Author Topic: [In Progress] possible rootkit  (Read 1994 times)

Offline fkpc1

  • Bronze Member
  • Posts: 20
  • Ad eundum quo nemo ante iit
[In Progress] possible rootkit
« on: March 11, 2017, 08:10:53 AM »
Hi

I was redirected to this website from lenovo.com because I detected a rootkit which I have not been able to remove!
The rootkit was detected by GMER and was not given any name. GMER detected changes to the master boot record, hidden files in system32 and rootkit behavior. I removed all threats with GMER and reprogrammed the master boot record, but I still have suspicious activities on my computer. My firewall has a lot of listings which say XXXX-server and a lot of strange network connections, even when all programs are closed. Please help..
« Last Edit: March 11, 2017, 08:44:55 AM by Hoov »
Autodidacticism

Offline Hoov

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • Posts: 27122
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: possible rootkit
« Reply #1 on: March 11, 2017, 08:46:58 AM »
Hello, welcome to SpywareHammer.

I go by Hoov, and I will be helping you with your problem. I am also the one that redirected you here. I must ask you to do a few things for me.

First, tell me everything that you have done to try and fix this problem. Also tell me any other problems you are having, no matter how small or how long you have been dealing with them.

Second, please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out their hair.

Third, follow my instructions - if you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me; it may make a difference on where we go.

Fourth, have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

Fifth, if we start this fix, I need you to stick with me until the end. Just because your computer is running better does not mean it is fixed.

Before we start trying to fix your computer, you need to make sure your data is backed up. Also let me know of any software you have running that encrypts your harddrive.

One last thing, I need you to tell me if this computer belongs to a school or to a company or organization of some kind. If it does, please let me know. Also tell me if there is an IT department responsible for this computer.

Now onto trying to fix your computer.

Please follow the instructions in this post.

Also can you copy the GMER log and paste it into the post as well.

Former Consumer Security MVP
2011-2014

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Offline fkpc1

Re: [In Progress] possible rootkit
« Reply #2 on: March 11, 2017, 01:03:59 PM »
Message when running DDS: "dds is not meant to run in compatibility mode"..
I'm running Windows 8.1

Offline fkpc1

Re: [In Progress] possible rootkit
« Reply #3 on: March 11, 2017, 01:35:30 PM »
Hi Hoov, thanks for your reply :)

I have had this problem for a month or two. It started with a search for some programming tools,
and so I tried a few free ones, something I apparently shouldn't have done.
I noticed that I got a lot of strange bat files all over the operating system, a lot of network traffic,
and strange firewall rules which all ended with "server". So I decided to try to scan the computer with
different malware tools including GMER, which reported changes to the master boot record,
a notification of rootkit behavior in the operating system and infected hidden files in system32.
Then I proceeded to fix the master boot record myself since it's an easy thing to do. I then used
"OneKey Recovery" to solve the problem completely, but it didn't seem to do the trick. I'm still
experiencing some strange network activity and "server" rules in the firewall.
I have also experienced some other strange problems like the network card stopping working,
sudden missing or incorrect driver notifications and the touchpad stopping working.

Answers to your questions:
This computer is private and belongs to me, so there won't be any problems.
I'll give you free rein to tamper with it in any way you might see fit to solve the problem.
I'm also only using this forum to try to fix the issues, and I have backed up the machine,
and no encryption is used, so all should be set to go.


GMER
GMER reported changes to the master boot record, a notification of rootkit behavior
in the operating system and infected hidden files in system32.
After I reprogrammed the master boot record I was unable to replicate the report,
but the network activity and firewall rules remain..

Offline Hoov

Re: [In Progress] possible rootkit
« Reply #4 on: March 11, 2017, 01:42:33 PM »
Download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right click on it to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.


Offline fkpc1

Re: [In Progress] possible rootkit
« Reply #5 on: March 13, 2017, 10:59:54 AM »
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 12-03-2017
Ran by bruker (administrator) on LENOVO-PC (13-03-2017 17:52:28)
Running from C:\Users\bruker\Desktop
Loaded Profiles: bruker (Available Profiles: bruker & Gjest)
Platform: Windows 8.1 (Update) (X64) Language: Norsk, bokmål (Norge)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Conexant Systems Inc.) C:\Windows\System32\CxAudMsg64.exe
(Intel(R) Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Lenovo) C:\Program Files\Lenovo\OneKey Optimizer\bin\FbService.exe
(Intel Corporation) C:\Windows\System32\ibtsiva.exe
(Lenovo(beijing) Limited) C:\Program Files\Lenovo\OneKey Optimizer\bin\OKOUpdataService.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\SettingsDependency\SettingsService.exe
(LENOVO INCORPORATED.) C:\Program Files\Lenovo\iMController\SystemAgentService.exe
() C:\Program Files\Lenovo PhoneCompanion\LPAWDService.exe
(Lenovo(beijing) Limited) C:\Program Files (x86)\Lenovo\Lenovo Settings\x86\LenovoSetSvr.exe
(Lenovo(beijing) Limited) C:\Windows\System32\LenovoWiFiHotspotSvr.exe
(Maxthon) C:\Program Files (x86)\Maxthon\Modules\Service\Update\MaxthonUpdateSvc.exe
(Lenovo(beijing) Limited) C:\Program Files\Lenovo\OneKey Optimizer\bin\OKOControlSvc.exe
(Lenovo) C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe
(Intel(R) Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
() C:\Program Files\CyberLink\Shared files\RichVideo64.exe
(Conexant Systems, Inc.) C:\Windows\SysWOW64\SASrv.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe
() C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe
() C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe
(VMware, Inc.) C:\Windows\SysWOW64\vmnetdhcp.exe
(VMware, Inc.) C:\Windows\SysWOW64\vmnat.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(VMware, Inc.) C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Lenovo) C:\Windows\System32\LenovoUpdate.exe
() C:\Program Files (x86)\Lenovo\CCSDK\CCSDK.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Pokki) C:\Users\bruker\AppData\Local\SweetLabs App Platform\Engine\ServiceHostAppUpdater.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
() C:\Windows\System32\igfxTray.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
() C:\Program Files (x86)\Lenovo\CCSDK\WinGather.exe
() C:\Program Files\CONEXANT\ForteConfig\fmapp.exe
(Conexant Systems, Inc.) C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe
(Realtek semiconductor) C:\Windows\RTFTrack.exe
() C:\Program Files\Lenovo\LenovoUtility\utility.exe
(Lenovo(beijing) Limited) C:\Program Files\Lenovo\OneKey Optimizer\bin\OneKeyOptimizerTray.exe
(Lenovo(beijing) Limited) C:\Program Files\Lenovo\OneKey Optimizer\bin\OnekeyOptimizerUpdata.exe
(CyberLink) C:\Program Files (x86)\Lenovo\Power2Go\CLMLSvc_P2G8.exe
(CyberLink Corp.) C:\Program Files (x86)\Lenovo\PowerDVD10\PDVD10Serv.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
(Lenovo) C:\Program Files\Lenovo\Lenovo Solution Center\LSCNotify.exe
(Lenovo Corporation) C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe
(Pokki) C:\Users\bruker\AppData\Local\SweetLabs App Platform\Engine\ServiceHostApp.exe
(Pokki) C:\Users\bruker\AppData\Local\SweetLabs App Platform\Engine\ServiceHostApp.exe
(Pokki) C:\Users\bruker\AppData\Local\SweetLabs App Platform\Engine\ServiceStartMenuIndexer.exe
(Lenovo(beijing) Limited) C:\Program Files\Lenovo\OneKey Optimizer\bin\OneKeyOptimizer.exe
() C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\iumsvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\ui\updateui.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [322712 2014-10-09] (Intel Corporation)
HKLM\...\Run: [ForteConfig] => C:\Program Files\Conexant\ForteConfig\fmapp.exe [49056 2010-10-26] ()
HKLM\...\Run: [SmartAudio] => C:\Program Files\CONEXANT\SAII\SACpl.exe [1830616 2014-04-10] (Conexant Systems, Inc.)
HKLM\...\Run: [cAudioFilterAgent] => C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [919768 2014-11-20] (Conexant Systems, Inc.)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2809072 2014-10-21] (Synaptics Incorporated)
HKLM\...\Run: [RtsFT] => C:\windows\RTFTrack.exe [4060376 2014-10-22] (Realtek semiconductor)
HKLM\...\Run: [LENOVO.TPKNRRES] => rundll32.exe "C:\Program Files\Lenovo\Communications Utility\LibStartStub.dll",AVStartupStub
HKLM\...\Run: [LenovoUtility] => C:\Program Files\Lenovo\LenovoUtility\utility.exe [791368 2015-03-10] ()
HKLM\...\Run: [PhoneCompanion] => C:\Program Files\Lenovo PhoneCompanion\Phone Companion.exe [802800 2015-03-10] (Lenovo)
HKLM\...\Run: [OneKeyOptimizer] => C:\Program Files\Lenovo\OneKey Optimizer\bin\OneKeyOptimizerTray.exe [559896 2014-11-19] (Lenovo(beijing) Limited)
HKLM-x32\...\Run: [CLMLServer_For_P2G8] => C:\Program Files (x86)\Lenovo\Power2Go\CLMLSvc_P2G8.exe [110344 2014-09-09] (CyberLink)
HKLM-x32\...\Run: [CLVirtualDrive] => C:\Program Files (x86)\Lenovo\Power2Go\VirtualDrive.exe [492808 2014-09-09] (CyberLink Corp.)
HKU\S-1-5-21-2423566268-3429370631-2639371571-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [9292504 2016-12-21] (Piriform Ltd)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\..\Interfaces\{EC987C79-0B2A-45C3-A78E-1DE4CE07352D}: [DhcpNameServer] 193.213.112.4 130.67.15.198
Tcpip\..\Interfaces\{F915FF06-AB07-44CC-80ED-C6D837030E5F}: [DhcpNameServer] 150.212.1.3

Internet Explorer:
==================
HKU\S-1-5-21-2423566268-3429370631-2639371571-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://lenovo13.msn.com/?pc=LCJB
HKU\S-1-5-21-2423566268-3429370631-2639371571-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://lenovo13.msn.com/?pc=LCJB
HKU\S-1-5-21-2423566268-3429370631-2639371571-1001\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://www.lenovo.com
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2423566268-3429370631-2639371571-1001 -> DefaultScope {1F891EB7-C29B-4FBE-B6D0-90B6B118356A} URL =
SearchScopes: HKU\S-1-5-21-2423566268-3429370631-2639371571-1001 -> {1F891EB7-C29B-4FBE-B6D0-90B6B118356A} URL =

FireFox:
========
FF DefaultProfile: 6q5fd3l3.default
FF ProfilePath: C:\Users\bruker\AppData\Roaming\Mozilla\Firefox\Profiles\6q5fd3l3.default [2017-03-13]
FF Extension: (Adblock Plus) - C:\Users\bruker\AppData\Roaming\Mozilla\Firefox\Profiles\6q5fd3l3.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2017-03-09]
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.56 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2014-09-03] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2014-09-03] (Intel Corporation)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 AVControlCenter; C:\Program Files\Lenovo\Communications Utility\AVControlCenter32.exe [599024 2014-08-06] (Lenovo Corporation)
R2 CCSDK; C:\Program Files (x86)\Lenovo\CCSDK\CCSDK.exe [644080 2014-10-22] ()
S3 ESRV_SVC_QUEENCREEK; C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe [805632 2016-11-17] ()
R2 FastbootService; C:\Program Files\Lenovo\OneKey Optimizer\bin\FbService.exe [191512 2014-11-20] (Lenovo) [File not signed]
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [18584 2014-10-09] (Intel Corporation)
R2 igfxCUIService1.0.0.0; C:\windows\system32\igfxCUIService.exe [344184 2016-05-12] (Intel Corporation)
S3 Intel(R) Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [887256 2014-05-13] (Intel(R) Corporation)
R2 Intel(R) ME Service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [131544 2014-09-03] (Intel Corporation)
R3 iumsvc; C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\iumsvc.exe [174368 2014-04-09] ()
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [154584 2014-09-03] (Intel Corporation)
S3 Lenovo EasyPlus Hotspot; C:\Program Files (x86)\Common Files\lenovo\easyplussdk\bin\EPHotspot64.exe [533760 2014-06-03] (Lenovo)
R2 Lenovo OKO Service; C:\Program Files\Lenovo\OneKey Optimizer\bin\OKOUpdataService.exe [2544408 2014-11-19] (Lenovo(beijing) Limited)
R2 Lenovo Settings Service; C:\Program Files\Lenovo\SettingsDependency\SettingsService.exe [2005320 2014-10-13] (Lenovo Group Limited)
R2 Lenovo System Agent Service; C:\Program Files\Lenovo\iMController\SystemAgentService.exe [584664 2015-12-14] (LENOVO INCORPORATED.)
S3 LENOVO.TVTVCAM; C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe [727536 2014-08-06] (Lenovo Corporation)
R2 LenovoPAWDService; C:\Program Files\Lenovo PhoneCompanion\LPAWDService.exe [133440 2015-03-10] ()
R2 LenovoSetSvr; C:\Program Files (x86)\Lenovo\Lenovo Settings\x86\LenovoSetSvr.exe [258544 2014-06-19] (Lenovo(beijing) Limited)
R3 LenovoUpdate; C:\windows\System32\LenovoUpdate.exe [26608 2017-01-13] (Lenovo)
R2 LenovoWiFiHotspotSvr; C:\Windows\System32\LenovoWiFiHotspotSvr.exe [218952 2014-08-26] (Lenovo(beijing) Limited)
S3 LSCWinService; C:\Program Files\Lenovo\Lenovo Solution Center\App\LSCWinService.exe [272776 2014-10-17] ()
R2 MaxthonUpdateSvc; C:\Program Files (x86)\Maxthon\Modules\Service\Update\MaxthonUpdateSvc.exe [1844024 2014-08-01] (Maxthon)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [268704 2016-10-06] ()
R2 OKOControlSvc; C:\Program Files\Lenovo\OneKey Optimizer\bin\OKOControlSvc.exe [113944 2014-11-17] (Lenovo(beijing) Limited)
R2 PhoneCompanionPusher; C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe [321520 2015-03-10] (Lenovo)
S3 PhoneCompanionVap; C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionVap.exe [338416 2015-03-10] (Lenovo)
R2 RichVideo64; C:\Program Files\CyberLink\Shared files\RichVideo64.exe [390632 2012-04-24] ()
R2 SynTPEnhService; C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe [190704 2014-10-21] (Synaptics Incorporated)
R2 SystemUsageReportSvc_QUEENCREEK; C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe [156928 2016-11-17] ()
S3 USER_ESRV_SVC_QUEENCREEK; C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe [805632 2016-11-17] ()
R2 VeriFaceSrv; C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe [68880 2015-03-10] ()
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347880 2014-03-24] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2014-03-24] (Microsoft Corporation)
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3732896 2016-10-06] (Intel® Corporation)
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 CLVirtualDrive; C:\windows\system32\DRIVERS\CLVirtualDrive.sys [91912 2013-11-12] (CyberLink)
R0 Fastboot; C:\windows\System32\DRIVERS\Fastboot.sys [70168 2014-11-20] (Windows (R) Win 7 DDK provider) [File not signed]
R3 ibtusb; C:\windows\system32\DRIVERS\ibtusb.sys [229632 2016-11-28] (Intel Corporation)
R3 KMDFVirtualKbd; C:\windows\System32\drivers\KMDFVirtualKbd.sys [22264 2014-08-04] ()
R3 KMDFVirtualMouse; C:\windows\System32\drivers\KMDFVirtualMouse.sys [21240 2014-08-04] ()
R3 MEIx64; C:\windows\system32\DRIVERS\TeeDriverx64.sys [126976 2014-09-03] (Intel Corporation)
R3 NETwNb64; C:\windows\system32\DRIVERS\Netwbw02.sys [3517200 2016-10-20] (Intel Corporation)
S3 NETwNe64; C:\windows\system32\DRIVERS\NETwew02.sys [4649440 2013-06-18] (Intel Corporation)
R3 rtsuvc; C:\windows\system32\DRIVERS\rtsuvc.sys [2584280 2014-10-22] (Realtek Semiconductor Corp.)
S3 semav6msr64; C:\windows\system32\drivers\semav6msr64.sys [21984 2016-10-18] ()
R3 SmbDrvI; C:\windows\system32\DRIVERS\Smb_driver_Intel.sys [31472 2014-10-21] (Synaptics Incorporated)
R0 vsock; C:\windows\system32\DRIVERS\vsock.sys [91712 2016-09-30] (VMware, Inc.)
S0 WdBoot; C:\windows\System32\drivers\WdBoot.sys [35856 2014-03-24] (Microsoft Corporation)
R0 WdFilter; C:\windows\System32\drivers\WdFilter.sys [257880 2014-03-24] (Microsoft Corporation)
R3 WdNisDrv; C:\windows\System32\Drivers\WdNisDrv.sys [123224 2014-03-24] (Microsoft Corporation)
R3 wsvd; C:\windows\system32\DRIVERS\wsvd.sys [102376 2012-06-14] ("CyberLink)
U3 fxlyrpog; \??\C:\Users\bruker\AppData\Local\Temp\fxlyrpog.sys [X] <==== ATTENTION

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-13 17:52 - 2017-03-13 17:52 - 00015259 _____ C:\Users\bruker\Desktop\FRST.txt
2017-03-13 17:51 - 2017-03-13 17:52 - 00000000 ____D C:\FRST
2017-03-13 17:50 - 2017-03-13 17:48 - 02424832 _____ (Farbar) C:\Users\bruker\Desktop\FRST64.exe
2017-03-13 17:48 - 2017-03-13 17:48 - 02424832 _____ (Farbar) C:\Users\bruker\Downloads\FRST64.exe
2017-03-11 22:40 - 2017-03-11 22:40 - 00000023 _____ C:\Users\bruker\Downloads\rvl1qb3c.bat
2017-03-11 20:55 - 2017-03-11 20:56 - 00484528 _____ C:\windows\Minidump\031117-16562-01.dmp
2017-03-11 19:56 - 2017-03-11 19:57 - 00688992 _____ (Swearware) C:\Users\bruker\Downloads\dds.com
2017-03-11 18:32 - 2017-03-11 18:32 - 00380928 _____ C:\Users\bruker\Downloads\rvl1qb3c(1).exe
2017-03-11 18:21 - 2017-03-11 18:21 - 00001920 _____ C:\Users\Public\Desktop\HitmanPro.lnk
2017-03-11 18:21 - 2017-03-11 18:21 - 00000000 ____D C:\Program Files\HitmanPro
2017-03-11 18:20 - 2017-03-11 18:20 - 00000000 _____ C:\Users\bruker\Desktop\Nytt tekstdokument.txt
2017-03-11 18:05 - 2017-03-11 18:20 - 02069192 _____ C:\TDSSKiller.3.1.0.12_11.03.2017_18.05.02_log.txt
2017-03-11 18:04 - 2017-03-11 18:04 - 00343024 _____ C:\windows\Minidump\031117-21453-01.dmp
2017-03-11 17:56 - 2017-03-11 17:57 - 00235198 _____ C:\TDSSKiller.3.1.0.12_11.03.2017_17.56.54_log.txt
2017-03-11 17:40 - 2017-03-11 17:41 - 00017586 _____ C:\Users\bruker\Desktop\gmercopy.txt
2017-03-11 17:10 - 2017-03-11 17:11 - 00380928 _____ C:\Users\bruker\Downloads\rvl1qb3c.exe
2017-03-11 16:25 - 2017-03-11 20:36 - 00019381 _____ C:\Users\bruker\Desktop\fkpc.txt
2017-03-09 09:58 - 2017-03-09 09:58 - 00002361 _____ C:\Users\Gjest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lenovo Web Start.lnk
2017-03-09 09:58 - 2017-03-09 09:58 - 00002301 _____ C:\Users\Gjest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PC App Store.lnk
2017-03-09 09:58 - 2017-03-09 09:58 - 00002130 _____ C:\Users\Gjest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Start Menu.lnk
2017-03-09 08:44 - 2017-03-09 09:59 - 00000000 ____D C:\Users\Gjest\AppData\LocalLow\Mozilla
2017-03-09 08:44 - 2017-03-09 08:48 - 00000000 ____D C:\Users\Gjest\AppData\Local\Mozilla
2017-03-09 08:44 - 2017-03-09 08:44 - 00000000 ____D C:\Users\Gjest\AppData\Roaming\Mozilla
2017-03-08 23:17 - 2017-03-08 23:17 - 00000000 ____D C:\Users\Gjest\AppData\Roaming\LSC
2017-03-08 23:10 - 2017-03-08 23:10 - 00000000 ____D C:\Users\Gjest\AppData\Local\Lenovo
2017-03-08 23:09 - 2017-03-08 23:09 - 00000000 ____D C:\Users\Gjest\Desktop\aaa
2017-03-08 23:09 - 2017-03-08 23:09 - 00000000 ____D C:\Users\Gjest\AppData\Roaming\Intel Corporation
2017-03-08 23:08 - 2017-03-08 23:08 - 00000000 ____D C:\Users\Gjest\AppData\Local\Power2Go8
2017-03-08 23:07 - 2017-03-13 17:20 - 00000000 ____D C:\Users\Gjest
2017-03-08 23:07 - 2017-03-09 09:59 - 00000000 ____D C:\Users\Gjest\AppData\Local\Pokki
2017-03-08 23:07 - 2017-03-09 08:43 - 00000000 __SHD C:\Users\Gjest\IntelGraphicsProfiles
2017-03-08 23:07 - 2017-03-08 23:07 - 00001453 _____ C:\Users\Gjest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2017-03-08 23:07 - 2017-03-08 23:07 - 00000020 ___SH C:\Users\Gjest\ntuser.ini
2017-03-08 23:07 - 2017-03-08 23:07 - 00000000 _SHDL C:\Users\Gjest\Start-meny
2017-03-08 23:07 - 2017-03-08 23:07 - 00000000 _SHDL C:\Users\Gjest\Skrivere
2017-03-08 23:07 - 2017-03-08 23:07 - 00000000 _SHDL C:\Users\Gjest\Programdata
2017-03-08 23:07 - 2017-03-08 23:07 - 00000000 _SHDL C:\Users\Gjest\Mine dokumenter
2017-03-08 23:07 - 2017-03-08 23:07 - 00000000 _SHDL C:\Users\Gjest\Maler
2017-03-08 23:07 - 2017-03-08 23:07 - 00000000 _SHDL C:\Users\Gjest\Lokale innstillinger
2017-03-08 23:07 - 2017-03-08 23:07 - 00000000 _SHDL C:\Users\Gjest\Documents\Mine bilder
2017-03-08 23:07 - 2017-03-08 23:07 - 00000000 _SHDL C:\Users\Gjest\Documents\Min musikk
2017-03-08 23:07 - 2017-03-08 23:07 - 00000000 _SHDL C:\Users\Gjest\Documents\Intern video
2017-03-08 23:07 - 2017-03-08 23:07 - 00000000 _SHDL C:\Users\Gjest\AppData\Roaming\Microsoft\Windows\Start Menu\Programmer
2017-03-08 23:07 - 2017-03-08 23:07 - 00000000 _SHDL C:\Users\Gjest\AppData\Local\Programdata
2017-03-08 23:07 - 2017-03-08 23:07 - 00000000 _SHDL C:\Users\Gjest\AppData\Local\Logg
2017-03-08 23:07 - 2017-03-08 23:07 - 00000000 _SHDL C:\Users\Gjest\AndrMask
2017-03-08 23:07 - 2017-03-08 23:07 - 00000000 ____D C:\Users\Gjest\AppData\Roaming\Intel
2017-03-08 23:07 - 2017-03-08 23:07 - 00000000 ____D C:\Users\Gjest\AppData\Roaming\Adobe
2017-03-08 23:07 - 2017-03-08 23:07 - 00000000 ____D C:\Users\Gjest\AppData\Local\VirtualStore
2017-03-08 23:07 - 2017-03-08 23:07 - 00000000 ____D C:\Users\Gjest\AppData\Local\Packages
2017-03-08 23:07 - 2015-03-10 13:32 - 00000000 ____D C:\Users\Gjest\AppData\Roaming\Macromedia
2017-03-08 23:07 - 2015-03-10 13:23 - 00000187 _____ C:\Users\Gjest\Desktop\Google Play Music.url
2017-03-08 23:07 - 2015-03-10 13:23 - 00000126 _____ C:\Users\Gjest\Desktop\Adobe Photo Offer.url
2017-03-08 23:07 - 2014-03-26 11:21 - 00000190 _____ C:\Users\Gjest\Desktop\FREE CALLS with Voxox.url
2017-03-08 23:07 - 2014-03-18 10:55 - 00000369 _____ C:\Users\Gjest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Pictures.lnk
2017-03-08 23:07 - 2014-03-18 10:55 - 00000369 _____ C:\Users\Gjest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Documents.lnk
2017-03-08 08:00 - 2017-03-08 08:00 - 01239752 _____ (Microsoft Corporation) C:\Users\bruker\Downloads\wlsetup-web.exe
2017-03-07 20:05 - 2017-03-07 20:05 - 00000000 ____D C:\Users\bruker\AppData\Local\CyberLink
2017-03-07 19:52 - 2017-03-07 19:57 - 01348144 _____ C:\TDSSKiller.3.1.0.12_07.03.2017_19.52.43_log.txt
2017-03-07 19:50 - 2017-03-11 18:08 - 00000000 ____D C:\TDSSKiller_Quarantine
2017-03-07 19:08 - 2017-03-07 19:50 - 00464238 _____ C:\TDSSKiller.3.1.0.12_07.03.2017_19.08.30_log.txt
2017-03-07 19:07 - 2017-03-07 19:08 - 04747704 _____ (AO Kaspersky Lab) C:\Users\bruker\Downloads\tdsskiller.exe
2017-03-07 18:50 - 2017-03-08 07:27 - 00000000 ____D C:\ProgramData\HitmanPro
2017-03-07 18:49 - 2017-03-07 18:50 - 11581544 _____ (SurfRight B.V.) C:\Users\bruker\Downloads\1hitmanpro_x64.exe
2017-03-07 17:12 - 2017-03-07 17:12 - 00000000 _____ C:\Users\bruker\Desktop\mormor1994.txt
2017-03-07 09:28 - 2017-03-07 09:28 - 00000000 ____D C:\Users\bruker\Documents\Virtual Machines
2017-03-07 09:25 - 2017-03-07 09:31 - 00000000 ____D C:\Users\bruker\AppData\Roaming\VMware
2017-03-07 09:25 - 2016-11-11 23:16 - 00088128 _____ (VMware, Inc.) C:\windows\system32\Drivers\vmx86.sys
2017-03-07 09:25 - 2016-09-30 01:12 - 00091712 _____ (VMware, Inc.) C:\windows\system32\Drivers\vsock.sys
2017-03-07 09:25 - 2016-09-30 01:12 - 00069104 _____ (VMware, Inc.) C:\windows\system32\vsocklib.dll
2017-03-07 09:25 - 2016-09-30 01:12 - 00065016 _____ (VMware, Inc.) C:\windows\SysWOW64\vsocklib.dll
2017-03-07 09:24 - 2017-03-07 09:24 - 00001215 _____ C:\Users\Public\Desktop\VMware Workstation 12 Player.lnk
2017-03-07 09:24 - 2016-11-11 23:22 - 00400968 _____ (VMware, Inc.) C:\windows\SysWOW64\vmnat.exe
2017-03-07 09:24 - 2016-11-11 23:22 - 00366664 _____ (VMware, Inc.) C:\windows\SysWOW64\vmnetdhcp.exe
2017-03-07 09:24 - 2016-11-11 23:21 - 01148488 _____ (VMware, Inc.) C:\windows\system32\vnetlib64.dll
2017-03-07 09:24 - 2016-11-11 23:05 - 00066624 _____ (VMware, Inc.) C:\windows\system32\vnetinst.dll
2017-03-07 09:24 - 2016-11-11 23:05 - 00045632 _____ (VMware, Inc.) C:\windows\system32\Drivers\vmnet.sys
2017-03-07 09:24 - 2016-11-11 23:05 - 00044096 _____ (VMware, Inc.) C:\windows\system32\Drivers\vmnetuserif.sys
2017-03-07 09:24 - 2016-09-06 18:48 - 00083008 _____ (VMware, Inc.) C:\windows\system32\Drivers\hcmon.sys
2017-03-04 11:44 - 2017-03-04 11:44 - 00346704 _____ C:\windows\system32\FNTCACHE.DAT
2017-03-04 11:15 - 2017-03-04 11:15 - 00000000 ____D C:\Users\bruker\AppData\Local\ElevatedDiagnostics
2017-03-04 07:03 - 2017-03-04 07:15 - 1684013056 _____ C:\Users\bruker\Downloads\linuxmint-18.1-cinnamon-32bit.iso
2017-03-04 07:00 - 2017-03-07 10:53 - 00000000 ____D C:\Users\bruker\AppData\Local\VMware
2017-03-04 06:59 - 2017-03-11 20:56 - 00000000 ____D C:\ProgramData\VMware
2017-03-04 06:59 - 2017-03-04 06:59 - 00000000 ____D C:\Program Files\Common Files\VMware
2017-03-04 06:59 - 2017-03-04 06:59 - 00000000 ____D C:\Program Files (x86)\VMware
2017-03-04 06:57 - 2017-03-04 06:57 - 78312488 _____ (VMware, Inc.) C:\Users\bruker\Downloads\VMware-player-12.5.2-4638234.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-13 17:47 - 2017-01-14 15:57 - 00000000 ____D C:\Users\bruker\AppData\LocalLow\Mozilla
2017-03-13 17:41 - 2017-01-14 00:03 - 00003936 _____ C:\windows\System32\Tasks\User_Feed_Synchronization-{B2429706-9735-4103-8538-53164E5E1D4B}
2017-03-13 16:35 - 2017-01-13 23:56 - 00000000 ____D C:\Users\bruker\AppData\Local\SweetLabs App Platform
2017-03-13 16:33 - 2017-01-13 23:57 - 00000000 __SHD C:\Users\bruker\IntelGraphicsProfiles
2017-03-12 12:08 - 2017-01-14 00:03 - 00003600 _____ C:\windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2423566268-3429370631-2639371571-1001
2017-03-12 11:02 - 2017-01-13 23:57 - 00000000 ____D C:\Users\bruker\AppData\Local\Packages
2017-03-12 11:02 - 2013-08-22 16:36 - 00000000 ___HD C:\Program Files\WindowsApps
2017-03-12 11:02 - 2013-08-22 16:36 - 00000000 ____D C:\windows\AppReadiness
2017-03-11 22:59 - 2015-03-10 13:34 - 00000000 ____D C:\ProgramData\CyberLink
2017-03-11 22:46 - 2015-03-10 11:58 - 00453632 _____ C:\windows\system32\perfh014.dat
2017-03-11 22:46 - 2015-03-10 11:58 - 00078798 _____ C:\windows\system32\perfc014.dat
2017-03-11 22:46 - 2014-03-18 10:53 - 01389364 _____ C:\windows\system32\PerfStringBackup.INI
2017-03-11 22:46 - 2013-08-22 14:36 - 00000000 ____D C:\windows\Inf
2017-03-11 20:55 - 2017-01-14 16:37 - 650676046 _____ C:\windows\MEMORY.DMP
2017-03-11 20:55 - 2017-01-14 16:37 - 00000000 ____D C:\windows\Minidump
2017-03-11 20:55 - 2013-08-22 15:45 - 00000006 ____H C:\windows\Tasks\SA.DAT
2017-03-11 17:58 - 2015-03-10 13:26 - 00002560 _____ C:\windows\system32\VfService.trf
2017-03-11 17:56 - 2017-01-16 04:06 - 135657872 ____C (Microsoft Corporation) C:\windows\system32\MRT.exe
2017-03-11 17:16 - 2017-01-14 15:55 - 00000000 ____D C:\Users\bruker\AppData\Local\Lenovo
2017-03-11 17:13 - 2015-03-10 13:24 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lenovo
2017-03-11 17:13 - 2015-03-10 13:01 - 00000000 ____D C:\Program Files (x86)\Lenovo
2017-03-11 11:45 - 2017-01-14 15:57 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-03-11 11:45 - 2017-01-14 15:56 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-03-11 11:44 - 2013-08-22 14:25 - 00262144 ___SH C:\windows\system32\config\BBI
2017-03-09 14:02 - 2017-01-14 00:06 - 00000000 ____D C:\Users\bruker\AppData\Local\Adobe
2017-03-07 20:48 - 2013-08-22 16:36 - 00000000 ____D C:\windows\system32\NDF
2017-03-07 09:24 - 2015-03-10 12:36 - 01408180 _____ C:\windows\SysWOW64\PerfStringBackup.INI
2017-03-05 00:08 - 2013-08-22 16:36 - 00000000 ____D C:\windows\rescache
2017-03-04 15:56 - 2015-03-10 12:59 - 00000000 ____D C:\ProgramData\Lenovo
2017-03-04 14:49 - 2013-08-22 16:20 - 00000000 ____D C:\windows\CbsTemp
2017-03-04 14:47 - 2015-03-10 11:52 - 00000000 ____D C:\windows\SysWOW64\XPSViewer
2017-03-04 14:47 - 2014-03-18 10:38 - 00000000 ____D C:\Program Files\Windows Journal
2017-03-04 14:47 - 2014-03-18 10:25 - 00000000 ____D C:\windows\SysWOW64\winrm
2017-03-04 14:47 - 2014-03-18 10:25 - 00000000 ____D C:\windows\SysWOW64\WCN
2017-03-04 14:47 - 2014-03-18 10:25 - 00000000 ____D C:\windows\SysWOW64\slmgr
2017-03-04 14:47 - 2014-03-18 10:25 - 00000000 ____D C:\windows\SysWOW64\Printing_Admin_Scripts
2017-03-04 14:47 - 2014-03-18 10:25 - 00000000 ____D C:\windows\system32\winrm
2017-03-04 14:47 - 2014-03-18 10:25 - 00000000 ____D C:\windows\system32\WCN
2017-03-04 14:47 - 2014-03-18 10:25 - 00000000 ____D C:\windows\system32\slmgr
2017-03-04 14:47 - 2014-03-18 10:25 - 00000000 ____D C:\windows\system32\Printing_Admin_Scripts
2017-03-04 14:47 - 2013-08-22 16:36 - 00000000 ___RD C:\windows\ImmersiveControlPanel
2017-03-04 14:47 - 2013-08-22 16:36 - 00000000 ____D C:\windows\WinStore
2017-03-04 14:47 - 2013-08-22 16:36 - 00000000 ____D C:\windows\SysWOW64\MUI
2017-03-04 14:47 - 2013-08-22 16:36 - 00000000 ____D C:\windows\SysWOW64\Com
2017-03-04 14:47 - 2013-08-22 16:36 - 00000000 ____D C:\windows\system32\MUI
2017-03-04 14:47 - 2013-08-22 16:36 - 00000000 ____D C:\windows\system32\migwiz
2017-03-04 14:47 - 2013-08-22 16:36 - 00000000 ____D C:\windows\PolicyDefinitions
2017-03-04 14:47 - 2013-08-22 16:36 - 00000000 ____D C:\windows\IME
2017-03-04 14:47 - 2013-08-22 16:36 - 00000000 ____D C:\Program Files\Windows Photo Viewer
2017-03-04 14:47 - 2013-08-22 16:36 - 00000000 ____D C:\Program Files\Windows Defender
2017-03-04 14:47 - 2013-08-22 16:36 - 00000000 ____D C:\Program Files\Common Files\System
2017-03-04 14:47 - 2013-08-22 16:36 - 00000000 ____D C:\Program Files (x86)\Windows Photo Viewer
2017-03-04 14:47 - 2013-08-22 16:36 - 00000000 ____D C:\Program Files (x86)\Windows Defender
2017-03-04 14:47 - 2013-08-22 14:36 - 00000000 ____D C:\windows\SysWOW64\oobe
2017-03-04 14:47 - 2013-08-22 14:36 - 00000000 ____D C:\windows\SysWOW64\Dism
2017-03-04 14:47 - 2013-08-22 14:36 - 00000000 ____D C:\windows\system32\Sysprep
2017-03-04 14:47 - 2013-08-22 14:36 - 00000000 ____D C:\windows\system32\oobe
2017-03-04 14:47 - 2013-08-22 14:36 - 00000000 ____D C:\windows\system32\Dism
2017-03-04 14:47 - 2013-08-22 14:36 - 00000000 ____D C:\windows\servicing
2017-03-04 14:46 - 2013-08-22 16:36 - 00000000 ____D C:\windows\system32\SystemResetPlatform
2017-03-04 14:46 - 2013-08-22 16:36 - 00000000 ____D C:\windows\system32\Com
2017-03-04 14:46 - 2013-08-22 16:36 - 00000000 ____D C:\windows\Help
2017-03-04 11:44 - 2017-01-13 23:56 - 00000000 ____D C:\Users\bruker
2017-03-04 11:42 - 2015-03-10 12:48 - 00000000 ___HD C:\windows\system32\WLANProfiles
2017-03-04 11:42 - 2013-08-22 16:36 - 00000000 __RSD C:\windows\Media
2017-03-04 11:42 - 2013-08-22 16:36 - 00000000 ____D C:\windows\system32\ras
2017-03-04 11:42 - 2013-08-22 16:36 - 00000000 ____D C:\windows\system32\icsxml
2017-03-04 11:42 - 2013-08-22 16:36 - 00000000 ____D C:\windows\system32\ias
2017-03-04 11:42 - 2013-08-22 16:36 - 00000000 ____D C:\windows\MediaViewer
2017-03-04 11:42 - 2013-08-22 16:36 - 00000000 ____D C:\windows\FileManager
2017-03-04 11:42 - 2013-08-22 16:36 - 00000000 ____D C:\windows\Camera
2017-03-04 11:41 - 2017-01-30 13:45 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2017-03-04 11:41 - 2017-01-15 18:33 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Intel Driver Update Utility
2017-03-04 11:41 - 2017-01-14 00:01 - 00000000 ____D C:\ProgramData\OneKey Optimizer
2017-03-04 11:27 - 2013-08-22 16:36 - 00000000 ____D C:\windows\registration
2017-03-04 06:58 - 2013-08-22 16:36 - 00000000 ____D C:\Program Files\Common Files\microsoft shared

==================== Files in the root of some directories =======

2015-03-10 12:37 - 2015-03-10 12:37 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

Some files in TEMP:
====================
2017-03-11 14:25 - 2017-03-07 18:50 - 11581544 _____ (SurfRight B.V.) C:\Users\bruker\AppData\Local\Temp\HitmanPro.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\windows\system32\winlogon.exe => File is digitally signed
C:\windows\system32\wininit.exe => File is digitally signed
C:\windows\explorer.exe => File is digitally signed
C:\windows\SysWOW64\explorer.exe => File is digitally signed
C:\windows\system32\svchost.exe => File is digitally signed
C:\windows\SysWOW64\svchost.exe => File is digitally signed
C:\windows\system32\services.exe => File is digitally signed
C:\windows\system32\User32.dll => File is digitally signed
C:\windows\SysWOW64\User32.dll => File is digitally signed
C:\windows\system32\userinit.exe => File is digitally signed
C:\windows\SysWOW64\userinit.exe => File is digitally signed
C:\windows\system32\rpcss.dll => File is digitally signed
C:\windows\system32\dnsapi.dll => File is digitally signed
C:\windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-03-13 12:44

==================== End of FRST.txt ============================

Offline fkpc1

Re: [In Progress] possible rootkit
« Reply #6 on: March 13, 2017, 11:01:00 AM »
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 12-03-2017
Ran by bruker (13-03-2017 17:53:10)
Running from C:\Users\bruker\Desktop
Windows 8.1 (Update) (X64) (2017-01-13 22:56:34)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-2423566268-3429370631-2639371571-500 - Administrator - Disabled)
bruker (S-1-5-21-2423566268-3429370631-2639371571-1001 - Administrator - Enabled) => C:\Users\bruker
Gjest (S-1-5-21-2423566268-3429370631-2639371571-501 - Limited - Enabled) => C:\Users\Gjest

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

. . . (Version: 2.1.28.3 - Intel) Hidden
. . . (x32 Version: 2.6.2.4 - Intel) Hidden
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 18.0.0.144 - Adobe Systems Incorporated)
CCleaner (HKLM\...\CCleaner) (Version: 5.26 - Piriform)
CCSDK (HKLM-x32\...\{AE75190B-11B4-4F90-8254-DAB275CF2557}_is1) (Version: 1.1.0.7 - Lenovo)
Conexant HD Audio (HKLM\...\CNXT_AUDIO_HDA) (Version: 8.65.55.52 - Conexant)
CyberLink Power2Go 8 (HKLM-x32\...\InstallShield_{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}) (Version: 8.0.0.4505 - CyberLink Corp.)
CyberLink PowerDirector 10 (HKLM-x32\...\InstallShield_{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}) (Version: 10.0.0.2810 - CyberLink Corp.)
CyberLink PowerDirector 10 (Version: 10.0.0.2810 - CyberLink Corp.) Hidden
Dependency Package Update (Version: 1.6.29.00 - Lenovo Inc.) Hidden
Dependency Package Update (Version: 1.6.38.00 - Lenovo Inc.) Hidden
Dependency Package Update (x32 Version: 1.6.32.00 - Lenovo Group Limited) Hidden
Dependency Package Update (x32 Version: 1.6.38.00 - Lenovo Group Limited) Hidden
Dependency Package Update (x32 Version: 1.6.38.01 - Lenovo Group Limited) Hidden
Dolby Digital Plus Advanced Audio (HKLM\...\{B0BFC63F-EA07-419E-960B-3FB2ED5DD0B2}) (Version: 7.5.1.1 - Dolby Laboratories Inc)
HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.15.281 - SurfRight B.V.)
Host App Service (HKU\S-1-5-21-2423566268-3429370631-2639371571-1001\...\SweetLabs_AP) (Version: 0.269.8.114 - Pokki)
Intel(R) Chipset Device Software (x32 Version: 10.0.22 - Intel(R) Corporation) Hidden
Intel(R) Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1008 - Intel Corporation)
Intel(R) Management Engine Components (HKLM\...\{1CEAC85D-2590-4760-800F-8DE5E91F3700}) (Version: 10.0.28.1006 - Intel Corporation)
Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.14.4414 - Intel Corporation)
Intel(R) Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 13.5.0.1056 - Intel Corporation)
Intel(R) Update Manager (HKLM-x32\...\{84A2B59B-6A7B-4C01-8592-15C9BFE6AC36}) (Version: 2.4.3 - Intel Corporation)
Intel(R) Wireless Bluetooth(R) (HKLM-x32\...\{33CC8A21-60F6-4338-9CF4-208F424CC57E}) (Version: 19.30.1649.0949 - Intel Corporation)
Intel® Driver Update Utility (HKLM-x32\...\{66e8e99a-eb6f-4403-9fc2-0ddd4d6f353e}) (Version: 2.6.2.4 - Intel)
Intel® PROSet/Wireless-programvare (HKLM-x32\...\{aa2c2346-d0c0-4d3e-9ab1-11a48b4cb9f3}) (Version: 19.20.3 - Intel Corporation)
Lenovo Dependency Package (HKLM\...\Lenovo Dependency Package_is1) (Version: 1.6.38.00 - Lenovo Group Limited)
Lenovo EasyCamera (HKLM-x32\...\{E0A7ED39-8CD6-4351-93C3-69CCA00D12B4}) (Version: 6.2.9200.10292 - Realtek Semiconductor Corp.)
Lenovo Experience Improvement (HKLM\...\LenovoExperienceImprovement) (Version: 1.1.12.0 - Lenovo)
Lenovo FusionEngine  (HKLM-x32\...\Lenovo FusionEngine) (Version: 1.0.13.0 - Lenovo, Inc.)
Lenovo Mobile Phone Wireless Import (HKLM-x32\...\InstallShield_{DFB2E0D6-8DDE-49A4-B8F7-03C14DACCBA6}) (Version: 1.1.1.9 - Lenovo)
Lenovo Mobile Phone Wireless Import (x32 Version: 1.1.1.9 - Lenovo) Hidden
Lenovo OneKey Recovery (HKLM-x32\...\InstallShield_{46F4D124-20E5-4D12-BE52-EC177A7A4B42}) (Version: 8.1.0.2619 - CyberLink Corp.)
Lenovo OneKey Recovery (Version: 8.1.0.2619 - CyberLink Corp.) Hidden
Lenovo Patch Utility (x32 Version: 1.3.2.6 - Lenovo Group Limited) Hidden
Lenovo Patch Utility 64 bit (Version: 1.3.2.6 - Lenovo Group Limited) Hidden
Lenovo PhoneCompanion (HKLM-x32\...\InstallShield_{0F82EA83-B0C5-4AB9-9695-DFE92C5FD57B}) (Version: 2.0.0.19 - Lenovo)
Lenovo PhoneCompanion (x32 Version: 2.0.0.19 - Lenovo) Hidden
Lenovo Photo Master (HKLM-x32\...\InstallShield_{BC94C56A-3649-420C-8756-2ADEBE399D33}) (Version: 1.0.1826.01 - CyberLink Corp.)
Lenovo Photo Master (x32 Version: 1.0.1826.01 - CyberLink Corp.) Hidden
Lenovo PowerDVD10 (HKLM-x32\...\InstallShield_{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}) (Version: 10.0.6806.52 - CyberLink Corp.)
Lenovo PowerDVD10 (x32 Version: 10.0.6806.52 - CyberLink Corp.) Hidden
Lenovo Settings - Camera Audio (HKLM\...\{88C6A6D9-324C-46E8-BA87-563D14021442}_is1) (Version: 4.3.5.0 - Lenovo Corporation)
Lenovo Settings (HKLM\...\{D14CCBF5-1A3A-4C08-955B-BE6D519835C4}_is1) (Version: 2.0.0.4 - Lenovo)
Lenovo Settings Dependency Package (HKLM\...\{3694BA2E-BE31-4B7E-886B-A0B559E69D4D}_is1) (Version: 2.3.1.28 - Lenovo Group Limited)
Lenovo Settings Service (HKLM\...\{8C6F1EBA-17F1-4481-B688-9777E63E985F}_is1) (Version: 2.3.0.20 - Lenovo Group Limited)
Lenovo Settings UMDF driver (HKLM\...\{2BDC7413-65EA-4B99-8C4B-02F11075BE6D}_is1) (Version: 1.2.0.6 - Lenovo Group Limited)
Lenovo Settings WiFi (HKLM\...\{86045A6C-C156-4349-A3E2-47A88A42F5C2}_is1) (Version: 2.0.0.2 - Lenovo)
Lenovo SHAREit (HKLM-x32\...\Lenovo SHAREit_is1) (Version: 2.0.5.0 - Lenovo Group Limited)
Lenovo Solution Center (HKLM\...\{4C2B6F96-3AED-4E3F-8DCE-917863D1E6B1}) (Version: 2.7.003.00 - Lenovo Group Limited)
Lenovo VeriFace Pro (HKLM\...\Lenovo VeriFace) (Version: 5.1.14.6181 - Lenovo)
Lenovo Web Start (HKU\S-1-5-21-2423566268-3429370631-2639371571-1001\...\Pokki_04bb6df446330549a2cb8d67fbd1a745025b7bd1) (Version: 1.0.2.53457 - Pokki)
LenovoUtility (HKLM-x32\...\InstallShield_{6ADA7E88-8D16-4D0D-BC90-2B93AC5E56DA}) (Version: 2.0.0.5 - Lenovo)
LenovoUtility (x32 Version: 2.0.0.5 - Lenovo) Hidden
Maxthon Cloud Browser (HKLM-x32\...\Maxthon3) (Version: 4.4.2.2000 - Maxthon International Limited)
Metric Collection SDK 35 (x32 Version: 1.2.0001.00 - Lenovo Group Limited) Hidden
Microsoft Office (HKLM-x32\...\{90150000-0138-0409-0000-0000000FF1CE}) (Version: 15.0.4641.3004 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Mozilla Firefox 52.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 52.0 (x86 en-US)) (Version: 52.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 52.0.0.6270 - Mozilla)
OneKey Optimizer (HKLM-x32\...\InstallShield_{D5D573DC-D989-4769-9B56-D6A7EA503D7F}) (Version: 1.1.20.16 - Lenovo)
OneKey Optimizer (x32 Version: 1.1.20.16 - Lenovo) Hidden
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 6.3.9600.39059 - Realtek Semiconductor Corp.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 8.33.529.2014 - Realtek)
Start Menu (HKU\S-1-5-21-2423566268-3429370631-2639371571-1001\...\SweetLabs_Start_Menu) (Version: 0.269.8.114 - Pokki)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 18.0.7.132 - Synaptics Incorporated)
User Manuals (HKLM-x32\...\InstallShield_{F07C2CF8-4C53-4EC3-8162-A6221E36EB88}) (Version: 3.0.0.3 - Lenovo)
User Manuals (x32 Version: 3.0.0.3 - Lenovo) Hidden
VMware Player (HKLM\...\{6D211A09-EB2A-4B83-ACCB-13B1BC12AF4E}) (Version: 12.5.2 - VMware, Inc.)
Windows Driver Package - Lenovo (ACPIVPC) System  (09/24/2013 19.29.2.34) (HKLM\...\EE9B1F2037C580F36D92FA431CC02BFF04C31F15) (Version: 09/24/2013 19.29.2.34 - Lenovo)
Windows Driver Package - Lenovo (WUDFRd) LenovoVhid  (07/25/2013 10.30.0.288) (HKLM\...\6BCA401E9CBEED970D75F55FA5320F60D11984E9) (Version: 07/25/2013 10.30.0.288 - Lenovo)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-2423566268-3429370631-2639371571-1001_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\windows\system32\igfxEM.exe (Intel Corporation)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {1700397D-6635-45D0-A374-81E1C5C616CF} - System32\Tasks\IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473 => C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\iumsvc.exe [2014-04-09] ()
Task: {190E36B5-64EC-4082-A0A5-FD2253F1C153} - System32\Tasks\OFFICE2013ACT => C:\ProgramData\Office2013\OFFICEICON.vbs [2013-06-03] ()
Task: {196C199A-A4C0-412D-93E3-F14A43E0AAA9} - System32\Tasks\Lenovo\Dependency Package Auto Update => C:\Program Files\Lenovo\iMController\AutoUpdate.exe [2015-12-14] ()
Task: {270D2904-4009-41BD-A54C-526FC6011111} - System32\Tasks\Lenovo\LSC\LSCHardwareScan => C:\Program Files\Lenovo\Lenovo Solution Center\LSC.exe [2014-10-17] ()
Task: {3FCA37D8-817A-4FD8-B6DA-4F6137F38BF9} - System32\Tasks\Lenovo\Lenovo Customer Feedback Program 64 35 => C:\Program Files (x86)\Lenovo\Customer Feedback Program 35\Lenovo.TVT.CustomerFeedback.Agent35.exe [2014-05-30] (Lenovo)
Task: {49B8E9E8-7C0C-4817-8664-5AFE181DF97D} - System32\Tasks\Lenovo\Experience Improvement => C:\Program Files\Lenovo\ExperienceImprovement\LenovoExperienceImprovement.exe [2017-01-15] (Lenovo)
Task: {4A640F26-6D3C-43C6-BE27-FF2015CF8BC0} - System32\Tasks\USER_ESRV_SVC_QUEENCREEK => Wscript.exe //B //NoLogo "C:\Program Files\Intel\SUR\QUEENCREEK\task.vbs"
Task: {6760203C-1963-4406-8717-C4BE4F90F477} - System32\Tasks\PDVDServ Task => C:\Program Files (x86)\Lenovo\PowerDVD10\PDVD10Serv.EXE [2013-03-08] (CyberLink Corp.)
Task: {736DDA93-0598-401C-A569-D667A4196A12} - System32\Tasks\Intel\Intel Telemetry 2 => C:\Program Files\Intel\Telemetry 2.0\lrio.exe [2016-03-17] (Intel Corporation)
Task: {75476E85-FE5E-45A6-81E1-8E42C0CF66A4} - System32\Tasks\IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473-Logon => C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\iumsvc.exe [2014-04-09] ()
Task: {86059797-E31A-4035-92EE-65D4770868F7} - System32\Tasks\SweetLabs App Platform => C:\Users\bruker\AppData\Local\SweetLabs App Platform\Engine\ServiceHostAppUpdater.exe [2016-11-16] (Pokki)
Task: {8DCB437F-07E0-4FFE-BCF7-97818DE460BC} - System32\Tasks\Maxthon Update => C:\Program Files (x86)\Maxthon\Bin\Maxthon.exe [2014-09-11] (Maxthon International ltd.)
Task: {9BC7E8E9-2E2F-47E3-A4BE-80BA534C113A} - System32\Tasks\Lenovo\LSC\Lenovo Solution Center Notifications => C:\Program Files\Lenovo\Lenovo Solution Center\LSCNotify.exe [2014-10-17] (Lenovo)
Task: {B3734F07-A2E7-4980-8BBC-4A5BB0661CF9} - System32\Tasks\Lenovo\Lenovo Customer Feedback Program 64 => C:\Program Files (x86)\Lenovo\Customer Feedback Program\Lenovo.TVT.CustomerFeedback.Agent.exe [2014-09-02] (Lenovo)
Task: {B71B665E-C258-47A6-94C6-27789E1AEC28} - System32\Tasks\Lenovo\Lenovo Customer Feedback Program => C:\Program Files\Lenovo\Customer Feedback Program\Lenovo.TVT.CustomerFeedback.Agent.exe [2014-10-17] (Lenovo)
Task: {D147A058-6B52-4DC9-8001-B24C0D19D248} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_ERROR_HB => C:\windows\system32\MRT.exe [2017-03-11] (Microsoft Corporation)
Task: {EA14572F-C8E1-4F6A-8928-15FBA991D0CB} - System32\Tasks\Lenovo\LSC\LSCHardwareScanPostpone => C:\Program Files\Lenovo\Lenovo Solution Center\LSC.exe [2014-10-17] ()
Task: {F1253C49-3FEC-4A91-825A-4DF94942F276} - System32\Tasks\Lenovo\Lenovo Solution Center Launcher => C:\Program Files\lenovo\lenovo solution center\App\LSCService.exe [2014-10-17] (Lenovo)
Task: {F5CD9FD0-0110-4E9A-B5CA-4D60140566C5} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2016-12-21] (Piriform Ltd)
Task: {FC09625A-95BF-44E6-A81E-338E0CB6E101} - System32\Tasks\Microsoft\Windows\PLA\LSC Memory => Rundll32.exe C:\windows\system32\pla.dll,PlaHost "LSC Memory" "$(Arg0)"

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2015-03-10 13:43 - 2014-11-20 18:43 - 00016920 _____ () C:\Program Files\Lenovo\OneKey Optimizer\bin\FbServicePS.dll
2015-03-10 13:40 - 2015-03-10 13:40 - 00133440 _____ () C:\Program Files\Lenovo PhoneCompanion\LPAWDService.exe
2015-03-10 13:30 - 2012-04-24 11:43 - 00390632 _____ () C:\Program Files\CyberLink\Shared files\RichVideo64.exe
2016-11-17 22:05 - 2016-11-17 22:05 - 00156928 _____ () C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe
2016-11-17 22:05 - 2016-11-17 22:05 - 00111360 _____ () C:\Program Files\Intel Driver Update Utility\SUR\Common.dll
2016-11-17 22:05 - 2016-11-17 22:05 - 00274176 _____ () C:\Program Files\Intel Driver Update Utility\SUR\analyzer.dll
2015-03-10 13:26 - 2015-03-10 13:26 - 00068880 _____ () C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe
2015-03-10 13:26 - 2015-03-10 13:26 - 00672016 _____ () C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfDataStorageInterface.dll
2015-03-10 13:25 - 2014-10-22 18:15 - 00644080 _____ () C:\Program Files (x86)\Lenovo\CCSDK\CCSDK.exe
2015-03-10 13:43 - 2014-11-17 23:35 - 00036632 _____ () C:\Program Files\Lenovo\OneKey Optimizer\bin\Metric.dll
2015-03-10 13:43 - 2014-11-17 23:35 - 00166680 _____ () C:\Program Files\Lenovo\OneKey Optimizer\bin\Lenovo.MetricCollectionMFCx64.dll
2015-03-09 19:41 - 2016-05-12 22:12 - 00382072 _____ () C:\windows\system32\igfxTray.exe
2015-03-10 13:25 - 2014-10-22 18:15 - 00410096 _____ () C:\Program Files (x86)\Lenovo\CCSDK\WinGather.exe
2015-03-10 12:37 - 2010-10-26 05:40 - 00049056 _____ () C:\Program Files\CONEXANT\ForteConfig\fmapp.exe
2015-03-10 13:25 - 2015-03-10 13:25 - 00791368 _____ () C:\Program Files\Lenovo\LenovoUtility\utility.exe
2015-03-10 13:25 - 2015-03-10 13:25 - 00097048 _____ () C:\Program Files\Lenovo\LenovoUtility\kbdhook.dll
2015-03-10 13:43 - 2014-11-17 23:35 - 00041240 _____ () C:\Program Files\Lenovo\OneKey Optimizer\bin\res_NO_Norwegian_NOR.dll
2015-03-10 13:43 - 2014-11-20 18:43 - 00159256 _____ () C:\Program Files\Lenovo\OneKey Optimizer\bin\FbApi.dll
2015-03-10 13:43 - 2014-11-17 23:35 - 00036120 _____ () C:\Program Files\Lenovo\OneKey Optimizer\bin\zd.dll
2015-03-10 13:43 - 2015-03-10 13:43 - 00019232 _____ () C:\windows\Microsoft.Net\assembly\GAC_MSIL\Lenovo.MetricCollectionSDK\v4.0_1.1.9.0__d43be3ee47b19ecb\Lenovo.MetricCollectionSDK.dll
2014-04-09 19:29 - 2014-04-09 19:29 - 00174368 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\iumsvc.exe
2014-09-03 19:03 - 2014-09-03 19:03 - 01241560 _____ () C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\ACE.dll
2015-03-10 13:31 - 2014-07-04 05:35 - 00627672 _____ () C:\Program Files (x86)\Lenovo\Power2Go\CLMediaLibrary.dll
2014-07-04 20:35 - 2014-07-04 20:35 - 00016856 _____ () C:\Program Files (x86)\Lenovo\Power2Go\CLMLSvcPS.dll
2016-11-16 00:02 - 2016-11-16 00:02 - 00569856 _____ () C:\Users\bruker\AppData\Local\SweetLabs App Platform\Engine\ppGoogleNaClPluginChrome.dll
2016-11-16 00:02 - 2016-11-16 00:02 - 01400846 _____ () C:\Users\bruker\AppData\Local\SweetLabs App Platform\Engine\avcodec-54.dll
2016-11-16 00:02 - 2016-11-16 00:02 - 00151054 _____ () C:\Users\bruker\AppData\Local\SweetLabs App Platform\Engine\avutil-51.dll
2016-11-16 00:02 - 2016-11-16 00:02 - 00222734 _____ () C:\Users\bruker\AppData\Local\SweetLabs App Platform\Engine\avformat-54.dll
2014-04-09 19:30 - 2014-04-09 19:30 - 00041248 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\win32api.pyd
2014-04-09 19:29 - 2014-04-09 19:29 - 00059680 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\pywintypes27.dll
2014-04-09 19:29 - 2014-04-09 19:29 - 00119072 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\pythoncom27.dll
2014-04-09 19:29 - 2014-04-09 19:29 - 00562464 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\urlmon.dll
2014-04-09 19:29 - 2014-04-09 19:29 - 00401184 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\iertutil.dll
2014-04-09 19:29 - 2014-04-09 19:29 - 00412448 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\WININET.dll
2014-04-09 19:30 - 2014-04-09 19:30 - 00020256 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\_multiprocessing.pyd
2014-04-09 19:30 - 2014-04-09 19:30 - 00025376 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\win32service.pyd
2014-04-09 19:30 - 2014-04-09 19:30 - 00022816 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\servicemanager.pyd
2014-04-09 19:30 - 2014-04-09 19:30 - 00018208 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\win32event.pyd
2014-04-09 19:30 - 2014-04-09 19:30 - 00027424 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\_socket.pyd
2014-04-09 19:30 - 2014-04-09 19:30 - 00277280 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\_ssl.pyd
2014-04-09 19:30 - 2014-04-09 19:30 - 00113952 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\_hashlib.pyd
2014-04-09 19:30 - 2014-04-09 19:30 - 00016672 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\select.pyd
2014-04-09 19:30 - 2014-04-09 19:30 - 00040736 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\_ctypes.pyd
2014-04-09 19:30 - 2014-04-09 19:30 - 00023328 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\win32process.pyd
2014-04-09 19:30 - 2014-04-09 19:30 - 00020256 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\win32ts.pyd
2014-04-09 19:30 - 2014-04-09 19:30 - 00018720 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\win32profile.pyd
2014-04-09 19:30 - 2014-04-09 19:30 - 00042784 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\win32security.pyd
2014-04-09 19:30 - 2014-04-09 19:30 - 00336160 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\_bsddb.pyd
2014-04-09 19:30 - 2014-04-09 19:30 - 00023328 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\win32evtlog.pyd
2014-04-09 19:30 - 2014-04-09 19:30 - 00024864 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\win32inet.pyd
2014-04-09 19:29 - 2014-04-09 19:29 - 00021280 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\EnvironmentID.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\30129027.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\45627861.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\30129027.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\45627861.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 14:25 - 2013-08-22 14:25 - 00000824 ____A C:\windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2423566268-3429370631-2639371571-1001\Control Panel\Desktop\\Wallpaper -> C:\windows\Web\Wallpaper\Lenovo\LenovoWallPaper.jpg
DNS Servers: 193.213.112.4 - 130.67.15.198
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

HKLM\...\StartupApproved\Run: => "PhoneCompanion"
HKU\S-1-5-21-2423566268-3429370631-2639371571-1001\...\StartupApproved\Run: => "CCleaner Monitoring"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{FD7B10FD-344B-4511-A3D6-625DAC42460B}] => (Allow) %USERPROFILE%\Downloads\1hitmanpro_x64.exe
FirewallRules: [{6C016D34-6D5F-4C36-9B82-D68284C688D3}] => (Allow) %USERPROFILE%\Downloads\1hitmanpro_x64.exe

==================== Restore Points =========================

07-03-2017 09:22:54 Installed VMware Player

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (03/13/2017 12:18:16 AM) (Source: lupdate) (EventID: 0) (User: )
Description: Event-ID 0

Error: (03/13/2017 12:18:16 AM) (Source: lupdate) (EventID: 0) (User: )
Description: Event-ID 0

Error: (03/12/2017 06:37:53 PM) (Source: lupdate) (EventID: 0) (User: )
Description: Event-ID 0

Error: (03/12/2017 06:37:53 PM) (Source: lupdate) (EventID: 0) (User: )
Description: Event-ID 0

Error: (03/12/2017 02:55:02 PM) (Source: lupdate) (EventID: 0) (User: )
Description: Event-ID 0

Error: (03/12/2017 02:55:02 PM) (Source: lupdate) (EventID: 0) (User: )
Description: Event-ID 0

Error: (03/12/2017 11:37:39 AM) (Source: lupdate) (EventID: 0) (User: )
Description: Event-ID 0

Error: (03/12/2017 11:37:39 AM) (Source: lupdate) (EventID: 0) (User: )
Description: Event-ID 0

Error: (03/11/2017 09:16:21 PM) (Source: lupdate) (EventID: 0) (User: )
Description: Event-ID 0

Error: (03/11/2017 09:16:20 PM) (Source: lupdate) (EventID: 0) (User: )
Description: Event-ID 0


System errors:
=============
Error: (03/13/2017 05:22:17 PM) (Source: DCOM) (EventID: 10010) (User: Lenovo-PC)
Description: The server {1B1F472E-3221-4826-97DB-2C2324D389AE} did not register with DCOM within the required timeout.

Error: (03/13/2017 05:21:45 PM) (Source: DCOM) (EventID: 10010) (User: Lenovo-PC)
Description: The server {BF6C1E47-86EC-4194-9CE5-13C15DCB2001} did not register with DCOM within the required timeout.

Error: (03/13/2017 12:45:16 PM) (Source: DCOM) (EventID: 10010) (User: Lenovo-PC)
Description: The server {1B1F472E-3221-4826-97DB-2C2324D389AE} did not register with DCOM within the required timeout.

Error: (03/13/2017 12:45:15 PM) (Source: DCOM) (EventID: 10010) (User: Lenovo-PC)
Description: The server {4545DEA0-2DFC-4906-A728-6D986BA399A9} did not register with DCOM within the required timeout.

Error: (03/13/2017 12:45:15 PM) (Source: DCOM) (EventID: 10010) (User: Lenovo-PC)
Description: The server {4545DEA0-2DFC-4906-A728-6D986BA399A9} did not register with DCOM within the required timeout.

Error: (03/13/2017 12:45:10 PM) (Source: DCOM) (EventID: 10010) (User: Lenovo-PC)
Description: The server {4545DEA0-2DFC-4906-A728-6D986BA399A9} did not register with DCOM within the required timeout.

Error: (03/13/2017 12:45:09 PM) (Source: DCOM) (EventID: 10010) (User: Lenovo-PC)
Description: The server {4545DEA0-2DFC-4906-A728-6D986BA399A9} did not register with DCOM within the required timeout.

Error: (03/13/2017 12:44:58 PM) (Source: DCOM) (EventID: 10010) (User: Lenovo-PC)
Description: The server {4545DEA0-2DFC-4906-A728-6D986BA399A9} did not register with DCOM within the required timeout.

Error: (03/13/2017 12:44:58 PM) (Source: DCOM) (EventID: 10010) (User: Lenovo-PC)
Description: The server {4545DEA0-2DFC-4906-A728-6D986BA399A9} did not register with DCOM within the required timeout.

Error: (03/13/2017 12:44:46 PM) (Source: DCOM) (EventID: 10010) (User: Lenovo-PC)
Description: The server {BF6C1E47-86EC-4194-9CE5-13C15DCB2001} did not register with DCOM within the required timeout.


==================== Memory info ===========================

Processor: Intel(R) Core(TM) i3-4030U CPU @ 1.90GHz
Percentage of memory in use: 51%
Total physical RAM: 4017.09 MB
Available physical RAM: 1955.1 MB
Total Virtual: 8113.09 MB
Available Virtual: 5631.89 MB

==================== Drives ================================

Drive c: (Windows8_OS) (Fixed) (Total:422.91 GB) (Free:381.77 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive d: (LENOVO) (Fixed) (Total:25 GB) (Free:24.93 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 3F946AB0)

Partition: GPT.

==================== End of Addition.txt ============================
Autodidacticism

Offline Hoov

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • Posts: 27122
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] possible rootkit
« Reply #7 on: March 14, 2017, 06:54:52 PM »
There is some evidence of some malware. So I need you to run a few scans. At first it might be the nitnoid kind of malware we get rid of, but we will get it all.

1.- Download AdwCleaner by Xplode onto your Desktop.
  • Please close all open programs and internet browsers.
  • Double click on Adwcleaner.exe to run the tool.
  • Click on the Scan button.
  • Please be patient as this can take a while to complete.
  • You will get a prompt asking to close all programs. Click OK.
  • Click OK again to reboot your computer. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Sn].txt.
2.- Download Junkware Removal Tool to your desktop.
  • Shutdown your antivirus to avoid any conflicts.
  • Run the tool by double-clicking it.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt in your next message.
3.- Please download RogueKiller and Save to the desktop.
  • Close all windows and browsers
  • Double click on RogueKiller.exe to run the tool.
  • Press the scan button.
  • A report opens on the desktop named - RKreport.txt
  • Please post it in your next reply.


Also I still need to see the GMER log. If you did not save it, go ahead and run it again and save it then post it with the above logs.

Former Consumer Security MVP
2011-2014

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Offline fkpc1

  • Bronze Member
  • Posts: 20
  • Ad eundum quo nemo ante iit
Re: [In Progress] possible rootkit
« Reply #8 on: March 15, 2017, 12:02:49 PM »
Hi

This might seem strange but every time I try to run GMER it crashes; I tried to download it again but it didn't help!
I only got this report:

GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-03-11 17:39:46
Windows 6.2.9200  x64 \Device\Harddisk0\DR0 -> \Device\00000034 WDC_WD5000LPCX-24C6HT0 rev.02.01A02 465,76GB
Running: rvl1qb3c.exe; Driver: C:\Users\bruker\AppData\Local\Temp\fxlyrpog.sys


---- Threads - GMER 2.2 ----

Thread  C:\windows\system32\csrss.exe [576:600]                                                                                                 fffff960009832d0

---- Registry - GMER 2.2 ----

Reg     HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime                                                                            0xDB 0xE3 0x35 0x8E ...
Reg     HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime                                                                               0xFD 0x0A 0x3D 0x8E ...
Reg     HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@nb-NO                                                                        25
Reg     HKLM\SYSTEM\CurrentControlSet\Control\CrashControl@LastCrashTime                                                                             0xAE 0xE0 0x72 0x21 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\CMN15B70_1E_07DD_8C^A1A9E0A1B6F92A66BCC6BBD88F2AA032@Timestamp           0x69 0xE3 0x02 0xE3 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid                                                                                             632
Reg     HKLM\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings@StringCacheGeneration                                                          62
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager\Defrag@TotalBytesSaved                                           0x00 0x50 0x13 0x00 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed                                                            -591347284
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID                                                                             7a3037b0-84a0-4f52-a3ba-cbe5860
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@GlassSessionId                                                                         2
Reg     HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName                                                                                  \BaseNamedObjects\WDI_{5cedc21f-02ed-42b8-b959-9ef808b3498d}
Reg     HKLM\SYSTEM\CurrentControlSet\Services\BITS@Start                                                                                            3
Reg     HKLM\SYSTEM\CurrentControlSet\Services\BITS                                                                                                 
Reg     HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\f406695d01af                                                                 
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{81b104fe-f83e-4eed-bc3e-00c2b13dfafb}@LastProbeTime                        1489233160
Reg     HKLM\SYSTEM\CurrentControlSet\Services\ialm\Device0@ProfilingToolValues                                                                      0
Reg     HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{8733623C-FE8D-4762-B7C1-786A18CFE3DB}@DefunctTimestamp                    0x55 0xD5 0xC3 0x58 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\pla\Configuration@RPCEndPoint                                                                         {7EC9982F-5FBC-490F-BB78-25254F3014F1}
Reg     HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@ReadyBootPlanAge                                                                  1
Reg     HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime                                                              ?l?r?, ?mar ?11 ?17, 03:51:30??????????????????????????????????
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch                                                                              2254
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch                                                                             366
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile@DefaultOutboundAction                            0
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile@DefaultInboundAction                             1
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@WFDPRINT-SCAN-In-Active                          v2.22|Action=Allow|Active=FALSE|Dir=In|Profile=Public|App=%SystemRoot%\system32\svchost.exe|Svc=stisvc|Name=@FirewallAPI.dll,-36860|Desc=@FirewallAPI.dll,-36861|EmbedCtxt=@FirewallAPI.dll,-36851|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@WFDPRINT-SPOOL-In-Active                         v2.22|Action=Allow|Active=FALSE|Dir=In|Profile=Public|App=%SystemRoot%\system32\spoolsv.exe|Svc=Spooler|Name=@FirewallAPI.dll,-36856|Desc=@FirewallAPI.dll,-36857|EmbedCtxt=@FirewallAPI.dll,-36851|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@WFDPRINT-DAFWSD-In-Active                        v2.22|Action=Allow|Active=FALSE|Dir=In|Profile=Public|App=%SystemRoot%\system32\dashost.exe|Name=@FirewallAPI.dll,-36852|Desc=@FirewallAPI.dll,-36853|LUAuth=O:LSD:(A;;CC;;;S-1-5-92-3339056971-1291069075-3798698925-2882100687-0)|EmbedCtxt=@FirewallAPI.dll,-36851|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@PlayTo-QWave-In-TCP-PlayToScope                  v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Private|Profile=Public|LPort=2177|RA42=Ply2Renders|RA62=Ply2Renders|App=%SystemRoot%\system32\svchost.exe|Svc=Qwave|Name=@FirewallAPI.dll,-36014|Desc=@FirewallAPI.dll,-36015|EmbedCtxt=@FirewallAPI.dll,-36001|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@PlayTo-QWave-In-UDP-PlayToScope                  v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=17|Profile=Private|Profile=Public|LPort=2177|RA42=Ply2Renders|RA62=Ply2Renders|App=%SystemRoot%\system32\svchost.exe|Svc=Qwave|Name=@FirewallAPI.dll,-36010|Desc=@FirewallAPI.dll,-36011|EmbedCtxt=@FirewallAPI.dll,-36001|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@PlayTo-UPnP-Events-PlayToScope                   v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Public|LPort=2869|RA42=Ply2Renders|RA62=Ply2Renders|App=System|Name=@FirewallAPI.dll,-36106|Desc=@FirewallAPI.dll,-36107|EmbedCtxt=@FirewallAPI.dll,-36001|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@PlayTo-SSDP-Discovery-PlayToScope                v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=17|Profile=Public|LPort2_20=Ply2Disc|App=%SystemRoot%\system32\svchost.exe|Svc=ssdpsrv|Name=@FirewallAPI.dll,-36104|Desc=@FirewallAPI.dll,-36105|EmbedCtxt=@FirewallAPI.dll,-36001|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@PlayTo-In-RTSP-PlayToScope                       v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Public|LPort=23554|LPort=23555|LPort=23556|RA42=Ply2Renders|RA62=Ply2Renders|App=%SystemRoot%\system32\mdeserver.exe|Name=@FirewallAPI.dll,-36008|Desc=@FirewallAPI.dll,-36009|EmbedCtxt=@FirewallAPI.dll,-36001|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@PlayTo-In-RTSP-LocalSubnetScope                  v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Private|LPort=23554|LPort=23555|LPort=23556|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\mdeserver.exe|Name=@FirewallAPI.dll,-36008|Desc=@FirewallAPI.dll,-36009|EmbedCtxt=@FirewallAPI.dll,-36001|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@PlayTo-In-RTSP-NoScope                           v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Domain|LPort=23554|LPort=23555|LPort=23556|App=%SystemRoot%\system32\mdeserver.exe|Name=@FirewallAPI.dll,-36008|Desc=@FirewallAPI.dll,-36009|EmbedCtxt=@FirewallAPI.dll,-36001|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@PlayTo-In-UDP-PlayToScope                        v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=17|Profile=Public|RA42=Ply2Renders|RA62=Ply2Renders|App=%SystemRoot%\system32\mdeserver.exe|Name=@FirewallAPI.dll,-36004|Desc=@FirewallAPI.dll,-36005|EmbedCtxt=@FirewallAPI.dll,-36001|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@PlayTo-In-UDP-LocalSubnetScope                   v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=17|Profile=Private|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\mdeserver.exe|Name=@FirewallAPI.dll,-36004|Desc=@FirewallAPI.dll,-36005|EmbedCtxt=@FirewallAPI.dll,-36001|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@PlayTo-In-UDP-NoScope                            v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=17|Profile=Domain|App=%SystemRoot%\system32\mdeserver.exe|Name=@FirewallAPI.dll,-36004|Desc=@FirewallAPI.dll,-36005|EmbedCtxt=@FirewallAPI.dll,-36001|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@PlayTo-HTTPSTR-In-TCP-PlayToScope                v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Public|LPort=10246|RA42=Ply2Renders|RA62=Ply2Renders|App=System|Name=@FirewallAPI.dll,-36002|Desc=@FirewallAPI.dll,-36003|EmbedCtxt=@FirewallAPI.dll,-36001|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@PlayTo-HTTPSTR-In-TCP-LocalSubnetScope           v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Private|LPort=10246|RA4=LocalSubnet|RA6=LocalSubnet|App=System|Name=@FirewallAPI.dll,-36002|Desc=@FirewallAPI.dll,-36003|EmbedCtxt=@FirewallAPI.dll,-36001|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@PlayTo-HTTPSTR-In-TCP-NoScope                    v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Domain|LPort=10246|App=System|Name=@FirewallAPI.dll,-36002|Desc=@FirewallAPI.dll,-36003|EmbedCtxt=@FirewallAPI.dll,-36001|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-UDP3540-Out  v2.22|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|Profile=Private|RPort=3540|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=pnrpsvc|Name=@%systemroot%\system32\provsvc.dll,-207|Desc=@%systemroot%\system32\provsvc.dll,-208|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-UDP3540-In   v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|LPort=3540|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=pnrpsvc|Name=@%systemroot%\system32\provsvc.dll,-205|Desc=@%systemroot%\system32\provsvc.dll,-206|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-TCP3587-Out  v2.22|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Private|RPort=3587|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=p2psvc|Name=@%systemroot%\system32\provsvc.dll,-203|Desc=@%systemroot%\system32\provsvc.dll,-204|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-TCP3587-In   v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|LPort=3587|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=p2psvc|Name=@%systemroot%\system32\provsvc.dll,-200|Desc=@%systemroot%\system32\provsvc.dll,-201|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@WirelessDisplay-In-TCP                           v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Private|Profile=Public|App=%systemroot%\system32\WUDFHost.exe|Name=@wifidisplay.dll,-10200|Desc=@wifidisplay.dll,-10201|LUAuth=O:LSD:(A;;CC;;;S-1-5-84-0-0-0-0-0)|EmbedCtxt=@wifidisplay.dll,-100|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{BC56C518-CC26-438D-A7C8-5A9E427F4DCF}           v2.20|Action=Allow|Active=TRUE|Dir=In|App=%ProgramFiles% (x86)\Mozilla Firefox\firefox.exe|Name=f|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{D5EDAFDB-D8E0-461C-B88C-7D20AE30E186}           v2.20|Action=Allow|Active=TRUE|Dir=Out|App=%ProgramFiles% (x86)\Mozilla Firefox\firefox.exe|Name=f|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{B0510376-7A70-49F0-A886-BCC9801D345D}           v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Domain|App=C:\Program Files (x86)\IObit\IObit Unlocker\unins000.exe|Name=Avinstaller IObit Unlocker|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{88762182-EE4A-4B91-B4A5-04011C43F67E}           v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=17|Profile=Domain|App=C:\Program Files (x86)\IObit\IObit Unlocker\unins000.exe|Name=Avinstaller IObit Unlocker|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{33519B5B-5F40-4A6F-A12D-9F20C228F568}           v2.20|Action=Allow|Active=TRUE|Dir=In|App=%USERPROFILE%\Downloads\flashplayer24_xa_install.exe|Name=flash|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{FDBDB0ED-DB70-4AB4-AAD4-FED9C258155F}           v2.20|Action=Allow|Active=TRUE|Dir=Out|App=%USERPROFILE%\Downloads\flashplayer24_xa_install.exe|Name=flash|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile@DefaultOutboundAction                            0
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile@DefaultInboundAction                             1
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile@DefaultOutboundAction                          0
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile@DefaultInboundAction                           1
Reg     HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence                                                                       45
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3EDE0977-41AC-4F49-9B29-F72C1E2D53D1}@LeaseObtainedTime                  1489247445
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3EDE0977-41AC-4F49-9B29-F72C1E2D53D1}@T1                                 1489248345
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3EDE0977-41AC-4F49-9B29-F72C1E2D53D1}@T2                                 1489249020
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3EDE0977-41AC-4F49-9B29-F72C1E2D53D1}@LeaseTerminatesTime                1489249245
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{79B0512E-80E5-494C-A1DE-7D7F10BE146B}@LeaseObtainedTime                  1489247445
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{79B0512E-80E5-494C-A1DE-7D7F10BE146B}@T1                                 1489248345
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{79B0512E-80E5-494C-A1DE-7D7F10BE146B}@T2                                 1489249020
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{79B0512E-80E5-494C-A1DE-7D7F10BE146B}@LeaseTerminatesTime                1489249245
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{EC987C79-0B2A-45C3-A78E-1DE4CE07352D}@LeaseObtainedTime                  1489236645
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{EC987C79-0B2A-45C3-A78E-1DE4CE07352D}@T1                                 1489279845
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{EC987C79-0B2A-45C3-A78E-1DE4CE07352D}@T2                                 1489312245
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{EC987C79-0B2A-45C3-A78E-1DE4CE07352D}@LeaseTerminatesTime                1489323045
Reg     HKCU\Software\Microsoft\Windows\CurrentVersion\AccountPicture@DisplayName                                                                    kenneth
Reg     HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown                                                               1

---- EOF - GMER 2.2 ----
Autodidacticism
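The FirewallRules values in the GMER log above are where the firewall "listings" from the first post come from. As an added example (not from the thread, from GMER, or from any tool named here), this Python script parses that pipe-separated value format and flags the enabled Allow rules a responder would look at first. The sample values are copied from the log; the user-writable prefix list and both triage heuristics are my own choices.

```python
"""Triage Windows Firewall rule strings like those in the GMER log above.

Added example (not part of the thread or of GMER). Each value under
HKLM\\...\\FirewallPolicy\\FirewallRules is 'vX.Y|Key=Value|Key=Value|...';
keys such as LPort and Profile may repeat, so every key maps to a list.
"""
import re

# Constructed dict: sample values copied from the GMER log in this thread,
# keyed by the registry value name as GMER printed it.
SAMPLE_RULES = {
    "{33519B5B-5F40-4A6F-A12D-9F20C228F568}":
        r"v2.20|Action=Allow|Active=TRUE|Dir=In|App=%USERPROFILE%\Downloads\flashplayer24_xa_install.exe|Name=flash|",
    "{BC56C518-CC26-438D-A7C8-5A9E427F4DCF}":
        r"v2.20|Action=Allow|Active=TRUE|Dir=In|App=%ProgramFiles% (x86)\Mozilla Firefox\firefox.exe|Name=f|",
    "Microsoft-Windows-HomeGroup-ProvSvc-TCP3587-In":
        r"v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|LPort=3587|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=p2psvc|Name=@%systemroot%\system32\provsvc.dll,-200|",
    "PlayTo-In-RTSP-NoScope":
        r"v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Domain|LPort=23554|LPort=23555|LPort=23556|App=%SystemRoot%\system32\mdeserver.exe|Name=@FirewallAPI.dll,-36008|",
}

# Path prefixes a standard user can write to (heuristic chosen for this example).
USER_WRITABLE_PREFIXES = (
    "%userprofile%", "%appdata%", "%localappdata%", "%temp%", "%tmp%",
    "c:\\users\\", "c:\\programdata\\",
)


def parse_rule(value):
    """Return {'version': 'v2.20', 'fields': {'Action': ['Allow'], ...}}."""
    tokens = [t for t in value.split("|") if t]   # trailing '|' leaves an empty token
    if not tokens or not re.fullmatch(r"v\d+\.\d+", tokens[0]):
        raise ValueError("not a firewall rule string: %r" % value[:40])
    fields = {}
    for tok in tokens[1:]:
        key, sep, val = tok.partition("=")
        if not sep:
            raise ValueError("malformed token %r" % tok)
        fields.setdefault(key, []).append(val)
    return {"version": tokens[0], "fields": fields}


def _first(fields, key, default=None):
    vals = fields.get(key)
    return vals[0] if vals else default


def triage(rules):
    """Return [(rule name, reason)] for enabled Allow rules that deserve a look.

    Two heuristics: the program sits in a user-writable location (anything a
    dropper could have written there), or the rule is an inbound allow with no
    profile, protocol, port or service restriction at all.
    """
    findings = []
    for name, value in rules.items():
        fields = parse_rule(value)["fields"]
        if _first(fields, "Action") != "Allow":
            continue                                  # Block rules open nothing
        if _first(fields, "Active", "TRUE").upper() != "TRUE":
            continue                                  # disabled rule
        app = _first(fields, "App", "")
        app_l = app.lower()
        if any(app_l.startswith(p) for p in USER_WRITABLE_PREFIXES):
            findings.append((name, "enabled allow rule for a binary in a user-writable path: " + app))
        elif (_first(fields, "Dir") == "In" and app_l != "system"
              and not any(k in fields for k in ("Profile", "Protocol", "LPort", "Svc"))):
            findings.append((name, "inbound allow on every profile, protocol and port for " + app))
    return findings


if __name__ == "__main__":
    for rule, reason in triage(SAMPLE_RULES):
        print(rule, "->", reason)
```

On a live system the same strings can be read from the FirewallRules key and fed to `triage`; a flagged rule is a lead to verify (who created it, whether the binary is signed), not a verdict.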

Offline fkpc1

  • Bronze Member
  • Posts: 20
  • Ad eundum quo nemo ante iit
Re: [In Progress] possible rootkit
« Reply #9 on: March 15, 2017, 12:17:44 PM »
Report from AdwCleaner, found 29 threats:

# AdwCleaner v6.044 - Logfile created 15/03/2017 at 19:09:36
# Updated on 28/02/2017 by Malwarebytes
# Database : 2017-03-15.2 [Server]
# Operating System : Windows 8.1  (X64)
# Username : bruker - LENOVO-PC
# Running from : C:\Users\bruker\Downloads\AdwCleaner.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****

No malicious services found.


***** [ Folders ] *****

Folder Found:  C:\Users\bruker\AppData\Local\SweetLabs App Platform
Folder Found:  C:\Users\Gjest\AppData\Local\Pokki
Folder Found:  C:\ProgramData\Pokki
Folder Found:  C:\ProgramData\Application Data\Pokki
Folder Found:  C:\Users\Default User\AppData\Local\Pokki
Folder Found:  C:\Users\Default\AppData\Local\Pokki
Folder Found:  C:\Users\Public\Pokki


***** [ Files ] *****

File Found:  C:\Users\bruker\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\PC App Store.lnk
File Found:  C:\Users\bruker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PC App Store.lnk
File Found:  C:\Users\Gjest\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\PC App Store.lnk
File Found:  C:\Users\Gjest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PC App Store.lnk


***** [ DLL ] *****

No malicious DLLs found.


***** [ WMI ] *****

No malicious keys found.


***** [ Shortcuts ] *****

No infected shortcut found.


***** [ Scheduled Tasks ] *****

Task Found:  SweetLabs App Platform


***** [ Registry ] *****

Key Found:  HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Pokki_04bb6df446330549a2cb8d67fbd1a745025b7bd1
Key Found:  HKU\S-1-5-21-2423566268-3429370631-2639371571-1001\Software\Classes\pokki
Key Found:  HKCU\Software\Classes\pokki
Key Found:  [x64] HKCU\Software\Classes\pokki
Key Found:  HKU\S-1-5-21-2423566268-3429370631-2639371571-1001\Software\SweetLabs App Platform
Key Found:  HKU\S-1-5-21-2423566268-3429370631-2639371571-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\SweetLabs_AP
Key Found:  HKU\S-1-5-21-2423566268-3429370631-2639371571-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\SweetLabs_Start_Menu
Key Found:  HKCU\Software\SweetLabs App Platform
Key Found:  HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SweetLabs_AP
Key Found:  HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SweetLabs_Start_Menu
Key Found:  [x64] HKCU\Software\SweetLabs App Platform
Key Found:  [x64] HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SweetLabs_AP
Key Found:  [x64] HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SweetLabs_Start_Menu
Key Found:  HKCU\Software\Classes\AllFileSystemObjects\shell\pokki
Key Found:  HKCU\Software\Classes\Directory\shell\pokki
Key Found:  HKCU\Software\Classes\Drive\shell\pokki
Key Found:  HKCU\Software\Classes\lnkfile\shell\pokki


***** [ Web browsers ] *****

No malicious Firefox based browser items found.
No malicious Chromium based browser items found.

*************************

C:\AdwCleaner\AdwCleaner[S0].txt - [3047 Bytes] - [15/03/2017 19:09:36]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3120 Bytes] ##########
Autodidacticism

Offline fkpc1

  • Bronze Member
  • Posts: 20
  • Ad eundum quo nemo ante iit
Re: [In Progress] possible rootkit
« Reply #10 on: March 15, 2017, 12:21:46 PM »
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.2 (03.10.2017)
Operating System: Windows 8.1 x64
Ran by bruker (Administrator) on 15.03.2017 at 19:19:07,23
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 3

Successfully deleted: C:\ProgramData\pokki (Folder)
Successfully deleted: C:\Users\bruker\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\pc app store.lnk (Shortcut)
Successfully deleted: C:\Users\bruker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\pc app store.lnk (Shortcut)



Registry: 3

Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{1F891EB7-C29B-4FBE-B6D0-90B6B118356A} (Registry Key)
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)
Successfully deleted: HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 15.03.2017 at 19:20:06,30
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Autodidacticism

Offline fkpc1

  • Bronze Member
  • Posts: 20
  • Ad eundum quo nemo ante iit
Re: [In Progress] possible rootkit
« Reply #11 on: March 15, 2017, 12:24:56 PM »
RogueKiller is not compatible so it can't run..!
Autodidacticism

Offline fkpc1

  • Bronze Member
  • Posts: 20
  • Ad eundum quo nemo ante iit
Re: [In Progress] possible rootkit
« Reply #12 on: March 15, 2017, 12:31:07 PM »
TDSSKiller found this:


[InfectedObject]
Verdict: UnsignedFile.Multi.Generic

[InfectedObject]
Type: Service
Name: Fastboot
Type: Kernel driver (0x1)
Start: Boot (0x0)
ImagePath: System32\DRIVERS\Fastboot.sys

[InfectedFile]
Type: Raw image
Src: C:\windows\system32\DRIVERS\Fastboot.sys
md5: 2454972F30E1E946FC73696932EA9C22
sha256: 962F013599E87CE937F6B6C4A8BC075E64E5E3CF8DB0BE2C03EBCB24DB00D70B

[InfectedObject]
Verdict: UnsignedFile.Multi.Generic

[InfectedObject]
Type: Service
Name: FastbootService
Type: n/a (0x10)
Start: Auto (0x2)
ImagePath: "C:\Program Files\Lenovo\OneKey Optimizer\bin\FbService.exe"

[InfectedFile]
Type: Raw image
Src: C:\Program Files\Lenovo\OneKey Optimizer\bin\FbService.exe
md5: 2E7A98ADE2CF733C46859E40A5348DB1
sha256: 3B3143DDAEEBAD5AA2C2E76B9DCDAE80D6E066D327B7CA17745EF5E9AB029A49

[InfectedObject]
Verdict: UnsignedFile.Multi.Generic

[InfectedObject]
Type: File

[InfectedFile]
Type: Raw image
Src: C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe
md5: 3AFB53497E47A09FE736ACFC6B8D62A0
sha256: 5C10C23E0E9F4F1B086E20DB68312106429B9913B80C3E2B9823B829796FC32F

Autodidacticism

Offline Hoov

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • Posts: 27122
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] possible rootkit
« Reply #13 on: March 15, 2017, 03:15:34 PM »
Run a scan with ADWCleaner again, go thru each tab and make sure everything is checked. Then click the clean button and post the resulting log.

Let me know how that goes.

Do you know how to start Windows Cleanly?

As for TDSSKiller, please do not run scans unless I ask for them. It is possible for these tools to do damage to your system if run at the wrong time or manner. Right now I think the items found by TDSSKiller are legitimate items. But we have not gotten to that point yet.

Former Consumer Security MVP
2011-2014

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Offline fkpc1

  • Bronze Member
  • Posts: 20
  • Ad eundum quo nemo ante iit
Re: [In Progress] possible rootkit
« Reply #14 on: March 15, 2017, 04:17:49 PM »
# AdwCleaner v6.044 - Logfile created 15/03/2017 at 23:11:53
# Updated on 28/02/2017 by Malwarebytes
# Database : 2017-03-15.2 [Local]
# Operating System : Windows 8.1  (X64)
# Username : bruker - LENOVO-PC
# Running from : C:\Users\bruker\Downloads\AdwCleaner.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****



***** [ Folders ] *****

• Folder deleted on reboot: C:\Users\bruker\AppData\Local\SweetLabs App Platform
[-] Folder deleted: C:\Users\Gjest\AppData\Local\Pokki
[-] Folder deleted: C:\Users\Default User\AppData\Local\Pokki
• Folder deleted on reboot: C:\Users\Default\AppData\Local\Pokki
[-] Folder deleted: C:\Users\Public\Pokki


***** [ Files ] *****

[-] File deleted: C:\Users\bruker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PC App Store.lnk
[-] File deleted: C:\Users\Gjest\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\PC App Store.lnk
[-] File deleted: C:\Users\Gjest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PC App Store.lnk


***** [ DLL ] *****



***** [ WMI ] *****



***** [ Shortcuts ] *****



***** [ Scheduled Tasks ] *****

[-] Task deleted: SweetLabs App Platform


***** [ Registry ] *****

[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Pokki_04bb6df446330549a2cb8d67fbd1a745025b7bd1
[-] Key deleted: HKU\S-1-5-21-2423566268-3429370631-2639371571-1001\Software\Classes\pokki
• Key deleted on reboot: HKCU\Software\Classes\pokki
• Key deleted on reboot: [x64] HKCU\Software\Classes\pokki
[-] Key deleted: HKU\S-1-5-21-2423566268-3429370631-2639371571-1001\Software\SweetLabs App Platform
[-] Key deleted: HKU\S-1-5-21-2423566268-3429370631-2639371571-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\SweetLabs_AP
[-] Key deleted: HKU\S-1-5-21-2423566268-3429370631-2639371571-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\SweetLabs_Start_Menu
• Key deleted on reboot: HKCU\Software\SweetLabs App Platform
• Key deleted on reboot: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SweetLabs_AP
• Key deleted on reboot: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SweetLabs_Start_Menu
• Key deleted on reboot: [x64] HKCU\Software\SweetLabs App Platform
• Key deleted on reboot: [x64] HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SweetLabs_AP
• Key deleted on reboot: [x64] HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SweetLabs_Start_Menu
[-] Key deleted: HKCU\Software\Classes\AllFileSystemObjects\shell\pokki
[-] Key deleted: HKCU\Software\Classes\Directory\shell\pokki
[-] Key deleted: HKCU\Software\Classes\Drive\shell\pokki
[-] Key deleted: HKCU\Software\Classes\lnkfile\shell\pokki


***** [ Web browsers ] *****



*************************

:: "Tracing" keys deleted
:: Winsock settings cleared
:: " Image File Execution Options" keys deleted
:: "Prefetch" files deleted
:: Proxy settings cleared
:: TCP/IP settings cleared
:: Firewall rules cleared
:: IPSec settings cleared
:: BITS queue cleared
:: IE policies deleted
:: Chrome policies deleted
:: Hosts file cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [3226 Bytes] - [15/03/2017 23:11:53]
C:\AdwCleaner\AdwCleaner[S0].txt - [3215 Bytes] - [15/03/2017 19:09:36]
C:\AdwCleaner\AdwCleaner[S1].txt - [3072 Bytes] - [15/03/2017 23:03:33]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [3445 Bytes] ##########
Autodidacticism