Explorer high cpu usage, excludeproc.d running encoded powershell commands

Hello, I am looking for the solution to my problem.

Every time i start up the computer, the windows defender notifies me with the messages below:

 

--------------------------------------

Detected: VirTool:Win32/ExcludeProc.D

CmdLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=

CmdLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA

----------------------------------------

Detected: Behavior:Win32/ExcludeProc.A

behavior: pid:5020:23860413273102

process: pid:5020,ProcessStart:132952570460764972

----------------------------------------

 

They keep showing up every time i start up even if they are blocked by the defender. It seems that the command lines are encoded, so I tried to decode them, and the results are as follows:

"Add-MpPreference -ExclusionExtension @('exe','dll') -Force"

'Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force'

These commands are intended to avoid the defender's scanning. The pid changes but the figures after pid remain the same. 

Also, I have noticed that, the explorer.exe occupies the cpu a lot, causing the fan running noisily even though the computer is idle. As long as I opened the task manager, it is silent again. I did several full scans with different anti-malware applications, but the problem remains.

I've found a topic similar to my problem from the forum, https://www.bleepingcomputer.com/forums/t/771152/virtoolwin32excludeprocd-virusmalware-running-encoded-powershell/.

 

I have attacted the FRST.txt and Additions.txt below.

Thank you for your help!

There are two typos in the titile, the title should be "explorer high cpu usage, excludeproc.d running encoded powershell commands". I am not a native English speaker, sorry for my carelessness.

 

EDIT: Fixed typos

Edited by buddy215, 24 April 2022 - 04:06 AM.

I monitored the "explorer.exe" process with remote process explorer (the event hides when i open task manager or something with similar functions), and the suspicious process with the high cpu usage has the command line as below:

-----------------------------------------------------------

"C:\windows\explorer.exe guqtdbluznxqj0 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJTuL0ZzLyO7DchZ2uSJmVLEIu96CtmJ5kjUH/zpjH58umVRHGBMBHp/+1TgXkTnxFN0sh8dFwaGd75J0t7e4z2mnsLUJmq7m769OqP4MkBOrXyOOCbz/h4LY5yVpmRR4k/Dz+nAekSiCGAd+ro8hJbQlzCVYboZWje/0Ds3TWVvQjEPvp2tuJM/0QMtX6JcQleHqtiN1CuZZLO635NaSs+95JWNoUjWZimixDRfzzQCRZeX99bMii5A77f9DPY7iEJiCdAoOH5e2ezWZTQ7WdkCnlhHTNp1Kp4kba1keQBbhTW7ty8s9VZPllQGxt7/21MqWDvLaWf4t5W6EgG2FJdEHGhAhm0LqLJiliXt7BMzvK962PVPM7IRle5B6CXpsDk="

 

I wonder whether the arguments are encrypted. If they are, in what form?

Greetings tyctxt and to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:

• First, please keep in mind most of us at BleepingComputer volunteer our assistance for your benefit in your time of need. Please try to match our commitment to you with your patience toward us.
• It is important to not run any tools or take any steps other than those I will provide for you.
• Please perform all steps in the order they are listed. If things are not clear or you experience problems be sure to stop and let me know.
• Please copy and paste all logs into your post unless otherwise requested.
• When your computer is clean I will let you know, provide instructions to remove tools and reports, and offer you information about how you can combat future infections.
• If you do not reply to your topic after 5 days I will assume it has been abandoned and I will close it.

===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and let me know.

Please rename FRST64 to FRST64english and run another scan. Copy and paste each report in your reply.

Edited by Oh My!, 24 April 2022 - 07:37 AM.

Thank you for your reply. You can call me Eric.

I renamed it and the FRST report is in English now, but several parts of the Additions.txt are still in Chinese.

 

 

Thank you Eric, we will work through it.

In addition to being infected, the reports are a bit complicated. I would like to address some preliminary things before we start the cleanup process.

I would strongly recommend you remove any questionable software downloaded from other than trustworthy sources.

Do you recognize these?

115电脑版
Sangfor
NetEase(Hangzhou) Network
CloudMusic
Foxit

Please do this.

===================================================

Farbar Recovery Scan Tool Fix

--------------------

• Right click on the FRST icon and select Run as administrator
• Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
• There is no need to paste the information anywhere, FRST will do it for you

Start::
CreateRestorePoint:
CloseProcesses:
Zip: C:\Users\YuchenTong\AppData\Roaming\Microsoft\MicrosoftMalwareProtection.exe
File: C:\windows\system32\diskparts.exe
Folder: C:\Users\YuchenTong\AppData\Roaming\hgslpds
Folder: C:\Users\YuchenTong\AppData\Roaming\AuntecPkg
End::

• Click Fix
• When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
• The tool will create a zipped folder in the same location from where FRST was run with today's date, example: 02.17.2022_13.24.50.zip. Please upload the file here.

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.

• Recognize programs?
• Fixlog
• Uploaded zip file

About these programs:

Actually they are quite known in China. "115电脑版" is a cloud drive frequently used in China. "Sangfor" is a VPN server provided by my college. The third and fourth are music players which are quite popular in China. Foxit is a PDF reader and provides other utilities but I remembered uninstalling it already.

 

 

 

 

Fixlog:

Thank you for the information.

Please upload the file here. Be sure to include a link to our topic and let me know when the file has been submitted.

Are you familiar with Suzhou Happy Box Software Co., Ltd.?

===================================================

Farbar Recovery Scan Tool Fix

--------------------

• Right click on the FRST icon and select Run as administrator
• Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
• There is no need to paste the information anywhere, FRST will do it for you

Start::
CloseProcesses:
File: C:\windows\system32\diskparts.exe
Task: {77ECA5DF-FF10-4FC9-9581-2F41D61495AE} - System32\Tasks\MicrosoftMalwareProtection => C:\Users\YuchenTong\AppData\Roaming\Microsoft\MicrosoftMalwareProtection.exe [1381355632 2022-03-14] () [File not signed] <==== ATTENTION
Task: {812F3E28-02F3-4AF8-B8ED-6D9C42966775} - System32\Tasks\Microsoft\VisualStudio\Updates\BackgroundDownload => C:\Program Files (x86)\Microsoft Visual Studio\Installer.bacd823895d847ca8da24154e424012b\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\BackgroundDownload.exe (No File)
S3 GSDriver; \SystemRoot\System32\drivers\GSDriver64.sys [X]
2022-04-24 18:53 - 2022-04-24 18:53 - 000011730 _____ C:\Users\YuchenTong\Downloads\{0A7ABDE6-CD0B-405D-9678-7F5A397DA5D2}
2022-04-23 20:05 - 2022-04-24 20:13 - 000000000 ____D C:\ProgramData\TEMP
2022-04-21 18:20 - 2022-04-21 18:25 - 000000000 __SHD C:\Users\YuchenTong\AppData\Roaming\Windows
2022-04-04 20:29 - 2022-04-04 20:29 - 000000000 ____D C:\Users\Public\MTool_Game_Tmp
2022-03-29 20:04 - 2022-03-29 20:04 - 000000000 ____D C:\Users\YuchenTong\Documents\Foxit Software
2022-03-29 20:04 - 2022-03-29 20:04 - 000000000 ____D C:\Users\YuchenTong\AppData\Roaming\UserSystemSDK_DB
2022-03-29 20:04 - 2022-03-29 20:04 - 000000000 ____D C:\Users\YuchenTong\AppData\Roaming\Foxit Software
2022-03-29 20:04 - 2022-03-29 20:04 - 000000000 ____D C:\Users\YuchenTong\AppData\Roaming\Foxit
2022-03-29 20:04 - 2022-03-29 20:04 - 000000000 ____D C:\Users\YuchenTong\AppData\Roaming\FnInformation
2022-04-21 18:20 - 2022-03-14 17:42 - 1381355632 ___SH () C:\Users\YuchenTong\AppData\Roaming\Microsoft\MicrosoftMalwareProtection.exe
CustomCLSID: HKU\S-1-5-21-1919967345-4022050966-3323017305-1001_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32 ->  => No File
ContextMenuHandlers1: [cloudmusic] -> {5C6A637C-9780-4D0F-A379-4732EDCCE7C3} =>  -> No File
AlternateDataStreams: C:\ProgramData\TEMP:341E39B2 [390]
FirewallRules: [{407EBEE8-586E-44DA-AC79-CDB22EE88008}] => (Allow) C:\Users\YuchenTong\AppData\Roaming\Tencent\QQ\STemp\SetupEx0\QQSetupEx.exe => No File
FirewallRules: [{F5F15141-729F-4061-AC3C-28A231AD7244}] => (Allow) C:\Program Files (x86)\Tencent\WeChat\WeChatBrowser.exe => No File
FirewallRules: [{8811352F-0F21-413C-BABD-F4732E9ADF5F}] => (Allow) C:\Program Files (x86)\Tencent\WeChat\WeChatPlayer.exe => No File
FirewallRules: [{C5247D6D-FB17-4CCE-8E0B-CD6FFAD096CE}] => (Allow) C:\Program Files (x86)\Tencent\QQ\Bin\txupd.exe => No File
FirewallRules: [{AF7A5B46-779B-4DAC-B689-B9B7765E969F}] => (Allow) C:\Program Files (x86)\Tencent\QQ\Bin\SetupEx\SetupEx.exe => No File
FirewallRules: [{B0850279-AAE9-483D-853A-8FC76EE38A7B}] => (Allow) C:\program files (x86)\common files\tencent\qqdownload\135\bugreport_xf.exe => No File
FirewallRules: [{A9B90926-A38D-4E14-970A-2B5E79E8A7BA}] => (Allow) C:\Program Files (x86)\Tencent\QQMusic\moleplugin\tadb.exe => No File
FirewallRules: [TCP Query User{34363D0E-9FD6-4774-82BC-49FE16C44C85}C:\users\yuchentong\appdata\roaming\tencent\wechat\xplugin\plugins\xweb\712\extracted\wechatbrowser.exe] => (Allow) C:\users\yuchentong\appdata\roaming\tencent\wechat\xplugin\plugins\xweb\712\extracted\wechatbrowser.exe => No File
FirewallRules: [UDP Query User{9240DCA0-AA58-4927-84F9-1DF9B3B6BAFD}C:\users\yuchentong\appdata\roaming\tencent\wechat\xplugin\plugins\xweb\712\extracted\wechatbrowser.exe] => (Allow) C:\users\yuchentong\appdata\roaming\tencent\wechat\xplugin\plugins\xweb\712\extracted\wechatbrowser.exe => No File
FirewallRules: [{A20CDAC6-BD71-40DD-B56B-27075D32DE6B}] => (Block) C:\users\yuchentong\appdata\roaming\tencent\wechat\xplugin\plugins\xweb\712\extracted\wechatbrowser.exe => No File
FirewallRules: [{BB5D847A-AE63-4FB0-B969-E0D8D47E9295}] => (Block) C:\users\yuchentong\appdata\roaming\tencent\wechat\xplugin\plugins\xweb\712\extracted\wechatbrowser.exe => No File
FirewallRules: [{84C1F3DE-C1B4-4AB4-A039-7D7C4A3B543C}] => (Allow) C:\Program Files (x86)\Foxit Software\FoxitREC\FoxitREC.exe => No File
FirewallRules: [{071CA9CC-73A8-4D6C-B496-E560AED35BBB}] => (Allow) C:\Program Files (x86)\Foxit Software\FoxitREC\FoxitREC.exe => No File
FirewallRules: [TCP Query User{40F5216D-05C5-41FA-BAD3-9B4ECB8FAE4C}C:\program files (x86)\sangfor\ssl\sangforserviceclient\sangforserviceclient.exe] => (Allow) C:\program files (x86)\sangfor\ssl\sangforserviceclient\sangforserviceclient.exe => No File
FirewallRules: [UDP Query User{B25A318C-65EF-43D5-AD6A-D804E8CDC99D}C:\program files (x86)\sangfor\ssl\sangforserviceclient\sangforserviceclient.exe] => (Allow) C:\program files (x86)\sangfor\ssl\sangforserviceclient\sangforserviceclient.exe => No File
FirewallRules: [TCP Query User{12414319-2366-46B5-A707-FF93AA924B4F}C:\program files (x86)\sangfor\ssl\sangforcsclient\sangforcsclient.exe] => (Allow) C:\program files (x86)\sangfor\ssl\sangforcsclient\sangforcsclient.exe => No File
FirewallRules: [UDP Query User{14B1CED0-2B7A-4F20-8070-B08FF22EAF7E}C:\program files (x86)\sangfor\ssl\sangforcsclient\sangforcsclient.exe] => (Allow) C:\program files (x86)\sangfor\ssl\sangforcsclient\sangforcsclient.exe => No File
FirewallRules: [{DAF1A415-8652-4441-BB68-EA7A31779DDE}] => (Block) C:\program files (x86)\sangfor\ssl\sangforserviceclient\sangforserviceclient.exe => No File
FirewallRules: [{D1476AD9-9E5C-4BE0-B4F4-6B1CE3F79BD1}] => (Block) C:\program files (x86)\sangfor\ssl\sangforserviceclient\sangforserviceclient.exe => No File
FirewallRules: [{4A54105F-D224-47FB-B1AB-ED55784013CA}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Crusader Kings III\launcher\dowser.exe => No File
FirewallRules: [{A32C8932-5E39-4587-94C2-5C5DB268F55C}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Crusader Kings III\launcher\dowser.exe => No File
FirewallRules: [TCP Query User{AD721708-BE92-4E5D-A6CC-E4CD835B5E5A}C:\program files (x86)\steam\steamapps\common\forzahorizon4\forzahorizon4.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\forzahorizon4\forzahorizon4.exe => No File
FirewallRules: [UDP Query User{6724343B-004C-4028-B1CF-77F9BD0EB442}C:\program files (x86)\steam\steamapps\common\forzahorizon4\forzahorizon4.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\forzahorizon4\forzahorizon4.exe => No File
FirewallRules: [{FABCF631-6EEC-4871-B727-55313768CF50}] => (Block) C:\program files (x86)\steam\steamapps\common\forzahorizon4\forzahorizon4.exe => No File
FirewallRules: [{B4362568-E511-4425-B943-F508CC561AF2}] => (Block) C:\program files (x86)\steam\steamapps\common\forzahorizon4\forzahorizon4.exe => No File
End::

• Click Fix
• When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.

• Familiar with Suzhou Happy Box?
• Fixlog
• Uploaded file

Edited by Oh My!, 24 April 2022 - 01:51 PM.

Thanks for your advice. I was sleeping.

 

• About Suzhou Happy Box:
• It is from a screen recorder that I have already uninstalled.

 

Fix log

Thank you for the information.

Please do this.

===================================================

Farbar Recovery Scan Tool Fix

--------------------

• Right click on the FRST icon and select Run as administrator
• Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
• There is no need to paste the information anywhere, FRST will do it for you

Start::
C:\windows\system32\diskparts.exe
C:\Users\YuchenTong\AppData\Roaming\hgslpds
C:\Users\YuchenTong\AppData\Roaming\AuntecPkg
Emptytemp:
End::

• Click Fix
• When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
• Copy/paste the following in the Search: box

SearchAll: foxit;AuntecPkg;hgslpds;HIRECORDER;screenrecorder

• Click Search Files button
• When completed click OK and a Search.txt document will open on your desktop
• Copy and paste the report in your reply. If the file is too large zip and upload it here.

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.

• Fixlog
• Search.txt

Thanks for your advice.

I have rebooted several times since last fix. It seems that the defender no longer warns me and the explorer have not gone wrong since then. I may observe the computer more to see if it recovers. Thank you so much.

 

 

 

Very good.

Let's run this and monitor your computer for a day.

===================================================

Farbar Recovery Scan Tool Fix

--------------------

• Right click on the FRST icon and select Run as administrator
• Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
• There is no need to paste the information anywhere, FRST will do it for you

Start::
C:\Program Files (x86)\Tencent\QQ\Plugin\Com.Tencent.AudioVideo
DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION|FoxitREC.exe
DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION|FoxitREC.exe
DeleteValue: HKEY_USERS\S-1-5-21-1919967345-4022050966-3323017305-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched|{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Foxit Software\FoxitREC\FoxitREC.exe
DeleteValue: HKEY_USERS\S-1-5-21-1919967345-4022050966-3323017305-1001\Software\Microsoft\Windows\CurrentVersion\Search\JumplistData|{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Foxit Software\FoxitREC\FoxitREC.exe
DeleteValue: HKEY_USERS\S-1-5-21-1919967345-4022050966-3323017305-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store|C:\Users\YuchenTong\Downloads\foxitrec-pd.exe
DeleteValue: HKEY_USERS\S-1-5-21-1919967345-4022050966-3323017305-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store|C:\Program Files (x86)\Foxit Software\FoxitREC\unins000.exe
DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113|{EEDBAC4F-D024-4FDD-B578-0D6CB152634C},ScreenRecorder\2052
DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Installer\Components\F4CABDEE420DDDF45B87D0C61B2536C4|ScreenRecorder\2052
DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Installer\Features\00006109E60040800100000000F01FEC|ScreenRecorderFilesIntl_2052
DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Interface\{73720014-33A0-11E4-9B9A-00155D152105}|""
DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Interface\{73720015-33A0-11E4-9B9A-00155D152105}|""
DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\FeatureListForC2RGimme|ScreenRecorderFilesIntl_2052
DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109E60040800100000000F01FEC\Features|ScreenRecorderFilesIntl_2052
DeleteValue: HKEY_USERS\S-1-5-21-1919967345-4022050966-3323017305-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched|C:\Users\YuchenTong\Downloads\screenrecorder_6979ADD5.exe
DeleteValue: HKEY_USERS\S-1-5-21-1919967345-4022050966-3323017305-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store|C:\Users\YuchenTong\Downloads\screenrecorder_6979ADD5.exe
DeleteValue: HKEY_USERS\S-1-5-21-1919967345-4022050966-3323017305-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache|C:\Users\YuchenTong\Downloads\screenrecorder_6979ADD5.exe.FriendlyAppName
DeleteValue: HKEY_USERS\S-1-5-21-1919967345-4022050966-3323017305-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache|C:\Users\YuchenTong\Downloads\screenrecorder_6979ADD5.exe.ApplicationCompany
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Foxit Software
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Foxit Software\FoxitREC 
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Foxit Software\FoxitREC\Foxit Information 
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\FoxitREC_RASAPI32 
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\FoxitREC_RASMANCS 
DeleteKey: HKEY_USERS\S-1-5-21-1919967345-4022050966-3323017305-1001\Software\Apowersoft\Windows FoxitREC 
DeleteKey: HKEY_USERS\S-1-5-21-1919967345-4022050966-3323017305-1001\Software\Foxit Software 
DeleteKey: HKEY_USERS\S-1-5-21-1919967345-4022050966-3323017305-1001\Software\Microsoft\Internet Explorer\DOMStorage\foxitreader.cn 
DeleteKey: HKEY_USERS\S-1-5-21-1919967345-4022050966-3323017305-1001\Software\Microsoft\Internet Explorer\DOMStorage\sso.foxitreader.cn 
DeleteKey: HKEY_USERS\S-1-5-21-1919967345-4022050966-3323017305-1001\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged\C:#Program Files (x86)#Foxit Software#FoxitREC#FoxitREC.exe
End::

• Click Fix
• When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.

• Fixlog

The fixlog

 

Thank you, it is our pleasure to help.

Touch base tomorrow and let me know how things are going.