SpywareHammer.com

SpywareHammer Malware Removal Forums => Post Here for Malware Removal ... => Topic started by: fkpc1 on March 11, 2017, 08:10:53 AM

Title: [In Progress] possible rootkit
Post by: fkpc1 on March 11, 2017, 08:10:53 AM
Hi

I was redirected to this website from lenovo.com because I detected a rootkit which I have not been able to remove!
The rootkit was detected by GMER and was not given any name. GMER detected changes to the master boot record, hidden files in system32 and rootkit behavior. I removed all threats with GMER and reprogrammed the master boot record, but I still have suspicious activities on my computer. My firewall has a lot of listings which say XXXX-server and a lot of strange network connections, even when all programs are closed. Please help..
Title: Re: possible rootkit
Post by: Hoov on March 11, 2017, 08:46:58 AM
Hello, welcome to SpywareHammer.

I go by Hoov, and I will be helping you with your problem. I am also the one that redirected you here. I must ask you to do a few things for me.

First, tell me everything that you have done to try and fix this problem. Also tell me any other problems you are having, no matter how small, or how long you have been dealing with them.

Second, please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out their hair.

Third, follow my instructions - If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me, it may make a difference on where we go.

Fourth, have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

Fifth, if we start this fix, I need you to stick with me until the end. Just because your computer is running better does not mean it is fixed.

Before we start trying to fix your computer, you need to make sure your data is backed up. Also let me know of any software you have running that encrypts your hard drive.

One last thing, I need you to tell me if this computer belongs to a school or to a company or organization of some kind. If it does, please let me know. Also tell me if there is an IT department responsible for this computer.

Now onto trying to fix your computer.

Please follow the instructions in this post (http://spywarehammer.com/post-here-for-malware-removal/(new-instructions!)-what-do-i-do-first/).

Also can you copy the GMER log and paste it into the post as well.


Title: Re: [In Progress] possible rootkit
Post by: fkpc1 on March 11, 2017, 01:03:59 PM
Message when running dds: "dds is not meant to run in compatibility mode"..
I'm running Windows 8.1
Title: Re: [In Progress] possible rootkit
Post by: fkpc1 on March 11, 2017, 01:35:30 PM
Hi Hoov, thanks for your reply :)

I had this problem for a month or two. It started with a search for some programming tools,
and so I tried a few free ones, something I apparently shouldn't have done.
I noticed that I got a lot of strange bat files all over the operating system, a lot of network traffic,
and strange firewall rules which all ended with "server". So I decided to try to scan the computer with
different malware tools including GMER, which reported changes to the master boot record,
a notification of rootkit behavior in the operating system and infected hidden files in system32.
Then I proceeded to fix the master boot record myself since it's an easy thing to do. I then used
"OneKey Recovery" to solve the problem completely, but it didn't seem to do the trick. I'm still
experiencing some strange network activity and "server" rules in the firewall.
I have also experienced some other strange problems like the network card stopping working,
sudden "missing or incorrect drivers" notifications and the touchpad stopping working.

Answers to your questions:
This computer is private and belongs to me, so there won't be any problems.
I'll give you free range to tamper with it in any way you might see fit to solve the problem.
I'm also only using this forum to try to fix the issues, and I have backed up the machine,
and no encryption is used, so all should be set to go.


GMER
GMER reported changes to the master boot record, a notification of rootkit behavior
in the operating system and infected hidden files in system32.
After I reprogrammed the master boot record I was unable to replicate the report,
but the network activities and firewall rules remain..
Title: Re: [In Progress] possible rootkit
Post by: Hoov on March 11, 2017, 01:42:33 PM
Download Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Title: Re: [In Progress] possible rootkit
Post by: fkpc1 on March 13, 2017, 10:59:54 AM
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 12-03-2017
Ran by bruker (administrator) on LENOVO-PC (13-03-2017 17:52:28)
Running from C:\Users\bruker\Desktop
Loaded Profiles: bruker (Available Profiles: bruker & Gjest)
Platform: Windows 8.1 (Update) (X64) Language: Norsk, bokmål (Norge)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Conexant Systems Inc.) C:\Windows\System32\CxAudMsg64.exe
(Intel(R) Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Lenovo) C:\Program Files\Lenovo\OneKey Optimizer\bin\FbService.exe
(Intel Corporation) C:\Windows\System32\ibtsiva.exe
(Lenovo(beijing) Limited) C:\Program Files\Lenovo\OneKey Optimizer\bin\OKOUpdataService.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\SettingsDependency\SettingsService.exe
(LENOVO INCORPORATED.) C:\Program Files\Lenovo\iMController\SystemAgentService.exe
() C:\Program Files\Lenovo PhoneCompanion\LPAWDService.exe
(Lenovo(beijing) Limited) C:\Program Files (x86)\Lenovo\Lenovo Settings\x86\LenovoSetSvr.exe
(Lenovo(beijing) Limited) C:\Windows\System32\LenovoWiFiHotspotSvr.exe
(Maxthon) C:\Program Files (x86)\Maxthon\Modules\Service\Update\MaxthonUpdateSvc.exe
(Lenovo(beijing) Limited) C:\Program Files\Lenovo\OneKey Optimizer\bin\OKOControlSvc.exe
(Lenovo) C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe
(Intel(R) Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
() C:\Program Files\CyberLink\Shared files\RichVideo64.exe
(Conexant Systems, Inc.) C:\Windows\SysWOW64\SASrv.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe
() C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe
() C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe
(VMware, Inc.) C:\Windows\SysWOW64\vmnetdhcp.exe
(VMware, Inc.) C:\Windows\SysWOW64\vmnat.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(VMware, Inc.) C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Lenovo) C:\Windows\System32\LenovoUpdate.exe
() C:\Program Files (x86)\Lenovo\CCSDK\CCSDK.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Pokki) C:\Users\bruker\AppData\Local\SweetLabs App Platform\Engine\ServiceHostAppUpdater.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
() C:\Windows\System32\igfxTray.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
() C:\Program Files (x86)\Lenovo\CCSDK\WinGather.exe
() C:\Program Files\CONEXANT\ForteConfig\fmapp.exe
(Conexant Systems, Inc.) C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe
(Realtek semiconductor) C:\Windows\RTFTrack.exe
() C:\Program Files\Lenovo\LenovoUtility\utility.exe
(Lenovo(beijing) Limited) C:\Program Files\Lenovo\OneKey Optimizer\bin\OneKeyOptimizerTray.exe
(Lenovo(beijing) Limited) C:\Program Files\Lenovo\OneKey Optimizer\bin\OnekeyOptimizerUpdata.exe
(CyberLink) C:\Program Files (x86)\Lenovo\Power2Go\CLMLSvc_P2G8.exe
(CyberLink Corp.) C:\Program Files (x86)\Lenovo\PowerDVD10\PDVD10Serv.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
(Lenovo) C:\Program Files\Lenovo\Lenovo Solution Center\LSCNotify.exe
(Lenovo Corporation) C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe
(Pokki) C:\Users\bruker\AppData\Local\SweetLabs App Platform\Engine\ServiceHostApp.exe
(Pokki) C:\Users\bruker\AppData\Local\SweetLabs App Platform\Engine\ServiceHostApp.exe
(Pokki) C:\Users\bruker\AppData\Local\SweetLabs App Platform\Engine\ServiceStartMenuIndexer.exe
(Lenovo(beijing) Limited) C:\Program Files\Lenovo\OneKey Optimizer\bin\OneKeyOptimizer.exe
() C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\iumsvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\ui\updateui.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [322712 2014-10-09] (Intel Corporation)
HKLM\...\Run: [ForteConfig] => C:\Program Files\Conexant\ForteConfig\fmapp.exe [49056 2010-10-26] ()
HKLM\...\Run: [SmartAudio] => C:\Program Files\CONEXANT\SAII\SACpl.exe [1830616 2014-04-10] (Conexant Systems, Inc.)
HKLM\...\Run: [cAudioFilterAgent] => C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [919768 2014-11-20] (Conexant Systems, Inc.)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2809072 2014-10-21] (Synaptics Incorporated)
HKLM\...\Run: [RtsFT] => C:\windows\RTFTrack.exe [4060376 2014-10-22] (Realtek semiconductor)
HKLM\...\Run: [LENOVO.TPKNRRES] => rundll32.exe "C:\Program Files\Lenovo\Communications Utility\LibStartStub.dll",AVStartupStub
HKLM\...\Run: [LenovoUtility] => C:\Program Files\Lenovo\LenovoUtility\utility.exe [791368 2015-03-10] ()
HKLM\...\Run: [PhoneCompanion] => C:\Program Files\Lenovo PhoneCompanion\Phone Companion.exe [802800 2015-03-10] (Lenovo)
HKLM\...\Run: [OneKeyOptimizer] => C:\Program Files\Lenovo\OneKey Optimizer\bin\OneKeyOptimizerTray.exe [559896 2014-11-19] (Lenovo(beijing) Limited)
HKLM-x32\...\Run: [CLMLServer_For_P2G8] => C:\Program Files (x86)\Lenovo\Power2Go\CLMLSvc_P2G8.exe [110344 2014-09-09] (CyberLink)
HKLM-x32\...\Run: [CLVirtualDrive] => C:\Program Files (x86)\Lenovo\Power2Go\VirtualDrive.exe [492808 2014-09-09] (CyberLink Corp.)
HKU\S-1-5-21-2423566268-3429370631-2639371571-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [9292504 2016-12-21] (Piriform Ltd)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\..\Interfaces\{EC987C79-0B2A-45C3-A78E-1DE4CE07352D}: [DhcpNameServer] 193.213.112.4 130.67.15.198
Tcpip\..\Interfaces\{F915FF06-AB07-44CC-80ED-C6D837030E5F}: [DhcpNameServer] 150.212.1.3

Internet Explorer:
==================
HKU\S-1-5-21-2423566268-3429370631-2639371571-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://lenovo13.msn.com/?pc=LCJB
HKU\S-1-5-21-2423566268-3429370631-2639371571-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://lenovo13.msn.com/?pc=LCJB
HKU\S-1-5-21-2423566268-3429370631-2639371571-1001\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://www.lenovo.com
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2423566268-3429370631-2639371571-1001 -> DefaultScope {1F891EB7-C29B-4FBE-B6D0-90B6B118356A} URL =
SearchScopes: HKU\S-1-5-21-2423566268-3429370631-2639371571-1001 -> {1F891EB7-C29B-4FBE-B6D0-90B6B118356A} URL =

FireFox:
========
FF DefaultProfile: 6q5fd3l3.default
FF ProfilePath: C:\Users\bruker\AppData\Roaming\Mozilla\Firefox\Profiles\6q5fd3l3.default [2017-03-13]
FF Extension: (Adblock Plus) - C:\Users\bruker\AppData\Roaming\Mozilla\Firefox\Profiles\6q5fd3l3.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2017-03-09]
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.56 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2014-09-03] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2014-09-03] (Intel Corporation)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 AVControlCenter; C:\Program Files\Lenovo\Communications Utility\AVControlCenter32.exe [599024 2014-08-06] (Lenovo Corporation)
R2 CCSDK; C:\Program Files (x86)\Lenovo\CCSDK\CCSDK.exe [644080 2014-10-22] ()
S3 ESRV_SVC_QUEENCREEK; C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe [805632 2016-11-17] ()
R2 FastbootService; C:\Program Files\Lenovo\OneKey Optimizer\bin\FbService.exe [191512 2014-11-20] (Lenovo) [File not signed]
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [18584 2014-10-09] (Intel Corporation)
R2 igfxCUIService1.0.0.0; C:\windows\system32\igfxCUIService.exe [344184 2016-05-12] (Intel Corporation)
S3 Intel(R) Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [887256 2014-05-13] (Intel(R) Corporation)
R2 Intel(R) ME Service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [131544 2014-09-03] (Intel Corporation)
R3 iumsvc; C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\iumsvc.exe [174368 2014-04-09] ()
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [154584 2014-09-03] (Intel Corporation)
S3 Lenovo EasyPlus Hotspot; C:\Program Files (x86)\Common Files\lenovo\easyplussdk\bin\EPHotspot64.exe [533760 2014-06-03] (Lenovo)
R2 Lenovo OKO Service; C:\Program Files\Lenovo\OneKey Optimizer\bin\OKOUpdataService.exe [2544408 2014-11-19] (Lenovo(beijing) Limited)
R2 Lenovo Settings Service; C:\Program Files\Lenovo\SettingsDependency\SettingsService.exe [2005320 2014-10-13] (Lenovo Group Limited)
R2 Lenovo System Agent Service; C:\Program Files\Lenovo\iMController\SystemAgentService.exe [584664 2015-12-14] (LENOVO INCORPORATED.)
S3 LENOVO.TVTVCAM; C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe [727536 2014-08-06] (Lenovo Corporation)
R2 LenovoPAWDService; C:\Program Files\Lenovo PhoneCompanion\LPAWDService.exe [133440 2015-03-10] ()
R2 LenovoSetSvr; C:\Program Files (x86)\Lenovo\Lenovo Settings\x86\LenovoSetSvr.exe [258544 2014-06-19] (Lenovo(beijing) Limited)
R3 LenovoUpdate; C:\windows\System32\LenovoUpdate.exe [26608 2017-01-13] (Lenovo)
R2 LenovoWiFiHotspotSvr; C:\Windows\System32\LenovoWiFiHotspotSvr.exe [218952 2014-08-26] (Lenovo(beijing) Limited)
S3 LSCWinService; C:\Program Files\Lenovo\Lenovo Solution Center\App\LSCWinService.exe [272776 2014-10-17] ()
R2 MaxthonUpdateSvc; C:\Program Files (x86)\Maxthon\Modules\Service\Update\MaxthonUpdateSvc.exe [1844024 2014-08-01] (Maxthon)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [268704 2016-10-06] ()
R2 OKOControlSvc; C:\Program Files\Lenovo\OneKey Optimizer\bin\OKOControlSvc.exe [113944 2014-11-17] (Lenovo(beijing) Limited)
R2 PhoneCompanionPusher; C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe [321520 2015-03-10] (Lenovo)
S3 PhoneCompanionVap; C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionVap.exe [338416 2015-03-10] (Lenovo)
R2 RichVideo64; C:\Program Files\CyberLink\Shared files\RichVideo64.exe [390632 2012-04-24] ()
R2 SynTPEnhService; C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe [190704 2014-10-21] (Synaptics Incorporated)
R2 SystemUsageReportSvc_QUEENCREEK; C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe [156928 2016-11-17] ()
S3 USER_ESRV_SVC_QUEENCREEK; C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe [805632 2016-11-17] ()
R2 VeriFaceSrv; C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe [68880 2015-03-10] ()
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347880 2014-03-24] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2014-03-24] (Microsoft Corporation)
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3732896 2016-10-06] (Intel® Corporation)
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 CLVirtualDrive; C:\windows\system32\DRIVERS\CLVirtualDrive.sys [91912 2013-11-12] (CyberLink)
R0 Fastboot; C:\windows\System32\DRIVERS\Fastboot.sys [70168 2014-11-20] (Windows (R) Win 7 DDK provider) [File not signed]
R3 ibtusb; C:\windows\system32\DRIVERS\ibtusb.sys [229632 2016-11-28] (Intel Corporation)
R3 KMDFVirtualKbd; C:\windows\System32\drivers\KMDFVirtualKbd.sys [22264 2014-08-04] ()
R3 KMDFVirtualMouse; C:\windows\System32\drivers\KMDFVirtualMouse.sys [21240 2014-08-04] ()
R3 MEIx64; C:\windows\system32\DRIVERS\TeeDriverx64.sys [126976 2014-09-03] (Intel Corporation)
R3 NETwNb64; C:\windows\system32\DRIVERS\Netwbw02.sys [3517200 2016-10-20] (Intel Corporation)
S3 NETwNe64; C:\windows\system32\DRIVERS\NETwew02.sys [4649440 2013-06-18] (Intel Corporation)
R3 rtsuvc; C:\windows\system32\DRIVERS\rtsuvc.sys [2584280 2014-10-22] (Realtek Semiconductor Corp.)
S3 semav6msr64; C:\windows\system32\drivers\semav6msr64.sys [21984 2016-10-18] ()
R3 SmbDrvI; C:\windows\system32\DRIVERS\Smb_driver_Intel.sys [31472 2014-10-21] (Synaptics Incorporated)
R0 vsock; C:\windows\system32\DRIVERS\vsock.sys [91712 2016-09-30] (VMware, Inc.)
S0 WdBoot; C:\windows\System32\drivers\WdBoot.sys [35856 2014-03-24] (Microsoft Corporation)
R0 WdFilter; C:\windows\System32\drivers\WdFilter.sys [257880 2014-03-24] (Microsoft Corporation)
R3 WdNisDrv; C:\windows\System32\Drivers\WdNisDrv.sys [123224 2014-03-24] (Microsoft Corporation)
R3 wsvd; C:\windows\system32\DRIVERS\wsvd.sys [102376 2012-06-14] ("CyberLink)
U3 fxlyrpog; \??\C:\Users\bruker\AppData\Local\Temp\fxlyrpog.sys [X] <==== ATTENTION

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-13 17:52 - 2017-03-13 17:52 - 00015259 _____ C:\Users\bruker\Desktop\FRST.txt
2017-03-13 17:51 - 2017-03-13 17:52 - 00000000 ____D C:\FRST
2017-03-13 17:50 - 2017-03-13 17:48 - 02424832 _____ (Farbar) C:\Users\bruker\Desktop\FRST64.exe
2017-03-13 17:48 - 2017-03-13 17:48 - 02424832 _____ (Farbar) C:\Users\bruker\Downloads\FRST64.exe
2017-03-11 22:40 - 2017-03-11 22:40 - 00000023 _____ C:\Users\bruker\Downloads\rvl1qb3c.bat
2017-03-11 20:55 - 2017-03-11 20:56 - 00484528 _____ C:\windows\Minidump\031117-16562-01.dmp
2017-03-11 19:56 - 2017-03-11 19:57 - 00688992 _____ (Swearware) C:\Users\bruker\Downloads\dds.com
2017-03-11 18:32 - 2017-03-11 18:32 - 00380928 _____ C:\Users\bruker\Downloads\rvl1qb3c(1).exe
2017-03-11 18:21 - 2017-03-11 18:21 - 00001920 _____ C:\Users\Public\Desktop\HitmanPro.lnk
2017-03-11 18:21 - 2017-03-11 18:21 - 00000000 ____D C:\Program Files\HitmanPro
2017-03-11 18:20 - 2017-03-11 18:20 - 00000000 _____ C:\Users\bruker\Desktop\Nytt tekstdokument.txt
2017-03-11 18:05 - 2017-03-11 18:20 - 02069192 _____ C:\TDSSKiller.3.1.0.12_11.03.2017_18.05.02_log.txt
2017-03-11 18:04 - 2017-03-11 18:04 - 00343024 _____ C:\windows\Minidump\031117-21453-01.dmp
2017-03-11 17:56 - 2017-03-11 17:57 - 00235198 _____ C:\TDSSKiller.3.1.0.12_11.03.2017_17.56.54_log.txt
2017-03-11 17:40 - 2017-03-11 17:41 - 00017586 _____ C:\Users\bruker\Desktop\gmercopy.txt
2017-03-11 17:10 - 2017-03-11 17:11 - 00380928 _____ C:\Users\bruker\Downloads\rvl1qb3c.exe
2017-03-11 16:25 - 2017-03-11 20:36 - 00019381 _____ C:\Users\bruker\Desktop\fkpc.txt
2017-03-09 09:58 - 2017-03-09 09:58 - 00002361 _____ C:\Users\Gjest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lenovo Web Start.lnk
2017-03-09 09:58 - 2017-03-09 09:58 - 00002301 _____ C:\Users\Gjest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PC App Store.lnk
2017-03-09 09:58 - 2017-03-09 09:58 - 00002130 _____ C:\Users\Gjest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Start Menu.lnk
2017-03-09 08:44 - 2017-03-09 09:59 - 00000000 ____D C:\Users\Gjest\AppData\LocalLow\Mozilla
2017-03-09 08:44 - 2017-03-09 08:48 - 00000000 ____D C:\Users\Gjest\AppData\Local\Mozilla
2017-03-09 08:44 - 2017-03-09 08:44 - 00000000 ____D C:\Users\Gjest\AppData\Roaming\Mozilla
2017-03-08 23:17 - 2017-03-08 23:17 - 00000000 ____D C:\Users\Gjest\AppData\Roaming\LSC
2017-03-08 23:10 - 2017-03-08 23:10 - 00000000 ____D C:\Users\Gjest\AppData\Local\Lenovo
2017-03-08 23:09 - 2017-03-08 23:09 - 00000000 ____D C:\Users\Gjest\Desktop\aaa
2017-03-08 23:09 - 2017-03-08 23:09 - 00000000 ____D C:\Users\Gjest\AppData\Roaming\Intel Corporation
2017-03-08 23:08 - 2017-03-08 23:08 - 00000000 ____D C:\Users\Gjest\AppData\Local\Power2Go8
2017-03-08 23:07 - 2017-03-13 17:20 - 00000000 ____D C:\Users\Gjest
2017-03-08 23:07 - 2017-03-09 09:59 - 00000000 ____D C:\Users\Gjest\AppData\Local\Pokki
2017-03-08 23:07 - 2017-03-09 08:43 - 00000000 __SHD C:\Users\Gjest\IntelGraphicsProfiles
2017-03-08 23:07 - 2017-03-08 23:07 - 00001453 _____ C:\Users\Gjest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2017-03-08 23:07 - 2017-03-08 23:07 - 00000020 ___SH C:\Users\Gjest\ntuser.ini
2017-03-08 23:07 - 2017-03-08 23:07 - 00000000 _SHDL C:\Users\Gjest\Start-meny
2017-03-08 23:07 - 2017-03-08 23:07 - 00000000 _SHDL C:\Users\Gjest\Skrivere
2017-03-08 23:07 - 2017-03-08 23:07 - 00000000 _SHDL C:\Users\Gjest\Programdata
2017-03-08 23:07 - 2017-03-08 23:07 - 00000000 _SHDL C:\Users\Gjest\Mine dokumenter
2017-03-08 23:07 - 2017-03-08 23:07 - 00000000 _SHDL C:\Users\Gjest\Maler
2017-03-08 23:07 - 2017-03-08 23:07 - 00000000 _SHDL C:\Users\Gjest\Lokale innstillinger
2017-03-08 23:07 - 2017-03-08 23:07 - 00000000 _SHDL C:\Users\Gjest\Documents\Mine bilder
2017-03-08 23:07 - 2017-03-08 23:07 - 00000000 _SHDL C:\Users\Gjest\Documents\Min musikk
2017-03-08 23:07 - 2017-03-08 23:07 - 00000000 _SHDL C:\Users\Gjest\Documents\Intern video
2017-03-08 23:07 - 2017-03-08 23:07 - 00000000 _SHDL C:\Users\Gjest\AppData\Roaming\Microsoft\Windows\Start Menu\Programmer
2017-03-08 23:07 - 2017-03-08 23:07 - 00000000 _SHDL C:\Users\Gjest\AppData\Local\Programdata
2017-03-08 23:07 - 2017-03-08 23:07 - 00000000 _SHDL C:\Users\Gjest\AppData\Local\Logg
2017-03-08 23:07 - 2017-03-08 23:07 - 00000000 _SHDL C:\Users\Gjest\AndrMask
2017-03-08 23:07 - 2017-03-08 23:07 - 00000000 ____D C:\Users\Gjest\AppData\Roaming\Intel
2017-03-08 23:07 - 2017-03-08 23:07 - 00000000 ____D C:\Users\Gjest\AppData\Roaming\Adobe
2017-03-08 23:07 - 2017-03-08 23:07 - 00000000 ____D C:\Users\Gjest\AppData\Local\VirtualStore
2017-03-08 23:07 - 2017-03-08 23:07 - 00000000 ____D C:\Users\Gjest\AppData\Local\Packages
2017-03-08 23:07 - 2015-03-10 13:32 - 00000000 ____D C:\Users\Gjest\AppData\Roaming\Macromedia
2017-03-08 23:07 - 2015-03-10 13:23 - 00000187 _____ C:\Users\Gjest\Desktop\Google Play Music.url
2017-03-08 23:07 - 2015-03-10 13:23 - 00000126 _____ C:\Users\Gjest\Desktop\Adobe Photo Offer.url
2017-03-08 23:07 - 2014-03-26 11:21 - 00000190 _____ C:\Users\Gjest\Desktop\FREE CALLS with Voxox.url
2017-03-08 23:07 - 2014-03-18 10:55 - 00000369 _____ C:\Users\Gjest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Pictures.lnk
2017-03-08 23:07 - 2014-03-18 10:55 - 00000369 _____ C:\Users\Gjest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Documents.lnk
2017-03-08 08:00 - 2017-03-08 08:00 - 01239752 _____ (Microsoft Corporation) C:\Users\bruker\Downloads\wlsetup-web.exe
2017-03-07 20:05 - 2017-03-07 20:05 - 00000000 ____D C:\Users\bruker\AppData\Local\CyberLink
2017-03-07 19:52 - 2017-03-07 19:57 - 01348144 _____ C:\TDSSKiller.3.1.0.12_07.03.2017_19.52.43_log.txt
2017-03-07 19:50 - 2017-03-11 18:08 - 00000000 ____D C:\TDSSKiller_Quarantine
2017-03-07 19:08 - 2017-03-07 19:50 - 00464238 _____ C:\TDSSKiller.3.1.0.12_07.03.2017_19.08.30_log.txt
2017-03-07 19:07 - 2017-03-07 19:08 - 04747704 _____ (AO Kaspersky Lab) C:\Users\bruker\Downloads\tdsskiller.exe
2017-03-07 18:50 - 2017-03-08 07:27 - 00000000 ____D C:\ProgramData\HitmanPro
2017-03-07 18:49 - 2017-03-07 18:50 - 11581544 _____ (SurfRight B.V.) C:\Users\bruker\Downloads\1hitmanpro_x64.exe
2017-03-07 17:12 - 2017-03-07 17:12 - 00000000 _____ C:\Users\bruker\Desktop\mormor1994.txt
2017-03-07 09:28 - 2017-03-07 09:28 - 00000000 ____D C:\Users\bruker\Documents\Virtual Machines
2017-03-07 09:25 - 2017-03-07 09:31 - 00000000 ____D C:\Users\bruker\AppData\Roaming\VMware
2017-03-07 09:25 - 2016-11-11 23:16 - 00088128 _____ (VMware, Inc.) C:\windows\system32\Drivers\vmx86.sys
2017-03-07 09:25 - 2016-09-30 01:12 - 00091712 _____ (VMware, Inc.) C:\windows\system32\Drivers\vsock.sys
2017-03-07 09:25 - 2016-09-30 01:12 - 00069104 _____ (VMware, Inc.) C:\windows\system32\vsocklib.dll
2017-03-07 09:25 - 2016-09-30 01:12 - 00065016 _____ (VMware, Inc.) C:\windows\SysWOW64\vsocklib.dll
2017-03-07 09:24 - 2017-03-07 09:24 - 00001215 _____ C:\Users\Public\Desktop\VMware Workstation 12 Player.lnk
2017-03-07 09:24 - 2016-11-11 23:22 - 00400968 _____ (VMware, Inc.) C:\windows\SysWOW64\vmnat.exe
2017-03-07 09:24 - 2016-11-11 23:22 - 00366664 _____ (VMware, Inc.) C:\windows\SysWOW64\vmnetdhcp.exe
2017-03-07 09:24 - 2016-11-11 23:21 - 01148488 _____ (VMware, Inc.) C:\windows\system32\vnetlib64.dll
2017-03-07 09:24 - 2016-11-11 23:05 - 00066624 _____ (VMware, Inc.) C:\windows\system32\vnetinst.dll
2017-03-07 09:24 - 2016-11-11 23:05 - 00045632 _____ (VMware, Inc.) C:\windows\system32\Drivers\vmnet.sys
2017-03-07 09:24 - 2016-11-11 23:05 - 00044096 _____ (VMware, Inc.) C:\windows\system32\Drivers\vmnetuserif.sys
2017-03-07 09:24 - 2016-09-06 18:48 - 00083008 _____ (VMware, Inc.) C:\windows\system32\Drivers\hcmon.sys
2017-03-04 11:44 - 2017-03-04 11:44 - 00346704 _____ C:\windows\system32\FNTCACHE.DAT
2017-03-04 11:15 - 2017-03-04 11:15 - 00000000 ____D C:\Users\bruker\AppData\Local\ElevatedDiagnostics
2017-03-04 07:03 - 2017-03-04 07:15 - 1684013056 _____ C:\Users\bruker\Downloads\linuxmint-18.1-cinnamon-32bit.iso
2017-03-04 07:00 - 2017-03-07 10:53 - 00000000 ____D C:\Users\bruker\AppData\Local\VMware
2017-03-04 06:59 - 2017-03-11 20:56 - 00000000 ____D C:\ProgramData\VMware
2017-03-04 06:59 - 2017-03-04 06:59 - 00000000 ____D C:\Program Files\Common Files\VMware
2017-03-04 06:59 - 2017-03-04 06:59 - 00000000 ____D C:\Program Files (x86)\VMware
2017-03-04 06:57 - 2017-03-04 06:57 - 78312488 _____ (VMware, Inc.) C:\Users\bruker\Downloads\VMware-player-12.5.2-4638234.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-13 17:47 - 2017-01-14 15:57 - 00000000 ____D C:\Users\bruker\AppData\LocalLow\Mozilla
2017-03-13 17:41 - 2017-01-14 00:03 - 00003936 _____ C:\windows\System32\Tasks\User_Feed_Synchronization-{B2429706-9735-4103-8538-53164E5E1D4B}
2017-03-13 16:35 - 2017-01-13 23:56 - 00000000 ____D C:\Users\bruker\AppData\Local\SweetLabs App Platform
2017-03-13 16:33 - 2017-01-13 23:57 - 00000000 __SHD C:\Users\bruker\IntelGraphicsProfiles
2017-03-12 12:08 - 2017-01-14 00:03 - 00003600 _____ C:\windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2423566268-3429370631-2639371571-1001
2017-03-12 11:02 - 2017-01-13 23:57 - 00000000 ____D C:\Users\bruker\AppData\Local\Packages
2017-03-12 11:02 - 2013-08-22 16:36 - 00000000 ___HD C:\Program Files\WindowsApps
2017-03-12 11:02 - 2013-08-22 16:36 - 00000000 ____D C:\windows\AppReadiness
2017-03-11 22:59 - 2015-03-10 13:34 - 00000000 ____D C:\ProgramData\CyberLink
2017-03-11 22:46 - 2015-03-10 11:58 - 00453632 _____ C:\windows\system32\perfh014.dat
2017-03-11 22:46 - 2015-03-10 11:58 - 00078798 _____ C:\windows\system32\perfc014.dat
2017-03-11 22:46 - 2014-03-18 10:53 - 01389364 _____ C:\windows\system32\PerfStringBackup.INI
2017-03-11 22:46 - 2013-08-22 14:36 - 00000000 ____D C:\windows\Inf
2017-03-11 20:55 - 2017-01-14 16:37 - 650676046 _____ C:\windows\MEMORY.DMP
2017-03-11 20:55 - 2017-01-14 16:37 - 00000000 ____D C:\windows\Minidump
2017-03-11 20:55 - 2013-08-22 15:45 - 00000006 ____H C:\windows\Tasks\SA.DAT
2017-03-11 17:58 - 2015-03-10 13:26 - 00002560 _____ C:\windows\system32\VfService.trf
2017-03-11 17:56 - 2017-01-16 04:06 - 135657872 ____C (Microsoft Corporation) C:\windows\system32\MRT.exe
2017-03-11 17:16 - 2017-01-14 15:55 - 00000000 ____D C:\Users\bruker\AppData\Local\Lenovo
2017-03-11 17:13 - 2015-03-10 13:24 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lenovo
2017-03-11 17:13 - 2015-03-10 13:01 - 00000000 ____D C:\Program Files (x86)\Lenovo
2017-03-11 11:45 - 2017-01-14 15:57 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-03-11 11:45 - 2017-01-14 15:56 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-03-11 11:44 - 2013-08-22 14:25 - 00262144 ___SH C:\windows\system32\config\BBI
2017-03-09 14:02 - 2017-01-14 00:06 - 00000000 ____D C:\Users\bruker\AppData\Local\Adobe
2017-03-07 20:48 - 2013-08-22 16:36 - 00000000 ____D C:\windows\system32\NDF
2017-03-07 09:24 - 2015-03-10 12:36 - 01408180 _____ C:\windows\SysWOW64\PerfStringBackup.INI
2017-03-05 00:08 - 2013-08-22 16:36 - 00000000 ____D C:\windows\rescache
2017-03-04 15:56 - 2015-03-10 12:59 - 00000000 ____D C:\ProgramData\Lenovo
2017-03-04 14:49 - 2013-08-22 16:20 - 00000000 ____D C:\windows\CbsTemp
2017-03-04 14:47 - 2015-03-10 11:52 - 00000000 ____D C:\windows\SysWOW64\XPSViewer
2017-03-04 14:47 - 2014-03-18 10:38 - 00000000 ____D C:\Program Files\Windows Journal
2017-03-04 14:47 - 2014-03-18 10:25 - 00000000 ____D C:\windows\SysWOW64\winrm
2017-03-04 14:47 - 2014-03-18 10:25 - 00000000 ____D C:\windows\SysWOW64\WCN
2017-03-04 14:47 - 2014-03-18 10:25 - 00000000 ____D C:\windows\SysWOW64\slmgr
2017-03-04 14:47 - 2014-03-18 10:25 - 00000000 ____D C:\windows\SysWOW64\Printing_Admin_Scripts
2017-03-04 14:47 - 2014-03-18 10:25 - 00000000 ____D C:\windows\system32\winrm
2017-03-04 14:47 - 2014-03-18 10:25 - 00000000 ____D C:\windows\system32\WCN
2017-03-04 14:47 - 2014-03-18 10:25 - 00000000 ____D C:\windows\system32\slmgr
2017-03-04 14:47 - 2014-03-18 10:25 - 00000000 ____D C:\windows\system32\Printing_Admin_Scripts
2017-03-04 14:47 - 2013-08-22 16:36 - 00000000 ___RD C:\windows\ImmersiveControlPanel
2017-03-04 14:47 - 2013-08-22 16:36 - 00000000 ____D C:\windows\WinStore
2017-03-04 14:47 - 2013-08-22 16:36 - 00000000 ____D C:\windows\SysWOW64\MUI
2017-03-04 14:47 - 2013-08-22 16:36 - 00000000 ____D C:\windows\SysWOW64\Com
2017-03-04 14:47 - 2013-08-22 16:36 - 00000000 ____D C:\windows\system32\MUI
2017-03-04 14:47 - 2013-08-22 16:36 - 00000000 ____D C:\windows\system32\migwiz
2017-03-04 14:47 - 2013-08-22 16:36 - 00000000 ____D C:\windows\PolicyDefinitions
2017-03-04 14:47 - 2013-08-22 16:36 - 00000000 ____D C:\windows\IME
2017-03-04 14:47 - 2013-08-22 16:36 - 00000000 ____D C:\Program Files\Windows Photo Viewer
2017-03-04 14:47 - 2013-08-22 16:36 - 00000000 ____D C:\Program Files\Windows Defender
2017-03-04 14:47 - 2013-08-22 16:36 - 00000000 ____D C:\Program Files\Common Files\System
2017-03-04 14:47 - 2013-08-22 16:36 - 00000000 ____D C:\Program Files (x86)\Windows Photo Viewer
2017-03-04 14:47 - 2013-08-22 16:36 - 00000000 ____D C:\Program Files (x86)\Windows Defender
2017-03-04 14:47 - 2013-08-22 14:36 - 00000000 ____D C:\windows\SysWOW64\oobe
2017-03-04 14:47 - 2013-08-22 14:36 - 00000000 ____D C:\windows\SysWOW64\Dism
2017-03-04 14:47 - 2013-08-22 14:36 - 00000000 ____D C:\windows\system32\Sysprep
2017-03-04 14:47 - 2013-08-22 14:36 - 00000000 ____D C:\windows\system32\oobe
2017-03-04 14:47 - 2013-08-22 14:36 - 00000000 ____D C:\windows\system32\Dism
2017-03-04 14:47 - 2013-08-22 14:36 - 00000000 ____D C:\windows\servicing
2017-03-04 14:46 - 2013-08-22 16:36 - 00000000 ____D C:\windows\system32\SystemResetPlatform
2017-03-04 14:46 - 2013-08-22 16:36 - 00000000 ____D C:\windows\system32\Com
2017-03-04 14:46 - 2013-08-22 16:36 - 00000000 ____D C:\windows\Help
2017-03-04 11:44 - 2017-01-13 23:56 - 00000000 ____D C:\Users\bruker
2017-03-04 11:42 - 2015-03-10 12:48 - 00000000 ___HD C:\windows\system32\WLANProfiles
2017-03-04 11:42 - 2013-08-22 16:36 - 00000000 __RSD C:\windows\Media
2017-03-04 11:42 - 2013-08-22 16:36 - 00000000 ____D C:\windows\system32\ras
2017-03-04 11:42 - 2013-08-22 16:36 - 00000000 ____D C:\windows\system32\icsxml
2017-03-04 11:42 - 2013-08-22 16:36 - 00000000 ____D C:\windows\system32\ias
2017-03-04 11:42 - 2013-08-22 16:36 - 00000000 ____D C:\windows\MediaViewer
2017-03-04 11:42 - 2013-08-22 16:36 - 00000000 ____D C:\windows\FileManager
2017-03-04 11:42 - 2013-08-22 16:36 - 00000000 ____D C:\windows\Camera
2017-03-04 11:41 - 2017-01-30 13:45 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2017-03-04 11:41 - 2017-01-15 18:33 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Intel Driver Update Utility
2017-03-04 11:41 - 2017-01-14 00:01 - 00000000 ____D C:\ProgramData\OneKey Optimizer
2017-03-04 11:27 - 2013-08-22 16:36 - 00000000 ____D C:\windows\registration
2017-03-04 06:58 - 2013-08-22 16:36 - 00000000 ____D C:\Program Files\Common Files\microsoft shared

==================== Files in the root of some directories =======

2015-03-10 12:37 - 2015-03-10 12:37 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

Some files in TEMP:
====================
2017-03-11 14:25 - 2017-03-07 18:50 - 11581544 _____ (SurfRight B.V.) C:\Users\bruker\AppData\Local\Temp\HitmanPro.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\windows\system32\winlogon.exe => File is digitally signed
C:\windows\system32\wininit.exe => File is digitally signed
C:\windows\explorer.exe => File is digitally signed
C:\windows\SysWOW64\explorer.exe => File is digitally signed
C:\windows\system32\svchost.exe => File is digitally signed
C:\windows\SysWOW64\svchost.exe => File is digitally signed
C:\windows\system32\services.exe => File is digitally signed
C:\windows\system32\User32.dll => File is digitally signed
C:\windows\SysWOW64\User32.dll => File is digitally signed
C:\windows\system32\userinit.exe => File is digitally signed
C:\windows\SysWOW64\userinit.exe => File is digitally signed
C:\windows\system32\rpcss.dll => File is digitally signed
C:\windows\system32\dnsapi.dll => File is digitally signed
C:\windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-03-13 12:44

==================== End of FRST.txt ============================
Title: Re: [In Progress] possible rootkit
Post by: fkpc1 on March 13, 2017, 11:01:00 AM
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 12-03-2017
Ran by bruker (13-03-2017 17:53:10)
Running from C:\Users\bruker\Desktop
Windows 8.1 (Update) (X64) (2017-01-13 22:56:34)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-2423566268-3429370631-2639371571-500 - Administrator - Disabled)
bruker (S-1-5-21-2423566268-3429370631-2639371571-1001 - Administrator - Enabled) => C:\Users\bruker
Gjest (S-1-5-21-2423566268-3429370631-2639371571-501 - Limited - Enabled) => C:\Users\Gjest

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

. . . (Version: 2.1.28.3 - Intel) Hidden
. . . (x32 Version: 2.6.2.4 - Intel) Hidden
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 18.0.0.144 - Adobe Systems Incorporated)
CCleaner (HKLM\...\CCleaner) (Version: 5.26 - Piriform)
CCSDK (HKLM-x32\...\{AE75190B-11B4-4F90-8254-DAB275CF2557}_is1) (Version: 1.1.0.7 - Lenovo)
Conexant HD Audio (HKLM\...\CNXT_AUDIO_HDA) (Version: 8.65.55.52 - Conexant)
CyberLink Power2Go 8 (HKLM-x32\...\InstallShield_{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}) (Version: 8.0.0.4505 - CyberLink Corp.)
CyberLink PowerDirector 10 (HKLM-x32\...\InstallShield_{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}) (Version: 10.0.0.2810 - CyberLink Corp.)
CyberLink PowerDirector 10 (Version: 10.0.0.2810 - CyberLink Corp.) Hidden
Dependency Package Update (Version: 1.6.29.00 - Lenovo Inc.) Hidden
Dependency Package Update (Version: 1.6.38.00 - Lenovo Inc.) Hidden
Dependency Package Update (x32 Version: 1.6.32.00 - Lenovo Group Limited) Hidden
Dependency Package Update (x32 Version: 1.6.38.00 - Lenovo Group Limited) Hidden
Dependency Package Update (x32 Version: 1.6.38.01 - Lenovo Group Limited) Hidden
Dolby Digital Plus Advanced Audio (HKLM\...\{B0BFC63F-EA07-419E-960B-3FB2ED5DD0B2}) (Version: 7.5.1.1 - Dolby Laboratories Inc)
HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.15.281 - SurfRight B.V.)
Host App Service (HKU\S-1-5-21-2423566268-3429370631-2639371571-1001\...\SweetLabs_AP) (Version: 0.269.8.114 - Pokki)
Intel(R) Chipset Device Software (x32 Version: 10.0.22 - Intel(R) Corporation) Hidden
Intel(R) Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1008 - Intel Corporation)
Intel(R) Management Engine Components (HKLM\...\{1CEAC85D-2590-4760-800F-8DE5E91F3700}) (Version: 10.0.28.1006 - Intel Corporation)
Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.14.4414 - Intel Corporation)
Intel(R) Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 13.5.0.1056 - Intel Corporation)
Intel(R) Update Manager (HKLM-x32\...\{84A2B59B-6A7B-4C01-8592-15C9BFE6AC36}) (Version: 2.4.3 - Intel Corporation)
Intel(R) Wireless Bluetooth(R) (HKLM-x32\...\{33CC8A21-60F6-4338-9CF4-208F424CC57E}) (Version: 19.30.1649.0949 - Intel Corporation)
Intel® Driver Update Utility (HKLM-x32\...\{66e8e99a-eb6f-4403-9fc2-0ddd4d6f353e}) (Version: 2.6.2.4 - Intel)
Intel® PROSet/Wireless-programvare (HKLM-x32\...\{aa2c2346-d0c0-4d3e-9ab1-11a48b4cb9f3}) (Version: 19.20.3 - Intel Corporation)
Lenovo Dependency Package (HKLM\...\Lenovo Dependency Package_is1) (Version: 1.6.38.00 - Lenovo Group Limited)
Lenovo EasyCamera (HKLM-x32\...\{E0A7ED39-8CD6-4351-93C3-69CCA00D12B4}) (Version: 6.2.9200.10292 - Realtek Semiconductor Corp.)
Lenovo Experience Improvement (HKLM\...\LenovoExperienceImprovement) (Version: 1.1.12.0 - Lenovo)
Lenovo FusionEngine  (HKLM-x32\...\Lenovo FusionEngine) (Version: 1.0.13.0 - Lenovo, Inc.)
Lenovo Mobile Phone Wireless Import (HKLM-x32\...\InstallShield_{DFB2E0D6-8DDE-49A4-B8F7-03C14DACCBA6}) (Version: 1.1.1.9 - Lenovo)
Lenovo Mobile Phone Wireless Import (x32 Version: 1.1.1.9 - Lenovo) Hidden
Lenovo OneKey Recovery (HKLM-x32\...\InstallShield_{46F4D124-20E5-4D12-BE52-EC177A7A4B42}) (Version: 8.1.0.2619 - CyberLink Corp.)
Lenovo OneKey Recovery (Version: 8.1.0.2619 - CyberLink Corp.) Hidden
Lenovo Patch Utility (x32 Version: 1.3.2.6 - Lenovo Group Limited) Hidden
Lenovo Patch Utility 64 bit (Version: 1.3.2.6 - Lenovo Group Limited) Hidden
Lenovo PhoneCompanion (HKLM-x32\...\InstallShield_{0F82EA83-B0C5-4AB9-9695-DFE92C5FD57B}) (Version: 2.0.0.19 - Lenovo)
Lenovo PhoneCompanion (x32 Version: 2.0.0.19 - Lenovo) Hidden
Lenovo Photo Master (HKLM-x32\...\InstallShield_{BC94C56A-3649-420C-8756-2ADEBE399D33}) (Version: 1.0.1826.01 - CyberLink Corp.)
Lenovo Photo Master (x32 Version: 1.0.1826.01 - CyberLink Corp.) Hidden
Lenovo PowerDVD10 (HKLM-x32\...\InstallShield_{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}) (Version: 10.0.6806.52 - CyberLink Corp.)
Lenovo PowerDVD10 (x32 Version: 10.0.6806.52 - CyberLink Corp.) Hidden
Lenovo Settings - Camera Audio (HKLM\...\{88C6A6D9-324C-46E8-BA87-563D14021442}_is1) (Version: 4.3.5.0 - Lenovo Corporation)
Lenovo Settings (HKLM\...\{D14CCBF5-1A3A-4C08-955B-BE6D519835C4}_is1) (Version: 2.0.0.4 - Lenovo)
Lenovo Settings Dependency Package (HKLM\...\{3694BA2E-BE31-4B7E-886B-A0B559E69D4D}_is1) (Version: 2.3.1.28 - Lenovo Group Limited)
Lenovo Settings Service (HKLM\...\{8C6F1EBA-17F1-4481-B688-9777E63E985F}_is1) (Version: 2.3.0.20 - Lenovo Group Limited)
Lenovo Settings UMDF driver (HKLM\...\{2BDC7413-65EA-4B99-8C4B-02F11075BE6D}_is1) (Version: 1.2.0.6 - Lenovo Group Limited)
Lenovo Settings WiFi (HKLM\...\{86045A6C-C156-4349-A3E2-47A88A42F5C2}_is1) (Version: 2.0.0.2 - Lenovo)
Lenovo SHAREit (HKLM-x32\...\Lenovo SHAREit_is1) (Version: 2.0.5.0 - Lenovo Group Limited)
Lenovo Solution Center (HKLM\...\{4C2B6F96-3AED-4E3F-8DCE-917863D1E6B1}) (Version: 2.7.003.00 - Lenovo Group Limited)
Lenovo VeriFace Pro (HKLM\...\Lenovo VeriFace) (Version: 5.1.14.6181 - Lenovo)
Lenovo Web Start (HKU\S-1-5-21-2423566268-3429370631-2639371571-1001\...\Pokki_04bb6df446330549a2cb8d67fbd1a745025b7bd1) (Version: 1.0.2.53457 - Pokki)
LenovoUtility (HKLM-x32\...\InstallShield_{6ADA7E88-8D16-4D0D-BC90-2B93AC5E56DA}) (Version: 2.0.0.5 - Lenovo)
LenovoUtility (x32 Version: 2.0.0.5 - Lenovo) Hidden
Maxthon Cloud Browser (HKLM-x32\...\Maxthon3) (Version: 4.4.2.2000 - Maxthon International Limited)
Metric Collection SDK 35 (x32 Version: 1.2.0001.00 - Lenovo Group Limited) Hidden
Microsoft Office (HKLM-x32\...\{90150000-0138-0409-0000-0000000FF1CE}) (Version: 15.0.4641.3004 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Mozilla Firefox 52.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 52.0 (x86 en-US)) (Version: 52.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 52.0.0.6270 - Mozilla)
OneKey Optimizer (HKLM-x32\...\InstallShield_{D5D573DC-D989-4769-9B56-D6A7EA503D7F}) (Version: 1.1.20.16 - Lenovo)
OneKey Optimizer (x32 Version: 1.1.20.16 - Lenovo) Hidden
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 6.3.9600.39059 - Realtek Semiconductor Corp.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 8.33.529.2014 - Realtek)
Start Menu (HKU\S-1-5-21-2423566268-3429370631-2639371571-1001\...\SweetLabs_Start_Menu) (Version: 0.269.8.114 - Pokki)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 18.0.7.132 - Synaptics Incorporated)
User Manuals (HKLM-x32\...\InstallShield_{F07C2CF8-4C53-4EC3-8162-A6221E36EB88}) (Version: 3.0.0.3 - Lenovo)
User Manuals (x32 Version: 3.0.0.3 - Lenovo) Hidden
VMware Player (HKLM\...\{6D211A09-EB2A-4B83-ACCB-13B1BC12AF4E}) (Version: 12.5.2 - VMware, Inc.)
Windows Driver Package - Lenovo (ACPIVPC) System  (09/24/2013 19.29.2.34) (HKLM\...\EE9B1F2037C580F36D92FA431CC02BFF04C31F15) (Version: 09/24/2013 19.29.2.34 - Lenovo)
Windows Driver Package - Lenovo (WUDFRd) LenovoVhid  (07/25/2013 10.30.0.288) (HKLM\...\6BCA401E9CBEED970D75F55FA5320F60D11984E9) (Version: 07/25/2013 10.30.0.288 - Lenovo)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-2423566268-3429370631-2639371571-1001_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\windows\system32\igfxEM.exe (Intel Corporation)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {1700397D-6635-45D0-A374-81E1C5C616CF} - System32\Tasks\IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473 => C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\iumsvc.exe [2014-04-09] ()
Task: {190E36B5-64EC-4082-A0A5-FD2253F1C153} - System32\Tasks\OFFICE2013ACT => C:\ProgramData\Office2013\OFFICEICON.vbs [2013-06-03] ()
Task: {196C199A-A4C0-412D-93E3-F14A43E0AAA9} - System32\Tasks\Lenovo\Dependency Package Auto Update => C:\Program Files\Lenovo\iMController\AutoUpdate.exe [2015-12-14] ()
Task: {270D2904-4009-41BD-A54C-526FC6011111} - System32\Tasks\Lenovo\LSC\LSCHardwareScan => C:\Program Files\Lenovo\Lenovo Solution Center\LSC.exe [2014-10-17] ()
Task: {3FCA37D8-817A-4FD8-B6DA-4F6137F38BF9} - System32\Tasks\Lenovo\Lenovo Customer Feedback Program 64 35 => C:\Program Files (x86)\Lenovo\Customer Feedback Program 35\Lenovo.TVT.CustomerFeedback.Agent35.exe [2014-05-30] (Lenovo)
Task: {49B8E9E8-7C0C-4817-8664-5AFE181DF97D} - System32\Tasks\Lenovo\Experience Improvement => C:\Program Files\Lenovo\ExperienceImprovement\LenovoExperienceImprovement.exe [2017-01-15] (Lenovo)
Task: {4A640F26-6D3C-43C6-BE27-FF2015CF8BC0} - System32\Tasks\USER_ESRV_SVC_QUEENCREEK => Wscript.exe //B //NoLogo "C:\Program Files\Intel\SUR\QUEENCREEK\task.vbs"
Task: {6760203C-1963-4406-8717-C4BE4F90F477} - System32\Tasks\PDVDServ Task => C:\Program Files (x86)\Lenovo\PowerDVD10\PDVD10Serv.EXE [2013-03-08] (CyberLink Corp.)
Task: {736DDA93-0598-401C-A569-D667A4196A12} - System32\Tasks\Intel\Intel Telemetry 2 => C:\Program Files\Intel\Telemetry 2.0\lrio.exe [2016-03-17] (Intel Corporation)
Task: {75476E85-FE5E-45A6-81E1-8E42C0CF66A4} - System32\Tasks\IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473-Logon => C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\iumsvc.exe [2014-04-09] ()
Task: {86059797-E31A-4035-92EE-65D4770868F7} - System32\Tasks\SweetLabs App Platform => C:\Users\bruker\AppData\Local\SweetLabs App Platform\Engine\ServiceHostAppUpdater.exe [2016-11-16] (Pokki)
Task: {8DCB437F-07E0-4FFE-BCF7-97818DE460BC} - System32\Tasks\Maxthon Update => C:\Program Files (x86)\Maxthon\Bin\Maxthon.exe [2014-09-11] (Maxthon International ltd.)
Task: {9BC7E8E9-2E2F-47E3-A4BE-80BA534C113A} - System32\Tasks\Lenovo\LSC\Lenovo Solution Center Notifications => C:\Program Files\Lenovo\Lenovo Solution Center\LSCNotify.exe [2014-10-17] (Lenovo)
Task: {B3734F07-A2E7-4980-8BBC-4A5BB0661CF9} - System32\Tasks\Lenovo\Lenovo Customer Feedback Program 64 => C:\Program Files (x86)\Lenovo\Customer Feedback Program\Lenovo.TVT.CustomerFeedback.Agent.exe [2014-09-02] (Lenovo)
Task: {B71B665E-C258-47A6-94C6-27789E1AEC28} - System32\Tasks\Lenovo\Lenovo Customer Feedback Program => C:\Program Files\Lenovo\Customer Feedback Program\Lenovo.TVT.CustomerFeedback.Agent.exe [2014-10-17] (Lenovo)
Task: {D147A058-6B52-4DC9-8001-B24C0D19D248} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_ERROR_HB => C:\windows\system32\MRT.exe [2017-03-11] (Microsoft Corporation)
Task: {EA14572F-C8E1-4F6A-8928-15FBA991D0CB} - System32\Tasks\Lenovo\LSC\LSCHardwareScanPostpone => C:\Program Files\Lenovo\Lenovo Solution Center\LSC.exe [2014-10-17] ()
Task: {F1253C49-3FEC-4A91-825A-4DF94942F276} - System32\Tasks\Lenovo\Lenovo Solution Center Launcher => C:\Program Files\lenovo\lenovo solution center\App\LSCService.exe [2014-10-17] (Lenovo)
Task: {F5CD9FD0-0110-4E9A-B5CA-4D60140566C5} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2016-12-21] (Piriform Ltd)
Task: {FC09625A-95BF-44E6-A81E-338E0CB6E101} - System32\Tasks\Microsoft\Windows\PLA\LSC Memory => Rundll32.exe C:\windows\system32\pla.dll,PlaHost "LSC Memory" "$(Arg0)"

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2015-03-10 13:43 - 2014-11-20 18:43 - 00016920 _____ () C:\Program Files\Lenovo\OneKey Optimizer\bin\FbServicePS.dll
2015-03-10 13:40 - 2015-03-10 13:40 - 00133440 _____ () C:\Program Files\Lenovo PhoneCompanion\LPAWDService.exe
2015-03-10 13:30 - 2012-04-24 11:43 - 00390632 _____ () C:\Program Files\CyberLink\Shared files\RichVideo64.exe
2016-11-17 22:05 - 2016-11-17 22:05 - 00156928 _____ () C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe
2016-11-17 22:05 - 2016-11-17 22:05 - 00111360 _____ () C:\Program Files\Intel Driver Update Utility\SUR\Common.dll
2016-11-17 22:05 - 2016-11-17 22:05 - 00274176 _____ () C:\Program Files\Intel Driver Update Utility\SUR\analyzer.dll
2015-03-10 13:26 - 2015-03-10 13:26 - 00068880 _____ () C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe
2015-03-10 13:26 - 2015-03-10 13:26 - 00672016 _____ () C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfDataStorageInterface.dll
2015-03-10 13:25 - 2014-10-22 18:15 - 00644080 _____ () C:\Program Files (x86)\Lenovo\CCSDK\CCSDK.exe
2015-03-10 13:43 - 2014-11-17 23:35 - 00036632 _____ () C:\Program Files\Lenovo\OneKey Optimizer\bin\Metric.dll
2015-03-10 13:43 - 2014-11-17 23:35 - 00166680 _____ () C:\Program Files\Lenovo\OneKey Optimizer\bin\Lenovo.MetricCollectionMFCx64.dll
2015-03-09 19:41 - 2016-05-12 22:12 - 00382072 _____ () C:\windows\system32\igfxTray.exe
2015-03-10 13:25 - 2014-10-22 18:15 - 00410096 _____ () C:\Program Files (x86)\Lenovo\CCSDK\WinGather.exe
2015-03-10 12:37 - 2010-10-26 05:40 - 00049056 _____ () C:\Program Files\CONEXANT\ForteConfig\fmapp.exe
2015-03-10 13:25 - 2015-03-10 13:25 - 00791368 _____ () C:\Program Files\Lenovo\LenovoUtility\utility.exe
2015-03-10 13:25 - 2015-03-10 13:25 - 00097048 _____ () C:\Program Files\Lenovo\LenovoUtility\kbdhook.dll
2015-03-10 13:43 - 2014-11-17 23:35 - 00041240 _____ () C:\Program Files\Lenovo\OneKey Optimizer\bin\res_NO_Norwegian_NOR.dll
2015-03-10 13:43 - 2014-11-20 18:43 - 00159256 _____ () C:\Program Files\Lenovo\OneKey Optimizer\bin\FbApi.dll
2015-03-10 13:43 - 2014-11-17 23:35 - 00036120 _____ () C:\Program Files\Lenovo\OneKey Optimizer\bin\zd.dll
2015-03-10 13:43 - 2015-03-10 13:43 - 00019232 _____ () C:\windows\Microsoft.Net\assembly\GAC_MSIL\Lenovo.MetricCollectionSDK\v4.0_1.1.9.0__d43be3ee47b19ecb\Lenovo.MetricCollectionSDK.dll
2014-04-09 19:29 - 2014-04-09 19:29 - 00174368 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\iumsvc.exe
2014-09-03 19:03 - 2014-09-03 19:03 - 01241560 _____ () C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\ACE.dll
2015-03-10 13:31 - 2014-07-04 05:35 - 00627672 _____ () C:\Program Files (x86)\Lenovo\Power2Go\CLMediaLibrary.dll
2014-07-04 20:35 - 2014-07-04 20:35 - 00016856 _____ () C:\Program Files (x86)\Lenovo\Power2Go\CLMLSvcPS.dll
2016-11-16 00:02 - 2016-11-16 00:02 - 00569856 _____ () C:\Users\bruker\AppData\Local\SweetLabs App Platform\Engine\ppGoogleNaClPluginChrome.dll
2016-11-16 00:02 - 2016-11-16 00:02 - 01400846 _____ () C:\Users\bruker\AppData\Local\SweetLabs App Platform\Engine\avcodec-54.dll
2016-11-16 00:02 - 2016-11-16 00:02 - 00151054 _____ () C:\Users\bruker\AppData\Local\SweetLabs App Platform\Engine\avutil-51.dll
2016-11-16 00:02 - 2016-11-16 00:02 - 00222734 _____ () C:\Users\bruker\AppData\Local\SweetLabs App Platform\Engine\avformat-54.dll
2014-04-09 19:30 - 2014-04-09 19:30 - 00041248 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\win32api.pyd
2014-04-09 19:29 - 2014-04-09 19:29 - 00059680 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\pywintypes27.dll
2014-04-09 19:29 - 2014-04-09 19:29 - 00119072 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\pythoncom27.dll
2014-04-09 19:29 - 2014-04-09 19:29 - 00562464 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\urlmon.dll
2014-04-09 19:29 - 2014-04-09 19:29 - 00401184 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\iertutil.dll
2014-04-09 19:29 - 2014-04-09 19:29 - 00412448 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\WININET.dll
2014-04-09 19:30 - 2014-04-09 19:30 - 00020256 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\_multiprocessing.pyd
2014-04-09 19:30 - 2014-04-09 19:30 - 00025376 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\win32service.pyd
2014-04-09 19:30 - 2014-04-09 19:30 - 00022816 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\servicemanager.pyd
2014-04-09 19:30 - 2014-04-09 19:30 - 00018208 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\win32event.pyd
2014-04-09 19:30 - 2014-04-09 19:30 - 00027424 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\_socket.pyd
2014-04-09 19:30 - 2014-04-09 19:30 - 00277280 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\_ssl.pyd
2014-04-09 19:30 - 2014-04-09 19:30 - 00113952 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\_hashlib.pyd
2014-04-09 19:30 - 2014-04-09 19:30 - 00016672 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\select.pyd
2014-04-09 19:30 - 2014-04-09 19:30 - 00040736 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\_ctypes.pyd
2014-04-09 19:30 - 2014-04-09 19:30 - 00023328 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\win32process.pyd
2014-04-09 19:30 - 2014-04-09 19:30 - 00020256 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\win32ts.pyd
2014-04-09 19:30 - 2014-04-09 19:30 - 00018720 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\win32profile.pyd
2014-04-09 19:30 - 2014-04-09 19:30 - 00042784 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\win32security.pyd
2014-04-09 19:30 - 2014-04-09 19:30 - 00336160 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\_bsddb.pyd
2014-04-09 19:30 - 2014-04-09 19:30 - 00023328 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\win32evtlog.pyd
2014-04-09 19:30 - 2014-04-09 19:30 - 00024864 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\win32inet.pyd
2014-04-09 19:29 - 2014-04-09 19:29 - 00021280 _____ () C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\EnvironmentID.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\30129027.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\45627861.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\30129027.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\45627861.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 14:25 - 2013-08-22 14:25 - 00000824 ____A C:\windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2423566268-3429370631-2639371571-1001\Control Panel\Desktop\\Wallpaper -> C:\windows\Web\Wallpaper\Lenovo\LenovoWallPaper.jpg
DNS Servers: 193.213.112.4 - 130.67.15.198
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

HKLM\...\StartupApproved\Run: => "PhoneCompanion"
HKU\S-1-5-21-2423566268-3429370631-2639371571-1001\...\StartupApproved\Run: => "CCleaner Monitoring"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{FD7B10FD-344B-4511-A3D6-625DAC42460B}] => (Allow) %USERPROFILE%\Downloads\1hitmanpro_x64.exe
FirewallRules: [{6C016D34-6D5F-4C36-9B82-D68284C688D3}] => (Allow) %USERPROFILE%\Downloads\1hitmanpro_x64.exe

==================== Restore Points =========================

07-03-2017 09:22:54 Installed VMware Player

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (03/13/2017 12:18:16 AM) (Source: lupdate) (EventID: 0) (User: )
Description: Event-ID 0

Error: (03/13/2017 12:18:16 AM) (Source: lupdate) (EventID: 0) (User: )
Description: Event-ID 0

Error: (03/12/2017 06:37:53 PM) (Source: lupdate) (EventID: 0) (User: )
Description: Event-ID 0

Error: (03/12/2017 06:37:53 PM) (Source: lupdate) (EventID: 0) (User: )
Description: Event-ID 0

Error: (03/12/2017 02:55:02 PM) (Source: lupdate) (EventID: 0) (User: )
Description: Event-ID 0

Error: (03/12/2017 02:55:02 PM) (Source: lupdate) (EventID: 0) (User: )
Description: Event-ID 0

Error: (03/12/2017 11:37:39 AM) (Source: lupdate) (EventID: 0) (User: )
Description: Event-ID 0

Error: (03/12/2017 11:37:39 AM) (Source: lupdate) (EventID: 0) (User: )
Description: Event-ID 0

Error: (03/11/2017 09:16:21 PM) (Source: lupdate) (EventID: 0) (User: )
Description: Event-ID 0

Error: (03/11/2017 09:16:20 PM) (Source: lupdate) (EventID: 0) (User: )
Description: Event-ID 0


System errors:
=============
Error: (03/13/2017 05:22:17 PM) (Source: DCOM) (EventID: 10010) (User: Lenovo-PC)
Description: Serveren {1B1F472E-3221-4826-97DB-2C2324D389AE} ble ikke registrert hos DCOM innen fristen for tidsavbrudd.

Error: (03/13/2017 05:21:45 PM) (Source: DCOM) (EventID: 10010) (User: Lenovo-PC)
Description: Serveren {BF6C1E47-86EC-4194-9CE5-13C15DCB2001} ble ikke registrert hos DCOM innen fristen for tidsavbrudd.

Error: (03/13/2017 12:45:16 PM) (Source: DCOM) (EventID: 10010) (User: Lenovo-PC)
Description: Serveren {1B1F472E-3221-4826-97DB-2C2324D389AE} ble ikke registrert hos DCOM innen fristen for tidsavbrudd.

Error: (03/13/2017 12:45:15 PM) (Source: DCOM) (EventID: 10010) (User: Lenovo-PC)
Description: Serveren {4545DEA0-2DFC-4906-A728-6D986BA399A9} ble ikke registrert hos DCOM innen fristen for tidsavbrudd.

Error: (03/13/2017 12:45:15 PM) (Source: DCOM) (EventID: 10010) (User: Lenovo-PC)
Description: Serveren {4545DEA0-2DFC-4906-A728-6D986BA399A9} ble ikke registrert hos DCOM innen fristen for tidsavbrudd.

Error: (03/13/2017 12:45:10 PM) (Source: DCOM) (EventID: 10010) (User: Lenovo-PC)
Description: Serveren {4545DEA0-2DFC-4906-A728-6D986BA399A9} ble ikke registrert hos DCOM innen fristen for tidsavbrudd.

Error: (03/13/2017 12:45:09 PM) (Source: DCOM) (EventID: 10010) (User: Lenovo-PC)
Description: Serveren {4545DEA0-2DFC-4906-A728-6D986BA399A9} ble ikke registrert hos DCOM innen fristen for tidsavbrudd.

Error: (03/13/2017 12:44:58 PM) (Source: DCOM) (EventID: 10010) (User: Lenovo-PC)
Description: Serveren {4545DEA0-2DFC-4906-A728-6D986BA399A9} ble ikke registrert hos DCOM innen fristen for tidsavbrudd.

Error: (03/13/2017 12:44:58 PM) (Source: DCOM) (EventID: 10010) (User: Lenovo-PC)
Description: Serveren {4545DEA0-2DFC-4906-A728-6D986BA399A9} ble ikke registrert hos DCOM innen fristen for tidsavbrudd.

Error: (03/13/2017 12:44:46 PM) (Source: DCOM) (EventID: 10010) (User: Lenovo-PC)
Description: Serveren {BF6C1E47-86EC-4194-9CE5-13C15DCB2001} ble ikke registrert hos DCOM innen fristen for tidsavbrudd.


==================== Memory info ===========================

Processor: Intel(R) Core(TM) i3-4030U CPU @ 1.90GHz
Percentage of memory in use: 51%
Total physical RAM: 4017.09 MB
Available physical RAM: 1955.1 MB
Total Virtual: 8113.09 MB
Available Virtual: 5631.89 MB

==================== Drives ================================

Drive c: (Windows8_OS) (Fixed) (Total:422.91 GB) (Free:381.77 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive d: (LENOVO) (Fixed) (Total:25 GB) (Free:24.93 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 3F946AB0)

Partition: GPT.

==================== End of Addition.txt ============================
Title: Re: [In Progress] possible rootkit
Post by: Hoov on March 14, 2017, 06:54:52 PM
There is some evidence of some malware. So I need you to run a few scans. At first it might be the nitnoid kind of malware we get rid of, but we will get it all.

1.- Download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/dl/125/) by Xplode onto your Desktop.
2.- Download Junkware Removal Tool (http://thisisudax.org/downloads/JRT.exe) to your desktop.
3.- Please download RogueKiller (http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe) and Save to the desktop.


Also I still need to see the GMER log. If you did not save it, go ahead and run it again and save it, then post it with the above logs.
Title: Re: [In Progress] possible rootkit
Post by: fkpc1 on March 15, 2017, 12:02:49 PM
Hi

This might seem strange, but every time I try to run GMER it crashes. I tried to download it again, but it didn't help!
I only got this report:

GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-03-11 17:39:46
Windows 6.2.9200  x64 \Device\Harddisk0\DR0 -> \Device\00000034 WDC_WD5000LPCX-24C6HT0 rev.02.01A02 465,76GB
Running: rvl1qb3c.exe; Driver: C:\Users\bruker\AppData\Local\Temp\fxlyrpog.sys


---- Threads - GMER 2.2 ----

Thread  C:\windows\system32\csrss.exe [576:600]                                                                                                 fffff960009832d0

---- Registry - GMER 2.2 ----

Reg     HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime                                                                            0xDB 0xE3 0x35 0x8E ...
Reg     HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime                                                                               0xFD 0x0A 0x3D 0x8E ...
Reg     HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@nb-NO                                                                        25
Reg     HKLM\SYSTEM\CurrentControlSet\Control\CrashControl@LastCrashTime                                                                             0xAE 0xE0 0x72 0x21 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\CMN15B70_1E_07DD_8C^A1A9E0A1B6F92A66BCC6BBD88F2AA032@Timestamp           0x69 0xE3 0x02 0xE3 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid                                                                                             632
Reg     HKLM\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings@StringCacheGeneration                                                          62
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager\Defrag@TotalBytesSaved                                           0x00 0x50 0x13 0x00 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed                                                            -591347284
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID                                                                             7a3037b0-84a0-4f52-a3ba-cbe5860
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@GlassSessionId                                                                         2
Reg     HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName                                                                                  \BaseNamedObjects\WDI_{5cedc21f-02ed-42b8-b959-9ef808b3498d}
Reg     HKLM\SYSTEM\CurrentControlSet\Services\BITS@Start                                                                                            3
Reg     HKLM\SYSTEM\CurrentControlSet\Services\BITS                                                                                                 
Reg     HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\f406695d01af                                                                 
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{81b104fe-f83e-4eed-bc3e-00c2b13dfafb}@LastProbeTime                        1489233160
Reg     HKLM\SYSTEM\CurrentControlSet\Services\ialm\Device0@ProfilingToolValues                                                                      0
Reg     HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{8733623C-FE8D-4762-B7C1-786A18CFE3DB}@DefunctTimestamp                    0x55 0xD5 0xC3 0x58 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\pla\Configuration@RPCEndPoint                                                                         {7EC9982F-5FBC-490F-BB78-25254F3014F1}
Reg     HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@ReadyBootPlanAge                                                                  1
Reg     HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime                                                              lør, mar 11 17, 03:51:30
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch                                                                              2254
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch                                                                             366
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile@DefaultOutboundAction                            0
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile@DefaultInboundAction                             1
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@WFDPRINT-SCAN-In-Active                          v2.22|Action=Allow|Active=FALSE|Dir=In|Profile=Public|App=%SystemRoot%\system32\svchost.exe|Svc=stisvc|Name=@FirewallAPI.dll,-36860|Desc=@FirewallAPI.dll,-36861|EmbedCtxt=@FirewallAPI.dll,-36851|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@WFDPRINT-SPOOL-In-Active                         v2.22|Action=Allow|Active=FALSE|Dir=In|Profile=Public|App=%SystemRoot%\system32\spoolsv.exe|Svc=Spooler|Name=@FirewallAPI.dll,-36856|Desc=@FirewallAPI.dll,-36857|EmbedCtxt=@FirewallAPI.dll,-36851|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@WFDPRINT-DAFWSD-In-Active                        v2.22|Action=Allow|Active=FALSE|Dir=In|Profile=Public|App=%SystemRoot%\system32\dashost.exe|Name=@FirewallAPI.dll,-36852|Desc=@FirewallAPI.dll,-36853|LUAuth=O:LSD:(A;;CC;;;S-1-5-92-3339056971-1291069075-3798698925-2882100687-0)|EmbedCtxt=@FirewallAPI.dll,-36851|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@PlayTo-QWave-In-TCP-PlayToScope                  v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Private|Profile=Public|LPort=2177|RA42=Ply2Renders|RA62=Ply2Renders|App=%SystemRoot%\system32\svchost.exe|Svc=Qwave|Name=@FirewallAPI.dll,-36014|Desc=@FirewallAPI.dll,-36015|EmbedCtxt=@FirewallAPI.dll,-36001|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@PlayTo-QWave-In-UDP-PlayToScope                  v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=17|Profile=Private|Profile=Public|LPort=2177|RA42=Ply2Renders|RA62=Ply2Renders|App=%SystemRoot%\system32\svchost.exe|Svc=Qwave|Name=@FirewallAPI.dll,-36010|Desc=@FirewallAPI.dll,-36011|EmbedCtxt=@FirewallAPI.dll,-36001|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@PlayTo-UPnP-Events-PlayToScope                   v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Public|LPort=2869|RA42=Ply2Renders|RA62=Ply2Renders|App=System|Name=@FirewallAPI.dll,-36106|Desc=@FirewallAPI.dll,-36107|EmbedCtxt=@FirewallAPI.dll,-36001|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@PlayTo-SSDP-Discovery-PlayToScope                v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=17|Profile=Public|LPort2_20=Ply2Disc|App=%SystemRoot%\system32\svchost.exe|Svc=ssdpsrv|Name=@FirewallAPI.dll,-36104|Desc=@FirewallAPI.dll,-36105|EmbedCtxt=@FirewallAPI.dll,-36001|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@PlayTo-In-RTSP-PlayToScope                       v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Public|LPort=23554|LPort=23555|LPort=23556|RA42=Ply2Renders|RA62=Ply2Renders|App=%SystemRoot%\system32\mdeserver.exe|Name=@FirewallAPI.dll,-36008|Desc=@FirewallAPI.dll,-36009|EmbedCtxt=@FirewallAPI.dll,-36001|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@PlayTo-In-RTSP-LocalSubnetScope                  v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Private|LPort=23554|LPort=23555|LPort=23556|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\mdeserver.exe|Name=@FirewallAPI.dll,-36008|Desc=@FirewallAPI.dll,-36009|EmbedCtxt=@FirewallAPI.dll,-36001|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@PlayTo-In-RTSP-NoScope                           v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Domain|LPort=23554|LPort=23555|LPort=23556|App=%SystemRoot%\system32\mdeserver.exe|Name=@FirewallAPI.dll,-36008|Desc=@FirewallAPI.dll,-36009|EmbedCtxt=@FirewallAPI.dll,-36001|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@PlayTo-In-UDP-PlayToScope                        v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=17|Profile=Public|RA42=Ply2Renders|RA62=Ply2Renders|App=%SystemRoot%\system32\mdeserver.exe|Name=@FirewallAPI.dll,-36004|Desc=@FirewallAPI.dll,-36005|EmbedCtxt=@FirewallAPI.dll,-36001|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@PlayTo-In-UDP-LocalSubnetScope                   v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=17|Profile=Private|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\mdeserver.exe|Name=@FirewallAPI.dll,-36004|Desc=@FirewallAPI.dll,-36005|EmbedCtxt=@FirewallAPI.dll,-36001|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@PlayTo-In-UDP-NoScope                            v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=17|Profile=Domain|App=%SystemRoot%\system32\mdeserver.exe|Name=@FirewallAPI.dll,-36004|Desc=@FirewallAPI.dll,-36005|EmbedCtxt=@FirewallAPI.dll,-36001|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@PlayTo-HTTPSTR-In-TCP-PlayToScope                v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Public|LPort=10246|RA42=Ply2Renders|RA62=Ply2Renders|App=System|Name=@FirewallAPI.dll,-36002|Desc=@FirewallAPI.dll,-36003|EmbedCtxt=@FirewallAPI.dll,-36001|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@PlayTo-HTTPSTR-In-TCP-LocalSubnetScope           v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Private|LPort=10246|RA4=LocalSubnet|RA6=LocalSubnet|App=System|Name=@FirewallAPI.dll,-36002|Desc=@FirewallAPI.dll,-36003|EmbedCtxt=@FirewallAPI.dll,-36001|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@PlayTo-HTTPSTR-In-TCP-NoScope                    v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Domain|LPort=10246|App=System|Name=@FirewallAPI.dll,-36002|Desc=@FirewallAPI.dll,-36003|EmbedCtxt=@FirewallAPI.dll,-36001|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-UDP3540-Out  v2.22|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|Profile=Private|RPort=3540|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=pnrpsvc|Name=@%systemroot%\system32\provsvc.dll,-207|Desc=@%systemroot%\system32\provsvc.dll,-208|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-UDP3540-In   v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|LPort=3540|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=pnrpsvc|Name=@%systemroot%\system32\provsvc.dll,-205|Desc=@%systemroot%\system32\provsvc.dll,-206|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-TCP3587-Out  v2.22|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Private|RPort=3587|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=p2psvc|Name=@%systemroot%\system32\provsvc.dll,-203|Desc=@%systemroot%\system32\provsvc.dll,-204|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-TCP3587-In   v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|LPort=3587|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=p2psvc|Name=@%systemroot%\system32\provsvc.dll,-200|Desc=@%systemroot%\system32\provsvc.dll,-201|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@WirelessDisplay-In-TCP                           v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Private|Profile=Public|App=%systemroot%\system32\WUDFHost.exe|Name=@wifidisplay.dll,-10200|Desc=@wifidisplay.dll,-10201|LUAuth=O:LSD:(A;;CC;;;S-1-5-84-0-0-0-0-0)|EmbedCtxt=@wifidisplay.dll,-100|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{BC56C518-CC26-438D-A7C8-5A9E427F4DCF}           v2.20|Action=Allow|Active=TRUE|Dir=In|App=%ProgramFiles% (x86)\Mozilla Firefox\firefox.exe|Name=f|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{D5EDAFDB-D8E0-461C-B88C-7D20AE30E186}           v2.20|Action=Allow|Active=TRUE|Dir=Out|App=%ProgramFiles% (x86)\Mozilla Firefox\firefox.exe|Name=f|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{B0510376-7A70-49F0-A886-BCC9801D345D}           v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Domain|App=C:\Program Files (x86)\IObit\IObit Unlocker\unins000.exe|Name=Avinstaller IObit Unlocker|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{88762182-EE4A-4B91-B4A5-04011C43F67E}           v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=17|Profile=Domain|App=C:\Program Files (x86)\IObit\IObit Unlocker\unins000.exe|Name=Avinstaller IObit Unlocker|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{33519B5B-5F40-4A6F-A12D-9F20C228F568}           v2.20|Action=Allow|Active=TRUE|Dir=In|App=%USERPROFILE%\Downloads\flashplayer24_xa_install.exe|Name=flash|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{FDBDB0ED-DB70-4AB4-AAD4-FED9C258155F}           v2.20|Action=Allow|Active=TRUE|Dir=Out|App=%USERPROFILE%\Downloads\flashplayer24_xa_install.exe|Name=flash|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile@DefaultOutboundAction                            0
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile@DefaultInboundAction                             1
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile@DefaultOutboundAction                          0
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile@DefaultInboundAction                           1
Reg     HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence                                                                       45
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3EDE0977-41AC-4F49-9B29-F72C1E2D53D1}@LeaseObtainedTime                  1489247445
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3EDE0977-41AC-4F49-9B29-F72C1E2D53D1}@T1                                 1489248345
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3EDE0977-41AC-4F49-9B29-F72C1E2D53D1}@T2                                 1489249020
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3EDE0977-41AC-4F49-9B29-F72C1E2D53D1}@LeaseTerminatesTime                1489249245
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{79B0512E-80E5-494C-A1DE-7D7F10BE146B}@LeaseObtainedTime                  1489247445
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{79B0512E-80E5-494C-A1DE-7D7F10BE146B}@T1                                 1489248345
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{79B0512E-80E5-494C-A1DE-7D7F10BE146B}@T2                                 1489249020
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{79B0512E-80E5-494C-A1DE-7D7F10BE146B}@LeaseTerminatesTime                1489249245
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{EC987C79-0B2A-45C3-A78E-1DE4CE07352D}@LeaseObtainedTime                  1489236645
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{EC987C79-0B2A-45C3-A78E-1DE4CE07352D}@T1                                 1489279845
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{EC987C79-0B2A-45C3-A78E-1DE4CE07352D}@T2                                 1489312245
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{EC987C79-0B2A-45C3-A78E-1DE4CE07352D}@LeaseTerminatesTime                1489323045
Reg     HKCU\Software\Microsoft\Windows\CurrentVersion\AccountPicture@DisplayName                                                                    kenneth
Reg     HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown                                                               1

---- EOF - GMER 2.2 ----
Title: Re: [In Progress] possible rootkit
Post by: fkpc1 on March 15, 2017, 12:17:44 PM
Report from AdwCleaner, found 29 threats:

# AdwCleaner v6.044 - Logfile created 15/03/2017 at 19:09:36
# Updated on 28/02/2017 by Malwarebytes
# Database : 2017-03-15.2 [Server]
# Operating System : Windows 8.1  (X64)
# Username : bruker - LENOVO-PC
# Running from : C:\Users\bruker\Downloads\AdwCleaner.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****

No malicious services found.


***** [ Folders ] *****

Folder Found:  C:\Users\bruker\AppData\Local\SweetLabs App Platform
Folder Found:  C:\Users\Gjest\AppData\Local\Pokki
Folder Found:  C:\ProgramData\Pokki
Folder Found:  C:\ProgramData\Application Data\Pokki
Folder Found:  C:\Users\Default User\AppData\Local\Pokki
Folder Found:  C:\Users\Default\AppData\Local\Pokki
Folder Found:  C:\Users\Public\Pokki


***** [ Files ] *****

File Found:  C:\Users\bruker\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\PC App Store.lnk
File Found:  C:\Users\bruker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PC App Store.lnk
File Found:  C:\Users\Gjest\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\PC App Store.lnk
File Found:  C:\Users\Gjest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PC App Store.lnk


***** [ DLL ] *****

No malicious DLLs found.


***** [ WMI ] *****

No malicious keys found.


***** [ Shortcuts ] *****

No infected shortcut found.


***** [ Scheduled Tasks ] *****

Task Found:  SweetLabs App Platform


***** [ Registry ] *****

Key Found:  HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Pokki_04bb6df446330549a2cb8d67fbd1a745025b7bd1
Key Found:  HKU\S-1-5-21-2423566268-3429370631-2639371571-1001\Software\Classes\pokki
Key Found:  HKCU\Software\Classes\pokki
Key Found:  [x64] HKCU\Software\Classes\pokki
Key Found:  HKU\S-1-5-21-2423566268-3429370631-2639371571-1001\Software\SweetLabs App Platform
Key Found:  HKU\S-1-5-21-2423566268-3429370631-2639371571-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\SweetLabs_AP
Key Found:  HKU\S-1-5-21-2423566268-3429370631-2639371571-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\SweetLabs_Start_Menu
Key Found:  HKCU\Software\SweetLabs App Platform
Key Found:  HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SweetLabs_AP
Key Found:  HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SweetLabs_Start_Menu
Key Found:  [x64] HKCU\Software\SweetLabs App Platform
Key Found:  [x64] HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SweetLabs_AP
Key Found:  [x64] HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SweetLabs_Start_Menu
Key Found:  HKCU\Software\Classes\AllFileSystemObjects\shell\pokki
Key Found:  HKCU\Software\Classes\Directory\shell\pokki
Key Found:  HKCU\Software\Classes\Drive\shell\pokki
Key Found:  HKCU\Software\Classes\lnkfile\shell\pokki


***** [ Web browsers ] *****

No malicious Firefox based browser items found.
No malicious Chromium based browser items found.

*************************

C:\AdwCleaner\AdwCleaner[S0].txt - [3047 Bytes] - [15/03/2017 19:09:36]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3120 Bytes] ##########
Title: Re: [In Progress] possible rootkit
Post by: fkpc1 on March 15, 2017, 12:21:46 PM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.2 (03.10.2017)
Operating System: Windows 8.1 x64
Ran by bruker (Administrator) on 15.03.2017 at 19:19:07,23
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 3

Successfully deleted: C:\ProgramData\pokki (Folder)
Successfully deleted: C:\Users\bruker\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\pc app store.lnk (Shortcut)
Successfully deleted: C:\Users\bruker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\pc app store.lnk (Shortcut)



Registry: 3

Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{1F891EB7-C29B-4FBE-B6D0-90B6B118356A} (Registry Key)
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)
Successfully deleted: HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 15.03.2017 at 19:20:06,30
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Title: Re: [In Progress] possible rootkit
Post by: fkpc1 on March 15, 2017, 12:24:56 PM
RogueKiller is not compatible, so it can't run!
Title: Re: [In Progress] possible rootkit
Post by: fkpc1 on March 15, 2017, 12:31:07 PM
TDSSKiller found this:


[InfectedObject]
Verdict: UnsignedFile.Multi.Generic

[InfectedObject]
Type: Service
Name: Fastboot
Type: Kernel driver (0x1)
Start: Boot (0x0)
ImagePath: System32\DRIVERS\Fastboot.sys

[InfectedFile]
Type: Raw image
Src: C:\windows\system32\DRIVERS\Fastboot.sys
md5: 2454972F30E1E946FC73696932EA9C22
sha256: 962F013599E87CE937F6B6C4A8BC075E64E5E3CF8DB0BE2C03EBCB24DB00D70B

[InfectedObject]
Verdict: UnsignedFile.Multi.Generic

[InfectedObject]
Type: Service
Name: FastbootService
Type: n/a (0x10)
Start: Auto (0x2)
ImagePath: "C:\Program Files\Lenovo\OneKey Optimizer\bin\FbService.exe"

[InfectedFile]
Type: Raw image
Src: C:\Program Files\Lenovo\OneKey Optimizer\bin\FbService.exe
md5: 2E7A98ADE2CF733C46859E40A5348DB1
sha256: 3B3143DDAEEBAD5AA2C2E76B9DCDAE80D6E066D327B7CA17745EF5E9AB029A49

[InfectedObject]
Verdict: UnsignedFile.Multi.Generic

[InfectedObject]
Type: File

[InfectedFile]
Type: Raw image
Src: C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe
md5: 3AFB53497E47A09FE736ACFC6B8D62A0
sha256: 5C10C23E0E9F4F1B086E20DB68312106429B9913B80C3E2B9823B829796FC32F

Title: Re: [In Progress] possible rootkit
Post by: Hoov on March 15, 2017, 03:15:34 PM
Run a scan with AdwCleaner again, go through each tab and make sure everything is checked. Then click the Clean button and post the resulting log.

Let me know how that goes.

Do you know how to start Windows Cleanly?

As for TDSSKiller, please do not run scans unless I ask for them. It is possible for these tools to do damage to your system if run at the wrong time or manner. Right now I think the items found by TDSSKiller are legitimate items. But we have not gotten to that point yet.
Title: Re: [In Progress] possible rootkit
Post by: fkpc1 on March 15, 2017, 04:17:49 PM
# AdwCleaner v6.044 - Logfile created 15/03/2017 at 23:11:53
# Updated on 28/02/2017 by Malwarebytes
# Database : 2017-03-15.2 [Local]
# Operating System : Windows 8.1  (X64)
# Username : bruker - LENOVO-PC
# Running from : C:\Users\bruker\Downloads\AdwCleaner.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****



***** [ Folders ] *****

[C0].txt - [3226 Bytes] - [15/03/2017 23:11:53]
C:\AdwCleaner\AdwCleaner[S0].txt - [3215 Bytes] - [15/03/2017 19:09:36]
C:\AdwCleaner\AdwCleaner[S1].txt - [3072 Bytes] - [15/03/2017 23:03:33]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [3445 Bytes] ##########
Title: Re: [In Progress] possible rootkit
Post by: fkpc1 on March 15, 2017, 04:25:36 PM
Is this what you mean with "start Windows Cleanly"?


https://support.microsoft.com/en-us/help/929135/how-to-perform-a-clean-boot-in-windows
Title: Re: [In Progress] possible rootkit
Post by: Hoov on March 15, 2017, 04:38:08 PM
Yes. Reboot Windows cleanly (while you are running your computer this way, disconnect physically from the internet) and try running GMER again. Post the resulting log up here.
Title: Re: [In Progress] possible rootkit
Post by: fkpc1 on March 15, 2017, 06:03:01 PM
Got it working

GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-03-16 00:52:49
Windows 6.2.9200  x64 \Device\Harddisk0\DR0 -> \Device\00000034 WDC_WD5000LPCX-24C6HT0 rev.02.01A02 465,76GB
Running: rvl1qb3c.exe; Driver: C:\Users\bruker\AppData\Local\Temp\fxlyrpog.sys


---- User IAT/EAT - GMER 2.2 ----

IAT      C:\windows\Explorer.EXE[2404] @ C:\windows\system32\MAPI32.dll[KERNEL32.dll!GetModuleHandleA]                                       

---- Threads - GMER 2.2 ----

Thread   C:\windows\system32\csrss.exe [576:600]                                                                                             fffff960009ca2d0

---- Services - GMER 2.2 ----

Service  C:\windows\SysWow64\IntelCpHeciSvc.exe (*** hidden *** )                                                                            [DISABLED] cphs                                                     <-- ROOTKIT !!!
Service  C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe (*** hidden *** )                                                                [DISABLED] ESRV_SVC_QUEENCREEK                                      <-- ROOTKIT !!!
Service  C:\Program Files\Intel\WiFi\bin\EvtEng.exe (*** hidden *** )                                                                        [DISABLED] EvtEng                                                   <-- ROOTKIT !!!
Service  C:\Program Files\Lenovo\OneKey Optimizer\bin\FbService.exe (*** hidden *** )                                                        [DISABLED] FastbootService                                          <-- ROOTKIT !!!
Service  C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (*** hidden *** )                                     [DISABLED] IAStorDataMgrSvc                                         <-- ROOTKIT !!!
Service  C:\windows\system32\igfxCUIService.exe (*** hidden *** )                                                                            [DISABLED] igfxCUIService1.0.0.0                                    <-- ROOTKIT !!!
Service  C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe (*** hidden *** )                                                           [DISABLED] Intel(R) Capability Licensing Service TCP IP Interface   <-- ROOTKIT !!!
Service  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe (*** hidden *** )                 [DISABLED] Intel(R) ME Service                                      <-- ROOTKIT !!!
Service  C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\iumsvc.exe (*** hidden *** )                                               [DISABLED] iumsvc                                                   <-- ROOTKIT !!!
Service  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe (*** hidden *** )                            [DISABLED] jhi_service                                              <-- ROOTKIT !!!
Service  C:\Program Files\Lenovo\iMController\SystemAgentService.exe (*** hidden *** )                                                       [DISABLED] Lenovo System Agent Service                              <-- ROOTKIT !!!
Service  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (*** hidden *** )                                    [DISABLED] LMS                                                      <-- ROOTKIT !!!
Service  C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (*** hidden *** )                                         [DISABLED] MozillaMaintenance                                       <-- ROOTKIT !!!
Service  C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe (*** hidden *** )                                                                    [DISABLED] MyWiFiDHCPDNS                                            <-- ROOTKIT !!!
Service  C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe (*** hidden *** )                                                    [DISABLED] RegSrvc                                                  <-- ROOTKIT !!!
Service  C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe (*** hidden *** )                                                       [DISABLED] SystemUsageReportSvc_QUEENCREEK                          <-- ROOTKIT !!!
Service  C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe (*** hidden *** )                                                                [DISABLED] USER_ESRV_SVC_QUEENCREEK                                 <-- ROOTKIT !!!
Service  C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe (*** hidden *** )                                                             [DISABLED] ZeroConfigService                                        <-- ROOTKIT !!!

---- Registry - GMER 2.2 ----

Reg      HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime                                                                   0xB2 0x3C 0xBB 0x83 ...
Reg      HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime                                                                      0x14 0xDD 0xC2 0x83 ...
Reg      HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime                                                                  0xE7 0x90 0xB9 0x53 ...
Reg      HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime                                                               0xD9 0x2D 0xB7 0x53 ...
Reg      HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@nb-NO                                                               30
Reg      HKLM\SYSTEM\CurrentControlSet\Control\CrashControl@LastCrashTime                                                                    0x42 0x34 0x35 0x6D ...
Reg      HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\CMN15B70_1E_07DD_8C^A1A9E0A1B6F92A66BCC6BBD88F2AA032@Timestamp  0x9A 0x60 0x7C 0x84 ...
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid                                                                                    632
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed                                                   -1133083622
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID                                                                    e23c42b4-d271-4935-9d3e-f104a45
Reg      HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName                                                                         \BaseNamedObjects\WDI_{be265b23-1843-4d90-830f-5a0153cd631a}
Reg      HKLM\SYSTEM\CurrentControlSet\Services\AVControlCenter@Start                                                                        4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\AVControlCenter                                                                             
Reg      HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\f406695d01af                                                         
Reg      HKLM\SYSTEM\CurrentControlSet\Services\CCSDK@Start                                                                                  4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\CCSDK                                                                                       
Reg      HKLM\SYSTEM\CurrentControlSet\Services\cphs@Start                                                                                   4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\cphs                                                                                         
Reg      HKLM\SYSTEM\CurrentControlSet\Services\CxAudMsg@Start                                                                               4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\CxAudMsg                                                                                     
Reg      HKLM\SYSTEM\CurrentControlSet\Services\ESRV_SVC_QUEENCREEK@Start                                                                    4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\ESRV_SVC_QUEENCREEK                                                                         
Reg      HKLM\SYSTEM\CurrentControlSet\Services\EvtEng@Start                                                                                 4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\EvtEng                                                                                       
Reg      HKLM\SYSTEM\CurrentControlSet\Services\FastbootService@Start                                                                        4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\FastbootService                                                                             
Reg      HKLM\SYSTEM\CurrentControlSet\Services\ialm\Device0@ProfilingToolValues                                                             0
Reg      HKLM\SYSTEM\CurrentControlSet\Services\IAStorDataMgrSvc@Start                                                                       4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\IAStorDataMgrSvc                                                                             
Reg      HKLM\SYSTEM\CurrentControlSet\Services\ibtsiva@Start                                                                                4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\ibtsiva                                                                                     
Reg      HKLM\SYSTEM\CurrentControlSet\Services\igfxCUIService1.0.0.0@Start                                                                  4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\igfxCUIService1.0.0.0                                                                       
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Intel(R) Capability Licensing Service TCP IP Interface@Start                                 4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Intel(R) Capability Licensing Service TCP IP Interface                                       
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Intel(R) ME Service@Start                                                                    4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Intel(R) ME Service                                                                         
Reg      HKLM\SYSTEM\CurrentControlSet\Services\iumsvc@Start                                                                                 4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\iumsvc                                                                                       
Reg      HKLM\SYSTEM\CurrentControlSet\Services\jhi_service@Start                                                                            4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\jhi_service                                                                                 
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Lenovo EasyPlus Hotspot@Start                                                                4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Lenovo EasyPlus Hotspot                                                                     
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Lenovo OKO Service@Start                                                                     4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Lenovo OKO Service                                                                           
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Lenovo Settings Service@Start                                                                4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Lenovo Settings Service                                                                     
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Lenovo System Agent Service@Start                                                            4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Lenovo System Agent Service                                                                 
Reg      HKLM\SYSTEM\CurrentControlSet\Services\LENOVO.CAMMUTE@Start                                                                         4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\LENOVO.CAMMUTE                                                                               
Reg      HKLM\SYSTEM\CurrentControlSet\Services\LENOVO.TPKNRSVC@Start                                                                        4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\LENOVO.TPKNRSVC                                                                             
Reg      HKLM\SYSTEM\CurrentControlSet\Services\LENOVO.TVTVCAM@Start                                                                         4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\LENOVO.TVTVCAM                                                                               
Reg      HKLM\SYSTEM\CurrentControlSet\Services\LenovoPAWDService@Start                                                                      4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\LenovoPAWDService                                                                           
Reg      HKLM\SYSTEM\CurrentControlSet\Services\LenovoSetSvr@Start                                                                           4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\LenovoSetSvr                                                                                 
Reg      HKLM\SYSTEM\CurrentControlSet\Services\LenovoWiFiHotspotSvr@Start                                                                   4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\LenovoWiFiHotspotSvr                                                                         
Reg      HKLM\SYSTEM\CurrentControlSet\Services\LMS@Start                                                                                    4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\LMS                                                                                         
Reg      HKLM\SYSTEM\CurrentControlSet\Services\LSCWinService@Start                                                                          4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\LSCWinService                                                                               
Reg      HKLM\SYSTEM\CurrentControlSet\Services\MaxthonUpdateSvc@Start                                                                       4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\MaxthonUpdateSvc                                                                             
Reg      HKLM\SYSTEM\CurrentControlSet\Services\MozillaMaintenance@Start                                                                     4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\MozillaMaintenance                                                                           
Reg      HKLM\SYSTEM\CurrentControlSet\Services\MyWiFiDHCPDNS@Start                                                                          4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\MyWiFiDHCPDNS                                                                               
Reg      HKLM\SYSTEM\CurrentControlSet\Services\OKOControlSvc@Start                                                                          4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\OKOControlSvc                                                                               
Reg      HKLM\SYSTEM\CurrentControlSet\Services\PhoneCompanionPusher@Start                                                                   4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\PhoneCompanionPusher                                                                         
Reg      HKLM\SYSTEM\CurrentControlSet\Services\PhoneCompanionVap@Start                                                                      4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\PhoneCompanionVap                                                                           
Reg      HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@ReadyBootPlanAge                                                         1
Reg      HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime                                                     ons, mar 15 17, 11:58:44
Reg      HKLM\SYSTEM\CurrentControlSet\Services\RegSrvc@Start                                                                                4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\RegSrvc                                                                                     
Reg      HKLM\SYSTEM\CurrentControlSet\Services\RichVideo64@Start                                                                            4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\RichVideo64                                                                                 
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch                                                                     2335
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch                                                                    419
Reg      HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence                                                              50
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS                                                                379
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SynTPEnhService@Start                                                                        4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SynTPEnhService                                                                             
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SystemUsageReportSvc_QUEENCREEK@Start                                                        4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SystemUsageReportSvc_QUEENCREEK                                                             
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3EDE0977-41AC-4F49-9B29-F72C1E2D53D1}@Lease                     1800
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3EDE0977-41AC-4F49-9B29-F72C1E2D53D1}@LeaseObtainedTime         1489617803
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3EDE0977-41AC-4F49-9B29-F72C1E2D53D1}@T1                        1489618703
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3EDE0977-41AC-4F49-9B29-F72C1E2D53D1}@T2                        1489619378
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3EDE0977-41AC-4F49-9B29-F72C1E2D53D1}@LeaseTerminatesTime       1489619603
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{79B0512E-80E5-494C-A1DE-7D7F10BE146B}@Lease                     1800
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{79B0512E-80E5-494C-A1DE-7D7F10BE146B}@LeaseObtainedTime         1489617802
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{79B0512E-80E5-494C-A1DE-7D7F10BE146B}@T1                        1489618702
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{79B0512E-80E5-494C-A1DE-7D7F10BE146B}@T2                        1489619377
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{79B0512E-80E5-494C-A1DE-7D7F10BE146B}@LeaseTerminatesTime       1489619602
Reg      HKLM\SYSTEM\CurrentControlSet\Services\USER_ESRV_SVC_QUEENCREEK@Start                                                               4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\USER_ESRV_SVC_QUEENCREEK                                                                     
Reg      HKLM\SYSTEM\CurrentControlSet\Services\VeriFaceSrv@Start                                                                            4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\VeriFaceSrv                                                                                 
Reg      HKLM\SYSTEM\CurrentControlSet\Services\VMAuthdService@Start                                                                         4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\VMAuthdService                                                                               
Reg      HKLM\SYSTEM\CurrentControlSet\Services\VMnetDHCP@Start                                                                              4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\VMnetDHCP                                                                                   
Reg      HKLM\SYSTEM\CurrentControlSet\Services\VMUSBArbService@Start                                                                        4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\VMUSBArbService                                                                             
Reg      HKLM\SYSTEM\CurrentControlSet\Services\VMware NAT Service@Start                                                                     4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\VMware NAT Service                                                                           
Reg      HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv@Start                                                                               2
Reg      HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv                                                                                     
Reg      HKLM\SYSTEM\CurrentControlSet\Services\ZeroConfigService@Start                                                                      4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\ZeroConfigService                                                                           

---- EOF - GMER 2.2 ----
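An added example, not from the thread or from GMER: a short Python triage script for a report like the one above. It pulls each service GMER marked "*** hidden ***" and looks up the Start value GMER dumped for the same service name in its Registry section (Start 4 is SERVICE_DISABLED, the state every flagged service in this log is in), and checks whether the image path sits under Program Files or System32, the "location" test Hoov applies later in the thread. The excerpt is reconstructed from the three service lines above plus one constructed placeholder entry (ExampleUnknownSvc under C:\Users\Public) that has no Start value, to show what an entry needing follow-up looks like. A vendor path and a disabled Start value make a hit low priority; they are not proof, so the binary's Authenticode signature and hash still need checking by hand.

```python
"""Triage GMER 2.2 '*** hidden ***' service hits against the Start values
GMER dumped from the registry in the same report."""
import re

# Meaning of HKLM\SYSTEM\CurrentControlSet\Services\<name>@Start.
START_MEANING = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}

# Where a vendor-installed service binary normally lives (compared case-insensitively).
EXPECTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\system32\\")

SERVICE_RE = re.compile(
    r"^Service\s+(?P<image>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+\[(?P<state>[A-Z]+)\]\s+(?P<name>\S+)")
REG_START_RE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\CurrentControlSet\\Services\\(?P<name>[^@\\]+)@Start\s+(?P<start>\d+)")

# Excerpt in GMER's layout: the three real lines from the log above plus one
# constructed placeholder (ExampleUnknownSvc) that has no matching Start value.
GMER_EXCERPT = r"""
---- Services - GMER 2.2 ----

Service  C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe (*** hidden *** )   [DISABLED] SystemUsageReportSvc_QUEENCREEK   <-- ROOTKIT !!!
Service  C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe (*** hidden *** )   [DISABLED] USER_ESRV_SVC_QUEENCREEK   <-- ROOTKIT !!!
Service  C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe (*** hidden *** )   [DISABLED] ZeroConfigService   <-- ROOTKIT !!!
Service  C:\Users\Public\Downloads\placeholder.exe (*** hidden *** )   [AUTO] ExampleUnknownSvc   <-- ROOTKIT !!!

---- Registry - GMER 2.2 ----

Reg      HKLM\SYSTEM\CurrentControlSet\Services\SystemUsageReportSvc_QUEENCREEK@Start   4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\USER_ESRV_SVC_QUEENCREEK@Start   4
Reg      HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv@Start   2
Reg      HKLM\SYSTEM\CurrentControlSet\Services\ZeroConfigService@Start   4
"""


def parse_report(text):
    """Return (hidden service hits, {service name: Start value}) from a GMER dump."""
    hidden, starts = [], {}
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            hidden.append(m.groupdict())
            continue
        m = REG_START_RE.match(line)
        if m:
            starts[m.group("name")] = int(m.group("start"))
    return hidden, starts


def triage(text):
    """Join each hidden-service hit with its Start value and install location."""
    hidden, starts = parse_report(text)
    results = {}
    for svc in hidden:
        start = starts.get(svc["name"])          # None when GMER dumped no Start value
        in_expected_dir = svc["image"].lower().startswith(EXPECTED_DIRS)
        results[svc["name"]] = {
            "image": svc["image"],
            "gmer_start_type": svc["state"],      # the [DISABLED]/[AUTO] bracket GMER prints
            "start": start,
            "start_meaning": START_MEANING.get(start, "unknown") if start is not None
                             else "no Start value in dump",
            "expected_location": in_expected_dir,
            # Disabled (4) and in a vendor directory: low priority. Anything else: look closer.
            "needs_review": start != 4 or not in_expected_dir,
        }
    return results


if __name__ == "__main__":
    for name, info in triage(GMER_EXCERPT).items():
        flag = "REVIEW" if info["needs_review"] else "low priority"
        print(f"{name:35} Start={info['start']} ({info['start_meaning']}) "
              f"vendor_dir={info['expected_location']} -> {flag}")
```

Run it against a saved GMER log in place of GMER_EXCERPT; every entry marked REVIEW is one whose binary you should hash, signature-check and locate before trusting the "legitimate in location and name" call.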
Title: Re: [In Progress] possible rootkit
Post by: Hoov on March 17, 2017, 12:59:21 PM
Sorry it has taken so long to get back to you; it is just that I have never seen GMER throw what appears to be so many false positives. I would like you to try something else. Download Malwarebytes (https://www.malwarebytes.com/mwb-download/thankyou/) and install it. Start it up and, along the left side, click on Settings, then along the top click on Protection, then below Scan Options change the rootkit setting to ON. Now go back to the Dashboard and click the Scan Now button.

Post the results. This scan could take hours. You might want to start it just before you go to bed and then let it run all night.
Title: Re: [In Progress] possible rootkit
Post by: fkpc1 on March 17, 2017, 02:40:05 PM
I tried, but the scan only took 6 minutes and no threats were found.


Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/17/17
Scan Time: 9:24 PM
Logfile:
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.75
Update Package Version: 1.0.1527
License: Trial

-System Information-
OS: Windows 8.1
CPU: x64
File System: NTFS
User: Lenovo-PC\bruker

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 390519
Time Elapsed: 5 min, 59 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)
Title: Re: [In Progress] possible rootkit
Post by: Hoov on March 17, 2017, 03:18:53 PM
You must not have much on this system. I am more willing to believe the Malwarebytes scan than GMER. The files that GMER detected are all legitimate in location and name.

So let's look at the original problem. Can you post up the log entries from your firewall, the ones you are concerned about?
Title: Re: [In Progress] possible rootkit
Post by: fkpc1 on March 17, 2017, 04:18:32 PM
picture of firewall rules
Title: Re: [In Progress] possible rootkit
Post by: fkpc1 on March 17, 2017, 04:45:52 PM
I also had a lot of VPN server rules, but they disappeared after the MBR repair! I have never used a VPN in my life!
Title: Re: [In Progress] possible rootkit
Post by: Hoov on March 17, 2017, 05:00:22 PM
VPN servers are sometimes installed with some software. The firewall logs I need are what you took an image of. Here is a way to get it into a log you can either paste up or attach to a response: https://www.howtogeek.com/220204/how-to-track-firewall-activity-with-the-windows-firewall-log/
Title: Re: [In Progress] possible rootkit
Post by: fkpc1 on March 17, 2017, 05:49:58 PM
Firewall log
Title: Re: [In Progress] possible rootkit
Post by: Hoov on March 17, 2017, 06:15:16 PM
This is going to take a while. I will get back to you as soon as I can.
Title: Re: [In Progress] possible rootkit
Post by: Hoov on March 18, 2017, 06:03:19 PM
Does your ISP allow you to use IPv6 or just IPv4?
Title: Re: [In Progress] possible rootkit
Post by: Hoov on March 18, 2017, 06:27:30 PM
In the log, I have parsed down the entire log, and most of it starts and ends in your computer. This is normal. Of the other IPv4 addresses, I have gotten it down to the following list of destinations.

Adform A/S
Akamai Technologies  Inc.
Amazon.com  Inc.
AppNexus  Inc
China Networks Inter-Exchange
CloudFlare
Criteo SA
Fastly
GoDaddy.com  LLC
Google Inc.
Hurricane Electric  Inc.
MediaMath Inc
Microsoft Corporation
OPENX TECHNOLOGIES  INC.
Quantcast Corporation
Telenor Norge AS
The Rubicon Project  Inc.
Turn Europe (UK) Ltd.
Wal-Mart Stores Inc.
xaxis  inc.

The only one whose purpose I do not know is the Chinanet entry. And there were only 5 of them.

I also checked your traffic by port numbers, and all of them are explainable. Even the IPv6 traffic, the ports are legitimate.

Is there any specific traffic that you have concerns about?
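The log reduction Hoov describes above, as an added example that is not part of the original thread: a Python script that reads the Windows Firewall log (pfirewall.log, the W3C format the How-To Geek link earlier in the thread tells you how to enable), drops the records that start and end on the machine or its LAN, and leaves the distinct remote destinations and the outbound protocol/port pairs. The owner lookup that turned those IPs into the company list above (whois or an ASN database) is a separate, online step that the script deliberately stops short of. The sample log is constructed, with TEST-NET and documentation prefixes standing in for real hosts; the field layout is the one the firewall writes.

```python
"""Boil a Windows Firewall log (pfirewall.log, W3C extended format) down to the
remote destinations and ports worth looking up, the way the thread does by hand."""
import ipaddress
from collections import Counter

# RFC 1918, IPv4 link-local and IPv6 ULA ranges. Loopback, link-local and
# multicast addresses are caught by the ipaddress flags in is_local().
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "fc00::/7")]

# Constructed sample in pfirewall.log's layout (not the poster's real log).
# 192.0.2.x / 198.51.100.x / 203.0.113.x and 2001:db8::/32 are documentation ranges.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2017-03-17 21:00:01 ALLOW TCP 192.168.1.10 192.168.1.10 49512 5357 0 - 0 0 0 - - - SEND
2017-03-17 21:00:02 ALLOW UDP 127.0.0.1 127.0.0.1 53210 1900 0 - - - - - - - SEND
2017-03-17 21:00:03 ALLOW TCP 192.168.1.10 192.0.2.44 49513 443 0 - 0 0 0 - - - SEND
2017-03-17 21:00:04 ALLOW TCP 192.168.1.10 192.0.2.44 49514 443 0 - 0 0 0 - - - SEND
2017-03-17 21:00:05 ALLOW UDP 192.168.1.10 192.168.1.1 61000 53 0 - - - - - - - SEND
2017-03-17 21:00:06 DROP TCP 203.0.113.7 192.168.1.10 40000 445 0 S 0 0 0 - - - RECEIVE
2017-03-17 21:00:07 ALLOW TCP 192.168.1.10 198.51.100.20 49515 8080 0 - 0 0 0 - - - SEND
2017-03-17 21:00:08 ALLOW UDP fe80::1c2a:3b4c:5d6e:7f80 ff02::fb 5353 5353 0 - - - - - - - SEND
2017-03-17 21:00:09 ALLOW TCP 2001:db8::10 2001:db8:1::50 49516 443 0 - 0 0 0 - - - SEND
"""


def is_local(addr):
    """True for addresses that never leave the host or its LAN."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_unspecified or any(ip in net for net in LOCAL_NETS))


def parse_records(log_text):
    """Yield one dict per record, keyed by the names in the '#Fields:' header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) < len(fields):
            continue                      # truncated line: skip rather than misalign columns
        yield dict(zip(fields, parts))


def summarize(log_text):
    """Split records into host/LAN-internal, outbound-to-remote and inbound-from-remote."""
    summary = {"internal": 0, "outbound": Counter(),
               "outbound_ports": Counter(), "inbound": Counter()}
    for rec in parse_records(log_text):
        src, dst = rec["src-ip"], rec["dst-ip"]
        if is_local(src) and is_local(dst):
            summary["internal"] += 1      # 'starts and ends in your computer'
        elif not is_local(dst):
            summary["outbound"][(dst, rec["protocol"], rec["dst-port"])] += 1
            summary["outbound_ports"][(rec["protocol"], rec["dst-port"])] += 1
        else:                             # remote source talking to us (allowed or dropped)
            summary["inbound"][(src, rec["protocol"], rec["dst-port"], rec["action"])] += 1
    return summary


def remote_hosts(summary):
    """Distinct remote IPs contacted: the list to feed to a whois/ASN lookup."""
    return sorted({dst for (dst, _proto, _port) in summary["outbound"]})


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"host/LAN-internal records: {s['internal']}")
    for host in remote_hosts(s):
        print("remote destination:", host)
    for (proto, port), n in s["outbound_ports"].most_common():
        print(f"outbound {proto}/{port}: {n}")
    for (src, proto, port, action), n in s["inbound"].items():
        print(f"inbound {action} from {src} to {proto}/{port}: {n}")
```

Point summarize() at the contents of %systemroot%\system32\LogFiles\Firewall\pfirewall.log instead of SAMPLE_LOG. Ports that appear only in the internal bucket are the "internal communications only" Hoov mentions; the inbound bucket separates dropped probes from the machine's own traffic, which the plain list of destinations does not.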
Title: Re: [In Progress] possible rootkit
Post by: fkpc1 on March 19, 2017, 12:14:32 PM
Hi Hoov, thanks for taking the time to help me :)

My main concern is:
China Networks Inter-Exchange
Hurricane Electric  Inc.


Telenor Norge AS is my ISP and it allow use of IPv6

Title: Re: [In Progress] possible rootkit
Post by: Hoov on March 19, 2017, 02:07:54 PM
Hurricane Electric is legitimate. They do translation between IPv4 and IPv6. Take a look here: http://he.net/. I know them, they have been around since before IPv6 came online.

I am not too concerned about China Networks Inter-Exchange. They are too big. While there may be a few hackers or botnets in their system, it would be like condemning Verizon because of a few hackers. Also, you are using a Lenovo system, so there will be some connection through China Networks Inter-Exchange just because of that. And there were only 5 connections.

Also looking at the ports being used in the log, I did not see anything that concerned me. There were a couple ports that I did not recognize and could not find information on, but they were internal communications only and did not leave your computer.
Title: Re: [In Progress] possible rootkit
Post by: fkpc1 on March 19, 2017, 02:56:03 PM
Ok, then we can close the thread since things have been clarified!

Thank you for all your help on this matter :)
Title: Re: [In Progress] possible rootkit
Post by: Hoov on March 19, 2017, 03:40:32 PM
You are welcome. Do you have any other concerns or questions?
Title: Re: [In Progress] possible rootkit
Post by: fkpc1 on March 19, 2017, 03:59:30 PM
No, all is well, installing Norton now :)

Thank you for all your help :)
Title: Re: [In Progress] possible rootkit
Post by: Hoov on March 19, 2017, 06:21:03 PM
You are welcome!
Title: Re: [In Progress] possible rootkit
Post by: Hoov on March 19, 2017, 06:36:25 PM
Now  there are a few things you need to do to fully clean your system and keep it secure.

Run Delfix

This program will remove the tools used and their logs. If anything remains, you can manually delete it.
Please download Delfix (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/9-delfix) and save it to your desktop.
Double click on Delfix.exe to run the tool and click on the Run button.

Cleaning out Temporary Files etc. There are several different products that you can use for this. You can go through the Internet Options in the Windows Control Panel. There are several programs that also do the job better than Windows does it, in my opinion. There is System Security Suite (http://www.igorshpak.net/software/3ssetup104.zip), EasyCleaner (http://personal.inet.fi/business/toniarts/ecleane.htm), CCleaner (http://www.ccleaner.com). Also, other programs sometimes do it as well as the job you originally got them for, like ZoneAlarm Security Suite. Just make sure to keep them updated and use them regularly.



Make your Internet Explorer more secure - This can be done by following these simple instructions (unless you are using ZoneAlarm Security Suite or something similar, in which case you would secure the browser through the firewall). There are some good basic instructions for that here (http://www.us-cert.gov/reading_room/securing_browser/).

Use a different browser other than IE (most exploits are pointed towards IE). One of them is
Firefox (http://www.mozilla.org/products/firefox/).
It is also worth trying Thunderbird (http://www.mozilla.org/products/thunderbird/) for controlling spam in your e-mail.

Always use an UPDATED anti-virus program. Make sure you update this at least weekly, if not more often. This is one thing that may save you more than anything else.

Run malware scanners. Three free ones are Spybot Search and Destroy (http://www.safer-networking.org), AdAware (http://www.lavasoftusa.com) and Malwarebytes' Anti-Malware (http://www.besttechie.net/mbam/mbam-setup.exe).

Always use a firewall.
Any firewall is better than none, and you should pick a firewall that you will use, as even the best firewall is worthless if you turn it off.
 
Learn how to use your firewall. Only programs that need it should have access to the net. But these are specific to the firewall you use, so you will need to learn how. Several firewalls have support forums here. My page will help you with ZoneAlarm if that is what you choose.


Never run two Antivirus programs or two Firewalls at the same time. They can interfere with each other and cause problems. Some people swear that more protection is provided, but the reverse is true. They tend to argue amongst themselves and end up leaving holes. Now I have more than 1 AV installed on my computer, and I keep them up to date. I only run one at a time, but each program has weaknesses, so I keep a backup in case my computer starts acting up.


MOST IMPORTANT: Windows and IE, and whatever other software you have that connects to the net, need to be kept updated. The reason is, these programs connect to the net, and if there is an internal security problem, you have already told your firewall to allow the communication, and thus you will have allowed a hole. UPDATES are important. I suggest that you make sure that Windows Updates and the updates for your antivirus and antimalware programs are set for automatic updates. I also suggest running Secunia PSI (http://secunia.com/products/consumer/psi/sys_req/). Download version 2. It is not the download button, but just underneath it. It will monitor the software you have installed and let you know when something needs to be updated.

Don't ever use P2P or filesharing software. Even the safest P2P file sharing programs that do not contain bundled spyware still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The reason for this is simple. File sharing relies on its members giving and gaining unfettered access to computers across the P2P network. However, this practice can make you vulnerable to data and identity theft. Even if you change those risky default settings to a safer configuration, the act of downloading files from an anonymous source greatly increases your exposure to infection. That is because the files you are downloading may actually contain a disguised threat. Many very malicious worms and trojans, such as the Storm Worm, target and spread across P2P file sharing networks because of their known vulnerabilities.

Before using any malware detection / removal software, check with the Rogue/Suspect Spyware List (http://www.spywarewarrior.com/rogue_anti-spyware.htm). That way you will know if the program you are looking at is on the up and up. If you want to know how it stacks up against other programs, check out SpywareWarrior (http://www.spywarewarrior.com/asw-test-guide.htm).

We have a good guide here at Spyware Hammer (http://spywarehammer.com/simplemachinesforum/index.php?topic=398.0) on how to prevent Malware in the Future. You might want to peruse this and follow the recommendations in there.
PLEASE READ IT AND FOLLOW THE RECOMMENDATIONS TO PROTECT YOURSELF.

Let us know if you have any more problems, either new or old.
Have a good time surfing the net, but stay safe.
If you have no more problems, let me know and I will mark this as resolved. Or if you have more questions, ask away, that is why I am here.