[INACTIVE] Help removing malware/virus

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 14.03.2018
Ran by user (administrator) on USER-PC (09-04-2018 22:19:43)
Running from F:\
Loaded Profiles: user (Available Profiles: user)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: 中文(简体,中国)
Internet Explorer Version 9 (Default browser: "c:\users\user\appdata\local\liebao\liebao.exe" "%1")
Boot Mode: Safe Mode (minimal)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM-x32\...\Run: [kxesc] => c:\program files (x86)\kingsoft\kingsoft antivirus\kxetray.exe [2065936 2018-02-09] (Kingsoft Corporation)
HKLM-x32\...\Run: [kwifi] => C:\Program Files (x86)\kingsoft\kwifi\kwifi.exe [2354336 2018-01-02] (Kingsoft Corporation)
HKLM-x32\...\Run: [360Safetray] => C:\Program Files (x86)\360\360Safe\safemon\360tray.exe [398944 2017-12-06] (360.cn)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-18\...\RunOnce: [SPReview] => "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"hxxp://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
GroupPolicy: Restriction <==== ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{4032058B-B4B2-4DB9-92AD-860F4E5B0098}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page = 
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\root\Office16\OCHelper.dll [2018-03-10] (Microsoft Corporation)
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_121\bin\ssv.dll [2017-02-18] (Oracle Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\root\Office16\URLREDIR.DLL [2018-03-10] (Microsoft Corporation)
BHO: SafeMon Class -> {B69F34DD-F0F9-42DC-9EDD-957187DA688D} -> C:\Program Files (x86)\360\360Safe\safemon\safemon64.dll [2018-02-28] (360.cn)
BHO: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\root\Office16\GROOVEEX.DLL [2018-03-10] (Microsoft Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_121\bin\jp2ssv.dll [2017-02-18] (Oracle Corporation)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\OCHelper.dll [2018-03-10] (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\URLREDIR.DLL [2018-03-10] (Microsoft Corporation)
BHO-x32: SafeMon Class -> {B69F34DD-F0F9-42DC-9EDD-957187DA688D} -> C:\Program Files (x86)\360\360Safe\safemon\safemon.dll [2018-03-16] (360.cn)
BHO-x32: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\GROOVEEX.DLL [2018-03-10] (Microsoft Corporation)
Handler: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} -  No File
Handler: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} -  No File
Handler: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2018-03-10] (Microsoft Corporation)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2018-03-10] (Microsoft Corporation)
Handler: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2018-03-10] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2018-03-10] (Microsoft Corporation)
Handler: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2018-03-10] (Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2018-03-10] (Microsoft Corporation)
Handler: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2018-03-10] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2018-03-10] (Microsoft Corporation)

FireFox:
========
FF Plugin: @hunantv.com/HunanTVPlugin -> C:\Program Files (x86)\HunanTV\HunanTVPluginsX64.dll [No File]
FF Plugin: @java.com/DTPlugin,version=11.121.2 -> C:\Program Files\Java\jre1.8.0_121\bin\dtplugin\npDeployJava1.dll [2017-02-18] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.121.2 -> C:\Program Files\Java\jre1.8.0_121\bin\plugin2\npjp2.dll [2017-02-18] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\root\Office16\NPSPWRAP.DLL [2018-03-10] (Microsoft Corporation)
FF Plugin-x32: @360.cn/npaxlogin -> C:\Program Files (x86)\360\360Safe\Utils\npaxlogin.dll [2014-04-22] (360.cn)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2015-10-14] ()
FF Plugin-x32: @baidu.com/npxbdcntb -> C:\Program Files (x86)\Baidu\BaiduPinyin\3.4.2717.9\npxbdcntb.dll [No File]
FF Plugin-x32: @hunantv.com/HunanTVPlugin -> C:\Program Files (x86)\HunanTV\HunanTVPlugins.dll [No File]
FF Plugin-x32: @kingsfot.com/npkws -> c:\program files (x86)\kingsoft\kingsoft antivirus\npkws.dll [2018-01-02] (Kingsoft Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2018-03-10] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\NPSPWRAP.DLL [2018-03-10] (Microsoft Corporation)
FF Plugin-x32: @tencent.com/npQQMailWebKit,version=1.0.0.1 -> C:\Program Files (x86)\QQMailPlugin\npQQMailWebKit.dll [No File]
FF Plugin-x32: @tencent.com/nptxftnWebKit,version=1.0.0.1 -> C:\Program Files (x86)\QQMailPlugin\nptxftnWebKit.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.3\npGoogleUpdate3.dll [2017-04-20] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.3\npGoogleUpdate3.dll [2017-04-20] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-07-31] (Adobe Systems Inc.)
FF Plugin HKU\.DEFAULT: @1.qq.com/npqqwebgame -> C:\Windows\system32\config\systemprofile\AppData\Roaming\Tencent\WebGamePlugin\1.0.4.9\npqqwebgame.dll [No File]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77104 2015-10-06] (Apple Inc.)
S2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [7962800 2018-02-22] (Microsoft Corporation)
S3 dsmainsrv; C:\Program Files (x86)\360\360Safe\deepscan\dsmain.exe [265312 2017-11-22] (360.cn)
S2 knatsvc; C:\Program Files (x86)\kingsoft\kwifi\knatsvc.exe [285272 2017-11-21] (Kingsoft Corporation)
S2 knbcenter; C:\Users\user\AppData\Local\liebao\6.5.115.17898\knbcenter.exe [882936 2018-03-12] (Kingsoft Corporation)
S4 KugouService; C:\Program Files (x86)\KuGou\KGMusic\8.1.51.19889\service.exe [45080 2017-05-15] (酷狗音乐)
S2 kxescore; c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe [314000 2017-11-27] (Kingsoft Corporation)
S4 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4355024 2017-01-20] (Malwarebytes)
S4 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [292568 2014-11-20] (Realtek Semiconductor)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S2 ZhuDongFangYu; C:\Program Files (x86)\360\360Safe\deepscan\ZhuDongFangYu.exe [249952 2018-03-20] (360.cn)
U2 DGPNPSEV; c:\Ksafe\Mydrivers\DriverGenius2013\dgservice.exe [X]
S3 pnphost; C:\Program Files (x86)\DTLSoft\USBBox\pnphost.dll [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S1 360AntiHacker; C:\Windows\System32\Drivers\360AntiHacker64.sys [183416 2017-10-25] (360.cn)
S1 360AntiHijack; C:\Windows\System32\Drivers\360AntiHijack64.sys [60024 2018-01-08] (360.cn)
S1 360Box64; C:\Windows\System32\DRIVERS\360Box64.sys [330176 2016-11-15] (360.cn)
S1 360Camera; C:\Windows\System32\Drivers\360Camera64.sys [49088 2016-11-24] (360.cn)
S1 360FsFlt; C:\Windows\System32\DRIVERS\360FsFlt.sys [435320 2018-03-16] (360.cn)
S1 360Hvm; C:\Windows\System32\Drivers\360Hvm64.sys [285816 2017-11-07] (360安全中心)
S1 360netmon; C:\Windows\System32\DRIVERS\360netmon.sys [87160 2018-01-27] (360.cn)
S1 360qpesv; C:\Windows\System32\DRIVERS\360qpesv64.sys [295032 2018-04-09] (360.cn)
S3 360Sensor; C:\Windows\system32\drivers\360Sensor64.sys [34960 2017-06-14] (360.cn)
S1 BAPIDRV; C:\Windows\System32\DRIVERS\BAPIDRV64.sys [206456 2018-02-08] (360.cn)
S0 bootsafe; C:\Windows\System32\Drivers\bootsafe64.sys [116040 2018-02-03] (Kingsoft Corporation)
R0 DsArk; C:\Windows\System32\drivers\DsArk64.sys [176248 2017-12-14] (360.cn)
R0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [28008 2013-08-27] (Intel Corporation)
S0 KAVBootC; C:\Windows\System32\Drivers\KAVBootC64.sys [54960 2017-10-20] (Kingsoft Corporation)
S1 KDHacker; c:\program files (x86)\kingsoft\kingsoft antivirus\security\kxescan\KDHacker64.sys [203952 2017-10-20] (Kingsoft Corporation)
S2 kisknl; C:\Windows\system32\drivers\kisknl.sys [344904 2018-01-02] (Kingsoft Corporation)
S1 kisnetm; c:\program files (x86)\kingsoft\kingsoft antivirus\security\ksnetm\kisnetm64.sys [109880 2017-10-20] (Kingsoft Corporation)
S2 KNBDrv; C:\Windows\system32\drivers\KNBDrv.sys [151608 2018-03-12] (Kingsoft Corporation)
S2 ksapi64; C:\Windows\System32\drivers\ksapi64.sys [81584 2017-12-09] (Kingsoft Corporation)
S1 LiebaoNAT; C:\Windows\System32\DRIVERS\liebaonat64.sys [41664 2017-11-21] (Kingsoft Corporation)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [129312 2014-09-22] (Intel Corporation)
S1 QMUdisk; \??\C:\Program Files (x86)\Tencent\QQPCMgr\12.9.19141.213\QMUdisk64.sys [X]
S1 softaal; \??\C:\Program Files (x86)\Tencent\QQPCMgr\12.9.19141.213\softaal64.sys [X]
S2 tsnethlpx64; \??\C:\Program Files (x86)\Tencent\QQPCMgr\12.9.19141.213\TsNetHlpX64.sys [X]
S3 X6va021; \??\C:\Windows\SysWOW64\Drivers\X6va021 [X]
S3 X6va029; \??\C:\Windows\SysWOW64\Drivers\X6va029 [X]
S3 X6va031; \??\C:\Windows\SysWOW64\Drivers\X6va031 [X]
S3 X6va060; \??\C:\Windows\SysWOW64\Drivers\X6va060 [X]
S3 X6va061; \??\C:\Windows\SysWOW64\Drivers\X6va061 [X]
S3 X6va062; \??\C:\Windows\SysWOW64\Drivers\X6va062 [X]
S3 X6va063; \??\C:\Windows\SysWOW64\Drivers\X6va063 [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

NETSVCx32: HpSvc -> no filepath.

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-04-09 22:15 - 2018-04-09 22:19 - 000000000 ____D C:\FRST
2018-04-09 22:12 - 2018-04-09 22:12 - 000000020 ___SH C:\Users\TEMP.user-PC.003\ntuser.ini
2018-04-09 22:12 - 2018-04-09 22:12 - 000000000 _SHDL C:\Users\TEMP.user-PC.003\AppData\Roaming\Microsoft\Windows\Start Menu\程序
2018-04-09 22:12 - 2018-04-09 22:12 - 000000000 _SHDL C:\Users\TEMP.user-PC.003\「开始」菜单
2018-04-09 22:12 - 2018-04-09 22:12 - 000000000 ____D C:\Users\TEMP.user-PC.003
2018-04-09 22:12 - 2009-07-14 06:44 - 000000000 ____D C:\Users\TEMP.user-PC.003\AppData\Roaming\Media Center Programs
2018-03-15 22:54 - 2018-03-15 23:45 - 000000000 ____D C:\AdwCleaner
2018-03-15 19:19 - 2018-04-09 22:12 - 000415940 _____ C:\Windows\ntbtlog.txt
2018-03-13 14:37 - 2017-06-14 18:29 - 000034960 _____ (360.cn) C:\Windows\system32\Drivers\360Sensor64.sys
2018-03-13 12:06 - 2018-03-13 12:30 - 000000000 ____D C:\Users\TEMP.user-PC.002\AppData\LocalLow\360WD
2018-03-13 11:51 - 2018-03-13 13:44 - 000000000 ____D C:\Users\TEMP.user-PC.002
2018-03-13 11:51 - 2018-03-13 11:51 - 000000000 ____D C:\Users\TEMP.user-PC.002\AppData\Local\liebao
2018-03-13 11:21 - 2018-03-13 11:21 - 000000020 ___SH C:\Users\TEMP.user-PC.001\ntuser.ini
2018-03-13 11:21 - 2018-03-13 11:21 - 000000000 _SHDL C:\Users\TEMP.user-PC.001\AppData\Roaming\Microsoft\Windows\Start Menu\程序
2018-03-13 11:21 - 2018-03-13 11:21 - 000000000 _SHDL C:\Users\TEMP.user-PC.001\「开始」菜单
2018-03-13 11:21 - 2018-03-13 11:21 - 000000000 ____D C:\Users\TEMP.user-PC.001\AppData\Local\liebao
2018-03-13 11:21 - 2018-03-13 11:21 - 000000000 ____D C:\Users\TEMP.user-PC.001
2018-03-13 11:21 - 2009-07-14 06:44 - 000000000 ____D C:\Users\TEMP.user-PC.001\AppData\Roaming\Media Center Programs
2018-03-13 10:28 - 2018-03-13 10:28 - 000000020 ___SH C:\Users\TEMP.user-PC.000\ntuser.ini
2018-03-13 10:28 - 2018-03-13 10:28 - 000000000 _SHDL C:\Users\TEMP.user-PC.000\AppData\Roaming\Microsoft\Windows\Start Menu\程序
2018-03-13 10:28 - 2018-03-13 10:28 - 000000000 _SHDL C:\Users\TEMP.user-PC.000\「开始」菜单
2018-03-13 10:28 - 2018-03-13 10:28 - 000000000 ____D C:\Users\TEMP.user-PC.000\AppData\Local\liebao
2018-03-13 10:28 - 2018-03-13 10:28 - 000000000 ____D C:\Users\TEMP.user-PC.000
2018-03-13 10:28 - 2009-07-14 06:44 - 000000000 ____D C:\Users\TEMP.user-PC.000\AppData\Roaming\Media Center Programs
2018-03-13 10:05 - 2018-03-13 10:05 - 000000020 ___SH C:\Users\TEMP.user-PC\ntuser.ini
2018-03-13 10:05 - 2018-03-13 10:05 - 000000000 _SHDL C:\Users\TEMP.user-PC\AppData\Roaming\Microsoft\Windows\Start Menu\程序
2018-03-13 10:05 - 2018-03-13 10:05 - 000000000 _SHDL C:\Users\TEMP.user-PC\「开始」菜单
2018-03-13 10:05 - 2018-03-13 10:05 - 000000000 ____D C:\Users\TEMP.user-PC\AppData\Local\liebao
2018-03-13 10:05 - 2018-03-13 10:05 - 000000000 ____D C:\Users\TEMP.user-PC
2018-03-13 10:05 - 2009-07-14 06:44 - 000000000 ____D C:\Users\TEMP.user-PC\AppData\Roaming\Media Center Programs
2018-03-13 09:57 - 2018-03-13 09:57 - 000006816 ____N C:\bootsqm.dat
2018-03-13 09:49 - 2018-03-13 09:49 - 000000000 __SHD C:\found.000
2018-03-13 08:26 - 2018-03-13 08:26 - 000000000 ____D C:\Users\TEMP\AppData\Local\liebao
2018-03-13 08:25 - 2018-03-13 08:25 - 000000020 ___SH C:\Users\TEMP\ntuser.ini
2018-03-13 08:25 - 2018-03-13 08:25 - 000000000 _SHDL C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\程序
2018-03-13 08:25 - 2018-03-13 08:25 - 000000000 _SHDL C:\Users\TEMP\「开始」菜单
2018-03-13 08:25 - 2018-03-13 08:25 - 000000000 ____D C:\Users\TEMP
2018-03-13 08:25 - 2009-07-14 06:44 - 000000000 ____D C:\Users\TEMP\AppData\Roaming\Media Center Programs
2018-03-12 22:56 - 2018-03-12 22:56 - 000001138 _____ C:\Users\user\Desktop\猎豹安全浏览器.lnk
2018-03-12 22:56 - 2018-03-12 22:56 - 000000000 ____D C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\猎豹安全浏览器
2018-03-12 22:55 - 2018-03-12 22:55 - 000218440 _____ (Kingsoft Corporation) C:\Windows\system32\Drivers\knbdrv_ev.sys
2018-03-12 22:55 - 2018-03-12 22:55 - 000165704 _____ (Kingsoft Corporation) C:\Windows\system32\Drivers\knbdrv64_ev.sys
2018-03-12 22:55 - 2018-03-12 22:55 - 000151608 _____ (Kingsoft Corporation) C:\Windows\system32\Drivers\KNBDrv64.sys
2018-03-12 22:55 - 2018-03-12 22:55 - 000151608 _____ (Kingsoft Corporation) C:\Windows\system32\Drivers\knbdrv.sys
2018-03-12 22:55 - 2018-03-12 22:55 - 000122520 _____ (Kingsoft Corporation) C:\Windows\system32\Drivers\ksapi_ev.sys
2018-03-12 22:55 - 2018-03-12 22:55 - 000114776 _____ (Kingsoft Corporation) C:\Windows\system32\Drivers\ksapi.sys
2018-03-12 22:55 - 2018-03-12 22:55 - 000079000 _____ (Kingsoft Corporation) C:\Windows\system32\Drivers\ksapi64_ev.sys
2018-03-12 22:55 - 2017-12-09 01:03 - 000081584 _____ (Kingsoft Corporation) C:\Windows\system32\Drivers\ksapi64.sys
2018-03-12 22:54 - 2018-03-12 22:56 - 000000000 ____D C:\Users\user\AppData\Local\liebao
2018-03-10 14:48 - 2018-03-10 14:48 - 000000000 ____D C:\Program Files\Common Files\DESIGNER

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-04-09 21:51 - 2009-07-14 06:32 - 000414290 _____ C:\Windows\system32\prfh0804.dat
2018-04-09 21:51 - 2009-07-14 06:32 - 000138510 _____ C:\Windows\system32\prfc0804.dat
2018-04-09 21:51 - 2009-07-14 01:13 - 001414784 _____ C:\Windows\system32\PerfStringBackup.INI
2018-04-09 21:36 - 2017-10-20 08:32 - 000000001 _____ C:\Windows\system32\Drivers\360Hvm64.dat
2018-04-09 21:24 - 2017-11-06 09:25 - 000000432 _____ C:\Windows\system32\Drivers\etc\hosts.ics
2018-04-09 21:22 - 2016-12-17 03:33 - 000000206 __RSH C:\ProgramData\ntuser.pol
2018-04-09 21:18 - 2009-07-14 01:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-04-09 20:47 - 2009-07-14 00:45 - 000015136 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2018-04-09 20:43 - 2009-07-14 00:45 - 000015136 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2018-04-09 20:31 - 2017-10-20 08:36 - 000295032 _____ (360.cn) C:\Windows\system32\Drivers\360qpesv64.sys
2018-03-20 16:29 - 2009-07-13 23:20 - 000000000 ____D C:\Windows\inf
2018-03-20 15:58 - 2017-10-20 17:09 - 000002044 _____ C:\Users\Public\Desktop\垃圾清理.lnk
2018-03-16 03:37 - 2017-10-20 08:32 - 000435320 _____ (360.cn) C:\Windows\system32\Drivers\360fsflt.sys
2018-03-16 03:01 - 2017-10-20 08:33 - 000000000 ____D C:\360用户文件
2018-03-12 23:00 - 2017-10-20 08:25 - 000000000 ____D C:\ProgramData\Kingsoft
2018-03-12 22:55 - 2017-10-20 08:33 - 000000000 ____D C:\Users\user\AppData\LocalLow\360WD
2018-03-12 14:29 - 2015-06-12 21:47 - 000000000 ____D C:\Users\user\AppData\Roaming\KuGou8
2018-03-10 14:49 - 2016-11-11 17:01 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2018-03-10 14:48 - 2009-07-13 23:20 - 000000000 ____D C:\Program Files\Common Files\Microsoft Shared
2018-03-10 14:45 - 2016-11-11 16:56 - 000000000 ____D C:\Program Files\Microsoft Office

==================== Files in the root of some directories =======

2017-11-01 08:45 - 2017-10-31 20:07 - 000880968 _____ () C:\ProgramData\app.exe
2016-10-27 22:28 - 2016-10-27 22:28 - 001754304 _____ () C:\ProgramData\QQGAMEPBL2024.DLL
2016-10-27 22:28 - 2016-10-27 22:28 - 001447104 _____ () C:\ProgramData\QQGamePBL344.exe
2016-12-07 19:03 - 2016-12-07 19:03 - 001696960 _____ () C:\ProgramData\QQGAMEQCK2205.DLL
2016-12-11 23:14 - 2016-12-11 23:14 - 001389760 _____ () C:\ProgramData\QQGameQCK2432.exe

Some files in TEMP:
====================
2018-03-05 15:03 - 2018-03-12 13:48 - 003082152 _____ (360.cn) C:\Users\user\AppData\Local\Temp\360SafeIme.exe
2017-10-24 16:39 - 2017-10-24 16:39 - 000513840 _____ () C:\Users\user\AppData\Local\Temp\masar_runxx.dl.dll
2017-05-03 17:21 - 2017-05-03 17:21 - 002061064 _____ () C:\Users\user\AppData\Local\Temp\masauto_runxx.dl.dll
2015-08-05 19:58 - 2015-08-05 19:58 - 000518592 _____ () C:\Users\user\AppData\Local\Temp\masblog_runxx.dl.dll
2016-05-06 19:33 - 2016-05-06 19:33 - 001892776 _____ (TODO: ) C:\Users\user\AppData\Local\Temp\masflag_runxx.dl.dll
2017-07-19 16:36 - 2017-07-19 16:36 - 001464072 _____ () C:\Users\user\AppData\Local\Temp\QYAgent_runxx.dl.dll
2018-02-06 15:47 - 2018-03-12 22:47 - 000190048 _____ (360.cn) C:\Users\user\AppData\Local\Temp\SimpleIME.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2018-03-09 13:04

==================== End of FRST.txt ============================

Re: [INACTIVE] Help removing malware/virus

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 14.03.2018
Ran by user (09-04-2018 22:21:32)
Running from F:\
Windows 7 Home Premium Service Pack 1 (X64) (2015-06-12 13:00:02)
Boot Mode: Safe Mode (minimal)
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-2369721095-1413440205-1466323716-500 - Administrator - Disabled)
Guest (S-1-5-21-2369721095-1413440205-1466323716-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-2369721095-1413440205-1466323716-1002 - Limited - Enabled)
user (S-1-5-21-2369721095-1413440205-1466323716-1000 - Administrator - Enabled) => C:\Users\TEMP.user-PC.003

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: 金山毒霸铠甲防御 (Enabled - Up to date) {7ABCE12F-C6E4-9881-73BB-C28F80F2D87D}
AS: 360安全卫士 (Enabled - Up to date) {90070FFA-C3F2-CD79-5E3F-7527D7EF99C0}
AS: Malwarebytes (Disabled - Out of date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: 金山毒霸铠甲防御 (Enabled - Up to date) {C1DD00CB-E0DE-970F-490B-F9FDFB7592C0}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

360安全卫士 (HKLM-x32\...\360安全卫士) (Version: 11.4.0.2001 - 360安全中心)
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 17.012.20098 - Adobe Systems Incorporated)
Adobe Flash Player 28 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 28.0.0.161 - Adobe Systems Incorporated)
Adobe Flash Player 28 PPAPI (HKLM-x32\...\Adobe Flash Player PPAPI) (Version: 28.0.0.161 - Adobe Systems Incorporated)
Apple Mobile Device Support (HKLM\...\{3540181E-340A-4E7A-B409-31663472B2F7}) (Version: 9.1.0.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{FFD1F7F1-1AC9-4BC4-A908-0686D635ABAF}) (Version: 2.1.4.131 - Apple Inc.)
Apple 应用程序支持 (64 位) (HKLM\...\{691F30EB-9009-475A-B8A9-E1BF39598FD5}) (Version: 4.1.2 - Apple Inc.)
Battle.net (HKLM-x32\...\Battle.net) (Version:  - Blizzard Entertainment)
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 5.29 - Piriform)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 57.0.2987.133 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.3 - Google Inc.) Hidden
Hearthstone (HKLM-x32\...\Hearthstone) (Version:  - Blizzard Entertainment)
Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.2849 - Intel Corporation)
Intel(R) SDK for OpenCL - CPU Only Runtime Package (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 2.0.0.37149 - Intel Corporation)
iTunes (HKLM\...\{FBEB98F8-64E4-4FA3-A15E-4A9F42FF962E}) (Version: 12.3.2.35 - Apple Inc.)
Java 8 Update 121 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F64180121F0}) (Version: 8.0.1210.13 - Oracle Corporation)
Java SE Development Kit 8 Update 121 (64-bit) (HKLM\...\{64A3A4F4-B792-11D6-A78A-00B0D0180121}) (Version: 8.0.1210.13 - Oracle Corporation)
Java SE Development Kit 8 Update 131 (64-bit) (HKLM\...\{64A3A4F4-B792-11D6-A78A-00B0D0180131}) (Version: 8.0.1310.11 - Oracle Corporation)
jGRASP (HKLM-x32\...\jGRASP) (Version: 2.0.3_05 - Auburn University)
Malwarebytes version 3.0.6.1469 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.0.6.1469 - Malwarebytes)
Microsoft .NET Framework 4.6.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft .NET Framework 4.6.1 (简体中文) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 2052) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft Office 365 ProPlus - en-us (HKLM\...\O365ProPlusRetail - en-us) (Version: 16.0.9029.2167 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
NetBeans IDE 8.2 (HKLM\...\nbi-nb-base-8.2.0.0.201609300101) (Version: 8.2 - NetBeans.org)
Office 16 Click-to-Run Extensibility Component (HKLM\...\{90160000-008C-0000-1000-0000000FF1CE}) (Version: 16.0.9029.2167 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (HKLM\...\{90160000-007E-0000-1000-0000000FF1CE}) (Version: 16.0.9029.2167 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (HKLM\...\{90160000-008C-0409-1000-0000000FF1CE}) (Version: 16.0.9029.2167 - Microsoft Corporation) Hidden
QQ游戏 (HKLM-x32\...\QQ游戏) (Version: 5.8.46912.0 - 腾讯公司)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7391 - Realtek Semiconductor Corp.)
Renesas Electronics USB 3.0 Host Controller Driver (HKLM-x32\...\{5442DAB8-7177-49E1-8B22-09A049EA5996}) (Version: 2.1.16.0 - Renesas Electronics Corporation) Hidden
Renesas Electronics USB 3.0 Host Controller Driver (HKLM-x32\...\InstallShield_{5442DAB8-7177-49E1-8B22-09A049EA5996}) (Version: 2.1.16.0 - Renesas Electronics Corporation)
Revo Uninstaller 2.0.3 (HKLM\...\{A28DBDA2-3CC7-4ADC-8BFE-66D7743C6C97}_is1) (Version: 2.0.3 - VS Revo Group, Ltd.)
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.6 - VideoLAN)
WinRAR 压缩文件管理器 (HKLM-x32\...\WinRAR archiver) (Version:  - )
憋七 (HKLM-x32\...\{DB7CC047-54FC-4B8A-A404-1259C77C3E65}) (Version:  - )
金山毒霸 (HKLM-x32\...\Kingsoft Internet Security) (Version: 2017.11.8.4 - Kingsoft Internet Security)
竞技斗地主 (HKLM-x32\...\{054EB426-5D5C-4D5D-8ABB-9FDCEC3A31E6}) (Version:  - )
酷狗音乐 (HKLM-x32\...\酷狗音乐) (Version: 8.1.51.19889 - 酷狗音乐)
酷我音乐 (HKLM-x32\...\KwMusic7) (Version: 8.7.3.1 - 酷我科技)
赖子山庄 (HKLM-x32\...\{DB7EF88E-5BBE-42A2-80A4-AD515FF0A6CB}) (Version:  - )
猎豹安全浏览器 (HKLM-x32\...\liebao) (Version: 6.5.115.18430 - 猎豹工作室)
猎豹免费WiFi (HKLM-x32\...\kwifi) (Version: 5.1 - Cheetah Mobile)
驱动精灵 (HKLM-x32\...\DriverGenius) (Version: 2013 - 驱动之家)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ShellIconOverlayIdentifiers: [       360UDiskGuard Icon Overlay] -> {CC00F81D-5262-450A-B1FA-D6BEE3406263} => C:\Program Files (x86)\360\360Safe\safemon\360UDiskGuard64.dll [2018-03-16] (360.cn)
ContextMenuHandlers1: [AGpShellExt] -> {5CD76C57-6893-478A-B776-47E7C82504BE} =>  -> No File
ContextMenuHandlers1-x32: [duba_32bit] -> {D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4} => c:\program files (x86)\kingsoft\kingsoft antivirus\kavmenu.dll [2017-12-20] (Kingsoft Corporation)
ContextMenuHandlers1-x32: [duba_64bit] -> {DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51} => c:\program files (x86)\kingsoft\kingsoft antivirus\kavmenu64.dll [2017-12-20] (Kingsoft Corporation)
ContextMenuHandlers1-x32: [kwansvc] -> {367F6AE2-6809-4bed-B09B-228893FB33DD} => c:\program files (x86)\kingsoft\kingsoft antivirus\kwansvc64.dll [2017-10-20] (Kingsoft Corporation)
ContextMenuHandlers1-x32: [Safe360Ext] -> {7C0F6D57-E799-4C8A-A319-8E2B4D724CF0} => C:\Program Files (x86)\360\360Safe\Utils\shell360ext64.dll [2017-10-20] (360.cn)
ContextMenuHandlers1-x32: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files (x86)\WinRAR\rarext64.dll [2008-06-19] ()
ContextMenuHandlers1-x32-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files (x86)\WinRAR\rarext.dll [2008-09-16] ()
ContextMenuHandlers2-x32: [duba_32bit] -> {D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4} => c:\program files (x86)\kingsoft\kingsoft antivirus\kavmenu.dll [2017-12-20] (Kingsoft Corporation)
ContextMenuHandlers2-x32: [duba_64bit] -> {DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51} => c:\program files (x86)\kingsoft\kingsoft antivirus\kavmenu64.dll [2017-12-20] (Kingsoft Corporation)
ContextMenuHandlers2-x32: [kwansvc] -> {367F6AE2-6809-4bed-B09B-228893FB33DD} => c:\program files (x86)\kingsoft\kingsoft antivirus\kwansvc64.dll [2017-10-20] (Kingsoft Corporation)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-01-20] (Malwarebytes)
ContextMenuHandlers4-x32: [duba_32bit] -> {D21D88E8-4123-48BA-B0B1-3FDBE4AE5FA4} => c:\program files (x86)\kingsoft\kingsoft antivirus\kavmenu.dll [2017-12-20] (Kingsoft Corporation)
ContextMenuHandlers4-x32: [duba_64bit] -> {DDEA5705-1BB0-4C03-AC1E-8FF9716A0D51} => c:\program files (x86)\kingsoft\kingsoft antivirus\kavmenu64.dll [2017-12-20] (Kingsoft Corporation)
ContextMenuHandlers4-x32: [kwansvc] -> {367F6AE2-6809-4bed-B09B-228893FB33DD} => c:\program files (x86)\kingsoft\kingsoft antivirus\kwansvc64.dll [2017-10-20] (Kingsoft Corporation)
ContextMenuHandlers4-x32: [Safe360Ext] -> {7C0F6D57-E799-4C8A-A319-8E2B4D724CF0} => C:\Program Files (x86)\360\360Safe\Utils\shell360ext64.dll [2017-10-20] (360.cn)
ContextMenuHandlers4-x32: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files (x86)\WinRAR\rarext64.dll [2008-06-19] ()
ContextMenuHandlers4-x32-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files (x86)\WinRAR\rarext.dll [2008-09-16] ()
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\Windows\system32\igfxpph.dll [2012-09-01] (Intel Corporation)
ContextMenuHandlers5: [kwansvc] -> {367F6AE2-6809-4bed-B09B-228893FB33DD} => c:\program files (x86)\kingsoft\kingsoft antivirus\kwansvc64.dll [2017-10-20] (Kingsoft Corporation)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-01-20] (Malwarebytes)
ContextMenuHandlers6: [Safe360Ext] -> {7C0F6D57-E799-4C8A-A319-8E2B4D724CF0} => C:\Program Files (x86)\360\360Safe\Utils\shell360ext64.dll [2017-10-20] (360.cn)
ContextMenuHandlers6: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files (x86)\WinRAR\rarext64.dll [2008-06-19] ()
ContextMenuHandlers6-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files (x86)\WinRAR\rarext.dll [2008-09-16] ()

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {1D8CA44D-F0FC-4E6A-A394-B553B13E572E} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-06-20] (Google Inc.)
Task: {20DED5D7-BBC3-4F50-9D73-EF1C6F3A84A7} - \{FD8CAE6F-A69D-4899-A029-DEB5B3EBC3A8} -> No File <==== ATTENTION
Task: {3FDEACFA-69E1-499A-A034-49ACCD2986A1} - System32\Tasks\Adobe Flash Player PPAPI Notifier => C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_28_0_0_161_pepper.exe [2018-02-13] (Adobe Systems Incorporated)
Task: {62471158-BB40-407F-8DB0-5A916BBB047B} - System32\Tasks\{1717748E-C5A9-4170-AE36-3BC2388BAEAB} => C:\Windows\system32\pcalua.exe -a C:\Users\user\Desktop\laizi_hall_201607.exe -d C:\Users\user\Desktop
Task: {6BFF34E3-BEBF-4FE9-BBB1-59B4F5D49629} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2018-02-22] (Microsoft Corporation)
Task: {742CFCFA-00AC-4568-9501-E53161DEB8CE} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerRegistration => C:\Program Files\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2018-03-10] (Microsoft Corporation)
Task: {78FF3B78-24FC-4362-99DB-91D0A37A451A} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe
Task: {AE2B4CA1-C599-4C9D-9607-48AD7E66A77B} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn2016 => C:\Program Files\Microsoft Office\root\Office16\msoia.exe [2018-03-10] (Microsoft Corporation)
Task: {B231AEA2-717A-407B-BD40-9FED9AA81485} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2017-07-19] (Adobe Systems Incorporated)
Task: {B37475A5-D230-499D-9E99-C9E8A7A13A53} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-06-20] (Google Inc.)
Task: {B882CC3A-8EEE-4C54-8EEF-FE1199E9A305} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerLogon => C:\Program Files\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2018-03-10] (Microsoft Corporation)
Task: {D11B3E94-926F-4A50-8AAE-C057304A1E1C} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack2016 => C:\Program Files\Microsoft Office\root\Office16\msoia.exe [2018-03-10] (Microsoft Corporation)
Task: {D484951E-A86D-4C7F-93F2-62FF232DE1E3} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2018-02-22] (Microsoft Corporation)
Task: {D78BAF57-63D5-4EB0-A65E-7A63E053FA78} - System32\Tasks\Microsoft\Office\Office Subscription Maintenance => C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonx64\Microsoft Shared\Office16\OLicenseHeartbeat.exe [2018-03-10] (Microsoft Corporation)
Task: {DF6BAD9F-04E8-40CF-9830-C73B82F55C58} - System32\Tasks\{9D1B20D0-AE04-4FFE-94CB-B10813E95839} => C:\Windows\system32\pcalua.exe -a C:\Users\user\AppData\Local\Temp\201614-142959\dotnet_setup.exe -d C:\Users\user\Downloads <==== ATTENTION
Task: {DFE4A84E-697F-47CC-9C62-26B23EFDAF7C} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2018-02-13] (Adobe Systems Incorporated)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player PPAPI Notifier.job_ => C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_24_0_0_194_pepper.exe
Task: C:\Windows\Tasks\QQBrowser Updater Task.job_ => C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe <==== ATTENTION
Task: C:\Windows\Tasks\QQBrowser Updater Task(Core).job_ => C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe <==== ATTENTION

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


ShortcutWithArgument: C:\Users\Public\Desktop\金山猎豹游戏中心.lnk -> C:\Program Files (x86)\kingsoft\kingsoft antivirus\kvipwiz.exe (Kingsoft Corporation) -> /vip:kybox /from:2198 /webbrowser:0 /weburl:hxxp://wan.liebao.cn?frm=kjfs-db&referer=jsdb

==================== Loaded Modules (Whitelisted) ==============

2017-08-20 11:30 - 2018-03-10 14:39 - 008933552 _____ () C:\Program Files\Microsoft Office\root\Office16\1033\GrooveIntlResource.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="1"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 22:34 - 2009-06-10 17:00 - 000000824 _____ C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

DNS Servers: Media is not connected to internet.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\Services: AdobeARMservice => 2
MSCONFIG\Services: AdobeFlashPlayerUpdateSvc => 3
MSCONFIG\Services: AERTFilters => 2
MSCONFIG\Services: Apple Mobile Device Service => 2
MSCONFIG\Services: BFAssistantSvc_1561394442 => 3
MSCONFIG\Services: Bonjour Service => 2
MSCONFIG\Services: cphs => 3
MSCONFIG\Services: gupdate => 3
MSCONFIG\Services: gupdatem => 3
MSCONFIG\Services: iPod Service => 3
MSCONFIG\Services: KugouService => 2
MSCONFIG\Services: MBAMService => 2
MSCONFIG\Services: RtkAudioService => 2
MSCONFIG\Services: Steam Client Service => 3
MSCONFIG\Services: XYService => 3
MSCONFIG\Services: ZhuDongFangYu => 
MSCONFIG\startupfolder: C:^Users^user^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^QQ游戏启动加速程序.lnk => C:\Windows\pss\QQ游戏启动加速程序.lnk.Startup
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: CCleaner Monitoring => "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
MSCONFIG\startupreg: ctfmon => C:\Windows\system32\ctfmon.exe
MSCONFIG\startupreg: HCDNClient => "C:\Program Files (x86)\IQIYI Video\LStyle\5.6.40.4071\QyKernel.exe" -shell_start
MSCONFIG\startupreg: HotKeysCmds => C:\Windows\system32\hkcmd.exe
MSCONFIG\startupreg: HunanTV => "C:\Program Files (x86)\HunanTV\HunanTV.exe" -autorun
MSCONFIG\startupreg: IgfxTray => C:\Windows\system32\igfxtray.exe
MSCONFIG\startupreg: iTunesHelper => "C:\Program Files\iTunes\iTunesHelper.exe"
MSCONFIG\startupreg: JJPlayer => "C:\Program Files (x86)\JJPlayer\JJPlayer.exe" -autorun
MSCONFIG\startupreg: KuGou8 => C:\Program Files (x86)\KuGou\KGMusic\KuGou.exe -Mini
MSCONFIG\startupreg: Lync => "C:\Program Files\Microsoft Office\Root\Office16\lync.exe" /fromrunkey
MSCONFIG\startupreg: Malwarebytes TrayApp => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe
MSCONFIG\startupreg: NUSB3MON => "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
MSCONFIG\startupreg: Persistence => C:\Windows\system32\igfxpers.exe
MSCONFIG\startupreg: QQ2009 => "C:\Program Files (x86)\Tencent\QQ\QQProtect\Bin\QQProtect.exe" /background
MSCONFIG\startupreg: QQMicroGameBoxTray => "C:\Users\user\AppData\Roaming\Tencent\QQMicroGameBox\Launch.exe" -/autorun
MSCONFIG\startupreg: QyClient => "C:\Program Files (x86)\IQIYI Video\LStyle\5.6.40.4071\QyClient.exe" startup
MSCONFIG\startupreg: RTHDVCPL => "C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe" -s
MSCONFIG\startupreg: SmartCalendar => "C:\Program Files (x86)\DTLSoft\SmartCalendar\SmartCalendar.exe" /start
MSCONFIG\startupreg: Steam => "C:\Program Files (x86)\Steam\steam.exe" -silent
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{4DA18B59-3B12-4E42-AAD5-5F684E207CBA}] => (Allow) C:\Program Files (x86)\KuGou\KGMusic\KuGou.exe
FirewallRules: [{4E199B29-6D40-48BA-BCFF-6259312CA0F6}] => (Allow) C:\Program Files (x86)\KuGou\KGMusic\KuGou.exe
FirewallRules: [{17DDF5C2-D6CA-416A-AADF-68B4F3D8E95E}] => (Allow) C:\Program Files (x86)\Battle.net\Battle.net.exe
FirewallRules: [{F6F9365E-7AF8-4952-B139-A775A34648DB}] => (Allow) C:\Program Files (x86)\Battle.net\Battle.net.exe
FirewallRules: [{97D3C4E4-B07A-4A47-B9D1-DCFBF2340AD5}] => (Allow) C:\Program Files (x86)\Hearthstone\Hearthstone.exe
FirewallRules: [{049C275C-2BCB-4D0A-84E7-C9E6E17BDE1A}] => (Allow) C:\Program Files (x86)\Hearthstone\Hearthstone.exe
FirewallRules: [TCP Query User{13A59DE8-2FD1-407B-A628-7E76B543B61D}C:\program files (x86)\hearthstone\hearthstone.exe] => (Allow) C:\program files (x86)\hearthstone\hearthstone.exe
FirewallRules: [UDP Query User{2650B45A-5165-4F84-8EE8-181760AB1FC8}C:\program files (x86)\hearthstone\hearthstone.exe] => (Allow) C:\program files (x86)\hearthstone\hearthstone.exe
FirewallRules: [{4A789176-F88C-4A37-9F91-D0386E45B502}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{E0D948B3-75DA-44B5-8302-2DB4F1D9AB97}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{783E02D4-DE97-48BB-97D2-8D68791712A7}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{FB446CAD-D3B4-47A4-A228-7336142DE5E6}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{19B156B4-3E5A-4C37-ACFD-392877317EFC}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{AF68284A-4AC0-450E-A433-54E02C7EACFA}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{8D7CE80A-B492-49E2-A94A-F25CA3FA821A}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{E7F55C89-3C23-4482-B3F0-20365B2449CF}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{A47A59A5-1364-4E51-B07A-7C31DE67E616}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [TCP Query User{5DEA17D9-416B-45DF-95EC-C9ED990EF59C}C:\users\user\appdata\roaming\kugou8\appstore\6\dlna_player.exe] => (Block) C:\users\user\appdata\roaming\kugou8\appstore\6\dlna_player.exe
FirewallRules: [UDP Query User{836B7D7C-48DF-4591-98EA-686FED295BED}C:\users\user\appdata\roaming\kugou8\appstore\6\dlna_player.exe] => (Block) C:\users\user\appdata\roaming\kugou8\appstore\6\dlna_player.exe
FirewallRules: [{D2CA2719-BE28-4F31-93BF-1B700D449F18}] => (Allow) C:\program files (x86)\common files\tencent\qqdownload\135\tencentdl.exe
FirewallRules: [TCP Query User{9320E85D-5C06-4CCC-8DEF-B183D2547BEF}C:\users\user\appdata\local\xldl\download\minithunderplatform.exe] => (Allow) C:\users\user\appdata\local\xldl\download\minithunderplatform.exe
FirewallRules: [UDP Query User{264573D7-DD7F-4FBD-B2B2-97EE1829BAF0}C:\users\user\appdata\local\xldl\download\minithunderplatform.exe] => (Allow) C:\users\user\appdata\local\xldl\download\minithunderplatform.exe
FirewallRules: [{D3CE12AD-0F6A-43F8-9478-40BEC008F2B3}] => (Allow) C:\program files (x86)\common files\tencent\qqdownload\135\tencentdl.exe
FirewallRules: [{B433FFA1-30E0-44D7-90A2-8077AED3F3C1}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\Lync.exe
FirewallRules: [{91AC15EC-E7F8-42A5-A1CF-1336964DDEF5}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\UcMapi.exe
FirewallRules: [{BF92750E-2B0F-4F60-9B04-78328C4F4504}] => (Allow) C:\Program Files (x86)\KuGou\KGMusic\8.1.23.19503\KGService.exe
FirewallRules: [{A00E6A05-8FDC-46DD-9393-882664F35A11}] => (Allow) C:\Program Files (x86)\KuGou\KGMusic\8.1.23.19503\KGService.exe
FirewallRules: [{8598B498-1E37-44BE-BF48-65E5A2035242}] => (Allow) C:\Program Files (x86)\KuGou\KGMusic\8.1.23.19503\kgupnp.exe
FirewallRules: [{AE1EAED3-D3C2-4089-B5DE-A479C71F0CC1}] => (Allow) C:\Program Files (x86)\KuGou\KGMusic\8.1.23.19503\kgupnp.exe
FirewallRules: [{38AED7FE-BA4B-4516-9295-BAC84B9C84DD}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\Lync.exe
FirewallRules: [{04076EA9-8341-4EDF-9EA5-D0DA97DCFBFF}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\UcMapi.exe
FirewallRules: [{1617A807-1508-47BF-BDBF-8B660E853416}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{DB905AC9-01C3-46ED-BF94-E3A395D501AC}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{DC252076-2C01-469F-AD31-9AADF616EF4A}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{044E2578-11C7-4F43-B978-61BD94098622}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{4C6344D5-18F7-419A-9862-52F9ABD8050C}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{6E092FCC-FE6A-40A3-ABA5-BCDA892B229A}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Limbo\limbo.exe
FirewallRules: [{9C6071F2-A540-404C-B4A4-F02C5301673D}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Limbo\limbo.exe
FirewallRules: [TCP Query User{6D900F64-C76F-4098-BF23-28CAB0DE7BAB}C:\program files (x86)\kugou\kgmusic\8.1.23.19503\kgservice.exe] => (Block) C:\program files (x86)\kugou\kgmusic\8.1.23.19503\kgservice.exe
FirewallRules: [UDP Query User{E5C9B665-F615-406C-B72E-7B6CF3BEE228}C:\program files (x86)\kugou\kgmusic\8.1.23.19503\kgservice.exe] => (Block) C:\program files (x86)\kugou\kgmusic\8.1.23.19503\kgservice.exe
FirewallRules: [{621D026A-9B5E-438C-8328-9719DE8C83AC}] => (Allow) C:\Program Files (x86)\KuGou\KGMusic\KuGou.exe
FirewallRules: [{67D06ED0-BB7C-40A5-9D96-D79CDA76933F}] => (Allow) C:\Program Files (x86)\KuGou\KGMusic\KuGou.exe
FirewallRules: [{8C97E8C5-481B-4DDD-ABA8-C4DA40B4EE8B}] => (Allow) C:\Program Files (x86)\KuGou\KGMusic\8.1.51.19889\KGService.exe
FirewallRules: [{641968D2-7691-4394-84CC-2CBD85A339DF}] => (Allow) C:\Program Files (x86)\KuGou\KGMusic\8.1.51.19889\KGService.exe
FirewallRules: [{3619C770-0D57-42E9-96A2-E8E3D472C75D}] => (Allow) C:\Program Files (x86)\KuGou\KGMusic\8.1.51.19889\kgupnp.exe
FirewallRules: [{B6BC3CDE-EA9A-40D9-B9BE-192B3683DCD2}] => (Allow) C:\Program Files (x86)\KuGou\KGMusic\8.1.51.19889\kgupnp.exe
FirewallRules: [{9DD60E0C-AF43-41EE-BD52-42C115143265}] => (Allow) C:\Users\user\AppData\Roaming\KuGou8\AppStore\6\dlna_player.exe
FirewallRules: [{44BFF90F-0962-4C94-900B-CB175781CB9E}] => (Allow) C:\Users\user\AppData\Roaming\KuGou8\AppStore\6\dlna_player.exe
FirewallRules: [TCP Query User{5E92D530-7F90-43B6-8520-ADE596D6DE86}C:\program files (x86)\kugou\kgmusic\8.1.51.19889\kgservice.exe] => (Block) C:\program files (x86)\kugou\kgmusic\8.1.51.19889\kgservice.exe
FirewallRules: [UDP Query User{C82C41C6-885F-422A-8411-F07F19F84344}C:\program files (x86)\kugou\kgmusic\8.1.51.19889\kgservice.exe] => (Block) C:\program files (x86)\kugou\kgmusic\8.1.51.19889\kgservice.exe
FirewallRules: [{D4DBDC1A-18D9-478C-9E85-79AEA371B0CA}] => (Allow) C:\Program Files (x86)\kuwo\kuwomusic\8.7.3.1_P2T1\bin\KwMusic.exe
FirewallRules: [{DFBFC77E-9892-4813-84D3-B3383C10BF00}] => (Allow) C:\Program Files (x86)\kuwo\kuwomusic\8.7.3.1_P2T1\bin\KwMusic.exe
FirewallRules: [{D4926BB0-7AD9-4153-BB59-F07D5529E87B}] => (Allow) C:\Program Files (x86)\kuwo\kuwomusic\8.7.3.1_P2T1\bin\KwService.exe
FirewallRules: [{17CDEE68-80EF-4755-8BEA-CD0BCB336C22}] => (Allow) C:\Program Files (x86)\kuwo\kuwomusic\8.7.3.1_P2T1\bin\KwService.exe
FirewallRules: [{72883C5E-D948-4467-B60E-9F0CCD748913}] => (Allow) C:\Program Files (x86)\360\360Safe\LiveUpdate360.exe
FirewallRules: [{C498C53B-3570-4804-B0A4-A9D32F862D3B}] => (Allow) C:\Program Files (x86)\360\360Safe\LiveUpdate360.exe
FirewallRules: [{67D943D7-B96A-4914-94A0-0F1262A9326C}] => (Allow) C:\Users\user\AppData\Roaming\360se6\Application\360se.exe
FirewallRules: [{A83D0BEB-B973-4198-8AE7-706091A78264}] => (Allow) C:\Users\user\AppData\Roaming\360se6\Application\360se.exe
FirewallRules: [{7BD0FBD8-BCF3-4335-9B6F-5E04A2C595D8}] => (Allow) C:\Users\user\AppData\Roaming\360se6\Application\8.1.1.158\installer\seup.exe
FirewallRules: [{DF1BA19A-EC4A-443F-B6E4-ABD6A0038245}] => (Allow) C:\Users\user\AppData\Roaming\360se6\Application\8.1.1.158\installer\seup.exe
FirewallRules: [{1E01444D-7D97-49C7-8ADE-C885A66F1B91}] => (Allow) C:\Program Files (x86)\360\360Safe\safemon\360Tray.exe
FirewallRules: [{B86FCD71-331E-43A9-914B-ED9A6348D295}] => (Allow) C:\Program Files (x86)\360\360Safe\safemon\360Tray.exe
FirewallRules: [{CCAE8DEA-0244-44A3-8634-72C4161953D7}] => (Allow) C:\Program Files (x86)\360\360Safe\netmon\360SpeedTest.exe
FirewallRules: [{15BDC397-8BF7-4ABB-A938-ACD023CD2988}] => (Allow) C:\Program Files (x86)\360\360Safe\netmon\360SpeedTest.exe
FirewallRules: [{8FD6E845-E93A-4FBF-9874-D2B085D41606}] => (Allow) C:\Program Files (x86)\kingsoft\kwifi\kwifi.exe
FirewallRules: [{4BA08843-A938-4E48-A5E5-27C1CE20A030}] => (Allow) C:\Program Files (x86)\kingsoft\kingsoft antivirus\xlmodule\download\minithunderplatform.exe
FirewallRules: [{E97B9C51-E7C8-4D0E-9A37-5F6098FB80F8}] => (Allow) C:\Program Files (x86)\kingsoft\kingsoft antivirus\xlmodule\download\minithunderplatform.exe
FirewallRules: [{9C6129C9-C4EA-47A7-B4BE-F675AEEC7599}] => (Allow) C:\Program Files (x86)\kingsoft\kingsoft antivirus\xlmodule\download\minithunderplatform.exe
FirewallRules: [{48C380B9-F155-471D-BA92-AA050DEFADC7}] => (Allow) C:\Program Files (x86)\kingsoft\kingsoft antivirus\xlmodule\download\minithunderplatform.exe
FirewallRules: [{0AD61916-D328-417D-860F-778A4AF0A4A8}] => (Allow) C:\Program Files (x86)\zk\zkremote\zkremote.exe
FirewallRules: [{4893638A-04E5-485A-8F69-E47D264D6E9B}] => (Allow) C:\Program Files (x86)\360\360Safe\safemon\360tray.exe
FirewallRules: [{6FE275A1-414A-412A-A4D5-D26B49978124}] => (Allow) C:\Program Files (x86)\360\360Safe\safemon\360tray.exe
FirewallRules: [{94605161-F3C6-4334-8EDE-DC6FE4BAF7D8}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\outlook.exe
FirewallRules: [{325D4AFF-8A37-4604-9B01-DC40BB4B7A57}] => (Allow) C:\Users\user\AppData\Local\liebao\6.5.115.17898\Module\thunder\download\MiniThunderPlatform.exe
FirewallRules: [{D2062146-83F1-4211-98EC-3B1A1668EC6A}] => (Allow) C:\Users\user\AppData\Local\liebao\6.5.115.17898\Module\thunder\download\MiniThunderPlatform.exe
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\拇指通科技\赖子山庄\games\bieqipk\bieqi.exe] => \:*:Enabled:\憋七
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\拇指通科技\赖子山庄\games\jjddzpk\jjddz.exe] => \:*:Enabled:\竞技斗地主

==================== Restore Points =========================

26-11-2017 23:57:50 Windows 模块安装程序
27-11-2017 00:05:35 Windows 模块安装程序
01-12-2017 16:09:58 设备驱动程序包安装: Microsoft 网络适配器
16-12-2017 22:11:36 Windows 模块安装程序
16-12-2017 22:17:47 Windows 模块安装程序

==================== Faulty Device Manager Devices =============

Name: Security Processor Loader Driver
Description: Security Processor Loader Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: spldr
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: bootsafe
Description: bootsafe
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: bootsafe
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: WiMAX Bus Eumerator
Description: WiMAX Bus Eumerator
Class Guid: 
Manufacturer: 
Service: 
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: KAVBootC
Description: KAVBootC
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: KAVBootC
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.


==================== Event log errors: =========================

Application errors:
==================
Error: (04/09/2018 10:12:00 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1511) (User: user-PC)
Description: Windows 找不到本地配置文件,正在用临时配置文件让您登录。当您注销时,对此配置文件所作的更改将丢失。

Error: (04/09/2018 10:12:00 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1515) (User: user-PC)
Description: Windows 已经备份了此用户的配置文件。下次此用户登录时,Windows 将自动尝试使用此备份的配置文件。

Error: (04/09/2018 10:12:00 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1502) (User: user-PC)
Description: Windows 不能加载本地存储的配置文件。此问题的可能原因是安全权限不足或本地配置文件损坏。

 详细信息 - 由注册表启动的 I/O 操作失败并无法恢复。注册表无法读入、写出或清除任意一个包含注册表系统映像的文件。

Error: (04/09/2018 10:12:00 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1508) (User: NT AUTHORITY)
Description: Windows 不能加载注册表。这通常是由于内存或安全权限不足造成的。

 详细信息 - C:\Users\user\ntuser.dat 的 由注册表启动的 I/O 操作失败并无法恢复。注册表无法读入、写出或清除任意一个包含注册表系统映像的文件。

Error: (04/09/2018 09:50:26 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1511) (User: user-PC)
Description: Windows 找不到本地配置文件,正在用临时配置文件让您登录。当您注销时,对此配置文件所作的更改将丢失。

Error: (04/09/2018 09:50:26 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1515) (User: user-PC)
Description: Windows 已经备份了此用户的配置文件。下次此用户登录时,Windows 将自动尝试使用此备份的配置文件。

Error: (04/09/2018 09:50:26 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1502) (User: user-PC)
Description: Windows 不能加载本地存储的配置文件。此问题的可能原因是安全权限不足或本地配置文件损坏。

 详细信息 - 由注册表启动的 I/O 操作失败并无法恢复。注册表无法读入、写出或清除任意一个包含注册表系统映像的文件。

Error: (04/09/2018 09:50:26 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1508) (User: NT AUTHORITY)
Description: Windows 不能加载注册表。这通常是由于内存或安全权限不足造成的。

 详细信息 - C:\Users\user\ntuser.dat 的 由注册表启动的 I/O 操作失败并无法恢复。注册表无法读入、写出或清除任意一个包含注册表系统映像的文件。


System errors:
=============
Error: (04/09/2018 10:39:30 PM) (Source: Disk) (EventID: 7) (User: )
Description: 设备 \Device\Harddisk0\DR0 有一个不正确的区块。

Error: (04/09/2018 10:39:27 PM) (Source: Disk) (EventID: 7) (User: )
Description: 设备 \Device\Harddisk0\DR0 有一个不正确的区块。

Error: (04/09/2018 10:39:24 PM) (Source: Disk) (EventID: 7) (User: )
Description: 设备 \Device\Harddisk0\DR0 有一个不正确的区块。

Error: (04/09/2018 10:39:20 PM) (Source: Disk) (EventID: 7) (User: )
Description: 设备 \Device\Harddisk0\DR0 有一个不正确的区块。

Error: (04/09/2018 10:39:17 PM) (Source: Disk) (EventID: 7) (User: )
Description: 设备 \Device\Harddisk0\DR0 有一个不正确的区块。

Error: (04/09/2018 10:39:14 PM) (Source: Disk) (EventID: 7) (User: )
Description: 设备 \Device\Harddisk0\DR0 有一个不正确的区块。

Error: (04/09/2018 10:39:10 PM) (Source: Disk) (EventID: 7) (User: )
Description: 设备 \Device\Harddisk0\DR0 有一个不正确的区块。

Error: (04/09/2018 10:39:07 PM) (Source: Disk) (EventID: 7) (User: )
Description: 设备 \Device\Harddisk0\DR0 有一个不正确的区块。


Windows Defender:
===================================
Date: 2016-09-13 16:49:10.165
Description: 
Windows Defender 已检测到间谍软件或其他可能不需要的软件。
有关详细信息,请参阅以下信息:
http://go.microsoft.com/fwlink/?linkid=37020&name=BrowserModifier:Win32/Xiazai&threatid=223573
名称:BrowserModifier:Win32/Xiazai
ID:223573
严重性:高
类别:浏览器修改程序
找到的路径:file:C:\360安全浏览器下载\iPadia2(iPad模拟器)2014@2247_35579.exe
检测类型:实际
检测源:系统
状态:未知
用户:NT AUTHORITY\SYSTEM
进程名称:

Date: 2016-09-11 16:52:08.982
Description: 
Windows Defender 已检测到间谍软件或其他可能不需要的软件。
有关详细信息,请参阅以下信息:
http://go.microsoft.com/fwlink/?linkid=37020&name=BrowserModifier:Win32/Xiazai&threatid=223573
名称:BrowserModifier:Win32/Xiazai
ID:223573
严重性:高
类别:浏览器修改程序
找到的路径:file:C:\360安全浏览器下载\iPadia2(iPad模拟器)2014@2247_35579.exe
检测类型:实际
检测源:系统
状态:未知
用户:NT AUTHORITY\SYSTEM
进程名称:

Date: 2016-09-10 14:38:14.679
Description: 
Windows Defender 已检测到间谍软件或其他可能不需要的软件。
有关详细信息,请参阅以下信息:
http://go.microsoft.com/fwlink/?linkid=37020&name=BrowserModifier:Win32/Xiazai&threatid=223573
名称:BrowserModifier:Win32/Xiazai
ID:223573
严重性:高
类别:浏览器修改程序
找到的路径:file:C:\360安全浏览器下载\iPadia2(iPad模拟器)2014@2247_35579.exe
检测类型:实际
检测源:系统
状态:未知
用户:NT AUTHORITY\SYSTEM
进程名称:

Date: 2016-09-09 23:56:58.570
Description: 
Windows Defender 已检测到间谍软件或其他可能不需要的软件。
有关详细信息,请参阅以下信息:
http://go.microsoft.com/fwlink/?linkid=37020&name=BrowserModifier:Win32/Xiazai&threatid=223573
名称:BrowserModifier:Win32/Xiazai
ID:223573
严重性:高
类别:浏览器修改程序
找到的路径:file:C:\360安全浏览器下载\iPadia2(iPad模拟器)2014@2247_35579.exe
检测类型:实际
检测源:系统
状态:未知
用户:NT AUTHORITY\SYSTEM
进程名称:

Date: 2016-09-08 23:15:30.220
Description: 
Windows Defender 已检测到间谍软件或其他可能不需要的软件。
有关详细信息,请参阅以下信息:
http://go.microsoft.com/fwlink/?linkid=37020&name=BrowserModifier:Win32/Xiazai&threatid=223573
名称:BrowserModifier:Win32/Xiazai
ID:223573
严重性:高
类别:浏览器修改程序
找到的路径:file:C:\360安全浏览器下载\iPadia2(iPad模拟器)2014@2247_35579.exe
检测类型:实际
检测源:系统
状态:未知
用户:NT AUTHORITY\SYSTEM
进程名称:

Date: 2017-02-07 22:55:56.614
Description: 
Windows Defender 在尝试加载签名时遇到错误,并将尝试还原回已知正确的签名集。
已尝试签名:当前
错误代码:0x80070002
错误描述:系统找不到指定的文件。 
签名版本:0.0.0.0
引擎版本:0.0.0.0

Date: 2017-02-07 22:55:56.614
Description: 
Windows Defender 在尝试更新签名时遇到错误。
新签名版本:
旧签名版本:
更新源:签名更新文件夹
签名类型:反间谍软件
更新类型:增量
用户:NT AUTHORITY\SYSTEM
当前引擎版本:
旧引擎版本:
错误代码:0x80070002
错误描述:系统找不到指定的文件。 

==================== Memory info =========================== 

Processor: Intel(R) Core(TM) i5-2450M CPU @ 2.50GHz
Percentage of memory in use: 11%
Total physical RAM: 8086.17 MB
Available physical RAM: 7184.79 MB
Total Virtual: 16170.52 MB
Available Virtual: 15316.7 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:698.54 GB) (Free:620.24 GB) NTFS
Drive f: (USB) (Removable) (Total:14.6 GB) (Free:11.99 GB) FAT32

\\?\Volume{7e7b956e-1101-11e5-bf3f-806e6f6e6963}\ (系统保留) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 698.6 GB) (Disk ID: 07F2837E)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=698.5 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 14.6 GB) (Disk ID: 00273DE6)
Partition 1: (Active) - (Size=14.6 GB) - (Type=0C)

==================== End of Addition.txt ============================

Re: [INACTIVE] Help removing malware/virus

Hello and welcome to GeekPolice.Net. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
What makes you think that your computer is infected? Any unusual behaviour?
 

Please download AdwCleaner onto your Desktop.

Before starting AdwCleaner, close all open programs and internet browsers, then double-click on the AdwCleaner icon.



If Windows prompts you as to whether or not you wish to run AdwCleaner, please allow it to run.
When the AdwCleaner program will open, click on the Scan button as shown below.



AdwCleaner will now start to search for malicious files that may be installed on your computer.
To remove the files that were detected in the previous step, please click on the Clean button.



AdwCleaner will now prompt you to save any open files or data as the program will need to reboot the computer. Please do so and then click on the OK button. AdwCleaner will now delete all detected adware from your computer. When it is done it will display an alert that explains what PUPs (Potentially Unwanted Programs) and Adware are. Please read through this information and then press the OK button. You will now be presented with an alert that states AdwCleaner needs to reboot your computer.
Please click on the OK button to allow AdwCleaner reboot your computer.A log will be produced. Please copy and paste this log in your next reply.
*********************************************
Download and install: Please download Malwarebytes' scanner to your desktop.
Double-click mbam-setup.exe to install the application.

  • It should update automatically if the computer is connected to the internet.
  • Click on Threat Scan and click on Scan Now.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete make sure all the infections have "Quarantine" selected in the Action box.
  • Click on "Apply actions". You may be asked to restart your computer to completely remove the infections.
  • When disinfection is completed you can click on "Copy to Clipboard".
  • Paste the log in your next reply (Ctrl+V).

*************************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.

Security Check

* Double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

Re: [INACTIVE] Help removing malware/virus

Can I run the scans while in safe mode, because it takes forever to load the laptop? I think my dad accidentally installed malicious software that has slowed down the laptop incredibly, to the point that it would take me at least 20 minutes for the system to boot to the desktop screen.

Re: [INACTIVE] Help removing malware/virus

zhengs wrote:
Can I run the scans while in safe mode, because it takes forever to load the laptop? I think my dad accidentally installed malicious software that has slowed down the laptop incredibly, to the point that it would take me at least 20 minutes for the system to boot to the desktop screen.

Yes, please do that.

Re: [INACTIVE] Help removing malware/virus

Due to lack of response, this topic is now closed. If you would like it reopened, PM me, a Security Officer, or another administrator. If you have a different computer other than the one above, or if you are someone else, please start a new topic.
