s-1-5-21 virus


This topic is locked. 30 replies to this topic.

#1 DJKdjk (Members, 21 posts)
Posted 16 March 2017 - 05:05 AM

Hello Bleepingcomputer,

My Windows 10 computer has been infected by an S-1-5-21 virus. At first my Avira kept sending me "registry blocked" notices, but once it put my ThinkPad into sleep mode for 5 seconds, so that's quite serious.

When I scan with Avira nothing gets found. I found it in the Chrome icon, under Security, and there was a new user.

I am deeply troubled. What should I do first? Perform a FRST scan? I also searched on Google and found my virus had a new user ID: s-1-5-21-4268989845-4028146873-3326386853-1000

Thank you so much in advance!


Edited by DJKdjk, 16 March 2017 - 08:00 AM.




#2 DJKdjk (Topic Starter)
Posted 16 March 2017 - 05:19 AM

Also: I found it infected all shortcuts in C:\Users\Public\Desktop.



#3 DJKdjk (Topic Starter)
Posted 16 March 2017 - 06:01 AM

Update: I scanned with Malwarebytes and got the log:

Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 3/16/17
Scan Time: 6:07 PM
Logfile: 新建文本文档(1).txt
Administrator: Yes
 
-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.75
Update Package Version: 1.0.1513
License: Trial
 
-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: DESKTOP-K31PDH6\djk
 
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 464725
Time Elapsed: 14 min, 21 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 6
Adware.ChinAd, HKLM\SOFTWARE\WOW6432NODE\QiLu Inc., Quarantined, [1416], [375034],1.0.1513
PUP.Optional.Ludashi, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\ComputerZ_CN.exe, Quarantined, [2165], [340607],1.0.1513
Adware.ChinAd, HKLM\SOFTWARE\WOW6432NODE\THUNDER NETWORK\Xmp, Quarantined, [1416], [375032],1.0.1513
Adware.ChinAd, HKLM\SOFTWARE\WOW6432NODE\MOZILLAPLUGINS\@xunlei.com/npxunlei;version=1.0.0.2, Quarantined, [1416], [375036],1.0.1513
PUP.Optional.Ludashi, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\ComputerZ_CN.exe, Quarantined, [2165], [340607],1.0.1513
PUP.Optional.Ludashi, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\ComputerZ_x64, Quarantined, [2165], [340210],1.0.1513
 
Registry Value: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 17
Adware.ChinAd, C:\ProgramData\Thunder Network\DownloadLib, Quarantined, [1416], [374745],1.0.1513
Adware.ChinAd, C:\PROGRAMDATA\THUNDER NETWORK, Quarantined, [1416], [374745],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\LiveUpdateLanguage, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\ServiceLoadModule, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan\Pusher\XLUE, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\bho\xl_ext_chrome, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan\Pusher, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\ServiceDlls, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\UserAgent, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\xldqvideo, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\bho, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\PROGRAM FILES (X86)\COMMON FILES\THUNDER NETWORK, Quarantined, [1416], [374929],1.0.1513
 
File: 150
Adware.ChinAd, C:\PROGRAMDATA\THUNDER NETWORK\DOWNLOADLIB\PUB_STORE.DAT, Quarantined, [1416], [374745],1.0.1513
PUP.Optional.OnClickAds, C:\USERS\DJL\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\LOCAL STORAGE\http_onclickads.net_0.localstorage, Quarantined, [18310], [256543],1.0.1513
PUP.Optional.OnClickAds, C:\USERS\DJL\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\LOCAL STORAGE\http_onclickads.net_0.localstorage-journal, Quarantined, [18310], [256543],1.0.1513
Adware.ChinAd, C:\PROGRAM FILES (X86)\COMMON FILES\THUNDER NETWORK\USERAGENT\LIBEXPAT.DLL, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\bho\xl_ext_chrome\atl90.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\bho\xl_ext_chrome\com.xunlei.thunder.json, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\bho\xl_ext_chrome\Microsoft.VC90.ATL.manifest, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\bho\xl_ext_chrome\Microsoft.VC90.CRT.manifest, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\bho\xl_ext_chrome\minizip.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\bho\xl_ext_chrome\msvcp90.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\bho\xl_ext_chrome\msvcr90.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\bho\xl_ext_chrome\uninstall.exe, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\bho\xl_ext_chrome\XLBugHandler.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\bho\xl_ext_chrome\XLBugReport.exe, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\bho\xl_ext_chrome\xl_ext_chrome.exe, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\bho\xl_ext_chrome\zlib1.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan\Pusher\XLUE\atl90.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan\Pusher\XLUE\libexpat.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan\Pusher\XLUE\libpng13.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan\Pusher\XLUE\Microsoft.VC90.ATL.manifest, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan\Pusher\XLUE\Microsoft.VC90.CRT.manifest, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan\Pusher\XLUE\minizip.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan\Pusher\XLUE\msvcp90.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan\Pusher\XLUE\msvcr90.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan\Pusher\XLUE\XLBugHandler.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan\Pusher\XLUE\XLBugReport.exe, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan\Pusher\XLUE\XLFSIO.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan\Pusher\XLUE\XLGraphic.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan\Pusher\XLUE\XLGraphicPlus.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan\Pusher\XLUE\XLLuaRuntime.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan\Pusher\XLUE\XLUE.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan\Pusher\XLUE\XLUEIPC.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan\Pusher\XLUE\XLUEOPC.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan\Pusher\XLUE\XLUEOPS.exe, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan\Pusher\XLUE\zlib1.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan\Pusher\atl90.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan\Pusher\LRTAgent.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan\Pusher\Microsoft.VC90.ATL.manifest, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan\Pusher\Microsoft.VC90.CRT.manifest, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan\Pusher\msvcp90.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan\Pusher\msvcr90.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan\Pusher\pusher.ini, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan\Pusher\sqlite3.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan\Pusher\Uninst.exe, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan\Pusher\xappdisp.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan\Pusher\xappdrv.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan\Pusher\xappex.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan\Pusher\xappllv.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan\Pusher\XAppLuaTool.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan\Pusher\xappmon.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan\Pusher\XmpTipWnd.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan\Pusher\XmpTipWnd.exe, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan\StreamI.cfg, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\XLBugHandler.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\atl90.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\latest_stat.xml, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\libexpat.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\Microsoft.VC90.ATL.manifest, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\Microsoft.VC90.CRT.manifest, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\minizip.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\msvcp90.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\msvcr90.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\stat.xml, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\tdservicedelegate.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\tdshareddata.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\thunder_stat.xml, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\tps.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\UnInstall.exe, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\XLBugReport.exe, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\XLDocSer.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\XLFSIO.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\XLLuaRuntime.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\XLServiceLoadPlatform_7.9.43.ini, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\XLSP.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\xlstat.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\XLURLSnifferManager.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\XLWFPConfig.xml, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\XLWFPConfig_7.9.43.xml, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\XLWFPDOWNLOAD-SSID-{DB09E578-4ECF-486e-90A5-505A33219F71}_7.9.43.xml, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\XLWFPDownload.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\XLWFPManager.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\zlib1.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\al.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\asyn_download_interface.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\asyn_frame.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\atl71.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\auto_update.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\backend_agent.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\bt_kernel.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\dl_peer_id.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\dl_uac_tool.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\DownloadServerNeedFileList.dat, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\download_interface.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\down_dispatcher.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\dphubt.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\dtnet.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\emule_kernel.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\fs.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\libexpat.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\MediaFileHeaderFirst.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\MediaParser.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\media_data.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\Microsoft.VC90.CRT.manifest, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\minizip.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\mini_unzip_dll.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\module_downloader.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\module_downloader.ini, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\mp.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\msvcp71.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\msvcp90.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\msvcr71.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\msvcr90.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\p2p.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\p2p_local_res.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\p2p_session_com.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\p2p_upload.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\p2sp.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\ptl.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\ptl_proxy.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\sl.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\stream.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\TA.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\task_report.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\TDPRepair.exe, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\ThunderPlatform.exe, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\tp_doctor.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\tp_proxy.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\ts.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\UACTool.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\upnp.exe, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\utl.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\VodData.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\XLBugHandler.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\XLBugReport.exe, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\XLCrypto.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\xldc.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\xldcagent.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\XLFSIO.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\XLLuaRuntime.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\xl_client.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\xl_data.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\xl_data_warehouse.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\zlib1.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\download_engine.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\p2p_cloud.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\1.1.2.264_1111\ThunderFW.exe, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\TP\Ver1\tp_install.history, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\UserAgent\UserAgent.ini, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\UserAgent\UserAgent2.0.2.18.dll, Quarantined, [1416], [374929],1.0.1513
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\xldqvideo\pusher, Quarantined, [1416], [374929],1.0.1513
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)


#4 DJKdjk (Topic Starter)
Posted 16 March 2017 - 06:03 AM

And it is not solved. Still, s-1-5-21 is in the chrome.lnk file.
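As an added example (not code from the thread or from BleepingComputer staff), here is the triage a practitioner would run before assuming an unfamiliar S-1-5-21 identifier is a "virus". S-1-5-21-<machine or domain identifier>-<RID> is the SID format of an ordinary user account; RIDs of 1000 and above belong to accounts created after Windows setup, so -1000 is normally the first user account made on the machine. Explorer's Security tab shows the raw SID instead of a name only when Windows cannot map it to an account (deleted account, or an account from another machine or domain). The script resolves the SID, compares its prefix with this machine's own, and then reports, for every shortcut in C:\Users\Public\Desktop, the owner, whether that SID holds an explicit ACE, and the target and arguments the .lnk really launches, since adware commonly appends a URL to a browser shortcut's arguments. It assumes Windows 10 with Windows PowerShell 5.1 and the built-in LocalAccounts module; the SID and folder are the ones quoted in the posts above and are the only inputs to change.

```powershell
# Added example, not from the thread. Triage of an unfamiliar S-1-5-21 SID
# and of the shortcuts it appears on. Assumes Windows 10, PowerShell 5.1,
# and the built-in LocalAccounts module (Get-LocalUser).
$Sid         = 'S-1-5-21-4268989845-4028146873-3326386853-1000'   # from post #1
$ShortcutDir = 'C:\Users\Public\Desktop'                           # from post #2

function ConvertTo-SidString {
    # String SID for any IdentityReference (NTAccount or SID); $null if the
    # name cannot be mapped (deleted account, foreign machine or domain).
    param([System.Security.Principal.IdentityReference]$Identity)
    try { $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $null }
}

function Resolve-SidInfo {
    # Resolve the SID to an account name and say whether its prefix matches
    # this machine's own SID (shared by every local account).
    param([string]$SidString)
    $sidObj = [System.Security.Principal.SecurityIdentifier]$SidString
    try   { $name = $sidObj.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '(does not resolve on this machine)' }
    $localUsers    = @(Get-LocalUser)
    $machinePrefix = $localUsers[0].SID.AccountDomainSid.Value
    [pscustomobject]@{
        Sid            = $SidString
        ResolvesTo     = $name
        Rid            = ($SidString -split '-')[-1]
        MachinePrefix  = $machinePrefix
        IsLocalPrefix  = ($sidObj.AccountDomainSid.Value -eq $machinePrefix)
        LocalAccounts  = ($localUsers | ForEach-Object { '{0}={1}' -f $_.Name, $_.SID.Value }) -join '; '
    }
}

function Get-ShortcutReport {
    # For each .lnk: owner, whether $SidString holds a non-inherited ACE, and
    # the real target/arguments. An explicit ACE for a user SID on a file in
    # the Public Desktop usually means that account created or rewrote it.
    param([string]$Folder, [string]$SidString)
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -LiteralPath $Folder -Filter '*.lnk' | ForEach-Object {
        $acl  = Get-Acl -LiteralPath $_.FullName
        $aces = @($acl.Access | Where-Object {
            -not $_.IsInherited -and (ConvertTo-SidString $_.IdentityReference) -eq $SidString
        })
        $lnk = $shell.CreateShortcut($_.FullName)
        [pscustomobject]@{
            Shortcut      = $_.Name
            LastWriteTime = $_.LastWriteTime
            Owner         = $acl.Owner
            ExplicitAce   = ($aces.Count -gt 0)
            Target        = $lnk.TargetPath
            Arguments     = $lnk.Arguments   # a URL here is the classic shortcut hijack
        }
    }
}

Resolve-SidInfo -SidString $Sid | Format-List
Get-ShortcutReport -Folder $ShortcutDir -SidString $Sid | Format-List
```

Read the first block before the second: if ResolvesTo is a normal account and IsLocalPrefix is True, the SID is simply one of this machine's users and not evidence of malware by itself; the shortcut report is where a hijacked target or an unexpected Arguments value would show up.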



#5 DJKdjk (Topic Starter)
Posted 16 March 2017 - 07:01 AM

Other symptoms: whenever I open Avira, or charge my battery, or finish a Malwarebytes scan, Avira would pop up and say "registry blocked".

My Chrome New Tab appeared as "chrome://newtab" instead of "New Tab". 



#6 nasdaq (Malware Response Team, 40,182 posts, Montreal, QC. Canada)
Posted 16 March 2017 - 08:21 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.

Click the Add reply button.
===


Please post the logs.

Wait for further instructions.

#7 DJKdjk (Topic Starter)
Posted 16 March 2017 - 08:06 PM

Hello, I am in China so I use GMT+8. Sorry for the inconvenience.

Here is the FRST.txt

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-03-2017
Ran by djk (administrator) on DESKTOP-K31PDH6 (17-03-2017 08:58:08)
Running from C:\Users\DJL\Desktop
Loaded Profiles: djk (Available Profiles: djk)
Platform: Windows 10 Home China Version 1607 (X64) Language: 中文(简体,中国)
Internet Explorer Version 11 (Default browser: "C:\Users\DJL\AppData\Local\Avira\Scout\Application\scout.exe" -- "%1")
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Lenovo.) C:\Windows\System32\ibmpmsvc.exe
(Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_1ee0e91871b217e3\igfxCUIService.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\sched.exe
(Adobe Systems, Incorporated) C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avguard.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Security Assist\isaHelperService.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Autodesk, Inc.) C:\Program Files\Autodesk\Content Service\Connect.Service.ContentService.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\SoftwareUpdater\Avira.SoftwareUpdater.ServiceHost.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(Intel Corporation) C:\Windows\System32\ibtsiva.exe
() C:\Program Files (x86)\HiSuite\HandSetService\HuaweiHiSuiteService64.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\VIRTSCRL\lvvsst.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\tphkload.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.SpeedupService.exe
() C:\Program Files\Lenovo\Lenovo Mouse Suite\Service\PelService.exe
() C:\Program Files\Dolby\Dolby DAX2\DAX2_API\DolbyDAX2API.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\micmute.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
(Intel) C:\Program Files\Intel Corporation\USB over IP\bin\UoipService.exe
(Lenovo(Beijing) limited.) C:\Program Files (x86)\Lenovo Drivers Management\lenovodrvsrv.exe
(Microsoft Corporation) C:\Windows\System32\Locator.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\tpnumlkd.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\tposd.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\shtctky.exe
(Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_1ee0e91871b217e3\igfxEM.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
(Synaptics) C:\Program Files\Synaptics\SynTP\SynLenovoHelper.exe
(Lenovo(Beijing) limited.) C:\Program Files (x86)\Lenovo Drivers Management\lenovodrvtray.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
() C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.12.112.0_x64__kzf8qxf38zg5c\SkypeHost.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersServer.exe
(Microsoft Corporation) C:\Windows\System32\InputMethod\CHS\ChsIME.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\ImController\PluginHost\Lenovo.Modern.ImController.PluginHost.SettingsApp.exe
(Lenovo Group Limited) C:\Program Files (x86)\Lenovo\ImController\PluginHost\Lenovo.Modern.ImController.PluginHost.SettingsApp.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\ImController\PluginHost\Lenovo.Modern.ImController.PluginHost.SettingsApp.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avshadow.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
(Lenovo.) C:\Windows\System32\TpShocks.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe
(Primax Electronics Ltd.) C:\Program Files\Lenovo\Lenovo Mouse Suite\ICO.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Adobe Systems, Incorporated) C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avgnt.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
() C:\Users\DJL\AppData\Roaming\baidu\BaiduYunGuanjia\yundetectservice.exe
() C:\Users\DJL\AppData\Roaming\Lantern\lantern.exe
() C:\Users\DJL\AppData\Roaming\Lantern\lantern.exe
(Avira Operations GmbH & Co. KG) C:\Users\DJL\AppData\Local\Avira\Scout Update\ScoutUpdate.exe
(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE
(Valve Corporation) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Microsoft® Windows® Operating System) C:\Windows\System32\Taskmgr.exe
() C:\Program Files\Lenovo\Lenovo Mouse Suite\FSRremoS.EXE
(Primax Electronics Ltd.) C:\Program Files\Lenovo\Lenovo Mouse Suite\PELMICED.EXE
() C:\Program Files\Lenovo\Lenovo Mouse Suite\Service\PelElvDm.exe
(Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\ipmgui.exe
(Lenovo) C:\Program Files\Lenovo\Lenovo Solution Center\LSCNotify.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Lenovo) C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [508128 2016-01-07] (Adobe Systems Incorporated)
HKLM\...\Run: [Daemon for Mouse Suite] => C:\Program Files\Lenovo\Lenovo Mouse Suite\ICO.EXE [94528 2015-08-24] (Primax Electronics Ltd.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [176440 2017-01-19] (Apple Inc.)
HKLM\...\Run: [avgnt] => C:\Program Files (x86)\Avira\Antivirus\avgnt.exe [917576 2016-12-19] (Avira Operations GmbH & Co. KG)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [2780112 2017-01-20] (Malwarebytes)
HKU\S-1-5-21-4268989145-4028146873-3326586853-1001\...\Run: [BaiduYunDetect] => C:\Users\DJL\AppData\Roaming\baidu\BaiduYunGuanjia\YunDetectService.exe [1051680 2017-01-09] ()
HKU\S-1-5-21-4268989145-4028146873-3326586853-1001\...\Run: [Lantern] => C:\Users\DJL\AppData\Roaming\Lantern\lantern.exe [15832864 2017-02-09] ()
HKU\S-1-5-21-4268989145-4028146873-3326586853-1001\...\Run: [Avira Scout Update] => C:\Users\DJL\AppData\Local\Avira\Scout Update\ScoutUpdate.exe [157656 2016-09-07] (Avira Operations GmbH & Co. KG)
HKU\S-1-5-21-4268989145-4028146873-3326586853-1001\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [3019552 2017-03-14] (Valve Corporation)
HKU\S-1-5-21-4268989145-4028146873-3326586853-1001\...\Policies\Explorer: [] 
HKU\S-1-5-21-4268989145-4028146873-3326586853-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\WINDOWS\system32\scrnsave.scr [37376 2016-07-16] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [AAADesktopTips] -> {4562B511-62E9-4533-B7B2-56A8BB10B482} => C:\Users\Public\Thunder Network\KanKan\reghelper\xappex.1.1.1.85.(226).dll [2016-04-21] (深圳市迅雷网络技术有限公司)
ShellIconOverlayIdentifiers: [AutoCAD Digital Signatures Icon Overlay Handler] -> {36A21736-36C2-4C11-8ACB-D4136F2B57BD} => C:\Windows\system32\AcSignIcon.dll [2015-02-06] (Autodesk, Inc.)
Startup: C:\Users\DJL\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\发送至 OneNote.lnk [2016-11-05]
ShortcutTarget: 发送至 OneNote.lnk -> C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\DJL\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\发送至 OneNote.lnk [2016-11-05]
ShortcutTarget: 发送至 OneNote.lnk -> C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE (Microsoft Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
AutoConfigURL: [S-1-5-21-4268989145-4028146873-3326586853-1001] => hxxp://localhost:53580/proxy_on.pac?nocache=1489712169992367600&token=9349eb082aa9a32aa04bdba5cac1d1ab
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 218.85.157.99 218.85.152.99
Tcpip\..\Interfaces\{142508aa-3dcb-4d9b-b8d2-803418b90997}: [DhcpNameServer] 218.85.157.99 218.85.152.99
Tcpip\..\Interfaces\{b45d6d5a-95d1-4602-9bc7-1e46a21588a4}: [DhcpNameServer] 192.168.1.1 192.168.1.1
ManualProxies: 0hxxp://localhost:53580/proxy_on.pac?nocache=1489712169992367600&token=9349eb082aa9a32aa04bdba5cac1d1ab
 
Internet Explorer:
==================
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = 
HKU\S-1-5-21-4268989145-4028146873-3326586853-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://lenovo15.msn.com/?pc=LCTE
HKU\S-1-5-21-4268989145-4028146873-3326586853-1001\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://www.thinkworld.com.cn
SearchScopes: HKU\S-1-5-21-4268989145-4028146873-3326586853-1001 -> {B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2} URL = hxxps://www.baidu.com/s?wd={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&abar=2&tn=79081068_oem_dg
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office16\OCHelper.dll [2015-07-31] (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_101\bin\ssv.dll [2016-07-23] (Oracle Corporation)
BHO: Adobe Acrobat Create PDF Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\DC\x64\AcroIEFavStub.dll [2015-03-17] (Adobe Systems Incorporated)
BHO: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office16\GROOVEEX.DLL [2015-07-31] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_101\bin\jp2ssv.dll [2016-07-23] (Oracle Corporation)
BHO: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\DC\x64\AcroIEFavStub.dll [2015-03-17] (Adobe Systems Incorporated)
BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\Office16\OCHelper.dll [2015-07-31] (Microsoft Corporation)
BHO-x32: Adobe Acrobat Create PDF Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\DC\AcroIEFavStub.dll [2015-03-17] (Adobe Systems Incorporated)
BHO-x32: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\Office16\GROOVEEX.DLL [2015-07-31] (Microsoft Corporation)
BHO-x32: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\DC\AcroIEFavStub.dll [2015-03-17] (Adobe Systems Incorporated)
Toolbar: HKLM - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\DC\x64\AcroIEFavStub.dll [2015-03-17] (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\DC\AcroIEFavStub.dll [2015-03-17] (Adobe Systems Incorporated)
Handler-x32: mso-minsb.16 - {3459B272-CC19-4448-86C9-DDC3B4B2FAD3} - C:\Program Files (x86)\Microsoft Office\Office16\MSOSB.DLL [2015-07-31] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\Office16\MSOSB.DLL [2015-07-31] (Microsoft Corporation)
 
FireFox:
========
FF ProfilePath: C:\Users\DJL\AppData\Roaming\Mozilla\Firefox\Profiles\J28NQ7TJ.default [2016-09-18]
FF Extension: (Avira Browser Safety) - C:\Users\DJL\AppData\Roaming\Mozilla\Firefox\Profiles\J28NQ7TJ.default\Extensions\abs@avira.com [2016-07-18]
FF Extension: (Avira SafeSearch Plus) - C:\Users\DJL\AppData\Roaming\Mozilla\Firefox\Profiles\J28NQ7TJ.default\Extensions\safesearchplus2@avira.com [2016-09-19]
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\Browser\WCFirefoxExtn
FF Extension: (Adobe Acrobat DC - Create PDF) - C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\Browser\WCFirefoxExtn [2017-03-15] [not signed]
FF Plugin: @java.com/DTPlugin,version=11.101.2 -> C:\Program Files\Java\jre1.8.0_101\bin\dtplugin\npDeployJava1.dll [2016-07-23] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.101.2 -> C:\Program Files\Java\jre1.8.0_101\bin\plugin2\npjp2.dll [2016-07-23] (Oracle Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [2015-07-29] (Adobe Systems)
FF Plugin-x32: @baidu.com/YunWebDetectPlugin -> C:\Users\DJL\AppData\Roaming\baidu\BaiduYunGuanjia\npYunWebDetect.dll [2017-01-09] (Baidu.com, Inc.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=5.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2016-03-17] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2016-03-17] (Intel Corporation)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2015-07-31] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office16\NPSPWRAP.DLL [2015-07-31] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2016-12-29] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2016-12-29] (NVIDIA Corporation)
FF Plugin-x32: @qq.com/npchrome -> C:\Program Files (x86)\Common Files\Tencent\Npchrome\npchrome.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-17] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-17] (Google Inc.)
FF Plugin-x32: @wolfram.com/Mathematica -> C:\Program Files (x86)\Common Files\Wolfram Research\Browser\9.0.1.4108024\npmathplugin.dll [2013-02-13] (Wolfram Research, Inc.)
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\Air\nppdf32.dll [2015-03-17] (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll [2015-07-29] (Adobe Systems)
FF Plugin HKU\S-1-5-21-4268989145-4028146873-3326586853-1001: @1.qq.com/npqqwebgame -> C:\Users\DJL\AppData\Roaming\Tencent\WebGamePlugin\1.0.4.3\npqqwebgame.dll [No File]
FF Plugin HKU\S-1-5-21-4268989145-4028146873-3326586853-1001: @scout.avira-update.com/Avira Scout Update;version=3 -> C:\Users\DJL\AppData\Local\Avira\Scout Update\1.3.31.5\npScoutUpdate3.dll [2016-11-23] (Avira Operations GmbH & Co. KG)
FF Plugin HKU\S-1-5-21-4268989145-4028146873-3326586853-1001: @scout.avira-update.com/Avira Scout Update;version=9 -> C:\Users\DJL\AppData\Local\Avira\Scout Update\1.3.31.5\npScoutUpdate3.dll [2016-11-23] (Avira Operations GmbH & Co. KG)
FF Plugin HKU\S-1-5-21-4268989145-4028146873-3326586853-1001: @xunlei.com/npxunlei;version=1.0.0.2 -> C:\Program Files (x86)\Thunder Network\Thunder\Data\npxunlei1.0.0.2.dll [No File]
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2015-07-31] (Microsoft Corporation)
 
Chrome: 
=======
CHR DefaultSearchURL: Default -> hxxps://search.avira.net/#web/result?source=omnibar&q={searchTerms}
CHR DefaultSearchKeyword: Default -> Avira
CHR DefaultSuggestURL: Default -> hxxps://search.avira.net/suggestions?q={searchTerms}&li=ff&hl=en
CHR Profile: C:\Users\DJL\AppData\Local\Google\Chrome\User Data\Default [2017-03-17]
CHR Extension: (WOT: Web of Trust, Website Reputation Ratings) - C:\Users\DJL\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhmmomiinigofkjcapegjjndpbikblnp [2017-02-28]
CHR Extension: (Tampermonkey) - C:\Users\DJL\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo [2016-12-15]
CHR Extension: (Adobe Acrobat) - C:\Users\DJL\AppData\Local\Google\Chrome\User Data\Default\Extensions\efaidnbmnnnibpcajpcglclefindmkaj [2017-03-04]
CHR Extension: (Video Downloader professional) - C:\Users\DJL\AppData\Local\Google\Chrome\User Data\Default\Extensions\elicpjhcidhpjomhibiffojpinpmmpil [2016-10-29]
CHR Extension: (Sound Pirate) - C:\Users\DJL\AppData\Local\Google\Chrome\User Data\Default\Extensions\idleenniidjlnmnjkjmmnocnkmjibadd [2016-11-30]
CHR Extension: (Take Webpage Screenshots Entirely - FireShot) - C:\Users\DJL\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbpblocgmgfnpjjppndjkmgjaogfceg [2016-11-16]
CHR Extension: (Video Downloader GetThemAll) - C:\Users\DJL\AppData\Local\Google\Chrome\User Data\Default\Extensions\nbkekaeindpfpcoldfckljplboolgkfm [2017-02-26]
CHR Extension: (Chrome Web Store Payments) - C:\Users\DJL\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-10]
CHR Extension: (iZhihu) - C:\Users\DJL\AppData\Local\Google\Chrome\User Data\Default\Extensions\omcldpfdihfogiklcdlopeokkedbhjop [2017-01-22]
CHR Extension: (Chrome Media Router) - C:\Users\DJL\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-08]
CHR Extension: (Sci-Hub) - D:\Sci-Hub [2016-11-02] [UpdateUrl: hxxp://31.184.194.81/update] <==== ATTENTION
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [ipmkfpcnmccejididiaagpgchgjfajgp] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [ipmkfpcnmccejididiaagpgchgjfajgp] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AGSService; C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe [2227312 2017-02-27] (Adobe Systems, Incorporated)
S2 AntiVirMailService; C:\Program Files (x86)\Avira\Antivirus\avmailc7.exe [1089592 2016-12-19] (Avira Operations GmbH & Co. KG)
R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\Antivirus\sched.exe [476736 2016-12-19] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\Antivirus\avguard.exe [476736 2016-12-19] (Avira Operations GmbH & Co. KG)
S2 AntiVirWebService; C:\Program Files (x86)\Avira\Antivirus\avwebg7.exe [1490296 2016-12-19] (Avira Operations GmbH & Co. KG)
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2016-09-22] (Apple Inc.)
R2 Autodesk Content Service; C:\Program Files\Autodesk\Content Service\Connect.Service.ContentService.exe [31160 2015-02-05] (Autodesk, Inc.)
R2 Avira.ServiceHost; C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe [372272 2016-12-29] (Avira Operations GmbH & Co. KG)
R2 AviraPhantomVPN; C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe [310152 2017-02-10] (Avira Operations GmbH & Co. KG)
R2 AviraUpdaterService; C:\Program Files (x86)\Avira\SoftwareUpdater\Avira.SoftwareUpdater.ServiceHost.exe [25232 2016-12-09] (Avira Operations GmbH & Co. KG)
S3 cphs; C:\WINDOWS\System32\DriverStore\FileRepository\igdlh64.inf_amd64_1ee0e91871b217e3\IntelCpHeciSvc.exe [310224 2017-01-11] (Intel Corporation)
S3 cplspcon; C:\WINDOWS\System32\DriverStore\FileRepository\igdlh64.inf_amd64_1ee0e91871b217e3\IntelCpHDCPSvc.exe [488904 2017-01-11] (Intel Corporation)
R2 DAX2API; C:\Program Files\Dolby\Dolby DAX2\DAX2_API\DolbyDAX2API.exe [163328 2016-01-27] () [File not signed]
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1156216 2015-12-09] (NVIDIA Corporation)
R2 HuaweiHiSuiteService64.exe; C:\Program Files (x86)\HiSuite\HandSetService\HuaweiHiSuiteService64.exe [192200 2016-10-12] ()
R2 ibtsiva; C:\WINDOWS\system32\ibtsiva.exe [165616 2015-11-12] (Intel Corporation)
R2 igfxCUIService2.0.0.0; C:\WINDOWS\System32\DriverStore\FileRepository\igdlh64.inf_amd64_1ee0e91871b217e3\igfxCUIService.exe [350672 2017-01-11] (Intel Corporation)
R2 ImControllerService; C:\Program Files\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe [61768 2017-02-15] (Lenovo Group Limited)
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [974632 2016-02-19] (Intel® Corporation)
S3 Intel® Security Assist; C:\Program Files (x86)\Intel\Intel® Security Assist\isa.exe [335360 2016-03-18] (Intel Corporation) [File not signed]
S3 Intel® WiDi SAM; C:\Program Files (x86)\Intel Corporation\Intel WiDi\Intel® Software Asset Manager\bin\IntelSoftwareAssetManagerService.exe [19088 2015-06-16] (Intel Corporation)
R2 IntelUSBoverIP; C:\Program Files\Intel Corporation\USB over IP\bin\UoipService.exe [396992 2015-07-06] (Intel)
R2 isaHelperSvc; C:\Program Files (x86)\Intel\Intel® Security Assist\isaHelperService.exe [8704 2016-03-18] (Intel Corporation) [File not signed]
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [209184 2016-04-05] (Intel Corporation)
R2 Lenovo.VIRTSCRLSVC; C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe [114632 2015-07-13] (Lenovo Group Limited)
R2 LenovoDrvSv; C:\Program Files (x86)\Lenovo Drivers Management\lenovodrvsrv.exe [108472 2015-12-08] (Lenovo(Beijing) limited.)
S3 LSC.Services.SystemService; C:\Program Files\Lenovo\Lenovo Solution Center\App\LSC.Services.SystemService.exe [273232 2016-06-02] (Lenovo)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4355024 2017-01-20] (Malwarebytes)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [268704 2016-04-04] ()
R2 NVDisplay.ContainerLocalSystem; C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe [458176 2016-12-29] (NVIDIA Corporation)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1872504 2015-12-09] (NVIDIA Corporation)
R3 NvStreamNetworkSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe [8185464 2015-12-09] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe [6477432 2015-12-09] (NVIDIA Corporation)
R2 PelService; C:\Program Files\Lenovo\Lenovo Mouse Suite\Service\PelService.exe [187200 2015-08-25] ()
R2 SpeedupService; C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.SpeedupService.exe [26632 2016-09-05] (Avira Operations GmbH & Co. KG)
S3 SUService; C:\Program Files (x86)\Lenovo\System Update\SUService.exe [23416 2017-01-18] ()
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
R2 SynTPEnhService; C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe [266328 2016-11-25] (Synaptics Incorporated)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2016-07-16] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103720 2016-07-16] (Microsoft Corporation)
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3833248 2016-04-04] (Intel® Corporation)
S2 XLServicePlatform; C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\XLSP.dll [X]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 avgntflt; C:\WINDOWS\System32\DRIVERS\avgntflt.sys [151352 2016-12-19] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [153904 2016-12-19] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\WINDOWS\system32\DRIVERS\avkmgr.sys [35488 2016-04-04] (Avira Operations GmbH & Co. KG)
R2 avnetflt; C:\WINDOWS\system32\DRIVERS\avnetflt.sys [78208 2016-04-04] (Avira Operations GmbH & Co. KG)
S3 dg_ssudbus; C:\WINDOWS\system32\DRIVERS\ssudbus.sys [129152 2016-04-25] (Samsung Electronics Co., Ltd.)
R1 ESProtectionDriver; C:\WINDOWS\system32\drivers\mbae64.sys [77408 2017-02-24] ()
U5 hw_usbdev; C:\Windows\System32\Drivers\hw_usbdev.sys [116864 2016-10-12] (Huawei Technologies Co., Ltd.)
R3 ibtusb; C:\WINDOWS\system32\DRIVERS\ibtusb.sys [300304 2015-11-13] (Intel Corporation)
R3 igfx; C:\WINDOWS\System32\DriverStore\FileRepository\igdlh64.inf_amd64_1ee0e91871b217e3\igdkmd64.sys [11041744 2017-01-11] (Intel Corporation)
R2 MBAMChameleon; C:\WINDOWS\system32\drivers\MBAMChameleon.sys [186304 2017-03-17] (Malwarebytes)
R3 MBAMFarflt; C:\WINDOWS\system32\drivers\farflt.sys [111544 2017-03-17] (Malwarebytes)
R3 MBAMProtection; C:\WINDOWS\system32\drivers\mbam.sys [43968 2017-03-17] (Malwarebytes)
R0 MBAMSwissArmy; C:\WINDOWS\System32\drivers\MBAMSwissArmy.sys [251840 2017-03-17] (Malwarebytes)
R3 MBAMWebProtection; C:\WINDOWS\system32\drivers\mwac.sys [92088 2017-03-17] (Malwarebytes)
S3 NetAdapterCx; C:\WINDOWS\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
U5 Netwtw02; C:\Windows\System32\Drivers\Netwtw02.sys [6722320 2015-12-25] (Intel Corporation)
R3 Netwtw04; C:\WINDOWS\System32\drivers\Netwtw04.sys [7136016 2016-04-15] (Intel Corporation)
R3 nvlddmkm; C:\WINDOWS\System32\DriverStore\FileRepository\nvltwu.inf_amd64_dc8ffafad3ea7ddd\nvlddmkm.sys [14190520 2017-01-17] (NVIDIA Corporation)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [19576 2015-12-09] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\WINDOWS\system32\drivers\nvvad64v.sys [50472 2015-08-11] (NVIDIA Corporation)
R3 pelmouse; C:\WINDOWS\system32\DRIVERS\pelmouse.sys [23040 2015-12-17] (TPMX Electronics Ltd.)
R3 pelusblf; C:\WINDOWS\system32\DRIVERS\pelusblf.sys [35328 2015-12-22] (TPMX Electronics Ltd.)
R3 pelvendr; C:\WINDOWS\system32\DRIVERS\pelvendr.sys [11776 2009-11-02] (TPMX Electronics Ltd.)
S3 phidmice; C:\WINDOWS\system32\DRIVERS\phidmice.sys [35328 2015-12-17] (TPMX Electronics Ltd.)
S3 pmouself; C:\WINDOWS\system32\DRIVERS\pmouself.sys [23040 2013-03-26] (TPMX Electronics Ltd.)
S3 pvendrlf; C:\WINDOWS\system32\DRIVERS\pvendrlf.sys [12288 2013-03-26] (TPMX Electronics Ltd.)
R3 RTSPER; C:\WINDOWS\system32\DRIVERS\RtsPer.sys [762584 2015-11-13] (Realsil Semiconductor Corporation)
R3 rtsuvc; C:\WINDOWS\system32\DRIVERS\rtsuvc.sys [3084544 2015-10-19] (Realtek Semiconductor Corp.)
S3 SmbDrv; C:\WINDOWS\System32\drivers\Smb_driver_AMDASF.sys [42088 2015-10-29] (Synaptics Incorporated)
R3 SmbDrvI; C:\WINDOWS\system32\DRIVERS\Smb_driver_Intel.sys [72792 2016-11-25] (Synaptics Incorporated)
S3 ssudmdm; C:\WINDOWS\system32\DRIVERS\ssudmdm.sys [221824 2016-04-25] (Samsung Electronics Co., Ltd.)
R1 SynaMetSMI; C:\WINDOWS\system32\DRIVERS\SynaSmi.sys [38200 2016-06-28] (Windows ® Win 7 DDK provider)
R3 usb3Hub; C:\WINDOWS\System32\drivers\usb3Hub.sys [212056 2015-07-06] (Windows ® Win 7 DDK provider)
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)
R1 XLGuard; C:\WINDOWS\System32\drivers\XLGuard.sys [28432 2016-01-19] (深圳市迅雷网络技术有限公司)
R2 XLWFP; C:\WINDOWS\System32\drivers\xlwfp.sys [56080 2016-01-19] (深圳市迅雷网络技术有限公司)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
NETSVCx32: HpSvc -> no filepath.
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-03-17 08:58 - 2017-03-17 08:58 - 00032859 _____ C:\Users\DJL\Desktop\FRST.txt
2017-03-17 08:58 - 2017-03-17 08:58 - 00000000 ____D C:\Users\DJL\Desktop\FRST-OlderVersion
2017-03-17 08:57 - 2017-03-17 08:58 - 02424832 _____ (Farbar) C:\Users\DJL\Desktop\FRST64.exe
2017-03-17 08:57 - 2017-03-17 08:58 - 00000000 ____D C:\FRST
2017-03-17 08:56 - 2017-03-17 08:56 - 00000000 ___HD C:\Users\Public\Documents\AdobeGC
2017-03-17 08:56 - 2017-03-17 08:56 - 00000000 ___HD C:\OneDriveTemp
2017-03-16 18:58 - 2017-03-16 18:58 - 00025179 _____ C:\Users\DJL\Desktop\新建文本文档(1).txt
2017-03-16 18:53 - 2017-03-17 08:56 - 00092088 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mwac.sys
2017-03-16 18:07 - 2017-03-17 08:56 - 00186304 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMChameleon.sys
2017-03-16 18:07 - 2017-03-17 08:55 - 00111544 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\farflt.sys
2017-03-16 18:07 - 2017-03-17 08:55 - 00043968 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2017-03-16 18:06 - 2017-03-16 18:06 - 00001919 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-03-16 18:06 - 2017-03-16 18:06 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-03-16 18:06 - 2017-03-16 18:06 - 00000000 ____D C:\Program Files\Malwarebytes
2017-03-16 18:06 - 2017-02-24 06:23 - 00077408 _____ C:\WINDOWS\system32\Drivers\mbae64.sys
2017-03-14 18:54 - 2017-03-14 18:54 - 00000000 ____D C:\ProgramData\AVAST Software
2017-03-12 18:47 - 2017-03-12 18:47 - 00007605 _____ C:\Users\DJL\AppData\Local\Resmon.ResmonCfg
2017-03-06 22:15 - 2017-03-06 22:15 - 00000000 ____D C:\Users\DJL\Documents\CCTalk
2017-03-06 22:15 - 2017-03-06 22:15 - 00000000 ____D C:\Users\DJL\AppData\Local\CrashRpt
2017-03-06 22:14 - 2017-03-07 09:14 - 00002089 _____ C:\Users\DJL\Desktop\CCtalk.lnk
2017-03-06 22:14 - 2017-03-06 22:14 - 00000000 ____D C:\Users\DJL\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CCtalk
2017-03-06 22:14 - 2017-03-06 22:14 - 00000000 ____D C:\Program Files (x86)\Hujiang
2017-03-06 22:12 - 2017-03-06 22:15 - 00000000 ____D C:\Users\DJL\AppData\Roaming\Hujiang
2017-03-06 12:00 - 2017-03-07 09:14 - 00001147 _____ C:\Users\DJL\Desktop\格式工厂.lnk
2017-03-06 12:00 - 2017-03-06 12:03 - 00000000 ____D C:\FFOutput
2017-03-06 12:00 - 2017-03-06 12:00 - 00000000 ____D C:\Users\DJL\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\格式工厂
2017-02-25 09:26 - 2017-02-25 09:26 - 00289924 ____H C:\WINDOWS\SysWOW64\mlfcache.dat
2017-02-25 09:25 - 2017-02-25 09:25 - 00000000 ____D C:\Users\DJL\AppData\Local\svchost
2017-02-24 13:10 - 2017-02-24 17:29 - 00000396 _____ C:\WINDOWS\Tasks\NetSpeedGuard.job
2017-02-24 13:10 - 2017-02-24 13:10 - 00003398 _____ C:\WINDOWS\System32\Tasks\bssatask
2017-02-24 13:10 - 2017-02-24 13:10 - 00003102 _____ C:\WINDOWS\System32\Tasks\NetSpeedGuard
2017-02-24 13:09 - 2017-02-25 12:50 - 00000000 ____D C:\Program Files (x86)\BSSAClient
2017-02-24 09:57 - 2017-03-05 22:59 - 00000270 _____ C:\WINDOWS\Tasks\Lenovo Active Protection System.job
2017-02-24 09:57 - 2017-03-05 09:15 - 00002742 _____ C:\WINDOWS\System32\Tasks\Lenovo Active Protection System
2017-02-24 09:57 - 2017-02-24 09:57 - 00000000 ____D C:\Users\Default\AppData\Local\Lenovo
2017-02-24 09:57 - 2017-02-24 09:57 - 00000000 ____D C:\Users\Default User\AppData\Local\Lenovo
2017-02-23 17:38 - 2017-02-24 10:01 - 00000444 _____ C:\WINDOWS\system32\Drivers\etc\hosts.ics
2017-02-21 13:44 - 2017-02-21 13:44 - 00000000 ____D C:\Users\DJL\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\百度网盘
2017-02-17 18:56 - 2017-03-07 08:07 - 00000000 ____D C:\Users\DJL\AppData\LocalLow\uTorrent
2017-02-16 07:39 - 2017-02-16 07:39 - 00000000 ____D C:\Users\DJL\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Avira
2017-02-15 20:26 - 2017-02-15 20:26 - 00257864 _____ (Lenovo Group Limited) C:\WINDOWS\system32\iMDriverHelper.dll
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-03-17 08:56 - 2016-11-04 11:12 - 00000000 ____D C:\Program Files (x86)\Steam
2017-03-17 08:56 - 2016-09-13 19:00 - 00000000 ____D C:\Users\Public\Speedup Sessions
2017-03-17 08:56 - 2016-06-26 13:57 - 00000000 ____D C:\Program Files (x86)\Lenovo Drivers Management
2017-03-17 08:56 - 2016-06-23 10:33 - 00000000 ___RD C:\Users\DJL\OneDrive
2017-03-17 08:55 - 2016-09-18 13:43 - 00251840 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2017-03-17 08:55 - 2016-08-04 12:07 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-03-17 08:55 - 2016-08-04 12:03 - 00000000 ____D C:\Users\DJL
2017-03-17 08:55 - 2016-08-04 12:02 - 00000000 ____D C:\ProgramData\NVIDIA
2017-03-17 08:55 - 2016-08-04 12:01 - 00000000 ____D C:\WINDOWS\system32\SleepStudy
2017-03-16 21:05 - 2016-07-16 14:04 - 03407872 _____ C:\WINDOWS\system32\config\BBI
2017-03-16 21:04 - 2016-07-16 19:36 - 00000000 ____D C:\WINDOWS\CbsTemp
2017-03-16 20:50 - 2016-07-17 06:33 - 02136532 _____ C:\WINDOWS\system32\prfh0804.dat
2017-03-16 20:50 - 2016-07-17 06:33 - 01955654 _____ C:\WINDOWS\system32\prfc0804.dat
2017-03-16 20:50 - 2015-11-03 15:38 - 09183116 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-03-16 20:49 - 2016-11-16 18:03 - 00189939 _____ C:\WINDOWS\system32\InstallUtil.InstallLog
2017-03-16 18:24 - 2016-07-16 19:47 - 00000000 ____D C:\WINDOWS\AppReadiness
2017-03-16 18:06 - 2016-09-18 13:42 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-03-16 16:37 - 2017-02-11 09:56 - 00000000 ____D C:\Users\DJL\AppData\Local\CrashDumps
2017-03-16 16:29 - 2016-07-16 19:47 - 00000000 ___HD C:\Program Files\WindowsApps
2017-03-16 14:45 - 2016-08-10 17:15 - 00000000 ____D C:\Users\DJL\AppData\Local\Battle.net
2017-03-15 22:01 - 2016-06-24 18:33 - 00000000 ____D C:\WINDOWS\system32\MRT
2017-03-15 21:59 - 2016-06-24 18:33 - 138634176 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2017-03-15 07:37 - 2016-07-16 14:04 - 00032768 _____ C:\WINDOWS\system32\config\ELAM
2017-03-14 12:07 - 2016-06-24 17:48 - 00485032 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
2017-03-11 21:12 - 2016-06-20 06:32 - 00000000 ____D C:\ProgramData\Lenovo
2017-03-10 23:01 - 2016-06-23 10:32 - 00000000 ____D C:\Users\DJL\AppData\Local\Packages
2017-03-10 22:09 - 2016-06-25 08:48 - 00000000 ____D C:\Users\DJL\AppData\Roaming\Skype
2017-03-10 13:17 - 2016-07-16 19:49 - 00835576 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2017-03-10 13:17 - 2016-07-16 19:49 - 00177656 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2017-03-07 21:44 - 2016-11-10 19:46 - 00000000 ____D C:\Users\DJL\AppData\Roaming\uTorrent
2017-03-07 09:14 - 2017-01-22 13:06 - 00001185 _____ C:\Users\DJL\Desktop\KeePass 2.lnk
2017-03-07 09:14 - 2016-07-18 13:29 - 00002415 _____ C:\Users\DJL\Desktop\Avira Scout.lnk
2017-03-06 12:00 - 2016-10-26 09:36 - 00000000 ____D C:\Program Files (x86)\FormatFactory
2017-03-05 18:37 - 2016-04-25 06:01 - 00000000 ____D C:\ProgramData\Package Cache
2017-03-05 09:15 - 2017-02-07 12:49 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lenovo ThinkVantage Tools
2017-03-02 22:22 - 2016-06-23 10:32 - 00000000 ____D C:\Users\DJL\AppData\Local\Lenovo
2017-02-28 21:52 - 2016-07-18 09:14 - 00001120 _____ C:\Users\Public\Desktop\Avira Phantom VPN.lnk
2017-02-28 21:52 - 2016-07-18 09:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2017-02-28 19:54 - 2016-12-13 12:25 - 00003286 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task v2
2017-02-28 19:54 - 2016-06-23 10:33 - 00002274 _____ C:\Users\DJL\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-02-23 17:42 - 2016-06-25 13:02 - 00000000 ____D C:\Users\DJL\AppData\Local\ElevatedDiagnostics
2017-02-23 17:38 - 2016-07-16 19:47 - 00000000 ____D C:\WINDOWS\system32\NDF
2017-02-17 08:06 - 2016-08-10 17:20 - 00000000 ____D C:\Users\DJL\Documents\StarCraft II
2017-02-17 08:06 - 2016-08-10 17:10 - 00000000 ____D C:\Users\DJL\AppData\Roaming\Battle.net
2017-02-15 14:10 - 2016-07-08 13:08 - 00000000 ____D C:\Users\DJL\AppData\Local\Eclipse
2017-02-15 14:10 - 2016-07-08 13:08 - 00000000 ____D C:\Users\DJL\.p2
 
==================== Files in the root of some directories =======
 
2016-07-14 08:54 - 2016-07-14 08:54 - 0003173 _____ () C:\Program Files (x86)\UpdateCfg.ini
2016-09-02 15:03 - 2016-09-01 19:03 - 2710480 _____ (淘宝) C:\Users\DJL\AppData\Roaming\DandelionSetup.exe
2016-09-07 10:06 - 2016-10-20 18:09 - 0000347 _____ () C:\Users\DJL\AppData\Local\Perfmon.PerfmonCfg
2017-03-12 18:47 - 2017-03-12 18:47 - 0007605 _____ () C:\Users\DJL\AppData\Local\Resmon.ResmonCfg
2017-01-20 14:13 - 2017-01-20 14:13 - 0000000 _____ () C:\Users\DJL\AppData\Local\{4A8F1C51-8A0A-4826-8B75-C665013D595D}
2016-07-18 13:31 - 2016-07-18 13:31 - 0000000 _____ () C:\Users\DJL\AppData\Local\{A1343A0B-F52E-459C-AB75-80287A022EC1}
2016-08-04 12:02 - 2016-08-04 12:02 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2016-10-15 13:07 - 2016-10-15 13:07 - 0000133 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.351.32.bc
2016-07-08 13:28 - 2016-07-08 13:28 - 0000133 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.351.64.bc
2016-08-04 12:02 - 2016-08-04 12:02 - 0000102 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.64.bc
 
Some files in TEMP:
====================
2016-08-04 12:12 - 2016-09-19 07:56 - 0000000 ____D () C:\Users\DJL\AppData\Local\Temp\avgnt.exe
2017-03-06 11:56 - 2017-03-06 11:59 - 47616432 _____ (Free Time Co., Ltd) C:\Users\DJL\AppData\Local\Temp\FFSetupLatest.exe
2016-11-18 11:59 - 2016-11-17 18:48 - 11572656 _____ (SurfRight B.V.) C:\Users\DJL\AppData\Local\Temp\HitmanPro.exe
2016-09-21 09:01 - 2017-02-15 21:23 - 16840704 _____ () C:\Users\DJL\AppData\Local\Temp\SkypeSetup.exe
2017-01-09 22:22 - 2017-01-09 22:31 - 5046894 _____ () C:\Users\DJL\AppData\Local\Temp\{F79E43F1-6E8D-47AA-91FA-AD3D1B6E320B}-mini_installer_16.11.2883.2017.exe
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-03-13 18:41
 
==================== End of FRST.txt ============================
 
addition.txt is in the attachment.




#8 DJKdjk

DJKdjk
  • Topic Starter

  • Members
  • 21 posts
  • Local time:07:45 PM

Posted 16 March 2017 - 08:50 PM

Also: I got a Windows update (KB4013429) yesterday and I can't install it. Stuck at Preparing Windows when I turned it off.

 

Update: computer restarted just now and it is installed. Should I perform another FRST scan?


Edited by DJKdjk, 17 March 2017 - 04:24 AM.


#9 nasdaq

nasdaq

  • Malware Response Team
  • 40,182 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:45 AM

Posted 17 March 2017 - 10:10 AM

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

AutoConfigURL: [S-1-5-21-4268989145-4028146873-3326586853-1001] => hxxp://localhost:53580/proxy_on.pac?nocache=1489712169992367600&token=9349eb082aa9a32aa04bdba5cac1d1ab
ManualProxies: 0hxxp://localhost:53580/proxy_on.pac?nocache=1489712169992367600&token=9349eb082aa9a32aa04bdba5cac1d1ab
SearchScopes: HKU\S-1-5-21-4268989145-4028146873-3326586853-1001 -> {B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2} URL = hxxps://www.baidu.com/s?wd={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&abar=2&tn=79081068_oem_dg
FF Plugin-x32: @qq.com/npchrome -> C:\Program Files (x86)\Common Files\Tencent\Npchrome\npchrome.dll [No File]
FF Plugin HKU\S-1-5-21-4268989145-4028146873-3326586853-1001: @1.qq.com/npqqwebgame -> C:\Users\DJL\AppData\Roaming\Tencent\WebGamePlugin\1.0.4.3\npqqwebgame.dll [No File]
FF Plugin HKU\S-1-5-21-4268989145-4028146873-3326586853-1001: @xunlei.com/npxunlei;version=1.0.0.2 -> C:\Program Files (x86)\Thunder Network\Thunder\Data\npxunlei1.0.0.2.dll [No File]
CHR Extension: (Chrome Web Store Payments) - C:\Users\DJL\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-10]
CHR Extension: (Chrome Media Router) - C:\Users\DJL\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-08]
CHR Extension: (Sci-Hub) - D:\Sci-Hub [2016-11-02] [UpdateUrl: hxxp://31.184.194.81/update] <==== ATTENTION
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [ipmkfpcnmccejididiaagpgchgjfajgp] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [ipmkfpcnmccejididiaagpgchgjfajgp] - hxxps://clients2.google.com/service/update2/crx
S2 XLServicePlatform; C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\XLSP.dll [X]
NETSVCx32: HpSvc -> no filepath.
CustomCLSID: HKU\S-1-5-21-4268989145-4028146873-3326586853-1001_Classes\CLSID\{4553208E-9C27-4CC9-872B-12B6AFB7C208}\InprocServer32 -> C:\Users\DJL\AppData\Local\Avira\Scout Update\1.3.29.5\psuser_64.dll => No File

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after these updates remove these old version(s) via the Control Panel > Programs > Programs and Features.
Java 8 Update 101 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F64180101F0}) (Version: 8.0.1010.13 - Oracle Corporation)
Java SE Development Kit 8 Update 91 (64-bit) (HKLM\...\{64A3A4F4-B792-11D6-A78A-00B0D0180910}) (Version: 8.0.910.14 - Oracle Corporation)

Please post the Fixlog.txt and let me know what problem persists.

#10 DJKdjk

DJKdjk
  • Topic Starter

  • Members
  • 21 posts
  • Local time:07:45 PM

Posted 17 March 2017 - 09:10 PM

My Fixlog.txt:
Fix result of Farbar Recovery Scan Tool (x64) Version: 15-03-2017
Ran by djk (18-03-2017 09:49:43) Run:1
Running from C:\Users\DJL\Desktop
Loaded Profiles: djk (Available Profiles: djk)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
AutoConfigURL: [S-1-5-21-4268989145-4028146873-3326586853-1001] => hxxp://localhost:53580/proxy_on.pac?nocache=1489712169992367600&token=9349eb082aa9a32aa04bdba5cac1d1ab
ManualProxies: 0hxxp://localhost:53580/proxy_on.pac?nocache=1489712169992367600&token=9349eb082aa9a32aa04bdba5cac1d1ab
SearchScopes: HKU\S-1-5-21-4268989145-4028146873-3326586853-1001 -> {B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2} URL = hxxps://www.baidu.com/s?wd={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&abar=2&tn=79081068_oem_dg
FF Plugin-x32: @qq.com/npchrome -> C:\Program Files (x86)\Common Files\Tencent\Npchrome\npchrome.dll [No File]
FF Plugin HKU\S-1-5-21-4268989145-4028146873-3326586853-1001: @1.qq.com/npqqwebgame -> C:\Users\DJL\AppData\Roaming\Tencent\WebGamePlugin\1.0.4.3\npqqwebgame.dll [No File]
FF Plugin HKU\S-1-5-21-4268989145-4028146873-3326586853-1001: @xunlei.com/npxunlei;version=1.0.0.2 -> C:\Program Files (x86)\Thunder Network\Thunder\Data\npxunlei1.0.0.2.dll [No File]
CHR Extension: (Chrome Web Store Payments) - C:\Users\DJL\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-10]
CHR Extension: (Chrome Media Router) - C:\Users\DJL\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-08]
CHR Extension: (Sci-Hub) - D:\Sci-Hub [2016-11-02] [UpdateUrl: hxxp://31.184.194.81/update] <==== ATTENTION
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [ipmkfpcnmccejididiaagpgchgjfajgp] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [ipmkfpcnmccejididiaagpgchgjfajgp] - hxxps://clients2.google.com/service/update2/crx
S2 XLServicePlatform; C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\XLSP.dll [X]
NETSVCx32: HpSvc -> no filepath.
CustomCLSID: HKU\S-1-5-21-4268989145-4028146873-3326586853-1001_Classes\CLSID\{4553208E-9C27-4CC9-872B-12B6AFB7C208}\InprocServer32 -> C:\Users\DJL\AppData\Local\Avira\Scout Update\1.3.29.5\psuser_64.dll => No File
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKU\S-1-5-21-4268989145-4028146873-3326586853-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\AutoConfigURL => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\ManualProxies\\ => value removed successfully
HKU\S-1-5-21-4268989145-4028146873-3326586853-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2} => key removed successfully
HKCR\CLSID\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2} => key not found. 
HKLM\Software\Wow6432Node\MozillaPlugins\@qq.com/npchrome => key removed successfully
HKU\S-1-5-21-4268989145-4028146873-3326586853-1001\Software\MozillaPlugins\@1.qq.com/npqqwebgame => key removed successfully
C:\Users\DJL\AppData\Roaming\Tencent\WebGamePlugin\1.0.4.3\npqqwebgame.dll => not found.
HKU\S-1-5-21-4268989145-4028146873-3326586853-1001\Software\MozillaPlugins\@xunlei.com/npxunlei;version=1.0.0.2 => key removed successfully
C:\Program Files (x86)\Thunder Network\Thunder\Data\npxunlei1.0.0.2.dll => not found.
C:\Users\DJL\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
C:\Users\DJL\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => moved successfully
D:\Sci-Hub <==== ATTENTION => not found
HKLM\SOFTWARE\Google\Chrome\Extensions\flliilndjeohchalpbbcdekjklbdgfkk => key removed successfully
HKLM\SOFTWARE\Google\Chrome\Extensions\ipmkfpcnmccejididiaagpgchgjfajgp => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\flliilndjeohchalpbbcdekjklbdgfkk => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ipmkfpcnmccejididiaagpgchgjfajgp => key removed successfully
HKLM\System\CurrentControlSet\Services\XLServicePlatform => key removed successfully
XLServicePlatform => service removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs HpSvc => removed successfully
HKU\S-1-5-21-4268989145-4028146873-3326586853-1001_Classes\CLSID\{4553208E-9C27-4CC9-872B-12B6AFB7C208} => key removed successfully
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 1685408 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 71121334 B
Java, Flash, Steam htmlcache => 504814400 B
Windows/system/drivers => 37237542 B
Edge => 123473813 B
Chrome => 799999179 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 21565 B
LocalService => 354416 B
NetworkService => 32194 B
DJL => 1971435661 B
 
RecycleBin => 5405276 B
EmptyTemp: => 3.3 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 09:55:49 ====
 
After reboot most things seemed normal. However, the user s-1-5-21 still persists in chrome.lnk (very weird). Is it a virus?
Also chrome still uses chrome://newtab instead of New Tab.
 
What became better: no more "registry blocked".
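One check worth doing on a Fixlog like the one above, before declaring the fix done: every fixlist entry gets a verdict after " => ", and "not found" is not the same as "removed successfully". An entry that was not found may simply have been gone already, but it may also sit on a drive that was not mounted at the time (the D:\Sci-Hub extension folder here) and come back when that drive is plugged in. The parser below is an added example for the fixlist procedure in the reply above and the resulting Fixlog; it is not part of FRST, the thread, or BleepingComputer. The sample log is constructed in the shape of the Fixlog.txt FRST writes, with a placeholder SID in the first registry path.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the shape of the Fixlog.txt that FRST writes after a
# fix. The lines mirror the kinds of entries posted in this thread; the SID
# in the first registry path is a placeholder, not a real one.
SAMPLE_FIXLOG = r"""
Restore point was successfully created.
Processes closed successfully.
HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\AutoConfigURL => value removed successfully
HKCR\CLSID\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2} => key not found.
C:\Users\DJL\AppData\Roaming\Tencent\WebGamePlugin\1.0.4.3\npqqwebgame.dll => not found.
C:\Users\DJL\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
D:\Sci-Hub <==== ATTENTION => not found
XLServicePlatform => service removed successfully

=========== EmptyTemp: ==========

Chrome => 799999179 B
EmptyTemp: => 3.3 GB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 09:55:49 ====
"""


@dataclass
class FixResult:
    target: str      # registry key/value, file, folder or service named in the fixlist
    outcome: str     # FRST's verdict with trailing punctuation stripped
    succeeded: bool  # FRST reports it removed or moved the item
    not_found: bool  # the item was not there when FRST looked
    flagged: bool    # the line carried FRST's "<==== ATTENTION" marker


# Every action line has the form "<target> => <verdict>".
ACTION_RE = re.compile(r"^(?P<target>.+?) => (?P<outcome>.+?)\s*$")
ATTENTION = " <==== ATTENTION"


def parse_fixlog(text: str) -> List[FixResult]:
    """One FixResult per action line; the EmptyTemp byte counts are skipped."""
    results: List[FixResult] = []
    in_emptytemp = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("="):
            # Banner lines delimit sections. Only the EmptyTemp section is
            # made of "<cache> => <N> B" size lines, which are not fix actions.
            in_emptytemp = "EmptyTemp:" in line
            continue
        m = ACTION_RE.match(line)
        if m is None or in_emptytemp:
            continue
        target = m.group("target")
        flagged = target.endswith(ATTENTION)
        if flagged:
            target = target[: -len(ATTENTION)]
        outcome = m.group("outcome").rstrip(". ")
        results.append(FixResult(
            target=target,
            outcome=outcome,
            succeeded=outcome.endswith("successfully"),
            not_found="not found" in outcome,
            flagged=flagged,
        ))
    return results


def needs_follow_up(results: List[FixResult]) -> List[str]:
    """Targets FRST did not remove: already gone, on an unmounted drive, or an unknown verdict."""
    return [r.target for r in results if not r.succeeded]


if __name__ == "__main__":
    parsed = parse_fixlog(SAMPLE_FIXLOG)
    print("%d actions, %d succeeded" % (len(parsed), sum(r.succeeded for r in parsed)))
    for target in needs_follow_up(parsed):
        print("check again:", target)
```

Run it against a real Fixlog.txt by reading the file into `parse_fixlog`; anything returned by `needs_follow_up` is what to look at in the next FRST scan, and an entry that was flagged with ATTENTION but reported not found deserves a second scan with every drive attached.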


#11 DJKdjk

DJKdjk
  • Topic Starter

  • Members
  • 21 posts
  • Local time:07:45 PM

Posted 18 March 2017 - 01:24 AM

Another problem:

 

when I search in Chrome several times, the website becomes

 

https://www.google.com/search?q= xxx&rlz=1C1CHBD_enSG710__710&oq=xxx&aqs=chrome..69i57j0l5.1962j0j7&sourceid=chrome&ie=UTF-8#q=yyy&*

 

in which xxx is the thing I searched first and yyy is the thing I just searched.



#12 nasdaq

nasdaq

  • Malware Response Team
  • 40,182 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:45 AM

Posted 18 March 2017 - 09:29 AM

Reset Chrome...
Open Google Chrome, click on the menu icon which is located at the top right of Google Chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.

===

Let's see what we can find in the Registry.

Farbar Recovery Scan Tool (FRST) - Registry Search
Follow the instructions below to download and execute a Registry search on your system with FRST, and provide the log in your next reply.
  • Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds;
  • In the Search text area, copy and paste the following:
s-1-5-21-4268989845-4028146873-3326386853-1000
  • Once done, click on the Search Registry button and wait for FRST to finish the search;
  • On completion, a log will open in Notepad. Copy and paste its content in your next reply;


#13 DJKdjk

DJKdjk
  • Topic Starter

  • Members
  • 21 posts
  • Local time:07:45 PM

Posted 18 March 2017 - 10:29 PM

Sorry, found out it should be s-1-5-21-4268989145-4028146873-3326586853-1000
 
Farbar Recovery Scan Tool (x64) Version: 15-03-2017
Ran by djk (19-03-2017 11:22:49)
Running from C:\Users\DJL\Desktop
Boot Mode: Normal
 
================== Search Registry: "s-1-5-21-4268989145-4028146873-3326586853-1000" ===========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UserManager\Users\1044478]
"Sid"="S-1-5-21-4268989145-4028146873-3326586853-1000"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\features\S-1-5-21-4268989145-4028146873-3326586853-1000]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SystemProtectedUserData\S-1-5-21-4268989145-4028146873-3326586853-1000]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{4D7E73DE-E41A-4F52-BF00-2C597DF56DDB}"="v2.25
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{A9A9DE05-DBD0-411D-8046-A801E0FC0B3D}"="v2.25
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System]
"{74047759-837F-4BD4-842A-1448A0403544}"="v2.25
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System]
"{7A950357-9A05-45AF-B5FA-C377C31296B1}"="v2.25
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System]
"{C4B168AA-178F-4D3E-8CA5-52FFB95427B4}"="v2.25
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System]
"{4AD5145E-7C21-4681-8FC6-EA201A045F19}"="v2.25
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System]
"{E4F37421-FA14-4153-A3A3-769C031BF322}"="v2.25
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System]
"{DB078132-80AC-4BB4-BD32-9AC1442678F1}"="v2.25
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System]
"{43117544-3059-4DD5-A016-E2BF5C18EBDE}"="v2.25
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System]
"{AD1BD6A4-0965-4B69-BB38-E7349A9DB80C}"="v2.25
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System]
"{AE392979-C27A-41A4-A3EE-F3CEBBB89236}"="v2.25
[HKEY_USERS\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-4268989145-4028146873-3326586853-1000]
 
====== End of Search ======


#14 DJKdjk

DJKdjk
  • Topic Starter

  • Members
  • 21 posts
  • Local time:07:45 PM

Posted 18 March 2017 - 11:09 PM

You may want to look at what I found for s-1-5-21-4268989145-4028146873-3326586853

I found that there are 3 users, ending with -1001 (the biggest, I think it's resembling me)

-1000 which is shown above

-500 which only appeared in 3 registries.

Attached Files
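The three entries above are not three pieces of malware but Windows' own security identifiers (SIDs). Every S-1-5-21-X-Y-Z-RID value on one machine shares the same X-Y-Z part (the machine identifier); only the last number, the relative identifier (RID), differs. RID 500 is always the built-in Administrator account, and accounts created after setup are numbered from 1000 upward, so -1000 and -1001 are the first two accounts created on this PC. The script below is an added example for reading FRST's registry search output, not code from FRST or the thread; it also goes beyond this case by labelling a few well-known SIDs (SYSTEM, LOCAL SERVICE, BUILTIN\Administrators) that show up in the same kind of search. The sample search excerpt is constructed in FRST's format, using the SIDs the thread mentions plus one well-known SID.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Identifiers Windows fixes for every installation (not machine-specific).
WELL_KNOWN_SIDS = {
    "S-1-5-18": "NT AUTHORITY\\SYSTEM (LocalSystem)",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}
# Relative identifiers (the last number of an S-1-5-21-... SID) that Windows reserves.
WELL_KNOWN_RIDS = {
    500: "built-in Administrator account",
    501: "built-in Guest account",
    503: "DefaultAccount",
}
FIRST_USER_RID = 1000  # accounts created after setup are numbered from here upward

# Matches a SID anywhere in free text, upper- or lower-case.
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+", re.IGNORECASE)


@dataclass(frozen=True)
class Sid:
    authority: int
    sub_authorities: Tuple[int, ...]

    @property
    def text(self) -> str:
        return "S-1-%d-%s" % (self.authority, "-".join(str(s) for s in self.sub_authorities))

    @property
    def machine_id(self) -> Optional[str]:
        """The S-1-5-21-X-Y-Z prefix shared by every account on one machine (or domain)."""
        subs = self.sub_authorities
        if self.authority == 5 and len(subs) == 5 and subs[0] == 21:
            return "S-1-5-21-%d-%d-%d" % subs[1:4]
        return None

    @property
    def rid(self) -> int:
        return self.sub_authorities[-1]


def parse_sid(s: str) -> Sid:
    parts = s.strip().upper().split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID: %r" % s)
    return Sid(int(parts[2]), tuple(int(p) for p in parts[3:]))


def describe(s: str) -> str:
    """Plain-language meaning of a SID, as far as it can be known without the SAM."""
    sid = parse_sid(s)
    if sid.text in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid.text]
    if sid.machine_id is None:
        return "well-known or non-account SID"
    if sid.rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[sid.rid]
    if sid.rid >= FIRST_USER_RID:
        return "account created on this machine (RID %d)" % sid.rid
    return "reserved RID %d" % sid.rid


def find_sids(text: str) -> List[str]:
    """Unique SIDs mentioned in a block of text, in order of first appearance."""
    seen: List[str] = []
    for m in SID_RE.finditer(text):
        sid = m.group(0).upper()
        if sid not in seen:
            seen.append(sid)
    return seen


def group_by_machine(sids: List[str]) -> Dict[str, List[int]]:
    """Map each machine identifier to the sorted RIDs seen under it."""
    groups: Dict[str, List[int]] = {}
    for s in sids:
        sid = parse_sid(s)
        if sid.machine_id is not None:
            groups.setdefault(sid.machine_id, []).append(sid.rid)
    return {k: sorted(v) for k, v in groups.items()}


# Constructed excerpt in the style of an FRST registry search result, using the
# three SIDs the thread mentions plus one well-known SID.
SAMPLE_SEARCH = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UserManager\Users\1044478]
"Sid"="S-1-5-21-4268989145-4028146873-3326586853-1000"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-4268989145-4028146873-3326586853-1001]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\s-1-5-21-4268989145-4028146873-3326586853-500]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18]
"""

if __name__ == "__main__":
    for sid in find_sids(SAMPLE_SEARCH):
        print(sid, "->", describe(sid))
    print(group_by_machine(find_sids(SAMPLE_SEARCH)))
```

What it cannot tell you is which account name belongs to RID 1000 versus 1001, or whether an account is stale; that is what the ProfileList query in the next reply answers, since each profile key there carries the profile path for its SID.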



#15 nasdaq

nasdaq

  • Malware Response Team
  • 40,182 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:45 AM

Posted 19 March 2017 - 09:09 AM

This xappex.dll was removed by the AdwCleaner tool.
Adware.ChinAd, C:\Program Files (x86)\Common Files\Thunder Network\Kankan\Pusher\xappex.dll, Quarantined, [1416], [374929],1.0.1513

It's still listed in the FRST log. We will remove it.
ShellIconOverlayIdentifiers: [AAADesktopTips] -> {4562B511-62E9-4533-B7B2-56A8BB10B482} => C:\Users\Public\Thunder Network\KanKan\reghelper\xappex.1.1.1.85.(226).dll [2016-04-21] (?????????????)

I will also have a look at all your profiles before suggesting any removal from the registry.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
CloseProcesses:

ShellIconOverlayIdentifiers: [AAADesktopTips] -> {4562B511-62E9-4533-B7B2-56A8BB10B482} => C:\Users\Public\Thunder Network\KanKan\reghelper\xappex.1.1.1.85.(226).dll [2016-04-21] (?????????????)
C:\Users\Public\Thunder Network\KanKan\reghelper\xappex.1.1.1.73.(848).dll
C:\Users\Public\Thunder Network\KanKan\reghelper
C:\Users\Public\Thunder Network\KanKan
C:\Users\Public\Thunder Network

Reg: reg query ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList""

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===



