 10 minutes before. It's a remote desktop file though and that's what I'm concerned with. I am the only person using this laptop here or elsewhere... or at least, I should be.

 

 

 

Fix result of Farbar Recovery Scan Tool (x64) Version:05-03-2016 01
Ran by Lee (2016-04-06 23:15:10) Run:2
Running from C:\Users\Lee\Desktop
Loaded Profiles: Lee (Available Profiles: Lee & Lee3 & Administrator)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:

Tcpip\..\Interfaces\{0F187158-005D-405E-8A18-55C3979BAFDB}: [DhcpNameServer] 192.168.5.2

*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0F187158-005D-405E-8A18-55C3979BAFDB}\\DhcpNameServer => value removed successfully


The system needed a reboot.

==== End of Fixlog 23:15:20 ====



#24 oneof4

oneof4

  •  Avatar image
  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Collective
  • Local time:04:15 PM

Posted 07 April 2016 - 05:50 AM

And you yourself have never used Remote Desktop on this machine?


Best Regards,
oneof4.


#25 bleedle

bleedle
  • Topic Starter

  •  Avatar image
  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:15 PM

Posted 07 April 2016 - 01:23 PM

No. I use the Windows HomeGroup network, but not remote access. This is what concerns me, because I'm an indie journalist. This is my machine only and I need it on lockdown. The industry I write about has had arrests made for hackers in the past. I noticed earlier in March a 3rd-party root certificate from UserTrust had installed itself onto my machine. When I looked it up I found a Tor blog from about 5 years ago that details a vulnerability in this cert that allows a person to impersonate you on your machine undetected. Since that was installed I have had a few files directly related to my research in this field either be emptied, or saved over as blank. The certificate comes from the same city that this industry is centered in... which is why I noticed it at all. I don't think I have malware, I think I have a hacker. I'll also mention that my searches via search engines have seemed like complete garbage ever since.

 

I've gone into the rdp settings to mess them up, like choosing to connect with a 56k modem, not allowing printer and clipboard access, all the worst settings to prevent this from happening, but within a day or two it's all reset for premium access. Somewhere I do have "do not allow remote access to this computer" chosen, which remains, but if someone is connecting and they're not using the usual means to do it, then I'm not sure that's enough.


Edited by bleedle, 07 April 2016 - 01:31 PM.


#26 oneof4

oneof4

  •  Avatar image
  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Collective
  • Local time:04:15 PM

Posted 07 April 2016 - 03:06 PM

Well then, let's just remove it:

 

Download attached fixlist.txt file and save it to the Desktop.

 


NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system


Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

After running the fix, update me on your computer's behavior.

Attached Files


Best Regards,
oneof4.


#27 bleedle

bleedle
  • Topic Starter

  •  Avatar image
  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:15 PM

Posted 07 April 2016 - 08:33 PM

**Yes, sir! Can you check for more .rdp files on my machine? 3/28 certainly wasn't the first time I started having issues with them, but it was likely the day I deleted the old standard account and opened the new one, "Lee3", instead. I don't need it or really use it anymore... should I delete it? Remember, I'm ready to wipe my whole drive spotless and install a trusted version of windows from scratch to make this problem go away.**

 

 

 

Fix result of Farbar Recovery Scan Tool (x64) Version:05-03-2016 01
Ran by Lee (2016-04-07 21:28:58) Run:3
Running from C:\Users\Lee\Desktop
Loaded Profiles: Lee (Available Profiles: Lee & Lee3 & Administrator)
Boot Mode: Normal
==============================================

fixlist content:
*****************
2016-03-28 14:08 - 2016-03-28 14:08 - 00000000 ____H C:\Users\Lee3\Documents\Default.rdp
*****************

C:\Users\Lee3\Documents\Default.rdp => moved successfully

==== End of Fixlog 21:28:58 ====
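Posts #25 and #27 raise two checks a defender would want to make on this machine: whether Remote Desktop is actually enabled and who is allowed to use it (including whether "Lee3" is an administrator), and whether any other .rdp files exist besides the Default.rdp that FRST moved. The read-only audit below is an added example, not something oneof4 or FRST produced; it uses the standard Terminal Server registry keys and the built-in `net localgroup` and `netstat` commands, and assumes an elevated PowerShell prompt on the affected Windows 7 system.

```powershell
# Added example, not from the thread: read-only audit of Remote Desktop state,
# remote-capable accounts and .rdp connection files. Changes nothing.

$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$ts\WinStations\RDP-Tcp"

# fDenyTSConnections = 1 means "Don't allow connections to this computer".
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
# UserAuthentication = 1 means Network Level Authentication is required.
$nla  = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
# PortNumber is normally 3389; a changed value is worth knowing about.
$port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber -ErrorAction SilentlyContinue).PortNumber

"Remote Desktop connections denied (fDenyTSConnections): $deny   (1 = RDP off, 0 = RDP on)"
"Network Level Authentication required (UserAuthentication): $nla   (1 = required)"
"RDP-Tcp listener port: $port"

# Is anything listening on that port right now? The last column of netstat -ano is the owning PID.
"--- Sockets on the RDP port ---"
netstat -ano | Select-String -Pattern (":" + $port + "\s")

# Local group membership: who may log on remotely, and who is an administrator.
# The thread's specific worry was whether the "Lee3" account is an administrator.
foreach ($group in 'Administrators', 'Remote Desktop Users') {
    "--- Members of local group '$group' ---"
    net localgroup $group |
        Select-Object -Skip 6 |
        Where-Object { $_ -and $_ -notmatch 'completed successfully' }
}

# Every .rdp file under C:\Users, hidden files included (Default.rdp carried the H attribute),
# with its timestamps and the 'full address:s:' line naming the host it connects to.
"--- .rdp files under C:\Users ---"
Get-ChildItem -Path 'C:\Users' -Filter '*.rdp' -Recurse -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, CreationTime, LastWriteTime, Length,
        @{ Name = 'Hidden'; Expression = { [bool]($_.Attributes -band [IO.FileAttributes]::Hidden) } },
        @{ Name = 'FullAddress'; Expression = {
            # A zero-byte file (like the one FRST moved) simply yields no address.
            $m = Select-String -Path $_.FullName -Pattern '^full address:s:(.*)$' -ErrorAction SilentlyContinue |
                 Select-Object -First 1
            if ($m) { $m.Matches[0].Groups[1].Value } else { '' }
        } } |
    Format-Table -AutoSize
```

Anything the script reports as enabled, listening or present that the owner did not configure is what to raise with the helper, together with the Event Viewer entries already quoted in the thread.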



#28 bleedle

bleedle
  • Topic Starter

  •  Avatar image
  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:15 PM

Posted 07 April 2016 - 09:05 PM

As for an update on how my machine is behaving... I tend to notice a lot of things, and am completely self-taught through experience doing so - so what I notice might not be relevant, but I'll list peculiar happenings and notices here as I come across them beginning now, 10pm on 4/7. Leading up until now there were noticeable system audit failures searching for my old and new standard user accounts leading up until the time you started working with me, but I'll skip those for now.

 

- To begin, I just noticed I cannot edit how my icons appear in the task bar (when I right-click the Windows button, select "properties", and then "customize" under the taskbar tab. I have been able to use this option before...). Nor can I select "restore default icon behaviors". The options are there, but they're greyed out - clicking on them does nothing. Heading to event viewer now...

 

 

[*****UPDATE 10:40pm:*****]

 

I know I said I'd begin with 10pm, but these came up under "applications" in event viewer when I turned my computer on at 9:18pm this evening. I apologize if this is a whole lot of nothing...

 

- The EventSystem sub system is suppressing duplicate event log entries for a duration of 86400 seconds.
- The User Profile Service has started successfully
- Message Queuing service started
- The description for Event ID 100 from source sbNet cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. Source: 127.0.0.1 (WHICH IS THE DRIVE THAT HOLDS ALL THE PORN ON MY COMPUTER...), Message listening on port 21323
- same notice as above, message listing on port 21322
- skype update started
- The description for event ID 100 from source sbNet cannot be found... (that one again), this time message listening on port 21321
- Event filter with query "select * from _InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected
    - "error 0x80041003" is responsible for a lot of questionable logs in my event viewer
- The Windows Security Center Service has started
- Windows Management Instrumentation Service subsystems initialized successfully
- Windows Management Instrumentation Service started sucessfully [<----**this word is misspelled**]
- Message Queuing Triggers started successfully
- The winlogon notification subscriber <sessionenv> was unavailable to handle a notification event
- Windows license validated
- The description for Event ID 100 from source sbNet cannot be found ... [**AGAIN! This time, message listening on port 21327**]
- Windows (3448) Windows: The database engine has begun replaying logfile C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log (source: ESENT)
    - OMGoodness what IS that?!
- Windows (3448) Windows: The database engine has successfully completed recovery steps. (Source: ESENT)
- Windows (3448) Windows: The database engine (6.01.7601.0000) started a new instance (0)
- Windows (3448) Windows: The database engine is initiating recovery steps.
- The Windows Search Service started
- SkypeUpdate service is shutting down due to idle timeout.
- Skype stopped
- Software Protection service is starting
- The description for Event ID 0 from source gupdate cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted.
- Initialization status for service objects:
C:\Windows\system32\sppwinob.dll, msft:spp/windowsfunctionality/agent/7.0, 0x00000000, 0x00000000
C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/phone/1.0, 0x00000000, 0x00000000
C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/pkey/2005, 0x00000000, 0x00000000
C:\Windows\system32\sppobjs.dll, msft:spp/TaskScheduler/1.0, 0x00000000, 0x00000000
C:\Windows\system32\sppobjs.dll, msft:spp/volume/services/kms/1.0, 0x00000000, 0x00000000
C:\Windows\system32\sppobjs.dll, msft:spp/volume/services/kms/licenserenewal/1.0, 0x00000000, 0x00000000
Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-SPP" Guid="{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}" EventSourceName="Software Protection Platform Service" />
- The software protection service has started. 6.1.7601.17514
- The software protection service has completed licensing status check. Application Id = 55c92734-d682-4d71-983e-d6ec3f16059f. Licensing Status = [**followed by 21 lines of code**]
- The description for Event ID 1903 from source HHCTRL cannot be found. Either the component that raises this event is not installed on your local computer.... (etc. This error happens a lot, usually at 5 min intervals, think it's something in the task scheduler)
- Then THESE LoadPerf entries... "Performance counters for the WmiApRpl (WmiApRpl) service were removed successfully. The Record Data contains the new values of the system Last Counter and Last Help registry entries.
and
- Performance counters for the WmiApRpl (WmiApRpl) service were loaded successfully. The Record Data in the data section contains the new index values assigned to this service.
- The software protection service has stopped.

 

Then it's back to my regularly scheduled "the description for event ID 1903 from source HHCTRL cannot be found" errors every 5 minutes like clockwork right up until 10pm. This all happened between the time I started my computer at 9:18 and ran your fixlist at 10. I didn't run anything before that, just pushed the power button and came to check this thread, and some Facebook messages using incognito views in Firefox and Google Chrome. All but about 3 of these are from "User: N/A".


Edited by bleedle, 07 April 2016 - 09:44 PM.


#29 bleedle

bleedle
  • Topic Starter

  •  Avatar image
  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:15 PM

Posted 08 April 2016 - 08:58 AM

Reviewing my files for when they were last accessed, I found an out-of-place JPG called "mule to break" on 3/30. It was a picture of a donkey with a password on it - I'd never seen it before. Immediately before that was a text file that contained this line:

- 2016:04:04 09:33:31.0194 PID: 06472 THREAD: 09752 - CGuideSource::OpenDatabase() - Verified database C:\ProgramData\Microsoft\eHome\mcepg2-1.db exists

When you navigate there you find a handful of logs. The one called "FirstRun" has logs from "Lee" and "My-LT" (which I had DELETED, but is now once again a folder in "Users"; it's locked, as are, inexplicably, most of the accounts there, it's "shared", and says it was created July 2009... I had originally created it last month.) Entries in this log look like this, for example:
  <Optional_Sections t="14:28:12">
        <NavigateTo t="14:28:12" Page="fr.chooserpage.xml" Nav="Forward" />
        <Choice t="14:28:23" Number="3" Name="Set up my media libraries" />
        <FirstRunModule t="14:28:23" Name="MediaDiscovery">
            <NavigateTo t="14:28:23" Page="fr.consolidatedLibrary.xml" Nav="Forward" />
            <FirstRunModuleFinish t="14:29:15" Name="MediaDiscovery" Duration="0:51.787" Reason="Ended" />
        </FirstRunModule>
        <FirstRunModule t="14:29:15" Name="RecordedTVDiscovery">
            <NavigateTo t="14:29:15" Page="fr.qmediasearch.xml" Nav="Forward" />
            <NavigateTo t="14:30:00" Page="fr.qfolderslocation.xml" Nav="Forward" />
            <NavigateTo t="14:30:09" Page="fr.networkshareslist.xml" Nav="Forward" />
            <NavigateTo t="14:30:18" Page="fr.folderschanged.xml" Nav="Forward" />
            <FirstRunModuleFinish t="14:30:26" Name="RecordedTVDiscovery" Duration="1:11.339" Reason="Ended" />
        </FirstRunModule>
        <FirstRunModule t="14:30:26" Name="ConsolidatedLibrary">
            <NavigateTo t="14:30:26" Page="fr.consolidatedlibrary.xml" Nav="Forward" />
            <FirstRunModuleFinish t="14:30:32" Name="ConsolidatedLibrary" Duration="0:5.803" Reason="Ended" />
        </FirstRunModule>
        <FirstRunModule t="14:30:32" Name="RecordedTVDiscovery">
            <NavigateTo t="14:30:32" Page="fr.qmediasearch.xml" Nav="Forward" />
            <NavigateTo t="14:30:40" Page="fr.qfolderslocation.xml" Nav="Forward" />
            <NavigateTo t="14:30:43" Page="fr.pickfolders.xml" Nav="Forward" />
            <NavigateTo t="14:31:13" Page="fr.folderschanged.xml" Nav="Forward" />
            <NavigateTo t="14:31:20" Page="fr.chooserpage.xml" Nav="Forward" />
        </FirstRunModule>
        <FirstRunModule t="14:31:27" Name="Summary">
            <NavigateTo t="14:31:27" Page="fr.summary.xml" Nav="Forward" />
            <FirstRunModuleFinish t="14:31:29" Name="Summary" Duration="0:2.201" Reason="Ended" />
        </FirstRunModule>
        <Finishing_FirstRun Total_duration="5:34.228" Finishing_path="executing" />
    </Optional_Sections>

and this:
<FirstRun_Execution Start_time="03/28/2016 12:56:29" Username="Lee" Version="1" Origin="Settings">
    <NetworkTunerDiscoveryStart t="12:56:29">3/28/2016 12:56:29 PM</NetworkTunerDiscoveryStart>
    <NetworkTunerHelper t="12:56:29">CheckForNewTuners - Wait on the current discovery for 45000 milisecs</NetworkTunerHelper>
    <NetworkTunerHelper t="12:56:29">WaitForNetworkTunerSearchHandler - Wait started</NetworkTunerHelper>
    <NetworkTunerHelper t="12:56:29">WaitForNetworkTunerSearchHandler - Wait returned true</NetworkTunerHelper>
    <NetworkTunerDiscoveryEnd t="12:56:29">3/28/2016 12:56:29 PM</NetworkTunerDiscoveryEnd>
    <LocationTvSignalStartNoRecorders t="12:56:29" />
    <FirstRunModule t="12:56:29" Name="TvSignal">
        <NavigateTo t="12:56:29" Page="fr.criticalexception.xml" Nav="Forward" />
        <FirstRunModuleFinish t="12:56:35" Name="TvSignal" Duration="0:5.670" State="Cancelled" />
    </FirstRunModule>
    <Finishing_FirstRun Total_duration="0:5.860" Finishing_path="cancelling" />
</FirstRun_Execution>

<FirstRun_Execution Start_time="03/28/2016 12:56:37" Username="Lee" Version="1" Origin="Settings">
    <NetworkTunerDiscoveryStart t="12:56:37">3/28/2016 12:56:37 PM</NetworkTunerDiscoveryStart>
    <NetworkTunerHelper t="12:56:37">CheckForNewTuners - Wait on the current discovery for 45000 milisecs</NetworkTunerHelper>
    <NetworkTunerHelper t="12:56:37">WaitForNetworkTunerSearchHandler - Wait started</NetworkTunerHelper>
    <NetworkTunerHelper t="12:56:37">WaitForNetworkTunerSearchHandler - Wait returned true</NetworkTunerHelper>
    <NetworkTunerDiscoveryEnd t="12:56:37">3/28/2016 12:56:37 PM</NetworkTunerDiscoveryEnd>
    <LocationTvSignalStartNoRecorders t="12:56:37" />
    <FirstRunModule t="12:56:37" Name="TvSignal">
        <NavigateTo t="12:56:37" Page="fr.criticalexception.xml" Nav="Forward" />
        <Finishing_FirstRun Total_duration="1059912776:45.720" Finishing_path="exiting" />
    </FirstRunModule>
</FirstRun_Execution>

<FirstRun_Execution Start_time="03/28/2016 13:08:51" Username="Lee" Version="1" Origin="Settings">
    <FirstRunModule t="13:08:55" Name="FolderDiscovery">
        <NavigateTo t="13:08:55" Page="fr.qfolderslocation.xml" Nav="Forward" />
        <NavigateTo t="13:09:06" Page="fr.networkshareslist.xml" Nav="Forward" />
        <NavigateTo t="13:10:22" Page="fr.canceloutro.xml" Nav="Forward" />
        <Finishing_FirstRun Total_duration="1:35.490" Finishing_path="cancelling" />
    </FirstRunModule>
</FirstRun_Execution>



RegSearch.txt last entry looks like this:
2016:04:04 09:33:30.0870 PID: 05564 THREAD: 05264 - Enter DoReindexSearchRoot()
2016:04:04 09:33:30.0977 PID: 05564 THREAD: 05264 - Enter DoCompleteSearchIndexing()
2016:04:04 09:33:31.0268 PID: 05564 THREAD: 05264 - DoCompleteSearchIndexing() : Indexed Items: 2, Outstanding Adds: 0, Outstanding Modifies: 0
2016:04:04 09:33:31.0282 PID: 05564 THREAD: 05264 - DoCompleteSearchIndexing() : Catalog State: Paused, Reason: UserActivity
2016:04:04 12:39:17.0451 PID: 05564 THREAD: 05264 - DoCompleteSearchIndexing() : Catalog State: Idle, Reason: None
2016:04:04 12:39:17.0467 PID: 05564 THREAD: 05264 - DoCompleteSearchIndexing() : Indexing should now be complete.
2016:04:04 12:39:17.0467 PID: 05564 THREAD: 05264 - Enter InitiatePVRRescheduling()
2016:04:04 12:39:17.0483 PID: 05564 THREAD: 05264 - InitiatePVRRescheduling() : Launched post-index reschedule asynchronously
2016:04:04 12:39:17.0483 PID: 05564 THREAD: 05264 - Leave InitiatePVRRescheduling()
2016:04:04 12:39:17.0483 PID: 05564 THREAD: 05264 - Leave DoCompleteSearchIndexing()
2016:04:04 12:39:17.0485 PID: 05564 THREAD: 05264 - Leave DoReindexSearchRoot()


One level up at programdata\microsoft\ehome\packages are folders for "sportsschedule" and "sportsv2". I don't really watch any sports and was completely unaware this computer had TV capability at all.

Explains where the "recordedTV" issue is coming from though.

Program Data\Microsoft\ehomes\logs was last accessed at 12:01 this morning, April 8th. On a possibly related tangent, Windows Firewall has been changing a lot of settings from Private to Public and back again over the past several days. Last instances were around 5:53am this morning.


Edited by bleedle, 08 April 2016 - 09:36 AM.


#30 oneof4

oneof4

  •  Avatar image
  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Collective
  • Local time:04:15 PM

Posted 08 April 2016 - 09:57 AM

Hey bleedle, :)

 

I'm ready to wipe my whole drive spotless and install a trusted version of windows from scratch to make this problem go away.

From what is going on in your system, I believe that is probably the best course of action. You've evidently been hit with some type of back-door infection and the only surefire way to prevent recurrence is to "nuke-and-pave." If you need instructions on reformatting / reinstalling Win7 you can find them here: http://pcsupport.about.com/od/operatingsystems/ss/windows-7-clean-install-part-1.htm

If you need further assistance, I would be glad to help.

 

Please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :thumbsup:

Lawrence Abrams, the founder of BleepingComputer.com, has developed an excellent tutorial which will provide you with the information you need to know to keep your computer secure and clean. Please take the time to read:

In addition, here are some more links you might find of interest:

Thank you for placing your trust in BleepingComputer. It was a pleasure serving you.

 

I will keep this thread open for a few days in case something comes up that we need to deal with.

 


Best Regards,
oneof4.
