
CPU hits 100°C, firewall keeps turning off, apps self-allowing through fire


Just like the title says, CPU hits 100°C (water cooled), firewall turns itself off, strange apps self-allowing through firewall. I woke up to the comp crashed and audio didn't work. Did a restore; first time failed, second time went as far back as I could and success, however still no audio. Not a hardware issue, checked and confirmed. I searched for @FirewallAPI.dll,-80201 and @FirewallAPI.dll,-80206, which landed me here. The other post had the original poster search through FRST.txt without luck. I noticed, when at (Control Panel\All Control Panel Items\Windows Defender Firewall\Allowed apps), that when I clicked the properties detail of @FirewallAPI.dll,-80201 it has a description of @FirewallAPI.dll,-80202. Notice the switch of the last number. @FirewallAPI.dll,-80206 also has a description one number off, @FirewallAPI.dll,-80205. To foil any searches? (see attached screenshot) Questions, just ask. I have been hunting this ***** for a week now. I will wait for your instructions. I am attaching what was asked and some screenshots from the last week. Thank you in advance.

Addition.txt FRST.txt 20220331_Malwarebytes_CleanScan.txt 20220331_Text_Malwarebytes.txt

20220331@FirewallAPI.dll,-80206.PNG

20220328_Failed restore.PNG

20220328_LogOnAsAService.PNG

20220331_Text_Malwarebytes.PNG


  • Root Admin

This account should not be enabled

Administrator (S-1-5-21-3271275025-2158743644-2568987073-500 - Administrator - Enabled) => C:\Users\Administrator

 

The computer is experiencing issues that may be hardware related possibly

System errors:
=============
Error: (03/31/2022 03:35:23 PM) (Source: Microsoft-Windows-FilterManager) (EventID: 3) (User: NT AUTHORITY)
Description: Filter Manager failed to attach to volume '\Device\HarddiskVolume14'.  This volume will be unavailable for filtering until a reboot.  The final status was 0xc03a001c.

Error: (03/31/2022 03:35:23 PM) (Source: Microsoft-Windows-FilterManager) (EventID: 3) (User: NT AUTHORITY)
Description: Filter Manager failed to attach to volume '\Device\HarddiskVolume14'.  This volume will be unavailable for filtering until a reboot.  The final status was 0xc03a001c.

Error: (03/31/2022 03:35:23 PM) (Source: Microsoft-Windows-FilterManager) (EventID: 3) (User: ANONYMOUS-FAST)
Description: Filter Manager failed to attach to volume '\Device\Harddisk5\DR7'.  This volume will be unavailable for filtering until a reboot.  The final status was 0xc03a001c.

Error: (03/31/2022 02:23:12 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Peer Name Resolution Protocol service terminated with the following error:
Unable to access a key.

Error: (03/31/2022 02:23:12 PM) (Source: PNRPSvc) (EventID: 102) (User: )
Description: The Peer Name Resolution Protocol cloud did not start because the creation of the default identity failed with error code: 0x80630203.

Error: (03/31/2022 02:14:27 PM) (Source: BugCheck) (EventID: 1001) (User: )
Description: The computer has rebooted from a bugcheck.  The bugcheck was: 0xc000021a (0xffff920091bbfaa0, 0xffffffffc0000428, 0x0000000000000000, 0x0000024178bc0000). A dump was saved in: C:\WINDOWS\MEMORY.DMP. Report Id: 2dd5b80b-73dd-4e0f-bdde-15e5d3580aa4.

Error: (03/31/2022 02:14:24 PM) (Source: SNMP) (EventID: 1500) (User: )
Description: The SNMP Service encountered an error while accessing the registry key SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration.

Error: (03/31/2022 09:25:10 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The AppX Deployment Service (AppXSVC) service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

 

 

Please uninstall the following software

CCleaner
RogueKiller

Then disable ESET antivirus real-time protection if enabled and run the following fix

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

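A triage sketch for the FRST excerpt in the post above, added here as an example (it is not part of the original post and not FRST's own code): it flags an enabled account whose SID ends in RID 500, counts errors per source and event ID, and extracts bugcheck codes. The sample lines are copied from that excerpt; the function names are assumptions.

```python
import re
from collections import Counter

# Sample input: lines copied from the FRST excerpt quoted in the post above.
SAMPLE = r"""
Administrator (S-1-5-21-3271275025-2158743644-2568987073-500 - Administrator - Enabled) => C:\Users\Administrator
Error: (03/31/2022 03:35:23 PM) (Source: Microsoft-Windows-FilterManager) (EventID: 3) (User: NT AUTHORITY)
Description: Filter Manager failed to attach to volume '\Device\HarddiskVolume14'.  This volume will be unavailable for filtering until a reboot.  The final status was 0xc03a001c.
Error: (03/31/2022 03:35:23 PM) (Source: Microsoft-Windows-FilterManager) (EventID: 3) (User: ANONYMOUS-FAST)
Description: Filter Manager failed to attach to volume '\Device\Harddisk5\DR7'.  This volume will be unavailable for filtering until a reboot.  The final status was 0xc03a001c.
Error: (03/31/2022 02:23:12 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Peer Name Resolution Protocol service terminated with the following error:
Unable to access a key.
Error: (03/31/2022 02:14:27 PM) (Source: BugCheck) (EventID: 1001) (User: )
Description: The computer has rebooted from a bugcheck.  The bugcheck was: 0xc000021a (0xffff920091bbfaa0, 0xffffffffc0000428, 0x0000000000000000, 0x0000024178bc0000). A dump was saved in: C:\WINDOWS\MEMORY.DMP. Report Id: 2dd5b80b-73dd-4e0f-bdde-15e5d3580aa4.
"""

# "name (SID - group - state) => profile path", as in the account line above.
ACCOUNT = re.compile(
    r"^(?P<name>.+?) \((?P<sid>S-1-5-21-[\d-]+) - (?P<group>.+?) - "
    r"(?P<state>Enabled|Disabled)\)", re.M)
# "Error: (timestamp) (Source: x) (EventID: n) (User: y)"; User may be empty.
EVENT = re.compile(
    r"^Error: \((?P<when>[^)]+)\) \(Source: (?P<source>[^)]+)\) "
    r"\(EventID: (?P<id>\d+)\) \(User: (?P<user>[^)]*)\)", re.M)
BUGCHECK = re.compile(r"The bugcheck was: (0x[0-9a-fA-F]+) \(([^)]*)\)")


def enabled_builtin_admins(text):
    """Enabled accounts whose SID ends in RID 500 (the built-in Administrator)."""
    return [(m["name"], m["sid"]) for m in ACCOUNT.finditer(text)
            if m["sid"].endswith("-500") and m["state"] == "Enabled"]


def error_counts(text):
    """Count error entries per (source, event ID) so repeats collapse to one row."""
    return Counter((m["source"], int(m["id"])) for m in EVENT.finditer(text))


def bugchecks(text):
    """Return (stop code, [four parameters]) for each bugcheck description."""
    return [(m[1].lower(), [p.strip() for p in m[2].split(",")])
            for m in BUGCHECK.finditer(text)]


def triage(text):
    """Produce a short findings list a helper could read before the raw log."""
    findings = [f"built-in Administrator enabled: {name} ({sid})"
                for name, sid in enabled_builtin_admins(text)]
    findings += [f"{n}x {src} EventID {eid}"
                 for (src, eid), n in error_counts(text).most_common()]
    findings += [f"bugcheck {code} params {params}"
                 for code, params in bugchecks(text)]
    return findings


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```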

  • Root Admin

Thank you for the log @Titan

Windows Resource Protection found corrupt files and successfully repaired them.

Please run the following for me

 

SecurityCheck by glax24

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file
  • This tool is safe. SmartScreen is overly sensitive.
  • If SmartScreen blocks the file from running click on More info and Run anyway
  • Right-click with your mouse on the SecurityCheck.exe and select "Run as administrator" and reply YES to allow to run & go forward
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt. Close the file. Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 


 

Thank you

 

 


Hey AdvancedSetup,

As you requested. 20220404_SecurityCheck.txt

Maybe unrelated however when I did the last update I lost sound to my external speaker system. It's not a hardware problem as the audio system checked out when I tested it. Also when I did a clean install on 20220222, I believe, there are a couple apps that start halfway below my middle monitor screen. I have three and they are all set to the correct resolution. This has not happened before. Also this @firewall... any concern there? It won't let me remove the access for it on both private and public. When I remove them from either private or public, it will write another line of the app and grant itself access through the one I just removed. Thanks for your help man!

 

20220404_screenshot_AppsOverrideFirewall.PNG


  • Root Admin

No, the Firewall itself needs access and is okay.

Please uninstall, update, or otherwise address the following items as appropriate for your system.

 


--------------------------- [ OtherUtilities ] ----------------------------

Microsoft 365 - en-us v.16.0.14827.20198 Warning! Download Update
How Install Office updates?

 

------------------------------ [ ArchAndFM ] ------------------------------

WinRAR 6.02 (64-bit) v.6.02.0 Warning! Download Update

 

-------------------------------- [ Media ] --------------------------------

VLC media player v.3.0.14 Warning! Download Update


--------------------------- [ AdobeProduction ] ---------------------------

Adobe Acrobat DC (64-bit) v.21.011.20039 Warning! Download Update
^Please run Acrobat DC and go Help - Check for updates...^


------------------------------- [ Browser ] -------------------------------

Mozilla Firefox (x64 en-US) v.98.0.2 Warning! Download Update

 

 

 

Then run the following

 

Microsoft Safety Scanner

Please make sure you exit out of any other program you might have open so that the sole task is to run the following scan.
That goes especially for web browsers; make sure all are fully exited out of and messenger programs are exited and closed as well.
 

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long, long break; walk away. Do not pay credence if you see some intermediate early flash messages on the screen display. The only things that count are the end result at the end of the run.
  • The scan will take several hours. Leave it alone. It will remove any other remaining threats as it goes along. Take a very long break, do your normal personal errands... just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned (depending on the number of files on your machine & the speed of the hardware).

The log is named MSERT.log and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

Thank you

 


Hi AS,

I did what you said and left my comp alone to scan. Woke up this morning and it was still going however it was frozen here (see attached screenshot). Again after taking ScrSht I walked away and one hour later it said nothing found and gave no indication of a report anywhere to be had. Please advise.

I have run the same scanner before and would get like 6 or 8 infected files also with the end summary saying nothing found and all was clear. 201 hits and all clear at the end... doesn't seem correct. The file it was stuck on, I erased the E:\VC file at that location after I took ownership of the file and all child files.

Thanks my man for your help with this!

 

20220405_Screenshot_201-14hrs.PNG


Anything here? It starts when I did the clean install and ends right before I ran the Micro Safety Scanner. I have been noticing Brothers software (New printer I got a year ago) having double apps and files and a lot of them hidden. The very end where this file says "DESTROYPRIVATEDATA" concerns me for reasons not for this forum. Please advise.

wiatrace.log


  • Root Admin

Microsoft Safety Scanner collects bits and pieces of files, folders, registry entries, etc. as sort of a breadcrumb trail locally. So those show as potential infections (really wish Microsoft would stop showing people those entries) but it then uploads it to the Cloud and runs its Artificial Intelligence scanner on it and determines if it's really a threat or not.

The actual completed log is the accurate information, not what it shows during the scan.

The term Destroy Private Data is simply coding language to mean remove or delete a routine and move on to the next one. It has nothing to do with your real computer data.

 

Let me have you run another scan. Again, make sure you exit out of Malwarebytes and disable any other real-time protection before running this scan.

 

Sophos Scan & Clean

Download Sophos Free Virus Removal Tool and save it to your desktop. You will need to provide them an email address to get the link to download.

  • If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....
  • Please close all other open applications and Do Not use your PC whilst the scan is in progress... This scan is very thorough so it may take several hours to complete, please be patient...

 

Double click the icon and select Run

Click Next

Select I accept the terms in this license agreement, then click Next twice

Click Install

Click Finish to launch the program

  • Once the virus database has been updated click Start Scanning

If any threats are found click Details, then View log file... (bottom left hand corner)

 

Attach the results in your next reply

  • Close the Notepad document, close the Threat Details screen, then click Start cleanup

Click Exit to close the program

 

If no threats were found please confirm that result...

The Virus Removal Tool scans the following areas of your computer:

  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable

Mapped network drives are not scanned.

Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

 

Saved logs are found under this sub-folder: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs 

Please attach that log on your next reply

Thank you

 


I apologize for the delay. The link goes to Sophos- ScanAndClean. I found an old download of VirusRemovalTool and it updated. See Attached.

I guess it could be a hardware thing at this point however I do not believe so. It's water cooled and I just cleaned and applied new thermal grease the correct way. The other thing is the fluctuation doesn't happen when I put a heavy load on the CPU. Also, it will kick up every time I start poking it. Please advise.

SophosVirusRemovalTool.log


Hey Advance,

Malwarebytes antirootkit came back clean however CPU went ballistic and not scanner running increased load. I didn't see a report however I was guessing where to find it. Please advise and thanks man!


  • Root Admin
  • Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created.
  • Both files can be found in the extracted MBAR folder on your Desktop.
  • Please attach both files in your next reply.

 


  • Root Admin

Please do the following

 

Create an Autoruns Log:

  • Please download Sysinternals Autoruns from here:   https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
  • Save Autoruns.zip to your computer. Then locate it and extract it to a new folder where you can find and run it.
  • Once it starts you may not be able to easily stop the scan but you can try to press the Escape key on your keyboard.
  • Once scanning is stopped, click on the Options menu at the top of the program and select Scan Options... 
  • Then place a checkmark on the following items Verify Code Signatures, Check VirusTotal.com, and Submit Unknown Images
  • Then WAIT until it's ready again, and click the Rescan button. Agree to the VirusTotal EULA
  • Once the new scan has been completed, please click on the File button at the top of the program and select Save, or use the Save icon, and save the Autoruns.arn file to your desktop and close Autoruns.
  • Right-click on the Autoruns.arn file (it will typically be the name of your computer) on your desktop or where you save it, and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the Autoruns.zip folder (your computer name.zip) you just created to your next reply.

 

 


 

 

Next, get me this log too

 

Please download HWiNFO the Professional System Information and Diagnostics program.
HWiNFO Portable for Windows

Unzip the program to its own folder such as: C:\HWiNFO
Go to the new folder and locate the file C:\HWiNFO\HWiNFO64.exe and double-click to run it.
Click the RUN button.
Ignore the update, click close.
Click on Save Report and choose HTML and click Next, then Finish
By default, it will create a new report named COMPUTER.HTM in the same folder as the program. C:\HWiNFO
Please zip that file and attach it to your next reply

Thank you


Sorry for the delay. I can't get the M-Flash to acknowledge the SD card after I download and extract the firmware update. I have noticed that the CPU gets hot at night more so than the day. I know enough to know something isn't right however not enough to find and eradicate it. Please advise. Thanks 


Hi Advanced,

Two things have popped up since last post. Both have happened before however not for a long time and both went away when I received help from Bleeping Computer. When I go to shut down it will warn me that an (unidentified) app is preventing me from shutting down. Sometimes with other apps I have open and sometimes stand alone.

The other thing is on start up, I am getting the recycle bin is corrupt and a question as to if I want to delete it.

 

Also I am not crashing often and this last week couple blue screens. I don't game, torrent or porn. This is for work. I would assume I am on some government lists but that's the world we live in. Anything will help and thanks in advance.

 


  • Root Admin

My recommendation is to go sign up on this forum and have them help you track down the cause of the BSOD. They have some well-trained people over there that should be able to help you track that down.

https://www.sysnative.com/forums/forums/bsod-crashes-kernel-debugging.15/

 

Edited by AdvancedSetup
Updated information
This topic is now closed to further replies.