
Navsmart.info Malware


  • This topic is locked
22 replies to this topic

#1 Junkai-Dong

Junkai-Dong

  • Members
  • 16 posts

Posted 18 September 2016 - 07:02 AM

Hello, I am a student from China. When I was trying to download one of my iso files, Navsmart got into my computer. It changed my Chrome homepage to navsmart and the icon and address were changed too.

 

I tried hard. I downloaded these antimalware:

Avira

Adwcleaner

FRST

Malwarebytes

 

I tried using Avira, but it did not find anything about navsmart.

Adwcleaner found 85 malware.

Malwarebytes deleted a lot of cookies.

 

The thing is, I found out a folder in C:\Users\DJL\AppData\Roaming\Browsers which is full of bat.xxx.exe files created by the malware. After I deleted it, the icon of Chrome became ok. But when I open Chrome, it said Unable to load extension from some really long address and jumps to navsmart. Sometimes it was ok.

 

I tried using FRST and I will attach both the FRST.txt and Addition.txt to my post.

 

In Addition.txt, most of the application problems of Acrobat, SPSS and Office are due to my cracking. The other things are in Chinese, but I cannot help because I am not a CS guy = = Really sorry for that and I really need your help. Is this serious??? Do I need to reboot or do something like that???


#2 Junkai-Dong

Junkai-Dong
  • Topic Starter

  • Members
  • 16 posts

Posted 18 September 2016 - 07:19 AM

Update: when I try to open a new window of Chrome, it jumps to navsmart; but clicking on the "new tab" gives the about:blank, which is what I wanted.



#3 Jo*

Jo*

  • Malware Response Team
  • 3,331 posts
  • Gender:Male
  • Location:Germany

Posted 18 September 2016 - 07:31 AM

Welcome to BleepingComputer.

Hi there,

My name is Jo and I will help you with your computer problems.


Please follow these guidelines:
  • Read and follow the instructions in the sequence they are posted.
  • Print or copy and save the instructions.
  • Back up all your private data / music / important files on another (external) drive before using our tools.
  • Do not install / uninstall any applications, unless otherwise instructed.
  • Use only the tools you have been instructed to use.
  • Copy and Paste the log files inside your post, unless otherwise instructed.
  • Ask for clarification, if you have any questions.
  • Stay with this topic until you get the all clean post.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

***


Step 1: Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    Vista / Windows 7/8 users right-click and select Run As Administrator.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

***


Step 2: Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version so please be sure to read the disclaimer and back up all your data before using.
  • Double click on downloaded file. OK self extracting prompt.
  • MBAR will start. Click in the introduction screen "next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
With some infections, you may see two message boxes.
  • 'Could not load protection driver'. Click 'OK'.
  • 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
  • If malware is found - do not press the Clean up button, please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.

***


Step 3: Please download AdwCleaner by Xplode and save to your Desktop.
Double-click AdwCleaner.exe
Vista / Windows 7/8/10 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
    The actual line should say "Pending. Please uncheck elements you do not want to remove" => scan is complete.
  • After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it.
    If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.

***


Step 4: MiniToolbox by Farbar

Disable your antivirus if it does not allow you to download the tool!
Please download MiniToolBox, save it to your desktop and run it.
Place a checkmark in Select all, then click Go and post the result (MTB.txt). A copy of Result.txt will be saved in the same directory the tool is run.
Copy and paste the contents of that logfile in your next reply.

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#4 Junkai-Dong

Junkai-Dong
  • Topic Starter

  • Members
  • 16 posts

Posted 18 September 2016 - 08:59 AM

Gosh, it took a while to scan. Here are the results.

Several things that I want to report: MBAR had no malware found and adwcleaner was outdated, so I downloaded the latest version v6.020.

Also another thing is that about three hours ago, before I wrote this topic, I ran adwcleaner once. It worked; but soon navsmart went back to my chrome.

 

Checkup.txt:

 Results of screen317's Security Check version 1.014 --- 12/23/15  
   x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
Avira Antivirus    
Windows Defender   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:````````` 
 Java version 32-bit out of Date! 
 Google Chrome (53.0.2785.116) 
 Google Chrome (SetupMetrics...) 
````````Process Check: objlist.exe by Laurent````````  
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbam.exe  
 Avira Antivir avgnt.exe 
 Avira Antivir avguard.exe 
 Avira Antivirus sched.exe  
 Avira Antivirus avshadow.exe  
 Malwarebytes Anti-Malware mbamscheduler.exe   
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:  % 
````````````````````End of Log`````````````````````` 
 
mbar-log-2016-09-18 (21-26-51).txt:
Malwarebytes Anti-Rootkit BETA 1.9.3.1001
www.malwarebytes.org
 
Database version:
  main:    v2016.09.18.03
  rootkit: v2016.08.15.01
 
Windows 10 x64 NTFS
Internet Explorer 11.187.14393.0
djk :: DESKTOP-K31PDH6 [administrator]
 
2016/9/18 21:26:51
mbar-log-2016-09-18 (21-26-51).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 351250
Time elapsed: 12 minute(s), 54 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 
AdwCleaner[C3].txt:
# AdwCleaner v6.020 - Logfile created 18/09/2016 at 21:46:08
# Updated on 14/09/2016 by ToolsLib
# Database : 2016-09-17.1 [Local]
# Operating System : Windows 10 Home China  (X64)
# Username : djk - DESKTOP-K31PDH6
# Running from : C:\Users\DJL\Desktop\Terminate NAV!\adwcleaner_6.020.exe
# Mode: Clean
 
 
 
***** [ Services ] *****
 
 
 
***** [ Folders ] *****
 
[#] Folder deleted on reboot: C:\Program Files (x86)\LuDaShi
 
 
***** [ Files ] *****
 
 
 
***** [ DLL ] *****
 
 
 
***** [ WMI ] *****
 
 
 
***** [ Shortcuts ] *****
 
[-] Shortcut disinfected: C:\Users\Public\Desktop\Google Chrome.lnk
[-] Shortcut disinfected: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
[-] Shortcut disinfected: C:\Users\DJL\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[-] Shortcut disinfected: C:\Users\DJL\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk
 
 
***** [ Scheduled Tasks ] *****
 
 
 
***** [ Registry ] *****
 
[-] Key deleted: HKU\S-1-5-21-4268989145-4028146873-3326586853-1001\Software\Ludashi
[#] Key deleted on reboot: HKCU\Software\Ludashi
[#] Key deleted on reboot: [x64] HKCU\Software\Ludashi
 
 
***** [ Web browsers ] *****
 
 
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner\AdwCleaner[C0].txt - [8017 Bytes] - [18/09/2016 13:23:59]
C:\AdwCleaner\AdwCleaner[C2].txt - [1967 Bytes] - [18/09/2016 18:32:16]
C:\AdwCleaner\AdwCleaner[C3].txt - [1572 Bytes] - [18/09/2016 21:46:08]
C:\AdwCleaner\AdwCleaner[S0].txt - [7792 Bytes] - [18/09/2016 13:13:05]
C:\AdwCleaner\AdwCleaner[S1].txt - [7865 Bytes] - [18/09/2016 13:15:57]
C:\AdwCleaner\AdwCleaner[S2].txt - [7938 Bytes] - [18/09/2016 13:17:59]
C:\AdwCleaner\AdwCleaner[S3].txt - [7949 Bytes] - [18/09/2016 13:20:29]
C:\AdwCleaner\AdwCleaner[S4].txt - [2322 Bytes] - [18/09/2016 18:30:49]
C:\AdwCleaner\AdwCleaner[S5].txt - [2613 Bytes] - [18/09/2016 21:45:09]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C3].txt - [2083 Bytes] ##########
 
AdwCleaner[S5].txt
# AdwCleaner v6.020 - Logfile created 18/09/2016 at 21:45:09
# Updated on 14/09/2016 by ToolsLib
# Database : 2016-09-17.1 [Local]
# Operating System : Windows 10 Home China  (X64)
# Username : djk - DESKTOP-K31PDH6
# Running from : C:\Users\DJL\Desktop\Terminate NAV!\adwcleaner_6.020.exe
# Mode: Scan
 
 
 
***** [ Services ] *****
 
No malicious services found.
 
 
***** [ Folders ] *****
 
Folder Found:  C:\Program Files (x86)\LuDaShi
 
 
***** [ Files ] *****
 
No malicious files found.
 
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
 
***** [ WMI ] *****
 
Key Found:  : \root\subscription\\ActiveScriptEventConsumer [ASEC]
 
 
***** [ Shortcuts ] *****
 
Shortcut infected:  C:\Users\Public\Desktop\Google Chrome.lnk (  --load-extension="C:\Users\DJL\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://navsmart.info )
Shortcut infected:  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk (  --load-extension="C:\Users\DJL\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://navsmart.info )
Shortcut infected:  C:\Users\DJL\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk (  --load-extension="C:\Users\DJL\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://navsmart.info )
Shortcut infected:  C:\Users\DJL\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk (  --load-extension="C:\Users\DJL\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://nav
 
 
***** [ Scheduled Tasks ] *****
 
No malicious task found.
 
 
***** [ Registry ] *****
 
Key Found:  HKU\S-1-5-21-4268989145-4028146873-3326586853-1001\Software\Ludashi
Key Found:  HKCU\Software\Ludashi
Key Found:  [x64] HKCU\Software\Ludashi
 
 
***** [ Web browsers ] *****
 
No malicious Firefox based browser items found.
No malicious Chromium based browser items found.
 
*************************
 
C:\AdwCleaner\AdwCleaner[C0].txt - [8017 Bytes] - [18/09/2016 13:23:59]
C:\AdwCleaner\AdwCleaner[C2].txt - [1967 Bytes] - [18/09/2016 18:32:16]
C:\AdwCleaner\AdwCleaner[S0].txt - [7792 Bytes] - [18/09/2016 13:13:05]
C:\AdwCleaner\AdwCleaner[S1].txt - [7865 Bytes] - [18/09/2016 13:15:57]
C:\AdwCleaner\AdwCleaner[S2].txt - [7938 Bytes] - [18/09/2016 13:17:59]
C:\AdwCleaner\AdwCleaner[S3].txt - [7949 Bytes] - [18/09/2016 13:20:29]
C:\AdwCleaner\AdwCleaner[S4].txt - [2322 Bytes] - [18/09/2016 18:30:49]
C:\AdwCleaner\AdwCleaner[S5].txt - [2457 Bytes] - [18/09/2016 21:45:09]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S5].txt - [2530 Bytes] ##########
 

MTB.txt was too long so I will write another post.

MTB.txt

MiniToolBox by Farbar  Version: 17-06-2016
Ran by djk (administrator) on 18-09-2016 at 21:51:21
Running from "C:\Users\DJL\Desktop\Terminate NAV!"
Microsoft Windows 10 家庭中文版  (X64)
Model: 20FWA00TCD Manufacturer: LENOVO
Boot Mode: Normal
***************************************************************************
 
========================= Flush DNS: ===================================
 
Windows IP 配置
 
已成功刷新 DNS 解析缓存。
 
========================= IE Proxy Settings: ============================== 
 
Proxy is not enabled.
ProxyServer: 127.0.0.1:1081
 
"Reset IE Proxy Settings": IE Proxy Settings were reset.
 
========================= FF Proxy Settings: ============================== 
 
 
"Reset FF Proxy Settings": Firefox Proxy settings were reset.
 
========================= Hosts content: =================================
127.0.0.1 lmlicenses.wip4.adobe.com
127.0.0.1 lm.licenses.adobe.com
127.0.0.1 activate.adobe.com
127.0.0.1 practivate.adobe.com
127.0.0.1 ereg.adobe.com
127.0.0.1 activate.wip3.adobe.com
127.0.0.1 wip3.adobe.com
127.0.0.1 3dns-3.adobe.com
127.0.0.1 3dns-2.adobe.com
127.0.0.1 adobe-dns.adobe.com
127.0.0.1 adobe-dns-2.adobe.com
127.0.0.1 adobe-dns-3.adobe.com
127.0.0.1 ereg.wip3.adobe.com
127.0.0.1 activate-sea.adobe.com
127.0.0.1 wwis-dubc1-vip60.adobe.com
127.0.0.1 activate-sjc0.adobe.com
========================= IP Configuration: ================================
 
Intel® Dual Band Wireless-AC 8260 = WLAN (Connected)
TAP-Windows Adapter V9 = 以太网 2 (Media disconnected)
Intel® Ethernet Connection (2) I219-LM = 以太网 (Media disconnected)
 
 
#========================
# IPv4 配置
#========================
pushd interface ipv4
 
reset
set global icmpredirects=enabled
set interface interface="以太网 2" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="WLAN" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="以太网" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="蓝牙网络连接" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="本地连接* 1" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="本地连接* 2" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
 
 
popd
# IPv4 配置结束
 
 
 
Windows IP 配置
 
   主机名  . . . . . . . . . . . . . : DESKTOP-K31PDH6
   主 DNS 后缀 . . . . . . . . . . . : 
   节点类型  . . . . . . . . . . . . : 混合
   IP 路由已启用 . . . . . . . . . . : 否
   WINS 代理已启用 . . . . . . . . . : 否
 
以太网适配器 以太网:
 
   媒体状态  . . . . . . . . . . . . : 媒体已断开连接
   连接特定的 DNS 后缀 . . . . . . . : 
   描述. . . . . . . . . . . . . . . : Intel® Ethernet Connection (2) I219-LM
   物理地址. . . . . . . . . . . . . : 50-7B-9D-F7-5E-54
   DHCP 已启用 . . . . . . . . . . . : 是
   自动配置已启用. . . . . . . . . . : 是
 
无线局域网适配器 本地连接* 2:
 
   媒体状态  . . . . . . . . . . . . : 媒体已断开连接
   连接特定的 DNS 后缀 . . . . . . . : 
   描述. . . . . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   物理地址. . . . . . . . . . . . . : 44-85-00-AB-83-DB
   DHCP 已启用 . . . . . . . . . . . : 是
   自动配置已启用. . . . . . . . . . : 是
 
以太网适配器 以太网 2:
 
   媒体状态  . . . . . . . . . . . . : 媒体已断开连接
   连接特定的 DNS 后缀 . . . . . . . : 
   描述. . . . . . . . . . . . . . . : TAP-Windows Adapter V9
   物理地址. . . . . . . . . . . . . : 00-FF-CD-ED-D7-5F
   DHCP 已启用 . . . . . . . . . . . : 是
   自动配置已启用. . . . . . . . . . : 是
 
无线局域网适配器 WLAN:
 
   连接特定的 DNS 后缀 . . . . . . . : 
   描述. . . . . . . . . . . . . . . : Intel® Dual Band Wireless-AC 8260
   物理地址. . . . . . . . . . . . . : 44-85-00-AB-83-DA
   DHCP 已启用 . . . . . . . . . . . : 是
   自动配置已启用. . . . . . . . . . : 是
   本地链接 IPv6 地址. . . . . . . . : fe80::4c55:9fc7:6a52:8900%3(首选) 
   IPv4 地址 . . . . . . . . . . . . : 192.168.1.104(首选) 
   子网掩码  . . . . . . . . . . . . : 255.255.255.0
   获得租约的时间  . . . . . . . . . : 2016年9月18日 21:46:45
   租约过期的时间  . . . . . . . . . : 2016年9月18日 23:46:46
   默认网关. . . . . . . . . . . . . : 192.168.1.1
   DHCP 服务器 . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 38044928
   DHCPv6 客户端 DUID  . . . . . . . : 00-01-00-01-1E-FD-01-E2-50-7B-9D-F7-5E-54
   DNS 服务器  . . . . . . . . . . . : 211.162.47.1
                                       211.162.46.1
   TCPIP 上的 NetBIOS  . . . . . . . : 已启用
 
隧道适配器 本地连接* 3:
 
   连接特定的 DNS 后缀 . . . . . . . : 
   描述. . . . . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
   物理地址. . . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP 已启用 . . . . . . . . . . . : 否
   自动配置已启用. . . . . . . . . . : 是
   IPv6 地址 . . . . . . . . . . . . : 2001:0:78c6:e79a:1886:779:3f57:fe97(首选) 
   本地链接 IPv6 地址. . . . . . . . : fe80::1886:779:3f57:fe97%18(首选) 
   默认网关. . . . . . . . . . . . . : ::
   DHCPv6 IAID . . . . . . . . . . . : 285212672
   DHCPv6 客户端 DUID  . . . . . . . : 00-01-00-01-1E-FD-01-E2-50-7B-9D-F7-5E-54
   TCPIP 上的 NetBIOS  . . . . . . . : 已禁用
 
隧道适配器 isatap.{142508AA-3DCB-4D9B-B8D2-803418B90997}:
 
   媒体状态  . . . . . . . . . . . . : 媒体已断开连接
   连接特定的 DNS 后缀 . . . . . . . : 
   描述. . . . . . . . . . . . . . . : Microsoft ISATAP Adapter #4
   物理地址. . . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP 已启用 . . . . . . . . . . . : 否
   自动配置已启用. . . . . . . . . . : 是
服务器:  dns.fzgwbn.net.cn
Address:  211.162.47.1
 
名称:    google.com
Addresses:  2404:6800:4005:801::200e
 216.58.199.14
 
 
正在 Ping google.com [216.58.199.14] 具有 32 字节的数据:
请求超时。
请求超时。
 
216.58.199.14 的 Ping 统计信息:
    数据包: 已发送 = 2,已接收 = 0,丢失 = 2 (100% 丢失),
服务器:  dns.fzgwbn.net.cn
Address:  211.162.47.1
 
名称:    yahoo.com
Addresses:  2001:4998:44:204::a7
 2001:4998:58:c02::a9
 2001:4998:c:a06::2:4008
 206.190.36.45
 98.138.253.109
 98.139.183.24
 
 
正在 Ping yahoo.com [98.139.183.24] 具有 32 字节的数据:
请求超时。
请求超时。
 
98.139.183.24 的 Ping 统计信息:
    数据包: 已发送 = 2,已接收 = 0,丢失 = 2 (100% 丢失),
 
正在 Ping 127.0.0.1 具有 32 字节的数据:
来自 127.0.0.1 的回复: 字节=32 时间<1ms TTL=128
来自 127.0.0.1 的回复: 字节=32 时间<1ms TTL=128
 
127.0.0.1 的 Ping 统计信息:
    数据包: 已发送 = 2,已接收 = 2,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
    最短 = 0ms,最长 = 0ms,平均 = 0ms
===========================================================================
接口列表
 17...50 7b 9d f7 5e 54 ......Intel® Ethernet Connection (2) I219-LM
  8...44 85 00 ab 83 db ......Microsoft Wi-Fi Direct Virtual Adapter
 20...00 ff cd ed d7 5f ......TAP-Windows Adapter V9
  3...44 85 00 ab 83 da ......Intel® Dual Band Wireless-AC 8260
  1...........................Software Loopback Interface 1
 18...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
 16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
===========================================================================
 
IPv4 路由表
===========================================================================
活动路由:
网络目标        网络掩码          网关       接口   跃点数
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.104     50
        127.0.0.0        255.0.0.0            在链路上         127.0.0.1    331
        127.0.0.1  255.255.255.255            在链路上         127.0.0.1    331
  127.255.255.255  255.255.255.255            在链路上         127.0.0.1    331
      192.168.1.0    255.255.255.0            在链路上     192.168.1.104    306
    192.168.1.104  255.255.255.255            在链路上     192.168.1.104    306
    192.168.1.255  255.255.255.255            在链路上     192.168.1.104    306
        224.0.0.0        240.0.0.0            在链路上         127.0.0.1    331
        224.0.0.0        240.0.0.0            在链路上     192.168.1.104    306
  255.255.255.255  255.255.255.255            在链路上         127.0.0.1    331
  255.255.255.255  255.255.255.255            在链路上     192.168.1.104    306
===========================================================================
永久路由:
  无
 
IPv6 路由表
===========================================================================
活动路由:
 接口跃点数网络目标                网关
  1    331 ::1/128                  在链路上
  3    306 fe80::/64                在链路上
  3    306 fe80::4c55:9fc7:6a52:8900/128
                                    在链路上
  1    331 ff00::/8                 在链路上
  3    306 ff00::/8                 在链路上
===========================================================================
永久路由:
  无
========================= Winsock entries =====================================
 
Catalog5 01 C:\WINDOWS\SysWoW64\napinsp.dll [55808] (Microsoft Corporation)
Catalog5 02 C:\WINDOWS\SysWoW64\pnrpnsp.dll [70656] (Microsoft Corporation)
Catalog5 03 C:\WINDOWS\SysWoW64\pnrpnsp.dll [70656] (Microsoft Corporation)
Catalog5 04 C:\WINDOWS\SysWoW64\NLAapi.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog5 06 C:\WINDOWS\SysWoW64\winrnr.dll [24064] (Microsoft Corporation)
Catalog5 07 C:\WINDOWS\SysWoW64\wshbth.dll [51712] (Microsoft Corporation)
Catalog9 01 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 02 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 03 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 04 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 05 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 06 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 07 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 08 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 09 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 10 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 11 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 12 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 13 C:\WINDOWS\SysWoW64\mswsock.dll [306016] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\napinsp.dll [67584] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\NLAapi.dll [80896] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [31744] (Microsoft Corporation)
x64-Catalog5 07 C:\Windows\System32\wshbth.dll [62976] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 11 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 12 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 13 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
 
========================= Event log errors: ===============================
 
Application errors:
==================
Error: (09/18/2016 09:49:40 PM) (Source: SideBySide) (User: )
Description: 生成“C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.0_none_2d0f50fcbdb171b8.manifest1”的激活上下文失败。在指令清单或策略文件“C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.0_none_2d0f50fcbdb171b8.manifest2”的第 C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.0_none_2d0f50fcbdb171b8.manifest3 行中出现错误。
应用程序所需的组件版本与已处于活动状态的另一个组件版本冲突。
冲突的组件包括:
组件 1: C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.0_none_2d0f50fcbdb171b8.manifest。
组件 2: C:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.0_none_74bc87d3d22d9abe.manifest。
 
Error: (09/18/2016 06:46:42 PM) (Source: SideBySide) (User: )
Description: 生成“C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.0_none_2d0f50fcbdb171b8.manifest1”的激活上下文失败。在指令清单或策略文件“C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.0_none_2d0f50fcbdb171b8.manifest2”的第 C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.0_none_2d0f50fcbdb171b8.manifest3 行中出现错误。
应用程序所需的组件版本与已处于活动状态的另一个组件版本冲突。
冲突的组件包括:
组件 1: C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.0_none_2d0f50fcbdb171b8.manifest。
组件 2: C:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.0_none_74bc87d3d22d9abe.manifest。
 
Error: (09/18/2016 06:10:40 PM) (Source: SideBySide) (User: )
Description: “assemblyIdentity1”的激活上下文生成失败。在指令清单或策略文件“assemblyIdentity2”的第 assemblyIdentity3 行出现错误。
元素“assemblyIdentity”中属性“version”的值“6.0.0.6u9b41”无效。
 
Error: (09/18/2016 06:10:39 PM) (Source: SideBySide) (User: )
Description: “assemblyIdentity1”的激活上下文生成失败。在指令清单或策略文件“assemblyIdentity2”的第 assemblyIdentity3 行出现错误。
元素“assemblyIdentity”中属性“version”的值“6.0.0.6u9b41”无效。
 
Error: (09/18/2016 06:09:20 PM) (Source: SideBySide) (User: )
Description: “UccApi,processorArchitecture="AMD64",type="win32",version="16.0.0.0"1”的激活上下文生成失败。在指令清单或策略文件“UccApi,processorArchitecture="AMD64",type="win32",version="16.0.0.0"2”的第 UccApi,processorArchitecture="AMD64",type="win32",version="16.0.0.0"3 行出现错误。
在指令清单中找到的组件标识与请求组件的标识不匹配。
参考是 UccApi,processorArchitecture="AMD64",type="win32",version="16.0.0.0"。
定义是 UccApi,processorArchitecture="x86",type="win32",version="16.0.0.0"。
请使用 sxstrace.exe 进行详细诊断。
 
Error: (09/18/2016 06:09:19 PM) (Source: SideBySide) (User: )
Description: 生成“C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.0_none_2d0f50fcbdb171b8.manifest1”的激活上下文失败。在指令清单或策略文件“C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.0_none_2d0f50fcbdb171b8.manifest2”的第 C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.0_none_2d0f50fcbdb171b8.manifest3 行中出现错误。
应用程序所需的组件版本与已处于活动状态的另一个组件版本冲突。
冲突的组件包括:
组件 1: C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.0_none_2d0f50fcbdb171b8.manifest。
组件 2: C:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.0_none_74bc87d3d22d9abe.manifest。
 
Error: (09/18/2016 05:23:18 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: 加密服务处理系统写入程序对象中的 OnIdentity() 调用时失败。
 
 
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft 链路层发现协议.
 
System Error:
拒绝访问。
 
Error: (09/18/2016 05:23:14 PM) (Source: VSS) (User: )
Description: 卷影复制服务错误: 查询 IVssWriterCallback 接口时的错误。hr = 0x80070005, 拒绝访问。
此错误通常是由编写器或请求方过程中的错误安全设置造成的。
 
 
操作:
   正在搜集写入程序数据
 
上下文:
   写入程序类 ID: {e8132975-6f93-4464-a53e-1050253ae220}
   写入程序名称: System Writer
   写入程序实例 ID: {cb88fb73-8d3a-47f7-93e0-195616694c5f}
 
Error: (09/18/2016 04:58:16 PM) (Source: SideBySide) (User: )
Description: 生成“C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.0_none_2d0f50fcbdb171b8.manifest1”的激活上下文失败。在指令清单或策略文件“C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.0_none_2d0f50fcbdb171b8.manifest2”的第 C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.0_none_2d0f50fcbdb171b8.manifest3 行中出现错误。
应用程序所需的组件版本与已处于活动状态的另一个组件版本冲突。
冲突的组件包括:
组件 1: C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.0_none_2d0f50fcbdb171b8.manifest。
组件 2: C:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.0_none_74bc87d3d22d9abe.manifest。
 
Error: (09/18/2016 01:43:39 PM) (Source: SideBySide) (User: )
Description: “assemblyIdentity1”的激活上下文生成失败。在指令清单或策略文件“assemblyIdentity2”的第 assemblyIdentity3 行出现错误。
元素“assemblyIdentity”中属性“version”的值“6.0.0.6u9b41”无效。
 
 
System errors:
=============
Error: (09/18/2016 09:49:07 PM) (Source: DCOM) (User: DESKTOP-K31PDH6)
Description: 计算机-默认本地激活{C2F03A33-21F5-47FA-B4BB-156362A2F239}{316CDED5-E4AE-4B15-9113-7055D84DCC97}DESKTOP-K31PDH6djkS-1-5-21-4268989145-4028146873-3326586853-1001LocalHost (使用 LRPC)Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewyS-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742
 
Error: (09/18/2016 09:49:06 PM) (Source: DCOM) (User: DESKTOP-K31PDH6)
Description: 计算机-默认本地激活{C2F03A33-21F5-47FA-B4BB-156362A2F239}{316CDED5-E4AE-4B15-9113-7055D84DCC97}DESKTOP-K31PDH6djkS-1-5-21-4268989145-4028146873-3326586853-1001LocalHost (使用 LRPC)Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewyS-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742
 
Error: (09/18/2016 09:49:06 PM) (Source: DCOM) (User: DESKTOP-K31PDH6)
Description: 计算机-默认本地激活{C2F03A33-21F5-47FA-B4BB-156362A2F239}{316CDED5-E4AE-4B15-9113-7055D84DCC97}DESKTOP-K31PDH6djkS-1-5-21-4268989145-4028146873-3326586853-1001LocalHost (使用 LRPC)Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewyS-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742
 
Error: (09/18/2016 09:49:06 PM) (Source: DCOM) (User: DESKTOP-K31PDH6)
Description: 计算机-默认本地激活{C2F03A33-21F5-47FA-B4BB-156362A2F239}{316CDED5-E4AE-4B15-9113-7055D84DCC97}DESKTOP-K31PDH6djkS-1-5-21-4268989145-4028146873-3326586853-1001LocalHost (使用 LRPC)Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewyS-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742
 
Error: (09/18/2016 09:49:05 PM) (Source: DCOM) (User: DESKTOP-K31PDH6)
Description: 计算机-默认本地激活{C2F03A33-21F5-47FA-B4BB-156362A2F239}{316CDED5-E4AE-4B15-9113-7055D84DCC97}DESKTOP-K31PDH6djkS-1-5-21-4268989145-4028146873-3326586853-1001LocalHost (使用 LRPC)Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewyS-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742
 
Error: (09/18/2016 09:49:05 PM) (Source: DCOM) (User: DESKTOP-K31PDH6)
Description: 计算机-默认本地激活{C2F03A33-21F5-47FA-B4BB-156362A2F239}{316CDED5-E4AE-4B15-9113-7055D84DCC97}DESKTOP-K31PDH6djkS-1-5-21-4268989145-4028146873-3326586853-1001LocalHost (使用 LRPC)Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewyS-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742
 
Error: (09/18/2016 09:49:05 PM) (Source: DCOM) (User: DESKTOP-K31PDH6)
Description: 计算机-默认本地激活{C2F03A33-21F5-47FA-B4BB-156362A2F239}{316CDED5-E4AE-4B15-9113-7055D84DCC97}DESKTOP-K31PDH6djkS-1-5-21-4268989145-4028146873-3326586853-1001LocalHost (使用 LRPC)Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewyS-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742
 
Error: (09/18/2016 09:48:10 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: 应用程序-特定本地激活{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}{F72671A9-012C-4725-9D2F-2A4D32D65169}NT AUTHORITYSYSTEMS-1-5-18LocalHost (使用 LRPC)不可用不可用
 
Error: (09/18/2016 09:46:40 PM) (Source: Service Control Manager) (User: )
Description: 由于下列错误,XLServicePlatform 服务启动失败: 
%%1053 = 服务没有及时响应启动或控制请求。
 
 
Error: (09/18/2016 09:46:40 PM) (Source: Service Control Manager) (User: )
Description: 等待 XLServicePlatform 服务的连接超时(30000 毫秒)。
 
 
Microsoft Office Sessions:
=========================
Error: (09/18/2016 09:49:40 PM) (Source: SideBySide)(User: )
Description: C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.0_none_2d0f50fcbdb171b8.manifestC:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.0_none_74bc87d3d22d9abe.manifestC:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\Acrobat.exe
 
Error: (09/18/2016 06:46:42 PM) (Source: SideBySide)(User: )
Description: C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.0_none_2d0f50fcbdb171b8.manifestC:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.0_none_74bc87d3d22d9abe.manifestC:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\Acrobat.exe
 
Error: (09/18/2016 06:10:40 PM) (Source: SideBySide)(User: )
Description: assemblyIdentityversion6.0.0.6u9b41C:\Program Files (x86)\IBM\SPSS\Statistics\19\JRE\bin\unpack200.exeC:\Program Files (x86)\IBM\SPSS\Statistics\19\JRE\bin\unpack200.exe19
 
Error: (09/18/2016 06:10:39 PM) (Source: SideBySide)(User: )
Description: assemblyIdentityversion6.0.0.6u9b41C:\Program Files (x86)\IBM\SPSS\Statistics\19\JRE\bin\unpack.dllC:\Program Files (x86)\IBM\SPSS\Statistics\19\JRE\bin\unpack.dll19
 
Error: (09/18/2016 06:09:20 PM) (Source: SideBySide)(User: )
Description: UccApi,processorArchitecture="AMD64",type="win32",version="16.0.0.0"UccApi,processorArchitecture="x86",type="win32",version="16.0.0.0"C:\Program Files (x86)\Microsoft Office\Office16\lync.exe.ManifestC:\Program Files (x86)\Microsoft Office\Office16\UccApi.DLL1
 
Error: (09/18/2016 06:09:19 PM) (Source: SideBySide)(User: )
Description: C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.0_none_2d0f50fcbdb171b8.manifestC:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.0_none_74bc87d3d22d9abe.manifestC:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\Acrobat.exe
 
Error: (09/18/2016 05:23:18 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description: 
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft 链路层发现协议.
 
System Error:
拒绝访问。
 
Error: (09/18/2016 05:23:14 PM) (Source: VSS)(User: )
Description: 0x80070005, 拒绝访问。
 
 
操作:
   正在搜集写入程序数据
 
上下文:
   写入程序类 ID: {e8132975-6f93-4464-a53e-1050253ae220}
   写入程序名称: System Writer
   写入程序实例 ID: {cb88fb73-8d3a-47f7-93e0-195616694c5f}
 
Error: (09/18/2016 04:58:16 PM) (Source: SideBySide)(User: )
Description: C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.0_none_2d0f50fcbdb171b8.manifestC:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.0_none_74bc87d3d22d9abe.manifestC:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\Acrobat.exe
 
Error: (09/18/2016 01:43:39 PM) (Source: SideBySide)(User: )
Description: assemblyIdentityversion6.0.0.6u9b41C:\Program Files (x86)\IBM\SPSS\Statistics\19\JRE\bin\unpack200.exeC:\Program Files (x86)\IBM\SPSS\Statistics\19\JRE\bin\unpack200.exe19
 
 
CodeIntegrity Errors:
===================================
  Date: 2016-08-10 20:47:58.571
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\SysWOW64\usermgrcli.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-08-10 20:47:46.678
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\SysWOW64\usermgrcli.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-08-06 23:34:13.244
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\SysWOW64\usermgrcli.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-08-06 23:34:00.525
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\SysWOW64\usermgrcli.dll because the set of per-page image hashes could not be found on the system.
 
 
=========================== Installed Programs ============================
 
ACA & MEP 2016 Object Enabler (HKLM\...\{5783F2D7-F004-0000-5102-0060B0CE6BBA}) (Version: 7.8.41.0 - Autodesk) Hidden
ACAD Private (HKLM\...\{5783F2D7-F001-0000-3102-0060B0CE6BBA}) (Version: 20.1.49.0 - Autodesk) Hidden
Adobe Acrobat DC (HKLM-x32\...\{AC76BA86-1033-FFFF-7760-0C0F074E4100}) (Version: 15.007.20033 - Adobe Systems Incorporated)
Adobe Flash Player 22 PPAPI (HKLM-x32\...\Adobe Flash Player PPAPI) (Version: 22.0.0.209 - Adobe Systems Incorporated)
Adobe Photoshop CS6 (HKLM-x32\...\{74EB3499-8B95-4B5C-96EB-7B342F3FD0C6}) (Version: 13.0 - Adobe Systems Incorporated)
Aurora (HKLM-x32\...\Aurora) (Version:  - )
AutoCAD 2016 - 简体中文 (Simplified Chinese) (HKLM\...\{5783F2D7-F001-0804-2102-0060B0CE6BBA}) (Version: 20.1.49.0 - Autodesk) Hidden
AutoCAD 2016 (HKLM\...\{5783F2D7-F001-0000-0102-0060B0CE6BBA}) (Version: 20.1.49.0 - Autodesk) Hidden
AutoCAD 2016 Language Pack - 简体中文 (Simplified Chinese) (HKLM\...\{5783F2D7-F001-0804-1102-0060B0CE6BBA}) (Version: 20.1.49.0 - Autodesk) Hidden
Autodesk Advanced Material Library Image Library 2016 (HKLM-x32\...\{94AD53E7-493B-4291-8714-7A3B761D2783}) (Version: 6.3.0.15 - Autodesk)
Autodesk App Manager 2016 (HKLM-x32\...\{4ECF9E00-2978-46AF-BD80-455EFEAB7A93}) (Version: 2.0.0 - Autodesk)
Autodesk Application Manager (HKLM-x32\...\Autodesk Application Manager) (Version: 5.0.142.14 - Autodesk)
Autodesk AutoCAD 2016 - 简体中文 (Simplified Chinese) (HKLM\...\AutoCAD 2016 - 简体中文 (Simplified Chinese)) (Version: 20.1.49.0 - Autodesk)
Autodesk AutoCAD Performance Feedback Tool 1.2.4 (HKLM-x32\...\{4E20873D-BC20-495C-AFD9-B18877B7F9BB}) (Version: 1.2.4.0 - Autodesk)
Autodesk BIM 360 Glue AutoCAD 2016 Add-in 64 bit (HKLM\...\{4BEE127E-95C4-434D-ABAC-65155192BB24}) (Version: 4.35.1742 - Autodesk)
Autodesk Content Service (HKLM\...\{A37CDB58-AAE8-0000-8C13-E0F7BACB0D5F}) (Version: 3.2.0.0 - Autodesk) Hidden
Autodesk Content Service (HKLM\...\Autodesk Content Service) (Version: 3.2.0.0 - Autodesk)
Autodesk Content Service Language Pack (HKLM\...\{A37CDB58-AAE8-0001-8C13-E0F7BACB0D5F}) (Version: 3.2.0.0 - Autodesk) Hidden
Autodesk Material Library 2016 (HKLM-x32\...\{29A7D6EC-63C2-42FD-8143-5812ABD2923F}) (Version: 6.3.0.15 - Autodesk)
Autodesk Material Library Base Resolution Image Library 2016 (HKLM-x32\...\{6B4CFC6E-ECB0-47FE-95D3-65C680ED0687}) (Version: 6.3.0.15 - Autodesk)
Autodesk 精选应用 2016 (HKLM-x32\...\{D42F37CD-9AF9-4435-A474-B387C5BB6B47}) (Version: 2.0.0 - Autodesk)
Avira Antivirus (HKLM-x32\...\Avira Antivirus) (Version: 15.0.20.59 - Avira Operations GmbH & Co. KG)
Avira Launcher (HKLM-x32\...\{82dc2ab6-088f-4e0a-8e27-bb829481d3bc}) (Version: 1.2.70.16079 - Avira Operations GmbH & Co. KG)
Avira Launcher (HKLM-x32\...\{8CC8333A-AC85-4E68-88BB-4E3452CE4981}) (Version: 1.2.70.16079 - Avira Operations GmbH & Co. KG) Hidden
Avira Phantom VPN (HKLM-x32\...\Avira Phantom VPN) (Version: 1.5.2.25975 - Avira Operations GmbH & Co. KG)
Avira Scout (HKCU\...\Avira Scout) (Version: 16.7.2743.1275 - Avira Operations GmbH & Co. KG)
Avira Software Updater (HKLM-x32\...\{F2396C9D-4724-4BB9-87A0-A137C4C69524}) (Version: 1.2.3.14696 - Avira Operations GmbH & Co. KG)
Avira System Speedup (HKLM-x32\...\Avira System Speedup_is1) (Version: 2.6.5.2921 - Avira Operations GmbH & Co. KG)
Battle.net (HKLM-x32\...\Battle.net) (Version:  - Blizzard Entertainment)
CS反恐精英 (HKLM-x32\...\CS反恐精英) (Version:  - )
Dolby Audio X2 Windows API SDK (HKLM\...\{6A478BF2-F67F-4ABC-A7F1-B6B5BA862371}) (Version: 0.6.3.44 - Dolby Laboratories, Inc.)
Dolby Audio X2 Windows APP (HKLM\...\{7DA57EF8-9D20-4126-AF15-D0CC97D0C017}) (Version: 0.6.3.48 - Dolby Laboratories, Inc.)
FARO LS 1.1.502.0 (64bit) (HKLM-x32\...\{66D83FE0-D798-4B38-86FE-FB48151E5AEF}) (Version: 5.2.0.35213 - FARO Scanner Production)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 53.0.2785.116 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.31.5 - Google Inc.) Hidden
HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.14.276 - SurfRight B.V.)
IBM SPSS Statistics 19 (HKLM-x32\...\{06C43FAA-7226-41EF-A05E-9AE0AA849FFE}) (Version: 19.0.0 - SPSS Inc., an IBM Company)
Integrated Camera (HKLM-x32\...\{E399A5B3-ED53-4DEA-AF04-8011E1EB1EAC}) (Version: 10.0.10240.11135 - Realtek Semiconductor Corp.)
Intel® Management Engine Components (HKLM\...\{1CEAC85D-2590-4760-800F-8DE5E91F3700}) (Version: 11.0.5.1192 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 20.19.15.4416 - Intel Corporation)
Intel® WiDi (HKLM\...\{C7CD6D54-26AF-4D93-B06F-D81ACE8624CB}) (Version: 6.0.40.0 - Intel Corporation)
Intel® Security Assist (HKLM-x32\...\{B294CE94-FE0F-4427-910C-180AF9FCFED1}) (Version: 1.0.1.620 - Intel Corporation)
Java 8 Update 101 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F64180101F0}) (Version: 8.0.1010.13 - Oracle Corporation)
Java SE Development Kit 8 Update 91 (64-bit) (HKLM\...\{64A3A4F4-B792-11D6-A78A-00B0D0180910}) (Version: 8.0.910.14 - Oracle Corporation)
Lantern (HKCU\...\Lantern) (Version: 3.1.4 - Brave New Software Project, Inc.)
Lenovo Active Protection System (HKLM\...\{46A84694-59EC-48F0-964C-7E76E9F8A2ED}) (Version: 1.81.00.09 - Lenovo)
Lenovo Auto Scroll Utility (HKLM\...\LenovoAutoScrollUtility) (Version: 2.20 - Lenovo)
Lenovo Mouse Suite (HKLM\...\MouseSuite98) (Version: 6.80 - Lenovo)
Lenovo On Screen Display (HKLM\...\OnScreenDisplay) (Version: 8.80.10 - Lenovo)
Lenovo Power Management Driver (HKLM\...\Power Management Driver) (Version: 1.67.11.08 - Lenovo)
Lenovo QuickOptimizer (HKLM\...\{8D2C871B-1B9F-45AC-9C43-2BB18089CDFA}) (Version: 1.0.022.00 - Lenovo)
Lenovo Solution Center (HKLM\...\{C1FC707B-AE6B-4DC4-89A5-6628A01F8103}) (Version: 3.3.003.00 - Lenovo)
Lenovo System Interface Foundation (HKLM\...\{C2E5CA37-C862-4A69-AC6D-24F450A20C16}) (Version: 1.0.066.00 - Lenovo)
Lenovo System Update (HKLM-x32\...\{25C64847-B900-48AD-A164-1B4F9B774650}) (Version: 5.07.0029 - Lenovo)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Mathematica Extras 9.0 (4108024) (HKLM\...\A-WIN-Extras 9.0.1 4108024_is1) (Version: 9.0.1 - Wolfram Research, Inc.)
MathType 6 (HKLM-x32\...\DSMT6) (Version: 6.9 - Design Science, Inc.)
MATLAB R2016a (HKLM\...\Matlab R2016a) (Version: 9.0 - MathWorks)
Metric Collection SDK (HKLM-x32\...\{DDAA788F-52E6-44EA-ADB8-92837B11BF26}) (Version: 1.1.0008.00 - Lenovo Group Limited) Hidden
Microsoft Office 专业增强版 2016  (HKLM-x32\...\Office16.PROPLUS) (Version: 16.0.4266.1001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.23026 (HKLM-x32\...\{e46eca4f-393b-40df-9f49-076faf788d83}) (Version: 14.0.23026.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.23026 (HKLM-x32\...\{74d0e5db-b326-4dae-a6b2-445b9de1836e}) (Version: 14.0.23026.0 - Microsoft Corporation)
NVIDIA GeForce Experience 2.8.1.21 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 2.8.1.21 - NVIDIA Corporation)
NVIDIA PhysX 系统软件 9.15.0428 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.15.0428 - NVIDIA Corporation)
NVIDIA 图形驱动程序 359.23 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 359.23 - NVIDIA Corporation)
QQ International (HKLM-x32\...\{3CA54984-A14B-42FE-9FF1-7EA90151D725}) (Version: 1.91.1369.0 - Tencent Technology(Shenzhen) Company Limited)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7746 - Realtek Semiconductor Corp.)
SHIELD Streaming (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_GFExperience.NvStreamSrv) (Version: 4.1.0250 - NVIDIA Corporation) Hidden
SHIELD Wireless Controller Driver (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_ShieldWirelessController) (Version: 2.8.1.21 - NVIDIA Corporation) Hidden
SketchUp 输入 2016 (HKLM-x32\...\{C769FB7C-1F55-4B31-9A2A-21CEC50F4F92}) (Version: 2.0.0 - Autodesk)
Skype™ 7.26 (HKLM-x32\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.26.101 - Skype Technologies S.A.)
Starcraft (HKLM-x32\...\Starcraft) (Version:  - )
SumatraPDF (HKLM-x32\...\SumatraPDF) (Version: 3.1.1 - Krzysztof Kowalczyk)
Synaptics WBF Fingerprint Reader Drivers (HKLM\...\{3EAF1BE2-2B6B-4A18-BCDD-E7FC39883570}) (Version: 5.1.311.26 - Synaptics Incorporated)
Tencent QQMail Plugin (HKLM-x32\...\QQMailPlugin) (Version:  - )
TeX Live 2015 (HKCU\...\TeXLive2015) (Version: 2015 - )
ThinkPad Settings Dependency (HKLM\...\{08515684-CE49-47EF-B509-326A2E91BC5C}_is1) (Version: 3.0.1.29 - Lenovo)
Thinkpad USB Ethernet Adapter Driver (HKLM-x32\...\{D8102684-7BA1-4948-88B9-535F84E6E588}) (Version: 10.1.506.2015 - Lenovo)
Windows 驱动程序包 - Synaptics Incorporated (WUDFRd) Biometric  (11/25/2015 5.0.87.06) (HKLM\...\F8B4040AC2D2A99F0A0D6180E212825041A851D9) (Version: 11/25/2015 5.0.87.06 - Synaptics Incorporated)
WinRAR 5.40 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.40.0 - win.rar GmbH)
Wolfram Mathematica 9 (M-WIN-LC 9.0.1 4108350) (HKLM\...\M-WIN-LC 9.0.1 4108350_is1) (Version: 9.0.1 - Wolfram Research, Inc.)
百度云管家 (HKLM-x32\...\百度云管家) (Version: 5.4.5 - 百度在线网络技术(北京)有限公司)
联想驱动管理 (HKLM-x32\...\Lenovo Drivers Management) (Version: 2016.2.22.1025 - 联想(北京)有限公司)
星际争霸II (HKLM-x32\...\StarCraft II) (Version:  - Blizzard Entertainment)
英特尔® 无线 Bluetooth® (HKLM-x32\...\{96677A0F-0F07-4DAD-9458-4D259BD39053}) (Version: 18.1.1546.2762 - Intel Corporation)
英特尔® PROSet/无线软件 (HKLM-x32\...\{98056bc1-85a0-40e7-bb2b-995cefa1292f}) (Version: 18.40.2 - Intel Corporation)
英特尔® 芯片组设备软件 (HKLM-x32\...\{c7f54569-0018-439c-809a-48046a4d4ebc}) (Version: 10.1.1.9 - Intel® Corporation) Hidden
 
========================= Devices: ================================
 
 
========================= Memory info: ===================================
 
Percentage of memory in use: 19%
Total physical RAM: 20345.08 MB
Available physical RAM: 16468.64 MB
Total Virtual: 23417.08 MB
Available Virtual: 19118.05 MB
 
========================= Partitions: =====================================
 
1 Drive c: (Windows) (Fixed) (Total:237.23 GB) (Free:153.61 GB) NTFS
2 Drive d: () (Fixed) (Total:265.75 GB) (Free:216.96 GB) NTFS
3 Drive e: (本地磁盘) (Fixed) (Total:200.01 GB) (Free:172.03 GB) NTFS
 
========================= Users: ========================================
 
\\DESKTOP-K31PDH6 的用户帐户
 
Administrator            DefaultAccount           djk                      
Guest                    
命令成功完成。
 
========================= Minidump Files ==================================
 
C:\WINDOWS\Minidump\081116-9218-01.dmp
========================= Restore Points ==================================
 
13-09-2016 11:00:52 Avira System Speedup 2.6.5
18-09-2016 09:23:17 Checkpoint by HitmanPro
 
**** End of log ****


#5 Junkai-Dong

Posted 18 September 2016 - 09:02 AM

I need to go to bed now. If you need any translation, please post it and I will translate it into English. Thank you very much, Jo.

I will see if Chrome still opens navsmart.info tomorrow. If it still does, I will report back. So far it has worked OK since the last restart.



#6 Junkai-Dong

Posted 18 September 2016 - 09:05 AM

Oh no. It started again when I closed Chrome and opened it again.



#7 Junkai-Dong

Posted 18 September 2016 - 09:08 AM

Also, I use a proxy called Lantern. Maybe it just was not working at the time the program was pinging Yahoo and Google, because I can search normally on Google now.



#8 Jo*

Posted 18 September 2016 - 09:18 AM

Also, I use a proxy called Lantern. Maybe it just was not working at the time the program was pinging Yahoo and Google, because I can search normally on Google now.

Which of these values are related to your lantern proxy?

ProxyServer: [S-1-5-21-4268989145-4028146873-3326586853-1001] => 127.0.0.1:1081
AutoConfigURL: [S-1-5-21-4268989145-4028146873-3326586853-1001] => hxxp://127.0.0.1:16823/proxy_on.pac?1474197364695763200
ManualProxies: 0hxxp://127.0.0.1:16823/proxy_on.pac?1474197364695763200

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#9 Junkai-Dong

Posted 18 September 2016 - 09:28 AM

These values all belong to lantern.



#10 Jo*

Posted 18 September 2016 - 10:07 AM

Hello,
 

***


Copy FRST / FRST64.exe to your desktop!

Log on to all your user accounts now - without restarting!

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
Save it in the same location as FRST / FRST64 (usually your desktop) as fixlist.txt




Start
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Run: [] => [X]
GroupPolicy: Restriction - Chrome <======= ATTENTION
SearchScopes: HKLM -> DefaultScope {CED89A59-AEC6-4FEC-A258-A008BC78CDBF} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKLM -> {CED89A59-AEC6-4FEC-A258-A008BC78CDBF} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKLM-x32 -> DefaultScope {CED89A59-AEC6-4FEC-A258-A008BC78CDBF} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKLM-x32 -> {CED89A59-AEC6-4FEC-A258-A008BC78CDBF} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKU\S-1-5-21-4268989145-4028146873-3326586853-1001 -> DefaultScope {64AF4D11-6492-4C25-B014-B6C6CEE3B0C5} URL = hxxps://www.baidu.com/s?tn=80035161_2_dg&wd={searchTerms}
SearchScopes: HKU\S-1-5-21-4268989145-4028146873-3326586853-1001 -> {64AF4D11-6492-4C25-B014-B6C6CEE3B0C5} URL = hxxps://www.baidu.com/s?tn=80035161_2_dg&wd={searchTerms}
SearchScopes: HKU\S-1-5-21-4268989145-4028146873-3326586853-1001 -> {B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2} URL = hxxps://www.baidu.com/s?wd={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&abar=2&tn=79081068_oem_dg&ch=33
CHR DefaultSearchURL: Default -> hxxps://search.avira.net/#web/result?source=omnibar&q={searchTerms}
CHR DefaultSuggestURL: Default -> hxxps://search.avira.net/suggestions?q={searchTerms}&li=ff&hl=en
ShortcutWithArgument: C:\Users\DJL\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\DJL\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://navsmart.info
ShortcutWithArgument: C:\Users\DJL\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\DJL\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://navsmart.info
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\DJL\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://navsmart.info
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\DJL\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://navsmart.info
EmptyTemp:
End

NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system


Run FRST / FRST64 again as Administrator like we did before, but this time press the Fix button just once and wait.
The tool will make a log (Fixlog.txt); please post it in your reply.

---

Download and run Chrome Software Cleaner

---

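The fixlist above removes the shortcut arguments that kept relaunching the hijack: every Chrome .lnk had been given `--load-extension="…"` pointing at an unpacked extension under the user's AppData plus a trailing navsmart.info URL, so Chrome sideloaded the extension and opened the hijacker's page at every start. The checker below is an added example (not Jo's script, not part of FRST) that scans FRST-style `ShortcutWithArgument:` lines for exactly this pattern: browser shortcuts whose arguments contain an extension-sideloading switch, a proxy switch, or a forced start URL. The sample log lines, the user name EXAMPLE, the extension id and the `hijack.example.invalid` domain are all constructed for the example; the switch names are real Chromium command-line switches.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in FRST's "ShortcutWithArgument:" format.
# Paths, user name, extension id and domain are made up for this example.
SAMPLE_LINES = r"""
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\EXAMPLE\AppData\Local\abcdefghijklmnopabcdefghijklmnop" hxxp://hijack.example.invalid
ShortcutWithArgument: C:\Users\EXAMPLE\Desktop\Chrome Work.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory="Profile 1"
ShortcutWithArgument: C:\Users\EXAMPLE\Desktop\Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://hijack.example.invalid/start
ShortcutWithArgument: C:\Users\EXAMPLE\Desktop\Notepad++.lnk -> C:\Program Files\Notepad++\notepad++.exe (Notepad++ Team) -> -multiInst
"""

# "ShortcutWithArgument: <lnk> -> <target exe (publisher)> -> <arguments>"
LINE_RE = re.compile(
    r"^ShortcutWithArgument:\s*(?P<lnk>.+?\.lnk)\s*->\s*(?P<target>.+?)\s*->\s*(?P<args>.+)$"
)
# Split the argument string into tokens, keeping quoted values intact.
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')
# FRST defangs URLs as hxxp:// ; real shortcuts carry http://.
URL_RE = re.compile(r"^(?:hxxps?|https?)://", re.IGNORECASE)

# Chromium switches that sideload extensions or redirect traffic; none of them
# belongs on a shortcut a user created for normal browsing.
SUSPICIOUS_SWITCHES = {
    "--load-extension",
    "--disable-extensions-except",
    "--proxy-server",
    "--proxy-pac-url",
}
BROWSERS = ("chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe", "opera.exe")


@dataclass
class Finding:
    lnk: str
    target: str
    reasons: List[str]


def _executable_name(target: str) -> str:
    """Strip FRST's trailing ' (Publisher)' and return the bare file name."""
    path = target.rsplit(" (", 1)[0]
    return path.rsplit("\\", 1)[-1].lower()


def analyze_line(line: str) -> Optional[Finding]:
    """Return a Finding when a browser shortcut carries hijack-style arguments."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    target = m.group("target")
    if _executable_name(target) not in BROWSERS:
        return None  # only browser launchers are in scope here
    reasons: List[str] = []
    for token in TOKEN_RE.findall(m.group("args")):
        switch, _, value = token.partition("=")
        if switch.lower() in SUSPICIOUS_SWITCHES:
            clean = value.strip('"')
            reasons.append(f"{switch} {clean}")
        elif URL_RE.match(token):
            reasons.append(f"forced start URL {token}")
    return Finding(m.group("lnk"), target, reasons) if reasons else None


def analyze_log(text: str) -> List[Finding]:
    """Run analyze_line over every line of an FRST log excerpt."""
    findings = []
    for line in text.splitlines():
        f = analyze_line(line)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LINES):
        print(f.lnk)
        for r in f.reasons:
            print("   ", r)
```

Only the two shortcuts that sideload an extension or force a start page are reported; a legitimate `--profile-directory` argument and a non-browser shortcut are ignored. Feed it a real FRST.txt and every flagged .lnk is a candidate for the same `ShortcutWithArgument:` fixlist entry Jo used above.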


#11 Junkai-Dong

Posted 18 September 2016 - 07:01 PM

Both ran. Chrome Cleaner found nothing.

 

Here is fixlog.txt.

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 18-09-2016
Ran by djk (19-09-2016 07:52:51) Run:2
Running from C:\Users\DJL\Desktop\Terminate NAV!
Loaded Profiles: djk (Available Profiles: djk)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Run: [] => [X]
GroupPolicy: Restriction - Chrome <======= ATTENTION
SearchScopes: HKLM -> DefaultScope {CED89A59-AEC6-4FEC-A258-A008BC78CDBF} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKLM -> {CED89A59-AEC6-4FEC-A258-A008BC78CDBF} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKLM-x32 -> DefaultScope {CED89A59-AEC6-4FEC-A258-A008BC78CDBF} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKLM-x32 -> {CED89A59-AEC6-4FEC-A258-A008BC78CDBF} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKU\S-1-5-21-4268989145-4028146873-3326586853-1001 -> DefaultScope {64AF4D11-6492-4C25-B014-B6C6CEE3B0C5} URL = hxxps://www.baidu.com/s?tn=80035161_2_dg&wd={searchTerms}
SearchScopes: HKU\S-1-5-21-4268989145-4028146873-3326586853-1001 -> {64AF4D11-6492-4C25-B014-B6C6CEE3B0C5} URL = hxxps://www.baidu.com/s?tn=80035161_2_dg&wd={searchTerms}
SearchScopes: HKU\S-1-5-21-4268989145-4028146873-3326586853-1001 -> {B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2} URL = hxxps://www.baidu.com/s?wd={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&abar=2&tn=79081068_oem_dg&ch=33
CHR DefaultSearchURL: Default -> hxxps://search.avira.net/#web/result?source=omnibar&q={searchTerms}
CHR DefaultSuggestURL: Default -> hxxps://search.avira.net/suggestions?q={searchTerms}&li=ff&hl=en
ShortcutWithArgument: C:\Users\DJL\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\DJL\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://navsmart.info
ShortcutWithArgument: C:\Users\DJL\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\DJL\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://navsmart.info
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\DJL\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://navsmart.info
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\DJL\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://navsmart.info
EmptyTemp:
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CED89A59-AEC6-4FEC-A258-A008BC78CDBF}" => key removed successfully
HKCR\CLSID\{CED89A59-AEC6-4FEC-A258-A008BC78CDBF} => key not found. 
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{CED89A59-AEC6-4FEC-A258-A008BC78CDBF}" => key removed successfully
HKCR\Wow6432Node\CLSID\{CED89A59-AEC6-4FEC-A258-A008BC78CDBF} => key not found. 
HKU\S-1-5-21-4268989145-4028146873-3326586853-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
"HKU\S-1-5-21-4268989145-4028146873-3326586853-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{64AF4D11-6492-4C25-B014-B6C6CEE3B0C5}" => key removed successfully
HKCR\CLSID\{64AF4D11-6492-4C25-B014-B6C6CEE3B0C5} => key not found. 
"HKU\S-1-5-21-4268989145-4028146873-3326586853-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}" => key removed successfully
HKCR\CLSID\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2} => key not found. 
Chrome DefaultSearchURL => removed successfully
Chrome DefaultSuggestURL => removed successfully
C:\Users\DJL\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk => Shortcut argument removed successfully.
C:\Users\DJL\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk => Shortcut argument removed successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk => Shortcut argument removed successfully.
C:\Users\Public\Desktop\Google Chrome.lnk => Shortcut argument removed successfully.
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 76697 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 46505839 B
Java, Flash, Steam htmlcache => 98002 B
Windows/system/drivers => 12427547 B
Edge => 367020630 B
Chrome => 10434795 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 100460 B
NetworkService => 0 B
DJL => 284443422 B
 
RecycleBin => 8961876 B
EmptyTemp: => 696.2 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 07:54:11 ====


#12 Junkai-Dong

Posted 18 September 2016 - 07:04 PM

Bad news: I cannot run Chrome now.



#13 Junkai-Dong

Posted 18 September 2016 - 08:17 PM

Update: I had to restart because when I came back from breakfast I found that I could not log in. After I entered my passcode and pressed Enter, it could not display the normal desktop.

 

However, after the restart, Chrome was OK.



#14 Junkai-Dong

Posted 18 September 2016 - 08:18 PM

Are there any more checks I should do to make sure that my computer is safe?



#15 Jo*

Posted 19 September 2016 - 02:54 AM

Hello,

Step 1: Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 5 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7/8/10 users need to right click and choose Run as Administrator
You only need to get one of them to run, not all of them. Do not reboot your computer after running rkill, as the malware programs will start again.


---


Step 2: Malwarebytes' Anti-Malware
If this program is already installed: Skip the installation and run only the scan!
Download and install: Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
How to get logs: (Export log to save as txt)
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Export'.
  • Click 'Text file (*.txt)'
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named 'File Saved' should appear stating "Your file has been successfully exported".
  • Click Ok
  • Attach that saved log to your next reply.
(Copy to clipboard for pasting into forum replies or tickets)
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

---


:step3: Please download Junkware Removal Tool from HERE and save it to your desktop.
Shutdown your antivirus to avoid any potential conflicts.
Double click JRT.exe to run the tool.
Vista / Windows 7/8/10 users right-click and select Run As Administrator.
  • JRT will begin to backup your registry and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, the log JRT.txt is saved on your desktop and will automatically open.
Enable your antivirus!
Post the contents of JRT.txt into your next reply.


***


:step4: How is the computer running now?

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.




