Remove CBL blacklist pc1 Requested by, and for Oh My!


This topic is locked
13 replies to this topic

#1 m618


Posted 18 October 2016 - 02:47 AM

Dear Gary,

This topic is for pc1.

FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 16-10-2016
Ran by liao (administrator) on 601-PC (18-10-2016 13:32:02)
Running from C:\Users\liao\Desktop
Loaded Profiles: 601 & liao (Available Profiles: 601 & liao)
Platform: Microsoft Windows 7 專業版  Service Pack 1 (X86) Language: 中文 (繁體台灣)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\sched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avguard.exe
(Kaspersky Lab ZAO) C:\Program Files\Kaspersky Lab\Kaspersky Small Office Security 15.0.2\avp.exe
(Symantec Corporation) C:\Program Files\Symantec\pcAnywhere\awhost32.exe
(Symantec Corporation) C:\Program Files\Symantec\pcAnywhere\awhprobe.exe
() D:\SmartERP\DSCPatchAgent.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
(Kaspersky Lab ZAO) C:\Program Files\Kaspersky Lab\Kaspersky Small Office Security 15.0.2\avpui.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
(Adobe Systems Inc.) C:\Program Files\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
(Ulead Systems, Inc.) C:\Program Files\Common Files\Ulead Systems\AutoDetector\Monitor.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
(Intel Corporation) C:\Program Files\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(DesktopCal, Inc.) C:\Users\liao\AppData\Roaming\DesktopCal\desktopcal.exe
(© 2015 Microsoft Corporation) C:\Users\liao\AppData\Local\Microsoft\BingSvc\BingSvc.exe
(Skype Technologies S.A.) C:\Program Files\Skype\Phone\Skype.exe
(Borland Software Corporation) D:\SmartERP\s_dsbin\scktsrvr.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Launcher\Avira.Systray.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Program Files\Windows Live\Mail\wlmail.exe
(Microsoft Corporation) C:\Program Files\Windows Live\Contacts\wlcomm.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Data Systems Consulting Co., Ltd.) D:\SmartERP\c_dsbin\MainMenu.exe
(Data Systems Consulting Co., Ltd.) D:\SmartERP\c_dsbin\LeaderWorkCenter.exe
() D:\SmartERP\s_dsbin\LeaderWorkCenterS.exe
(Data Systems Consulting Co., Ltd.) D:\SmartERP\s_dsbin\ValidatorS.exe
(Data Systems Consulting Co., Ltd.) D:\SmartERP\s_dsbin\VarManagerS.exe
(Data Systems Consulting Co., Ltd.) D:\SmartERP\s_dsbin\CopIS01S.exe
(Data Systems Consulting Co., Ltd.) D:\SmartERP\s_dsbin\CounterS.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Farbar) C:\Users\liao\Desktop\frstenglish.exe.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [avgnt] => C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [917584 2016-10-11] (Avira Operations GmbH & Co. KG)
HKLM\...\Run: [] => [X]
HKLM\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe [41360 2015-09-24] (Adobe Systems Incorporated)
HKLM\...\Run: [Acrobat Assistant 8.0] => C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe [840592 2015-09-24] (Adobe Systems Inc.)
HKLM\...\Run: [Ulead AutoDetector v2] => C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe [95504 2007-08-02] (Ulead Systems, Inc.)
HKLM\...\Run: [GrooveMonitor] => C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM\...\Run: [Avira SystrayStartTrigger] => C:\Program Files\Avira\Launcher\Avira.SystrayStartTrigger.exe [60136 2016-08-24] (Avira Operations GmbH & Co. KG)
HKLM\...\Run: [NvBackend] => C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe [1804616 2015-09-18] (NVIDIA Corporation)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [10996368 2012-06-11] (Realtek Semiconductor)
HKLM\...\Run: [USB3MON] => C:\Program Files\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-03-27] (Intel Corporation)
Winlogon\Notify\PCANotify: C:\Windows\system32\PCANotify.dll [2007-04-27] (Symantec Corporation)
Winlogon\Notify\ScCertProp: wlnotify.dll [X]
HKU\S-1-5-21-1647030546-948482808-2970852980-1000\...\Run: [Lingoes] => C:\Program Files\Lingoes\Translator2\Lingoes.exe [2682880 2014-08-16] (Lingoes Project)
HKU\S-1-5-21-1647030546-948482808-2970852980-1000\...\Run: [Skype] => C:\Program Files\Skype\Phone\Skype.exe [29642368 2016-09-12] (Skype Technologies S.A.)
HKU\S-1-5-21-1647030546-948482808-2970852980-1000\...\MountPoints2: {8c899cf1-7858-11e5-a101-8631a9662098} - D:\Run.exe
HKU\S-1-5-21-1647030546-948482808-2970852980-1000\...\MountPoints2: {d0e8ac3f-787b-11e5-a875-806e6f6e6963} - E:\Run.exe
HKU\S-1-5-21-793592983-989196123-2685349833-1121\...\Run: [GoogleChromeAutoLaunch_C1B0586B1FD1D0A0F3068F3614D083CF] => C:\Program Files\Google\Chrome\Application\chrome.exe [966760 2016-09-25] (Google Inc.)
HKU\S-1-5-21-793592983-989196123-2685349833-1121\...\Run: [DesktopCal] => C:\Users\liao\AppData\Roaming\DesktopCal\desktopcal.exe [282624 2015-04-14] (DesktopCal, Inc.)
HKU\S-1-5-21-793592983-989196123-2685349833-1121\...\Run: [BingSvc] => C:\Users\liao\AppData\Local\Microsoft\BingSvc\BingSvc.exe [144008 2016-03-04] (© 2015 Microsoft Corporation)
HKU\S-1-5-21-793592983-989196123-2685349833-1121\...\Run: [Skype] => C:\Program Files\Skype\Phone\Skype.exe [29642368 2016-09-12] (Skype Technologies S.A.)
HKU\S-1-5-21-793592983-989196123-2685349833-1121\...\MountPoints2: {9e049440-c5a5-11e5-bafc-94de80727912} - F:\Setup.exe
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Borland Socket Server.lnk [2015-10-22]
ShortcutTarget: Borland Socket Server.lnk -> D:\SmartERP\s_dsbin\scktsrvr.exe (Borland Software Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 172.16.1.3 172.16.1.2
Tcpip\..\Interfaces\{0CB05B4D-946D-4C1E-A123-AD5FE0F4EF92}: [DhcpNameServer] 172.16.1.3 172.16.1.2
Tcpip\..\Interfaces\{33F21A59-CBA3-4943-AEC7-C3DE1571F5AE}: [DhcpNameServer] 172.16.1.3 172.16.1.2
 
Internet Explorer:
==================
BHO: Virtual Keyboard Plugin -> {4A66AD60-A03D-4D01-86F0-5F0F7C0EF1AD} -> C:\Program Files\Kaspersky Lab\Kaspersky Small Office Security 15.0.2\IEExt\ie_plugin.dll [2016-09-14] (Kaspersky Lab ZAO)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-26] (Microsoft Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
BHO: Content Blocker Plugin -> {93BC2EA7-2F17-4729-948A-D2E03FFB2412} -> C:\Program Files\Kaspersky Lab\Kaspersky Small Office Security 15.0.2\IEExt\ie_plugin.dll [2016-09-14] (Kaspersky Lab ZAO)
BHO: Safe Money Plugin -> {AB379017-4C03-4E00-8EDF-E6D6AF7CCF82} -> C:\Program Files\Kaspersky Lab\Kaspersky Small Office Security 15.0.2\IEExt\ie_plugin.dll [2016-09-14] (Kaspersky Lab ZAO)
BHO: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2015-09-24] (Adobe Systems Incorporated)
BHO: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2015-09-24] (Adobe Systems Incorporated)
Toolbar: HKLM - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2015-09-24] (Adobe Systems Incorporated)
Toolbar: HKU\S-1-5-21-793592983-989196123-2685349833-1121 -> No Name - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} -  No File
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll [2009-02-26] (Microsoft Corporation)
 
FireFox:
========
FF HKLM\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: (Adobe Acrobat - Create PDF) - C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2015-10-22] [not signed]
FF HKLM\...\Firefox\Extensions: [content_blocker_663BE8@kaspersky.com] - C:\Program Files\Kaspersky Lab\Kaspersky Small Office Security 15.0.2\FFExt\content_blocker@kaspersky.com
FF Extension: (Dangerous Websites Blocker) - C:\Program Files\Kaspersky Lab\Kaspersky Small Office Security 15.0.2\FFExt\content_blocker@kaspersky.com [2016-09-14]
FF HKLM\...\Firefox\Extensions: [virtual_keyboard_074028@kaspersky.com] - C:\Program Files\Kaspersky Lab\Kaspersky Small Office Security 15.0.2\FFExt\virtual_keyboard@kaspersky.com
FF Extension: (Virtual Keyboard) - C:\Program Files\Kaspersky Lab\Kaspersky Small Office Security 15.0.2\FFExt\virtual_keyboard@kaspersky.com [2016-09-14]
FF HKLM\...\Firefox\Extensions: [online_banking_08806E@kaspersky.com] - C:\Program Files\Kaspersky Lab\Kaspersky Small Office Security 15.0.2\FFExt\online_banking@kaspersky.com
FF Extension: (Safe Money) - C:\Program Files\Kaspersky Lab\Kaspersky Small Office Security 15.0.2\FFExt\online_banking@kaspersky.com [2016-09-14]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_23_0_0_185.dll [2016-10-12] ()
FF Plugin: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-06] (Intel Corporation)
FF Plugin: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-06] (Intel Corporation)
FF Plugin: @kaspersky.com/content_blocker_663BE8 -> C:\Program Files\Kaspersky Lab\Kaspersky Small Office Security 15.0.2\FFExt\content_blocker@kaspersky.com [2016-09-14] ()
FF Plugin: @kaspersky.com/online_banking_08806E -> C:\Program Files\Kaspersky Lab\Kaspersky Small Office Security 15.0.2\FFExt\online_banking@kaspersky.com [2016-09-14] ()
FF Plugin: @kaspersky.com/virtual_keyboard_074028 -> C:\Program Files\Kaspersky Lab\Kaspersky Small Office Security 15.0.2\FFExt\virtual_keyboard@kaspersky.com [2016-09-14] ()
FF Plugin: @nvidia.com/3DVision -> C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll [2015-08-25] (NVIDIA Corporation)
FF Plugin: @nvidia.com/3DVisionStreaming -> C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2015-08-25] (NVIDIA Corporation)
FF Plugin: @qq.com/npqscall -> C:\Program Files\Common Files\Tencent\Npchrome\npactivex.dll [2015-10-22] (Tencent)
FF Plugin: @qq.com/QQPhotoDrawEx -> C:\Program Files\Tencent\Qzone\npQQPhotoDrawEx.dll [2013-08-13] ()
FF Plugin: @qq.com/QzoneMusic -> C:\Program Files\Tencent\QQMusic\QzoneMusic\npQzoneMusic.dll [2015-09-18] (Tencent)
FF Plugin: @qq.com/TXSSO -> C:\Program Files\Common Files\Tencent\TXSSO\1.2.2.25\Bin\npSSOAxCtrlForPTLogin.dll [2013-09-25] (Tencent)
FF Plugin: @tencent.com/npQQMailWebKit,version=1.0.0.1 -> C:\Program Files\QQMailPlugin\npQQMailWebKit.dll [2013-04-25] (Tencent)
FF Plugin: @tencent.com/nptxftnWebKit,version=1.0.0.1 -> C:\Program Files\QQMailPlugin\nptxftnWebKit.dll [2013-04-08] (Tencent Technology (Shenzhen) Company Limited)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.1.3 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.2.4 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin: Adobe Acrobat -> C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll [2015-09-24] (Adobe Systems Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-10-01] (Adobe Systems Inc.)
FF Plugin: JFGuide -> C:\Program Files\NetSurveillance\CMS\npGuide.dll [2016-08-11] ()
FF Plugin: JFWeb -> C:\Program Files\NetSurveillance\CMS\npWebPlugin.dll [2016-08-11] ()
 
Chrome: 
=======
CHR Profile: C:\Users\liao\AppData\Local\Google\Chrome\User Data\Default [2016-10-18]
CHR Extension: (Google Drive) - C:\Users\liao\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-08-09]
CHR Extension: (Kaspersky Protection) - C:\Users\liao\AppData\Local\Google\Chrome\User Data\Default\Extensions\dbhjdbfgekjfcfkkfjjmlmojhbllhbho [2016-09-14]
CHR Extension: (MSN Homepage & Bing Search Engine) - C:\Users\liao\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcfenmboojpjinhpgggodefccipikbpd [2016-09-01]
CHR Extension: (Google Docs Offline) - C:\Users\liao\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-08-09]
CHR Extension: (Chrome Web Store Payments) - C:\Users\liao\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-05]
CHR Extension: (Chrome Media Router) - C:\Users\liao\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-09-22]
CHR HKLM\...\Chrome\Extension: [dbhjdbfgekjfcfkkfjjmlmojhbllhbho] - hxxps://chrome.google.com/webstore/detail/dbhjdbfgekjfcfkkfjjmlmojhbllhbho
CHR HKU\S-1-5-21-793592983-989196123-2685349833-1121\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 AntiVirMailService; C:\Program Files\Avira\AntiVir Desktop\avmailc7.exe [1086040 2016-10-11] (Avira Operations GmbH & Co. KG)
R2 AntiVirSchedulerService; C:\Program Files\Avira\AntiVir Desktop\sched.exe [475232 2016-10-11] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [475232 2016-10-11] (Avira Operations GmbH & Co. KG)
S2 AntiVirWebService; C:\Program Files\Avira\AntiVir Desktop\avwebg7.exe [1489240 2016-10-11] (Avira Operations GmbH & Co. KG)
R2 Avira.ServiceHost; C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe [346928 2016-08-24] (Avira Operations GmbH & Co. KG)
R2 AVP15.0.2; C:\Program Files\Kaspersky Lab\Kaspersky Small Office Security 15.0.2\avp.exe [194000 2015-07-05] (Kaspersky Lab ZAO)
R2 awhost32; C:\Program Files\Symantec\pcAnywhere\awhost32.exe [136568 2009-02-10] (Symantec Corporation)
R2 DSCPatchService; D:\SmartERP\DSCPatchAgent.exe [694656 2009-07-03] ()
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [462048 2012-04-20] (Intel® Corporation)
R2 jhi_service; C:\Program Files\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [166720 2012-06-25] (Intel Corporation)
S2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [45568 2014-04-28] (Hewlett-Packard) [File not signed]
S2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [55808 2014-04-28] (Hewlett-Packard) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [118240 2016-10-11] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [140272 2016-10-11] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [37896 2015-12-16] (Avira Operations GmbH & Co. KG)
R2 avnetflt; C:\Windows\System32\DRIVERS\avnetflt.sys [60088 2016-06-03] (Avira Operations GmbH & Co. KG)
R1 awecho; C:\Windows\System32\drivers\awechomd.sys [13368 2007-03-30] (Symantec Corporation)
R1 awlegacy; C:\Windows\System32\Drivers\awlegacy.sys [17848 2007-03-30] (Symantec Corporation)
R1 AW_HOST; C:\Windows\System32\drivers\aw_host5.sys [18232 2007-03-30] (Symantec Corporation)
R0 cm_km_w; C:\Windows\System32\DRIVERS\cm_km_w.sys [197864 2015-07-05] (Kaspersky Lab UK Ltd)
S3 cxru0wdm; C:\Windows\System32\DRIVERS\cxru0wdm.sys [296984 2014-05-30] (HID Global Corporation)
R1 Gernuwa; C:\Windows\system32\Drivers\Gernuwa.sys [20536 2007-03-30] (Symantec Corporation)
R0 iusb3hcs; C:\Windows\System32\DRIVERS\iusb3hcs.sys [15640 2012-03-27] (Intel Corporation)
R3 iusb3hub; C:\Windows\System32\DRIVERS\iusb3hub.sys [349976 2012-03-27] (Intel Corporation)
R3 iusb3xhc; C:\Windows\System32\DRIVERS\iusb3xhc.sys [792856 2012-03-27] (Intel Corporation)
R0 kl1; C:\Windows\System32\DRIVERS\kl1.sys [155304 2016-09-14] (Kaspersky Lab ZAO)
R2 kldisk; C:\Windows\System32\DRIVERS\kldisk.sys [54640 2016-09-14] (Kaspersky Lab ZAO)
R3 klflt; C:\Windows\System32\DRIVERS\klflt.sys [128728 2015-07-05] (Kaspersky Lab ZAO)
R1 klhk; C:\Windows\System32\DRIVERS\klhk.sys [53168 2016-09-14] (AO Kaspersky Lab)
R1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [704432 2016-09-14] (Kaspersky Lab ZAO)
R1 KLIM6; C:\Windows\System32\DRIVERS\klim6.sys [44120 2016-09-14] (AO Kaspersky Lab)
R3 klkbdflt; C:\Windows\System32\DRIVERS\klkbdflt.sys [44920 2016-09-14] (Kaspersky Lab ZAO)
R3 klmouflt; C:\Windows\System32\DRIVERS\klmouflt.sys [44408 2016-09-14] (Kaspersky Lab ZAO)
R1 klpd; C:\Windows\System32\DRIVERS\klpd.sys [23920 2015-07-05] (Kaspersky Lab ZAO)
R1 kltdi; C:\Windows\System32\DRIVERS\kltdi.sys [54328 2015-07-05] (Kaspersky Lab ZAO)
R1 Klwtp; C:\Windows\System32\DRIVERS\klwtp.sys [76472 2016-09-14] (Kaspersky Lab ZAO)
R1 kneps; C:\Windows\System32\DRIVERS\kneps.sys [157240 2016-09-14] (Kaspersky Lab ZAO)
R3 L1C; C:\Windows\System32\DRIVERS\L1C62x86.sys [99992 2012-07-19] (Qualcomm Atheros Co., Ltd.)
S3 LVUSBSta; C:\Windows\System32\DRIVERS\LVUSBSta.sys [41888 2007-05-11] (Logitech Inc.)
R3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [55104 2012-07-17] (Intel Corporation)
R1 QQProtect; C:\Windows\system32\drivers\QQProtect.sys [184888 2013-10-21] (Tencent)
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
U4 klkbdflt2; system32\DRIVERS\klkbdflt2.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-10-18 13:30 - 2016-10-18 13:32 - 00021546 _____ C:\Users\liao\Desktop\FRST.txt
2016-10-18 13:30 - 2016-10-18 13:30 - 00000000 ____D C:\FRST
2016-10-18 13:28 - 2016-10-18 13:28 - 01756672 _____ (Farbar) C:\Users\liao\Desktop\frstenglish.exe.exe
2016-10-18 08:59 - 2016-10-18 08:59 - 00000000 ____D C:\Users\liao\AppData\Local\{D29122E0-8D8A-464D-98BB-16AFA5D9BDD3}
2016-10-17 09:24 - 2016-10-17 09:24 - 00000000 ____D C:\Users\liao\AppData\Local\{A21C348E-A25B-4BC6-A0D2-6ADB402FC3EC}
2016-10-15 10:23 - 2016-10-15 10:23 - 00000000 ____D C:\Users\liao\AppData\Local\{692A687C-1AB9-4E37-8466-189229B7CE6E}
2016-10-14 09:30 - 2016-10-14 09:30 - 00000000 ____D C:\Users\liao\AppData\Local\{BD254C1B-CA0D-4431-B0E6-F246A806B370}
2016-10-13 09:22 - 2016-10-13 09:22 - 00000000 ____D C:\Users\liao\AppData\Local\{2E983530-3A50-494F-90A4-8923F29A3C62}
2016-10-12 18:15 - 2016-10-12 18:15 - 00000000 ____D C:\Users\liao\AppData\Local\{4240F7A5-C720-4D67-B0F6-5938B34A6D0D}
2016-10-12 15:51 - 2016-10-01 03:28 - 00346312 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2016-10-12 15:51 - 2016-09-30 23:20 - 04000488 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2016-10-12 15:51 - 2016-09-30 23:20 - 03944680 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2016-10-12 15:51 - 2016-09-30 13:54 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2016-10-12 15:51 - 2016-09-30 13:54 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2016-10-12 15:51 - 2016-09-30 13:47 - 20306944 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2016-10-12 15:51 - 2016-09-30 13:42 - 00498688 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2016-10-12 15:51 - 2016-09-30 13:42 - 00341504 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2016-10-12 15:51 - 2016-09-30 13:42 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2016-10-12 15:51 - 2016-09-30 13:42 - 00047616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2016-10-12 15:51 - 2016-09-30 13:41 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2016-10-12 15:51 - 2016-09-30 13:38 - 02286592 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2016-10-12 15:51 - 2016-09-30 13:36 - 00047104 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2016-10-12 15:51 - 2016-09-30 13:35 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2016-10-12 15:51 - 2016-09-30 13:33 - 00476160 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2016-10-12 15:51 - 2016-09-30 13:32 - 00663552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2016-10-12 15:51 - 2016-09-30 13:32 - 00620032 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2016-10-12 15:51 - 2016-09-30 13:32 - 00115712 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2016-10-12 15:51 - 2016-09-30 13:32 - 00102912 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2016-10-12 15:51 - 2016-09-30 13:27 - 00667648 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2016-10-12 15:51 - 2016-09-30 13:24 - 00416256 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2016-10-12 15:51 - 2016-09-30 13:19 - 00091136 _____ (Microsoft Corporation) C:\Windows\system32\inseng.dll
2016-10-12 15:51 - 2016-09-30 13:19 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2016-10-12 15:51 - 2016-09-30 13:17 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2016-10-12 15:51 - 2016-09-30 13:15 - 00076288 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2016-10-12 15:51 - 2016-09-30 13:14 - 00279040 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2016-10-12 15:51 - 2016-09-30 13:13 - 00130048 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2016-10-12 15:51 - 2016-09-30 13:12 - 04608512 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2016-10-12 15:51 - 2016-09-30 13:07 - 00230400 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2016-10-12 15:51 - 2016-09-30 13:05 - 02055680 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2016-10-12 15:51 - 2016-09-30 13:05 - 01155072 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2016-10-12 15:51 - 2016-09-30 13:05 - 00693248 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2016-10-12 15:51 - 2016-09-30 13:05 - 00689152 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2016-10-12 15:51 - 2016-09-30 13:03 - 13653504 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2016-10-12 15:51 - 2016-09-30 12:46 - 02444288 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2016-10-12 15:51 - 2016-09-30 12:43 - 01312768 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2016-10-12 15:51 - 2016-09-30 12:42 - 00710144 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2016-10-12 15:51 - 2016-09-15 23:15 - 00741888 _____ (Microsoft Corporation) C:\Windows\system32\inetcomm.dll
2016-10-12 15:51 - 2016-09-15 23:15 - 00084480 _____ (Microsoft Corporation) C:\Windows\system32\INETRES.dll
2016-10-12 15:51 - 2016-09-13 04:54 - 00067816 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
2016-10-12 15:51 - 2016-09-13 04:53 - 00137960 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2016-10-12 15:51 - 2016-09-13 04:53 - 00067304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2016-10-12 15:51 - 2016-09-13 04:49 - 01063936 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2016-10-12 15:51 - 2016-09-13 04:49 - 01017856 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2016-10-12 15:51 - 2016-09-13 04:49 - 00690688 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2016-10-12 15:51 - 2016-09-13 04:49 - 00655360 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2016-10-12 15:51 - 2016-09-13 04:49 - 00553472 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2016-10-12 15:51 - 2016-09-13 04:49 - 00260608 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2016-10-12 15:51 - 2016-09-13 04:49 - 00254464 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2016-10-12 15:51 - 2016-09-13 04:49 - 00223232 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2016-10-12 15:51 - 2016-09-13 04:49 - 00172032 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2016-10-12 15:51 - 2016-09-13 04:49 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2016-10-12 15:51 - 2016-09-13 04:49 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\rpchttp.dll
2016-10-12 15:51 - 2016-09-13 04:49 - 00099840 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2016-10-12 15:51 - 2016-09-13 04:49 - 00076800 _____ (Microsoft Corporation) C:\Windows\system32\adsmsext.dll
2016-10-12 15:51 - 2016-09-13 04:49 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2016-10-12 15:51 - 2016-09-13 04:49 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2016-10-12 15:51 - 2016-09-13 04:49 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2016-10-12 15:51 - 2016-09-13 04:49 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2016-10-12 15:51 - 2016-09-13 04:29 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2016-10-12 15:51 - 2016-09-13 04:28 - 02399232 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2016-10-12 15:51 - 2016-09-13 04:26 - 00226304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2016-10-12 15:51 - 2016-09-13 04:26 - 00124416 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2016-10-12 15:51 - 2016-09-13 04:26 - 00098304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2016-10-12 15:51 - 2016-09-13 04:25 - 00036352 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll
2016-10-12 15:51 - 2016-09-13 04:25 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2016-10-12 15:51 - 2016-09-13 04:25 - 00015872 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2016-10-12 15:51 - 2016-09-13 03:08 - 01251328 _____ (Microsoft Corporation) C:\Windows\system32\DWrite.dll
2016-10-12 15:51 - 2016-09-13 03:08 - 00909824 _____ (Microsoft Corporation) C:\Windows\system32\FntCache.dll
2016-10-12 15:51 - 2016-09-10 23:53 - 02291712 _____ (Microsoft Corporation) C:\Windows\system32\MSVidCtl.dll
2016-10-12 15:51 - 2016-09-10 02:01 - 01310528 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2016-10-12 15:51 - 2016-09-10 02:00 - 00400896 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2016-10-12 15:51 - 2016-09-10 02:00 - 00043008 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2016-10-12 15:51 - 2016-09-10 01:59 - 00644096 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll
2016-10-12 15:51 - 2016-09-10 01:59 - 00050688 _____ (Microsoft Corporation) C:\Windows\system32\appidapi.dll
2016-10-12 15:51 - 2016-09-10 01:59 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\setbcdlocale.dll
2016-10-12 15:51 - 2016-09-10 01:59 - 00038912 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2016-10-12 15:51 - 2016-09-10 01:59 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2016-10-12 15:51 - 2016-09-10 01:42 - 00097792 _____ (Microsoft Corporation) C:\Windows\system32\appidpolicyconverter.exe
2016-10-12 15:51 - 2016-09-10 01:42 - 00050688 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\appid.sys
2016-10-12 15:51 - 2016-09-10 01:42 - 00029696 _____ (Microsoft Corporation) C:\Windows\system32\appidsvc.dll
2016-10-12 15:51 - 2016-09-10 01:42 - 00016896 _____ (Microsoft Corporation) C:\Windows\system32\appidcertstorecheck.exe
2016-10-12 15:51 - 2016-09-10 01:39 - 00262656 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2016-10-12 15:51 - 2016-09-10 01:37 - 00069632 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2016-10-12 15:51 - 2016-09-09 23:53 - 01406976 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2016-10-12 15:51 - 2016-09-09 23:53 - 00488448 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2016-10-12 15:51 - 2016-09-09 23:53 - 00478208 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2016-10-12 15:51 - 2016-09-09 23:53 - 00268800 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2016-10-12 15:51 - 2016-09-09 23:53 - 00213504 _____ (Microsoft Corporation) C:\Windows\system32\centel.dll
2016-10-12 15:51 - 2016-09-09 23:53 - 00184320 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2016-10-12 15:51 - 2016-09-09 23:53 - 00107008 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2016-10-12 15:51 - 2016-09-09 04:34 - 00208896 _____ (Microsoft Corporation) C:\Windows\system32\WebClnt.dll
2016-10-12 15:51 - 2016-09-09 04:34 - 00087040 _____ (Microsoft Corporation) C:\Windows\system32\davclnt.dll
2016-10-12 15:51 - 2016-09-08 22:49 - 00117248 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2016-10-12 15:51 - 2016-09-08 22:49 - 00081408 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dfsc.sys
2016-10-12 15:51 - 2016-08-29 23:12 - 12880384 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2016-10-12 15:51 - 2016-08-29 23:12 - 01806848 _____ (Microsoft Corporation) C:\Windows\system32\authui.dll
2016-10-12 15:51 - 2016-08-29 23:12 - 01499648 _____ (Microsoft Corporation) C:\Windows\system32\ExplorerFrame.dll
2016-10-12 15:51 - 2016-08-29 22:55 - 02972672 _____ (Microsoft Corporation) C:\Windows\explorer.exe
2016-10-12 15:51 - 2016-08-17 04:27 - 00259072 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbhub.sys
2016-10-12 15:51 - 2016-08-17 04:27 - 00076288 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbccgp.sys
2016-10-12 15:51 - 2016-08-17 04:26 - 00285696 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbport.sys
2016-10-12 15:51 - 2016-08-17 04:26 - 00046592 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbehci.sys
2016-10-12 15:51 - 2016-08-17 04:26 - 00024576 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbuhci.sys
2016-10-12 15:51 - 2016-08-17 04:26 - 00020480 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbohci.sys
2016-10-12 15:51 - 2016-08-17 04:26 - 00006016 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbd.sys
2016-10-12 15:51 - 2016-08-13 00:47 - 12574208 _____ (Microsoft Corporation) C:\Windows\system32\wmploc.DLL
2016-10-12 15:51 - 2016-08-13 00:47 - 11410432 _____ (Microsoft Corporation) C:\Windows\system32\wmp.dll
2016-10-12 15:51 - 2016-08-13 00:31 - 00008192 _____ (Microsoft Corporation) C:\Windows\system32\spwmp.dll
2016-10-12 15:51 - 2016-08-13 00:31 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\msdxm.ocx
2016-10-12 15:51 - 2016-08-13 00:31 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\dxmasf.dll
2016-10-12 15:51 - 2016-08-13 00:21 - 00437248 _____ (Microsoft Corporation) C:\Windows\system32\scavengeui.dll
2016-10-12 15:51 - 2016-08-06 23:15 - 01178112 _____ (Microsoft Corporation) C:\Windows\system32\WsmSvc.dll
2016-10-12 15:51 - 2016-08-06 23:15 - 00249344 _____ (Microsoft Corporation) C:\Windows\system32\WSManMigrationPlugin.dll
2016-10-12 15:51 - 2016-08-06 23:15 - 00214016 _____ (Microsoft Corporation) C:\Windows\system32\WsmWmiPl.dll
2016-10-12 15:51 - 2016-08-06 23:15 - 00146944 _____ (Microsoft Corporation) C:\Windows\system32\WsmAuto.dll
2016-10-12 15:51 - 2016-08-06 23:15 - 00054272 _____ (Microsoft Corporation) C:\Windows\system32\WsmRes.dll
2016-10-12 15:51 - 2016-08-06 22:53 - 00199168 _____ (Microsoft Corporation) C:\Windows\system32\WSManHTTPConfig.exe
2016-10-12 15:51 - 2016-08-06 22:53 - 00012288 _____ (Microsoft Corporation) C:\Windows\system32\wsmprovhost.exe
2016-10-12 15:51 - 2016-08-06 22:53 - 00010240 _____ (Microsoft Corporation) C:\Windows\system32\wsmplpxy.dll
2016-10-12 15:51 - 2016-07-22 22:51 - 00123904 _____ (Microsoft Corporation) C:\Windows\system32\poqexec.exe
2016-10-12 15:51 - 2016-06-14 23:25 - 00078568 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mountmgr.sys
2016-10-12 15:51 - 2016-06-14 23:21 - 03209216 _____ (Microsoft Corporation) C:\Windows\system32\mf.dll
2016-10-12 15:51 - 2016-06-14 23:21 - 01329664 _____ (Microsoft Corporation) C:\Windows\system32\quartz.dll
2016-10-12 15:51 - 2016-06-14 23:21 - 01176064 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2016-10-12 15:51 - 2016-06-14 23:21 - 01005056 _____ (Microsoft Corporation) C:\Windows\system32\cryptui.dll
2016-10-12 15:51 - 2016-06-14 23:21 - 00988160 _____ (Microsoft Corporation) C:\Windows\system32\drmv2clt.dll
2016-10-12 15:51 - 2016-06-14 23:21 - 00744960 _____ (Microsoft Corporation) C:\Windows\system32\blackbox.dll
2016-10-12 15:51 - 2016-06-14 23:21 - 00617984 _____ (Microsoft Corporation) C:\Windows\system32\wmdrmsdk.dll
2016-10-12 15:51 - 2016-06-14 23:21 - 00519680 _____ (Microsoft Corporation) C:\Windows\system32\qdvd.dll
2016-10-12 15:51 - 2016-06-14 23:21 - 00504320 _____ (Microsoft Corporation) C:\Windows\system32\msscp.dll
2016-10-12 15:51 - 2016-06-14 23:21 - 00489984 _____ (Microsoft Corporation) C:\Windows\system32\evr.dll
2016-10-12 15:51 - 2016-06-14 23:21 - 00474624 _____ (Microsoft Corporation) C:\Windows\system32\audiosrv.dll
2016-10-12 15:51 - 2016-06-14 23:21 - 00442368 _____ (Microsoft Corporation) C:\Windows\system32\AUDIOKSE.dll
2016-10-12 15:51 - 2016-06-14 23:21 - 00406016 _____ (Microsoft Corporation) C:\Windows\system32\drmmgrtn.dll
2016-10-12 15:51 - 2016-06-14 23:21 - 00374784 _____ (Microsoft Corporation) C:\Windows\system32\AudioEng.dll
2016-10-12 15:51 - 2016-06-14 23:21 - 00354816 _____ (Microsoft Corporation) C:\Windows\system32\mfplat.dll
2016-10-12 15:51 - 2016-06-14 23:21 - 00275968 _____ (Microsoft Corporation) C:\Windows\system32\EncDump.dll
2016-10-12 15:51 - 2016-06-14 23:21 - 00265216 _____ (Microsoft Corporation) C:\Windows\system32\msnetobj.dll
2016-10-12 15:51 - 2016-06-14 23:21 - 00195072 _____ (Microsoft Corporation) C:\Windows\system32\AudioSes.dll
2016-10-12 15:51 - 2016-06-14 23:21 - 00179200 _____ (Microsoft Corporation) C:\Windows\system32\wintrust.dll
2016-10-12 15:51 - 2016-06-14 23:21 - 00157184 _____ (Microsoft Corporation) C:\Windows\system32\pcasvc.dll
2016-10-12 15:51 - 2016-06-14 23:21 - 00145920 _____ (Microsoft Corporation) C:\Windows\system32\cryptsvc.dll
2016-10-12 15:51 - 2016-06-14 23:21 - 00106496 _____ (Microsoft Corporation) C:\Windows\system32\cryptnet.dll
2016-10-12 15:51 - 2016-06-14 23:21 - 00103424 _____ (Microsoft Corporation) C:\Windows\system32\mfps.dll
2016-10-12 15:51 - 2016-06-14 23:21 - 00080896 _____ (Microsoft Corporation) C:\Windows\system32\cryptsp.dll
2016-10-12 15:51 - 2016-06-14 23:21 - 00008704 _____ (Microsoft Corporation) C:\Windows\system32\pcaevts.dll
2016-10-12 15:51 - 2016-06-14 23:21 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\mferror.dll
2016-10-12 15:51 - 2016-06-14 23:17 - 00593920 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\PEAuth.sys
2016-10-12 15:51 - 2016-06-14 23:05 - 00100352 _____ (Microsoft Corporation) C:\Windows\system32\audiodg.exe
2016-10-12 15:51 - 2016-06-14 23:05 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\rrinstaller.exe
2016-10-12 15:51 - 2016-06-14 23:05 - 00023040 _____ (Microsoft Corporation) C:\Windows\system32\mfpmp.exe
2016-10-12 15:51 - 2016-06-14 23:00 - 00010752 _____ (Microsoft Corporation) C:\Windows\system32\msmmsp.dll
2016-10-12 15:51 - 2016-06-14 22:55 - 00009728 _____ (Microsoft Corporation) C:\Windows\system32\pcawrk.exe
2016-10-12 15:51 - 2016-06-14 22:55 - 00008192 _____ (Microsoft Corporation) C:\Windows\system32\pcalua.exe
2016-10-12 15:51 - 2016-06-14 22:54 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\pcadm.dll
2016-10-12 09:29 - 2016-10-12 09:29 - 00000000 ____D C:\Users\liao\AppData\Local\{AB5E916B-B608-48DE-A1A7-0388A12A012B}
2016-10-11 17:11 - 2016-10-11 17:10 - 00028568 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avusbflt.sys
2016-10-11 08:51 - 2016-10-11 08:51 - 00000000 ____D C:\Users\liao\AppData\Local\{58F8F60B-CDA0-432A-B585-263B2F7BC526}
2016-10-09 12:08 - 2016-10-09 12:08 - 00000000 ____D C:\Users\liao\AppData\Local\{4B6EE3EF-8A68-4117-A02E-A06DA337DF68}
2016-10-09 11:44 - 2016-10-09 11:44 - 00002669 _____ C:\Users\Public\Desktop\Skype.lnk
2016-10-09 11:44 - 2016-10-09 11:44 - 00000000 ___RD C:\Program Files\Skype
2016-10-09 11:44 - 2016-10-09 11:44 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2016-10-09 11:44 - 2016-10-09 11:44 - 00000000 ____D C:\Program Files\Common Files\Skype
2016-10-09 11:43 - 2016-10-09 11:43 - 41759360 _____ (Skype Technologies S.A.) C:\Users\liao\Downloads\SkypeSetupFull.exe
2016-10-07 18:36 - 2016-10-07 18:36 - 00354403 _____ C:\Users\liao\Desktop\ski camera technical data.pdf
2016-10-07 10:26 - 2016-10-07 10:26 - 00000000 ____D C:\Users\liao\AppData\Local\{C33B799A-8F00-4C46-8250-F075EC51A739}
2016-10-06 08:50 - 2016-10-06 08:50 - 00000000 ____D C:\Users\liao\AppData\Local\{AF1E2862-3C60-48F3-B566-236561F4EC92}
2016-10-05 08:52 - 2016-10-05 08:52 - 00000000 ____D C:\Users\liao\AppData\Local\{A06B0A57-ED55-4241-A85E-40115AC63FD5}
2016-10-04 11:42 - 2016-10-04 11:42 - 00000000 ____D C:\Users\liao\AppData\Local\{AB4EBC27-ED26-4D87-AC72-CF61418F5A6E}
2016-10-03 09:03 - 2016-10-03 09:03 - 00000000 ____D C:\Users\liao\AppData\Local\{C3842F6B-7CBF-4875-9679-B34955036116}
2016-09-30 08:39 - 2016-09-30 08:40 - 00000000 ____D C:\Users\liao\AppData\Local\{A48E3A7C-F416-44CA-8C49-40CC2433E86C}
2016-09-29 19:24 - 2016-09-29 19:24 - 00072704 _____ C:\Users\liao\Downloads\tool1.xls
2016-09-29 09:21 - 2016-09-29 09:21 - 00000000 ____D C:\Users\liao\AppData\Local\{6FAD633F-E869-4966-9A07-9E580613091E}
2016-09-26 14:39 - 2016-09-26 14:39 - 00000000 ____D C:\Users\liao\AppData\Local\CrashDumps
2016-09-26 08:59 - 2016-09-26 08:59 - 00000000 ____D C:\Users\liao\AppData\Local\{EFB0D318-DA8D-4120-9144-A90202B8613A}
2016-09-23 08:52 - 2016-09-23 08:52 - 00000000 ____D C:\Users\liao\AppData\Local\{211ADF9D-1E20-4ECD-A97C-8F8E35E6EEB0}
2016-09-22 09:20 - 2016-09-22 09:20 - 00000000 ____D C:\Users\liao\AppData\Local\{B2FB71EE-FFF1-45D4-A306-7573916EA1BF}
2016-09-21 09:23 - 2016-09-21 09:23 - 00000000 ____D C:\Users\liao\AppData\Local\{04460E17-62C5-4764-AF5C-F13ADFCDA45D}
2016-09-21 09:17 - 2016-08-05 23:13 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2016-09-20 09:03 - 2016-09-20 09:03 - 00000000 ____D C:\Users\liao\AppData\Local\{C8829067-9272-4742-AC21-B2FE6EA49878}
2016-09-20 09:00 - 2016-09-20 09:42 - 00000000 ____D C:\Windows\system32\appmgmt
2016-09-19 20:12 - 2016-09-19 20:12 - 00015875 _____ C:\Users\liao\Desktop\20160919 liao pc report.txt
2016-09-19 08:55 - 2016-09-19 08:55 - 00000000 ____D C:\Users\liao\AppData\Local\{CAE9AA6E-2107-445C-85D6-960F2112049F}
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-10-18 13:29 - 2015-10-22 09:59 - 00000000 ____D C:\Users\liao\AppData\Roaming\Skype
2016-10-18 13:19 - 2016-09-14 10:22 - 00000000 ____D C:\ProgramData\Kaspersky Lab
2016-10-18 13:01 - 2015-10-22 09:46 - 00000128 _____ C:\Windows\system32\config\netlogon.ftl
2016-10-18 13:01 - 2015-10-22 09:18 - 00000530 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-10-18 13:01 - 2015-10-22 09:17 - 00000526 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-10-18 09:45 - 2015-10-22 09:18 - 00000526 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-10-18 09:01 - 2009-07-14 12:34 - 00015280 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-10-18 09:01 - 2009-07-14 12:34 - 00015280 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-10-18 08:53 - 2015-10-22 10:23 - 00000000 ____D C:\ProgramData\NVIDIA
2016-10-18 08:53 - 2009-07-14 12:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-10-14 15:18 - 2015-11-06 08:24 - 00000000 ____D C:\Users\liao\AppData\Roaming\vlc
2016-10-13 10:24 - 2009-07-14 10:37 - 00000000 ____D C:\Windows\rescache
2016-10-13 09:18 - 2015-10-22 09:06 - 01304906 _____ C:\Windows\system32\PerfStringBackup.INI
2016-10-13 09:18 - 2009-07-14 16:44 - 00400390 _____ C:\Windows\system32\prfh0404.dat
2016-10-13 09:18 - 2009-07-14 16:44 - 00122126 _____ C:\Windows\system32\prfc0404.dat
2016-10-13 09:18 - 2009-07-14 10:37 - 00000000 ____D C:\Windows\inf
2016-10-13 09:11 - 2009-07-14 12:33 - 00438144 _____ C:\Windows\system32\FNTCACHE.DAT
2016-10-13 09:10 - 2015-10-22 10:29 - 00000000 ___SD C:\Windows\system32\CompatTel
2016-10-13 09:10 - 2015-10-22 10:29 - 00000000 ____D C:\Windows\system32\appraiser
2016-10-13 09:09 - 2009-07-14 10:37 - 00000000 ____D C:\Windows\system32\Dism
2016-10-12 18:31 - 2015-10-22 10:24 - 00000000 ____D C:\Windows\system32\MRT
2016-10-12 18:26 - 2015-10-22 10:24 - 141042968 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2016-10-12 12:32 - 2015-10-22 11:34 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2016-10-12 10:40 - 2015-10-22 09:17 - 00796352 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2016-10-12 10:40 - 2015-10-22 09:17 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2016-10-12 10:40 - 2015-10-22 09:17 - 00000000 ____D C:\Windows\system32\Macromed
2016-10-12 09:41 - 2016-07-21 15:59 - 00000000 ____D C:\Users\liao\Desktop\TT
2016-10-11 17:12 - 2015-10-22 10:13 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2016-10-11 17:10 - 2015-10-22 09:12 - 00140272 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys
2016-10-11 17:10 - 2015-10-22 09:12 - 00118240 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avgntflt.sys
2016-10-09 11:44 - 2015-10-22 09:12 - 00000000 ____D C:\ProgramData\Skype
2016-10-04 11:47 - 2015-10-22 09:19 - 00002117 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-09-21 11:24 - 2016-09-16 17:48 - 00000000 ____D C:\Users\liao\AppData\Local\NPE
2016-09-20 16:02 - 2016-03-10 16:00 - 00000000 ____D C:\Users\liao\Documents\Tencent Files
2016-09-20 09:42 - 2015-10-22 09:56 - 00000000 ____D C:\Users\liao
2016-09-19 17:35 - 2015-10-22 10:20 - 00000000 ____D C:\ProgramData\Package Cache
 
==================== Files in the root of some directories =======
 
2016-08-29 09:19 - 2016-08-29 09:24 - 0042241 _____ () C:\Program Files\CMS Setup Log.txt
 
Some files in TEMP:
====================
C:\Users\601\AppData\Local\Temp\avgnt.exe
C:\Users\601\AppData\Local\Temp\Offercast_AVIRAV7_.exe
C:\Users\601\AppData\Local\Temp\QzoneMusic.exe
C:\Users\liao\AppData\Local\Temp\avgnt.exe
C:\Users\liao\AppData\Local\Temp\BingSvc.exe
C:\Users\liao\AppData\Local\Temp\BSvcProcessor.exe
C:\Users\liao\AppData\Local\Temp\BSvcUpdater.exe
C:\Users\liao\AppData\Local\Temp\dkcuninstall.dll
C:\Users\liao\AppData\Local\Temp\SkypeSetup.exe
C:\Users\liao\AppData\Local\Temp\vlc-2.2.4-win32.exe
C:\Users\liao\AppData\Local\Temp\_is7B95.exe
C:\Users\liao\AppData\Local\Temp\_isF0F2.exe
 
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-10-17 09:42
 
==================== End of FRST.txt ============================
 
Addition.txt
 
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 16-10-2016
Ran by liao (18-10-2016 13:32:57)
Running from C:\Users\liao\Desktop
Microsoft Windows 7 專業版  Service Pack 1 (X86) (2015-10-22 01:03:12)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
601 (S-1-5-21-1647030546-948482808-2970852980-1000 - Administrator - Enabled) => C:\Users\601
Administrator (S-1-5-21-1647030546-948482808-2970852980-500 - Administrator - Disabled)
Guest (S-1-5-21-1647030546-948482808-2970852980-501 - Limited - Disabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Avira Antivirus (Enabled - Up to date) {4D041356-F94D-285F-8768-AAE50FA36859}
AV: Kaspersky Small Office Security (Enabled - Up to date) {86367591-4BE4-AE08-2FD9-7FCB8259CD98}
AS: Avira Antivirus (Enabled - Up to date) {F665F2B2-DF77-27D1-BDD8-9197742422E4}
AS: Kaspersky Small Office Security (Enabled - Up to date) {3D579475-6DDE-A186-1569-44B9F9DE8725}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Kaspersky Small Office Security (Enabled) {BE0DF4B4-018B-AF50-0486-D6FE7C8A8AE3}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
32 Bit HP CIO Components Installer (Version: 17.1.1 - Hewlett-Packard) Hidden
Adobe Acrobat Reader DC (HKLM\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.020.20039 - Adobe Systems Incorporated)
Adobe Acrobat X Pro - ChineseT (HKLM\...\{AC76BA86-1028-0000-7760-000000000005}) (Version: 10.1.16 - Adobe Systems)
Adobe Flash Player 23 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 23.0.0.185 - Adobe Systems Incorporated)
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver (HKLM\...\{3108C217-BE83-42E4-AE9E-A56A2A92E549}) (Version: 2.1.0.7 - Atheros Communications Inc.)
Avira Antivirus (HKLM\...\Avira Antivirus) (Version: 15.0.22.54 - Avira Operations GmbH & Co. KG)
Avira Launcher (HKLM\...\{af1966e2-5e60-4d93-8a48-c21462a87e3c}) (Version: 1.2.71.9779 - Avira Operations GmbH & Co. KG)
Avira Launcher (Version: 1.2.71.9779 - Avira Operations GmbH & Co. KG) Hidden
CMS (HKLM\...\CMS) (Version:  - )
D3DX10 (Version: 15.4.2368.0902 - Microsoft) Hidden
DHTML Editing Component (HKLM\...\{2EA870FA-585F-4187-903D-CB9FFD21E2E0}) (Version: 6.02.0001 - Microsoft Corporation)
DSC Smart ERP Systems (HKLM\...\{D55CA3A1-A7B8-4F8E-A6AC-3AC69C169117}) (Version: 8.2.0.0 - Data Systems Consulting Co., Ltd.)
EPSON AL-M2410 Advanced Printer Driver (HKLM\...\EPSON AL-M2410 Advanced) (Version:  - SEIKO EPSON Corporation)
Google Chrome (HKLM\...\Google Chrome) (Version: 53.0.2785.143 - Google Inc.)
Google Update Helper (Version: 1.3.31.5 - Google Inc.) Hidden
Intel® Management Engine Components (HKLM\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.1.0.1252 - Intel Corporation)
Intel® USB 3.0 eXtensible Host Controller Driver (HKLM\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 1.0.4.225 - Intel Corporation)
Junk Mail filter update (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Kaspersky Small Office Security (HKLM\...\InstallWIX_{33F9240D-1887-4FF9-8A6E-35F32A05A277}) (Version: 15.0.2.396 - 卡巴斯基實驗室)
Kaspersky Small Office Security (Version: 15.0.2.361 - 卡巴斯基實驗室) Hidden
Lingoes 2.9.2 (HKLM\...\Lingoes Translator_is1) (Version: 2.9.2 - Lingoes Project)
Microsoft .NET Framework 4.6.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office Enterprise 2007 (HKLM\...\ENTERPRISE) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office Excel 2007 Help 更新程式 (KB963678) (HKLM\...\{90120000-0016-0404-0000-0000000FF1CE}_ENTERPRISE_{15EEA099-97F0-4952-8597-88472FF062D2}) (Version:  - Microsoft)
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Powerpoint 2007 Help 更新程式 (KB963669) (HKLM\...\{90120000-0018-0404-0000-0000000FF1CE}_ENTERPRISE_{A7688131-70CB-4945-BAFA-11053AC34D75}) (Version:  - Microsoft)
Microsoft Office Word 2007 Help 更新程式 (KB963665) (HKLM\...\{90120000-001B-0404-0000-0000000FF1CE}_ENTERPRISE_{AD30F628-2AAE-43E0-A0D8-CDFA976E6A9E}) (Version:  - Microsoft)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
NetSurveillance (HKLM\...\NetSurveillance) (Version:  - )
NVIDIA 3D Vision 驅動程式 355.82 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 355.82 - NVIDIA Corporation)
NVIDIA HD 音訊驅動程式 1.3.34.3 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.34.3 - NVIDIA Corporation)
NVIDIA 更新程式 10.4.0 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update) (Version: 10.4.0 - NVIDIA Corporation)
NVIDIA 圖形驅動程式 355.82 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 355.82 - NVIDIA Corporation)
Phone F USB Driver (HKLM\...\{4ABC4629-CAD4-4A88-B87B-2F3DB67D4FFD}) (Version: 3.3.0 - Mobile)
Realtek Ethernet Controller Driver (HKLM\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.82.317.2014 - Realtek)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6662 - Realtek Semiconductor Corp.)
Skype™ 7.28 (HKLM\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.28.101 - Skype Technologies S.A.)
Symantec pcAnywhere (HKLM\...\{12518183-866A-11D3-97DF-0000F8D8F2E9}) (Version: 12.5.0 - Symantec Corporation)
Tencent QQMail Plugin (HKLM\...\QQMailPlugin) (Version:  - )
Ulead PhotoImpact X3 (HKLM\...\InstallShield_{15803703-25FA-4C01-A062-3F4A59937E87}) (Version: 1.00.0000 - Corel)
Ulead PhotoImpact X3 (Version: 1.00.0000 - Corel) Hidden
Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
VLC media player (HKLM\...\VLC media player) (Version: 2.2.4 - VideoLAN)
Windows Live 程式集 (HKLM\...\WinLiveSuite) (Version: 15.4.3555.0308 - Microsoft Corporation)
WinRAR 壓縮工具 (HKLM\...\WinRAR archiver) (Version:  - )
桌面日曆 2.2.1.3583 (HKU\S-1-5-21-793592983-989196123-2685349833-1121\...\DesktopCal) (Version: 2.2.1.3583 - DesktopCal, Inc.)
腾讯QQ2013 (HKLM\...\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}) (Version: 1.99.8820.0 - 腾讯科技(深圳)有限公司)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-793592983-989196123-2685349833-1121_Classes\CLSID\{0BBFE402-CCA1-4f64-9322-13B66D841049}\InprocServer32 -> C:\Users\liao\AppData\Local\TechSmith\SnagIt\Accessories\{23102CBF-AC8D-4424-9364-A79738894850}\MSWo (the data entry has 17 more characters).
CustomCLSID: HKU\S-1-5-21-793592983-989196123-2685349833-1121_Classes\CLSID\{25D005BF-FE63-4cce-AA25-CE952B1D9381}\InprocServer32 -> C:\Users\liao\AppData\Local\TechSmith\SnagIt\Accessories\{638B203F-8FB6-49ec-A139-AB8C530F0CAB}\MSPo (the data entry has 23 more characters).
CustomCLSID: HKU\S-1-5-21-793592983-989196123-2685349833-1121_Classes\CLSID\{54050FBB-F2AE-404b-8BFD-7EE3EC784A52}\InprocServer32 -> C:\Users\liao\AppData\Local\TechSmith\SnagIt\Accessories\{18AA4E21-D540-4a3a-9F9F-E6DE33D6F253}\MSEx (the data entry has 18 more characters).
CustomCLSID: HKU\S-1-5-21-793592983-989196123-2685349833-1121_Classes\CLSID\{6B1948B3-9547-42F8-9B37-7AA9768134C4}\InprocServer32 -> C:\Users\liao\AppData\Local\TechSmith\SnagIt\Accessories\{23102CBF-AC8D-4424-9364-A79738894850}\MSWo (the data entry has 17 more characters).
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {19B5FC71-6354-4183-BEE5-EA11BCFCDAA1} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-10-22] (Google Inc.)
Task: {228D363D-484A-471C-9791-E4DA60D92EF8} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2016-09-16] (Adobe Systems Incorporated)
Task: {2AA14B33-CA0A-4D35-844A-F00E1CFF7A81} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-10-22] (Google Inc.)
Task: {62FD7366-911E-4218-A552-7B158CB115AF} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2016-10-12] (Adobe Systems Incorporated)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
==================== Loaded Modules (Whitelisted) ==============
 
2015-10-22 10:23 - 2015-08-25 22:27 - 00106288 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax.dll
2009-07-03 10:56 - 2009-07-03 10:56 - 00694656 _____ () D:\SmartERP\DSCPatchAgent.exe
2015-10-22 09:11 - 2010-03-15 18:53 - 00141824 _____ () C:\Program Files\WinRAR\rarext.dll
2015-09-24 23:42 - 2015-09-24 23:42 - 00019456 _____ () C:\Program Files\Adobe\Acrobat 10.0\Acrobat\locale\zh_tw\acrotray.cht
2015-10-22 09:37 - 2007-08-02 21:07 - 00034064 _____ () C:\Program Files\Common Files\Ulead Systems\AutoDetector\DetMethod.dll
2014-10-03 22:23 - 2014-10-03 22:23 - 00139264 _____ () C:\Users\liao\AppData\Roaming\DesktopCal\lua51.dll
2014-10-03 22:23 - 2014-10-03 22:23 - 00565827 _____ () C:\Users\liao\AppData\Roaming\DesktopCal\sqlite3.dll
2015-10-22 13:37 - 2012-06-25 10:41 - 01198912 _____ () C:\Program Files\Intel\Intel® Management Engine Components\UNS\ACE.dll
2016-10-04 11:47 - 2016-09-25 11:47 - 01805416 _____ () C:\Program Files\Google\Chrome\Application\53.0.2785.143\libglesv2.dll
2016-10-04 11:47 - 2016-09-25 11:47 - 00093288 _____ () C:\Program Files\Google\Chrome\Application\53.0.2785.143\libegl.dll
2015-09-24 23:42 - 2015-09-24 23:42 - 00101376 _____ () C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Locale\zh_tw\PDFMaker\PDFMOfficeAddin.CHT
2015-11-11 03:41 - 2015-11-11 03:41 - 00756376 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSPTLS.DLL
2000-11-20 10:11 - 2011-08-23 13:27 - 00132096 _____ () C:\Windows\system32\LdResD5.dll
2015-10-22 11:27 - 2014-01-28 13:51 - 01097728 _____ () C:\Windows\system32\qrpt50.bpl
2015-10-22 11:27 - 2008-03-24 10:03 - 01787392 _____ () C:\Windows\system32\dcctd5.bpl
2015-10-22 11:27 - 2013-12-03 11:57 - 00054784 _____ () C:\Windows\system32\DesignVR50.bpl
2015-10-22 11:27 - 2013-01-03 17:18 - 00214016 _____ () D:\SmartERP\s_dsbin\LeaderWorkCenterS.exe
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)
 
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-14 10:04 - 2009-06-11 05:39 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-1647030546-948482808-2970852980-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\601\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
HKU\S-1-5-21-793592983-989196123-2685349833-1121\Control Panel\Desktop\\Wallpaper -> 
DNS Servers: 172.16.1.3 - 172.16.1.2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{64E87BFB-5D5E-4072-B96B-8E075CDE8882}] => (Allow) C:\Program Files\Tencent\QQ\QQProtect\Bin\QQProtect.exe
FirewallRules: [{E0AD7752-C8E5-4FC8-B8E9-94D592C744AA}] => (Allow) C:\Program Files\Tencent\QQ\QQProtect\Bin\QQProtect.exe
FirewallRules: [{6CF32932-277F-4E0C-8039-D19BBCD610B5}] => (Allow) C:\Program Files\Tencent\QQ\Bin\QQ.exe
FirewallRules: [{D9FA9B07-A3B3-4BF4-A4FE-5337B727428D}] => (Allow) C:\Program Files\Tencent\QQ\Bin\QQ.exe
FirewallRules: [{07F09E55-239E-4618-A59D-DE7281B5C2CB}] => (Allow) C:\Program Files\Tencent\QQ\Bin\auclt.exe
FirewallRules: [{669958E5-F4A6-47D5-BA5F-9E255B3947FD}] => (Allow) C:\Program Files\Tencent\QQ\Bin\auclt.exe
FirewallRules: [{FF85F643-563B-4750-B086-F2D16B65E314}] => (Allow) C:\Program Files\Common Files\Tencent\QQDownload\119\Tencentdl.exe
FirewallRules: [{7DB84E77-4DA2-420E-9D61-4F109087E210}] => (Allow) C:\Program Files\Common Files\Tencent\QQDownload\119\Tencentdl.exe
FirewallRules: [{98E40024-9519-4210-A4C8-8F553AF88B58}] => (Allow) C:\Users\Public\Documents\Tencent\QQGameMicro\IEProc.exe
FirewallRules: [{D627F9B3-B38A-473A-AF10-4872740CF93A}] => (Allow) C:\Users\Public\Documents\Tencent\QQGameMicro\QQGameMicro.exe
FirewallRules: [{F356655F-774F-4274-A01E-9729DD327286}] => (Allow) C:\Program Files\Tencent\QQMusic\QzoneMusic\QzoneMusic.exe
FirewallRules: [{7E9D28B5-6254-4169-BE22-1179C2C398BE}] => (Allow) C:\Program Files\Tencent\QQMusic\QzoneMusic\QzoneMusic.exe
FirewallRules: [{389FC5EC-2E1C-4A3B-BEE6-E61BDA7D0114}] => (Allow) C:\Users\601\AppData\Roaming\Tencent\QQ\STemp\BackupDLTmp\Download\MiniQTUpdate.exe
FirewallRules: [{2CC33FA5-EB30-425D-BF79-7BAF2173D1A7}] => (Allow) C:\Users\601\AppData\Roaming\Tencent\QQ\STemp\BackupDLTmp\Download\MiniQTUpdate.exe
FirewallRules: [{56CDA69E-C87C-4E03-953C-0D4A9F0D128D}] => (Allow) C:\Program Files\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{75440D97-9F26-44F5-A5D0-40C503D2D5C6}] => (Allow) LPort=2869
FirewallRules: [{8A535388-7EA6-4B8D-8EB1-54E6D99CC0FD}] => (Allow) LPort=1900
FirewallRules: [{70368B84-C338-410D-9A46-5C8ECF5812DE}] => (Allow) C:\Program Files\Symantec\pcAnywhere\awhost32.exe
FirewallRules: [{FB2BD95F-0EAB-46F6-BD35-A84C6CCF410D}] => (Allow) C:\Program Files\Symantec\pcAnywhere\awhost32.exe
FirewallRules: [{77958008-9DE5-4930-A645-7883F5604DAC}] => (Allow) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
FirewallRules: [TCP Query User{BC7CDF2E-6519-4C48-B0C1-D2EE39AFB054}D:\smarterp\s_dsbin\scktsrvr.exe] => (Allow) D:\smarterp\s_dsbin\scktsrvr.exe
FirewallRules: [UDP Query User{2DB630AF-9C58-4FCB-B137-75DCCAC80A80}D:\smarterp\s_dsbin\scktsrvr.exe] => (Allow) D:\smarterp\s_dsbin\scktsrvr.exe
FirewallRules: [TCP Query User{CC1058F7-657B-4888-8257-9C821D99CEB1}C:\program files\cms\cms.exe] => (Allow) C:\program files\cms\cms.exe
FirewallRules: [UDP Query User{77A8E128-ADA6-4D36-88D7-0200E862AB98}C:\program files\cms\cms.exe] => (Allow) C:\program files\cms\cms.exe
FirewallRules: [{4850F377-9584-4FE5-AB3F-EE011315E1C9}] => (Allow) C:\Program Files\Google\Chrome\Application\chrome.exe
FirewallRules: [{2D220878-D7AE-42A3-AACE-6496D54861CC}] => (Allow) C:\Program Files\Skype\Phone\Skype.exe
 
==================== Restore Points =========================
 
12-10-2016 18:26:07 Windows Update
13-10-2016 09:16:26 Windows Update
 
==================== Faulty Device Manager Devices =============
 
Name: SM 匯流排控制器
Description: SM 匯流排控制器
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (10/18/2016 09:02:21 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: 程式 wlmail.exe 版本 15.4.3555.308 已停止與 Windows 互動而且已關閉。若要查看是否有此問題的詳細資訊請檢查位於 [行動作業中心] 控制台中的問題歷程記錄。
 
處理程序識別碼: 1b58
 
開始時間: 01d228dad7eda475
 
終止時間: 0
 
應用程式路徑: C:\Program Files\Windows Live\Mail\wlmail.exe
 
報告識別碼: 60aa7ffb-94ce-11e6-b910-94de80727912
 
Error: (10/17/2016 07:20:05 PM) (Source: DSCPatchService) (EventID: 0) (User: )
Description: Event-ID 0
 
Error: (10/17/2016 07:20:05 PM) (Source: DSCPatchService) (EventID: 0) (User: )
Description: Event-ID 0
 
Error: (10/15/2016 10:49:07 AM) (Source: DSCPatchService) (EventID: 0) (User: )
Description: Event-ID 0
 
Error: (10/15/2016 10:49:06 AM) (Source: DSCPatchService) (EventID: 0) (User: )
Description: Event-ID 0
 
Error: (10/14/2016 06:33:55 PM) (Source: DSCPatchService) (EventID: 0) (User: )
Description: Event-ID 0
 
Error: (10/14/2016 06:33:55 PM) (Source: DSCPatchService) (EventID: 0) (User: )
Description: Event-ID 0
 
Error: (10/13/2016 09:10:42 AM) (Source: DSCPatchService) (EventID: 0) (User: )
Description: Event-ID 0
 
Error: (10/13/2016 09:10:42 AM) (Source: DSCPatchService) (EventID: 0) (User: )
Description: Event-ID 0
 
Error: (10/12/2016 06:33:23 PM) (Source: DSCPatchService) (EventID: 0) (User: )
Description: Event-ID 0
 
 
System errors:
=============
Error: (10/18/2016 01:01:49 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1006) (User: MISUMI)
Description: 群組原則處理失敗。Windows 無法驗證網域控制站中的 Active Directory 服務 (LDAP Bind 函數呼叫失敗)。請參閱 [詳細資料] 索引標籤以取得錯誤碼和描述。
 
Error: (10/18/2016 10:38:54 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1006) (User: MISUMI)
Description: 群組原則處理失敗。Windows 無法驗證網域控制站中的 Active Directory 服務 (LDAP Bind 函數呼叫失敗)。請參閱 [詳細資料] 索引標籤以取得錯誤碼和描述。
 
Error: (10/18/2016 09:03:52 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1006) (User: MISUMI)
Description: 群組原則處理失敗。Windows 無法驗證網域控制站中的 Active Directory 服務 (LDAP Bind 函數呼叫失敗)。請參閱 [詳細資料] 索引標籤以取得錯誤碼和描述。
 
Error: (10/18/2016 09:03:50 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: NT AUTHORITY)
Description: 由於無法連線到網域控制站導致群組原則處理失敗。這可能是暫時性情況。一旦電腦順利連線到網域控制站並順利處理群組原則會產生成功訊息。若數個小時之後還是沒有看到成功訊息請連絡您的系統管理員。
 
Error: (10/18/2016 08:53:48 AM) (Source: SCardSvr) (EventID: 602) (User: )
Description: WDM Reader 驅動程式初始化動作無法開啟讀卡機:  系統找不到指定的路徑。
 
Error: (10/17/2016 07:19:50 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: 伺服器 {F9717507-6651-4EDB-BFF7-AE615179BCCF} 沒有在指定的等候逾時內登錄 DCOM。
 
Error: (10/17/2016 05:49:25 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1006) (User: MISUMI)
Description: 群組原則處理失敗。Windows 無法驗證網域控制站中的 Active Directory 服務 (LDAP Bind 函數呼叫失敗)。請參閱 [詳細資料] 索引標籤以取得錯誤碼和描述。
 
Error: (10/17/2016 04:18:24 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1006) (User: MISUMI)
Description: 群組原則處理失敗。Windows 無法驗證網域控制站中的 Active Directory 服務 (LDAP Bind 函數呼叫失敗)。請參閱 [詳細資料] 索引標籤以取得錯誤碼和描述。
 
Error: (10/17/2016 02:24:23 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1006) (User: MISUMI)
Description: 群組原則處理失敗。Windows 無法驗證網域控制站中的 Active Directory 服務 (LDAP Bind 函數呼叫失敗)。請參閱 [詳細資料] 索引標籤以取得錯誤碼和描述。
 
Error: (10/17/2016 12:38:21 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1006) (User: MISUMI)
Description: 群組原則處理失敗。Windows 無法驗證網域控制站中的 Active Directory 服務 (LDAP Bind 函數呼叫失敗)。請參閱 [詳細資料] 索引標籤以取得錯誤碼和描述。
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i3-3220 CPU @ 3.30GHz
Percentage of memory in use: 63%
Total physical RAM: 3561.19 MB
Available physical RAM: 1300.92 MB
Total Virtual: 7120.71 MB
Available Virtual: 2075.57 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:299.9 GB) (Free:247.63 GB) NTFS
Drive d: (新增磁碟區) (Fixed) (Total:300 GB) (Free:298.5 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 7504D83E)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=299.9 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=300 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================
RK.txt

RogueKiller V12.7.3.0 [Oct 17 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : liao [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller.exe
Mode : Scan -- Date : 10/18/2016 13:42:33 (Duration : 01:44:54)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 37 ¤¤¤
[PUP] HKEY_CLASSES_ROOT\CLSID\{03766B5E-BD09-44db-8F92-510517AC2155} (C:\Program Files\Tencent\QQ\Bin\AppCom.dll) -> Found
[Suspicious.Path] HKEY_CLASSES_ROOT\CLSID\{0BBFE402-CCA1-4f64-9322-13B66D841049} (C:\Users\liao\AppData\Local\TechSmith\SnagIt\Accessories\{23102CBF-AC8D-4424-9364-A79738894850}\MSWord.dll) -> Found
[PUP] HKEY_CLASSES_ROOT\CLSID\{1B7F37B4-2CBC-4548-AE26-1B3916F9F607} (C:\Program Files\Tencent\QQ\Bin\AppCom.dll) -> Found
[Suspicious.Path] HKEY_CLASSES_ROOT\CLSID\{25D005BF-FE63-4cce-AA25-CE952B1D9381} (C:\Users\liao\AppData\Local\TechSmith\SnagIt\Accessories\{638B203F-8FB6-49ec-A139-AB8C530F0CAB}\MSPowerPoint.dll) -> Found
[PUP] HKEY_CLASSES_ROOT\CLSID\{2B647183-37B6-4EFE-9128-B4D30AD06C44} (C:\Program Files\Tencent\QQ\Bin\AppCom.dll) -> Found
[PUP] HKEY_CLASSES_ROOT\CLSID\{37086F34-1C2B-4282-A09E-8E0A7EF2A8F0} (C:\Program Files\Tencent\QQ\Bin\AppCom.dll) -> Found
[Suspicious.Path] HKEY_CLASSES_ROOT\CLSID\{54050FBB-F2AE-404b-8BFD-7EE3EC784A52} (C:\Users\liao\AppData\Local\TechSmith\SnagIt\Accessories\{18AA4E21-D540-4a3a-9F9F-E6DE33D6F253}\MSExcel.dll) -> Found
[PUP] HKEY_CLASSES_ROOT\CLSID\{63406263-B1E1-4717-8DA6-7270FFA518A9} (C:\Program Files\Tencent\QQ\Bin\AppCom.dll) -> Found
[Suspicious.Path] HKEY_CLASSES_ROOT\CLSID\{6B1948B3-9547-42F8-9B37-7AA9768134C4} (C:\Users\liao\AppData\Local\TechSmith\SnagIt\Accessories\{23102CBF-AC8D-4424-9364-A79738894850}\MSWord.dll) -> Found
[PUP] HKEY_CLASSES_ROOT\CLSID\{87AF538B-F052-4A0B-BAE0-E686AD921119} (C:\Program Files\Tencent\QQ\Bin\AppCom.dll) -> Found
[PUP] HKEY_CLASSES_ROOT\CLSID\{ECF5CD34-3833-4b9b-9C8A-96683E0D7B13} (C:\Program Files\Tencent\QQ\Bin\AppCom.dll) -> Found
[PUP] HKEY_CLASSES_ROOT\metnsd -> Found
[PUP] HKEY_CLASSES_ROOT\Tencent -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 172.16.1.3 172.16.1.2 ([][]) -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 172.16.1.3 172.16.1.2 ([][]) -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0CB05B4D-946D-4C1E-A123-AD5FE0F4EF92} | DhcpNameServer : 172.16.1.3 172.16.1.2 ([][]) -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{33F21A59-CBA3-4943-AEC7-C3DE1571F5AE} | DhcpNameServer : 172.16.1.3 172.16.1.2 ([][]) -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{0CB05B4D-946D-4C1E-A123-AD5FE0F4EF92} | DhcpNameServer : 172.16.1.3 172.16.1.2 ([][]) -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{33F21A59-CBA3-4943-AEC7-C3DE1571F5AE} | DhcpNameServer : 172.16.1.3 172.16.1.2 ([][]) -> Found
[PUP] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {64E87BFB-5D5E-4072-B96B-8E075CDE8882} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files\Tencent\QQ\QQProtect\Bin\QQProtect.exe|Name=QQProtect| [7] -> Found
[PUP] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {E0AD7752-C8E5-4FC8-B8E9-94D592C744AA} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files\Tencent\QQ\QQProtect\Bin\QQProtect.exe|Name=QQProtect| [7] -> Found
[PUP] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {6CF32932-277F-4E0C-8039-D19BBCD610B5} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files\Tencent\QQ\Bin\QQ.exe|Name=??QQ2013| [7] -> Found
[PUP] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {D9FA9B07-A3B3-4BF4-A4FE-5337B727428D} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files\Tencent\QQ\Bin\QQ.exe|Name=??QQ2013| [7] -> Found
[PUP] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {07F09E55-239E-4618-A59D-DE7281B5C2CB} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files\Tencent\QQ\Bin\auclt.exe|Name=QQUpdate| [7] -> Found
[PUP] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {669958E5-F4A6-47D5-BA5F-9E255B3947FD} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files\Tencent\QQ\Bin\auclt.exe|Name=QQUpdate| [7] -> Found
[PUP] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {F356655F-774F-4274-A01E-9729DD327286} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files\Tencent\QQMusic\QzoneMusic\QzoneMusic.exe|Name=QzoneMusic| [7] -> Found
[PUP] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {7E9D28B5-6254-4169-BE22-1179C2C398BE} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files\Tencent\QQMusic\QzoneMusic\QzoneMusic.exe|Name=QzoneMusic| [7] -> Found
[PUP] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {64E87BFB-5D5E-4072-B96B-8E075CDE8882} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files\Tencent\QQ\QQProtect\Bin\QQProtect.exe|Name=QQProtect| [7] -> Found
[PUP] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {E0AD7752-C8E5-4FC8-B8E9-94D592C744AA} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files\Tencent\QQ\QQProtect\Bin\QQProtect.exe|Name=QQProtect| [7] -> Found
[PUP] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {6CF32932-277F-4E0C-8039-D19BBCD610B5} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files\Tencent\QQ\Bin\QQ.exe|Name=??QQ2013| [7] -> Found
[PUP] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {D9FA9B07-A3B3-4BF4-A4FE-5337B727428D} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files\Tencent\QQ\Bin\QQ.exe|Name=??QQ2013| [7] -> Found
[PUP] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {07F09E55-239E-4618-A59D-DE7281B5C2CB} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files\Tencent\QQ\Bin\auclt.exe|Name=QQUpdate| [7] -> Found
[PUP] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {669958E5-F4A6-47D5-BA5F-9E255B3947FD} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files\Tencent\QQ\Bin\auclt.exe|Name=QQUpdate| [7] -> Found
[PUP] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {F356655F-774F-4274-A01E-9729DD327286} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files\Tencent\QQMusic\QzoneMusic\QzoneMusic.exe|Name=QzoneMusic| [7] -> Found
[PUP] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {7E9D28B5-6254-4169-BE22-1179C2C398BE} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files\Tencent\QQMusic\QzoneMusic\QzoneMusic.exe|Name=QzoneMusic| [7] -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1647030546-948482808-2970852980-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-793592983-989196123-2685349833-1121\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 4 ¤¤¤
[PUP][File] C:\Users\liao\Desktop\??QQ.lnk [LNK@] C:\PROGRA~1\Tencent\QQ\QQPROT~1\Bin\QQPROT~1.EXE -> Found
[PUP][Folder] C:\Users\liao\AppData\Roaming\Tencent -> Found
[PUP][Folder] C:\ProgramData\Tencent -> Found
[PUP][Folder] C:\Program Files\Tencent -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[PUP][CHROME:Addon] Default : MSN Homepage & Bing Search Engine [fcfenmboojpjinhpgggodefccipikbpd] -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD10EZEX-00BN5A0 ATA Device +++++
--- User ---
[MBR] 63cdd157001f6f116614c27ef3a67ae2
[BSP] 54e32f84ff2bb0b02f47f62f3ca810ed : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 307100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 629147648 | Size: 307200 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

#2 Oh My!
    Adware and Spyware and Malware.....
  • Malware Response Instructor
  • 38,195 posts
  • Gender:Male
  • Location:California
  • Local time:01:51 AM

Posted 18 October 2016 - 08:15 AM

Greetings Hetty.

Allow me some time to review.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 Oh My!
    Adware and Spyware and Malware.....
  • Malware Response Instructor
  • 38,195 posts
  • Gender:Male
  • Location:California
  • Local time:01:51 AM

Posted 18 October 2016 - 02:27 PM

Greetings Hetty. Thank you for your patience.

Can you confirm you are aware of Tencent on the computer?

There is a suspicious registry key identified by RogueKiller I want to follow up on. We will do that via the Fixlist.

Please consider and do this.

===================================================

Multiple Antivirus Programs

-------------------

I do not recommend that you have more than one antivirus product installed on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other antivirus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
  • False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please remove all but one of the Antivirus programs currently on your computer, even if only one is running. You can uninstall the program(s) via Add/Remove Programs, or Programs and Features in the Control Panel.
 

Avira Antivirus
Kaspersky Small Office Security


===================================================

Uninstalling a Program using Add/Remove Program

--------------------

I recommend the uninstalling of the below listed program(s). If you desire to keep the program I would ask that you reinstall it following our efforts here.
  • Press the Windows key + r on your keyboard at the same time
  • Type appwiz.cpl and press Enter
  • A list of installed programs will be displayed
  • Uninstall the following by clicking on the program(s) below (and any other similar names) and selecting Remove or Uninstall

Symantec pcAnywhere

  • Reboot your computer
===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it as fixlist.txt in the same location/folder as FRST.exe (<<<Important)
Winlogon\Notify\ScCertProp: wlnotify.dll [X]
Toolbar: HKU\S-1-5-21-793592983-989196123-2685349833-1121 -> No Name - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} -  No File
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
U4 klkbdflt2; system32\DRIVERS\klkbdflt2.sys [X]
2016-10-18 08:59 - 2016-10-18 08:59 - 00000000 ____D C:\Users\liao\AppData\Local\{D29122E0-8D8A-464D-98BB-16AFA5D9BDD3}
2016-10-17 09:24 - 2016-10-17 09:24 - 00000000 ____D C:\Users\liao\AppData\Local\{A21C348E-A25B-4BC6-A0D2-6ADB402FC3EC}
2016-10-15 10:23 - 2016-10-15 10:23 - 00000000 ____D C:\Users\liao\AppData\Local\{692A687C-1AB9-4E37-8466-189229B7CE6E}
2016-10-14 09:30 - 2016-10-14 09:30 - 00000000 ____D C:\Users\liao\AppData\Local\{BD254C1B-CA0D-4431-B0E6-F246A806B370}
2016-10-13 09:22 - 2016-10-13 09:22 - 00000000 ____D C:\Users\liao\AppData\Local\{2E983530-3A50-494F-90A4-8923F29A3C62}
2016-10-12 18:15 - 2016-10-12 18:15 - 00000000 ____D C:\Users\liao\AppData\Local\{4240F7A5-C720-4D67-B0F6-5938B34A6D0D}
2016-10-12 09:29 - 2016-10-12 09:29 - 00000000 ____D C:\Users\liao\AppData\Local\{AB5E916B-B608-48DE-A1A7-0388A12A012B}
2016-10-11 08:51 - 2016-10-11 08:51 - 00000000 ____D C:\Users\liao\AppData\Local\{58F8F60B-CDA0-432A-B585-263B2F7BC526}
2016-10-09 12:08 - 2016-10-09 12:08 - 00000000 ____D C:\Users\liao\AppData\Local\{4B6EE3EF-8A68-4117-A02E-A06DA337DF68}
2016-10-07 10:26 - 2016-10-07 10:26 - 00000000 ____D C:\Users\liao\AppData\Local\{C33B799A-8F00-4C46-8250-F075EC51A739}
2016-10-06 08:50 - 2016-10-06 08:50 - 00000000 ____D C:\Users\liao\AppData\Local\{AF1E2862-3C60-48F3-B566-236561F4EC92}
2016-10-05 08:52 - 2016-10-05 08:52 - 00000000 ____D C:\Users\liao\AppData\Local\{A06B0A57-ED55-4241-A85E-40115AC63FD5}
2016-10-04 11:42 - 2016-10-04 11:42 - 00000000 ____D C:\Users\liao\AppData\Local\{AB4EBC27-ED26-4D87-AC72-CF61418F5A6E}
2016-10-03 09:03 - 2016-10-03 09:03 - 00000000 ____D C:\Users\liao\AppData\Local\{C3842F6B-7CBF-4875-9679-B34955036116}
2016-09-30 08:39 - 2016-09-30 08:40 - 00000000 ____D C:\Users\liao\AppData\Local\{A48E3A7C-F416-44CA-8C49-40CC2433E86C}
2016-09-29 09:21 - 2016-09-29 09:21 - 00000000 ____D C:\Users\liao\AppData\Local\{6FAD633F-E869-4966-9A07-9E580613091E}
2016-09-26 08:59 - 2016-09-26 08:59 - 00000000 ____D C:\Users\liao\AppData\Local\{EFB0D318-DA8D-4120-9144-A90202B8613A}
2016-09-23 08:52 - 2016-09-23 08:52 - 00000000 ____D C:\Users\liao\AppData\Local\{211ADF9D-1E20-4ECD-A97C-8F8E35E6EEB0}
2016-09-22 09:20 - 2016-09-22 09:20 - 00000000 ____D C:\Users\liao\AppData\Local\{B2FB71EE-FFF1-45D4-A306-7573916EA1BF}
2016-09-21 09:23 - 2016-09-21 09:23 - 00000000 ____D C:\Users\liao\AppData\Local\{04460E17-62C5-4764-AF5C-F13ADFCDA45D}
2016-09-20 09:03 - 2016-09-20 09:03 - 00000000 ____D C:\Users\liao\AppData\Local\{C8829067-9272-4742-AC21-B2FE6EA49878}
2016-09-19 08:55 - 2016-09-19 08:55 - 00000000 ____D C:\Users\liao\AppData\Local\{CAE9AA6E-2107-445C-85D6-960F2112049F}
C:\Users\liao\AppData\Local\Temp\_is7B95.exe
C:\Users\liao\AppData\Local\Temp\_isF0F2.exe
C:\Users\601\AppData\Local\Temp\Offercast_AVIRAV7_.exe
FirewallRules: [{70368B84-C338-410D-9A46-5C8ECF5812DE}] => (Allow) C:\Program Files\Symantec\pcAnywhere\awhost32.exe
FirewallRules: [{FB2BD95F-0EAB-46F6-BD35-A84C6CCF410D}] => (Allow) C:\Program Files\Symantec\pcAnywhere\awhost32.exe
R2 awhost32; C:\Program Files\Symantec\pcAnywhere\awhost32.exe [136568 2009-02-10] (Symantec Corporation)
C:\Program Files\Symantec
cmd: regedit /e "%userprofile%\desktop\look.txt" "HKEY_CLASSES_ROOT\metnsd"
CMD: type "%userprofile%\desktop\look.txt"
  • Right click on FRST.exe, select Run as administrator then press the Fix button
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Tencent?
  • Did you uninstall an antivirus and Symantec?
  • Fixlog

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#4 m618


Posted 19 October 2016 - 01:11 AM

Dear Gary,

 

I uninstalled Avira antivirus (both the software itself & Avira Launcher) and uninstalled Symantec pcanywhere.

 

Yes, I recognize Tencent. It's a public company in China which provides QQ (messaging software commonly used in China); it's similar to Skype.

However, I uploaded it to VirusTotal, which shows QQProtect.exe contains a Trojan. (Attached file: BP pc1(liao) found trojan in Tencent QQProtect.exe.jpg)

It's legitimate software from a legitimate company. I don't understand how it could contain a trojan virus.

Should I delete QQProtect.exe, or will FRST fix it?

 

 

Fixlog.txt

 

Fix result of Farbar Recovery Scan Tool (x86) Version: 16-10-2016
Ran by liao (19-10-2016 13:52:41) Run:1
Running from C:\Users\liao\Desktop
Loaded Profiles: 601 & liao (Available Profiles: 601 & liao)
Boot Mode: Normal
 
==============================================
 
fixlist content:
*****************
Winlogon\Notify\ScCertProp: wlnotify.dll [X]
Toolbar: HKU\S-1-5-21-793592983-989196123-2685349833-1121 -> No Name - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} -  No File
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
U4 klkbdflt2; system32\DRIVERS\klkbdflt2.sys [X]
2016-10-18 08:59 - 2016-10-18 08:59 - 00000000 ____D C:\Users\liao\AppData\Local\{D29122E0-8D8A-464D-98BB-16AFA5D9BDD3}
2016-10-17 09:24 - 2016-10-17 09:24 - 00000000 ____D C:\Users\liao\AppData\Local\{A21C348E-A25B-4BC6-A0D2-6ADB402FC3EC}
2016-10-15 10:23 - 2016-10-15 10:23 - 00000000 ____D C:\Users\liao\AppData\Local\{692A687C-1AB9-4E37-8466-189229B7CE6E}
2016-10-14 09:30 - 2016-10-14 09:30 - 00000000 ____D C:\Users\liao\AppData\Local\{BD254C1B-CA0D-4431-B0E6-F246A806B370}
2016-10-13 09:22 - 2016-10-13 09:22 - 00000000 ____D C:\Users\liao\AppData\Local\{2E983530-3A50-494F-90A4-8923F29A3C62}
2016-10-12 18:15 - 2016-10-12 18:15 - 00000000 ____D C:\Users\liao\AppData\Local\{4240F7A5-C720-4D67-B0F6-5938B34A6D0D}
2016-10-12 09:29 - 2016-10-12 09:29 - 00000000 ____D C:\Users\liao\AppData\Local\{AB5E916B-B608-48DE-A1A7-0388A12A012B}
2016-10-11 08:51 - 2016-10-11 08:51 - 00000000 ____D C:\Users\liao\AppData\Local\{58F8F60B-CDA0-432A-B585-263B2F7BC526}
2016-10-09 12:08 - 2016-10-09 12:08 - 00000000 ____D C:\Users\liao\AppData\Local\{4B6EE3EF-8A68-4117-A02E-A06DA337DF68}
2016-10-07 10:26 - 2016-10-07 10:26 - 00000000 ____D C:\Users\liao\AppData\Local\{C33B799A-8F00-4C46-8250-F075EC51A739}
2016-10-06 08:50 - 2016-10-06 08:50 - 00000000 ____D C:\Users\liao\AppData\Local\{AF1E2862-3C60-48F3-B566-236561F4EC92}
2016-10-05 08:52 - 2016-10-05 08:52 - 00000000 ____D C:\Users\liao\AppData\Local\{A06B0A57-ED55-4241-A85E-40115AC63FD5}
2016-10-04 11:42 - 2016-10-04 11:42 - 00000000 ____D C:\Users\liao\AppData\Local\{AB4EBC27-ED26-4D87-AC72-CF61418F5A6E}
2016-10-03 09:03 - 2016-10-03 09:03 - 00000000 ____D C:\Users\liao\AppData\Local\{C3842F6B-7CBF-4875-9679-B34955036116}
2016-09-30 08:39 - 2016-09-30 08:40 - 00000000 ____D C:\Users\liao\AppData\Local\{A48E3A7C-F416-44CA-8C49-40CC2433E86C}
2016-09-29 09:21 - 2016-09-29 09:21 - 00000000 ____D C:\Users\liao\AppData\Local\{6FAD633F-E869-4966-9A07-9E580613091E}
2016-09-26 08:59 - 2016-09-26 08:59 - 00000000 ____D C:\Users\liao\AppData\Local\{EFB0D318-DA8D-4120-9144-A90202B8613A}
2016-09-23 08:52 - 2016-09-23 08:52 - 00000000 ____D C:\Users\liao\AppData\Local\{211ADF9D-1E20-4ECD-A97C-8F8E35E6EEB0}
2016-09-22 09:20 - 2016-09-22 09:20 - 00000000 ____D C:\Users\liao\AppData\Local\{B2FB71EE-FFF1-45D4-A306-7573916EA1BF}
2016-09-21 09:23 - 2016-09-21 09:23 - 00000000 ____D C:\Users\liao\AppData\Local\{04460E17-62C5-4764-AF5C-F13ADFCDA45D}
2016-09-20 09:03 - 2016-09-20 09:03 - 00000000 ____D C:\Users\liao\AppData\Local\{C8829067-9272-4742-AC21-B2FE6EA49878}
2016-09-19 08:55 - 2016-09-19 08:55 - 00000000 ____D C:\Users\liao\AppData\Local\{CAE9AA6E-2107-445C-85D6-960F2112049F}
C:\Users\liao\AppData\Local\Temp\_is7B95.exe
C:\Users\liao\AppData\Local\Temp\_isF0F2.exe
C:\Users\601\AppData\Local\Temp\Offercast_AVIRAV7_.exe
FirewallRules: [{70368B84-C338-410D-9A46-5C8ECF5812DE}] => (Allow) C:\Program Files\Symantec\pcAnywhere\awhost32.exe
FirewallRules: [{FB2BD95F-0EAB-46F6-BD35-A84C6CCF410D}] => (Allow) C:\Program Files\Symantec\pcAnywhere\awhost32.exe
R2 awhost32; C:\Program Files\Symantec\pcAnywhere\awhost32.exe [136568 2009-02-10] (Symantec Corporation)
C:\Program Files\Symantec
cmd: regedit /e "%userprofile%\desktop\look.txt" "HKEY_CLASSES_ROOT\metnsd"
CMD: type "%userprofile%\desktop\look.txt"
*****************
 
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp" => key removed successfully.
HKU\S-1-5-21-793592983-989196123-2685349833-1121\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} => value removed successfully.
HKCR\CLSID\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} => key not found. 
gdrv => service removed successfully.
klkbdflt2 => service could not remove
C:\Users\liao\AppData\Local\{D29122E0-8D8A-464D-98BB-16AFA5D9BDD3} => moved successfully
C:\Users\liao\AppData\Local\{A21C348E-A25B-4BC6-A0D2-6ADB402FC3EC} => moved successfully
C:\Users\liao\AppData\Local\{692A687C-1AB9-4E37-8466-189229B7CE6E} => moved successfully
C:\Users\liao\AppData\Local\{BD254C1B-CA0D-4431-B0E6-F246A806B370} => moved successfully
C:\Users\liao\AppData\Local\{2E983530-3A50-494F-90A4-8923F29A3C62} => moved successfully
C:\Users\liao\AppData\Local\{4240F7A5-C720-4D67-B0F6-5938B34A6D0D} => moved successfully
C:\Users\liao\AppData\Local\{AB5E916B-B608-48DE-A1A7-0388A12A012B} => moved successfully
C:\Users\liao\AppData\Local\{58F8F60B-CDA0-432A-B585-263B2F7BC526} => moved successfully
C:\Users\liao\AppData\Local\{4B6EE3EF-8A68-4117-A02E-A06DA337DF68} => moved successfully
C:\Users\liao\AppData\Local\{C33B799A-8F00-4C46-8250-F075EC51A739} => moved successfully
C:\Users\liao\AppData\Local\{AF1E2862-3C60-48F3-B566-236561F4EC92} => moved successfully
C:\Users\liao\AppData\Local\{A06B0A57-ED55-4241-A85E-40115AC63FD5} => moved successfully
C:\Users\liao\AppData\Local\{AB4EBC27-ED26-4D87-AC72-CF61418F5A6E} => moved successfully
C:\Users\liao\AppData\Local\{C3842F6B-7CBF-4875-9679-B34955036116} => moved successfully
C:\Users\liao\AppData\Local\{A48E3A7C-F416-44CA-8C49-40CC2433E86C} => moved successfully
C:\Users\liao\AppData\Local\{6FAD633F-E869-4966-9A07-9E580613091E} => moved successfully
C:\Users\liao\AppData\Local\{EFB0D318-DA8D-4120-9144-A90202B8613A} => moved successfully
C:\Users\liao\AppData\Local\{211ADF9D-1E20-4ECD-A97C-8F8E35E6EEB0} => moved successfully
C:\Users\liao\AppData\Local\{B2FB71EE-FFF1-45D4-A306-7573916EA1BF} => moved successfully
C:\Users\liao\AppData\Local\{04460E17-62C5-4764-AF5C-F13ADFCDA45D} => moved successfully
C:\Users\liao\AppData\Local\{C8829067-9272-4742-AC21-B2FE6EA49878} => moved successfully
C:\Users\liao\AppData\Local\{CAE9AA6E-2107-445C-85D6-960F2112049F} => moved successfully
C:\Users\liao\AppData\Local\Temp\_is7B95.exe => moved successfully
C:\Users\liao\AppData\Local\Temp\_isF0F2.exe => moved successfully
C:\Users\601\AppData\Local\Temp\Offercast_AVIRAV7_.exe => moved successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{70368B84-C338-410D-9A46-5C8ECF5812DE} => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{FB2BD95F-0EAB-46F6-BD35-A84C6CCF410D} => value removed successfully.
awhost32 => service not found.
"C:\Program Files\Symantec" => not found.
 
========= regedit /e "%userprofile%\desktop\look.txt" "HKEY_CLASSES_ROOT\metnsd" =========
 
 
========= End of CMD: =========
 
 
========= type "%userprofile%\desktop\look.txt" =========
 
Windows Registry Editor Version 5.00
 
[HKEY_CLASSES_ROOT\metnsd]
 
[HKEY_CLASSES_ROOT\metnsd\clsid]
"SequenceID"=hex:ae,4a,96,4a,f2,5b,27,48,9e,cf,a7,2f,93,a5,dc,45
 
 
========= End of CMD: =========
 
 
==== End of Fixlog 13:52:43 ====

Edited by m618, 19 October 2016 - 01:13 AM.


#5 Oh My!


Posted 19 October 2016 - 08:56 AM

Hi Hetty,

The reason why I asked about Tencent is because I believed it to be legitimate but there is some information, as you found out, that says it is malicious. One detection out of 55 is meaningless, especially if the detection is by an unknown scanner program. However, there is additional information linking Tencent to the [HKEY_CLASSES_ROOT\metnsd] registry key information provided in the Fixlog. To be honest, I am not 100% sure what to make of it.

My leaning is to remove the registry key but not touch anything else, even though there is some mention of Tencent in the Trendmicro page. Since we have a copy of the registry key saved we could import the key back if we found removal of the key caused problems. I don't think it will but I am not certain of that. Since at this point there is no other evidence of malicious software on the computer, and no direct connection between this computer and your IP blocking, we could leave it as well.

I wanted to provide my analysis and thoughts so that you could review it yourself to see what you thought. Since Tencent is unknown to me at least that portion of this puzzle will be more familiar to you.

Let me know what you think.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#6 m618


Posted 19 October 2016 - 10:05 AM

Dear Gary,

 

Thank you for the detailed explanation. Could you show me how to find the registry key?

 

Since Tencent is just messaging software, it's okay to simply delete it and download it again. Would this be something we can try as well?

 

Could you still tell me how to remove the registry key, and how to import the key back if the removal of the key causes a problem? I think it's better to know that in case it happens to software that cannot be easily removed and reinstalled.

 

 

Kind regards,

Hetty


Edited by m618, 19 October 2016 - 10:05 AM.


#7 Oh My!


Posted 19 October 2016 - 11:05 AM

I don't think you need to uninstall and reinstall Tencent but you certainly can if you'd like.

Here is the cleanest way to do what you want with the registry key. This only applies to registry keys and not other software or programs.

===================================================

Manually Exporting and Deleting a Registry Key

-------------------
  • Press the Windows key + R on your keyboard at the same time
  • Type regedit and press Enter
  • Navigate to the following registry entry, expanding each category as necessary

HKEY_CLASSES_ROOT\metnsd

  • Right click on metnsd and select Export
  • Save the file onto your Desktop as metnsd.reg
  • After verifying the metnsd.reg file is on your Desktop, right click on metnsd and select Delete
  • Click Yes to confirm deletion
  • Reboot your computer
===================================================

Manually Importing a Registry Key (.reg) File

-------------------
  • Right click on the metnsd.reg file located on your Desktop and select Merge
  • Once you receive confirmation the information was successfully merged reboot your computer

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
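A scripted equivalent of the export, verify, delete and merge steps in the post above, added here as an example; it is not from the thread or from BleepingComputer. It assumes the same key, HKEY_CLASSES_ROOT\metnsd, a backup file metnsd.reg on the Desktop, and the stock reg.exe tool, and it must be run from an elevated PowerShell window.

```powershell
# Added example (not from the thread): back up a registry key to a .reg file,
# refuse to delete it until the backup is verified, and restore it on demand.
# Assumptions: key HKEY_CLASSES_ROOT\metnsd (as in the Fixlog), backup on the
# Desktop as metnsd.reg, reg.exe available, PowerShell running as administrator.

$KeyPath    = 'HKEY_CLASSES_ROOT\metnsd'
$BackupFile = Join-Path ([Environment]::GetFolderPath('Desktop')) 'metnsd.reg'

function Backup-RegistryKey {
    param([string]$Key, [string]$File)
    # Export the whole subtree; /y overwrites an older backup without prompting.
    & reg.exe export $Key $File /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed for $Key" }

    # Verify before deleting: the file must exist and contain the key header,
    # otherwise there would be nothing to merge back later. Get-Content honours
    # the UTF-16 byte-order mark that reg.exe writes.
    $header = "[$Key]"
    if (-not (Test-Path $File) -or
        -not (Get-Content -Path $File -Raw).Contains($header)) {
        throw "Backup $File does not contain $header; refusing to delete"
    }
    Write-Host "Backup verified: $File"
}

function Remove-RegistryKeyTree {
    param([string]$Key)
    # The Registry:: provider path lets Test-Path/Remove-Item work on any hive.
    $providerPath = "Registry::$Key"
    if (-not (Test-Path $providerPath)) {
        Write-Host "Key $Key not present; nothing to delete"
        return
    }
    Remove-Item -Path $providerPath -Recurse -Force
    Write-Host "Deleted $Key"
}

function Restore-RegistryKey {
    param([string]$File)
    # Same effect as right-click > Merge on the .reg file, without the prompt.
    & reg.exe import $File | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import failed for $File" }
    Write-Host "Restored from $File"
}

# Back up, verify, then delete; reboot afterwards as the instructions say.
Backup-RegistryKey -Key $KeyPath -File $BackupFile
Remove-RegistryKeyTree -Key $KeyPath

# If the removal causes a problem, put the key back and reboot again:
# Restore-RegistryKey -File $BackupFile
```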

#8 m618


Posted 20 October 2016 - 05:35 AM

Dear Gary,

 

I did not uninstall Tencent.

I followed your instructions to remove the registry key on pc1. What's the next step?

 

I have an idea to prevent malware coming from mails.

I would like to restrict most users from executing software that is not allowed by the administrator. I think that will prevent malware coming from mails,

because even if users click on the PDF or Word files that contain malware, the malware won't be able to start because the users don't have the ability to start unauthorized software.

 

Is that a good idea? If yes, which forum should I post to learn about that?

 

 

Kind regards,

Hetty



#9 Oh My!


Posted 20 October 2016 - 08:08 AM

Greetings Hetty.

You might address your question in the General Security Forum.

Let's run these.

===================================================

ESET Online Scanner

--------------------

I'd like us to scan your machine with ESET OnlineScan. This process may take several hours; that is normal.
  • Download esetsmartinstaller_enu.exe and save it to your Desktop
  • Double click the icon
  • Check YES, I accept the Terms of Use
  • Click the Start button
  • Accept any security warnings from your browser
  • Click Advanced settings
  • Check the following items

Enable detection of potentially unwanted applications
Remove found threats
Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology

  • Click Start
  • ESET will then download updates and begin scanning your computer
  • If no threats are found simply click Uninstall application on close and hit Finish
  • If threats are found click List of found threats
  • Click Export to text file
  • Save the file on your Desktop as ESET.txt
  • Click Back
  • Review the list of entries and if there are any you want to keep stop and copy/paste the ESET.txt report in your reply for my review
  • If you do not wish to keep any of the entries check Uninstall application on close and Delete quarantined files
  • Click Finish
  • Close the ESET Online Scanner window
  • Copy and paste the contents of ESET.txt in your reply
===================================================

screen317's Security Check

--------------------
  • Please download screen317's Security Check to your desktop
  • Double-click icon to launch the program
  • Click OK
  • Select Run. Note: if you receive an error message saying UNSUPPORTED OPERATING SYSTEM! ABORTED!, reboot your computer and attempt to run it again
  • Allow the program to run
  • A Notepad document will open on your desktop. Please copy and paste the contents in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • ESET log
  • Security Check log
  • How is your computer running?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#10 m618


Posted 23 October 2016 - 09:11 AM

Dear Gary,
 
 
ESET.txt
C:\FRST\Quarantine\C\Users\601\AppData\Local\Temp\Offercast_AVIRAV7_.exe.xBAD a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application cleaned by deleting
 
I chose to Uninstall application on close and Delete quarantined files
 

Security Check.txt

(Screen317)



Results of screen317's Security Check version 1.014 --- 12/23/15
Windows 7 Service Pack 1 x86 (UAC is enabled)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
Kaspersky Small Office Security
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Adobe Flash Player 23.0.0.185
Google Chrome (53.0.2785.116)
Google Chrome (53.0.2785.143)
Google Chrome (SetupMetrics...)
````````Process Check: objlist.exe by Laurent````````
Kaspersky Lab Kaspersky Small Office Security 15.0.2 avp.exe
Kaspersky Lab Kaspersky Small Office Security 15.0.2 avpui.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:
````````````````````End of Log``````````````````````
 
Kind regards,
Hetty

Edited by Oh My!, 23 October 2016 - 02:17 PM.


#11 Oh My!


Posted 23 October 2016 - 02:20 PM

Thank you Hetty,

We are all set with this machine. Let me know when you have seen this so that I may close this one.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#12 m618


Posted 24 October 2016 - 12:38 AM

Dear Gary,

 

Is the machine all set because the application found by ESET was uninstalled? If yes, you may close the topic. Thank you.

 

Kind regards,

Hetty 



#13 Oh My!


Posted 24 October 2016 - 08:39 AM

Hi Hetty,

We are all set because the computer is clean and up to date. The ESET results were very minor and detected something annoying rather than malicious.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#14 Oh My!


Posted 24 October 2016 - 08:40 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users