
Possible malware/rootkit/strange additional services/folders/files installed


  • This topic is locked
8 replies to this topic

#1 Daonewithnoteef

Daonewithnoteef

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:11 AM

Posted 18 March 2018 - 01:01 AM

Afternoon,

 

Thank you in advance for assisting me in working out what the problem is on my laptop. I am fairly well across the basics on PCs and I'm even comfortable to undertake many (specific) intermediate level activities, however I must admit there is A LOT I'm lacking, which I'm conceding may be a contributing factor to this all.

 

***Lead up story to the issue/current environment below, skip this if you just want to know about this specific device***

________

 

So essentially this issue is happening to my laptop (this current device) and my desktop PC. I run an Archer A9 router/modem which connects all my devices to the internet. I have the following devices connected to the Archer/Internet:

 

-A custom gaming PC which connects to the router via USB plug in TP-Link AC1300 Dual Band Wireless Adapter (too far from router hence the adapter plus faster speeds).

-WIFI printer/scanner (Brother HL-L2380DW).

-MacBook Pro (Model A1502).

-Two new iPhone 7 +.

-TV (Panasonic TX55EX600E).

-Xbox 1s.

-iPad Air.

-Sync 3 (Ford Ranger occasionally connects to the WIFI for automatic updates).

 

I am very security conscious and am aware how real and potentially crippling IoT infections are/can be/will be and how potentially dangerous UPnP is and so on. That's why I have never set up or wanted to set up any kind of home network, I do not need all my devices communicating with one another, I do not want ANY of my devices "automatically" doing anything with one another without my explicit actions or knowledge. Yes I'm going overboard, yes it will probably be fine but I cannot feel comfortable until each device is accounted for and I know what device is accessing which port for what reason. I need each separate device being exactly that, separate. I only need these devices to access the internet to be able to function properly i.e. TV to have whatever it needs enabled to stream Netflix but not be enabled as a media server or have mirror view enabled and constantly searching for something to connect to.

 

When going through the fix and/or possible issues please keep the above in mind, it will explain a lot of what you will find (disabled services, deleted/paused/uninstalled devices/services/drivers etc) and as I said at the very top - probably is not helping at all and may even be the cause! 

 

_______

 

Current Device + Issues

 

-Laptop - Lenovo ideapad 100s Windows 10 Home x64

-Processor Intel® Pentium® CPU  N3710  @ 1.60GHz, 1601 Mhz, 4 Core(s), 4 Logical Processor(s)

-RAM type unknown (4gb/3.85gb available)

-Motherboard unknown

-HDD unknown (NTFS - 118gb - 63 available)

 

Issues:

 

Essentially I have noticed many folders/files/programs being installed without my knowledge and a vast majority have been to do with services/programs with the words remote/network/connection/wireless/firmware/proxy/stream/mobile/server/client/web/host/shell/routing/net/share/gateway/DNS/virtual and so on. Now I understand what each of these items are alone and I understand this is a laptop and it is essentially a portable computer which needs many "non hard wired" capabilities to be able to do whatever a buyer may want it to. It's just the amount of services/programs I have noticed devoted to these things is massively excessive and unnecessary. I may be wrong and each item may be 100% legitimate and have its reason for being there but have noticed new ones appearing frequently. I have also stressed that my understanding of any of these may be out of context/they have other meanings when used in different contexts so forgive my ignorance if I've completely missed something. Also even when logged in as administrator I seem to get plenty of "access denied" and system options that I know are supposed to be there but are either greyed out or missing. Any attempt to work through all this makes me feel like I'm chasing a ghost. A few more issues/questions:

 

- Some processes running x64, some in x86 - normal?

- I thought group policy is disabled in Win10 Home however it seems to be enabled/restricting my movements.

- I suspect my drivers may be contributing to some sort of issue.

- Windows update/Windows Defender/Signed drivers/Certificates etc seem to report no issues however upon looking in detail at each one I find updates failed, definitions failed to load/download/signed drivers and certificates that expired or can't be trusted.

- Using different security tools (Have used GMER/CCleaner/Rootkit Revealer/Malwarebytes etc etc) show contradictory results and most show signs of some underlying problem that I can never uncover.

- Selecting settings for any system setting may or may not still be selected once a reboot happens, essentially the system goes back to default regardless of what's selected.

- Duplicates and/or incorrect locations for system processes (lsass/csrss/smss etc)

- New/Strange/unnecessary drivers/devices sometimes 2/3/4/5 different devices (mostly hidden) for the same simple device which already is installed.

 

 

I guess I just need someone with knowledge in this department to have a look at my logs, clean any infection/issue and possibly enlighten me in some areas to fill the gaps in my knowledge base to help me work through these things without the need of assistance in the future.

 

Apologies for the novel, I just felt it was important to get down everything up front so we can save time and work through the next steps quickly, future posts will not be excessive I promise! 

 

Thanks again for any help!

 


 


#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,660 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:11 PM

Posted 23 March 2018 - 01:05 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> https://www.bleepingcomputer.com/logreply/673426 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Gunto

Gunto

    Bleepin' Reject Phoenix


  • Malware Response Team
  • 1,284 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:North Las Vegas, Nevada, USA
  • Local time:11:11 AM

Posted 05 April 2018 - 01:37 PM

Hi, Daonewithnoteef! What a charming name! I'm going to try to help you out. :)
 
Before we get started, here are some things I need you to remember:
  • Please don't make any changes to your computer, or run programs, without asking me first! This will make it practically impossible for me to assist you.
  • Always read my posts completely before doing anything, and follow the instructions in the order I give them to you, unless stated otherwise.
  • If you're getting help elsewhere, or have already resolved the problem, please let me know so I can close this thread.
  • Please respond to me within five days of me replying to you. If you need more time, please let me know. I will close topics that I have not received a response from within five days.
  • Please be patient with me. I need some time to analyze your logs and responses so I can correctly help you. I should respond to you within two days, but if I haven't, please send me a PM! I may have missed your response. Bribing me with candy for faster replies is not advised.
  • If something goes wrong, you don't understand something, or you don't know what to do, please stop and ask me before proceeding with any further steps!
First of all, please don't worry about posting novels. Really, I'd much prefer you to be as detailed and precise as possible; it narrows down the issue quite nicely! Plus, I certainly won't hesitate to add detail if necessary, for the same reasons. :P
 
Now, to address some of your concerns:
 
"- Some processes running x64, some in x86 - normal?"
Yes, this is normal. Many programs are only compatible when run in x86/32-bit mode.
 
"- I thought group policy is disabled in Win10 Home however it seems to be enabled/restricting my movements."
Group policy is not disabled in Win10 Home; it simply does not include the group policy editor. Other programs - including malware - may add GP restrictions themselves. This is a bit unusual, however; I see no group policies in your logs whatsoever.
 
"- I suspect my drivers may be contributing to some sort of issue."
This is quite possible. So far, I see next to nothing in your logs which seems to correspond to the issues you're describing, except for the numerous disabled devices and program failures.
 
"- Windows update/Windows Defender/Signed drivers/Certificates etc seem to report no issues however upon looking in detail at each one I find updates failed, definitions failed to load/download/signed drivers and certificates that expired or can't be trusted."
This isn't necessarily a malware problem, but it could be. Trust me when I say that Windows Updates fail for me all the time, and I haven't gotten malware in years. Microsoft's updating services are often a buggy mess, which is very unfortunate when security or major glitches are involved.
 
"- Using different security tools (Have used GMER/CCleaner/Rootkit Revealer/Malwarebytes etc etc) show contradictory results and most show signs of some underlying problem that I can never uncover."
For the most part, this is to be expected. Rootkit-scanners practically never display only malicious entries; they can be as detailed as listing every single running driver and/or service, among other things, to as vague as only listing "suspicious" activity (which may still be legitimate). These tools are generally designed for experts who know what they're looking for. CCleaner really isn't a security tool, even if it can potentially clean out infections hiding in your temp files.
 
I am, however, particularly interested in the results of the MBAM scan; do you still have the log file(s) detailing what it detected and cleaned, if anything? To do this, open MBAM, click Reports, select the scan report (if there are more than one, do this for each of the ones relevant to your current issues, or at least around the time you began having issues), click View Report, then Export, and either click Copy to Clipboard to directly paste it/them into your reply immediately, or Text File (*.txt) to save it/them for copying later. As a note, you don't need to do this before the other steps; feel free to retrieve the log(s) alongside or after the others later in this post.
 
"- Selecting settings for any system setting may or may not still be selected once a reboot happens, essentially the system goes back to default regardless of what's selected."
At present, I really don't know why this is happening. Either something is reverting your adjustments on its own, or they aren't saving at all. If possible, can you be specific as to which ones stick and which don't?
 
"- Duplicates and/or incorrect locations for system processes (lsass/csrss/smss etc)"
Obviously cause for concern, but again, I'm not seeing any of these. I can, however, search for them.
 
"- New/Strange/unnecessary drivers/devices sometimes 2/3/4/5 different devices (mostly hidden) for the same simple device which already is installed."
This one is quite possibly what I'm seeing when looking at your numerous disabled devices, although all of them seem unique enough to not look like duplicates.
 
Also, you really aren't being paranoid to keep UPnP and such disabled. Most of the time, it's just a disaster waiting to happen.
 
My current verdict is that you may have been previously infected, but MBAM or something else managed to get rid of the brunt of it; your current issues may be the result of residual malware, lingering settings from previous malware, and/or unrelated issues entirely. I will do my best to help you, even if it means consulting my more-experienced colleagues for advice or referring you to someone more suited for the task, although I do hope I can fix it myself!
 
Farbar Recovery Scan Tool
 
To start with, I'll have you run a fix and search with FRST. The fix will get rid of unnecessary startup entries, orphans, and some useless junk. I don't think any of these are causing your problems, but it's good to clear this stuff out anyway. The search will look around your PC for any unruly duplicates of the files you mentioned.
  • Open up Notepad, and copy and paste the text in the following box into the Notepad text field:
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [18383328 2017-10-05] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_LENOVO_DOLBYDRAGON] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1493984 2017-10-05] (Realtek Semiconductor)
HKLM\...\Run: [LenovoUtility] => C:\Program Files\Lenovo\LenovoUtility\utility.exe [791848 2017-06-16] ()
HKLM\...\Run: [RtHDVBg_LENOVO_MICPKEY] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1493984 2017-10-05] (Realtek Semiconductor)
HKU\S-1-5-21-1344870063-3032559576-765385003-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://lenovo17win10.msn.com/?pc=LCTE
HKU\S-1-5-21-1344870063-3032559576-765385003-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://lenovo17win10.msn.com/?pc=LCTE
HKU\S-1-5-21-1344870063-3032559576-765385003-1001\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://www.lenovo.com
C:\ProgramData\DP45977C.lfl
C:\WINDOWS\system32\{EC94D02F-D200-4428-9531-05AF7F9799CB}.bat
C:\DRIVER
C:\Users\MBV\AppData\Local\Temp\NTA.exe
C:\Users\MBV\AppData\Local\Temp\RG.exe
Intel(R) Chipset Device Software (HKLM-x32\...\{a2d9fda8-65eb-4c06-81ef-31e0a4daa335}) (Version: 10.1.1.11 - Intel(R) Corporation) Hidden
LenovoUtility (HKLM-x32\...\{6ADA7E88-8D16-4D0D-BC90-2B93AC5E56DA}) (Version: 3.0.0.4 - Lenovo) Hidden
Office 16 Click-to-Run Extensibility Component (HKLM-x32\...\{90160000-008C-0000-0000-0000000FF1CE}) (Version: 16.0.6965.2079 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (HKLM\...\{90160000-008F-0000-1000-0000000FF1CE}) (Version: 16.0.6965.2079 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (HKLM-x32\...\{90160000-008C-0409-0000-0000000FF1CE}) (Version: 16.0.6965.2079 - Microsoft Corporation) Hidden
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
Save it to the same location as FRST as fixlist.txt.
  • Open up FRST, and click the Fix button. If it asks you to reboot in order to complete the fix, please do so.
  • Once it's done fixing things, it will create Fixlog.txt in the same folder. Please copy and paste it into your reply.
  • With FRST still open, copy and paste the text in the following box into the text field next to Search::
lsass.exe;csrss.exe;smss.exe
When done, click the Search Files button. It may take a while for FRST to search for these files, but when it's done, it'll create Search.txt in the same folder. Please copy and paste it into your reply.
 

Disabled Devices and Services

 

Next, I'll need to verify with you which devices and services you disabled yourself, or which ones might have been disabled otherwise and potentially causing trouble.

 

FRST tells me the following devices are disabled:

Microphone (Realtek High Definition Audio)

Root Print Queue

Speakers (Realtek High Definition Audio)

Microsoft Wi-Fi Direct Virtual Adapter

Lenovo EasyCamera

Microsoft Kernel Debug Network Adapter

Intel® Wireless Bluetooth®

Intel® Display Audio

Remote Desktop Device Redirector Bus

 

None of these are really necessary (well, apart from perhaps your speakers/audio); I'm simply trying to verify that you're the one who disabled them. I'm also rather puzzled as to why the first three I listed don't seem to have any services installed, but I'm going to take it one issue at a time with this hardware.

 

I'd also like to know if you disabled System Restore yourself. Again, technically not necessary, but it is an extremely useful service for undoing damage caused by malware, faulty drivers, and other things. As such, I'd recommend you enable it. If you're not sure how:

  • Open File Explorer, right click on This PC, and select Properties. In the new window that opens, click System protection.
  • In the smaller window that opens, click Configure... and ensure Turn on system protection is ticked. You may adjust the max usage dial (which indicates how much data is used on System Restore at any time) to your liking, although I recommend allowing it to use at least 20%, depending on how much space you wish to spare. When done, click OK.
Final Questions/Notes
 
Last, but not least, you mentioned scanning with Windows Defender, GMER, and Rootkit Revealer, and from your language they ran without issue in this regard, although your logs indicate that they either crashed (GMER and RR) or were otherwise ended prematurely (WD). Is this true, or is the error reporter just acting up? Also, if you have any logs from these, I'd love to see them.
 
I know I've been asking a ton of questions, but all of this is to make sure I'm headed in the right direction, so that I don't run nonsensical fixes.
 
Gunto

Beautiful avatar by Plumbeck!

 

Bury me in honor; when I'm dead and hit the ground, a love back home, it unfolds...
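
Added example, not part of the thread and not FRST output: a read-only PowerShell check for the concern discussed in post #3, "duplicates and/or incorrect locations for system processes (lsass/csrss/smss)". The function names are chosen for this example; it assumes Windows 10 with PowerShell 5.1 and an elevated prompt, and it only reports, it changes nothing.

```powershell
# Added example (not from the thread). Read-only audit of where lsass.exe,
# csrss.exe and smss.exe run from and where same-named files sit on disk.
# Run elevated: without elevation ExecutablePath is often empty for these.

$Names       = 'lsass.exe', 'csrss.exe', 'smss.exe'   # names from the post's search line
$ExpectedDir = Join-Path $env:SystemRoot 'System32'    # where the running copies belong

function Get-SignatureStatus {
    param([string]$Path)
    # Returns the Authenticode status as text, or 'Unreadable' if the file cannot be opened.
    try   { [string](Get-AuthenticodeSignature -LiteralPath $Path -ErrorAction Stop).Status }
    catch { 'Unreadable' }
}

function Get-SystemProcessAudit {
    param([string[]]$Name = $Names, [string]$Expected = $ExpectedDir)
    # Several csrss.exe rows are normal (one per session); judge by path, not by count.
    foreach ($n in $Name) {
        foreach ($p in Get-CimInstance -ClassName Win32_Process -Filter "Name = '$n'") {
            $path = $p.ExecutablePath
            $sig  = $null
            if (-not $path) {
                $verdict = 'PathUnavailable'        # protected process or prompt not elevated
            } elseif ((Split-Path -Path $path -Parent) -ieq $Expected) {
                $verdict = 'Expected'
                $sig     = Get-SignatureStatus $path
            } else {
                $verdict = 'UnexpectedLocation'     # running from outside System32
                $sig     = Get-SignatureStatus $path
            }
            [pscustomobject]@{
                Name      = $p.Name
                ProcessId = $p.ProcessId
                ParentId  = $p.ParentProcessId
                SessionId = $p.SessionId
                Path      = $path
                Signature = $sig
                Verdict   = $verdict
            }
        }
    }
}

function Get-SystemFileCopyAudit {
    param([string[]]$Name = $Names, [string]$Expected = $ExpectedDir,
          [string]$Root = "$env:SystemDrive\")
    # SHA-256 of each System32 copy is the reference for every other copy found.
    $reference = @{}
    foreach ($n in $Name) {
        $ref = Join-Path $Expected $n
        if (Test-Path -LiteralPath $ref) {
            $reference[$n] = (Get-FileHash -LiteralPath $ref -Algorithm SHA256).Hash
        }
    }
    # Full-drive walk; slow, and unreadable folders are skipped silently.
    Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $Name -contains $_.Name } |
        ForEach-Object {
            $dir = $_.DirectoryName
            if     ($dir -ieq $Expected)                               { $where = 'System32' }
            elseif ($dir -like (Join-Path $env:SystemRoot 'WinSxS\*')) { $where = 'ComponentStore' }
            elseif ($dir -like "$env:SystemDrive\Windows.old\*")       { $where = 'PreviousInstall' }
            else                                                       { $where = 'Other' }
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 `
                        -ErrorAction SilentlyContinue).Hash
            [pscustomobject]@{
                Name            = $_.Name
                Location        = $where
                Path            = $_.FullName
                Signature       = Get-SignatureStatus $_.FullName
                MatchesSystem32 = ($null -ne $hash -and $hash -eq $reference[$_.Name])
            }
        }
}

Get-SystemProcessAudit  | Format-Table -AutoSize
Get-SystemFileCopyAudit | Sort-Object Location, Path | Format-Table -AutoSize
```

Copies under WinSxS or Windows.old can legitimately be older builds with a different hash, so for those rows the signature status is the meaningful column; an `Other` row that is neither validly signed nor identical to the System32 copy is the kind of entry to bring to a helper.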


#4 Gunto

Gunto

    Bleepin' Reject Phoenix


  • Malware Response Team
  • 1,284 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:North Las Vegas, Nevada, USA
  • Local time:11:11 AM

Posted 08 April 2018 - 12:29 PM

Important note: The user here isn't able to reply to this topic at all currently, and must PM me to stay in contact. As such, I will be copying our PMs to assure that nothing shady is happening, as well as providing unaltered screenshots. All of my PM instructions are/will be aimed at getting back to this topic.

 

Sent Yesterday, 05:52 PM

Hi Gunto,

I have received your comprehensive email regarding my possible malware and other related issues however I cannot post a reply to the forum! Every time I go to reply the space bar doesn't work, it redirects me and the pc bogs down making it impossible to reply! I don't know what the hell this could be but even when trying to post a reply to the forum via my iPhone 7 (this device I'm on now) I cannot enter the link to even view the specific forum. 

The space bar works fine after closing IE and the pc runs (still crap) ok after that. 

Again, I appreciate your efforts in the reply and I don't want this opportunity to go to waste to fix any of these brain melting issues I'm having. Any ideas??! 

Thanks, 

Daonewithnoteef

N.B. It's a very charming handle I do say so myself!

 

 

Sent Today, 10:22 AM

Hi,

 

Well, I certainly can't say I was expecting this.  :blink: That being said, I really don't think I'm supposed to provide malware assistance through private messages, so I'm going to have to try to get you able to use the forum again ASAP. Considering your circumstances, I think this is acceptable for now (and if not, the staff will definitely let me know). That said, as soon as you're able to reply to your forum topic, you'll need to use that instead of PMing me (unless, of course, I've been absent as detailed in my intro post).

 

Are you able to download and install Firefox? If you can't do it through Edge/IE, try downloading it on another computer, putting it on an external device like a USB drive or CD, then transfer the installer to the target computer. After installing it, can you post on the forum? If so, please follow up on my previous post. If not, let me know.

 

Also, you'll see another one of my replies to your forum topic; you can ignore it. I'm just letting the public know exactly what's going on, so they don't think we're trying to bypass any rules.

 

Gunto

 

 

Attached File: untitled1.png (224.33KB)
Attached File: untitled2.png (197.68KB)

 




#5 Gunto

Gunto

    Bleepin' Reject Phoenix


  • Malware Response Team
  • 1,284 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:North Las Vegas, Nevada, USA
  • Local time:11:11 AM

Posted 11 April 2018 - 12:34 PM

Hi,

It's been three days since my last post and PM, so I am bumping this topic just in case you missed my previous reply. If you need more time to get back to me, please let me know, because I'll assume you're inactive otherwise.

If I still haven't heard from you in two days, this topic will be locked, so please get back to me by then.

Gunto




#6 Daonewithnoteef

Daonewithnoteef
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:11 AM

Posted 12 April 2018 - 02:31 AM

Hi Gunto,
 
Yes I'm still here and desperately need further assistance. Your Firefox idea worked great, I am now able to reply in the forums, apologies about the private messages!
 
I had to reset the laptop and a few other things before it worked enough to be usable so I've done a fresh FRST scan and attached the results.
 
I think we should start fresh if that's ok with you?? Thanking you very much in advance. Let me know if you need anything else.




#7 Gunto

Gunto

    Bleepin' Reject Phoenix


  • Malware Response Team
  • 1,284 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:North Las Vegas, Nevada, USA
  • Local time:11:11 AM

Posted 12 April 2018 - 04:28 PM

Hi,

 

Great that Firefox worked! You did nothing wrong with regards to the PMs. We insist on helping others publicly simply for transparency reasons; as helpers, we're held in high accountability here on BC, so these precautions are taken with your safety in mind. Since you had no other choice in order to contact me, you did the next best thing. :)

 

Now then, back to the computer. I'm going to need more information before I can do much else.

 

By "reset the laptop and a few other things," do you mean to say you reset the computer to factory default? This does seem to be the case with your logs showing Windows.old and numerous recreated system files/folders. If so, are your symptoms still identical? Which "other things" did you reset?

 

One thing I have definitely noticed is that your logs are largely at odds with your symptoms, and sometimes even with each other... For instance, you installed Firefox, but the only sign of it whatsoever is the installation executable. I can't really conceive of any good reason for this at the moment. :wacko:

 

Perhaps most importantly, you seem to be completely ignoring the first point in my intro post to not modify the computer without asking or telling me first. Like I said, this makes it impossible for me to help you; it's bad enough that your logs and testimony seem to contradict, but having to deal with that and figuring out exactly what you've changed is beyond a nightmare. Still, it was an excellent choice on your part to get fresh FRST logs, so thank you very much for that, at least! In the future, please either ask me before repairing anything, or if you have no other choice and cannot warn me first, explain what you did in detail. This makes the whole process considerably easier on everyone involved!

 

I'm still interested in seeing any MBAM logs, though I'm not entirely sure if they're still around after your reset. Please navigate to C:\Windows.old\ProgramData\Malwarebytes\MBAMService\ScanResults if it exists, and if there are any files in there, sort them by date (if there are more than a small amount) and find any that were created around the time you started having problems. I don't think you can directly attach JSON files (but I'd really prefer it if you just copied and pasted logs whenever possible in the first place), so to get to the contents, open the file(s) in Notepad and copy and paste its/their contents into your response.

 

I've also got a small FRST script for you, but it won't improve performance aside from getting rid of a couple "file not found" errors. However, all of this stuff is unnecessary/garbage anyway, and you might as well be rid of it.

  • Open up Notepad, and copy and paste the text in the following box into the Notepad text field:
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [18383328 2017-10-05] (Realtek Semiconductor)
S2 ImControllerInstallerService; "X:\windows\System32\ImController.InfInstaller.exe" [X]
S2 ImControllerService; "X:\Program Files\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe" [X]
C:\ProgramData\DP45977C.lfl
C:\DRIVER
LenovoUtility (HKLM-x32\...\{6ADA7E88-8D16-4D0D-BC90-2B93AC5E56DA}) (Version: 3.0.0.4 - Lenovo) Hidden
Intel(R) Chipset Device Software (HKLM-x32\...\{a2d9fda8-65eb-4c06-81ef-31e0a4daa335}) (Version: 10.1.1.11 - Intel(R) Corporation) Hidden
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} =>  -> No File
ContextMenuHandlers4: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} =>  -> No File
ContextMenuHandlers4: [EncryptionMenu] -> {A470F8CF-A1E8-4f65-8335-227475AA5C46} =>  -> No File
ContextMenuHandlers4: [Offline Files] -> {474C98EE-CF3D-41f5-80E3-4AAB0AB04301} =>  -> No File
ContextMenuHandlers5: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} =>  -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
ContextMenuHandlers6: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} =>  -> No File
ContextMenuHandlers6: [Offline Files] -> {474C98EE-CF3D-41f5-80E3-4AAB0AB04301} =>  -> No File
C:\WINDOWS\system32\{EC94D02F-D200-4428-9531-05AF7F9799CB}.bat
Save it to the same location as FRST as fixlist.txt.
  • Open up FRST, and click the Fix button. If it asks you to reboot in order to complete the fix, please do so.
  • Once it's done fixing things, it will create Fixlog.txt in the same folder. Please copy and paste it into your reply.

I'll be needing your answers before doing much else, so I'll be awaiting your response!

 

Gunto




#8 Gunto

Gunto

    Bleepin' Reject Phoenix


  • Malware Response Team
  • 1,284 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:North Las Vegas, Nevada, USA
  • Local time:11:11 AM

Posted 15 April 2018 - 04:28 PM

Hi,

 

Still with me? My previous conditions in the last bump still apply.

 

If you aren't able to respond regularly within about three days, let me know, so I don't keep bumping this needlessly. For example, "I'm only able to respond to you about twice a week, so bump after five days instead if I'm silent." Otherwise, as stated before, I'll lock this topic after two more days of inactivity.

 

Gunto




#9 Gunto

Gunto

    Bleepin' Reject Phoenix


  • Malware Response Team
  • 1,284 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:North Las Vegas, Nevada, USA
  • Local time:11:11 AM

Posted 17 April 2018 - 05:19 PM

This topic is now locked due to the lack of feedback.
 
If you still need help, please send me (or any moderator if I am unavailable) a PM asking for this topic to be unlocked.





