laptop infected from a downloaded software


This topic is locked. 4 replies to this topic.

#1 james.z

Posted 09 April 2018 - 11:32 PM

Hello, I'm looking for advice and guidance on restoring my laptop to normal. The laptop is running really slowly compared to before, when it would only take a few seconds to boot up or open a program. From the looks of it, I believe there is malicious software at work infecting my laptop. As of right now, I can't do anything on the laptop in normal mode because every time I click on a program, task, or folder, the whole laptop freezes up or something crashes. Luckily it isn't as bad when booting up in Safe Mode, but it is still affecting the speed of the laptop. The following logs were scanned during a Safe Mode boot.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 14.03.2018
Ran by user (administrator) on USER-PC (09-04-2018 22:19:43)
Running from F:\
Loaded Profiles: user (Available Profiles: user)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: 中文(简体,中国) [Chinese (Simplified, China)]
Internet Explorer Version 9 (Default browser: "c:\users\user\appdata\local\liebao\liebao.exe" "%1")
Boot Mode: Safe Mode (minimal)
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM-x32\...\Run: [kxesc] => c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe [2065936 2018-02-09] (Kingsoft Corporation)
HKLM-x32\...\Run: [kwifi] => C:\Program Files (x86)\kingsoft\kwifi\kwifi.exe [2354336 2018-01-02] (Kingsoft Corporation)
HKLM-x32\...\Run: [360Safetray] => C:\Program Files (x86)\360\360Safe\safemon\360tray.exe [398944 2017-12-06] (360.cn)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-18\...\RunOnce: [SPReview] => "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"hxxp://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
GroupPolicy: Restriction <==== ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{4032058B-B4B2-4DB9-92AD-860F4E5B0098}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page = 
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\root\Office16\OCHelper.dll [2018-03-10] (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_121\bin\ssv.dll [2017-02-18] (Oracle Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\root\Office16\URLREDIR.DLL [2018-03-10] (Microsoft Corporation)
BHO: SafeMon Class -> {B69F34DD-F0F9-42DC-9EDD-957187DA688D} -> C:\Program Files (x86)\360\360Safe\safemon\safemon64.dll [2018-02-28] (360.cn)
BHO: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\root\Office16\GROOVEEX.DLL [2018-03-10] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_121\bin\jp2ssv.dll [2017-02-18] (Oracle Corporation)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\OCHelper.dll [2018-03-10] (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\URLREDIR.DLL [2018-03-10] (Microsoft Corporation)
BHO-x32: SafeMon Class -> {B69F34DD-F0F9-42DC-9EDD-957187DA688D} -> C:\Program Files (x86)\360\360Safe\safemon\safemon.dll [2018-03-16] (360.cn)
BHO-x32: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\GROOVEEX.DLL [2018-03-10] (Microsoft Corporation)
Handler: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} -  No File
Handler: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} -  No File
Handler: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2018-03-10] (Microsoft Corporation)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2018-03-10] (Microsoft Corporation)
Handler: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2018-03-10] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2018-03-10] (Microsoft Corporation)
Handler: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2018-03-10] (Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2018-03-10] (Microsoft Corporation)
Handler: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2018-03-10] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2018-03-10] (Microsoft Corporation)
 
FireFox:
========
FF Plugin: @hunantv.com/HunanTVPlugin -> C:\Program Files (x86)\HunanTV\HunanTVPluginsX64.dll [No File]
FF Plugin: @java.com/DTPlugin,version=11.121.2 -> C:\Program Files\Java\jre1.8.0_121\bin\dtplugin\npDeployJava1.dll [2017-02-18] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.121.2 -> C:\Program Files\Java\jre1.8.0_121\bin\plugin2\npjp2.dll [2017-02-18] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\root\Office16\NPSPWRAP.DLL [2018-03-10] (Microsoft Corporation)
FF Plugin-x32: @360.cn/npaxlogin -> C:\Program Files (x86)\360\360Safe\Utils\npaxlogin.dll [2014-04-22] (360.cn)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2015-10-14] ()
FF Plugin-x32: @baidu.com/npxbdcntb -> C:\Program Files (x86)\Baidu\BaiduPinyin\3.4.2717.9\npxbdcntb.dll [No File]
FF Plugin-x32: @hunantv.com/HunanTVPlugin -> C:\Program Files (x86)\HunanTV\HunanTVPlugins.dll [No File]
FF Plugin-x32: @kingsfot.com/npkws -> c:\program files (x86)\kingsoft\kingsoft antivirus\npkws.dll [2018-01-02] (Kingsoft Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2018-03-10] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\NPSPWRAP.DLL [2018-03-10] (Microsoft Corporation)
FF Plugin-x32: @tencent.com/npQQMailWebKit,version=1.0.0.1 -> C:\Program Files (x86)\QQMailPlugin\npQQMailWebKit.dll [No File]
FF Plugin-x32: @tencent.com/nptxftnWebKit,version=1.0.0.1 -> C:\Program Files (x86)\QQMailPlugin\nptxftnWebKit.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.3\npGoogleUpdate3.dll [2017-04-20] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.3\npGoogleUpdate3.dll [2017-04-20] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-07-31] (Adobe Systems Inc.)
FF Plugin HKU\.DEFAULT: @1.qq.com/npqqwebgame -> C:\Windows\system32\config\systemprofile\AppData\Roaming\Tencent\WebGamePlugin\1.0.4.9\npqqwebgame.dll [No File]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S4 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77104 2015-10-06] (Apple Inc.)
S2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [7962800 2018-02-22] (Microsoft Corporation)
S3 dsmainsrv; C:\Program Files (x86)\360\360Safe\deepscan\dsmain.exe [265312 2017-11-22] (360.cn)
S2 knatsvc; C:\Program Files (x86)\kingsoft\kwifi\knatsvc.exe [285272 2017-11-21] (Kingsoft Corporation)
S2 knbcenter; C:\Users\user\AppData\Local\liebao\6.5.115.17898\knbcenter.exe [882936 2018-03-12] (Kingsoft Corporation)
S4 KugouService; C:\Program Files (x86)\KuGou\KGMusic\8.1.51.19889\service.exe [45080 2017-05-15] (酷狗音乐)
S2 kxescore; c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe [314000 2017-11-27] (Kingsoft Corporation)
S4 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4355024 2017-01-20] (Malwarebytes)
S4 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [292568 2014-11-20] (Realtek Semiconductor)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S2 ZhuDongFangYu; C:\Program Files (x86)\360\360Safe\deepscan\ZhuDongFangYu.exe [249952 2018-03-20] (360.cn)
U2 DGPNPSEV; c:\Ksafe\Mydrivers\DriverGenius2013\dgservice.exe [X]
S3 pnphost; C:\Program Files (x86)\DTLSoft\USBBox\pnphost.dll [X]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S1 360AntiHacker; C:\Windows\System32\Drivers\360AntiHacker64.sys [183416 2017-10-25] (360.cn)
S1 360AntiHijack; C:\Windows\System32\Drivers\360AntiHijack64.sys [60024 2018-01-08] (360.cn)
S1 360Box64; C:\Windows\System32\DRIVERS\360Box64.sys [330176 2016-11-15] (360.cn)
S1 360Camera; C:\Windows\System32\Drivers\360Camera64.sys [49088 2016-11-24] (360.cn)
S1 360FsFlt; C:\Windows\System32\DRIVERS\360FsFlt.sys [435320 2018-03-16] (360.cn)
S1 360Hvm; C:\Windows\System32\Drivers\360Hvm64.sys [285816 2017-11-07] (360安全中心)
S1 360netmon; C:\Windows\System32\DRIVERS\360netmon.sys [87160 2018-01-27] (360.cn)
S1 360qpesv; C:\Windows\System32\DRIVERS\360qpesv64.sys [295032 2018-04-09] (360.cn)
S3 360Sensor; C:\Windows\system32\drivers\360Sensor64.sys [34960 2017-06-14] (360.cn)
S1 BAPIDRV; C:\Windows\System32\DRIVERS\BAPIDRV64.sys [206456 2018-02-08] (360.cn)
S0 bootsafe; C:\Windows\System32\Drivers\bootsafe64.sys [116040 2018-02-03] (Kingsoft Corporation)
R0 DsArk; C:\Windows\System32\drivers\DsArk64.sys [176248 2017-12-14] (360.cn)
R0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [28008 2013-08-27] (Intel Corporation)
S0 KAVBootC; C:\Windows\System32\Drivers\KAVBootC64.sys [54960 2017-10-20] (Kingsoft Corporation)
S1 KDHacker; c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\KDHacker64.sys [203952 2017-10-20] (Kingsoft Corporation)
S2 kisknl; C:\Windows\system32\drivers\kisknl.sys [344904 2018-01-02] (Kingsoft Corporation)
S1 kisnetm; c:\program files (x86)\kingsoft\kingsoft antivirus\security\ksnetm\kisnetm64.sys [109880 2017-10-20] (Kingsoft Corporation)
S2 KNBDrv; C:\Windows\system32\drivers\KNBDrv.sys [151608 2018-03-12] (Kingsoft Corporation)
S2 ksapi64; C:\Windows\System32\drivers\ksapi64.sys [81584 2017-12-09] (Kingsoft Corporation)
S1 LiebaoNAT; C:\Windows\System32\DRIVERS\liebaonat64.sys [41664 2017-11-21] (Kingsoft Corporation)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [129312 2014-09-22] (Intel Corporation)
S1 QMUdisk; \??\C:\Program Files (x86)\Tencent\QQPCMgr\12.9.19141.213\QMUdisk64.sys [X]
S1 softaal; \??\C:\Program Files (x86)\Tencent\QQPCMgr\12.9.19141.213\softaal64.sys [X]
S2 tsnethlpx64; \??\C:\Program Files (x86)\Tencent\QQPCMgr\12.9.19141.213\TsNetHlpX64.sys [X]
S3 X6va021; \??\C:\Windows\SysWOW64\Drivers\X6va021 [X]
S3 X6va029; \??\C:\Windows\SysWOW64\Drivers\X6va029 [X]
S3 X6va031; \??\C:\Windows\SysWOW64\Drivers\X6va031 [X]
S3 X6va060; \??\C:\Windows\SysWOW64\Drivers\X6va060 [X]
S3 X6va061; \??\C:\Windows\SysWOW64\Drivers\X6va061 [X]
S3 X6va062; \??\C:\Windows\SysWOW64\Drivers\X6va062 [X]
S3 X6va063; \??\C:\Windows\SysWOW64\Drivers\X6va063 [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
NETSVCx32: HpSvc -> no filepath.
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-04-09 22:15 - 2018-04-09 22:19 - 000000000 ____D C:\FRST
2018-04-09 22:12 - 2018-04-09 22:12 - 000000020 ___SH C:\Users\TEMP.user-PC.003\ntuser.ini
2018-04-09 22:12 - 2018-04-09 22:12 - 000000000 _SHDL C:\Users\TEMP.user-PC.003\AppData\Roaming\Microsoft\Windows\Start Menu\程序
2018-04-09 22:12 - 2018-04-09 22:12 - 000000000 _SHDL C:\Users\TEMP.user-PC.003\「开始」菜单
2018-04-09 22:12 - 2018-04-09 22:12 - 000000000 ____D C:\Users\TEMP.user-PC.003
2018-04-09 22:12 - 2009-07-14 06:44 - 000000000 ____D C:\Users\TEMP.user-PC.003\AppData\Roaming\Media Center Programs
2018-03-15 22:54 - 2018-03-15 23:45 - 000000000 ____D C:\AdwCleaner
2018-03-15 19:19 - 2018-04-09 22:12 - 000415940 _____ C:\Windows\ntbtlog.txt
2018-03-13 14:37 - 2017-06-14 18:29 - 000034960 _____ (360.cn) C:\Windows\system32\Drivers\360Sensor64.sys
2018-03-13 12:06 - 2018-03-13 12:30 - 000000000 ____D C:\Users\TEMP.user-PC.002\AppData\LocalLow\360WD
2018-03-13 11:51 - 2018-03-13 13:44 - 000000000 ____D C:\Users\TEMP.user-PC.002
2018-03-13 11:51 - 2018-03-13 11:51 - 000000000 ____D C:\Users\TEMP.user-PC.002\AppData\Local\liebao
2018-03-13 11:21 - 2018-03-13 11:21 - 000000020 ___SH C:\Users\TEMP.user-PC.001\ntuser.ini
2018-03-13 11:21 - 2018-03-13 11:21 - 000000000 _SHDL C:\Users\TEMP.user-PC.001\AppData\Roaming\Microsoft\Windows\Start Menu\程序
2018-03-13 11:21 - 2018-03-13 11:21 - 000000000 _SHDL C:\Users\TEMP.user-PC.001\「开始」菜单
2018-03-13 11:21 - 2018-03-13 11:21 - 000000000 ____D C:\Users\TEMP.user-PC.001\AppData\Local\liebao
2018-03-13 11:21 - 2018-03-13 11:21 - 000000000 ____D C:\Users\TEMP.user-PC.001
2018-03-13 11:21 - 2009-07-14 06:44 - 000000000 ____D C:\Users\TEMP.user-PC.001\AppData\Roaming\Media Center Programs
2018-03-13 10:28 - 2018-03-13 10:28 - 000000020 ___SH C:\Users\TEMP.user-PC.000\ntuser.ini
2018-03-13 10:28 - 2018-03-13 10:28 - 000000000 _SHDL C:\Users\TEMP.user-PC.000\AppData\Roaming\Microsoft\Windows\Start Menu\程序
2018-03-13 10:28 - 2018-03-13 10:28 - 000000000 _SHDL C:\Users\TEMP.user-PC.000\「开始」菜单
2018-03-13 10:28 - 2018-03-13 10:28 - 000000000 ____D C:\Users\TEMP.user-PC.000\AppData\Local\liebao
2018-03-13 10:28 - 2018-03-13 10:28 - 000000000 ____D C:\Users\TEMP.user-PC.000
2018-03-13 10:28 - 2009-07-14 06:44 - 000000000 ____D C:\Users\TEMP.user-PC.000\AppData\Roaming\Media Center Programs
2018-03-13 10:05 - 2018-03-13 10:05 - 000000020 ___SH C:\Users\TEMP.user-PC\ntuser.ini
2018-03-13 10:05 - 2018-03-13 10:05 - 000000000 _SHDL C:\Users\TEMP.user-PC\AppData\Roaming\Microsoft\Windows\Start Menu\程序
2018-03-13 10:05 - 2018-03-13 10:05 - 000000000 _SHDL C:\Users\TEMP.user-PC\「开始」菜单
2018-03-13 10:05 - 2018-03-13 10:05 - 000000000 ____D C:\Users\TEMP.user-PC\AppData\Local\liebao
2018-03-13 10:05 - 2018-03-13 10:05 - 000000000 ____D C:\Users\TEMP.user-PC
2018-03-13 10:05 - 2009-07-14 06:44 - 000000000 ____D C:\Users\TEMP.user-PC\AppData\Roaming\Media Center Programs
2018-03-13 09:57 - 2018-03-13 09:57 - 000006816 ____N C:\bootsqm.dat
2018-03-13 09:49 - 2018-03-13 09:49 - 000000000 __SHD C:\found.000
2018-03-13 08:26 - 2018-03-13 08:26 - 000000000 ____D C:\Users\TEMP\AppData\Local\liebao
2018-03-13 08:25 - 2018-03-13 08:25 - 000000020 ___SH C:\Users\TEMP\ntuser.ini
2018-03-13 08:25 - 2018-03-13 08:25 - 000000000 _SHDL C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\程序
2018-03-13 08:25 - 2018-03-13 08:25 - 000000000 _SHDL C:\Users\TEMP\「开始」菜单
2018-03-13 08:25 - 2018-03-13 08:25 - 000000000 ____D C:\Users\TEMP
2018-03-13 08:25 - 2009-07-14 06:44 - 000000000 ____D C:\Users\TEMP\AppData\Roaming\Media Center Programs
2018-03-12 22:56 - 2018-03-12 22:56 - 000001138 _____ C:\Users\user\Desktop\猎豹安全浏览器.lnk
2018-03-12 22:56 - 2018-03-12 22:56 - 000000000 ____D C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\猎豹安全浏览器
2018-03-12 22:55 - 2018-03-12 22:55 - 000218440 _____ (Kingsoft Corporation) C:\Windows\system32\Drivers\knbdrv_ev.sys
2018-03-12 22:55 - 2018-03-12 22:55 - 000165704 _____ (Kingsoft Corporation) C:\Windows\system32\Drivers\knbdrv64_ev.sys
2018-03-12 22:55 - 2018-03-12 22:55 - 000151608 _____ (Kingsoft Corporation) C:\Windows\system32\Drivers\KNBDrv64.sys
2018-03-12 22:55 - 2018-03-12 22:55 - 000151608 _____ (Kingsoft Corporation) C:\Windows\system32\Drivers\knbdrv.sys
2018-03-12 22:55 - 2018-03-12 22:55 - 000122520 _____ (Kingsoft Corporation) C:\Windows\system32\Drivers\ksapi_ev.sys
2018-03-12 22:55 - 2018-03-12 22:55 - 000114776 _____ (Kingsoft Corporation) C:\Windows\system32\Drivers\ksapi.sys
2018-03-12 22:55 - 2018-03-12 22:55 - 000079000 _____ (Kingsoft Corporation) C:\Windows\system32\Drivers\ksapi64_ev.sys
2018-03-12 22:55 - 2017-12-09 01:03 - 000081584 _____ (Kingsoft Corporation) C:\Windows\system32\Drivers\ksapi64.sys
2018-03-12 22:54 - 2018-03-12 22:56 - 000000000 ____D C:\Users\user\AppData\Local\liebao
2018-03-10 14:48 - 2018-03-10 14:48 - 000000000 ____D C:\Program Files\Common Files\DESIGNER
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-04-09 21:51 - 2009-07-14 06:32 - 000414290 _____ C:\Windows\system32\prfh0804.dat
2018-04-09 21:51 - 2009-07-14 06:32 - 000138510 _____ C:\Windows\system32\prfc0804.dat
2018-04-09 21:51 - 2009-07-14 01:13 - 001414784 _____ C:\Windows\system32\PerfStringBackup.INI
2018-04-09 21:36 - 2017-10-20 08:32 - 000000001 _____ C:\Windows\system32\Drivers\360Hvm64.dat
2018-04-09 21:24 - 2017-11-06 09:25 - 000000432 _____ C:\Windows\system32\Drivers\etc\hosts.ics
2018-04-09 21:22 - 2016-12-17 03:33 - 000000206 __RSH C:\ProgramData\ntuser.pol
2018-04-09 21:18 - 2009-07-14 01:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-04-09 20:47 - 2009-07-14 00:45 - 000015136 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2018-04-09 20:43 - 2009-07-14 00:45 - 000015136 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2018-04-09 20:31 - 2017-10-20 08:36 - 000295032 _____ (360.cn) C:\Windows\system32\Drivers\360qpesv64.sys
2018-03-20 16:29 - 2009-07-13 23:20 - 000000000 ____D C:\Windows\inf
2018-03-20 15:58 - 2017-10-20 17:09 - 000002044 _____ C:\Users\Public\Desktop\垃圾清理.lnk
2018-03-16 03:37 - 2017-10-20 08:32 - 000435320 _____ (360.cn) C:\Windows\system32\Drivers\360fsflt.sys
2018-03-16 03:01 - 2017-10-20 08:33 - 000000000 ____D C:\360用户文件
2018-03-12 23:00 - 2017-10-20 08:25 - 000000000 ____D C:\ProgramData\Kingsoft
2018-03-12 22:55 - 2017-10-20 08:33 - 000000000 ____D C:\Users\user\AppData\LocalLow\360WD
2018-03-12 14:29 - 2015-06-12 21:47 - 000000000 ____D C:\Users\user\AppData\Roaming\KuGou8
2018-03-10 14:49 - 2016-11-11 17:01 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2018-03-10 14:48 - 2009-07-13 23:20 - 000000000 ____D C:\Program Files\Common Files\Microsoft Shared
2018-03-10 14:45 - 2016-11-11 16:56 - 000000000 ____D C:\Program Files\Microsoft Office
 
==================== Files in the root of some directories =======
 
2017-11-01 08:45 - 2017-10-31 20:07 - 000880968 _____ () C:\ProgramData\app.exe
2016-10-27 22:28 - 2016-10-27 22:28 - 001754304 _____ () C:\ProgramData\QQGAMEPBL2024.DLL
2016-10-27 22:28 - 2016-10-27 22:28 - 001447104 _____ () C:\ProgramData\QQGamePBL344.exe
2016-12-07 19:03 - 2016-12-07 19:03 - 001696960 _____ () C:\ProgramData\QQGAMEQCK2205.DLL
2016-12-11 23:14 - 2016-12-11 23:14 - 001389760 _____ () C:\ProgramData\QQGameQCK2432.exe
 
Some files in TEMP:
====================
2018-03-05 15:03 - 2018-03-12 13:48 - 003082152 _____ (360.cn) C:\Users\user\AppData\Local\Temp\360SafeIme.exe
2017-10-24 16:39 - 2017-10-24 16:39 - 000513840 _____ () C:\Users\user\AppData\Local\Temp\masar_runxx.dl.dll
2017-05-03 17:21 - 2017-05-03 17:21 - 002061064 _____ () C:\Users\user\AppData\Local\Temp\masauto_runxx.dl.dll
2015-08-05 19:58 - 2015-08-05 19:58 - 000518592 _____ () C:\Users\user\AppData\Local\Temp\masblog_runxx.dl.dll
2016-05-06 19:33 - 2016-05-06 19:33 - 001892776 _____ (TODO: <Company name>) C:\Users\user\AppData\Local\Temp\masflag_runxx.dl.dll
2017-07-19 16:36 - 2017-07-19 16:36 - 001464072 _____ () C:\Users\user\AppData\Local\Temp\QYAgent_runxx.dl.dll
2018-02-06 15:47 - 2018-03-12 22:47 - 000190048 _____ (360.cn) C:\Users\user\AppData\Local\Temp\SimpleIME.exe
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2018-03-09 13:04
 
==================== End of FRST.txt ============================
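A report like the one above is read by hand on this forum, but the first pass is mechanical: pull out the entries FRST marks itself, the services and drivers whose binary is gone, the registry handlers pointing at "No File", executables sitting in ProgramData or Temp with an empty company field, and Security Center products that are disabled or out of date. The Python script below does that first pass. It is an added example, not part of the original post and not a Farbar tool; SAMPLE_LOG is constructed for the example from a dozen lines copied out of the report above, not the full log. Every hit is a lead to verify, not a verdict: "[X]" entries are often leftovers of uninstalled software (the QQPCMgr drivers are a typical case), and an empty company field only means the file carries no publisher name, not that it is malicious.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) report lines.

Added example, not part of the original post and not a Farbar tool. It pulls
out the entries an analyst reads first in a report like the one above:
  * services/drivers still registered but whose binary is gone ("[X]")
  * registry handlers/extensions that point to "No File"
  * lines FRST itself marks with "<==== ATTENTION"
  * executables whose company field is empty "()" in the file listings
  * Security Center products reported Disabled or Out of date
SAMPLE_LOG is constructed for this example from lines copied out of the
report; it is not the full log.
"""
import re
from collections import Counter
from dataclasses import dataclass

SAMPLE_LOG = r"""
GroupPolicy: Restriction <==== ATTENTION
S2 knbcenter; C:\Users\user\AppData\Local\liebao\6.5.115.17898\knbcenter.exe [882936 2018-03-12] (Kingsoft Corporation)
U2 DGPNPSEV; c:\Ksafe\Mydrivers\DriverGenius2013\dgservice.exe [X]
S3 pnphost; C:\Program Files (x86)\DTLSoft\USBBox\pnphost.dll [X]
R0 DsArk; C:\Windows\System32\drivers\DsArk64.sys [176248 2017-12-14] (360.cn)
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
Handler: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} -  No File
2017-11-01 08:45 - 2017-10-31 20:07 - 000880968 _____ () C:\ProgramData\app.exe
2017-10-24 16:39 - 2017-10-24 16:39 - 000513840 _____ () C:\Users\user\AppData\Local\Temp\masar_runxx.dl.dll
2018-03-05 15:03 - 2018-03-12 13:48 - 003082152 _____ (360.cn) C:\Users\user\AppData\Local\Temp\360SafeIme.exe
AS: Malwarebytes (Disabled - Out of date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: 金山毒霸铠甲防御 (Enabled - Up to date) {7ABCE12F-C6E4-9881-73BB-C28F80F2D87D}
"""

# Service/driver line: "<start type> <name>; <path> [<size date>|X] (<company>)"
SERVICE_RE = re.compile(
    r'^(?P<start>[RSU]\d) (?P<name>.+?); (?P<path>.+?) '
    r'\[(?P<meta>X|\d+ \d{4}-\d{2}-\d{2})\](?: \((?P<company>.*)\))?$')
# File listing line: "<created> - <modified> - <size> <attrs> (<company>) <path>";
# the "(...)" is absent for directories and empty "()" when no publisher is set.
FILE_RE = re.compile(
    r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - '
    r'\d{9} (?P<attrs>[_A-Z]{5}) (?:\((?P<company>.*?)\) )?(?P<path>.+)$')
# Security Center line: "AV|AS|FW: <product> (<state> - <signatures>) {GUID}"
SECCENTER_RE = re.compile(
    r'^(?P<type>AV|AS|FW): (?P<product>.+?) \((?P<state>Enabled|Disabled) - '
    r'(?P<sig>Up to date|Out of date)\) \{')


@dataclass(frozen=True)
class Finding:
    kind: str    # attention | no-file | missing-binary | no-company | av-state
    detail: str  # why the line was flagged
    line: str    # the FRST line that triggered it


def triage(report: str) -> list:
    """Return the FRST lines worth a closer look, in report order."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if '<==== ATTENTION' in line:
            findings.append(Finding('attention', 'flagged by FRST itself', line))
            continue
        if line.endswith('No File'):
            findings.append(Finding('no-file', 'registry entry points to a missing file', line))
            continue
        m = SERVICE_RE.match(line)
        if m:
            if m['meta'] == 'X':
                findings.append(Finding(
                    'missing-binary',
                    f"{m['name']} ({m['start']}) is registered but its binary is gone: {m['path']}",
                    line))
            continue
        m = FILE_RE.match(line)
        if m:
            # company == '' means FRST printed "()", i.e. no publisher name on the file
            if m['company'] == '' and m['path'].lower().endswith(('.exe', '.dll', '.sys')):
                findings.append(Finding(
                    'no-company', f"executable with empty company field: {m['path']}", line))
            continue
        m = SECCENTER_RE.match(line)
        if m and (m['state'] == 'Disabled' or m['sig'] == 'Out of date'):
            findings.append(Finding(
                'av-state', f"{m['type']} {m['product']}: {m['state']}, {m['sig']}", line))
    return findings


def summarize(findings) -> dict:
    """Count findings per kind, e.g. {'missing-binary': 3, ...}."""
    return dict(Counter(f.kind for f in findings))


if __name__ == '__main__':
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f'[{f.kind}] {f.detail}')
    print(summarize(hits))
```

Run it against a saved FRST.txt by replacing SAMPLE_LOG with the file contents; the regexes match the layout FRST 14.03.2018 prints for the Services, Drivers, file-listing and Security Center sections, so a different FRST version may need the patterns adjusted. Lines the script does not flag (for example the signed Kingsoft and 360.cn services) still deserve a look when two security suites are installed side by side, since the parser only reports what the log states, not what is unusual about the machine.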


#2 james.z

Posted 10 April 2018 - 12:21 AM

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 14.03.2018
Ran by user (09-04-2018 22:21:32)
Running from F:\
Windows 7 Home Premium Service Pack 1 (X64) (2015-06-12 13:00:02)
Boot Mode: Safe Mode (minimal)
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-2369721095-1413440205-1466323716-500 - Administrator - Disabled)
Guest (S-1-5-21-2369721095-1413440205-1466323716-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-2369721095-1413440205-1466323716-1002 - Limited - Enabled)
user (S-1-5-21-2369721095-1413440205-1466323716-1000 - Administrator - Enabled) => C:\Users\TEMP.user-PC.003
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: 金山毒霸铠甲防御 (Enabled - Up to date) {7ABCE12F-C6E4-9881-73BB-C28F80F2D87D}
AS: 360安全卫士 (Enabled - Up to date) {90070FFA-C3F2-CD79-5E3F-7527D7EF99C0}
AS: Malwarebytes (Disabled - Out of date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: 金山毒霸铠甲防御 (Enabled - Up to date) {C1DD00CB-E0DE-970F-490B-F9FDFB7592C0}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
360安全卫士 (HKLM-x32\...\360安全卫士) (Version: 11.4.0.2001 - 360安全中心)
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 17.012.20098 - Adobe Systems Incorporated)
Adobe Flash Player 28 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 28.0.0.161 - Adobe Systems Incorporated)
Adobe Flash Player 28 PPAPI (HKLM-x32\...\Adobe Flash Player PPAPI) (Version: 28.0.0.161 - Adobe Systems Incorporated)
Apple Mobile Device Support (HKLM\...\{3540181E-340A-4E7A-B409-31663472B2F7}) (Version: 9.1.0.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{FFD1F7F1-1AC9-4BC4-A908-0686D635ABAF}) (Version: 2.1.4.131 - Apple Inc.)
Apple 应用程序支持 (64 位) (HKLM\...\{691F30EB-9009-475A-B8A9-E1BF39598FD5}) (Version: 4.1.2 - Apple Inc.)
Battle.net (HKLM-x32\...\Battle.net) (Version:  - Blizzard Entertainment)
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 5.29 - Piriform)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 57.0.2987.133 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.3 - Google Inc.) Hidden
Hearthstone (HKLM-x32\...\Hearthstone) (Version:  - Blizzard Entertainment)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.2849 - Intel Corporation)
Intel® SDK for OpenCL - CPU Only Runtime Package (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 2.0.0.37149 - Intel Corporation)
iTunes (HKLM\...\{FBEB98F8-64E4-4FA3-A15E-4A9F42FF962E}) (Version: 12.3.2.35 - Apple Inc.)
Java 8 Update 121 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F64180121F0}) (Version: 8.0.1210.13 - Oracle Corporation)
Java SE Development Kit 8 Update 121 (64-bit) (HKLM\...\{64A3A4F4-B792-11D6-A78A-00B0D0180121}) (Version: 8.0.1210.13 - Oracle Corporation)
Java SE Development Kit 8 Update 131 (64-bit) (HKLM\...\{64A3A4F4-B792-11D6-A78A-00B0D0180131}) (Version: 8.0.1310.11 - Oracle Corporation)
jGRASP (HKLM-x32\...\jGRASP) (Version: 2.0.3_05 - Auburn University)
Malwarebytes version 3.0.6.1469 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.0.6.1469 - Malwarebytes)
Microsoft .NET Framework 4.6.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft .NET Framework 4.6.1 (简体中文) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 2052) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft Office 365 ProPlus - en-us (HKLM\...\O365ProPlusRetail - en-us) (Version: 16.0.9029.2167 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
NetBeans IDE 8.2 (HKLM\...\nbi-nb-base-8.2.0.0.201609300101) (Version: 8.2 - NetBeans.org)
Office 16 Click-to-Run Extensibility Component (HKLM\...\{90160000-008C-0000-1000-0000000FF1CE}) (Version: 16.0.9029.2167 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (HKLM\...\{90160000-007E-0000-1000-0000000FF1CE}) (Version: 16.0.9029.2167 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (HKLM\...\{90160000-008C-0409-1000-0000000FF1CE}) (Version: 16.0.9029.2167 - Microsoft Corporation) Hidden
QQ游戏 (HKLM-x32\...\QQ游戏) (Version: 5.8.46912.0 - 腾讯公司)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7391 - Realtek Semiconductor Corp.)
Renesas Electronics USB 3.0 Host Controller Driver (HKLM-x32\...\{5442DAB8-7177-49E1-8B22-09A049EA5996}) (Version: 2.1.16.0 - Renesas Electronics Corporation) Hidden
Renesas Electronics USB 3.0 Host Controller Driver (HKLM-x32\...\InstallShield_{5442DAB8-7177-49E1-8B22-09A049EA5996}) (Version: 2.1.16.0 - Renesas Electronics Corporation)
Revo Uninstaller 2.0.3 (HKLM\...\{A28DBDA2-3CC7-4ADC-8BFE-66D7743C6C97}_is1) (Version: 2.0.3 - VS Revo Group, Ltd.)
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.6 - VideoLAN)
WinRAR 压缩文件管理器 (HKLM-x32\...\WinRAR archiver) (Version:  - )
憋七 (HKLM-x32\...\{DB7CC047-54FC-4B8A-A404-1259C77C3E65}) (Version:  - )
金山毒霸 (HKLM-x32\...\Kingsoft Internet Security) (Version: 2017.11.8.4 - Kingsoft Internet Security)
竞技斗地主 (HKLM-x32\...\{054EB426-5D5C-4D5D-8ABB-9FDCEC3A31E6}) (Version:  - )
酷狗音乐 (HKLM-x32\...\酷狗音乐) (Version: 8.1.51.19889 - 酷狗音乐)
酷我音乐 (HKLM-x32\...\KwMusic7) (Version: 8.7.3.1 - 酷我科技)
赖子山庄 (HKLM-x32\...\{DB7EF88E-5BBE-42A2-80A4-AD515FF0A6CB}) (Version:  - )
猎豹安全浏览器 (HKLM-x32\...\liebao) (Version: 6.5.115.18430 - 猎豹工作室)
猎豹免费WiFi (HKLM-x32\...\kwifi) (Version: 5.1 - Cheetah Mobile)
驱动精灵 (HKLM-x32\...\DriverGenius) (Version: 2013 - 驱动之家)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
ShellIconOverlayIdentifiers: [       360UDiskGuard Icon Overlay] -> {CC00F81D-5262-450A-B1FA-D6BEE3406263} => C:\Program Files (x86)\360\360Safe\safemon\360UDiskGuard64.dll [2018-03-16] (360.cn)
ContextMenuHandlers1: [AGpShellExt] -> {5CD76C57-6893-478A-B776-47E7C82504BE} =>  -> No File
ContextMenuHandlers1-x32: [duba_32bit] -> {D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4} => c:\program files (x86)\kingsoft\kingsoft antivirus\kavmenu.dll [2017-12-20] (Kingsoft Corporation)
ContextMenuHandlers1-x32: [duba_64bit] -> {DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51} => c:\program files (x86)\kingsoft\kingsoft antivirus\kavmenu64.dll [2017-12-20] (Kingsoft Corporation)
ContextMenuHandlers1-x32: [kwansvc] -> {367F6AE2-6809-4bed-B09B-228893FB33DD} => c:\program files (x86)\kingsoft\kingsoft antivirus\kwansvc64.dll [2017-10-20] (Kingsoft Corporation)
ContextMenuHandlers1-x32: [Safe360Ext] -> {7C0F6D57-E799-4C8A-A319-8E2B4D724CF0} => C:\Program Files (x86)\360\360Safe\Utils\shell360ext64.dll [2017-10-20] (360.cn)
ContextMenuHandlers1-x32: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files (x86)\WinRAR\rarext64.dll [2008-06-19] ()
ContextMenuHandlers1-x32-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files (x86)\WinRAR\rarext.dll [2008-09-16] ()
ContextMenuHandlers2-x32: [duba_32bit] -> {D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4} => c:\program files (x86)\kingsoft\kingsoft antivirus\kavmenu.dll [2017-12-20] (Kingsoft Corporation)
ContextMenuHandlers2-x32: [duba_64bit] -> {DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51} => c:\program files (x86)\kingsoft\kingsoft antivirus\kavmenu64.dll [2017-12-20] (Kingsoft Corporation)
ContextMenuHandlers2-x32: [kwansvc] -> {367F6AE2-6809-4bed-B09B-228893FB33DD} => c:\program files (x86)\kingsoft\kingsoft antivirus\kwansvc64.dll [2017-10-20] (Kingsoft Corporation)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-01-20] (Malwarebytes)
ContextMenuHandlers4-x32: [duba_32bit] -> {D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4} => c:\program files (x86)\kingsoft\kingsoft antivirus\kavmenu.dll [2017-12-20] (Kingsoft Corporation)
ContextMenuHandlers4-x32: [duba_64bit] -> {DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51} => c:\program files (x86)\kingsoft\kingsoft antivirus\kavmenu64.dll [2017-12-20] (Kingsoft Corporation)
ContextMenuHandlers4-x32: [kwansvc] -> {367F6AE2-6809-4bed-B09B-228893FB33DD} => c:\program files (x86)\kingsoft\kingsoft antivirus\kwansvc64.dll [2017-10-20] (Kingsoft Corporation)
ContextMenuHandlers4-x32: [Safe360Ext] -> {7C0F6D57-E799-4C8A-A319-8E2B4D724CF0} => C:\Program Files (x86)\360\360Safe\Utils\shell360ext64.dll [2017-10-20] (360.cn)
ContextMenuHandlers4-x32: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files (x86)\WinRAR\rarext64.dll [2008-06-19] ()
ContextMenuHandlers4-x32-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files (x86)\WinRAR\rarext.dll [2008-09-16] ()
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\Windows\system32\igfxpph.dll [2012-09-01] (Intel Corporation)
ContextMenuHandlers5: [kwansvc] -> {367F6AE2-6809-4bed-B09B-228893FB33DD} => c:\program files (x86)\kingsoft\kingsoft antivirus\kwansvc64.dll [2017-10-20] (Kingsoft Corporation)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-01-20] (Malwarebytes)
ContextMenuHandlers6: [Safe360Ext] -> {7C0F6D57-E799-4C8A-A319-8E2B4D724CF0} => C:\Program Files (x86)\360\360Safe\Utils\shell360ext64.dll [2017-10-20] (360.cn)
ContextMenuHandlers6: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files (x86)\WinRAR\rarext64.dll [2008-06-19] ()
ContextMenuHandlers6-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files (x86)\WinRAR\rarext.dll [2008-09-16] ()
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {1D8CA44D-F0FC-4E6A-A394-B553B13E572E} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-06-20] (Google Inc.)
Task: {20DED5D7-BBC3-4F50-9D73-EF1C6F3A84A7} - \{FD8CAE6F-A69D-4899-A029-DEB5B3EBC3A8} -> No File <==== ATTENTION
Task: {3FDEACFA-69E1-499A-A034-49ACCD2986A1} - System32\Tasks\Adobe Flash Player PPAPI Notifier => C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_28_0_0_161_pepper.exe [2018-02-13] (Adobe Systems Incorporated)
Task: {62471158-BB40-407F-8DB0-5A916BBB047B} - System32\Tasks\{1717748E-C5A9-4170-AE36-3BC2388BAEAB} => C:\Windows\system32\pcalua.exe -a C:\Users\user\Desktop\laizi_hall_201607.exe -d C:\Users\user\Desktop
Task: {6BFF34E3-BEBF-4FE9-BBB1-59B4F5D49629} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2018-02-22] (Microsoft Corporation)
Task: {742CFCFA-00AC-4568-9501-E53161DEB8CE} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerRegistration => C:\Program Files\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2018-03-10] (Microsoft Corporation)
Task: {78FF3B78-24FC-4362-99DB-91D0A37A451A} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe
Task: {AE2B4CA1-C599-4C9D-9607-48AD7E66A77B} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn2016 => C:\Program Files\Microsoft Office\root\Office16\msoia.exe [2018-03-10] (Microsoft Corporation)
Task: {B231AEA2-717A-407B-BD40-9FED9AA81485} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2017-07-19] (Adobe Systems Incorporated)
Task: {B37475A5-D230-499D-9E99-C9E8A7A13A53} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-06-20] (Google Inc.)
Task: {B882CC3A-8EEE-4C54-8EEF-FE1199E9A305} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerLogon => C:\Program Files\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2018-03-10] (Microsoft Corporation)
Task: {D11B3E94-926F-4A50-8AAE-C057304A1E1C} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack2016 => C:\Program Files\Microsoft Office\root\Office16\msoia.exe [2018-03-10] (Microsoft Corporation)
Task: {D484951E-A86D-4C7F-93F2-62FF232DE1E3} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2018-02-22] (Microsoft Corporation)
Task: {D78BAF57-63D5-4EB0-A65E-7A63E053FA78} - System32\Tasks\Microsoft\Office\Office Subscription Maintenance => C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonx64\Microsoft Shared\Office16\OLicenseHeartbeat.exe [2018-03-10] (Microsoft Corporation)
Task: {DF6BAD9F-04E8-40CF-9830-C73B82F55C58} - System32\Tasks\{9D1B20D0-AE04-4FFE-94CB-B10813E95839} => C:\Windows\system32\pcalua.exe -a C:\Users\user\AppData\Local\Temp\201614-142959\dotnet_setup.exe -d C:\Users\user\Downloads <==== ATTENTION
Task: {DFE4A84E-697F-47CC-9C62-26B23EFDAF7C} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2018-02-13] (Adobe Systems Incorporated)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\Adobe Flash Player PPAPI Notifier.job_ => C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_24_0_0_194_pepper.exe
Task: C:\Windows\Tasks\QQBrowser Updater Task.job_ => C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe <==== ATTENTION
Task: C:\Windows\Tasks\QQBrowser Updater Task(Core).job_ => C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe <==== ATTENTION
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
ShortcutWithArgument: C:\Users\Public\Desktop\金山猎豹游戏中心.lnk -> C:\Program Files (x86)\kingsoft\kingsoft antivirus\kvipwiz.exe (Kingsoft Corporation) -> /vip:kybox /from:2198 /webbrowser:0 /weburl:hxxp://wan.liebao.cn?frm=kjfs-db&referer=jsdb
 
==================== Loaded Modules (Whitelisted) ==============
 
2017-08-20 11:30 - 2018-03-10 14:39 - 008933552 _____ () C:\Program Files\Microsoft Office\root\Office16\1033\GrooveIntlResource.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="1"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 22:34 - 2009-06-10 17:00 - 000000824 _____ C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
DNS Servers: Media is not connected to internet.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
MSCONFIG\Services: AdobeARMservice => 2
MSCONFIG\Services: AdobeFlashPlayerUpdateSvc => 3
MSCONFIG\Services: AERTFilters => 2
MSCONFIG\Services: Apple Mobile Device Service => 2
MSCONFIG\Services: BFAssistantSvc_1561394442 => 3
MSCONFIG\Services: Bonjour Service => 2
MSCONFIG\Services: cphs => 3
MSCONFIG\Services: gupdate => 3
MSCONFIG\Services: gupdatem => 3
MSCONFIG\Services: iPod Service => 3
MSCONFIG\Services: KugouService => 2
MSCONFIG\Services: MBAMService => 2
MSCONFIG\Services: RtkAudioService => 2
MSCONFIG\Services: Steam Client Service => 3
MSCONFIG\Services: XYService => 3
MSCONFIG\Services: ZhuDongFangYu => 
MSCONFIG\startupfolder: C:^Users^user^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^QQ游戏启动加速程序.lnk => C:\Windows\pss\QQ游戏启动加速程序.lnk.Startup
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: CCleaner Monitoring => "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
MSCONFIG\startupreg: ctfmon => C:\Windows\system32\ctfmon.exe
MSCONFIG\startupreg: HCDNClient => "C:\Program Files (x86)\IQIYI Video\LStyle\5.6.40.4071\QyKernel.exe" -shell_start
MSCONFIG\startupreg: HotKeysCmds => C:\Windows\system32\hkcmd.exe
MSCONFIG\startupreg: HunanTV => "C:\Program Files (x86)\HunanTV\HunanTV.exe" -autorun
MSCONFIG\startupreg: IgfxTray => C:\Windows\system32\igfxtray.exe
MSCONFIG\startupreg: iTunesHelper => "C:\Program Files\iTunes\iTunesHelper.exe"
MSCONFIG\startupreg: JJPlayer => "C:\Program Files (x86)\JJPlayer\JJPlayer.exe" -autorun
MSCONFIG\startupreg: KuGou8 => C:\Program Files (x86)\KuGou\KGMusic\KuGou.exe -Mini
MSCONFIG\startupreg: Lync => "C:\Program Files\Microsoft Office\Root\Office16\lync.exe" /fromrunkey
MSCONFIG\startupreg: Malwarebytes TrayApp => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe
MSCONFIG\startupreg: NUSB3MON => "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
MSCONFIG\startupreg: Persistence => C:\Windows\system32\igfxpers.exe
MSCONFIG\startupreg: QQ2009 => "C:\Program Files (x86)\Tencent\QQ\QQProtect\Bin\QQProtect.exe" /background
MSCONFIG\startupreg: QQMicroGameBoxTray => "C:\Users\user\AppData\Roaming\Tencent\QQMicroGameBox\Launch.exe" -/autorun
MSCONFIG\startupreg: QyClient => "C:\Program Files (x86)\IQIYI Video\LStyle\5.6.40.4071\QyClient.exe" startup
MSCONFIG\startupreg: RTHDVCPL => "C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe" -s
MSCONFIG\startupreg: SmartCalendar => "C:\Program Files (x86)\DTLSoft\SmartCalendar\SmartCalendar.exe" /start
MSCONFIG\startupreg: Steam => "C:\Program Files (x86)\Steam\steam.exe" -silent
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{4DA18B59-3B12-4E42-AAD5-5F684E207CBA}] => (Allow) C:\Program Files (x86)\KuGou\KGMusic\KuGou.exe
FirewallRules: [{4E199B29-6D40-48BA-BCFF-6259312CA0F6}] => (Allow) C:\Program Files (x86)\KuGou\KGMusic\KuGou.exe
FirewallRules: [{17DDF5C2-D6CA-416A-AADF-68B4F3D8E95E}] => (Allow) C:\Program Files (x86)\Battle.net\Battle.net.exe
FirewallRules: [{F6F9365E-7AF8-4952-B139-A775A34648DB}] => (Allow) C:\Program Files (x86)\Battle.net\Battle.net.exe
FirewallRules: [{97D3C4E4-B07A-4A47-B9D1-DCFBF2340AD5}] => (Allow) C:\Program Files (x86)\Hearthstone\Hearthstone.exe
FirewallRules: [{049C275C-2BCB-4D0A-84E7-C9E6E17BDE1A}] => (Allow) C:\Program Files (x86)\Hearthstone\Hearthstone.exe
FirewallRules: [TCP Query User{13A59DE8-2FD1-407B-A628-7E76B543B61D}C:\program files (x86)\hearthstone\hearthstone.exe] => (Allow) C:\program files (x86)\hearthstone\hearthstone.exe
FirewallRules: [UDP Query User{2650B45A-5165-4F84-8EE8-181760AB1FC8}C:\program files (x86)\hearthstone\hearthstone.exe] => (Allow) C:\program files (x86)\hearthstone\hearthstone.exe
FirewallRules: [{4A789176-F88C-4A37-9F91-D0386E45B502}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{E0D948B3-75DA-44B5-8302-2DB4F1D9AB97}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{783E02D4-DE97-48BB-97D2-8D68791712A7}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{FB446CAD-D3B4-47A4-A228-7336142DE5E6}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{19B156B4-3E5A-4C37-ACFD-392877317EFC}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{AF68284A-4AC0-450E-A433-54E02C7EACFA}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{8D7CE80A-B492-49E2-A94A-F25CA3FA821A}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{E7F55C89-3C23-4482-B3F0-20365B2449CF}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{A47A59A5-1364-4E51-B07A-7C31DE67E616}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [TCP Query User{5DEA17D9-416B-45DF-95EC-C9ED990EF59C}C:\users\user\appdata\roaming\kugou8\appstore\6\dlna_player.exe] => (Block) C:\users\user\appdata\roaming\kugou8\appstore\6\dlna_player.exe
FirewallRules: [UDP Query User{836B7D7C-48DF-4591-98EA-686FED295BED}C:\users\user\appdata\roaming\kugou8\appstore\6\dlna_player.exe] => (Block) C:\users\user\appdata\roaming\kugou8\appstore\6\dlna_player.exe
FirewallRules: [{D2CA2719-BE28-4F31-93BF-1B700D449F18}] => (Allow) C:\program files (x86)\common files\tencent\qqdownload\135\tencentdl.exe
FirewallRules: [TCP Query User{9320E85D-5C06-4CCC-8DEF-B183D2547BEF}C:\users\user\appdata\local\xldl\download\minithunderplatform.exe] => (Allow) C:\users\user\appdata\local\xldl\download\minithunderplatform.exe
FirewallRules: [UDP Query User{264573D7-DD7F-4FBD-B2B2-97EE1829BAF0}C:\users\user\appdata\local\xldl\download\minithunderplatform.exe] => (Allow) C:\users\user\appdata\local\xldl\download\minithunderplatform.exe
FirewallRules: [{D3CE12AD-0F6A-43F8-9478-40BEC008F2B3}] => (Allow) C:\program files (x86)\common files\tencent\qqdownload\135\tencentdl.exe
FirewallRules: [{B433FFA1-30E0-44D7-90A2-8077AED3F3C1}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\Lync.exe
FirewallRules: [{91AC15EC-E7F8-42A5-A1CF-1336964DDEF5}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\UcMapi.exe
FirewallRules: [{BF92750E-2B0F-4F60-9B04-78328C4F4504}] => (Allow) C:\Program Files (x86)\KuGou\KGMusic\8.1.23.19503\KGService.exe
FirewallRules: [{A00E6A05-8FDC-46DD-9393-882664F35A11}] => (Allow) C:\Program Files (x86)\KuGou\KGMusic\8.1.23.19503\KGService.exe
FirewallRules: [{8598B498-1E37-44BE-BF48-65E5A2035242}] => (Allow) C:\Program Files (x86)\KuGou\KGMusic\8.1.23.19503\kgupnp.exe
FirewallRules: [{AE1EAED3-D3C2-4089-B5DE-A479C71F0CC1}] => (Allow) C:\Program Files (x86)\KuGou\KGMusic\8.1.23.19503\kgupnp.exe
FirewallRules: [{38AED7FE-BA4B-4516-9295-BAC84B9C84DD}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\Lync.exe
FirewallRules: [{04076EA9-8341-4EDF-9EA5-D0DA97DCFBFF}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\UcMapi.exe
FirewallRules: [{1617A807-1508-47BF-BDBF-8B660E853416}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{DB905AC9-01C3-46ED-BF94-E3A395D501AC}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{DC252076-2C01-469F-AD31-9AADF616EF4A}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{044E2578-11C7-4F43-B978-61BD94098622}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{4C6344D5-18F7-419A-9862-52F9ABD8050C}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{6E092FCC-FE6A-40A3-ABA5-BCDA892B229A}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Limbo\limbo.exe
FirewallRules: [{9C6071F2-A540-404C-B4A4-F02C5301673D}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Limbo\limbo.exe
FirewallRules: [TCP Query User{6D900F64-C76F-4098-BF23-28CAB0DE7BAB}C:\program files (x86)\kugou\kgmusic\8.1.23.19503\kgservice.exe] => (Block) C:\program files (x86)\kugou\kgmusic\8.1.23.19503\kgservice.exe
FirewallRules: [UDP Query User{E5C9B665-F615-406C-B72E-7B6CF3BEE228}C:\program files (x86)\kugou\kgmusic\8.1.23.19503\kgservice.exe] => (Block) C:\program files (x86)\kugou\kgmusic\8.1.23.19503\kgservice.exe
FirewallRules: [{621D026A-9B5E-438C-8328-9719DE8C83AC}] => (Allow) C:\Program Files (x86)\KuGou\KGMusic\KuGou.exe
FirewallRules: [{67D06ED0-BB7C-40A5-9D96-D79CDA76933F}] => (Allow) C:\Program Files (x86)\KuGou\KGMusic\KuGou.exe
FirewallRules: [{8C97E8C5-481B-4DDD-ABA8-C4DA40B4EE8B}] => (Allow) C:\Program Files (x86)\KuGou\KGMusic\8.1.51.19889\KGService.exe
FirewallRules: [{641968D2-7691-4394-84CC-2CBD85A339DF}] => (Allow) C:\Program Files (x86)\KuGou\KGMusic\8.1.51.19889\KGService.exe
FirewallRules: [{3619C770-0D57-42E9-96A2-E8E3D472C75D}] => (Allow) C:\Program Files (x86)\KuGou\KGMusic\8.1.51.19889\kgupnp.exe
FirewallRules: [{B6BC3CDE-EA9A-40D9-B9BE-192B3683DCD2}] => (Allow) C:\Program Files (x86)\KuGou\KGMusic\8.1.51.19889\kgupnp.exe
FirewallRules: [{9DD60E0C-AF43-41EE-BD52-42C115143265}] => (Allow) C:\Users\user\AppData\Roaming\KuGou8\AppStore\6\dlna_player.exe
FirewallRules: [{44BFF90F-0962-4C94-900B-CB175781CB9E}] => (Allow) C:\Users\user\AppData\Roaming\KuGou8\AppStore\6\dlna_player.exe
FirewallRules: [TCP Query User{5E92D530-7F90-43B6-8520-ADE596D6DE86}C:\program files (x86)\kugou\kgmusic\8.1.51.19889\kgservice.exe] => (Block) C:\program files (x86)\kugou\kgmusic\8.1.51.19889\kgservice.exe
FirewallRules: [UDP Query User{C82C41C6-885F-422A-8411-F07F19F84344}C:\program files (x86)\kugou\kgmusic\8.1.51.19889\kgservice.exe] => (Block) C:\program files (x86)\kugou\kgmusic\8.1.51.19889\kgservice.exe
FirewallRules: [{D4DBDC1A-18D9-478C-9E85-79AEA371B0CA}] => (Allow) C:\Program Files (x86)\kuwo\kuwomusic\8.7.3.1_P2T1\bin\KwMusic.exe
FirewallRules: [{DFBFC77E-9892-4813-84D3-B3383C10BF00}] => (Allow) C:\Program Files (x86)\kuwo\kuwomusic\8.7.3.1_P2T1\bin\KwMusic.exe
FirewallRules: [{D4926BB0-7AD9-4153-BB59-F07D5529E87B}] => (Allow) C:\Program Files (x86)\kuwo\kuwomusic\8.7.3.1_P2T1\bin\KwService.exe
FirewallRules: [{17CDEE68-80EF-4755-8BEA-CD0BCB336C22}] => (Allow) C:\Program Files (x86)\kuwo\kuwomusic\8.7.3.1_P2T1\bin\KwService.exe
FirewallRules: [{72883C5E-D948-4467-B60E-9F0CCD748913}] => (Allow) C:\Program Files (x86)\360\360Safe\LiveUpdate360.exe
FirewallRules: [{C498C53B-3570-4804-B0A4-A9D32F862D3B}] => (Allow) C:\Program Files (x86)\360\360Safe\LiveUpdate360.exe
FirewallRules: [{67D943D7-B96A-4914-94A0-0F1262A9326C}] => (Allow) C:\Users\user\AppData\Roaming\360se6\Application\360se.exe
FirewallRules: [{A83D0BEB-B973-4198-8AE7-706091A78264}] => (Allow) C:\Users\user\AppData\Roaming\360se6\Application\360se.exe
FirewallRules: [{7BD0FBD8-BCF3-4335-9B6F-5E04A2C595D8}] => (Allow) C:\Users\user\AppData\Roaming\360se6\Application\8.1.1.158\installer\seup.exe
FirewallRules: [{DF1BA19A-EC4A-443F-B6E4-ABD6A0038245}] => (Allow) C:\Users\user\AppData\Roaming\360se6\Application\8.1.1.158\installer\seup.exe
FirewallRules: [{1E01444D-7D97-49C7-8ADE-C885A66F1B91}] => (Allow) C:\Program Files (x86)\360\360Safe\safemon\360Tray.exe
FirewallRules: [{B86FCD71-331E-43A9-914B-ED9A6348D295}] => (Allow) C:\Program Files (x86)\360\360Safe\safemon\360Tray.exe
FirewallRules: [{CCAE8DEA-0244-44A3-8634-72C4161953D7}] => (Allow) C:\Program Files (x86)\360\360Safe\netmon\360SpeedTest.exe
FirewallRules: [{15BDC397-8BF7-4ABB-A938-ACD023CD2988}] => (Allow) C:\Program Files (x86)\360\360Safe\netmon\360SpeedTest.exe
FirewallRules: [{8FD6E845-E93A-4FBF-9874-D2B085D41606}] => (Allow) C:\Program Files (x86)\kingsoft\kwifi\kwifi.exe
FirewallRules: [{4BA08843-A938-4E48-A5E5-27C1CE20A030}] => (Allow) C:\Program Files (x86)\kingsoft\kingsoft antivirus\xlmodule\download\minithunderplatform.exe
FirewallRules: [{E97B9C51-E7C8-4D0E-9A37-5F6098FB80F8}] => (Allow) C:\Program Files (x86)\kingsoft\kingsoft antivirus\xlmodule\download\minithunderplatform.exe
FirewallRules: [{9C6129C9-C4EA-47A7-B4BE-F675AEEC7599}] => (Allow) C:\Program Files (x86)\kingsoft\kingsoft antivirus\xlmodule\download\minithunderplatform.exe
FirewallRules: [{48C380B9-F155-471D-BA92-AA050DEFADC7}] => (Allow) C:\Program Files (x86)\kingsoft\kingsoft antivirus\xlmodule\download\minithunderplatform.exe
FirewallRules: [{0AD61916-D328-417D-860F-778A4AF0A4A8}] => (Allow) C:\Program Files (x86)\zk\zkremote\zkremote.exe
FirewallRules: [{4893638A-04E5-485A-8F69-E47D264D6E9B}] => (Allow) C:\Program Files (x86)\360\360Safe\safemon\360tray.exe
FirewallRules: [{6FE275A1-414A-412A-A4D5-D26B49978124}] => (Allow) C:\Program Files (x86)\360\360Safe\safemon\360tray.exe
FirewallRules: [{94605161-F3C6-4334-8EDE-DC6FE4BAF7D8}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\outlook.exe
FirewallRules: [{325D4AFF-8A37-4604-9B01-DC40BB4B7A57}] => (Allow) C:\Users\user\AppData\Local\liebao\6.5.115.17898\Module\thunder\download\MiniThunderPlatform.exe
FirewallRules: [{D2062146-83F1-4211-98EC-3B1A1668EC6A}] => (Allow) C:\Users\user\AppData\Local\liebao\6.5.115.17898\Module\thunder\download\MiniThunderPlatform.exe
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\拇指通科技\赖子山庄\games\bieqipk\bieqi.exe] => \:*:Enabled:\憋七
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\拇指通科技\赖子山庄\games\jjddzpk\jjddz.exe] => \:*:Enabled:\竞技斗地主
 
==================== Restore Points =========================
 
26-11-2017 23:57:50 Windows Modules Installer
27-11-2017 00:05:35 Windows Modules Installer
01-12-2017 16:09:58 Device Driver Package Install: Microsoft Network Adapter
16-12-2017 22:11:36 Windows Modules Installer
16-12-2017 22:17:47 Windows Modules Installer
 
==================== Faulty Device Manager Devices =============
 
Name: Security Processor Loader Driver
Description: Security Processor Loader Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: spldr
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.
 
Name: bootsafe
Description: bootsafe
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: bootsafe
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.
 
Name: WiMAX Bus Eumerator
Description: WiMAX Bus Eumerator
Class Guid: 
Manufacturer: 
Service: 
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
Name: KAVBootC
Description: KAVBootC
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: KAVBootC
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (04/09/2018 10:12:00 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1511) (User: user-PC)
Description: Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.

Error: (04/09/2018 10:12:00 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1515) (User: user-PC)
Description: Windows has backed up this user's profile. Windows will automatically try to use the backed-up profile the next time this user logs on.

Error: (04/09/2018 10:12:00 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1502) (User: user-PC)
Description: Windows cannot load the locally stored profile. Possible causes of this error include insufficient security rights or a corrupt local profile.

 DETAIL - An I/O operation initiated by the Registry failed unrecoverably. The Registry could not read in, or write out, or flush, one of the files that contain the system's image of the Registry.

Error: (04/09/2018 10:12:00 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1508) (User: NT AUTHORITY)
Description: Windows was unable to load the registry. This problem is often caused by insufficient memory or insufficient security rights.

 DETAIL - An I/O operation initiated by the Registry failed unrecoverably for C:\Users\user\ntuser.dat. The Registry could not read in, or write out, or flush, one of the files that contain the system's image of the Registry.

Error: (04/09/2018 09:50:26 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1511) (User: user-PC)
Description: Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.

Error: (04/09/2018 09:50:26 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1515) (User: user-PC)
Description: Windows has backed up this user's profile. Windows will automatically try to use the backed-up profile the next time this user logs on.

Error: (04/09/2018 09:50:26 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1502) (User: user-PC)
Description: Windows cannot load the locally stored profile. Possible causes of this error include insufficient security rights or a corrupt local profile.

 DETAIL - An I/O operation initiated by the Registry failed unrecoverably. The Registry could not read in, or write out, or flush, one of the files that contain the system's image of the Registry.

Error: (04/09/2018 09:50:26 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1508) (User: NT AUTHORITY)
Description: Windows was unable to load the registry. This problem is often caused by insufficient memory or insufficient security rights.

 DETAIL - An I/O operation initiated by the Registry failed unrecoverably for C:\Users\user\ntuser.dat. The Registry could not read in, or write out, or flush, one of the files that contain the system's image of the Registry.
 
 
System errors:
=============
Error: (04/09/2018 10:39:30 PM) (Source: Disk) (EventID: 7) (User: )
Description: The device, \Device\Harddisk0\DR0, has a bad block.

Error: (04/09/2018 10:39:27 PM) (Source: Disk) (EventID: 7) (User: )
Description: The device, \Device\Harddisk0\DR0, has a bad block.

Error: (04/09/2018 10:39:24 PM) (Source: Disk) (EventID: 7) (User: )
Description: The device, \Device\Harddisk0\DR0, has a bad block.

Error: (04/09/2018 10:39:20 PM) (Source: Disk) (EventID: 7) (User: )
Description: The device, \Device\Harddisk0\DR0, has a bad block.

Error: (04/09/2018 10:39:17 PM) (Source: Disk) (EventID: 7) (User: )
Description: The device, \Device\Harddisk0\DR0, has a bad block.

Error: (04/09/2018 10:39:14 PM) (Source: Disk) (EventID: 7) (User: )
Description: The device, \Device\Harddisk0\DR0, has a bad block.

Error: (04/09/2018 10:39:10 PM) (Source: Disk) (EventID: 7) (User: )
Description: The device, \Device\Harddisk0\DR0, has a bad block.

Error: (04/09/2018 10:39:07 PM) (Source: Disk) (EventID: 7) (User: )
Description: The device, \Device\Harddisk0\DR0, has a bad block.
 
 
Windows Defender:
===================================
Date: 2016-09-13 16:49:10.165
Description: 
Windows Defender has detected spyware or other potentially unwanted software.
For more information please see the following:
Name: BrowserModifier:Win32/Xiazai
ID: 223573
Severity: High
Category: Browser Modifier
Path Found: file:C:\360安全浏览器下载\iPadia2(iPad模拟器)2014@2247_35579.exe
Detection Type: Concrete
Detection Source: System
Status: Unknown
User: NT AUTHORITY\SYSTEM
Process Name:

Date: 2016-09-11 16:52:08.982
Description: 
Windows Defender has detected spyware or other potentially unwanted software.
For more information please see the following:
Name: BrowserModifier:Win32/Xiazai
ID: 223573
Severity: High
Category: Browser Modifier
Path Found: file:C:\360安全浏览器下载\iPadia2(iPad模拟器)2014@2247_35579.exe
Detection Type: Concrete
Detection Source: System
Status: Unknown
User: NT AUTHORITY\SYSTEM
Process Name:

Date: 2016-09-10 14:38:14.679
Description: 
Windows Defender has detected spyware or other potentially unwanted software.
For more information please see the following:
Name: BrowserModifier:Win32/Xiazai
ID: 223573
Severity: High
Category: Browser Modifier
Path Found: file:C:\360安全浏览器下载\iPadia2(iPad模拟器)2014@2247_35579.exe
Detection Type: Concrete
Detection Source: System
Status: Unknown
User: NT AUTHORITY\SYSTEM
Process Name:

Date: 2016-09-09 23:56:58.570
Description: 
Windows Defender has detected spyware or other potentially unwanted software.
For more information please see the following:
Name: BrowserModifier:Win32/Xiazai
ID: 223573
Severity: High
Category: Browser Modifier
Path Found: file:C:\360安全浏览器下载\iPadia2(iPad模拟器)2014@2247_35579.exe
Detection Type: Concrete
Detection Source: System
Status: Unknown
User: NT AUTHORITY\SYSTEM
Process Name:

Date: 2016-09-08 23:15:30.220
Description: 
Windows Defender has detected spyware or other potentially unwanted software.
For more information please see the following:
Name: BrowserModifier:Win32/Xiazai
ID: 223573
Severity: High
Category: Browser Modifier
Path Found: file:C:\360安全浏览器下载\iPadia2(iPad模拟器)2014@2247_35579.exe
Detection Type: Concrete
Detection Source: System
Status: Unknown
User: NT AUTHORITY\SYSTEM
Process Name:

Date: 2017-02-07 22:55:56.614
Description: 
Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.
Signatures Attempted: Current
Error Code: 0x80070002
Error description: The system cannot find the file specified. 
Signature version: 0.0.0.0
Engine version: 0.0.0.0

Date: 2017-02-07 22:55:56.614
Description: 
Windows Defender has encountered an error trying to update signatures.
New Signature Version: 
Previous Signature Version: 
Update Source: Signature Update Folder
Signature Type: AntiSpyware
Update Type: Delta
User: NT AUTHORITY\SYSTEM
Current Engine Version: 
Previous Engine Version: 
Error code: 0x80070002
Error description: The system cannot find the file specified. 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i5-2450M CPU @ 2.50GHz
Percentage of memory in use: 11%
Total physical RAM: 8086.17 MB
Available physical RAM: 7184.79 MB
Total Virtual: 16170.52 MB
Available Virtual: 15316.7 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:698.54 GB) (Free:620.24 GB) NTFS
Drive f: (USB) (Removable) (Total:14.6 GB) (Free:11.99 GB) FAT32
 
\\?\Volume{7e7b956e-1101-11e5-bf3f-806e6f6e6963}\ (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 698.6 GB) (Disk ID: 07F2837E)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=698.5 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 14.6 GB) (Disk ID: 00273DE6)
Partition 1: (Active) - (Size=14.6 GB) - (Type=0C)
 
==================== End of Addition.txt ============================
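Two lines in the Scheduled Tasks section above deserve a second look even before a helper replies: both `{1717748E-...}` and `{9D1B20D0-...}` launch `C:\Windows\system32\pcalua.exe -a <path>`. pcalua.exe is the Program Compatibility Assistant launcher; whatever follows `-a` is what actually runs, which is why LOLBin catalogues list it as an execution proxy. The paths it hands off to here sit on the Desktop and in `AppData\Local\Temp`, places any user-level process can write to, and the FirewallRules section likewise contains `(Allow)` rules for executables under `AppData`. The Event log section adds a non-malware lead: eight `Disk` EventID 7 bad-block errors in under thirty seconds and a `ntuser.dat` hive that the Registry could not read (EventID 1508), which can on their own explain a machine that freezes on every click.

The script below is an added example written for this page; it is not FRST's code and not part of any post in the thread. It parses the `Task:`, `FirewallRules:` and `Error:` line shapes exactly as they appear in the log above (the sample is a constructed subset copied from it), resolves the pcalua proxy to the real target, and flags entries a triager would want to open first. The finding labels and the "user-writable" path list are this example's own conventions, not FRST's.

```python
"""Triage helper for the Scheduled Tasks, FirewallRules and Event log
sections of an FRST Addition.txt.  Added example for this thread; it is not
FRST's own code and not part of any post.  It assumes the line layouts
visible in the log above; lines in any other shape are ignored."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: a subset of lines copied from the Addition.txt posted above.
SAMPLE = r"""
Task: {1D8CA44D-F0FC-4E6A-A394-B553B13E572E} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-06-20] (Google Inc.)
Task: {20DED5D7-BBC3-4F50-9D73-EF1C6F3A84A7} - \{FD8CAE6F-A69D-4899-A029-DEB5B3EBC3A8} -> No File <==== ATTENTION
Task: {62471158-BB40-407F-8DB0-5A916BBB047B} - System32\Tasks\{1717748E-C5A9-4170-AE36-3BC2388BAEAB} => C:\Windows\system32\pcalua.exe -a C:\Users\user\Desktop\laizi_hall_201607.exe -d C:\Users\user\Desktop
Task: {DF6BAD9F-04E8-40CF-9830-C73B82F55C58} - System32\Tasks\{9D1B20D0-AE04-4FFE-94CB-B10813E95839} => C:\Windows\system32\pcalua.exe -a C:\Users\user\AppData\Local\Temp\201614-142959\dotnet_setup.exe -d C:\Users\user\Downloads <==== ATTENTION
Task: C:\Windows\Tasks\QQBrowser Updater Task.job_ => C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe <==== ATTENTION
FirewallRules: [{1617A807-1508-47BF-BDBF-8B660E853416}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{67D943D7-B96A-4914-94A0-0F1262A9326C}] => (Allow) C:\Users\user\AppData\Roaming\360se6\Application\360se.exe
FirewallRules: [TCP Query User{5DEA17D9-416B-45DF-95EC-C9ED990EF59C}C:\users\user\appdata\roaming\kugou8\appstore\6\dlna_player.exe] => (Block) C:\users\user\appdata\roaming\kugou8\appstore\6\dlna_player.exe
Error: (04/09/2018 10:12:00 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1508) (User: NT AUTHORITY)
Error: (04/09/2018 10:39:30 PM) (Source: Disk) (EventID: 7) (User: )
Error: (04/09/2018 10:39:27 PM) (Source: Disk) (EventID: 7) (User: )
"""

TASK_RE = re.compile(r"^Task: (?P<id>.*?) (?:- (?P<name>.*?) )?(?:=>|->) (?P<command>.*?)(?P<attention> <==== ATTENTION)?$")
RULE_RE = re.compile(r"^FirewallRules: \[(?P<id>.*?)\] => \((?P<action>Allow|Block)\) (?P<command>.*)$")
EVENT_RE = re.compile(r"^Error: \(.*?\) \(Source: (?P<source>[^)]*)\) \(EventID: (?P<eid>\d+)\)")
FILEINFO_RE = re.compile(r" \[\d{4}-\d{2}-\d{2}\] \(.*\)$")   # FRST's trailing "[date] (publisher)"
PCALUA_RE = re.compile(r"\\pcalua\.exe\s+-a\s+(?P<target>.+?)(?:\s+-d\s.*)?$", re.I)
# Example's own list of locations a non-admin process can write to.
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\(AppData|Desktop|Downloads)\\|\\Temp\\", re.I)


@dataclass
class Entry:
    kind: str                   # "task" or "firewall"
    entry_id: str
    command: str                # as printed by FRST, minus the trailing file info
    frst_attention: bool = False
    action: str | None = None   # firewall rules only: "Allow" or "Block"
    findings: list[str] = field(default_factory=list)


def parse(text: str) -> list[Entry]:
    entries = []
    for line in text.splitlines():
        if m := TASK_RE.match(line.strip()):
            entries.append(Entry("task", m["id"], FILEINFO_RE.sub("", m["command"]), bool(m["attention"])))
        elif m := RULE_RE.match(line.strip()):
            entries.append(Entry("firewall", m["id"], m["command"], action=m["action"]))
    return entries


def effective_target(command: str) -> str:
    """The executable really launched.  pcalua.exe (the Program Compatibility
    Assistant launcher) runs whatever follows -a, so that path, not pcalua.exe
    itself, is the thing to vet."""
    m = PCALUA_RE.search(command)
    return m["target"] if m else command


def triage(e: Entry) -> Entry:
    target = effective_target(e.command)
    if e.frst_attention:
        e.findings.append("frst_attention")
    if e.command.startswith("No File"):
        e.findings.append("missing_file")        # orphaned task: the scheduler points at nothing
    if target != e.command:
        e.findings.append("pcalua_proxy")        # launch proxied through a signed Windows binary
    if USER_WRITABLE_RE.search(target):
        if e.kind == "firewall" and e.action == "Allow":
            e.findings.append("allow_rule_user_writable")   # a dropped file can reuse this hole
        elif e.kind == "task":
            e.findings.append("user_writable_target")
    return e


def report(text: str) -> dict[str, list[str]]:
    """Flagged entry id -> findings; clean entries are omitted."""
    return {e.entry_id: e.findings for e in map(triage, parse(text)) if e.findings}


def event_counts(text: str) -> Counter:
    """(source, event id) -> count.  Repeated Disk 7 bad-block errors, as in
    the log above, are a hardware lead to chase alongside any malware findings."""
    c: Counter = Counter()
    for line in text.splitlines():
        if m := EVENT_RE.match(line.strip()):
            c[(m["source"], int(m["eid"]))] += 1
    return c


if __name__ == "__main__":
    for entry_id, findings in report(SAMPLE).items():
        print(entry_id, "->", ", ".join(findings))
    for (source, eid), n in event_counts(SAMPLE).most_common():
        print(f"{source} EventID {eid}: {n}x")
```

Run against the full Addition.txt, the report points at the two pcalua-launched executables, the orphaned task, the QQBrowser `.job_` files FRST already marked, and every `(Allow)` rule for a binary under the user profile; the event counter separates the disk errors from the profile-service ones so the hardware question is not lost in the malware hunt. Only the `Task:` and `FirewallRules:` shapes shown above are parsed, so a differently formatted FRST version would need the regexes adjusted.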


#3 Oh My! (Malware Response Instructor, 36,161 posts, Male, California)

Posted 10 April 2018 - 07:46 PM

Greetings james.z and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

What program(s) did you download that you are concerned about?

I would like you to back up all of your data files, like music, documents, photos, etc. Please let me know when you have been able to do that.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#4 Oh My!

  • Malware Response Instructor

Posted 13 April 2018 - 09:55 PM

Greetings,

===================================================

Do You Still Need Help?

It has been 3 days since my last post.
  • Do you still need help with this?
  • If you have not replied within 48 hours I will assume you have abandoned the Topic and it will be closed.

Gary

#5 Oh My!

  • Malware Response Instructor

Posted 15 April 2018 - 01:23 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
Gary
