
DarkComet RAT


  • This topic is locked
8 replies to this topic

#1 Er1cL1n

Er1cL1n

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:57 AM

Posted 26 May 2018 - 08:23 PM

I downloaded something from MPGH and it started logging into my accounts and posting stuff on forums. I have booted into safe mode and used Malwarebytes to remove the virus. Here are the logs.

 

Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 5/26/18
Scan Time: 8:52 AM
Log File: b1b28165-60e3-11e8-83aa-000000000000.json
Administrator: Yes
 
-Software Information-
Version: 3.4.5.2467
Components Version: 1.0.342
Update Package Version: 1.0.5258
License: Free
 
-System Information-
OS: Windows 8
CPU: x64
File System: NTFS
User: LENOVO-PC\lenovo
 
-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 290405
Threats Detected: 4
Threats Quarantined: 4
Time Elapsed: 2 min, 12 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 1
Backdoor.DarkComet.Trace, HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\SOFTWARE\DC3_FEXEC, Quarantined, [6907], [246706],1.0.5258
 
Registry Value: 1
Trojan.Agent, HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|SERVER RUNTIME SUBSYSTEM, Quarantined, [385], [196479],1.0.5258
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 1
Trojan.StolenData, C:\USERS\LENOVO\APPDATA\ROAMING\DCLOGS, Quarantined, [3619], [250094],1.0.5258
 
File: 1
Trojan.StolenData, C:\USERS\LENOVO\APPDATA\ROAMING\DCLOGS\2018-05-25-6.dc, Quarantined, [3619], [250094],1.0.5258
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)
 
Does this mean I'm in the clear, or are there extra precautions to take to figure out if it is still in fact on my system watching me type every word right now?
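The artifacts Malwarebytes quarantined above are the usual DarkComet footprint: a per-user configuration key (SOFTWARE\DC3_FEXEC), a Run value ("SERVER RUNTIME SUBSYSTEM") that restarts the client at logon, and a keystroke log dropped under %APPDATA%\dclogs as dated .dc files. The following is an added triage script, not from the original post and not part of Malwarebytes or FRST, that re-checks those same locations (and the machine-wide Run keys, which the posted scan did not flag) so a reader can confirm nothing was missed or recreated. It assumes user profiles live under C:\Users and is meant to be run from an elevated PowerShell prompt so it can read every loaded user hive; the hive pattern and the lists of value and key names are assumptions drawn only from the log above.

```powershell
# Added example: re-check the DarkComet persistence and keylog locations named in the
# Malwarebytes log (HKU\<SID>\SOFTWARE\DC3_FEXEC, Run value "SERVER RUNTIME SUBSYSTEM",
# %APPDATA%\dclogs\*.dc). Not from the original post, Malwarebytes or FRST. Run elevated.
function Get-DarkCometArtifacts {
    [CmdletBinding()]
    param(
        # Names taken from the log; both lists are assumptions that can be extended.
        [string[]] $RunValueNames  = @('SERVER RUNTIME SUBSYSTEM'),
        [string[]] $ConfigKeyNames = @('DC3_FEXEC'),
        [string]   $ProfileRoot    = 'C:\Users'
    )

    $findings = New-Object System.Collections.Generic.List[object]
    $providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

    # Expose HKEY_USERS so every loaded user hive can be inspected, not just HKCU.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        $null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS
    }

    # Real user hives look like S-1-5-21-a-b-c-rid (the log shows ...-1001); skip *_Classes hives.
    $userHives = Get-ChildItem HKU:\ -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }

    foreach ($hive in $userHives) {
        $sid = $hive.PSChildName

        # (a) DarkComet configuration key in the user hive.
        foreach ($name in $ConfigKeyNames) {
            $path = "HKU:\$sid\SOFTWARE\$name"
            if (Test-Path $path) {
                $findings.Add([pscustomobject]@{ Type = 'ConfigKey'; Location = $path; Detail = 'DarkComet config key present' })
            }
        }

        # (b) Per-user Run key: flag the known value name, list every other value for manual review.
        $runPath = "HKU:\$sid\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        if (Test-Path $runPath) {
            $run = Get-ItemProperty -Path $runPath
            foreach ($prop in $run.PSObject.Properties) {
                if ($providerProps -contains $prop.Name) { continue }   # provider metadata, not a Run value
                $type = if ($RunValueNames -contains $prop.Name) { 'RunValue(KNOWN)' } else { 'RunValue(review)' }
                $findings.Add([pscustomobject]@{ Type = $type; Location = "$runPath|$($prop.Name)"; Detail = $prop.Value })
            }
        }
    }

    # (c) Machine-wide Run keys (64-bit and 32-bit views) for the same value names.
    $machineRun = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run')
    foreach ($runPath in $machineRun) {
        if (-not (Test-Path $runPath)) { continue }
        $run = Get-ItemProperty -Path $runPath
        foreach ($name in $RunValueNames) {
            if ($run.PSObject.Properties.Name -contains $name) {
                $findings.Add([pscustomobject]@{ Type = 'RunValue(KNOWN)'; Location = "$runPath|$name"; Detail = $run.$name })
            }
        }
    }

    # (d) Keylog drop folder in every profile on disk, with the .dc files it holds.
    foreach ($profile in Get-ChildItem $ProfileRoot -Directory -ErrorAction SilentlyContinue) {
        $dclogs = Join-Path $profile.FullName 'AppData\Roaming\dclogs'
        if (Test-Path $dclogs) {
            $files = @(Get-ChildItem $dclogs -Filter '*.dc' -File -ErrorAction SilentlyContinue)
            $findings.Add([pscustomobject]@{ Type = 'KeylogFolder'; Location = $dclogs; Detail = "$($files.Count) .dc file(s)" })
            foreach ($f in $files) {
                $findings.Add([pscustomobject]@{ Type = 'KeylogFile'; Location = $f.FullName; Detail = "$($f.Length) bytes, written $($f.LastWriteTime)" })
            }
        }
    }

    return $findings
}

$results = Get-DarkCometArtifacts
if ($results.Count -eq 0) {
    Write-Host 'No DarkComet artifacts found at the locations checked.'
} else {
    $results | Sort-Object Type | Format-Table -AutoSize -Wrap
}
```

Two caveats that the log itself supports: the posted scan ran with "Rootkits: Disabled", so a clean result from it says nothing about a component hiding at kernel level, and the scan should be repeated with rootkit scanning enabled; and the quarantined 2018-05-25-6.dc file is a keystroke log, so anything typed while it was being written (account passwords in particular) should be treated as captured and changed from a machine known to be clean.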


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,567 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:57 AM

Posted 27 May 2018 - 06:50 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Let's check further.

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===

Please post the logs for my review.

Wait for further instructions.

#3 Er1cL1n

Er1cL1n
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:57 AM

Posted 27 May 2018 - 09:00 AM

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 16.05.2018 01
Ran by lenovo (27-05-2018 09:58:56)
Running from C:\Users\lenovo\Downloads
Windows 10 Home China Version 1607 14393.2214 (X64) (2017-01-15 23:54:26)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-1760713586-1289027972-3592165009-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-1760713586-1289027972-3592165009-503 - Limited - Disabled)
Guest (S-1-5-21-1760713586-1289027972-3592165009-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1760713586-1289027972-3592165009-1006 - Limited - Enabled)
lenovo (S-1-5-21-1760713586-1289027972-3592165009-1001 - Administrator - Enabled) => C:\Users\lenovo
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 18.011.20040 - Adobe Systems Incorporated)
Adobe After Effects CS6 (HKLM-x32\...\{4817D846-700B-474E-A31B-80892B3E92E3}) (Version: 11 - Adobe Systems Incorporated)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 28.0.0.127 - Adobe Systems Incorporated)
Adobe Creative Cloud (HKLM-x32\...\Adobe Creative Cloud) (Version: 4.4.1.298 - Adobe Systems Incorporated)
Adobe Flash Player 29 PPAPI (HKLM-x32\...\Adobe Flash Player PPAPI) (Version: 29.0.0.171 - Adobe Systems Incorporated)
Adobe Photoshop CC 2017 (HKLM-x32\...\PHSP_18_0_1) (Version: 18.0.1 - Adobe Systems Incorporated)
ANT Drivers Installer x64 (HKLM\...\{3DE56A70-06BA-4863-8FBB-45D041AF0C7A}) (Version: 2.3.4 - Garmin Ltd or its subsidiaries) Hidden
Apple Application Support (HKLM-x32\...\{46F044A5-CE8B-4196-984E-5BD6525E361D}) (Version: 2.3.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
AutoHotkey 1.1.28.02 (HKLM\...\AutoHotkey) (Version: 1.1.28.02 - Lexikos)
Canon IJ Network Scanner Selector EX (HKLM-x32\...\Canon_IJ_Network_Scanner_Selector_EX) (Version:  - Canon Inc.)
Canon IJ Network Tool (HKLM-x32\...\Canon_IJ_Network_UTILITY) (Version: 3.2.0 - Canon Inc.)
Canon IJ Scan Utility (HKLM-x32\...\Canon_IJ_Scan_Utility) (Version:  - Canon Inc.)
Canon MX450 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX450_series) (Version: 1.01 - Canon Inc.)
Conexant HD Audio (HKLM\...\CNXT_AUDIO_HDA) (Version: 8.66.23.50 - Conexant)
Discord (HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\Discord) (Version: 0.0.301 - Discord Inc.)
DisplayDriverAnalyzer (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_DisplayDriverAnalyzer) (Version: 391.01 - NVIDIA Corporation) Hidden
Dolby Digital Plus Advanced Audio (HKLM\...\{B0BFC63F-EA07-419E-960B-3FB2ED5DD0B2}) (Version: 7.6.5.1 - Dolby Laboratories Inc)
Elevated Installer (HKLM-x32\...\{B7768089-44E1-4B51-9213-737959C689E5}) (Version: 6.3.0.0 - Garmin Ltd or its subsidiaries) Hidden
Epic Games Launcher Prerequisites (x64) (HKLM\...\{66C5838F-B854-4A55-89E6-A6138747A4DF}) (Version: 1.0.0.0 - Epic Games, Inc.) Hidden
FACEIT (HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\FACEITApp) (Version: 0.17.3 - FACEIT Ltd.)
FACEIT AC version 1.0 (HKLM\...\{1419E44C-0EF4-4822-9194-9F1A4D43973D}_is1) (Version: 1.0 - FACEIT LTD)
Garmin Express (HKLM-x32\...\{178D3388-656C-4326-BFFF-3607481CA5BB}) (Version: 6.3.0.0 - Garmin Ltd or its subsidiaries) Hidden
Garmin Express (HKLM-x32\...\{aa902576-9ab8-4371-98d1-efde885f775b}) (Version: 6.3.0.0 - Garmin Ltd or its subsidiaries)
Garmin Express Tray (HKLM-x32\...\{C6C8A534-050C-40E9-92FC-4D06A8A487C8}) (Version: 6.3.0.0 - Garmin Ltd or its subsidiaries) Hidden
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 66.0.3359.181 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.17 - Google Inc.) Hidden
Haste Esports Accelerator (HKLM\...\{0F2B71AF-97E9-4B65-9043-749C35A88AE4}) (Version: 1.00.0079 - Haste)
Java 8 Update 162 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180162F0}) (Version: 8.0.1620.12 - Oracle Corporation)
Launcher Prerequisites (x64) (HKLM-x32\...\{c6c5a357-c7ca-4a5f-9789-3bb1af579253}) (Version: 1.0.0.0 - Epic Games, Inc.) Hidden
Lenovo Mouse Suite (HKLM\...\MouseSuite98) (Version: 6.80 - Lenovo)
Lenovo Power Management Driver (HKLM\...\Power Management Driver) (Version: 1.67.12.23 - Lenovo) Hidden
Malwarebytes version 3.4.5.2467 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.4.5.2467 - Malwarebytes)
MEGAsync (HKLM-x32\...\MEGAsync) (Version:  - Mega Limited)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660 (HKLM-x32\...\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}) (Version: 12.0.40660.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40660 (HKLM-x32\...\{61087a79-ac85-455c-934d-1fa22cc64f36}) (Version: 12.0.40660.0 - Microsoft Corporation)
Microsoft Visual C++ 2017 Redistributable (x64) - 14.12.25810 (HKLM-x32\...\{e2ee15e2-a480-4bc5-bfb7-e9803d1d9823}) (Version: 14.12.25810.0 - Microsoft Corporation)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.12.25810 (HKLM-x32\...\{56e11d69-7cc9-40a5-a4f9-8f6190c4d84d}) (Version: 14.12.25810.0 - Microsoft Corporation)
Minecraft (HKLM-x32\...\{1C16BCA3-EBC1-49F6-8623-8FBFB9CCC872}) (Version: 1.0.3.0 - Mojang)
MorphVOX Pro (HKLM-x32\...\{D6C764CB-86E1-4A7C-BBEC-F175E93CBE87}) (Version: 4.4.70.25100 - Screaming Bee)
NordVPN (HKLM-x32\...\{7296DD91-4FC7-47BB-B211-912D9E980FC7}) (Version: 6.13.13 - NordVPN) Hidden
NordVPN (HKLM-x32\...\NordVPN 6.13.13) (Version: 6.13.13 - NordVPN)
Notepad++ (64-bit x64) (HKLM\...\Notepad++) (Version: 7.5.1 - Notepad++ Team)
Nox APP Player (HKLM-x32\...\Nox) (Version: 6.1.0.0 - Duodian Technology Co. Ltd.)
NVIDIA PhysX System Software 9.17.0524 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.17.0524 - NVIDIA Corporation)
NVIDIA Graphics Driver 391.01 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 391.01 - NVIDIA Corporation)
OBS Studio (HKLM-x32\...\OBS Studio) (Version: 20.0.1 - OBS Project)
Process Hacker 2.39 (r124) (HKLM\...\Process_Hacker2_is1) (Version: 2.39.0.124 - wj32)
Python 3.6.4 (32-bit) (HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\{9218130b-5ad0-4cf7-82be-6993cfd6cb84}) (Version: 3.6.4150.0 - Python Software Foundation)
Python 3.6.4 Add to Path (32-bit) (HKLM-x32\...\{B7F6071F-CC88-469C-9AC6-BEBA83594819}) (Version: 3.6.4150.0 - Python Software Foundation) Hidden
Python 3.6.4 Core Interpreter (32-bit) (HKLM-x32\...\{D188614B-E656-4EF1-9F5A-23559EBE8F5A}) (Version: 3.6.4150.0 - Python Software Foundation) Hidden
Python 3.6.4 Development Libraries (32-bit) (HKLM-x32\...\{C3797E33-967D-4687-8F1A-9DE771A00125}) (Version: 3.6.4150.0 - Python Software Foundation) Hidden
Python 3.6.4 Documentation (32-bit) (HKLM-x32\...\{E09874D3-E898-4AB6-B043-EE24DF786088}) (Version: 3.6.4150.0 - Python Software Foundation) Hidden
Python 3.6.4 Executables (32-bit) (HKLM-x32\...\{47A75DB9-F3F5-4697-9261-DBA5162DBB9E}) (Version: 3.6.4150.0 - Python Software Foundation) Hidden
Python 3.6.4 pip Bootstrap (32-bit) (HKLM-x32\...\{54142B43-2FA5-4BBA-BF03-27C10EB50C1E}) (Version: 3.6.4150.0 - Python Software Foundation) Hidden
Python 3.6.4 Standard Library (32-bit) (HKLM-x32\...\{2832768E-9BCA-4421-950C-7186B3BDFC45}) (Version: 3.6.4150.0 - Python Software Foundation) Hidden
Python 3.6.4 Tcl/Tk Support (32-bit) (HKLM-x32\...\{20888FA1-8127-42E3-969F-9BF93245AC83}) (Version: 3.6.4150.0 - Python Software Foundation) Hidden
Python 3.6.4 Test Suite (32-bit) (HKLM-x32\...\{D14FB2FA-51B2-415C-93BF-5053102235EE}) (Version: 3.6.4150.0 - Python Software Foundation) Hidden
Python 3.6.4 Utility Scripts (32-bit) (HKLM-x32\...\{D0730E44-E519-4F39-B926-E2FC0449D67C}) (Version: 3.6.4150.0 - Python Software Foundation) Hidden
Python Launcher (HKLM-x32\...\{B42FF40A-60D4-4096-AC47-C86153D72797}) (Version: 3.6.6196.0 - Python Software Foundation)
QuickTime 7 (HKLM-x32\...\{FF59BD75-466A-4D5A-AD23-AAD87C5FD44C}) (Version: 7.79.80.95 - Apple Inc.)
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 10.0.14393.29093 - Realtek Semiconductor Corp.)
Sandboxie 5.24 (64-bit) (HKLM\...\Sandboxie) (Version: 5.24 - Sandboxie Holdings, LLC)
Skype™ 7.37 (HKLM-x32\...\{3B7E914A-93D5-4A29-92BB-AF8C3F66C431}) (Version: 7.37.103 - Skype Technologies S.A.)
Speccy (HKLM\...\Speccy) (Version: 1.31 - Piriform)
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
TAP-NordVPN 9.21.2 (HKLM\...\TAP-NordVPN) (Version: 9.21.2 - NordVPN.com)
Thonny 2.1.17 (HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\Thonny_is1) (Version: 2.1.17 - Aivar Annamaa)
Update for Windows 10 for x64-based Systems (KB4023057) (HKLM\...\{5009B7EE-8A15-4A23-B404-15E31D02DA67}) (Version: 2.43.0.0 - Microsoft Corporation)
UpdateAssistant (HKLM\...\{57D07AAD-97E2-4E16-89C4-1A3C51BC9C98}) (Version: 1.16.0.0 - Microsoft Corporation) Hidden
Vulkan Run Time Libraries 1.0.65.1 (HKLM\...\VulkanRT1.0.65.1) (Version: 1.0.65.1 - LunarG, Inc.) Hidden
Windows Setup Remediations (x64) (KB4023057) (HKLM\...\{5534e02f-0f5d-40dd-ba92-bea38d22384d}.sdb) (Version:  - )
WinPcap 4.1.3 (HKLM-x32\...\WinPcapInst) (Version: 4.1.0.2980 - CACE Technologies)
WinRAR 5.40 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.40.0 - win.rar GmbH)
WPS Office (10.2.0.6020) (HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\Kingsoft Office) (Version: 10.2.0.6020 - Kingsoft Corp.)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-1760713586-1289027972-3592165009-1001_Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32 -> C:\WINDOWS\system32\oleaut32.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1760713586-1289027972-3592165009-1001_Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32 -> C:\WINDOWS\system32\oleaut32.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1760713586-1289027972-3592165009-1001_Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32 -> C:\WINDOWS\system32\oleaut32.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1760713586-1289027972-3592165009-1001_Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InprocServer32 -> C:\WINDOWS\system32\oleaut32.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1760713586-1289027972-3592165009-1001_Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32 -> C:\WINDOWS\system32\oleaut32.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1760713586-1289027972-3592165009-1001_Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InprocServer32 -> C:\WINDOWS\system32\oleaut32.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1760713586-1289027972-3592165009-1001_Classes\CLSID\{70239788-4DAE-49B8-9270-5D8614384B49}\InprocServer32 -> C:\Users\lenovo\AppData\Local\Kingsoft\WPS Office\10.2.0.6020\office6\addons\kpdf2wordshellext\kpdf2wordshellext64.dll (Zhuhai Kingsoft Office Software Co.,Ltd)
CustomCLSID: HKU\S-1-5-21-1760713586-1289027972-3592165009-1001_Classes\CLSID\{e8c77137-e224-5791-b6e9-ff0305797a13}\InprocServer32 -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll (Adobe Systems)
ShellIconOverlayIdentifiers: [ MEGA (Pending)] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\ProgramData\MEGAsync\ShellExtX64.dll [2017-11-16] ()
ShellIconOverlayIdentifiers: [ MEGA (Synced)] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\ProgramData\MEGAsync\ShellExtX64.dll [2017-11-16] ()
ShellIconOverlayIdentifiers: [ MEGA (Syncing)] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\ProgramData\MEGAsync\ShellExtX64.dll [2017-11-16] ()
ShellIconOverlayIdentifiers: [   AccExtIco1] -> {AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47} => C:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2018-02-10] ()
ShellIconOverlayIdentifiers: [   AccExtIco2] -> {853B7E05-C47D-4985-909A-D0DC5C6D7303} => C:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2018-02-10] ()
ShellIconOverlayIdentifiers: [   AccExtIco3] -> {42D38F2E-98E9-4382-B546-E24E4D6D04BB} => C:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2018-02-10] ()
ShellIconOverlayIdentifiers-x32: [ MEGA (Pending)] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\ProgramData\MEGAsync\ShellExtX64.dll [2017-11-16] ()
ShellIconOverlayIdentifiers-x32: [ MEGA (Synced)] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\ProgramData\MEGAsync\ShellExtX64.dll [2017-11-16] ()
ShellIconOverlayIdentifiers-x32: [ MEGA (Syncing)] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\ProgramData\MEGAsync\ShellExtX64.dll [2017-11-16] ()
ContextMenuHandlers1: [AccExt] -> {2A118EB5-5797-4F5E-8B3D-F4ECBA3C98E4} => C:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2018-02-10] ()
ContextMenuHandlers1: [ANotepad++64] -> {B298D29A-A6ED-11DE-BA8C-A68E55D89593} => C:\Program Files\Notepad++\NppShell_06.dll [2017-08-28] ()
ContextMenuHandlers1: [MEGA (Context menu)] -> {0229E5E7-09E9-45CF-9228-0228EC7D5F17} => C:\ProgramData\MEGAsync\ShellExtX64.dll [2017-11-16] ()
ContextMenuHandlers1: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2016-08-15] (Alexander Roshal)
ContextMenuHandlers1-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2016-08-15] (Alexander Roshal)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-03-27] (Malwarebytes)
ContextMenuHandlers3: [MEGA (Context menu)] -> {0229E5E7-09E9-45CF-9228-0228EC7D5F17} => C:\ProgramData\MEGAsync\ShellExtX64.dll [2017-11-16] ()
ContextMenuHandlers4: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} =>  -> No File
ContextMenuHandlers4: [MEGA (Context menu)] -> {0229E5E7-09E9-45CF-9228-0228EC7D5F17} => C:\ProgramData\MEGAsync\ShellExtX64.dll [2017-11-16] ()
ContextMenuHandlers5: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} =>  -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\WINDOWS\system32\igfxpph.dll [2017-03-09] (Intel Corporation)
ContextMenuHandlers5: [NvCplDesktopContext] -> {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} => C:\WINDOWS\system32\nvshext.dll [2018-02-23] (NVIDIA Corporation)
ContextMenuHandlers6: [AccExt] -> {2A118EB5-5797-4F5E-8B3D-F4ECBA3C98E4} => C:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2018-02-10] ()
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-03-27] (Malwarebytes)
ContextMenuHandlers6: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2016-08-15] (Alexander Roshal)
ContextMenuHandlers6-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2016-08-15] (Alexander Roshal)
ContextMenuHandlers1_S-1-5-21-1760713586-1289027972-3592165009-1001: [kpdf2wordshellext] -> {70239788-4DAE-49B8-9270-5D8614384B49} => C:\Users\lenovo\AppData\Local\Kingsoft\WPS Office\10.2.0.6020\office6\addons\kpdf2wordshellext\kpdf2wordshellext64.dll [2018-04-03] (Zhuhai Kingsoft Office Software Co.,Ltd)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {027D795A-7ACE-48A3-8DA4-3A33BF21AFB4} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\ProgramData\Microsoft\Windows Defender\platform\4.14.17639.18041-0\MpCmdRun.exe [2018-04-25] (Microsoft Corporation)
Task: {1D136606-08C0-4C97-8176-030766513D36} - System32\Tasks\GarminUpdaterTask => C:\Program Files (x86)\Garmin\Express SelfUpdater\ExpressSelfUpdater.exe [2018-03-27] ()
Task: {254119B6-4574-4401-9D1C-F22B520F06A2} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan => C:\ProgramData\Microsoft\Windows Defender\platform\4.14.17639.18041-0\MpCmdRun.exe [2018-04-25] (Microsoft Corporation)
Task: {2F0F5542-5546-4CC5-B17C-F86EFB64F3F6} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-11-02] (Google Inc.)
Task: {46BDB45D-C715-4986-B86D-5BBE406FFE97} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-11-02] (Google Inc.)
Task: {5203226B-2775-4200-9E12-73B75361F6C6} - System32\Tasks\Adobe Flash Player Updater => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2018-05-09] (Adobe Systems Incorporated)
Task: {5BCC8179-3479-41E1-9055-F2390081FD5C} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\ProgramData\Microsoft\Windows Defender\platform\4.14.17639.18041-0\MpCmdRun.exe [2018-04-25] (Microsoft Corporation)
Task: {70C69765-FDBE-4389-ACA5-4C9BB6A2C061} - System32\Tasks\WpsExternal_lenovo_20180403161957 => C:\Users\lenovo\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe [2018-04-03] (Zhuhai Kingsoft Office Software Co.,Ltd)
Task: {7598C14A-09F1-4652-AC01-73C19B4AED90} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2018-02-09] (Adobe Systems Incorporated)
Task: {7E06CE16-FC45-4C48-B03E-06A861CF9071} - System32\Tasks\Adobe Flash Player PPAPI Notifier => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashUtil32_29_0_0_171_pepper.exe [2018-05-09] (Adobe Systems Incorporated)
Task: {99D5ACC3-C10E-48E3-854B-883C09D4227E} - System32\Tasks\CreateExplorerShellUnelevatedTask => C:\WINDOWS\explorer.exe /NOUACCHECK
Task: {A15E5EE0-CA01-48DF-9F31-C2350CAD86B1} - System32\Tasks\Red Giant Link => C:\Program Files\Red Giant Link\Red Giant Link.exe
Task: {A6DC274D-82AC-4AEA-8428-D0416F84B326} - System32\Tasks\{7DC9BEE2-DA71-4812-BDE1-E1D08BC45DD9} => C:\WINDOWS\system32\pcalua.exe -a C:\WINDOWS\RtCRU64.exe -c /u
Task: {B5450197-EF08-41F6-AAC4-7585A9FE6CF2} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\ProgramData\Microsoft\Windows Defender\platform\4.14.17639.18041-0\MpCmdRun.exe [2018-04-25] (Microsoft Corporation)
Task: {B7F301DA-189A-492F-8900-E418A152C0A5} - System32\Tasks\WpsUpdateTask_lenovo => C:\Users\lenovo\AppData\Local\Kingsoft\WPS Office\10.2.0.6020\wtoolex\wpsupdate.exe
Task: {E58BEAAE-6CC3-4856-84A5-DD6B3CC2342E} - System32\Tasks\AdobeAAMUpdater-1.0-MicrosoftAccount-eric_lin_2004@hotmail.com => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2016-07-01] (Adobe Systems Incorporated)
Task: {E64D3DD5-902F-4268-BA24-B8A8D0678812} - System32\Tasks\Adobe Uninstaller => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe [2018-02-14] (Adobe Systems Incorporated)
Task: {ED8EF876-775F-4FE6-901A-5D2159509BB3} - System32\Tasks\AdobeGCInvoker-1.0-MicrosoftAccount-eric_lin_2004@hotmail.com => C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGCInvokerUtility.exe [2018-01-05] (Adobe Systems, Incorporated)
Task: {F1887EE4-F892-4CF7-9E22-AE1D646C0E51} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {F4955D5E-A195-4B32-925C-53B292DB3954} - System32\Tasks\MEGA\MEGAsync Update Task S-1-5-21-1760713586-1289027972-3592165009-1001 => C:\ProgramData\MEGAsync\MEGAupdater.exe [2018-01-19] (Mega Limited)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
==================== Loaded Modules (Whitelisted) ==============
 
2016-07-16 07:42 - 2016-07-16 07:42 - 000231424 _____ () C:\WINDOWS\SYSTEM32\ism32k.dll
2018-04-10 19:00 - 2018-03-21 23:45 - 002681712 _____ () C:\WINDOWS\system32\CoreUIComponents.dll
2018-04-12 08:05 - 2018-02-24 00:36 - 000543248 _____ () C:\Program Files\NVIDIA Corporation\Display.NvContainer\plugins\LocalSystem\DisplayDriverAnalyzer\_DisplayDriverCrashAnalyzer64.dll
2017-02-11 12:43 - 2015-08-25 11:08 - 000187200 _____ () C:\Program Files\Lenovo\Lenovo Mouse Suite\Service\PelService.exe
2018-05-02 07:49 - 2018-05-02 07:49 - 000430840 _____ () C:\Program Files (x86)\NordVPN\nordvpn-service.exe
2017-01-15 19:46 - 2018-02-23 15:22 - 000133464 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2018-04-20 11:45 - 2018-04-20 11:45 - 000061440 _____ () C:\Program Files\Haste\Haste Esports Accelerator\WinDivert.dll
2016-10-31 15:45 - 2017-11-16 20:05 - 000598528 _____ () C:\ProgramData\MEGAsync\ShellExtX64.dll
2018-02-10 02:12 - 2018-02-10 02:12 - 000614856 _____ () C:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll
2016-09-15 03:28 - 2016-09-15 03:28 - 000134656 _____ () C:\Windows\ShellExperiences\Windows.UI.Shell.SharedUtilities.dll
2017-03-15 12:37 - 2017-03-04 02:31 - 000474112 _____ () C:\Windows\ShellExperiences\QuickActions.dll
2018-05-26 16:44 - 2018-04-02 23:45 - 009761280 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2018-05-26 16:44 - 2018-04-02 23:35 - 001402368 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2018-05-26 16:44 - 2018-04-02 23:34 - 000757760 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CSGSuggestLib.dll
2018-05-26 16:44 - 2018-04-02 23:35 - 002424832 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
2018-05-26 16:44 - 2018-04-02 23:38 - 004854272 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll
2018-05-16 16:48 - 2018-05-14 23:13 - 004443992 _____ () C:\Program Files (x86)\Google\Chrome\Application\66.0.3359.181\libglesv2.dll
2018-05-16 16:48 - 2018-05-14 23:13 - 000099672 _____ () C:\Program Files (x86)\Google\Chrome\Application\66.0.3359.181\libegl.dll
2018-05-25 22:13 - 2018-05-25 22:15 - 001227952 _____ () C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.9226.21755.0_x64__8wekyb3d8bbwe\Office.UI.Xaml.Word.dll
2018-04-25 07:08 - 2018-04-25 07:08 - 000254464 _____ () C:\Program Files (x86)\NordVPN\x86\Liberation.Native.Firewall.dll
2017-06-18 20:08 - 2018-05-01 03:32 - 000788256 _____ () C:\Program Files (x86)\Steam\SDL2.dll
2017-06-18 20:08 - 2016-08-31 21:02 - 004969248 _____ () C:\Program Files (x86)\Steam\v8.dll
2017-06-18 20:08 - 2018-05-18 19:01 - 002632480 _____ () C:\Program Files (x86)\Steam\video.dll
2017-12-14 19:43 - 2017-12-19 21:43 - 005137696 _____ () C:\Program Files (x86)\Steam\libavcodec-57.dll
2017-12-14 19:43 - 2017-12-19 21:43 - 000695584 _____ () C:\Program Files (x86)\Steam\libavformat-57.dll
2017-12-14 19:43 - 2017-12-19 21:43 - 000351520 _____ () C:\Program Files (x86)\Steam\libavresample-3.dll
2017-12-14 19:43 - 2017-12-19 21:43 - 000847136 _____ () C:\Program Files (x86)\Steam\libavutil-55.dll
2017-12-14 19:43 - 2017-12-19 21:43 - 000783648 _____ () C:\Program Files (x86)\Steam\libswscale-4.dll
2017-06-18 20:08 - 2016-08-31 21:02 - 001563936 _____ () C:\Program Files (x86)\Steam\icui18n.dll
2017-06-18 20:08 - 2016-08-31 21:02 - 001195296 _____ () C:\Program Files (x86)\Steam\icuuc.dll
2017-06-18 20:08 - 2018-05-18 19:01 - 000979232 _____ () C:\Program Files (x86)\Steam\bin\chromehtml.DLL
2017-06-18 20:08 - 2016-07-04 18:17 - 000266560 _____ () C:\Program Files (x86)\Steam\openvr_api.dll
2017-06-18 20:10 - 2018-05-01 03:32 - 000788256 _____ () C:\Program Files (x86)\Steam\bin\cef\cef.win7\SDL2.dll
2017-06-18 20:10 - 2018-05-14 15:39 - 083524384 _____ () C:\Program Files (x86)\Steam\bin\cef\cef.win7\libcef.dll
2017-06-18 20:08 - 2015-09-24 19:52 - 000119208 _____ () C:\Program Files (x86)\Steam\winh264.dll
2016-04-13 04:38 - 2017-11-16 20:05 - 000798208 _____ () C:\ProgramData\MEGAsync\libsodium.dll
2017-08-23 08:14 - 2018-05-14 15:39 - 002253600 _____ () C:\Program Files (x86)\Steam\bin\cef\cef.win7\swiftshader\libglesv2.dll
2017-08-23 08:14 - 2018-05-14 15:39 - 000109856 _____ () C:\Program Files (x86)\Steam\bin\cef\cef.win7\swiftshader\libegl.dll
2018-05-23 21:32 - 2018-05-23 21:32 - 000279040 _____ () C:\Program Files (x86)\Steam\steamapps\common\World of Tanks Blitz\FacebookBridge.dll
2017-07-09 16:36 - 2017-07-09 16:49 - 000391680 _____ () C:\Program Files (x86)\Steam\steamapps\common\World of Tanks Blitz\glew32.dll
2017-11-08 21:53 - 2017-11-08 21:53 - 047202304 _____ () C:\Program Files (x86)\Steam\steamapps\common\World of Tanks Blitz\libcef.dll
2017-06-18 20:08 - 2018-05-18 19:01 - 000419104 _____ () C:\Program Files (x86)\Steam\steam.dll
2018-05-04 21:30 - 2018-04-30 23:01 - 001891672 _____ () C:\Users\lenovo\AppData\Local\Discord\app-0.0.301\ffmpeg.dll
2018-05-04 21:30 - 2018-05-04 21:30 - 001910104 _____ () \\?\C:\Users\lenovo\AppData\Roaming\discord\0.0.301\modules\discord_spellcheck\node_modules\cld\build\Release\cld.node
2018-05-04 21:30 - 2018-05-04 21:30 - 000422744 _____ () \\?\C:\Users\lenovo\AppData\Roaming\discord\0.0.301\modules\discord_spellcheck\node_modules\spellchecker\build\Release\spellchecker.node
2018-05-04 21:30 - 2018-05-04 21:30 - 000145240 _____ () \\?\C:\Users\lenovo\AppData\Roaming\discord\0.0.301\modules\discord_spellcheck\node_modules\keyboard-layout\build\Release\keyboard-layout-manager.node
2018-05-04 21:30 - 2018-05-24 16:11 - 009820504 _____ () \\?\C:\Users\lenovo\AppData\Roaming\discord\0.0.301\modules\discord_voice\discord_voice.node
2018-05-04 21:30 - 2018-05-04 21:30 - 001530712 _____ () \\?\C:\Users\lenovo\AppData\Roaming\discord\0.0.301\modules\discord_utils\discord_utils.node
2018-05-04 21:30 - 2018-05-04 21:30 - 000512856 _____ () \\?\C:\Users\lenovo\AppData\Roaming\discord\0.0.301\modules\discord_erlpack\discord_erlpack.node
2018-05-04 21:30 - 2018-05-04 21:30 - 001578840 _____ () \\?\C:\Users\lenovo\AppData\Roaming\discord\0.0.301\modules\discord_game_utils\discord_game_utils.node
2018-05-04 21:30 - 2018-05-12 18:33 - 001728344 _____ () \\?\C:\Users\lenovo\AppData\Roaming\discord\0.0.301\modules\discord_overlay2\discord_overlay2.node
2018-05-04 21:30 - 2018-05-04 21:30 - 002722648 _____ () \\?\C:\Users\lenovo\AppData\Roaming\discord\0.0.301\modules\discord_rpc\discord_rpc.node
2018-05-04 21:30 - 2018-05-04 21:30 - 001249112 _____ () \\?\C:\Users\lenovo\AppData\Roaming\discord\0.0.301\modules\discord_vigilante\discord_vigilante.node
2018-05-04 21:30 - 2018-05-04 21:30 - 002760536 _____ () \\?\C:\Users\lenovo\AppData\Roaming\discord\0.0.301\modules\discord_contact_import\discord_contact_import.node
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
AlternateDataStreams: C:\Users\lenovo\Local Settings:lgCCpTXUERcLn0LuO0ekr1yvi [2138]
AlternateDataStreams: C:\Users\lenovo\AppData\Local:lgCCpTXUERcLn0LuO0ekr1yvi [2138]
AlternateDataStreams: C:\Users\lenovo\AppData\Local\Application Data:lgCCpTXUERcLn0LuO0ekr1yvi [2138]
AlternateDataStreams: C:\Users\lenovo\AppData\Local\Temp:1F1WDjreYptc8l8FJx [2052]
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\Software\Classes\regfile: regedit.exe "%1" <==== ATTENTION
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2017-01-15 06:35 - 2017-06-23 20:42 - 000000828 _____ C:\WINDOWS\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\lenovo\Pictures\Wallpapers\317828-universe-wallpaper-3840x2160-for-lockscreen.jpg
DNS Servers: 192.168.2.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: RequireAdmin)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
HKLM\...\StartupApproved\Run: => "IgfxTray"
HKLM\...\StartupApproved\Run: => "ForteConfig"
HKLM\...\StartupApproved\Run: => "AdobeAAMUpdater-1.0"
HKLM\...\StartupApproved\Run: => "Wondershare Helper Compact.exe"
HKLM\...\StartupApproved\Run: => "Malwarebytes TrayApp"
HKLM\...\StartupApproved\Run: => "Daemon for Mouse Suite"
HKLM\...\StartupApproved\Run: => "AdobeGCInvoker-1.0"
HKLM\...\StartupApproved\Run32: => "SunJavaUpdateSched"
HKLM\...\StartupApproved\Run32: => "Avira System Speedup Tray"
HKLM\...\StartupApproved\Run32: => "AdobeCS6ServiceManager"
HKLM\...\StartupApproved\Run32: => "SwitchBoard"
HKLM\...\StartupApproved\Run32: => "Wondershare Helper Compact.exe"
HKLM\...\StartupApproved\Run32: => "APSDaemon"
HKLM\...\StartupApproved\Run32: => "Adobe Creative Cloud"
HKLM\...\StartupApproved\Run32: => "IJNetworkScannerSelectorEX"
HKLM\...\StartupApproved\Run32: => "AdobeAAMUpdater-1.0"
HKLM\...\StartupApproved\Run32: => "AdobeGCInvoker-1.0"
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\StartupApproved\StartupFolder: => "WO Mic Client.lnk"
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\StartupApproved\Run: => "BlueStacks Agent"
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\StartupApproved\Run: => "GarminExpressTrayApp"
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\StartupApproved\Run: => "TunnelBear"
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\StartupApproved\Run: => "GlassWire"
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\StartupApproved\Run: => "CCleaner Monitoring"
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\StartupApproved\Run: => "Skype"
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\StartupApproved\Run: => "MiPhoneManager"
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\StartupApproved\Run: => "Discord"
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\StartupApproved\Run: => "World of Tanks"
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\StartupApproved\Run: => "proXPN"
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\StartupApproved\Run: => "GoogleChromeAutoLaunch_EE07359CBB5DF117C451479D648E72F4"
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\StartupApproved\Run: => "GoogleDriveSync"
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\StartupApproved\Run: => "FACEIT"
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\StartupApproved\Run: => "QQ2009"
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\StartupApproved\Run: => "Server Runtime Subsystem"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [TCP Query User{3862D208-19EB-4074-9F74-C793F835DFD3}C:\program files (x86)\steam\steamapps\common\counter-strike global offensive\csgo.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\counter-strike global offensive\csgo.exe
FirewallRules: [UDP Query User{BAD9EEAF-1B44-4F14-818B-5196CA41340A}C:\program files (x86)\steam\steamapps\common\counter-strike global offensive\csgo.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\counter-strike global offensive\csgo.exe
FirewallRules: [TCP Query User{6967C092-0CA7-4466-B5AB-1D90F8DD0912}C:\program files (x86)\skype\phone\skype.exe] => (Allow) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [UDP Query User{36722994-6169-468F-8F3A-0C94ABD68FDE}C:\program files (x86)\skype\phone\skype.exe] => (Allow) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [{0C3EFE94-DE51-4CC2-B4FA-2EF736A3A755}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{769DE923-99DB-4A1B-A006-2574F2CBADBF}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{10C05F2E-6197-4AC2-89B4-DE86F5E876D4}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{64ED3F0E-4CDC-4AAA-B6DA-02B57F0D6C0E}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{3C74E005-6A9C-49DC-8DE3-857A80FFFDA5}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\World of Tanks Blitz\wotblitz.exe
FirewallRules: [{D85FAA32-DEC1-4E5C-A712-2708E45F8B2F}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\World of Tanks Blitz\wotblitz.exe
FirewallRules: [{09E213D4-FDD9-4BCB-A724-D4C598A81333}] => (Allow) C:\Users\lenovo\AppData\Local\Kingsoft\WPS Office\10.2.0.6020\office6\wpscloudsvr.exe
FirewallRules: [{9F915563-F864-401F-A5AF-1897DE619B00}] => (Allow) C:\Users\lenovo\AppData\Roaming\Tencent\QQ\STemp\SetupEx0\QQSetupEx.exe
FirewallRules: [{CC5EF743-E621-4AFD-AEF8-43E70EC4CB2B}] => (Allow) C:\program files (x86)\common files\tencent\qqdownload\135\bugreport_xf.exe
FirewallRules: [{C8EDFBE6-E7A7-4CB0-BAA5-6A69D4EC57A0}] => (Allow) C:\program files (x86)\common files\tencent\qqdownload\135\tencentdl.exe
FirewallRules: [{31F80DF2-3AAB-435D-A2EF-1A772D011B7D}] => (Allow) C:\Program Files (x86)\WOMic\womicclient.exe
FirewallRules: [{C1EEFFBF-5CF1-409C-8BFA-AD6777383A04}] => (Allow) C:\program files (x86)\common files\tencent\qqdownload\135\tencentdl.exe
FirewallRules: [{30FCA57C-55E0-46CD-8D1C-91694C20DC80}] => (Allow) C:\program files (x86)\common files\tencent\qqdownload\135\bugreport_xf.exe
FirewallRules: [{18A31C50-8A9B-4C1D-8267-E882B84D50F6}] => (Allow) C:\Program Files (x86)\Tencent\QQMusic\QzoneMusic\QzoneMusic.exe
FirewallRules: [{5159D2CB-FE8D-4D3E-82AA-5A3861285BA9}] => (Allow) C:\Program Files (x86)\Tencent\QQMusic\QzoneMusic\QzoneMusic.exe
FirewallRules: [{518A6032-CC58-4D51-B5C8-CCD803737CDA}] => (Allow) C:\Users\Public\Documents\Tencent\QQGameMicro\QQGameMicro.exe
FirewallRules: [{422CA481-56BE-4622-AEE3-94D838D50A1F}] => (Allow) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe
FirewallRules: [TCP Query User{20F4C275-9724-4418-8FC1-4AFFBDE37E62}C:\program files (x86)\steam\steamapps\common\insurgency2\insurgency.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\insurgency2\insurgency.exe
FirewallRules: [UDP Query User{89E57EFF-1154-40BE-82EA-AECB79B16D5A}C:\program files (x86)\steam\steamapps\common\insurgency2\insurgency.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\insurgency2\insurgency.exe
FirewallRules: [TCP Query User{096A2849-1AD8-4CCF-B401-54A13BC689BA}C:\users\lenovo\downloads\greenstreettutorials bngdrive\beamng.drive.v0.11\bin64\beamng.drive.x64.exe] => (Allow) C:\users\lenovo\downloads\greenstreettutorials bngdrive\beamng.drive.v0.11\bin64\beamng.drive.x64.exe
FirewallRules: [UDP Query User{A63256B5-03E5-4D41-89CB-B68648731BDB}C:\users\lenovo\downloads\greenstreettutorials bngdrive\beamng.drive.v0.11\bin64\beamng.drive.x64.exe] => (Allow) C:\users\lenovo\downloads\greenstreettutorials bngdrive\beamng.drive.v0.11\bin64\beamng.drive.x64.exe
FirewallRules: [TCP Query User{09CBB3F1-ABA8-4F70-9928-AF6AFAA53E4C}C:\users\lenovo\downloads\greenstreettutorials counter strike 1.6\counter-strike 16 nosteam\hl.exe] => (Allow) C:\users\lenovo\downloads\greenstreettutorials counter strike 1.6\counter-strike 16 nosteam\hl.exe
FirewallRules: [UDP Query User{64785CD9-AC38-43FB-9A79-0E951598DE96}C:\users\lenovo\downloads\greenstreettutorials counter strike 1.6\counter-strike 16 nosteam\hl.exe] => (Allow) C:\users\lenovo\downloads\greenstreettutorials counter strike 1.6\counter-strike 16 nosteam\hl.exe
FirewallRules: [TCP Query User{AF800B08-289F-4FBE-ABA9-59508C5C9D69}C:\users\lenovo\downloads\bngdrive\beamng.drive.v0.11\bin64\beamng.drive.x64.exe] => (Allow) C:\users\lenovo\downloads\bngdrive\beamng.drive.v0.11\bin64\beamng.drive.x64.exe
FirewallRules: [UDP Query User{6C48C16E-170A-4A8F-8BFB-E9BF54B7D222}C:\users\lenovo\downloads\bngdrive\beamng.drive.v0.11\bin64\beamng.drive.x64.exe] => (Allow) C:\users\lenovo\downloads\bngdrive\beamng.drive.v0.11\bin64\beamng.drive.x64.exe
FirewallRules: [{D0BC20B5-7D40-459E-A719-32C073397645}] => (Allow) C:\Users\lenovo\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe
FirewallRules: [{3811A4E1-2521-471B-9A4E-70F460B66FAE}] => (Allow) C:\Users\lenovo\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe
FirewallRules: [{7616FBCE-3E64-4259-BAF3-ED5ED3FEB5FD}] => (Allow) C:\Users\lenovo\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe
FirewallRules: [{8B7A99A3-3A1B-4688-83AA-02CDCCE923D5}] => (Allow) C:\Users\lenovo\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe
FirewallRules: [TCP Query User{AD2C4EEB-5209-4A8C-8235-810AC036DB76}C:\users\lenovo\downloads\beamng.drive\beamng.drive.v0.11\bin64\beamng.drive.x64.exe] => (Allow) C:\users\lenovo\downloads\beamng.drive\beamng.drive.v0.11\bin64\beamng.drive.x64.exe
FirewallRules: [UDP Query User{EFA06A6C-C72F-4FF3-9C05-D580CBE70EBD}C:\users\lenovo\downloads\beamng.drive\beamng.drive.v0.11\bin64\beamng.drive.x64.exe] => (Allow) C:\users\lenovo\downloads\beamng.drive\beamng.drive.v0.11\bin64\beamng.drive.x64.exe
FirewallRules: [{85A65CD0-E53D-46F8-A578-B585FA1422EA}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{4EEEBA62-EE82-42E5-9F1A-B87232B12388}] => (Allow) C:\Program Files (x86)\Tencent\QQ\Bin\QQ.exe
FirewallRules: [{25D05BB2-5AB5-45F5-9B02-1F6C47B79802}] => (Allow) C:\Program Files (x86)\Tencent\QQ\Bin\auclt.exe
FirewallRules: [{03E7D4CD-9734-4FD9-9695-19E927761405}] => (Allow) C:\Program Files (x86)\Tencent\QQ\Bin\txupd.exe
FirewallRules: [{74317FDB-A38F-4196-886B-99643FE528BB}] => (Allow) C:\Program Files (x86)\Tencent\QQ\Bin\SetupEx\SetupEx.exe
FirewallRules: [{7EBD6D4E-6466-47F8-A7F1-AB4180FF2655}] => (Allow) C:\Program Files (x86)\Tencent\QQ\Bin\maLauncher.exe
FirewallRules: [{6953F469-680D-4172-A6F5-15BE5DE13471}] => (Allow) C:\Program Files (x86)\Tencent\QQ\Bin\maUpdat.exe
FirewallRules: [{3317C258-E051-4218-A688-930E765974E2}] => (Allow) C:\program files (x86)\common files\tencent\qqdownload\135\tencentdl.exe
FirewallRules: [{8173DE0E-3031-4825-875B-93B97C9FFE28}] => (Allow) C:\program files (x86)\common files\tencent\qqdownload\135\bugreport_xf.exe
FirewallRules: [{D555641A-7DFC-463E-9D7A-00B18BAC24C3}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{63E71014-204E-40FF-BFBF-56764E49AC36}] => (Allow) C:\Program Files (x86)\Nox\bin\Nox.exe
FirewallRules: [{3ED1A313-9CA3-49CF-833E-A804E6FF5BFF}] => (Allow) C:\Program Files (x86)\Bignox\BigNoxVM\RT\NoxVMHandle.exe
FirewallRules: [TCP Query User{4CB92E63-0D92-463E-B996-38A364578272}C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe] => (Allow) C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe
FirewallRules: [UDP Query User{3A528F51-1520-4019-90A2-642A4ABBF1BA}C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe] => (Allow) C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe
 
==================== Restore Points =========================
 
26-05-2018 22:33:44 malwarecleared
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (05/26/2018 10:33:46 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: 加密服务处理系统写入程序对象中的 OnIdentity() 调用时失败。
 
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft 链路层发现协议.
 
System Error:
拒绝访问。
 
Error: (05/26/2018 04:22:22 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: DLL“C:\Windows\System32\rasctrs.dll”中服务“RemoteAccess”的打开过程失败。该服务的性能数据将不可使用。数据段的第一个四字节 (DWORD) 包含错误代码。
 
Error: (05/26/2018 04:22:22 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: DLL“C:\Windows\System32\bitsperf.dll”中服务“BITS”的打开过程失败。该服务的性能数据将不可使用。数据段的第一个四字节 (DWORD) 包含错误代码。
 
Error: (05/26/2018 04:01:50 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: 加密服务处理系统写入程序对象中的 OnIdentity() 调用时失败。
 
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft 链路层发现协议.
 
System Error:
拒绝访问。
 
Error: (05/26/2018 10:58:25 AM) (Source: Microsoft-Windows-EFS) (EventID: 4401) (User: LENOVO-PC)
Description: 7.488: EFS 服务无法为 EDP 预配用户。错误代码: 0x80070005。
 
Error: (05/26/2018 09:52:31 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: 加密服务处理系统写入程序对象中的 OnIdentity() 调用时失败。
 
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft 链路层发现协议.
 
System Error:
拒绝访问。
 
Error: (05/26/2018 08:55:42 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: LENOVO-PC)
Description: 激活应用 Microsoft.Getstarted_5.12.2691.1000_x64__8wekyb3d8bbwe:App.AppX7mv0s3r0wanj0n66dy6vax24ps6avzvz.mca 失败错误: -2144927149 请查看 Microsoft-Windows-TWinUI/运行日志以了解其他信息。
 
Error: (05/26/2018 08:52:03 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: LENOVO-PC)
Description: 激活应用 Microsoft.Getstarted_5.12.2691.1000_x64__8wekyb3d8bbwe:App.AppX7mv0s3r0wanj0n66dy6vax24ps6avzvz.mca 失败错误: -2144927149 请查看 Microsoft-Windows-TWinUI/运行日志以了解其他信息。
 
 
System errors:
=============
Error: (05/27/2018 09:29:41 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: 应用程序-特定 权限设置并未向在应用程序容器 不可用 SID (不可用)中运行的地址 LocalHost (使用 LRPC) 中的用户 NT AUTHORITY\SYSTEM SID (S-1-5-18)授予针对 CLSID 为 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
、APPID 为 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 的 COM 服务器应用程序的 本地 激活 权限。此安全权限可以使用组件服务管理工具进行修改。
 
Error: (05/27/2018 09:16:56 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: WMPNetworkSvc 服务因下列错误而停止: 
试图引用不存在的令牌。
 
Error: (05/27/2018 09:16:54 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: HvHost 服务因下列错误而停止: 
连到系统上的设备没有发挥作用。
 
Error: (05/27/2018 09:16:54 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: 由于下列错误vcs 服务启动失败: 
Windows 无法验证此文件的数字签名。某软件或硬件最近有所更改可能安装了签名错误或损毁的文件或者安装的文件可能是来路不明的恶意软件。
 
Error: (05/27/2018 09:16:54 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: 由于下列错误NVR0FLASHDev 服务启动失败: 
系统找不到指定的文件。
 
Error: (05/27/2018 09:16:53 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: 由于下列错误HuaweiHiSuiteService64.exe 服务启动失败: 
系统找不到指定的文件。
 
Error: (05/27/2018 09:16:53 AM) (Source: NETLOGON) (EventID: 3095) (User: )
Description: 此计算机被配置为某个工作组的成员
并不是域的成员。
此种配置下不需要运行 Netlogon 服务。
 
Error: (05/26/2018 10:34:24 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: 应用程序-特定 权限设置并未向在应用程序容器 不可用 SID (不可用)中运行的地址 LocalHost (使用 LRPC) 中的用户 NT AUTHORITY\SYSTEM SID (S-1-5-18)授予针对 CLSID 为 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
、APPID 为 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 的 COM 服务器应用程序的 本地 激活 权限。此安全权限可以使用组件服务管理工具进行修改。
 
 
Windows Defender:
===================================
Date: 2018-05-26 21:33:55.742
Description: 
Windows Defender ???????????????????
?????????:
??: HackTool:Win32/Patcher
ID: 2147659947
???: ?
??: ??
??: file:_C:\Users\lenovo\Downloads\Applications\Adobe Programs Crack\Patch.exe
????: ?????
????: ??
???: ????
??: Lenovo-PC\lenovo
????: C:\Users\lenovo\Downloads\esetonlinescanner_enu.exe
????: AV: 1.269.141.0, AS: 1.269.141.0, NIS: 1.269.141.0
????: AM: 1.1.14901.4, NIS: 1.1.14901.4
 
Date: 2018-05-26 10:37:33.989
Description: 
Windows Defender ???????????????????
?????????:
??: HackTool:MSIL/Uflooder.C!bit
ID: 2147709445
???: ?
??: ??
??: file:_C:\Users\lenovo\Downloads\Tools\LOIC\LOIC.exe
????: ?????
????: ??
???: ??
??: NT AUTHORITY\SYSTEM
????: Unknown
????: AV: 1.269.141.0, AS: 1.269.141.0, NIS: 1.269.141.0
????: AM: 1.1.14901.4, NIS: 1.1.14901.4
 
Date: 2018-05-26 10:36:45.669
Description: 
Windows Defender ???????????????????
?????????:
??: HackTool:Win32/Oylecann.A
ID: 2147641076
???: ?
??: ??
??: file:_C:\Users\lenovo\Downloads\Tools\LOIC\LOIC.exe
????: ?????
????: ??
???: ??
??: Lenovo-PC\lenovo
????: Unknown
????: AV: 1.267.543.0, AS: 1.267.543.0, NIS: 1.267.543.0
????: AM: 1.1.14800.3, NIS: 1.1.14800.3
 
Date: 2018-04-28 18:32:04.380
Description: 
??????? Windows Defender ???
?? ID: {9A3B751C-940E-4EE0-9ED0-B33FD5258F4F}
????: ?????
????: ????
??: NT AUTHORITY\SYSTEM
 
Date: 2018-04-19 19:04:45.079
Description: 
??????? Windows Defender ???
?? ID: {B0A1E9A2-46F7-43E1-AB94-314A12BF8C73}
????: ?????
????: ????
??: NT AUTHORITY\SYSTEM
 
Date: 2018-03-19 22:44:32.322
Description: 
Translation: Windows Defender ?????????????
?????: 
?????: 118.5.0.0
???: Microsoft ????????
????: ??????
????: ??
??: NT AUTHORITY\NETWORK SERVICE
??????: 
?????: 2.1.14202.0
????: 0x80072ee7
????: ????????????? 
 
Date: 2018-03-19 22:44:32.315
Description: 
Translation: Windows Defender ?????????????
?????: 
?????: 1.263.792.0
???: Microsoft ????????
????: ?????
????: ??
??: NT AUTHORITY\NETWORK SERVICE
??????: 
?????: 1.1.14600.4
????: 0x80072ee7
????: ????????????? 
 
Date: 2018-03-19 22:44:32.315
Description: 
Translation: Windows Defender ?????????????
?????: 
?????: 1.263.792.0
???: Microsoft ????????
????: ???
????: ??
??: NT AUTHORITY\NETWORK SERVICE
??????: 
?????: 1.1.14600.4
????: 0x80072ee7
????: ????????????? 
 
Date: 2018-03-19 22:44:32.271
Description: 
Translation: Windows Defender ?????????????
?????: 
?????: 1.263.792.0
???: Microsoft ?????
????: ???
????: ??
??: NT AUTHORITY\SYSTEM
??????: 
?????: 1.1.14600.4
????: 0x80240438
????: ????????????????????????????,???“?????”? 
 
Date: 2018-03-06 15:29:16.230
Description: 
Translation: Windows Defender ?????????????
?????: 
?????: 118.2.0.0
???: Microsoft ????????
????: ??????
????: ??
??: NT AUTHORITY\NETWORK SERVICE
??????: 
?????: 2.1.14202.0
????: 0x80072ee7
????: ????????????? 
 
CodeIntegrity:
===================================
 
Date: 2018-05-27 09:16:54.589
Description: 
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files (x86)\Common Files\Avnex\vcs64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
Date: 2018-05-26 22:30:44.915
Description: 
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files (x86)\Common Files\Avnex\vcs64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
Date: 2018-05-26 08:58:03.849
Description: 
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files (x86)\Common Files\Avnex\vcs64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
Date: 2018-05-25 22:08:49.845
Description: 
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files (x86)\Common Files\Avnex\vcs64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
Date: 2018-05-20 15:59:35.399
Description: 
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files (x86)\Common Files\Avnex\vcs64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
Date: 2018-05-18 16:43:32.261
Description: 
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files (x86)\Common Files\Avnex\vcs64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
Date: 2018-05-15 20:51:22.411
Description: 
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files (x86)\Common Files\Avnex\vcs64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
Date: 2018-05-12 18:03:58.723
Description: 
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files (x86)\Common Files\Avnex\vcs64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i5-2520M CPU @ 2.50GHz
Percentage of memory in use: 85%
Total physical RAM: 3937.43 MB
Available physical RAM: 587.63 MB
Total Virtual: 7874.86 MB
Available Virtual: 3614.77 MB
 
==================== Drives ================================
 
Drive c: (Windows) (Fixed) (Total:91.63 GB) (Free:5.66 GB) NTFS ==>[system with boot components (obtained from drive)]
 
\\?\Volume{938d232d-5759-47bc-a13b-6018c5415891}\ (WINRE_DRV) (Fixed) (Total:0.98 GB) (Free:0.61 GB) NTFS
\\?\Volume{ce4b4549-a6b7-499d-a651-f6079bf7d8d2}\ (Lenovo_Recovery) (Fixed) (Total:11.8 GB) (Free:2.5 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 111.8 GB) (Disk ID: D720B0F1)
 
Partition: GPT.
 
==================== End of Addition.txt ============================


#4 Er1cL1n (Topic Starter, Members, 8 posts)

Posted 27 May 2018 - 09:01 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Let's check further.

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.
[screenshot: attachlogs.png]

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.
Click "Attach this file".
Click the "Add reply" button.
===

Please post the logs for my review.

Wait for further instructions.

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 16.05.2018 01
Ran by lenovo (27-05-2018 09:58:56)
Running from C:\Users\lenovo\Downloads
Windows 10 Home China Version 1607 14393.2214 (X64) (2017-01-15 23:54:26)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-1760713586-1289027972-3592165009-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-1760713586-1289027972-3592165009-503 - Limited - Disabled)
Guest (S-1-5-21-1760713586-1289027972-3592165009-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1760713586-1289027972-3592165009-1006 - Limited - Enabled)
lenovo (S-1-5-21-1760713586-1289027972-3592165009-1001 - Administrator - Enabled) => C:\Users\lenovo
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 18.011.20040 - Adobe Systems Incorporated)
Adobe After Effects CS6 (HKLM-x32\...\{4817D846-700B-474E-A31B-80892B3E92E3}) (Version: 11 - Adobe Systems Incorporated)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 28.0.0.127 - Adobe Systems Incorporated)
Adobe Creative Cloud (HKLM-x32\...\Adobe Creative Cloud) (Version: 4.4.1.298 - Adobe Systems Incorporated)
Adobe Flash Player 29 PPAPI (HKLM-x32\...\Adobe Flash Player PPAPI) (Version: 29.0.0.171 - Adobe Systems Incorporated)
Adobe Photoshop CC 2017 (HKLM-x32\...\PHSP_18_0_1) (Version: 18.0.1 - Adobe Systems Incorporated)
ANT Drivers Installer x64 (HKLM\...\{3DE56A70-06BA-4863-8FBB-45D041AF0C7A}) (Version: 2.3.4 - Garmin Ltd or its subsidiaries) Hidden
Apple Application Support (HKLM-x32\...\{46F044A5-CE8B-4196-984E-5BD6525E361D}) (Version: 2.3.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
AutoHotkey 1.1.28.02 (HKLM\...\AutoHotkey) (Version: 1.1.28.02 - Lexikos)
Canon IJ Network Scanner Selector EX (HKLM-x32\...\Canon_IJ_Network_Scanner_Selector_EX) (Version:  - Canon Inc.)
Canon IJ Network Tool (HKLM-x32\...\Canon_IJ_Network_UTILITY) (Version: 3.2.0 - Canon Inc.)
Canon IJ Scan Utility (HKLM-x32\...\Canon_IJ_Scan_Utility) (Version:  - Canon Inc.)
Canon MX450 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX450_series) (Version: 1.01 - Canon Inc.)
Conexant HD Audio (HKLM\...\CNXT_AUDIO_HDA) (Version: 8.66.23.50 - Conexant)
Discord (HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\Discord) (Version: 0.0.301 - Discord Inc.)
DisplayDriverAnalyzer (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_DisplayDriverAnalyzer) (Version: 391.01 - NVIDIA Corporation) Hidden
Dolby Digital Plus Advanced Audio (HKLM\...\{B0BFC63F-EA07-419E-960B-3FB2ED5DD0B2}) (Version: 7.6.5.1 - Dolby Laboratories Inc)
Elevated Installer (HKLM-x32\...\{B7768089-44E1-4B51-9213-737959C689E5}) (Version: 6.3.0.0 - Garmin Ltd or its subsidiaries) Hidden
Epic Games Launcher Prerequisites (x64) (HKLM\...\{66C5838F-B854-4A55-89E6-A6138747A4DF}) (Version: 1.0.0.0 - Epic Games, Inc.) Hidden
FACEIT (HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\FACEITApp) (Version: 0.17.3 - FACEIT Ltd.)
FACEIT AC version 1.0 (HKLM\...\{1419E44C-0EF4-4822-9194-9F1A4D43973D}_is1) (Version: 1.0 - FACEIT LTD)
Garmin Express (HKLM-x32\...\{178D3388-656C-4326-BFFF-3607481CA5BB}) (Version: 6.3.0.0 - Garmin Ltd or its subsidiaries) Hidden
Garmin Express (HKLM-x32\...\{aa902576-9ab8-4371-98d1-efde885f775b}) (Version: 6.3.0.0 - Garmin Ltd or its subsidiaries)
Garmin Express Tray (HKLM-x32\...\{C6C8A534-050C-40E9-92FC-4D06A8A487C8}) (Version: 6.3.0.0 - Garmin Ltd or its subsidiaries) Hidden
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 66.0.3359.181 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.17 - Google Inc.) Hidden
Haste Esports Accelerator (HKLM\...\{0F2B71AF-97E9-4B65-9043-749C35A88AE4}) (Version: 1.00.0079 - Haste)
Java 8 Update 162 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180162F0}) (Version: 8.0.1620.12 - Oracle Corporation)
Launcher Prerequisites (x64) (HKLM-x32\...\{c6c5a357-c7ca-4a5f-9789-3bb1af579253}) (Version: 1.0.0.0 - Epic Games, Inc.) Hidden
Lenovo Mouse Suite (HKLM\...\MouseSuite98) (Version: 6.80 - Lenovo)
Lenovo Power Management Driver (HKLM\...\Power Management Driver) (Version: 1.67.12.23 - Lenovo) Hidden
Malwarebytes version 3.4.5.2467 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.4.5.2467 - Malwarebytes)
MEGAsync (HKLM-x32\...\MEGAsync) (Version:  - Mega Limited)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660 (HKLM-x32\...\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}) (Version: 12.0.40660.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40660 (HKLM-x32\...\{61087a79-ac85-455c-934d-1fa22cc64f36}) (Version: 12.0.40660.0 - Microsoft Corporation)
Microsoft Visual C++ 2017 Redistributable (x64) - 14.12.25810 (HKLM-x32\...\{e2ee15e2-a480-4bc5-bfb7-e9803d1d9823}) (Version: 14.12.25810.0 - Microsoft Corporation)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.12.25810 (HKLM-x32\...\{56e11d69-7cc9-40a5-a4f9-8f6190c4d84d}) (Version: 14.12.25810.0 - Microsoft Corporation)
Minecraft (HKLM-x32\...\{1C16BCA3-EBC1-49F6-8623-8FBFB9CCC872}) (Version: 1.0.3.0 - Mojang)
MorphVOX Pro (HKLM-x32\...\{D6C764CB-86E1-4A7C-BBEC-F175E93CBE87}) (Version: 4.4.70.25100 - Screaming Bee)
NordVPN (HKLM-x32\...\{7296DD91-4FC7-47BB-B211-912D9E980FC7}) (Version: 6.13.13 - NordVPN) Hidden
NordVPN (HKLM-x32\...\NordVPN 6.13.13) (Version: 6.13.13 - NordVPN)
Notepad++ (64-bit x64) (HKLM\...\Notepad++) (Version: 7.5.1 - Notepad++ Team)
Nox APP Player (HKLM-x32\...\Nox) (Version: 6.1.0.0 - Duodian Technology Co. Ltd.)
NVIDIA PhysX 系统软件 9.17.0524 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.17.0524 - NVIDIA Corporation)
NVIDIA 图形驱动程序 391.01 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 391.01 - NVIDIA Corporation)
OBS Studio (HKLM-x32\...\OBS Studio) (Version: 20.0.1 - OBS Project)
Process Hacker 2.39 (r124) (HKLM\...\Process_Hacker2_is1) (Version: 2.39.0.124 - wj32)
Python 3.6.4 (32-bit) (HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\{9218130b-5ad0-4cf7-82be-6993cfd6cb84}) (Version: 3.6.4150.0 - Python Software Foundation)
Python 3.6.4 Add to Path (32-bit) (HKLM-x32\...\{B7F6071F-CC88-469C-9AC6-BEBA83594819}) (Version: 3.6.4150.0 - Python Software Foundation) Hidden
Python 3.6.4 Core Interpreter (32-bit) (HKLM-x32\...\{D188614B-E656-4EF1-9F5A-23559EBE8F5A}) (Version: 3.6.4150.0 - Python Software Foundation) Hidden
Python 3.6.4 Development Libraries (32-bit) (HKLM-x32\...\{C3797E33-967D-4687-8F1A-9DE771A00125}) (Version: 3.6.4150.0 - Python Software Foundation) Hidden
Python 3.6.4 Documentation (32-bit) (HKLM-x32\...\{E09874D3-E898-4AB6-B043-EE24DF786088}) (Version: 3.6.4150.0 - Python Software Foundation) Hidden
Python 3.6.4 Executables (32-bit) (HKLM-x32\...\{47A75DB9-F3F5-4697-9261-DBA5162DBB9E}) (Version: 3.6.4150.0 - Python Software Foundation) Hidden
Python 3.6.4 pip Bootstrap (32-bit) (HKLM-x32\...\{54142B43-2FA5-4BBA-BF03-27C10EB50C1E}) (Version: 3.6.4150.0 - Python Software Foundation) Hidden
Python 3.6.4 Standard Library (32-bit) (HKLM-x32\...\{2832768E-9BCA-4421-950C-7186B3BDFC45}) (Version: 3.6.4150.0 - Python Software Foundation) Hidden
Python 3.6.4 Tcl/Tk Support (32-bit) (HKLM-x32\...\{20888FA1-8127-42E3-969F-9BF93245AC83}) (Version: 3.6.4150.0 - Python Software Foundation) Hidden
Python 3.6.4 Test Suite (32-bit) (HKLM-x32\...\{D14FB2FA-51B2-415C-93BF-5053102235EE}) (Version: 3.6.4150.0 - Python Software Foundation) Hidden
Python 3.6.4 Utility Scripts (32-bit) (HKLM-x32\...\{D0730E44-E519-4F39-B926-E2FC0449D67C}) (Version: 3.6.4150.0 - Python Software Foundation) Hidden
Python Launcher (HKLM-x32\...\{B42FF40A-60D4-4096-AC47-C86153D72797}) (Version: 3.6.6196.0 - Python Software Foundation)
QuickTime 7 (HKLM-x32\...\{FF59BD75-466A-4D5A-AD23-AAD87C5FD44C}) (Version: 7.79.80.95 - Apple Inc.)
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 10.0.14393.29093 - Realtek Semiconductor Corp.)
Sandboxie 5.24 (64-bit) (HKLM\...\Sandboxie) (Version: 5.24 - Sandboxie Holdings, LLC)
Skype™ 7.37 (HKLM-x32\...\{3B7E914A-93D5-4A29-92BB-AF8C3F66C431}) (Version: 7.37.103 - Skype Technologies S.A.)
Speccy (HKLM\...\Speccy) (Version: 1.31 - Piriform)
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
TAP-NordVPN 9.21.2 (HKLM\...\TAP-NordVPN) (Version: 9.21.2 - NordVPN.com)
Thonny 2.1.17 (HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\Thonny_is1) (Version: 2.1.17 - Aivar Annamaa)
Update for Windows 10 for x64-based Systems (KB4023057) (HKLM\...\{5009B7EE-8A15-4A23-B404-15E31D02DA67}) (Version: 2.43.0.0 - Microsoft Corporation)
UpdateAssistant (HKLM\...\{57D07AAD-97E2-4E16-89C4-1A3C51BC9C98}) (Version: 1.16.0.0 - Microsoft Corporation) Hidden
Vulkan Run Time Libraries 1.0.65.1 (HKLM\...\VulkanRT1.0.65.1) (Version: 1.0.65.1 - LunarG, Inc.) Hidden
Windows Setup Remediations (x64) (KB4023057) (HKLM\...\{5534e02f-0f5d-40dd-ba92-bea38d22384d}.sdb) (Version:  - )
WinPcap 4.1.3 (HKLM-x32\...\WinPcapInst) (Version: 4.1.0.2980 - CACE Technologies)
WinRAR 5.40 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.40.0 - win.rar GmbH)
WPS Office (10.2.0.6020) (HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\Kingsoft Office) (Version: 10.2.0.6020 - Kingsoft Corp.)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-1760713586-1289027972-3592165009-1001_Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32 -> C:\WINDOWS\system32\oleaut32.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1760713586-1289027972-3592165009-1001_Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32 -> C:\WINDOWS\system32\oleaut32.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1760713586-1289027972-3592165009-1001_Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32 -> C:\WINDOWS\system32\oleaut32.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1760713586-1289027972-3592165009-1001_Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InprocServer32 -> C:\WINDOWS\system32\oleaut32.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1760713586-1289027972-3592165009-1001_Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32 -> C:\WINDOWS\system32\oleaut32.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1760713586-1289027972-3592165009-1001_Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InprocServer32 -> C:\WINDOWS\system32\oleaut32.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1760713586-1289027972-3592165009-1001_Classes\CLSID\{70239788-4DAE-49B8-9270-5D8614384B49}\InprocServer32 -> C:\Users\lenovo\AppData\Local\Kingsoft\WPS Office\10.2.0.6020\office6\addons\kpdf2wordshellext\kpdf2wordshellext64.dll (Zhuhai Kingsoft Office Software Co.,Ltd)
CustomCLSID: HKU\S-1-5-21-1760713586-1289027972-3592165009-1001_Classes\CLSID\{e8c77137-e224-5791-b6e9-ff0305797a13}\InprocServer32 -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll (Adobe Systems)
ShellIconOverlayIdentifiers: [ MEGA (Pending)] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\ProgramData\MEGAsync\ShellExtX64.dll [2017-11-16] ()
ShellIconOverlayIdentifiers: [ MEGA (Synced)] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\ProgramData\MEGAsync\ShellExtX64.dll [2017-11-16] ()
ShellIconOverlayIdentifiers: [ MEGA (Syncing)] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\ProgramData\MEGAsync\ShellExtX64.dll [2017-11-16] ()
ShellIconOverlayIdentifiers: [   AccExtIco1] -> {AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47} => C:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2018-02-10] ()
ShellIconOverlayIdentifiers: [   AccExtIco2] -> {853B7E05-C47D-4985-909A-D0DC5C6D7303} => C:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2018-02-10] ()
ShellIconOverlayIdentifiers: [   AccExtIco3] -> {42D38F2E-98E9-4382-B546-E24E4D6D04BB} => C:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2018-02-10] ()
ShellIconOverlayIdentifiers-x32: [ MEGA (Pending)] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\ProgramData\MEGAsync\ShellExtX64.dll [2017-11-16] ()
ShellIconOverlayIdentifiers-x32: [ MEGA (Synced)] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\ProgramData\MEGAsync\ShellExtX64.dll [2017-11-16] ()
ShellIconOverlayIdentifiers-x32: [ MEGA (Syncing)] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\ProgramData\MEGAsync\ShellExtX64.dll [2017-11-16] ()
ContextMenuHandlers1: [AccExt] -> {2A118EB5-5797-4F5E-8B3D-F4ECBA3C98E4} => C:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2018-02-10] ()
ContextMenuHandlers1: [ANotepad++64] -> {B298D29A-A6ED-11DE-BA8C-A68E55D89593} => C:\Program Files\Notepad++\NppShell_06.dll [2017-08-28] ()
ContextMenuHandlers1: [MEGA (Context menu)] -> {0229E5E7-09E9-45CF-9228-0228EC7D5F17} => C:\ProgramData\MEGAsync\ShellExtX64.dll [2017-11-16] ()
ContextMenuHandlers1: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2016-08-15] (Alexander Roshal)
ContextMenuHandlers1-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2016-08-15] (Alexander Roshal)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-03-27] (Malwarebytes)
ContextMenuHandlers3: [MEGA (Context menu)] -> {0229E5E7-09E9-45CF-9228-0228EC7D5F17} => C:\ProgramData\MEGAsync\ShellExtX64.dll [2017-11-16] ()
ContextMenuHandlers4: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} =>  -> No File
ContextMenuHandlers4: [MEGA (Context menu)] -> {0229E5E7-09E9-45CF-9228-0228EC7D5F17} => C:\ProgramData\MEGAsync\ShellExtX64.dll [2017-11-16] ()
ContextMenuHandlers5: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} =>  -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\WINDOWS\system32\igfxpph.dll [2017-03-09] (Intel Corporation)
ContextMenuHandlers5: [NvCplDesktopContext] -> {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} => C:\WINDOWS\system32\nvshext.dll [2018-02-23] (NVIDIA Corporation)
ContextMenuHandlers6: [AccExt] -> {2A118EB5-5797-4F5E-8B3D-F4ECBA3C98E4} => C:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2018-02-10] ()
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-03-27] (Malwarebytes)
ContextMenuHandlers6: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2016-08-15] (Alexander Roshal)
ContextMenuHandlers6-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2016-08-15] (Alexander Roshal)
ContextMenuHandlers1_S-1-5-21-1760713586-1289027972-3592165009-1001: [kpdf2wordshellext] -> {70239788-4DAE-49B8-9270-5D8614384B49} => C:\Users\lenovo\AppData\Local\Kingsoft\WPS Office\10.2.0.6020\office6\addons\kpdf2wordshellext\kpdf2wordshellext64.dll [2018-04-03] (Zhuhai Kingsoft Office Software Co.,Ltd)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {027D795A-7ACE-48A3-8DA4-3A33BF21AFB4} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\ProgramData\Microsoft\Windows Defender\platform\4.14.17639.18041-0\MpCmdRun.exe [2018-04-25] (Microsoft Corporation)
Task: {1D136606-08C0-4C97-8176-030766513D36} - System32\Tasks\GarminUpdaterTask => C:\Program Files (x86)\Garmin\Express SelfUpdater\ExpressSelfUpdater.exe [2018-03-27] ()
Task: {254119B6-4574-4401-9D1C-F22B520F06A2} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan => C:\ProgramData\Microsoft\Windows Defender\platform\4.14.17639.18041-0\MpCmdRun.exe [2018-04-25] (Microsoft Corporation)
Task: {2F0F5542-5546-4CC5-B17C-F86EFB64F3F6} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-11-02] (Google Inc.)
Task: {46BDB45D-C715-4986-B86D-5BBE406FFE97} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-11-02] (Google Inc.)
Task: {5203226B-2775-4200-9E12-73B75361F6C6} - System32\Tasks\Adobe Flash Player Updater => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2018-05-09] (Adobe Systems Incorporated)
Task: {5BCC8179-3479-41E1-9055-F2390081FD5C} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\ProgramData\Microsoft\Windows Defender\platform\4.14.17639.18041-0\MpCmdRun.exe [2018-04-25] (Microsoft Corporation)
Task: {70C69765-FDBE-4389-ACA5-4C9BB6A2C061} - System32\Tasks\WpsExternal_lenovo_20180403161957 => C:\Users\lenovo\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe [2018-04-03] (Zhuhai Kingsoft Office Software Co.,Ltd)
Task: {7598C14A-09F1-4652-AC01-73C19B4AED90} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2018-02-09] (Adobe Systems Incorporated)
Task: {7E06CE16-FC45-4C48-B03E-06A861CF9071} - System32\Tasks\Adobe Flash Player PPAPI Notifier => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashUtil32_29_0_0_171_pepper.exe [2018-05-09] (Adobe Systems Incorporated)
Task: {99D5ACC3-C10E-48E3-854B-883C09D4227E} - System32\Tasks\CreateExplorerShellUnelevatedTask => C:\WINDOWS\explorer.exe /NOUACCHECK
Task: {A15E5EE0-CA01-48DF-9F31-C2350CAD86B1} - System32\Tasks\Red Giant Link => C:\Program Files\Red Giant Link\Red Giant Link.exe
Task: {A6DC274D-82AC-4AEA-8428-D0416F84B326} - System32\Tasks\{7DC9BEE2-DA71-4812-BDE1-E1D08BC45DD9} => C:\WINDOWS\system32\pcalua.exe -a C:\WINDOWS\RtCRU64.exe -c /u
Task: {B5450197-EF08-41F6-AAC4-7585A9FE6CF2} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\ProgramData\Microsoft\Windows Defender\platform\4.14.17639.18041-0\MpCmdRun.exe [2018-04-25] (Microsoft Corporation)
Task: {B7F301DA-189A-492F-8900-E418A152C0A5} - System32\Tasks\WpsUpdateTask_lenovo => C:\Users\lenovo\AppData\Local\Kingsoft\WPS Office\10.2.0.6020\wtoolex\wpsupdate.exe
Task: {E58BEAAE-6CC3-4856-84A5-DD6B3CC2342E} - System32\Tasks\AdobeAAMUpdater-1.0-MicrosoftAccount-eric_lin_2004@hotmail.com => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2016-07-01] (Adobe Systems Incorporated)
Task: {E64D3DD5-902F-4268-BA24-B8A8D0678812} - System32\Tasks\Adobe Uninstaller => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe [2018-02-14] (Adobe Systems Incorporated)
Task: {ED8EF876-775F-4FE6-901A-5D2159509BB3} - System32\Tasks\AdobeGCInvoker-1.0-MicrosoftAccount-eric_lin_2004@hotmail.com => C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGCInvokerUtility.exe [2018-01-05] (Adobe Systems, Incorporated)
Task: {F1887EE4-F892-4CF7-9E22-AE1D646C0E51} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {F4955D5E-A195-4B32-925C-53B292DB3954} - System32\Tasks\MEGA\MEGAsync Update Task S-1-5-21-1760713586-1289027972-3592165009-1001 => C:\ProgramData\MEGAsync\MEGAupdater.exe [2018-01-19] (Mega Limited)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
==================== Loaded Modules (Whitelisted) ==============
 
2016-07-16 07:42 - 2016-07-16 07:42 - 000231424 _____ () C:\WINDOWS\SYSTEM32\ism32k.dll
2018-04-10 19:00 - 2018-03-21 23:45 - 002681712 _____ () C:\WINDOWS\system32\CoreUIComponents.dll
2018-04-12 08:05 - 2018-02-24 00:36 - 000543248 _____ () C:\Program Files\NVIDIA Corporation\Display.NvContainer\plugins\LocalSystem\DisplayDriverAnalyzer\_DisplayDriverCrashAnalyzer64.dll
2017-02-11 12:43 - 2015-08-25 11:08 - 000187200 _____ () C:\Program Files\Lenovo\Lenovo Mouse Suite\Service\PelService.exe
2018-05-02 07:49 - 2018-05-02 07:49 - 000430840 _____ () C:\Program Files (x86)\NordVPN\nordvpn-service.exe
2017-01-15 19:46 - 2018-02-23 15:22 - 000133464 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2018-04-20 11:45 - 2018-04-20 11:45 - 000061440 _____ () C:\Program Files\Haste\Haste Esports Accelerator\WinDivert.dll
2016-10-31 15:45 - 2017-11-16 20:05 - 000598528 _____ () C:\ProgramData\MEGAsync\ShellExtX64.dll
2018-02-10 02:12 - 2018-02-10 02:12 - 000614856 _____ () C:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll
2016-09-15 03:28 - 2016-09-15 03:28 - 000134656 _____ () C:\Windows\ShellExperiences\Windows.UI.Shell.SharedUtilities.dll
2017-03-15 12:37 - 2017-03-04 02:31 - 000474112 _____ () C:\Windows\ShellExperiences\QuickActions.dll
2018-05-26 16:44 - 2018-04-02 23:45 - 009761280 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2018-05-26 16:44 - 2018-04-02 23:35 - 001402368 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2018-05-26 16:44 - 2018-04-02 23:34 - 000757760 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CSGSuggestLib.dll
2018-05-26 16:44 - 2018-04-02 23:35 - 002424832 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
2018-05-26 16:44 - 2018-04-02 23:38 - 004854272 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll
2018-05-16 16:48 - 2018-05-14 23:13 - 004443992 _____ () C:\Program Files (x86)\Google\Chrome\Application\66.0.3359.181\libglesv2.dll
2018-05-16 16:48 - 2018-05-14 23:13 - 000099672 _____ () C:\Program Files (x86)\Google\Chrome\Application\66.0.3359.181\libegl.dll
2018-05-25 22:13 - 2018-05-25 22:15 - 001227952 _____ () C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.9226.21755.0_x64__8wekyb3d8bbwe\Office.UI.Xaml.Word.dll
2018-04-25 07:08 - 2018-04-25 07:08 - 000254464 _____ () C:\Program Files (x86)\NordVPN\x86\Liberation.Native.Firewall.dll
2017-06-18 20:08 - 2018-05-01 03:32 - 000788256 _____ () C:\Program Files (x86)\Steam\SDL2.dll
2017-06-18 20:08 - 2016-08-31 21:02 - 004969248 _____ () C:\Program Files (x86)\Steam\v8.dll
2017-06-18 20:08 - 2018-05-18 19:01 - 002632480 _____ () C:\Program Files (x86)\Steam\video.dll
2017-12-14 19:43 - 2017-12-19 21:43 - 005137696 _____ () C:\Program Files (x86)\Steam\libavcodec-57.dll
2017-12-14 19:43 - 2017-12-19 21:43 - 000695584 _____ () C:\Program Files (x86)\Steam\libavformat-57.dll
2017-12-14 19:43 - 2017-12-19 21:43 - 000351520 _____ () C:\Program Files (x86)\Steam\libavresample-3.dll
2017-12-14 19:43 - 2017-12-19 21:43 - 000847136 _____ () C:\Program Files (x86)\Steam\libavutil-55.dll
2017-12-14 19:43 - 2017-12-19 21:43 - 000783648 _____ () C:\Program Files (x86)\Steam\libswscale-4.dll
2017-06-18 20:08 - 2016-08-31 21:02 - 001563936 _____ () C:\Program Files (x86)\Steam\icui18n.dll
2017-06-18 20:08 - 2016-08-31 21:02 - 001195296 _____ () C:\Program Files (x86)\Steam\icuuc.dll
2017-06-18 20:08 - 2018-05-18 19:01 - 000979232 _____ () C:\Program Files (x86)\Steam\bin\chromehtml.DLL
2017-06-18 20:08 - 2016-07-04 18:17 - 000266560 _____ () C:\Program Files (x86)\Steam\openvr_api.dll
2017-06-18 20:10 - 2018-05-01 03:32 - 000788256 _____ () C:\Program Files (x86)\Steam\bin\cef\cef.win7\SDL2.dll
2017-06-18 20:10 - 2018-05-14 15:39 - 083524384 _____ () C:\Program Files (x86)\Steam\bin\cef\cef.win7\libcef.dll
2017-06-18 20:08 - 2015-09-24 19:52 - 000119208 _____ () C:\Program Files (x86)\Steam\winh264.dll
2016-04-13 04:38 - 2017-11-16 20:05 - 000798208 _____ () C:\ProgramData\MEGAsync\libsodium.dll
2017-08-23 08:14 - 2018-05-14 15:39 - 002253600 _____ () C:\Program Files (x86)\Steam\bin\cef\cef.win7\swiftshader\libglesv2.dll
2017-08-23 08:14 - 2018-05-14 15:39 - 000109856 _____ () C:\Program Files (x86)\Steam\bin\cef\cef.win7\swiftshader\libegl.dll
2018-05-23 21:32 - 2018-05-23 21:32 - 000279040 _____ () C:\Program Files (x86)\Steam\steamapps\common\World of Tanks Blitz\FacebookBridge.dll
2017-07-09 16:36 - 2017-07-09 16:49 - 000391680 _____ () C:\Program Files (x86)\Steam\steamapps\common\World of Tanks Blitz\glew32.dll
2017-11-08 21:53 - 2017-11-08 21:53 - 047202304 _____ () C:\Program Files (x86)\Steam\steamapps\common\World of Tanks Blitz\libcef.dll
2017-06-18 20:08 - 2018-05-18 19:01 - 000419104 _____ () C:\Program Files (x86)\Steam\steam.dll
2018-05-04 21:30 - 2018-04-30 23:01 - 001891672 _____ () C:\Users\lenovo\AppData\Local\Discord\app-0.0.301\ffmpeg.dll
2018-05-04 21:30 - 2018-05-04 21:30 - 001910104 _____ () \\?\C:\Users\lenovo\AppData\Roaming\discord\0.0.301\modules\discord_spellcheck\node_modules\cld\build\Release\cld.node
2018-05-04 21:30 - 2018-05-04 21:30 - 000422744 _____ () \\?\C:\Users\lenovo\AppData\Roaming\discord\0.0.301\modules\discord_spellcheck\node_modules\spellchecker\build\Release\spellchecker.node
2018-05-04 21:30 - 2018-05-04 21:30 - 000145240 _____ () \\?\C:\Users\lenovo\AppData\Roaming\discord\0.0.301\modules\discord_spellcheck\node_modules\keyboard-layout\build\Release\keyboard-layout-manager.node
2018-05-04 21:30 - 2018-05-24 16:11 - 009820504 _____ () \\?\C:\Users\lenovo\AppData\Roaming\discord\0.0.301\modules\discord_voice\discord_voice.node
2018-05-04 21:30 - 2018-05-04 21:30 - 001530712 _____ () \\?\C:\Users\lenovo\AppData\Roaming\discord\0.0.301\modules\discord_utils\discord_utils.node
2018-05-04 21:30 - 2018-05-04 21:30 - 000512856 _____ () \\?\C:\Users\lenovo\AppData\Roaming\discord\0.0.301\modules\discord_erlpack\discord_erlpack.node
2018-05-04 21:30 - 2018-05-04 21:30 - 001578840 _____ () \\?\C:\Users\lenovo\AppData\Roaming\discord\0.0.301\modules\discord_game_utils\discord_game_utils.node
2018-05-04 21:30 - 2018-05-12 18:33 - 001728344 _____ () \\?\C:\Users\lenovo\AppData\Roaming\discord\0.0.301\modules\discord_overlay2\discord_overlay2.node
2018-05-04 21:30 - 2018-05-04 21:30 - 002722648 _____ () \\?\C:\Users\lenovo\AppData\Roaming\discord\0.0.301\modules\discord_rpc\discord_rpc.node
2018-05-04 21:30 - 2018-05-04 21:30 - 001249112 _____ () \\?\C:\Users\lenovo\AppData\Roaming\discord\0.0.301\modules\discord_vigilante\discord_vigilante.node
2018-05-04 21:30 - 2018-05-04 21:30 - 002760536 _____ () \\?\C:\Users\lenovo\AppData\Roaming\discord\0.0.301\modules\discord_contact_import\discord_contact_import.node
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
AlternateDataStreams: C:\Users\lenovo\Local Settings:lgCCpTXUERcLn0LuO0ekr1yvi [2138]
AlternateDataStreams: C:\Users\lenovo\AppData\Local:lgCCpTXUERcLn0LuO0ekr1yvi [2138]
AlternateDataStreams: C:\Users\lenovo\AppData\Local\Application Data:lgCCpTXUERcLn0LuO0ekr1yvi [2138]
AlternateDataStreams: C:\Users\lenovo\AppData\Local\Temp:1F1WDjreYptc8l8FJx [2052]
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\Software\Classes\regfile: regedit.exe "%1" <==== ATTENTION
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2017-01-15 06:35 - 2017-06-23 20:42 - 000000828 _____ C:\WINDOWS\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\lenovo\Pictures\Wallpapers\317828-universe-wallpaper-3840x2160-for-lockscreen.jpg
DNS Servers: 192.168.2.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: RequireAdmin)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
HKLM\...\StartupApproved\Run: => "IgfxTray"
HKLM\...\StartupApproved\Run: => "ForteConfig"
HKLM\...\StartupApproved\Run: => "AdobeAAMUpdater-1.0"
HKLM\...\StartupApproved\Run: => "Wondershare Helper Compact.exe"
HKLM\...\StartupApproved\Run: => "Malwarebytes TrayApp"
HKLM\...\StartupApproved\Run: => "Daemon for Mouse Suite"
HKLM\...\StartupApproved\Run: => "AdobeGCInvoker-1.0"
HKLM\...\StartupApproved\Run32: => "SunJavaUpdateSched"
HKLM\...\StartupApproved\Run32: => "Avira System Speedup Tray"
HKLM\...\StartupApproved\Run32: => "AdobeCS6ServiceManager"
HKLM\...\StartupApproved\Run32: => "SwitchBoard"
HKLM\...\StartupApproved\Run32: => "Wondershare Helper Compact.exe"
HKLM\...\StartupApproved\Run32: => "APSDaemon"
HKLM\...\StartupApproved\Run32: => "Adobe Creative Cloud"
HKLM\...\StartupApproved\Run32: => "IJNetworkScannerSelectorEX"
HKLM\...\StartupApproved\Run32: => "AdobeAAMUpdater-1.0"
HKLM\...\StartupApproved\Run32: => "AdobeGCInvoker-1.0"
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\StartupApproved\StartupFolder: => "WO Mic Client.lnk"
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\StartupApproved\Run: => "BlueStacks Agent"
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\StartupApproved\Run: => "GarminExpressTrayApp"
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\StartupApproved\Run: => "TunnelBear"
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\StartupApproved\Run: => "GlassWire"
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\StartupApproved\Run: => "CCleaner Monitoring"
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\StartupApproved\Run: => "Skype"
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\StartupApproved\Run: => "MiPhoneManager"
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\StartupApproved\Run: => "Discord"
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\StartupApproved\Run: => "World of Tanks"
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\StartupApproved\Run: => "proXPN"
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\StartupApproved\Run: => "GoogleChromeAutoLaunch_EE07359CBB5DF117C451479D648E72F4"
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\StartupApproved\Run: => "GoogleDriveSync"
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\StartupApproved\Run: => "FACEIT"
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\StartupApproved\Run: => "QQ2009"
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\StartupApproved\Run: => "Server Runtime Subsystem"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [TCP Query User{3862D208-19EB-4074-9F74-C793F835DFD3}C:\program files (x86)\steam\steamapps\common\counter-strike global offensive\csgo.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\counter-strike global offensive\csgo.exe
FirewallRules: [UDP Query User{BAD9EEAF-1B44-4F14-818B-5196CA41340A}C:\program files (x86)\steam\steamapps\common\counter-strike global offensive\csgo.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\counter-strike global offensive\csgo.exe
FirewallRules: [TCP Query User{6967C092-0CA7-4466-B5AB-1D90F8DD0912}C:\program files (x86)\skype\phone\skype.exe] => (Allow) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [UDP Query User{36722994-6169-468F-8F3A-0C94ABD68FDE}C:\program files (x86)\skype\phone\skype.exe] => (Allow) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [{0C3EFE94-DE51-4CC2-B4FA-2EF736A3A755}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{769DE923-99DB-4A1B-A006-2574F2CBADBF}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{10C05F2E-6197-4AC2-89B4-DE86F5E876D4}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{64ED3F0E-4CDC-4AAA-B6DA-02B57F0D6C0E}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{3C74E005-6A9C-49DC-8DE3-857A80FFFDA5}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\World of Tanks Blitz\wotblitz.exe
FirewallRules: [{D85FAA32-DEC1-4E5C-A712-2708E45F8B2F}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\World of Tanks Blitz\wotblitz.exe
FirewallRules: [{09E213D4-FDD9-4BCB-A724-D4C598A81333}] => (Allow) C:\Users\lenovo\AppData\Local\Kingsoft\WPS Office\10.2.0.6020\office6\wpscloudsvr.exe
FirewallRules: [{9F915563-F864-401F-A5AF-1897DE619B00}] => (Allow) C:\Users\lenovo\AppData\Roaming\Tencent\QQ\STemp\SetupEx0\QQSetupEx.exe
FirewallRules: [{CC5EF743-E621-4AFD-AEF8-43E70EC4CB2B}] => (Allow) C:\program files (x86)\common files\tencent\qqdownload\135\bugreport_xf.exe
FirewallRules: [{C8EDFBE6-E7A7-4CB0-BAA5-6A69D4EC57A0}] => (Allow) C:\program files (x86)\common files\tencent\qqdownload\135\tencentdl.exe
FirewallRules: [{31F80DF2-3AAB-435D-A2EF-1A772D011B7D}] => (Allow) C:\Program Files (x86)\WOMic\womicclient.exe
FirewallRules: [{C1EEFFBF-5CF1-409C-8BFA-AD6777383A04}] => (Allow) C:\program files (x86)\common files\tencent\qqdownload\135\tencentdl.exe
FirewallRules: [{30FCA57C-55E0-46CD-8D1C-91694C20DC80}] => (Allow) C:\program files (x86)\common files\tencent\qqdownload\135\bugreport_xf.exe
FirewallRules: [{18A31C50-8A9B-4C1D-8267-E882B84D50F6}] => (Allow) C:\Program Files (x86)\Tencent\QQMusic\QzoneMusic\QzoneMusic.exe
FirewallRules: [{5159D2CB-FE8D-4D3E-82AA-5A3861285BA9}] => (Allow) C:\Program Files (x86)\Tencent\QQMusic\QzoneMusic\QzoneMusic.exe
FirewallRules: [{518A6032-CC58-4D51-B5C8-CCD803737CDA}] => (Allow) C:\Users\Public\Documents\Tencent\QQGameMicro\QQGameMicro.exe
FirewallRules: [{422CA481-56BE-4622-AEE3-94D838D50A1F}] => (Allow) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe
FirewallRules: [TCP Query User{20F4C275-9724-4418-8FC1-4AFFBDE37E62}C:\program files (x86)\steam\steamapps\common\insurgency2\insurgency.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\insurgency2\insurgency.exe
FirewallRules: [UDP Query User{89E57EFF-1154-40BE-82EA-AECB79B16D5A}C:\program files (x86)\steam\steamapps\common\insurgency2\insurgency.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\insurgency2\insurgency.exe
FirewallRules: [TCP Query User{096A2849-1AD8-4CCF-B401-54A13BC689BA}C:\users\lenovo\downloads\greenstreettutorials bngdrive\beamng.drive.v0.11\bin64\beamng.drive.x64.exe] => (Allow) C:\users\lenovo\downloads\greenstreettutorials bngdrive\beamng.drive.v0.11\bin64\beamng.drive.x64.exe
FirewallRules: [UDP Query User{A63256B5-03E5-4D41-89CB-B68648731BDB}C:\users\lenovo\downloads\greenstreettutorials bngdrive\beamng.drive.v0.11\bin64\beamng.drive.x64.exe] => (Allow) C:\users\lenovo\downloads\greenstreettutorials bngdrive\beamng.drive.v0.11\bin64\beamng.drive.x64.exe
FirewallRules: [TCP Query User{09CBB3F1-ABA8-4F70-9928-AF6AFAA53E4C}C:\users\lenovo\downloads\greenstreettutorials counter strike 1.6\counter-strike 16 nosteam\hl.exe] => (Allow) C:\users\lenovo\downloads\greenstreettutorials counter strike 1.6\counter-strike 16 nosteam\hl.exe
FirewallRules: [UDP Query User{64785CD9-AC38-43FB-9A79-0E951598DE96}C:\users\lenovo\downloads\greenstreettutorials counter strike 1.6\counter-strike 16 nosteam\hl.exe] => (Allow) C:\users\lenovo\downloads\greenstreettutorials counter strike 1.6\counter-strike 16 nosteam\hl.exe
FirewallRules: [TCP Query User{AF800B08-289F-4FBE-ABA9-59508C5C9D69}C:\users\lenovo\downloads\bngdrive\beamng.drive.v0.11\bin64\beamng.drive.x64.exe] => (Allow) C:\users\lenovo\downloads\bngdrive\beamng.drive.v0.11\bin64\beamng.drive.x64.exe
FirewallRules: [UDP Query User{6C48C16E-170A-4A8F-8BFB-E9BF54B7D222}C:\users\lenovo\downloads\bngdrive\beamng.drive.v0.11\bin64\beamng.drive.x64.exe] => (Allow) C:\users\lenovo\downloads\bngdrive\beamng.drive.v0.11\bin64\beamng.drive.x64.exe
FirewallRules: [{D0BC20B5-7D40-459E-A719-32C073397645}] => (Allow) C:\Users\lenovo\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe
FirewallRules: [{3811A4E1-2521-471B-9A4E-70F460B66FAE}] => (Allow) C:\Users\lenovo\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe
FirewallRules: [{7616FBCE-3E64-4259-BAF3-ED5ED3FEB5FD}] => (Allow) C:\Users\lenovo\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe
FirewallRules: [{8B7A99A3-3A1B-4688-83AA-02CDCCE923D5}] => (Allow) C:\Users\lenovo\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe
FirewallRules: [TCP Query User{AD2C4EEB-5209-4A8C-8235-810AC036DB76}C:\users\lenovo\downloads\beamng.drive\beamng.drive.v0.11\bin64\beamng.drive.x64.exe] => (Allow) C:\users\lenovo\downloads\beamng.drive\beamng.drive.v0.11\bin64\beamng.drive.x64.exe
FirewallRules: [UDP Query User{EFA06A6C-C72F-4FF3-9C05-D580CBE70EBD}C:\users\lenovo\downloads\beamng.drive\beamng.drive.v0.11\bin64\beamng.drive.x64.exe] => (Allow) C:\users\lenovo\downloads\beamng.drive\beamng.drive.v0.11\bin64\beamng.drive.x64.exe
FirewallRules: [{85A65CD0-E53D-46F8-A578-B585FA1422EA}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{4EEEBA62-EE82-42E5-9F1A-B87232B12388}] => (Allow) C:\Program Files (x86)\Tencent\QQ\Bin\QQ.exe
FirewallRules: [{25D05BB2-5AB5-45F5-9B02-1F6C47B79802}] => (Allow) C:\Program Files (x86)\Tencent\QQ\Bin\auclt.exe
FirewallRules: [{03E7D4CD-9734-4FD9-9695-19E927761405}] => (Allow) C:\Program Files (x86)\Tencent\QQ\Bin\txupd.exe
FirewallRules: [{74317FDB-A38F-4196-886B-99643FE528BB}] => (Allow) C:\Program Files (x86)\Tencent\QQ\Bin\SetupEx\SetupEx.exe
FirewallRules: [{7EBD6D4E-6466-47F8-A7F1-AB4180FF2655}] => (Allow) C:\Program Files (x86)\Tencent\QQ\Bin\maLauncher.exe
FirewallRules: [{6953F469-680D-4172-A6F5-15BE5DE13471}] => (Allow) C:\Program Files (x86)\Tencent\QQ\Bin\maUpdat.exe
FirewallRules: [{3317C258-E051-4218-A688-930E765974E2}] => (Allow) C:\program files (x86)\common files\tencent\qqdownload\135\tencentdl.exe
FirewallRules: [{8173DE0E-3031-4825-875B-93B97C9FFE28}] => (Allow) C:\program files (x86)\common files\tencent\qqdownload\135\bugreport_xf.exe
FirewallRules: [{D555641A-7DFC-463E-9D7A-00B18BAC24C3}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{63E71014-204E-40FF-BFBF-56764E49AC36}] => (Allow) C:\Program Files (x86)\Nox\bin\Nox.exe
FirewallRules: [{3ED1A313-9CA3-49CF-833E-A804E6FF5BFF}] => (Allow) C:\Program Files (x86)\Bignox\BigNoxVM\RT\NoxVMHandle.exe
FirewallRules: [TCP Query User{4CB92E63-0D92-463E-B996-38A364578272}C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe] => (Allow) C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe
FirewallRules: [UDP Query User{3A528F51-1520-4019-90A2-642A4ABBF1BA}C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe] => (Allow) C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe
 
==================== Restore Points =========================
 
26-05-2018 22:33:44 malwarecleared
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (05/26/2018 10:33:46 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: 加密服务处理系统写入程序对象中的 OnIdentity() 调用时失败。
 
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft 链路层发现协议.
 
System Error:
拒绝访问。
 
Error: (05/26/2018 04:22:22 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: DLL“C:\Windows\System32\rasctrs.dll”中服务“RemoteAccess”的打开过程失败。该服务的性能数据将不可使用。数据段的第一个四字节 (DWORD) 包含错误代码。
 
Error: (05/26/2018 04:22:22 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: DLL“C:\Windows\System32\bitsperf.dll”中服务“BITS”的打开过程失败。该服务的性能数据将不可使用。数据段的第一个四字节 (DWORD) 包含错误代码。
 
Error: (05/26/2018 04:01:50 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: 加密服务处理系统写入程序对象中的 OnIdentity() 调用时失败。
 
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft 链路层发现协议.
 
System Error:
拒绝访问。
 
Error: (05/26/2018 10:58:25 AM) (Source: Microsoft-Windows-EFS) (EventID: 4401) (User: LENOVO-PC)
Description: 7.488: EFS 服务无法为 EDP 预配用户。错误代码: 0x80070005。
 
Error: (05/26/2018 09:52:31 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: 加密服务处理系统写入程序对象中的 OnIdentity() 调用时失败。
 
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft 链路层发现协议.
 
System Error:
拒绝访问。
 
Error: (05/26/2018 08:55:42 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: LENOVO-PC)
Description: 激活应用 Microsoft.Getstarted_5.12.2691.1000_x64__8wekyb3d8bbwe:App.AppX7mv0s3r0wanj0n66dy6vax24ps6avzvz.mca 失败错误: -2144927149 请查看 Microsoft-Windows-TWinUI/运行日志以了解其他信息。
 
Error: (05/26/2018 08:52:03 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: LENOVO-PC)
Description: 激活应用 Microsoft.Getstarted_5.12.2691.1000_x64__8wekyb3d8bbwe:App.AppX7mv0s3r0wanj0n66dy6vax24ps6avzvz.mca 失败错误: -2144927149 请查看 Microsoft-Windows-TWinUI/运行日志以了解其他信息。
 
 
System errors:
=============
Error: (05/27/2018 09:29:41 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: 应用程序-特定 权限设置并未向在应用程序容器 不可用 SID (不可用)中运行的地址 LocalHost (使用 LRPC) 中的用户 NT AUTHORITY\SYSTEM SID (S-1-5-18)授予针对 CLSID 为 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
、APPID 为 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 的 COM 服务器应用程序的 本地 激活 权限。此安全权限可以使用组件服务管理工具进行修改。
 
Error: (05/27/2018 09:16:56 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: WMPNetworkSvc 服务因下列错误而停止: 
试图引用不存在的令牌。
 
Error: (05/27/2018 09:16:54 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: HvHost 服务因下列错误而停止: 
连到系统上的设备没有发挥作用。
 
Error: (05/27/2018 09:16:54 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: 由于下列错误vcs 服务启动失败: 
Windows 无法验证此文件的数字签名。某软件或硬件最近有所更改可能安装了签名错误或损毁的文件或者安装的文件可能是来路不明的恶意软件。
 
Error: (05/27/2018 09:16:54 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: 由于下列错误NVR0FLASHDev 服务启动失败: 
系统找不到指定的文件。
 
Error: (05/27/2018 09:16:53 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: 由于下列错误HuaweiHiSuiteService64.exe 服务启动失败: 
系统找不到指定的文件。
 
Error: (05/27/2018 09:16:53 AM) (Source: NETLOGON) (EventID: 3095) (User: )
Description: 此计算机被配置为某个工作组的成员
并不是域的成员。
此种配置下不需要运行 Netlogon 服务。
 
Error: (05/26/2018 10:34:24 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: 应用程序-特定 权限设置并未向在应用程序容器 不可用 SID (不可用)中运行的地址 LocalHost (使用 LRPC) 中的用户 NT AUTHORITY\SYSTEM SID (S-1-5-18)授予针对 CLSID 为 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
、APPID 为 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 的 COM 服务器应用程序的 本地 激活 权限。此安全权限可以使用组件服务管理工具进行修改。
 
 
Windows Defender:
===================================
Date: 2018-05-26 21:33:55.742
Description: 
Windows Defender ???????????????????
?????????:
??: HackTool:Win32/Patcher
ID: 2147659947
???: ?
??: ??
??: file:_C:\Users\lenovo\Downloads\Applications\Adobe Programs Crack\Patch.exe
????: ?????
????: ??
???: ????
??: Lenovo-PC\lenovo
????: C:\Users\lenovo\Downloads\esetonlinescanner_enu.exe
????: AV: 1.269.141.0, AS: 1.269.141.0, NIS: 1.269.141.0
????: AM: 1.1.14901.4, NIS: 1.1.14901.4
 
Date: 2018-05-26 10:37:33.989
Description: 
Windows Defender ???????????????????
?????????:
??: HackTool:MSIL/Uflooder.C!bit
ID: 2147709445
???: ?
??: ??
??: file:_C:\Users\lenovo\Downloads\Tools\LOIC\LOIC.exe
????: ?????
????: ??
???: ??
??: NT AUTHORITY\SYSTEM
????: Unknown
????: AV: 1.269.141.0, AS: 1.269.141.0, NIS: 1.269.141.0
????: AM: 1.1.14901.4, NIS: 1.1.14901.4
 
Date: 2018-05-26 10:36:45.669
Description: 
Windows Defender ???????????????????
?????????:
??: HackTool:Win32/Oylecann.A
ID: 2147641076
???: ?
??: ??
??: file:_C:\Users\lenovo\Downloads\Tools\LOIC\LOIC.exe
????: ?????
????: ??
???: ??
??: Lenovo-PC\lenovo
????: Unknown
????: AV: 1.267.543.0, AS: 1.267.543.0, NIS: 1.267.543.0
????: AM: 1.1.14800.3, NIS: 1.1.14800.3
 
Date: 2018-04-28 18:32:04.380
Description: 
??????? Windows Defender ???
?? ID: {9A3B751C-940E-4EE0-9ED0-B33FD5258F4F}
????: ?????
????: ????
??: NT AUTHORITY\SYSTEM
 
Date: 2018-04-19 19:04:45.079
Description: 
??????? Windows Defender ???
?? ID: {B0A1E9A2-46F7-43E1-AB94-314A12BF8C73}
????: ?????
????: ????
??: NT AUTHORITY\SYSTEM
 
Date: 2018-03-19 22:44:32.322
Description: 
Translation: Windows Defender ?????????????
?????: 
?????: 118.5.0.0
???: Microsoft ????????
????: ??????
????: ??
??: NT AUTHORITY\NETWORK SERVICE
??????: 
?????: 2.1.14202.0
????: 0x80072ee7
????: ????????????? 
 
Date: 2018-03-19 22:44:32.315
Description: 
Translation: Windows Defender ?????????????
?????: 
?????: 1.263.792.0
???: Microsoft ????????
????: ?????
????: ??
??: NT AUTHORITY\NETWORK SERVICE
??????: 
?????: 1.1.14600.4
????: 0x80072ee7
????: ????????????? 
 
Date: 2018-03-19 22:44:32.315
Description: 
Translation: Windows Defender ?????????????
?????: 
?????: 1.263.792.0
???: Microsoft ????????
????: ???
????: ??
??: NT AUTHORITY\NETWORK SERVICE
??????: 
?????: 1.1.14600.4
????: 0x80072ee7
????: ????????????? 
 
Date: 2018-03-19 22:44:32.271
Description: 
Translation: Windows Defender ?????????????
?????: 
?????: 1.263.792.0
???: Microsoft ?????
????: ???
????: ??
??: NT AUTHORITY\SYSTEM
??????: 
?????: 1.1.14600.4
????: 0x80240438
????: ????????????????????????????,???“?????”? 
 
Date: 2018-03-06 15:29:16.230
Description: 
Translation: Windows Defender ?????????????
?????: 
?????: 118.2.0.0
???: Microsoft ????????
????: ??????
????: ??
??: NT AUTHORITY\NETWORK SERVICE
??????: 
?????: 2.1.14202.0
????: 0x80072ee7
????: ????????????? 
 
CodeIntegrity:
===================================
 
Date: 2018-05-27 09:16:54.589
Description: 
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files (x86)\Common Files\Avnex\vcs64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
Date: 2018-05-26 22:30:44.915
Description: 
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files (x86)\Common Files\Avnex\vcs64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
Date: 2018-05-26 08:58:03.849
Description: 
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files (x86)\Common Files\Avnex\vcs64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
Date: 2018-05-25 22:08:49.845
Description: 
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files (x86)\Common Files\Avnex\vcs64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
Date: 2018-05-20 15:59:35.399
Description: 
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files (x86)\Common Files\Avnex\vcs64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
Date: 2018-05-18 16:43:32.261
Description: 
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files (x86)\Common Files\Avnex\vcs64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
Date: 2018-05-15 20:51:22.411
Description: 
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files (x86)\Common Files\Avnex\vcs64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
Date: 2018-05-12 18:03:58.723
Description: 
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files (x86)\Common Files\Avnex\vcs64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i5-2520M CPU @ 2.50GHz
Percentage of memory in use: 85%
Total physical RAM: 3937.43 MB
Available physical RAM: 587.63 MB
Total Virtual: 7874.86 MB
Available Virtual: 3614.77 MB
 
==================== Drives ================================
 
Drive c: (Windows) (Fixed) (Total:91.63 GB) (Free:5.66 GB) NTFS ==>[system with boot components (obtained from drive)]
 
\\?\Volume{938d232d-5759-47bc-a13b-6018c5415891}\ (WINRE_DRV) (Fixed) (Total:0.98 GB) (Free:0.61 GB) NTFS
\\?\Volume{ce4b4549-a6b7-499d-a651-f6079bf7d8d2}\ (Lenovo_Recovery) (Fixed) (Total:11.8 GB) (Free:2.5 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 111.8 GB) (Disk ID: D720B0F1)
 
Partition: GPT.
 
==================== End of Addition.txt ============================

Attached Files



#5 nasdaq

nasdaq

  • Malware Response Team
  • 39,567 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:57 AM

Posted 27 May 2018 - 10:51 AM

Please post the FRST.txt log that was created by the Farbar Program.

I need to review it.

#6 Er1cL1n

Er1cL1n
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:57 AM

Posted 27 May 2018 - 03:58 PM

Please post the FRST.txt log that was created by the Farbar Program.

I need to review it.

You said to PASTE the FRST log into the reply and ATTACH the Addition.txt. But I'll attach both as you asked. 

Attached Files



#7 nasdaq

nasdaq

  • Malware Response Team
  • 39,567 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:57 AM

Posted 28 May 2018 - 07:43 AM

Hi,

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\...\Policies\Explorer: [NoChangeStartMenu] 0
HKLM\...\Policies\Explorer: [NoRecentDocsNetHood] 0
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <==== ATTENTION
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\Policies\Explorer: [NolowDiskSpaceChecks] 1
Startup: C:\Users\lenovo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WO Mic Client.lnk [2017-11-12]
ShortcutTarget: WO Mic Client.lnk -> C:\Program Files (x86)\WOMic\WOMicClient.exe (No File)
FF Plugin-x32: @tencent.com/npQQMailWebKit,version=1.0.0.1 -> C:\Program Files (x86)\QQMailPlugin\npQQMailWebKit.dll [No File]
FF Plugin-x32: @tencent.com/nptxftnWebKit,version=1.0.0.1 -> C:\Program Files (x86)\QQMailPlugin\nptxftnWebKit.dll [No File]
FF Plugin HKU\S-1-5-21-1760713586-1289027972-3592165009-1001: @1.qq.com/npqqwebgame -> C:\Users\lenovo\AppData\Roaming\Tencent\WebGamePlugin\1.0.4.3\npqqwebgame.dll [No File]
S2 wust; C:\OSRSS\wust.exe [0 ] () <==== ATTENTION (zero byte File/Folder)
S2 HuaweiHiSuiteService64.exe; "C:\Program Files (x86)\HiSuite\HandSetService\HuaweiHiSuiteService64.exe" -/service [X]
S3 glavcam; \SystemRoot\system32\DRIVERS\glavcam.sys [X]
S2 NVR0FLASHDev; \??\C:\WINDOWS\nvflsh64.sys [X]
S3 ShuameProtectX64Test; \??\C:\Program Files (x86)\shuame\4.1.7.217\ShuameProtectX64Test.sys [X]
S3 VMnetAdapter; \SystemRoot\system32\DRIVERS\vmnetadapter.sys [X]
C:\OSRSS

ContextMenuHandlers4: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} =>  -> No File
ContextMenuHandlers5: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} =>  -> No File
AlternateDataStreams: C:\Users\lenovo\Local Settings:lgCCpTXUERcLn0LuO0ekr1yvi [2138]
AlternateDataStreams: C:\Users\lenovo\AppData\Local:lgCCpTXUERcLn0LuO0ekr1yvi [2138]
AlternateDataStreams: C:\Users\lenovo\AppData\Local\Application Data:lgCCpTXUERcLn0LuO0ekr1yvi [2138]
AlternateDataStreams: C:\Users\lenovo\AppData\Local\Temp:1F1WDjreYptc8l8FJx [2052]
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\Software\Classes\regfile: regedit.exe "%1" <==== ATTENTION

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.

Please let me know what problem persists with this computer.
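The fixlist above is assembled from lines picked out of the FRST logs: entries FRST tagged ATTENTION, services, plugins and shortcuts whose file is gone, and alternate data streams on user folders. As an added example (not code from this thread or from the FRST tool), the Python script below applies those same selection rules to FRST log lines and renders the result in the Start/End fixlist form; the sample lines are copied from the thread's logs except for one constructed healthy service (ExampleSvc), and the function names and regular expressions are this example's own.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) log lines.

Added example for this thread; not code from the thread or from FRST itself.
It flags entries FRST tagged "<==== ATTENTION", services/drivers whose image
is missing or zero bytes, entries whose file is gone, and alternate data
streams. A person still reviews the output: FRST removes every listed entry.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the thread's FRST logs, plus one
# healthy running service (hypothetical ExampleSvc) that must not be flagged.
SAMPLE_LOG = r"""
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <==== ATTENTION
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\Run: [AdobeBridge] => [X]
ShortcutTarget: WO Mic Client.lnk -> C:\Program Files (x86)\WOMic\WOMicClient.exe (No File)
FF Plugin-x32: @tencent.com/npQQMailWebKit,version=1.0.0.1 -> C:\Program Files (x86)\QQMailPlugin\npQQMailWebKit.dll [No File]
S2 wust; C:\OSRSS\wust.exe [0 ] () <==== ATTENTION (zero byte File/Folder)
S2 HuaweiHiSuiteService64.exe; "C:\Program Files (x86)\HiSuite\HandSetService\HuaweiHiSuiteService64.exe" -/service [X]
S3 glavcam; \SystemRoot\system32\DRIVERS\glavcam.sys [X]
R2 ExampleSvc; C:\Program Files\Example\ExampleSvc.exe [123456 2018-01-01] (Example Vendor)
ContextMenuHandlers4: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} =>  -> No File
AlternateDataStreams: C:\Users\lenovo\AppData\Local\Temp:1F1WDjreYptc8l8FJx [2052]
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\Software\Classes\regfile: regedit.exe "%1" <==== ATTENTION
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\StartupApproved\Run: => "Server Runtime Subsystem"
FirewallRules: [{85A65CD0-E53D-46F8-A578-B585FA1422EA}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
"""

# Markers FRST prints when the file or object an entry points at does not exist.
ORPHAN_MARKERS = ("[X]", "[No File]", "(No File)", "-> No File")
ATTENTION = "<==== ATTENTION"
# "S2 name; image [X]" (image missing) or "S2 name; image [0 ] ..." (zero-byte image)
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+); (.*?)\s*\[(X|0 ?)\]")
# "AlternateDataStreams: <path>:<stream> [<size>]"
ADS_RE = re.compile(r"^AlternateDataStreams: (.+):([^:\[\]]+) \[(\d+)\]")


@dataclass(frozen=True)
class Finding:
    kind: str    # attention | service-zero-byte | service-missing | ads | orphan
    detail: str  # why the line was selected
    line: str    # the FRST line verbatim; listing it in a fixlist removes the entry


def classify(line: str):
    """Return a Finding for one FRST log line, or None when it is unremarkable."""
    line = line.rstrip()
    if not line:
        return None
    m = SERVICE_RE.match(line)
    if m:
        start, name, image, status = m.groups()
        if status.startswith("0"):
            return Finding("service-zero-byte", f"{start} {name}: 0-byte image {image}", line)
        return Finding("service-missing", f"{start} {name}: image not on disk {image}", line)
    m = ADS_RE.match(line)
    if m:
        path, stream, size = m.groups()
        return Finding("ads", f"stream {stream!r} ({size} bytes) on {path}", line)
    if any(marker in line for marker in ORPHAN_MARKERS):
        return Finding("orphan", "entry points at a file that no longer exists", line)
    if ATTENTION in line:
        return Finding("attention", "FRST itself tagged this entry", line)
    return None


def triage(log_text: str) -> list:
    """Classify every line of an FRST log; keep only the ones worth a fixlist entry."""
    return [f for f in map(classify, log_text.splitlines()) if f is not None]


def summarize(findings) -> dict:
    """Count findings per kind, e.g. {'orphan': 4, 'attention': 2, ...}."""
    return dict(Counter(f.kind for f in findings))


def build_fixlist(findings) -> str:
    """Render findings in the Start/End fixlist form the thread uses."""
    header = "Start\n\nCreateRestorePoint:\nEmptyTemp:\nCloseProcesses:\n\n"
    return header + "\n".join(f.line for f in findings) + "\n\nEnd\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.kind}] {f.detail}")
    print(build_fixlist(found))
```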

#8 Er1cL1n

Er1cL1n
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:57 AM

Posted 28 May 2018 - 06:44 PM

Hi,

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 

Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\...\Policies\Explorer: [NoChangeStartMenu] 0
HKLM\...\Policies\Explorer: [NoRecentDocsNetHood] 0
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <==== ATTENTION
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\...\Policies\Explorer: [NolowDiskSpaceChecks] 1
Startup: C:\Users\lenovo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WO Mic Client.lnk [2017-11-12]
ShortcutTarget: WO Mic Client.lnk -> C:\Program Files (x86)\WOMic\WOMicClient.exe (No File)
FF Plugin-x32: @tencent.com/npQQMailWebKit,version=1.0.0.1 -> C:\Program Files (x86)\QQMailPlugin\npQQMailWebKit.dll [No File]
FF Plugin-x32: @tencent.com/nptxftnWebKit,version=1.0.0.1 -> C:\Program Files (x86)\QQMailPlugin\nptxftnWebKit.dll [No File]
FF Plugin HKU\S-1-5-21-1760713586-1289027972-3592165009-1001: @1.qq.com/npqqwebgame -> C:\Users\lenovo\AppData\Roaming\Tencent\WebGamePlugin\1.0.4.3\npqqwebgame.dll [No File]
S2 wust; C:\OSRSS\wust.exe [0 ] () <==== ATTENTION (zero byte File/Folder)
S2 HuaweiHiSuiteService64.exe; "C:\Program Files (x86)\HiSuite\HandSetService\HuaweiHiSuiteService64.exe" -/service [X]
S3 glavcam; \SystemRoot\system32\DRIVERS\glavcam.sys [X]
S2 NVR0FLASHDev; \??\C:\WINDOWS\nvflsh64.sys [X]
S3 ShuameProtectX64Test; \??\C:\Program Files (x86)\shuame\4.1.7.217\ShuameProtectX64Test.sys [X]
S3 VMnetAdapter; \SystemRoot\system32\DRIVERS\vmnetadapter.sys [X]
C:\OSRSS

ContextMenuHandlers4: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} =>  -> No File
ContextMenuHandlers5: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} =>  -> No File
AlternateDataStreams: C:\Users\lenovo\Local Settings:lgCCpTXUERcLn0LuO0ekr1yvi [2138]
AlternateDataStreams: C:\Users\lenovo\AppData\Local:lgCCpTXUERcLn0LuO0ekr1yvi [2138]
AlternateDataStreams: C:\Users\lenovo\AppData\Local\Application Data:lgCCpTXUERcLn0LuO0ekr1yvi [2138]
AlternateDataStreams: C:\Users\lenovo\AppData\Local\Temp:1F1WDjreYptc8l8FJx [2052]
HKU\S-1-5-21-1760713586-1289027972-3592165009-1001\Software\Classes\regfile: regedit.exe "%1" <==== ATTENTION

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.

Please let me know what problem persists with this computer.

 

 

The RAT has probably already been removed from my computer by Malwarebytes. I am just trying to make sure that it is in fact off my system. Thank you, here is the log.

Attached Files


Edited by Er1cL1n, 28 May 2018 - 06:44 PM.


#9 nasdaq

nasdaq

  • Malware Response Team
  • 39,567 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:57 AM

Posted 29 May 2018 - 06:26 AM

Hi,

Looking good.

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===



