lmmkwnasvc.ese what is it?

January 26, 2019 at 16:48:44
Specs: Windows 10, athlon fx 4100 QuadCore/ 4GBRam
Desktop issues on win10 are making me paranoid about weird exes I have running in the background. I cannot determine the origin of one in particular, lmmkwnasvc.exe; google and duckduckgo turn up 0 results. I still can't figure out what launches it; it's not a startup entry. If anyone can point me in the right direction

Truth can become lie, but if lies become truth we're in trouble.



#1
January 26, 2019 at 17:17:42
Here are the first 2 steps; more steps will be needed after I see the results of these logs.

Step 1: Run AdwCleaner
http://www.softpedia.com/get/Antivi...
http://www.raymond.cc/blog/adwclean...
http://www.bleepingcomputer.com/dow...
Author's site
https://toolslib.net/downloads/view...
Tutorial
http://general-changelog-team.fr/en...
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click Scan
In the results tabs, uncheck anything you don't want to remove.
Click on Cleaning.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please Copy & Paste the contents of that logfile with your next answer.
You also can find the logfile at C:\AdwCleaner [C1 or later].txt as well.
http://i.imgur.com/r3PoAEG.gif

Step 2: Run Malwarebytes Anti-Malware ( MBAM ) Use Threat Scan.
http://www.softpedia.com/get/Antivi...
http://www.freewarefiles.com/Malwar...
http://www.freewarefiles.com/screen...
http://www.malwarebytes.org/downloads/
Forum
http://www.malwarebytes.org/forums/
After the Free trial, I choose this.
http://fs5.directupload.net/images/...
You then get this screen.
http://fs5.directupload.net/images/...
Or,
Deactivate Malwarebytes for Windows Premium Trial
https://support.malwarebytes.com/do...
At the end of a scan, you will get something like this.
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...
After clicking on > View Report & then > Export, click 'Copy to Clipboard'.
Paste the contents of the clipboard into your reply.



#2
January 27, 2019 at 08:48:29
"lmmkwnasvc.exe"

Are you sure about that spelling? Did you search your computer to see what folder it's in? From what I could find, nasvc is Nero, masvc is McAfee.



#3
January 27, 2019 at 09:14:23
I'm very interested in part of the original question:
How is the program launched?

-- Jeff, in Minneapolis



#4
January 27, 2019 at 09:17:45


#5
January 27, 2019 at 09:47:03
Ha! I probably haven't clicked the "Tools" button since the day I installed CCleaner. Totally forgot about those functions.

-- Jeff, in Minneapolis



#6
January 28, 2019 at 18:22:57
I wanted to give up. So far GMER "says" rootkit; it is a weird .sys file from about 07.20.18.

AdwCleaner, Malwarebytes and others turn up nothing. System/explorer hangs every now and then. When running CCleaner it hangs while cleaning IE files (I use FF exclusively). I haven't tried other startup managers, but I don't see how that one exe is being executed (I'm gonna do a more thorough inspection). Trying to end the task in the task manager always gives the "file access denied" error. All those tools from bleepingcomputer turn up nothing, and one won't even run on win10: adwcleaner/jrt/farbar (this one I don't even know what it does). The rootkit scanners turn up nothing. I've downloaded all the tools I could find and will do a scan on each a little later.

I installed Windows on another SSD; there are no hardware issues, but no weird .sys being run either. I misspelled .exe in the title, but that is the file that shows up in system32 (lmmkwnasvc.exe). I suspect it is a random xxxxxxxsvc.exe, which is why google and duckduckgo turn up nothing. The original SSD did have errors, so I scanned it from within the other install using chkdsk and they are apparently fixed (was getting BSOD/stop errors).

I've had the issue since a while back and do remember Malwarebytes finding "stuff" and "fixing" it (computer became snappy again); on one of the reboots, w/o installation of anything, I found Malwarebytes Anti-Malware uninstalled and the machine back to being slow. Rescanned and manually deleted the entries, a couple of trojans/RATs and some adware. I suspect a rootkit because any attempt at deleting temp folders/files causes a hang. I am gonna try again and will post the logs of the rescans.

Truth can become lie, but if lies become truth we're in trouble.



#7
January 28, 2019 at 18:27:00
"I suspect rootkit"
Yep.

"I am gonna try again will post the logs of the rescans"
Yes please.




#8
January 29, 2019 at 05:43:31
aswMBR and GMER both crash on full scan; aswMBR pulls a stop error actually. The weirdness with rtaxmgb? I can't even access the folder, let alone delete it.
I still have not found how that lmmkwnasvc.exe is launching.
SuperAntiSpyware just found cookies
AdwCleaner clean
aswMBR (Avast-GMER rootkit scanner) crashes on scan (it's also annoying to run because it has to download 300MB of definitions?)
GMER does the initial scan, crashes on full.
McAfee's rootkit remover found nothing.
rootkitbuster (bitdefender) won't even run
mbar nothing
Malwarebytes Anti-Malware nothing (tracking cookies)


I've already reinstalled on another SSD, but this is the drive with all my applications, so I'm trying to save this install now just on pure principle. I hear TrustedInstaller is an actual Windows thing? If I delete auelpsvz.sys I wonder what happens. I'm at my wit's end on this one.

GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2019-01-29 07:26:36
Windows 6.2.9200  x64 \Device\Harddisk2\DR2 -> \Device\00000038 SanDisk_SDSSDA120G rev.Z33130RL 111.79GB
Running: 1dciwgeu.exe; Driver: C:\Users\rwn\AppData\Local\Temp\ffadyfob.sys


---- Processes - GMER 2.2 ----

Library  C:\Users\rwn\AppData\Local\rtaxmgb\rtaxmgb.exe (*** suspicious ***) @ C:\Users\rwn\AppData\Local\rtaxmgb\rtaxmgb.exe [16172]         0000000000ea0000
Library  C:\Users\rwn\AppData\Local\rtaxmgb\dtdurec.exe (*** suspicious ***) @ C:\Users\rwn\AppData\Local\rtaxmgb\dtdurec.exe [16028]         0000000000ca0000
Library  C:\Users\rwn\AppData\Local\rtaxmgb\ipc_service.dll (*** suspicious ***) @ C:\Users\rwn\AppData\Local\rtaxmgb\dtdurec.exe [16028]     00000000545e0000
Library  C:\Users\rwn\AppData\Local\rtaxmgb\libcurl.dll (*** suspicious ***) @ C:\Users\rwn\AppData\Local\rtaxmgb\dtdurec.exe [16028]         000000000f800000
Library  C:\Users\rwn\AppData\Local\rtaxmgb\libcef.dll (*** suspicious ***) @ C:\Users\rwn\AppData\Local\rtaxmgb\dtdurec.exe [16028]          000000000fdc0000
Library  C:\Users\rwn\AppData\Local\rtaxmgb\chrome_elf.dll (*** suspicious ***) @ C:\Users\rwn\AppData\Local\rtaxmgb\dtdurec.exe [16028]      00000000014b0000
Library  C:\Users\rwn\AppData\Local\rtaxmgb\dtdurec.exe (*** suspicious ***) @ C:\Users\rwn\AppData\Local\rtaxmgb\dtdurec.exe [11036]         0000000000ca0000
Library  C:\Users\rwn\AppData\Local\rtaxmgb\libcef.dll (*** suspicious ***) @ C:\Users\rwn\AppData\Local\rtaxmgb\dtdurec.exe [11036]          000000000fdc0000
Library  C:\Users\rwn\AppData\Local\rtaxmgb\chrome_elf.dll (*** suspicious ***) @ C:\Users\rwn\AppData\Local\rtaxmgb\dtdurec.exe [11036]      00000000014b0000
Library  C:\Users\rwn\AppData\Local\rtaxmgb\ipc_service.dll (*** suspicious ***) @ C:\Users\rwn\AppData\Local\rtaxmgb\dtdurec.exe [11036]     00000000545e0000
Library  C:\Users\rwn\AppData\Local\rtaxmgb\libcurl.dll (*** suspicious ***) @ C:\Users\rwn\AppData\Local\rtaxmgb\dtdurec.exe [11036]         000000000f800000
Library  C:\Users\rwn\AppData\Local\rtaxmgb\D3DCompiler_47.dll (*** suspicious ***) @ C:\Users\rwn\AppData\Local\rtaxmgb\dtdurec.exe [11036]  0000000004870000
Library  C:\Users\rwn\AppData\Local\rtaxmgb\libglesv2.dll (*** suspicious ***) @ C:\Users\rwn\AppData\Local\rtaxmgb\dtdurec.exe [11036]       000000000fb60000
Library  C:\Users\rwn\AppData\Local\rtaxmgb\libegl.dll (*** suspicious ***) @ C:\Users\rwn\AppData\Local\rtaxmgb\dtdurec.exe [11036]          0000000054590000

---- Services - GMER 2.2 ----

Service  system32\drivers\auelpsvz.sys (*** hidden *** )                                                                                      [BOOT] nkhesxtd           <-- ROOTKIT !!!
Service  C:\WINDOWS\servicing\TrustedInstaller.exe (*** hidden *** )                                                                          [AUTO] TrustedInstaller   <-- ROOTKIT !!!

---- EOF - GMER 2.2 ----

Truth can become lie, but if lies become truth we're in trouble.



#9
January 29, 2019 at 05:53:49
lmmkwnasvc.exe in action
GMER has a dialog that shows all the services and how they're being run; lmmkwnasvc.exe is nowhere to be found.
I had entries show up, zvest/schooler folders, but no files in them. I guess my initial infection happened on 7.20.18; log included.
[ TimeStamp: 20190129 073536 ]Rootkit Remover v0.8.9.209 [Dec  7 2015 - 22:57:24]
McAfee Labs.

Windows build 6.2.9200 x64 
Checking for updates ...


Scanning for user-mode threats ...

Scanning for kernel-mode threats ...
    Scan Result --> No trojan or viruses found!
Scan Finished

# -------------------------------
# Malwarebytes AdwCleaner 7.2.6.0
# -------------------------------
# Build:    12-18-2018
# Database: 2019-01-25.2 (Cloud)
# Support:  https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start:    01-28-2019
# Duration: 00:00:14
# OS:       Windows 10 Enterprise
# Scanned:  31744
# Detected: 0


***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

No malicious registry entries found.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries found.

***** [ Chromium URLs ] *****

No malicious Chromium URLs found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.


AdwCleaner[S00].txt - [12568 octets] - [20/07/2018 01:17:57]
AdwCleaner[C00].txt - [10622 octets] - [20/07/2018 01:19:29]
AdwCleaner[S01].txt - [2245 octets] - [20/07/2018 15:33:35]
AdwCleaner[C01].txt - [2285 octets] - [20/07/2018 15:34:00]
AdwCleaner[S02].txt - [1623 octets] - [12/11/2018 15:10:33]
AdwCleaner[C02].txt - [1751 octets] - [12/11/2018 15:10:54]
AdwCleaner[S03].txt - [1660 octets] - [26/01/2019 18:40:10]
AdwCleaner[C03].txt - [1826 octets] - [26/01/2019 18:41:28]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S04].txt ##########

The 7.20.18 scan results from AdwCleaner
# -------------------------------
# Malwarebytes AdwCleaner 7.2.2.0
# -------------------------------
# Build:    07-17-2018
# Database: 2018-07-19.5
# Support:  https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start:    07-20-2018
# Duration: 00:00:05
# OS:       Windows 10 Pro
# Cleaned:  116
# Failed:   0


***** [ Services ] *****

Deleted       Quoteex
Deleted       Update service
Deleted       backlh
Deleted       windowsmanagementservice
Deleted       MicroService

***** [ Folders ] *****

Deleted       C:\Users\rwn\AppData\Local\XService
Deleted       C:\ProgramData\Quoteexs
Deleted       C:\ProgramData\Logic Cramble
Deleted       C:\ProgramData\Microleaves
Deleted       C:\Program Files (x86)\Microleaves
Deleted       C:\Users\rwn\AppData\Roaming\Microleaves
Deleted       C:\Users\rwn\AppData\Roaming\AGData
Deleted       C:\Users\rwn\AppData\Local\AdvinstAnalytics
Deleted       C:\Program Files (x86)\AnonymizerGadget
Deleted       C:\Users\rwn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AnonymizerGadget
Deleted       C:\Windows\Syswow64\SSL
Deleted       C:\ProgramData\Quoteex
Deleted       C:\Windows\Installer\{5266F634-7B7D-4537-BDDC-98DD6CFCBAA1}
Deleted       C:\Program Files (x86)\PQwick1.1
Deleted       C:\Windows\Temp\Smartbar

***** [ Files ] *****

Deleted       C:\Program Files\MOZILLA FIREFOX\DEFAULTS\PREF\SECURE_CERT.JS
Deleted       C:\Users\rwn\AppData\Roaming\Mozilla\Firefox\Profiles\buin1i4l.default\searchplugins\findit.xml
Deleted       C:\Users\rwn\appdata\local\installationconfiguration.xml
Deleted       C:\Users\rwn\AppData\Local\Main.dat
Deleted       C:\Windows\Installer\SOURCEHASH{5266F634-7B7D-4537-BDDC-98DD6CFCBAA1}
Deleted       C:\Windows\SysWOW64\findit.xml

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

Deleted       C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
Deleted       C:\Users\Public\Desktop\Mozilla Firefox.lnk
Deleted       C:\Users\rwn\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk
Deleted       C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
Deleted       C:\Users\Public\Desktop\Google Chrome.lnk
Deleted       C:\Users\rwn\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk

***** [ Tasks ] *****

Deleted       C:\Windows\Tasks\Online Application V2G5.job
Deleted       C:\Windows\System32\Tasks\Online Application V2G5
Deleted       C:\Windows\Tasks\Online Application V2G4.job
Deleted       C:\Windows\System32\Tasks\Online Application V2G4
Deleted       C:\Windows\Tasks\Online Application V2G6.job
Deleted       C:\Windows\System32\Tasks\Online Application V2G6
Deleted       C:\Windows\System32\Tasks\AGProxyCheck
Deleted       C:\Windows\Tasks\Online Application V2G2.job
Deleted       C:\Windows\System32\Tasks\Online Application V2G2
Deleted       C:\Windows\Tasks\Online Application V2G3.job
Deleted       C:\Windows\System32\Tasks\Online Application V2G3
Deleted       C:\Windows\Tasks\Online Application V2G1.job
Deleted       C:\Windows\System32\Tasks\Online Application V2G1
Deleted       C:\Windows\Tasks\Updater_Online_Application.job
Deleted       C:\Windows\System32\Tasks\Updater_Online_Application

***** [ Registry ] *****

Deleted       HKLM\Software\Wow6432Node\mtQuoteex
Deleted       HKLM\Software\Wow6432Node\MICROSOFT\WINDOWS NT\CURRENTVERSION\SILENTPROCESSEXIT\Quoteex.exe
Deleted       HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs - "C:\ProgramData\Quoteex\Zamhome.dll"
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs - "C:\ProgramData\Quoteex\Aplight.dll"
Deleted       HKLM\Software\Wow6432Node\Microleaves
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{84F2E683-E4F6-4C14-B5C1-7F20B5DD0A10} 
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{84F2E683-E4F6-4C14-B5C1-7F20B5DD0A10} 
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Online Application V2G5
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4F609031-7034-4590-88CC-E2D0714C5C72} 
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4F609031-7034-4590-88CC-E2D0714C5C72} 
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Online Application V2G4
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{274D915B-166F-480A-AA74-CD71F9C08687} 
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{274D915B-166F-480A-AA74-CD71F9C08687} 
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Online Application V2G6
Deleted       HKLM\SOFTWARE\5ba32463b3ad2e431a07e36b29f9a59c
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{72EDE76D-26FB-40FE-BD96-A1CE7A28ED88} 
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AGProxyCheck
Deleted       HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\BlockAdsPro
Deleted       HKLM\Software\Wow6432Node\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\26D9E607FFF0C58C7844B47FF8B6E079E5A2220E
Deleted       HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\26D9E607FFF0C58C7844B47FF8B6E079E5A2220E
Deleted       HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{E1527582-8509-4011-B922-29E3FB548882}_is1
Deleted       HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce|WinResSync
Deleted       HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|WinResSync
Deleted       HKCU\Software\Microsoft\Windows\CurrentVersion\Run|WinResSync
Deleted       HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32|AnonymizerGadget
Deleted       HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run|AnonymizerGadget
Deleted       HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\AnonymizerGadget
Deleted       HKLM\Software\Wow6432Node\xs
Deleted       HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7a4cb1e5-6d05-41e2-b993-3775ee8e0541}|NameServer - "82.163.143.178,82.163.142.180"
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{AC986F1A-CD78-488B-AD94-CF70367A926B} 
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AC986F1A-CD78-488B-AD94-CF70367A926B} 
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Online Application V2G2
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A441F922-BDDB-48C5-9A0D-49FA2B84BA1E} 
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A441F922-BDDB-48C5-9A0D-49FA2B84BA1E} 
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Online Application V2G3
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B6D967F6-52CD-43C6-87F9-F7EB19B14FCA} 
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B6D967F6-52CD-43C6-87F9-F7EB19B14FCA} 
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Online Application V2G1
Deleted       HKCU\Software\Microsoft\Internet Explorer\SearchScopes|DefaultScope
Deleted       HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes|DefaultScope
Deleted       HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{ielnksrch}
Deleted       HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\ielnksrch
Deleted       HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Quoteex.exe
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Quoteex.exe
Deleted       HKU\S-1-5-18\Software\Caphyon\Advanced Updater\{F039D4A9-14D3-4425-A4FA-F2F9D5B0E014}
Deleted       HKU\.DEFAULT\Software\Caphyon\Advanced Updater\{F039D4A9-14D3-4425-A4FA-F2F9D5B0E014}
Deleted       HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5266F634-7B7D-4537-BDDC-98DD6CFCBAA1}
Deleted       HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\436F6625D7B77354DBCD89DDC6CFAB1A
Deleted       HKLM\Software\Classes\Installer\Products\436F6625D7B77354DBCD89DDC6CFAB1A
Deleted       HKLM\Software\Classes\Installer\Features\436F6625D7B77354DBCD89DDC6CFAB1A
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{8A39D8B6-5D45-4C1E-B32C-BD194924CA21} 
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8A39D8B6-5D45-4C1E-B32C-BD194924CA21} 
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updater_Online_Application
Deleted       HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|PQwick
Deleted       HKCU\Software\Microsoft\Windows\CurrentVersion\Run|PQwick
Deleted       HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PQwick
Deleted       HKCU\Environment|SNP
Deleted       HKCU\Environment|SNF
Deleted       HKLM\Software\Wow6432Node\SrcAAAesom Browser Enhancer
Deleted       HKLM\Software\SrcAAAesom Browser Enhancer
Deleted       HKCU\Software\WajIEnhance
Deleted       HKLM\Software\Wow6432Node\CLASSES\APPID\56BF5154-0B48-4ADB-902A-6C8B12E270D9
Deleted       HKLM\SOFTWARE\CLASSES\APPID\56BF5154-0B48-4ADB-902A-6C8B12E270D9

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries cleaned.

***** [ Chromium URLs ] *****

Deleted       Ask
Deleted       AOL

***** [ Firefox (and derivatives) ] *****

Deleted       Google NoTrack
Deleted       Block Site

***** [ Firefox URLs ] *****

Deleted       file:///C:/ProgramData/Quoteexs/ff.HP
Deleted       file:///C:/ProgramData/Quoteexs/ff.HP


*************************

[+] Delete Tracing Keys
[+] Reset Winsock

*************************

AdwCleaner[S00].txt - [12568 octets] - [20/07/2018 01:17:57]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########

Truth can become lie, but if lies become truth we're in trouble.
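An added example, not from this thread or from any of the tools named in it: a read-only PowerShell script that enumerates the launch points the AdwCleaner log above covers (services and drivers, scheduled tasks, Run keys, AppInit_DLLs, WMI consumers, per-interface DNS) and reports any that reference a given file name, defaulting to the OP's lmmkwnasvc.exe. It assumes an elevated PowerShell 5.1 prompt on Windows 10; as GMER's hidden-service finding suggests, a kernel-mode rootkit can hide entries from these registry and WMI queries, so an empty result is not proof of a clean system.

```powershell
# Added example, not from the thread. Read-only: it enumerates launch points and changes nothing.
# Run from an elevated PowerShell prompt. $Needle defaults to the file name the OP reported.
param(
    [string]$Needle = 'lmmkwnasvc.exe'
)

$hits = New-Object System.Collections.Generic.List[object]

function Add-Hit([string]$Source, [string]$Name, [string]$Value) {
    # Record the entry only when its command/path mentions the file we are tracing.
    if ($Value -and $Value -match [regex]::Escape($Needle)) {
        $hits.Add([pscustomobject]@{ Source = $Source; Name = $Name; Value = $Value })
    }
}

# 1. Services and kernel drivers. GMER flagged a hidden [BOOT] driver (auelpsvz.sys);
#    a rootkit that hides its service key will not show up here, only in an offline scan.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
    Add-Hit 'Service/Driver' $_.PSChildName $p.ImagePath
}

# 2. Scheduled tasks (the 07-20-2018 log removed several "Online Application V2G*" tasks).
Get-ScheduledTask | ForEach-Object {
    $t = $_
    foreach ($a in $t.Actions) {
        Add-Hit 'ScheduledTask' "$($t.TaskPath)$($t.TaskName)" "$($a.Execute) $($a.Arguments)"
    }
}

# 3. Run / RunOnce keys for the machine (native and WOW64) and the current user.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    $p = Get-ItemProperty $k -ErrorAction SilentlyContinue
    if ($p) {
        $p.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { Add-Hit "Run key $k" $_.Name $_.Value }
    }
}

# 4. AppInit_DLLs (the 2018 log shows Quoteex DLLs injected into every process this way).
foreach ($k in 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows',
               'HKLM:\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows') {
    $p = Get-ItemProperty $k -ErrorAction SilentlyContinue
    if ($p) { Add-Hit 'AppInit_DLLs' $k $p.AppInit_DLLs }
}

# 5. WMI permanent event consumers, the fileless persistence AdwCleaner lists under [ WMI ].
Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Hit 'WMI CommandLineEventConsumer' $_.Name $_.CommandLineTemplate }

# 6. Running processes and their command lines (catches a parent that spawns the file).
Get-CimInstance Win32_Process | ForEach-Object {
    Add-Hit 'Process' "$($_.Name) [$($_.ProcessId)]" $_.CommandLine
}

# 7. Static per-interface DNS servers, listed regardless of $Needle: the 2018 log shows a
#    NameServer hijack on a Tcpip interface, a common companion to adware installs.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces' | ForEach-Object {
    $ns = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).NameServer
    if ($ns) { $hits.Add([pscustomobject]@{ Source = 'Tcpip NameServer'; Name = $_.PSChildName; Value = $ns }) }
}

# Report, and show signer and timestamps of the binary at the location the OP saw it.
$hits | Format-Table -AutoSize
$path = Join-Path $env:SystemRoot "System32\$Needle"
if (Test-Path $path) {
    Get-AuthenticodeSignature $path | Select-Object Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
    Get-Item $path | Select-Object FullName, CreationTime, LastWriteTime, Length
}
if (-not ($hits | Where-Object { $_.Value -match [regex]::Escape($Needle) })) {
    "No visible launch point references $Needle; a hidden service is still possible, scan the disk offline."
}
```

Saved as a script file of your choosing (name assumed), it is run as `.\Find-LaunchPoint.ps1 -Needle lmmkwnasvc.exe`.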



#10
January 29, 2019 at 06:07:08
A little background info as well. I think I installed some game optimizer; I was trying to run Rust on New Year's, the game would crash repeatedly, so I started scanning. lmmkwnasvc.exe is undeletable, I've tried. I have not tried to delete that weird .sys file; I think it's how it's being launched. My previous experience with the desktop "glitching" (explorer crashing) was probably due to having superantimalware along with Malwarebytes running at the same time, as I uninstalled superantimalware and those problems stopped. Was getting a lot of blue screens from the SSD; took it out and scanned it using chkdsk from within the new install. It didn't find errors on the old C: but it did on one of the reserved MBR partitions; those stop errors have also stopped.

Now I'm dealing with being unable to shut down from the old installation; I woke up this morning to find my computer still on after shutting down last night. The smaller 120GB SSD that holds my original win10 installation won't even let me upgrade/update Windows anymore; the new 240GB SSD will, but I'll have to start from scratch.

All my multimedia apps will need reinstalling, and that is the pain I was trying to avoid. lmmkwnasvc.exe was victorious. I do some light gaming on my main rig sometimes; that's about 100GB of reinstalls alone.

Lesson learned: stay away from any kind of optimizers. I never use them; I must've been drunk or something on that 07.20.2018.

I managed to copy it, but as a last resort I will need to find a deleter for lmmkwnasvc.exe and that weird .sys file.

Truth can become lie, but if lies become truth we're in trouble.



#11
January 29, 2019 at 10:02:29
As a last resort, delete ALL partitioning & reinstall Windows from scratch. The small "System Reserved" partition MUST go along with the others. Start with a blank slate.


#12
January 29, 2019 at 13:36:32
"I installed windows on another ssd there are no hardware issues but no weird .sys being ran either"
Very good.

"Now I'm dealing with unable to shutdown from the old installation"
Let's stick with that install, otherwise it is too hard to get my head around what is happening.

I will now proceed in small steps.

See if you can run this.

Hitman Pro, then Copy and Paste the contents of the log, into your reply please.
http://www.softpedia.com/get/Intern...
https://www.hitmanpro.com/en-us/hmp...
How to scan and obtain a log
http://forums.majorgeeks.com/showth...
Unlimited free scanning and free 30-day version to remove detected malware.
Download now (64-bit)
https://dl.surfright.nl/HitmanPro_x...

message edited by Johnw

