Remote intrusion, registry-manipulations and booting-problems etc

[chased11]

Dear friends,

I have for a long time seen my Win 10 Home installation been degraded. BSOD´s and latency-problems occuring, permissions changed, files missing etc etc.
Using MBAR showed IMAGE FILE EXECUTION OPTIONS regarding MRT, MsMpEng and SvcHost, aka Trojan Agent and Security Hijack. Entries were deleted
but I am not 100% sure they were not false positives. But I can still see i.e problems relating to Windows Defender etc. So I checked the booting process and
found some interesting facts:

ntbtlog shows that boot- and systems-files related to Win Defender "sometimes" at first boots allright but then the log tells me they don´t. Several tries
occurs. We are talking about between 2-3 up to 16 attemts.

Going further I used Autorun, Driverview and InstalledDriverList to find out more. Came to the fact-conclusion that WdBoot and HWPolicy are never booted
which implies confirmation of the strange behavior of Win Defender and why my system/registry have been manipulated without giving me any clear messages
or notice. Device Manager i.e lacks any info about installed drivers! Administrative Shares have been active(hidden) in spite of other settings. Windows Update
is not working on Automat and new drivers are not installed on the same basis. Win Firewall is instable(graphic interface). Window Remote Management Service
have since long been disabled by me. Today the system says this service is "disabled with delayed start"?

InstalledDriverList also show there are 3 hidden dumpfiles(dumping original dump-files) in the booting process.

dump_diskdump.sys
dump_dumpfe.sys
dump_storahei.sys


My system is remotely controlled for sure. I have seen it live also, happening before my eyes. 4 ports are always open and while I was checking several
connected IP-addresses without corresponding name-adress I found out their host certificates did not correspond to their IP-addresses. While I was doing
this work my system started to respond strange. Normal sites that I visited started to give error-messages about safety(would not be reached by Firefox).
Before I closed the internet-connection one of the open local ports readed "close combat".

I can show several registry-settings that comply with the use of Remote Desktop control.

Please help!

 

[iMacg3]

Hi, Welcome to Sysnative.
I'm iMacg3 and will be helping you.

Please keep the following information in mind before we begin:

• Do not run any fixes or tools on your system unless I request that you do so.
• Please read all instructions carefully, and complete them in the order listed.
• If your computer seems to start working normally, please don't abandon the topic. Just because your computer doesn't seem to have a problem doesn't mean that it isn't infected.
• If you have pirated or illegal software on your computer, uninstall it now before proceeding.
• If you have questions about anything, please ask.

--------------------

Download Farbar Recovery Scan Tool and save it to your Desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system, that will be the right version.

• Right-click FRST/FRST64 and select Run as administrator. (Windows XP users double-click on the file).
• If you receive a SmartScreen pop-up, click More Info, then Run Anyway.
• When the tool opens, click Yes to the disclaimer.
• Press the Scan button.
• When finished, two log files will pop up - FRST.txt and Addition.txt.
• Copy and paste the contents of FRST.txt and Addition.txt into your next reply.

Note - FRST.txt and Addition.txt are saved to the same location as FRST/FRST64.

 

[chased11]

Hi iMacg3 and thank you very much for responding,

I just want to explain I am communicating in this matter from another computer and from another place which means it will take
some time (24hours i.e) between my replies. I will not go on-line with an "infected" laptop as of yet.

For your information my laptop is sitting alone behind a switch and a router connected to an apartment-house fibernet.
Laptop was originally bought with a Win 8.1 Home OEM-installation, then upgraded to Win 10 Home. After router/computer
intrusion 2017 I had a "friend" doing a clean installation(1703) on the machine in April. Since then I think the OS has gone
slowly worse by the day. Later I found out Microsoft have warned about doing a clean installation on laptops. Their warnings
were made public already in front of the release of version 1703, Creators Update, in April 5. I had my installation done the
10th.

I downloaded FRST64 and I will run it tonight and bring you the logs tomorrow. Until then I enclose some logs concerning the
boot-process.

My best//

 

[iMacg3]

Hi,

OK, sounds good. :thumbsup2:

Additionally, please let me know of any symptoms that lead you to believe your computer is infected.

Thanks.

 

[chased11]

Here comes some logs about the booting-failures in the following order:

1. Standard MS boot-log "ntbtlog"
2. "Bootdrivers_All" (excl not booted drivers)
3. "BootDrivers_ex_MS) (only 3rd party drivers incl dump-files)
4. "InstalledDriverList_All_incl_not_booted" (strangely enough HWPOLICY not booted is on the list but not WDBOOT?)
5. InstalledDriversList "DriverList_All" in HTML (incl not booted HWPOLICY and WDBOOT)
6. Driverview "reportbootdrivers" in HTML (missing both not booted files)
7. "WDBoot_not loading" (spec)
8. "hwpolicy_not_booting" (spec)

All of the above filedata comes from the same boot-session January 22 2019(checked!). Unfortunately these reports
are not presented in an easy-read format but the size of the better viewed html-format was not allowed due to forum-
policy. I can try to dispatch them separately later.

9. On another boot-session EhStoreClass did not boot (se spec file).

Perhaps enclosed files are redundant to FRST! Also take a look at "Load-count". Several files have very high counts incl ntoskrnl.exe. This
file is by the way in the top when it comes to latency-problems. In Task Manager I nowadays have 2 (two) ntoskrnl.exe-files. One as System (pid 4)
and the other as Registry. Process-Explorer can´t find any file-info about the Registry-file and it´s process and says it is "device not connected".
Looking inside the Registry-file process using other sysnative tools (Process-Monitor i.e) it looks normal!

One obvious failure is problems relating to MS Resource Monitor. After hibernation or normal systemclosing the RM will not start. I have to do
a regular reboot and sometimes more than one. This har been going on for a long time. The same goes for accessing internet. Have to do a re-
boot to get DHCP (and DNS). Computer otherways says it lacks IP-configuration. I think it is because of the missing HWPolicy-system file not
working! Not the adapter-settings per se.

Another example; When starting certain programs you can feel and see that you reach some short resource-limit. In particular I see it when the
programs (i.e when running on external servers) involved have to do a lot of saving during exiting processes. Program not responding for 5-10
seconds. And still I can not see or read any capacity-problems in i.e Task Manager regarding lack of Memory, Processor-power or say Disk-
delays or internet-capacity (I have 100Mbit). I have done MemoryTest in Win 10 with no error!


Regards





​

 

[chased11]

File-limits for HTML is some 97,7 Kb as I understand!

//

 

[iMacg3]

Hi,

OK, thanks for the info. When you can, please post the FRST logs (FRST.txt and Addition.txt).

Thanks.

 

[chased11]

Hi again,

Here comes the FRST-logs(2). Instead of commenting here I took the liberty of adding some comments along the text-rows in the enclosed logs. Look for my mark *) .
As a layman I cannot see or interpret any big problems here, as expected really! Those who can exersice "some" power into my machine have left rootkits or other
stuff far behind I guess. Tomorrow I will try to summerize the most evident examples of what´s been going on and since when. I will also show examples of interesting
settings in registry etc. How could you really expose an intruder or that an intrusion has been done if you can´t expose the directr trafffic for which I am not really qualified.

I also send you some shots regarding the problem file ntoskrnl.exe *3 incl. a new problem-process with LSalso (crypto) involving memory-access.

Happy Weekend
//

 

[iMacg3]

Hi,

If you can't access Internet Explorer from the start menu, press the Start Button, then type Internet Explorer in the search box. Select it from the list of results.
If you'd like to pin it to the taskbar or Start Menu for easy access (if you use IE often) you can right-click on it and select Pin to Taskbar or Pin to Start.

I noticed there are several Firewall restrictions set for svchost.exe. Did you set those yourself?

Your logs are clean of malware. We'll run a FRST script to remove some remnants of SUPERAntiSpyware, some "orphaned" entries, and check the contents of a folder.

Please do this.

Highlight the contents of the below code box and press Ctrl + C:

Start::

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

R1 SASDIFSV; C:\Users\Christer\Desktop\Säkerhet\SuperAntispyware_Scanner\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com) 
R1 SASKUTIL; C:\Users\Christer\Desktop\Säkerhet\SuperAntispyware_Scanner\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

2019-01-20 11:34 - 2019-01-20 11:34 - 000000000 ____D C:\Users\Christer\AppData\Roaming\SUPERAntiSpyware.com
2019-01-20 11:34 - 2019-01-20 11:34 - 000000000 ____D C:\ProgramData\SUPERAntiSpyware.com

ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File  
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} =>  -> No File

ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File

[LEFT][COLOR=#222222][FONT=Verdana]C:\Users\Christer\Desktop\Säkerhet\SuperAntispyware_Scanner\SASDIFSV64.SYS
[/FONT][/COLOR][COLOR=#222222][FONT=Verdana]C:\Users\Christer\Desktop\Säkerhet\SuperAntispyware_Scanner\SASKUTIL64.SYS[/FONT][/COLOR][/LEFT]

Folder: C:\Users\Bach\0

End::

Right-click on FRST/FRST64 and select Run as Administrator.
Click on Fix.
Note - there is no need to paste the contents of the code box anywhere.
If your computer restarts, allow it to do so.
Once the fix is complete, a file called fixlog will be saved to the same directory as FRST. The log may open in Notepad as well.
Please copy and paste the contents of the fixlog into your next reply.

Thanks.

 

[chased11]

Hi,

Since I am not running our conversation here on my own computer I have to copy the above CODE into a text-file and run it at home. I guess that works
the same or? Pressing Ctrl+C after opening my own text-file(Notepad) and highlightening the same code and the clicking FIX on FRST64. OK?

You will have the fixlog tomorrow.

1. Internet Explorer. I guess you read my comments about my use ow IE(11) in the FRST-logs? As far as I know IE became a built-in browser from Win 8.1 or Win 10.
That means i.e that I can not reinstall IE if it is missing. And missing it is. I can not find IEXPLORE.Exe on my computer. There is a small directory under C:\Programs etc
with a few files. The rest lies under Appdata or Programdata. Iexplore.exe is missing under "\Program-files\Internet Explorer" where it should be.

As I said before I don´t use IE(the browser) at all. I therefore deactivated IE under controlpanel/program/window-features. I can not reactivate IE. IE is gone which is a kind of strange
because it is supposed to be built-in in Win 10. I probably have to use an install-disc or a new image(in my case) to get IE back. Still I can get to Internet-settings in Controlpanel. IE
is used i.e by one of my programs that is runned on an externa server. Can you explain why iexplore.exe is missing?

2. SvcHost in Firewall. It is pretty difficult to compare registry-data settings for the Window Firefall against the simple settings done in the graphic interface of the Win Firewall. As I said above
(see my comments in the FRST-logs) I do not use Windows default settings. SvcHost have two(2) settings under Outbound: TCP on remote port 80,443 and UDP on remote port 53 are allowed
(have to check again at home). It should be done by the book I think. These settings have been done recently due to a will to hardening security. They are both set for Public, Private and for Domains.
More about the "instability" of my Firewall later. As I said before, Firewall is blocking all incoming and outgoing traffic except what I manually allow.

I can although mention one peculiar thing. Firefox after re-installation did not need to be granted (outbounded) access in Firewall???

Many thanks for your assistance, FIXLOG in next reply tomorrow due to the inconvenience of communicating from another place/computer.

ps! Did you have any reactions to my other comments on the FRST-logs?


//

 

[chased11]

NOTICE!

First few times I logged in here I could write my replies under pretty long times without getting "logged out". Today I been
logged out on a shorter time-basis when trying to send the above reply. What have changed here? When I logged in again
I expected to be returned(redirected) to my ongoing reply-message but your host did not return the "redirected page" as said
after log-in. A blank/white page appeared "foreever). Luckely I saved my written message before being logged-out. Not funny!

//

 

[chased11]

Hi again,

Your message on the 24 of Jan:

"Additionally, please let me know of any symptoms that lead you to believe your computer is infected"

You actually mean that FRST is enough to establish the fact that my computer is not infected by malware etc or is open for illegal use(unauthorized access)?
No of cource you don´t. I have a long list of "facts" that tells me my computer is not infected today but that someone today and since long have access to
my computer. But how can I prove in a material way, being a layman, that someone evidently have removed personal and other user files over the time?
That someone in front of my eyes, in real-time, have changed the behavior of my computer. This is almost impossible to do without beeing an expert including
running suitable software. And doing this at the same time an intruder have admin-access? Difficult enough for an expert or? What I can do is describing the
nature of stuff happening and point to changes in my computer-settings incl OS-configurations that should not exist in my Home version.

So here is my intensions:

1. Check no malware is running or existant(incl hidden) in my computer
2. Fix boot and check Win Defender works properly (HwPolicy, Win Def, EhStorage=possible USB manipulations)
3. Check integrety-status of my Window version ( My version is definately a hybrid one)
4. Set up the proper basic security settings for my computer (lack of Group Policy Editor I need help with accessing the right registry-places)incl control of all log-in facilities.
Looking at different auditing reports there seems to be many security holes or weaknesses here.
5. Making sure all possible remote log-in possiblities are removed incl future ones.
6. Due to the "infection" of earlier flash-memory sticks (and USB-contacts!) I had to reformat them all. This includes recently checked repair-and restore-discs that did not
work well, i.e data suddenly missing. Image-disc for a new Win 10 clean installation is therefor expected to be infected or be insecure.
7. Before downloading a new MS WIN 10 Image I must be sure my computer is working well and that no external access is possible.
8. Checking that BIOS start-up options is not changed and that booting(priority-order)will work during a new installation.

If you feel you have the right competence of helping me with paragraph 2-5 thats fine with me. But maybe you feel it is better if you transfer my case to the right Forum
dealing with named isssues?


So before I start document all issues you please tell me your interest.


Regards

 

[Will]

Hi chased11,

If you don't think that any helper here willing to spend the their free time is of the right competence to help you, you're welcome to find a different forum.

We can only see the details that appear in the log files you're willing to provide us - this covers the vast majority of malware that we encounter, however no single tool can catch everything. The only way to be completely sure your computer is secure is to not own a computer in the first place, let alone connect it to the internet.

If you're concerned that the computer has been, or still is, infected and that the volunteers here are not competent enough to spot this, I would suggest you reformat the machine.

 

[chased11]

Hi there Will,

I guess we confronted a language-barrier here interpreting my words as a rude comment about iMacg3´competence. I am very sorry if he/she feels that way or anybody else for that matter. It was not my point at all. Competence is not about discovering malware here at the Security Arena. As I have said to him/her I was not really expecting any visible malware. Instead I was thinking maybe my problems are more suitable to be handled under perhaps another Forum-headline. The word "competence" was about analyst-specialcompetence, not competence in general but competence within the different fields under different headlines here. So I asked iMac3g if my case (integrity of my Win installation) was better suited for another Forum-headline. Often people are asked to change Forum and I was only bringing such an idea to his attention. Better to start a case were it belongs than to be moved later. And finally again. I was not questioning iMac3g´competence but now when I see that he/she is a Trainee in Win Update I really understands your concern about my language. I am truly sorry Will and iMacg3. English is not my language. I don´t speak or write english regularly. For what it´s worth, I am myself working as a volunteer.

So I would be very glad if you accepted my apologies and perhaps gave me a new chance to think more about my formulations.


Sincerely,

 

[chased11]

ps! I can now see how the following sentences from the original post was badly written. "You actually mean that FRST is enough to establish the fact that my computer is not infected by malware etc or is open for illegal use(unauthorized access)?
No of cource you don´t." Here I was only pointing at the possibility that unauthorized access can exist without any observable malvare/rootkit. No critics about your tools or analyst. But boy... it sure can be interpreted that way! :embarrasment5::doh:

 

[iMacg3]

Hi,

Apology accepted. :smile9:

As of right now, I don't see anything in the logs or information that appears to be symptoms of an infection.
We can check further.

Please run the FRST fix that I posted earlier. If you are using a USB flash drive or other removable storage media to transfer the fix over, you can create a new Notepad document. Then copy and paste the contents of the code box into the notepad document, and save the file as fixlist.txt
Transfer the Fixlist.txt file to the same location FRST is running from. Open FRST, and click Fix.

If the computer restarts, allow it to do so. When the fix is complete, a log will be created in the same location as FRST called Fixlog.txt
Please copy and paste the contents of Fixlog.txt into your next reply.

We'll address the issues with Internet Explorer once you have run the FRST fix.

Thanks.

 

[Sysnative Windows Update]

Just a note: Here you have the ability to attach larger fixlists and therefore make it easier for the OPs :)

 

[iMacg3]

softwaremaniac - Thanks for the information :thumbsup2:

chased11 - Instead of following the instructions in my last post, you can download the attached Fixlist, transfer it to the same location FRST64.exe is running from, then launch FRST and click Fix.

Please post the contents of the fixlog.txt in your next reply.

Thanks.

View attachment fixlist.txt

 

[chased11]

Hi again iMacg3 and thank you for accepting my sincere apology!

Here is the Fixlog. As before I added a few comments using *). Reboot was done!


Fix result of Farbar Recovery Scan Tool (x64) Version: 20.01.2019
Ran by Christer (28-01-2019 23:06:31) Run:1
Running from C:\Users\Christer\Desktop
Loaded Profiles: Christer & Bach (Available Profiles: Christer & Bach)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
R1 SASDIFSV; C:\Users\Christer\Desktop\Säkerhet\SuperAntispyware_Scanner\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Users\Christer\Desktop\Säkerhet\SuperAntispyware_Scanner\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
2019-01-20 11:34 - 2019-01-20 11:34 - 000000000 ____D C:\Users\Christer\AppData\Roaming\SUPERAntiSpyware.com
2019-01-20 11:34 - 2019-01-20 11:34 - 000000000 ____D C:\ProgramData\SUPERAntiSpyware.com
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
C:\Users\Christer\Desktop\Säkerhet\SuperAntispyware_Scanner\SASDIFSV64.SYS
C:\Users\Christer\Desktop\Säkerhet\SuperAntispyware_Scanner\SASKUTIL64.SYS
Folder: C:\Users\Bach\0

*****************

Restore point was successfully created.
Processes closed successfully.
SASDIFSV => Unable to stop service.
HKLM\System\CurrentControlSet\Services\SASDIFSV => removed successfully
SASDIFSV => service removed successfully
SASKUTIL => Unable to stop service.
HKLM\System\CurrentControlSet\Services\SASKUTIL => removed successfully
SASKUTIL => service removed successfully
C:\Users\Christer\AppData\Roaming\SUPERAntiSpyware.com => moved successfully
C:\ProgramData\SUPERAntiSpyware.com => moved successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive1 => removed successfully
HKLM\Software\Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => not found
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive2 => removed successfully
HKLM\Software\Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282} => not found
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive3 => removed successfully
HKLM\Software\Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30} => not found
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive4 => removed successfully
HKLM\Software\Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => not found
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive5 => removed successfully
HKLM\Software\Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => not found
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive6 => removed successfully
HKLM\Software\Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3} => not found
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive7 => removed successfully
HKLM\Software\Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => not found
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive1 => removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => not found
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive2 => removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282} => not found
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive3 => removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30} => not found
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive4 => removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => not found
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive5 => removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => not found
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive6 => removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3} => not found
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive7 => removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => not found
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\igfxcui => removed successfully
HKLM\Software\Classes\CLSID\{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => not found *)
C:\Users\Christer\Desktop\Säkerhet\SuperAntispyware_Scanner\SASDIFSV64.SYS => moved successfully
C:\Users\Christer\Desktop\Säkerhet\SuperAntispyware_Scanner\SASKUTIL64.SYS => moved successfully

*) As said before I have had some problems with this file back to 8.1 period. I think it´s an Intel file associated with Intel Graphics Control Panel (CP). The service of CP is running but the panel is missing! The file should run in
Task Monitor but is missing since a few weeks I think! There has "always" been an error in EventViever for this file if I recall correct.

========================= Folder: C:\Users\Bach\0 ========================

C:\Users\Bach\0 => File

====== End of Folder: ======


=========== EmptyTemp: ==========

BITS transfer queue => 10772480 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 118684996 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 45412 B
Edge => 9216 B
Chrome => 0 B
Firefox => 18492597 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 0 B
LocalService => 0 B
NetworkService => 348084 B
NetworkService => 0 B
Christer => 35236712 B
Bach => 1136511 B

RecycleBin => 620084 B
EmptyTemp: => 176.8 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 23:08:19 ====

 

[iMacg3]

Hi,

As said before I have had some problems with this file back to 8.1 period. I think it´s an Intel file associated with Intel Graphics Control Panel (CP). The service of CP is running but the panel is missing! The file should run in
Task Monitor but is missing since a few weeks I think! There has "always" been an error in EventViever for this file if I recall correct.

That was an "orphaned" registry entry. (igfxcui)

---------------------

Highlight the contents of the below code box and press Ctrl + C:

Start::

VirusTotal: C:\users\bach\0

End::

Right-click on FRST/FRST64 and select Run as Administrator.
Click on Fix.
Note - there is no need to paste the contents of the code box anywhere.
If your computer restarts, allow it to do so.
Once the fix is complete, a file called fixlog will be saved to the same directory as FRST. The log may open in Notepad as well.
Please copy and paste the contents of the fixlog into your next reply.

--------------------

We'll look for any copies of Internet Explorer on the system.

Highlight the contents of the below code box, and press Ctrl + C:

iexplore.exe

Open FRST. Click in the white search box in the FRST window, then press Ctrl + V to paste the contents of the code box into the search window.
Click on Search Files.

Once the search is complete, a log called Search.txt will open. Please post it in your next reply.


Thanks.